Current and former NASA employees are at risk of identity theft after the space agency discovered a cyber attack.

On Oct. 23, NASA found one of its servers containing personal data, including social security numbers, suffered a data breach.

“The agency will provide identity protection services to all potentially affected individuals,” said a NASA spokeswoman in an email to Federal News Network. “NASA does not believe that any agency missions were jeopardized by the intrusions. Once discovered, NASA took immediate action to secure the impacted servers and has been working to perform a forensic analysis since then — this process will take time. The ongoing investigation is a top NASA priority.”

SpaceRef first reported the cyber attack and loss of data.

NASA didn’t say how many employees were impacted by this data breach, but said in a Dec. 18 memo from Bob Gibbs, the assistant administrator and chief human capital officer, that the attack affected those who worked at NASA for a 12-year period.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” Gibbs writes. “Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

Systemic cyber challenges?

This data breach is the most recent example of NASA’s continued cybersecurity challenges.

NASA’s inspector general found in May that its security operations center has “fallen short of its original intent to serve as NASA’s cybersecurity nerve center. Due in part to the agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in [Office of the Chief Information Officer] leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the agency’s IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities.”

In the fiscal 2017 report on the Federal Information Security Management Act (FISMA)—the 2018 report isn’t out yet—the IG found NASA’s cyber posture is considered immature, a level two of the cyber framework, and configuration management continues to be a problem.

“For example, during this year’s review the compliance rate with NASA security baselines averaged 79 percent for Windows devices. However, for Windows servers — considered a higher risk because they provide services to other computer devices over a network — the compliance rate for implementation of secure configuration settings dropped to 49 percent,” the report states.

The Office of Management and Budget’s most recent cyber scorecard under the President’s Management Agenda shows NASA struggling with hardware and software asset management. The space agency is doing well with authorization management, meaning critical systems have an authority to operate, and mobile device management.

And finally, the latest Federal IT Acquisition Reform Act (FITARA) scorecard said NASA earned an “F” grade under the FISMA section for meeting only two of the four cross-agency priority goals. Overall, NASA received a B+ under FITARA.

All of these struggles continued after NASA put its main end-user network and systems at risk because of unpatched systems in 2016. At one point, NASA CIO Renee Wynn took the unusual step of not signing system authorizations because of the lack of basic cyber hygiene on the systems.

“NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems,” the spokeswoman said. “The agency is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.”


Bill Marion, deputy CIO, U.S. Air Force

The Air Force is about to join the still-small group of federal agencies who’ve found ways to dramatically accelerate the process of granting cybersecurity approvals for IT systems.

The Authority to Operate (ATO) process, a paperwork gauntlet that routinely consumes months of time before new systems are allowed to be connected to government networks, is a requirement of the Federal Information Security Management Act. FISMA tells CIOs they must know and accept the security risks each system carries with it.

But there’s no particular reason the system can’t work much more quickly, said Bill Marion, the Air Force’s deputy CIO. Service officials are expected to sign off on a new “fast-track” ATO policy within a matter of days, he said.

“We fundamentally believe this is going to help us bring capability faster,” he said last week at AFCEA NoVA’s annual Air Force IT Day. “It will bring us software modernization at a faster clip, but also provide better security.”

Marion said the new policy won’t be appropriate for every IT system, but in some ways, it will turn the traditional ATO process on its head. Rather than assessing every single system against the entire catalog of NIST security controls, the goal is to make intelligent decisions about which of those assessments really need to be performed at all for a particular system.

He offered an example: If the Army has already gone through the Risk Management Framework (RMF) and deployed a system the Air Force wants to use, does the Air Force really need to put itself through every one of those same painful paces?

“What do I think I’m going to find in that whole other 900 controls in RMF that we didn’t already flush out when we put that system in a hardened cloud computing center and put it through penetration tests? What do we expect to find, and is the juice worth the squeeze? Part of this is getting the decision in front of the approving official sooner, to then determine what parts of the RMF you even need to go through,” he said. “In some cases it may be very, very short. In some cases it may be truncated by a third, or half. It’s a fundamental retooling, but we are in a different world in how we’re managing risk.”

Streamlining approval process

One reason the Air Force may feel comfortable with less quadruple-checking of those security controls on the front-end is that it’s become increasingly confident that it can spot and fix genuine cybersecurity problems after a given system is deployed.

In early 2017, it deployed a commercial tool developed by Tanium that lets Air Force cyber defenders scan the service’s entire network within a matter of minutes and automatically patch any security holes they find in real time.

Officials ordered that the tool, which the Air Force calls Automated Remediation and Discovery (ARAD), be deployed on virtually all of its IT systems by May of 2017. Any systems that couldn’t employ the tool for one reason or another were deemed “high risk.”

The timing was fortuitous. The WannaCry ransomware attack struck computers across the globe that same month. But because of ARAD, the Air Force managed to effectively immunize its entire network from the malware in less than an hour, Marion said.

