Description of Driving Event:
Agency-Wide Computer System Vulnerabilities
Lesson(s) Learned:
Further analysis of NASA's planned agency-wide computer security system is needed to understand its vulnerabilities and the programs and activities to which the system should be applicable.
Recommendation(s):
Conduct a thorough analysis, together with the National Security Agency, to determine the level of computer security required by the Agency, the level of security that can be expected from the system and its most serious vulnerabilities. Also require all major mission or safety critical programs to have a qualified third party conduct a computer vulnerability analysis of their designs as soon as possible.
Evidence of Recurrence Control Effectiveness:
NASA concurs in principle with both parts of this recommendation. Regarding analysis with the National Security Agency (NSA), we conducted a thorough internal study in 1998 to determine the level of required computer security, and GAO audited our computer security the same year. In addition, we are using a combination of internal audits/tests and third-party audits/tests to determine our security at a technical level. Our metrics also provides ongoing information about the adequacy of our computer security. Finally, the NASA Inspector General has made computer security a high priority for audits and inspections. Thus, we are not sure that adding another layer of analysis by the NSA will add commensurate value. Every analysis or audit disturbs ongoing work, and, at some point, additional analyses can actually degrade security because they have negative marginal value. We will discuss with the NSA what services that they could provide, to establish whether contracting with them would add significant value above what is already underway. Regarding major mission systems, we believe that there is merit in the recommendation but wish to consult with owners of such systems before levying this requirement. We require that managers of all "special management attention" systems complete IT security plans and provide written authorization to operate those systems this fiscal year. We expect that all major mission or safety critical systems are included among the special management attention systems. Thus, these activities will provide a documented baseline for discussion regarding the value of third-party analyses.
Documents Related to Lesson:
N/A
Mission Directorate(s):
- Exploration Systems
- Aeronautics Research
Additional Key Phrase(s):
- Flight Operations
- Ground Operations
- Policy & Planning
- Risk Management/Assessment
- Security
- Software
Additional Info:
|
