The NASA Office of the Chief Information Officer Is Still Broken

NASA OIG: Evaluation of NASA's Information Security Program under the Federal Information Security Modernization Act for Fiscal Year 2019

"NASA has not implemented an effective Agency-wide information security program. SSP documentation for all six information systems we reviewed contained numerous instances of incomplete, inaccurate, or missing information. We also performed a limited review of the Agency Common Control (ACC) system, which aggregates and manages common controls across all Agency information systems, and found that many controls were classified as "other than satisfied," indicating they had been assessed as less than effective. Moreover, the NASA Office of the Chief Information Officer (OCIO) has not addressed these deficiencies in the ACC SSP. .

.. Of the six information systems reviewed, we found that four were operating without current contingency plans. While three of the four systems eventually updated their contingency plans in RISCS during the course of our evaluation, these systems had been operating under outdated plans for as long as 4 years. The fourth system is currently operating under a 2016 contingency plan.

... Moreover, the number of systems without a current or available contingency plan in RISCS puts NASA at an unnecessarily high risk by hindering the Agency's ability to recover information systems if needed in an effective and efficient manner, thus threatening the confidentiality, integrity, and availability of NASA information maintained in those systems. .

.. During our review of selected OCIO IT security handbooks and other related governance documents, we found that 27 of 45 documents had not been reviewed and approved in more than 1 year and 8 that not been reviewed in over 3 years. OCIO policy states that IT security handbooks shall be reviewed or updated on an annual basis or more frequently if appropriate. However, the OCIO policy management process does not provide adequate oversight of this process or a reliable list of policies requiring review."

  • submit to reddit





.
Battelle Research and Infrastructure.
Von Braun Symposium 2020.
Support SpaceRef, NASA Watch and the Astrobiology Web on Patreon.






Monthly Archives

About this Entry

This page contains a single entry by Keith Cowing published on June 25, 2020 10:26 AM.

Rethinking How And Who NASA Honors was the previous entry in this blog.

What Our Russian Partners In Space Are Doing Back On Earth is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.