NASA has experienced more than 6000 cyber attacks in the last four years alone, according to an audit by the agency’s Office of the Inspector General.
The audit found that NASA’s ability to prevent, detect and mitigate cyber attacks is being limited by a disorganised approach to enterprise architecture.
While enterprise architecture and enterprise security architecture (the blueprints for how an organisation manages IT and security) have been in development at NASA for more than a decade, the implementation remains incomplete.
As a result, the way NASA manages IT investments and operations remains varied and ad hoc, the audit found.
Although NASA has taken steps to address cybersecurity challenges in the areas of network monitoring, identity management and strategic planning, a fragmented approach to IT has resulted in an overall cybersecurity posture that exposes NASA to a higher-than-necessary risk from cyber threats.
The audit recommended that the agency develop metrics to track the overall progress and effectiveness of enterprise architecture strategies, and work to identify and strengthen enterprise architecture gaps across the agency.
Other recommendations include determining each division’s annual cost for performing independent assessments and developing baseline requirements for a dedicated enterprise team to manage and perform these assessments for all NASA systems.
NASA management has concurred with the findings and agreed to implement the recommendations.