Overcoming Information Security Vulnerabilities

  • GAO has reported that NASA remains vulnerable to disruptions in its information technology network. Information security is a critical consideration for any organization reliant on information technology and especially important for NASA, which depends on a number of key computer systems and communication networks to conduct its work. NASA established a Security Operations Center in 2008 to enhance prevention, provide early detection of security incidents, and coordinate agency-level information related to its security posture.

  • NASA has made important progress in implementing security controls and aspects of its information security program. However, NASA has not always implemented sufficient controls to protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates. Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems.

  • A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively. Further, the Office of the Inspector General (OIG) found that NASA’s IT security program has not fully implemented key Federal Information Security Management Act requirements.

  • NASA OIG audits and assessments during the past year reported finding significant and recurring internal control weaknesses in NASA’s IT security control monitoring and cyber-security oversight.

What Needs to Be Done

  • GAO has recommended actions the NASA Administrator should take to mitigate control vulnerabilities and fully implement a comprehensive information security program, including: developing and implementing comprehensive and physical risk assessments; conducting sufficient security testing and evaluation of all relevant security controls; and implementing an adequate incident detection program. The NASA Deputy Administrator noted that NASA is implementing many of these recommendations as part of an ongoing NASA strategic effort to improve information technology management and address information technology security program deficiencies. The actions identified by the Deputy Administrator, if effectively implemented, will improve the agency’s information security program.

    Highlights of GAO-10-4 (PDF)

Key Reports

NASA

Key Management and Program Challenges
GAO-10-387T, Feb 3, 2010

Information Security

GAO Contact
Gregory C. Wilshusen

Director, Information Security Issues

wilshuseng@gao.gov

(202) 512-6244