FYI: NASA's Office Of The Chief Information Officer Is Still Broken

NASA OIG: Fiscal Year 2020 Federal Information Security Modernization Act Evaluation - An Agency Common System

"... We found that NASA had not assessed the Agency common control entitled SI-04, Information System Monitoring, since April 2015. Moreover, the control was classified in 2015 as "other than satisfied," but system security officials still had not taken appropriate action to address the control deficiency by developing either a POA&M or Risk-Based Decision document. Based on discussions with system security officials, both the overdue control assessment and the failure to develop either a POA&M or Risk-Based Decision document were the result of an oversight. However, we believe the oversight was caused, in part, by the Agency Office of the Chief Information Officer (OCIO) not prioritizing and allocating the personnel resources needed to address control weaknesses in the ACS system. Since the system has the ability to affect all NASA systems that inherit controls from it, we are concerned that NASA's failure to address the control deficiency could negatively affect the appropriate monitoring of all NASA systems."

"... Continued delays in accomplishing the work necessary to authorize the hybrid common controls system occurred because the OCIO did not prioritize the work and allocate the necessary personnel resources to meet their intended timetable. Based on discussions with the ACS security control manager, the OCIO assigned only two people on a part-time basis to address several known issues involving the ACS system and to develop the new hybrid common controls system. Consequently, the development and authorization of the new hybrid common controls system fell behind schedule."

"... We found that NASA did not develop or include cost estimates for remediation of any of the nine POA&Ms we tested. According to a representative from the OCIO, this occurred because, as a general practice, cost estimates are not included for POA&Ms. We take exception with this, as it is contrary to NASA guidance and inconsistent with best practices for administration and management of remediation efforts for known security weaknesses and vulnerabilities associated with information security controls."

- Two Decade NASA CIO Struggle To Implement Effective IT Governance, earlier post
- The NASA Office of the Chief Information Officer Is Still Broken, earlier post
- Earlier posts

  • submit to reddit

Kepler Communications - Aether
Baen Books - The Spacetime War by Les Johnson

Monthly Archives

About this Entry

This page contains a single entry by Keith Cowing published on December 29, 2020 10:49 PM.

NASA Employees: Has Management Told You If You Are Schedule F? was the previous entry in this blog.

Gil Moore is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.