Government inspectors have uncovered serious deficiencies in NASA’s information security program, which they claim could threaten operations.
The findings come from the latest Office of the Inspector General (OIG) review of the space agency for fiscal year 2018, under the Federal Information Security Modernization Act of 2014 (FISMA).
The OIG tested the maturity of NASA’s infosec program via 61 metrics in five security function areas plus a subset of IT systems. This involved testing systems against corresponding security documentation, and interviewing information system owners and security personnel.
Unfortunately, the report assessed NASA’s cybersecurity program as at Level 2 (Defined) for the second year in a row — well short of the Level 4 (Managed and Measurable) required by the Office of Management and Budget in order to be judged effective.
The inspectors also flagged two serious issues: missing, incomplete and inaccurate data in system security plans, and control assessments that were not conducted in a timely manner.
“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” explained assistant inspector general for audits, Jim Morrison, in a letter to NASA’s CIO, Renee Wynn.
“Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”
The news is concerning given the willingness of nation state hackers to go after sensitive government IP, which could impact national security.
Yet it’s not the first time NASA has been called out for less than optimal cybersecurity: the agency received an even worse report card back in 2010 when the OIG inspected.
Last year, NASA also revealed that a server containing Social Security numbers and other identity data from current and former employees may have been compromised.