NASA’s Office of the Inspector General (OIG) has found that the agency failed to implement an enterprise-wide information security program and that it had inaccurate and incomplete security plans for six information systems.
The OIG said in a report that four out of six systems were operating without contingency plans or with outdated plans meant to meet requirements under the Federal Information Security Modernization Act (FISMA).
The report also states that many of NASA’s common controls for information systems were “other than satisfied” and that the Office of the Chief Information Officer (OCIO) has yet to address deficiencies through a system security plan (SSP).
According to the IG, NASA must issue clarifying policy guidance and ensure that agency-wide oversight procedures identify risk assessment operations and corrective actions.
The IG noted that having information systems with outdated or no contingency plans puts the agency “at an unnecessarily high risk” and is “threatening the confidentiality, integrity, and availability of NASA information maintained in those systems.”