(Washington, DC) - Today, the Government Accountability Office (GAO) released a report, Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks. GAO was directed by The NASA Authorization Act of 2008 (P.L. 110-422), which originated in the House Committee on Science and Technology, to review information security controls that protect NASA's information technology resources and information from inadvertent or deliberate misuse, fraudulent use, disclosure, modification, or destruction.
GAO found that although NASA has made important progress in implementing security controls and various aspects of its information security program, "it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates." GAO reported that NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. It said that a key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.
GAO also found that despite actions to address prior security incidents, NASA remains vulnerable to similar incidents. It said that during fiscal years 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information. To address these incidents, GAO reported that NASA established a Security Operations Center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture. Nevertheless, GAO said that the control vulnerabilities and program shortfalls that it identified collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services.
"GAO's findings reminds us that much remains to be done to ensure the security of all of our federal agencies' IT networks" said Committee Chairman Bart Gordon (D-TN). "Although cybersecurity has long been a priority for the federal government--Congress has passed 12 major pieces of legislation that address the issue since 1987, both the Clinton and Bush Administrations instituted major cybersecurity initiatives, and $7 billion annually is spent on various aspects of securing cyberspace--the threats to our systems remain. The Committee takes this issue very seriously. In addition to requesting the GAO audit of NASA's IT security in last year's NASA Authorization Act, we have already held three hearings on cybersecurity this year and are in the process of moving cybersecurity legislation. However, regulation and legislation alone will not suffice. Agencies and departments must follow through with corrective actions to mitigate identified vulnerabilities. GAO has performed an invaluable service to NASA by identifying weaknesses and recommending needed improvements."
NASA generally concurred with GAO's recommendations that the NASA Administrator take steps to mitigate control vulnerabilities and fully implement a comprehensive information security program.
"This GAO audit provides the NASA Administrator and his team with important information to strengthen its cybersecurity controls and processes. Correcting the vulnerabilities identified by GAO will take determination, time and focused leadership. We will continue to monitor NASA's performance in this important area," added Space and Aeronautics Subcommittee Chairwoman Gabrielle Giffords (D-AZ).
For more information, visit the Committee's website.