NASA’s Poor Cybersecurity Is An Operational Threat

Uploaded on 2019-03-27 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Transport & Travel

Government inspectors have uncovered serious deficiencies in NASA’s information security program which they claim could threaten operations. The findings come from the latest Office of the Inspector General (OIG) review of the space agency for fiscal year 2018, under the Federal Information Security Modernization Act of 2014 (FISMA).

The OIG tested the maturity of NASA’s infosec program via 61 metrics in five security function areas plus a subset of IT systems. This involved, testing systems against corresponding security documentation, and interviewing information system owners and security personnel.

Unfortunately, the report assessed NASA’s cybersecurity program as at Level 2 (Defined) for the second year in a row, well short of the Level 4 (Managed and Measurable) required by the Office of Management and Budget in order to be judged effective.

The inspectors also flagged two serious issues: missing, incomplete and inaccurate data in system security plans and control assessments not conducted in a timely manner.

“We consider the issue of missing, incomplete, and inaccurate information security plan data to be an indicator of a continuing control deficiency that we have identified in recent NASA OIG reviews,” explained assistant inspector general for audits, Jim Morrison, in a letter to NASA’s CIO, Renee Wynn.
“Likewise, the untimely performance of information security control assessments could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the agency’s ability to protect the confidentiality, integrity, and availability of its data, systems, and networks.”
The news is concerning given the willingness of nation state hackers to go after sensitive government IP, which could impact national security.
Yet it’s not the first time NASA has been called out for less than optimal cybersecurity: the agency received an even worse report card back in 2010 when the OIG inspected.
Last year, NASA also revealed that a server containing Social Security numbers and other identity data from current and former employees may have been compromised.

Infosecurity

You Might Also Read:

NASA Discloses A Data Breach:

« What's The Difference Between AI And Machine Learning?
Where On Earth Is Cloud Data Actually Stored? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

IOActive

IOActive

IOActive serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture.

Virtustream

Virtustream

The Virtustream Enterprise Class Cloud provides a secure, highly available, Infrastructure as a Service (IaaS) to enterprises and government customers.

Junglemap

Junglemap

Junglemap provide nanolearning training courses on ransomware, information security and GDPR.

ecsec

ecsec

ecsec is a specialized vendor of security solutions including information security management, smart card technology, identity management, cloud computing and electronic signature technology.

Slovenian Digital Coalition

Slovenian Digital Coalition

Slovenian Digital Coalition is a coalition working in the field of smart cities, e-commerce, e-skills, e-inclusion, cyber security, internet and other areas related to developing the digital society.

SafeLogic

SafeLogic

SafeLogic provides strong encryption products for solutions in mobile, server, Cloud, appliance, wearable, and IoT environments that are pursuing compliance to strict regulatory requirements.

MicroEJ

MicroEJ

MicroEJ is a software vendor of cost-driven solutions for embedded and IoT devices.

SAIFE

SAIFE

SAIFE has adapted a Software Defined Perimeter approach and paired it with a Zero Trust model that defines access by the user, their device, and where they are located.

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance is a global, non-profit industry association which is working to enable a secure connected future.

Kyndryl

Kyndryl

Kyndryl has a comprehensive portfolio that leverages hybrid cloud solutions, business resiliency, and network services to help optimize your IT workloads and transformations.

Rausch Advisory Services

Rausch Advisory Services

Rausch delivers solutions that address compliance, enterprise risk, information technology and human resource capital.

Purple Team

Purple Team

Purple Team is an expert cybersecurity and managed security service provider focused on arming your IT infrastructure with both red team and blue team services.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

Tsaaro Academy

Tsaaro Academy

Tsaaro Academy is a unique privacy certification training platform and here you earn a privacy certification CEH, CISM and DPO from India’s No.1 Privacy training platform.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.

e-Safer

e-Safer

e-Safer's mission is to provide solutions and services that ensure a safer digital environment.