An audit of NASA’s infosec preparedness against insider threats has warned it faces “serious jeopardy to operations” due to lack of protection for unclassified information.

A Monday report [PDF] found that NASA has done well, as required, in its efforts to defend against and prevent insider threats to classified information – stuff that NASA defines as “Official information regarding the national security that has been designated Confidential, Secret, or Top Secret.”

The report found the agency has deployed defenses including user activity monitoring, adopted mandatory agency-wide insider threat training, and “created an insider threat reference website that assists employees and contractors with identifying threats, their risks, and follow-up information.” Procurement controls are being strengthened in ways that address risks of foreign influence.

But while the report is satisfied NASA has done well to protect its classified info, it notes that “the vast majority” of NASA tech is not classified, including plenty of “high-value assets and critical infrastructure.” Among those assets are “sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information.” Because that infrastructure is not classified, it’s not covered by the insider threat program.

And that’s a worry, because in 2021 NASA’s auditor found “incidents of improper use of NASA IT systems had increased from 249 in 2017 to 1,103 in 2020 – a 343 per cent growth; the most prevalent error was failing to protect Sensitive but unclassified (SBU) information.”

Among the booboos the auditors found were “sending unencrypted email containing SBU data, Personally Identifiable Information, or International Traffic in Arms Regulations data, any of which could expose the Agency to a risk that can affect national security, incur a loss of intellectual property, or compromise sensitive employee and contractor data.”

The report also mentions that in the last three years, NASA users have made over 12,000 requests for elevated privileges – just the sort of thing that could lead to more information reaching the wrong eyes.

Further complicating matters is that NASA’s infosec responsibilities are spread around different teams. The Office of Protective Services (OPS) is responsible for protecting against insider threats to classified info, but lacks resources to cover unclassified systems. The Office of the Chief Information Officer (OCIO) has responsibility for “data loss prevention and behavioral analysis, but has no defined responsibility to monitor unclassified systems for indicators of compromise specifically related to insider threats.”

Other US government agencies, the report notes, have already extended their insider threat defenses to cover unclassified info. The auditors suggest it is time for NASA to do likewise and to undertake two specific reforms:

  1. Establish a cross-discipline team to conduct an insider threat risk assessment to evaluate NASA’s unclassified systems and determine if the corresponding risk warrants expansion of the insider threat program to include these systems.
  2. Improve cross-discipline communication by establishing a working group that includes OPS, OCIO, procurement, human resources officials, and any other relevant agency offices to collaborate on wide-ranging insider threat-related issues for both classified and unclassified systems.

NASA management has agreed with the report’s findings, agreed to implement the recommendations, and set December 1, 2023, as the deadline for delivery.

Which suggests the changes outlined above might not be rocket science.