NASA's top watchdog talks IT

From his start as a Greenville, S.C., beat reporter to his current role in the nation’s capital, NASA Inspector General Paul Martin has long made it his job to point out organizations’ uncomfortable shortcomings.

“It’s sort of like straddling a barbed-wire fence,” Martin said of the IG job – you’ve got to keep a working relationship with your agency even as you rigorously audit its performance.

A mark of the IG’s outsider status is the way Martin talks about his agency. In answering questions about policy and practices, he refers to “Big NASA” (the IG office’s term for the non-IG parts of NASA) as “they,” not “we.”

One consistent theme through Martin’s work: NASA isn’t the perfect tech superstar some might think it to be, and its IT governance needs an overhaul.

Creative, open – too much so?

Before coming to NASA as IG in 2009, Martin served as deputy inspector general at the Justice Department.

That job gave him exposure to NASA’s polar opposite. There’s a “stark contrast” between the “innovative” culture at NASA and the “by-the-book law enforcement types” at DOJ, he said.

“My first day at NASA, their first question was, ‘PC or Apple?’” Martin recalled, saying it was “astonishing” coming from the Blackberry-only world of DOJ.

But that creativity and embrace of technology comes at a price.

Like other agencies, NASA has long lacked a complete IT inventory, which only heightens the vulnerability of its broad IT footprint.

NASA had more than 1,500 public-facing web applications – more than half of all federal websites – when Martin came on board, because of the agency’s mission to communicate openly with the American people and the fact that every time a new project would start, NASA would pop up a new website to house the data.

“From the IT security perspective, you are creating this incredible, rich target of opportunity for folks who want to hack into NASA’s systems,” Martin said.

NASA has since consolidated down to 1,200 websites, but those face mounting attacks.

“With NASA, we’ve got everything from hackers in the basement, seeing if [they] can get into a NASA system, just ’cause, to what appear to be foreign attacks, some may be state-sponsored, some may not be,” Martin said.

Many hackers are likely after the export-controlled designs NASA uses and, perhaps, information from NASA contractors that also do work with the Defense Department, Martin speculated.

FISMA isn’t the end-all

“I’m not sure that NASA has incredibly high marks for IT security,” Martin said.

This, despite the fact that NASA scored highly on its last Federal Information Security Management Act review: a 95 percent compliance rate, up from 91 percent in fiscal 2013 and well above its peer agencies’ average of 76 percent.

“They do well on our FISMA reviews,” Martin granted, “but the FISMA reviews up to this point really haven’t had a lot of teeth in them.”

FISMA addresses whether certain policies are in place, which has value, but “it doesn’t get down onto the ground nearly enough to find out whether those policies are translating into appropriate safeguards,” Martin said.

But there’s no other broad cyber security measure of its kind, and in the absence of a better FISMA, the solution is “active vigilance” from agencies and their IG offices, according to Martin.

NASA’s governance problem

With decentralization built into its character, NASA has long had a problem that would drive any IG nuts: an IT governance deficit.

“You would think the NASA CIO would have, certainly at least visibility over the whole agency’s IT spending, and/or you would think the NASA CIO would have control over some big portion of it,” Martin said.

But when his office audited spending in 2013, it found NASA’s CIO controlled 11 percent of IT spending.

“I was frankly shocked,” Martin said.

NASA’s 10 field centers controlled 27 percent of IT spending, and “the big kahuna,” mission directorates, controlled 62 percent, Martin recalled.

It was a bad situation for security.

“The CIO didn’t have the financial hammer,” Martin said. “The CIO is responsible for putting on IT security standards, but, you know, there’s no stick to enforce that when you only control 11 percent of the budget.”

NASA CIO Larry Sweet has instead resorted to using carrots, not sticks, in, say, his push for shared services. (Sweet’s office did not respond to a request for comment on this story.)

One-size-fits-all would be disastrous for an organization like NASA, which operates myriad unique projects and needs the expert judgment of managers intimately acquainted with tech needs, Martin noted.

“There is a balance,” he said. “You can’t wake up one day and say 100 percent of all IT spending goes through the agency CIO.”

But when the agency CIO doesn’t know spending is ballooning – as Sweet’s predecessor didn’t in 2010 when NASA IT spending was budgeted at $1.6 billion and actually hit $2 billion – something needs to change, Martin said.

“There’s control, and there’s even visibility of it,” he said, noting the security and financial benefits of having better inventories, avoiding duplication and finding deals with vendors.

Some progress has been made.

“NASA … is steadily working to improve its overall IT security posture … [and] develop more effective IT governance,” acknowledged the IG’s latest semiannual report.

“They’ve been slowly moving toward giving the agency CIO more authority and more visibility,” said Martin.

What’s next for NASA’s watchdog?

While he championed the importance of IT security, the only active IT audit Martin’s office has going is next year’s FISMA report.

Instead of specific focus on IT security in a dedicated audit, Martin said security is a crucial part of most audits across NASA.

But he could dive in on some cybersecurity-focused work.

“We haven’t done work to assess whether NASA spending levels on IT security are appropriate given the size of its IT footprint,” Martin said, “and as I’m sitting here talking I think that’d be a fascinating review to try to do, those comparisons, if they’re relevant across government.”

And he hopes to return soon to the IT governance issue, which has been staring down Sweet since he took the CIO job in 2013.

“I would like to fire up a follow-up review looking at how NASA is implementing our IT governance recommendations,” he said, but for now, it’s just a glimmer in his eye.