NASA ahead of the curve in real-time IT security
Agency's dashboard system among the first to report to FISMA's CyberScope in real time
- By Dan Rowinski
- Dec 17, 2010
NASA is making progress in monitoring and securing its sensitive-information databases.
A report from NextGov says NASA is ahead of schedule on its mandate from Congress and the Obama administration to improve its cybersecurity and institute reporting technologies to be able to more readily comply with Federal Information Security Management Act.
“Our efforts in these matters are simply out of necessity,” Marion Meissner, acting deputy CIO of IT Security at NASA, told GCN. “The option to stall just isn’t there when it comes to ensuring the security of our agency’s systems. Luckily, with features like the IT security dashboard providing quick and topical information for everyone from upper management to system administrators, we got a lot of support driving these initiatives.”
The system NASA is implementing is called the IT Security Enterprise Data Warehouse (ITSEC-EDW) and consists of dashboards that continually monitor network systems and generate the automated reports that are sent to CyberScope -- FISMA’s inbox for IT security reports. NASA uses commercial products that meet security protocols. One product is installed on more than 80,000 machines in the sprawling NASA system and “provides patch management data, system inventories, configuration data, and FISMA reporting information,” according to NASA.
NASA is one of the first government agencies to enable real-time monitoring and report generation on risk management and is ahead of schedule in the process. The agency is on a timeline through the NASA Authorization Act of 2010, signed by President Barack Obama on Oct. 11.
Kundra says agencies ready for real-time FISMA reporting tool
NASA lab: Cloud is safe for mission-critical data
“While our specific products and implementations may be unique to NASA, the same basic principles are used by other agencies such as the State Department,” Meissner said.
In section 1207 of the Authorization Act the stipulation for creating and reporting security protocols is outlined. It states that NASA’s CIO must update Congress 120 days (and twice a year from then on) after the implementation of the act on the agency’s “efforts to implement a system to provide dynamic, comprehensive, real-time information regarding risk of unauthorized remote, proximity, and insider use or access, for all information infrastructure under the responsibility of the chief information officer.”
The size and scope of NASA makes cybersecurity a difficult matter. Add to that the large amount of data coming through the system and IT security becomes very challenging.
“Current estimates predict rapid climbs in the millions of rows of data we process on a regular basis, and we just can’t keep up unless we continue to work together as diligently as we have been," Meissner said.
The next integration challenge into ITSEC-EDW system will be adding data from NASA’s mobile workforce. Currently NASA pulls in a large amount of data from mobile sources on a weekly basis but hopes to make that daily by summer 2011.
“Empowering our mobile workforce is also high on our list of challenges,” Meissner said. “Pulling all of that information and pushing updates and fixes to our roaming users is difficult to do effectively and efficiently.”
Dan Rowinski is a staff reporter covering communications technologies.