A new report from the Government Accountability Office (GAO) this week raises concerns that the National Aeronautics and Space Administration (NASA) isn’t properly protecting its IT systems. The agency spends about $1.5 billion annually on IT investments to support its missions.
In a report released Tuesday, the GAO claims NASA has not effectively implemented leading practices for IT management. The report specifically identified weaknesses in NASA’s IT management practices for strategic planning, workforce planning, governance, and cybersecurity.
NASA said it concurred with most of the concerns raised by GAO, but not all of them.
The GAO report raises concerns that NASA isn’t conforming with best practices regarding how the agency documents its IT strategic planning process. “While NASA’s updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs,” the report says. GAO said that without a comprehensive plan, NASA will lack the necessary information to align agency resources with business strategies and investment decisions.
In 2016 GAO identified eight key IT workforce planning activities: establish and maintain a workforce planning process; develop competency and staffing requirements; assess competency and staffing needs regularly; assess gaps in competencies and staffing; develop strategies and plans to address gaps in competencies and staffing; implement activities that address gaps; monitor the agency’s progress in addressing competency and staffing gaps; and report to agency leadership on progress in addressing competency and staffing gaps.
While NASA has partially implemented five of the key activities, it has not implemented three of them at all, GAO said. The report cites two primary instances where the agency needs to improve: NASA does not address competency and staffing needs regularly, and it does not report progress to agency leadership. “Until NASA implements the key IT workforce planning activities, it will have difficulty anticipating and responding to changing staffing needs,” the report explains.
The GAO report admits that NASA has revised its governance boards, updated its charters, and acted to improve overall governance. However, the report notes that the agency’s IT governance doesn’t fully address leading practices. GAO explains that the agency hasn’t fully established its governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the CIO’s visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. The report stresses that until NASA addresses the weaknesses, it will struggle with duplicative investments and miss opportunities to ensure that investments perform as desired.
Cybersecurity is also top of mind for GAO, and it finds that NASA isn’t effectively managing its cybersecurity risk. The report explains that an “effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures.”
In the report, GAO offers a chart showing NASA’s progress in meeting what GAO calls an effective approach.
The report points out why managing cybersecurity risk is especially critical for NASA: the agency is reliant on collaborating with other agencies, nations, and private companies to carry out its mission, meaning its systems are all the more vulnerable to compromise.
Based on the report, GAO offered 10 recommendations for the NASA Administrator to address the issues identified in NASA IT strategic planning, workforce planning, governance, and cybersecurity. GAO recommends that the NASA Administrator direct the CIO to develop a fully documented IT strategic planning process, as well as an agency-wide approach to managing cybersecurity risk. Additionally, the report suggests the Administrator should ensure that the CIO fully defines policies and procedures for developing the IT investment portfolio criteria, creating the portfolio, and evaluating the portfolio.
The space agency concurred with seven of the recommendations, partially concurred with two, and did not concur with one. GAO notes that it “maintains that all of the recommendations discussed in this report remain valid.”