NASA's Office of Inspector General (OIG) has published its annual audit of NASA's information security capabilities and practices, which received an overall rating of “inefficient”.
The review was carried out by the accounting firm RMA Associates, using quality standards that define 5 maturity levels for information security.
Level 4 is considered the standard of an effective cybersecurity program. According to the audit, NASA did not reach this level for any of the 9 measured capabilities for the period from October 1, 2021 to September 30, 2022.
The audit attributes NASA's low rating to the fact that the agency simply does not have the tools or data to understand the location and state of its IT infrastructure, and has no processes for determining risks or responding to them.
NASA cannot identify and record all the network devices that it controls. To solve this problem, manual processes were adopted. The agency has not assessed its personnel's cybersecurity knowledge since 2016.
The organization has not implemented the recommended data protection and confidentiality measures, so its network is vulnerable. Moreover, multi-factor authentication (MFA) has not been introduced, and a supply chain risk management system has not yet been developed.
The agency's IT director provided a list of 17 recommended actions. NASA promised to fix its defenses by November 17, 2023.