NASA OIG: CIO Cybersecurity Efforts Are Still Screwed Up

NASA OIG: NASA’s Cybersecurity Readiness, NASA OIG
“The Chief Information Officer (CIO) has struggled to implement an effective IT governance structure that aligns authority and responsibility with the Agency’s overall mission. … In FY 2020, the OCIO spent $278 million on IT, $74 million of which was budgeted for institutional cybersecurity. Separate from the OCIO, mission offices in FY 2020 invested $169 million on missionbased cyber management at locations around the country. … It is important to note that the OCIO–housed at NASA Headquarters, responsible for the overall implementation of cybersecurity measures at the Agency, and controller of institutional systems–does not have oversight or control over cybersecurity decisions within the Agency’s mission systems. …”
“We found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture. Enterprise Architecture (EA) and Enterprise Security Architecture (ESA)–the blueprints for how an organization analyzes and operates its IT and cybersecurity–are crucial components for effective IT management. Enterprise Architecture has been in development at NASA for more than a decade yet remains incomplete while the manner in which the Agency manages IT investments and operations remains varied and ad hoc. Unfortunately, a fragmented approach to IT, with numerous separate lines of authority, has long been a defining feature of the environment in which cybersecurity decisions are made at the Agency. The result is an overall cybersecurity posture that exposes NASA to a higher-than-necessary risk from cyber threats. We also noted that NASA conducts its assessment and authorization (A&A) of IT systems inconsistently and ineffectively, with the quality and cost of the assessments varying widely across the Agency. These inconsistencies can be tied directly to NASA’s decentralized approach to cybersecurity. … “
Earlier posts on NASA IT Problems