Information Security
NASA Needs to Remedy Vulnerabilities in Key Networks
Gao ID: GAO-10-4 October 15, 2009
The National Aeronautics and Space Administration (NASA) relies extensively on information systems and networks to pioneer space exploration, scientific discovery, and aeronautics research. Many of these systems and networks are interconnected through the Internet, and may be targeted by evolving and growing cyber threats from a variety of sources. GAO was directed to (1) determine whether NASA has implemented appropriate controls to protect the confidentiality, integrity, and availability of the information and systems used to support NASA's mission directorates and (2) assess NASA's vulnerabilities in the context of prior incidents and corrective actions. To do this, GAO examined network and system controls in place at three centers; analyzed agency information security policies, plans, and reports; and interviewed agency officials.
Although NASA has made important progress in implementing security controls and aspects of its information security program, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates. Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. For example, it did not always sufficiently (1) identify and authenticate users, (2) restrict user access to systems, (3) encrypt network services and data, (4) protect network boundaries, (5) audit and monitor computer-related events, and (6) physically protect its information technology resources. In addition, weaknesses existed in other controls to appropriately segregate incompatible duties and manage system configurations and implement patches. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively. Specifically, it has not always (1) fully assessed information security risks; (2) fully developed and documented security policies and procedures; (3) included key information in security plans; (4) conducted comprehensive tests and evaluation of its information system controls; (5) tracked the status of plans to remedy known weaknesses; (6) planned for contingencies and disruptions in service; (7) maintained capabilities to detect, report, and respond to security incidents; and (8) incorporated important security requirements in its contract with the Jet Propulsion Laboratory. Despite actions to address prior security incidents, NASA remains vulnerable to similar incidents. NASA networks and systems have been successfully targeted by cyber attacks. During fiscal years 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information. To address these incidents, NASA established a Security Operations Center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture. Nevertheless, the control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services. They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-10-4, Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks
This is the accessible text file for GAO report number GAO-10-4
entitled 'Information Security: NASA Needs to Remedy Vulnerabilities in
Key Networks' which was released on October 15, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
October 2009:
Information Security:
NASA Needs to Remedy Vulnerabilities in Key Networks:
GAO-10-4:
GAO Highlights:
Highlights of GAO-10-4, a report to congressional committees.
Why GAO Did This Study:
The National Aeronautics and Space Administration (NASA) relies
extensively on information systems and networks to pioneer space
exploration, scientific discovery, and aeronautics research. Many of
these systems and networks are interconnected through the Internet, and
may be targeted by evolving and growing cyber threats from a variety of
sources.
GAO was directed to (1) determine whether NASA has implemented
appropriate controls to protect the confidentiality, integrity, and
availability of the information and systems used to support NASA‘s
mission directorates and (2) assess NASA‘s vulnerabilities in the
context of prior incidents and corrective actions. To do this, GAO
examined network and system controls in place at three centers;
analyzed agency information security policies, plans, and reports; and
interviewed agency officials.
What GAO Found:
Although NASA has made important progress in implementing security
controls and aspects of its information security program, it has not
always implemented appropriate controls to sufficiently protect the
confidentiality, integrity, and availability of the information and
systems supporting its mission directorates. Specifically, NASA did not
consistently implement effective controls to prevent, limit, and detect
unauthorized access to its networks and systems. For example, it did
not always sufficiently (1) identify and authenticate users, (2)
restrict user access to systems, (3) encrypt network services and data,
(4) protect network boundaries, (5) audit and monitor computer-related
events, and (6) physically protect its information technology
resources. In addition, weaknesses existed in other controls to
appropriately segregate incompatible duties and manage system
configurations and implement patches. A key reason for these weaknesses
is that NASA has not yet fully implemented key activities of its
information security program to ensure that controls are appropriately
designed and operating effectively. Specifically, it has not always (1)
fully assessed information security risks; (2) fully developed and
documented security policies and procedures; (3) included key
information in security plans; (4) conducted comprehensive tests and
evaluation of its information system controls; (5) tracked the status
of plans to remedy known weaknesses; (6) planned for contingencies and
disruptions in service; (7) maintained capabilities to detect, report,
and respond to security incidents; and (8) incorporated important
security requirements in its contract with the Jet Propulsion
Laboratory.
Despite actions to address prior security incidents, NASA remains
vulnerable to similar incidents. NASA networks and systems have been
successfully targeted by cyber attacks. During fiscal years 2007 and
2008, NASA reported 1,120 security incidents that have resulted in the
installation of malicious software on its systems and unauthorized
access to sensitive information. To address these incidents, NASA
established a Security Operations Center in 2008 to enhance prevention
and provide early detection of security incidents and coordinate agency-
level information related to its security posture. Nevertheless, the
control vulnerabilities and program shortfalls, which GAO identified,
collectively increase the risk of unauthorized access to NASA‘s
sensitive information, as well as inadvertent or deliberate disruption
of its system operations and services. They make it possible for
intruders, as well as government and contractor employees, to bypass or
disable computer access controls and undertake a wide variety of
inappropriate or malicious acts. As a result, increased and unnecessary
risk exists that sensitive information is subject to unauthorized
disclosure, modification, and destruction and that mission operations
could be disrupted.
What GAO Recommends:
GAO recommends that the NASA Administrator take steps to mitigate
control vulnerabilities and fully implement a comprehensive information
security program. In commenting on a draft of this report, NASA
concurred with GAO‘s recommendations and stated that it will continue
to mitigate the information security weaknesses identified.
To view the full report, click on [hyperlink,
http://www.gao.gov/products/GAO-10-4]. For more information, contact
Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov or Dr.
Nabajyoti Barkakati, (202) 512-4499, barkakatin@gao.gov.
[End of section]
Contents:
Letter:
Background:
Control Weaknesses Jeopardize NASA Systems and Networks:
Despite Actions to Address Security Incidents, NASA Remains Vulnerable:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: NASA Organization Chart:
Appendix III: Missions of NASA Centers and the Jet Propulsion
Laboratory:
Appendix IV: Comments from NASA:
Appendix V: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Current Support of Mission Directorates by NASA Headquarters,
Centers, and JPL:
Table 2: Examples of Key Networks Supporting NASA's Mission
Directorates:
Table 3: Key NASA Information Security Responsibilities:
Figures:
Figure 1: NASA Headquarters, Centers, and the Jet Propulsion
Laboratory:
Figure 2: Examples of NASA Programs and Projects:
Figure 3: Simplified Illustration of Key Networks Supporting NASA
Programs and Projects:
Figure 4: Total Computer Security Incidents in Categories 1 through 5
Reported by NASA to US-CERT for Fiscal Years 2007-2008:
Abbreviations:
CIO: Chief Information Officer:
DSN: Deep Space Network:
FAR: Federal Acquisition Regulation:
FIPS: Federal Information Processing Standards:
FISMA: Federal Information Security Management Act:
IONet: Internet Protocol Operational Network:
IT: information technology:
JPL: Jet Propulsion Laboratory:
NASA: National Aeronautics and Space Administration:
NISN: NASA Integrated Services Network Mission and Corporate Network:
NIST: National Institute of Standards and Technology:
NSA: National Security Agency:
OMB: Office of Management and Budget:
POA&M: plans of action and milestones:
SOC: Security Operations Center:
US-CERT: United States Computer Emergency Readiness Team:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
October 15, 2009:
The Honorable John D. Rockefeller, IV:
Chairman:
The Honorable Kay Bailey Hutchison:
Ranking Member:
Committee on Commerce, Science, and Transportation:
United States Senate:
The Honorable Bart Gordon:
Chairman:
The Honorable Ralph M. Hall:
Ranking Member:
Committee on Science and Technology:
House of Representatives:
The National Aeronautics and Space Administration's (NASA) mission is
to pioneer the future in space exploration, scientific discovery, and
aeronautics research. To carry out its critical mission and business
operations, NASA depends on interconnected information systems. Many of
these systems are interconnected through the public telecommunications
infrastructure, including the Internet.
Government officials are concerned about attacks from individuals and
groups with malicious intent, such as criminals, terrorists, and
adversarial foreign nations. For example, in February 2009, the
Director of National Intelligence testified that foreign nations and
criminals have targeted government and private sector networks to gain
a competitive advantage and potentially disrupt or destroy them, and
that terrorist groups have expressed a desire to use cyber attacks as a
means to target the United States. To address such threats, NASA has
implemented computer security controls that are intended to protect the
confidentiality, integrity, and availability of its systems and
information.
In response to a congressional mandate,[Footnote 1] our objectives were
to (1) assess the effectiveness of NASA's information security controls
in protecting the confidentiality, integrity, and availability of its
networks supporting mission directorates and (2) assess the
vulnerabilities identified during the audit in the context of NASA's
prior security incidents and corrective actions. To accomplish these
objectives, we examined computer security controls on networks at three
centers supporting NASA's mission directorates to see whether resources
and information were safeguarded and protected from unauthorized
access. We conducted vulnerability assessments of network security with
the knowledge of NASA officials, but we did not perform unannounced
penetration testing during this review. We also reviewed and analyzed
NASA's security policies, plans, and reports.
We performed this performance audit at NASA headquarters in Washington,
D.C.; Goddard Space Flight Center in Greenbelt, Maryland; the Jet
Propulsion Laboratory in Pasadena, California; the Marshall Space
Flight Center in Huntsville, Alabama; and Ames Research Center in
Moffett Field, California, from November 2008 to October 2009. See
appendix I for further details of our objectives, scope, and
methodology.
We conducted our audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
Background:
Information security is a critical consideration for any organization
reliant on information technology (IT) and especially important for
government agencies, where maintaining the public's trust is essential.
The dramatic expansion in computer interconnectivity, and the rapid
increase in the use of the Internet, have changed the way our
government, the nation, and much of the world communicate and conduct
business. However, without proper safeguards, systems are unprotected
from attempts by individuals and groups with malicious intent to
intrude and use the access to obtain sensitive information, commit
fraud, disrupt operations, or launch attacks against other computer
systems and networks. This concern is well-founded for a number of
reasons, including the dramatic increase in reports of security
incidents, the ease of obtaining and using hacking tools, the steady
advance in the sophistication and effectiveness of attack technology,
and the dire warnings of new and more destructive attacks to come.
Cyber threats to federal information systems and cyber-based critical
infrastructures are evolving and growing. These threats can be
unintentional or intentional, targeted or nontargeted, and can come
from a variety of sources, such as foreign nations engaged in espionage
and information warfare, criminals, hackers, virus writers, and
disgruntled employees and contractors working within an organization.
Moreover, these groups and individuals have a variety of attack
techniques at their disposal, and cyber exploitation activity has grown
more sophisticated, more targeted, and more serious. As government,
private sector, and personal activities continue to move to networked
operations, as digital systems add ever more capabilities, as wireless
systems become more ubiquitous, and as the design, manufacture, and
service of IT have moved overseas, the threat will continue to grow. In
the absence of robust security programs, federal agencies have
experienced a wide range of incidents involving data loss or theft and
computer intrusions, underscoring the need for improved security
practices.
Recognizing the importance of securing federal agencies' information
and systems, Congress enacted the Federal Information Security
Management Act of 2002 (FISMA) to strengthen the security of
information and information systems within federal agencies.[Footnote
2] FISMA requires each agency to use a risk-based approach to develop,
document, and implement an agencywide security program for the
information and information systems that support the operations and
assets of the agency, including those provided or managed by another
agency, contractor, or other source.
