
NASA's Chief Information Officer Is Not Doing Their Job (Update)

By Keith Cowing
NASA Watch
May 24, 2018

Audit of NASA’s Information Technology Supply Chain Risk Management, NASA OIG
“While NASA has improved its supply chain risk management efforts since the process was first mandated in 2013, we identified pervasive weaknesses in the Agency’s internal controls and risk management practices that lead us to question the sufficiency of its current efforts. NASA’s risk assessment process, when followed, often consists of a cursory review of public information obtained from Internet searches or unverified assertions from manufacturers or suppliers that the IT and communications products or services being acquired do not pose a risk of cyber-espionage or sabotage. Further, we found NASA does not consistently coordinate with the FBI in its review process. In addition, contrary to best practices the Agency’s supply chain risk management practices do not require testing of IT and communication products to determine their authenticity and vulnerability to cyber-espionage or sabotage prior to their acquisition and deployment. Moreover, Agency policy excludes specific IT systems and flight hardware, such as equipment operated on the International Space Station, from risk assessment requirements. Overall, the Agency’s weak controls have resulted in the purchase of non-vetted IT and communication assets, some of which we found present significant security concerns to Agency systems and data. In addition to our longstanding concerns about NASA’s IT governance and security practices, the Agency compounds its security vulnerabilities by relying on ineffectual processes and information in its efforts to prevent risky IT products from entering its network environment.”
NASA OIG Audit of NASA’s Security Operations Center, NASA OIG
“Since its inception a decade ago, the SOC has fallen short of its original intent to serve as NASA’s cybersecurity nerve center. Due in part to the Agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in OCIO leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the Agency’s IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities. Industry best practice for an effective SOC recommends a charter signed by stakeholders that explicitly details authorities and responsibilities. Such a charter would allow the SOC to more effectively push for the resources and the cooperation required to execute its mission. However, after 10 years the NASA SOC has no charter to govern its operations or outline its authorities. In addition, the SOC has no roadmap for moving from its current state to a future state of operation, a critical management tool for establishing priorities for continual improvement.”
GAO: NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses, GAO
“NASA’s IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer’s visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended. NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures.”
Keith’s update: In less than 48 hours three reports – one from GAO, two from the NASA OIG – have been released that show continued problems with NASA IT that NASA Chief Information Officer Renee Wynn has not fixed. If you go to the NASA CIO website there is no mention of these reports – or any other reports that cite weaknesses in how the CIO manages NASA’s IT infrastructure. Just what is it that Renee Wynn has been doing? None of the problems that were blatantly obvious when she arrived at NASA have been fixed.
If you read her “IT Talk” quarterly newsletter, her office seems to be preoccupied with everything but the important things that need to be fixed. Indeed, much of what her office likes to parade around as accomplishments has little if anything to do with what the CIO is supposed to be doing.
GAO and OIG Agree: NASA CIO Is Underperforming, earlier post
OIG: NASA’s Operational Technology Systems Are Inadequate and Disjointed, earlier post
NASA Still Has No Effective Information Security Program, earlier post
NASA CIO Drops The Ball On ACES Authorization, earlier post
Previous NASA IT Posts

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

3 responses to “NASA's Chief Information Officer Is Not Doing Their Job (Update)”

  1. sunman42 says:

    The supply chain business is 99% make-work for the FBI. Since the FBI has no real way to investigate what goes on in most foreign factories/assembly plants, they have to rely on what vendors provide and/or what’s available to the public. A few high school students could do the job just as well, but Congress wanted to make a big deal out of this. The other 1%, that ends up in space, has to be qualified, and if the people doing the qualification can’t determine whether there’s malware burned in, they shouldn’t be doing QA.

  2. Michael Spencer says:

    In the course of ordinary business my interaction with clients has become almost exclusively via PDF-based documents.

    Unlike NASA IT, sometimes my clients aren’t up to speed on the finer points of creating documents that are to be shared via email or Dropbox. And they will complain when, for instance, a file is very large.

    So, looking at the quarterly reports that are produced by the IT office, I wondered what the heck could be included in an 11 page file that becomes 8mb. Must be a lot of pictures, I thought.

    And I was right. Still, opening that 8mb file in Acrobat Pro, and choosing Save As… reduced file size yields a file that’s only 1.8mb, with no discernible degradation.

    Is this nitpicking?

  3. Daniel Woodard says:

    Let me first make it clear that this is just my personal opinion, I do not represent anybody, official or unofficial.

    The central problem is that neither IT management nor the IG have actual hands-on experience with configuring network hosts, using logs to track intrusion attempts, or improving usability by resolving human factors problems. Consequently they focus on creating and complying with complex administrative requirements which have no direct effect on the information system.

    Years ago IT was in-house within each organization, at the user level with desktop and research systems and at the center level with center-wide networking. IT personnel had experience with the systems they managed and contact with their users. However, agency management found this too complex and decided to outsource essentially all IT and create an external entity which would handle all the messy technical details. This has led to responses to technical problems which are administrative in nature, and must then be implemented by technical contractors which have no input into the actual policy, creating frustration at all levels.