According to the report, NASA networks and systems have been successfully targeted by cyber attacks. It said that during fiscal 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information.
Despite establishing a Security Operations Center to respond to these problems, GAO said the control vulnerabilities and program shortfalls that it identified have increased the risk of unauthorized access to NASA’s sensitive information, as well as inadvertent or deliberate disruption of its system operations and services, GAO said.
GAO recommended that the CIO take a number of actions including to develop and implement comprehensive and physical risk assessments that include mission-related systems and applications and known vulnerabilities identified in agency security plans and waivers.
It also said the CIO should develop and fully implement security policies and procedures for malware, incident handling roles and responsibilities, and physical environmental protection.
The CIO should further conduct sufficient or comprehensive security testing and evaluation of all relevant security controls including management, operational, and technical controls, as well as implement an adequate incident detection program, the report said.