From: NASA Office of Inspector General
Posted: Friday, November 12, 2010
Annual Report, "Federal Information Security Management Act: Fiscal Year 2010 Report from the Office of Inspector General" (IG-11-005, November 10, 2010) Full report
This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Management and Budget (OMB) with our independent assessment of NASA's information technology (IT) security posture. For FY 2010, we adopted a risk-based approach in which we selected high- and moderate-impact non-national security Agency systems for review. We examined 40 systems that included systems from all 10 NASA Centers, NASA Headquarters, and the NASA Shared Services Center.
Although our audit work identifies challenges to and weaknesses in NASA's information technology (IT) security program, we believe that the Agency is steadily working to improve its overall IT security posture.
Our report to OMB cited that NASA established a program for certification and accreditation, security configuration management, incident response and reporting, security training, Plans of Actions and Milestones, remote access, account and identity management, continuous monitoring, business continuity/disaster recovery, and overseeing systems operated by contractors. However, we found that internal controls for these areas needed improvements.
The OMB will provide a consolidated report to Congress, which will include information from our report. However, as an "Intra-Agency Memorandum," our report is considered exempt from release under the Freedom of Information Act (FOIA); it also contains NASA Information Technology/Internal Systems Data that is not routinely released under FOIA. To submit a FOIA request, see the online guide.
We will update this summary when OMB's FY 2010 report is available online. (Last year's, FY 2009 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, was released by OMB on March 19, 2010.)
// end //