In a recently released audit report, the Office of Inspector General (IG) stated that “attacks on NASA networks are not a new phenomenon.” However, the complexity and severity of these attacks are increasing by the day. Even so, the IG added, NASA’s cybersecurity strategy seems to be “disorganized” and requires immediate realignment. Jeffrey Seaton, NASA’s CIO, agreed with the IG’s findings, which also raised the concern that the Office of the CIO (OCIO) has struggled to implement an effective IT governance structure that aligns authority and responsibility with the agency’s overall mission.
Is NASA’s cybersecurity readiness in question?
NASA has a large digital footprint with over 3,000 websites and more than 42,000 publicly accessible datasets. It is no surprise, then, that the national space agency has faced more than 6,000 cyberattacks in the past four years alone.
Having agency-wide, strong cybersecurity practices is vital for NASA to protect itself from current and future threats in cyberspace. However, the IG’s report said, “We found that NASA’s ability to prevent, detect, and mitigate cyberattacks is limited by a disorganized approach to Enterprise Architecture (EA).”
The IG appreciated that the OCIO has made notable efforts to improve NASA’s cybersecurity readiness. In September 2019, NASA updated its IT strategy to identify critical activities, milestones, and resources needed to manage IT as a highly strategic resource. To further polish this strategy, the OCIO is also currently working on two important initiatives:
- Mission Support Future Architecture Program (MAP) – NASA’s various services, such as IT, human resources, finance, and procurement, have been managed and operated separately at each center and/or headquarters. The MAP is being devised to bring them under centralized control so that they are governed by consolidated cybersecurity capabilities rather than individual ones. The agency expects the MAP assessment to be complete by the end of 2021, and to proceed with its implementation in January 2022.
- The Cybersecurity and Privacy Enterprise Solutions and Services (CyPrESS) Contract – This is a broad cybersecurity management contract that aims to eliminate duplication of cyber services among the agency’s various centers. CyPrESS is not officially a subset of MAP but tends to work in tandem with it to deliver a centralized service model.
The IG is pleased with these initiatives but has suggested extending CyPrESS to include services such as a security operations center (SOC), penetration testing, vulnerability management, supply chain risk management, training, and knowledge sharing, as well as identity, certificate, and access management. According to a government contracting database maintained by Deltek, the solicitation for awarding the contract to an experienced enterprise was scheduled to be published on May 17. However, according to the Federal System of Awards Management, the proposal is still in the pre-solicitation stage, which may put its February 2022 work initiation deadline in jeopardy.
NASA has acknowledged its shortcomings and, based on the recommendations in the IG’s audit report, has agreed to create an enterprise architecture program; monitor metrics on the efficacy of its enterprise security architecture; and perform a cost evaluation for the agency’s 526 IT systems, which have been classified in one of three risk exposure levels ranging from Low to High.