How NASA sold security plan


David Nelson illustrates how far NASA has come in securing its IT infrastructure when he describes an IT manager who, in 1998, didn't know if his systems were under attack or even secure enough to repel a hacker.

Now, as Nelson, NASA's deputy CIO for security, likes to tell it, that IT manager knows he has a good perimeter defense, has found and fixed vulnerabilities and knows the network's status at all times.

This 180-degree turn is a result of an IT security plan Nelson helped implement over the last three years. He said NASA, which will spend $105 million on IT security in fiscal 2002, has come a long way in improving its information assurance and is primed to move from competence to excellence.

Stone walls and firewalls

'Our security is more like a castle, where the only way in is through the drawbridge,' Nelson said. The difference between what it was and what it is now 'is like night and day for everyone here.'

Of course, making the transition from sieve to castle was not easy.

Nelson said it was crucial to get NASA executives to buy in to the effort by determining how to measure progress and tying security to the agency's budget and mission.

After being sharply criticized in reports from the General Accounting Office and its inspector general, NASA commissioned an internal review on how to fix its security problems. Nelson, who came on board shortly after the commission began its work in 1998, used its 33 recommendations as a road map to improve security.

Support from NASA administrator Dan Goldin let Nelson tie security to each center's budget process. He said the CIO's office asked each center to calculate how much it spent on security. Then, in meetings with center officials, Nelson and CIO Lee Holcomb convinced program and project managers to place more emphasis on IT security.

NASA found that the more money its centers spent on security, the less damage they suffered at the hands of hackers, Nelson said. Since those meetings started, spending on security has nearly doubled.

Of those funds, little was allotted for training, but Nelson made it a priority. The CIO office produced a CD-ROM about security awareness and asked Glenn Research Center in Cleveland to develop an online course.

On the right track

The next step was to figure out what should be measured and how to determine success, Nelson said.

'In training, we measure how many people have completed the training and passed the exam,' he said. 'Or we measure system and application vulnerabilities and if the number is low enough, we know we are doing a good job.'

About 50,000 employees have trained using the Web system and more than 85,000 computers are scanned quarterly.

'We are at a point where we are still reactive, and we want to get to a point where we can automate some processes and schedule maintenance,' Nelson said.

'It is the duck theory of management, where you are placid on the surface but moving very fast underneath it all.'
