NASA doesn't know what's on its network

According to a watchdog report, NASA can't provide an accurate count of the number of contractor-owned devices connected to its networks, and governance problems are hurting the agency's attempts to get a better handle on overall cybersecurity.

According to an Aug. 27 inspector general report, NASA is "not adequately securing its networks from unauthorized access" from partner and employee IT devices and doesn't have controls in place to remove or block devices as needed.

Because of these failures, "NASA remains vulnerable to cybersecurity attacks because enforcement controls to block unauthorized IT devices from accessing its networks and systems are not fully in place and operational," the report states.

The report offers a look at how the space agency ping-ponged between trying to crack down completely on shadow IT, including contractor and employee devices, and attempting to implement a management system to control access. In April 2018, NASA's CIO tried to take a tough line on shadow IT, banning personal devices. But that policy was relaxed in October of the same year, with rules put in place for employee and contractor devices to connect to networks and enterprise email.

The report references two security incidents at NASA: an October 2018 data breach in which data on current and former employees was stolen from an agency server and a 2019 instance of a contract employee using his personal computer to mine cryptocurrency via a NASA network. These events aren't directly linked to NASA's device management policy, however.

This May, NASA began to get more aggressive with users who were not keeping the operating systems on their network-connected personal devices up to date. The agency uninstalled its mobile device management system from users who hadn't updated, blocking them from agency e-mail.

By the agency's own count, there are almost 1,300 employee personal devices that can connect to the agency’s Microsoft Office 365 enterprise email system. According to NASA's CIO, there is not an "authoritative source" for a count of contractor and other partner-owned devices authorized to access NASA networks.

Part of the issue has to do with CIO authorities and contracting. While NASA has been trying to centralize technology budgeting and management as required under the Federal IT Acquisition Reform Act, the agency still faces cultural obstacles to central management, and technology officials at the different NASA centers retain significant authority and oversight. The agency has racked up some of the worst grades on the biannual FITARA scorecard released by the House Oversight Committee. On the latest iteration, NASA earned an F grade for CIO authorities and a D for transparency and risk management.

On the contracting side, NASA was supposed to have device management enforcement controls in place by December 2019, but that target has slipped, in part due to technical obstacles imposed by multiple contracts that require certification by different entities -- making overarching authentication a problem.

The report also notes that there are not enforcement controls in place to ensure that devices that violate supply chain controls aren't permitted to access agency systems.

NASA'S Office of Inspector General conducted its audit of the agency's network access and management controls from March 2019 through July 2020. The report only made one mention of the possible consequences of the COVID-19 pandemic on NASA's efforts to shore up its device controls, noting that "on-site work restrictions associated with the agency's response to the COVID-19 pandemic have negatively impacted the implementation schedule" of a network access control project and the Continuous Diagnostics and Mitigation program.

The report concluded that despite some improvements, NASA's "decentralized approach to cybersecurity management limits" the CIO's visibility into cybersecurity at the agency's far flung centers. "We acknowledge the inherent difficulty in balancing Center-specific flexibilities and desire for autonomy with the need for a robust, enterprise-wide approach to IT security," the auditors wrote. "However, in the face of persistent cybersecurity threats, NASA needs to quickly move to a more consistent, enterprise-wide approach to identifying and managing these risks."

NASA's Acting CIO Jeff Seaton agreed with the conclusions of the report and said that the risks cited therein would be addressed through policy changes and implementing technology tools before the close of 2021.