The Office of the Inspector General (OIG) at NASA blamed the lack of information security programs, missing contingency plans, and ineffective IT security handbooks for the agency’s Federal Information Security Modernization (FISMA) Act shortcomings in Fiscal Year 2019.
Following an October 2019 report concluding the NASA’s information security program was less than ideal, inspectors general evaluated NASA from March 2019 through May 2020 for the June 25 report to further understand why the program struggles. Overall, OIG concluded that NASA is facing an “unnecessarily high level of risk” that threatens the security of agency information.
“NASA information security personnel are not sufficiently aware of agency information security policies and procedures, and the current oversight process does not ensure that delinquent information security assessments are identified and mitigated,” the report reads. “As a result, information systems throughout the agency face an unnecessarily high level of risk that threatens the confidentiality, integrity, and availability of NASA’s information.”
Of the six system security plans reviewed by the inspectors general, four were operating without contingency plans. While three updated their plans during OIG’s evaluation process, the auditors noted that the NASA CIO has not addressed other deficiencies in the agency common control system security plans and CISOs generally lacked the resources to provide proper oversight of system security plans.
“The number of systems without a current or available contingency plan in RISCS [Risk Information Compliance System] puts NASA at an unnecessarily high risk by hindering the agency’s ability to recover information systems if needed in an effective and efficient manner,” OIG explains in the report.
Of the agency’s 45 IT security handbooks and other related documents, 27 had not been reviewed and approved in over a year, despite OCIO policy that the handbooks be reviewed annually. Eight of the handbooks had not been reviewed in over three years. Per the OIG, failure to update these handbooks in a timely manner undermines information security training by increasing the risk that personnel will receive out-of-date security practices.
To strengthen NASA’s information security systems, OIG made five recommendations to the OCIO: ensure that the information system oversight process identifies and corrects delinquent control risk assessments; issue clarifying policy guidance to properly support all active NASA information systems; issue clarifying policy guidance that system authorizing officials ensure all active information systems are covered by an approved contingency plan; issue clarifying policy guidance that officials should implement a contingency plan review process on an annual basis; and develop and implement an effective process to ensure that all IT security handbooks and related documents are reviewed and updated at least annually.
NASA management concurred with all recommendations made by OIG with action plans to address all recommendations by October 2021.