NASA Insider Threat Program – Security Boulevard

The Office of Inspector General has reviewed NASA’s insider threat program:

Although NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems — many of which contain high-value assets or critical infrastructure — are unclassified and therefore are not covered by its current insider threat program. Therefore, the Agency could face a higher than necessary risk to its unclassified systems and data. While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding these systems to a multi-faceted security program could provide an additional level of program maturity and better protect agency resources. According to agency officials, expanding the insider threat program to unclassified systems would benefit the agency’s cybersecurity posture if incremental improvements, such as focusing on the most critical IT systems and people at risk, were implemented. However, lingering concerns, including staffing issues, technology resource limitations, and lack of funding to support such expansion, should be addressed before improving the existing program.

The cross-disciplinary challenges of cybersecurity expertise further amplify the complexity of insider threats. At NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the Chief Information Officer. In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, insider threat risk mitigation is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key insights into weak points or gaps in business processes and cybersecurity. In an era of growing concern about persistent threats from foreign influence, taking the proactive step of conducting a risk assessment to assess NASA’s unclassified systems ensures that deficiencies cannot be exploited in such a way as to undermine the Agency’s ability to carry out its mission.

*** This is a Security Bloggers Network syndicated blog from Schneier on Security, written by Bruce Schneier. Read the original post at: https://www.schneier.com/blog/archives/2022/03/nasas-insider-threat-program.html

Ryan H. Bowman