Skip to main content

Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks

GAO-10-4 Published: Oct 15, 2009. Publicly Released: Oct 15, 2009.
Jump To:
Skip to Highlights

Highlights

The National Aeronautics and Space Administration (NASA) relies extensively on information systems and networks to pioneer space exploration, scientific discovery, and aeronautics research. Many of these systems and networks are interconnected through the Internet, and may be targeted by evolving and growing cyber threats from a variety of sources. GAO was directed to (1) determine whether NASA has implemented appropriate controls to protect the confidentiality, integrity, and availability of the information and systems used to support NASA's mission directorates and (2) assess NASA's vulnerabilities in the context of prior incidents and corrective actions. To do this, GAO examined network and system controls in place at three centers; analyzed agency information security policies, plans, and reports; and interviewed agency officials.

Although NASA has made important progress in implementing security controls and aspects of its information security program, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates. Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. For example, it did not always sufficiently (1) identify and authenticate users, (2) restrict user access to systems, (3) encrypt network services and data, (4) protect network boundaries, (5) audit and monitor computer-related events, and (6) physically protect its information technology resources. In addition, weaknesses existed in other controls to appropriately segregate incompatible duties and manage system configurations and implement patches. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively. Specifically, it has not always (1) fully assessed information security risks; (2) fully developed and documented security policies and procedures; (3) included key information in security plans; (4) conducted comprehensive tests and evaluation of its information system controls; (5) tracked the status of plans to remedy known weaknesses; (6) planned for contingencies and disruptions in service; (7) maintained capabilities to detect, report, and respond to security incidents; and (8) incorporated important security requirements in its contract with the Jet Propulsion Laboratory. Despite actions to address prior security incidents, NASA remains vulnerable to similar incidents. NASA networks and systems have been successfully targeted by cyber attacks. During fiscal years 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information. To address these incidents, NASA established a Security Operations Center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture. Nevertheless, the control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services. They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA Chief Information Officer (CIO) to develop and implement comprehensive and physical risk assessments that include mission-related systems and applications and known vulnerabilities identified in the security plans and waivers.
Closed – Implemented
NASA developed and implemented comprehensive and physical risk assessments that include mission-related systems and applications and known vulnerabilities identified in the security plans and waivers.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to develop and fully implement security policies and procedures for malware, incident handling roles and responsibilities, and physical environmental protection.
Closed – Implemented
NASA has developed and fully implemented security policies and procedures for malware, incident handling roles and responsibilities, and physical environmental protection.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to include key information for system security plans such as information from risk assessments and signed system interconnection security agreements.
Closed – Implemented
NASA included key information for system security plans such as information from risk assessments and signed system interconnection security agreements.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to conduct sufficient or comprehensive security testing and evaluation of all relevant security controls including management, operational, and technical controls.
Closed – Implemented
NASA conducted comprehensive security testing and evaluation of all relevant security controls including management, operational, and technical controls.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to develop remedial action plans to address any deficiencies and ensure that master and subordinate IT system items are tracked and reported to the agency CIO in a timely manner so that corrective actions can be taken.
Closed – Implemented
NASA developed remedial action plans to address deficiencies and ensured items are tracked and reported so that corrective actions can be taken. NASA provided the policy document on how to track and report POA&Ms. In addition, NASA provided screen shots of the remedial action findings that are tracked and reported in the RMS system.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to update contingency plans to include key information such as, contact information and approvals, and describe an alternate backup site in a geographic area that is unlikely to be negatively affected by the same disaster event.
Closed – Implemented
NASA updateed the contingency plans to include key information such as, contact information and approvals, and describe an alternate backup site in a geographic area that is unlikely to be negatively affected by the same disaster event.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to implement an adequate incident detection program to include a consistent definition of an incident, incident roles and responsibilities, resources to operate the program, and business impacts of the incidents.
Closed – Implemented
NASA has implemented an adequate incident detection program to include a consistent definition of an incident, incident roles and responsibilities, resources to operate the program. Although it still has not developed business impacts of the incidents, NASA stated in an email on 2/27/14 that in its updated policy, business impact assessments are now required.
National Aeronautics and Space Administration To assist NASA in improving the implementation of its agencywide information security program, the NASA Administrator should direct the NASA CIO to include all necessary security requirements in the Jet Propulsion Laboratory (JPL) contract.
Closed – Implemented
NASA included all necessary security requirements in the JPL contract.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Aerospace researchAgency missionsAircraftClassified defense informationComputer networksComputer securityInformation classificationInformation disclosureInformation securityInformation systemsInformation technologyInternal controlsRequirements definitionRisk managementSpace explorationStrategic information systems planningTestingConfidential communicationsCybersecurity