The NASA Office of the Chief Information Officer Is Still Broken

By Keith Cowing
NASA Watch
June 25, 2020

NASA OIG: Evaluation of NASA’s Information Security Program under the Federal Information Security Modernization Act for Fiscal Year 2019
“NASA has not implemented an effective Agency-wide information security program. SSP documentation for all six information systems we reviewed contained numerous instances of incomplete, inaccurate, or missing information. We also performed a limited review of the Agency Common Control (ACC) system, which aggregates and manages common controls across all Agency information systems, and found that many controls were classified as “other than satisfied,” indicating they had been assessed as less than effective. Moreover, the NASA Office of the Chief Information Officer (OCIO) has not addressed these deficiencies in the ACC SSP.
… Of the six information systems reviewed, we found that four were operating without current contingency plans. While three of the four systems eventually updated their contingency plans in RISCS during the course of our evaluation, these systems had been operating under outdated plans for as long as 4 years. The fourth system is currently operating under a 2016 contingency plan.
… Moreover, the number of systems without a current or available contingency plan in RISCS puts NASA at an unnecessarily high risk by hindering the Agency’s ability to recover information systems if needed in an effective and efficient manner, thus threatening the confidentiality, integrity, and availability of NASA information maintained in those systems.
… During our review of selected OCIO IT security handbooks and other related governance documents, we found that 27 of 45 documents had not been reviewed and approved in more than 1 year and 8 that had not been reviewed in over 3 years. OCIO policy states that IT security handbooks shall be reviewed or updated on an annual basis or more frequently if appropriate. However, the OCIO policy management process does not provide adequate oversight of this process or a reliable list of policies requiring review.”

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

3 responses to “The NASA Office of the Chief Information Officer Is Still Broken”

  1. Michael Spencer says:

    Is it possible in any way that having this position unfilled somehow benefits NASA? If so, how?

    • kcowing says:

      The acting CIO has been there for a while – so I am not certain it makes much of a difference. NASA needs to take this topic far more seriously than they have and they need to get leadership and support staff who also take this seriously to fix things once and for all. This is not a new problem.

  2. Michael Spencer says:

    Keith writes: “NASA needs to take this topic far more seriously”

    The political science people who study these things describe the fundamental differences between left and right (this is intended to be an even-handed description, not a political statement):

    A fundamental point of political philosophy by the Republican Party decrements the importance of government. Think back to Reagan’s famous “the government is the problem”; and popular phrases about “get the government off our backs”, and with regard to taxes “it’s your money”.

    This is a fundamentally opposite view taken by Democrats, who see governmental authority as a possible force for good and for social change.

    When folks vote, they decide which view suits them; and for some time, it’s been the former. So be it.

    But when the Republicans are elected they are faced with a bit of a problem: they are in charge of the very institutions they’ve decremented for so long. In extreme cases, as we’re now seeing, filling governmental posts isn’t seen as particularly critical. Complicating the view that governmental workers are somehow ‘feeding at the trough’, or part of a ‘deep state’.