Keith’s note: according to a new GAO report “Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements”: “The Administrator of the National Aeronautics and Space Administration should ensure that the agency fully implements all event logging requirements as directed by OMB guidance. (Recommendation 17)” … “In written comments, reprinted in appendix XI, the National Aeronautics and Space Administration concurred with our recommendation and stated that it plans to address our recommendation by, among other things, creating a comprehensive plan to address all event logging requirements under a recently established Cybersecurity Improvement Portfolio. It also noted certain challenges it faces, such as data integration into the agency’s uniquely designed systems and resource constraints.” [Note: NASA’s response is on pages 63-64]. Previous NASA IT posts
NASA OIG: NASA’s Insider Threat Program “While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems including many containing high-value assets or critical infrastructure are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data. … Further amplifying the complexities […]
Committee Leaders Request GAO Review of Cybersecurity Risks at NASA “Today, Chairwoman Eddie Bernice Johnson (D-TX), along with Ranking Member Frank Lucas (R-OK), Chairman of the Subcommittee on Space and Aeronautics Don Beyer (D-VA), and Ranking Member of the Subcommittee on Space and Aeronautics Brian Babin (R-TX) sent a letter to Comptroller General Gene Dodaro requesting the U.S. Government Accountability Office (GAO) conduct a review of the cybersecurity risks to […]
NASA OIG: NASA’s Cybersecurity Readiness, NASA OIG “The Chief Information Officer (CIO) has struggled to implement an effective IT governance structure that aligns authority and responsibility with the Agency’s overall mission. … In FY 2020, the OCIO spent $278 million on IT, $74 million of which was budgeted for institutional cybersecurity. Separate from the OCIO, mission offices in FY 2020 invested $169 million on mission-based cyber management at locations around […]
Solar Winds, Probably Hacked by Russia, Serves White House, Pentagon, NASA, Newsweek “Two unnamed sources told the outlet that the hackers entered U.S. systems through updates released by SolarWinds, a software company based in Austin, Texas that also provides services to the White House, Pentagon and NASA, according to their website. Additionally, the company provides services to the country’s leading telecommunications providers, as well as “more than 425 of the […]
Hearing link, Hearing on Cybersecurity Infrastructure and Information Technology Management, Policies, and Practices at NASA Prepared statements – Rep. Kendra Horn – Rep. Eddie Bernice Johnson – Rep. Brian Babin – Jeff Seaton, Chief Information Officer (Acting) National Aeronautics and Space Administration – Diana L. Burley, Vice Provost for Research, American University – Paul K. Martin, Inspector General, National Aeronautics and Space Administration “Our concerns with NASA’s IT governance and […]
Keith’s note: Today the White House is releasing Space Policy Directive 5 (SPD-5) “Cybersecurity Principles for Space Systems” according to a media briefing with senior administration officials. This is the first policy for space systems to apply key cybersecurity principles to protect space systems for government and commercial operators. SPD-5 promotes SPD-3 “Space Traffic Management” including space debris issues and other government defense and security directives. SPD-5 notes that cybersecurity […]
OIG: NASA’s Policy and Practices Regarding the Use of Non-Agency Information Technology Devices “NASA is not adequately securing its networks from unauthorized access by IT devices. Although OCIO has deployed technologies to monitor unauthorized IT device connections, it has not fully implemented controls to remove or block these devices from accessing NASA’s networks and systems. The initial December 2019 target date for NASA to complete installation of these controls has […]
NASA OIG: Cybersecurity Management and Oversight at the Jet Propulsion Laboratory “Multiple IT security control weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals. … We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended […]
Keith’s note: From [email protected]: “Me and my colleagues are out of work during this shutdown with no prospect for ever getting back our lost wages. The federal government has a hard time recruiting people in my field because of a large salary difference with private sector companies. We choose a career with federal agencies because we believe in the mission of protecting the United States. NASA is going to lose […]