“That was game changing for us,” he said. “We had never done that before in our history. While we had been pretty fast, it typically took days or weeks to remediate something of that magnitude. And we did it at scale across the Air Force in 41 minutes. We have to be able to act when something happens. This belief in defense-in-depth and network-perimeter-only security, I would argue, is a failing one in this globally connected world.”

Aside from the new availability of the ARAD tool, Marion said the Air Force’s move to the new, faster ATO process will be guided by two other major factors.

Understanding risk, benefits

Authorizing officials will need to see demonstrable evidence that any new system adheres to basic cyber hygiene, and at least some of those systems will be subjected to a new generation of penetration tests once they’re up and running, including the “bug bounties” that are becoming increasingly pervasive across government.

“I liken it to the USDA meat inspection process,” Marion said. “We don’t inspect every piece of meat, but every piece of meat could kill you. So we inspect and we review and we check our processes to make sure that bad things aren’t creeping their way back into the system. We’re finishing Hack the Air Force 3.0 right now, but we’ve got a whole series of pen tests and bug bounties planned for fiscal year 19, and they’re funded.”

It’s not yet clear how long the revamped ATO process will take, but Kessel Run, the Air Force’s new agile software development office, has been working on a “continuous ATO” model it calls “ATO in a day.”

“So this is the new world order: Make sure you’ve got a basic level of hygiene coming into the mix – that’s the price of entry – bringing the sensors and remediation tools that sit on top, and then bringing a bug bounty pen testing process,” he said.

Similar concepts have been proven out in other federal agencies, including at the National Geospatial Intelligence Agency, which used the same terminology when it began working on its own speedier security approval process.

NGA has managed to get the process down to three days.

“We are continuing to build the telemetry necessary, the business rules, the promotion path for code committed to our dev/ops pipeline and to promote that as quickly as possible to operational,” Matt Conner, the agency’s chief information security officer said in an August interview with Federal News Network. “We still haven’t realized the one-day ATO, but it’s out there.”



Catalogue Provides Enhanced Visibility into Cybersecurity Threats

Frisco, TX, November 1, 2018 – HITRUST, a leading security and privacy standards development and certification organization, is releasing its Threat Catalogue to provide organizations with greater visibility into the threats and risks targeting their information, assets and operations.

In addition to helping organizations understand the threats targeting their organization and their associated risks, the Threat Catalogue also identifies the specific technical, physical and administrative controls needed to address these risks. This improves an organization’s visibility into how it manages threats and better enables management to prioritize security programs and align budgets and resources.

Join our webinar on November 29, 2018 to learn more about the HITRUST Threat Catalogue.

Identifying threats is a major component of a comprehensive risk analysis process for any organization seeking to protect its sensitive data. Following an asset inventory, information classification, and system categorization, the threat identification process helps determine which adverse events are relevant to the organization and must be controlled. For example, the increased frequency of ransomware intrusions required organizations – of all types and sizes – to re-examine their controls around data backup and restoration and ensure they could successfully recover their data if such an attack occurred.

“Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was essentially unavailable,” says Dr. Bryan Cline, vice president of standards and analytics at HITRUST. “Given its significance to the risk management process, we invested years identifying a complete set of threats at a level consistent with the controls used to address them.”

The HITRUST Threat Catalogue will be available free of charge and becomes an integral part of HITRUST’s risk management and compliance suite. It will help organizations ease the burden of analyzing and managing security and privacy risk by mapping these threats directly to the controls in the HITRUST CSF® framework. By ensuring organizations can identify threats to their sensitive information, assets and operations, they can prioritize and focus on specific controls that are relevant to them, and in turn, reduce risk.

The Threat Catalogue will also be used to help ensure the HITRUST CSF remains current and relevant to the changing environment by linking requirements to active threat intelligence. A thorough understanding of how well the CSF controls address existing and emerging threats will help HITRUST identify new control requirements or enhancements to requirements that may be needed to further mitigate associated risk.

In addition to mapping specific threats to the controls used to limit organizations’ exposure to risk, the catalogue also provides mappings to less comprehensive threat lists from other respected frameworks, such as the National Institute of Standards and Technology (NIST) Special Publication 800-30 and the European Network and Information Security Agency (ENISA) Threat Taxonomy.

HITRUST will update the Threat Catalogue regularly alongside the market-leading HITRUST CSF. This early release of the HITRUST Threat Catalogue allows public and private sector organizations to provide feedback prior to the document’s general release.

Interested parties are encouraged to download and review the catalogue after its release on Thursday, November 1st and submit comments by Monday, December 31st, 2018.


HITRUST Risk Management and Compliance Suite

The HITRUST Suite is designed to leverage and integrate best-in-class components for a comprehensive information risk management and compliance program – including a robust privacy and security framework, a scalable and transparent assurance program, a catalogue of threats, shared security control responsibility assignment and assurance, an assessment and corrective action plan management platform, a third-party risk management process, and an assessment exchange. It offers organizations an integrated, updated and supported approach to information risk management and compliance that includes the following HITRUST programs and services: HITRUST CSF®, HITRUST CSF Assurance, HITRUST Assessor Program, HITRUST Threat Catalogue®, HITRUST Shared Responsibility Program, HITRUST MyCSF®, HITRUST Third Party Assurance Program and the HITRUST Assessment XChange.




