NASA IG: Houston, We Have a Continuous Monitoring Problem
A NASA Inspector General (IG) report released Monday, "NASA Faces Significant Challenges in Transitioning to a Continuous Monitoring Approach for Its Information Technology Systems" [PDF], finds just that: The agency has a lot of work to do as it moves from certification and accreditation-based (C&A) security assessments to continuous monitoring of the over 120,000 IT components that connect to NASA's networks.

Mission Control, Johnson Space Center during the flight of Space Shuttle Challenger, STS-41C. Photo: NASA.
Background
By all accounts, NASA is a high-profile target for cyberattackers. According to the report, in 2009 and 2010, NASA reported 5,621 cybersecurity incidents that could have resulted in the installation of malware or loss of sensitive data. High-profile examples of intrusions range from a British national looking for UFO evidence in 2002 to multiple incidents involving Romanian hackers and alleged satellite disruptions in 2007 and 2008.
In April 2010, the Office of Management and Budget (OMB) updated its guidelines for agencies complying with the reporting requirements of the Federal Information Security Management Act of 2002 (FISMA), shifting from periodic C&A security assessments (in NASA's case, every three years) to continuous monitoring.
The move to continuous monitoring reflects a government-wide desire to respond more quickly and with more agility to potential threats, as well as a desire to use automation to leverage limited personnel resources. However, implementation of successful continuous monitoring relies on three main elements, and the NASA IG found significant problems with each one.
Maintaining Complete and Accurate IT Component Inventories
NASA's tool for keeping track of its IT components is its IT Security – Enterprise Data Warehouse (ITSEC-EDW) database. In a sampling of 289 components, the IG found that the "overwhelming majority" were not included in the database, with 61 percent not present at all, and an additional 32 percent missing patch agent or vulnerability data.
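The inventory gap the IG describes (components seen on the network but absent from the database, or present without patch-agent or vulnerability data) is the kind of thing a continuous-monitoring program should measure itself. The following is an added example, not NASA's or the IG's code; the host names, the record fields and the ITSEC-EDW-style schema are constructed assumptions.

```python
"""Inventory-coverage check: reconcile discovered hosts against the inventory DB.

All data below is constructed for illustration; the field names are an
assumption, not NASA's actual ITSEC-EDW schema.
"""
from collections import Counter

# Constructed: components observed on the network (e.g. from a discovery scan).
DISCOVERED = ["ws-001", "ws-002", "srv-db1", "srv-web1", "lx-build", "sol-old"]

# Constructed: what the inventory database knows. A record may exist yet still
# lack patch-agent status or vulnerability data, the second gap the IG found.
INVENTORY = {
    "ws-001": {"patch_agent": True, "vuln_data": True},
    "ws-002": {"patch_agent": False, "vuln_data": True},
    "srv-web1": {"patch_agent": True, "vuln_data": False},
    "retired-01": {"patch_agent": True, "vuln_data": True},  # never seen on the wire
}


def classify(host, inventory):
    """Return 'absent', 'incomplete' or 'tracked' for one discovered host."""
    rec = inventory.get(host)
    if rec is None:
        return "absent"
    if not (rec.get("patch_agent") and rec.get("vuln_data")):
        return "incomplete"
    return "tracked"


def coverage_report(discovered, inventory):
    """Percentage of discovered hosts per class, plus host lists for remediation.

    Also reports 'stale' inventory records: hosts in the DB but not discovered.
    """
    classes = {h: classify(h, inventory) for h in discovered}
    counts = Counter(classes.values())
    total = max(len(discovered), 1)  # avoid division by zero on an empty scan
    keys = ("absent", "incomplete", "tracked")
    pct = {k: round(100 * counts[k] / total, 1) for k in keys}
    hosts = {k: sorted(h for h, c in classes.items() if c == k) for k in keys}
    hosts["stale"] = sorted(set(inventory) - set(discovered))
    return pct, hosts


if __name__ == "__main__":
    pct, hosts = coverage_report(DISCOVERED, INVENTORY)
    for k in pct:
        print(f"{k:10s} {pct[k]:5.1f}%  {hosts[k]}")
    print(f"stale inventory records: {hosts['stale']}")
```

Run against real discovery and inventory exports, the "absent" and "incomplete" lists are the work queue; the percentages are the metric to trend over time.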
Implementing Effective Security Configuration Management
After an organization determines its IT component inventory, it then has to ensure and monitor that those components have properly maintained security baseline settings. For systems running Microsoft Windows XP and Vista, the baseline settings (found in the National Institute of Standards and Technology [NIST] Federal Desktop Core Configuration [FDCC]) were checked automatically. However, NASA had no process for automatically monitoring and reporting the baseline settings for its Windows Server, Linux and Unix systems, which had baseline settings determined by the Center for Internet Security (CIS) Security Configuration Benchmarks.
In its report, the IG found a wide variance in components' compliance with CIS benchmarks, and noted that in some cases NASA's non-compliant IT components were actually more secure than the benchmark. In addition, the IG observed that the CIS Compliance Assessment Tool (CAT) can only be run against one of NASA's 120,000+ components at a time, concluding dryly that "CAT may not be a viable tool for continuously monitoring NASA's systems."
Monitoring and Managing Vulnerabilities
Last, the report found that NASA's monthly scans for high-impact vulnerabilities (those that pose the most risk to the system) capture only a small fraction of the known high-impact vulnerabilities in NASA's systems. In one example, NASA's typical vulnerability scan, a non-credentialed scan that does not use administrator rights to view installed software, found 59 high-impact vulnerabilities, whereas a follow-up credentialed scan found 2,644.
Recommendations
The Inspector General's recommendations included having the NASA CIO:
- Expedite the development of content, metrics and monitoring for applying secure baseline configuration settings for IT components, with a priority on its Windows Server systems (the most common attack vector)
- Institute NASA-wide credentialed vulnerability scanning
- Verify the application of security baseline configurations and performance of credentialed scans
In addition, associate administrators for mission directorates and center chief information security officers were tasked with using CIS benchmarks (with documented deviations) for their non-Windows systems until NASA-specific baseline security configurations were provided by the Office of the CIO, and with ensuring that IT components were properly entered into ITSEC-EDW.
NASA management concurred with all of the IG's recommendations, with a plan to complete implementation of all aspects by January 31, 2013.
For additional information about cybersecurity opportunities for government contractors, see the GovWin IQ free summary report, Federal Information Security Market, 2011-2016.
Joe Loong is the managing editor of GovWin from Deltek, the network. He can be reached at joeloong@govwin.com, or follow him on Twitter @joelogon.
Joe Loong
Managing Editor at Deltek, Inc.
Managing Editor, GovWin: Social Media, Online Community, and Content Programming