NASA in 'serious jeopardy' due to big black hole in security
An audit of NASA's infosec preparedness against insider threats has warned it faces "serious jeopardy to operations" due to a lack of protection for Unclassified information.
A Monday report [PDF] found that NASA has done well, as required, in its efforts to defend against and prevent insider threats to Classified information - stuff that NASA defines as "official information regarding the national security that has been designated Confidential, Secret, or Top Secret."
The report found the agency has deployed defenses including user activity monitoring, adopted mandatory agency-wide insider threat training, and "created an insider threat reference website that assists employees and contractors with identifying threats, their risks, and follow-up information." Procurement controls are being strengthened in ways that address risks of foreign influence.
While the report is satisfied NASA has done well to protect its Classified info, it notes that "the vast majority" of NASA tech is not Classified, including plenty of "high-value assets and critical infrastructure." Among those assets are "sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information." Because that infrastructure is not Classified, it's not covered by the insider threat program.
That's a worry, because in 2021 NASA's auditor found "incidents of improper use of NASA IT systems had increased from 249 in 2017 to 1,103 in 2020 - a 343 per cent growth; the most prevalent error was failing to protect Sensitive but Unclassified information."
The report recommends that NASA establish a cross-discipline team to conduct an insider threat risk assessment to evaluate NASA's unclassified systems and determine if the corresponding risk warrants expansion of the insider threat program to include these systems.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/15/nasa_insider_threat_audit/