NASA's Mission and Organization:
The National Aeronautics and Space Act of 1958 (Space Act), as amended,
established NASA as the civilian agency that exercises control over
U.S. aeronautical and space activities and seeks and encourages the
fullest commercial use of space.[Footnote 3] NASA's mission is to
pioneer the future of space exploration, scientific discovery, and
aeronautics research. Its current and planned activities span a broad
range of complex and technical endeavors, including deploying a global
climate change research and monitoring system, returning Americans to
the Moon and exploring other destinations, flying the Space Shuttle to
complete the International Space Station, and developing new space
transportation systems.
NASA is composed of a headquarters office in Washington, D.C., nine
centers located around the country, and the Jet Propulsion Laboratory
(JPL), which is a Federally Funded Research and Development Center
[Footnote 4] under a contract with the California Institute of
Technology (see figure 1).
Figure 1: NASA Headquarters, Centers, and the Jet Propulsion
Laboratory:
[Refer to PDF for image: map of the U.S.]
The following locations are indicated on the map:
Ames Research Center (Moffett Field, CA);
Dryden Flight Research Center (Edwards Air Force Base, CA);
Glenn Research Center (Cleveland, OH);
Goddard Space Flight Center (Greenbelt, MD);
Jet Propulsion Laboratory (Pasadena, CA);
Johnson Space Center (Houston, TX);
Kennedy Space Center (Cape Canaveral, FL);
Langley Research Center (Hampton, VA);
Marshall Space Flight Center (Huntsville, AL);
NASA Headquarters (Washington, D.C.);
Stennis Space Center (Hancock County, MS).
Sources: NASA (data), Map Resources (map).
[End of figure]
Headquarters:
Headquarters is responsible for providing the agency's strategic
direction, top-level requirements, schedules, budgets, and oversight of
its mission. The NASA Administrator is responsible for leading the
agency and is accountable for all aspects of its mission, including
establishing and articulating its vision and strategic priorities and
ensuring successful implementation of supporting policies, programs,
and performance assessments. In this regard, the Office of the
Administrator has overall responsibility for overseeing the activities
and functions of the agency's mission and mission support directorates
and centers.
NASA Headquarters has the following four mission directorates that
define the agency's major lines of business or core mission segments:
* Aeronautics Research pursues long-term, innovative, and cutting-edge
research that develops tools, concepts, and technologies to enable a
safer, more flexible, environmentally friendly, and more efficient
national air transportation system. It also supports the agency's human
and robotic reentry vehicle research.
* Exploration Systems is leading the effort to develop capabilities for
sustained and affordable human and robotic missions. The directorate is
focused on developing the agency's next generation of human exploration
spacecraft designed to carry crew and cargo to low Earth orbit and
beyond, and partnering with industry and expanding the commercial
technology sector. The directorate's responsibilities include operating
the Lunar Reconnaissance Orbiter, Ares V Cargo Launch Vehicle, and
Orion Crew Exploration Vehicle.
* Science carries out the scientific exploration of Earth and space to
expand the frontiers of earth science, heliophysics, planetary science,
and astrophysics. Through a variety of robotic observatory and explorer
craft, and through sponsored research, the directorate provides virtual
human access to the farthest reaches of space and time, as well as
practical information about changes on Earth. The directorate's
responsibilities include operating the Cassini orbiter, Hubble Space
Telescope, and James Webb Space Telescope.
* Space Operations provides mission critical space exploration services
to both NASA customers and to other partners within the United States
and throughout the world. The directorate's responsibilities include
flying the Space Shuttle to assemble the International Space Station,
operating it after assembly is completed, and ensuring the health and
safety of astronauts.
* Each of the agency's four directorates is responsible and accountable
for mission safety and success for the programs and projects assigned
to it. Figure 2 contains images and artist renderings of some of the
spacecraft that are deployed or in development that support the
agency's programs and projects.
Figure 2: Examples of NASA Programs and Projects:
[Refer to PDF for image: photographs]
Left to right: row 1, International Space Station, Space Shuttle, and
Cassini orbiter; row 2, Hubble Space Telescope and James Webb Space
Telescope; row 3, Lunar Reconnaissance Orbiter, Ares V Cargo Launch
Vehicle, and Orion Crew Exploration Vehicle.
Source: NASA.
[End of figure]
NASA headquarters also consists of mission support offices and other
offices that advise the administrator and carry out the common or
shared services that support core mission segments. These support
offices include the Office of Chief Safety and Mission Assurance,
Office of Security and Program Protection, Office of the Chief
Financial Officer, Office of the Chief Information Officer, Office of
the Inspector General, and Office of Institutions and Management. See
appendix II for the agency's organization chart.
NASA Centers:
Centers are responsible for executing the agency programs and projects.
Each center has a director who reports to an Associate Administrator in
the Office of the Administrator. A key institutional role of center
directors is that of service across mission directorate needs and
determining how best to support the various programs and projects
hosted at a given center. Specific responsibilities include (1)
providing resources and managing center operations; (2) ensuring that
statutory, regulatory, fiduciary, and NASA requirements are met; and
(3) establishing and maintaining the staff and their competency.
Jet Propulsion Laboratory:
JPL is a Federally Funded Research and Development Center that is
operated by the California Institute of Technology using government-
owned equipment. The California Institute of Technology is under a
contract with NASA that is renegotiated every 5 years. JPL develops and
maintains technical and managerial competencies specified in the
contract in support of NASA's programs and projects including (1)
exploring the solar system to fully understand its formation and
evolution, (2) establishing continuous permanent robotic presence on
Mars to discover its history and habitability, and (3) conducting
communications and navigation for deep space missions.
Headquarters, centers, and JPL support multiple mission directorates by
taking on management responsibility and contributing to their programs
and projects. See appendix III for a description of the missions of the
individual centers and JPL. Table 1 identifies the mission directorates
supported by each of these entities.
Table 1: Current Support of Mission Directorates by NASA Headquarters,
Centers, and JPL:
Headquarters:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Ames Research Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Dryden Flight Research Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Glenn Research Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Goddard Space Flight Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Johnson Space Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Kennedy Space Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Langley Research Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Marshall Space Flight Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Stennis Space Center:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Jet Propulsion Laboratory:
Aeronautics Research: [Empty];
Exploration Systems: [Empty];
Science: [Empty];
Space Operations: [Empty].
Source: GAO analysis based on NASA data.
[End of table]
In fiscal year 2009, NASA had a budget of $17.78 billion and employed
approximately 18,000 civil service employees and utilized approximately
30,000 contractor employees. NASA's budget request for fiscal year 2010
is $18.686 billion, which is roughly a 5 percent increase from fiscal
year 2009. The agency's IT budget in fiscal year 2009 was $1.6 billion,
of which $15 million was dedicated to IT security.
NASA Partners with a Variety of Organizations:
The Space Act authorizes and encourages NASA to enter into partnerships
that help fulfill its mission. Thus, the agency engages in strategic
partnerships with other federal agencies, and a wide variety of
academic, private sector, and international organizations to leverage
their unique capabilities. For example, the agency partners with (1)
the space agencies of Canada, Japan, and Russia as well as European
Space Agency country members Belgium, Denmark, France, Germany, Italy,
Netherlands, Norway, Spain, Sweden, and the United Kingdom; (2) federal
agencies such as the Federal Aviation Administration, the Department of
Energy, the National Oceanic and Atmospheric Administration, and the
U.S. Air Force, Army, and Navy; (3) institutes, organizations, and
universities in India, Finland, France, Latin America, New Zealand, the
United Kingdom, and the United States; and (4) corporations such as
Boeing and Lockheed Martin.
Key Networks Supporting NASA's Mission Directorates:
NASA depends on a number of key computer systems and communication
networks to conduct its work. These networks traverse the Earth and
beyond providing critical two-way communication links between Earth and
spacecraft; connections between NASA centers and partners, scientists,
and the public; and administrative applications and functions. Table 2
lists several of the key networks supporting the agency.
Table 2: Examples of Key Networks Supporting NASA's Mission
Directorates:
Network: Enhanced Huntsville Operations Support Center System;
Managing entity: Marshall Space Flight Center;
Summary: The ground system responsible for integrated operational
payload flight control and planning for the International Space
Station.
Network: Flight Network;
Managing entity: Jet Propulsion Laboratory;
Summary: Includes (1) the Deep Space Network (DSN), which supports
NASA's deep space missions and provides critical communications and
tracking for multiple spacecraft including Cassini. The Flight Network
consists of radio antennae strategically located at communication
complexes in California, Spain, and Australia to ensure that as the
Earth turns, most spacecraft will have one of these complexes facing
them; (2) services and tools for conducting mission operations; (3)
infrastructure devices; (4) a Domain Name Server; and (5) e-mail.
Network: Integrated Collaborative Environment;
Managing entity: Marshall Space Flight Center;
Summary: A document management and life cycle management application at
Marshall used to manage drawings and documents and to automate
engineering processes for the Constellation Program, which includes the
Ares V Crew Launch Vehicle and Orion projects.
Network: Internet Protocol Operational Network (IONet);
Managing entity: Goddard Space Flight Center;
Summary: A NASA-wide network that supports mission-critical spacecraft
and science operations such as the Hubble Space Telescope and the Space
Shuttle. It is also known as the NASA Integrated Services Network
Mission Network (NISN).
Network: JPLNET;
Managing entity: Jet Propulsion Laboratory;
Summary: JPL's administrative network that provides connectivity to its
resources and hosts, the Internet, and NASA networks. JPLNET is not
part of the JPL Flight Network.
Network: NASA Integrated Services Network Mission and Corporate Network
(NISN);
Managing entity: Goddard Space Flight Center/Marshall Space Flight
Center;
Summary: Comprised of a mission network segment managed by Goddard and
a corporate network segment managed by Marshall. The mission network
segment (also known as the Internet Protocol Operational Network)
provides telecommunications systems and services for mission control,
science data handling, and program administration. Its customer base
includes all agency centers and headquarters, the DSN, most flight
mission programs, contractors, international partners, academia, and
government agencies.
Network: NASA Operational Messaging and Directory Service;
Managing entity: Marshall Space Flight Center;
Summary: The agency's mission support e-mail system. Many parts of NASA
have migrated to this system, and it is intended to be the corporate
centralized e-mail solution for nonflight activities.
Source: GAO analysis based on NASA data.
[End of table]
Transmission of Satellite Data to Networks:
Networks such as the DSN and the IONet send data to and receive data
from spacecraft via satellite relays and ground antennae. Satellite
telescopes accumulate status data such as the satellite's position and
health, and science data such as images and measurements of the
celestial object being studied. Data are stored onboard the satellite
and transmitted to Earth in batches via satellite relays and ground
antennae. For example, figure 3 illustrates how several of these
networks are connected and communicate with spacecrafts, such as the
Hubble Space Telescope, the International Space Station, and the
Cassini orbiter.[Footnote 5]
Figure 3: Simplified Illustration of Key Networks Supporting NASA
Programs and Projects:
[Refer to PDF for image: illustration]
Hubble Space Telescope:
International Space Station:
Link to:
Tracking and Data Relay Satellite System:
Link to:
New Mexico ground station:
Guam ground station:
Link to:
IONet;
Link to:
Other networks;
NASA centers;
NISN Corporate Network.
