NASA unlikely to meet encryption deadline, says OIG
NASA isn't likely to meet its laptop encryption deadline of Dec. 21, 2012, despite being spurred by an Oct. 31 theft of a NASA-issued laptop that contained personal information on more than 10,000 current and former NASA employees and contractors, says the agency's office of inspector general.
In a Dec. 17 report, NASA's OIG said "it is extremely unlikely that the Agency will meet its December goal" because NASA does not currently know how many laptops are connected to its systems, or whether they are managed under the Agency Consolidated End-User Service management contract held by HP Enterprise Services or by NASA directly.
On Dec. 7, NASA reported it had encrypted as much as 84.4 percent of its ACES and non-ACES laptops, but auditors say that percentage "is inherently unreliable because… the agency has little certainty as to the total number of laptops in use."
The OIG report points specifically to a NASA statement saying there were roughly 20,500 HP-managed laptops requiring encryption, while documents from HP noted that there were nearly 25,500 ACES laptops requiring encryption.
"Without knowing the full universe of laptops that require encryption, the Agency cannot be sure that all of its laptops are protected with whole-disk encryption software," says OIG.
According to the report, laptop theft is an issue for NASA. In 2012 some 62 laptops were stolen and 45 were stolen in 2011, one of which contained control codes to the International Space Station.
Also as a result of the Oct. 31 theft, NASA has contracted with credit monitoring services to protect those whose identities were compromised, which the agency estimates will cost between $500,000 and $700,000, says the report.
The report recommends that NASA remove any non-encrypted laptops from its facilities, assign senior managers and IT officials at each center to monitor laptops, create a team to determine exactly how many laptops NASA has and how many are connected to its systems, develop an inventory control mechanism, reduce the number of non-ACES devices, develop an action plan to encrypt new devices and create a specific framework for encrypting laptops that specifies responsibilities.