Following a review of the cybersecurity risk management at the National Aeronautics and Space Administration (NASA), the U.S. Government Accountability Office (GAO) assessed the extent to which NASA implemented cybersecurity risk management for selected major projects. GAO reviewed NASA’s policies and guidance regarding cybersecurity risk management. GAO selected a non-generalizable sample of two major projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps and associated activities. GAO also interviewed project and cybersecurity officials.
NASA fully or partially implemented all steps of its cybersecurity risk management program for selected systems. However, partial determinations indicate that NASA did not perform key activities within the steps. For example, for the ‘prepare’ step, NASA did not have an approved organization-wide risk assessment, which is essential to identifying and mitigating the highest priority cyber threats across the enterprise. In the ‘monitor’ step, selected systems lacked documented…