Saturn:
Link to:
Cassini orbiter:
Link to:
California ground station;
Spain ground station;
Australia ground station;
Link to:
Flight network;
Link to:
JPLNET;
Link to:
Internet.
IONet also links to Flight network.
NISN Corporate Network also links to Internet.
Source: GAO analysis of agency data.
[End of figure]
As shown above, the Cassini orbiter sends data directly to the ground
station antennae at the communication complexes in Australia,
California, and Spain. The Hubble Space Telescope and the International
Space Station send data to ground station antennae via the Tracking and
Data Relay Satellite System[Footnote 6] to ground stations in New
Mexico and Guam. Data received from spacecraft are stored at antenna
facilities until they are distributed to the appropriate locations
through ground communications such as IONet. When data are sent to
spacecraft these pathways are reversed.
Information and Information Systems Supporting NASA Need Protection:
Imperative to mission success is the protection of information and
information systems supporting NASA. One of the agency's most valuable
assets is the technical and scientific knowledge and information
generated by NASA's research, science, engineering, technology, and
exploration initiatives. The agency relies on computer networks and
systems to collect, access, or process a significant amount of data
that requires protection, including data considered mission-critical,
proprietary, and/or sensitive but unclassified information. For
example,
* the agencywide system controlling physical access to NASA facilities
stores personally identifiable information such as fingerprints, Social
Security numbers, and pay grades.
* an application for storing and sharing data such as computer-aided
design and electrical drawings, and engineering documentation for Ares
launch vehicles is being used by 7 agency data centers at 11 locations.
* Accordingly, effective information security controls are essential to
ensuring that sensitive information is adequately protected from
inadvertent or deliberate misuse, fraudulent use, improper disclosure
or manipulation, and destruction. The compromise or loss of such
information could cause harm to a person's privacy or welfare,
adversely impact economic or industrial institutions, compromise
programs or operations essential to the safeguarding of our national
interests, and weaken the strategic technological advantage of the
United States.
NASA's Information Security Program:
FISMA requires each federal agency to develop, document, and implement
an agencywide information security program to provide security for the
information and information systems that support the operations and
assets of the agency, including those provided or managed by other
agencies, contractors, or other sources. As described in table 3, NASA
has designated certain senior managers at headquarters and its centers
to fill the key roles in information security designated by FISMA and
agency policy.
Table 3: Key NASA Information Security Responsibilities:
NASA headquarters officials: NASA Administrator;
Key responsibilities: Responsible for implementing a comprehensive and
effective security program for the protection of people, property, and
information associated with the NASA mission. The administrator must
also ensure that the agency is in compliance with information security
standards and guidelines.
NASA headquarters officials: NASA Chief Information Officer (CIO);
Key responsibilities: Responsible for the NASA-wide IT security program
and has the management oversight responsibilities for ensuring the
confidentiality, integrity, and availability of IT resources. The CIO's
responsibilities are also met by (1) establishing policies and
requirements necessary to comply with FISMA and ensure that NASA
information and information systems are protected; (2) working with the
mission directorates, support offices, centers, and program managers to
reallocate funds to ensure that NASA complies with FISMA and the Office
of Management and Budget (OMB) directives; and (3) reporting to NASA
management and OMB on the status of the agency's IT Security Program.
NASA headquarters officials: NASA Deputy Chief Information Officer
(CIO) for IT;
Key responsibilities: Serves as the Senior Agency Information Security
Officer and is responsible for implementing the IT security program of
NASA; managing, coordinating, and maintaining the overall direction and
structure of the NASA IT Security Program; and establishing standard
operating procedures to ensure consistency of IT security objectives
and solutions.
NASA headquarters officials: Assistant Administrator for the Office of
Security and Program Protection;
Key responsibilities: Responsible for all aspects of classified
national security information matters, including establishing the
certification and accreditation policies, procedures, and guidance for
all classified IT systems operations. The Office of Security and
Program Protection Assistant Administrator's responsibilities include
coordinating with the Senior Agency Information Security Officer in the
issuance of IT security alerts regarding potential threats and exploits
that could affect NASA IT resources and networks.
NASA headquarters officials: NASA IT Security Officer;
Key responsibilities: Responsible for ensuring the effectiveness of
NASA IT security projects crossing agency centers and overseeing the
NASA IT Security Awareness and Training Program.
NASA headquarters officials: Manager, Competency Center for IT
Security;
Key responsibilities: The NASA CIO's authorized organization to provide
agencywide IT security leadership. The Competency Center for IT
Security Manager is responsible for involving mission directorates,
centers, and other stakeholders to ensure the timely introduction of
new agency standards and services and for engaging center personnel in
the definition and implementation of standards, guidelines, and
services.
Center officials: Center Director;
Key responsibilities: Responsible for protecting the center's missions
and programs, advocating support for IT security requirements, and
providing the resources necessary to implement IT security
requirements.
Center officials: Center Chief Information Officer (CIO);
Key responsibilities: Responsible for providing sufficient resources to
ensure compliance with agencywide IT security requirements, managing
the center's network infrastructure to protect information system
owners and to control unauthorized internet protocol addresses, and
establishing an IT security incident response capability.
Center officials: Center IT Security Manager;
Key responsibilities: Responsible for implementing the Center IT
Security Program, developing centerwide IT security policies and
guidance, and maintaining an incident response capability. The IT
Security Manager also ensures that center system security plans are
compliant with guidance from the Senior Agency Information Security
Officer and reports the center's IT security metrics status to center
and agency management.
System-specific officials: Information system owner;
Key responsibilities: Responsible for the successful operation and
protection of the system and its information. These individuals are
usually civil service personnel acting as program, project, and
functional managers but can be support service contractors or partners
under agreements with NASA. Information system owners oversee the IT
security of the systems or applications that are operated and managed
through a support service contract, grant, or agreement. For government-
owned, contractor-operated facilities such as JPL, a noncivil-service
individual, at an equivalent civil service management level, may serve
as the on-duty line manager.
System-specific officials: Information owner;
Key responsibilities: Responsible for the confidentiality, integrity,
and availability of information. Although information owners may have
their information processed by another organization, support service
contractor, or partner, they are ultimately responsible for
understanding any risk that another manager has accepted for the system
processing their information.
System-specific officials: Organization Computer Security Official;
Key responsibilities: Responsible for a particular organization's IT
security program. The Organization Computer Security Official serves as
the critical communication link to and from that organization and its
programs for all IT security matters. Specific responsibilities include
reporting the status of the organization's IT security posture and
suspected and actual IT security incidents to the Center IT Security
Manager.
System-specific officials: Information System Security Official;
Key responsibilities: The principal staff advisor to the information
system owner on all matters involving the IT security of the
information system, including physical and personnel security, incident
handling, and security training and education. The Information System
Security Official plays an active role in developing and updating
information system security plans and ensuring effective and timely
reporting of all incidents and suspected incidents in accordance with
center procedures.
System-specific officials: System administrator;
Key responsibilities: NASA civil service and support service contract
system administrators are the managers and technicians who design and
operate IT resources for their respective centers. They usually have
privileged access to NASA information resources. Specific
responsibilities include ensuring that security controls described in
system security plans are properly implemented and following the
center's incident response procedures.
Source: GAO analysis of NASA data.
[End of table]
Control Weaknesses Jeopardize NASA Systems and Networks:
Although NASA had implemented many information security controls to
protect networks supporting its missions, weaknesses existed in several
critical areas. Specifically, the centers did not consistently
implement effective electronic access controls, including user accounts
and passwords, access rights and permissions, encryption of sensitive
data, protection of information system boundaries, audit and monitoring
of security-relevant events, and physical security to prevent, limit,
and detect access to their networks and systems. In addition,
weaknesses in other information system controls, including managing
system configurations and patching sensitive systems, further increase
the risk to the information and systems that support NASA's missions. A
key reason for these weaknesses was that NASA had not yet fully
implemented key elements of its information security program. As a
result, highly sensitive personal, scientific, and other data were at
an increased risk of unauthorized use, modification, or disclosure.
NASA Did Not Sufficiently Control Access to Information Resources:
A basic management objective for any organization is to protect the
resources that support its critical operations from unauthorized
access. Organizations accomplish this objective by designing and
implementing controls that are intended to prevent, limit, and detect
unauthorized access to computing resources, programs, information, and
facilities. Inadequate access controls diminish the reliability of
computerized information and increase the risk of unauthorized
disclosure, modification, and destruction of sensitive information and
disruption of service. Access controls include those related to (1)
user identification and authentication, (2) user access authorizations,
(3) cryptography, (4) boundary protection, (5) audit and monitoring,
and (6) physical security. Weaknesses in each of these areas existed
across the NASA environment.
Controls for Identifying and Authenticating Users Were Not Effectively
Enforced:
A computer system must be able to identify and authenticate different
users so that activities on the system can be linked to specific
individuals. When an organization assigns unique user accounts to
specific users, the system is able to distinguish one user from
another--a process called identification. The system must also
establish the validity of a user's claimed identity by requesting some
kind of information, such as a password, that is known only by the
user--a process known as authentication. The combination of
identification and authentication--such as user account/password
combinations--provides the basis for establishing individual
accountability and for controlling access to the system. National
Institute of Standards and Technology (NIST) states that (1)
information systems should uniquely identify and authenticate users (or
processes on behalf of users), (2) passwords should be implemented that
are sufficiently complex to slow down attackers, (3) information
systems should protect passwords from unauthorized disclosure and
modification when stored and transmitted, and (4) passwords should be
encrypted to ensure that the computations used in a dictionary or
password cracking attack against a stolen password file cannot be used
against similar password files.
NASA did not adequately identify and authenticate users in systems and
networks supporting mission directorates. For example, NASA did not
configure certain systems and networks at two centers to have complex
passwords. Specifically, these systems and networks did not always
require users to create long passwords. In addition, users did not need
passwords to access certain network devices. Furthermore, encrypted
password and network configuration files were not adequately protected,
and passwords were not encrypted. As a result, increased risk exists
that a malicious individual could guess or otherwise obtain user
identification and passwords to gain network access to NASA systems and
sensitive data.
User Access to NASA Systems Was Not Always Sufficiently Restricted:
Authorization is the process of granting or denying access rights and
privileges to a protected resource, such as a network, system,
application, function, or file. A key component of granting or denying
access rights is the concept of "least privilege." Least privilege is a
basic principle for securing computer resources and data that means
that users are granted only those access rights and permissions that
they need to perform their official duties. To restrict legitimate
users' access to only those programs and files that they need in order
to do their work, organizations establish access rights and
permissions. "User rights" are allowable actions that can be assigned
to users or to groups of users. File and directory permissions are
rules that are associated with a particular file or directory,
regulating which users can access it--and the extent of that access. To
avoid unintentionally giving users unnecessary access to sensitive
files and directories, an organization must give careful consideration
to its assignment of rights and permissions.
However, all three NASA centers we reviewed did not always sufficiently
restrict system access and privileges to only those users that needed
access to perform their assigned duties. For example, the centers did
not always restrict access to sensitive files and control unnecessary
remote access. In addition, NASA centers allowed shared accounts and
group user IDs and did not restrict excessive user privileges.
Furthermore, NASA centers did not effectively limit access to key
network devices through access control lists. As a result, increased
risk exists that users could gain inappropriate access to computer
resources, circumvent security controls, and deliberately or
inadvertently read, modify, or delete critical mission information.
