Cybersecurity: NASA Needs to Fully Implement Risk Management

GAO-25-108138 Published: Jun 25, 2025. Publicly Released: Jun 25, 2025.
Fast Facts

NASA plans to invest about $80 billion in its major projects to continue exploring Earth, the moon, and the solar system. NASA's cybersecurity risk management program is a set of steps it should take to protect systems and information when developing these projects. Each step comprises a set of related tasks.

NASA completed at least some cybersecurity tasks in each program step for all the projects we reviewed. But some of the tasks that haven't been done are important. For example, NASA didn't do an agency-wide risk assessment, which would allow it to prioritize cyber threats and mitigate the highest risks. We made recommendations to help.

Orion Multi-Purpose Crew Vehicle

Highlights

What GAO Found

Spacecraft and space systems are operating in a cyber threat environment with increased risks of attack and mission disruption. To help protect systems at federal agencies such as the National Aeronautics and Space Administration (NASA), the National Institute of Standards and Technology developed cybersecurity risk management guidelines. The guidelines include seven key risk management steps: prepare, categorize systems, select controls, implement controls, assess control implementation, authorize the system, and continuously monitor security control effectiveness.

NASA fully or partially implemented all steps of its cybersecurity risk management program for selected systems. However, partial determinations indicate that NASA did not perform key activities within the steps. For example:

  • For the prepare step, NASA did not have an approved organization-wide risk assessment. Such an assessment is essential to identifying and mitigating the highest priority cyber threats across the enterprise.
  • Regarding the monitor step, selected systems did not document system-level continuous monitoring strategies due in large part to the lack of guidance on how to do so. Without documented strategies that are fully understood by key cyber personnel, organizations face increased risks of data breaches, delayed detection of threats, and slower responses to attacks.

The following table summarizes the extent to which NASA implemented each risk management step for the four selected systems.

Extent to Which National Aeronautics and Space Administration (NASA) and Selected Systems Implemented Risk Management Steps

Columns: Risk management step | Implementation by NASA organization | Implementation across selected systems

Steps (rows): Prepare^a; Categorize; Select; Implement; Assess; Authorize; Monitor

Legend: ●—implemented; ◐—partially implemented; ○—not implemented

Source: GAO analysis of NASA documentation. | GAO-25-108138

^a For the review of the Prepare step, GAO evaluated the organizational-level activities and not the system-level activities.

Developing, implementing, and maintaining a comprehensive cybersecurity risk management program is critical to protecting NASA's systems and information, detecting suspicious activity, and responding to incidents. Without a strong risk management program covering the selected systems, NASA faces increased risks that cyber incidents could result in loss of mission data, or decreased lifespan or capability of space systems.

Why GAO Did This Study

NASA's space development project portfolio includes 36 major projects. Over the lifecycle of these projects, NASA plans to invest about $80 billion in them.

GAO was asked to review cybersecurity risk management at NASA. This report assesses the extent to which NASA implemented cybersecurity risk management for selected major projects.

GAO reviewed NASA policies and guidance regarding cybersecurity risk management. GAO selected a nongeneralizable sample of two major projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps and associated activities. GAO also interviewed project and cybersecurity officials.

This report is a public version of a sensitive report issued in March 2025. Information that NASA deemed sensitive has been omitted.

Recommendations

GAO is making 16 recommendations to NASA to ensure that key activities within the risk management steps are being performed. These activities include (1) preparing and approving an organization-wide cybersecurity risk assessment, and (2) updating its guidance to help ensure that selected systems have documented continuous monitoring strategies. In its comments on the sensitive version of the report, NASA concurred with seven recommendations, partially concurred with four recommendations, and did not concur with the remaining five recommendations. GAO maintains that all recommendations are warranted.

Recommendations for Executive Action

Agency affected (all recommendations): National Aeronautics and Space Administration

Recommendation 1 (Status: Open)
The NASA Administrator should ensure that NASA's Chief Information Officer prepares and approves an organization-wide cybersecurity risk assessment.
NASA disagreed with this recommendation, stating that the agency uses a near real-time cybersecurity dashboard that aggregates and displays actionable risks that can be identified and remediated at the system level. NASA stated that it uses this dashboard in lieu of a static organization-wide security risk assessment. However, as of May 2026, NASA had not provided evidence showing that the dashboard is sufficiently aggregating risk information for information systems in lieu of a documented organization-wide security risk assessment. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 2 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that the documented impact levels for confidentiality, integrity, and availability for all systems match the risk of the system, and that any changes to the provisional impact levels are fully justified in accordance with NASA policy.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer will work with system owners to make sure these changes are implemented. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 3 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to update its guidance to include oversight responsibilities for ensuring NASA-defined control baselines are properly applied when baselines are updated.
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation 4 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to update its policies to provide more specific guidance about how to document assessment results for all types of critical controls, including inherited controls.
NASA disagreed with this recommendation, stating that existing guidance documents provide sufficient direction on how to document assessment results for all controls. However, this guidance does not provide specific information on documenting assessment results for controls that are both critical and inherited. As of May 2026, NASA has not provided evidence that its guidance has been updated to provide more specific guidance about how to document assessment results for all types of critical controls, including inherited controls. We will continue to monitor the status of this recommendation.

