Widespread neglect puts NASA's networks in jeopardy, Federal News Radio
"The most heralded federal agency is in serious risk of a major cyber attack and no one seems to care. Not NASA executives. Not the contractor hired to protect its end-user devices. And especially not the everyday employees who send rockets into space. Internal documents obtained by Federal News Radio indicate NASA has anywhere from hundreds of thousands to millions of out-of-date patches at every center across the country. Security Scorecard, a cybersecurity company, found as many as 10,000 pings coming directly from NASA's network to known malware hosts, some lasting weeks, if not months. Multiple sources say Hewlett Packard Enterprise (HPE), the contractor hired to protect NASA's desktops and end-user devices under a $2.5 billion contract called the Agency Consolidated End-user Services (ACES), is uncooperative at best and negligent at worst, and a major reason the agency's data and systems are at risk."
OIG Slams Both NASA and ACES Contractor, earlier post (2014)
"NASA's lack of adequate preparation prior to deploying the ACES contract together with HP's failure to meet important contract objectives has resulted in the contract falling short of Agency expectations. We attribute these shortcomings to several factors, including a lack of technical and cultural readiness by NASA for an Agency-wide IT delivery model, unclear contract requirements, and the failure of HP to deliver on some of its promises. In general, these issues fall into two categories: (1) issues related to the Agency's overall IT governance and (2) management and problems specific to the ACES contract."