
Protecting and Safeguarding NASA Information and Information Systems
By Evelyn Davis and Valarie Burks, NASA IT Security Division, OCIO

What if this article was the national headline across the United States? Is NASA protecting and safeguarding its information and information systems? Is it possible to protect and safeguard information and information systems 24/7?

How can any Federal agency protect and safeguard information and information systems with the new challenges in cybersecurity? What is the first step in meeting this type of challenge? Over the last few years, NASA has promoted the Annual IT Security Awareness Training, which is a mandate for all Federal and contractor employees. The training is the first step toward teaching the NASA community how to protect and safeguard information. Awareness activities, such as WebEx training sessions on protecting home computers and on learning how to detect, prevent, and safeguard against the various malicious code sent through email and Web sites, reinforce the training and serve as reminders.

Recently, NASA’s Inspector General pointed out in his testimony at a congressional hearing that the Agency had experienced 5,408 computer security incidents in 2010 and 2011. These intrusions resulted in the installation of malicious software or unauthorized access which caused significant disruptions to mission operations, theft of export-controlled data and technologies, and cost the Agency more than $7 million.

In March 2012, the NASA Administrator issued an Agency-wide message on the importance of securing NASA laptops, iPads, and smartphones, which was a major step to strengthen the role of the Chief Information Officer (CIO) and IT security. The Administrator stated, “I take the issue of IT security very seriously—both for our equipment and the information stored on it. Information security maintains the integrity of our programs and ultimately keeps our missions and people safe.”

NASA has a wide array of organizational operations that support its missions. These operations may have different risk tolerances. Understanding these differences and the overall risk to the enterprise is challenging in such a large, diverse organization. To date, Advanced Persistent Threats (APTs) have compromised computer networks across virtually every Government department and agency and invaded the systems of nearly every major defense contractor. Therefore, the risk level has increased. Our need to protect information systems and the information stored on NASA equipment is greater than ever before.

The rapid growth of the Internet and its various facets, such as social media sites, wikis, blogs, and Web sites, to disseminate information across the masses is no longer novel. This trend has given rise to rogue elements within the cyber community who misuse the privileges of easy access to a wide audience to cause damage to the security and economic fabric of Federal and non-Federal entities.

NASA strives to continue to be a leader in innovation and technology across the Federal sector. To preserve that legacy, cybersecurity at NASA must be an agile, forward-thinking, and cohesive organization, thereby allowing NASA to ensure that its projects, programs, and missions are protected and safeguarded against the ongoing global threats from cybercriminals, hackers, and organized groups. To achieve this goal, all NASA employees must take responsibility for safeguarding the security of NASA information. As a united front, NASA employees can protect, prevent, and preserve information and information systems—the key to beginning a cybersecurity transformation at NASA. Cybersecurity challenges over the next decade demand enhanced collaboration, communication, and resources to meet the emerging and ever-changing threat environment.

The Office of the Chief Information Officer and the IT Security Division remain committed to continued improvement of the IT security posture as the NASA IT security program transforms and matures in the 21st century.