NASA CIO Drops The Ball On ACES Authorization
NASA’s ‘act of desperation’ demonstrates continued cyber deficiencies, Federal News Radio
“One of NASA’s main networks used by almost every employee and contractor and managed by Hewlett Packard Enterprise is in such bad shape, the agency’s chief information officer could no longer accept the risk and let the cybersecurity authorization expire. Renee Wynn, NASA’s new CIO, didn’t sign off on the authority to operate (ATO) for systems and tools under the $2.5 billion Agency Consolidated End-user Services (ACES) contract, which HPE won in 2010. Under the 10-year contract, HPE provides and manages most of NASA’s personal computing hardware, agency-standard software, mobile information technology services, peripherals and accessories, associated end-user services and supporting infrastructure. A NASA spokeswoman confirmed the ATO expired on July 24. She said Wynn signed a “conditional” ATO for the systems under ACES, but internal NASA sources said the authorization is just for the management tools and not for the desktops, laptops and other end user devices. Letting an ATO expire on a major agency network is unheard of in government. Multiple federal cyber experts said agencies know at least a year in advance when an authorization and accreditation needs to be renewed.”
NASA Totally Flunks FITARA Scorecard 2 Years In A Row, earlier post
“I need to thank NASA’s AA for Legislative Affairs, Seth Statler, for pointing out the hearing – and NASA’s ‘F’ grade. NASA has the distinction in 2016 for being the only agency to get an overall ‘F’, so congratulations are in order. Of course, in telling everyone about FITARA, it is quite obvious that Statler was doing a little blame shifting as he spoke for NASA CIO Renee Wynn – while throwing her under the bus.”
– Earlier posts
Someone needs to put a temporary ban on anyone connected with NASA using the acronym “ACES”. It’s a spacesuit! No, it’s an upper-stage! No, it’s an IT re-structure!
It’s a floor wax and a dessert topping!
Yet another in a long line of examples of why the decision to centralize and contract out IT services within the agency was a major blunder, as every technically competent person warned it would be from the beginning. I long for the day when someone in authority at the agency will admit the original decision was wrong.
“I long for the day when someone in authority at the agency will admit the original decision was wrong.”
So the agency that can’t simply manage an experienced IT subcontractor can then somehow find the competence and technical know-how to do it themselves??
The decision wasn’t bad, but the execution was.
The agency had plenty of very talented IT system administrators (well, at least Langley Research Center did), who left when the unwise out-sourcing decision was made. You are right, however, that the decision was not bad; it was well beyond bad.
I agree with Mr. Chuck. Previously IT management was a responsibility of individual branches and contractors, and they did an excellent job because they worked directly with the people and specialized organizations they supported. IT is effective only when it is responsive to the needs of the individual organization. In fact, there is not much I can think of that is more intrinsic to a technical organization. Think about Apple. Traditionally each new employee, whether administrative or technical, was given a computer and required to figure out for themselves how to network it and set up their office equipment.
What’s the day-to-day impact of this? The article says the temporary ATO is just for management tools, but yet all the Feds here continue to use (and acquire new) ACES systems.
It seems to me desktop computers have become extremely complex with all the network intricacies and requires huge organizations with highly specialized people much of what they do is very mysterious (kind of like mainframe systems back in 1960s). With network security loaded with firewall and DRM baggage, doing basic stuff like configuring a printer becomes excruciatingly painful (i.e. how many have you done the alt-print and save bmp or cmd-shift-3 to later print a document on another system?). With all this complexity large organizations are ripe for spending a lot of resources on IT stuff that drains efforts away from their core mission.
It does not have to be that complicated. There are reasonably easy to use systems available under linux, apple and even windows, and people who want to learn more should be able to do more. When the first agency-wide IT support contract was implemented, and during an introductory briefing a speaker fromt he new IT contractor said he “might” give us root access to our own unix systems, I knew we were in trouble.