NASA’s Poor Cybersecurity Is An Operational Threat

Government inspectors have uncovered serious deficiencies in NASA’s information security program which they claim could threaten operations. The findings come from the latest Office of the Inspector General (OIG) review of the space agency for fiscal year 2018, under the Federal Information Security Modernization Act of 2014 (FISMA).

The OIG tested the maturity of NASA’s infosec program via 61 metrics in five security function areas plus a subset of IT systems. This involved testing systems against their corresponding security documentation and interviewing information system owners and security personnel.

Unfortunately, the report assessed NASA’s cybersecurity program as at Level 2 (Defined) for the second year in a row, well short of the Level 4 (Managed and Measurable) required by the Office of Management and Budget in order to be judged effective.

The inspectors also flagged two serious issues: missing, incomplete and inaccurate data in system security plans and control assessments not conducted in a timely manner.

“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” explained assistant inspector general for audits, Jim Morrison, in a letter to NASA’s CIO, Renee Wynn.

“Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”

The news is concerning given the willingness of nation-state hackers to go after sensitive government IP, which could impact national security.

Yet it’s not the first time NASA has been called out for less than optimal cybersecurity: the agency received an even worse report card back in 2010 when the OIG inspected.

Last year, NASA also revealed that a server containing Social Security numbers and other identity data from current and former employees may have been compromised.

Infosecurity
