A new report from NASA’s Office of Inspector General (OIG) shows the agency is exposed to a “higher-than-necessary risk from cyber threats,” but a new contract shows promise for NASA to secure its systems more effectively.
The report said the agency has “a disorganized approach” to enterprise architecture, which results in a “fragmented approach to IT, with numerous separate lines of authority.”
“Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity,” the May 18 OIG report says. “Although NASA has taken positive steps to address cybersecurity in the areas of network monitoring, identity management, and updating its IT Strategic Plan, it continues to face challenges in strengthening foundational cybersecurity efforts.”
The report also noted NASA conducts its assessment and authorization (A&A) of IT systems “inconsistently and ineffectively, with the quality and cost of the assessments varying widely” across the agency. However, a new Cybersecurity and Privacy Enterprise Solutions and Services (CyPrESS) contract could be key in resolving this issue, according to the report.
The contract is “intended to eliminate duplicative cyber services, which could provide the agency a vehicle to reset the A&A process to more effectively secure its IT systems,” the report says. According to SAM.gov, the draft request for proposal will be released soon, with release expected in the second quarter of 2021.
The watchdog recommended NASA advance the CyPrESS contract and develop baseline requirements “for a dedicated enterprise team to manage and perform the assessment process for all NASA systems subject to A&A.”
Jeffrey Seaton, NASA’s CIO, agreed with all of the report’s recommendations, including developing baseline requirements for the contract, and set an estimated completion date of December 30, 2022, for the CyPrESS recommendation.