NASA still has security gap

"Information Technology Security Planning"

NASA has improved its security processes since a scathing General Accounting Office report found holes in some of the space agency's mission-critical systems. But NASA still needs to improve the way it scans for potential vulnerabilities, a new audit by the agency's inspector general says.

NASA has implemented nearly all of the recommendations from a May 1999 GAO report, which revealed that auditors were able to hack into several systems. Those systems included one responsible for calculating detailed positioning data for Earth-orbiting spacecraft and another that processes and distributes scientific data received from those spacecraft.

"Overall, the new policies that NASA established are adequate, but substantial work remains to fully implement them," the IG report stated.

The IG report, "Information Technology Security Planning," dated March 30 but released last week, says that NASA's current policies for scanning its computer systems for a limited number of vulnerabilities "do not result in an adequate assessment of the agency's IT system vulnerabilities."

"As a result, the IT security risks and metrics that NASA reports to the Congress may understate NASA's IT vulnerabilities and provide undue assurance on the integrity, availability and confidentially of information," according to the report, which has some portions redacted for security reasons.

NASA does not use scanning software to detect many types of vulnerabilities, the IG said.

The IG makes several recommendations in the report.

* NASA should include in its performance plan a description of the time and resources necessary to implement its IT security program.

* NASA should develop IT security metrics to cover the requirements of the Office of Management and Budget's requirements.

* NASA should select metrics for measuring the performance of its IT security program that ensures they accurately reflect the current risks.

* NASA should describe the extent of vulnerability testing used to calculate the IT security metrics that is presented to Congress as part of its annual performance plan.

NASA officials concurred with many of the recommendations. The agency's fiscal 2002 performance plan, for example, has been changed to make it clear that only a specified set of vulnerabilities is included in its metrics and that the scanned vulnerabilities may change from quarter to quarter.

Agency officials said that for now, it is not possible to "ensure" that the performance measurements accurately reflect NASA's IT security risk. "We have not claimed that the metric does this," NASA chief information officer Lee Holcomb said.

"We believe that our current vulnerability testing reflects a balance of effectiveness and cost," he said in a written response to the IG report. He noted, however, that the agency would work with the IG's office to further hone the balance between effective and exhaustive vulnerability testing.

About the Author

Christopher J. Dorobek is the co-anchor of Federal News Radio’s afternoon drive program, The Daily Debrief with Chris Dorobek and Amy Morris, and the founder, publisher and editor of the, a leading blog for the Federal IT community.

Dorobek joined Federal News Radio in 2008 with 16 years of experience covering government issues with an emphasis on government information technology. Prior to joining Federal News Radio, Dorobek was editor-in-chief of Federal Computer Week, the leading news magazine for government IT decision-makers and the flagship of the 1105 Government Information Group portfolio of publications. As editor-in-chief, Dorobek served as a member of the senior leadership team at 1105 Government Information Group, providing daily editorial direction and management for FCW magazine,, Government Health IT and its other editorial products.

Dorobek joined FCW in 2001 as a senior reporter and assumed increasing responsibilities, becoming managing editor and executive editor before being named editor-in-chief in 2006. Prior to joining FCW, Dorobek was a technology reporter at, one of the first online community centers for current and former government employees. He also spent five years at Government Computer News, another leading industry publication, covering a variety of federal IT-related issues.

Dorobek is a frequent speaker on issues involving the government IT industry, and has appeared as a frequent contributor to NewsChannel 8’s Federal News Today program. He began his career as a reporter at the Foster’s Daily Democrat, a daily newspaper in Dover, N.H. He is a graduate of the University of Southern California. He lives in Washington, DC.


  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

Stay Connected