This is the accessible text file for GAO report number GAO-10-4 
entitled 'Information Security: NASA Needs to Remedy Vulnerabilities in 
Key Networks' which was released on October 15, 2009. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 
GAO: 

October 2009: 

Information Security: 

NASA Needs to Remedy Vulnerabilities in Key Networks: 

GAO-10-4: 

GAO Highlights: 

Highlights of GAO-10-4, a report to congressional committees. 

Why GAO Did This Study: 

The National Aeronautics and Space Administration (NASA) relies 
extensively on information systems and networks to pioneer space 
exploration, scientific discovery, and aeronautics research. Many of 
these systems and networks are interconnected through the Internet, and 
may be targeted by evolving and growing cyber threats from a variety of 
sources. 

GAO was directed to (1) determine whether NASA has implemented 
appropriate controls to protect the confidentiality, integrity, and 
availability of the information and systems used to support NASA’s 
mission directorates and (2) assess NASA’s vulnerabilities in the 
context of prior incidents and corrective actions. To do this, GAO 
examined network and system controls in place at three centers; 
analyzed agency information security policies, plans, and reports; and 
interviewed agency officials. 

What GAO Found: 

Although NASA has made important progress in implementing security 
controls and aspects of its information security program, it has not 
always implemented appropriate controls to sufficiently protect the 
confidentiality, integrity, and availability of the information and 
systems supporting its mission directorates. Specifically, NASA did not 
consistently implement effective controls to prevent, limit, and detect 
unauthorized access to its networks and systems. For example, it did 
not always sufficiently (1) identify and authenticate users, (2) 
restrict user access to systems, (3) encrypt network services and data, 
(4) protect network boundaries, (5) audit and monitor computer-related 
events, and (6) physically protect its information technology 
resources. In addition, weaknesses existed in other controls to 
appropriately segregate incompatible duties and manage system 
configurations and implement patches. A key reason for these weaknesses 
is that NASA has not yet fully implemented key activities of its 
information security program to ensure that controls are appropriately 
designed and operating effectively. Specifically, it has not always (1) 
fully assessed information security risks; (2) fully developed and 
documented security policies and procedures; (3) included key 
information in security plans; (4) conducted comprehensive tests and 
evaluation of its information system controls; (5) tracked the status 
of plans to remedy known weaknesses; (6) planned for contingencies and 
disruptions in service; (7) maintained capabilities to detect, report, 
and respond to security incidents; and (8) incorporated important 
security requirements in its contract with the Jet Propulsion 
Laboratory. 

Despite actions to address prior security incidents, NASA remains 
vulnerable to similar incidents. NASA networks and systems have been 
successfully targeted by cyber attacks. During fiscal years 2007 and 
2008, NASA reported 1,120 security incidents that have resulted in the 
installation of malicious software on its systems and unauthorized 
access to sensitive information. To address these incidents, NASA 
established a Security Operations Center in 2008 to enhance prevention 
and provide early detection of security incidents and coordinate 
agency-level information related to its security posture. Nevertheless, the 
control vulnerabilities and program shortfalls, which GAO identified, 
collectively increase the risk of unauthorized access to NASA’s 
sensitive information, as well as inadvertent or deliberate disruption 
of its system operations and services. They make it possible for 
intruders, as well as government and contractor employees, to bypass or 
disable computer access controls and undertake a wide variety of 
inappropriate or malicious acts. As a result, increased and unnecessary 
risk exists that sensitive information is subject to unauthorized 
disclosure, modification, and destruction and that mission operations 
could be disrupted. 

What GAO Recommends: 

GAO recommends that the NASA Administrator take steps to mitigate 
control vulnerabilities and fully implement a comprehensive information 
security program. In commenting on a draft of this report, NASA 
concurred with GAO’s recommendations and stated that it will continue 
to mitigate the information security weaknesses identified. 

To view the full report, click on [hyperlink, 
http://www.gao.gov/products/GAO-10-4]. For more information, contact 
Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov or Dr. 
Nabajyoti Barkakati, (202) 512-4499, barkakatin@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Control Weaknesses Jeopardize NASA Systems and Networks: 

Despite Actions to Address Security Incidents, NASA Remains Vulnerable: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: NASA Organization Chart: 

Appendix III: Missions of NASA Centers and the Jet Propulsion 
Laboratory: 

Appendix IV: Comments from NASA: 

Appendix V: GAO Contacts and Staff Acknowledgments: 

Tables: 

Table 1: Current Support of Mission Directorates by NASA Headquarters, 
Centers, and JPL: 

Table 2: Examples of Key Networks Supporting NASA's Mission 
Directorates: 

Table 3: Key NASA Information Security Responsibilities: 

Figures: 

Figure 1: NASA Headquarters, Centers, and the Jet Propulsion 
Laboratory: 

Figure 2: Examples of NASA Programs and Projects: 

Figure 3: Simplified Illustration of Key Networks Supporting NASA 
Programs and Projects: 

Figure 4: Total Computer Security Incidents in Categories 1 through 5 
Reported by NASA to US-CERT for Fiscal Years 2007-2008: 

Abbreviations: 

CIO: Chief Information Officer: 

DSN: Deep Space Network: 

FAR: Federal Acquisition Regulation: 

FIPS: Federal Information Processing Standards: 

FISMA: Federal Information Security Management Act: 

IONet: Internet Protocol Operational Network: 

IT: information technology: 

JPL: Jet Propulsion Laboratory: 

NASA: National Aeronautics and Space Administration: 

NISN: NASA Integrated Services Network Mission and Corporate Network: 

NIST: National Institute of Standards and Technology: 

NSA: National Security Agency: 

OMB: Office of Management and Budget: 

POA&M: plans of action and milestones: 

SOC: Security Operations Center: 

US-CERT: United States Computer Emergency Readiness Team: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

October 15, 2009: 

The Honorable John D. Rockefeller, IV: 
Chairman: 
The Honorable Kay Bailey Hutchison: 
Ranking Member: 
Committee on Commerce, Science, and Transportation: 
United States Senate: 

The Honorable Bart Gordon: 
Chairman: 
The Honorable Ralph M. Hall: 
Ranking Member: 
Committee on Science and Technology: 
House of Representatives: 

The National Aeronautics and Space Administration's (NASA) mission is 
to pioneer the future in space exploration, scientific discovery, and 
aeronautics research. To carry out its critical mission and business 
operations, NASA depends on interconnected information systems. Many of 
these systems are interconnected through the public telecommunications 
infrastructure, including the Internet. 

Government officials are concerned about attacks from individuals and 
groups with malicious intent, such as criminals, terrorists, and 
adversarial foreign nations. For example, in February 2009, the 
Director of National Intelligence testified that foreign nations and 
criminals have targeted government and private sector networks to gain 
a competitive advantage and potentially disrupt or destroy them, and 
that terrorist groups have expressed a desire to use cyber attacks as a 
means to target the United States. To address such threats, NASA has 
implemented computer security controls that are intended to protect the 
confidentiality, integrity, and availability of its systems and 
information. 

In response to a congressional mandate,[Footnote 1] our objectives were 
to (1) assess the effectiveness of NASA's information security controls 
in protecting the confidentiality, integrity, and availability of its 
networks supporting mission directorates and (2) assess the 
vulnerabilities identified during the audit in the context of NASA's 
prior security incidents and corrective actions. To accomplish these 
objectives, we examined computer security controls on networks at three 
centers supporting NASA's mission directorates to see whether resources 
and information were safeguarded and protected from unauthorized 
access. We conducted vulnerability assessments of network security with 
the knowledge of NASA officials, but we did not perform unannounced 
penetration testing during this review. We also reviewed and analyzed 
NASA's security policies, plans, and reports. 

We performed this performance audit at NASA headquarters in Washington, 
D.C.; Goddard Space Flight Center in Greenbelt, Maryland; the Jet 
Propulsion Laboratory in Pasadena, California; the Marshall Space 
Flight Center in Huntsville, Alabama; and Ames Research Center in 
Moffett Field, California, from November 2008 to October 2009. See 
appendix I for further details of our objectives, scope, and 
methodology. 

We conducted our audit in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. 

Background: 

Information security is a critical consideration for any organization 
reliant on information technology (IT) and especially important for 
government agencies, where maintaining the public's trust is essential. 
The dramatic expansion in computer interconnectivity, and the rapid 
increase in the use of the Internet, have changed the way our 
government, the nation, and much of the world communicate and conduct 
business. However, without proper safeguards, systems are unprotected 
from attempts by individuals and groups with malicious intent to 
intrude and use the access to obtain sensitive information, commit 
fraud, disrupt operations, or launch attacks against other computer 
systems and networks. This concern is well-founded for a number of 
reasons, including the dramatic increase in reports of security 
incidents, the ease of obtaining and using hacking tools, the steady 
advance in the sophistication and effectiveness of attack technology, 
and the dire warnings of new and more destructive attacks to come. 

Cyber threats to federal information systems and cyber-based critical 
infrastructures are evolving and growing. These threats can be 
unintentional or intentional, targeted or nontargeted, and can come 
from a variety of sources, such as foreign nations engaged in espionage 
and information warfare, criminals, hackers, virus writers, and 
disgruntled employees and contractors working within an organization. 
Moreover, these groups and individuals have a variety of attack 
techniques at their disposal, and cyber exploitation activity has grown 
more sophisticated, more targeted, and more serious. As government, 
private sector, and personal activities continue to move to networked 
operations, as digital systems add ever more capabilities, as wireless 
systems become more ubiquitous, and as the design, manufacture, and 
service of IT have moved overseas, the threat will continue to grow. In 
the absence of robust security programs, federal agencies have 
experienced a wide range of incidents involving data loss or theft and 
computer intrusions, underscoring the need for improved security 
practices. 

Recognizing the importance of securing federal agencies' information 
and systems, Congress enacted the Federal Information Security 
Management Act of 2002 (FISMA) to strengthen the security of 
information and information systems within federal agencies.[Footnote 
2] FISMA requires each agency to use a risk-based approach to develop, 
document, and implement an agencywide security program for the 
information and information systems that support the operations and 
assets of the agency, including those provided or managed by another 
agency, contractor, or other source. 

NASA's Mission and Organization: 

The National Aeronautics and Space Act of 1958 (Space Act), as amended, 
established NASA as the civilian agency that exercises control over 
U.S. aeronautical and space activities and seeks and encourages the 
fullest commercial use of space.[Footnote 3] NASA's mission is to 
pioneer the future of space exploration, scientific discovery, and 
aeronautics research. Its current and planned activities span a broad 
range of complex and technical endeavors, including deploying a global 
climate change research and monitoring system, returning Americans to 
the Moon and exploring other destinations, flying the Space Shuttle to 
complete the International Space Station, and developing new space 
transportation systems. 

NASA is composed of a headquarters office in Washington, D.C., nine 
centers located around the country, and the Jet Propulsion Laboratory 
(JPL), which is a Federally Funded Research and Development Center 
[Footnote 4] under a contract with the California Institute of 
Technology (see figure 1). 

Figure 1: NASA Headquarters, Centers, and the Jet Propulsion 
Laboratory: 

[Refer to PDF for image: map of the U.S.] 

The following locations are indicated on the map: 

Ames Research Center (Moffett Field, CA); 
Dryden Flight Research Center (Edwards Air Force Base, CA); 
Glenn Research Center (Cleveland, OH); 
Goddard Space Flight Center (Greenbelt, MD); 
Jet Propulsion Laboratory (Pasadena, CA); 
Johnson Space Center (Houston, TX); 
Kennedy Space Center (Cape Canaveral, FL); 
Langley Research Center (Hampton, VA); 
Marshall Space Flight Center (Huntsville, AL); 
NASA Headquarters (Washington, D.C.); 
Stennis Space Center (Hancock County, MS). 

Sources: NASA (data), Map Resources (map). 

[End of figure] 

Headquarters: 

Headquarters is responsible for providing the agency's strategic 
direction, top-level requirements, schedules, budgets, and oversight of 
its mission. The NASA Administrator is responsible for leading the 
agency and is accountable for all aspects of its mission, including 
establishing and articulating its vision and strategic priorities and 
ensuring successful implementation of supporting policies, programs, 
and performance assessments. In this regard, the Office of the 
Administrator has overall responsibility for overseeing the activities 
and functions of the agency's mission and mission support directorates 
and centers. 

NASA Headquarters has the following four mission directorates that 
define the agency's major lines of business or core mission segments: 

* Aeronautics Research pursues long-term, innovative, and cutting-edge 
research that develops tools, concepts, and technologies to enable a 
safer, more flexible, environmentally friendly, and more efficient 
national air transportation system. It also supports the agency's human 
and robotic reentry vehicle research. 

* Exploration Systems is leading the effort to develop capabilities for 
sustained and affordable human and robotic missions. The directorate is 
focused on developing the agency's next generation of human exploration 
spacecraft designed to carry crew and cargo to low Earth orbit and 
beyond, and partnering with industry and expanding the commercial 
technology sector. The directorate's responsibilities include operating 
the Lunar Reconnaissance Orbiter, Ares V Cargo Launch Vehicle, and 
Orion Crew Exploration Vehicle. 

* Science carries out the scientific exploration of Earth and space to 
expand the frontiers of earth science, heliophysics, planetary science, 
and astrophysics. Through a variety of robotic observatory and explorer 
craft, and through sponsored research, the directorate provides virtual 
human access to the farthest reaches of space and time, as well as 
practical information about changes on Earth. The directorate's 
responsibilities include operating the Cassini orbiter, Hubble Space 
Telescope, and James Webb Space Telescope. 

* Space Operations provides mission critical space exploration services 
to both NASA customers and to other partners within the United States 
and throughout the world. The directorate's responsibilities include 
flying the Space Shuttle to assemble the International Space Station, 
operating it after assembly is completed, and ensuring the health and 
safety of astronauts. 

Each of the agency's four directorates is responsible and accountable 
for mission safety and success for the programs and projects assigned 
to it. Figure 2 contains images and artist renderings of some of the 
spacecraft that are deployed or in development that support the 
agency's programs and projects. 

Figure 2: Examples of NASA Programs and Projects: 

[Refer to PDF for image: photographs] 

Left to right: row 1, International Space Station, Space Shuttle, and 
Cassini orbiter; row 2, Hubble Space Telescope and James Webb Space 
Telescope; row 3, Lunar Reconnaissance Orbiter, Ares V Cargo Launch 
Vehicle, and Orion Crew Exploration Vehicle. 

Source: NASA. 

[End of figure] 

NASA headquarters also consists of mission support offices and other 
offices that advise the administrator and carry out the common or 
shared services that support core mission segments. These support 
offices include the Office of Chief Safety and Mission Assurance, 
Office of Security and Program Protection, Office of the Chief 
Financial Officer, Office of the Chief Information Officer, Office of 
the Inspector General, and Office of Institutions and Management. See 
appendix II for the agency's organization chart. 

NASA Centers: 

Centers are responsible for executing the agency programs and projects. 
Each center has a director who reports to an Associate Administrator in 
the Office of the Administrator. A key institutional role of center 
directors is that of service across mission directorate needs and 
determining how best to support the various programs and projects 
hosted at a given center. Specific responsibilities include (1) 
providing resources and managing center operations; (2) ensuring that 
statutory, regulatory, fiduciary, and NASA requirements are met; and 
(3) establishing and maintaining the staff and their competency. 

Jet Propulsion Laboratory: 

JPL is a Federally Funded Research and Development Center that is 
operated by the California Institute of Technology using 
government-owned equipment. The California Institute of Technology is under a 
contract with NASA that is renegotiated every 5 years. JPL develops and 
maintains technical and managerial competencies specified in the 
contract in support of NASA's programs and projects including (1) 
exploring the solar system to fully understand its formation and 
evolution, (2) establishing continuous permanent robotic presence on 
Mars to discover its history and habitability, and (3) conducting 
communications and navigation for deep space missions. 

Headquarters, centers, and JPL support multiple mission directorates by 
taking on management responsibility and contributing to their programs 
and projects. See appendix III for a description of the missions of the 
individual centers and JPL. Table 1 identifies the mission directorates 
supported by each of these entities. 

Table 1: Current Support of Mission Directorates by NASA Headquarters, 
Centers, and JPL: 

Headquarters: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Ames Research Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Dryden Flight Research Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Glenn Research Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Goddard Space Flight Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Johnson Space Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Kennedy Space Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Langley Research Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Marshall Space Flight Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Stennis Space Center: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Jet Propulsion Laboratory: 
Aeronautics Research: [Empty]; 
Exploration Systems: [Empty]; 
Science: [Empty]; 
Space Operations: [Empty]. 

Source: GAO analysis based on NASA data. 

[End of table] 

In fiscal year 2009, NASA had a budget of $17.78 billion and employed 
approximately 18,000 civil service employees and utilized approximately 
30,000 contractor employees. NASA's budget request for fiscal year 2010 
is $18.686 billion, which is roughly a 5 percent increase from fiscal 
year 2009. The agency's IT budget in fiscal year 2009 was $1.6 billion, 
of which $15 million was dedicated to IT security. 

NASA Partners with a Variety of Organizations: 

The Space Act authorizes and encourages NASA to enter into partnerships 
that help fulfill its mission. Thus, the agency engages in strategic 
partnerships with other federal agencies, and a wide variety of 
academic, private sector, and international organizations to leverage 
their unique capabilities. For example, the agency partners with (1) 
the space agencies of Canada, Japan, and Russia as well as European 
Space Agency country members Belgium, Denmark, France, Germany, Italy, 
Netherlands, Norway, Spain, Sweden, and the United Kingdom; (2) federal 
agencies such as the Federal Aviation Administration, the Department of 
Energy, the National Oceanic and Atmospheric Administration, and the 
U.S. Air Force, Army, and Navy; (3) institutes, organizations, and 
universities in India, Finland, France, Latin America, New Zealand, the 
United Kingdom, and the United States; and (4) corporations such as 
Boeing and Lockheed Martin. 

Key Networks Supporting NASA's Mission Directorates: 

NASA depends on a number of key computer systems and communication 
networks to conduct its work. These networks traverse the Earth and 
beyond, providing critical two-way communication links between Earth and 
spacecraft; connections between NASA centers and partners, scientists, 
and the public; and administrative applications and functions. Table 2 
lists several of the key networks supporting the agency. 

Table 2: Examples of Key Networks Supporting NASA's Mission 
Directorates: 

Network: Enhanced Huntsville Operations Support Center System; 
Managing entity: Marshall Space Flight Center; 
Summary: The ground system responsible for integrated operational 
payload flight control and planning for the International Space 
Station. 

Network: Flight Network; 
Managing entity: Jet Propulsion Laboratory; 
Summary: Includes (1) the Deep Space Network (DSN), which supports 
NASA's deep space missions and provides critical communications and 
tracking for multiple spacecraft including Cassini. The Flight Network 
consists of radio antennae strategically located at communication 
complexes in California, Spain, and Australia to ensure that as the 
Earth turns, most spacecraft will have one of these complexes facing 
them; (2) services and tools for conducting mission operations; (3) 
infrastructure devices; (4) a Domain Name Server; and (5) e-mail. 

Network: Integrated Collaborative Environment; 
Managing entity: Marshall Space Flight Center; 
Summary: A document management and life cycle management application at 
Marshall used to manage drawings and documents and to automate 
engineering processes for the Constellation Program, which includes the 
Ares V Crew Launch Vehicle and Orion projects. 

Network: Internet Protocol Operational Network (IONet); 
Managing entity: Goddard Space Flight Center; 
Summary: A NASA-wide network that supports mission-critical spacecraft 
and science operations such as the Hubble Space Telescope and the Space 
Shuttle. It is also known as the NASA Integrated Services Network 
Mission Network (NISN). 

Network: JPLNET; 
Managing entity: Jet Propulsion Laboratory; 
Summary: JPL's administrative network that provides connectivity to its 
resources and hosts, the Internet, and NASA networks. JPLNET is not 
part of the JPL Flight Network. 

Network: NASA Integrated Services Network Mission and Corporate Network 
(NISN); 
Managing entity: Goddard Space Flight Center/Marshall Space Flight 
Center; 
Summary: Comprised of a mission network segment managed by Goddard and 
a corporate network segment managed by Marshall. The mission network 
segment (also known as the Internet Protocol Operational Network) 
provides telecommunications systems and services for mission control, 
science data handling, and program administration. Its customer base 
includes all agency centers and headquarters, the DSN, most flight 
mission programs, contractors, international partners, academia, and 
government agencies. 

Network: NASA Operational Messaging and Directory Service; 
Managing entity: Marshall Space Flight Center; 
Summary: The agency's mission support e-mail system. Many parts of NASA 
have migrated to this system, and it is intended to be the corporate 
centralized e-mail solution for nonflight activities. 

Source: GAO analysis based on NASA data. 

[End of table] 

Transmission of Satellite Data to Networks: 

Networks such as the DSN and the IONet send data to and receive data 
from spacecraft via satellite relays and ground antennae. Satellite 
telescopes accumulate status data such as the satellite's position and 
health, and science data such as images and measurements of the 
celestial object being studied. Data are stored onboard the satellite 
and transmitted to Earth in batches via satellite relays and ground 
antennae. For example, figure 3 illustrates how several of these 
networks are connected and communicate with spacecraft, such as the 
Hubble Space Telescope, the International Space Station, and the 
Cassini orbiter.[Footnote 5] 

Figure 3: Simplified Illustration of Key Networks Supporting NASA 
Programs and Projects: 

[Refer to PDF for image: illustration] 

Hubble Space Telescope: 
International Space Station: 
Link to: 
Tracking and Data Relay Satellite System: 
Link to: 
New Mexico ground station: 
Guam ground station: 
Link to: 
IONet; 
Link to: 
Other networks; 
NASA centers; 
NISN Corporate Network. 

Saturn: 
Link to: 
Cassini orbiter: 
Link to: 
California ground station; 
Spain ground station; 
Australia ground station; 
Link to: 
Flight network; 
Link to: 
JPLNET; 
Link to: 
Internet. 

IONet also links to Flight network. 

NISN Corporate Network also links to Internet. 

Source: GAO analysis of agency data. 

[End of figure] 

As shown above, the Cassini orbiter sends data directly to the ground 
station antennae at the communication complexes in Australia, 
California, and Spain. The Hubble Space Telescope and the International 
Space Station send data to ground station antennae via the Tracking and 
Data Relay Satellite System[Footnote 6] to ground stations in New 
Mexico and Guam. Data received from spacecraft are stored at antenna 
facilities until they are distributed to the appropriate locations 
through ground communications such as IONet. When data are sent to 
spacecraft these pathways are reversed. 

Information and Information Systems Supporting NASA Need Protection: 

Imperative to mission success is the protection of information and 
information systems supporting NASA. One of the agency's most valuable 
assets is the technical and scientific knowledge and information 
generated by NASA's research, science, engineering, technology, and 
exploration initiatives. The agency relies on computer networks and 
systems to collect, access, or process a significant amount of data 
that requires protection, including data considered mission-critical, 
proprietary, and/or sensitive but unclassified information. For 
example, 

* the agencywide system controlling physical access to NASA facilities 
stores personally identifiable information such as fingerprints, Social 
Security numbers, and pay grades. 

* an application for storing and sharing data such as computer-aided 
design and electrical drawings, and engineering documentation for Ares 
launch vehicles is being used by 7 agency data centers at 11 locations. 

Accordingly, effective information security controls are essential to 
ensuring that sensitive information is adequately protected from 
inadvertent or deliberate misuse, fraudulent use, improper disclosure 
or manipulation, and destruction. The compromise or loss of such 
information could cause harm to a person's privacy or welfare, 
adversely impact economic or industrial institutions, compromise 
programs or operations essential to the safeguarding of our national 
interests, and weaken the strategic technological advantage of the 
United States. 

NASA's Information Security Program: 

FISMA requires each federal agency to develop, document, and implement 
an agencywide information security program to provide security for the 
information and information systems that support the operations and 
assets of the agency, including those provided or managed by other 
agencies, contractors, or other sources. As described in table 3, NASA 
has designated certain senior managers at headquarters and its centers 
to fill the key roles in information security designated by FISMA and 
agency policy. 

Table 3: Key NASA Information Security Responsibilities: 

NASA headquarters officials: NASA Administrator; 
Key responsibilities: Responsible for implementing a comprehensive and 
effective security program for the protection of people, property, and 
information associated with the NASA mission. The administrator must 
also ensure that the agency is in compliance with information security 
standards and guidelines. 

NASA headquarters officials: NASA Chief Information Officer (CIO); 
Key responsibilities: Responsible for the NASA-wide IT security program 
and has the management oversight responsibilities for ensuring the 
confidentiality, integrity, and availability of IT resources. The CIO's 
responsibilities are also met by (1) establishing policies and 
requirements necessary to comply with FISMA and ensure that NASA 
information and information systems are protected; (2) working with the 
mission directorates, support offices, centers, and program managers to 
reallocate funds to ensure that NASA complies with FISMA and the Office 
of Management and Budget (OMB) directives; and (3) reporting to NASA 
management and OMB on the status of the agency's IT Security Program. 

NASA headquarters officials: NASA Deputy Chief Information Officer 
(CIO) for IT; 
Key responsibilities: Serves as the Senior Agency Information Security 
Officer and is responsible for implementing the IT security program of 
NASA; managing, coordinating, and maintaining the overall direction and 
structure of the NASA IT Security Program; and establishing standard 
operating procedures to ensure consistency of IT security objectives 
and solutions. 

NASA headquarters officials: Assistant Administrator for the Office of 
Security and Program Protection; 
Key responsibilities: Responsible for all aspects of classified 
national security information matters, including establishing the 
certification and accreditation policies, procedures, and guidance for 
all classified IT systems operations. The Office of Security and 
Program Protection Assistant Administrator's responsibilities include 
coordinating with the Senior Agency Information Security Officer in the 
issuance of IT security alerts regarding potential threats and exploits 
that could affect NASA IT resources and networks. 

NASA headquarters officials: NASA IT Security Officer; 
Key responsibilities: Responsible for ensuring the effectiveness of 
NASA IT security projects crossing agency centers and overseeing the 
NASA IT Security Awareness and Training Program. 

NASA headquarters officials: Manager, Competency Center for IT 
Security; 
Key responsibilities: The NASA CIO's authorized organization to provide 
agencywide IT security leadership. The Competency Center for IT 
Security Manager is responsible for involving mission directorates, 
centers, and other stakeholders to ensure the timely introduction of 
new agency standards and services and for engaging center personnel in 
the definition and implementation of standards, guidelines, and 
services. 

Center officials: Center Director; 
Key responsibilities: Responsible for protecting the center's missions 
and programs, advocating support for IT security requirements, and 
providing the resources necessary to implement IT security 
requirements. 

Center officials: Center Chief Information Officer (CIO); 
Key responsibilities: Responsible for providing sufficient resources to 
ensure compliance with agencywide IT security requirements, managing 
the center's network infrastructure to protect information system 
owners and to control unauthorized internet protocol addresses, and 
establishing an IT security incident response capability. 

Center officials: Center IT Security Manager; 
Key responsibilities: Responsible for implementing the Center IT 
Security Program, developing centerwide IT security policies and 
guidance, and maintaining an incident response capability. The IT 
Security Manager also ensures that center system security plans are 
compliant with guidance from the Senior Agency Information Security 
Officer and reports the center's IT security metrics status to center 
and agency management. 

System-specific officials: Information system owner; 
Key responsibilities: Responsible for the successful operation and 
protection of the system and its information. These individuals are 
usually civil service personnel acting as program, project, and 
functional managers but can be support service contractors or partners 
under agreements with NASA. Information system owners oversee the IT 
security of the systems or applications that are operated and managed 
through a support service contract, grant, or agreement. For government-
owned, contractor-operated facilities such as JPL, a noncivil-service 
individual, at an equivalent civil service management level, may serve 
as the on-duty line manager. 

System-specific officials: Information owner; 
Key responsibilities: Responsible for the confidentiality, integrity, 
and availability of information. Although information owners may have 
their information processed by another organization, support service 
contractor, or partner, they are ultimately responsible for 
understanding any risk that another manager has accepted for the system 
processing their information. 

System-specific officials: Organization Computer Security Official; 
Key responsibilities: Responsible for a particular organization's IT 
security program. The Organization Computer Security Official serves as 
the critical communication link to and from that organization and its 
programs for all IT security matters. Specific responsibilities include 
reporting the status of the organization's IT security posture and 
suspected and actual IT security incidents to the Center IT Security 
Manager. 

System-specific officials: Information System Security Official; 
Key responsibilities: The principal staff advisor to the information 
system owner on all matters involving the IT security of the 
information system, including physical and personnel security, incident 
handling, and security training and education. The Information System 
Security Official plays an active role in developing and updating 
information system security plans and ensuring effective and timely 
reporting of all incidents and suspected incidents in accordance with 
center procedures. 

System-specific officials: System administrator; 
Key responsibilities: NASA civil service and support service contract 
system administrators are the managers and technicians who design and 
operate IT resources for their respective centers. They usually have 
privileged access to NASA information resources. Specific 
responsibilities include ensuring that security controls described in 
system security plans are properly implemented and following the 
center's incident response procedures. 

Source: GAO analysis of NASA data. 

[End of table] 

Control Weaknesses Jeopardize NASA Systems and Networks: 

Although NASA had implemented many information security controls to 
protect networks supporting its missions, weaknesses existed in several 
critical areas. Specifically, the centers did not consistently 
implement effective electronic access controls, including user accounts 
and passwords, access rights and permissions, encryption of sensitive 
data, protection of information system boundaries, audit and monitoring 
of security-relevant events, and physical security to prevent, limit, 
and detect access to their networks and systems. In addition, 
weaknesses in other information system controls, including managing 
system configurations and patching sensitive systems, further increase 
the risk to the information and systems that support NASA's missions. A 
key reason for these weaknesses was that NASA had not yet fully 
implemented key elements of its information security program. As a 
result, highly sensitive personal, scientific, and other data were at 
an increased risk of unauthorized use, modification, or disclosure. 

NASA Did Not Sufficiently Control Access to Information Resources: 

A basic management objective for any organization is to protect the 
resources that support its critical operations from unauthorized 
access. Organizations accomplish this objective by designing and 
implementing controls that are intended to prevent, limit, and detect 
unauthorized access to computing resources, programs, information, and 
facilities. Inadequate access controls diminish the reliability of 
computerized information and increase the risk of unauthorized 
disclosure, modification, and destruction of sensitive information and 
disruption of service. Access controls include those related to (1) 
user identification and authentication, (2) user access authorizations, 
(3) cryptography, (4) boundary protection, (5) audit and monitoring, 
and (6) physical security. Weaknesses in each of these areas existed 
across the NASA environment. 

Controls for Identifying and Authenticating Users Were Not Effectively 
Enforced: 

A computer system must be able to identify and authenticate different 
users so that activities on the system can be linked to specific 
individuals. When an organization assigns unique user accounts to 
specific users, the system is able to distinguish one user from 
another--a process called identification. The system must also 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. The combination of 
identification and authentication--such as user account/password 
combinations--provides the basis for establishing individual 
accountability and for controlling access to the system. National 
Institute of Standards and Technology (NIST) states that (1) 
information systems should uniquely identify and authenticate users (or 
processes on behalf of users), (2) passwords should be implemented that 
are sufficiently complex to slow down attackers, (3) information 
systems should protect passwords from unauthorized disclosure and 
modification when stored and transmitted, and (4) passwords should be 
encrypted to ensure that the computations used in a dictionary or 
password cracking attack against a stolen password file cannot be used 
against similar password files. 

NASA did not adequately identify and authenticate users in systems and 
networks supporting mission directorates. For example, NASA did not 
configure certain systems and networks at two centers to have complex 
passwords. Specifically, these systems and networks did not always 
require users to create long passwords. In addition, users did not need 
passwords to access certain network devices. Furthermore, encrypted 
password and network configuration files were not adequately protected, 
and passwords were not encrypted. As a result, increased risk exists 
that a malicious individual could guess or otherwise obtain user 
identification and passwords to gain network access to NASA systems and 
sensitive data. 
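
The fourth NIST point above, shown as an added example that is not part
of the GAO report: when every account gets its own random salt, the
dictionary computation done against one password file cannot be reused
against another. The salt-plus-PBKDF2 scheme is this example's choice of
technique (the report names no algorithm), and the passwords, wordlist,
account names, and iteration count are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample values for this example only.
SHARED_PASSWORD = "Orbit-2009-launch"
WORDLIST = ["password", "welcome1", SHARED_PASSWORD]
PBKDF2_ITERATIONS = 200_000  # assumed work factor, not taken from the report


def unsalted_record(password: str) -> str:
    """Weak storage: a bare SHA-256 digest, identical in every file."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: random 16-byte salt per account plus PBKDF2."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def digest_table(words: List[str]) -> Dict[str, str]:
    """One pass of dictionary computation: hex digest -> word."""
    return {unsalted_record(word): word for word in words}


def exposed_accounts(table: Dict[str, str],
                     stored: Dict[str, str]) -> Dict[str, str]:
    """Accounts whose stored hex digest appears in an existing table."""
    return {user: table[d] for user, d in stored.items() if d in table}


def compare_storage() -> Dict[str, object]:
    """Store one password in two separate files, unsalted and salted."""
    table = digest_table(WORDLIST)  # computed once, before either file is seen

    # Two unrelated password files that hold bare digests.
    file_a = {"alice": unsalted_record(SHARED_PASSWORD)}
    file_b = {"bob": unsalted_record(SHARED_PASSWORD)}
    unsalted_exposed = dict(exposed_accounts(table, file_a))
    unsalted_exposed.update(exposed_accounts(table, file_b))

    # The same two accounts stored with a fresh salt each.
    salt_a, digest_a = salted_record(SHARED_PASSWORD)
    salt_b, digest_b = salted_record(SHARED_PASSWORD)
    salted_files = {"alice": digest_a.hex(), "bob": digest_b.hex()}

    return {
        "unsalted_identical": file_a["alice"] == file_b["bob"],
        "unsalted_exposed": unsalted_exposed,
        "salted_identical": digest_a == digest_b,
        "salted_exposed": exposed_accounts(table, salted_files),
        "login_ok": verify(SHARED_PASSWORD, salt_a, digest_a),
        "wrong_password_ok": verify("password", salt_a, digest_a),
    }


if __name__ == "__main__":
    for name, value in compare_storage().items():
        print(f"{name}: {value}")
```

The salt is stored beside the digest and is not secret; its purpose is
to force the dictionary work to be repeated for every account.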

User Access to NASA Systems Was Not Always Sufficiently Restricted: 

Authorization is the process of granting or denying access rights and 
privileges to a protected resource, such as a network, system, 
application, function, or file. A key component of granting or denying 
access rights is the concept of "least privilege." Least privilege is a 
basic principle for securing computer resources and data that means 
that users are granted only those access rights and permissions that 
they need to perform their official duties. To restrict legitimate 
users' access to only those programs and files that they need in order 
to do their work, organizations establish access rights and 
permissions. "User rights" are allowable actions that can be assigned 
to users or to groups of users. File and directory permissions are 
rules that are associated with a particular file or directory, 
regulating which users can access it--and the extent of that access. To 
avoid unintentionally giving users unnecessary access to sensitive 
files and directories, an organization must give careful consideration 
to its assignment of rights and permissions. 

However, all three NASA centers we reviewed did not always sufficiently 
restrict system access and privileges to only those users that needed 
access to perform their assigned duties. For example, the centers did 
not always restrict access to sensitive files and control unnecessary 
remote access. In addition, NASA centers allowed shared accounts and 
group user IDs and did not restrict excessive user privileges. 
Furthermore, NASA centers did not effectively limit access to key 
network devices through access control lists. As a result, increased 
risk exists that users could gain inappropriate access to computer 
resources, circumvent security controls, and deliberately or 
inadvertently read, modify, or delete critical mission information. 

NASA Implemented Encryption Controls but Did Not Always Encrypt Network 
Services and Sensitive Data: 

Cryptography underlies many of the mechanisms used to enforce the 
confidentiality and integrity of critical and sensitive information. A 
basic element of cryptography is encryption. Encryption can be used to 
provide basic data confidentiality and integrity by transforming plain 
text into ciphertext using a special value known as a key and a 
mathematical process known as an algorithm.[Footnote 7] The National 
Security Agency (NSA) recommends encrypting network services. If 
encryption is not used, sensitive information such as user ID and 
password combinations are susceptible to electronic eavesdropping by 
devices on the network when they are transmitted. In addition, the OMB 
has recommended that all federal agencies encrypt all data on mobile 
devices like laptops, unless the data has been determined to be 
nonsensitive. 

Although NASA has implemented cryptography, it was not always 
sufficient or used in transmitting sensitive information. For example, 
NASA centers did not always employ a robust encryption algorithm that 
complied with federal standards to encrypt sensitive information. The 
three centers we reviewed neither used encryption to protect certain 
network management connections, nor did they require encryption for 
authentication to certain internal services. Instead, the centers used 
unencrypted protocols to manage network devices, such as routers and 
switches. In addition, NASA had not installed full-disk encryption on 
its laptops at all three centers. As a result, sensitive data 
transmitted through the unclassified network or stored on laptop 
computers were at an increased risk of being compromised. 

Although NASA Segregated Sensitive Networks, System Boundary Protection 
Was Not Always Adequate: 

Boundary protection controls logical connectivity into and out of 
networks and controls connectivity to and from network connected 
devices. Unnecessary connectivity to an organization's network 
increases not only the number of access paths that must be managed and 
the complexity of the task, but the risk of unauthorized access in a 
shared environment. NIST guidance states that firewalls[Footnote 8] 
should be configured to provide adequate protection for the 
organization's networks and that the transmitted information between 
interconnected systems should be controlled and regulated. 

Although NASA had employed controls to segregate sensitive areas of its 
networks and protect them from intrusion, it did not always adequately 
control the logical and physical boundaries protecting its information 
and systems. For example, NASA centers did not adequately protect their 
workstations and laptops from intrusions through the use of host-based 
firewalls. Furthermore, firewalls at the centers did not provide 
adequate protection for the organization's networks, since they could 
be bypassed. In addition, the three centers had an e-mail server that 
allowed spoofed e-mail messages and potentially harmful attachments to 
be delivered to NASA. As a result, the hosts on these system networks 
were at increased risk of compromise or disruption from the other lower 
security networks. 

Although NASA Monitored Its Networks, Monitoring Was Not Always 
Comprehensive: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine who has taken actions on the system, what these actions 
were, and when they were taken. According to NIST, when performing 
vulnerability scans, greater emphasis should be placed upon systems 
that are accessible from the Internet (e.g., Web and e-mail servers); 
systems that house important or sensitive applications or data (e.g., 
databases); or network infrastructure components (e.g., routers, 
switches, and firewalls). In addition, according to commercial vendors, 
running scanning software in an authenticated mode allows the software 
to detect additional vulnerabilities. NIST also states that the use of 
secure software development techniques, including source code review, 
is essential to preventing a number of vulnerabilities from being 
introduced into items such as a Web service. NASA requires that audit 
trails be implemented on NASA IT systems. 

Although NASA regularly monitored its unclassified network for security 
vulnerabilities, the monitoring was not always comprehensive. For 
example, none of the three centers we reviewed conducted vulnerability 
scans for such sensitive applications as databases. In addition, the 
centers did not conduct source code reviews. Furthermore, not all 
segments and protocols on center networks were effectively monitored by 
intrusion detection systems. Moreover, NASA did not always configure 
several database systems to enable auditing and monitoring of 
security-relevant events and did not adequately perform logging of 
authentication, authorization, and accounting activities. As a result, 
NASA may not detect certain vulnerabilities or unauthorized activities, 
leaving the network at increased risk of compromise or disruption. 
Until NASA establishes detailed audit logs for its systems at these 
facilities or compensating controls in cases where such logs are not 
feasible, it risks being unable to determine if malicious incidents are 
occurring and, after an event occurs, being unable to determine who or 
what caused the incident. 

Although NASA Had Various Physical Security Protections in Place, 
Weaknesses Existed: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls restrict physical access to computer resources, usually 
by limiting access to the buildings and rooms in which the resources 
are housed and by periodically reviewing the access granted in order to 
ensure that it continues to be appropriate. NASA policy requires that 
its facilities and buildings be provided the level of security 
commensurate with the level of risk as determined by a vulnerability 
risk assessment. In addition, NASA policy requires enhanced security 
measures for its mission essential infrastructure such as computing 
facilities and data centers, including access control systems, 
lighting, and vehicle barriers such as bollards or jersey barriers. 
NIST policy also requires that federal agencies implement physical 
security and environmental safety controls to protect IT systems and 
facilities, as well as employees and contractors. These controls 
include protections to prevent excessive heat and fires or unnecessary 
water damage. 

NASA had various protections in place for its IT resources. It 
effectively secured many of its sensitive areas and computer equipment 
and takes other steps to provide physical security. For example, all 
three NASA centers issued electronic badges to help control access to 
many of their sensitive and restricted areas. The agency also maintains 
liaisons with law enforcement agencies to help ensure additional 
security backup is available if necessary and to facilitate the 
accurate flow of timely security information among appropriate 
government agencies. 

However, NASA's computing facilities may be vulnerable to attack 
because of weaknesses in controls over physical access points, 
including designated entry and exit points to the facilities where 
information systems reside. NASA also neither enforced stringent 
physical access measures for, and authorizations to, areas within a 
facility, nor did it maintain and review at least annually a current 
list of personnel with access to all IT-intensive facilities and 
properly authenticate visitors to these facilities. In addition, we 
were only able to obtain evidence that risk assessments were performed 
for 11 of the 24 NASA buildings we visited, which contained significant 
and sensitive IT resources. NASA also did not fully implement enhanced 
security measures for its mission essential infrastructure such as 
computing facilities and data centers. To illustrate, retractable 
bollards that protect delivery doors, generators, and fuel tanks at the 
data and communication centers were not operable and were in the "open" 
retracted position. NASA also did not fully follow NIST safety and 
security guidance. In addition, a data center that houses a large 
concentration of sensitive IT equipment including the laboratory's 
supercomputer had "wet pipe"[Footnote 9] automatic sprinkler 
protection. This type of protection presents risks of water leaks that 
could do considerable damage to the sensitive and expensive computer 
equipment in the event of a fire. In addition, this data center's 
critical cooling equipment and fans located at the rear of the facility 
were not separately enclosed and protected. Although the facility's 
perimeter is fenced, an unauthorized individual could scale the fence 
and damage or sabotage the cooling equipment. 

Because areas containing sensitive IT and support equipment were not 
adequately protected, NASA has less assurance that computing resources 
are protected from inadvertent or deliberate misuse including sabotage, 
vandalism, theft, and destruction. 

Weaknesses in Other Important Controls Increase Risk: 

In addition to access controls, other important controls should be in 
place to ensure the security and reliability of an organization's 
information. These controls include policies, procedures, and control 
techniques to (1) appropriately segregate incompatible duties and (2) 
manage system configurations and implement patches. Weaknesses in these 
areas could increase the risk of unauthorized use, disclosure, 
modification, or loss of NASA's mission sensitive information. 

Incompatible Duties Were Not Always Segregated: 

Segregation of duties refers to the policies, procedures, and 
organizational structure that help ensure that one individual cannot 
independently control all key aspects of a process or computer-related 
operation and thereby gain unauthorized access to assets or records. 
Often segregation of incompatible duties is achieved by dividing 
responsibilities among two or more organizational groups. Dividing 
duties among two or more individuals or groups diminishes the 
likelihood that errors and wrongful acts will go undetected because the 
activities of one individual or group will serve as a check on the 
activities of the other. Inadequate segregation of duties increases the 
risk that erroneous or fraudulent transactions could be processed, 
improper program changes implemented, and computer resources damaged or 
destroyed. 

NASA did not adequately segregate incompatible duties. For example, all 
network users at two centers we reviewed had administrative privileges 
to their local computer and could install unapproved software. Only 
system administrators should have these privileges. As a consequence, 
increased risk exists that users could perform unauthorized system 
activities without detection. 

Although NASA Maintained System Configurations and Installed Patches, 
Shortcomings Existed: 

Patch management is a critical process that can help alleviate many of 
the challenges of securing computing systems.[Footnote 10] As 
vulnerabilities in a system are discovered, attackers may attempt to 
exploit them, possibly causing significant damage. Malicious acts can 
range from defacing Web sites to taking control of entire systems, 
thereby being able to read, modify, or delete sensitive information; 
disrupt operations; or launch attacks against other organizations' 
systems. After a vulnerability is validated, the software vendor may 
develop and test a patch or work-around to mitigate the vulnerability. 
Incident response groups and software vendors issue information updates 
on the vulnerability and the availability of patches. 

Although NASA had implemented innovative techniques to maintain system 
configurations and install patches, shortcomings existed. For example, 
all three NASA centers had not applied a critical operating system 
patch or patches for a number of general third-party applications. As a 
result, NASA had limited assurance that all needed patches were applied 
to critical system resources, increasing the risk of exposing critical 
and sensitive unclassified data to unauthorized access. Furthermore, 
although the three centers had configured their e-mail systems to 
prevent many common cyber attacks, they were still vulnerable to attack 
because their systems allowed various file types as e-mail attachments. 
These files could be used to install malicious software onto an 
unsuspecting user's workstation, potentially compromising the network. 
As a result, increased risk exists that an attacker could exploit known 
vulnerabilities in these applications to execute malicious code and 
gain control of or compromise a system. 

NASA Has Not Fully Implemented Its Information Security Program: 

A key reason for these weaknesses is that although NASA has made 
important progress in implementing the agency's information security 
program, it has not effectively or fully implemented an agencywide 
information security program. FISMA requires agencies to develop, 
document, and implement an information security program that, among 
other things, includes: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems; 

* policies and procedures that (1) are based on risk assessments, (2) 
cost effectively reduce information security risks to an acceptable 
level, (3) ensure that information security is addressed throughout the 
life cycle of each system, and (4) ensure compliance with applicable 
requirements; 

* plans for providing adequate information security for networks, 
facilities, and systems; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, to be performed with a 
frequency depending on risk, but no less than annually, and that 
includes testing of management, operational, and technical controls for 
every system identified in the agency's required inventory of major 
information systems; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in its information security 
policies, procedures, or practices; 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency; and 

* procedures for detecting, reporting, and responding to security 
incidents. 

In addition, FISMA states the agency information security program 
applies to the information and information systems provided or managed 
by contractors or other sources. 

We identified a number of shortcomings in key program activities. For 
example, NASA had not always (1) fully assessed information security 
risks; (2) fully developed and documented security policies and 
procedures; (3) included key information in security plans; (4) 
conducted comprehensive tests and evaluation of its information system 
controls; (5) tracked the status of plans to remedy known weaknesses; 
(6) planned for contingencies and disruptions in service; (7) 
maintained capabilities to detect, report, and respond to security 
incidents; and (8) incorporated important security requirements in its 
contract with JPL. Until all key elements of its information security 
program are fully and consistently implemented, NASA will have limited 
assurance that new weaknesses will not emerge and that sensitive 
information and assets are adequately safeguarded from inadvertent or 
deliberate misuse, improper disclosure, or destruction. 

Although NASA Has Developed Risk Assessments, They Were Not Always 
Adequately Performed at Key Facilities: 

A comprehensive risk assessment should be the starting point for 
developing or modifying an agency's security policies and security 
plans. Such assessments are important because they help to make certain 
that all threats and vulnerabilities are identified and considered, 
that the greatest risks are addressed, and that appropriate decisions 
are made regarding which risks to accept and which to mitigate through 
security controls. Appropriate risk assessment policies and procedures 
should be documented and based on the security categorizations 
described in FIPS Publication 199.[Footnote 11] OMB directs federal 
agencies to consider risk when deciding what security controls to 
implement. OMB states that a risk-based approach is required to 
determine adequate security, and it encourages agencies to consider 
major risk factors, such as the value of the system or application, 
threats, vulnerabilities, and the effectiveness of current or proposed 
safeguards. Identifying and assessing physical security risks are also 
essential steps in determining what information security controls are 
required. NASA policy states that vulnerability risk assessments for 
buildings and facilities are to be performed at least every 3 years. 

NASA had generally implemented procedures for assessing its security 
risks and conducted risk assessments for the five systems and networks 
we reviewed. It had also determined security categories for these 
systems and networks. In addition, NASA had developed an executive 
threat summary on cyber issues facing the agency. Also, NASA's Security 
Operations Center (SOC) regularly issued threat analysis reports and 
distributed them to offices within NASA responsible for security. 

However, NASA had not fully assessed its risks. For example, it had not 
conducted a comprehensive agencywide risk assessment that included 
mission-related systems and applications. In addition, one center we 
reviewed did not prepare an overall network risk assessment that 
clearly articulated the known vulnerabilities identified in the 
security plans and waivers.[Footnote 12] Furthermore, the waivers were 
not elevated or aggregated and documented into an overall risk 
management plan. NASA also could not demonstrate that it conducted 
vulnerability risk assessments for 13 of the 24 buildings we visited 
that contained significant and sensitive information resources. NASA 
staff stated that some of the 13 buildings may have had risk 
assessments performed in the past, but they could not provide copies of 
the assessments or evidence to support these assertions. As a result, 
NASA has limited assurance that computing resources are consistently 
and effectively protected from inadvertent or deliberate misuse 
including fraud or destruction. 

Although NASA Developed Security Policies and Procedures, It Did Not 
Always Include Key Elements: 

Another key task in developing an effective information security 
program is to establish and implement risk-based policies, procedures, 
and technical standards that govern security over an agency's computing 
environment. If properly implemented, policies and procedures should 
help reduce the risk that could come from unauthorized access or 
disruption of services. Because security policies and procedures are 
the primary mechanisms through which management communicates views and 
requirements, it is important that these policies and procedures be 
established and documented. FISMA requires agencies to develop and 
implement policies and procedures to support an effective information 
security program. NIST also issued security standards and related 
guidance to help agencies implement security controls, including 
appropriate information security policies and procedures. 

NASA developed and documented several information security policies and 
procedures. For example, NASA established standard operating processes 
that had been successful in producing a number of IT procedures 
relating to certification and accreditation. However, NASA had not 
always included all the necessary elements in its security policies and 
procedures, as illustrated by the following examples: 

* The agency did not have a policy for malware incident handling and 
prevention. 

* Although NASA defined some security roles, it did not define all 
necessary roles and responsibilities for incident response and 
detection. Presently the only formal role for managing incidents as 
defined by NASA policy is the Information Technology Security Manager. 
However, NASA policy did not clearly define roles and responsibilities 
for incident response within NASA, such as an intrusion analyst or 
incident response manager. 

* NASA had not updated the policy for incident handling to reflect the 
current environment. Although NASA has developed policy directives 
pertaining to incident handling that all NASA centers are required to 
follow, these documents had not been updated to reflect the November 
2008 establishment of the SOC. 

* Physical and environmental policies for the protection of NASA assets 
were not adequately defined. NASA's policies do not adequately describe 
physical access controls such as authorizing, controlling, and 
monitoring physical access to sensitive locations. For example, 
regarding monitoring, the agency's policy does not clearly require that 
officials maintain and review at least annually a current list of 
personnel with access to all IT-intensive facilities. Additionally, 
NASA's policies did not provide clear and consistent guidance for 
developing and implementing environmental safety controls. For 
instance, the agency's policies and procedures lacked information on 
fire protection and emergency power shutoff. NASA IT and physical 
security policy staff acknowledged these shortcomings and stated that 
new policies are being or will be drafted during this calendar year and 
should be approved by NASA management around the end of calendar year 
2010. 

Until these policies are fully developed and documented across all 
agency centers, NASA has less assurance that computing resources are 
consistently and effectively protected from inadvertent or deliberate 
misuse, including fraud or destruction. 

NASA Prepared Security Plans but Did Not Always Include All Key 
Information: 

An objective of system security planning is to improve the protection 
of IT resources. A system security plan provides a complete and 
up-to-date overview of the system's security requirements and describes the 
controls that are in place--or planned--to meet those requirements. OMB 
Circular A-130 specifies that agencies develop and implement system 
security plans for major applications and general support 
systems[Footnote 13] and that these plans address policies and 
procedures for providing management, operational, and technical 
controls. NIST guidance states that these plans should be updated as 
system events trigger the need for revision in order to accurately 
reflect the most current state of the system. NIST guidance requires 
that all security plans be reviewed and, if appropriate, updated at 
least annually. 

NASA generally prepared and documented security plans for the five 
systems and networks we reviewed. In addition, NASA has developed and 
mandated the use of the Risk Management System as the authoritative 
source for the creation and storage of system security plans and 
documentation. Most notably, JPL also employed a real-time 
Certification and Accreditation document repository system, which 
facilitates a more repeatable process and ensures consistency and 
correctness. 

However, NASA did not always include key information in system security 
plans. For example, NASA did not always update one system security plan 
with the results from its network risk assessment and threat analysis. 
In addition, system interconnection security agreements were not always 
signed for all external connections. Specifically, a center did not 
have signed interconnection security agreements for any connections 
with its partners and stakeholders. Furthermore, interconnection 
security agreements for one network were still pending. Without a 
security plan that describes security requirements and specific threats 
as identified in the risk assessment, and without having signed 
interconnection security agreements, NASA networks remain vulnerable to 
threats. 

NASA Conducted System Security Tests, but They Were Not Always 
Comprehensive: 

A key element of an information security program is to test and 
evaluate policies, procedures, and controls to determine whether they 
are effective and operating as intended. This type of oversight is a 
fundamental element of a security program because it demonstrates 
management's commitment to the program, reminds employees of their 
roles and responsibilities, and identifies areas of noncompliance and 
ineffectiveness. Analyzing the results of security reviews provides 
security specialists and business managers with a means of identifying 
new problem areas, reassessing the appropriateness of existing controls 
(management, operational, technical), and identifying the need for new 
controls. FISMA requires that the frequency of tests and evaluations be 
based on risks and occur no less than annually.[Footnote 14] 

NASA commissioned penetration testing using a rotational audit approach 
that covered various NASA centers. The scope of the tests included 
internal and external network-based penetration testing, Web 
application testing against center-selected Web sites, war-driving to 
identify rogue and unprotected wireless access points, configuration 
testing on center workstations and networking devices, searches for 
publicly available sensitive data, and social engineering scenarios 
against help desk staff. 

Although NASA conducted system security testing and evaluation on the 
five systems and networks we reviewed, the tests were not always 
comprehensive. For instance, NASA did not test all relevant security 
controls and did not identify certain weaknesses that we identified 
during our review. For example, our review revealed problems with a 
firewall that were not identified by a test, including the fact that 
the firewall can be bypassed. In addition, the network documentation 
highlighted managerial control issues, such as the lack of policy, but 
insufficient or limited attention was paid to testing weaknesses in 
operational and technical controls. As a result, NASA could be unaware 
of undetected vulnerabilities in its networks and systems and has 
reduced assurance that its controls are being effectively implemented. 

Remedial Action Plans Were Not Always Tracked Effectively: 

Remedial action plans, also known as plans of action and milestones 
(POA&M), can help agencies identify and assess security weaknesses in 
information systems and set priorities and monitor progress in 
correcting them. NIST guidance states that each federal civilian agency 
must report all incidents and internally document remedial actions and 
their impact. In addition, NASA policy states that all master and 
subordinate IT system POA&Ms should be tracked and reported to the NASA 
CIO in a timely manner so that corrective actions can be taken. 

Although NASA has developed and implemented a remedial action process, 
it did not always prepare remedial action plans for known control 
deficiencies or report the status of corrective actions in a 
centralized remediation tracking system maintained by the NASA CIO. 
[Footnote 15] For example, NASA did not develop POA&Ms to correct 
several weaknesses documented in one system's security assessment or to 
address remediation threats documented in its risk assessment. In 
addition, the NASA centers we reviewed did not always report remedial 
action plans and the status of corrective actions into the central 
Headquarters Risk Management System used for POA&Ms. Consequently, 
senior management officials were not always aware of control weaknesses 
that still remained outstanding. Without an effective remediation 
program, identified vulnerabilities may not be resolved in a timely 
manner, thereby allowing continuing opportunities for unauthorized 
individuals to exploit these weaknesses and gain access to sensitive 
information and systems. 

NASA Did Not Always Adequately Plan for Contingencies: 

Contingency planning is a critical component of information protection. 
If normal operations are interrupted, network managers must be able to 
detect, mitigate, and recover from service disruptions while preserving 
access to vital information. Therefore, a contingency plan details 
emergency response, backup operations, and disaster recovery for 
information systems. It is important that these plans be clearly 
documented, communicated to potentially affected staff, and updated to 
reflect current operations. NIST also requires that all of an agency's 
systems have a contingency plan and that the plans address, at a 
minimum, identification and notification of key personnel, plan 
activation, system recovery, and system reconstitution. NASA guidance 
states that contingency plans should describe an alternate backup site 
in a geographic area that is unlikely to be negatively affected by the 
same disaster event (e.g., weather-related impacts or power grid 
failure) as the organization's primary site. The guidance also states 
that contingency plans should include contact information for disaster 
recovery personnel. 

NASA had developed contingency plans for the five systems and networks 
we reviewed. However, shortcomings existed in several plans. 
Specifically, (1) NASA did not approve the contingency plans for one 
network and one system we reviewed; (2) it did not include contact 
information for disaster recovery personnel at a center, even though 
their roles and responsibilities for disaster recovery were described; 
(3) NASA did not describe an alternate backup site for a center in a 
geographic area outside of the primary site, and had not designated 
backup facilities for a network we reviewed; and (4) the contingency 
plan for a system we reviewed did not follow NASA's guidance on 
contingency planning, since it did not include review and approval 
signatures, information contact(s) and line of succession, and damage 
assessment procedures. As a result, NASA is at a greater risk for major 
service disruptions with respect to its important mission networks in 
the event of a disaster to the primary facility. 

NASA Has Implemented Incident Detection and Handling Capabilities, but 
They Remain Limited: 

Even strong controls may not block all intrusions and misuse, but 
organizations can reduce the risks associated with such events if they 
take steps to promptly detect and respond to them before significant 
damage is done. NIST offers the following guidance for establishing an 
effective computer security incident response capability. Organizations 
should create an incident response policy, and use it as the basis for 
incident response procedures, that defines which events are considered 
incidents, establishes the organizational structure for incident 
response, defines roles and responsibilities, and lists the 
requirements for reporting incidents, among other items. In addition, 
organizations should acquire the necessary tools and resources for 
incident handling, including communications, facilities, and the 
analysis of hardware and software. 

NASA has established a computer security incident handling project to 
respond to incidents. As part of this project, NASA has implemented a 
SOC, within Ames Research Center, which is the central coordination 
point for NASA's incident handling program and for reporting of 
incidents to the United States Computer Emergency Readiness Team 
(US-CERT).[Footnote 16] The SOC began operations in November 2008 and is 
expected to enhance prevention and provide early detection of security 
incidents and coordinate agency-level information related to NASA's IT 
security posture. The SOC has implemented an agency hotline for 
security incidents and a centralized incident management system for the 
coordination, tracking, and reporting of agency incidents. It is 
currently improving its infrastructure to support detection, 
notification, investigation, and response to incidents in a timely 
manner. In addition to the SOC, the three centers that we reviewed had 
their own teams of incident responders that addressed and tracked 
incidents at their centers. 

However, NASA's capabilities to detect, report, and respond to security 
incidents remain limited. The following are examples: 

* The agency is not using a consistent definition of an incident. 
Responders at several centers stated they were following the 
NIST/US-CERT definition of an incident, which makes no distinction between an 
event and an incident. Although a center's standard operating procedure 
did not include a formal definition of a computer security incident, 
the center personnel stated that incidents are only those that are 
confirmed. However, a definition of what constitutes a "confirmed" 
incident was not provided. 

* The organizational structure for incident response roles and 
responsibilities was outdated since it assigned central coordination 
and analysis of incidents to an organization that no longer existed. 
Although the SOC has developed an incident management plan, policies, 
and procedures for responding to incidents, they were in draft and had 
not been distributed to all the centers. 

* Although two of the centers support mission related operations that 
operate 24x7, the two centers' incident response teams were not staffed 
around the clock. 

* The business impacts of incidents were not adequately specified in 
NASA incident documentation. NASA incident documentation contains 
references to the fact that data subject to International Traffic in 
Arms Regulations[Footnote 17] were stolen along with a laptop. However, 
the precise data that were lost were described only in very general 
terms so that the business impacts are not known. Moreover, although 
agency officials stated that conducting root cause analyses is required 
and part of the standard incident response workflow, there were many 
incidents for which a detailed post-incident analysis was not 
performed. 

In addition, weaknesses in NASA's technical controls impact its 
incident handling and detection controls. For example, two centers we 
reviewed did not employ host-based firewalls on their workstations, 
laptops, or devices. In addition, one network had limited incident 
detection systems to detect malicious traffic coming from its internal 
and off-site connections. Moreover, another network had no internal 
incident detection system in place to monitor traffic, with the partial 
exception of network incident detection coverage of ingress/egress for 
it. Furthermore, one center had not adequately established and 
implemented tools and processes to ensure timely detection of security 
incidents. 

As a result, there is a heightened risk that NASA may not be able to 
detect, contain, eradicate, or recover from incidents, and improve the 
incident handling process. 

NASA Did Not Include Important Security Requirements in Its Contract: 

The agencywide information security program required by FISMA applies 
not only to information systems used or operated by an agency but also 
to information systems used or operated by a contractor of an agency or 
other agency on behalf of an agency. In addition, the Federal 
Acquisition Regulation (FAR) requires that federal agencies prescribe 
procedures for ensuring that agency planners on IT acquisitions comply 
with the IT security requirements of FISMA, OMB's implementing 
policies, including appendix III of OMB Circular A-130, and guidance 
and standards from NIST.[Footnote 18] Appropriate policies and 
procedures should be developed, implemented, and monitored to ensure 
that the activities performed by external third parties are documented, 
agreed to, implemented, and monitored for compliance. 

However, NASA did not adequately incorporate information security 
requirements in its contract with the JPL contractor. Although the 
contract for JPL specified adherence to certain NASA security 
policies,[Footnote 19] it did not require the contractor to implement 
key elements of an information security program. For example, the 
following NASA and FISMA requirements are not specifically referenced 
in the JPL contract: 

* Periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices performed with a frequency 
depending on risk, but not less than annually, and including testing of 
management, operational, and technical controls for every system. 

* A process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in the information 
security policies, procedures, and practices of the agency. 

* Procedures for detecting, reporting, and responding to security 
incidents. 

* Plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

In addition, NASA did not incorporate provisions in the contract to 
allow it to perform effective oversight of the contractor's 
implementation of the security controls and program. For example, the 
JPL contract did not recognize the oversight roles of the NASA 
Administrator, the NASA CIO, the senior agency information security 
officer and other senior NASA managers as defined in NASA's policy. 
[Footnote 20] 

As a result, NASA faces a range of risks from contractors and other 
users with privileged access to NASA's systems, applications, and data 
since contractors that provide users with privileged access to 
agency/entity systems, applications, and data can introduce risks to their 
information and information systems. 

Despite Actions to Address Security Incidents, NASA Remains Vulnerable: 

NASA has experienced numerous cyber attacks on its networks and systems 
in recent years. During fiscal years 2007 and 2008, NASA reported 1,120 
security incidents to US-CERT in the following five US-CERT-defined 
categories: 

* Unauthorized access: Gaining logical or physical access without 
permission to a federal agency's network, system, application, data, or 
other resource. 

* Denial of service: Preventing or impairing the normal authorized 
functionality of networks, systems, or applications by exhausting 
resources. This activity includes being the victim of or participating 
in a denial of service attack. 

* Malicious code: Installing malicious software (e.g., virus, worm, 
Trojan horse, or other code-based malicious entity) that infects an 
operating system or application. Agencies are not required to report 
malicious logic that has been successfully quarantined by antivirus 
software. 

* Improper usage: Violating acceptable computing use policies. 

* Scans/probes/attempted access: Accessing or identifying a federal 
agency computer, open ports, protocols, service, or any combination of 
these for later exploit. This activity does not directly result in a 
compromise or denial of service. 

As noted in figure 4, the two most prevalent types of incidents 
reported by NASA were malicious code[Footnote 21] and unauthorized 
access. 

Figure 4: Total Computer Security Incidents in Categories 1 through 5 
Reported by NASA to US-CERT for Fiscal Years 2007-2008: 

[Refer to PDF for image: pie-chart] 

Denial of service; improper usage; and scans, probes, attempted access 
(Cat 2, 4, and 5): 72; 
Unauthorized access (Cat 1): 209; 
Malicious code (Cat 3): 839. 

Source: GAO analysis of US-CERT data. 

[End of figure] 

A NASA report stated that the number of malicious code attacks (839) 
was the highest experienced by any of the federal agencies, which 
accounted for over one-quarter of the total number of malicious code 
attacks directed at federal agencies during this period. According to 
an official at the US-CERT, NASA's high profile makes the agency an 
attractive target for hackers seeking recognition, or for nation-state 
sponsored cyber spying. 

The impact of these and more recent incidents can be significant. The 
following examples are illustrative: 

* In 2009, NASA reported incidents involving unauthorized access to 
sensitive data. For example, one center reported the theft of a laptop 
containing data subject to International Traffic in Arms Regulations. 
Stolen data included roughly 3,000 files of unencrypted International 
Traffic in Arms Regulations data with information for Hypersonic Wind 
Tunnel testing for the X-51 scramjet project and possibly personally 
identifiable information. Another center reported the theft of a laptop 
containing thermal models, review documentation, test plans, test 
reports, and requirements documents pertaining to NASA's Lunar 
Reconnaissance Orbiter and James Webb Space Telescope projects. The 
incident report does not indicate whether this lost data was 
unencrypted or encrypted or how the incident was resolved. 
Significantly, these were not isolated incidents since NASA reported 
209 incidents of unauthorized access to US-CERT during fiscal years 
2007 and 2008. 

* One center was alerted by the NASA SOC in February 2009 about traffic 
associated with a Seneka Rootkit Bot.[Footnote 22] In this case, NASA 
found that 82 NASA devices had been communicating with a malicious 
server since January 2009. A review of the data revealed that most of 
these devices were communicating with a server in the Ukraine. By March 
2009, three centers were also infected with the bot attack. 

* In October 2007, a total of 86 incidents related to the Zonebac 
Trojan[Footnote 23] were reported by NASA centers. This particular form 
of malware is capable of disabling security software and downloading 
and running other malicious software at the whim of the attacker. 
US-CERT reported in January 2008 on NASA's ongoing problems with Zonebac 
and other malware infestations and recommended that the agency employ 
consistent patching and user education practices to prevent such 
infections from occurring. 

* In July 2008, NASA found several hosts infected with the Coreflood 
Trojan that is capable of frequently updating itself and stealing a 
large number of user credentials that can be used to log onto other 
machines within a domain. Investigation revealed that NASA computers 
were infected and communicating with a hostile command and control 
server. 

These attacks can result in damage to applications, data, or operating 
systems; disclosure of sensitive information; propagation of malware; 
use of affected systems as bots; an unavailability of systems and 
services; and a waste of time, money, and labor. 

In response to these and other attacks, NASA has enhanced its incident 
response capabilities and computer defensive capabilities at NASA's 
centers. For example, the three centers that we reviewed had their own 
teams of incident responders that addressed and tracked incidents at 
their centers. In addition, the SOC was established in 2008 to enhance 
prevention and provide early detection of security incidents and 
coordinate agency-level information related to NASA's security posture. 
The SOC has implemented an agency hotline for security incidents and an 
incident management system for the coordination and tracking of agency 
security incidents. It is currently improving its infrastructure to 
support detection, notification, investigation, and response to 
security incidents in a timely manner. 

Despite actions to address security incidents, NASA remains vulnerable 
to similar incidents going forward. The control vulnerabilities and 
program shortfalls that we identified collectively increase the risk of 
unauthorized access to NASA's sensitive information, as well as 
inadvertent or deliberate disruption of its system operations and 
services. They make it possible for intruders, as well as government 
and contractor employees, to bypass or disable computer access controls 
and undertake a wide variety of inappropriate or malicious acts. As a 
result, increased and unnecessary risk exists that sensitive 
information will be subject to unauthorized disclosure, modification, 
and destruction and that mission operations could be disrupted. 

Conclusions: 

Information security weaknesses at NASA impair the agency's ability to 
ensure the confidentiality, integrity, and availability of sensitive 
information. The systems supporting NASA's mission directorates at the 
three centers we reviewed have vulnerabilities in information security 
controls that place mission-sensitive information, scientific and other 
data, and information systems at increased risk of compromise. A key 
reason for these vulnerabilities is that NASA has not yet fully 
implemented its information security program to ensure that controls 
are appropriately designed and operating effectively. 

NASA's high profile and cutting-edge technology make the agency an 
attractive target for hackers seeking recognition, or for nation-state 
sponsored cyber spying. Thus, it is vital that attacks on NASA computer 
systems and networks are detected, resolved, and reported in a timely 
fashion and that the agency has effective security controls in place to 
minimize its vulnerability to such attacks. Despite actions to address 
previous security incidents, the control vulnerabilities and program 
shortfalls we identified indicate that NASA remains vulnerable to 
future incidents. These weaknesses could allow intruders, as well as 
government and contractor employees, to bypass or disable computer 
access controls and undertake a wide variety of inappropriate or 
malicious acts. Until NASA mitigates identified control vulnerabilities 
and fully implements its information security program, the agency will 
be at risk of unauthorized disclosure, modification, and destruction of 
its sensitive information and disruption of critical mission 
operations. 

Recommendations for Executive Action: 

To assist NASA in improving the implementation of its agencywide 
information security program, we recommend that the NASA Administrator 
direct the NASA CIO to take the following eight actions: 

* Develop and implement comprehensive and physical risk assessments 
that include mission-related systems and applications and known 
vulnerabilities identified in the security plans and waivers. 

* Develop and fully implement security policies and procedures for 
malware, incident handling roles and responsibilities, and physical 
environmental protection. 

* Include key information for system security plans such as information 
from risk assessments and signed system interconnection security 
agreements. 

* Conduct sufficient or comprehensive security testing and evaluation 
of all relevant security controls including management, operational, 
and technical controls. 

* Develop remedial action plans to address any deficiencies and ensure 
that master and subordinate IT system items are tracked and reported to 
the agency CIO in a timely manner so that corrective actions can be 
taken. 

* Update contingency plans to include key information such as contact 
information and approvals, and describe an alternate backup site in a 
geographic area that is unlikely to be negatively affected by the same 
disaster event. 

* Implement an adequate incident detection program to include a 
consistent definition of an incident, incident roles and 
responsibilities, resources to operate the program, and business 
impacts of the incidents. 

* Include all necessary security requirements in the JPL contract. 

In a separate report with limited distribution, we are also making 179 
recommendations to address the 129 weaknesses identified during this 
audit to enhance NASA's access controls. 

Agency Comments and Our Evaluation: 

In providing written comments on a draft of this report (reprinted in 
appendix IV), the NASA Deputy Administrator concurred with our 
recommendations and noted that many of the recommendations are 
currently being implemented as part of an ongoing strategic effort to 
improve information technology management and IT security program 
deficiencies. In addition, she stated that NASA will continue to 
mitigate the information security weaknesses identified in our report. 
The actions identified in the Deputy Administrator's response will, if 
effectively implemented, improve the agency's information security 
program. 

We are sending copies to interested congressional committees, the 
Office of Management and Budget, the NASA Administrator, the NASA 
Inspector General and other interested parties. The report also is 
available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact Gregory C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti 
Barkakati at (202) 512-4499. We can also be reached by e-mail at 
wilshuseng@gao.gov or barkakatin@gao.gov. GAO staff who made major 
contributions to this report are listed in appendix V. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Signed by: 

Dr. Nabajyoti Barkakati: 
Chief Technologist: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to (1) determine the effectiveness of 
the National Aeronautics and Space Administration's (NASA) information 
security controls in protecting the confidentiality, integrity, and 
availability of its networks supporting mission directorates and (2) 
assess the vulnerabilities identified during the audit in the context 
of NASA's prior security incidents and corrective actions. 

To determine the effectiveness of security controls, we reviewed 
networks at three centers to gain an understanding of the overall 
network control environment, identified its interconnectivity and 
control points, and examined controls for NASA networks. 

Using our Federal Information System Controls Audit Manual,[Footnote 
24] which contains guidance for reviewing information system controls 
that affect the confidentiality, integrity, and availability of 
computerized information, National Institute of Standards and 
Technology (NIST) standards and guidance, and NASA's policies, 
procedures, practices, and standards, we evaluated controls by: 

* developing an accurate understanding of the overall network 
architecture and examining configuration settings and access controls 
for routers, network management servers, switches, and firewalls; 

* reviewing the complexity and expiration of password settings to 
determine if password management was enforced; 

* analyzing users' system authorizations to determine whether they had 
more permissions than necessary to perform their assigned functions; 

* observing methods for providing secure data transmissions across the 
network to determine whether sensitive data were being encrypted; 

* observing whether system security software was logging successful 
system changes; 

* observing physical access controls to determine if computer 
facilities and resources were being protected from espionage, sabotage, 
damage, and theft; 

* inspecting key servers and workstations to determine whether critical 
patches had been installed or were up-to-date; and 

* examining access responsibilities to determine whether incompatible 
functions were segregated among different individuals. 

Using the requirements identified by the Federal Information Security 
Management Act of 2002 (FISMA), which establishes key elements for an 
effective agencywide information security program, we evaluated five 
NASA systems and networks by: 

* analyzing NASA's policies, procedures, practices, standards, and 
resources to determine their effectiveness in providing guidance to 
personnel responsible for securing information and information systems; 

* reviewing NASA's risk assessment process and risk assessments to 
determine whether risks and threats were documented consistent with 
federal guidance; 

* analyzing security plans to determine if management, operational, and 
technical controls were in place or planned and that security plans 
reflected the current environment; 

* analyzing NASA's procedures and results for testing and evaluating 
security controls to determine whether management, operational, and 
technical controls were sufficiently tested at least annually and based 
on risk; 

* examining remedial action plans to determine whether they addressed 
vulnerabilities identified in NASA's security testing and evaluations; 

* examining contingency plans to determine whether those plans 
contained essential information, reflected the current environment, and 
had been tested to assure their sufficiency; 

* reviewing incident detection and handling policies, procedures, and 
reports to determine the effectiveness of the incident handling 
program; and 

* analyzing whether security requirements were implemented effectively 
by the contractor. 

We also discussed with key security representatives and management 
officials whether information security controls were in place, 
adequately designed, and operating effectively. 

To assess NASA's vulnerabilities in the context of prior incidents and 
corrective actions, we reviewed and analyzed United States Computer 
Emergency Readiness Team (US-CERT) data on NASA's reported incidents, 
examined NASA security incident reports in the last two fiscal years, 
inspected plans for corrective actions and the implementation of the 
Security Operations Center, and interviewed NASA officials on how NASA 
corrected identified vulnerabilities. 

We performed our audit at NASA headquarters in Washington, D.C.; 
Goddard Space Flight Center in Greenbelt, Maryland; the Jet Propulsion 
Laboratory in Pasadena, California; the Marshall Space Flight Center in 
Huntsville, Alabama; and Ames Research Center at Moffett Field, 
California, from November 2008 to October 2009 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

[End of section] 

Appendix II: NASA Organization Chart: 

[Refer to PDF for image: organizational chart] 

Top level: 
Office of the Administrator: 
Administrator; 
Deputy Administrator; 
Associate Administrator. 

Reporting to the Office of the Administrator: 
Chief of Staff; 
Inspector General; 
NASA Advisory Groups; 
Chief Safety and Mission Assurance; 
Program Analysis and Evaluation; 
Chief Engineer; 
Program and Institutional Integration; 

Second level, reporting to the Office of the Administrator: 

Mission Directorates: 
Aeronautics Research; 
Exploration Systems; 
Science; 
Space Operations. 

Mission Support Offices: 
Chief Financial Officer; 
Chief Health and Medical Officer; 
Chief Information Officer; 
External Relations; 
General Counsel; 
Innovative Partnership Program; 
Institutions and Management; 
Security and Program Protection; 
Strategic Communications. 

NASA Centers: 
Ames Research Center; 
Dryden Flight Research Center; 
Glenn Research Center; 
Goddard Space Flight Center; 
Jet Propulsion Laboratory; 
Johnson Space Center; 
Kennedy Space Center; 
Langley Research Center; 
Marshall Space Flight Center; 
Stennis Space Center. 

Source: NASA. 

[End of figure] 

[End of section] 

Appendix III: Missions of NASA Centers and the Jet Propulsion 
Laboratory: 

NASA center: Ames Research Center; 
Mission: Provides leadership in astrobiology, small-satellites, the 
search for habitable planets, supercomputing, intelligent/adaptive 
systems, advanced thermal protection, and airborne astronomy. 

NASA center: Dryden Flight Research Center; 
Mission: Performs flight research and technology integration to 
revolutionize aviation and pioneer aerospace technology; validates 
space exploration concepts; conducts airborne remote sensing, and 
science missions; enables airborne astrophysics observation missions to 
discover the origin, structure, evolution, and destiny of the universe; 
and supports operations of the Space Shuttle and the International 
Space Station. 

NASA center: Glenn Research Center; 
Mission: Develops critical space flight systems and technologies to 
advance the exploration of our solar system and beyond while 
maintaining leadership in aeronautics. In partnership with U.S. 
industries, universities, and other government institutions, research 
and development efforts focus on advancements in propulsion, power, 
communications, nuclear, and human-related aerospace systems. 

NASA center: Goddard Space Flight Center; 
Mission: Expands the knowledge of Earth and its environment, the solar 
system, and the universe through observations from space. The center 
also conducts scientific investigations, develops and operates space 
systems, and advances essential technologies. 

NASA center: Johnson Space Center; 
Mission: Hosts and staffs program and project offices; selects and 
trains astronauts; manages and conducts projects that build, test, and 
integrate human-rated systems for transportation, habitation, and 
working in space; and plans and operates human space flight missions. 
Programs that Johnson Space Center supports include the Space Shuttle 
Program, the International Space Station Program, and the Constellation 
Program. 

NASA center: Kennedy Space Center; 
Mission: Performs preflight processing, launch, landing, and recovery 
of the agency's human-rated spacecraft and launch vehicles; the 
assembly, integration, and processing of International Space Station 
elements and flight experiments; and the acquisition and management of 
Expendable Launch Vehicles for other agency spacecraft. The center 
leads the development of ground systems supporting human-rated 
spacecraft and launch vehicle hardware elements and hosts the 
manufacturing of the Orion Crew Exploration Vehicles. 

NASA center: Langley Research Center; 
Mission: Pioneers the future in space exploration, scientific 
discovery, and aeronautics through research and development of 
technology, scientific instruments and investigations, and exploration 
systems. 

NASA center: Marshall Space Flight Center; 
Mission: Performs systems engineering and integration for both human 
and robotic missions. Marshall performs engineering design, 
development, and integration of the systems required for space 
operations, exploration, and science. The center also manages the 
Michoud Assembly Facility, which supports the unique manufacturing and 
assembly needs of current and future NASA programs and provides 
critical telecommunications and business systems for the agency. 

NASA center: Stennis Space Center; 
Mission: Implements NASA's mission in areas assigned by three agency 
mission directorates. The center manages and operates Rocket Propulsion 
Test facilities and support infrastructure for the Space Operations and 
Exploration Systems mission directorates, serves as Systems Engineering 
Center for and manages assigned Applied Sciences program activities for 
the Science mission directorate, and serves as federal manager and host 
agency of a major government multiagency center. 

NASA center: Jet Propulsion Laboratory; 
Mission: A contractor-operated federally funded research and 
development center that supports NASA's strategic goals by exploring 
our solar system; establishing a continuous permanent robotic presence 
at Mars to discover its history and habitability; making critical 
measurements and models to better understand the solid Earth, oceans, 
atmosphere, and ecosystems, and their interactions; conducting 
observations to search for neighboring solar systems and Earth-like 
planets, and help understand formation, evolution, and composition of 
the Universe; conducting communications and navigation for deep space 
missions; providing support that enables human exploration of the Moon, 
Mars, and beyond; and collaborating with other federal and state 
government agencies and commercial endeavors. 

Source: GAO analysis of NASA data. 

[End of table] 

[End of section] 

Appendix IV: Comments from NASA: 

National Aeronautics and Space Administration: 
Office of the Administrator: 
Washington, DC 20546-0001: 

October 9, 2009: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
United States Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

NASA appreciates the opportunity to comment on your draft report 
entitled, "Information Security: NASA Needs to Remedy Vulnerabilities 
in Key Networks" (GAO-10-4). In the draft report, GAO makes a total of 
eight recommendations intended to assist NASA in improving the 
implementation of its Agency-wide information security program. 

While NASA generally concurs with the GAO recommendations, I would like 
to note that many of the recommendations are currently being 
implemented as part of an ongoing strategic effort to improve 
information technology (IT) management and IT security program 
deficiencies previously identified through several NASA internal 
assessments. The ubiquitous use and reliance on IT at NASA, mixed with 
the rapidly changing and simple accessibility to new technology, make 
the size, scope, and timeline for improving IT management and security 
a complex, multiphase, and multiyear undertaking. Consequently, efforts 
toward improving IT management and the IT security program are at 
various stages of maturity. Although the IT security posture at NASA 
has significantly improved over the last three years, NASA recognizes 
there are still significant gaps that will require increased management 
attention and more time to alleviate. 

NASA views IT security not as a stand-alone set of activities, but 
rather as an embedded component within all aspects of IT, including 
management and governance. Deficiencies with IT security are often a 
result of systemic issues in the management of IT. To this end, NASA 
continues to implement improvements in IT management, adhering to the 
previously developed strategy for providing an integrated, secure, and 
efficient IT environment that supports the NASA mission. 

Specifically, GAO recommends the following: 

Recommendation 1: Develop and implement comprehensive and physical risk 
assessments that include mission-related systems and applications and 
known vulnerabilities identified in the security plans and waivers. 

NASA Response: Concur. NASA Procedural Requirements (NPR) 1620.2, 
Physical Security Vulnerability Risk Assessments, supports NASA Center 
management in meeting the responsibility of protecting NASA's assets in 
a cost-effective manner. It is designed to assist security officers in 
carrying out their responsibilities in support of management and the 
NASA Security Program. The results of the physical security 
vulnerability risk assessment are to be used to determine the 
appropriate level of protection needed to safeguard these resources 
adequately and economically. NPR 1620.3, Physical Security Requirements 
for NASA Facilities and Property, establishes standardized physical 
security requirements for specific categories of NASA assets. Paragraph 
3.10 of NPR 1620.3 refers to securing Super Computing Facilities and 
Data Centers. These NPR, Federal Information Security Management Act 
(FISMA), and National Institute of Standards and Technology (NIST) 
physical security requirements are incorporated into the Office of 
Protective Services' (OPS) recently re-defined functional review 
process. The OPS is on track for conducting a minimum of three 
functional reviews per year. It is projected that all Centers will have 
a completed comprehensive review by the end of 2011. Each Center will 
be assessed on a three-year cycle to assure ongoing physical 
protections of information technology assets are in place and in 
working order. In addition, the OPS will provide direction to all 
Centers to ensure that all vulnerability risk assessments older than 
two years old are revalidated within 12 months. It is understood that 
in many cases a level of security cannot be attained immediately due to 
funding constraints and at times geographical and/or environmental 
factors. In these cases, mitigating measures will be employed. In 
addition, Center physical security personnel will coordinate more 
closely with IT system owners in the preparation of system 
certification and accreditation packages. As plans of actions and 
milestones (POAMs) are developed, OPS will work collaboratively with 
the Office of the CIO (OCIO) to assure comprehensive and integrated 
security measures are implemented. 

Recommendation 2: Develop and fully implement security policies and 
procedures for malware, incident handling roles and responsibilities, 
and physical environmental protection. 

NASA Response: Concur. NASA's overarching security policy, NPR 2810.1B, 
Security of Information Technology, is currently under revision. This 
draft revision follows the requirements of NIST guidance contained 
within Special Publication 800-53r3 and includes the addition of 
policies and procedures for malware, incident handling roles and 
responsibilities, and physical environmental protections. Planned 
finalization and implementation of NPR 2810.1B is June 2010. NASA will 
issue an interim directive by November 1, 2009, communicating this 
requirement. 

Recommendation 3: Include key information for system security plans 
such as information from risk assessments and signed system 
interconnection security agreements. 

NASA Response: Concur. NASA will ensure the update to NPR 2810.1B 
includes the requirement to include key information from risk 
assessments and signed interconnection security within system security 
plans. Planned finalization and implementation of NPR 2810.1B is June 
2010. NASA will issue an interim directive by November 1, 2009, 
communicating this requirement. 

Recommendation 4: Conduct sufficient or comprehensive security testing 
and evaluation of all relevant security controls including management, 
operational, and technical controls. 

NASA Response: Concur. NASA has employed the services of a third-party 
independent assessor to conduct a comprehensive security test and 
evaluation of all relevant security controls, which includes 
management, operational, and technical controls, on a three-year basis 
or when there are significant changes to an information system. The 
NASA Office of the Inspector General has formally verified that the 
process used to evaluate the security controls as "Good." NASA is 
scheduled to reevaluate the current process by January 1, 2010, and, if 
necessary, make changes to improve the evaluation of security controls. 

Recommendation 5: Develop remedial action plans to address any 
deficiencies and ensure that master and subordinate IT system items are 
tracked and reported to the agency CIO in a timely manner so that 
corrective actions can be taken. 

NASA Response: Concur. By June 1, 2010, NASA will ensure that all POAMs 
from master and subordinate systems are located in a single 
authoritative repository, which ensures centralized tracking of 
security deficiencies and remediation. 

Recommendation 6: Update contingency plans to include key information 
such as contact information and approvals and describe an alternate 
backup site in a geographic area that is unlikely to be negatively 
affected by the same disaster event. 

NASA Response: Concur. By January 1, 2010, NASA will direct the 
third-party independent assessor of security controls to ensure that key 
information such as contact information and approvals and, when 
appropriate, that an alternate backup site is described, is included in 
the contingency plans as those systems are recertified and accredited. 

Recommendation 7: Implement an adequate incident detection program to 
include a consistent definition of an incident, incident roles and 
responsibilities, resources to operate the program, and business 
impacts of the incidents. 

NASA Response: Concur. NASA has implemented an adequate incident 
detection program. In 2009, the United States Computer Emergency 
Readiness Team formally validated that NASA has one of the best 
incident detection programs in the Federal Government. NASA is credited 
with identifying several zero-day vulnerabilities and exploits in 
commercial software in the previous three years. Additionally, by June 
1, 2010, NASA will: 

* Build out its incident detection capability during phase II of the 
Security Operations Center (SOC) implementation project; 

* Articulate across the enterprise a consistent definition of an 
incident; 

* Articulate incident roles and responsibilities through the update of 
the appropriate NASA policies and procedures relating to incident 
management; 

* Budget for the appropriate resources required to operate the incident 
management program; and 

* Ensure that business impacts of enterprise-wide incidents or mission 
critical activities are described during the reporting phase of the 
incident's management life cycle. 

Recommendation 8: Include all necessary security requirements in the 
JPL contract. 

NASA Response: Concur. NASA will develop security requirements for 
potential modification of the existing Jet Propulsion Laboratory (JPL) 
contract or follow-on by June 1, 2010. Any and all security 
requirements must be reviewed and accepted by JPL before inclusion into 
the legal and binding instrument. 

We will continue measures to mitigate the information security 
weaknesses identified in this report. If you have any questions or 
require additional information, please contact Jerry Davis at 
202-358-1401. 

Thank you again for the opportunity to review this draft report, and we 
are looking forward to your final report to Congress. 

Sincerely, 

Signed by: 

Lori B. Garver: 
Deputy Administrator: 

[End of section] 

Appendix V: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244, or wilshuseng@gao.gov 
Dr. Nabajyoti Barkakati, (202) 512-4499, or barkakatin@gao.gov 

Staff Acknowledgments: 

In addition to the individuals named above, West Coile and William 
Wadsworth (Assistant Directors), Edward Alexander, Angela Bell, Mark 
Canter, Saar Dagani, Kirk Daubenspeck, Neil Doherty, Patrick Dugan, 
Denise Fitzpatrick, Edward Glagola Jr., Tammi Kalugdan, Vernetta 
Marquis, Sean Mays, Lee McCracken, Kevin Metcalfe, Duc Ngo, Donald 
Sebers, Eugene Stevens IV, Michael Stevens, Henry Sutanto, Christopher 
Warweg, and Jayne Wilson made key contributions to this report. 

[End of section] 

Footnotes: 

[1] National Aeronautics and Space Administration Authorization Act of 
2008, Pub. L. No. 110-422, § 1001 (Oct. 15, 2008). 

[2] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347 (Dec. 17, 2002). 

[3] Pub. L. No. 85-568, § 102 (b) and (c) (1958) (codified as amended 
at 42 U.S.C. § 2451 (b), (c), and (d)). The Department of Defense 
retains the activities peculiar to or primarily associated with the 
development of weapons systems, military operations, or the defense of 
the United States. 42 U.S.C. § 2451 (c). 

[4] Federally Funded Research and Development Centers meet some special 
long-term research or development needs of the government and are 
operated, managed, and/or administered by either a university or 
consortium of universities, other not-for-profit or nonprofit 
organizations, or an industrial firm, as an autonomous organization or 
as an identifiable separate operating unit of a parent organization. 

[5] Figure 3 is neither intended to be a comprehensive illustration of 
the key mission network infrastructure at NASA, nor does it include 
protective elements such as firewalls and routers that are used to 
segregate networks. In addition, the drawing is purposely simplified 
and does not describe in detail the numerous networks at each center. 
Table 2 includes examples of other networks at Goddard, JPL, and 
Marshall. In figure 3, "other networks" include those of other federal 
agencies and NASA partners. 

[6] The Tracking and Data Relay Satellite System consists of several 
satellites in geostationary orbits around the Earth. 

[7] A cryptographic algorithm and key are used to apply cryptographic 
protection to data (e.g., encrypt the data or generate a digital 
signature) and to remove or check the protection (e.g., decrypt the 
encrypted data or verify the digital signature). 

[8] A firewall is a hardware or software component that protects 
computers or networks from attacks by blocking network traffic. 

[9] Wet pipe equipment is filled with water up to the automatic 
sprinkler head detection device. In contrast, dry pipe equipment does 
not deliver water into the pipes until an emergency occurs. Other 
automatic fire protection equipment does not use water but rather 
contains elements that remove oxygen from the room to extinguish the 
fire. 

[10] GAO, Information Security: Continued Action Needed to Improve 
Software Patch Management, [hyperlink, 
http://www.gao.gov/products/GAO-04-706] (Washington, D.C.: June 2, 
2004). 

[11] National Institute of Standards and Technology, Standards for 
Security Categorization of Federal Information and Information Systems, 
Federal Information Processing Standards Publication (FIPS PUB) 199 
(December 2003). 

[12] The waivers process constitutes the mechanism by which to document 
decisions to exceed the institutionally provided requirements and 
protective measures or accept additional risks. 

[13] OMB Circular A-130, Appendix III, defines a major application as 
one that requires special attention to security due to the risk and 
magnitude of harm resulting from the loss, misuse, or unauthorized 
access to or modification of the information in the application. It 
defines a general support system as an interconnected set of 
information resources under the same direct management control that 
shares common functionality. It normally includes hardware, software, 
information, data, applications, communications, and people. 

[14] 44 U.S.C. § 3544 (b) (5). 

[15] The Deputy CIO also evaluated NASA's remedial action process in 
October 2007 and stated that, due to the fragmented organization, not 
every center reports to the CIO headquarters diligently on corrective 
action plans for reported vulnerabilities discovered in the security 
testing and evaluation. 

[16] US-CERT is a component of the Department of Homeland Security and 
is responsible for analyzing and addressing cyber threats and 
vulnerabilities and disseminating cyber-threat warning information. 
Federal agencies, including NASA, are required to report security 
incidents to US-CERT. 

[17] 22 C.F.R. Subchapter M Parts 120-130. The International Traffic in 
Arms Regulations are promulgated by the U.S. Department of State under 
the Arms Export Control Act (22 U.S.C. 2778) for the control of the 
permanent and temporary export and the temporary import of defense 
articles and defense services. 

[18] The FAR was established to codify uniform policies for acquisition 
of supplies and services by executive agencies. The FAR appears in the 
Code of Federal Regulations in Title 48. See 48 C.F.R. 7.103 (u). 

[19] The actual contract language says "Documents referenced in the 
NASA policy 2810.1A are not applicable unless expressly incorporated in 
the Contract." 

[20] Chapter 2 of NASA Policy 2810.1A, the NASA Information Security 
Policy Manual, outlining the roles and responsibilities of senior 
management, IT Security System and Information owners, Center IT 
Security Supporting Functions, certification and accreditation roles, 
NASA Senior IT Security Management Working Relationships, etc. is 
specifically "not accepted" in the JPL contract. 

[21] Malicious code is also known as malware and, according to NIST, 
has become the most significant external threat to most systems, 
causing widespread damage and disruption, and necessitating extensive 
recovery efforts within most organizations. Malware refers to a program 
that is inserted into a system, usually covertly, with the intent of 
compromising the confidentiality, integrity, or availability of the 
victim's data, applications, or operating system or otherwise annoying 
or disrupting the victim. 

[22] "Bots" are infected machines under the control of persons other 
than the intended users that are used as proxies for attacks on other 
systems or for storage and distribution of pirated and other illicit 
content. 

[23] Trojan horses are nonreplicating programs that appear to be benign 
but actually have a hidden malicious purpose. Some Trojan horses are 
intended to replace existing files, such as system and application 
executables, with malicious versions; others add another application to 
systems instead of overwriting existing files. 

[24] GAO, Federal Information System Controls Audit Manual (FISCAM), 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: 
February 2009). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 
