NASA's crap infosec could be 'significant threat' to space ops

NASA's Office of the Inspector General has once again concluded the American space agency's tech security practices are "not consistently implemented".

Confirmation that the US government department's infosec abilities are not up to scratch was a repeat of last year's federally mandated security audit, which also found that processes and procedures were below par.

Oversight personnel from NASA's Office of the Inspector General (OIG) criticised the space agency's staff for the "untimely [sic] performance of information security control assessments", saying it "could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency's ability to protect the confidentiality, integrity, and availability of its data, systems, and networks."

Jim Morrison, assistant inspector general for audits within NASA's OIG, said in a letter [PDF]:

"In sum, we rated NASA's cybersecurity program at a Level 2 (Defined) for the second year in a row, which falls short of the Level 4 (Managed and Measurable) rating agency cybersecurity programs are required to meet by the Office of Management and Budget in order to be considered effective."

Two areas were of immediate concern to Morrison's inspectors: NASA system security plans "contained missing, incomplete, and inaccurate data" and control assessments were not carried out "in a timely manner", something the auditors described as "an indicator of a continuing control deficiency".

The OIG's annual review assessed "61 metrics in five security function areas," it said, testing "a subset of information systems to determine the maturity of their agency's information security program.”

Drilling down, OIG inspectors looked closely at seven "judgmentally selected Agency information systems along with their corresponding security documentation" to arrive at their verdict.

A rating of "Level 2 (Defined)" means, according to the NASA OIG, that "policies, procedures, and strategies are formalized and documented but not consistently implemented". This contrasts with Level 4, where successful American government agencies have "Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies [that are] are collected across the organization and used to assess them and make necessary changes".

More details are scheduled to emerge in the full US Federal Information Security Modernisation Act (FISMA) review of NASA for fiscal year 2019. ®