Space agency's early moves into cloud were poorly managed, may have exposed the organization to risk, inspector general reports.
NASA's Next 5 Missions
(click image for larger view)
NASA has scored low marks from its own auditor on its progress in adopting cloud computing technologies. In a report published Monday, the NASA Office of Inspector General concluded that weaknesses in the body's IT governance and risk management practices have "impeded" it from gaining the full benefits of cloud.
For example, several NASA centers moved systems and data into the public cloud without the knowledge or consent of NASA's Office of the CIO (OCIO), while it struck deals with suppliers using contracts that "failed to fully address the business and IT security risks unique to the cloud environment." Of five deals the IG looked at closely, not one came close to meeting "recommended best practices for ensuring data security," it said. At the same time, NASA seems to have signed deals that had no clauses for making sure contractor performance would be measured, reported and enforced, or whether these new cloud partners had the right federal privacy, discovery, or data retention and destruction credentials or procedures in place.
The IG also reported that one or two "moderate impact" NASA IT systems ran in a public cloud environment for about two years without authorization from its OCIO, and without any "security or contingency plan" or test of any systems' security controls. That's because, it said, the agency's IT leadership wasn't aware of all the cloud services and suppliers that various NASA departments were using, nor was any of it centrally managed.
This occurred in spite of the NASA OCIO's Federal Risk and Authorization Management Program (or FedRAMP) compliant plan for getting cloud into the organization. However, it appears that plan wasn't rolled out to departments to help them get the most compliant deals.
Even so, NASA hasn't bet the farm on cloud just yet, spending only $10 million of its $1.5 billion yearly IT budget on the technology. In addition, according to the audit, so far about a million dollars a year of IT savings are being garnered by cloud.
Still, as many as 75% of new IT programs are projected to have some cloud element between now and 2018. Also, a big chunk of its public data could be there and as much as 40% of heritage systems, too. As the study stresses, "As NASA moves more of its systems and data to the cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."
The report lists a set of recommendations for recently appointed NASA CIO Larry Sweet to rectify the agency's first cloud moves. It noted that Sweet's team "concurred with our recommendations and proposed corrective actions," but committed to follow its suggested means of improving the agency's IT governance and risk management practices "subject to the availability of funds."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.