The following audit report has been posted to the NASA Office of
Inspector General web site: Information Technology Security Planning
(IG-01-022, March 30, 2001)

To access the report, please go to:

Synopsis: The NASA Office of Inspector General has completed an audit
of System Information Technology Security Planning. We found that NASA
had established processes to ensure information technology (IT)
security is considered as a part of the Agency’s strategic information
resource program planning. NASA had established many new IT security
policies in response to the General Accounting Office (GAO) report
number GAO/AIMD-99-47, “Information Security, Many NASA Mission-
Critical Systems Face Serious Risks,” May 1999, and NASA’s internal
“Information Technology Security Program Review,” August 1998. The new
policies are adequate, but substantial work remains to fully implement

Management’s Response: NASA concurred with all but one recommendation.
It only partially concurred with our recommendation to select
vulnerability performance indicators that accurately reflect NASA’s IT
security risk. NASA was concerned about the amount of additional
testing for vulnerabilities that might be required. Nonetheless, NASA
has already changed the metric to scan for an updated list of
vulnerabilities and is planning to update the metric periodically. In
addition, the Chief Information Officer has agreed to work
collaboratively with the Office of Inspector General on the amount of
testing required.

To comment on this report, please send an e-mail to