By SecureWorld News Team
Thu | May 24, 2018 | 8:55 AM PDT

When it comes to cybersecurity, NASA is having trouble getting off the launch pad.

The U.S. Government Accountability Office (GAO) just finished its 2018 assessment of NASA's cybersecurity and risk management program. 

The GAO evaluated NASA based on at-risk management components identified in the National Institute of Standards and Technology’s (NIST) guidance.

The report on NASA's information security program is titled, "Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses."

Areas where NASA information security needs to improve

According to the GAO, here is what NASA still needs to do. 
  • Establish an agency-wide approach to managing cybersecurity risk
  • Define the agency's risk tolerance
  • Work on accepted risk assessment methodologies
  • Implement a process for consistently evaluating risk across the organization
  • Create response strategies and approaches for monitoring risk over time
  • Set priorities for risk management investments
  • Establish an agency-wide approach to managing cybersecurity risk that includes an information security program plan that fully reflects the agency's IT security functions and services and agency-wide privacy controls for protecting information
  • Establish an agency-wide approach to managing cybersecurity risk that includes policies and procedures with well-defined roles and responsibilities

NASA clearly has a lot of work to do on cybersecurity before it adheres to the NIST Cybersecurity Framework.

The report did note one bright spot, however: NASA’s new cybersecurity risk manager began work on April 2, 2018, and will report to the space agency's CIO.

Perhaps that will lead to a coordinated risk strategy—starting in "3, 2, 1...."

[Image courtesy of NASA]
