The National Aeronautics and Space Administration (NASA) is a target for cybercriminals, but the agency is failing to adequately protect itself, according to a Nov. 13 report by the NASA Office of the Inspector General (OIG).
The inspector general explains that NASA’s interconnectivity with academia, research, and other outside organizations provides cybercriminals with an unusually large target for attack. However, NASA’s failure to keep up with the changing IT landscape undermines the integrity of existing cyberdefenses. The OIG specifically cited patch management and incident response as agency weaknesses.
“While NASA has taken steps to improve the agency’s overall security posture … its overall information security program struggles to adequately protect NASA data from cyberattacks,” the report states.
Many of NASA’s IT challenges have persisted for decades. The inspector general criticized NASA’s IT governance structure within the Office of the Chief Information Officer (CIO) for 20 years of misalignment. NASA’s decentralized nature hurts the Office of the CIO’s ability to oversee IT purchases and security decisions across the agency.
Meanwhile, NASA continues to lag behind Federal guidance. The 2019 review of NASA’s Federal Information Security Modernization Act (FISMA) compliance fell short of Office of Management and Budget (OMB) standards for the fourth year in a row. NASA also received a D- on the most recent iteration of the Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Because of NASA’s reliance on IT to support its missions, the OIG called these concerns a top challenge for the agency.
Data and security breaches are already a reality for NASA. The agency is “still reviewing the nature and extent of” a December 2018 breach of employee personally identifiable information (PII), according to the OIG report. Prior to that breach, the OIG discovered a lack of oversight of NASA’s Jet Propulsion Laboratory in 2015 that led to the April 2018 theft of 500 megabytes of data.
Despite these concerns, the OIG did credit NASA for its progress. Hiring four additional senior IT professionals, increasing Security Operations Center capabilities, and completing charters for all IT governance boards have helped NASA improve. To continue remediating security risks, the OIG recommends increasing collaboration between the Office of the CIO and other departments, improving compliance with Federal legislation, and filling gaps in its IT workforce.