Wednesday, May 23, 2018

NASA's Chief Information Officer Is Not Doing Their Job

NASA OIG Audit of NASA's Security Operations Center, OIG

"Since its inception a decade ago, the SOC has fallen short of its original intent to serve as NASA's cybersecurity nerve center. Due in part to the Agency's failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in OCIO leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the Agency's IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities. Industry best practice for an effective SOC recommends a charter signed by stakeholders that explicitly details authorities and responsibilities. Such a charter would allow the SOC to more effectively push for the resources and the cooperation required to execute its mission. However, after 10 years the NASA SOC has no charter to govern its operations or outline its authorities. In addition, the SOC has no roadmap for moving from its current state to a future state of operation, a critical management tool for establishing priorities for continual improvement."

GAO: NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses, GAO

"NASA's IT governance does not fully address leading practices. While the agency revised its governance boards, updated their charters, and acted to improve governance, it has not fully established the governance structure, documented improvements to its investment selection process, fully implemented investment oversight practices and ensured the Chief Information Officer's visibility into all IT investments, or fully defined policies and procedures for IT portfolio management. Until NASA addresses these weaknesses, it will face increased risk of investing in duplicative investments or may miss opportunities to ensure investments perform as intended. NASA has not fully established an effective approach to managing agency-wide cybersecurity risk. An effective approach includes establishing executive oversight of risk, a cybersecurity risk management strategy, an information security program plan, and related policies and procedures."

Keith's note: In less than 24 hours two reports - one from GAO, the other from the NASA OIG - have been released that show continued problems with the way that the NASA Chief Information Officer Renee Wynn has not been fixing problems with NASA IT. If you go to the NASA CIO website there is no mention of this report - or any other reports that cite weaknesses in how the CIO manages NASA's IT infrastructure. Just what is it that Renee Wynn has been doing? None of the problems that were blatantly obvious when she arrived at NASA have been fixed. If you read her "IT Talk" quarterly newsletter, her office seems to be preoccupied with everything but the important things that need to be fixed. Indeed, much of what her office likes to parade around as accomplishments has little if anything to do with what the CIO is supposed to be doing.

- GAO and OIG Agree: NASA CIO Is Underperforming, earlier post
- OIG: NASA's Operational Technology Systems Are Inadequate and Disjointed, earlier post
- NASA Still Has No Effective Information Security Program, earlier post
- NASA CIO Drops The Ball On ACES Authorization, earlier post
- Previous NASA IT Posts



from NASA Watch https://ift.tt/2LovwET