NASA CIO unaware of cybersecurity holes, says IG
An audit of NASA cybersecurity practices during fiscal 2009 found that security control assessments and contingency plan testing went undone and that the NASA chief information officer was unaware of the cybersecurity holes.
The NASA inspector general, in a report dated Sept. 16, reviewed 29 moderate and high impact NASA and NASA contractor systems during fiscal 2009, which ended last Sept. 30.
Of those systems, only seven had been tested with sufficient documentation to allow auditors to conclude that the security controls had been tested once within the past year. Some security control assessments didn't bother with actual testing but instead relied on reviewing existing documentation or conducting interviews, auditors found.
In addition, NASA delivered documentation that it tested contingency plans in case of a system failure only in 15 of the 29 systems the inspector general reviewed. In the case of high impact systems included in the sample of 29 systems, NASA failed to show that those systems could be recovered and normal operations restored, were they to fail.
The audit lays the blame for the deficiencies squarely with the NASA CIO, Linda Cureton; they "resulted from a lack of effective oversight" by the office of the CIO, auditors wrote.
The CIO was unaware of the deficiencies in large measure because the agency lacks an independent verification and validation function, auditors added. The agency also lacks a policy for managing corrective actions, known as plans of action and milestones (POA&Ms).
Although NASA acquired a commercial system in 2005 to manage cybersecurity information and required by mid-2008 that all such information--including POA&Ms--be entered into the system, the system is underutilized, auditors found. Rather than use the system, NASA employees use Excel spreadsheets to track POA&Ms. Employees eschew the risk management system bought in 2005 "because OCIO implements RMS without following recognized software acquisition best practices," the report states.
For more:
- download the NASA report, IG-10-024 (.pdf)