NASA's Inspector General said this week it doubts the space agency can hit its own mandatory deadline to encrypt all laptops by December 21.
The IG's office has written scathing reports on NASA's encryption efforts in the past year, and the latest item was no exception:
"In our judgment, it is extremely unlikely that the Agency will meet its December goal primarily because the Agency does not have a full account of the number of [HP Enterprise Services-managed] ACES and non-ACES laptops in its possession. Without knowing the full universe of laptops that require encryption, the Agency cannot be sure that all of its laptops are protected with whole-disk encryption software.
This review examined a persistently troubling issue - the Agency's diffuse and decentralized control of its laptops and other computer equipment and, by extension, its lack of centralized oversight for the security of the data on these NASA-managed machines. Specifically, we found that NASA's full-disk encryption effort has been repeatedly delayed due to slow implementation of the ACES contract, the highly decentralized nature of IT management at the Agency, and a lack of sufficient internal controls. Moreover, the Agency does not have a reliable accounting of the number of ACES and non-ACES laptops in its possession and therefore will not likely be able to ensure that DAR software is installed on 100 percent of required machines by December 21, 2012."
The IG office noted that NASA owns or leases upwards of 60,000 desktop and laptop computers. As of December 2012, approximately 47,000 of these machines are managed by HP Enterprise Services, the IG stated. The remainder were acquired by NASA Centers and Mission Directorates through other means and are managed by NASA directly. NASA officials cannot identify with any certainty the exact numbers of ACES and non-ACES laptops in the Agency's possession. However, as of December 7, NASA was tracking the encryption status of more than 20,000 ACES-managed and more than 14,000 NASA-managed laptops, the IG stated.
Based on the results of this latest review, the IG recommended that NASA:
1. Ensure that the Administrator's prohibition on removing from NASA facilities any laptop that has not been fully encrypted (unless it has received a waiver from this requirement) is strictly enforced, including assigning a senior level official to coordinate with senior managers and IT officials at each NASA Center to monitor adherence to the directive.
2. Appoint a senior-level official to lead an expedited effort to develop accurate accounting for ACES and non-ACES laptops and for other mobile computing devices. This official should work closely with HP executives and NASA IT officials at Headquarters and the Centers to improve internal controls over the inventory.
3. Consider whether reducing the number of non-ACES devices would improve accountability for laptop computers.
4. Work with HP to develop procedures to ensure that all new or "refreshed" laptops provided to NASA employees and contractors have the appropriate DAR [Data At Rest] software preinstalled.
5. In light of the poor coordination and decentralized nature of the laptop encryption process, re-examine the role of Agency IT officials for safeguarding the security of NASA laptop computers and other mobile computing devices, and ensure that NASA managers at Headquarters, in the field Centers, and in the Mission Directorates understand their individual responsibilities for protecting the integrity of NASA information and data.
The December 21 deadline arose after a NASA employee had an unencrypted laptop containing personal information on 10,000 current and former employees stolen from his car in October - it was the fourth such major security breach in a little over a year.