NASA suffers breach of employee data

Current and former NASA employees are at risk of identity theft after the space agency discovered a cyber attack.

On Oct. 23, NASA found one of its servers containing personal data, including social security numbers, suffered a data breach.

“The agency will provide identity protection services to all potentially affected individuals,” said a NASA spokeswoman in an email to Federal News Network. “NASA does not believe that any agency missions were jeopardized by the intrusions. Once discovered, NASA took immediate action to secure the impacted servers and has been working to perform a forensic analysis since then — this process will take time. The ongoing investigation is a top NASA priority.”

SpaceRef first reported the cyber attack and loss of data.

NASA didn’t say how many employees were impacted by this data breach, but said in a Dec. 18 memo from Bob Gibbs, the assistant administrator and chief human capital officer, that the attack affected those who worked at NASA for a 12-year period.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” Gibbs writes. “Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

Systemic cyber challenges?

This data breach is the most recent example of NASA’s continued cybersecurity challenges.

NASA’s inspector general found in May that its security operations center has “fallen short of its original intent to serve as NASA’s cybersecurity nerve center. Due in part to the agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in [Office of the Chief Information Officer] leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the agency’s IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities.”

In the fiscal 2017 report on the Federal Information Security Management Act (FISMA)—the 2018 report isn’t out yet—the IG found NASA’s cyber posture is considered immature, a level two of the cyber framework, and configuration management continues to be a problem.

“For example, during this year’s review the compliance rate with NASA security baselines averaged 79 percent for Windows devices. However, for Windows servers — considered a higher risk because they provide services to other computer devices over a network — the compliance rate for implementation of secure configuration settings dropped to 49 percent,” the report states.

The Office of Management and Budget’s most recent cyber scorecard under the President’s Management Agenda shows NASA struggling with hardware and software asset management. The space agency is doing well with authorization management, meaning critical systems have an authority to operate, and mobile device management.

And finally, the latest Federal IT Acquisition Reform Act (FITARA) scorecard said NASA earned a “F” grade under the FISMA section for meeting only two of the four cross-agency priority goals. Overall, NASA received a B+ under FITARA.

All of these struggles continued after NASA put its main end-user network and systems at risk because of unpatched systems in 2016. At one point, NASA CIO Renee Wynn took the unusual step of not signing system authorizations because of the lack of basic cyber hygiene on the systems.

“NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems,” the spokeswoman said. “The agency is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.”