
Two Decade NASA CIO Struggle To Implement Effective IT Governance

By Keith Cowing
NASA Watch
September 18, 2020

Hearing link, Hearing on Cybersecurity Infrastructure and Information Technology Management, Policies, and Practices at NASA
Prepared statements
Rep. Kendra Horn
Rep. Eddie Bernice Johnson
Rep. Brian Babin
Jeff Seaton, Chief Information Officer (Acting) National Aeronautics and Space Administration
Diana L. Burley, Vice Provost for Research, American University
Paul K. Martin, Inspector General, National Aeronautics and Space Administration
“Our concerns with NASA’s IT governance and security are long-standing and reoccurring. For more than two decades, NASA’s OCIO has struggled to implement an effective IT governance structure that aligns authority and responsibility commensurate with the Agency’s overall mission. Specifically, we have found that the Agency Chief Information Officer (CIO) and IT security officials have limited oversight and influence over IT purchases and security decisions within Mission Directorates and at NASA Centers. The decentralized nature of NASA’s operations coupled with its long-standing culture of autonomy hinder the OCIO’s ability to implement effective enterprise-wide IT governance. For example, in an August 2020 audit we found OCIO’s visibility into the process Centers use to authorize and approve IT systems and devices to access Agency networks remains limited. Although the NASA CIO is responsible for developing an Agency-wide information security program, OCIO relies on Center-based CIOs and IT security staff to implement and enforce the Agency’s information security policies. This practice has allowed Centers to tailor processes to meet their own priorities, which has in turn led to inconsistent implementation of NASA’s enterprise-wide IT security management. Such a decentralized approach to cybersecurity management limits OCIO’s ability to effectively oversee NASA’s information security activities and make informed decisions related to project timelines, costs, and efficiencies as well as realistically assess the overall security of NASA’s numerous IT systems.”

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

3 responses to “Two Decade NASA CIO Struggle To Implement Effective IT Governance”

  1. Winner says:

    If they use today’s technology and wait 50 years, then the security problem will take care of itself, as the infrastructure will be so archaic that nobody will know how to get in.

  2. Charles says:

    The problem with OCIO is OCIO; they’re clueless about how the Agency conducts the business of being NASA. OCIO should rely more on their Center CIOs and allow them to do their jobs. There’s a difference between insight and oversight. OCIO’s oversight is negatively impacting NASA’s ability to do work. OCIO should have full insight into what the Centers and Mission Directorates are doing with IT and IT Security, however they should retard their long reach into Center activities, listen more and respect Center IT requirements, and provide usable solutions to help NASA do NASA work.

    • Carlos DelCastillo says:

      Amen brother. The OCIO is one of the largest risks to how I do research. Procurement follows very closely. I do have to say that recently the OCIO seems to be paying more attention to how NASA scientists and engineers work. So, there is hope.