NASA Implemented Encryption Controls but Did Not Always Encrypt Network
Services and Sensitive Data:
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information. A
basic element of cryptography is encryption. Encryption can be used to
provide basic data confidentiality and integrity by transforming plain
text into ciphertext using a special value known as a key and a
mathematical process known as an algorithm.[Footnote 7] The National
Security Agency (NSA) recommends encrypting network services. If
encryption is not used, sensitive information such as user ID and
password combinations are susceptible to electronic eavesdropping by
devices on the network when they are transmitted. In addition, the OMB
has recommended that all federal agencies encrypt all data on mobile
devices like laptops, unless the data has been determined to be
nonsensitive.
Although NASA has implemented cryptography, it was not always
sufficient or used in transmitting sensitive information. For example,
NASA centers did not always employ a robust encryption algorithm that
complied with federal standards to encrypt sensitive information. The
three centers we reviewed neither used encryption to protect certain
network management connections, nor did they require encryption for
authentication to certain internal services. Instead, the centers used
unencrypted protocols to manage network devices, such as routers and
switches. In addition, NASA had not installed full-disk encryption on
its laptops at all three centers. As a result, sensitive data
transmitted through the unclassified network or stored on laptop
computers were at an increased risk of being compromised.
Although NASA Segregated Sensitive Networks, System Boundary Protection
Was Not Always Adequate:
Boundary protection controls logical connectivity into and out of
networks and controls connectivity to and from network connected
devices. Unnecessary connectivity to an organization's network
increases not only the number of access paths that must be managed and
the complexity of the task, but the risk of unauthorized access in a
shared environment. NIST guidance states that firewalls[Footnote 8]
should be configured to provide adequate protection for the
organization's networks and that the transmitted information between
interconnected systems should be controlled and regulated.
Although NASA had employed controls to segregate sensitive areas of its
networks and protect them from intrusion, it did not always adequately
control the logical and physical boundaries protecting its information
and systems. For example, NASA centers did not adequately protect their
workstations and laptops from intrusions through the use of host-based
firewalls. Furthermore, firewalls at the centers did not provide
adequate protection for the organization's networks, since they could
be bypassed. In addition, the three centers had an e-mail server that
allowed spoofed e-mail messages and potentially harmful attachments to
be delivered to NASA. As a result, the hosts on these system networks
were at increased risk of compromise or disruption from the other lower
security networks.
Although NASA Monitored Its Networks, Monitoring Was Not Always
Comprehensive:
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is crucial
to determine who has taken actions on the system, what these actions
were, and when they were taken. According to NIST, when performing
vulnerability scans, greater emphasis should be placed upon systems
that are accessible from the Internet (e.g., Web and e-mail servers);
systems that house important or sensitive applications or data (e.g.,
databases); or network infrastructure components (e.g., routers,
switches, and firewalls). In addition, according to commercial vendors,
running scanning software in an authenticated mode allows the software
to detect additional vulnerabilities. NIST also states that the use of
secure software development techniques, including source code review,
is essential to preventing a number of vulnerabilities from being
introduced into items such as a Web service. NASA requires that audit
trails be implemented on NASA IT systems.
Although NASA regularly monitored its unclassified network for security
vulnerabilities, the monitoring was not always comprehensive. For
example, none of the three centers we reviewed conducted vulnerability
scans for such sensitive applications as databases. In addition, the
centers did not conduct source code reviews. Furthermore, not all
segments and protocols on center networks were effectively monitored by
intrusion detection systems. Moreover, NASA did not always configure
several database systems to enable auditing and monitoring of security-
relevant events and did not adequately perform logging of
authentication, authorization, and accounting activities. As a result,
NASA may not detect certain vulnerabilities or unauthorized activities,
leaving the network at increased risk of compromise or disruption.
Until NASA establishes detailed audit logs for its systems at these
facilities or compensating controls in cases where such logs are not
feasible, it risks being unable to determine if malicious incidents are
occurring and, after an event occurs, being unable to determine who or
what caused the incident.
Although NASA Had Various Physical Security Protections in Place,
Weaknesses Existed:
Physical security controls are important for protecting computer
facilities and resources from espionage, sabotage, damage, and theft.
These controls restrict physical access to computer resources, usually
by limiting access to the buildings and rooms in which the resources
are housed and by periodically reviewing the access granted in order to
ensure that it continues to be appropriate. NASA policy requires that
its facilities and buildings be provided the level of security
commensurate with the level of risk as determined by a vulnerability
risk assessment. In addition, NASA policy requires enhanced security
measures for its mission essential infrastructure such as computing
facilities and data centers, including access control systems,
lighting, and vehicle barriers such as bollards or jersey barriers.
NIST policy also requires that federal agencies implement physical
security and environmental safety controls to protect IT systems and
facilities, as well as employees and contractors. These controls
include protections to prevent excessive heat and fires or unnecessary
water damage.
NASA had various protections in place for its IT resources. It
effectively secured many of its sensitive areas and computer equipment
and takes other steps to provide physical security. For example, all
three NASA centers issued electronic badges to help control access to
many of their sensitive and restricted areas. The agency also maintains
liaisons with law enforcement agencies to help ensure additional
security backup is available if necessary and to facilitate the
accurate flow of timely security information among appropriate
government agencies.
However, NASA's computing facilities may be vulnerable to attack
because of weaknesses in controls over physical access points,
including designated entry and exit points to the facilities where
information systems reside. NASA also neither enforced stringent
physical access measures for, and authorizations to, areas within a
facility, nor did it maintain and review at least annually a current
list of personnel with access to all IT-intensive facilities and
properly authenticate visitors to these facilities. In addition, we
were only able to obtain evidence that risk assessments were performed
for 11 of the 24 NASA buildings we visited, which contained significant
and sensitive IT resources. NASA also did not fully implement enhanced
security measures for its mission essential infrastructure such as
computing facilities and data centers. To illustrate, retractable
bollards that protect delivery doors, generators, and fuel tanks at the
data and communication centers were not operable and were in the "open"
retracted position. NASA also did not fully follow NIST safety and
security guidance. In addition, a data center that houses a large
concentration of sensitive IT equipment including the laboratory's
supercomputer had "wet pipe"[Footnote 9] automatic sprinkler
protection. This type of protection presents risks of water leaks that
could do considerable damage to the sensitive and expensive computer
equipment in the event of a fire. In addition, this data center's
critical cooling equipment and fans located at the rear of the facility
were not separately enclosed and protected. Although the facility's
perimeter is fenced, an unauthorized individual could scale the fence
and damage or sabotage the cooling equipment.
Because areas containing sensitive IT and support equipment were not
adequately protected, NASA has less assurance that computing resources
are protected from inadvertent or deliberate misuse including sabotage,
vandalism, theft, and destruction.
Weaknesses in Other Important Controls Increase Risk:
In addition to access controls, other important controls should be in
place to ensure the security and reliability of an organization's
information. These controls include policies, procedures, and control
techniques to (1) appropriately segregate incompatible duties and (2)
manage system configurations and implement patches. Weaknesses in these
areas could increase the risk of unauthorized use, disclosure,
modification, or loss of NASA's mission sensitive information.
Incompatible Duties Were Not Always Segregated:
Segregation of duties refers to the policies, procedures, and
organizational structure that help ensure that one individual cannot
independently control all key aspects of a process or computer-related
operation and thereby gain unauthorized access to assets or records.
Often segregation of incompatible duties is achieved by dividing
responsibilities among two or more organizational groups. Dividing
duties among two or more individuals or groups diminishes the
likelihood that errors and wrongful acts will go undetected because the
activities of one individual or group will serve as a check on the
activities of the other. Inadequate segregation of duties increases the
risk that erroneous or fraudulent transactions could be processed,
improper program changes implemented, and computer resources damaged or
destroyed.
NASA did not adequately segregate incompatible duties. For example, all
network users at two centers we reviewed had administrative privileges
to their local computer and could install unapproved software. Only
system administrators should have these privileges. As a consequence,
increased risk exists that users could perform unauthorized system
activities without detection.
Although NASA Maintained System Configurations and Installed Patches,
Shortcomings Existed:
Patch management is a critical process that can help alleviate many of
the challenges of securing computing systems.[Footnote 10] As
vulnerabilities in a system are discovered, attackers may attempt to
exploit them, possibly causing significant damage. Malicious acts can
range from defacing Web sites to taking control of entire systems,
thereby being able to read, modify, or delete sensitive information;
disrupt operations; or launch attacks against other organizations'
systems. After a vulnerability is validated, the software vendor may
develop and test a patch or work-around to mitigate the vulnerability.
Incident response groups and software vendors issue information updates
on the vulnerability and the availability of patches.
Although NASA had implemented innovative techniques to maintain system
configurations and install patches, shortcomings existed. For example,
all three NASA centers had not applied a critical operating system
patch or patches for a number of general third-party applications. As a
result, NASA had limited assurance that all needed patches were applied
to critical system resources, increasing the risk of exposing critical
and sensitive unclassified data to unauthorized access. Furthermore,
although the three centers had configured their e-mail systems to
prevent many common cyber attacks, they were still vulnerable to attack
because their systems allowed various file types as e-mail attachments.
These files could be used to install malicious software onto an
unsuspecting user's workstation, potentially compromising the network.
As a result, increased risk exists that an attacker could exploit known
vulnerabilities in these applications to execute malicious code and
gain control of or compromise a system.
NASA Has Not Fully Implemented Its Information Security Program:
A key reason for these weaknesses is that although NASA has made
important progress in implementing the agency's information security
program, it has not effectively or fully implemented an agencywide
information security program. FISMA requires agencies to develop,
document, and implement an information security program that, among
other things, includes:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information systems;
* policies and procedures that (1) are based on risk assessments, (2)
cost effectively reduce information security risks to an acceptable
level, (3) ensure that information security is addressed throughout the
life cycle of each system, and (4) ensure compliance with applicable
requirements;
* plans for providing adequate information security for networks,
facilities, and systems;
* periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices, to be performed with a
frequency depending on risk, but no less than annually, and that
includes testing of management, operational, and technical controls for
every system identified in the agency's required inventory of major
information systems;
* a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in its information security
policies, procedures, or practices;
* plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency; and:
* procedures for detecting, reporting, and responding to security
incidents.
In addition, FISMA states the agency information security program
applies to the information and information systems provided or managed
by contractors or other sources.
We identified a number of shortcomings in key program activities. For
example, NASA had not always (1) fully assessed information security
risks; (2) fully developed and documented security policies and
procedures; (3) included key information in security plans; (4)
conducted comprehensive tests and evaluation of its information system
controls; (5) tracked the status of plans to remedy known weaknesses;
(6) planned for contingencies and disruptions in service; (7)
maintained capabilities to detect, report, and respond to security
incidents; and (8) incorporated important security requirements in its
contract with JPL. Until all key elements of its information security
program are fully and consistently implemented, NASA will have limited
assurance that new weaknesses will not emerge and that sensitive
information and assets are adequately safeguarded from inadvertent or
deliberate misuse, improper disclosure, or destruction.
