OIG Finds Problems in NASA IT Management and Implementation

Status of NASA's Transition to Internet Protocol Version 6 (IPv6), NASA OIG

"As of March 2010 the Agency did not have an updated or complete IPv6 transition plan as required by OMB. This occurred, in part, because the Agency has ample IPv4 addresses to meet its current and future requirements and because the individual who was leading the IPv6 transition effort left NASA in November 2006 and no one has been assigned to replace him. As a result, the Agency does not have adequate assurance that it has considered all necessary transition elements or that the security and interoperability of its systems will not be affected as other Government agencies and entities transition to IPv6. Accordingly, even if NASA can continue meeting its communication needs using IPv4 addresses, it should ensure that its systems are prepared as other Internet users transition to IPv6."

Information Technology Security: Improvements Needed in NASA's Continuous Monitoring Processes, NASA OIG

"Although the Agency concurred with that recommendation, NASA decided to implement a single Agency-wide inventory instead of Center-level inventories, which delayed implementation until at least September 2010. In this review, we found that the lack of complete and up-to-date inventories is a barrier to effective monitoring of IT security controls. Accurate inventory lists increase the effectiveness of an IT security program by providing a means to verify that 100 percent of the computers in the Agency's network are subject to configuration, vulnerability, and patch monitoring. Until NASA establishes a complete inventory of its network resources, Centers will be unable to fully implement these key IT security controls and NASA's IT security program will not be fully effective in protecting the Agency's valuable IT resources from potential exploitation."

Review of NASA's Management and Oversight of Its Information Technology Security Program, NASA OIG

"We found that NASA's IT security program had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited."


About this Entry

This page contains a single entry by Keith Cowing published on September 21, 2010 2:53 PM.
