Security issues at NASA highlight challenges in control effectiveness

A report released this month by GAO on what it views as deficiencies in the information security program and security control effectiveness at the National Aeronautics and Space Administration (NASA) serves to highlight once again the challenge for organizations to move beyond compliance to ensure implemented security controls are actually doing what they are intended to do. Testing and demonstrating the effectiveness of security controls is a persistent challenge for all agencies, not just NASA, and the identified inconsistent and incomplete risk assessment procedures and security policies are also issues shared by many other agencies. What may be most notable about the findings in the report is the relatively basic level of some of the control weaknesses found at some of NASA’s facilities, including poorly implemented password-based access controls, non-functional physical security mechanisms, and less than comprehensive vulnerability scanning and intrusion detection.

NASA has had an unusual level of variability in its overall security program, at least as measured through the FISMA reporting process. While the agency has been trending better since fiscal 2006, when it received a D- on the FISMA scorecard, its progress since then has not equaled the level (B-) it achieved in 2005. The details in the most recent (FY2008) report to Congress give some indications of the NASA infosec program as work in progress, with strengths in C&A process, training of security personnel, and privacy compliance, and with gaps in testing of security controls and contingency plans, and in general employee security awareness training. NASA’s written response to the GAO report (which, as is typically the practice, was provided to the agency for comment prior to its public release) concurs with all eight of GAO’s findings and recommendations, but notes that a number of these recommendations are already being addressed by program improvements underway as the result of internal assessments.