Specifically, the report, dubbed “NASA Needs to Remedy Vulnerabilities in Key Networks," and released late last week, said the space agency does not always sufficiently identify and authenticate users, nor does it encrypt network services; audit and monitor computer-related events or adequately protect its physical information technology resources.
Moreover, NASA networks and systems have been the targets of many successful cyberattacks, the report said. In a two-year period starting in 2007, NASA reported 1,120 security incidents that resulted in the installation of malicious software on its systems and unauthorized access to sensitive information.
“A key reason for these vulnerabilities is that NASA has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating effectively,” the report concluded.
The report made several recommendations to fix the problems, such as implementing an adequate incident detection program; conducting comprehensive security testing of security controls; and developing and implementing security policies for malware, physical protection and incident handling roles and responsibilities.
In a letter included in the report to Gregory Wilshusen, director of GAO information security issues, a NASA representative said the space agency "generally concurs" with the report's findings.“Many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve IT management and IT security program deficiencies,” Lori Garver, NASA deputy administrator, said. “We will continue to mitigate the information security weaknesses identified in this report."
The GAO also revealed that it would make 179 additional recommendations to address access control weaknesses identified during its investigation.