NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses
Highlights
What GAO Found
The National Aeronautics and Space Administration (NASA) has not yet effectively implemented leading practices for information technology (IT) management. Specifically, GAO identified weaknesses in NASA's IT management practices for strategic planning, workforce planning, governance, and cybersecurity.
NASA has not documented its IT strategic planning processes in accordance with leading practices. While NASA's updated IT strategic plan represents improvement over its prior plan, the updated plan is not comprehensive because it does not fully describe strategies for achieving desired results or describe interdependencies within and across programs. Until NASA establishes a comprehensive IT strategic plan, it will lack critical information needed to align resources with business strategies and investment decisions.
Of the eight key IT workforce planning activities, the agency partially implemented five and did not implement three. For example, NASA does not assess competency and staffing needs regularly or report progress to agency leadership. Until NASA implements the key IT workforce planning activities, it will have difficulty anticipating and responding to changing staffing needs.
NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended.
NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures.
NASA Implementation of Cybersecurity Risk Management Practices
|
Practice |
Status |
|
Executive oversight of risk |
While NASA has designated a risk executive, the agency lacks a dedicated office to provide comprehensive executive oversight of risks. |
|
Cybersecurity risk management strategy |
NASA lacks an agency-wide cybersecurity risk management strategy; one is currently in development. |
|
Information security program plan |
NASA developed a draft agency-wide information security program plan; however, the plan does not yet fully address leading practices. |
|
Policies and procedures |
Policies and procedures for protecting NASA's information systems are in place, but the agency has not kept them current or integrated. |
Source: GAO analysis of National Aeronautics and Space Administration documentation. | GAO-18-337
As NASA continues to collaborate with other agencies and nations and increasingly relies on agreements with private companies to carry out its missions, the agency's cybersecurity weaknesses make its systems more vulnerable to compromise. Until NASA leadership fully addresses these leading practices, its ability to ensure effective management of IT across the agency and manage cybersecurity risks will remain limited.
Why GAO Did This Study
NASA depends heavily upon IT to conduct its work. The agency spends at least $1.5 billion annually on IT investments that support its missions, including ground control systems for the International Space Station and space exploration programs.
The National Aeronautics and Space Administration Transition Authorization Act of 2017 included a provision for GAO to review the effectiveness of NASA's approach to overseeing and managing IT, including its ability to ensure that resources are aligned with agency missions and are cost effective and secure. Accordingly, GAO's specific objective for this review was to determine the extent to which NASA has established and implemented leading IT management practices in strategic planning, workforce planning, governance, and cybersecurity. To address this objective, GAO compared NASA IT policies, strategic plans, workforce gap assessments, and governance board documentation to federal law and leading practices. GAO also assessed NASA IT security plans, policies, and procedures against leading cybersecurity risk management practices.
Recommendations
GAO is making 10 recommendations to NASA to address the deficiencies identified in NASA IT strategic planning, workforce planning, governance, and cybersecurity. NASA concurred with seven recommendations, partially concurred with two, and did not concur with one. GAO maintains that all of the recommendations discussed in this report remain valid.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to develop a fully documented IT strategic planning process, including methods by which the agency defines its IT needs and develops strategies, systems, and capabilities to meet those needs. (Recommendation 1) |
Closed – Implemented
NASA partially concurred with this recommendation. In July 2018, NASA reported that it intended to finalize documentation of its process for developing the NASA IT Strategic plan in 2018. In November 2018, NASA's Office of the Chief Information Officer provided a copy of the newly approved guidance--version 1 of NASA's IT Strategic Planning Process. In the guidance, the agency documented responsibility for IT strategic planning, the development process, the schedule, how the guidance is to be disseminated, and how the Office of the Chief Information Officer plans to develop the related roadmap. Specifically, the guidance explains that the office coordinates an integrated roadmap with input from each NASA IT program to provide a comprehensive strategy over the duration of the strategic plan. The roadmap is intended to identify key achievements, options, and decision points to meet NASA's long-term IT-related priorities and investments. While it does not describe the methods for developing the roadmap in detail, the guidance outlines the roadmap's major components and steps the development process may include, such as identifying critical information technologies, capabilities, services, and infrastructure requirements needed to address agency problems; determining possible pathways or decision points; establishing a timeline with key sequences, dependencies, and qualitative risks; and developing a rough order of magnitude phased cost plan. By documenting how it intends to accomplish the activities outlined in the strategic plan, NASA has improved the likelihood that the agency will clearly articulate what it seeks to accomplish and identify the IT resources needed to achieve desired results.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to update the IT strategic plan for 2018 to 2021 and develop associated implementation plans to ensure it fully describes strategies the agency will use to achieve the desired results and descriptions of interdependencies within and across programs. (Recommendation 2) |
