
FYI: NASA's Office Of The Chief Information Officer Is Still Broken

By Keith Cowing
NASA Watch
December 29, 2020

NASA OIG: Fiscal Year 2020 Federal Information Security Modernization Act Evaluation – An Agency Common System
“… We found that NASA had not assessed the Agency common control entitled SI-04, Information System Monitoring, since April 2015. Moreover, the control was classified in 2015 as “other than satisfied,” but system security officials still had not taken appropriate action to address the control deficiency by developing either a POA&M or Risk-Based Decision document. Based on discussions with system security officials, both the overdue control assessment and the failure to develop either a POA&M or Risk-Based Decision document were the result of an oversight. However, we believe the oversight was caused, in part, by the Agency Office of the Chief Information Officer (OCIO) not prioritizing and allocating the personnel resources needed to address control weaknesses in the ACS system. Since the system has the ability to affect all NASA systems that inherit controls from it, we are concerned that NASA’s failure to address the control deficiency could negatively affect the appropriate monitoring of all NASA systems.”
“… Continued delays in accomplishing the work necessary to authorize the hybrid common controls system occurred because the OCIO did not prioritize the work and allocate the necessary personnel resources to meet their intended timetable. Based on discussions with the ACS security control manager, the OCIO assigned only two people on a part-time basis to address several known issues involving the ACS system and to develop the new hybrid common controls system. Consequently, the development and authorization of the new hybrid common controls system fell behind schedule.”
“… We found that NASA did not develop or include cost estimates for remediation of any of the nine POA&Ms we tested. According to a representative from the OCIO, this occurred because, as a general practice, cost estimates are not included for POA&Ms. We take exception with this, as it is contrary to NASA guidance and inconsistent with best practices for administration and management of remediation efforts for known security weaknesses and vulnerabilities associated with information security controls.”

Two Decade NASA CIO Struggle To Implement Effective IT Governance, earlier post
The NASA Office of the Chief Information Officer Is Still Broken, earlier post

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

One response to “FYI: NASA's Office Of The Chief Information Officer Is Still Broken”

  1. SC says:

    In other words… “nobody is taking any responsibility or doing the work!!”