Although NASA Has Developed Risk Assessments, They Were Not Always
Adequately Performed at Key Facilities:
A comprehensive risk assessment should be the starting point for
developing or modifying an agency's security policies and security
plans. Such assessments are important because they help to make certain
that all threats and vulnerabilities are identified and considered,
that the greatest risks are addressed, and that appropriate decisions
are made regarding which risks to accept and which to mitigate through
security controls. Appropriate risk assessment policies and procedures
should be documented and based on the security categorizations
described in FIPS Publication 199.[Footnote 11] OMB directs federal
agencies to consider risk when deciding what security controls to
implement. OMB states that a risk-based approach is required to
determine adequate security, and it encourages agencies to consider
major risk factors, such as the value of the system or application,
threats, vulnerabilities, and the effectiveness of current or proposed
safeguards. Identifying and assessing physical security risks are also
essential steps in determining what information security controls are
required. NASA policy states that vulnerability risk assessments for
buildings and facilities are to be performed at least every 3 years.
NASA had generally implemented procedures for assessing its security
risks and conducted risk assessments for the five systems and networks
we reviewed. It had also determined security categories for these
systems and networks. In addition, NASA had developed an executive
threat summary on cyber issues facing the agency. Also, NASA's Security
Operations Center (SOC) regularly issued threat analysis reports and
distributed them to offices within NASA responsible for security.
However, NASA had not fully assessed its risks. For example, it had not
conducted a comprehensive agencywide risk assessment that included
mission-related systems and applications. In addition, one center we
reviewed did not prepare an overall network risk assessment that
clearly articulated the known vulnerabilities identified in the
security plans and waivers.[Footnote 12] Furthermore, the waivers were
not elevated or aggregated and documented into an overall risk
management plan. NASA also could not demonstrate that it conducted
vulnerability risk assessments for 13 of the 24 buildings we visited
that contained significant and sensitive information resources. NASA
staff stated that some of the 13 buildings may have had risk
assessments performed in the past, but they could not provide copies of
the assessments or evidence to support these assertions. As a result,
NASA has limited assurance that computing resources are consistently
and effectively protected from inadvertent or deliberate misuse
including fraud or destruction.
Although NASA Developed Security Policies and Procedures, It Did Not
Always Include Key Elements:
Another key task in developing an effective information security
program is to establish and implement risk-based policies, procedures,
and technical standards that govern security over an agency's computing
environment. If properly implemented, policies and procedures should
help reduce the risk that could come from unauthorized access or
disruption of services. Because security policies and procedures are
the primary mechanisms through which management communicates views and
requirements, it is important that these policies and procedures be
established and documented. FISMA requires agencies to develop and
implement policies and procedures to support an effective information
security program. NIST also issued security standards and related
guidance to help agencies implement security controls, including
appropriate information security policies and procedures.
NASA developed and documented several information security policies and
procedures. For example, NASA established standard operating processes
that had been successful in producing a number of IT procedures
relating to certification and accreditation. However, NASA had not
always included all the necessary elements in its security policies and
procedures, as illustrated by the following examples:
* The agency did not have a policy for malware incident handling and
prevention.
* Although NASA defined some security roles, it did not define all
necessary roles and responsibilities for incident response and
detection. Presently the only formal role for managing incidents as
defined by NASA policy is the Information Technology Security Manager.
However, NASA policy did not clearly define roles and responsibilities
for incident response within NASA, such as an intrusion analyst or
incident response manager.
* NASA had not updated the policy for incident handling to reflect the
current environment. Although NASA has developed policy directives
pertaining to incident handling that all NASA centers are required to
follow, these documents had not been updated to reflect the November
2008 establishment of the SOC.
* Physical and environmental policies for the protection of NASA assets
were not adequately defined. NASA's policies do not adequately describe
physical access controls such as authorizing, controlling, and
monitoring physical access to sensitive locations. For example,
regarding monitoring, the agency's policy does not clearly require that
officials maintain and review at least annually a current list of
personnel with access to all IT-intensive facilities. Additionally,
NASA's policies did not provide clear and consistent guidance for
developing and implementing environmental safety controls. For
instance, the agency's policies and procedures lacked information on
fire protection and emergency power shutoff. NASA IT and physical
security policy staff acknowledged these shortcomings and stated that
new policies are being or will be drafted during this calendar year and
should be approved by NASA management around the end of calendar year
2010.
Until these policies are fully developed and documented across all
agency centers, NASA has less assurance that computing resources are
consistently and effectively protected from inadvertent or deliberate
misuse, including fraud or destruction.
NASA Prepared Security Plans but Did Not Always Include All Key
Information:
An objective of system security planning is to improve the protection
of IT resources. A system security plan provides a complete and up-to-
date overview of the system's security requirements and describes the
controls that are in place--or planned--to meet those requirements. OMB
Circular A-130 specifies that agencies develop and implement system
security plans for major applications and general support
systems[Footnote 13] and that these plans address policies and
procedures for providing management, operational, and technical
controls. NIST guidance states that these plans should be updated as
system events trigger the need for revision in order to accurately
reflect the most current state of the system. NIST guidance requires
that all security plans be reviewed and, if appropriate, updated at
least annually.
NASA generally prepared and documented security plans for the five
systems and networks we reviewed. In addition, NASA has developed and
mandated the use of the Risk Management System as the authoritative
source for the creation and storage of system security plans and
documentation. Most notably, JPL also employed a real-time
Certification and Accreditation document repository system, which
facilitates a more repeatable process and ensures consistency and
correctness.
However, NASA did not always include key information in system security
plans. For example, NASA did not always update one system security plan
with the results from its network risk assessment and threat analysis.
In addition, system interconnection security agreements were not always
signed for all external connections. Specifically, a center did not
have signed interconnection security agreements for any connections
with its partners and stakeholders. Furthermore, interconnection
security agreements for one network were still pending. Without a
security plan that describes security requirements and specific threats
as identified in the risk assessment, and without having signed
interconnection security agreements, NASA networks remain vulnerable to
threats.
NASA Conducted System Security Tests, but They Were Not Always
Comprehensive:
A key element of an information security program is to test and
evaluate policies, procedures, and controls to determine whether they
are effective and operating as intended. This type of oversight is a
fundamental element of a security program because it demonstrates
management's commitment to the program, reminds employees of their
roles and responsibilities, and identifies areas of noncompliance and
ineffectiveness. Analyzing the results of security reviews provides
security specialists and business managers with a means of identifying
new problem areas, reassessing the appropriateness of existing controls
(management, operational, technical), and identifying the need for new
controls. FISMA requires that the frequency of tests and evaluations be
based on risks and occur no less than annually.[Footnote 14]
NASA commissioned penetration testing using a rotational audit approach
that covered various NASA centers. The scope of the tests included
internal and external network-based penetration testing, Web
application testing against center-selected Web sites, war-driving to
identify rogue and unprotected wireless access points, configuration
testing on center workstations and networking devices, searches for
publicly available sensitive data, and social engineering scenarios
against help desk staff.
Although NASA conducted system security testing and evaluating on the
five systems and networks we reviewed, the tests were not always
comprehensive. For instance, NASA did not test all relevant security
controls and did not identify certain weaknesses that we identified
during our review. For example, our review revealed problems with a
firewall that were not identified by a test, including the fact that
the firewall can be bypassed. In addition, the network documentation
highlighted managerial control issues, such as the lack of policy, but
insufficient or limited attention was paid to testing weaknesses in
operational and technical controls. As a result, NASA could be unaware
of undetected vulnerabilities in its networks and systems and has
reduced assurance that its controls are being effectively implemented.
Remedial Action Plans Were Not Always Tracked Effectively:
Remedial action plans, also known as plans of action and milestones
(POA&M), can help agencies identify and assess security weaknesses in
information systems and set priorities and monitor progress in
correcting them. NIST guidance states that each federal civilian agency
must report all incidents and internally document remedial actions and
their impact. In addition, NASA policy states that all master and
subordinate IT system POA&Ms should be tracked and reported to the NASA
CIO in a timely manner so that corrective actions can be taken.
Although NASA has developed and implemented a remedial action process,
it did not always prepare remedial action plans for known control
deficiencies or report the status of corrective actions in a
centralized remediation tracking system maintained by the NASA CIO.
[Footnote 15] For example, NASA did not develop POA&Ms to correct
several weaknesses documented in one system's security assessment or to
address remediation threats documented in its risk assessment. In
addition, the NASA centers we reviewed did not always report remedial
action plans and the status of corrective actions into the central
Headquarters Risk Management System used for POA&Ms. Consequently,
senior management officials were not always aware of control weaknesses
that still remained outstanding. Without an effective remediation
program, identified vulnerabilities may not be resolved in a timely
manner, thereby allowing continuing opportunities for unauthorized
individuals to exploit these weaknesses and gain access to sensitive
information and systems.
NASA Did Not Always Adequately Plan for Contingencies:
Contingency planning is a critical component of information protection.
If normal operations are interrupted, network managers must be able to
detect, mitigate, and recover from service disruptions while preserving
access to vital information. Therefore, a contingency plan details
emergency response, backup operations, and disaster recovery for
information systems. It is important that these plans be clearly
documented, communicated to potentially affected staff, and updated to
reflect current operations. NIST also requires that all of an agency's
systems have a contingency plan and that the plans address, at a
minimum, identification and notification of key personnel, plan
activation, system recovery, and system reconstitution. NASA guidance
states that contingency plans should describe an alternate backup site
in a geographic area that is unlikely to be negatively affected by the
same disaster event (e.g., weather-related impacts or power grid
failure) as the organization's primary site. The guidance also states
that contingency plans should include contact information for disaster
recovery personnel.
NASA had developed contingency plans for the five systems and networks
we reviewed. However, shortcomings existed in several plans.
Specifically, (1) NASA did not approve the contingency plans for one
network and one system we reviewed; (2) it did not include contact
information for disaster recovery personnel at a center, even though
their roles and responsibilities for disaster recovery were described;
(3) NASA did not describe an alternate backup site for a center in a
geographic area outside of the primary site, and had not designated
backup facilities for a network we reviewed; and (4) the contingency
plan for a system we reviewed did not follow NASA's guidance on
contingency planning, since it did not include review and approval
signatures, information contact(s) and line of succession, and damage
assessment procedures. As a result, NASA is at a greater risk for major
service disruptions with respect to its important mission networks in
the event of a disaster to the primary facility.
NASA Has Implemented Incident Detection and Handling Capabilities, but
They Remain Limited:
Even strong controls may not block all intrusions and misuse, but
organizations can reduce the risks associated with such events if they
take steps to promptly detect and respond to them before significant
damage is done. NIST offers the following guidance for establishing an
effective computer security incident response capability. Organizations
should create an incident response policy, and use it as the basis for
incident response procedures, that defines which events are considered
incidents, establishes the organizational structure for incident
response, defines roles and responsibilities, and lists the
requirements for reporting incidents, among other items. In addition,
organizations should acquire the necessary tools and resources for
incident handing, including communications, facilities, and the
analysis of hardware and software.
NASA has established a computer security incident handling project to
respond to incidents. As part of this project, NASA has implemented a
SOC, within Ames Research Center, which is the central coordination
point for NASA's incident handling program and for reporting of
incidents to the United States Computer Emergency Readiness Team (US-
CERT).[Footnote 16] The SOC began operations in November 2008 and is
expected to enhance prevention and provide early detection of security
incidents and coordinate agency-level information related to NASA's IT
security posture. The SOC has implemented an agency hotline for
security incidents and a centralized incident management system for the
coordination, tracking, and reporting of agency incidents. It is
currently improving its infrastructure to support detection,
notification, investigation, and response to incidents in a timely
manner. In addition to the SOC, the three centers that we reviewed had
their own teams of incident responders that addressed and tracked
incidents at their centers.
