NASA IT Vulnerable to Disruption
GAO: Space Agency Hasn't Implemented Sufficient Controls
"NASA has not always implemented sufficient controls to protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates," Chaplain, the Government Accountability Office's director of acquisition and sourcing management, said in testimony to the House Committee on Science and Technology's Subcommittee on Space and Aeronautics. "Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively."
Chaplain explained this is a critical problem for any organization like NASA that is so reliant on key computer systems and communication networks to get its job done. "These networks traverse the earth and beyond, providing critical two-way communication links between earth and spacecraft; connections between NASA centers and partners, scientists, and the public; and administrative applications and functions," she said.
Chaplain's testimony echoes a mid-2009 GAO audit that reported 1,120 security incidents resulting in the installation of malicious software on NASA's systems and unauthorized access to sensitive information in fiscal years 2007 and 2008. NASA reacted, Chaplain said, establishing a security operations center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture.
"Nevertheless, the control vulnerabilities and program shortfalls - which GAO identified - collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services," Chaplain said. "They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted."
What should NASA do? GAO recommends that NASA develop and implement comprehensive and physical risk assessments, conduct sufficient or comprehensive security testing and evaluation of all relevant security controls, and implement an adequate incident detection program.
NASA Deputy Administrator Lori Garver told GAO that the agency is implementing many of the recommendations as part of its continuing strategic effort to improve information technology management and information technology security program deficiencies. Garver also said NASA would continue to mitigate the information security weaknesses identified in the GAO report.
"The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program," Chaplain said.