A new report from the Government Accountability Office (GAO) reveals that key NASA systems did not fully implement selected cybersecurity risk management activities – potentially exposing them to malicious cyber activities.
As part of its assessment, GAO analyzed two major NASA projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps from the National Institute of Standards and Technology (NIST).
The seven steps include: prepare, categorize systems, select controls, implement controls, assess control implementation, authorize the system, and continuously monitor security control effectiveness.
“NASA fully or partially implemented all steps of its cybersecurity risk management program for selected systems. However, partial determinations indicate that NASA did not perform key activities within the steps,” the report says.
For example, for the prepare step, GAO explains that “NASA did not have an approved organization-wide risk assessment. Such an assessment is essential to identifying and mitigating the highest priority cyber…
