Exclusive

NASA’s ‘act of desperation’ demonstrates continued cyber deficiencies

One of NASA’s main networks used by almost every employee and contractor and managed by Hewlett Packard Enterprise is in such bad shape, the agency’s chief information officer could no longer accept the risk and let the cybersecurity authorization expire.

Renee Wynn, NASA’s new CIO, didn’t sign off on the authority to operate (ATO) for systems and tools under the $2.5 billion Agency Consolidated End-user Services (ACES) contract, which HPE won in 2010. Under the 10-year contract, HPE provides and manages most of NASA’s personal computing hardware, agency-standard software, mobile information technology services, peripherals and accessories, associated end-user services and supporting infrastructure.

A NASA spokeswoman confirmed the ATO expired on July 24. She said Wynn signed a “conditional” ATO for the systems under ACES, but internal NASA sources said the authorization is just for the management tools and not for the desktops, laptops and other end user devices.

Federal News Radio conducted an exclusive data center survey to assess how agencies are storing data. Download the results.

“NASA continues to work with HPE to remediate vulnerabilities,” the spokeswoman said. “As required by NASA policy, system owners must accomplish this remediation within a specified period of time. For those vulnerabilities that cannot be fully remediated within the established time frame, a Plan of Actions and Milestones (POAM) must be developed, approved, and tracked to closure.”

Letting an ATO expire on a major agency network is unheard of in government.

Multiple federal cyber experts said agencies know at least a year in advance when an authorization and accreditation needs to be renewed.

“It’s pretty rare. It’s like a unicorn. You just don’t see it. It sounds like an act of desperation in a way,” said a former federal chief information security officer, who requested anonymity because their current company still does business with the government. “It could be that they are trying to bring bigger guns into the battle. If they let the ATO expire, they are drawing more attention to the problem; meaning the agency’s inspector general could get involved in something like that. Normally, you see it coming and can line up a contractor to get work performed before the ATO lapses. So maybe NASA is trying to make a point here, or butted heads so hard they just allowed ATO to expire to get someone’s attention.”

NASA Machines on ACES Contract Run by HP Enterprise  as of April 2016
Center Total ACES Machines Total ACES Critical Not Patched Average Critical per ACES System
Ames Research Center 1,483 14,458 9.7
Armstrong Flight Research Center 1,105 10,679 9.7
Glenn Research Center 3,060 25.463 8.3
Goddard Space Flight Center 4,599 46,072 10.0
Headquarters 1,594 15,571 9.8
Johnson Space Center 8,864 85,643 9.7
Kennedy Space Center 6,332 67,402 10.6
Langley Research Center 3,292 29,185 8.9
Marshall Space Flight Center 7,063 66,203 9.4
NASA Shared Services Center 677 6,718 9.9
Stennis Space Center 1,305 10,635 8.1
Total 39,374 378,029 9.6

Wynn’s decision to issue a “conditional” ATO goes against long-standing policy from the Office of Management and Budget and the National Institute of Standards and Technology.

NIST special publication 800-137 Revision 1 stated “The security authorization decision indicates to the information system owner whether the system is: (i) authorized to operate; or (ii) not authorized to operate. The terms and conditions for the authorization provide a description of any specific limitations or restrictions placed on the operation of the information system or inherited controls that must be followed by the system owner or common control provider. The authorization termination date, established by the authorizing official, indicates when the security authorization expires.”

NASA spokeswoman said a conditional authorization “is fully within the prerogative of the federal authorizing official (AO) to ensure that she is aware of the underlying operational activities and managing risk accordingly.”

Will the upcoming presidential transition impact your decision to retire? Take our online survey.

“Working closely with the contractor, Hewlett Packard Enterprises (HPE), NASA’s chief information officer signed a 180-day authorization on July 29 that includes mutually agreeable assurance mechanisms,” the spokeswoman said.

A government cyber official said the idea of a conditional or interim ATO doesn’t pass muster any more — especially in light of all the cyber problems the government continually faces and OMB’s cyber sprint.

“If you are operating without an ATO, you are putting yourself at grave risk because you are accepting known risks and not trying to better understand risk in general and deal with it,” the official said. “A few years ago, this was something more commonplace because of limited resources and prioritization of sorts. Agencies were dealing with the worst and most serious problems, but I think it’s more accurate to describe current environment as one where it’s less acceptable because of a better understanding of issues and policy requirements like the Cybersecurity National Action Plan (CNAP) that you have to deal with this issue.”

The ATO expiration and use of a conditional approval is a symptom of the larger problem and another chapter in NASA’s ongoing cybersecurity struggles, caused in large part by its deteriorating relationship with Hewlett Packard Enterprise.

As I reported in February, NASA’s contract with HPE is troublesome and fraught with cyber risks, and therefore putting networks and data at jeopardy.

The poor relationship came to a head in 2014 when HPE threatened to sue NASA and received a $35 million settlement over a disagreement about the terms of the ACES contract.

Since then, NASA sources said HPE has held the upper hand and blamed the agency for a lack of prioritization over the cyber challenges.

Now, Wynn is sending a message to both NASA and HPE that the security of the desktops, laptops and other end-user devices cannot be assured.

NASA center security officer, who requested anonymity to talk about the ACES situation, said as of April 2016 more than 53,000 systems were missing 426,000 critical patches across all of NASA. Of that, more than 38,000 were machines under the ACES contract, which were missing more than 378,000 patches.

“The issue of ACES security vulnerabilities has been known within NASA for the six years this contract has been in place. Chief information security officers from all centers have been complaining about the issues to the ACES service office and the agency CIO at headquarters for just as long,” the security officer said. “No one has seemed to care about the severity of this issue.”

