In a memo entitled "NASA's Top Management and Performance Challenges," addressed to NASA Administrator Charles Bolden Jr. and dated Nov. 12, Inspector General Paul Martin wrote that the agency CIO has limited ability to direct its mission directorates to fully implement IT security programs.
"Consequently, key agency computer networks and systems operated by the mission directorates do not consistently comply with agency-wide IT policy," Martin said. "Until the mission directorates fully implement NASA's IT security programs, the agency will continue to be at risk for security incidents that can have a severe adverse effect on agency operations, assets or individuals."
Martin wrote that IT security weaknesses have exposed NASA to cybersecurity threats that are growing in scope and sophistication. He cited a 2009 IG investigation that confirmed that cybercriminals had infected a computer system that supports one of NASA's mission networks. "Due to the inadequate security configurations on the system, the infection caused the computer system to make over 3,000 unauthorized connections to domestic and international IP addresses including, but not limited to, addresses in China, the Netherlands, Saudi Arabia and Estonia," Martin said. "The sophistication of the attack confirms that this event was a focused and sustained effort to target NASA's data."
The IG said his office alerted NASA to systemic IT deficiencies discovered during an investigation into unlawful computer intrusions at the Jet Propulsion Laboratory, the NASA unit that manages unmanned space probes that explore other planets. The intrusions resulted in the theft of 22 gigabytes of program data illegally transferred to an IP address in China, the IG said, including information protected under International Traffic in Arms Regulations and Export Administration Regulations. "A significant contributing factor to the theft was inadequate security settings at JPL, which allowed the intruder access to a wide range of sensitive data," Martin said. "NASA's challenge is to redouble its efforts to improve IT security to decrease the likelihood of similar incidents in the future even as the threat expands and the sophistication of the cyber attacks increases."
The IG said NASA failed to:
- Comply with Federal Information Security Management Act requirements for annual security controls testing and contingency plan testing. "These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program," Martin said.
- Effectively manage the corrective action plans used to prioritize mitigation of IT security weaknesses. The IG attributed this to the CIO's office not implementing a formal policy for managing the plans and not following recognized best practices when it purchased an information system intended to facilitate agency-wide management of IT corrective action plans. "The information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans," he said.
- Ensure that its computer servers remained securely configured over time.
The IG also said NASA should add a control to verify that all of the devices connected to its networks undergo vulnerability and patch monitoring. The IG found control weaknesses related to user account management, the installation of unauthorized software and inaccuracies in the hardware and software inventories for a key NASA system. The agency's transition from Internet Protocol Version 4 to IPv6 needed substantial improvement, the IG said.
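As an added example, not code from the memo or from NASA, this is the kind of coverage check the recommended control describes: devices observed on the network are reconciled against the hardware inventory and against the set enrolled in vulnerability and patch monitoring, so that unknown, unmonitored and stale entries surface. The hostnames and MAC addresses are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: what a network discovery pass saw, what the asset
# inventory claims, and which devices the vulnerability/patch scanner covers.
# Keys are MAC addresses, values are hostnames.
OBSERVED_ON_NETWORK = {
    "00:11:22:33:44:01": "ws-eng-01",
    "00:11:22:33:44:02": "ws-eng-02",
    "00:11:22:33:44:03": "srv-telemetry",
    "00:11:22:33:44:04": "unknown-device",   # never entered into inventory
}
INVENTORY = {
    "00:11:22:33:44:01": "ws-eng-01",
    "00:11:22:33:44:02": "ws-eng-02",
    "00:11:22:33:44:03": "srv-telemetry",
    "00:11:22:33:44:05": "srv-retired",      # inventoried but no longer on the wire
}
MONITORED = {"00:11:22:33:44:01", "00:11:22:33:44:03"}


@dataclass(frozen=True)
class CoverageReport:
    not_in_inventory: frozenset   # on the network, unknown to asset management
    not_monitored: frozenset      # on the network, outside vuln/patch monitoring
    stale_inventory: frozenset    # in inventory, not seen on the network


def check_coverage(observed, inventory, monitored) -> CoverageReport:
    """Reconcile the three views; each gap is a finding the IG-style control would flag."""
    seen = set(observed)
    return CoverageReport(
        not_in_inventory=frozenset(seen - set(inventory)),
        not_monitored=frozenset(seen - set(monitored)),
        stale_inventory=frozenset(set(inventory) - seen),
    )


def coverage_ratio(report: CoverageReport, observed) -> float:
    """Fraction of observed devices that are under vulnerability/patch monitoring."""
    if not observed:
        return 1.0
    return 1.0 - len(report.not_monitored) / len(observed)


if __name__ == "__main__":
    report = check_coverage(OBSERVED_ON_NETWORK, INVENTORY, MONITORED)
    for name, macs in vars(report).items():
        print(f"{name}: {sorted(OBSERVED_ON_NETWORK.get(m) or INVENTORY[m] for m in macs)}")
    print(f"monitoring coverage: {coverage_ratio(report, OBSERVED_ON_NETWORK):.0%}")
```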
Besides IT security, the other top management and performance challenges include the future of U.S. space flight, acquisition and project management, infrastructure and facilities management, human capital, and financial management.