Little progress on IT governance, says NASA IG

In 2013 NASA was told to tighten up its IT governance policies and give its CIO greater visibility into IT spending and acquisition decisions. Four years later, an inspector general report cites little progress and wonders whether the agency can effectively oversee its IT assets.

IG reports have consistently found a disorganized IT hierarchy in which the agency CIO lacks visibility into IT spending and acquisition decisions. The lack of progress in addressing these issues over the years casts "doubt on the [CIO] office's ability to effectively oversee the Agency’s IT assets," according to the report.

Auditors have continually zeroed in on the powers and authorities held by NASA's four mission directorates and 11 centers as one of the chief causes of the disorganization. While the CIO and senior agency information security officer (SAISO) are two of the top IT executives within the agency, neither appear to have direct authority over critical staff and decisions made below them. 

Despite setting up an annual capital investment review process in 2016 to track the agency's $1.4 billion in annual IT spending, the OCIO only controls about one-fourth of that budget, with the rest being spent by mission directorates and centers. This has led to more than 30 separate definitions of "information technology" within the agency and inaccurate reporting around total IT spending.

One issue at the space agency is negotiating between the advanced computing equipment needed for aeronautics research and for operating and collecting data from interplanetary space missions  and the commodity IT and software used to administer the agency.

NASA's reply comments, signed by Pamela Hanes, the acting deputy CIO, take note of this delicate balance.

"NASA is an agency focused on the success of complex space, science, exploration and aeronautics missions. The IT landscape necessary to accomplish NASA's missions is also complex and tightly integrated within a variety of mission products and capabilities. Recognition of this complexity has guided the approach and pace at which OCIO can move forward toward the ultimate goal of managing IT at NASA as a strategic resource," Hanes wrote.

Similarly, while the SAISO is charged with overseeing IT security across NASA, mission directorates and centers manage the security for hundreds of networks and have their own staff and personnel who do not report to the agency’s top security executive.

After the 2013 audit, NASA brought in Forrester Research to examine the agency's IT organization structure and culture. According to its audit, Forrester found a number of cultural barriers contributing to the problem, including a fear of centralization as well as a lack of confidence in OCIO and individual centers and program managers.

A follow-up report by the consultant in 2016 documented perceptions among NASA staff that OCIO was risk-averse and unwilling to stand behind its decisions, causing significant damage to the office's credibility within the agency.

While the agency set up three separate governance boards in response to the 2013 audit to better coordinate IT decision-making, this has apparently only added to the confusion. A survey of IT officials at the agency "found the governance structure immature, unstable, and difficult to understand," while half of center CISOs were "confused by the new board structure, specifically regarding the role of IT security within the agency's IT framework."

NASA partially agreed with a few of the IG recommendations on centralizing authority, but it pushed back against the idea of giving the agency CIO and SAISO the kind role envisioned by the agency watchdog. NASA also indicated that some of the security issues identified in the IG report will be offset by the rollout of phase one of the Continuous Diagnostics and Mitigation program at NASA, set for completion by June 30 of next year.