NASA has signed a $622.5 million cybersecurity contract with Booz Allen Hamilton to boost the agency’s IT security under its CyPrESS programme, announced last year.
The NASA Booz Allen contract, which was due to be awarded in February but appears to have slipped a few months, is the agency’s first ever enterprise cybersecurity contract. It will initially run from 31 May to 30 September 2023, with options to extend up to 30 September 2030.
The CyPrESS – Cybersecurity and Privacy Enterprise Solutions and Services – programme is one of two NASA initiatives to try and improve its hitherto woeful IT security. CyPrESS is aimed at eliminating the extensive IT security duplication, where each NASA centre handles its own cybersecurity, according to the NASA Office of Inspector General’s (OIG) 2021 annual report.
The other initiative is the Mission Support Future Architecture Program (MSFAP), under which “Center Chief Information Security Officers and cybersecurity staff will be realigned from the Center [Office of the CIO] to the Senior Agency Information Security Officer, moving the Agency towards an enterprise computing model that would centralize and consolidate IT capabilities, such as software management and cybersecurity” according to the OIG report.
It noted the current situation is fragmented: “The day-to-day work of NASA employees, missions are left to their own discretion to interpret and implement requirements and, importantly, absorb costs associated with cybersecurity. Smaller missions lack assets (people, tools, and funding) to devote to cyber efforts and tend to prioritize gathering science while putting cybersecurity low on their ‘to-do’ lists.”
Both the NASA Booz Allen contract and the MSFAP initiative are attempts to improve the agency’s hitherto woeful IT security. Cybersecurity has been a challenge for NASA for some time, with incidents such as the use of an unauthorised Raspberry Pi at JPL to breach the centre’s network and steal 500MB of data related to Mars missions.
A NASA OIG report on insider threats released in March warned the agency’s risk exposure is “significant and varied” – as The Stack reported at the time.
See: NASA warned on IT security over insider threat risk
Linked to the insider threat issue, the latest NASA OIG annual report noted “improper use incidents” – such as using unencrypted email to send “Sensitive but Unclassified” data, personal information or arms trafficking regulations data – increased 343% from 2017 to 2020, with 1,103 incidents that year.
The OIG also criticised NASA for “not adequately monitoring and enforcing the business rules” set for the agency’s 15,000 mobile devices – made worse due to home-working during the Covid-19 pandemic. And the OIG highlighted NASA’s issues with its assessment and authorisation (A&A) process.
“NASA is inconsistent and ineffective with its A&A process because of its decades-long decentralized approach to cybersecurity. Over the past 6 years, we have reported that certain types of assessment data have been ignored or discarded as irrelevant during the A&A process, leaving systems incorrectly categorized at lower risk impact levels than their criticality requires and resulting in increased vulnerability to cyber risks,” said the OIG report.
The same report also noted: “During the 2021 [Federal Information Security Management Act] evaluation, NASA’s information security program showed some improvement but still fell short of the Office of Management and Budget’s watermark for a program to be considered effective. Similarly, in July 2021 NASA received an overall FITARA grade of C+ given its challenges in managing cyber risks.”
Between the NASA Booz Allen contract for CyPrESS ,and MSFAP, the agency aims to tackle these issues by moving towards a more standard enterprise security architecture. This will still be challenging due to what the OIG refers to as “ambiguity” in the technical integration of the enterprise security architecture and NASA’s overall enterprise architecture – as well as “disjointed internal management structures and funding authorities”.
But the OIG did note the situation at NASA is improving, thanks in large part to keeping the same security chief for a while: “Most important has been the stability of having a tenured Senior Agency Information Security Officer in place for more than 4 years—longer than any other in NASA history. The continuity of leadership has been critical for the OCIO, and the Agency as a whole, to advance cybersecurity readiness.”