Stay Informed
of New Reports
Twitter
Where To Report Waste
Fraud, Abuse, Or Retaliation
Where To Report Waste Fraud, Abuse, Or Retaliation

NASA Federal Information Security Modernization Act of 2014 Evaluation Report for Fiscal Year 2022

Submitting OIG: 
National Aeronautics and Space Administration OIG
Report Description: 
The Federal Information Security Modernization Act of 2014 requires the OIG to conduct an annual evaluation of NASA’s information security program. In this year’s review, we examined a sample of NASA- and contractor-owned information systems and assessed the effectiveness of information security policies, procedures, standards, and guidelines against the required metrics.
Date Issued: 
Monday, December 19, 2022
Agency Reviewed / Investigated: 
National Aeronautics and Space Administration
Submitting OIG-Specific Report Number: 
IG-23-006
Location(s): 
Agency-Wide
Type of Report: 
Inspection / Evaluation
Questioned Costs: 
$0
Funds for Better Use: 
$0
Number of Recommendations: 
17
View Document: 
AttachmentSize
PDF icon IG-23-006.pdf3.38 MB

Related Open Recommendations

Recommendation Number Recommendation Status Significant Recommendation Additional Details
1 Open No
Implement the necessary entity-wide oversight to monitor RISCS for delinquent ATOs and SARs and ensure the information system owners of the systems selected for testing in this evaluation complete delinquent ATOs and SARs so RISCS provides sufficient information to determine NASA’s risk exposure.
2 Open No
Design and implement the necessary entity-wide oversight, enforcement mechanisms, and controls to ensure all system-level BIAs are accurate and reviewed annually, as well as ensure the information system owners of the systems selected for testing in this evaluation complete a system-level BIA.
3 Open No
Review all information systems to determine if a BIA has been performed in accordance with NASA’s Information Technology Security Handbook (ITS-HBK), Contingency Planning (ITS-HBK-2810.08-01A).
4 Open No
Implement the necessary entity-wide oversight to monitor RISCS for accuracy and completeness, including reviewing portfolio-wide reports or dashboards demonstrating compliance with Federal requirements and enhancing decision-making.
5 Open No
Design and implement the necessary entity-wide oversight enforcement mechanisms and ensure the information system owner of the system selected for testing during this evaluation perform a system inventory of its software assets and licenses to ensure all software and license information are accurate and reviewed annually.
6 Open No
Develop policies, procedures, and processes to manage the cybersecurity risks of risk framing, risk response, and risk monitoring in accordance with NASA policy.
7 Open No
Document the NMI process in NASA’s ISCM Strategy to ensure its hardware inventory monitoring process is accurate, complete, and fully aligned with NASA’s other continuous monitoring guidance.
8 Open No
Develop a policy and implement the necessary entity-wide oversight to monitor risk through a risk register and a risk profile to provide enterprise-wide metrics to inform top management of its IT risks.
9 Open No
Implement the necessary oversight to monitor POA&Ms and RBDs in RISCS to identify ones that require action so it can ensure that the ISOs take the necessary action to review, update, and approve POA&Ms and RBDs, as necessary, before they become delinquent, taking into consideration the length of time required to obtain necessary approvals, and update RISCS.
10 Open No
Ensure that the system owners of the systems selected for testing in this evaluation address its past due POA&Ms and unapproved RBDs.

Pages

Displaying 10 of 17 Recommendations