Cybersecurity’s Moon Shot

NASA is leading the way with a mandate to manage computer risks in real time.

While other federal agencies wait for the White House and lawmakers to conclude their battle over stalled cyber legislation, NASA now has its own mandate to manage cyber threats using real-time intelligence. Before breaking for campaign season, space fans in Congress quietly pushed through a workaround in a law that requires NASA to keep lawmakers posted on its efforts to continuously monitor vulnerabilities across agency computer networks.

The NASA reauthorization bill also requires the agency's chief information officer to create an information security awareness and education program for employees and contractors. These are steps NASA and a few other agencies, such as the State Department, have been taking since the spring to bolster cyber defenses in anticipation of an overhaul of the government's nearly decade-old information security law.

NASA officials say they welcome the new legislation and expect their progress on cyber surveillance will spur other agencies to catch up. For most federal computer systems, the only window into their security status is periodic summaries of incidents. Critics say the existing law, the 2002 Federal Information Security Management Act, focuses too much on paperwork documenting protocols and not enough on executing them.

The NASA legislation, which President Obama signed in October, also mandates an agency study to determine whether the constant-surveillance framework is more effective than other methods of managing security. Continuous reporting is expected to reduce the time and cost of complying with FISMA, supporters say.

"It's a direction where we've already been going because we think it's important," says Marion Meissner, acting deputy CIO for IT security at NASA. In May, Jerry Davis, then deputy CIO for IT security, relaxed requirements for certifying network compliance to let managers concentrate on creating an automated risk management process. Today, every NASA center has a near real-time dashboard, or status-tracking website, that provides daily updates on security configurations, patches and network vulnerability scanning, Meissner explains. "If what we do is successful and we can show a measured improvement, then other agencies will be able to do this as well," she says.

During the past several years, Government Accountability Office auditors have identified weaknesses in NASA networks that could threaten space missions. "These networks traverse the Earth and beyond, providing critical two-way communication links between Earth and spacecraft; connections between NASA centers and partners, scientists and the public; and administrative applications and functions," GAO officials wrote in a February report on the challenges key agency programs face.

Passage of the NASA provisions comes amid a White House effort to update information security policies governmentwide. As of this fall, agencies must use automated tools for transmitting data on computer inventories, security incidents and other indicators to a secure online inbox called CyberScope.

But many agencies are off target. "My bet is it won't be done in the next year," says James A. Lewis, a senior fellow at the nonpartisan Center for Strategic and International Studies who researches cybersecurity. Of the 24 major agencies, "a few of them are already there; a lot of them are not," Lewis adds. He had estimated between 20 percent and 25 percent of the major agencies would be online this fall.

NASA is an exception. "We're meeting all the reporting requirements for CyberScope using the new tool," Meissner says. "We believe we are one of the few agencies that are able to do that this year using automated summaries." Aside from monitoring patches, configurations and scans, the dashboard helps managers inventory their hardware, software and external connections. They can check how many assets are hooked up to the automated system to confirm supplies.

To comply with the new law, NASA officials next year will connect more data sources to the tool, known as the IT security enterprise data warehouse, so they can gather additional indicators. Data quality will be the big challenge, officials note. "Anytime you integrate complex systems it takes time to ensure you have accurate data," Meissner says.

The cyber alert technology is not aboard the International Space Station and will not be spacebound anytime soon. "The tools that we have are not deployed up there," Meissner says. "Communications between the ground and ISS may not have the bandwidth to monitor that kind of information."

A House committee proposal aimed at decreasing the risks of cloud computing didn't make it into the bill, but senators on both sides of the aisle say they would be willing to pass the provision in a separate NASA spending bill. Cloud computing, a private sector practice that is gaining popularity in the government, allows agencies to access hardware and applications on demand and online through a third-party provider, instead of maintaining server farms and paying for software licenses.

The space agency was a government pioneer in the cloud back in 2008, when it launched Nebula, a service that has made it easier for scientists to exchange massive data sets with research partners and the public.

The House Science and Technology Committee agreed to a last-minute bipartisan compromise bill that called for NASA to inform lawmakers of any instances when classified or sensitive information is exchanged in the cloud, as well as any measures taken to ensure the data is protected. But the House ended up voting on the Senate version, which didn't include the committee's proposal.

Meanwhile, the Homeland Security Department is helping other agencies transition to the new digital surveillance method. "I do think this will give us in the long run much higher fidelity information," says Greg Schaffer, DHS assistant secretary for cybersecurity and communications. He says the shift to real-time monitoring will be "a process," adding he cannot provide a specific timeline. Lewis notes, "It's a big change, and moving people from where they are now to a better place is a great first step."
