Description of Driving Event:
Implementation of NASA Agency-Wide Computer Security Plan
Lesson(s) Learned:
NASA has initiated an agency-wide program to deal with general computer security. Significant parts of NASA's initial plan depend upon the voluntary compliance of system users including contractors.
Recommendation(s):
Expand the agency-wide security system development work to include less dependence on human compliance with the system. NASA should also require contractors to participate in its security efforts.
Evidence of Recurrence Control Effectiveness:
NASA concurs with both parts of the recommendation. Regarding less dependence on human compliance, all NASA Centers have installed software and hardware tools that automatically scan for hostile code, system vulnerabilities, and hostile intrusions. These tools are not perfect; they require human oversight. However, they do reduce the amount of manual labor and the amount of human discretion involved in finding and dealing with attacks. NASA is exploring with vendors the possibility of applying artificial intelligence techniques to identify patterns in intrusion detection data that may not be obvious. This field has not yet matured to the point that products or services are available, but we are hopeful that, in a year or two, prototype products may be available for evaluation. These products would reduce the amount of manual analysis required to identify attacks, and they would make it easier to correlate data from different Centers. We also use audits and metric reports to verify that human compliance has been adequate. For example, this year we will engage a third party to perform a technical audit of IT security provisions at three NASA Centers. Metric reports on security plans, training, and system vulnerabilities help us to track performance, thereby reducing discretion in compliance with NASA policy. However, IT security evolves rapidly. New threats must be countered manually until they are well enough understood for defense to be automated. Thus, we expect to rely on human intellect and energy to identify and deal with novel developments. Regarding requiring contractors to participate in its security efforts, we issued for comments, in January, a draft regulation to be included in the NASA supplement to the Federal Acquisition Regulations. This regulation would require NASA contractors, who operate computers or network systems on behalf of NASA, to adhere to appropriate provisions of NASA policies and procedures for information technology security. Comments on this draft have been dispositioned, and we expect the final regulation to be issued shortly. Also we are including contractors, such as the Consolidated Space Operations Contract, the Outsourcing Desktop Initiative for NASA, and the USA vendors, in various fora that coordinate IT security across systems operated on behalf of NASA. Although this effort is recent, we are seeing good cooperation. We expect integration of contractors to help maintain a seamless NASA IT security posture.
Documents Related to Lesson:
N/A
Mission Directorate(s):
- Space Operations
- Exploration Systems
Additional Key Phrase(s):
- Aerospace Safety Advisory Panel
- Computers
- Flight Operations
- Ground Operations
- Policy & Planning
- Risk Management/Assessment
- Security
- Software
Additional Info:
|
