NASA gets its IT security off the critical list

Reducing number of systems, deploying patch management are among improvements

NASA has improved its IT security enough over the past year that the space agency's inspector general has removed the issue from his list of most serious challenges.

Scott Santiago, NASA's deputy CIO for IT security, said the ongoing consolidation of IT systems deployed throughout NASA and investment in an agencywide patch management program are among the reasons the agency improved its standing.

'There's been a concerted effort, driven by [the Office of Management and Budget], to implement consistent practices across the federal government, and NASA has been working diligently to ensure that our processes, policies and procedures have been brought into alignment with that direction,' Santiago said.

He said the CIO's office has reduced the number of systems it oversees from 1,550 to 1,266, which has helped improve its cybersecurity. 'We've made progress in reducing the number of systems, consolidating them [and] the controls implemented within them,' Santiago said. 'We are continuing to work through and reduce the number of systems as we're able to collapse them and look at them from a more strategic standpoint.'

The agency also has focused on training employees and contractors in security best practices, he said.

NASA had a lot of room to improve. In the fiscal 2004 House Government Reform Committee's Federal Computer Security Report Card, NASA got a D- for the second year in a row. In OMB's Federal Information Security Management Act report to Congress, NASA showed solid progress on system security and privacy controls, testing contingency plans and including security costs in a system's lifecycle, but got a poor rating from the IG on the quality of its certification and accreditation process.

To improve on its C&A process, Santiago said the space agency implemented a central database to track and monitor progress.

NASA has been working for some time on identity management, even before OMB released Homeland Security Presidential Directive 12, which calls on all agencies to comply with a single identification standard for federal employees, Santiago said.

'I applaud the fact that at the federal level there's an initiative to deal with identity, but with the state of the technology, the aggressive schedule [set by OMB] is going to be difficult to meet,' he said.

Robert Cobb, the agency's IG, recently issued a report outlining NASA's most serious management and performance challenges. He credited NASA CIO Patricia Dunnington for responding to IT security recommendations made in the IG's October 2004 report.

Still on the list, however, is NASA's struggle to implement an integrated financial management system.

For the third year in a row, the agency's financial statements received a disclaimer from the independent auditor because of internal control deficiencies, Cobb said. NASA has made some progress, Cobb added, such as reorganizing the lines of authority so that chief financial officers in the agency's 10 centers now report to agency CFO Gwendolyn Brown.

Cobb said NASA needs 'viable corrective action plans to address the repeated internal control weaknesses it faces.'