Closed – Implemented
NASA has taken multiple actions to address this recommendation. In December 2018, NASA's IT Council approved publication of the NASA IT Strategic Plan update. The Office of the Chief Information Officer updated the NASA IT Strategic Plan in September 2019, to include additional metrics, address feedback and clarify alignment with NASA's 2018 Strategic Plan. The plan also included out-year metrics designed to depict a full target state. The agency developed program plans that included details about how six IT programs aligned with NASA's strategic plan and IT strategic plan. NASA's program plans were designed to provide implementation plans by describing the business outcomes, strategies, major actions, and performance measures to achieve the desired outcomes of each program. NASA reported that the detailed IT implementation plans were intended to be more dynamic than the four-year NASA IT Strategic Plan and adjustable to accommodate tactical, technological, and operational changes. The program plans we reviewed described how NASA also planned to use program roadmaps and integrated master schedules to document interdependencies within and across programs. By taking these actions to strengthen IT strategic planning, NASA should be better positioned to achieve the desired results and manage interdependencies within and across programs.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to address, in conjunction with the Chief Human Capital Officer, gaps in IT workforce planning by fully implementing the eight key IT workforce planning activities noted in this report. (Recommendation 3) |
Open
NASA did not concur with this recommendation. As of October 2019, the agency reported that the Office of the Chief Information Officer was beginning its involvement with the agency's Mission Support Architecture Program which aims at re-aligning mission support functions from a decentralized model to an enterprise model. The office's participation in the re-alignment effort had an estimated completion date in fiscal year 2023. As of February 16, 2024, NASA had not provided another update. We will continue to monitor the implementation of this recommendation.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to institute an effective IT governance structure by completing planned improvement efforts and finalizing charters to fully establish IT governance boards, clearly defining roles and responsibilities for selecting and overseeing IT investments, and ensuring that the governance boards operate as intended. (Recommendation 4) |
Closed – Implemented
NASA has implemented the recommendation. NASA Office of the Chief Information Officer had updated the charters for its governance boards. The agency had also established six IT program plans that defined roles and responsibilities for selecting and overseeing IT investments. The Information Technology Council and CIO Leadership Team had also conducted annual reviews since 2018 that, among other things, examined the extent to which the governing boards were operating as intended. By taking these actions to improve its governance boards and processes, NASA should be better positioned to implement and maintain effective IT governance.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to update policies and procedures for selecting investments to provide a structured process, including thresholds and criteria needed for, among other things, evaluating investment risks as part of governance board decision making, and outline a process for reselecting investments. (Recommendation 5) |
Closed – Implemented
NASA has taken multiple actions to address this recommendation. In March 2019, the Office of the Chief Information Officer's Capital Planning and Governance Office had issued supplementary guidance on its processes for selecting investments that addressed certain elements of this recommendation. In November 2019, the agency also provided guidance describing thresholds and criteria needed for evaluating investments and for identifying and managing risks as part of its governance process. By taking these actions, NASA should be positioned to employ more effective processes for selecting IT investments.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to address weaknesses in oversight practices and ensure routine oversight of all investments by taking action to document criteria for escalating investments among governance boards and establish procedures for tracking corrective actions for underperforming investments. (Recommendation 6) |
Closed – Implemented
NASA concurred with this recommendation. In July 2018, NASA reported that the agency intended to address this recommendation by documenting its approach for governing IT investments. In February 2020, NASA reported that the agency remained committed to taking action to address this recommendation and reported that the Office of the Chief Information Officer had established a process to govern IT investment funds and had planned additional modifications for that framework. In November 2020, NASA reported that it intended to pilot the process in FY21 for its IT modernization fund. NASA also planned to incorporate lessons learned and feedback upon conclusion of the pilot, with the goal of baselining the IT Investment Handbook. In July 2021, NASA established version 1.0 of its IT Investment Handbook. In October 2021, we reviewed the agency's handbook and requested that the NASA provide additional documentation of actions taken to address this recommendation. In December 2021, NASA provided additional evidence and explanations of its actions to address this recommendation including governance board reviews, independent assessments, and monthly reviews of investments that did not meet all established criteria.
