From: NASA Office of Inspector General
Posted: Saturday, August 29, 2009
OA initiated this audit because of an issue identified during our audit of NASA's compliance with fiscal year (FY) 2008 requirements of the Federal Information Security Management Act (FISMA). Each year, the Office of Management and Budget (OMB) provides a FISMA reporting template for agencies to use in their annual FISMA reporting. The issue we identified related to the Agency's including information on its national security systems in the responses provided to OMB.
We found that NASA did not comply with FISMA requirements for the reporting of national security systems for FYs 2007 and 2008 because NASA had not clearly assigned this responsibility to a specific NASA office. Further, NASA had not formally designated an entity with appropriate resources to complete the annual independent evaluations of its national security systems required by FISMA. We notified the Agency about this issue in February 2009, and NASA immediately assigned the responsibility to the Office of the Chief Information Officer (OCIO). In response to our draft report, NASA assigned the Office of Protective Services (OPS) to work with the OCIO to gather and compile the required information to report to OMB and stated that a formal agreement with an independent entity was being developed. We consider management's proposed actions to be responsive and will close the related recommendation after verifying that the Agency has established a formal agreement with an entity with the appropriate resources to conduct the annual independent evaluation of NASA's national security systems.
We also reviewed the certification and accreditation (C&A) program for NASA's national security systems to determine whether it provided adequate information security protection. We concluded that C&A program implementation at most of the locations we visited (the NASA Centers [1] and NASA Headquarters) generally provided adequate protection. At three of the Centers, we found systems that lacked appropriate C&A documentation. We recommended that those Centers formally designate a certifier to ensure that Center systems maintain current C&As, which they have done. All of the report's recommendations are resolved or closed. As a result, NASA has reasonable assurance that its national security systems comply with national-level security requirements and maintain an appropriate security posture against current threat assessments at an acceptable risk level.
The report contains NASA Information Technology/Internal Systems Data that is not routinely released under the Freedom of Information Act (FOIA). To submit a FOIA request, see the online guide.
[1] Ames Research Center, Dryden Flight Research Center, Glenn Research Center, Goddard Space Flight Center, the Jet Propulsion Laboratory, Johnson Space Center, Kennedy Space Center, Langley Research Center, Marshall Space Flight Center, and Stennis Space Center.