NASA flunks cybersecurity audit

The OIG reviewed the NASA cybersecurity plans of 29 agency and contractor IT systems and found that many failed to meet the IT security requirements of the Federal Information Security Management Act (FISMA). These requirements include IT security controls and contingency plan testing, certification and accreditation of contractor IT systems, and implementation of a process for managing IT corrective action plans to mitigate IT security weaknesses.

“We found that NASA’s IT security program had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited. These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program,” the report said.

The OIG report laid the blame squarely on the shoulders of NASA’s Office of the Chief Information Officer (OCIO). The OCIO did not have a formal policy for managing corrective action plans and did not follow best practices when it purchased a $3 million information system to manage those plans, a system that ultimately failed, the report said.

“Specifically, we found that the information system…contained corrective action plans for only 2 percent (7 of 289) of the 29 systems we sampled. In our judgment, the system was underutilized because OCIO did not fully document detailed system requirements prior to selecting the system and did not have users validate requirements via acceptance testing prior to implementing it. Because the information system contained minimal data and the manual process the Agency relied on was not consistently followed, OCIO’s management of corrective action plans was ineffective and did not ensure that significant IT security weaknesses were corrected in a timely manner,” the report continued.

The report recommended that the OCIO take the following actions to address cybersecurity gaps at NASA:

  1. Establish an independent verification and validation function to ensure that all FISMA and agency IT security requirements are met;
  2. Develop a written policy for managing IT security corrective action plans; and
  3. Adopt industry best practices, including documenting detailed requirements prior to system selection and conducting user acceptance testing before system implementation.

In response to the report’s recommendations, NASA CIO Linda Cureton said her office would take the following actions:

  1. Update policy to require independent assessments of IT system security controls to strengthen the verification and validation function by September 30, 2011;
  2. Develop a policy for managing IT security corrective action plans by May 16, 2011; and
  3. Develop a policy requiring that detailed system requirements be documented prior to system selection by May 16, 2011, and better enforce existing policy requiring user acceptance testing prior to system implementation.

The OIG said it was concerned that the first proposed action shifted responsibility for verification and validation of NASA IT security practices to third parties, such as the OIG and the Government Accountability Office.

“While these entities perform an important oversight role, the primary responsibility for establishing effective verification and validation practices for the Agency’s IT security program must reside with OCIO. Nevertheless, we will consider the recommendations resolved and will close each upon verification that management has completed the corrective actions,” the OIG concluded.

The NASA CIO declined to speak with Infosecurity about the OIG’s criticisms.