Data loss prevention isn't rocket science, but NASA hasn't made it work in Microsoft 365
Privacy review finds breach response plan is a mess, training could be better, but protection regime mostly holds up
NASA's Office of Inspector General has run its eye over the aerospace agency's privacy regime and found plenty to like – but improvements are needed.
In an audit [PDF] published Tuesday, the OIG found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, and transmit [personally identifiable information] PII; publishing System of Records Notices; and providing general privacy training to its workforce."
That's a welcome assessment, given NASA employs around 16,000 people and – as with all government agencies – collects PII about them and the contractors, partners, and members of the public it engages.
But the document also found the agency "needs to take additional steps to better protect individuals' personal information that it collects, uses, and maintains."
Among those steps is to turn on data loss prevention (DLP) in Microsoft 365. NASA uses Microsoft's suite and is implementing its DLP capabilities. Currently, however, users self-report data losses – and did so 118 times from October 2021 to March 2023. But the data collected for those incidents "did not consistently identify the number of affected accounts, how the PII was disclosed, and root causes, nor was a risk rating assigned or lessons learned captured."
NASA therefore lacks the data to track and monitor PII leaks.
The agency is working to implement DLP in M365 but is doing so without having "fully established roles and responsibilities for the operation and maintenance of the DLP tool, including responding to potential breaches – incidents that involve PII – when identified."
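For readers wondering what "turning on DLP in M365" involves, the following is an added illustration, not anything from the OIG report or NASA's own configuration: a baseline Microsoft Purview DLP policy for PII created with the ExchangeOnlineManagement module. The policy and rule names and the reviewer mailbox are placeholders, and the policy starts in test mode so that whoever owns triage can tune it before enforcement.

```powershell
# Added illustration, not from the OIG report or NASA: a minimal Microsoft Purview
# DLP policy for PII, built with the ExchangeOnlineManagement module.
# Policy/rule names and the reviewer mailbox below are placeholders (assumed).
Connect-IPPSSession

# Start in test mode: matches are logged and reported but nothing is blocked,
# so the team responsible for triage can review false positives first.
New-DlpCompliancePolicy -Name "PII-Baseline" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Detect a built-in sensitive information type and route an incident report
# to a reviewer, so each detection carries a record rather than relying on
# users to self-report.
New-DlpComplianceRule -Name "PII-Baseline-SSN" -Policy "PII-Baseline" `
    -ContentContainsSensitiveInformation @(@{Name="U.S. Social Security Number (SSN)"; minCount="1"}) `
    -NotifyUser @("Owner", "privacy-reviewer@example.com") `
    -GenerateIncidentReport "privacy-reviewer@example.com" `
    -IncidentReportContent @("Detections", "Title", "Severity", "Service")

# Once the rule is tuned and an owner is assigned, switch to enforcement.
Set-DlpCompliancePolicy -Name "PII-Baseline" -Mode Enable
```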
Which may not be an entirely bad thing, because NASA's process for responding to a suspected or confirmed breach "is dispersed among several documents that conflict with each other," leaving the agency unsure when to assemble a Breach Response Team (BRT).
Even if NASA did know when to assemble a BRT, some of its members don't receive required annual training – such as participation in a tabletop exercise that simulates a breach response.
It's not just BRT people who miss out. The review also found NASA "[d]oes not require all individuals assigned security and privacy roles to complete privacy role-based training."
Another issue is that NASA has overlapping rules on privacy reporting, so "information on whether collections of data are compliant with applicable laws and policies may be incomplete." That means the agency "could fail to notify the public about the information the agency is collecting and storing on their behalf and the safeguards that exist to protect their personal information."
The report lists recommendations to fix all of the above, and NASA management has agreed to implement all of them. However, the space agency's plan to address one of the suggestions – a requirement for those with specific security and privacy roles to take privacy role-based training – is not considered effective, so that one will be revisited. ®