NASA's Office of Inspector General (OIG) has released its annual audit of NASA's information security capabilities and practices, which received an overall rating of "Ineffective".
The review was conducted by the accounting firm RMA Associates, which rated NASA against a scale of 5 levels of information security maturity:
- Ad Hoc;
- Consistently Implemented;
- Managed and Measurable;
Level 4 is considered the benchmark for an effective cybersecurity program. According to the audit, NASA did not achieve this level in any of the 9 measured capabilities between October 1, 2021 and September 30, 2022.
The audit assigns a low rating to NASA because the agency simply does not have the tools or data to understand the location and health of its IT infrastructure, and there are no processes to identify or respond to risks.
NASA cannot identify and record all of the network devices it controls. To solve this problem, manual processes have been adopted. The agency has not conducted an assessment of staff cybersecurity knowledge since 2016.
The organization has not implemented recommended data protection and privacy standards, so its network is vulnerable. Moreover, multi-factor authentication (MFA) has not been implemented, and the supply chain risk management system has not yet been developed.
The agency's IT director was given a list of 17 recommended actions. NASA has promised to fix the defenses by November 17, 2023.