Export Controls:

NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies

GAO-14-315: Published: Apr 15, 2014. Publicly Released: May 15, 2014.

Multimedia:

Additional Materials:

Contact:

Marie A. Mak
(202) 512-2527
makm@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Weaknesses in the National Aeronautics and Space Administration (NASA) export control policy and implementation of foreign national access procedures at some centers increase the risk of unauthorized access to export-controlled technologies. NASA policies provide Center Directors wide latitude in implementing export controls at their centers. Federal internal control standards call for clearly defined areas of authority and establishment of appropriate lines of reporting. However, NASA procedures do not clearly define the level of Center Export Administrator (CEA) authority and organizational placement, leaving it to the discretion of the Center Director. GAO found that 7 of the 10 CEAs are at least three levels removed from the Center Director. Three of these 7 stated that their placement detracted from their ability to implement export control policies by making it difficult to maintain visibility to staff, communicate concerns to the Center Director, and obtain resources; the other four did not express concerns about their placement. However, in a 2013 meeting of export control officials, the CEAs recommended placing the CEA function at the same organizational level at each center for uniformity, visibility, and authority. GAO identified and the NASA Inspector General also reported instances in which two centers did not comply with NASA policy on foreign national access to NASA technologies. For example, during a 4-month period in 2013, one center allowed foreign nationals on a major program to fulfill the role of sponsors for other foreign nationals, including determining access rights for themselves and others. Each instance risks damage to national security. Due to access concerns, the NASA Administrator restricted foreign national visits in March 2013, and directed each center to assess compliance with foreign national access and develop corrective plans. By June 2013, six centers identified corrective actions, but only two set time frames for completion and only one planned to assess the effectiveness of actions taken. Without plans and time frames to monitor corrective actions, it will be difficult for NASA to ensure that actions are effective.

NASA headquarters export control officials and CEAs lack a comprehensive inventory of the types and location of export-controlled technologies and NASA headquarters officials have not addressed deficiencies raised in oversight tools, limiting their ability to take a risk-based approach to compliance. Export compliance guidance from the regulatory agencies of State and Commerce states the importance of identifying controlled items and continuously assessing risks. NASA headquarters officials acknowledge the benefits of identifying controlled technologies, but stated that current practices, such as foreign national screening, are sufficient to manage risk and that they lack resources to do more. Recently identified deficiencies in foreign national visitor access discussed above suggest otherwise. Three CEAs have early efforts under way to better identify technologies which could help focus compliance on areas of greatest risk. For example, one CEA is working with NASA's Office of Protective Services Counterintelligence Division to identify the most sensitive technologies at the center to help tailor oversight efforts. Such approaches, implemented NASA-wide, could enable the agency to better target existing resources to protect sensitive technologies.

Why GAO Did This Study

NASA develops sophisticated technologies and shares them with its international partners and others. U.S. export control regulations require NASA to identify and protect its sensitive technology; NASA delegates implementation of export controls to its 10 research and space centers. Recent allegations of export control violations at two NASA centers have raised questions about NASA's ability to protect its sensitive technologies. GAO was asked to review NASA's export control program.

This report assessed (1) NASA's export control policies and how centers implement them, and (2) the extent to which NASA Headquarters and CEAs apply oversight of center compliance with its export control policies. To do this, GAO reviewed export control laws and regulations, NASA export control policies, and State and Commerce export control compliance guidance. GAO also reviewed NASA information on foreign national visits and technical papers and interviewed officials from NASA and its 10 centers as well as from other agencies.

What GAO Recommends

GAO recommends that the NASA Administrator establish guidance to better define the CEA function, establish time frames to implement foreign national access corrective actions and assess results, and establish a more risk-based approach to oversight, among other actions. NASA concurred with all of our recommendations and provided information on actions taken or planned to address them.

 

Recommendations for Executive Action

  1. Status: Open

    Priority recommendation

    Comments: NASA concurred with the recommendation. In March 2015, NASA reported that NASA's Associate Administrator provided guidance in September 2014 to the Center Directors regarding the appropriate level and organizational placement of the CEA function. As of October 2016, NASA is planning by the end of 2016 to update its NASA Procedural Requirement (NPR) 2190.1B concerning NASA's Export Control Program to further codify this structure. We will review the 2190.1B policy once it is updated and determine whether this recommendation can be considered implemented at that time.

