Despite being known as one of the most forward-thinking, innovative federal agencies, NASA still has ways to go in adopting cloud-computing technologies, according to an inspector general audit report released July 29.
“We found that weaknesses in NASA’s IT governance and risk management practices have impeded the agency from fully realizing the benefits of cloud computing and potentially put NASA systems and data stored in the cloud at risk,” the IG report stated.
The IG report highlighted several areas where NASA needed major improvements, specifically in management and security thoroughness. According to the IG, NASA’s Office of the Chief Information Officer had been unaware of all of the cloud services NASA had acquired or even which service providers the space agency used.
Only 20 percent of surveyed center and mission directorate CIOs said coordinating with the agency OCIO was fundamental before moving NASA data and systems to public clouds.
The report found major issues with security and risk management measures in NASA’s cloud-computing program. NASA failed to incorporate or follow best practices in its contracts for cloud-computing acquisition services. In four out of five contracts the IG examined, NASA agreed to a standard contract that didn’t address privacy, record management or performance metrics.
Furthermore, IT security requirements are not being met appropriately. For the past two years, the cloud service that delivers Internet to more than 100 NASA internal and public-facing websites operated without “written authorization or system security or contingency plans,” the report stated. In addition, the annual tests of security controls for this service had not even been performed.
The IG recommends NASA’s CIO create an office specifically for cloud computing. This office would be “authorized to promulgate an agency cloud-computing strategy; define related standards; and approve, coordinate and oversee agencywide acquisition and deployment of cloud-computing services.”
At the time of the audit, five NASA organizations had implemented cloud services, and two more were exploring them to improve operational efficiency in their centers. The report also called for increased cooperation between NASA centers and the agency OCIO to ensure only secure and approved cloud services are used.
“As NASA expands its use of public cloud services, it is imperative that the agency strengthen its governance and risk management practices to mitigate the chance that agency operations may be disrupted, data lost or public funds misused,” Inspector General Paul Martin wrote in the report.