By Eduard Kovacs
The U.S. National Aeronautics and Space Administration (NASA) has again failed to implement an efficient cybersecurity program, according to a review by the NASA Office of Inspector General (OIG) for the fiscal year 2018.
The OIG has assessed NASA’s ability to manage cybersecurity risks, implement safeguards to ensure the delivery of critical services, detect cybersecurity events, respond to incidents, and restore capabilities or services disrupted by cybersecurity incidents.
Based on the analysis of NASA systems and interviews with the agency’s representatives, the OIG has assigned a Level 2 maturity rating to the organization’s cybersecurity program for a second year in a row.
The Federal Information Security Modernization Act of 2014 (FISMA) defines five levels of maturity: Level 1 (Ad-hoc), Level 2 (Defined), Level 3 (Consistently Implemented), Level 4 (Managed and Measurable), and Level 5 (Optimized).
Level 2 organizations have their policies, procedures and strategies formalized and documented, but they are not consistently implemented. The Office of Management and Budget requires organizations to get a rating of at least Level 4 for their cybersecurity program to be considered effective.
Auditors have identified two main areas of concern: system security plans containing missing, incomplete and inaccurate data; and failure to conduct information system control assessments in a timely manner.
“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” the OIG’s report reads. “Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”
A few months ago, NASA informed employees that their personal information, including social security numbers, may have been stolen after one of its servers had been breached. The agency claimed the incident did not impact any of its missions.