The U.S. National Aeronautics and Space Administration (NASA) has again failed to implement an efficient cybersecurity program, according to a review by the NASA Office of Inspector General (OIG) for the fiscal year 2018.
The OIG has assessed NASA’s ability to manage cybersecurity risks, implement safeguards to ensure the delivery of critical services, detect cybersecurity events, respond to incidents, and restore capabilities or services disrupted by cybersecurity incidents.
Based on the analysis of NASA systems and interviews with the agency’s representatives, the OIG has assigned a Level 2 maturity rating to the organization’s cybersecurity program for a second year in a row.
The Federal Information Security Modernization Act of 2014 (FISMA) defines five levels of maturity: Level 1 (Ad-hoc), Level 2 (Defined), Level 3 (Consistently Implemented), Level 4 (Managed and Measurable), and Level 5 (Optimized).
Level 2 organizations have their policies, procedures and strategies formalized and documented, but they are not consistently implemented. The Office of Management and Budget requires organizations to get a rating of at least Level 4 for their cybersecurity program to be considered effective.
Auditors have identified two main areas of concern: system security plans containing missing, incomplete and inaccurate data; and failure to conduct information system control assessments in a timely manner.
“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” the OIG’s report reads. “Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”
A few months ago, NASA informed employees that their personal information, including social security numbers, may have been stolen after one of its servers had been breached. The agency claimed the incident did not impact any of its missions.
Related: Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme
Related: NASA Denies Drone Hack, Data Leak
Related: Exploit Payload Possibly Made It Onto NASA’s Orion Spacecraft

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 Working on Patch for BIG-IP Flaw That Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
