Continuous monitoring of security controls is an essential element of an organization's IT security program. We found that NASA's processes for continuous monitoring of its operating system configurations, system vulnerabilities, and software patch levels were not fully effective for protecting critical Agency information resources.
For example, none of the four Centers we visited monitored operating system configurations on their computer servers to ensure they remained securely configured over time. Although all four Centers had implemented NASA's vulnerability management process that includes automated vulnerability discovery, prioritized remediation, and the quarantine of computers with unmitigated vulnerabilities, we found that this process could be improved by adding a control to provide assurance that 100 percent of the Centers' computer networks are continuously monitored. Similarly, the Centers could improve the implementation of their software patch management process by ensuring that all of the Centers' computers are included in the process. In a March 2006 OIG audit report, we recommended that Centers establish inventories of their computers.[1]
Although the Agency concurred with that recommendation, NASA decided to implement a single Agency-wide inventory instead of Center-level inventories, which delayed implementation until at least September 2010. In this review, we found that the lack of complete and up-to-date inventories is a barrier to effective monitoring of IT security controls. Accurate inventory lists increase the effectiveness of an IT security program by providing a means to verify that 100 percent of the computers in the Agency's network are subject to configuration, vulnerability, and patch monitoring. Until NASA establishes a complete inventory of its network resources, Centers will be unable to fully implement these key IT security controls and NASA's IT security program will not be fully effective in protecting the Agency's valuable IT resources from potential exploitation.
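The inventory-to-coverage check the report describes, as an added example that is not part of the OIG report or NASA's tooling: it reconciles an asset inventory against the hosts each monitoring control (configuration, vulnerability scanning, patching) actually covers and reports the gaps. Hostnames and the three control feeds are constructed sample data.

```python
# Added example (not from the OIG report): reconcile an asset inventory against the
# hosts actually covered by configuration, vulnerability and patch monitoring, so
# gaps in the "100 percent" coverage the report calls for become visible.
from dataclasses import dataclass, field


@dataclass
class CoverageReport:
    inventory_total: int
    missing: dict = field(default_factory=dict)   # control -> sorted unmonitored hosts
    unknown: list = field(default_factory=list)   # monitored hosts absent from inventory

    def coverage_pct(self, control: str) -> float:
        """Share of inventoried hosts covered by the named control."""
        if self.inventory_total == 0:
            return 0.0
        covered = self.inventory_total - len(self.missing[control])
        return round(100.0 * covered / self.inventory_total, 1)


def reconcile(inventory, monitored):
    """inventory: iterable of hostnames; monitored: {control: iterable of hostnames}."""
    inv = {h.strip().lower() for h in inventory if h.strip()}
    report = CoverageReport(inventory_total=len(inv))
    seen = set()
    for control, hosts in monitored.items():
        hs = {h.strip().lower() for h in hosts}
        seen |= hs
        report.missing[control] = sorted(inv - hs)   # inventoried but not monitored
    report.unknown = sorted(seen - inv)              # monitored but never inventoried
    return report


# Constructed sample data (hypothetical hostnames, not real NASA systems).
INVENTORY = ["srv-web-01", "srv-web-02", "srv-db-01", "srv-app-01"]
MONITORED = {
    "config": [],  # no configuration monitoring at all, as the report found
    "vuln_scan": ["srv-web-01", "srv-web-02", "srv-db-01", "srv-lab-09"],
    "patch": ["srv-web-01", "srv-db-01", "srv-app-01"],
}

if __name__ == "__main__":
    r = reconcile(INVENTORY, MONITORED)
    for control in MONITORED:
        print(f"{control}: {r.coverage_pct(control)}% covered, missing {r.missing[control]}")
    print("monitored but not in inventory:", r.unknown)
```

Hosts listed under `unknown` are the ones an incomplete inventory hides: they are being scanned or patched yet would never be counted when verifying that every Center computer is subject to all three controls.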
[1] "NASA's Implementation of Patch Management Software Is Incomplete" (IG-06-007, March 17, 2006).