Information Security: Many NASA Missions-Critical Systems Face Serious Risks

AIMD-99-47 May 20, 1999
Full Report (PDF, 34 pages)  

Summary

Tests done by GAO at one of NASA's 10 field centers found that mission-critical information systems were vulnerable to unauthorized access. GAO successfully penetrated several of these systems, including one responsible for calculating detailed positioning data for earth-orbiting spacecraft and another that processes and distributes scientific data received from these spacecraft. At that point, GAO could have disrupted NASA's ongoing command and control operations and stolen, modified, or destroyed system software and data. A major factor enabling GAO to penetrate these systems is poor management of information technology security throughout NASA. The agency is aware of these deficiencies. GAO recommends that NASA implement an effective agencywide security program that includes improvements in five areas: assessing risks and evaluating needs, implementing policies and controls, monitoring compliance with policy and the effectiveness of controls, providing computer security training, and coordinating responses to security incidents.

GAO noted that:

(1) tests GAO conducted at one of NASA's 10 field centers showed that some of NASA's mission-critical systems at that center are vulnerable to unauthorized access;
(2) although some of the systems GAO targeted had effective security mechanisms that prevented GAO from gaining access, GAO successfully penetrated several mission-critical systems, including one responsible for calculating detailed positioning data for earth-orbiting spacecraft and another that processes and distributes the scientific data received from these spacecraft;
(3) having obtained access to these systems, GAO could have disrupted NASA's ongoing command and control operations and stolen, modified, or destroyed system software and data;
(4) a major contributing factor to GAO's ability to penetrate these systems is that NASA was not effectively and consistently managing information technology (IT) security throughout the agency;
(5) GAO found that NASA's program did not include key elements of a comprehensive IT security management program as outlined in GAO's May 1998 Executive Guide;
(6) NASA did not effectively assess risks or evaluate needs;
(7) 135 of the 155 mission-critical systems that GAO reviewed did not meet all of NASA's requirements for risk assessments;
(8) NASA did not effectively implement policies and controls, and its guidance did not specify what information can be posted on public World Wide Web sites nor how mission-critical systems should be protected from well-known Internet threats;
(9) NASA was not monitoring policy compliance or the effectiveness of controls, and it had not conducted an agencywide review of IT security at its 10 field centers since 1991;
(10) furthermore, the security of 60 percent of the systems that GAO reviewed had not been independently audited;
(11) NASA was not providing required computer security training, and it had no structured security training curriculum;
(12) NASA did not centrally coordinate responses to security incidents;
(13) NASA field centers were not reporting incidents to the NASA Automated Systems Incident Response Capability (NASIRC);
(14) NASA management is aware that its IT security program needs improvement;
(15) accordingly, in May 1998, NASA initiated a special review of its IT security program;
(16) the review identified a number of shortcomings that are consistent with GAO's findings; and
(17) although NASA is planning to address these shortcomings, at the time of GAO's review, few of the special review's recommendations had been implemented.