Dec 05

NASA OIG Faults Agency’s Continuous Monitoring

The OIG Audit Report found that NASA has “made progress in transitioning to a continuous monitoring program.”  However, the agency still has a significant amount of work to accomplish.  Specifically,

NASA needs to (1) create and maintain a complete, up-to-date record of IT components connected to Agency networks; (2) define the security configuration baselines that are required for its system components and develop an effective means of assessing compliance with those baselines; and (3) use best practices for vulnerability management on all its IT systems.

The report recognized that,

In May 2010, NASA announced a fundamental shift away from this “snapshot” C&A approach to real-time, device-level continuous monitoring. According to the Agency, this shift would enable near real-time risk management and ongoing security authorizations that reflect the true intent of applicable National Institute of Standards and Technology (NIST) guidance. NASA’s new approach emphasizes the importance of continuously monitoring components connected to NASA’s systems and focuses on critical controls that protect against the most common IT security incidents NASA has experienced.

The OIG report concluded that

NASA has not yet successfully transitioned from “snapshot” C&A processes to a fully implemented continuous monitoring program.

The complete audit report is attached below.

NASA-IG-12-006