NASA Unpatched Machines including Those under ACES Contract as of April 2016
Center Total Machines Total Critical Not Patched Average Critical per System
Ames Research Center 2.466 19,030 7.7
Armstrong Flight Research Center 1,434 11,623 8.1
Glenn Research Center 3,460 27,260 7.9
Goddard Space Flight Center 9,344 58,076 6.2
Headquarters 1,756 15,910 9.1
Johnson Space Center 10,655 96,606 9.1
Kennedy Space Center 7,812 69,806 8.9
Langley Research Center 4,136 34,023 8.2
Marshall Space Flight Center 9,849 76,864 7.8
NASA Shared Services Center 810 6,865 8.5
Stennis Space Center 1,461 10,890 7,5
Total 53,183 426,953 8.0

Pat Howard, a former CISO at the Nuclear Regulatory Commission and the Department of Housing and Urban Development, who is not familiar with NASA’s security patch situation, said generally speaking, patching systems is one of the most difficult tasks for agencies.

“The fact that the overwhelming majority of successful attacks stem from unpatched vulnerabilities tells you that patching is a major problem in federal IT,” said Howard, now the program manager of CDM/CMaaS for Kratos Technology and Training Solutions. “I think the inability to keep software patched is largely because of the huge amount and variety of software assets that have to be patched coupled with the frequency of needed software updates. Additionally, the damage an untested patch can cause further complicates the problem.”

NASA’s Wynn is trying to hold HPE more accountable. The NASA spokeswoman said the agency mandated HPE give them a prioritized remediation plan within seven days of the ATO expiring.

“HPE must provide a biweekly status update of each of the actions captured ensuring that each status is validated by the End User Services Office IT and Security Staff,” the spokeswoman said. “This ATO is valid for 180 calendar days.”

An HPE spokesperson told Federal News Radio that the company “doesn’t respond on behalf of its clients.”

But the fact Wynn had to let the ATO expire to get HPE and the agency to work more closely together is a sure sign of bigger problems.

A source familiar with the inner workings of NASA’s IT and IT security environment said the direct cause of these failures is contracting errors — caused jointly by the procurement staff and the IT and general management at NASA — that failed to list the specific security measures the contractor was to perform.

“By including only general security clauses, they left a security hole that catalyzed the massive security problems at NASA,” the source said. “This same problem is being repeated across the government even today as new contracts are being signed and extensions are being authorized for IT support contracts without the specific high-priority security measures that enable defensible environments.”

The problem with contracting isn’t new. The Federal Acquisition Regulations Council has, over the years, tried to add more clauses and requirements to get agencies and contractors to pay more attention to cyber policies.

President Barack Obama’s 2013 Executive Order required the General Services Administration and the Defense Department to work together to develop recommendations to improve cybersecurity in acquisitions, which they did in January 2014.

As part of that effort, GSA since June 2015 has been working on a cyber risk profile and indicators for IT acquisitions.

And just this past May, the FAR Council issued a new rule detailing the cyber requirements for contractors to apply to “covered” systems.

But despite long-standing efforts, the cyber expert said NASA, like nearly every agency, doesn’t hold contractors accountable by putting clauses in contracts requiring them to deliver safe software in the first place, and then if there are problems, fix them in a timely manner.

Advertisement
“The solution is to cancel the HPE contract and renegotiate it and include clauses that say no software that doesn’t meet a standard configuration gets put on the network,” the source said. “They could use the U.S. Government Baseline Configuration as a starting point. They could require the top five critical controls that the Homeland Security Department is pushing.”

The sources said the problem isn’t with the CIO, but the contracting shop.

“We have seen these types of cyber problems solved through contracting and we’ve never seen it solved through operations,” the source said. “No one has come up with a way of keeping vulnerabilities in check if they do not have a standard configuration.”

The NASA spokeswoman said any discussion about canceling or changing HPE’s contract is “premature.”

But as one government cyber official told me, letting an ATO expire for a major system will undoubtedly attract the attention of auditors and may force NASA’s hand to act more quickly.

In April, the IG found the agency was making progress in meeting agencywide security, but not fully implemented key controls, including a risk management framework and an information security architecture.

“In our judgment, this condition exists because the Office of the CIO (OCIO) has not developed an information security program plan to effectively manage its resources. In addition, the Office is experiencing a period of transition with different leaders acting in the Senior Security Officer role, which has caused uncertainty surrounding information security responsibilities at the agency level,” the auditors wrote. “As a result, we believe NASA’s information security program could be improved to more effectively protect critical agency information and related systems.”

In June, NASA received an analysis from Forrester that also highlighted IT security management challenges. Forrester said NASA’s CIO organization needs to upgrade how it managers vendors, particularly around direction setting and control.

Forrester also found NASA needs to ensure the chief information security officer directly reports to the CIO.

NASA CIO Wynn is making some changes starting with a new CISO. The NASA spokeswoman said Jeanette Hanna-Ruíz, who started Aug. 8 as the agency’s new chief information security officer, reports directly to Wynn.

“NASA is carefully reviewing and considering the advice provided by Forrester as we move forward in implementing the Business Services Assessment,” the spokeswoman said.

But in the meantime, NASA’s network and data continues to face a higher risk because of the problems with the ACES contract. A recent report by SC Magazine highlighted and reminded us of a 2013 hack, which NASA lost employee email and password login credentials. While it’s unclear from which network hackers stole the data, it’s a real reminder that NASA, like every agency, needs to stay vigilant against attacks and vulnerabilities. And multiple sources continue to say NASA and HPE are not doing nearly enough to keep hackers at bay thus leaving their employees and data susceptible to cyber attack.

Read more of the Reporter’s Notebook.