NASA balks on timeline to incorporate cyber into spacecraft acquisition policies
The Government Accountability Office is concerned that NASA still hasn’t incorporated cybersecurity practices into required agency policies, particularly for its major spacecraft projects. Without these requirements, NASA could end up with “inconsistent implementation of cybersecurity controls,” the auditing agency warned in a new report sent to Congress.
“NASA officials explained that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is because of the length of time it takes to do so. GAO acknowledges that the standards-setting process can take time, but it is essential that NASA do so for practices that should be required,” the report stated.
Spacecraft are incredibly dependent on software and IT, the report concludes. Even though the space agency has included cybersecurity elements in some of its contracts, those elements need to be standardized. For this reason, the GAO is recommending that the chief engineer, the chief information officer, and the principal advisor for enterprise protection develop a specific timeline for updating “its spacecraft acquisition policies and standards” to deal with cybersecurity threats.
Yet NASA pushed back on some of the recommendations. Per the report, NASA’s CIO said it was “not feasible” for there to be one set of essential controls for all mission spacecraft. GAO pushed back on that response, writing that “NASA should leverage its space security guide to determine the controls that address the likely threats to its spacecraft.”
NASA was also not interested in establishing a timeline, saying that it needed to carefully consider requirements. The space agency said that it had systems in place for dealing with the risks of space.
“While we do not dispute this, we note that NASA’s space security guide recognizes that NASA does not currently have a cybersecurity risk management framework for end-to-end integrated space mission systems,” the auditing agency said in response. “Without a plan with identified timeframes, it is unknown when the agency will actually perform an update to incorporate, if necessary, any additional cybersecurity controls.”