NASA's Cloud Policy Raises Risk Concerns
IG: Weaknesses Put Systems, Data on Cloud at Risk
Even when NASA does something right, such as adhering to best practices in awarding a contract for cloud computing services, the space agency gets criticized by its inspector general for failing to leverage that contract throughout the organization.
That's one takeaway from a just-issued IG report that contends weaknesses in NASA's IT governance and risk management practices could put at risk its systems and data stored in the cloud. Those weaknesses also impede the agency from fully realizing the benefits of cloud computing, according to the IG report, NASA's Progress in Adopting Cloud-Computing Technologies.
The cloud is important to NASA [see Cloud Evangelist Talks Security], and the space agency is seen as a pioneer in government cloud use, although less than 1 percent of NASA's IT budget is earmarked for cloud computing. The agency projects that within five years up to 75 percent of new IT programs could begin in the cloud, and nearly all of its public data could be moved to the cloud.
That means NASA must get its act together to reduce risk, Inspector General Paul Martin says. "As NASA moves more of its systems and data to the cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds," Martin writes in the report published July 29.
A case in point: the five-year, $40 million contract that then-Chief Information Officer Linda Cureton signed last December with InfoZen, a Maryland IT services firm, to secure the 100 internal and external NASA websites it manages.
Martin says Cureton did everything right in executing the contract, known as WestPrime, such as following the principles of the Federal Risk and Authorization Management Program [see Feds Explain How FedRAMP Will Work]. FedRAMP requires vendors to adhere to federal security requirements, and a key feature of the program lets other agencies reuse the vetting performed for the original contract rather than repeating it. Put simply, the various units within NASA could have contracted for cloud services through WestPrime. But, the IG points out, they didn't.
Cureton says the inspector general knows that IT governance is a big problem at NASA. "The majority of people at NASA who choose not to use WestPrime do not work for the agency CIO nor for the center CIO," Cureton tells Information Security Media Group. "The NASA CIO does not have the authority to make or enforce such a mandate."
The IG, in one of his recommendations, says NASA organizations should use the WestPrime contract to help ensure risks are mitigated and FedRAMP requirements are met when acquiring cloud-computing services. In response, NASA's new CIO, Larry Sweet, concurred with the recommendation and said that by Sept. 30, 2014, all NASA units would be required to use the WestPrime contract for purchasing cloud-based web services.
Sweet also says NASA will establish agency-wide contracts to obtain commercial cloud services with selected providers and require all NASA organizations to use these contracts when purchasing commercial cloud services.
Among other weaknesses identified in the IG report:
- Several NASA centers moved agency systems and data into public clouds without the knowledge or consent of NASA's chief information officer;
- NASA, on five occasions, acquired cloud-computing services using contracts that failed to fully address the business and IT security risks unique to the cloud environment;
- One of the two moderate-impact systems NASA moved to a public cloud operated for two years without authorization, a security or contingency plan or a test of the system's security controls.
"The Office of the CIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing and did not implement measures to ensure cloud providers met agency IT security requirements," Martin says.
Cureton, who served as NASA CIO from September 2009 to April 2013, responds that "authority" is the key word in Martin's comment. "The CIO lacks sufficient authority to direct most IT activities at the agency, including use of cloud providers and IT security compliance," she says. "I don't agree that the Office of the CIO was slow. But government procurement processes in general, and NASA's in particular, are slow. Many of the reasons that the process took so long are not within NASA's control."
Among the IG's other recommendations:
- Establish a cloud-computing program management office to promulgate cloud-computing strategy;
- Direct unit CIOs to review FedRAMP requirements;
- Require service providers to develop compliant security and contingency plans based on National Institute of Standards and Technology guidance;
- Ensure the responsible information security officer reviews IT security documentation and control tests and authorizes the system for operation.
Sweet, who served six years as CIO of the Johnson Space Center before becoming NASA CIO in June, concurred with the IG's findings and pledged to implement the recommendations "contingent upon the availability of funds."