NASA’s lack of a permanent security officer has hurt the agency’s ability to plan and improve its IT, according to an internal watchdog.
“Without a comprehensive information security program plan, we believe NASA will continue to struggle to identify the resources needed to implement requirements for its information security program, including the risk management framework and information security architecture,” Inspector General Paul Martin said in the report released last week.
NASA has struggled to move forward with these issues for the past 19 months, the report said, as the agency rotated three different senior security officers in and out instead of permanently filling the role. Without concrete leadership, the agency is struggling with its planning and oversight.
“We believe the absence of a permanent Senior Security Officer has contributed to uncertainty regarding the position’s responsibilities and resulted in a lack of strong leadership to manage the information security program,” the report said.
Currently, NASA doesn’t have an agencywide risk management process to deal with specific information security problems, the report said. But with an “information security program plan” that a security officer would help develop, NASA could better prevent and deal with cyberattacks, the report said, instead of leaving its tech in the open waters of malware.
Its information security architecture also needs to be improved to better the infrastructure’s performance. While NASA began to make improvements in February, they are not complete and still need work, the report said.
In response, CIO Renee Wynn agreed with the audit and said NASA will develop an agency-wide information security program plan that meets requirements established by the National Institute of Standards and Technology, including the use of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program. All of NASA’s information security program plans are to be fully implemented by Dec. 6, 2019, her office said.
Editor’s Note: This article was updated on April 22 to reflect a clarification from the NASA CIO’s office on the timing of the information security plan.