by Douglas Messier
NASA faces “unnecessary risks that may threaten the confidentiality, integrity, and availability of information” due to its failure to correct flaws in its Agency Common System (ACS), according to a new report from the agency’s Office of Inspector General (OIG).
“During our review of the ACS system, we found that NASA has not taken corrective action to address a longstanding deficiency regarding controls previously assessed as ineffective. We also found that a software error permitted an unauthorized data change in the Agency’s information security database affecting the accuracy of the assessment status of a control,” the report said.
“Further, we found that NASA faced delays in its plans to authorize the Agency’s new hybrid common controls system, which serves as the central repository for the Agency’s hybrid common controls,” the document added. “Lastly, NASA did not develop cost estimates for the remediation of these control deficiencies. As a result, information systems throughout the Agency face unnecessary risks that may threaten the confidentiality, integrity, and availability of NASA’s information.”
OIG made five recommendations for improvements (see below). NASA concurred with three of them, partially concurred with one, and did not concur with one; OIG nonetheless considers all five resolved pending completion and verification of the planned corrective actions.
Selected excerpts from the report follow.
NASA Office of Inspector General
Office of Audits
December 22, 2020
To: Jeff Seaton, Authorizing Official
Acting Chief Information Officer
Robert L. Binkley, Information System Owner
Deputy Associate Chief Information Officer for Cybersecurity and Privacy
Subject: Final Memorandum, Fiscal Year 2020 Federal Information Security Modernization Act Evaluation – An Agency Common System (IG-21-010, A-20-012-01)
We recommend that the Information System Owner:
1. Develop a POA&M [Plan of Action and Milestones] or Risk-Based Decision document to address the deficiency in control SI-04.
2. Ensure that control SI-04 is assessed as soon as possible and that all ACS system controls are assessed timely in accordance with FISMA requirements.
3. Assign the personnel resources necessary to ensure the Agency’s security plans for systems that inherit the controls within the Agency’s new hybrid common controls system are updated and that those hybrid controls are removed from the ACS system security plan.
4. Establish a process to ensure that cost estimates are developed and included for all POA&Ms for the ACS system prior to their establishment and approval in RISCS [Risk Information Security Compliance System] to ensure that costs are properly captured and included in submissions to OMB [Office of Management and Budget].
5. Ensure that accurate cost estimates associated with the remediation of security weaknesses listed in POA&Ms are prepared and included for all open POA&Ms in the ACS system.
Management’s Response and Our Evaluation
We provided a draft of this memorandum to NASA management who concurred with three of our five recommendations and described actions they plan to take. We consider management’s comments to those recommendations responsive; therefore, the recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions.
Management did not concur with Recommendation 2, stating that while NASA policy requires systems to be assessed annually, it only requires controls to be assessed at least once within a three-year period. Since management stated control SI-04 is currently being assessed, we consider the recommendation resolved, and it will be closed upon completion and verification of the planned corrective actions.
Further, management partially concurred with Recommendation 3, agreeing to delete and de-allocate the controls in the ACS system that have been determined to be either hybrid or otherwise non-common controls. While it is the individual system owners’ responsibility to ensure their system security plans are updated to reflect changes to the Agency’s hybrid controls, NASA developed guidance and reports to assist NASA information system owners with this transition and will communicate needed actions and implementation responsibilities in the future. We consider management’s comments and proposed actions responsive; therefore, the recommendation is resolved and will be closed upon completion and verification of the proposed corrective actions.