Still on the Hook for FISMA Compliance
IG Audit Uncovers NASA's Failings to Comply with Infosec Rules
That's also why NASA is implementing a program to continuously monitor its IT systems, as discussed in a June interview with Jerry Davis, then the space agency's deputy chief information officer for security (he now holds a similar position at the Department of Veterans Affairs). Though NASA is moving toward a more efficient way to protect its digital assets, FISMA - with its check-box approach to IT security compliance - remains the law, and its inspector general says the space agency is not doing a good job of certifying and accrediting its IT systems.
"Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA's IT security program will not be fully effective in protecting critical agency information systems," NASA Inspector General Paul Martin wrote in a 26-page audit report issued late last week. "Until such improvements are made, OCIO (Office of the Chief Information Officer) will not be in a position to effectively allocate resources to correct IT security weaknesses."
NASA CIO Linda Cureton, in a written response to Martin, agreed with his conclusions and promised corrective action by next May 16.
Specifically, the IG audit focused on whether NASA met annual IT security controls and contingency plan testing requirements, ensured that it certified and accredited external IT systems, and implemented an effective agency-wide process for managing IT corrective actions to mitigate known IT security weaknesses.
The audit revealed that only one quarter of audited systems met FISMA requirements for annual security controls testing and just over half met FISMA requirements for annual contingency plan testing. In addition, Martin reported, only two of five external systems reviewed were certified and accredited. "These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program," he wrote.
Martin said NASA's CIO office has ineffectively managed plans to correct and prioritize the problems because, in part, it failed to follow recognized best practices when acquiring an IT system it hoped would automate corrective action plans. "After spending more than $3 million on the system since October 2005, implementation of the software failed," he said, noting that NASA is spending more money to buy a replacement system. "We found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA," he said, adding that the system contained corrective action plans for a mere 2 percent of the 29 systems the IG sampled.
To remediate the problems, Martin recommended that NASA:
- Establish an independent verification and validation function to ensure that all FISMA and Agency IT security requirements are met;
- Develop a written policy for managing IT security corrective action plans; and
- Adopt industry system acquisition best practices, including documenting detailed requirements prior to system selection and conducting user acceptance testing before system implementation.