NASA's Inspector General said this week it doubts the space agency can hit its own mandatory deadline to encrypt all laptops by December 21.
The IG's office has written scathing reports on NASA's encryption efforts in the past year, and the latest was no exception:
"In our judgment, it is extremely unlikely that the Agency will meet its December goal primarily because the Agency does not have a full account of the number of [HP Enterprise Services-managed] ACES and non-ACES laptops in its possession. Without knowing the full universe of laptops that require encryption, the Agency cannot be sure that all of its laptops are protected with whole-disk encryption software.
This review examined a persistently troubling issue - the Agency's diffuse and decentralized control of its laptops and other computer equipment and, by extension, its lack of centralized oversight for the security of the data on these NASA-managed machines. Specifically, we found that NASA's full-disk encryption effort has been repeatedly delayed due to slow implementation of the ACES contract, the highly decentralized nature of IT management at the Agency, and a lack of sufficient internal controls. Moreover, the Agency does not have a reliable accounting of the number of ACES and non-ACES laptops in its possession and therefore will not likely be able to ensure that DAR software is installed on 100 percent of required machines by December 21, 2012."
The IG's office noted that NASA owns or leases upwards of 60,000 desktop and laptop computers. As of December 2012, approximately 47,000 of these machines are managed by HP Enterprise Services, the IG stated. The remainder were acquired by NASA Centers and Mission Directorates through other means and are managed by NASA directly. NASA officials cannot identify with any certainty the exact numbers of ACES and non-ACES laptops in the Agency's possession. However, as of December 7, NASA was tracking the encryption status of more than 20,000 ACES-managed and more than 14,000 NASA-managed laptops, the IG stated.
Based on the results of this latest review, the IG recommended that NASA:
1. Ensure that the Administrator's prohibition on removing from NASA facilities any laptop that has not been fully encrypted (unless it has received a waiver from this requirement) is strictly enforced, including assigning a senior level official to coordinate with senior managers and IT officials at each NASA Center to monitor adherence to the directive.
2. Appoint a senior-level official to lead an expedited effort to develop accurate accounting for ACES and non-ACES laptops and for other mobile computing devices. This official should work closely with HP executives and NASA IT officials at Headquarters and the Centers to improve internal controls over the inventory.
3. Consider whether reducing the number of non-ACES devices would improve accountability for laptop computers.
4. Work with HP to develop procedures to ensure that all new or "refreshed" laptops provided to NASA employees and contractors have the appropriate DAR [Data At Rest] software preinstalled.
5. In light of the poor coordination and decentralized nature of the laptop encryption process, re-examine the role of Agency IT officials for safeguarding the security of NASA laptop computers and other mobile computing devices, and ensure that NASA managers at Headquarters, in the field Centers, and in the Mission Directorates understand their individual responsibilities for protecting the integrity of NASA information and data.
The December 21 deadline arose after a NASA employee had an unencrypted laptop containing personal information on 10,000 current and former employees stolen from his car in October - it was the fourth such major security breach in a little over a year.
For their part, NASA officials said they might miss the due date, but not by much, according to a report from Next.gov.com: "While NASA may not make its self-imposed deadline of Dec. 21 for encrypting all laptop computers (missing it by just a few working days), the agency has been working overtime to achieve this goal, encrypting more than 32,000 laptops, 3,000 just last week," NASA spokesman Michael Braukus stated in an email.
But attention to encryption, and to security issues in general, has been an ongoing problem at the space agency. NASA Inspector General Paul Martin noted in a report earlier this year that security problems have gotten so bad that the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station.
"NASA reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorized release of sensitive data including export-controlled, Personally Identifiable Information, and third-party intellectual property. Encrypting sensitive data on notebooks and other mobile computing devices is a widely recognized best practice and an action required by the Office of Management and Budget," Martin stated.
"However, NASA has been slow to implement full-disk encryption on the notebook computers and other mobile computing devices it provides to its employees, potentially exposing sensitive information to unauthorized disclosure when such devices are lost or stolen. In fact, in its fiscal year (FY) 2010 report to Congress on FISMA implementation, the OMB reported a Government-wide encryption rate for these devices of 54%. However, as of February 1, 2012, only 1 percent of NASA portable devices/laptops have been encrypted," he stated.
Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft, Martin said.
The encryption problem was outlined in an overarching report that was highly critical of NASA IT security practices in general.
"In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems. These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries' objectives. Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million," Martin stated.