Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

NASA’s Cybersecurity Program Gets Failing Grade

The U.S. National Aeronautics and Space Administration (NASA) has again failed to implement an efficient cybersecurity program, according to a review by the NASA Office of Inspector General (OIG) for the fiscal year 2018.

The U.S. National Aeronautics and Space Administration (NASA) has again failed to implement an efficient cybersecurity program, according to a review by the NASA Office of Inspector General (OIG) for the fiscal year 2018.

The OIG has assessed NASA’s ability to manage cybersecurity risks, implement safeguards to ensure the delivery of critical services, detect cybersecurity events, respond to incidents, and restore capabilities or services disrupted by cybersecurity incidents.

Based on the analysis of NASA systems and interviews with the agency’s representatives, the OIG has assigned a Level 2 maturity rating to the organization’s cybersecurity program for a second year in a row.

NASA cybersecurity program reviewedThe Federal Information Security Modernization Act of 2014 (FISMA) defines five levels of maturity: Level 1 (Ad-hoc), Level 2 (Defined), Level 3 (Consistently Implemented), Level 4 (Managed and Measurable), and Level 5 (Optimized).

Level 2 organizations have their policies, procedures and strategies formalized and documented, but they are not consistently implemented. The Office of Management and Budget requires organizations to get a rating of at least Level 4 for their cybersecurity program to be considered effective.

Auditors have identified two main areas of concern: system security plans containing missing, incomplete and inaccurate data; and failure to conduct information system control assessments in a timely manner.

“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” the OIG’s report reads. “Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”

A few months ago, NASA informed employees that their personal information, including social security numbers, may have been stolen after one of its servers had been breached. The agency claimed the incident did not impact any of its missions.

Related: Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme

Related: NASA Denies Drone Hack, Data Leak

Related: Exploit Payload Possibly Made It Onto NASA’s Orion Spacecraft

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...