References:
a. Fischer, E. A. (2012). Federal laws relating to cybersecurity: Discussion of proposed revisions. Washington, D.C.: Congressional Research Service.
b. Grossman, J. (2007). Cross-site scripting attacks. Boston, MA: Syngress.
c. Martin, P. K. (2012). NASA cybersecurity: An examination of the agency’s information security. Retrieved from http://oig.nasa.gov/.
d. NASA. (2011). Overview: NASA IT security. Retrieved from http://www.nasa.gov/.
e. NIST. (2007). Federal Information Security Management Act (FISMA) implementation project. Retrieved from http://csrc.nist.gov/publications/.
1. President Obama has declared the cyber security threat to be the greatest challenge faced by America today. The President has urged Congress to strengthen the legal machinery of the country in addressing the cyber security threat. Executive measures have also been implemented to mobilize information security programs in various federal agencies. As a repository of sensitive information, NASA is a federal agency susceptible to cyber attacks. Achieving an effective information security program for NASA is imperative. Determining the cyber security preparedness of NASA requires analysis of its current cyber security posture. This memorandum reports on the cyber security posture of NASA in terms of the impact of cyber legislation on the agency, the security standards applied by NASA, and an analysis of the key elements of NASA’s cyber security profile.
2. Cyber legislation is a catalyst in the development of NASA’s information security program. The Clinger-Cohen Act of 1996 created the Chief Information Officer (CIO) position at NASA, and the IT Security Division sits under the Office of the CIO. Policies on information security, especially privacy impact assessment and cyber security standards, were provided by the E-Government Act of 2002 and the Federal Information Security Management Act (FISMA) of 2002. Application of information security requirements, conducting internal evaluations, and cooperating with the GAO audit are also supported by cyber legislation (Fischer, 2012).
3. Security standards set the threshold for NASA’s information security program. Standards relevant to cyber security are contained in FISMA and enshrined in the National Institute of Standards and Technology (NIST) standards and Federal Information Processing Standards (FIPS) (Grossman, 2007; NASA, 2011).
4. Analysis of NASA’s cyber security profile indicates that the agency has adopted security controls (management controls, operational controls and technical controls) in its information security program. These controls are interrelated and require an effective alignment of management, operational and technical controls. Management controls are crucial to achieving agency-wide awareness of the program to support implementation, as well as to monitoring and maintaining the program (NIST, 2007). To date, NASA has not achieved full agency-wide awareness, there are lapses in continuous monitoring, and the agency is not prepared for serious cyber attacks (Martin, 2012). Operational controls are important in coordinating roles and efforts, making these controls dependent on management and technical controls (NIST, 2007). Weaknesses in NASA’s information security program are the limited coordinating role of the CIO and the lack of a centralized system for coordination (Martin, 2012). Technical controls manage access to NASA’s information system as well as detect, analyze and report cyber threats (NIST, 2007). Encryption on laptops and mobile devices has not been fully achieved, and modifications to cloud computing are still ongoing (Martin, 2012).
5. Findings show that while NASA has achieved progress in its information security program, there are areas for improvement in each category of controls. Given the susceptibility of the agency to cyber attacks, the weak areas in the three categories of controls should be addressed.
6. Improving NASA’s security requires the full implementation of its information security program with focus on the areas for improvement. An evaluation of NASA’s information security program showed that the major issues in the program emerge from the incomplete implementation of the program (Fischer, 2012; Martin, 2012). NASA should push for the complete implementation of its information security program to address key issues on cyber security.