However, NASA's capabilities to detect, report, and respond to security
incidents remain limited. The following are examples:
* The agency is not using a consistent definition of an incident.
Responders at several centers stated they were following the NIST/US-
CERT definition of an incident, which makes no distinction between an
event and an incident. Although a center's standard operating procedure
did not include a formal definition of a computer security incident,
the center personnel stated that incidents are only those that are
confirmed. However, a definition of what constitutes a "confirmed"
incident was not provided.
* The organizational structure for incident response roles and
responsibilities was outdated since it assigned central coordination
and analysis of incidents to an organization that no longer existed.
Although the SOC has developed an incident management plan, policies,
and procedures for responding to incidents, they were in draft and had
not been distributed to all the centers.
* Although two of the centers support mission related operations that
operate 24x7, the two centers' incident response teams were not staffed
around the clock.
* The business impacts of incidents were not adequately specified in
NASA incident documentation. NASA incident documentation contains
references to the fact that data subject to International Traffic in
Arms Regulations[Footnote 17] were stolen along with a laptop. However,
the precise data that were lost were described only in very general
terms so that the business impacts are not known. Moreover, although
agency officials stated that conducting root cause analyses is required
and part of the standard incident response workflow, there were many
incidents for which a detailed post-incident analysis was not
performed.
In addition, weaknesses in NASA's technical controls impact its
incident handling and detection controls. For example, two centers we
reviewed did not employ host-based firewalls on their workstations,
laptops, or devices. In addition, one network had limited incident
detection systems to detect malicious traffic coming from its internal
and off-site connections. Moreover, another network had no internal
incident detection system in place to monitor traffic, with the partial
exception of network incident detection coverage of ingress/egress for
it. Furthermore, one center had not adequately established and
implemented tools and processes to ensure timely detection of security
incidents.
As a result, there is a heightened risk that NASA may not be able to
detect, contain, eradicate, or recover from incidents, and improve the
incident handling process.
NASA Did Not Include Important Security Requirements in Its Contract:
The agencywide information security program required by FISMA applies
not only to information systems used or operated by an agency but also
to information systems used or operated by a contractor of an agency or
other agency on behalf of an agency. In addition, the Federal
Acquisition Regulation (FAR) requires that federal agencies prescribe
procedures for ensuring that agency planners on IT acquisitions comply
with the IT security requirements of FISMA, OMB's implementing
policies, including appendix III of OMB Circular A-130, and guidance
and standards from NIST.[Footnote 18] Appropriate policies and
procedures should be developed, implemented, and monitored to ensure
that the activities performed by external third parties are documented,
agreed to, implemented, and monitored for compliance.
However, NASA did not adequately incorporate information security
requirements in its contract with the JPL contractor. Although the
contract for JPL specified adherence to certain NASA security
policies,[Footnote 19] it did not require the contractor to implement
key elements of an information security program. For example, the
following NASA and FISMA requirements are not specifically referenced
in the JPL contract:
* Periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices performed with a frequency
depending on risk, but not less than annually, and including testing of
management, operational, and technical controls for every system.
* A process for planning, implementing, evaluating, and documenting
remedial actions to address any deficiencies in the information
security policies, procedures, and practices of the agency.
* Procedures for detecting, reporting, and responding to security
incidents.
* Plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the
agency.
In addition, NASA did not incorporate provisions in the contract to
allow it to perform effective oversight of the contractor's
implementation of the security controls and program. For example, the
JPL contract did not recognize the oversight roles of the NASA
Administrator, the NASA CIO, the senior agency information security
officer and other senior NASA managers as defined in NASA's policy.
[Footnote 20]
As a result, NASA faces a range of risks from contractors and other
users with privileged access to NASA's systems, applications, and data
since contractors that provide users with privileged access to agency/
entity systems, applications, and data can introduce risks to their
information and information systems.
Despite Actions to Address Security Incidents, NASA Remains Vulnerable:
NASA has experienced numerous cyber attacks on its networks and systems
in recent years. During fiscal years 2007 and 2008, NASA reported 1,120
security incidents to US-CERT in the following five US-CERT-defined
categories:
* Unauthorized access: Gaining logical or physical access without
permission to a federal agency's network, system, application, data, or
other resource.
* Denial of service: Preventing or impairing the normal authorized
functionality of networks, systems, or applications by exhausting
resources. This activity includes being the victim of or participating
in a denial of service attack.
* Malicious code: Installing malicious software (e.g., virus, worm,
Trojan horse, or other code-based malicious entity) that infects an
operating system or application. Agencies are not required to report
malicious logic that has been successfully quarantined by antivirus
software.
* Improper usage: Violating acceptable computing use policies.
* Scans/probes/attempted access: Accessing or identifying a federal
agency computer, open ports, protocols, service, or any combination of
these for later exploit. This activity does not directly result in a
compromise or denial of service.
* As noted in figure 4, the two most prevalent types of incidents
reported by NASA were malicious code[Footnote 21] and unauthorized
access.
Figure 4: Total Computer Security Incidents in Categories 1 through 5
Reported by NASA to US-CERT for Fiscal Years 2007-2008:
[Refer to PDF for image: pie-chart]
Denial of service; improper usage; and scans, probes, attempted access
(Cat 2, 4, and 5): 72;
Unauthorized access (Cat 1): 209;
Malicious code (Cat 3): 839.
Source: GAO analysis of US-CERT data.
[End of figure]
A NASA report stated that the number of malicious code attacks (839)
was the highest experienced by any of the federal agencies, which
accounted for over one-quarter of the total number of malicious code
attacks directed at federal agencies during this period. According to
an official at the US-CERT, NASA's high profile makes the agency an
attractive target for hackers seeking recognition, or for nation-state
sponsored cyber spying.
The impact of these and more recent incidents can be significant. The
following examples are illustrative:
* In 2009, NASA reported incidents involving unauthorized access to
sensitive data. For example, one center reported the theft of a laptop
containing data subject to International Traffic in Arms Regulations.
Stolen data included roughly 3,000 files of unencrypted International
Traffic in Arms Regulations data with information for Hypersonic Wind
Tunnel testing for the X-51 scramjet project and possibly personally
identifiable information. Another center reported the theft of a laptop
containing thermal models, review documentation, test plans, test
reports, and requirements documents pertaining to NASA's Lunar
Reconnaissance Orbiter and James Webb Space Telescope projects. The
incident report does not indicate whether this lost data was
unencrypted or encrypted or how the incident was resolved.
Significantly, these were not isolated incidents since NASA reported
209 incidents of unauthorized access to US-CERT during fiscal years
2007 and 2008.
* One center was alerted by the NASA SOC in February 2009 about traffic
associated with a Seneka Rootkit Bot.[Footnote 22] In this case, NASA
found that 82 NASA devices had been communicating with a malicious
server since January 2009. A review of the data revealed that most of
these devices were communicating with a server in the Ukraine. By March
2009, three centers were also infected with the bot attack.
* In October 2007, a total of 86 incidents related to the Zonebac
Trojan[Footnote 23] were reported by NASA centers. This particular form
of malware is capable of disabling security software and downloading
and running other malicious software at the whim of the attacker. US-
CERT reported in January 2008 on NASA's ongoing problems with Zonebac
and other malware infestations and recommended that the agency employ
consistent patching and user education practices to prevent such
infections from occurring.
* In July 2008, NASA found several hosts infected with the Coreflood
Trojan that is capable of frequently updating itself and stealing a
large number of user credentials that can be used to log onto other
machines within a domain. Investigation revealed that NASA computers
were infected and communicating with a hostile command and control
server.
These attacks can result in damage to applications, data, or operating
systems; disclosure of sensitive information; propagation of malware;
use of affected systems as bots; an unavailability of systems and
services; and a waste of time, money, and labor.
In response to these and other attacks, NASA has enhanced its incident
response capabilities and computer defensive capabilities at NASA's
centers. For example, the three centers that we reviewed had their own
teams of incident responders that addressed and tracked incidents at
their centers. In addition, the SOC was established in 2008 to enhance
prevention and provide early detection of security incidents and
coordinate agency-level information related to NASA's security posture.
The SOC has implemented an agency hotline for security incidents and an
incident management system for the coordination and tracking of agency
security incidents. It is currently improving its infrastructure to
support detection, notification, investigation, and response to
security incidents in a timely manner.
Despite actions to address security incidents, NASA remains vulnerable
to similar incidents going forward. The control vulnerabilities and
program shortfalls that we identified collectively increase the risk of
unauthorized access to NASA's sensitive information, as well as
inadvertent or deliberate disruption of its system operations and
services. They make it possible for intruders, as well as government
and contractor employees, to bypass or disable computer access controls
and undertake a wide variety of inappropriate or malicious acts. As a
result, increased and unnecessary risk exists that sensitive
information will be subject to unauthorized disclosure, modification,
and destruction and that mission operations could be disrupted.
Conclusions:
Information security weaknesses at NASA impair the agency's ability to
ensure the confidentiality, integrity, and availability of sensitive
information. The systems supporting NASA's mission directorates at the
three centers we reviewed have vulnerabilities in information security
controls that place mission sensitive information, scientific, other
data, and information systems at increased risk of compromise. A key
reason for these vulnerabilities is that NASA has not yet fully
implemented its information security program to ensure that controls
are appropriately designed and operating effectively.
NASA's high profile and cutting edge technology makes the agency an
attractive target for hackers seeking recognition, or for nation-state
sponsored cyber spying. Thus, it is vital that attacks on NASA computer
systems and networks are detected, resolved, and reported in a timely
fashion and that the agency has effective security controls in place to
minimize its vulnerability to such attacks. Despite actions to address
previous security incidents, the control vulnerabilities and program
shortfalls we identified indicate that NASA remains vulnerable to
future incidents. These weaknesses could allow intruders, as well as
government and contractor employees, to bypass or disable computer
access controls and undertake a wide variety of inappropriate or
malicious acts. Until NASA mitigates identified control vulnerabilities
and fully implements its information security program, the agency will
be at risk of unauthorized disclosure, modification, and destruction of
its sensitive information and disruption of critical mission
operations.
Recommendations for Executive Action:
To assist NASA in improving the implementation of its agencywide
information security program, we recommend that the NASA Administrator
direct the NASA CIO to take the following eight actions:
* Develop and implement comprehensive and physical risk assessments
that include mission-related systems and applications and known
vulnerabilities identified in the security plans and waivers.
* Develop and fully implement security policies and procedures for
malware, incident handling roles and responsibilities, and physical
environmental protection.
* Include key information for system security plans such as information
from risk assessments and signed system interconnection security
agreements.
* Conduct sufficient or comprehensive security testing and evaluation
of all relevant security controls including management, operational,
and technical controls.
* Develop remedial action plans to address any deficiencies and ensure
that master and subordinate IT system items are tracked and reported to
the agency CIO in a timely manner so that corrective actions can be
taken.
* Update contingency plans to include key information such as, contact
information and approvals, and describe an alternate backup site in a
geographic area that is unlikely to be negatively affected by the same
disaster event.
* Implement an adequate incident detection program to include a
consistent definition of an incident, incident roles and
responsibilities, resources to operate the program, and business
impacts of the incidents.
* Include all necessary security requirements in the JPL contract.
