I do wonder how other gov agencies really rate?
NASA infosec again falls short of required US government standard
The NASA Office of Inspector General (OIG) has published its annual audit of the aerospace agency's infosec capabilities and practices, which earned an overall rating of "Not Effective." The review was conducted by accounting firm RMA Associates using the Council of the Inspectors General on Integrity and Efficiency's Quality …
Wednesday 21st December 2022 15:31 GMT Little Mouse
Wednesday 21st December 2022 15:42 GMT Joe Gurman
"identified that low-budget missions scarcely think of infosec because they try to spend every cent on science"
As someone who's been there and done that, I wonder if most readers, who probably think of NASA Projects as rolling in gigabucks, understand that in "Phase E" (post commissioning activities that follow launch), most if not all NASA space science missions operate on budgets considerably leaner than during Phases A - D (formulation, development, testing, integration, &c.). After one or sometimes two Congressionally mandated Senior Review cycles, the operating budgets are almost without exception, even for scientifically highly successful missions, put on a life-support budget, that is, one that barely provides for paying the Flight Operations Team (the folks who operate the spacecraft), the science operations team(s), either at a center or the various Principal Investigators' (PIs') institutions, and any non-Deep Space Network tracking and telemetry services (DSN services are paid for at a higher level in NASA's Science Mission Directorate budgets), and so on.
At that point there's little or no funding for new science in project budgets, beyond the fairly routine analysis of sample software data to insure instrument health and safety and data integrity.
Thus, NASA's uncrewed, science flight projects don't have to make a tradeoff between science and risk management (including IT security, mandated and otherwise); it's been made for them. For at least a decade, at two year intervals in our division of SMD, as a project scientist I requested modest increases in finding to cover increased IT security requirements. Never got one. That could be explained by the fact that the Senior Review panels were made up of scientists, some of the university research scientists who'd never been in mission ops and had no clue why, in the words of one, "Why are these things so expensive?" We did our best to explain, but the requirements appeared to be so foreign to university scientists with no direct mission experience that it was like talking a foreign language.
I would hope that by now (I've been retired for four years) SMD management would take the IT sec requirements to heart and add people with experience in implementing successful IT security in mission/mission science operations to its Senior Review panels. And seriously consider what decent, thoughtful IT security
I'll just stop down off my soapbox now....
P.S. As an example of what the costs are like, I had to dedicate at least 1/3 of the time of my most senior system/net admin to security compliance (more like 2/3 in years with then required triennial reviews), while not having any funds to replace her time. And that didn't count my time, or the time of the PI teams and other sys admins — with no offsetting funds. I got the impression that my management chain didn't appreciate, however, my response that stretching the staff so thin was a significant risk for mission success and possibly even mission survival because I had to make it in the "risk assessment" section of annual budget reviews.
Wednesday 21st December 2022 18:56 GMT Jou (Mxyzptlk)
Wednesday 21st December 2022 20:53 GMT Toe Knee
Re: About that
That’s some pretty horrific reading. Horrific, but not entirely unexpected…
I certainly never had any idea as to the budgetary priorities of projects at different phases in their lifecycles. That any sufficiently large organization is a bureaucratic nightmare is shown once again.
Wednesday 21st December 2022 18:52 GMT Jou (Mxyzptlk)
Real infosec costs money, and is a very big hassle.
It is a lot of work and organizing, and doing it right slows everything down. A lot. Webb would probably have taken another ten years to launch if you'd do the security at "level 5".
On top of that: Infosec and science don't combine very well. The latter is rather keen to discover something new and tell the world about it.
Wednesday 21st December 2022 23:44 GMT mmccul
I've participated in helping to analyze organizations against the very scale in question. Very few organizations I've reviewed would get even a level 2 rating in most target areas I was asked to review, including some that thought they were "pretty good" in infosec before I got there. A lot of the specifications required just for level 2 are missing from the vast majority of commercial shops.
I'm not saying that NASA doesn't need to improve, but merely getting a "level 2" on several enclaves and categories doesn't necessarily mean they're much worse than I'd expect. The point of the maturity model is to help understand where you are so you can plan meaningful improvements over time that doesn't block the mission of the organization unnecessarily.
For example, the detect category may be considered level 2 only if there are identified gaps against some of the directives to collect and analyze certain data sources that I've almost never seen even attempted outside government organizations. For any example I give, I'm sure there are shops that do it, but a lot of shops don't, and that's the point.
From a process perspective, again, the level of detail required for a government shop is much higher than I see in the private sector. What we don't know from the article are the details of the gaps.
Overall, the piece feels like a lot of necessary context is missing to understand how they really fare compared to a moderately security aware non-government shop of a reasonable size.
Thursday 22nd December 2022 08:43 GMT Jou (Mxyzptlk)
Re: Context missing
Well, comparing to what I experience in many situations: I just walk in, walk into the server room, do my admin stuff, and no one stops me or asks any questions. That includes companies where no one has ever seen me before, know my name or my face, and nobody was informed that anyone would come to do stuff. Their luck I am intended to be at such places and do what is intended or needed to do. This is what I call "level -1".
I know the other way around as well, being blocked at all possible instances. And if they say "Sorry, it will take a bit time to check" and I say "no sorry, you do what you have to, else it would be a security risk".
Friday 23rd December 2022 17:20 GMT Ken G