NASA looks to change course on cybersecurity with new contract


NASA is aiming to correct longstanding cybersecurity management issues identified in a recent inspector general report through a unified IT contract that was scheduled to publish a request for proposals this month.

"Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity," according to a May 18 report by NASA's inspector general. "We found that NASA's ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture."

The IG links most of the agency's problems to its "enterprise architecture," or in other words, the core framework for how it manages IT. NASA, according to the watchdog, has for years had a "fragmented approach" to IT with multiple lines of authority.

The agency manages an online presence of 3,000 websites and 42,000 publicly accessible databases. While it has worked to improve its cybersecurity posture, the IG assessed that NASA has been subjected to more than 6,000 cyberattacks in the past four years, including phishing scams and malware.

In sum, the agency's posture exposes it to a "higher-than-necessary risk" from cyber threats.

Among the watchdog's recommendations for change is to advance a wide-ranging cybersecurity management contract called CyPreSS – Cybersecurity and Privacy Enterprise Solutions and Services.

Cypress has a long list of IT service requirements including a security operations center, penetration testing, vulnerability management, supply chain risk management, training and awareness as well as identity, credential, and access management.

GovWin, a government contracting database maintained by Deltek, indicated the solicitation was expected to be released on May 17 and an award will be announced in November, with work expected to begin in February 2022. The federal System of Awards Management indicates the project is still in the pre-solicitation phase.

The IG also notes NASA's methods for assessments and authorizations of IT systems are inconsistent and ineffective across the agency.

"These inconsistencies can be tied directly to NASA's decentralized approach to cybersecurity. NASA plans to enter into a new Cybersecurity and Privacy Enterprise Solutions and Services…contract intended to eliminate duplicative cyber services, which could provide the Agency a vehicle to reset the [assessment and authorization] process to more effectively secure its IT system," the report states.

Jeffrey Seaton, NASA's CIO, concurred with all of the IG's recommendations including one to develop the baseline requirements for the Cypress contract.

In response to the IG's recommendations, NASA will also establish an enterprise architecture program, begin tracking metrics on the effectiveness of its enterprise security architecture, and conduct a cost assessment for the agency's 526 IT systems identified by the IG.

About the Author

Justin Katz is a former staff writer at FCW.