    Recommendation: To ensure consistent implementation of NASA's export control program, the NASA Administrator should establish guidance defining the appropriate level and organizational placement of the CEA function.

    Agency Affected: National Aeronautics and Space Administration

  2. Status: Closed - Implemented

    Priority recommendation

    Comments: The Office of International and Interagency Relations worked with each of the NASA Centers to confirm current resource allocations and to solicit specific concerns regarding workload related issues. In April 2016, NASA received input for all Centers on their workload and requirements for the Center Export Administrator function and has identified potential shortfalls in necessary resources on a Center by Center basis. The workload analysis and resource assessment is now being reviewed for action by NASA leadership.

    Recommendation: To ensure consistent implementation of NASA's export control program, the NASA Administrator should assess CEA workload and other factors to determine appropriate resources needed to support the CEA function at each center.

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. The NASA Export Control Operations Manual released in March 2015 outlined a risk-based approach to identifying technologies that warrant additional protection or attention, from an export control perspective. In February 2016, NASA Headquarters provided an initial risk matrix to each Center that identified critical physical and logical infrastructure assets as well as sensitive technologies that each Center managed access to. Each Center is refining the risk matrix to include Center specific information such as the annual counter-intelligence threat assessments. As described in the Operations Manual, Center risk matrixes will be used in making risk-informed decisions when considering foreign national access, training, and follow-up assessments.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should implement a risk-based approach to the export control program by using existing information sources, such as counterintelligence assessments, to identify targeted technologies and then direct that the types and location of those export-controlled technologies are identified and managed by CEAs within each center.

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Closed - Implemented

    Comments: In August 2014, the Associate Administrator for International and Interagency Relations provided each Center Director with the results of the annual export control audits for their Center the prior year, 2013. This message directed the Center Directors to ensure implementation of corrective measures. Further, NASA's updated operations manual (NPR 2190.1B), issued on March 17, 2015, codified this, directing Center Directors to oversee disposition of the findings from the annual export control audits.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should direct Center Directors to oversee implementation of export-related audit findings which could involve collaboration among several center offices.

    Agency Affected: National Aeronautics and Space Administration

  5. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA concurred with the recommendation. In July 2014, NASA developed a plan for collecting, categorizing, assigning timeframes for completion and tracking progress on CEA suggestions for improvement. Per NASA's plan, the NASA export control office collected CEA suggestions in 2014, 2015, and 2016 and provided expected actions and completion dates to track progress.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should develop a plan, including timeframes for addressing CEA issues and suggestions for improvement provided during the annual export control conference, and share the plan with CEAs.

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Closed - Implemented

    Priority recommendation

    Comments: NASA's Export Control Program Operation Manual, released on March 17, 2015, notes the importance of voluntary disclosures in the event of a potential export control violation. The updated guidance identifies the roles and responsibilities related to this process for NASA officials, stating that all NASA employees are responsible for notifying their CEA if they have knowledge of or suspect a potential violation. The guidance provides appropriate timeframes for the process, including the appropriate timeframe for researching the potential violation before sending an initial disclosure to the regulatory agencies.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should re-emphasize to CEAs the requirements on how and when to notify the Headquarters Export Administrator about potential voluntary disclosures to ensure more consistent reporting of potential export control violations at NASA centers.

    Agency Affected: National Aeronautics and Space Administration

  7. Status: Closed - Implemented

    Priority recommendation

    Comments: On June 6, 2014, the Assistant Administrator for the Office of Protective Services, the Chief Information Officer, and the Associate Administrator for OIIR signed a Program Commitment Agreement to establish the formal foreign national assessment management program within the Office of Protective Services and form a task force to prepare the program manual and to continue to implement this program. On May 2, 2016, NASA released the Foreign National Access Management Program Operations Manual that outlines processes and best practices to support consistent execution of foreign national access management across NASA Centers and Facilities. The Foreign National Access Management Program Manual incorporates specific guidelines for monitoring and implementing corrective measures for access management at NASA facilities.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should develop plans with specific time frames to monitor corrective actions related to management of foreign national access to NASA facilities and assess their effectiveness.

    Agency Affected: National Aeronautics and Space Administration

 

Explore the full database of GAO's Open Recommendations »

Dec 7, 2016

Sep 8, 2016

Jul 27, 2016

Jul 22, 2016

Jun 22, 2016

Mar 30, 2016

Feb 25, 2016

Dec 17, 2015

Dec 10, 2015

Looking for more? Browse all our products here