With a New Contract, NASA Hopes to Shift Course on Cybersecurity

by CISOCONNECT Bureau

NASA is planning to release a request for bids this month for a unified IT contract to address long-standing cybersecurity management flaws noted in a recent Inspector General (IG) report.

A May 18 report by NASA’s Inspector General states, “Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity.”

“We found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture.”

Most of the agency’s problems, according to the IG, can be traced back to its “enterprise architecture,” or in other words, the core framework for how it manages IT. NASA has had a “fragmented approach” to IT for years, according to the watchdog, with several lines of authority.

The agency is in charge of 3,000 websites and 42,000 publicly available databases on the internet. While NASA has tried to enhance its cybersecurity posture, the IG estimated that over 6,000 cyberattacks, including phishing scams and malware, had been launched against it in the last four years.

In short, the agency’s position puts it at “a higher-than-necessary risk” from cyber-attacks.

Advancing a wide-ranging cybersecurity management contract termed CyPreSS – Cybersecurity and Privacy Enterprise Solutions and Services – is one of the watchdog’s recommendations for change.

A Security Operations Centre (SOC), penetration testing, vulnerability management, supply chain risk management, training and awareness, and identity, credential, and access management are among CyPreSS’s IT service requirements.

The solicitation was expected to be released on May 17 and an award will be made in November, with work starting in February 2022, according to GovWin, a government contracting database maintained by Deltek. The project is still in the pre-solicitation phase, according to the federal System of Awards Management.

NASA’s methodologies for assessing and authorising IT systems, according to the IG, are inconsistent and inadequate across the agency.

The report states, “These inconsistencies can be tied directly to NASA’s decentralized approach to cybersecurity. NASA plans to enter into a new Cybersecurity and Privacy Enterprise Solutions and Services…contract intended to eliminate duplicative cyber services, which could provide the Agency a vehicle to reset the [assessment and authorization] process to more effectively secure its IT system.”

All of the IG’s recommendations were accepted by NASA’s CIO, Jeffrey Seaton, including one to set baseline requirements for the CyPreSS contract.

In response to the IG’s recommendations, NASA will also establish an enterprise architecture program, begin tracking metrics on the effectiveness of its enterprise security architecture, and conduct a cost assessment for the agency’s 526 IT systems highlighted by the IG.