Recommendation 5 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the first system found to be unsatisfied during security control assessments include recommendations and a residual risk level.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer plans to work with the system owners to ensure that this information is included in security assessment reports where appropriate. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 6 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the second system found to be unsatisfied during security control assessments include recommendations and a residual risk level.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer plans to work with the system owners to ensure that this information is included in security assessment reports where appropriate. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 7 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the third system found to be unsatisfied during security control assessments include recommendations and a residual risk level.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer plans to work with the system owners to ensure that this information is included in security assessment reports where appropriate. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 8 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that all critical controls for the fourth system found to be unsatisfied during security control assessments include recommendations and a residual risk level.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer plans to work with the system owners to ensure that this information is included in security assessment reports where appropriate. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 9 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that POA&Ms related to critical controls for the first system include all key information outlined by its policies and procedures, including risk levels.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer plans to work with the system owners to ensure that this information is included in security assessment reports where appropriate. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 10 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to ensure that POA&Ms related to critical controls for the second system include all key information outlined by its policies and procedures, including risk levels.
NASA agreed with this recommendation, stating that the Office of the Chief Information Officer will work with the appropriate system owners to ensure that POA&Ms related to critical controls for the system include all key information outlined by its policies and procedures, including risk levels. However, as of May 2026, NASA has not yet provided evidence that these changes have been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 11 (Status: Open)
The NASA Administrator should direct the information system owner for the first system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner.
NASA partially agreed with this recommendation, stating that the Office of the Chief Information Officer will work with the system owners to ensure that NASA policies are followed when POA&Ms are created for all critical controls. As of May 2026, NASA has not yet provided evidence that this recommendation has been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 12 (Status: Open)
The NASA Administrator should direct the information system owner for the second system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner.
NASA partially agreed with this recommendation, stating that the Office of the Chief Information Officer will work with the system owners to ensure that NASA policies are followed when POA&Ms are created for all critical controls. As of May 2026, NASA has not yet provided evidence that this recommendation has been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 13 (Status: Open)
The NASA Administrator should direct the information system owner for the third system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner.
NASA partially agreed with this recommendation, stating that the Office of the Chief Information Officer will work with the system owners to ensure that NASA policies are followed when POA&Ms are created for all critical controls. As of May 2026, NASA has not yet provided evidence that this recommendation has been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 14 (Status: Open)
The NASA Administrator should direct the information system owner for the fourth system to ensure that estimated completion dates for POA&Ms related to all critical controls for the system are reasonable (e.g., less susceptible to extensions) and that POA&Ms related to all critical controls are completed in a timely manner.
NASA partially agreed with this recommendation, stating that the Office of the Chief Information Officer will work with the system owners to ensure that NASA policies are followed when POA&Ms are created for all critical controls. As of May 2026, NASA has not yet provided evidence that this recommendation has been implemented. Once the agency provides this evidence, we plan to verify whether implementation has occurred.

Recommendation 15 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to update its policies for the authorize step to include quality control activities to ensure that the information developed for authorization packages is appropriate, current, complete, and accurate.
NASA disagreed with this recommendation, stating that the Office of the Chief Information Officer has policies for the authorize step as well as procedures for oversight related to the information developed for authorization packages. However, the agency's guidance does not describe quality control activities for officials to ensure the information was appropriate, current, complete, and accurate. As of May 2026, NASA has not provided evidence that its policies for the authorize step have been updated to include quality control activities to ensure that the information developed for authorization packages is appropriate, current, complete, and accurate. We will continue to monitor the status of this recommendation.

Recommendation 16 (Status: Open)
The NASA Administrator should direct NASA's Chief Information Officer to update NASA's continuous monitoring guidance to provide sufficient information to allow systems to develop clearly defined and understood continuous monitoring strategies, and ensure that selected systems develop continuous monitoring strategies in alignment with the updated guidance.
NASA disagreed with this recommendation, stating that its current guidance sufficiently guides systems to develop a system-level continuous monitoring strategy. However, this guidance document does not contain specific information on how to develop and document a system's continuous monitoring strategy, and states that a future update of the document will include such information. As of May 2026, NASA has not provided evidence that the guidance document has been updated to provide sufficient information to allow systems to develop clearly defined and understood continuous monitoring strategies. We will continue to monitor the status of this recommendation.

GAO Contacts

Kevin Walsh
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Continuous monitoring, Information security, Information systems, Risk management, System security plans, Cybersecurity, Risk assessment, Privacy, Chief information officers, Compliance oversight