Still on the Hook for FISMA Compliance

IG Audit Uncovers NASA's Failings to Comply with Infosec Rules
Still on the Hook for FISMA Compliance
The Obama administration recognizes, as do some key lawmakers and federal agencies, that continuous monitoring is a much better way to secure government IT systems than the rules and regulations that emanate from the Federal Information Security Management Act. That's why the White House earlier this year issued a memo to get agencies to adopt continuous monitoring, and legislation before Congress would make near-real-time monitoring the law.

That's also why NASA is implementing a program to continuously monitor its IT systems, as discussed in a June interview with the Jerry Davis, then space agency's deputy chief information officer for security (he now holds a similar position at the Department of Veterans Affairs). Though NASA is moving toward a more efficient way to protect its digital assets, FISMA - with its check-box regime to IT security compliance - remains the law, and its inspector general says the space agency is not doing a great job with certifying and accrediting its IT systems.

"Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA's IT security program will not be fully effective in protecting critical agency information systems," NASA Inspector General Paul Martin wrote in a 26-page audit report issued late last week. "Until such improvements are made, OCIO (Office of the Chief Information Office) will not be in a position to effectively allocate resources to correct IT security weaknesses."

NASA CIO Linda Cureton in a written response to Martin agreed with his conclusions, and promised corrective action by next May 16.

Specifically, the IG audit focused on whether NASA met annual IT security controls and contingency plan testing requirements, ensured that it certified and accredited external IT systems and implemented an effective agency-wide process for managing IT corrective actions to mitigate known IT security weaknesses.

The audit revealed that only one quarter of audited systems met FISMA requirements for annual security controls testing and just over half met FISMA requirements for annual contingency plan testing. In addition, Martin reported, only two of five external systems reviewed were certified and accredited. "These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program," he wrote.

Martin said NASA's CIO office has ineffectively managed plans to correct and prioritize the problems because, in part, it failed to follow recognized best practices when acquiring an IT system it hoped would automate corrective action plans. "After spending more than $3 million on the system since October 2005, implementation of the software failed," he said, noting the NASA is spending more money to buy a replacement system. "We found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA," he said, adding that the system contained corrective actions plans for a mere 2 percent of the 29 systems the IG sampled.

To remediate the problems, Martin recommended that NASA:

  • Establish an independent verification and validation function to ensure that all FISMA and Agency IT security requirements are met;
  • Develop a written policy for managing IT security corrective action plans; and
  • Adopt industry system acquisition best practices, including documenting detailed requirements prior to system selection and conducting user acceptance testing before system implementation.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.