Congress wants to know: Does NASA protect its info systems?
NASA might be moving away from enforcing provisions of the Federal Information Security Management Act, but Congress wants to know whether its new approach does a better job.
In a provision approved as part of the NASA authorization bill for fiscal 2011 through fiscal 2013 sent for presidential signature Sept. 30, Congress directs NASA to provide, within four months, an assessment of whether its efforts have "demonstrably and quantifiably reduced network risk compared to alternative methods of measuring security."
NASA took a step away from FISMA when then-Deputy Chief Information Officer for IT Security Jerry Davis (now at the Veterans Affairs Department) informed system administrators in a May memo that certification and accreditation would no longer be a strict requirement.
However, the NASA inspector general has since castigated the NASA chief information officer for being unaware of cybersecurity holes within NASA systems.
The authorization bill also requires NASA to set up a cybersecurity education program mandatory for any employee or contractor using agency information systems.
For more:
- read the text of the NASA authorization bill (the cybersecurity provisions are in section 1207)