|
| National Aeronautics and Space Administration | The Administrator should ensure that the Chief Information Officer fully defines policies and procedures for developing the portfolio criteria, creating the portfolio, and evaluating the portfolio. (Recommendation 7) |
Closed – Implemented
NASA concurred with this recommendation. In July 2018, NASA reported that it had begun updating policies and procedures for developing the portfolio criteria. In April 2019, NASA provided copies of its updated guidance. Among other things, the guidance described criteria for the portfolio and defined policies and procedures for creating the portfolio. In January 2021, the agency also provided standard operating procedures for the IT portfolio process that included procedural steps for evaluating the portfolio. By enhancing its policies and procedures for developing, creating, and evaluating the IT portfolio, NASA should have greater assurance it is identifying and selecting the appropriate mix of IT projects that best meet its mission needs.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes a cybersecurity strategy that, among other things, makes explicit the agency's risk tolerance, accepted risk assessment methodologies, a process for consistently evaluating risk across the organization, response strategies and approaches for monitoring risk over time, and priorities for risk management investments. (Recommendation 8) |
Open
NASA concurred with this recommendation. In July 2018, NASA reported that it had hired a Chief Cybersecurity Risk Officer in April 2018 and that it had also approved a charter for an agency-wide Cybersecurity Integration Team. Since 2020, NASA has been developing and refining plans for its cybersecurity risk management strategy. As of October 2023, NASA reported that the agency had drafted a cybersecurity risk management strategy and submitted the strategy for review by stakeholders. NASA plans to submit the plan to OCIO governance boards and take actions to finalize the strategy in 2024. We will continue to monitor the implementation of this recommendation.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes an information security program plan that fully reflects the agency's IT security functions and services and agency-wide privacy controls for protecting information. (Recommendation 9) |
Closed – Implemented
NASA concurred with this recommendation. In November 2018, the agency published the information security program plan, incorporating updates to NASA's approach to implementing information security program requirements related to the NIST SP 800-53 Revision 4 program management control family. NASA also reported that the agency had developed the plan in consultation with and concurrence from the Office of Management and Budget and that the plan reflected the current state of NASA's security and privacy functions, services, and agency common controls for protecting information. Our review of the plan confirmed that the agency had addressed the weaknesses associated with this recommendation. Specifically, the plan described the majority of the security functions and services that are to be carried out by the Office of the Chief Information Officer's Cybersecurity and Privacy Division to address the relevant federal statutory and regulatory requirements, including managing the IT security program to correct known vulnerabilities, reduce barriers to cross-center collaboration, and provide cost-effective IT security services in support of NASA's information systems and Office of Federal CIO initiatives. The plan also identified the agency-wide privacy controls derived from standards promulgated pursuant to federal law and guidance that, according to the agency, were an integral part of its security program. Implementing this plan should provide the agency with greater assurance that it has established oversight over security controls for its systems and defined and established information security requirements essential to agency-wide operations.
|
| National Aeronautics and Space Administration | The Administrator should direct the Chief Information Officer to establish an agency-wide approach to managing cybersecurity risk that includes policies and procedures with well-defined roles and responsibilities that are integrated and reflect NASA's current security practices and operating environment. (Recommendation 10) |
Closed – Implemented
NASA concurred with this recommendation. NASA updated its IT security policy and procedures as of January 2022 and issued an updated standard operating procedure in July 2022 governing the review and update of security handbooks and associated documents. We reviewed the updated policy and procedures and identified updates NASA had made related to this recommendation. Specifically, the agency had updated its policy and procedures to align with more current guidance from the National Institute for Science and Technology, add guidance for mission directorates and mission support offices, and provide greater clarity about the cybersecurity and privacy roles and responsibilities of different officials. By taking these actions to update and improve the integration of its IT security policies and procedures, NASA has greater assurance that officials throughout the agency will address risks and apply appropriate cybersecurity and privacy controls to NASA systems.
|