In a separate report with limited distribution, we are also making 179
recommendations to address the 129 weaknesses identified during this
audit to enhance NASA's access controls.
Agency Comments and Our Evaluation:
In providing written comments on a draft of this report (reprinted in
appendix IV), the NASA Deputy Administrator concurred with our
recommendations and noted that many of the recommendations are
currently being implemented as part of an ongoing strategic effort to
improve information technology management and IT security program
deficiencies. In addition, she stated that NASA will continue to
mitigate the information security weaknesses identified in our report.
The actions identified in the Deputy Administrator's response will, if
effectively implemented, improve the agency's information security
program.
We are sending copies to interested congressional committees, the
Office of Management and Budget, the NASA Administrator, the NASA
Inspector General and other interested parties. The report also is
available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report, please
contact Gregory C. Wilshusen at (202) 512-6244 or Dr. Nabajyoti
Barkakati at (202) 512-4499. We can also be reached by e-mail at
wilshuseng@gao.gov or barkakatin@gao.gov. GAO staff who made major
contributions to this report are listed in appendix V.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Dr. Nabajyoti Barkakati:
Chief Technologist:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to (1) determine the effectiveness of
the National Aeronautics and Space Administration's (NASA) information
security controls in protecting the confidentiality, integrity, and
availability of its networks supporting mission directorates and (2)
assess the vulnerabilities identified during the audit in the context
of NASA's prior security incidents and corrective actions.
To determine the effectiveness of security controls, we reviewed
networks at three centers to gain an understanding of the overall
network control environment, identified its interconnectivity and
control points, and examined controls for NASA networks.
Using our Federal Information System Controls Audit Manual,[Footnote
24] which contains guidance for reviewing information system controls
that affect the confidentiality, integrity, and availability of
computerized information, National Institute of Standards and
Technology (NIST) standards and guidance, and NASA's policies,
procedures, practices, and standards, we evaluated controls by:
* developing an accurate understanding of the overall network
architecture and examining configuration settings and access controls
for routers, network management servers, switches, and firewalls;
* reviewing the complexity and expiration of password settings to
determine if password management was enforced;
* analyzing users' system authorizations to determine whether they had
more permissions than necessary to perform their assigned functions;
* observing methods for providing secure data transmissions across the
network to determine whether sensitive data were being encrypted;
* observing whether system security software was logging successful
system changes;
* observing physical access controls to determine if computer
facilities and resources were being protected from espionage, sabotage,
damage, and theft;
* inspecting key servers and workstations to determine whether critical
patches had been installed or were up-to-date; and:
* examining access responsibilities to determine whether incompatible
functions were segregated among different individuals.
Using the requirements identified by the Federal Information Security
Management Act of 2002 (FISMA), which establishes key elements for an
effective agencywide information security program, we evaluated five
NASA systems and networks by:
* analyzing NASA's policies, procedures, practices, standards, and
resources to determine their effectiveness in providing guidance to
personnel responsible for securing information and information systems;
* reviewing NASA's risk assessment process and risk assessments to
determine whether risks and threats were documented consistent with
federal guidance;
* analyzing security plans to determine if management, operational, and
technical controls were in place or planned and that security plans
reflected the current environment;
* analyzing NASA's procedures and results for testing and evaluating
security controls to determine whether management, operational, and
technical controls were sufficiently tested at least annually and based
on risk;
* examining remedial action plans to determine whether they addressed
vulnerabilities identified in NASA's security testing and evaluations;
* examining contingency plans to determine whether those plans
contained essential information, reflected the current environment, and
had been tested to assure their sufficiency;
* reviewing incident detection and handling policies, procedures, and
reports to determine the effectiveness of the incident handling
program; and:
* analyzing whether security requirements were implemented effectively
by the contractor.
We also discussed with key security representatives and management
officials whether information security controls were in place,
adequately designed, and operating effectively.
To assess NASA's vulnerabilities in the context of prior incidents and
corrective actions, we reviewed and analyzed United States Computer
Emergency Readiness Team (US-CERT) data on NASA's reported incidents,
examined NASA security incident reports in the last two fiscal years,
inspected plans for corrective actions and the implementation of the
Security Operations Center, and interviewed NASA officials on how NASA
corrected identified vulnerabilities.
We performed our audit at NASA headquarters in Washington, D.C.;
Goddard Space Flight Center in Greenbelt, Maryland; the Jet Propulsion
Laboratory in Pasadena, California; the Marshall Space Flight Center in
Huntsville, Alabama; and Ames Research Center at Moffett Field,
California, from November 2008 to October 2009 in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
[End of section]
Appendix II: NASA Organization Chart:
[Refer to PDF for image: organizational chart]
Top level:
Office of the Administrator:
Administrator;
Deputy Administrator;
Associate Administrator.
Reporting to the Office of the Administrator:
Chief of Staff;
Inspector General;
NASA Advisory Groups;
Chief Safety and Mission Assurance;
Program Analysis and Evaluation;
Chief Engineer;
Program and Institutional Integration;
Second level, reporting to the Office of the Administrator:
Mission Directorates:
Aeronautics Research;
Exploration Systems;
Science;
Space Operations.
Mission Support Offices:
Chief Financial Officer;
Chief Health and Medical Officer;
Chief Information Officer;
External Relations;
General Counsel;
Innovative Partnership Program;
Institutions and Management;
Security and Program Protection;
Strategic Communications.
NASA Centers:
Ames Research Center;
Dryden Flight Research Center;
Glenn Research Center;
Goddard Space Flight Center;
Jet Propulsion Laboratory;
Johnson Space Center;
Kennedy Space Center;
Langley Research Center;
Marshall Space Flight Center;
Stennis Space Center.
Source: NASA.
[End of figure]
[End of section]
Appendix III: Missions of NASA Centers and the Jet Propulsion
Laboratory:
NASA center: Ames Research Center;
Mission: Provides leadership in astrobiology, small-satellites, the
search for habitable planets, supercomputing, intelligent/adaptive
systems, advanced thermal protection, and airborne astronomy.
NASA center: Dryden Flight Research Center;
Mission: Performs flight research and technology integration to
revolutionize aviation and pioneer aerospace technology; validates
space exploration concepts; conducts airborne remote sensing, and
science missions; enables airborne astrophysics observation missions to
discover the origin, structure, evolution, and destiny of the universe;
and supports operations of the Space Shuttle and the International
Space Station.
NASA center: Glenn Research Center;
Mission: Develops critical space flight systems and technologies to
advance the exploration of our solar system and beyond while
maintaining leadership in aeronautics. In partnership with U.S.
industries, universities, and other government institutions, research
and development efforts focus on advancements in propulsion, power,
communications, nuclear, and human-related aerospace systems.
NASA center: Goddard Space Flight Center;
Mission: Expands the knowledge of Earth and its environment, the solar
system, and the universe through observations from space. The center
also conducts scientific investigations, develops and operates space
systems, and advances essential technologies.
NASA center: Johnson Space Center;
Mission: Hosts and staffs program and project offices; selects and
trains astronauts; manages and conducts projects that build, test, and
integrate human-rated systems for transportation, habitation, and
working in space; and plans and operates human space flight missions.
Programs that Johnson Space Center supports include the Space Shuttle
Program, the International Space Station Program, and the Constellation
Program.
NASA center: Kennedy Space Center;
Mission: Performs preflight processing, launch, landing, and recovery
of the agency's human-rated spacecraft and launch vehicles; the
assembly, integration, and processing of International Space Station
elements and flight experiments; and the acquisition and management of
Expendable Launch Vehicles for other agency spacecraft. The center
leads the development of ground systems supporting human-rated
spacecraft and launch vehicle hardware elements and hosts the
manufacturing of the Orion Crew Exploration Vehicles.
NASA center: Langley Research Center;
Mission: Pioneers the future in space exploration, scientific
discovery, and aeronautics through research and development of
technology, scientific instruments and investigations, and exploration
systems.
NASA center: Marshall Space Flight Center;
Mission: Performs systems engineering and integration for both human
and robotic missions. Marshall performs engineering design,
development, and integration of the systems required for space
operations, exploration, and science. The center also manages the
Michoud Assembly Facility, which supports the unique manufacturing and
assembly needs of current and future NASA programs and provides
critical telecommunications and business systems for the agency.
NASA center: Stennis Space Center;
Mission: Implements NASA's mission in areas assigned by three agency
mission directorates. The center manages and operates Rocket Propulsion
Test facilities and support infrastructure for the Space Operations and
Exploration Systems mission directorates, serves as Systems Engineering
Center for and manages assigned Applied Sciences program activities for
the Science mission directorate, and serves as federal manager and host
agency of a major government multiagency center.
NASA center: Jet Propulsion Laboratory;
Mission: A contractor-operated federally funded research and
development center that supports NASA's strategic goals by exploring
our solar system; establishing a continuous permanent robotic presence
at Mars to discover its history and habitability; making critical
measurements and models to better understand the solid Earth, oceans,
atmosphere, and ecosystems, and their interactions; conducting
observations to search for neighboring solar systems and Earth-like
planets, and help understand formation, evolution, and composition of
the Universe; conducting communications and navigation for deep space
missions; providing support that enables human exploration of the Moon,
Mars, and beyond; and collaborating with other federal and state
government agencies and commercial endeavors.
Source: GAO analysis of NASA data.
[End of table]
[End of section]
Appendix IV: Comments from NASA:
National Aeronautics and Space Administration:
Office of the Administrator:
Washington, DC 20546-0001:
October 9, 2009:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
United States Government Accountability Office:
Washington, DC 20548:
Dear Mr. Wilshusen:
NASA appreciates the opportunity to comment on your draft report
entitled, "Information Security: NASA Needs to Remedy Vulnerabilities
in Key Networks" (GAO-10-4). In the draft report, GAO makes a total of
eight recommendations intended to assist NASA in improving the
implementation of its Agency-wide information security program.
While NASA generally concurs with the GAO recommendations, I would like
to note that many of the recommendations are currently being
implemented as part of an ongoing strategic effort to improve
information technology (IT) management and IT security program
deficiencies previously identified through several NASA internal
assessments. The ubiquitous use and reliance on IT at NASA, mixed with
the rapidly changing and simple accessibility to new technology, make
the size, scope, and timeline for improving IT management and security
a complex, multiphase, and multiyear undertaking. Consequently, efforts
toward improving IT management and the IT security program are at
various stages of maturity. Although the IT security posture at NASA
has significantly improved over the last three years, NASA recognizes
there are still significant gaps that will require increased management
attention and more time to alleviate.
NASA views IT security not as a stand-alone set of activities, but
rather as an embedded component within all aspects of IT, including
management and governance. Deficiencies with IT security are often a
result of systemic issues in the management of IT. To this end, NASA
continues to implement improvements in IT management, adhering to the
previously developed strategy for providing an integrated, secure, and
efficient IT environment that supports the NASA mission.
Specifically, GAO recommends the following:
Recommendation 1: Develop and implement comprehensive and physical risk
assessments that include mission-related systems and applications and
known vulnerabilities identified in the security plans and waivers.
