The National Aeronautics and Space Administration (NASA) needs to complete key activities within various steps of its cybersecurity risk management program, the US Government Accountability Office (GAO) says in a new report.
According to the GAO, NASA’s projects for Earth, moon, and solar system exploration risk disruption due to the cyber threat environment its spacecraft and space systems operate in.
NASA has implemented the steps defined by NIST’s cybersecurity risk management guidelines (which include preparation, system categorization, control selection, control implementation, control implementation assessment, system authorization, and continuous monitoring of the effectiveness of controls), but did not perform key activities within each step, the GAO says.
According to the report, NASA did not perform an organization-wide risk assessment, otherwise “essential to identifying and mitigating the highest priority cyber threats across the enterprise”.
Additionally, system-level continuous monitoring strategies have not been documented for the assessed systems, mainly due to lack of guidance on the matter. Without these documented strategies, the watchdog says, organizations face increased risks of data breaches, delays in threat detection, and slow attack response.
“Developing, implementing, and maintaining a comprehensive cybersecurity risk management program is critical to protecting NASA’s systems and information, detecting suspicious activity, and responding to incidents,” the GAO says.
“Without a strong risk management program covering the selected systems, NASA faces increased risks that cyber incidents could result in loss of mission data, or decreased lifespan or capability of space systems,” the agency continues.
In its report, GAO makes 16 recommendations to NASA to help it improve its security stance by performing key activities within the risk management steps, including making an organization-wide cybersecurity risk assessment and ensuring that continuous monitoring strategies are documented.
Per the recommendations, NASA should: prepare and approve the assessment; ensure that the documented impact on system confidentiality, integrity, and availability matches each system’s risk; update its guidance to include oversight responsibilities; and should update its guidance on documenting assessment results.
Related: GAO Tells Coast Guard to Improve Cybersecurity of Maritime Transportation System
Related: CISA’s OT Attack Response Team Understaffed: GAO
Related: GAO: Federal Agencies Yet to Fully Implement Incident Response Capabilities
