IT/Web: December 2020 Archives

NASA OIG: Fiscal Year 2020 Federal Information Security Modernization Act Evaluation - An Agency Common System

"... We found that NASA had not assessed the Agency common control entitled SI-04, Information System Monitoring, since April 2015. Moreover, the control was classified in 2015 as "other than satisfied," but system security officials still had not taken appropriate action to address the control deficiency by developing either a POA&M or Risk-Based Decision document. Based on discussions with system security officials, both the overdue control assessment and the failure to develop either a POA&M or Risk-Based Decision document were the result of an oversight. However, we believe the oversight was caused, in part, by the Agency Office of the Chief Information Officer (OCIO) not prioritizing and allocating the personnel resources needed to address control weaknesses in the ACS system. Since the system has the ability to affect all NASA systems that inherit controls from it, we are concerned that NASA's failure to address the control deficiency could negatively affect the appropriate monitoring of all NASA systems."

"... Continued delays in accomplishing the work necessary to authorize the hybrid common controls system occurred because the OCIO did not prioritize the work and allocate the necessary personnel resources to meet their intended timetable. Based on discussions with the ACS security control manager, the OCIO assigned only two people on a part-time basis to address several known issues involving the ACS system and to develop the new hybrid common controls system. Consequently, the development and authorization of the new hybrid common controls system fell behind schedule."

"... We found that NASA did not develop or include cost estimates for remediation of any of the nine POA&Ms we tested. According to a representative from the OCIO, this occurred because, as a general practice, cost estimates are not included for POA&Ms. We take exception with this, as it is contrary to NASA guidance and inconsistent with best practices for administration and management of remediation efforts for known security weaknesses and vulnerabilities associated with information security controls."

- Two Decade NASA CIO Struggle To Implement Effective IT Governance, earlier post
- The NASA Office of the Chief Information Officer Is Still Broken, earlier post
- Earlier posts

SolarWinds, Probably Hacked by Russia, Serves White House, Pentagon, NASA, Newsweek

"Two unnamed sources told the outlet that the hackers entered U.S. systems through updates released by SolarWinds, a software company based in Austin, Texas that also provides services to the White House, Pentagon and NASA, according to their website. Additionally, the company provides services to the country's leading telecommunications providers, as well as "more than 425 of the U.S. Fortune 500.""

CISA Issues Emergency Directive To Mitigate The Compromise Of SolarWinds Orion Network Management Products, CISA

"The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."

Keith's note: NASA has not said anything publicly about this. And if you ask them they won't say anything publicly about this. FWIW a cursory scan of recent reports on NASA IT efforts shows them to be lacking - in the extreme. So it stands to reason that they are concerned about this.

- Two Decade NASA CIO Struggle To Implement Effective IT Governance, earlier post
- Previous posts on NASA IT security

About this Archive

This page is an archive of entries in the IT/Web category from December 2020.