  • The Office of Personnel Management is changing regulations on direct hire authority. A proposed rule would give agency heads the task of issuing direct hire authorities to address recruiting challenges rather than OPM. The president’s executive order on chief information officers required OPM to propose new regulations on direct-hire authority. (Federal Register)
  • Postal employees received thanks for working to help find a suspect charged with allegedly sending 14 explosive devices through the mail. Gary Barksdale, deputy chief inspector of the Postal Inspection Service, thanked postal employees for serving as the law enforcement agency’s “eyes and ears” last week. FBI Director Chris Wray said his agency identified the suspect through a fingerprint on an envelope addressed to Rep. Maxine Waters (D-Calif.). The FBI also found DNA evidence on two additional packages containing explosives. (Federal News Network)
  • The Pentagon is creating one budget request for fiscal 2020 at $700 billion and another one at $733 billion. Deputy Secretary of Defense Pat Shanahan said the Defense Department had been working on the larger budget proposal for much of the past year, but made the smaller one after President Donald Trump asked all agencies to cut their requests by 5 percent. Shanahan said that to get to the smaller number, the Pentagon will have to make some tough decisions about which investments in the research and development and acquisition areas are most important.
  • IBM became the latest government contractor to jump head first into a mega acquisition. Big Blue announced Sunday it is buying Red Hat for $34 billion in an all-cash deal. Red Hat provides open source enterprise software. IBM and Red Hat have partnered over the past 20 years, including more recently on open source cloud software. IBM said it will remain committed to Red Hat’s open governance, open source contributions and participation in the open source community and development model. (IBM)
  • A former Veterans Affairs employee pleaded guilty to taking bribes from three for-profit schools in exchange for encouraging disabled veterans to enroll in those schools. The Department of Justice said James King admitted to demanding and taking cash to steer veterans to the schools. At the time, King was working as a program counselor for VA’s Vocational Rehabilitation and Employment program. DOJ said King facilitated almost $2.5 million in VA payments to the schools. Three people from the schools themselves also pleaded guilty to bribing King. (Department of Justice)
  • The Office of Management and Budget set new cyber deadlines for agencies to reduce their risk profiles. Agencies have less than two years to move to a shared service for their security operations centers. In the 2019 Federal Information Security Management Act guidance released last week, OMB said agencies must develop and submit one enterprise-level cybersecurity operations maturation plan to OMB and DHS by April 2019. Then, by Sept. 30, 2020, they must migrate to a matured, consolidated and/or shared security operations center-as-a-service offering. Also in the FISMA guidance, OMB said agencies must implement a threat intelligence capability to identify deficiencies in their security defenses. (White House)
  • It’s going to take the Agriculture Department a little longer to transition to the Enterprise Infrastructure Solutions telecommunications contract. USDA’s Director of Enterprise Network Services said it will miss the May 2020 deadline as there isn’t enough time to reduce 14 unique infrastructures down to one. Meanwhile, the Department of Housing and Urban Development said its timetable is too close to call. But both departments are pushing forward, and intend to release requests for proposals next month. (Federal News Network)
  • State Department embassy construction is way behind schedule. Auditors found the agency won’t meet even half of its goal of 180 new, more secure embassies by the end of 2018. It’s only got 77 so far. The effort started during the Clinton administration, when a series of bombings prompted a long-term effort to replace buildings throughout the world. But the Government Accountability Office found staff shortages have slowed the effort, as well as poor collaboration with contractors. (Government Accountability Office)
  • OPM and the Equal Employment Opportunity Commission want to remind agencies of the resources they have to help employees self-identify disabilities and other conditions. Updates to the Rehabilitation Act require agencies to target a 12 percent participation rate for employees with disabilities. OPM acting Director Margaret Weichert and EEOC Commissioner Victoria Lipnic said agencies have several resources to help them meet those goals. (Chief Human Capital Officers Council)


In reply to Roman Zeltser.

Thank you for your question. The HITRUST requirement is in place to ensure an organization is managing its network and has current information that is updated periodically. The level of detail is not stipulated, so our recommendation would be to provide as much detail as you need in the course of managing your network. Oftentimes, multiple diagrams may be necessary to achieve both functionality and requisite detail. Further, a determination as to whether the level of detail is sufficient – or not – is generally left to the HITRUST CSF Assessor firm, after which HITRUST could potentially become involved through the QA process.


We had a discussion with my management regarding the network diagrams as part of the HITRUST requirements. Should they be very detailed (i.e., IP addresses, DNS names of the involved systems), or is it enough to leave the description of functionality under each system? Thanks in advance for answering the question.


Dr. Cline, thank you for this information. In my relationship with my clients, it is the value of HITRUST in marrying the requirements within NIST, HIPAA and others that is a major selling point… for both the clients’ Executive Leadership to complete the “HITRUST Journey” and with their customers (and potential customers). You cannot present a stronger security message than with a HITRUST certification.

Warm regards, Cathlynn Nigh, CEO BEYOND LLC