back to article NASA infosec again falls short of required US government standard

The NASA Office of Inspector General (OIG) has published its annual audit of the aerospace agency's infosec capabilities and practices, which earned an overall rating of "Not Effective." The review was conducted by accounting firm RMA Associates using the Council of the Inspectors General on Integrity and Efficiency's Quality …

  1. Paul Crawford Silver badge

    I do wonder how other gov agencies really rate?

    1. Anonymous Coward
      Anonymous Coward

      On a scoring system of 1 - 5 about -5 if the auditors actually looked at everything that should be happening (and isn't) and all of the things that shouldn't be happening (and are).

    2. NoneSuch Silver badge
      Linux

      "I do wonder how other gov agencies really rate?"

      The US Gov IT guidelines are a very low bar and they can't even reach that.

  2. Little Mouse

    I guess there won't be any spontaneous whooping and cheering and slapping each other on the back today then.

  3. Joe Gurman

    About that

    "identified that low-budget missions scarcely think of infosec because they try to spend every cent on science"

    As someone who's been there and done that, I wonder if most readers, who probably think of NASA Projects as rolling in gigabucks, understand that in "Phase E" (post commissioning activities that follow launch), most if not all NASA space science missions operate on budgets considerably leaner than during Phases A - D (formulation, development, testing, integration, &c.). After one or sometimes two Congressionally mandated Senior Review cycles, the operating budgets are almost without exception, even for scientifically highly successful missions, put on a life-support budget, that is, one that barely provides for paying the Flight Operations Team (the folks who operate the spacecraft), the science operations team(s), either at a center or the various Principal Investigators' (PIs') institutions, and any non-Deep Space Network tracking and telemetry services (DSN services are paid for at a higher level in NASA's Science Mission Directorate budgets), and so on.

    At that point there's little or no funding for new science in project budgets, beyond the fairly routine analysis of sample software data to insure instrument health and safety and data integrity.

    Thus, NASA's uncrewed, science flight projects don't have to make a tradeoff between science and risk management (including IT security, mandated and otherwise); it's been made for them. For at least a decade, at two year intervals in our division of SMD, as a project scientist I requested modest increases in finding to cover increased IT security requirements. Never got one. That could be explained by the fact that the Senior Review panels were made up of scientists, some of the university research scientists who'd never been in mission ops and had no clue why, in the words of one, "Why are these things so expensive?" We did our best to explain, but the requirements appeared to be so foreign to university scientists with no direct mission experience that it was like talking a foreign language.

    I would hope that by now (I've been retired for four years) SMD management would take the IT sec requirements to heart and add people with experience in implementing successful IT security in mission/mission science operations to its Senior Review panels. And seriously consider what decent, thoughtful IT security

    costs.

    I'll just stop down off my soapbox now....

    P.S. As an example of what the costs are like, I had to dedicate at least 1/3 of the time of my most senior system/net admin to security compliance (more like 2/3 in years with then required triennial reviews), while not having any funds to replace her time. And that didn't count my time, or the time of the PI teams and other sys admins — with no offsetting funds. I got the impression that my management chain didn't appreciate, however, my response that stretching the staff so thin was a significant risk for mission success and possibly even mission survival because I had to make it in the "risk assessment" section of annual budget reviews.

    1. Jou (Mxyzptlk) Silver badge

      Re: About that

      Thank you for that insight!

      How many encryption attacks made it through? And how often they were saved by a working backup?

    2. Toe Knee

      Re: About that

      That’s some pretty horrific reading. Horrific, but not entirely unexpected…

      I certainly never had any idea as to the budgetary priorities of projects at different phases in their lifecycles. That any sufficiently large organization is a bureaucratic nightmare is shown once again.

      1. stiine Silver badge

        Re: About that

        Its actually worse that he stated.

        NASA's budget is controlled by the US House of representatives. They can, yearly and on a whim, decide to fund or not, any named project.

  4. Jou (Mxyzptlk) Silver badge

    Real infosec costs money, and is a very big hassle.

    It is a lot of work and organizing, and doing it right slows everything down. A lot. Webb would probably have taken another ten years to launch if you'd do the security at "level 5".

    On top of that: Infosec and science don't combine very well. The latter is rather keen to discover something new and tell the world about it.

    1. Cav Bronze badge

      Re: Real infosec costs money, and is a very big hassle.

      Having good info sec does not stifle the search for novelty and there is a world of difference between deliberately telling the world of discoveries and having someone hack your systems to get the data.

  5. mmccul

    Context missing

    I've participated in helping to analyze organizations against the very scale in question. Very few organizations I've reviewed would get even a level 2 rating in most target areas I was asked to review, including some that thought they were "pretty good" in infosec before I got there. A lot of the specifications required just for level 2 are missing from the vast majority of commercial shops.

    I'm not saying that NASA doesn't need to improve, but merely getting a "level 2" on several enclaves and categories doesn't necessarily mean they're much worse than I'd expect. The point of the maturity model is to help understand where you are so you can plan meaningful improvements over time that doesn't block the mission of the organization unnecessarily.

    For example, the detect category may be considered level 2 only if there are identified gaps against some of the directives to collect and analyze certain data sources that I've almost never seen even attempted outside government organizations. For any example I give, I'm sure there are shops that do it, but a lot of shops don't, and that's the point.

    From a process perspective, again, the level of detail required for a government shop is much higher than I see in the private sector. What we don't know from the article are the details of the gaps.

    Overall, the piece feels like a lot of necessary context is missing to understand how they really fare compared to a moderately security aware non-government shop of a reasonable size.

    1. Jou (Mxyzptlk) Silver badge

      Re: Context missing

      Well, comparing to what I experience in many situations: I just walk in, walk into the server room, do my admin stuff, and no one stops me or asks any questions. That includes companies where no one has ever seen me before, know my name or my face, and nobody was informed that anyone would come to do stuff. Their luck I am intended to be at such places and do what is intended or needed to do. This is what I call "level -1".

      I know the other way around as well, being blocked at all possible instances. And if they say "Sorry, it will take a bit time to check" and I say "no sorry, you do what you have to, else it would be a security risk".

  6. Ken G Silver badge
    Alien

    So when do we see photos of the alien?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like