NASA Response: Concur. NASA Procedural Requirements (NPR) 1620.2,
Physical Security Vulnerability Risk Assessments, supports NASA Center
management in meeting the responsibility of protecting NASA's assets in
a cost-effective manner. It is designed to assist security officers in
carrying out their responsibilities in support of management and the
NASA Security Program. The results of the physical security
vulnerability risk assessment are to be used to determine the
appropriate level of protection needed to safeguard these resources
adequately and economically. NPR 1620.3, Physical Security Requirements
for NASA Facilities and Property, establishes standardized physical
security requirements for specific categories of NASA assets. Paragraph
3.10 of NPR 1620.3 refers to securing Super Computing Facilities and
Data Centers. These NPR, Federal Information Security Management Act
(FISMA), and National Institute of Standards and Technology (NIST)
physical security requirements are incorporated into the Office of
Protective Services' (OPS) recently re-defined functional review
process. The OPS is on track for conducting a minimum of three
functional reviews per year. It is projected that all Centers will have
a completed comprehensive review by the end of 2011. Each Center will
be assessed on a three-year cycle to assure ongoing physical
protections of information technology assets are in place and in
working order. In addition, the OPS will provide direction to all
Centers to ensure that all vulnerability risk assessments older than
two years old are revalidated within 12 months. It is understood that
in many cases a level of security cannot be attained immediately due to
funding constraints and at times geographical and/or environmental
factors. In these cases, mitigating measures will be employed. In
addition, Center physical security personnel will coordinate more
closely with IT system owners in the preparation of system
certification and accreditation packages. As plans of actions and
milestones (POAMs) are developed, OPS will work collaboratively with
the Office of the CIO (OCIO) to assure comprehensive and integrated
security measures are implemented.
Recommendation 2: Develop and fully implement security policies and
procedures for malware, incident handling roles and responsibilities,
and physical environmental protection.
NASA Response: Concur. NASA's overarching security policy, NPR 2810.1B,
Security of Information Technology, is currently under revision. This
draft revision follows the requirements of NIST guidance contained
within Special Publication 800-53r3 and includes the addition of
policies and procedures for malware, incident handling roles and
responsibilities, and physical environmental protections. Planned
finalization and implementation of NPR 2810.1B is June 2010. NASA will
issue an interim directive by November I, 2009, communicating this
requirement.
Recommendation 3: Include key information for system security plans
such as information from risk assessments and signed system
interconnection security agreements.
NASA Response: Concur. NASA will ensure the update to NPR 2810.1B
includes the requirement to include key information from risk
assessments and signed interconnection security within system security
plans. Planned finalization and implementation of NPR 2810.1B is June
2010. NASA will issue an interim directive by November 1, 2009,
communicating this requirement.
Recommendation 4: Conduct sufficient or comprehensive security testing
and evaluation of all relevant security controls including management,
operational, and technical controls.
NASA Response: Concur. NASA has employed the services of a third-party
independent assessor to conduct a comprehensive security test and
evaluation of all relevant security controls, which includes
management, operational, and technical controls, on a three-year basis
or when there are significant changes to an information system. The
NASA Office of the Inspector General has formally verified that the
process used to evaluate the security controls as "Good." NASA is
scheduled to reevaluate the current process by January 1, 2010, and, if
necessary, make changes to improve the evaluation of security controls.
Recommendation 5: Develop remedial action plans to address any
deficiencies and ensure that master and subordinate IT system items are
tracked and reported to the agency CIO in a timely manner so that
corrective actions can be taken.
NASA Response: Concur. By June 1, 2010, NASA will ensure that all POAMs
from master and subordinate systems are located in a single
authoritative repository, which ensures centralized tracking of
security deficiencies and remediation.
Recommendation 6: Update contingency plans to include key information
such as contact information and approvals and describe an alternate
backup site in a geographic area that is unlikely to be negatively
affected by the same disaster event.
NASA Response: Concur. By January 1, 2010, NASA will direct the third-
party independent assessor of security controls to ensure that key
information such as contact information and approvals and, when
appropriate, that an alternate backup site is described, is included in
the contingency plans as those systems are recertified and accredited.
Recommendation 7: Implement an adequate incident detection program to
include a consistent definition of an incident, incident roles and
responsibilities, resources to operate the program, and business
impacts of the incidents.
NASA Response: Concur. NASA has implemented an adequate incident
detection program. In 2009, the United States Computer Emergency
Readiness Team formally validated that NASA has one of the best
incident detection programs in the Federal Government. NASA is credited
with identifying several zero-day vulnerabilities and exploits in
commercial software in the previous three years. Additionally, by June
1, 2010, NASA will:
* Build out its incident detection capability during phase II of the
Security Operations Center (SOC) implementation project;
* Articulate across the enterprise a consistent definition of an
incident;
* Articulate incident roles and responsibilities through the update of
the appropriate NASA policies and procedures relating to incident
management;
* Budget for the appropriate resources required to operate the incident
management program; and;
* Ensure that business impacts of enterprise-wide incidents or mission
critical activities are described during the reporting phase of the
incident's management life cycle.
Recommendation 8: Include all necessary security requirements in the
JPL contract.
NASA Response: Concur. NASA will develop security requirements for
potential modification of the existing Jet Propulsion Laboratory (JPL)
contract or follow-on by June 1, 2010. Any and all security
requirements must be reviewed and accepted by JPL before inclusion into
the legal and binding instrument.
We will continue measures to mitigate the information security
weaknesses identified in this report. If you have any questions or
require additional information, please contact Jerry Davis at 202-358-
1401.
Thank you again for the opportunity to review this draft report, and we
are looking forward to your final report to Congress.
Sincerely,
Signed by:
Lori B. Garver:
Deputy Administrator:
[End of section]
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gregory C. Wilshusen, (202) 512-6244, or wilshuseng@gao.gov Dr.
Nabajyoti Barkakati, (202) 512-4499, or barkakatin@gao.gov:
Staff Acknowledgments:
In addition to the individuals named above, West Coile and William
Wadsworth (Assistant Directors), Edward Alexander, Angela Bell, Mark
Canter, Saar Dagani, Kirk Daubenspeck, Neil Doherty, Patrick Dugan,
Denise Fitzpatrick, Edward Glagola Jr., Tammi Kalugdan, Vernetta
Marquis, Sean Mays, Lee McCracken, Kevin Metcalfe, Duc Ngo, Donald
Sebers, Eugene Stevens IV, Michael Stevens, Henry Sutanto, Christopher
Warweg, and Jayne Wilson made key contributions to this report.
[End of section]
Footnotes:
[1] National Aeronautics and Space Administration Authorization Act of
2008 Pub. L. No. 110-422, § 1001 (Oct. 15, 2008).
[2] FISMA was enacted as title III, E-Government Act of 2002, Pub. L.
No. 107-347 (Dec. 17, 2002).
[3] Pub. L. No. 85-568, § 102 (b) and (c) (1958) (codified as amended
at 42 U.S.C. § 2451 (b), (c), and (d)). The Department of Defense
retains the activities peculiar to or primarily associated with the
development of weapons systems, military operations, or the defense of
the United States. 42 U.S.C. § 2451 (c).
[4] Federally Funded Research and Development Centers meet some special
long-term research or development needs of the government and are
operated, managed, and/or administered by either a university or
consortium of universities, other not-for-profit or nonprofit
organizations, or an industrial firm, as an autonomous organization or
as an identifiable separate operating unit of a parent organization.
[5] Figure 3 is neither intended to be a comprehensive illustration of
the key mission network infrastructure at NASA, nor does it include
protective elements such as firewalls and routers that are used to
segregate networks. In addition, the drawing is purposely simplified
and does not describe in detail the numerous networks at each center.
Table 2 includes examples of other networks at Goddard, JPL, and
Marshall. In figure 3, "other networks" include those of other federal
agencies and NASA partners.
[6] The Tracking and Data Relay Satellite System consists of several
satellites in geostationary orbits around the Earth.
[7] A cryptographic algorithm and key are used to apply cryptographic
protection to data (e.g., encrypt the data or generate a digital
signature) and to remove or check the protection (e.g., decrypt the
encrypted data or verify the digital signature).
[8] A firewall is a hardware or software component that protects
computers or networks from attacks by blocking network traffic.
[9] Wet pipe equipment is filled with water up to the automatic
sprinkler head detection device. In contrast, dry pipe equipment does
not deliver water into the pipes until an emergency occurs. Other
automatic fire protection equipment does not use water but rather
contains elements that remove oxygen from the room to extinguish the
fire.
[10] GAO, Information Security: Continued Action Needed to Improve
Software Patch Management, [hyperlink,
http://www.gao.gov/products/GAO-04-706] (Washington, D.C.: June 2,
2004).
[11] National Institute of Standards and Technology, Standards for
Security Categorization of Federal Information and Information Systems,
Federal Information Processing Standards Publication (FIPS PUB) 199
(December 2003).
[12] The waivers process constitutes the mechanism by which to document
decisions to exceed the institutionally provided requirements and
protective measures or accept additional risks.
[13] OMB Circular A-130, Appendix III, defines a major application as
one that requires special attention to security due to the risk and
magnitude of harm resulting from the loss, misuse, or unauthorized
access to or modification of the information in the application. It
defines a general support system as an interconnected set of
information resources under the same direct management control that
shares common functionality. It normally includes hardware, software,
information, data, applications, communications, and people.
[14] 44 U.S.C. § 3544 (b) (5).
[15] The Deputy CIO also evaluated NASA's remedial action process in
October 2007 and stated that, due to the fragmented organization, not
every center reports to the CIO headquarters diligently on corrective
action plans for reported vulnerabilities discovered in the security
testing and evaluation.
[16] US-CERT is a component of the Department of Homeland Security and
is responsible for analyzing and addressing cyber threats and
vulnerabilities and disseminating cyber-threat warning information.
Federal agencies, including NASA, are required to report security
incidents to US-CERT.
[17] 22 C.F.R. Subchapter M Parts 120-130. The International Traffic in
Arms Regulations are promulgated by the U.S. Department of State under
the Arms Export Control Act (22 U.S.C. 2778) for the control of the
permanent and temporary export and the temporary import of defense
articles and defense services.
[18] The FAR was established to codify uniform policies for acquisition
of supplies and services by executive agencies. The FAR appears in the
Code of Federal Regulations in Title 48. See 48 C.F.R. 7.103 (u).
[19] The actual contract language says "Documents referenced in the
NASA policy 2810.1A are not applicable unless expressly incorporated in
the Contract."
[20] Chapter 2 of NASA Policy 2810.1A, the NASA Information Security
Policy Manual, outlining the roles and responsibilities of senior
management, IT Security System and Information owners, Center IT
Security Supporting Functions, certification and accreditation roles,
NASA Senior IT Security Management Working Relationships, etc. is
specifically "not accepted" in the JPL contract.
[21] Malicious code is also known as malware and, according to NIST,
has become the most significant external threat to most systems,
causing widespread damage and disruption, and necessitating extensive
recovery efforts within most organizations. Malware refers to a program
that is inserted into a system, usually covertly, with the intent of
compromising the confidentiality, integrity, or availability of the
victim's data, applications, or operating system or otherwise annoying
or disrupting the victim.
[22] "Bots" are infected machines under the control of persons other
than the intended users that are used as proxies for attacks on other
systems or for storage and distribution of pirated and other illicit
content.
[23] Trojan horses are nonreplicating programs that appear to be benign
but actually have a hidden malicious purpose. Some Trojan horses are
intended to replace existing files, such as system and application
executables, with malicious versions; others add another application to
systems instead of overwriting existing files.
[24] GAO, Federal Information System Controls Audit Manual (FISCAM),
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.:
February 2009).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: