NASA still has security gap
IG says space agency needs to improve the way it scans for potential vulnerabilities
"Information Technology Security Planning"
NASA has improved its security processes since a scathing General Accounting Office report found holes in some of the space agency's mission-critical systems. But NASA still needs to improve the way it scans for potential vulnerabilities, a new audit by the agency's inspector general says.
NASA has implemented nearly all of the recommendations from a May 1999 GAO report, which revealed that auditors were able to hack into several systems. Those systems included one responsible for calculating detailed positioning data for Earth-orbiting spacecraft and another that processes and distributes scientific data received from those spacecraft.
"Overall, the new policies that NASA established are adequate, but substantial work remains to fully implement them," the IG report stated.
The IG report, "Information Technology Security Planning," dated March 30 but released last week, says that NASA's current policies for scanning its computer systems for a limited number of vulnerabilities "do not result in an adequate assessment of the agency's IT system vulnerabilities."
"As a result, the IT security risks and metrics that NASA reports to the Congress may understate NASA's IT vulnerabilities and provide undue assurance on the integrity, availability and confidentially of information," according to the report, which has some portions redacted for security reasons.
NASA does not use scanning software to detect many types of vulnerabilities, the IG said.
The IG makes several recommendations in the report.
* NASA should include in its performance plan a description of the time and resources necessary to implement its IT security program.
* NASA should develop IT security metrics to cover the requirements of the Office of Management and Budget's requirements.
* NASA should select metrics for measuring the performance of its IT security program that ensures they accurately reflect the current risks.
* NASA should describe the extent of vulnerability testing used to calculate the IT security metrics that is presented to Congress as part of its annual performance plan.
NASA officials concurred with many of the recommendations. The agency's fiscal 2002 performance plan, for example, has been changed to make it clear that only a specified set of vulnerabilities is included in its metrics and that the scanned vulnerabilities may change from quarter to quarter.
Agency officials said that for now, it is not possible to "ensure" that the performance measurements accurately reflect NASA's IT security risk. "We have not claimed that the metric does this," NASA chief information officer Lee Holcomb said.
"We believe that our current vulnerability testing reflects a balance of effectiveness and cost," he said in a written response to the IG report. He noted, however, that the agency would work with the IG's office to further hone the balance between effective and exhaustive vulnerability testing.
NEXT STORY: Letter to the Editor