Final Memorandum, Review of NASA’s Information Security Program (IG-16-016; A-15-005-01), April 14, 2016.
“As part of our annual review of NASA’s compliance with the Federal Information Security Management Act of 2002 (FISMA) for fiscal year 2015, we reviewed a representative sample of 29 information systems from NASA Centers, Headquarters, and the Jet Propulsion Laboratory (JPL) and issued a summary report in October 2015. In that report, we concluded that although NASA had established programs to address each of the review areas identified by the Department of Homeland Security’s (DHS) FISMA guidance, the Agency needed to enhance its efforts in three areas: continuous monitoring management, configuration management, and risk management. We believe that weaknesses in these areas stem from missing requirements related to the Agency’s information system security program. This report focuses on whether NASA has implemented programmatic, Agency-wide information security requirements that are independent of any particular information system… Although NASA has made progress in meeting requirements in support of an Agency-wide information security program, it has not fully implemented key management controls essential to managing that program. Specifically, NASA lacks an Agency-wide risk management framework for information security and an information security architecture. In our judgment, this condition exists because the Office of the CIO (OCIO) has not developed an information security program plan to effectively manage its resources. In addition, the Office is experiencing a period of transition with different leaders acting in the Senior Security Officer role, which has caused uncertainty surrounding information security responsibilities at the Agency level. As a result, we believe NASA’s information security program could be improved to more effectively protect critical Agency information and related systems…”