NASA infosec again falls short of required standard

[theregister.com]

The NASA Office of Inspector General (OIG) has published its annual audit of the aerospace agency's infosec capabilities and practices, which earned an overall rating of "Not Effective."

The review was conducted by accounting firm RMA Associates in accordance with the Council of the Inspectors General on Integrity and Efficiency's Quality Standards for Inspection and Evaluation, using the reporting metrics spelled out under the Federal Information Security Modernization Act of 2014 (FISMA), which define five levels of infosec maturity:

  1. Ad Hoc
  2. Defined
  3. Consistently Implemented
  4. Managed and Measurable
  5. Optimized

Level 4 – Managed and Measurable – is considered the benchmark for an effective infosec program. As the chart below shows, NASA did not reach that level for any of the nine capabilities measured over the period from October 1, 2021, through September 30, 2022, the agency's FY 2022.

NASA's FY 2022 infosec maturity (chart)

The audit attributes NASA's poor rating to the agency lacking the tools and data needed to understand the disposition and state of its IT infrastructure, and lacking the processes needed to frame and respond to risks.

Among the document's findings is that NASA cannot identify and record all the network devices it operates, and has fallen back on manual processes to sort that out. The agency hasn't completed a cybersecurity workforce assessment since 2016, so it is not well placed to know whether it has the skills needed to defend itself properly.

The organization has not implemented recommended data protection and privacy standards so that regime has blind spots. Multi-factor authentication is not universal. The supply chain risk management regime is not yet mature.

While the agency's incident response processes are mature, "additional controls and processes need to be designed and implemented" for it to score a Level 4 rating.

We could go on, but you get the idea: NASA infosec isn't great.

The agency's CIO has therefore been given a list of 17 recommended actions. NASA agrees with most and in a letter responding to the audit gave November 17, 2023, as the estimated completion date for each.

NASA acted on all the recommendations from last year's infosec audit and appears to have sorted out all but one. But NASA's financial year commences on October 1, so a November 17 completion date falls after the close of FY 2023 and could leave the agency's 2022/23 audit containing more painful reading.

NASA consistently scores low ratings when its infosec is assessed: the agency also scored a Level 2 rating in 2019, was earlier this year found to be unready to handle insider threats, and has identified that low-budget missions scarcely think of infosec because they try to spend every cent on science.

Which is noble but scary given that NASA operates extensive shared services and cybercrooks love landing in one ill-defended location and then spreading as far as possible.

Seeing as NASA works on lots of secret projects, the persistent immaturity at the agency clearly has the potential for very nasty consequences. ®