Federal Manager's Daily Report

NASA has made progress implementing security controls and aspects of its information security program, but it has not always implemented appropriate controls to protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates, GAO has said.

It said the space agency has not consistently implemented effective controls to prevent, limit, and detect unauthorized access to its networks and systems.

After examining network and system controls at three NASA centers, analyzing agency information security policies, plans and reports, and interviewing agency officials, GAO said NASA did not always sufficiently identify and authenticate users.

It also said NASA did not always restrict user access to systems, encrypt network services and data, protect network boundaries, audit and monitor computer-related events, and physically protect IT resources.

According to GAO-10-4, weaknesses also existed in other controls intended to appropriately segregate incompatible duties, manage system configurations, and implement patches.

It said a key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.