Friday, February 5, 2010

NASA still struggling with IT Security

Some time ago, I snarkily stated that InfoSec is not rocket science. Apparently it's much harder than that. According to testimony before a House panel by Cristina Chaplain, the GAO director for acquisition and sourcing management, NASA's IT Security is still having hiccups. As reported back in June, NASA fubar'd their PIV deployment and cost the taxpayers an additional $1 million. Now, it looks like they are having difficulties controlling patching and AV implementations.

According to the testimony, during 2007 and 2008 NASA reported over 1100 realized exploits in which unauthorized access to sensitive information was obtained and malicious code was installed on NASA systems.

The deficiencies present real and credible dangers to NASA personnel and their operations. With these exploits, the opportunity to access, modify, or delete "mission critical" information is quantifiable.

If true, Ms. Chaplain's testimony provides a ray of hope for the embattled organization:

"The deputy administrator also stated that NASA will continue to mitigate the information security weaknesses identified. The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program."

It is typical for businesses and government organizations to be concerned about the integrity of their data, but few other scenarios could create a more tangible need for the availability and accuracy of their assets than in a multi-billion dollar venture where lives are at stake.

Let's hope that future news about NASA's IT Security is lauding their standing as an InfoSec role model rather than trying to explain its role in a tragedy.
