A new report from the Government Accountability Office (GAO) reveals that key NASA systems did not fully implement selected cybersecurity risk management activities – potentially exposing them to malicious cyber activities.
As part of its assessment, GAO analyzed two major NASA projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps from the National Institute of Standards and Technology (NIST).
The seven steps include: prepare, categorize systems, select controls, implement controls, assess control implementation, authorize the system, and continuously monitor security control effectiveness.
“NASA fully or partially implemented all steps of its cybersecurity risk management program for selected systems. However, partial determinations indicate that NASA did not perform key activities within the steps,” the report says.
For example, for the prepare step, GAO explains that “NASA did not have an approved organization-wide risk assessment. Such an assessment is essential to identifying and mitigating the highest priority cyber threats across the enterprise.”
“Regarding the monitor step, selected systems did not document system-level continuous monitoring strategies due in large part to the lack of guidance on how to do so,” it adds. “Without documented strategies that are fully understood by key cyber personnel, organizations face increased risks of data breaches, delayed detection of threats, and slower responses to attacks.”
GAO says that having a comprehensive cybersecurity risk management program “is critical to protecting NASA’s systems and information,” as well as to detecting and responding to incidents.
This is especially important for NASA, as GAO notes that spacecraft and space systems are operating in a cyber threat environment with “increased risks of attack and mission disruption.”
GAO is making 16 recommendations to NASA to ensure that key activities within NIST’s risk management steps are being performed. These include preparing and approving an organization-wide cybersecurity risk assessment, and updating its guidance to help make sure that selected systems have documented continuous monitoring strategies.
GAO provided a draft of the sensitive version of the report to NASA for review and comment. In its written comments, NASA concurred with seven recommendations, partially concurred with four recommendations, and did not concur with the remaining five recommendations.
“The written comments contain information that NASA deemed too sensitive to be released to the public, so we have omitted them from this report,” GAO explains.
Nevertheless, GAO maintains that all of its recommendations are warranted.