NASA officials will consider implementing an insider threat program to cover the agency’s unclassified systems and data following the release of a recent study by the NASA Office of Inspector General (OIG), which found that including unclassified systems may better protect agency resources.
Like all Federal agencies, NASA is required to address insider threats on classified systems. The OIG found that NASA has taken numerous steps to meet that obligation. Those include establishing user activity monitoring, developing mandatory agency-wide insider threat training, and creating an insider threat reference website to assist employees and contractors with identifying threats and risks.
The OIG found, however, that NASA “may be facing a higher-than-necessary risk to its unclassified systems and data” by having its unclassified systems and data excluded from its insider threat program.
While it’s common for Federal agencies to exclude unclassified systems from insider threat programs, the OIG said that “adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources.”
The OIG made two recommendations for NASA’s associate administrator, assistant administrator for Protective Services, and CIO – both of which the agency concurred with:
- Establish a cross-discipline team to conduct an insider threat risk assessment to evaluate NASA’s unclassified systems and determine whether the corresponding risk warrants expansion of the insider threat program to include those systems;
- Improve cross-discipline communication by establishing a Working Group to include the Office of Protective Services (OPS), the OCIO, the Office of Procurement, human resources officials, and other relevant agencies to collaborate on wide-ranging insider threat-related issues for both classified and unclassified systems.
“Mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity,” the OIG said.
“At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the Agency’s ability to carry out its mission,” it said.