According to a new report by NASA’s Office of Inspector General (OIG), NASA is not adequately securing its networks from unauthorized access by IT devices, and has not fully implemented controls to remove or block unauthorized IT devices from accessing the agency’s networks and systems.
“The initial December 2019 target date for NASA to complete installation of these controls has been delayed due to technological challenges and changes in OCIO mission priorities and requirements,” the OIG report said. “Until the enforcement controls are fully implemented, NASA remains vulnerable to cybersecurity attacks.”
According to the report, NASA had allowed personally-owned and partner-owned IT devices to access non-public data through its networks until April 2018, when the agency’s CIO “clarified existing NASA requirements to disallow connection” of these devices.
Due to push-back from employees and partners who told OCIO that the requirement would hurt productivity, the CIO established new requirements allowing these devices to securely access NASA’s email system if the user installed security software via a Mobile Device Management (MDM) application.
“While OCIO established a process to implement MDM on personal mobile devices, it is not adequately monitoring and enforcing the business rules necessary for granting such access,” the OIG said in its new report. The OIG added that NASA OCIO did not establish monitoring and enforcement requirements when planning the MDM project, and that NASA data is consequently at risk from viruses, malware, or hacking.
The OIG made five recommendations to NASA, all of which the agency agreed to. The recommendations include:
- Fully implementing Network Access Control and Continuous Diagnostics and Mitigation at all agency centers to detect, prevent, and remove unauthorized IT devices;
- Incorporating applicable IT policy and requirements documents for IT systems lifecycle management in accordance with National Institute of Standards and Technology Special Publication 800-124;
- Defining requirements and implementing controls to monitor and enforce MDM business rules;
- Revising cybersecurity policy, guidance, and requirements that provide OCIO with a level of oversight of enterprise-wide IT management sufficient to ensure consistency; and
- Revising the NASA Strategy to Improve Network Security to implement controls that ensure adequate Senior Agency Information Security Officer visibility into cybersecurity practices.