Export Controls:

NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies

GAO-14-315: Published: Apr 15, 2014. Publicly Released: May 15, 2014.

Multimedia:

Additional Materials:

Contact:

Belva Martin
(202) 512-4841
martinb@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Weaknesses in the National Aeronautics and Space Administration (NASA) export control policy and implementation of foreign national access procedures at some centers increase the risk of unauthorized access to export-controlled technologies. NASA policies provide Center Directors wide latitude in implementing export controls at their centers. Federal internal control standards call for clearly defined areas of authority and establishment of appropriate lines of reporting. However, NASA procedures do not clearly define the level of Center Export Administrator (CEA) authority and organizational placement, leaving it to the discretion of the Center Director. GAO found that 7 of the 10 CEAs are at least three levels removed from the Center Director. Three of these 7 stated that their placement detracted from their ability to implement export control policies by making it difficult to maintain visibility to staff, communicate concerns to the Center Director, and obtain resources; the other four did not express concerns about their placement. However, in a 2013 meeting of export control officials, the CEAs recommended placing the CEA function at the same organizational level at each center for uniformity, visibility, and authority. GAO identified and the NASA Inspector General also reported instances in which two centers did not comply with NASA policy on foreign national access to NASA technologies. For example, during a 4-month period in 2013, one center allowed foreign nationals on a major program to fulfill the role of sponsors for other foreign nationals, including determining access rights for themselves and others. Each instance risks damage to national security. Due to access concerns, the NASA Administrator restricted foreign national visits in March 2013, and directed each center to assess compliance with foreign national access and develop corrective plans. By June 2013, six centers identified corrective actions, but only two set time frames for completion and only one planned to assess the effectiveness of actions taken. Without plans and time frames to monitor corrective actions, it will be difficult for NASA to ensure that actions are effective.

NASA headquarters export control officials and CEAs lack a comprehensive inventory of the types and location of export-controlled technologies and NASA headquarters officials have not addressed deficiencies raised in oversight tools, limiting their ability to take a risk-based approach to compliance. Export compliance guidance from the regulatory agencies of State and Commerce states the importance of identifying controlled items and continuously assessing risks. NASA headquarters officials acknowledge the benefits of identifying controlled technologies, but stated that current practices, such as foreign national screening, are sufficient to manage risk and that they lack resources to do more. Recently identified deficiencies in foreign national visitor access discussed above suggest otherwise. Three CEAs have early efforts under way to better identify technologies which could help focus compliance on areas of greatest risk. For example, one CEA is working with NASA's Office of Protective Services Counterintelligence Division to identify the most sensitive technologies at the center to help tailor oversight efforts. Such approaches, implemented NASA-wide, could enable the agency to better target existing resources to protect sensitive technologies.

Why GAO Did This Study

NASA develops sophisticated technologies and shares them with its international partners and others. U.S. export control regulations require NASA to identify and protect its sensitive technology; NASA delegates implementation of export controls to its 10 research and space centers. Recent allegations of export control violations at two NASA centers have raised questions about NASA's ability to protect its sensitive technologies. GAO was asked to review NASA's export control program.

This report assessed (1) NASA's export control policies and how centers implement them, and (2) the extent to which NASA Headquarters and CEAs apply oversight of center compliance with its export control policies. To do this, GAO reviewed export control laws and regulations, NASA export control policies, and State and Commerce export control compliance guidance. GAO also reviewed NASA information on foreign national visits and technical papers and interviewed officials from NASA and its 10 centers as well as from other agencies.

What GAO Recommends

GAO recommends that the NASA Administrator establish guidance to better define the CEA function, establish time frames to implement foreign national access corrective actions and assess results, and establish a more risk-based approach to oversight, among other actions. NASA concurred with all of our recommendations and provided information on actions taken or planned to address them.

For more information, contact Belva Martin at (202) 512-4841 or martinb@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: NASA concurred with the recommendation. In July 2014, NASA reported that the Office of International and Interagency Relations is working with the NASA Office of Human Capital Management to revise position descriptions and organizational affiliations for the CEAs Agency wide to confirm a consistent grade and reporting chain and is updating NASA Procedural Requirement (NPR) 2190.IB, NASA's Export Control Program, to codify this structure.

    Recommendation: To ensure consistent implementation of NASA's export control program, the NASA Administrator should establish guidance defining the appropriate level and organizational placement of the CEA function.

