NASA Inspector General Paul K. Martin today released a report that found significant weaknesses in the sanitization and disposal of NASA computers and hard drives used in the Space Shuttle Program. These weaknesses resulted in information technology (IT) equipment being sold or prepared for sale even though it still contained sensitive NASA data.
This Office of Inspector General (OIG) audit examined IT sanitization practices at four NASA Centers - Kennedy and Johnson Space Centers and Ames and Langley Research Centers - and found serious issues at each. We concluded that NASA did not ensure the proper sanitization of excess IT equipment before releasing it outside Agency control.
- Officials at Kennedy released to the public 10 computers that had failed sanitization testing and therefore may have contained sensitive NASA data. OIG auditors confiscated four other computers at Kennedy that had failed testing but were nevertheless being prepared for sale and found that one of these computers contained data subject to export control laws.
- The OIG found a lack of accountability for excess hard drives at Langley and Kennedy. The most serious of these issues was the discovery at Kennedy of hard drives removed from excess computers that were being stored in an unsecured dumpster accessible to the public (see full report for photos). We also found that while Langley was destroying hard drives before excess computers were released to the public, personnel at that Center did not properly account for or track the removed hard drives during the destruction process.
- Several pallets of computers at Kennedy's property disposal facility being prepared for sale contained external markings that included NASA Internet Protocol addresses. Release of Internet Protocol information could lead to unauthorized access to NASA's internal computer network.
We also found that Kennedy managers were not notified when computers failed sanitization verification testing; that no verification testing was being performed at Johnson or Ames; and that Kennedy, Johnson, and Ames were using unapproved sanitization software.
Because of the importance of the issues we found at Kennedy, the OIG immediately brought its findings to the attention of managers there, who took action to address the issues we identified.
However, because we also found weaknesses in the sanitization and disposition processes for IT equipment at the three other Centers we visited, we recommended that NASA's Chief Information Officer (CIO) initiate a review of sanitization procedures at NASA Centers nationwide to identify deficiencies, take corrective actions, and share best practices.
Specifically, we recommended that the CIO coordinate with NASA's Assistant Administrator for Strategic Infrastructure to ensure that Center property disposal offices have the requisite knowledge to ensure that excess IT equipment is adequately sanitized before being released to the public. We also recommended that the CIO revise NASA's IT disposition policy to include a sampling methodology for verifying sanitization of equipment, identify an acceptable risk level, and specify the percentage of equipment and frequency of testing needed to achieve that risk level. In addition, we recommended that the Centers be required to document their sampling methodology, identify responsible officials in writing, and maintain testing records and results.
In response to our recommendations, the CIO stated that NASA's policies would be updated and a new IT security handbook created by the third quarter of fiscal year 2011.
Overall, we did not consider the CIO's proposed actions responsive to our recommendations. Moreover, we were troubled that the CIO's response did not reflect the sense of urgency we believe is required to address the serious security issues uncovered by our audit.
"Our review found serious breaches in NASA's IT security practices that could lead to the improper release of sensitive information related to the Space Shuttle and other NASA programs," said Inspector General Martin. "NASA needs to take coordinated and forceful actions to address this problem across all of its Centers."
The full report can be found on the OIG's website at http://oig.nasa.gov/ under "Reading Room" or at the following link: http://oig.nasa.gov/audits/reports/FY11/IG-11-009.pdf
Please contact Renee Juhans at (202) 358-1220 if you have questions.