NASA spent $1.4 billion, or 7.6 percent of its $18.5 billion budget, on information technology, but continues to struggle with security and governance, according to the space agency’s annual report.
The report highlights how NASA has struggled with managing its roughly 500 information systems for controlling spacecraft, collecting and processing data and enabling basic enterprise functions such as collaboration.
In the report, NASA noted:
Over the last 7 years, we have issued 24 audit reports containing over 119 recommendations designed to improve NASA’s IT governance and IT security efforts. Although the Agency has made progress in this area, we remain concerned about the state of the Agency’s IT governance, its acquisition of IT systems, cybersecurity vulnerabilities, IT security incident detection and handling capabilities, continuous monitoring tools, cloud-computing services, and web application security.
In particular, information technology governance has been an issue for two decades. NASA’s Office of the Chief Information Officer (OCIO) lacks the structure and visibility to control IT investments. NASA outlined those findings in a 2013 audit and found that subsequent reform efforts didn’t progress.
NASA added that it has reported more than 3,000 computer security incidents related to malicious software or unauthorized access to agency computers over the past two years. NASA has expanded network penetration testing, deployed intrusion detection systems and added systems to prevent phishing to name a few.
While those security moves are a good start, NASA said that it hasn’t developed an agency-wide strategy to security. One big problem is turnover in the CIO and security roles.
NASA said in its annual report:
Specifically, the CIO continues to have limited visibility into IT investments across NASA and the process the Agency developed to correct those shortcomings is flawed. Moreover, the OCIO continues its decade-long struggle to establish an effective enterprise architecture. While the OCIO has made changes to its three senior advisory boards over the past few years, these boards have yet to make strategic decisions that substantively impact how IT at NASA is managed. Consequently, slow implementation of the OCIO’s revised IT governance structure has left many Agency IT officials operating under the previous inefficient and ineffective framework, and as of July 2017 the OCIO had not finalized the roles and responsibilities for IT management at NASA… Further, lingering confusion regarding security roles coupled with poor IT inventory practices negatively impacts NASA’s security posture. Finally, the OCIO continues to have limited influence over IT management within the Mission Directorates and at Centers due to the autonomous nature of NASA’s operations and its lack of credibility on IT issues in the eyes of many of its customers.
The lack of governance is also hurting NASA’s ability to secure its systems. NASA manages about 1,200 publicly accessible Web databases, half of the U.S. government’s non-military footprint.
NASA also added that the lack of governance and security processes has hampered its shift to cloud computing. The governance and security posture at NASA is also a handicap as the agency adopts more operational tech such as the Internet of things.