NASA is consistently missing the mark on documenting and implementing key IT management and cybersecurity practices.
It’s not for lack of trying, a Government Accountability Office report published Tuesday notes — it’s just that the space agency doesn’t quite have its proverbial ducks in a row.
“NASA continues to pursue efforts to improve IT strategic planning, workforce planning, IT governance, and cybersecurity, but consistently lacks the documented processes needed to ensure that policies and leading practices are fully addressed,” the report states.
IT is super important to NASA’s mission, and the agency spends heftily on it. In fiscal year 2018, for example, the agency planned $1.6 billion in IT spending. This central role of technology, GAO argues, is what makes NASA’s adherence to effective planning and management strategies so important.
The report runs through NASA’s four major IT management weaknesses in order.
The agency’s IT strategic plan, for example, has been improved in recent years but still doesn’t address all key elements. The plan aligns with NASA strategy and identifies the agency’s mission, GAO says, but it fails to identify “interdependencies” between IT projects. It also only partially includes the strategies the agency plans to use to achieve its desired IT results.
When it comes to workforce planning, GAO identifies eight components of an effective workforce planning effort, ranging from “establish and maintain a workforce planning process,” to “assess gaps in competencies and staffing” and, ultimately, finding ways to fill those gaps. GAO found that of these eight components, NASA has partially implemented five. “The Office of the CIO has had IT workforce planning efforts underway since 2015 that are intended to address the workforce planning activities listed above,” the report states, “however, the office has not finalized or implemented any of the planned actions.”
NASA’s IT governance structure is another work in progress. The agency has established the necessary governance boards, GAO found, but it has not “fully implemented” the oversight processes necessary to ensure that the agency CIO has visibility into IT investments. GAO notes that this area has long been of concern to NASA’s inspector general — the office has issued 24 reports over the past 7 years, the GAO report states, most centered on how the agency’s decentralized mission IT investment process limits oversight of those investments.
GAO seems to concur with the IG’s assessment. “Until NASA addresses these [IT governance] weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended,” the report states.
The report identifies cybersecurity as a final area where NASA is making improvements but has failed to address various important components. “Although NASA continues cybersecurity improvement efforts, important elements of an effective cybersecurity approach have not been completed, including establishing a risk management strategy, an information security program plan, and updated policies and procedures,” the GAO report states. And until this is taken care of, the report continues, “NASA may be limited in its ability to strengthen its risk posture, including ensuring effective cybersecurity across partnerships with commercial entities, federal agencies, and other countries.”
The GAO report ends with 10 recommendations for improving NASA’s IT management. The agency concurred with seven, partially concurred with two and did not concur with one of these recommendations. GAO, however, maintains that all are valid.
The report was publicly released on Tuesday as Renee Wynn, NASA’s CIO, gave remarks on how the agency’s IT and cybersecurity work supports its mission at the McAfee Security Through Innovation Summit.
As an agency, Wynn said, NASA is all about sharing data freely and on its own terms. This, she said, takes good information security. According to the GAO, there’s room for improvement in NASA’s security approach and practices.