Recently in IT/Web Category

Keith's note: Another week - and another link check update for the NASA Office of International and Interagency Relations (OIIR) website and its chronic inability to do some basic HTML updates. It looks like someone tried to fix the "Helpful Links" page by deleting links and breaking other links. For starters, they do not seem to know where these links are:

- Executive Order for the National Space Council (here it is)
- White House Fact Sheet on the National Space Strategy (here it is)

This OIIR link for the International Space Station Crew Code of Conduct goes to a dead location. You can find it here at Cornell Law School: 14 CFR § 1214.403 - Code of Conduct for the International Space Station Crew or here at ESA or here at the Federal Register. No one seems to know where the International Space Station Bilateral Agreements are. Here they are from 1998 on NASA.gov.

All of the Space Policy Directives (SPDs) signed by the Trump Administration and previous Administrations (which are still binding unless rescinded or updated) have been removed from the OIIR website. The Space Foundation has everything nicely listed here on their website. No mention is made of the Artemis Accords - even though NASA continues to add signatories during the Biden Administration. The text is here on NASA.gov.

And since this is an International Relations page where are the links to all of those International space treaties that govern how the U.S. does things in space? No mention whatsoever. The United Nations has a nice list here.

You'd think that the largest space agency on Earth, with IT/Web budgets in the hundreds of millions of dollars, could create and maintain a simple web page with links that can be found in seconds via Google. People come to these websites looking for information only to find broken or absent links. I guess it's time for more memos and meetings on how to fix the links - even though I have repeatedly offered correct links for them to use - all they have to do is cut and paste. The people in charge of this website at NASA OIIR are lazy and/or inept. Seriously.

- NASA's Websites Need Some Attention, earlier post
- NASA Is Still Sleepwalking When It Comes to Policy Transparency, earlier post
- NASA's International and Interagency Relations Team Doesn't Bother To Update, earlier post

Keith's note: Last night I did a Google search for "nasa space station images". The second search result was this NASA webpage: "International Space Station Multimedia" which was last updated on 23 February 2021. If you click on the images you get "404" i.e. "not found" errors. The "future missions" that are listed happened years ago. Update: NASA saw our post and fixed the link so that it redirects here - to a link that actually works. This is what used to be there

The fifth search result is another NASA page "International Space Station Photo Highlights" last updated 12 March 2014 which also shows "404" when you click on the images which also have broken links. Update: NASA fixed the link so that it redirects here - to a link that actually works. This is what used to be there

Meanwhile, the Office of International and Interagency Relations (OIIR) links page is still filled with broken links and makes no mention of Artemis Accords among other things. NASA does not seem to care about being accurate any more - at least online.

Oh yes - this was tweeted by a reckoned space journalist in response to a @NASAWatch tweet about this issue a few minutes ago ... just sayin'

Keith's note: Below is the official NASA Social Media policy sent to me by NASA PAO last week. PAO has known for weeks that this official NASA Twitter account for its Deputy Administrator is non-compliant. They told me that they know. And yet they do nothing to bring it into compliance. Meanwhile NASA refuses to link to a wide range of external things which often support and enhance the reach of what NASA does - sometimes much better than NASA itself does. They tweeted a link to Ringo Starr to wish him happy birthday. That was sweet - but Ringo Starr or his company have no discernible connection to - or agreement with - NASA - do they? Why have an official policy if you just ignore it, NASA?

The NASA policy is below:

Keith's update: It took them a while but @NASA_Technology tweeted a link - a day after the procurement notice was issued. But there is still no mention of this NIAC opportunity on the NASA Technology Directorate or NIAC websites.

NASA OIG: NASA's Cybersecurity Readiness, NASA OIG

"The Chief Information Officer (CIO) has struggled to implement an effective IT governance structure that aligns authority and responsibility with the Agency's overall mission. ... In FY 2020, the OCIO spent $278 million on IT, $74 million of which was budgeted for institutional cybersecurity. Separate from the OCIO, mission offices in FY 2020 invested $169 million on mission-based cyber management at locations around the country. ... It is important to note that the OCIO--housed at NASA Headquarters, responsible for the overall implementation of cybersecurity measures at the Agency, and controller of institutional systems--does not have oversight or control over cybersecurity decisions within the Agency's mission systems. ..."

"We found that NASA's ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture. Enterprise Architecture (EA) and Enterprise Security Architecture (ESA)--the blueprints for how an organization analyzes and operates its IT and cybersecurity--are crucial components for effective IT management. Enterprise Architecture has been in development at NASA for more than a decade yet remains incomplete while the manner in which the Agency manages IT investments and operations remains varied and ad hoc. Unfortunately, a fragmented approach to IT, with numerous separate lines of authority, has long been a defining feature of the environment in which cybersecurity decisions are made at the Agency. The result is an overall cybersecurity posture that exposes NASA to a higher-than-necessary risk from cyber threats. We also noted that NASA conducts its assessment and authorization (A&A) of IT systems inconsistently and ineffectively, with the quality and cost of the assessments varying widely across the Agency. These inconsistencies can be tied directly to NASA's decentralized approach to cybersecurity. ... "

Earlier posts on NASA IT Problems

Keith's note: If you have been watching the space-themed photo ops from the Oval Office you have no doubt seen the Moon rock that President Biden likes to point at on the shelf. NASA can't get enough of that Moon rock love either. Bill Nelson was sworn in next to it.

Imagine what your average citizen might do to find out more about that Moon rock after seeing something on TV or on social media or reading about it in a newspaper. They'd go to NASA.gov. There is no picture of the Moon rock and Biden - but look, there is a search box, let's use that. Guess what happens when you search for "Biden moon rock" and "Biden moonrock". Nothing. When you search for "Biden Moon" you get a bunch of search results from the time when Biden was vice president. Of course if you go to Google and search, zillions of pictures show up instantly.

You'd think that someone in NASA PAO would have the smarts to adjust the search engine for obvious searches such that things that real people are interested in might show up in a search engine - especially when no obvious mention is made on the NASA home page. I know that they can do this since they have made adjustments to search results to feature items after some of my earlier posts. This might be a good one to feature.

Keith's note: Earlier today I posted NASA CIO's Open Data Thing Is Still Screwed Up. I went back to the CIO's data.nasa.gov page to see if their data collection is accessible to the public. I went to the "Technical Report Server" pull down menu and clicked on "Public Search" which sent me to NTRS - NASA Technical Reports Server. I searched for "astrobiology" and the top search result is Data Sharing in Astrobiology: The Astrobiology Habitable Environments Database (AHED).

I then went back to the main page and used the "NASA Science Archives" pull down menu and clicked on "List of other NASA Science & Mission Data Archives" which sent me to Data from NASA's Missions, Research, and Activities which was last updated 15 February 2017 (or 3 March 2020). There is no listing for the Astrobiology Habitable Environments Database (AHED). But I used Google and found that it is located here and was last updated 1 February 2021. According to the Internet Archive it existed as long ago as 25 November 2020 - before this CIO website update. The main contact for this page is someone in NASA PAO - not CIO - and the page just lists his name with no email link to report issues with this page.

If you go back to data.nasa.gov page and scroll down you will see "Other NASA Data Sites and Science Archives" which also includes a link to List of other NASA Science & Mission Data Archives (mentioned above.) This section also has a highlighted piece of text that blinks when you scroll over it (but does not link to anything) which says "submit an issue if you know of another NASA data site that should be included". I clicked on it again hoping to be able to report this omission but this is not a link - just a thing that changes color when you scroll over it. How useless.

Didn't anyone at NASA OIG do some link checks and simple sanity checks via Google before putting this site online? It took me longer to write this up than to find this error - and I was not even looking for an error. What other broken things lurk within this new data website from the crack NASA CIO web team?

- NASA CIO's Open Data Thing Is Still Screwed Up, earlier post
- NASA Ignores Science Websites - Loves Rocket City Trash Pandas, earlier post

But wait: there's more:

If you look at the top of the Data.nasa.gov site whose real address is https://nasa.github.io/data-nasa-gov-frontpage/ it says "An official website of the United States government Here's how you know". Click on the link and it expands to say "The .gov means it's official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site."

OK, since you are trying to reassure people, this site's address ends with .io not .gov or .mil. So what does that mean? Answer: "The Internet country code top-level domain .io is assigned to the British Indian Ocean Territory. The domain is administered by the Internet Computer Bureau, a domain name registry company which is a subsidiary of Afilias and is based in the United Kingdom" according to Google.

So, are taxpayers supposed to be reassured that this is an official U.S. government website - and that they can upload data - when you openly tell them that it uses an address run by a company in the UK licensed from the British Indian Ocean Territory "a British overseas territory of the United Kingdom situated in the Indian Ocean halfway between Tanzania and Indonesia."? Doesn't the NASA CIO have a proof reader they can run this stuff by?

Keith's note: NASA PAO and SMD have repeatedly told me that the NASA Astrobiology program's Twitter account @NASAAstrobio and its official website would be unable to link to or follow my twitter account @Astrobiology (with nearly 22,000 followers) or its companion website Astrobiology.com which ranks in the 3rd - 4th search results for "astrobiology" on Google, Yahoo etc. - globally - and has for decades (since 1996 to be exact). If you go to Google and search for "astrobiology" and then click on news you will see that astrobiology.com totally dominates the first four pages of search results. A single NASA result only shows up on the fourth page. I think it is not an exaggeration to say that these Astrobiology efforts on my part are of some interest and value to the Astrobiology community and the public as a whole, yes?

But PAO and SMD say no, Keith. NASA websites and Twitter accounts can only follow other NASA sites, or select government agencies, or things wherein a formal relationship has been established with NASA, they say. And they claim that this is official NASA policy - except they have never provided me with a copy of the actual, formally adopted/baselined NASA policy on such things. This is all very seat of the pants. They just throw some words in an email and hope that I will just go away. It is baffling that they'd not want to help their Astrobiology community gain access to news about NASA's own research results. But no. FYI they also ignore all of the scientific journals that publish NASA Astrobiology research. Why be useful, eh?

So ... I wondered if other official NASA accounts followed this official NASA web policy. So I went to the official NASA Marshall Twitter account @NASA_Marshall and looked at the official NASA accounts that it follows. Some of my favorite official NASA Twitter accounts that @NASA_Marshall follows include: Rocket City Trash Pandas @trashpandas; JOXRoundTable @JOXRoundtable; Josh Dobbs @josh_dobbs1; Karen Kilgariff @KarenKilgariff (TV/VCR Repair); My Favorite Murder @MyFavMurder; Melissa Joan Hart @MelissaJoanHart; NelsonMandela @NelsonMandela; Ellen DeGeneres @TheEllenShow; and Smokey Bear @smokey_bear. That's just from the first two pages.

Can someone at NASA PAO please explain this to me? Do you actually have a policy - one that is enforceable - and enforced? If so can you send it to me - but wait - please include explanations as to why your own websites ignore that policy, if you don't mind. Oh yes: is there a waiver process that allows the Rocket City Trash Pandas to be considered equal to an official NASA account? I'd love to read the justification. Just wondering. Have a nice day.

Keith's note: In my 27 March 2021 posting about yet another mess at the Chief Information Office "The NASA CIO OpenNASA Website Has Expired - Further" (updated on 19 April 2021) I documented how out of date the NASA CIO's website on open data was. This is what it looked like on 23 April 2021 - showing an update of 2 April 2021 and a responsible official who left NASA in 2018. Well, it looks like they read NASAWatch and have been busy after allowing the site to sit out of date for several years. This happened mere days after this was mentioned on NASAWatch. What a coincidence.

The new site says "Data.nasa.gov is the dataset-focused site of NASA's OCIO (Office of the Chief Information Officer) open-innovation program. There are also API.nasa.gov and Code.nasa.gov for APIs and Code respectively. Open.nasa.gov is the central page for open-innovation sites and acts as a home for the datanauts program, which is a public outreach program where members of the public work with NASA datasets." What is weird is that there is no longer an "Open.nasa.gov" page - unless you search the Internet Archive (as I did above). But NASA still refers to it as if it exists.

Interestingly if you go to the old address of https://open.nasa.gov/ you get redirected to a site labelled http://data.nasa.gov which instantly redirects you again to a site outside of NASA's firewalled web service https://nasa.github.io/data-nasa-gov-frontpage/. https://nasa.github.io/ is the site hosting the new (old) open.nasa.gov. GitHub is a company. It is not a government agency, non-profit, or educational institution.

Modernizing Science Websites, Thomas Zurbuchen

"More so than ever, our Science Mission Directorate (SMD) websites are the front-door to our worldwide community of enthusiasts and learners. Upon an in-depth analysis of our web presence, I believe it is time for us to elevate the way we communicate and enhance the breadth of our audiences using a focused approach on great content, and best-in-class optimization techniques. As with all of our communication activities, we will do this as one team, and driven by the desire to enhance the impact and inspiration of our science throughout. This is a core-element of our NASA Science strategy, which focuses deliberately on inspiration and communication."

Keith's note: I just became aware of this blog posting by Thomas Zurbuchen. This is music to my ears. As I have noted below (and for many years) NASA's web presence is out of date, broken, and counterproductive - in the extreme. This is not what you'd expect Earth's pre-eminent space agency to put forth as its public face. As some of you may recall Jim Bridenstine set the process in motion exactly years ago. For the most part NASA has dragged its feet on the issue of improving its web and social media presence. Large portions of NASA simply ignored Bridenstine's direction in favor of their stovepiped efforts. Now SMD is going to bite the bullet and fix things once and for all. Let's see what SMD does. Since SMD is responsible for roughly half of what NASA does in one way or another it could set an example for the rest of the agency. Oh yes: Kathy Lueders has noticed.

- Dysfunctional Science Websites At NASA, earlier post
- NASA Has Had A Year To Reorganize Their Web Presence. Did They?, earlier post
- NASA Just Can't Stop Doing Web Stuff Twice UPDATE: Three Times, earlier post
- Dueling NASA Websites Update, earlier post

The NASA CIO OpenNASA Website Has Expired

Keith's update: It has been 3 weeks since this post and not much has changed - except that the page was supposedly updated on 2 April 2021 (but shows a responsible NASA official who retired several years ago). And if you go to the Datanauts link you get a broken link error "Not Found The requested URL /explore/datanauts/ was not found on this server." Typical NASA CIO. When they try to fix things they just end up breaking more things instead.

Keith's 27 March note: The NASA Office of the Chief Information Officer is charged with lots of things and has dabbled over the years in "Open Government" - something that the Obama Administration championed and the Trump people ignored. There is a website called OpenNASA that is supposed to be a focal point for NASA's engagement in Open Government. When you click on the NASA Open Government Plan (the "most recent" report from 2016) you see a CIO who left NASA a year ago. The current CIO seems to have had no interest in revising this activity.

Let's look at the OpenNASA main page. Note that it says: "Page Last Updated: Dec. 4, 2019 April 2, 2021 Page Editor: Jason Duley NASA Official: Beth Beck". Beth Beck retired from NASA in 2018. And yet she is listed as the NASA official on virtually all of the OpenNASA pages. Anyone from outside NASA who wants to contact Open NASA is going to have a hard time. As a matter of fact, despite being established to promote openness, this website has no way to contact the page's authors or the NASA CIO. No link or email address or phone number. Nothing. Isn't this a little ironic that the NASA CIO makes it hard to interact with all of this supposed openness? In fact, this site does not even have a link to the NASA CIO organization itself - or even to NASA.gov.

But wait there's much more.

Let's look at the top menu items (all pages have "Page Editor: Jason Duley NASA Official: Beth Beck"). So even though she left NASA nearly 3 years ago she is listed as the responsible NASA official. Unless of course she is not and the CIO folks have not found a replacement. That said some pages still list her as the responsible official even though they were updated several years after her departure. So how do you contact this program? BTW email addresses are not provided for either Beth Beck or Jason Duley.

earlier post

Keith's note: By now you must be bored with my daily critique of how NASA organizes and presents itself to the public, policy makers, news media, and the rest of the world - especially when it comes to education. (see Fixing Education And Outreach At NASA. Part 1: STEM Engagement Office) To virtually everyone, everywhere, NASA.gov online resources are how people learn what NASA does - and where they go to find out what it can do for them. As such you'd expect that the agency would spend the resources needed to put forth the best online face. Guess again. (see NASA's Web Presence is An Amazing Mess).

As you may know the Trump Administration tried to defund the NASA Education Office. But Congress thwarted that. But in a compromise to soothe some political issues they changed the name to the "NASA STEM Engagement Office". While the name is not exactly obvious, whatever you call NASA's main education organization should be the focal point for the agency's education efforts - STEM and otherwise.

That said, the NASA STEM Engagement Office only links to some of the agency's ongoing educational activities and many of the field centers, directorates, missions, and other programs with overt educational interests and content, do not bother to link back to the NASA STEM Engagement Office. And if they do link back they do so indirectly and rely on a web visitor to guess where the link is. And in the case of NASA JPL, well, they simply ignore NASA HQ. But that is another story.

Now there is talk of a massive infrastructure bill to be proposed by the White House which seeks to revitalize things all throughout the government and the economy. Maybe NASA can grab some of that funding and focus it on its education and outreach problems - and not on yet another shiny office building for SES and GS-15 employees.

Here's my latest flyby analysis of how badly NASA coordinates its education activities online. It is hard to see more than a superficial semblance of an agency-wide coherent approach to presenting and integrating education and outreach. But you already knew that, right?

Keith's note: You may have noticed that I am doing a global critique of NASA's education and public outreach activities. The prime public face that NASA puts forth - the way it explains itself to the public - are its websites and social media. NASA lives to brag about the sheer size of what they do online - which is easily the most diverse and pervasive of any American government web activities - one with a branding that has a truly global reach - an enviable one at that.

Alas, NASA's online presence is so huge that people find information in spite of how NASA organizes things. While there are some very useful, engaging NASA web resources, much of what NASA has online is out of date, broken, and duplicative. If you raise this issue with NASA they immediately pivot and start talking about the vast audiences they had for their last landing. NASA mistakes the sugar high that they get from these spectaculars for the day-to-day, routine use of its online resources by the people who pay for all of the space stuff. And I am going to point this out.

I have been doing things online for 25 years - as long as NASA has. We have co-evolved. Indeed, over the years I have been called in to review NASA sites and regularly interact behind the scenes on how all of this works - often highlighting broken things that need fixing. And I am certain that if you ask Jim Bridenstine who one of his tutors on Internet usage was as he hit the ground running you might hear my name. As for that memo he sent out two years ago directing fixes to NASA's Internet presence, contrary to rumors, no, I did not write it. But ...

When NASA puts out a product - be it a YouTube video, a press release, a pamphlet, or a sticker they do not put "Google NASA". No. They put "NASA.gov". As such it behooves NASA to make their websites the most engaging and easy to navigate once a visitor arrives. And NASA needs to make sure that the parts of NASA that overlap and collaborate on missions and programs also collaborate online and not resort to stovepipes, walled gardens, and duplicated content. Oh yes: the search engine that NASA offers returns woefully inaccurate, often goofy research results.

Keith's note: Earlier this week I pointed out that a search for "education" on the NASA.gov website did not even find the main STEM Engagement Office link. So someone went in and modified the search results by hand. Then I mentioned that if you search for "science" you get a "Planet 9" link but no mention of SMD. No one bothered to fix that. Now there are the results you get for a search for "astrobiology". I wonder what happens when you search for "aeronautics" ...

Keith's note: Websites are a thing that people have been doing for a quarter of a century. Despite all of the fancy graphics and tricks there are some basic things a good website should do. NASA has lots of websites - more than any other government agency. The agency's Internet reach is truly global. But it gets this global reach in spite of itself. Its web presence is a jumbled mess with endless actors competing with one another to get their message out without any thought to collaboration or strategic intent.

If you go to a website for an organization or company you will see an "about" menu item. If you check the menu underneath you will see "About us"; "Who we are", "What we do", "Where we are", and "How to contact us". You might also see something like "audience" or "product categories". Under "About us" "who we are" explains where the website sponsor came from and who the "management", "Advisors", and other significant personnel are. "What we do" explains what they sell or offer as service. "Where we are" describes factory or sales or operations locations. "How to contact us" offers email addresses, physical addresses, phone numbers, online query forms or other means whereby you can make contact.

NASA tries to do some of this but mostly stumbles into itself, creates dead ends, rabbit holes, and is beset by the stovepipe mentality rampant within the agency wherein everyone does their own thing no matter how redundant it may be. In many cases, as I have noted before, NASA often has 2 or more websites covering the same mission or topic since it is easier to avoid food fights and turf battles by tolerating the status quo.

Jim Bridenstine ordered the agency to fix its website mess in 2019 (see Overhauling NASA's Tangled Internet Presence). The situation existed in 2017 (see Dueling NASA Websites Update) and 2011 (see NASA's Inability To Speak With One Voice Online) and so on. The 2019 action to fix things went to CIO and PAO. They did nothing for a year and then tossed it to the NASA Chief Scientist's office. Supposedly there is something under development but since nothing has changed in the past two years since an action was assigned I am dubious of its imminent arrival or value.

So let's take another swipe at what is broken. If you go to NASA.gov and go to "About" in the top menu and click on leadership all you get is a short bio of Acting NASA Administrator Steve Jurczyk. No one else is mentioned. You have to go to Organization to get that information. Oddly, all of the people listed are indeed the agency's leadership but they are not listed on the leadership page. All of the field centers are listed at the bottom of the leadership page with a one sentence listing of their specialties. But if you go to the org chart from August 2020 many of the locations are not even mentioned - Wallops, White Sands, Michoud, IV&V, Safety etc. (Shared services and JPL are shown in different places).

If you go to locations there is also a list of the NASA field centers but no mention is made of what they do (unlike the leadership page which at least gives a few key words for what each center does). Moreover if you visit each of NASA's locations (field centers) they only talk about themselves and rarely (if ever) talk about other NASA field centers. Indeed, they often take NASA HQ press releases and modify them to have a local feel with local contacts. If you land on one of these field center websites you'd be almost certain to not know that there are any other field centers operated by NASA. One would also think that an explanation of what each field center does and what areas it serves would be prudent. But then again, if you read the content on each of the sites, you'd be forgiven for thinking that each field center does everything that NASA as a whole does. As such, a chart showing what they do would be pointless since every field center would fight to have every box checked for every topic - even if they only do a tiny piece of that work.

One extreme example is JPL. If you go to the NASA JPL website and click on the NASA logo you go to ... the site you are already reading. The only place you can find a link to NASA on NASA JPL main page is at the absolute bottom of the page on the left hand side in small type. Talk about burying visibility of NASA outside of JPL.

But back to NASA.gov. If you look at the options under "NASA Audiences" you have 3 to choose from: Media, Educators, Students. There is nothing for "Scientists/Engineers", "Business Interests", or "Policy Makers". There are topical links but they lead you away from most of what the agency has online. Try "Solar System And Beyond". There is no link to the NASA Science Mission Directorate where all of this stuff is done. The "The Search for Life and Exoplanets" page makes mention of the Astrobiology program or the multibillion dollar Mars Perseverance mission and its "mobile astrobiologist". If you go to the Earth page there is zero mention of the major effort by the White House to address climate change. And despite having the word "aeronautics" in its name - there is no obvious link to "aeronautics" at NASA.gov.

Given that the Biden Administration is all about SCIENCE - with the tagline #ScienceIsBack in frequent use, you'd think that there would be more of a focus on helping visitors find all of the science goodness at NASA - both for the general public and for actual scientists and policy makers. Good luck with that. If you use the Search box on the upper right hand side you get results that are a mix of specific and general, and that are old and new. No strategic thought of presenting topics of relevance to current policy discussions is presented in a strategic, prominent fashion.

But NASA does have some amazing online research and search capabilities. You can only find them if you know in advance to look for them. NASA.gov is of no help. NASA.gov and its subsidiary pages make no up front mention of these NASA funded search resources. One example is PubSpace - a NASA partnership with the PubMed Central (PMC) repository, hosted by The National Institutes of Health, to provide public access to peer-reviewed papers resulting from NASA-funded research. One page buried deep inside the website sends you here where only NASA folks seem to be welcome. The public? No mention. But if you know to go to the actual PubSpace site hosted by NIH - well, everyone is welcome.

Then there is the treasure trove of 70-plus years of NASA and NACA information at NASA Technical Reports Server (NTRS) which "provides access to NASA metadata records, full-text online documents, images, and videos. The types of information included are conference papers, journal articles, meeting papers, patents, research reports, images, movies, and technical videos - scientific and technical information created or funded by NASA." You can't find it anywhere prominent via NASA.gov.

NASA JSC posted this the other day: International Space Station Archives Fuel New Scientific Discoveries: "That legacy is evident in a publication by Cell Press, a collection of scientific journals that recently compiled 29 papers on the biology of spaceflight or the study of how space affects the human body. A number of the papers relied on the NASA Life Sciences Data Archive (LSDA) and NASA's Genelab, two repositories that contain decades of biological samples and data from the International Space Station." Cool stuff, eh? Worth telling the world about, don't you think? Go to the Humans In Space page. No mention of either database. Go to the International Space Station link. No mention of either database. Go to Space Station Research and Technology. No mention of either database. Indeed go to Let's Explore Space Station Science with a searchable database. No mention of either database.

Another overlooked resource is the extremely comprehensive NASA Spaceline which is "compiled weekly, contain citations to articles from peer-reviewed journals and other recent publications of interest in the space life sciences." It is buried on the NASA Taskbook website which no one in the real world ever hears about. The ISS Program Office and CASIS make no mention of this listing of their own research results. Indeed, the only complete archive is on our SpaceRef website back to 1999. NASA's support for this service has wavered - but we did a diving catch to make sure it was not lost. So ... I could go on - but I have been doing that for decades. Have a look here.

When it comes to stunning imagery and stories of the moment, NASA constantly manages to thrill, awe, and stun the world with its audacious accomplishments. Yet the same agency manages to hide much of its treasures - thus limiting the full impact of its discoveries and limiting its ability to have an impact beyond its comparatively small governmental sandbox. Maybe the Biden folks will fix this once and for all.

Keith's note: NASA JPL and NASA SMD recently put out a press release "6 Things to Know About NASA's Mars Helicopter on Its Way to Mars". Helicopters. Hmmm .. that's aeronautics. You'd think that the Aeronautics part of NASA would be mentioned. The word "aeronautics" appears nowhere. Nor is anything related to aeronautics on NASA's various websites linked to. If you go to the JPL press kit link for Ingenuity the word "aeronautics" appears nowhere. If you download the actual press kit the word "aeronautics" appears twice. Once in the agency's name (National Aeronautics and Space Administration) and then again on page 31 where it says "The Mars helicopter technology demonstration activity is supported by NASA's Science Mission Directorate, the NASA Aeronautics Research Mission Directorate, and the NASA Space Technology Mission Directorate". There is a page describing how it flies, but no mention or linkage is made of anything that NASA has been doing in Aeronautics since its inception 3/4 of a century ago.

Moreover, there is no discussion as to how it is possible to fly anything on a world with an atmosphere only 1% the thickness of Earth's. There is a great teaching experience that is being ignored. And of course no mention is made of any educational tools even though the NASA STEM Office has them and the JPL mission site has several - which are buried within the website.

Although NASA's Aeronautics Research and Space Technology Mission Directorates are listed as participants, neither the Space Technology Mission Directorate website nor the Aeronautics Directory website makes any mention of Ingenuity. There is no mention in the Aeronautics programs page. But ... if you click on the "more stories" link at the bottom of the Aeronautics page - 6 times - and go back in time 7 months there is a single story on Ingenuity. The landing is 3 weeks away. Why isn't this sort of stuff being promoted?

And of course, in addition to not bothering to cross-coordinate within NASA's internal participants in this mission, NASA is not content with one official Mars 2020 Perseverance website. So they have two - one at NASA HQ and the other at JPL. As I have noted before, neither of these two official Mars 2020 websites link to one another and yet they duplicate each other's content. That's two web development teams at twice the cost working on the same thing.

And if you go to the JPL site and use the drag down menu for "spacecraft" you only get options for "Overview", "Rover", "Instruments", and "Rocket" none of which mention the Ingenuity helicopter. None of the links under "Timeline" mention Ingenuity either. Under "mission" only "technology" mentions Ingenuity. It's almost as if NASA is not interested in spending more than minimal effort on this helicopter. Oh yes, they have invested around $80 million on Ingenuity.

NASA is less than 3 weeks away from landing Perseverance and Ingenuity on Mars. The agency has had years to get the PR and outreach stuff into place. And yet their websites are not at all synched up with one another, are badly designed in terms of navigation, and often needlessly duplicate one another by creating parallel stove pipes. This is not a new problem. If you read NASAWatch then you have had to endure my rants about this. Last week I did an exit interview with Jim Bridenstine and I brought this up:

"NASAWATCH: This reminds me of something. When I look at the Mars 2020 mission it is going to be flying a little drone - the Ingenuity helicopter. Right off the bat you just look at this thing and you think OK, this is aeronautics. Reynolds numbers and all of that. People can't imagine that you can fly on Mars but it is actually quite easy to do. And then you think about it a bit further and ask where are drones being used on Earth? You just mentioned agriculture. People are using them in agriculture and are combining GPS and geolocation and satellite imagery from smallsats. You would think that you should be going over to the NASA Aeronautics or Technology websites to see how they are helping with the Mars 2020 mission. But they do not talk about it. And if you go to NASA's Earth Science website - which is run by the very same Science Mission Directorate that runs Earth Sciences they do not talk about it either. There is an obvious analog there. And what is the most popular gift under many Christmas trees? Drones. You would think that this would be such a no brainer sort of thing to be highlighting and yet you do not see it being done.

So - my question (there is one here) NASA buys its stove pipes by the truckload when it comes to outreach. You put a memo out in May 2019 that says 'OK we are going to cut down on the number of websites and make them more interactive'. From what I am told, and I regularly highlight this on NASAWatch, zero progress has been made. Why is it that NASA doesn't seem to want to tell a single, coordinated story about what it is doing. The various parts of NASA all seem to want to go off in their own little direction."

Think of all of the students and farmers in agricultural communities who are missing out on a no-brainer link between things that are important in their world and something that NASA is doing on Mars. What a colossal missed opportunity.

Yes, there will be crazy web traffic for one day for the landing. One day. That's it. NASA seems ill-prepared for the months and years to follow. How many people know or care that Curiosity has been there for years? Show of hands please. And that Moon rock in the Oval Office? It is last week's news.

NASA is forever whining and complaining about the way that the news media covers things and what the public does or does not think about what NASA does. The same goes for what Congress thinks. Now a new Administration seeks to renew a strong focus upon the role of science in government decision making. You would think that NASA would have taken this task to repair and upgrade its website seriously - perhaps not for the previous Administration, but certainly for the new one. Bridenstine's memo and direction was issued nearly 2 years ago. Nothing has been fixed - as noted above. There are urban myths within NASA about some sort of website upgrade but it will likely be equally out of date when it finally manages to crawl online.

But who cares? If NASA cannot get its team together to provide a coordinated, easy to understand story about what it does - the whole space exploration thing - why it does it, and how it does it, then how can they expect people to support billions of dollars being spent on it - especially during a time of pandemic, economic desperation, and political unrest? Trillions of dollars are being devoted to keeping our nation afloat and all spending priorities - big and small - are under the relevancy microscope.

But wait - there's more: in that very same constrained budgetary environment NASA wants to spend billions more to bring samples that Perseverance will be collecting back to Earth. You would think that there would be some strategic thought given as to how to excite and engage - and then retain and build upon - the public's attention for complex, expensive science missions like this so as to generate support for these future missions. But no.

NASA has a chance to be a bright shining light in this time of darkness. Its big rocket choked last week during its big engine test. Let's hope that NASA steps up to the plate and sticks the Mars Perseverance landing both on Mars - and within the hearts and minds of people back on Earth.

NASA OIG: Fiscal Year 2020 Federal Information Security Modernization Act Evaluation - An Agency Common System

"... We found that NASA had not assessed the Agency common control entitled SI-04, Information System Monitoring, since April 2015. Moreover, the control was classified in 2015 as "other than satisfied," but system security officials still had not taken appropriate action to address the control deficiency by developing either a POA&M or Risk-Based Decision document. Based on discussions with system security officials, both the overdue control assessment and the failure to develop either a POA&M or Risk-Based Decision document were the result of an oversight. However, we believe the oversight was caused, in part, by the Agency Office of the Chief Information Officer (OCIO) not prioritizing and allocating the personnel resources needed to address control weaknesses in the ACS system. Since the system has the ability to affect all NASA systems that inherit controls from it, we are concerned that NASA's failure to address the control deficiency could negatively affect the appropriate monitoring of all NASA systems."

"... Continued delays in accomplishing the work necessary to authorize the hybrid common controls system occurred because the OCIO did not prioritize the work and allocate the necessary personnel resources to meet their intended timetable. Based on discussions with the ACS security control manager, the OCIO assigned only two people on a part-time basis to address several known issues involving the ACS system and to develop the new hybrid common controls system. Consequently, the development and authorization of the new hybrid common controls system fell behind schedule."

"... We found that NASA did not develop or include cost estimates for remediation of any of the nine POA&Ms we tested. According to a representative from the OCIO, this occurred because, as a general practice, cost estimates are not included for POA&Ms. We take exception with this, as it is contrary to NASA guidance and inconsistent with best practices for administration and management of remediation efforts for known security weaknesses and vulnerabilities associated with information security controls."

- Two Decade NASA CIO Struggle To Implement Effective IT Governance, earlier post
- The NASA Office of the Chief Information Officer Is Still Broken, earlier post
- Earlier posts

Solar Winds, Probably Hacked by Russia, Serves White House, Pentagon, NASA, Newsweek

"Two unnamed sources told the outlet that the hackers entered U.S. systems through updates released by SolarWinds, a software company based in Austin, Texas that also provides services to the White House, Pentagon and NASA, according to their website. Additionally, the company provides services to the country's leading telecommunications providers, as well as "more than 425 of the U.S. Fortune 500.""

CISA Issues Emergency Directive To Mitigate The Compromise Of SolarWinds Orion Network Management Products, CISA

"The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."

Keith's note: NASA has not said anything publicly about this. And if you ask them they won't say anything publicly about this. FWIW a cursory scan of recent reports on NASA IT efforts shows them to be lacking - in the extreme. So it stands to reason that they are concerned about this.

- Two Decade NASA CIO Struggle To Implement Effective IT Governance, earlier post
- Previous posts on NASA IT security

Keith's note: Do a Google search for "NASA search engine". The first search result that comes up is NASA Multimedia Search last updated on 26 February 2006. The second result that comes up is Tools for searching last updated on 21 July 2005. Look on the left hand side of either page. Click on simple search, category search, or Advanced search and you get "404 The cosmic object you are looking for has disappeared beyond the event horizon." Indeed the subsequent 5 or so Google search results point back to the same pages with broken links. But wait - use the search box in the upper right hand corner of either page and enter a term - any term. Guess what you get? "404 The cosmic object you are looking for has disappeared beyond the event horizon."

Summary: if you do a Google search for NASA Search engines you get a bunch of NASA pages with links to NASA search engine pages that are actually a collection of broken links and a search box that does not search. These pages have been sitting atop Google search results without anyone at NASA noticing - and the pages were last updated 15 years ago.

Oh yes: go and Google "NASA CIO" and look at the top search result. According to Google Renee Wynn is still the NASA CIO. This is because of a web page hosted by NASA. They could easily fix this - as I pointed out months ago. But the NASA CIO seems to be utterly uninterested in the accuracy of NASA's websites. But he is interested in making it harder for citizens to contact government employees at NASA.

Keith's 18 Nov update: NASA wants to transmit their stuff to you. But they really don't want you to talk to their people about it.

Once upon a time - actually for more than a decade - you could go to people.nasa.gov to find out how to contact a government employee at NASA. Not any more. Here is what the site looked like on 28 October 2020. You used to be able to type in names and find out their email address and phone number. Now all you get is a statement that says "This site and its contents are no longer available. Visitors are encouraged to learn more about space and NASA's mission by visiting the NASA homepage. NASA employees visiting this site should refer to internal directory services for employee information."

I just got another response from NASA PAO to my five follow-up questions regarding the shutdown of NASA's online employee directory. In a nutshell they are afraid that letting people see email and phone numbers of government employees puts the agency at risk so that is now stopping. OK, phishing and scams are on the rise so you cannot fault them with being responsive to that. But many - most - other Federal agencies still let citizens, the media, other government employees, researchers, and congressional staff query their agency's websites to find employees. They will no longer be able to find the people who work on various NASA programs.

Instead, everyone outside of the NASA firewall will now have to go to a "Contact Page" at NASA with high level links to everything except a personnel search. Instead of finding the person you need you will have to hope that these generic links will send you somewhere where someone will decide that maybe you can contact someone else. Given the glacial speed at which it took CIO to fix simple errors in their own directory takedown you can imagine how slow it will be for NASA to get back to you when you are looking for someone. If they even respond, that is.

But OK, they have their "Contact" page. Is this Contact page mentioned at NASA.gov? Answer: It is a small little link at the lower right at the bottom of the home page where most people will never think to see it. How do you contact NASA if the Contact page itself is more or less hidden from view? Shouldn't it be a prominent link in all of the top menus? Seriously, doesn't NASA want to interact with actual human people while it blasts all the space stuff put on the Internet? NASA complains about not being able to do enough outreach and why people often do not understand what NASA does. So what does NASA do? It continues to shrink the ability for the public - the people who pay for the whole party - to interact with NASA. NASA's big cosmic radio is set on "TRANSMIT". It is never set on "RECEIVE".

We should all be concerned. This is another example of dumbing down NASA's public functionality and reducing overall transparency. Hopefully this will change after 20 January 2021.

NASA PAO Response:

1. Why am I still able to access that database via a rather elementary work around a day after I posted mention that the database is still accessible?

NASA Answer: The Lightweight Directory Access Protocol (LDAP) database is a service that enables secure email to be exchanged with our partners and other federal agencies. Reconfiguration is being implemented in phases in order to ensure sufficient testing is performed to not disrupt current operational services. You noticed that the main search page for the public directory was disabled. Additional changes are planned that will address other ways of obtaining this information.

2. Why are other Federal agencies not adopting your "industry standard" i.e. why are their employee directories still openly accessible by the public?

NASA Answer: With respect to other federal agencies, it is certainly up to them to determine what risks they face and how they will address those risks.

3. When was the determination made that long-standing publicly available information now presents a risk to NASA?

NASA Answer: When people.nasa.gov was established over 20 years ago, the risks of sharing internal official communication email addresses and phone numbers was significantly lower than it is today. Since then, internet-facing organizations have had to adapt to a vastly different threat environment by changing how they present and protect their services. Examples of these types of infrastructure service changes include transitioning to Secure HTTP servers, replacing passwords with multifactor authentication, and closing down insecure internet-facing services like NFS and telnet.

The NASA CIO team is working to strengthen cybersecurity across the agency, and this is part of that process. Spear phishing attacks, which are targeted email-based social engineering threats to an organization, are a very common form of attack. NASA is simply trying to prevent attackers from easily obtaining the information needed to facilitate these phishing attacks. You noticed that the main search page for the public directory was disabled. Additional changes are planned that will address other ways of obtaining this information. With respect to other organizations, it is certainly up to them to determine what risks they face and how they will address those risks.

4. Can you provide me with the specific "industry best practices" that NASA is using as a basis for this action?

NASA Answer: NASA is simply trying to prevent attackers from easily obtaining the information needed to facilitate these phishing attacks. (Keith's note: in other words they actually do not have any standards even though they claim to be following them. I hope someone sends in a FOIA on this)

5. Are members of the media and general public at legal risk if they post information that can be readily accessed from this database or post the way in which this database can still be accessed by the public?

NASA Answer: The public may certainly access information that NASA makes publicly available. While the main search page for the public directory was disabled, additional changes are planned that will address other ways of obtaining this information. The public can find information about contacting NASA at: https://www.nasa.gov/about/contact/index.html

Earlier post

Hearing link, Hearing on Cybersecurity Infrastructure and Information Technology Management, Policies, and Practices at NASA

Prepared statements

- Rep. Kendra Horn
- Rep. Eddie Bernice Johnson
- Rep. Brian Babin
- Jeff Seaton, Chief Information Officer (Acting) National Aeronautics and Space Administration
- Diana L. Burley, Vice Provost for Research, American University

- Paul K. Martin, Inspector General, National Aeronautics and Space Administration

"Our concerns with NASA's IT governance and security are long-standing and reoccurring. For more than two decades, NASA's OCIO has struggled to implement an effective IT governance structure that aligns authority and responsibility commensurate with the Agency's overall mission. Specifically, we have found that the Agency Chief Information Officer (CIO) and IT security officials have limited oversight and influence over IT purchases and security decisions within Mission Directorates and at NASA Centers. The decentralized nature of NASA's operations coupled with its long-standing culture of autonomy hinder the OCIO's ability to implement effective enterprise-wide IT governance. For example, in an August 2020 audit we found OCIO's visibility into the process Centers use to authorize and approve IT systems and devices to access Agency networks remains limited. Although the NASA CIO is responsible for developing an Agency-wide information security program, OCIO relies on Center-based CIOs and IT security staff to implement and enforce the Agency's information security policies. This practice has allowed Centers to tailor processes to meet their own priorities, which has in turn led to inconsistent implementation of NASA's enterprise-wide IT security management. Such a decentralized approach to cybersecurity management limits OCIO's ability to effectively oversee NASA's information security activities and make informed decisions related to project timelines, costs, and efficiencies as well as realistically assess the overall security of NASA's numerous IT systems."

- Earlier posts on NASA IT

Keith's note: When most people hear the phrase "space science" it is logical to expect that they think of "science" in "space". Maybe it's astronomy or planets. Maybe it's studying how humans live in space. Perhaps it's analyzing samples from another world or looking for life in the universe. It might even include looking down at Earth from space. But "space science" simply refers to "science" - and not any one discipline or sub-discipline.

But at NASA "space science" has been used for decades to refer to missions that do astronomy, astrophysics, heliophysics and to some extent planetary and Earth science. ISS would never be mentioned unless it is for some astronomy or astrophysics payload on board. And there'd be no mention of any "science" done in "space" by NASA's Human Exploration, Technology or Aeronautics Directorates - even if the science was done in space. Since NASA people use a subset of the English language that reflects the NASA phone book and budget plans - and power point lingo - and not how the rest of the world sees things - its websites tend to reflect these distinctions peculiar to NASA. Advisory bodies, OMB, and Congress fall into the same trap. "Space Science" at NASA is not what the phrase probably means to English speakers who hear the two words used together.

Google's top link from a search for "space science" is to a Wikipedia page "outline of space" which defines it this way: "Space science encompasses all of the scientific disciplines that involve space exploration and study natural phenomena and physical bodies occurring in outer space, such as space medicine and astrobiology." Sounds like they mean all science done in - and about - space. Makes sense. Sometimes the top link from Google goes to "Space Science" at the National Air & Space Museum which says "Space science--science performed from vehicles that travel into Earth's upper atmosphere or beyond--covers a broad range of disciplines, from meteorology and geology, to lunar, solar, and planetary science, to astronomy and astrophysics, to the life sciences."

But use the phrase "space science" to a NASA person and the definition is much smaller and limited. The first NASA link to come up from a Google search for "space science" is "Space Science & Astrobiology @ Ames" which offers this de-facto definition of their piece of space science as:

"The Division will pursue primary leadership roles in NASA missions and mission support activities, based on our current capabilities in the following key strategic focus areas: Life Detection Research and Technology, Mission-Driven Analog Research and Mission Concept Operations, Radiative Transfer Modelling, Laboratory Astrophysics Research, (Exo)planetary Formation, Evolution, Characterization, and Technology Studies"

That is somewhat smaller than the top search result. But it is the first time something from NASA shows up. Not everyone is going to understand the whole field center organizational aspect of NASA. They will simply see "NASA". The next search result you get is "Space Science" - a PDF reflecting the FY 2003 budget plan that says:

"NASA's Space Science Enterprise will continue to address these four profound questions: How did the universe begin and evolve? We seek to explain the earliest moments of the universe, how stars and galaxies formed, and how matter and energy are entwined on the grandest scales. How did we get here? We investigate how the chemical elements necessary for life have been built up and dispersed throughout the cosmos, evidence about how the Sun affects Earth, similarities between Earth and other planets, and how comets and asteroids in our solar system affect Earth. Where are we going? Our ultimate place in the cosmos is wrapped up in the fate of the universe. Humanity has taken its first steps off our home world, and we will contribute to making it safe to travel throughout the solar system. Are we alone? Beyond astrophysics and cosmology, there lies the central human question: Are we on Earth because of an improbable accident of nature? Or is life, perhaps even intelligent life, scattered throughout the cosmos? Now, in support of the President's new vision of space exploration, orbiting observatories and planetary probes will be joined by human explorers in seeking answers to these questions. Robotic scouts will blaze the trail, reconnoitering the planets, moons, asteroids, and comets of the solar system in advance of human expeditions, as observatories monitor the sun and its effects on its planetary retinue. The Space Science Enterprise will work with the new Exploration Systems Enterprise to develop and deploy new technologies, first on automated spacecraft and then on human missions."

That is much more expansive and seems to include pretty much everything that the Wikipedia definition describes. But there is no mention of Artemis. Oh wait: that is because it is from the FY 2003 "Vision for Space Exploration" era under President George W. Bush. This is 2020. A 17 year old page like this showing up in a Google search result is easily found and easily remedied. But NASA does not seem to care. Nowhere in the top pages of search results for "space science" is there a link to a NASA page other than the one to the division at Ames. NASA is the pre-eminent space agency when it comes to space science so this is a little odd when a search for "space science" results in one page from a field center and another from 2003.

So let's make the Google search a little more specific for "NASA Space Science". The first search result we get - which is highlighted by Google - is the one mentioned above describing a division at NASA Ames. The second result is Science at NASA - science.nasa.gov - the main NASA Science Mission Directorate page at science.nasa.gov. If you click "about us" you get some pictures but no definition of what Space Science is. The link on that page to "NASA's Science Vision" gets you to this:

"NASA's science program seeks answers to profound questions that touch us all: How and why are Earth's climate and the environment changing? How and why does the Sun vary and affect Earth and the rest of the solar system? How do planets and life originate? How does the universe work, and what are its origin and destiny? Are we alone?"

No mention is made of studying humans in space or other science done on ISS. But if you go down several links you get "Space Station Research & Technology" which talks about the science done in space on the ISS with lots of useful links to other resources. Alas, there is no link to this page from science.nasa.gov nor does this page link to science.nasa.gov - so anyone landing at science.nasa.gov will not know that there is a resource for ISS research unless they dig around for a while. Conversely people arriving at this ISS science page might not get a full appreciation of the vast scope of NASA's various science programs.

If you take the route of skipping Google and just going directly to NASA.gov you see these categories at the top of the page: "Humans in Space, Moon to Mars, Earth, Space Tech, Flight, Solar System and Beyond, STEM Engagement, History, Benefits to You"

The "Earth" and "Solar System and Beyond" pages point to content outside of the official NASA Space Science page at science.nasa.gov and do not point to science.nasa.gov. Conversely science.nasa.gov does not point to the "Earth" and "Solar System and Beyond" pages. So you have two independent and inconsistent lines of communication. But wait there's more: The "Humans in Space" page linked to from nasa.gov does not point to the "Space Station Research & Technology" page. So you have a similar redundant path in NASA's overall web strategy that is duplicative and unnecessary.

Google cannot improve on bad website design. Its algorithms simply bring forth results on how things are arranged on websites and how people find and link to these resources. NASA could easily delete old information like the 2003 space science page (or replace it with current information); cross link pages that merit cross linking and delete duplicative pages. If need be referral or redirect pages at old links can send people to the right location. A good web design will also allow Google's search spiders to find pages more easily and, if done properly, find them along the lines of topic organization that make sense when someone uses Google to find something. People using a revised NASA website design which is built with an eye on how search engines find things would also find things more easily.

NASA was tasked by its Administrator more than a year ago to fix this sort of mess. They have not. One of the problems, IMHO, is that NASA is only used to being in transmission mode. They do not listen very much. They are used to being providers of information about NASA but they seem to lack any real input from actual users of information about NASA. If they did then their websites would look a lot different. I was once told by a former NASA AA that NASA is popular in spite of itself and its bad outreach coordination simply because its stuff is so compelling and cool. They are quite correct. And NASA is not only stuck in transmission mode, everyone uses a different frequency on incompatible systems to transmit.

NASA people are forever talking about how NASA benefits everyone else and how frustrated they are that more people do not see this. But these same NASA people are hampered by a system of stovepipes and competing fiefdoms at every organizational level at NASA that make a coherent and consistent story impossible to tell. It has been like this for decades. That said, NASA's cool stuff reaches around the world in spite of the internal roadblocks. Imagine what the agency could do if it finally fixed its outreach mechanisms online so as to facilitate - not hinder - this spread of massive NASA coolness?

Form follows function, NASA.

Keith's note: Today the White House is releasing Space Policy Directive 5 (SPD-5) "Cybersecurity Principles for Space Systems" according to a media briefing with senior administration officials. This is the first policy for space systems to apply key cybersecurity principles to protect space systems for government and commercial operators. SPD-5 promotes SPD-3 "Space Traffic Management" including space debris issues and other government defense and security directives. SPD-5 notes that cybersecurity practices that apply to terrestrial systems also apply to space systems. It promotes a culture of prevention, risk management, and best practices. SPD-5 further defines best practices, establishes norms, and will apply across our industrial base, and calls for space systems software to be developed using risk-based cybersecurity engineering. SPD-5 says that space system developers should protect against unauthorized access, jamming, spoofing, infiltration of ground systems, and supply chain risks, and should maintain cybersecurity hygiene. SPD-5 says that developers should leverage widely adopted best practices and norms of behavior, and that operators should make risk trades appropriate to their systems' cybersecurity.

President Trump Signs Space Policy Directive Establishing America's First Comprehensive Cybersecurity Policy For Space Systems

"Today, President Donald J. Trump issued Space Policy Directive-5 (SPD-5), the Nation's first comprehensive cybersecurity policy for space systems. SPD-5 establishes key cybersecurity principles to guide and serve as the foundation for America's approach to the cyber protection of space systems."

OIG: NASA's Policy and Practices Regarding the Use of Non-Agency Information Technology Devices

"NASA is not adequately securing its networks from unauthorized access by IT devices. Although OCIO has deployed technologies to monitor unauthorized IT device connections, it has not fully implemented controls to remove or block these devices from accessing NASA's networks and systems. The initial December 2019 target date for NASA to complete installation of these controls has been delayed due to technological challenges and changes in OCIO mission priorities and requirements. Until the enforcement controls are fully implemented, NASA remains vulnerable to cybersecurity attacks."

Keith's note: And how many decades has NASA CIO had to deal with - and fix - this problem? And when they can't do their job it's always due to someone or something else.

Companies Start to Think Remote Work Isn't So Great After All, Wall Street Journal

"Four months ago, employees at many U.S. companies went home and did something incredible: They got their work done, seemingly without missing a beat. Executives were amazed at how well their workers performed remotely, even while juggling child care and the distractions of home. Twitter Inc. and Facebook Inc., among others, quickly said they would embrace remote work long term. Some companies even vowed to give up their physical office spaces entirely. Now, as the work-from-home experiment stretches on, some cracks are starting to emerge. Projects take longer. Training is tougher. Hiring and integrating new employees, more complicated. Some employers say their workers appear less connected and bosses fear that younger professionals aren't developing at the same rate as they would in offices, sitting next to colleagues and absorbing how they do their jobs."

Keith's note: I have teleworked from home for more than 24 years. I have teleworked for a month at a time from Everest Base Camp at 17,600 feet and Devon Island 800 miles from the north pole. If I have comms and my fingers are not frozen, then I can work. Astronauts telework from the ISS. It's not impossible - but management and personnel have to adjust - and workflow needs to be capable of being performed remotely.

The one positive thing I expect (hope) to see NASA embrace as it endures and then emerges from this pandemic is the ability to conduct meaningful work regardless of one's physical location. Not everything is amenable to teleworking - but a lot of it is - much more than previously anticipated. Part of making teleworking happen is to redouble one's focus on collaboration. But there is an equal need to function independently and self-motivate. Some people will adapt and thrive. Others will not. Either way, we'll never become a spacefaring species if we can't expand our collective workspace beyond our cubicles.

NASA OIG: Evaluation of NASA's Information Security Program under the Federal Information Security Modernization Act for Fiscal Year 2019

"NASA has not implemented an effective Agency-wide information security program. SSP documentation for all six information systems we reviewed contained numerous instances of incomplete, inaccurate, or missing information. We also performed a limited review of the Agency Common Control (ACC) system, which aggregates and manages common controls across all Agency information systems, and found that many controls were classified as "other than satisfied," indicating they had been assessed as less than effective. Moreover, the NASA Office of the Chief Information Officer (OCIO) has not addressed these deficiencies in the ACC SSP. ...

Of the six information systems reviewed, we found that four were operating without current contingency plans. While three of the four systems eventually updated their contingency plans in RISCS during the course of our evaluation, these systems had been operating under outdated plans for as long as 4 years. The fourth system is currently operating under a 2016 contingency plan. ...

Moreover, the number of systems without a current or available contingency plan in RISCS puts NASA at an unnecessarily high risk by hindering the Agency's ability to recover information systems if needed in an effective and efficient manner, thus threatening the confidentiality, integrity, and availability of NASA information maintained in those systems. ...

During our review of selected OCIO IT security handbooks and other related governance documents, we found that 27 of 45 documents had not been reviewed and approved in more than 1 year and 8 that had not been reviewed in over 3 years. OCIO policy states that IT security handbooks shall be reviewed or updated on an annual basis or more frequently if appropriate. However, the OCIO policy management process does not provide adequate oversight of this process or a reliable list of policies requiring review."

Keith's note: Over the past several days media giants such as CNBC and National Geographic have been filing copyright takedown requests on YouTube - which have been granted - against people using their own material that they generated from the launch of DEMO-2 as well as NASA public domain material. National Geographic took this a step further by having NASA's own video taken down, asserting that National Geographic had the copyright on NASA's own footage. This has been going on for days. It is baffling that NASA PAO ever allowed this to happen - much less to continue as long as it has. At a time when global chaos has people focused on other things NASA needs every single amplifier of the value of space exploration that they can get.

NASA Advisory Council Meeting

"Virtual meeting via dial-in teleconference and WebEx only. ... Note: Please be advised that the NASA large event WebEx account is being used to support this meeting; this WebEx account is incompatible with the newest Mac operating system introduced in October 2019--MacOS Catalina."

Keith's note: Anyone who has attempted to connect to NASA FACA meetings such as the NASA Advisory Council by Webex over the past several weeks has discovered that NASA's Webex thing is usually screwed up - especially on Mac OS computers. So what does NASA do about that? They just go ahead and continue to use Webex even though there are many alternatives with a simple 'that's too bad - sorry' note in the Federal Register. If everyone was sitting inside a secure NASA facility using Webex that would be one thing. But virtually all participants are going to be sitting at home.

Why is it that millions of regular people who have never teleconferenced at home are attending virtual weddings and graduations - and in my case doing TV interviews - but NASA can't figure out how to do a simple telecon? One solution would be to broadcast the event on NASA TV. NASA has done split screen stuff before. But even that is apparently too hard for them to pull off. The National Space Council event hosted at NASA HQ earlier this week was an embarrassment - even though Jim Bridenstine was onsite at JSC and the DEMO-2 crew were onsite at KSC you could not understand what they said. Even VP Pence noticed, saying that he "missed every fifth word".

This virtual reality is not going away any time soon, NASA. It is past time for you to bite the bullet and adapt to it.

Jeff Seaton Named Acting NASA Chief Information Officer

"NASA Administrator Jim Bridenstine has named Jeff Seaton as the agency's acting Chief Information Officer, following the retirement of Renée Wynn on April 30. Previous to this appointment, Seaton served as the Deputy Chief Information Officer where he supported the leadership and integration of NASA corporate and mission critical IT functions and capabilities, as well as oversaw NASA's annual IT spending of more than $2 billion. He collaboratively provided oversight for agencywide, mission-enabling functions related to IT investments, IT modernization efforts, cybersecurity, and the delivery of enterprisewide IT and information solutions."

Keith's note: Well Jeff, you were the Deputy CIO so you should know how royally screwed up and borderline useless your organization is. Best of luck.

- Earlier posts on the NASA CIO

NASA Bans Use Of Zoom

NASA Internal Memo: NASA's Authorized Internal and External Collaboration Tools, NASA CIO

"The NASA CIO has worked for the past several years to establish a consistent and modern set of tools to support both internal and external collaboration. While there is still work to do to support some of the more complex use-cases, such as sharing sensitive data with foreign partners, many others are met through Agency approved collaboration tools. A site has been established, with current approved collaboration resources."

"Zoom is not licensed nor authorized for use by NASA employees and contractors, and is not allowed on NASA IT devices. This includes all Government Furnished Equipment (GFE) or contractor-provided equipment, or any device that connects to the NASA network or VPN. This includes desktops, laptops and mobile devices (smartphones and tablets)."

- Beware Of Using Zoom, earlier post
- Cyber Threats At NASA Significantly Increasing, earlier post

Foreign Spies Are Targeting Americans on Zoom and Other Video Chat Platforms, U.S. Intel Officials Say, Time

"The U.S. intelligence officials stress there is no evidence that Zoom is cooperating with China or has been compromised by it, only that Zoom's security measures leave gaps, some of which may make the application less secure than others. All three intelligence officials, who requested anonymity because they are not authorized to discuss ongoing operations with the media, said spies are using multiple applications to search government, corporate, and academic conversations for financial, personal, product development, research, and intellectual property information and leads. Federal experts have warned both government and private officials not to use video conference applications to discuss or exchange sensitive information. In a memo on Thursday, the Senate Sergeant-at-Arms told Senators not to use Zoom, according to one person who received the memo."

NASA CIO Agencywide Memo: Alert: Cyber Threats Significantly Increasing During Coronavirus Pandemic, NASA CIO

"A new wave of cyber-attacks is targeting Federal Agency Personnel, required to telework from home, during the Novel Coronavirus (COVID-19) outbreak. During the past few weeks, NASA's Security Operations Center (SOC) mitigation tools have prevented success of these attempts. Here are some examples of what's been observed in the past few days:

- Doubling of email phishing attempts
- Exponential increase in malware attacks on NASA systems
- Double the number of mitigation-blocking of NASA systems trying to access malicious sites (often unknowingly) due to users accessing the Internet

Experts believe these malicious cyber-attacks will continue and likely increase during the pandemic. NASA's SOC continues to monitor and protect Agency systems, data, and intellectual property 24x7.

Please continue your vigilance, as you use NASA systems, and extend this to your home-computer usage as well."

Beware Of Using Zoom

Thousands of Zoom video calls left exposed on open Web, MSN

"Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing. Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people's names and phone numbers; small-business meetings that included private company financial statements; and elementary-school classes, in which children's faces, voices and personal details were exposed. Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people's homes."

Zoom: We're freezing all new features to sort out security and privacy, ZDNet

"US space agency NASA has also banned employees from using Zoom. Yesterday, researchers detailed two new security bugs found in the Zoom app. The Zoom Windows client was leaking network credentials due to the app rendering UNC file paths as a clickable link in group chat windows."

NASA CIO Renee Wynn Set to Retire

"NASA Chief Information Officer Renee Wynn is retiring on April 30, 2020, after 30 years in Federal service. She is one of the longest-serving departmental CIOs at NASA and in the Federal Government. Before coming to NASA, Wynn spent 25 years at the Environmental Protection Agency (EPA), where she served in several executive roles, including as acting CIO and deputy CIO. During her NASA tenure, Wynn said she had her work cut out for her. She was instrumental in improving the Agency's external reputation regarding cybersecurity and how information technology was managed at NASA."

Keith's note: To be brutally honest the NASA CIO organization has been totally ineffective for more than a decade. Hopefully Jim Bridenstine will hire someone who can fix the organization.

NASA Needs A New Chief Information Officer (2019), earlier post

"(sigh) more IT babble from the NASA CIO. As far as NASA's blatantly obvious byzantine website mess the CIO could have addressed at any time - but they did not. Have a look at these stories about NASA's creaky, mismanaged, and needlessly redundant cyber infrastructure - from just the past year or so. NASA's CIO has been asleep at the wheel for years. It's time for a reboot."

NASA's CIO Is Officially Angry About Her Commuter Bus Website (Update)

"As it happens this commuter bus tweet was not even made by Renee Wynn but rather by someone else who has access to the @NASACIO Twitter account (even though the face on the Twitter page is Renee Wynn's). This error went unnoticed for more than 5 hours until NASAWatch pointed it out. And it took another 5 hours before an indirect message was sent to me explaining what had happened. ... You can hardly blame people at NASA for ignoring the CIO organization when they do things like this."

https://s3.amazonaws.com/images.spaceref.com/news/2019/CIO.Tweet.jpg

NASA Internal Memo: Website Modernization and Enhanced Security Protocols 15 May 2019 (PDF)

"Currently there are an estimated 3,000 public-facing NASA Web sites, yet the top 10 sites receive 80 percent of all Web traffic. Additionally, some NASA partners operate Web sites on our behalf outside of the Agency, creating redundancy and accumulating unnecessary costs. Not only does this duplication of information cause confusion, each Web site provides potential access for a cyber-attack on NASA's assets. The shutdown earlier this year gave us a clear view of the cyber vulnerabilities inherent in operating thousands of Web sites. We need to take steps to protect our resources in a hostile cyber landscape, examine our digital footprint, reduce costs, and maximize the effectiveness of communications efforts. In addition to security risk, multiple sites dilute our effectiveness in communicating key messages about our missions."

Keith's update: OK. It has been 9 months. Has anyone actually done anything called for in this memo from the Administrator? The CIO shows no evidence of having done so (no surprise). Same goes for PAO. It is not even clear who is responsible for this - I have heard that the task was tossed into the Chief Scientist's lap - that makes no sense. SMD issued a memo about this yet little seems to have been done. Indeed, NASA issued a press release today "'Pale Blue Dot' Revisited" which says "For more information about the Voyager spacecraft, visit: https://www.nasa.gov/voyager https://voyager.jpl.nasa.gov" Why does NASA need to pay people to maintain TWO websites for Voyager? Why do they have multiple websites for virtually all of their missions?

- NASA Just Can't Stop Doing Web Stuff Twice UPDATE: Three Times, earlier post
- NASA's Confusing ICESAT-2 Websites, earlier post
- Progress Made In Making NASA's Internet Presence Leaner, earlier post
- Dueling NASA Websites Update, earlier post

Keith's note: There are lots of NASA technology events and news on the @NASAiTech account which are retweeted and commented upon by @Kirablackwell - Kira Blackwell - who is the NASA Space Technology Mission Directorate Program Executive for @NASAiTech. Yet when you go to the NASA Space Technology Mission Directorate main page none of these @NASAiTech events are listed nor are they mentioned on the NASA.gov calendar. There is also no mention of the @NASAiTech Twitter account either. But STMD does have a feed on its home page from the @NASA_Technology account. Alas @NASA_Technology makes no mention of anything from @NASAiTech or @Kirablackwell - and @NASAiTech or @Kirablackwell make no mention of anything that @NASA_Technology tweets.

There is no mention of any NASA IT Technology on the STMD programs page. But @NASAiTech points to this page which, in turn, points to this NASA iTech page at nasaitech.org. At nasaitech.org there is no NASA logo on this page when you arrive or as you scroll down and down and down - except at the very bottom where it has a "NASA Partner" logo. Huh? Isn't nasaitech.org part of NASA? No, it is done via the National Institute of Aerospace - and you only discover that if you scroll all the way to the bottom. Otherwise the webpage lets you think this is a NASA page even if they have their own logo. And of course this NASA iTech page only mentions NASA STMD in a small link - again at the utmost bottom of the page.

FWIW accepted practice on government webpages is to tell people when they are leaving a government webpage for an external website. In this case not doing so compounds the confusion as to what is - and is not - NASA. It is somewhat ironic that a page touting NASA's IT expertise involves so many stove pipes, rabbit holes, and outright deceptive web content design.

Keith's update: If you go to the NASAiTech website it says that "NASA iTech searches for and identifies advancements in technologies, NOT already funded by NASA, that are solving problems on Earth and have the potential to address existing challenges to enable NASA missions." and "NASA iTech provides a platform for NASA's Center Chief Technologists to vet the start-up companies' technologies for their space application, and volunteer investors and external Subject Matter Experts to vet the technologies for their commercial market viability. The first 50 finalist companies that have participated in the NASA iTech Forums have been able to raise 410+ million in private investment dollars in 2.5 years."

That certainly sounds impressive. Everyone wants NASA technology to find wider value among the public and private sectors. And the $410 million raised in private investments in 2.5 years sounds impressive too. But where do these numbers come from? How do these companies or NASAiTech staff show that NASAiTech was responsible for investors writing checks to these companies - and if so what private research these investments were made in and their connection to NASA technology?

I am told that the National Institute of Aerospace runs this for NASA. But this project overtly represents itself as being a NASA activity on one hand but then ignores all of NASA's Technology plans on the other hand. Which is it?

Keith's note: If you look at this graphic it would seem to be something that you'd post on an internal website - not on an external, public social media account. Or are they actually suggesting that they are going to try and modulate what citizens tweet to - and about - Space Force? I'm not sure that the Space Force social media folks totally understand that they are not in command of cyber "space".

Whoever runs the Space Force social media squad needs a lesson in social media. They are totally tone deaf. A look at the responses to this tweet demonstrates that. You really can't tell people in an open social media forum what they can and cannot say. That tactic simply breeds the very thing you do not want to see. Just sayin'.

Quantum supremacy using a programmable superconducting processor, Nature

"Our Sycamore processor takes about 200 seconds to sample one instance of a quantum circuit a million times--our benchmarks currently indicate that the equivalent task for a state-of-the-art classical supercomputer would take approximately 10,000 years. This dramatic increase in speed compared to all known classical algorithms is an experimental realization of quantum supremacy for this specific computational task, heralding a much-anticipated computing paradigm."

Quantum Supremacy Using a Programmable Superconducting Processor, NASA

"Here, we report using a processor with programmable superconducting qubits to create quantum states on 53 qubits ... While our processor takes about 200 seconds to sample one instance of the quantum circuit 1 million times, a state-of-the-art supercomputer would require approximately 10,000 years to perform the equivalent task."

Keith's 9:00 am EDT note: A month ago I noted that a paper on this achievement was posted and then removed by NASA from NTRS. It had Eleanor G. Rieffel as an author - as does this Nature paper - the titles are identical. Let's see if NASA bothers to mention their role in all of this - or not. When I asked PAO about this a month ago they did not want to talk about it. I wonder if they even know it has been published. NASA has not emailed anything out nor has it posted this on PRNewswire.

Keith's 10:05 am EDT update: NSF has issued a statement. Still nothing from NASA.

Keith's 1:45 pm EDT update: I just got an email from someone at the NASA Ames Headquarters building - but not from Ames PAO. They informed me that a story had been posted. This is important stuff - but other than this email - I'd have never been alerted to this.

NASA and Google Achieve Quantum Supremacy, NASA Ames

"Achieving quantum supremacy means we've been able to do one thing faster, not everything faster," said Eleanor Rieffel, co-author on the paper on this result, published today in Nature, and the Quantum Artificial Intelligence Laboratory Lead at Ames. "And even though that one thing isn't terribly useful, that it has been done at all is groundbreaking."

Keith's 5:07 pm EDT update: NASA PAO finally sent the press release out at 5:07 pm EDT - half a day after everyone else.

Did NASA Ames Achieve Quantum Supremacy? (Update), earlier post

Keith's 7 October update: Today NASA JPL issued a press release "NASA's Curiosity Rover Finds an Ancient Oasis on Mars" It includes the text: "For more about NASA's Curiosity Mars rover mission, visit: https://mars.nasa.gov/msl/ https://nasa.gov/msl"

JPL has the release posted here with the same text and imagery as is used by NASA HQ's version here. But if you go to https://mars.nasa.gov/msl/ and dig a little bit to "news and events" you find a link to the same story here which uses the exact same text as the other two versions but is formatted differently than the JPL PAO and NASA HQ versions and uses different graphics. So this time NASA and JPL posted the same thing not twice, but three different ways - in three different places.

Oh yes: the main point of this release is more evidence of habitable periods and locations on Mars i.e. : "We went to Gale Crater because it preserves this unique record of a changing Mars," said lead author William Rapin of Caltech. "Understanding when and how the planet's climate started evolving is a piece of another puzzle: When and how long was Mars capable of supporting microbial life at the surface?". And of course NASA makes zero mention of (or link to) its Astrobiology program which is chartered to do the whole search for life in the universe thing.

Keith's 3 October note: NASA issued this press release today: NASA's Push to Save the Mars InSight Lander's Heat Probe. If you go to the end of this press release you will see links to two InSight websites:

"More about InSight:
https://mars.nasa.gov/insight/
https://www.nasa.gov/insight/"

If you go to https://mars.nasa.gov/insight/ you go to the JPL Mars InSight website. If you go to the news link you will see a story "NASA's Push to Save the Mars InSight Lander's Heat Probe"

If you go to https://www.nasa.gov/insight/ it redirects you to https://www.nasa.gov/mission_pages/insight/main/index.html which is a NASA HQ website. If you go to "NASA's Push to Save the Mars InSight Lander's Heat Probe" you get the exact same story and graphics as you get on the JPL page.

The text is exactly the same on both pages - with links to both InSight websites at the end. In essence NASA sends you to one page and when you get to the bottom it sends you back on the same dual path to another page that sends you to the same dual path - and so on in an infinite DO loop. In addition, NASA uses one link to a HQ page that then redirects you to another - so why not use the link to which you are redirected in the release instead?

The real question is: why is NASA constantly doing things like this twice? Someone wrote the original press release, collected the graphics and then formatted it for one website while someone else in another part of NASA took the same text and reformatted it again for another website with the same graphics - but formatted differently. That means NASA is knowingly doing things twice - and paying people to do things twice. Why not just have one website? Why not just have one place where press releases like this are posted? But wait - if you go to the NASA HQ press release page this press release is not even listed. I know NASA is working on fixing this duplication per direction from the Administrator, but this silliness could be fixed now with a simple memo from NASA HQ. Just sayin'

- Overhauling NASA's Tangled Internet Presence, earlier post
- Progress Made In Making NASA's Internet Presence Leaner, earlier post

Raspberry Pi used to steal data from Nasa lab, BBC

"An audit report reveals the gadget was used to take about 500MB of data. It said two of the files that were taken dealt with the international transfer of restricted military and space technology. The attacker who used the device to hack the network went undetected for about 10 months. The malicious hacker won access to the Jet Propulsion Lab internal network via the Raspberry Pi by hijacking its user account. Although the Pi had been attached to the network by the employee, lax controls over logging meant Nasa administrators did not know it was present, said the report. This oversight left the vulnerable device unmonitored on the network, allowing the attacker to take control of it and use it to steal data."

NASA OIG Finds Pervasive Problems With JPL Cybersecurity, earlier post

"Multiple IT security control weaknesses reduce JPL's ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals."

Report: "JPL did not have complete and accurate information about the types, location, and value of NASA system components and assets connected to its network. ... The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network. The device should not have been permitted on the JPL network without the JPL OCIO's review and approval."

NASA Needs A New Chief Information Officer, earlier post

"NASA's CIO has been asleep at the wheel for years. It's time for a reboot."

NASA OIG: Cybersecurity Management and Oversight at the Jet Propulsion Laboratory

"Multiple IT security control weaknesses reduce JPL's ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals. ... We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time - sometimes longer than 180 days. ... Further, we found that multiple JPL incident management and response practices deviate from NASA and recommended industry practices. ... Finally, while the contract between NASA and Caltech requires JPL to report certain types of IT security incidents to the Agency through the NASA SOC incident management system, no controls were in place to ensure JPL compliance with this requirement nor did NASA officials have access to JPL's incident management system. Collectively, these weaknesses leave NASA data and systems at risk. Despite these significant concerns, the contract NASA signed with Caltech in October 2018 to manage JPL for at least the next 5 years left important IT security requirements unresolved and instead both sides agreed to continue negotiating these issues. As of March 2019, the Agency had not approved JPL's plans to implement new IT security policies and requirements NASA included in its October 2018 contract."

NASA Needs A New Chief Information Officer, earlier post

"NASA's CIO has been asleep at the wheel for years. It's time for a reboot."

Renee Wynn, CIO, NASA, GovernmentCIO

"Renee Wynn has an astronomical responsibility in managing a mix of new and legacy systems to manage NASA's vast amount of data across its programs that include missions back to the Moon and to Mars."

Overhauling NASA's Tangled Internet Presence, earlier post

"One thing NASA needs to do as part of this effort to fix its public and internal cyber infrastructure is to totally overhaul the Chief Information Officer's organization. They dabble in things that are often peripheral to their core charter while getting bad ratings and reviews year after year on the things that they are supposed to be worrying about. NASA has never had a CIO who actually does what the job entails. Just sayin'"

Keith's note: (sigh) more IT babble from the NASA CIO. As far as NASA's blatantly obvious byzantine website mess goes, the CIO could have addressed it at any time - but they did not. Have a look at these stories about NASA's creaky, mismanaged, and needlessly redundant cyber infrastructure - from just the past year or so. NASA's CIO has been asleep at the wheel for years. It's time for a reboot.

- Dueling NASA Websites Update, earlier post
- NASA Continues To Flunk Basic IT and Cybersecurity Rankings, earlier post
- NASA's Administrator Uses Technology Better Than The Space Industry Does, earlier post
- NASA CIO Can't Even Find Their Own Directives Online, earlier post
- NASA MSFC Employee Tries To Make Serkan Golge's Past Disappear, earlier post
- NASA's Chief Information Officer Is Not Doing Their Job (Update), earlier post
- NASA Still Has Big Unresolved Cybersecurity Issues, earlier post

NASA Internal Memo: Website Modernization and Enhanced Security Protocols (PDF)

"Currently there are an estimated 3,000 public-facing NASA Web sites, yet the top 10 sites receive 80 percent of all Web traffic. Additionally, some NASA partners operate Web sites on our behalf outside of the Agency, creating redundancy and accumulating unnecessary costs. Not only does this duplication of information cause confusion, each Web site provides potential access for a cyber-attack on NASA's assets. The shutdown earlier this year gave us a clear view of the cyber vulnerabilities inherent in operating thousands of Web sites. We need to take steps to protect our resources in a hostile cyber landscape, examine our digital footprint, reduce costs, and maximize the effectiveness of communications efforts. In addition to security risk, multiple sites dilute our effectiveness in communicating key messages about our missions."

Keith's note: One thing NASA needs to do as part of this effort to fix its public and internal cyber infrastructure is to totally overhaul the Chief Information Officer's organization. They dabble in things that are often peripheral to their core charter while getting bad ratings and reviews year after year on the things that they are supposed to be worrying about. NASA has never had a CIO who actually does what the job entails. Just sayin'

Some stories about NASA's creaky, mismanaged, and needlessly redundant cyber infrastructure - from just the past year:

- Dueling NASA Websites Update, earlier post
- NASA Continues To Flunk Basic IT and Cybersecurity Rankings, earlier post
- NASA's Administrator Uses Technology Better Than The Space Industry Does, earlier post
- NASA CIO Can't Even Find Their Own Directives Online, earlier post
- NASA MSFC Employee Tries To Make Serkan Golge's Past Disappear, earlier post
- NASA's Chief Information Officer Is Not Doing Their Job (Update), earlier post
- NASA Still Has Big Unresolved Cybersecurity Issues, earlier post

NASA WorldWind Project Suspension FAQ

"WorldWind is an open source virtual globe API. WorldWind allows developers to quickly and easily create interactive visualizations of 3D globe, map and geographical information. Organizations around the world use WorldWind to monitor weather patterns, visualize cities and terrain, track vehicle movement, analyze geospatial data and educate humanity about the Earth. Learn more at worldwind.arc.nasa.gov. ... As of April 5, 2019, the WorldWind project at NASA has been suspended. This means that the management and development team at NASA Ames Research Center is no longer actively supporting WorldWind. ... As of April 5, 2019, the WorldWind geospatial data servers at NASA Ames Research Center have been shut down. WorldWind applications that rely on those servers may not function properly."

https://s3.amazonaws.com/images.spaceref.com/news/2019/boeing.iss.jpg

Keith's note: Boeing is continuing its creepy and deceptive social media campaign - one that lures you with an innocent social media ad on Facebook to a website where they grab a lot of information about you for uses that they will not describe. Boeing uses social media ads that do not mention Boeing. In this case, they ask you to sign a petition to support the ISS. Sounds innocent enough. You click on the link and this is what it is actually sending you to:

https://watchusfly.com/campaigns/space-iss-3-0-petition-acquisition/?utm_source=facebook&utm_medium=link-post&utm_campaign=acquisition_petition_space-iss-3-a&utm_term=space&utm_content=enthusiast

You have now been caught on a Facebook ad. You arrive at the petition page at watchusfly.com which claims that "Watch U.S. Fly is a community of Americans that believes that America should lead the world in technological advancements. We realize that in order to maintain our edge, American aerospace must have the support of policymakers so they can continue to chart the future." In the lower corner in a small, faint font, it says "Copyright © 2019 Boeing"

The disclaimer says "Site intended for use by U.S. residents 14 years of age or older. Boeing may use the information you provide to send you future communications about Boeing and issues that may be of interest to you. For further information, please review Boeing's Privacy Policy." But they do not tell you this when they entice you to visit from Facebook. Too late. If you sign in to their page using Facebook then they really have you. Their cookies are in your browser and all of your Facebook, Internet, and geolocation information is now theirs to use and/or sell as they see fit - unless you take convoluted steps to try (I repeat try) and extricate yourself from their info cache on you. Here's what they tell you that they can do with the information they tricked you into giving them, according to Boeing's Privacy Policy page:

"Boeing Services often contain cookies or similar technologies from third-party providers that help us compile statistics about the effectiveness of our promotional campaigns, perform analytics, enable social networking features, and other operations. These technologies enable the third-party providers to set or read their own cookies or other identifiers on your device, through which they can collect information about your online activities across the Services and other, unaffiliated devices, applications, websites, or services... Boeing also enables cookies and third-party tracking mechanisms to collect your information for use in interest-based advertising. For example, third parties use the fact that you visited our Services to target online ads for Boeing services to you on non-Boeing websites. In addition, our third-party advertising networks use information about your use of our Services to help target non-Boeing advertisements based on your online behavior in general... Data collected from a particular browser, app, or device can be used with a linked computer or device. For example, we or our third-party service providers display ads to you on your laptop based on the fact that you visited Boeing Services on your smartphone."

Remember, if you visit, it's too late unless you have disabled cookies, use a VPN, etc. Most people do not. But if you sign the petition, they got you. Boeing never tells you who they will share and/or sell your data to. Nor do they tell you what these third parties will do with the tracking that they can now do based on your visit to the watchusfly.com site. Political campaigns can buy this information, and Boeing can now make pro-Boeing, anti-someone else ads appear on your browser - as you probably know by now. We've taken notice of this creepy behavior before (see links below). Boeing is doing a lot of lobbying and targeted media buys these days.

This is how big aerospace is using the same shady tactics that skewed the 2016 election for their own, undisclosed purposes. Congratulations, if you visited this stealth Boeing site you have now become part of this ongoing sneaky Boeing effort.

- Boeing's Misleading Anti-SpaceX Pro-SLS Facebook Ad Campaign, previous post
- Join Boeing's SLS Fan Club So They Can Track Your Activity, previous post
- Boeing's Creepy Petition Wants To Track Your Online Activity, previous post

Keith's note: From someone@nasa.gov: "Me and my colleagues are out of work during this shutdown with no prospect for ever getting back our lost wages. The federal government has a hard time recruiting people in my field because of a large salary difference with private sector companies. We choose a career with federal agencies because we believe in the mission of protecting the United States. NASA is going to lose a lot of talent in cyber security as workers like myself seek more stable employment elsewhere."

Keith's note: The last two times there was a data breach I was directly affected since I am a former NASA civil servant even though I left the agency 25 years ago. I also underwent an FBI security scan to get a press badge at NASA HQ 15 years ago. I sent an email to NASA HQ PAO, Human Resources, and CIO yesterday asking how media and former employees are affected by the latest security breach. This is the response I got.

It is pointless to send me to the website since I am no longer a NASA civil servant and I do not have a "Smart Card" to log in. So I called the phone number. They never bothered to ask me for my case number (so why was I given one?). A recording of the call is below. Clearly NASA is not prepared for handling responses to former NASA employees about this topic. Note: I am in Virginia which is a "one party" state when it comes to recording phone calls (which I never do if you call me BTW). This is a customer service call that I think is worth sharing.

"Dear Keith, Thank you for your inquiry to the Enterprise Service Desk (ESD) regarding the potential PII compromise. At this time we are being advised to direct all media inquiries to NASA Headquarters, Ms. Karen Northon at [deleted]. We are dedicated to providing you with a high-quality and timely resolution. You can review the status of your inquiry at https://esd.nasa.gov. If you have any questions or need further assistance, please contact us at 1-877-677-2123, option 2 or submit a ticket at https://esd.nasa.gov. For quicker service, reference your case number [deleted] when calling or include it in the subject line of your e-mail. Thank you,

Service Provider, NASA Enterprise Service Desk (ESD)
NASA Shared Services Center
Self-Service/Web: http://esd.nasa.gov/esd
Phone: (877) 677-2123
Fax (support documentation only): (888) 525-6497"

http://images.spaceref.com/news/2018/nasa.flunk.jpg

Potential Personally Identifiable Information (PII) Compromise of NASA Servers

"On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised."

Keith's note: According to NASA HQ PAO the latest security breach at NASA does not affect people outside of NASA who may have interacted with NASA security. But people who work or used to work at NASA are at risk. So y'all can expect another "Dear NASA Employee" letter from the agency offering free credit monitoring services.

NASA's performance in complying with Federal regulations governing IT and cybersecurity has been pitiful - especially during the tenure of NASA CIO Renee Wynn. Now there has been another security breach that affects all present and prior NASA employees - even those of us who left the agency decades ago. In the real world the person responsible for such pitiful performance would be fired.

Federal Information Security Modernization Act of 2014 (FISMA) - 2018 report

"Congress enacted the Federal Information Security Modernization Act of 2014 (FISMA) to improve federal cybersecurity and clarify government-wide responsibilities. The act is intended to promote the use of automated security tools with the ability to continuously monitor and diagnose the security posture of federal agencies, and provide for improved oversight of federal agencies' information security programs. In particular, the act clarifies and assigns additional responsibilities to entities such as OMB and DHS."

http://images.spaceref.com/news/2018/FISM2018.jpg

- Nov 2017 FITARA Scorecard

- NASA Totally Flunks FITARA Scorecard 2 Years In A Row (2016), earlier post

"There is a slightly goofy post at NASA CIO's Open.NASA.gov (not findable on the NASA search engine) "NASA's Approach to Implementing FITARA" from 10 March 2016 that opens with "My husband and I are planning a vacation to Disneyworld, an awesome destination for our five year old dreamer. How do we budget for such an grandiose trip?", and then goes on to spout happy talk - with added IT word salad - about how seriously NASA takes FITARA. If only."

Potential Personally Identifiable Information (PII) Compromise of NASA Servers

"On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised. Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents."

- NASA Internal Memo: Breach of Personally Identifiable Information Update (2013), earlier post
- NASA's Stolen Laptop and Data Problem Just Got Worse (2012), earlier post
- NASA Still Has Big Unresolved Cybersecurity Issues, earlier post
- OIG: NASA Chief Information Officer Is Doing A Crappy Job, earlier post
- NASA Totally Flunks FITARA Scorecard 2 Years In A Row, earlier post

Earlier IT postings http://nasawatch.com/archives/itweb/

Keith's note: There is yet another space policy event in Washington, DC today aimed at another session of choir practice in an echo chamber by the proverbial usual suspects in the space policy clique. It's an event by the U.S. Chamber of Commerce launching some sort of commercial space thing. Registration for the event closed a while back and only a few media representatives were allowed in. Of course, as is typical of these events, the sponsors did not bother to webcast anything. Who cares. These events are all about talking about doing things instead of actually doing the things that they talk about.

Given that there is a Chamber of Commerce in virtually every community in America this could have been an excellent opportunity for the U.S. Chamber of Commerce to go into grass roots mode and educate the remaining 99.999% of the population - the ones who pay taxes or work in companies that build space hardware. But no - these policy wonks are only interested in talking to each other and being quoted in trade publications that only they and their friends read.

But there was an exception to this cloistered event: NASA Administrator Bridenstine had someone on his staff stream his keynote speech live via a streaming account registered to @JimBridenstine on their cellphone. He does things like this a lot. Much of it is spontaneous - and much of it is done on his cellphone by him using his own actual fingers. He gets it. There is no reason why any event anywhere cannot be shared with anyone, anywhere. So long as there is cellphone and/or WiFi access you have a means to reach a vast audience.

Yes, the quality is sometimes shaky. I call this the "Max Headroom effect". If you are not familiar with this then go Google the name. Of course it's shaky - it's being done via a cellphone. The point is that while the quality may be lacking, it is understandable, and it is live, and it is being done so that you can participate - wherever you are.

In 2009 I spent a month at Everest Base Camp at 17,600 feet doing education and public outreach with the Challenger Center as Astronaut Scott Parazynski climbed Everest. We had a commercially available HS 9210 BGAN satellite unit. I carried it to Everest on my back. With it we did live webcasts almost daily with Miles O'Brien who used his laundry room in New York City as our media command center. The quality was often lacking but, in pure Max Headroom mode, we did live webcasts from an extremely remote place where few had done such things before - because we could.

Now it's easy to do things like this from Everest since there are people selling WiFi access and you can use your cellphone - the same access that people in these space policy meetings have. Oddly, a community that hypes the space spinoff benefits to the economy - including space-based communication satellites - is incapable of using the same resources to do a simple webcast from their events - something that kids in junior high school know how to do.

There is also this fetish with costs - and ignorance thereof. Space meeting organizers think that webcasts using cellphones and laptops need to be fancy or cost a lot of money. Yet they spring big bucks for expensive stage props and luncheons for their pals at these events. It's all about appearances - not substance.

People in the space industry are always keen to sniff for hints from NASA leadership as to what they are interested in so as to be able to say the right buzz words back to NASA and offer products and services that NASA seems to be interested in. OK: here's a hint: the Administrator of NASA personally streams live video of his comments on social media. He does so without an army of expensive contractors on the cellphone in his pocket. He is trying to reach people that have heretofore remained beyond the reach of NASA's traditional education and public outreach mechanisms.

When big aerospace companies and associations want to send messages to their audiences they buy full page ads in the Washington Post or blanket Metro stations near Capitol Hill with giant banners. Bridenstine uses his cellphone with the ability to reach a vastly bigger audience.

Bridenstine is also sending a message to the traditional aerospace community: they need to adapt to his new mode of communication if they want to remain relevant. He is going directly to taxpayers and other stakeholders and bypassing the long-standing system that trade and advocacy groups have usually held a grip on.

He's already got a head start and he's not looking back.

- Keith Cowing Everest Update: Webcasting from a Foggy Buddhist Monastery, 2009

Keith's 30 Nov note: People make honest mistakes on social media. I get that. But it's hard to take the JPL science communicators very seriously when they make errors like this and then do nothing to fix them. I and others have pointed this out to JPL. Three days later and the incorrect tweet is still up. Either they do not care or they do not pay attention to detail. It's also becoming obvious that a lot of people who tweet for NASA have no real background on previous NASA missions. As such thousands of people have now liked an official NASA tweet that has several errors - one of them factually incorrect and totally germane to the point that JPL was trying to make i.e. "energy generated by a rover or lander on Mars". Keith's 3 Dec update: JPL finally took their incorrect tweet down after letting it misinform people for 3 days. Here is what it looked like:
http://images.spaceref.com/news/2018/power.tweet.jpg

Keith's note: If you go to this NASA CIO page "Security Requirements & Policies" you will see that they list all of their directives and memos but you cannot download any of them since there are no links. Let's focus on the first one on the list: "NPR 1382.1A, NASA Privacy Procedural Requirements, July 10, 2013". If you go to NASA NODIS (NASA Online Directive Information System) and enter the document number the search engine cannot find the document. But if you go to the link 1000-1999 Organization and Administration and search for it manually you can find it. But if you use Google and just cut and paste the title in the search box a link to the document magically appears. So please tell me how much credence you can put on an IT management system or a CIO organization where you cannot even use an official policy document search engine to find the documents that govern their own core responsibilities?

Google has enlisted NASA to help it prove quantum supremacy within months, Technology Review

"Quantum supremacy is the idea, so far undemonstrated, that a sufficiently powerful quantum computer will be able to complete certain mathematical calculations that classical supercomputers cannot. Proving it would be a big deal because it could kick-start a market for devices that might one day crack previously unbreakable codes, boost AI, improve weather forecasts, or model molecular interactions and financial systems in exquisite detail. The agreement, signed in July, calls on NASA to 'analyze results from quantum circuits run on Google quantum processors, and ... provide comparisons with classical simulation to both support Google in validating its hardware and establish a baseline for quantum supremacy.'"

NASA/Google Space Act Agreement

Keith's note: You all may be familiar with Serkan Golge, a NASA JSC employee who has been imprisoned in Turkey for bogus reasons for a long time. A NASAWatch reader noticed that someone at NASA is using the agency's Internet access to make changes to Golge's Wikipedia page - apparently in an effort to diminish his role at NASA. Golge was a full-time contractor with an office next to the MCC. But if you look at the edits it would seem that someone who wanted to minimize his role changed his page to say "working on projects." instead. There were two edits originating from 156.68.64.53 on 4 September 2018. Have a look at the before and after edits here. And another one here.

The NASA IP address where these edits originated is 156.68.64.53

IP Address - 156.68.64.53
City - Redstone Arsenal
State/Region - Alabama
Country Code - United States
Postal Code - 35812
ISP - National Aeronautics and Space Administration
Time Zone -05:00

NASA's CIO Office is mostly useless. Let's see if they look into this. They should. I sent an email to NASA HQ and MSFC CIO offices and NASA HQ PAO. Let's see if they respond.

- One Of Your NASA Coworkers Is Still In a Turkish Jail Cell, earlier post
- NASA Employee Imprisoned By Turkey For No Reason, earlier post

Keith's note: After a series of problems the participants in this telecon gave up. You would think that a NASA field center located in the middle of Silicon Valley would have this whole telecon thing down by now. Guess again.

https://s3.amazonaws.com/images.spaceref.com/news/2018/boeing.club.jpg

Keith's note: Looks like Boeing is taking this recruitment drive seriously. Now you can become a member of their official fan club by going to this link and get exclusive content. Of course, to do this you have to sign in with your Facebook account (with all the risks that go with that) or give them your email. By visiting this page Boeing puts a cookie in your browser to track what you are doing. If you agree to become a member of their fan club you risk all of the things listed in their Boeing Privacy and Cookie Statement which says:

"Boeing collects personal information from and about individuals for a variety of purposes. In some cases Boeing requests personal information from you, or from your employer in the case of organizational Services. In other cases we obtain personal information by noting how you and the devices you use interact with our Services. Examples of personal information include: first and last names, phone numbers, e-mail addresses, mailing addresses, passport or government identification information, gender, date of birth, country of residence ... We acquire data from credible third-party sources that are either publicly or commercially available. This information includes personal data such as your name, address, email address, preferences, interests, and certain demographic data. For example, personal data is collected when you access our applications through social media account logins. We combine personal information collected through our Services with other information that we or third parties collect about you in other contexts, such as our communications with you via email or phone, or your customer service records. We treat such combined information as personal information and protect it in accordance with this Statement."

And if you are older than 14 Boeing will happily collect this information from anyone. Why does Boeing want to know this about you? We've discussed this creepy activity in previous posts.

- Boeing's Creepy Petition Wants To Track Your Online Activity, previous post
- Boeing's Misleading Anti-SpaceX Pro-SLS Facebook Ad Campaign, previous post

Keith's note: A month ago I mentioned the Facebook advertising that Boeing has been doing (see "Boeing's Imaginary Space Program"). Well, they are at it again. I just saw this advertisement show up on Facebook (larger image). It leads with "NASA hasn't used American-made spacecraft to send astronauts to space since 2011. Sign the petition to show you support AMERICAN-MADE SPACECRAFT." What's their point? The only competitor Boeing has right now for NASA business is another 100% American-made spacecraft by SpaceX. And I suppose you can add in Sierra Nevada and Blue Origin too if you want. So no matter who flies on a commercial vehicle they will be flying on an American spacecraft. So why is Boeing trying to get you to support something that happens no matter what?

If you click on the link it sends you to this link (note the tracking code in the URL) - you are now an "enthusiast" for their "sls-space-race-petition": https://watchusfly.com/campaigns/space-american-made-petition-acquisition/?utm_source=facebook&utm_medium=video-post&utm_campaign=acquisition_petition_sls-space-race-petition-2-b&utm_term=space&utm_content=enthusiast which asks you to "Add your name to support American-made spacecraft" by giving your name, email, and zip code. Of course they also put cookies in your browser and know your IP number. Oh yes - take a look at their policy page and look at all the things you will let them do with this information (as if anyone reads this stuff):

"Your use of social media features will result in the collection or sharing of information about you, depending on the feature. The basic details we receive depends on your social network account privacy settings. We encourage you to review the privacy practices and settings of the social media sites you use to make sure you understand the personal information that may be collected, used, and shared by those sites."
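The tracking codes in the two watchusfly.com links quoted in these posts are standard `utm_*` campaign tags, and they can be read and stripped before a link is opened. The Python below is an added example, not code from the original posts; the function names and the example.org URL are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The two petition links quoted in the posts above, copied from the page.
ISS_AD_URL = (
    "https://watchusfly.com/campaigns/space-iss-3-0-petition-acquisition/"
    "?utm_source=facebook&utm_medium=link-post"
    "&utm_campaign=acquisition_petition_space-iss-3-a"
    "&utm_term=space&utm_content=enthusiast"
)
SPACECRAFT_AD_URL = (
    "https://watchusfly.com/campaigns/space-american-made-petition-acquisition/"
    "?utm_source=facebook&utm_medium=video-post"
    "&utm_campaign=acquisition_petition_sls-space-race-petition-2-b"
    "&utm_term=space&utm_content=enthusiast"
)
# Constructed URL (not from the page): a mixed-case tag, two functional
# parameters and a fragment, to show that only campaign tags are removed.
CONSTRUCTED_URL = "https://example.org/page?id=7&UTM_Source=newsletter&lang=en#top"

# Conventional meaning of the five UTM campaign tags.
UTM_MEANING = {
    "utm_source": "site the click came from",
    "utm_medium": "kind of ad or post that carried the link",
    "utm_campaign": "advertiser's name for the campaign",
    "utm_term": "keyword or audience the ad was targeted at",
    "utm_content": "ad variant or audience segment label",
}


def split_tracking(url):
    """Return (clean_url, tags): the URL without utm_* parameters, and the
    removed tags as a dict (lower-cased names; a repeated tag keeps its
    last value)."""
    parts = urlsplit(url)
    tags = {}
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower().startswith("utm_"):
            tags[name.lower()] = value
        else:
            kept.append((name, value))  # functional parameter: leave in place
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )
    return clean, tags


def describe(url):
    """Human-readable report of what a tagged link tells the landing page."""
    clean, tags = split_tracking(url)
    lines = [f"clean link: {clean}"]
    for name in sorted(tags):
        meaning = UTM_MEANING.get(name, "non-standard campaign tag")
        lines.append(f"  {name}={tags[name]}  ({meaning})")
    return lines


def differing_tags(url_a, url_b):
    """Names of the tags whose values differ between two tagged links."""
    _, tags_a = split_tracking(url_a)
    _, tags_b = split_tracking(url_b)
    names = tags_a.keys() | tags_b.keys()
    return sorted(n for n in names if tags_a.get(n) != tags_b.get(n))


if __name__ == "__main__":
    for link in (ISS_AD_URL, SPACECRAFT_AD_URL, CONSTRUCTED_URL):
        print("\n".join(describe(link)))
    # Both ads share source, term and the "enthusiast" segment label;
    # only the ad format and campaign name change between them.
    print(differing_tags(ISS_AD_URL, SPACECRAFT_AD_URL))
```

Stripping the tags only removes the campaign labels from the request; it does nothing about cookies the site sets once the page loads.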

Keith's note: The following statement was received by NASA Watch from the Buzz Aldrin Space Foundation (https://buzzaldrinfoundation.org) in response to an inquiry we made about recent postings on @TheRealBuzz:

"Keith,

Thanks for your interest and concern. In response to your questions from NASA Watch, I have been reassured by the Buzz Aldrin Space Foundation that, contrary to recent Twitter postings on @TheRealBuzz, Christina Korp has not been terminated. Such a termination would require a majority vote of the board, which has not occurred. Christina is continuing in her ongoing roles with the Buzz Aldrin Space Foundation and Share Space Foundation.

We are not sure who is responsible for the Tweet regarding Christina, but we are confident Buzz did not write this. It appears, as many have speculated online, that management of the Twitter account @TheRealBuzz has indeed been reassigned without proper verification.

I will add that the Aldrin family and Foundation colleagues have expressed concern for Buzz's potential vulnerability to manipulation by other parties seeking to gain access to and control of Foundation and personal resources. In addition to the important mission of the Foundation, they remain committed to protecting his personal reputation and professional legacy, as well as his ability to remain self-sustaining financially.

Thanks for your interest.

Jeff Carr
Spokesman for Buzz Aldrin Space Foundation"

Audit of NASA's Information Technology Supply Chain Risk Management, NASA OIG

"While NASA has improved its supply chain risk management efforts since the process was first mandated in 2013, we identified pervasive weaknesses in the Agency's internal controls and risk management practices that lead us to question the sufficiency of its current efforts. NASA's risk assessment process, when followed, often consists of a cursory review of public information obtained from Internet searches or unverified assertions from manufacturers or suppliers that the IT and communications products or services being acquired do not pose a risk of cyber-espionage or sabotage. Further, we found NASA does not consistently coordinate with the FBI in its review process. In addition, contrary to best practices the Agency's supply chain risk management practices do not require testing of IT and communication products to determine their authenticity and vulnerability to cyber-espionage or sabotage prior to their acquisition and deployment. Moreover, Agency policy excludes specific IT systems and flight hardware, such as equipment operated on the International Space Station, from risk assessment requirements. Overall, the Agency's weak controls have resulted in the purchase of non-vetted IT and communication assets, some of which we found present significant security concerns to Agency systems and data. In addition to our longstanding concerns about NASA's IT governance and security practices, the Agency compounds its security vulnerabilities by relying on ineffectual processes and information in its efforts to prevent risky IT products from entering its network environment."

NASA OIG Audit of NASA's Security Operations Center, NASA OIG

"Since its inception a decade ago, the SOC has fallen short of its original intent to serve as NASA's cybersecurity nerve center. Due in part to the Agency's failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in OCIO leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the Agency's IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities. Industry best practice for an effective SOC recommends a charter signed by stakeholders that explicitly details authorities and responsibilities. Such a charter would allow the SOC to more effectively push for the resources and the cooperation required to execute its mission. However, after 10 years the NASA SOC has no charter to govern its operations or outline its authorities. In addition, the SOC has no roadmap for moving from its current state to a future state of operation, a critical management tool for establishing priorities for continual improvement."

GAO: NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses, GAO

"NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended. NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures."

Keith's update: In less than 48 hours three reports - one from GAO, two from the NASA OIG - have been released that show continued problems with the way that the NASA Chief Information Officer Renee Wynn has not been fixing problems with NASA IT. If you go to the NASA CIO website there is no mention of this report - or any other reports that cite weaknesses in how the CIO manages NASA's IT infrastructure. Just what is it that Renee Wynn has been doing? None of the problems that were blatantly obvious when she arrived at NASA have been fixed.

If you read her "IT Talk" quarterly newsletter, her office seems to be preoccupied with everything but the important things that need to be fixed. Indeed, much of what her office likes to parade around as accomplishments has little if anything to do with what the CIO is supposed to be doing.

- GAO and OIG Agree: NASA CIO Is Underperforming, earlier post
- OIG: NASA's Operational Technology Systems Are Inadequate and Disjointed, earlier post
- NASA Still Has No Effective Information Security Program, earlier post
- NASA CIO Drops The Ball On ACES Authorization, earlier post
- Previous NASA IT Posts

GAO: NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses

"The National Aeronautics and Space Administration (NASA) has not yet effectively implemented leading practices for information technology (IT) management. Specifically, GAO identified weaknesses in NASA's IT management practices for strategic planning, workforce planning, governance, and cybersecurity.

- NASA has not documented its IT strategic planning processes in accordance with leading practices. While NASA's updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs. Until NASA establishes a comprehensive IT strategic plan, it will lack critical information needed to align resources with business strategies and investment decisions.

- Of the eight key IT workforce planning activities, the agency partially implemented five and did not implement three. For example, NASA does not assess competency and staffing needs regularly or report progress to agency leadership. Until NASA implements the key IT workforce planning activities, it will have difficulty anticipating and responding to changing staffing needs.

- NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended.

NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures."

Keith's 4:40 pm Update: They fixed it.

OIG: NASA Chief Information Officer Is Doing A Crappy Job, earlier post (2017 OIG report)

"In the 4 years since issuance of our IT governance report and the 3 years since completion of its own internal review, the Office of the Chief Information Officer (OCIO) has made insufficient progress to improve NASA's IT governance, casting doubt on the office's ability to effectively oversee the Agency's IT assets. Specifically, the NASA Chief Information Officer (CIO) continues to have limited visibility into IT investments across the Agency and the process NASA developed to correct this shortcoming is flawed."

Agencies Need to Improve Certification of Incremental Development, GAO

"... Among the reported investments, we identified 166 investments undertaking software development activities in which at least 50 percent or more of funding was allocated to development, modernization, and enhancement activities. For each of these investments, we assessed the status of reported certifications by the CIOs of the respective agencies. [Three agencies, NASA, NSF, and NRC, did not have any investments that met this criteria for fiscal year 2017.]"

OIG: NASA's Efforts to Improve the Agency's Information Technology Governance

"In the 4 years since issuance of our IT governance report and the 3 years since completion of its own internal review, the Office of the Chief Information Officer (OCIO) has made insufficient progress to improve NASA's IT governance, casting doubt on the office's ability to effectively oversee the Agency's IT assets. Specifically, the NASA Chief Information Officer (CIO) continues to have limited visibility into IT investments across the Agency and the process NASA developed to correct this shortcoming is flawed.

Despite these efforts, the OCIO's insight into and control over the bulk of the Agency's nearly $1.4 billion in annual IT funding remains limited ... this lack of authority and visibility over the majority of the IT budget limits the Agency's ability to consolidate IT expenditures, realize cost savings, and drive improvements in the delivery of IT services. ... the Agency's current enterprise architecture remains immature after a decade-long effort, a situation that contributes to the undisciplined manner in which NASA makes IT investments. Moreover, despite changes to two of the Agency's three top-level IT governance boards, IT managers across the Agency remain unsure of board functions and their decision making processes and the boards have yet to make strategic decisions that substantively impact how IT at NASA is managed. In addition, as of August 2017 the roles and responsibilities associated with NASA's IT governance structure have not been finalized by the OCIO - one of the most basic and critical pieces of the Agency's Business Services Assessment (BSA) Implementation Plan. ... Lingering confusion about security roles coupled with poor IT inventory practices continues to negatively impact NASA's security posture. ... Finally, the OCIO continues to exercise limited ability to influence IT management within the Mission Directorates and Centers due to the autonomous nature of NASA operations and the office's lack of credibility on IT issues in the eyes of its customers."

NASA's Next Mars Mission to Investigate Interior of Red Planet, Lockheed Martin

"More information about InSight is online at:
https://www.nasa.gov/insight
https://insight.jpl.nasa.gov/"

Keith's note: Here we go again. NASA has deliberately created - and pays to maintain - two official mission websites - this time, for Mars InSight. NASA is paying twice for this. I'd be willing to bet that a FOIA request would show that the duplication costs in terms of website contractor personnel would amount to several hundred thousand dollars over the course of the mission. This is not new wastefulness on NASA's part: the Mars 2020 Rover already has three official NASA mission websites: https://mars.nasa.gov/mars2020/, https://www.jpl.nasa.gov/missions/mars-2020/, and https://www.nasa.gov/mars2020. Every few years I ask NASA SMD about this. Someone says that they'll look into it. Tick tock - nothing changes. The real answer is stove piping: NASA cannot really tell its field centers (or JPL) what to do and they go off and do their own thing regardless of whether someone else is already doing it. The field centers and JPL want people to think of them when it comes to NASA - instead of NASA.gov. But NASA HQ wants a unified way for people to find mission information so they set up a duplicate set of mission websites. Try as they may, these dueling sites are never totally in synch - and one is almost always out of date with respect to the other. Let's #MakeNASAConfusingAgain

NASA's Inability To Speak With One Voice Online, earlier post (2011)

"Probably the most blatant example whereby NASA simply cannot make its mind up as to where an official mission website is has to do with Hubble - here are the official websites: http://hubble.nasa.gov/, http://www.nasa.gov/mission_pages/hubble/main/index.html, http://hubblesite.org/, http://heritage.stsci.edu/, http://www.nasa.gov/hubble, and http://www.spacetelescope.org/. And NASA Hubble press releases typically offer 3 links - on three different official Hubble websites - for the same image."

- Why Does NASA Maintain Three (Four) Different MSL Websites?, earlier post (2013)
- Why does NASA need multiple websites for the same mission?, earlier post
- NASA's Tangled Human Spaceflight Web Presence, earlier post
- NASA's Sprawling Web Presence, earlier post

Getting NASA to Comply With Simple FOIA Requests Is a Nightmare

"Trying to effectively use the Freedom of Information Act can be hell. Maybe a police department will demand a ridiculous and seemingly arbitrary fee to collect records, or perhaps an agency simply won't respond to requests. Judging by Motherboard's own requests as well as those from Freedom of Information organizations, one government body in particular stands out for turning FOIA requests into a nightmare: NASA."

- NASA FOIA Follies Continue, earlier post
- Why Does it Take 2 Years For GSFC To Respond to a FOIA Request?, earlier post
- Never Ask NASA a Simple Question, earlier post
- NASA Refuses To Accept Its Own News Media Accreditation (Update), earlier post
- In Search Of A CASIS Report Card, earlier post

NASA blocks FOIA request for potential White House 'media blackout' orders, Daily Dot

"Users of a popular online service that helps the public acquire legal access to government records face new hurdles when petitioning NASA under the Freedom of Information Act (FOIA). The National Aeronautics Space Administration has begun rejecting public records requests from users of FOIA request-filing service MuckRock, which doesn't provide what the agency calls a "personal mailing address," even though the requirement appears to have no basis under the law. Last week, following nearly two months of back and forth, NASA formally denied the Daily Dot access to any records--which may or may not exist--related to White House decrees affecting its use of social media and other forms of communication. The request, filed less than a week after Trump's inauguration, was sent using MuckRock's online submission system and contained MuckRock's mailing address. "Please be advised, that everyone submitting a FOIA Request via Muckrock, who are not a staff members [sic] must provide their personal mailing address when submitting a requests [sic]," NASA's FOIA officer, Josephine Shibly, wrote in a letter to the Daily Dot on March 10."

Diehard Coders Just Rescued NASA's Earth Science Data, Wired

"Like similar groups across the country - in more than 20 cities - they believe that the Trump administration might want to disappear this data down a memory hole. So these hackers, scientists, and students are collecting it to save outside government servers. But now they're going even further. Groups like DataRefuge and the Environmental Data and Governance Initiative, which organized the Berkeley hackathon to collect data from NASA's earth sciences programs and the Department of Energy, are doing more than archiving. Diehard coders are building robust systems to monitor ongoing changes to government websites. And they're keeping track of what's already been removed - because yes, the pruning has already begun."

Climate Data Preservation Efforts Mount as Trump Takes Office, Technology Review

"Earlier federal data hackathons include the "Guerrilla Archiving" event at the University of Toronto last month, the Internet Archive's Gov Data Hackathon in San Francisco at the beginning of January, and the DataRescue Philly event at the University of Pennsylvania last week. Much of the collected data is being stored in the servers of the End of Term Web Archive, a collaborative effort to preserve government websites at the conclusion of presidential terms."

Rogue Scientists Race to Save Climate Data from Trump, Wired

"The group was split in two. One half was setting web crawlers upon NOAA web pages that could be easily copied and sent to the Internet Archive. The other was working their way through the harder-to-crack data sets--the ones that fuel pages like the EPA's incredibly detailed interactive map of greenhouse gas emissions, zoomable down to each high-emitting factory and power plant. "In that case, you have to find a back door," said Michelle Murphy, a technoscience scholar at the University of Toronto."

A US-born NASA scientist was detained at the border until he unlocked his phone, The Verge

"Seemingly, Bikkannavar's reentry into the country should not have raised any flags. Not only is he a natural-born US citizen, but he's also enrolled in Global Entry -- a program through CBP that allows individuals who have undergone background checks to have expedited entry into the country. He hasn't visited the countries listed in the immigration ban and he has worked at JPL -- a major center at a US federal agency -- for 10 years. ... The officer also presented Bikkannavar with a document titled "Inspection of Electronic Devices" and explained that CBP had authority to search his phone. Bikkannavar did not want to hand over the device, because it was given to him by JPL and is technically NASA property. He even showed the officer the JPL barcode on the back of phone. Nonetheless, CBP asked for the phone and the access PIN. "I was cautiously telling him I wasn't allowed to give it out, because I didn't want to seem like I was not cooperating," says Bikkannavar. "I told him I'm not really allowed to give the passcode; I have to protect access. But he insisted they had the authority to search it."


NASA OIG: Audit of Industrial Control System Security within NASA's Critical and Supporting Infrastructure

"Despite its significant presence across the Agency and its criticality to the success of the Agency's multi-faceted mission, NASA has not adequately defined OT [operational technology], developed a centralized inventory of OT systems, or established a standard protocol to protect systems that contain OT components. NASA needs to know which systems incorporate OT components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction. ... NASA also lacks an integrated approach to managing risk associated with its critical infrastructure that incorporates physical and cyber security considerations in all phases of risk assessment and remediation. Specifically, the security of physical and cyber components of NASA's critical assets is managed with minimal collaboration among key Agency stakeholders and does not involve the Office of Strategic Infrastructure, which manages the supporting infrastructure associated with critical assets. This disjointed approach has led to duplication of effort and gaps in security planning and risk remediation at both the Agency and Center levels."

NASA OIG: Security of NASA's Cloud Computing Services

"While NASA has made improvements since our 2013 audit, continuing weaknesses in its governance and risk management processes have prevented the Agency from fully realizing the benefits of cloud computing and continue to leave Agency information stored in cloud environments at unnecessary risk."

What The 'Rogue' EPA, NPS and NASA Twitter Accounts Teach Us About The Future Of Social, Forbes

"These new accounts also raise the fascinating question of whether "alternative" or "rogue" or "resistance" social media accounts will become a new norm even in Western nations that have not typically had a history of "governments in exile." One could imagine that every administration would have its "rogue" employees who disagree with particular policies heading out to Twitter to fire up their own resistance accounts. Taking this a step further, the party not in power could set up its own alternative Twitter accounts for each federal agency and issue their own statements interpreting the actions of each agency through their particular partisan lens."

Keith's note: I could not be happier to see this happen. NASAWatch started out as RIFWatch - an effort to inform people about an impending downsizing (RIF) at NASA. Guess what - that may be in NASA's future once again. I used to warn NASA that someday there would be dozens of websites like NASAWatch. I am so happy to have totally underestimated that number.

Keith's update: At first these Twitter accounts focused mostly on science issues. Then their originators (government employees, based on tweets these accounts made) handed the accounts over to non-government employees. Shortly thereafter, as visibility exploded, a lot of the commentary and followers' comments took a turn into overtly partisan, anti-Trump territory. Now it's hard to extract the science policy issues from the rest of the noise. Such is social media.

Final Memorandum, Federal Information Security Modernization Act: Fiscal Year 2016 Evaluation (IG-17-002; A-16-009-00)*

"*In preparation for public release, selected portions of this report containing sensitive security information have been redacted under exemption (b)(7)(E) of the Freedom of Information Act (FOIA).

NASA received 27 out of 100 possible maturity level points, indicating that overall it has not yet implemented an effective information security program."

Obama orders Russia expulsions, sanctions for interference in 2016 election, Reuters

"President Barack Obama on Thursday ordered the expulsion of 35 Russian diplomats and sanctioned Russian intelligence officials who Washington believes were involved in hacking U.S. political groups in the 2016 presidential election. The measures, taken during the last days of Obama's presidency, mark a new low in U.S.-Russian relations which have deteriorated over serious differences on Ukraine and Syria. "These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior," Obama said in a statement from vacation in Hawaii."

Joint DHS, ODNI, FBI Statement on Russian Malicious Cyber Activity, FBI

"This activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing, campaigns targeting government organizations, critical infrastructure, think tanks, universities, political organizations, and corporations; theft of information from these organizations; and the recent public release of some of this stolen information."

- Cold War Echoes On Earth And In Space, Earlier post
- How Long Will ISS Remain Isolated From Terrestrial Politics?, Earlier post

Keith's 31 October update: NASA MSFC Internal Memo: Key Personnel Announcement - Teresa Washington is retiring, NASA MSFC

"Upon the upcoming retirement of Teresa Washington, I am pleased to announce the appointment of Marcus Lea to the Senior Executive Service (SES) position of Director, Office of Human Capital (OHC). As OHC Director, Mr. Lea will be responsible for the entire scope of the Center's workforce strategy and planning, organization and leadership development, academic affairs, training and incentives, federal labor relations, and employee services and operations."

SLS Flight Software Safety Issues at MSFC (Update), earlier post

Follow-up Evaluation of NASA's Implementation of Executive Order 13526, Classified National Security Information, NASA OIG

"Although NASA has taken steps to implement our prior recommendations, we continued to identify inconsistencies in the Agency's application of CNSI policies and procedures that led to improper marking of classified documents. This occurred because of insufficient identification and training of classifiers. Further, implementation of the Agency's self-inspection program was not fully effective because NASA Centers did not consistently review documents to verify the accuracy of classified markings. Improved identification and training of classification officials and effective self-inspections would help ensure classified information at NASA is managed in accordance with Federal requirements."

Information Security: NASA Needs to Improve Controls over Selected High-Impact Systems. GAO-16-688SU, September 23, GAO (Restricted report)

NASA Open Government 2016 Plan, NASA CIO

Keith's 15 Sept note: With regard to the Open NASA thing at FOIA this report says "NASA's FOIA program provides access to agency documents through a citizen-centered service. NASA is committed to providing the public with excellent customer service as well as access to disclosable agency documents in accordance with all appropriate laws and regulations. Each Plan listed improvements, consolidations, and revised processes. Each of these commitments was met, and the effort to provide excellence continues. http://socialforms.nasa.gov/foia"

With regard to the "excellent customer service" that the NASA CIO is so excited about, if you go to http://socialforms.nasa.gov/foia you get:

"Not Found The requested URL /foia was not found on this server. Apache/2.4.7 (Ubuntu) Server at socialforms.nasa.gov Port 443"

If you go to NASA's actual FOIA page and click on "Submit a FOIA Request + View Form" - it also links to http://socialforms.nasa.gov/foia which leads you to the same dead link.

So much for enhanced customer service by the NASA CIO.

Keith's 18 Sept note: It took NASA 3 days to fix this problem once it was highlighted here. Just sayin'

NASA's 'act of desperation' demonstrates continued cyber deficiencies, Federal News Radio

"One of NASA's main networks used by almost every employee and contractor and managed by Hewlett Packard Enterprise is in such bad shape, the agency's chief information officer could no longer accept the risk and let the cybersecurity authorization expire. Renee Wynn, NASA's new CIO, didn't sign off on the authority to operate (ATO) for systems and tools under the $2.5 billion Agency Consolidated End-user Services (ACES) contract, which HPE won in 2010. Under the 10-year contract, HPE provides and manages most of NASA's personal computing hardware, agency-standard software, mobile information technology services, peripherals and accessories, associated end-user services and supporting infrastructure. A NASA spokeswoman confirmed the ATO expired on July 24. She said Wynn signed a "conditional" ATO for the systems under ACES, but internal NASA sources said the authorization is just for the management tools and not for the desktops, laptops and other end user devices. Letting an ATO expire on a major agency network is unheard of in government. Multiple federal cyber experts said agencies know at least a year in advance when an authorization and accreditation needs to be renewed."

NASA Totally Flunks FITARA Scorecard 2 Years In A Row, earlier post

"I need to thank NASA's AA for Legislative Affairs, Seth Statler, for pointing out the hearing - and NASA's 'F' grade. NASA has the distinction in 2016 for being the only agency to get an overall 'F', so congratulations are in order. Of course, in telling everyone about FITARA, it is quite obvious that Statler was doing a little blame shifting as he spoke for NASA CIO Renee Wynn - while throwing her under the bus."

- Earlier posts

NASA Unveils New Public Web Portal for Research Results

"Public access to NASA-funded research data now is just a click away, with the launch of a new agency public access portal. The creation of the NASA-Funded Research Results portal on NASA.gov reflects the agency's ongoing commitment to providing broad public access to science data. "At NASA, we are celebrating this opportunity to extend access to our extensive portfolio of scientific and technical publications," said NASA Deputy Administrator Dava Newman. "Through open access and innovation we invite the global community to join us in exploring Earth, air and space."

NASA hires cyber mainstay as CISO, FedScoop

"NASA CIO Renee Wynn selected [Jeanette] Hanna-Ruiz to officially begin on Aug. 8 after spending 20 years in public sector information security positions, according to an official release Tuesday. Hanna-Ruiz helped write the Cyberspace Policy Review that outlined the country's cyber strategy when President Barack Obama took office in 2009. She also worked at the Department of Homeland Security-National Security Agency Joint Cyber Coordination Group, and helped develop the DHS' cyber missions and capabilities. ... NASA received an F in May on a Government Accountability Office-issued FITARA scorecard, which compiled scores based on agencies' achievements in four categories: data center consolidation, IT portfolio review savings, incremental development and risk assessment transparency."

NASA Totally Flunks FITARA Scorecard 2 Years In A Row, earlier post

- @jhannaruiz 0 TWEETS - 0 FOLLOWING - 30 FOLLOWERS
- Jeanette Hanna-Ruiz, LinkedIn

"More recently, Hanna-Ruiz has traveled from January to May on a "mindfulness and meditation journey" that had her walking more than 800 miles in 100 days, and living with monks and nuns throughout France, Nepal, Thailand and other places."

Keith's note: This is interesting. Unlike the way in which most people who job hop here in DC, this is an example of someone who actually did a personal operating system reinstall and reboot. Having spent a month living at Everest Base Camp in Nepal, I totally recommend the Himalayas for wetware system upgrades.

NASA Kepler Twitter Account Hacked, Tweets Sexy Butt, io9

"The official Twitter account for NASA's Kepler, which surveys parts of the Milky Way Galaxy in search for hospitable planets, just got hacked. It's unclear how or why the account was hacked, but it definitely tweeted a butt and a sketchy link."

Keith's note: There is a somewhat NSFW image after the link, so ... if you are sitting at a government computer ...

Federal Information Technology Acquisition Reform Act, Wikipedia

"One of the requirements would be that the government develop a streamlined plan for its acquisitions. The bill would increase the power of existing Chief Information Officers (CIO) within federal agencies so that they could be more effective. Each agency would also be reduced to having only one CIO in the agency, who is then responsible for the success and failure of all IT projects in that agency. The bill would also require the federal government to make use of private sector best practices. The bill is intended to reduce IT procurement related waste."

http://images.spaceref.com/news/scorecard.2015.jpg

Oversight Committee FITARA Scorecard (2015)

http://images.spaceref.com/news/scorecard.2016.jpg

Oversight Committee FITARA Scorecard (2016) [Note: NASA is the only agency to get an overall 'F' grade]

Hearing, Federal Information Technology Reform Act Scorecard 2.0, House Oversight Committee

NASA CIO Wynn Testimony

"Admittedly, NASA's scores on the FITARA scorecard are unacceptable. We have work to do, and challenges to overcome. But at the same time, I believe it is also important to reflect on the major strides NASA has already taken in improving the management of and protection of the Agency's IT infrastructure. Thus, the remainder of my testimony today will provide a brief summary of our achievements to date, and other work in progress directed at becoming the best stewards of the Agency's IT resources."

Keith's note: I have to be completely honest: neither this hearing nor the FITARA report/scorecard that was released were on my news radar. I need to thank NASA's AA for Legislative Affairs, Seth Statler, for pointing out the hearing - and NASA's 'F' grade. NASA has the distinction in 2016 for being the only agency to get an overall 'F', so congratulations are in order. Of course, in telling everyone about FITARA, it is quite obvious that Statler was doing a little blame shifting as he spoke for NASA CIO Renee Wynn - while throwing her under the bus. You'd expect the @NASACIO Twitter to say something too but they have not tweeted anything since 15 March 2015.

Nor is there any mention of the hearing, the CIO's testimony, the 2016 score card (or last year's), NASA's performance (or lack thereof) and what corrective actions NASA plans to make on the NASA CIO website. Searching for "FITARA" only yields 6 results across all of NASA's websites. This chatty 2016 newsletter from the CIO makes no mention of NASA's abysmal score in 2015 but does say "OCIO has made significant progress in the development of a solid implementation plan." So, as long as they are working on a plan, then everything must be OK.

There is a slightly goofy post at Open.NASA.gov (not findable on the NASA search engine) "NASA's Approach to Implementing FITARA" from 10 March 2016 that opens with "My husband and I are planning a vacation to Disneyworld, an awesome destination for our five year old dreamer. How do we budget for such an grandiose trip?", and then goes on to spout happy talk - with added IT word salad - about how seriously NASA takes FITARA. If only.

NASA's Jet Propulsion Lab moves to OpenStack cloud platform, Fedscoop

"The NASA lab responsible for building the Mars rovers and robotic probes to scout the solar system has begun using an open-source cloud platform to house its mission-critical data. NASA's Jet Propulsion Lab has retooled its existing hardware to support a Red Hat OpenStack cloud platform that will manage new flight projects, centralize research and reduce the need to keep funding legacy systems, according to Red Hat."

Introducing OpenStack (2010), OpenStack Blog

"The good news is that OpenStack is starting with code contributions from two organizations that know how to build and run massively scalable clouds - Rackspace and NASA. Rackspace has been in the cloud business for four years and now serves tens of thousands of customers on its cloud platform. Likewise, NASA began building their Nebula cloud platform two years ago to meet the needs of their scientific community."

NASA Drops OpenStack For Amazon Cloud, Information Week (2012)

"NASA's prestige and participation has been a selling point for advocates of the OpenStack open source cloud project, which NASA co-founded with San Antonio infrastructure-as-a-service provider RackSpace. Unfortunately, they'll have to get along without NASA from here on. NASA has withdrawn as an active contributor to OpenStack, saying it doesn't want to be in the business of producing cloud software anymore. Ray O'Brien, acting CIO at NASA Ames, when asked May 30 by InformationWeek about NASA's participation, used diplomatic language to say that NASA still endorsed the project, was proud of its founding role, and might be a user of OpenStack components in the future. "It is very possible that NASA could leverage OpenStack as a customer in the future," he wrote in his email response."

- NASA Praises a Spinoff That It Has Already Dumped, Earlier post
- Paypal Adopts Software That NASA Developed and Then Dumped, Earlier post
- Earlier posts

Widespread neglect puts NASA's networks in jeopardy, Federal News Radio

"The most heralded federal agency is in serious risk of a major cyber attack and no one seems to care. Not NASA executives. Not the contractor hired to protect its end-user devices. And especially not the everyday employees who send rockets into space. Internal documents obtained by Federal News Radio indicate NASA has anywhere from hundreds of thousands to millions of out-of-date patches at every center across the country. Security Scorecard, a cybersecurity company, found as many as 10,000 pings coming directly from NASA's network to known malware hosts, some lasting weeks, if not months. Multiple sources say Hewlett Packard Enterprise (HPE), the contractor hired to protect NASA's desktops and end-user devices under a $2.5 billion contract called the Agency Consolidated End-user Services (ACES), is uncooperative at best and negligent at worst, and a major reason the agency's data and systems are at risk."

OIG Slams Both NASA and ACES Contractor, earlier post (2014)

"NASA's lack of adequate preparation prior to deploying the ACES contract together with HP's failure to meet important contract objectives has resulted in the contract falling short of Agency expectations. We attribute these shortcomings to several factors, including a lack of technical and cultural readiness by NASA for an Agency-wide IT delivery model, unclear contract requirements, and the failure of HP to deliver on some of its promises. In general, these issues fall into two categories: (1) issues related to the Agency's overall IT governance and (2) management and problems specific to the ACES contract."

What Happened When a NASA Astronaut Got Harassed on Twitter, Motherboard

"In late 2013 and early 2014, Twitter, Google, and three law enforcement agencies in two countries tracked down a British woman who allegedly harassed a NASA astronaut over the course of several months in 2013, according to documents obtained by Motherboard using a Freedom of Information Act request. According to the documents, the astronaut and the woman began direct messaging on Twitter and also texted and called each other several times. After the woman realized the astronaut had a girlfriend, she began sending "false and malicious statements that include excessive profane and abusive language," according to the documents. Motherboard will not be naming the astronaut out of respect for his family's privacy."

Keith's note: After using Uncle Google for a while and searching for NASA airplane tail numbers etc. I came across a website run by NASA Ames online at http://asp-archive.arc.nasa.gov. If you go here you can download all kinds of NASA airplane and drone footage going back a number of years. This really, really ugly HTML 1.0-flavored NASA website is sort of a central uploading point for lots of NASA aircraft imagery and flight data before that data is used by various programs for their research activities. No hacking or FOIA requests required. As best I can tell, some of these "hacked" YouTube videos would seem to have been from NASA's DC-8 N817NA and also NASA 439 C-130H (neither of which are "drones", BTW).

And of course if you go to this other NASA website https://airbornescience.nasa.gov/aircraft_detailed_cal you can see which NASA planes went where over the past few years via a somewhat better designed website. Nothing is being done in secret.

So -- everyone needs to get busy downloading these oh-so-secret NASA videos and then upload them to YouTube with hashtags suggesting that they are somehow #clandestine or #secret or involved with #chemtrails

NASA Publicly Posted 'Drone Videos' Just Like the 'Hacked' One, Motherboard

"Cowing challenged the hackers to release the logs of their activity if they really want to prove their claims. At the same time, he also admitted that it's possible that the group did get into some NASA system and didn't even realize where they were. "They may have hacked in but their gopher tunnel may have gone sideways as opposed to deep in, and they just bumped into something that was already publicly available," Cowing told me. With the new evidence he found online, that theory appears more likely every day."

- Evil NASA Drone Hack Update, earlier post
- Did Someone Hack NASA's Evil Drones? Answer: No., earlier post

The NASA 'Hack' Is Probably The Most Mundane Hack Ever, Motherboard

"Dan Guido, the founder of security firm Trail of Bits, who reviewed the hackers' claims for Motherboard, said that some of their claims were feasible, but overall, he was skeptical. "I think these hackers did gain access to *something* inside NASA," Guido said in an email. "It was clearly unclassified since all of the servers they claimed to hack were online on the internet. I doubt they are accurately describing their breach and that the reality is likely even more mundane. This obfuscation is likely motivated both by a desire to hype their reputation and to obfuscate efforts at incident response in NASA." In fact, a screenshot they included in the zine, claiming that it showed how they bypassed NASA firewalls, seems to be lifted from a NASA site."

NASA Brushes Off Claims One Of Its Drones Was Hacked, Forbes

"NASA has a lot of freely-available information that hackers could claim was taken from internal systems. The agency's Open Data websites offer more than 30,000 datasets for interested parties."

- Did Someone Hack NASA's Evil Drones? Answer: No., Earlier Post

Hackers Allegedly Hijack Drone After Massive Breach at NASA, Infowars

"The collection of files, provided to Infowars by AnonSec admin Dêfãult Vírüsa prior to being made public Sunday, include 631 videos from aircraft and weather radars, 2,143 flight logs as well as the names, email addresses and phone numbers of 2,414 NASA employees. A "zine," or self-published paper detailing the hack, dubbed "OpNasaDrones," reveals everything from AnonSec's motives to the specific technical vulnerabilities that enabled the extensive breach."

Keith's 31 Jan note: Normally I'd never link to Infowars since much of what they post is paranoid conspiracy mongering and arm waving. In this case there is overt suggestion that NASA is somehow involved in climate hacking or geoengineering. Since NASA PAO is probably going to be responding to this claim - and this post has lots of screen grabs etc. - what the heck. As for the NASA employee names, mails/phone numbers - anyone can easily get that information from people.nasa.gov.

Keith's 1 Feb update: NASA PAO has replied (it took them several days to confirm things internally):

"Control of our global hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations. NASA strives to make our scientific data publicly available, including large data sets, which seems to be how the information in question was retrieved. Our Open Data websites offer easier access and use of NASA data through tools and shared experiences using more than 30,000 datasets:

- Open.NASA.gov
- Data.NASA.gov
- API.NASA.gov
- Code.NASA.gov
- GitHub.com/NASA"

Keith's 1 Feb update: The snarky human behind Dêfãult Vírüsa at @_d3f4ult refuses to provide me with a link to the stuff they hacked from NASA - preferring to use profanity laced taunts telling me to use Google - and when I do, to note how unworthy I am as a Google user. Eventually someone else provided an actual link https://nasadrones.thecthulhu.com/ Meanwhile InfoWars has not updated their article to reflect NASA's statement yesterday.

Keith's 2 Feb update: Well InfoWars did mention NASA's response - but only part of it.

Keith's 2 Feb update: They are going to add the full NASA statement since NASA did not send it to them.

Why Google's new quantum computer could launch an artificial intelligence arms race, Washington Post

"Ever since the 1980s, researchers have been working on the development of a quantum computer that would be exponentially more powerful than any of the digital computers that exist today. And now Google, in collaboration with NASA, says it has a quantum computer - the D-Wave 2X - that actually works. Google claims the D-Wave 2X is 100 million times faster than any of today's machines. As a result, this quantum computer could theoretically complete calculations within seconds to a problem that might take a digital computer 10,000 years to calculate. That's particularly important, given the difficult tasks that today's computers are called upon to complete and the staggering amount of data they are called upon to process. On the surface, the D-Wave 2X represents not just a quantum leap for computing, but also for the field of artificial intelligence. In fact, Google refers to its work being carried out at NASA's Ames Research Center as "quantum artificial intelligence." That's because machine learning problems that today are too hard or too complex for computers could be solved almost instantaneously in the future."

5 things you should know about the plan to open source artificial intelligence, Washington Post

"Arguably, the open source movement - the idea that a group of technologists freely contributing their own work and commenting on the work of others, can create a final product that is comparable with anything that a commercial enterprise might create - has been one of the great innovation catalysts of the technology industry. It's no wonder, then, that a group of Silicon Valley luminaries including Elon Musk, Peter Thiel and Reid Hoffman have lined up to contribute $1 billion to a new open-source AI project known as OpenAI that is led by Ilya Sutskever, one of the world's top experts in machine learning. If you can open-source software and hardware, then why not open-source artificial intelligence, right?"

Keith's note: There is a NASA-sponsored event called #BioSpaceBigThink underway. According to @Astro_Cady "It's all about the future. Spent my 55th birthday kicking off #BioSpaceBigThink for #JourneyToMars for @NASA!" OK, so what is she so excited about? There is nothing online at NASA.gov's calendar about this event - how to attend, what the program is and how it has anything to do with #JourneyToMars except that it has a picture of Mars and an astronaut in attendance. This event is apparently being run by @secondmuse which claims to be an "innovation agency" (whatever that is). SecondMuse runs the somewhat mysterious launch.org thing (a White House pet project of sorts) - so maybe that's the connection. I have asked about NASA and Launch.org before but the CIO office never responds. There is a NASA logo on this #BioSpaceBigThink event so one would assume NASA is paying for it (they pay NASA staff to do launch.org stuff).

This #BioSpaceBigThink crowd is the same group who did something called NASADatanauts recently which @BethBeck at NASA's CIO office organized under the radar. Again, there was no mention of that #NASADatanauts thing on NASA's calendar, no press release, agenda, etc. Truth is - these are just playtime events for the digerati and special friends of the CIO - things that have nothing to do with any established NASA strategy - nor do they ever produce a deliverable - tangible or otherwise - such that they can have an impact on the rest of the country. But it's all about #JourneyToMars, right? - so it's OK.

NASA OIG: Notice of a new system of records: Data Analytics System (ADAS)

"In accordance with the Privacy Act of 1974, as amended (Privacy Act), the National Aeronautics and Space Administration (NASA) publishes this notice of a new system of records entitled "The Office of Inspector General Advanced Data Analytics System (ADAS)" (System Number NASA 10IGDA). This system will store individually identifying information from a variety of individuals who have applied for or received grants, contracts, loans, or payments from NASA, including current and former employees of NASA, contractors, and subcontractors, and others whose actions have affected NASA."

Fully Opening NASA Research Data To The Public, SpaceRef

"In 2013 The White House told NASA and other government agencies that they needed to make the results of their research more readily available to the public. In so doing the White House said that agencies needed to make research publications that had been available only for a fee available for free within 12 months of their publication. The public paid for this science, the public should have access to it. ... NASA Deputy Chief Scientist Gale Allen was able to provide me with insight into this project. Their intent is ambitious, but if they pull it off, NASA will have a substantially enhanced presence online in a way that a much broader audience will be able to access and utilize research results from NASA. Based on my discussion with Allen there is the intent to fully comply with the spirit and intent of what the White House has directed NASA to do."

Keith's update: This presentation was delivered last week at NASA Goddard Spaceflight Center regarding NASA's plans to collect and post research data. Download.

Letter from Rep. Sensenbrenner to NASA Administrator Bolden Regarding Acquisition Issues

"I am writing to request information about the National Aeronautics and Space Administration (NASA) policy with respect to full and open competition in the acquisition process. NASA is in the midst of an up-to ten-year $1.3 billion dollar technology purchase known as the NASA Integrated Communications Service (NICS) contract. Such a large and important technology purchase should follow both the letter and spirit of full and open competition laws, regulations, and Office of Management and Budget guidelines to ensure that NASA, and the taxpayer, get the best value for their investment, as well as the best and most cost-effective solutions to meet mission requirements. ... It has come to my attention that, pursuant to NICS, there is an Approved Products List (APL) developed by the contractor. The APL governs which products can be purchased for NASA systems and networks, and likely will impact NASA acquisitions for years to come. Interestingly, every approved product listed on the NICS LAN wired and wireless network APL belongs to a single manufacturer. At the same time, alternate vendors that have supplied network equipment to NASA, and successfully met mission requirements, have not been evaluated for inclusion on the APL for current and future purchases, despite requesting an opportunity to be evaluated."

- Rep. Sensenbrenner Seeks Answers on NASA Contracting Practices
- Letter from Rep. Sensenbrenner to NASA IG Martin Regarding Acquisition Issues

Former NASA Langley employee pleads guilty in federal case, Daily Press

"A former NASA Langley Research Center employee pleaded guilty this week to violating a NASA regulation by allowing a foreign national unrestricted access to a company computer. Glenn A. Woodell entered a guilty plea to a misdemeanor count of violating a regulation and order of NASA and was sentenced to six months probation and a $500 fine, according to a judgment order signed by U.S. Magistrate Judge Robert J. Krask. The charge stems from Woodell allowing Bo Jiang, who worked as a contractor at NASA Langley, access to a computer of a deceased NASA employee in 2011."

Prior posts on NASA IT

The First (Analog) Tweet From Space - In 1968

"On October 14, 1968, the Apollo 7 crew became the first to broadcast live from space. Count the characters in their message. "Keep those cards and letters coming in, folks!". 44. A perfect Tweet. In 1968."

Keith's note: NASA MSFC is blocking access to links from SpaceRef.com using a common URL shortener - in this case http://srs.gs/jMZ NASAWatch uses the same URL shortener for links sent out via Twitter. The MSFC IT people have no idea how the Internet works. I wonder what other "gambling" sites they are blocking?

Oddly this link points to "NASA's Marshall Center to Conduct Active Shooter Emergency Exercise Oct. 22". Wouldn't you think that MSFC would want as many people as possible to know that this is an "exercise" and not something else? And if MSFC is now blocking what employees can see on Twitter, they may learn to regret this given that social media is often how law enforcement and employees find out what is going on during real shooter incidents.

Keith's note: The use of social media during the recent Pluto encounter has been widely hailed. That said, Southwest Research Institute Public affairs continues with its slightly strange media policy - in this case by blocking @NASAWatch from following @NewHorizons2015 on Twitter. Despite the recent "personal" label on this Twitter account, this account is used by a SWRI employee for NASA-funded work-related news and has been mentioned in official SWRI, JHUAPL, and NASA communications for years. You'd think that SWRI would want the biggest audience available - and a retweet by @NASAWatch could add 59,000 Twitter impressions. With all this bragging (justifiably) by NASA PAO about their social media prowess, this effort by SWRI is odd to say the least. I asked SWRI about this several times and they have declined to respond.

"Potential reach and Number of Mentions of all social media posts (NASA & non-NASA) across 21 different social media platforms using one or more of the following keywords between July 13-17, 2015: Pluto, "New Horizons", #PlutoFlyby, or #Pluto:"

- Download NASA presentation
- NASA's Pluto Web Stats, earlier post

NASA's Social Media Strategy Is Genius And Kinda Maddening, Wired

"Organizations can sometimes let social media metrics obscure their core goals and mission. (Trust us on this.) On the evening of July 14, the world was waiting for New Horizons to phone home and say it had successfully passed by Pluto. With less than two minutes until the message was scheduled to arrive, the cameras cut to (drumroll) a NASA social media representative, who proceeded to tell the world how high New Horizons was trending on Facebook, Twitter, and Instagram. The Pluto Press Corps was not too amused. The camera cut to New Horizons Mission Operations Manager Alice Bowman in the nick of time, seemingly the moment she received the I'm-OK signal from New Horizons. For a moment, it seemed, NASA's ace team of publicists had forgotten that the cameras were supposed to be on Pluto."

Sharks In Space

Keith's note: If you watched Sharknado 3 on SyFy tonight then you know that a substantial portion of the film was shot at JSC and KSC. Yes, the movie was utterly stupid (that was the whole point of the movie) but NASA allowed itself to be part of something outside its usual stodgy comfort zone. You may argue whether or not this is the best use of NASA facilities. I look at it this way: last week NASA owned the Internet during the Pluto Flyby. Tonight they were an integral part of an event that owned Twitter and other social media platforms. Not bad.

NASA's Pluto Web Stats

Dwarf Planet, Giant Numbers: NASA's Mission to Pluto Goes Global, NASA via Digital.gov

"Even on a "slow" day, NASA is a pretty cool place to work, but the cool factor gets cranked way up when the whole world joins in the adventure. That's what happened this week when the New Horizons spacecraft arrived at Pluto after decade-long, three-billion-mile journey through the solar system. New Horizons has already sent back never-before seen images of the dwarf planet, and is collecting so much data it will take 16 months to send it all back to Earth. Any time we go this far from home and do something that's never been done before, it's sort of a big deal. And it shows, thanks to our data from the Digital Analytics Program. Some quick facts:

- It's our biggest mission-related traffic event since we joined DAP in February 2013, with nearly 10 million page views on July 14th alone. During the 7 am hour, 42% of all government traffic was going to NASA pages. ..."

NASA JPL Memo: Office of Personnel Management Cyber Incidents, NASA JPL

"If you underwent a background investigation through OPM from 2000 or thereafter (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), the OPM says there is a high likelihood that anyone who filled out one of those SF forms has had their information compromised."

Keith's note: All that talk from NASA about securing personal information as they complied with HSPD-12 and ... oh well. FWIW anyone who was screened for a NASA headquarters press pass a few years back (when they actually issued them) was at risk. Guess who got an OPM letter as a result of that screening. Thanks a bunch NASA.

- HSPD-12, earlier postings
- NASA IT issues, earlier postings

How a bunch of government space geeks at NASA won the internet, Quartz

"How exactly NASA stumbled upon perhaps the greatest social-media strategy of our time is a story of both blind luck and shrewd management. Of course, the space agency benefits by having amazing pictures, videos, and discoveries to share. Its content transcends demographics and platforms, because it highlights precisely what makes us so human. But its success also contains important lessons for any large organization trying to understand how to break down the barriers between itself and its public."

Keith's note: Every time something like this happens people make all sorts of claims about NASA's Internet prowess - but NASA never issues any numbers to substantiate these claims. I have no doubt that the stats are/were impressive. I have asked NASA for their web and social media statistics. I'll post what they send me - if they send me anything, that is.

Even NASA Got Infected With 'CryptoLocker' Ransomware, Motherboard

"Between September 2013 and June 2014, a virus known as CryptoLocker infected around 500,000 computers around the world. Designed to lock data on a victim's computer and hold it for ransom, it ended up extorting an estimated $3 million from victims who agreed to pay rather than lose their files. Among those victims of Cryptolocker were two NASA computers, according to an internal document obtained by Motherboard. The ransomware virus infected a computer at the NASA Ames Research Center in California on October 23, 2013, "resulting in the loss of access to NASA data," according to the document. It also hit another computer at the visitor center of the Kennedy Space Center in Florida two days later. The document was prepared by the NASA Office of Inspector General, and is scant on details."

NASA using carrot, not stick in push for shared services, Federal News Services

"NASA isn't forcing its centers to move to IT shared services. Instead, Larry Sweet, NASA's chief information officer, is trying to make it so attractive that the 18 centers and facilities can't resist the offer. "I've initiated a program called enterprise first. That's where we focus first and foremost on our enterprise services, so I want NASA users to first consider the I3P program and consider the services that we offer there. Then we have a shared services center," Sweet said. "I'm a believer in using shared services for a lot of reasons. One is they can offer a more affordable service to NASA, generally speaking. I want to try to get us up to that 80 percent to 90 percent use of commodity-based IT that is offered through these enterprise services and shared service center."

Keith's note: This may be the pragmatic thing to do given the dysfunctional way NASA runs itself - but it's also a pretty pathetic admission i.e. that NASA Headquarters cannot direct its field centers to do basic managerial and operational tasks and that they have to trick them into complying instead.

- OIG Dings NASA on IT Security - Again, earlier post
- GAO Cites NASA Technology Access Issues, earlier post
- Hearing (Tries to) Focus On NASA Security Issues, earlier post
- OIG: NASA Has No Idea How Many Portable Devices It Has, earlier post
- NASA Bring Your Own Device Update, earlier post
- Do You Really Trust NASA Not to Ruin Your Mobile Device?, earlier post
- NASA OIG IT Report Highlights Governance Problems, earlier post

Welcome to the New NASA.gov

"Based on extensive user feedback and testing, we've modernized NASA.gov to work across all devices and screen sizes, eliminate visual clutter, and put the focus on the continuous flow of news updates, images and videos we know you're looking for. We've simplified our image and video galleries to emphasize viewing and sharing the content, and organized that content around NASA's areas of work, like the Journey to Mars and exploration of the Solar System and Beyond. And we've made the content more "discoverable," by connecting features and images to related content through an "infinite scroll" of similar content and clickable topic labels that take you to pages with more related content."

Keith's note: Many people just type "nasa.gov" in their browser - like I do. Try that and see what happens - or click here: http://nasa.gov/. Some (but not all) browsers automatically add "www".

Keith's note: Why is NASA saying that this is going to be a year-long mission? It is not. Close - but not a year. NASA goes out of their way to use simple math on Twitter to make their #YearInSpace point - but - that math also easily shows that Kelly is only going to be in space for 342 days. A year is 365 days long. I guess it's too much to ask for NASA to be accurate on Twitter as it simultaneously hypes all of this STEM education stuff. It's not as if any of the 9 million Twitter followers are actually paying attention. Or are they?

Reader (Max Fagin) comment: "And actually, since the ISS will be going through two high-beta periods in the next 342 days (one in late Dec 2015, and one in early June 2016) there won't even be that many sunsets. In the 342 day period starting with the last Soyuz launch, the ISS will only see 10,372 sun-rise/set pairs."

Reader (Max Fagin) correction: "High-Beta periods are June and December of THIS YEAR (not 2016). And if you define a sunset/rise cycle as a complete eclipse (rather than just anytime the sun contacts the horizon), the number falls to 10356."

Keith's update: Unlike a certain space agency, Max is quick to clarify and update inaccurate data.

Grading Government Transparency: Scientists' Freedom to Speak (and Tweet) at Federal Agencies (2015), Union of Concerned Scientists

"In 2013, more than two years after the Obama administration had issued a directive ordering reform of federal scientific integrity policies - including those governing media access - we published the first version of Grading Government Transparency. This new report added social media policies to the mix, and expanded the number of agencies to 17. Our analysis showed that while many agencies had substantially improved their policies since 2008, significant issues remained."

NASA Media Policy Grade: B Social Media Policy Grade: B+

Analytics.usa.gov

"This data provides a window into how people are interacting with the government online. The data comes from a unified Google Analytics account for U.S. federal government agencies known as the Digital Analytics Program. This program helps government agencies understand how people find, access, and use government services online. The program does not track individuals, and anonymizes the IP addresses of visitors."

NASA rank 30 days: 9th - 7 days: 10th

Keith's note: If you have been paying attention to NASA's press releases this past week you know that there is a series of NASA social media events at all of NASA's field centers next week. NASA does a lot of these events and goes out of its way to issue invitations for people to apply to attend. You can see the announcements for all of them here - all except one. If you go to this listing of people tweeting with the tag #tweeunion you will see that there is a NASA social media event underway at NASA JSC today - right now, in fact. But NASA never announced it. NASA JSC PAO, NASA HQ PAO, and the NASA Social team knew nothing about it until it was underway. This event was organized by NASA JSC personnel and attendees were privately invited - with no opportunity for anyone else in the United States to apply. So ... you can follow the tweets from this private viewing party as these #spacetweeps brag among themselves about how special they are to be invited to play with NASA's toys - while no one else can.

Federal Acquisition Regulation; Year Format, NASA

"DoD, GSA, and NASA published a proposed rule in the Federal Register at 79 FR 16274 on March 25, 2014. No public comments were submitted. The final rule makes no changes from the proposed rule. DoD, GSA, and NASA are amending the FAR to delete obsolete coverage relating to the year 2000 compliance at FAR 39.002, 39.101(a) and 39.106. Also, the rule makes conforming changes to FAR 39.107 and the introductory text to the clause at FAR 52.239-1. The year 2000 coverage is outdated, and no longer needed because all of the issues addressing the transition to year 2000 compliance language have been resolved."

When NASA Moves Its Websites to the Cloud, Everyone Watches, Nextgov

"The space agency has more than 1,500 public-facing websites and 2,000 intranets, extranets and applications, and the agency's data offerings and holdings are huge. "These guys have probably the most expansive list of Web assets," Ananthanpillai said. "That's one of the reasons why everyone's looking at them for lessons learned.""

NASA is Unable (and Unwilling) To Coordinate Its Websites, earlier post

"So, NASA is paying to maintain two MSL websites and the web addresses they give out are different than the actual web addresses - but they won't bother to put the actual addresses in press releases. Meanwhile, NASA is paying for 2 (or 3) MER websites - and again the links put in the press release are not the actual website address."

Hacker Breached NOAA Satellite Data From Contractor's PC, NextGov

"National Oceanic and Atmospheric Administration satellite data was stolen from a contractor's personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report. This is but one of the "significant security deficiencies" that pose a threat to NOAA's critical missions, the report states. Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities."

Significant Security Deficiencies in NOAA's Information Systems Create Risks in Its National Critical Mission, NOAA

"We found that (1) information systems connected to NESDIS' critical satellite ground support systems increases the risk of cyber attacks, (2) NESDIS' inconsistent implementation of mobile device protections increases the likelihood of a malware infection, (3) critical security controls remain unimplemented in NESDIS' information systems, and (4) improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous."

Audit of the Space Network's Physical and Information Technology Security Risks, NASA OIG

"With regard to physical and IT security, we found NASA has not ensured security controls are in place on certain wide area network infrastructure, needs to clarify waiver requirements for IT security controls and mitigations, and should take additional steps to ensure that long-standing physical security risks are addressed. We also found that the Space Network is not using NASA's Agency Consolidated End-User Services (ACES) contract to obtain administrative computers and associated end-user services and therefore may be spending more than necessary for equipment and services without realizing the operational and security benefits of systems provided through ACES."

NASA OIG: NASA's Independent Verification and Validation Program

"We found that by continuing to occupy and maintain the West Virginia facility, NASA is paying more than necessary in O&M expenses, which leaves the Agency with less funding to perform actual IV&V services on NASA software projects.  We estimated the Agency could save as much as $9.7 million between FYs 2015 and 2018 if the IV&V Program took steps to reduce costs associated with the facility. In order to make additional funds available for review of mission-critical software, we recommended NASA analyze alternatives for reducing occupancy costs associated with the facility, including abandoning the facility and moving staff to an existing NASA Center or relocating the staff to a nearby office building that would cost significantly less. We determined that NASA was not legally obligated to pay O&M expenses associated with the building it currently occupies, but rather has chosen to pay these expenses over the last 20 years.  In our judgment, continuing this arrangement does not make fiscal sense for NASA, particularly when the Agency has more projects needing IV&V services than the current budget can accommodate."

NASA OIG: Security of NASA's Publicly Accessible Web Applications

"NASA Inspector General Paul K. Martin released a report today evaluating NASA's effort to safeguard its Internet-accessible web applications. These applications consist of hundreds of websites NASA uses to share scientific information with the public and collaborate with research partners, as well as login portals and administrative systems that provide authorized personnel with remote access to Agency IT resources."

Export Controls: NASA Management Action and Improved Oversight Needed to Reduce the Risk of Unauthorized Access to Its Technologies

"Weaknesses in the National Aeronautics and Space Administration (NASA) export control policy and implementation of foreign national access procedures at some centers increase the risk of unauthorized access to export-controlled technologies. NASA policies provide Center Directors wide latitude in implementing export controls at their centers. Federal internal control standards call for clearly defined areas of authority and establishment of appropriate lines of reporting. However, NASA procedures do not clearly define the level of Center Export Administrator (CEA) authority and organizational placement, leaving it to the discretion of the Center Director."

Statement by Charles Bolden Hearing on NASA FY 2015 Budget

Statement by Dick Thornburgh Hearing on NASA FY 2015 Budget

"Due to the fact that the NASA systems lack the necessary controls to protect information, allow foreign nationals access to the networks, and allow remote access, the Panel concludes that the NASA networks are compromised. Publicly available reports on systemic data breaches across the country, NASA's own internal reports, and briefings given to Academy staff leave little doubt that information contained on the NASA IT systems is compromised."

Opening Statement by Rep. Frank Wolf Hearing on NASA FY 2015 Budget

"Our first panel today will focus on issues in NASA's security controls that were brought to light through the work of the National Academy of Public Administration. Governor Thornburgh, a NAPA fellow, led a team of experts in a comprehensive review of NASA security practices, culminating in a report that was issued about two months ago ... To my great frustration, the full contents of those reports are restricted and the publicly available executive summaries are lacking in many of the details and examples that are needed to fully understand the scope of the problem."

Keith's note: What is baffling is how Rep. Wolf, Culberson et al embrace the report findings that NASA's IT systems are flawed and have been compromised - and yet they want to fully release the same report that exposes these faults in great detail (so the people who want to cause problems will have a user guide.)

- OIG: NASA Has No Idea How Many Portable Devices It Has, earlier post
- NASA Admits Antiquated Record Keeping Capabilities, earlier post
- Earlier IT posts

NASA OIG: NASA's Management of its Smartphones, Tablets, and Other Mobile Devices

"The OIG found that weaknesses in NASA's mobile device management means the Agency is unable to ensure that it is not paying for a significant number of unused devices. Specifically, NASA lacks a complete and accurate inventory of Agency-issued smartphones, tablets, cellphones, and AirCards (used to provide internet access) because the information system NASA uses to order equipment from its main IT contractor is not fully functional or integrated with the database the Agency uses to track IT assets."

- Do You Really Trust NASA Not to Ruin Your Mobile Device?, earlier post
- NASA Mobile Security Requirements: Why Now?, earlier post
- OIG on Information Technology Security Tools, earlier post

Procedures for Disclosure of Records Freedom of Information Act Regulations, NASA, Federal Register

"Sec. 1206.300 How to make a request for Agency records.

(b) NASA does not have a central location for submitting FOIA requests and it does not maintain a central index or database of records in its possession. Instead, Agency records are decentralized and maintained by various Centers and Offices throughout the country.

(c) In accordance with the Agency Records Management procedures NASA has not yet implemented a records management application for automated capture and control of e-records; therefore, official files are primarily paper files."

#WhatIsNASAFor and the Defending NASA, earlier post

"@NASA tweeting resulted in 17,597,370 impacts. @NASASocial produced 7,627,023. @NASAWatch produced 5,296,071 and @SpaceRef produced 1,632,662."

Keith's note: I am not certain what David Weaver is crowing about. The agency used its main Twitter accounts @NASA and @NASASocial for the #WhatIsNASAFor effort a few times. That's it. None of the agency's field centers, major mission Twitter accounts, etc. bothered to participate - even though they were made aware that participation was encouraged. As such, it is somewhat embarrassing that @NASAWatch and @SpaceRef - run by one person in their basement - were able to generate Twitter impacts on a par with the largest space agency on the planet - the same agency that loves to brag about its unrivaled social media prowess. In this instance NASA decided (by default) to sit the whole effort out because it could not figure out how to use the resources. They could have easily generated hundreds of millions of Twitter impressions. But they didn't. As they say on Twitter #FAIL.

Review of NASA's Agency Consolidated End-User Services Contract, NASA OIG

"NASA's lack of adequate preparation prior to deploying the ACES contract together with HP's failure to meet important contract objectives has resulted in the contract falling short of Agency expectations. We attribute these shortcomings to several factors, including a lack of technical and cultural readiness by NASA for an Agency-wide IT delivery model, unclear contract requirements, and the failure of HP to deliver on some of its promises. In general, these issues fall into two categories: (1) issues related to the Agency's overall IT governance and (2) management and problems specific to the ACES contract."

NASA Flunks Open Data Test

Implementation of the Open Data policy, Public Private Sector

"This is a tracking tool setup to understand which federal agencies have deployed their data.json in compliance with Executive Order 13642 of May 9, 2013, Making Open and Machine Readable the New Default for Government Information and OMB Memorandum M-13-13 Open Data Policy-Managing Information as an Asset."

China Copied NASA's NTRS

Keith's note: Have a look at "The Lunar Orbiter Meteoroid Experiments -Description and Results from Five Spacecraft" online at Infoeach - in China. China has their own version of NTRS - just in case NASA shuts it down again to check and see if China is getting access that it should not have. This paper was not available on NTRS to Americans for months even though it deals with spacecraft that flew in the 1960s. Feel safer now?

- NASA Blocks Everyone From Access To Everything on NTRS, Earlier post
- Charlie Bolden's Gutted Version of NTRS is Back Online, Earlier post

Keith's note: At bottom of this release "Mars Rover Teams Dub Sites in Memory of Bruce Murray", JPL has included "For more information about Opportunity, visit http://www.jpl.nasa.gov/msl , http://www.nasa.gov/rovers and http://marsrovers.jpl.nasa.gov . For more information about Curiosity, visit http://www.nasa.gov/msl and http://mars.jpl.nasa.gov/msl" .

Two missions - five websites.

First for the Opportunity links. If you go to http://www.jpl.nasa.gov/msl/ you do not get anything on Opportunity but rather it's a Curiosity page. If you go to http://marsrovers.jpl.nasa.gov it redirects you to http://marsrovers.jpl.nasa.gov/home/index.html at JPL. If you go to http://www.nasa.gov/rovers it redirects you to http://www.nasa.gov/mission_pages/mer/index.html at NASA HQ. If you go to the NASA HQ rover site it has a link to a JPL rover website at http://marsrover.nasa.gov/home/index.html; it does not link to http://marsrovers.jpl.nasa.gov. And http://marsrovers.jpl.nasa.gov is identical to http://marsrover.nasa.gov/home/index.html. So, one of the three links listed has nothing to do with Opportunity. The NASA HQ MER site links to a JPL MER site but it is at a different address than the JPL MER website listed in the release even though the content is identical.

Now for the Curiosity links. If you go to http://www.nasa.gov/msl it redirects you to http://www.nasa.gov/mission_pages/msl/index.html at NASA HQ. If you go to http://mars.jpl.nasa.gov/msl you end up at a MSL website at JPL. The NASA HQ MSL site points to the JPL MSL site but the JPL MSL site does not point to the NASA HQ MSL site.

So, NASA is paying to maintain two MSL websites and the web addresses they give out are different than the actual web addresses - but they won't bother to put the actual addresses in press releases. Meanwhile, NASA is paying for 2 (or 3) MER websites - and again the links put in the press release are not the actual website address. And a website link that has "MSL" in it is listed as a place to get MER information. In total 5 links are included for 2 missions - and JPL PAO seems to think this is just fine. Meanwhile NASA PAO and SMD have the nerve to moan and complain about lack of education and public outreach funds? They are squandering their money on overlapping websites that don't even coordinate their content or links. I have raised this issue at several SMD media telecons. All they say is "we'll look into it". They don't. They just don't care about being efficient or coordinating. No - they just want more money and refuse to change the way that they operate. Clueless.

Oh yes --- did you know that NASA's Constellation Program is building the Altair Lunar Lander that will land on the moon by 2020? Moreover, the Altair will be launched on the Ares V rocket. HEOMD has an incredibly tangled web presence too.

- Why Does NASA Maintain Three (Four) Different MSL Websites?
- Why does NASA need multiple websites for the same mission?, earlier post
- NASA's Tangled Human Spaceflight Web Presence, earlier post
- NASA's Sprawling Web Presence, earlier post
- NASA's Inability To Speak With One Voice Online, earlier post

NASA, Harvard & TopCoder Partner to Develop a Secure Solar System Internet Protocol

"TopCoder, the world's largest professional development and design community, with NASA and the Harvard-NASA Tournament Lab (at Harvard's Institute for Quantitative Social Science), today announced the launch of a series of innovation challenges that will develop foundational technological concepts for disruption tolerant deep space networking. NASA has made significant progress in developing Disruption Tolerant Networking (DTN) protocols that aid in deep space communication. DTN protocols are an approach to network architecture that seeks to address the potential for lack of continuous connectivity in deep space. It is meant to aid NASA in the exploration of the solar system by overcoming communication time delays caused by interplanetary distances, and the disruptions caused by planetary rotation, orbits and limited transmission power."

Keith's note: This sounds pretty cool and builds upon the Interplanetary Internet work that NASA has engaged in over the past decade or so. You'd think that extending the Internet (so to speak) to allow interaction between other worlds and spacecraft traversing our solar system would be something that all of NASA's IT, Technology, and Innovation people would want to crow about - especially since this effort is geared to engage the public via crowd sourcing. In this wired world, this is something that almost everyone in the public can relate to. Indeed, utilizing crowd sourced efforts and making the results widely known is something that the Open Government Initiative is supposed to be promoting.

This effort is being coordinated by the NASA Tournament Lab at TopCoder. No specific sponsoring office or organization at NASA is mentioned. TopCoder put out a press release last week. Alas, despite the obvious nexus of interest you'd expect, NASA has been totally silent:

- NASA Public Affairs (no press release issued)
- NASA Chief Information Officer (no mention)
- NASA Space Technology Directorate (no mention)
- NASA - Office of the Chief Technologist (no mention)
- NASA Space Communications and Navigation (no mention - they also make no mention of LADEE's recent laser comms test)
- NASA Open Government Initiative (no mention)

Curiously, NASA PAO did promote NASA's Interplanetary Internet efforts last year when someone commanded Robonaut to do something on the ISS. A week prior to this recently announced Interplanetary Internet challenge NASA posted this:

NASA Engages the Public to Discover New Uses for Out-of-this-World Technologies

"Now NASA has joined forces with the product development startup Marblar (www.marblar.com) for a pilot program allowing the public to crowd source product ideas for forty of NASA's patents. This initiative will allow Marblar's online community to use a portion of NASA's diverse portfolio of patented technologies as the basis of new product ideas."

Again, for the most part, NASA's Technology and Information organizations have been mostly mute:

- NASA Public Affairs (no press release issued - just an online feature)
- NASA Chief Information Officer (no mention)
- NASA Space Technology Directorate (no mention)
- NASA - Office of the Chief Technologist (posted a link)
- NASA Open Government Initiative (no mention)

Add in the curious case of innovate.nasa.gov which is apparently now "under construction, but we will be re-launching soon" after being online for a year and doing absolutely nothing to warrant its existence (or expense), and you really have to wonder what NASA is planning to do with all this Technology money that is heading their way. If the agency cannot internally coordinate a simple mechanism to organize this technology stuff - and then share it with the public - then maybe that technology money belongs elsewhere.

Keith's 25 October update: Erika Vick and NASA PAO have declined to respond to a series of questions regarding this Twitter account. Perhaps that explains why @ExperienceNASA has been taken offline.

Keith's note: Apparently the operation of the @ExperienceNASA Twitter account is part of Erika Vick's official duties at NASA. It is not clear what NASA program(s) this activity supports or what the guidelines are for what is proper content for this Twitter feed. Despite repeated requests no one at NASA HQ including NASA PAO and Erika Vick at the NASA Advisory Council can give me a straight answer. @ExperienceNASA was silent during the shutdown - as were all other official NASA Twitter accounts. Its description says "Welcome to your one-stop shop for opportunities to participate in/contribute to NASA goals/missions! Need help? Ask me! Washington, DC · nasa.gov"

Another Official NASA Twitter Account That Isn't, earlier post

Keith's note: All websites hosted at NASA.gov addresses present this placeholder when you try and visit them since all websites hosted at ***.NASA.gov are supposed to be offline. But JPL.NASA.gov is online. It would seem that JPL folks are making an illegal/unauthorized expenditure of tax funds to keep their overtly official NASA.gov website online. JPL is just another NASA contractor and bills NASA for everything eventually w/overhead - just like all of the other contractors. Why does JPL run things when other contractors are shut down? Guess they did not get the memo - or they just ignored it. I'd ask JPL PAO but they 1. always ignore me and 2. are not at work today.

Oddly, while NASA.gov goes dark, JPL keeps all of its websites online and fully functional but then tweets this - the same thing NASA itself sent out:

Yet while JPL keeps its official website functional it uses its social media accounts to say that they will not be keeping these official accounts active. So which is it? Is JPL "NASA" or is it not? Is JPL staying online or going dark? Are webmasters "essential" personnel while tweeters are not? Why is it that JPL can easily leave its websites online albeit not updated with all content available -- but NASA.gov cannot? Does JPL know something about websites that NASA HQ does not?

These websites: lvis.gsfc.nasa.gov, weather.msfc.nasa.gov, thunder.nsstc.nasa.gov/, kepler.nasa.gov, and www.nas.nasa.gov are still online. Let's see if darkness falls over them as well. Please let us know if you find any survivors that are still online. So much for a consistent NASA IT policy.

JPL-related Twitter feeds, website to cease with shutdown, Pasadena Star News

"In line with NASA headquarters shutting down on Monday, JPL has put a hiatus to news releases, website and social media updates. "Information going out through the Twitter feeds and website, we coordinate with the program manager at NASA," said JPL spokeswoman Veronica McGregor. "Without that coordination, we're not releasing mission information during the shutdown." However, since JPL is privately run by Caltech and under contract to NASA, it is spared from being shut down with the rest of the space exploration organization. But the JPL Twitter feeds that are manned by NASA headquarters are already silent."

Keith's note: Ms. McGregor (who refuses to interact with NASA Watch - on any topic) fails to explain why the NASA JPL website (with NASA's logo on it and other official NASA Information) continues to stay online while all other official NASA websites are taken offline. If she wished to actually comply with what the agency is doing then her websites would go dark. They have not. Also, unless I am mistaken, a number of JPL Twitter accounts that have been shut off are actually maintained by JPL employees.

Keith's 11 Sep note: NASA was hacked yesterday by the BMPoC to protest U.S. cyberintelligence activities. One more reminder that everything everyone posts everywhere is seen by everyone. These NASA websites (at ARC) were affected and are currently offline:

kepler.arc.nasa.gov, amase2008.arc.nasa.gov, event.arc.nasa.gov, amesevents.arc.nasa.gov/sites, academy.arc.nasa.gov, planetaryprotection.nasa.gov, virtual-institutes.arc.nasa.gov, astrobiology2.arc.nasa.gov, nextgenlunar.arc.nasa.gov, lunarscience.nasa.gov, moonfest.arc.nasa.gov, iln.arc.nasa.gov, lunarscience.arc.nasa.gov

NASA ARC has this notice up if you try to reach these websites: "Down For Maintenance. The requested webpage is down for maintenance. Please try again later. Affected sites include but is not limited to:

* lunarscience.arc.nasa.gov
* kepler.nasa.gov
* nari.arc.nasa.gov"

Keith's 19 Sep note: More than half of these websites are still offline. Wow. NASA really does not have a lot of resiliency when it comes to responding to a hacking event, despite what PAO would have you believe.

Brazilian hackers confuse Nasa with NSA in revenge attack, The Telegraph

"At no point were any of the agency's primary websites, missions or classified systems compromised," said Nasa spokesman Allard Beutel. "We are diligently taking action to investigate and reconstitute the websites impacted during web defacement incident," he said."

NASA HEOMD Internal Memo on Personal Electronic Devices, NASA

"No one wants their personal property tampered with -- we understand that. If you complain loudly because your device does something you don't like as a result of the policies and settings pushed to your personal device as a result of our efforts to improve IT security, or if mistakes are made and you happen to be the unlucky victim of one, and it gets enough attention, either personal devices may be banned in the future from connecting to NASA email and non-public facing systems, or you'll have to officially request the ability to connect a personal device, take SATERN training, sign paperwork explicitly accepting the risks to your personal device or data, and so on. That will add more bureaucracy and obstacles and hassles to doing what should be a reasonable thing, which is enabling you to read and respond to email via your personal devices. It's up to you how you respond to these changes. If you don't want NASA making any changes to your personal devices, please do not connect your personal device(s) to NASA email or internal networks. This is a compromise that allows your flexibility and choice. And please note that these changes will help protect your personal data on the device, not just NASA data."

Keith's note: In other words NASA wants you to think that they are doing you a favor by allowing you to use a cellphone that you paid for to do government work. Also ... if you use your personal device to connect to NASA and something goes wrong you had better shut up and do not complain about it - or bad things will happen.

- Do You Really Trust NASA Not to Ruin Your Mobile Device?, earlier post
- NASA Bring Your Own Device Update, earlier post

NASA Internal Memo: Do Not Access Public Web Sites Containing Classified Information

"Individuals with a security clearance have agreed to certain restrictions regarding classified information. Accessing classified information on Wikileaks, even from home, constitutes a security violation. Viewing classified information from a computer that isn't authorized to access classified information, and/or viewing classified information that he or she is not authorized access to, is a security violation. And, use of official Government computers for other than authorized purposes is prohibited by federal ethics laws."

ActiveSync Security Policies to be Applied to Mobile Devices Connecting to NOMAD

"a. The use of your own mobile device (i.e., cell phone or tablet) to retrieve your NASA email/calendar or to conduct NASA business is entirely voluntary. Users should refrain from using a personal mobile device to access NASA information and systems if uncomfortable, unable, or unwilling to comply with these minimum security requirements. As the use of personal mobile devices is purely optional, employees cannot be expected to use their own devices to accomplish their assigned tasks if they choose not to do so. Your supervisor may not require you to do so. If a mobile device is required for you to perform your assigned duties, management will provide you with an appropriate NASA-owned device consistent with the Negotiated Agreement, unless you voluntarily choose to use your own device. You cannot be required to provide your personal email address or cell-phone number to management.

b. Employees using their own mobile device for downloading NASA email /calendar directly via their phone's mail client should be aware that NASA has the ability to access your device and to erase ("wipe") it. While the current NASA policy is that no such access or wiping will occur without the employee's explicit permission, it remains possible that such adverse events could nonetheless occur inadvertently. Therefore, employees should backup their personal phones often to reduce their vulnerability of data loss."

Do You Really Trust NASA Not to Ruin Your Mobile Device?, earlier post

Keith's note: I just got an email from [someone@nasa.gov] inviting me to an event on the 9th floor today. The email (from someone at Valador Inc. who works at NASA, uses a NASA.gov email account, sent this on official NASA business) had this rather odd disclaimer at the bottom (twice):

"Visit http://www.gov.uk/fco for British foreign policy news and travel advice and http://blogs.fco.gov.uk to read our blogs. Please note that all messages sent and received by members of the Foreign & Commonwealth Office and its missions overseas may be automatically logged, monitored and/or recorded in accordance with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. We keep and use information in line with the Data Protection Act 1998. We may release this personal information to other UK government departments and public authorities."

Why is anyone at NASA (an American government agency) sending out official email with a disclaimer that suggests that people (most likely Americans) visit a foreign government's official website - and then warn these same Americans that "We may release this personal information to other UK government departments and public authorities"?

Keith's update: I am told that the person who sent me the email was forwarding it from someone who had forwarded it from the UK Embassy ...

Message from the Chief Information Officer: Bring Your Own Device and Mobile Computing at NASA, NASA CIO

"In the coming months, the NASA Office of the Chief Information Officer (OCIO) will be working to develop a formal policy to govern the use of personal devices, also known as "Bring Your Own Device (BYOD)". Until then, I have directed the OCIO to enroll every personal mobile device that accesses the NASA email system into a management profile that helps to secure NASA data, just like is currently done on NASA's government issued devices. This change, effective September 10, 2013, will enforce a minimum set of security requirements on your personal mobile device if you wish to directly access NASA's email and calendaring resources from your device's email client. This change will only affect mobile devices, i.e., those running a mobile operating system such as Apple's iOS, Google's Android, etc. It will not affect laptops, nor will affect any access to email via webmail."

Minimum Security Requirements for Personal Mobile Devices, NASA CIO

AFEU Memo: Message from the Chief Information Officer: Bring Your Own Device, Ames Federal Employees Union, IFPTE Local #30

"You should assume, if you connect your personal device in this manner, that the agency will be able to read and access any data you have on your personal device and that the agency will retain the ability to remotely erase everything on that device. The union has secured an agreement that employees' personal phones will not be remotely wiped without prior permission from the owner, and I will keep you posted if that policy is altered."

Keith's note: It is nice to see NASA slowly dragging itself into the 21st century. But based on the non-stop trail of IT blunders and damning OIG reports on NASA's chronic inability to get IT right, I'd be very leery of directly connecting any personal computer to NASA. Do you really trust the same group that allowed all of your personal info to sit on laptops that seem to be stolen on a regular basis?

Have a look at the NASA CIO security requirements that NASA wants to place on what you can and cannot do with your mobile device if you connect it to NASA and what NASA can do to it if you do. You might as well just give the phone to NASA.

- NASA is Taking More Servers Offline - With No Explanation, earlier post
- NASA OIG IT Report Highlights Governance Problems, earlier post
- OIG on Information Technology Security Tools, earlier post
- NASA Still Has Not Encrypted All Laptops, earlier post
- OIG Doubts NASA Can Meet Laptop DAR Deadline, earlier post
- NASA IT Blunder Update, earlier post
- other postings

Keith's note: CASIS sent out a news release today by email to the news media. At the bottom of the email was a confidentiality clause i.e. "The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message."

I was never asked in advance by CASIS or anyone else if I wished to receive confidential information from CASIS nor do I desire to receive confidential information from CASIS. So I asked CASIS about this.

Keith's note: NASA has lots of Twitter accounts and websites - more than any other Federal agency - by far. But as NASA PAO AA David Weaver recently said at a NASA Advisory Council EPO Subcommittee (and I paraphrase) "clearly quantity does not always equal quality". Virtually every NASA project, program, center - and mission - has at least one (sometimes more) Twitter account and website. In the case of Mars Science Laboratory NASA pays to maintain 3 (or 4 depending on how you count) websites for MSL - and they do not seem to think this is wasteful.

But what about the New Horizons mission to Pluto?

NASA OIG: NASA's Progress in Adopting Cloud-Computing Technologies

"The OIG review found that weaknesses in NASA's IT governance and risk management practices have impeded the Agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk. For example, several NASA Centers moved Agency systems and data into public clouds without the knowledge or consent of the Agency's Office of the Chief Information Officer (OCIO). Moreover, on five occasions NASA acquired cloud-computing services using contracts that failed to fully address the business and IT security risks unique to the cloud environment. Finally, one of the two moderate-impact systems NASA moved to a public cloud operated for 2 years without authorization, a security or contingency plan, or a test of the system's security controls. This occurred because the OCIO lacked proper oversight authority, was slow to establish a contract that mitigated risks unique to cloud computing, and did not implement measures to ensure cloud providers met Agency IT security requirements."

Previous IT Stories

NASA JSC PAO Internal Memo: Space Station Live Placed on Hiatus

"However, in order to have the time to ensure that our products align to our ERO BHAG and align with the desires of our partners, we can't just keep piling on additional work. To that end, after extensive discussions, we're placing Space Station Live on hiatus at the end of the week. And, we're working with the ISS Program to consider other things as well - using a new, regular meeting where leaders from ERO and ISS share updates and collaborate together. For example, we'd use this forum to discuss a pilot effort where we support uncrewed vehicle launches, dockings and undockings differently--perhaps providing commentary only through social media."

Keith's update: I just got a call from NASA JSC PAO to clarify things. They are not looking to shut down the ISS live App or website - (the email was a little confusing) rather they are looking to halt the creation of an hour long daily update about ISS events and the weekly posting of a summary thereof. I asked if they had metrics on what their viewership/readership was and they said that they were not allowed to track such information. This is odd given how much NASA just loves to crow about the number of people who visit their websites. No attempt has been - or apparently will be - made to ask users/viewers of these discontinued features as to whether they like things, if things can be improved - and how. Rather, they will just shut things off and see who (if anyone) complains. As for the use of the word "partners" JSC PAO tells me that this refers to internal partners at JSC.

To be certain, it is good that NASA periodically revisits the things that it does - especially when funds are tight - to see if they are offering the best value to their audience based on their needs and interests. I am just baffled as to why NASA spends so little time actually talking to - or consulting with - actual audience members before they make these decisions. Charlie Bolden loves to babble on about "metrics" when it comes to how he makes decisions about NASA education programs. But in reality NASA has very few audience metrics when it comes to its overall education and public outreach. And when they do have metrics, they just ignore them or bungle their interpretation of what the metrics are saying.

As for my rant about JPL's three websites for MSL, I still think that such efforts are wasteful. Back to my vacation.

NASA Hosts July 10 Online Media Briefing on Solar System Finding, NASA

"NASA will host its first Google+ Hangout news briefing at 1 p.m. EDT Wednesday, July 10, on a new finding from the Interstellar Boundary Explorer (IBEX) mission.

The briefing will be shown live on YouTube, NASA Television and the agency's website. Journalists may participate in the briefing and ask questions by phone by contacting Steve Cole at 202-358-0918 or stephen.e.cole@nasa.gov with their affiliation by 10 a.m. July 10."

Marc's note: I'm all for holding a news briefing by Google+ Hangout but why not allow questions using the Hangout features?


NASA Unveils New Web Site Design, SpaceRef

"Over the weekend NASA unveiled a new design for its web site. The new look is only a partial update to the web site. There are more changes coming between now and September. As well NASA is planning a complete overhaul of the site early next year, its first since 2007.

What do you think of the new interim look?"

Marc's note: There's definitely a transition ongoing here. Some sections, including the daily ISS status report, aren't to be found, yet. The old reports, in the old section are there, just no new ones and no link from the new HEO page. I'm waiting on word on the status of these reports. Have a look at the site and vote in our poll on SpaceRef from the link above.

UPDATE: The daily ISS reports have been moved to a new blog at http://blogs.nasa.gov/stationreport/. Of course you can always find the archived reports on SpaceRef.

NTRS News: The NASA Technical Reports Server has received an update!, NASA

"The update provided:

- A new fresh, clean look for users
- Enhanced record display that shows author affiliations, sponsorship, and document type
- A new Search History display that lists all searches conducted during a search session, and allows users to quickly recall a previous search for display or further refinement
- Ability to search organization names from the advanced search form
- Ability to flag multiple records of interest from a search-results display, and create a new set containing the flagged items"

"On May 8, 2013, the NTRS was brought back on-line for public access, reloaded with the validated 966,460 documents and metadata records. A small subset of approximately 248,000 documents, largely consisting of older documents, such as National Advisory Committee on Aeronautics materials, remain to be reviewed and will not be restored to public access until a thorough review is completed."

Marc's note: While the site has been updated, as Keith had previously mentioned, there are still approximately 248,000 older records that need to be brought back online. The June 15th update makes no mention of how the review is progressing. We will update you as soon as we know more.

NASA taps long-time employee to be new CIO, Federal News Radio

"NASA tapped a long-time employee from the field to become its new chief information officer. Government sources confirmed that Larry Sweet is moving to NASA headquarters from the Johnson Space Center.

Sweet replaces Linda Cureton, who retired in April. Richard Keegan, the associate deputy administrator, has been the acting CIO since Cureton retired.

"I think it's absolutely wonderful. Larry is a strategist and understands the culture of the agency as a center CIO," said Cureton, who now is president of Muse Technologies. "He will likely focus on increasing collaboration among the centers. In addition, he will be tough on instilling accountability and performance excellence in the contractor community. Enterprise services will be his high priority."

Related: NASA OIG IT Report Highlights Governance Problems

