NASA Inspector General Paul K. Martin today released a report that found significant challenges with NASA’s ongoing transition from an information technology (IT) security oversight approach that relied on periodic, static assessments to one that emphasizes ongoing and continuous monitoring of Agency systems.

The Federal Information Security Management Act of 2002 (FISMA) requires NASA and other Federal agencies to annually report on the security posture of their information systems. Prior to May 2010, NASA assessed the security posture of its systems using a “snapshot” certification and accreditation (C&A) process in which the Agency assessed security on a periodic schedule and at a fixed point in time. However, in May 2010 NASA announced a new approach that emphasizes the need to continuously monitor components connected to NASA’s systems and focuses on critical controls that protect against the most common IT security incidents NASA has experienced.

The Office of Inspector General (OIG) reviewed NASA progress in this transition to determine whether the Agency was establishing a solid foundation for a continuous monitoring program.

We found that NASA has not successfully transitioned from its former “snapshot” C&A process to a fully implemented continuous monitoring program. Specifically, we found that NASA needs to (1) create and maintain a complete, up-to-date record of IT components connected to Agency networks; (2) define the security configuration baselines that are required for its system components and develop an effective means of assessing compliance with those baselines; and (3) use best practices for vulnerability management on all its IT systems.

The OIG review concluded that failure to make improvements in each of these areas will limit NASA’s ability to accurately assess the security of its IT systems under this new continuous monitoring approach.

The full report can be found on the OIG’s website at http://oig.nasa.gov/ under “OIG Audit Reports” or at the following link: http://oig.nasa.gov/audits/reports/FY12/IG-12-006.pdf

Please contact Renee Juhans at (202) 358-1220 if you have questions.