NASA's Chief Information Officer Is Not Doing Their Job (Update)

Audit of NASA's Information Technology Supply Chain Risk Management, NASA OIG

"While NASA has improved its supply chain risk management efforts since the process was first mandated in 2013, we identified pervasive weaknesses in the Agency's internal controls and risk management practices that lead us to question the sufficiency of its current efforts. NASA's risk assessment process, when followed, often consists of a cursory review of public information obtained from Internet searches or unverified assertions from manufacturers or suppliers that the IT and communications products or services being acquired do not pose a risk of cyber-espionage or sabotage. Further, we found NASA does not consistently coordinate with the FBI in its review process. In addition, contrary to best practices the Agency's supply chain risk management practices do not require testing of IT and communication products to determine their authenticity and vulnerability to cyber-espionage or sabotage prior to their acquisition and deployment. Moreover, Agency policy excludes specific IT systems and flight hardware, such as equipment operated on the International Space Station, from risk assessment requirements. Overall, the Agency's weak controls have resulted in the purchase of non-vetted IT and communication assets, some of which we found present significant security concerns to Agency systems and data. In addition to our longstanding concerns about NASA's IT governance and security practices, the Agency compounds its security vulnerabilities by relying on ineffectual processes and information in its efforts to prevent risky IT products from entering its network environment."

NASA OIG Audit of NASA's Security Operations Center, NASA OIG

"Since its inception a decade ago, the SOC has fallen short of its original intent to serve as NASA's cybersecurity nerve center. Due in part to the Agency's failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in OCIO leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the Agency's IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities. Industry best practice for an effective SOC recommends a charter signed by stakeholders that explicitly details authorities and responsibilities. Such a charter would allow the SOC to more effectively push for the resources and the cooperation required to execute its mission. However, after 10 years the NASA SOC has no charter to govern its operations or outline its authorities. In addition, the SOC has no roadmap for moving from its current state to a future state of operation, a critical management tool for establishing priorities for continual improvement."

GAO: NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses, GAO

"NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended. NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures."

Keith's update: In less than 48 hours, three reports - one from GAO, two from the NASA OIG - have been released that show continued problems with NASA IT that NASA Chief Information Officer Renee Wynn has not been fixing. If you go to the NASA CIO website there is no mention of this report - or of any other reports that cite weaknesses in how the CIO manages NASA's IT infrastructure. Just what is it that Renee Wynn has been doing? None of the problems that were blatantly obvious when she arrived at NASA have been fixed.

If you read her "IT Talk" quarterly newsletter, her office seems to be preoccupied with everything but the important things that need to be fixed. Indeed, much of what her office likes to parade around as accomplishments has little if anything to do with what the CIO is supposed to be doing.

- GAO and OIG Agree: NASA CIO Is Underperforming, earlier post
- OIG: NASA's Operational Technology Systems Are Inadequate and Disjointed, earlier post
- NASA Still Has No Effective Information Security Program, earlier post
- NASA CIO Drops The Ball On ACES Authorization, earlier post
- Previous NASA IT Posts

About this Entry

This page contains a single entry by Keith Cowing published on May 24, 2018 9:17 AM.