NASA Remedies FISMA Compliance FailureAgency Failed to Fulfill Reporting Terms in '07 and '08 When it comes to FISMA compliance, NASA's house is back in order.
The space agency's inspector general reported Friday that NASA has taken steps to remedy failures to comply with reporting requirements regarding its national security systems. NASA had not clearly assigned that responsibility to a specific NASA officer for its national security systems, which failed to comply with the reporting requirements of the Federal Information Security Management Act for fiscal years 2007 and 2008. NASA also had not formally designated an entity with appropriate resources to complete the annual independent evaluations of its national security systems required by FISMA.
The IG notified the agency about these problems in February, and NASA immediately assigned the responsibility to resolve the problem to its CIO office, according to an IG memorandum issued Friday.
In response to the IG's February draft report, NASA assigned its Office of Protective Services to work with its CIO to gather and compile the required information to report to the White House Office of Management and Budget. The agency told the IG that a formal agreement with an independent entity was being developed. "We consider management's proposed actions to be responsive and will close the related recommendation after verifying that the agency has established a formal agreement with an entity with the appropriate resources to conduct the annual independent evaluation of NASA's national security systems," the IG memo said.
The IG also reviewed the certification and accreditation program for NASA's national security systems to determine whether it provided adequate information security protection, and concluded that C&A program implementation at most of the locations it visited - the NASA headquarters and centers - generally provided adequate protection. At three of the centers, the IG reported it found systems that lacked appropriate C&A documentation, and recommended that those centers formally designate a certifier to ensure that center systems maintain current C&As, which they have done.
"All of the report's recommendations are resolved or closed," the IG report said. "As a result, NASA has reasonable assurance that its national security systems comply with national-level security requirements and maintain an appropriate security posture against current threat assessments at an acceptable risk level."