    Agency Affected: National Aeronautics and Space Administration

  2. Status: Open

    Comments: NASA concurred with the recommendation. In July 2014, NASA reported that once the CEA grade and reporting structure analysis is finalized (in response to the GAO's first recommendation), NASA will use the lessons learned from that review to evaluate resource requirements for the CEA function at each Center. The Office of International and Interagency Relations is working with each of the NASA Centers to confirm current resource allocations and solicit specific concerns regarding workload related issues.

    Recommendation: To ensure consistent implementation of NASA's export control program, the NASA Administrator should assess CEA workload and other factors to determine appropriate resources needed to support the CEA function at each center.

    Agency Affected: National Aeronautics and Space Administration

  3. Status: Open

    Comments: NASA concurred with the recommendation. In July 2014, NASA reported that it had initiated efforts to implement a risk-based approach for targeted technologies of particular concern, working with CEAs, program managers, and counterintelligence professionals to identify key technologies and catalog those key technologies at each Center. NASA described a joint effort between the Offices of International and Interagency Affairs, the Chief Technologist, Protective Services, and Mission Support to identify and catalogue NASA's technologies, which it believes will be useful in implementing a risk-based assessment of key technologies.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should implement a risk-based approach to the export control program by using existing information sources, such as counterintelligence assessments, to identify targeted technologies and then direct that the types and location of those export-controlled technologies are identified and managed by CEAs within each center.

    Agency Affected: National Aeronautics and Space Administration

  4. Status: Open

    Comments: NASA concurred with the recommendation. In July 2014, NASA reported that the export control program completed its Annual Export Control Internal Audit. NASA added that the Office of International and Interagency Relations was distributing the results of that audit to Center Directors and planned to formally request they oversee the implementation of the responses to all findings from the annual audit related to their Center. Additionally, NASA plans to update NPR 2l90.IB to codify NASA's response to this recommendation.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should direct Center Directors to oversee implementation of export-related audit findings which could involve collaboration among several center offices.

    Agency Affected: National Aeronautics and Space Administration

  5. Status: Open

    Comments: NASA concurred with the recommendation. In July 2014, NASA reported that the Headquarters Export Administrator (HEA) briefed the CEAs at the May 2014 export control program review on the new process to document and report on actions and issues raised by CEAs. The HEA documented issues and comments, assigned due dates for each action, and plans to report on progress during quarterly video conferences with the NASA export control program community where participants will have the opportunity to raise additional concerns. NASA reports that this process for continuous improvement will be documented in the Export Control Program Manual that is currently in development.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should develop a plan, including timeframes for addressing CEA issues and suggestions for improvement provided during the annual export control conference, and share the plan with CEAs.

    Agency Affected: National Aeronautics and Space Administration

  6. Status: Open

    Comments: NASA concurred with the recommendation. NASA reported that, at the May 2014 export control program review, the Headquarters Export Administrator reinforced the importance of making voluntary disclosures and their use as demonstrative of a healthy program. NASA reports it has revised the process for making voluntary disclosures, informed the CEAs, and will incorporate the new process in the planned update to NPR 2l90.1B.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should re-emphasize to CEAs the requirements on how and when to notify the Headquarters Export Administrator about potential voluntary disclosures to ensure more consistent reporting of potential export control violations at NASA centers.

    Agency Affected: National Aeronautics and Space Administration

  7. Status: Open

    Comments: NASA concurred with the recommendation. In July 2014, NASA reported that it established a foreign national access management program manual within the Office of Protective Services. NASA also stated it is developing a Foreign National Access Management Program Manual that will incorporate specific guidelines for monitoring and implementing corrective measures. On June 6, 2014, the Assistant Administrator for the Office of Protective Services, the Chief Information Officer, and the Associate Administrator for OIIR signed a Program Commitment Agreement to establish the formal foreign national assessment management program and form a task force to prepare the program manual and to continue to implement this program.

    Recommendation: To improve NASA's oversight and address identified deficiencies in the export control program, the NASA Administrator should develop plans with specific time frames to monitor corrective actions related to management of foreign national access to NASA facilities and assess their effectiveness.

    Agency Affected: National Aeronautics and Space Administration

 

Explore the full database of GAO's Open Recommendations »

Jul 23, 2014

Jul 16, 2014

Jun 20, 2014

May 15, 2014

May 8, 2014

Apr 15, 2014

Mar 12, 2014

Feb 4, 2014

Jan 13, 2014

Jan 8, 2014

Looking for more? Browse all our products here