Exclusive

NASA’s chief cyber executive to leave

NASA is looking for a new chief information security officer for the second time in a year.

Jeannette Hanna-Ruiz, the space agency’s associate chief information officer for IT security and senior agency information security official, is leaving after only eight months, according to an internal email obtained by Federal News Radio.

NASA CIO Renee Wynn said in the email that Hanna-Ruiz’s last day would be April 28 and Mike Witt would be acting CISO.

“I have greatly appreciated her leadership and all-encompassing insight into cybersecurity,” Wynn wrote in her email to staff. “Her immediate attention and enthusiasm toward improving NASA’s cybersecurity was inspiring and will be missed. Please join me in wishing her great success in her future.”


A NASA spokeswoman confirmed Hanna-Ruiz is leaving.

The spokeswoman said Witt joined NASA as its deputy CISO in February, coming from the Homeland Security Department where, among his positions, he was deputy director of US-CERT. He also worked at the IRS, the Consumer Financial Protection Bureau (CFPB), the Department of Defense (DoD), Riptech, Inc., and for the Army.

Hanna-Ruiz started at NASA in August 2016 after splitting time during her career in and out of government.

She worked for the White House’s National Security Staff during the early part of the Obama administration on the Cyberspace Policy Review, and worked on the Homeland Security Department-National Security Agency Joint Cyber Coordination Group.

Hanna-Ruiz came to NASA during a critical time when its cybersecurity was under scrutiny.

NASA was trying to remediate hundreds of thousands, if not millions, of missing patches, specifically on its end-user contract known as ACES. Its inspector general found weaknesses in its continuous monitoring management, configuration management and risk management.

Additionally, as Hanna-Ruiz came on board, Wynn had decided not to sign off on the authority to operate and give only a temporary or conditional ATO for the 10-year, $2.5 billion Agency Consolidated End-user Services (ACES) contract that Hewlett-Packard Services runs.

Problems with ACES didn’t get much better and by October, then-NASA Administrator Charles Bolden met with HPES CEO Meg Whitman to talk about ACES as well as agency IT security, the two organizations’ partnership and the delivery of services to the space agency.

The problems are not limited to ACES. The IG found in its 2016 Federal Information Security Management Act (FISMA) report that NASA lacks a mature cyber program, earning a score of 27 out of 100 under the Office of Management and Budget’s and DHS’ five-step maturity model.

“[W]hile NASA has established a risk management program consistent with FISMA requirements, the program lacks an integrated agencywide risk management strategy to support information security continuous monitoring,” the IG reported.

The IG recommended NASA:

  • Implement an integrated agencywide risk management strategy and obtain sufficient assurance that the security controls of systems operated by contractors meet FISMA requirements;
  • Fully implement secure configuration settings, improve hardware and software asset management; remediate configuration-related vulnerabilities; and enhance non-privileged Personal Identification Verification (PIV) credentials implementation and role-based training;
  • Develop comprehensive, agencywide information security continuous monitoring (ISCM) policies, procedures and strategies;
  • Ensure sufficient incident monitoring and detection coverage.

In February, the IG found NASA’s cloud computing efforts have improved since its last audit in 2013, but “continued weaknesses in the agency’s risk management and governance practices impeded its progress toward fully realizing the benefits of cloud computing.”