NASA has missed several key steps in an effective cyber risk management strategy, putting the civil space program’s systems and information at risk, according to a recent report from the U.S. Government Accountability Office (GAO).

“Cyber-based threats to sensitive data associated with NASA’s major mission projects are becoming increasingly prevalent,” according to the GAO report. “NASA leverages a large network of interconnected IT systems and data, including sensitive and proprietary data, to achieve its mission. Because of NASA’s high-profile mission, complex IT infrastructure, and large number of partnerships, it is important that NASA takes actions to adequately protect its systems and sensitive data.”

Attacks on NASA’s networks and other space infrastructure like satellites are not new, but attempts to steal critical information are increasingly common and complex, the report added, emphasizing the importance of continuous digital risk management.

The GAO measured NASA’s cyber risk management for select major projects against the risk management framework from the National Institute of Standards and Technology (NIST). Although NASA completed at least some core cybersecurity tasks in its projects, it had skipped a few critical ones, including an agencywide risk assessment to help the agency prioritize cyber threats and mitigate the highest risks. It also had not documented system-level continuous monitoring strategies because projects and departments lacked guidance on how to do so.

“Without documented strategies that are fully understood by key cyber personnel, organizations face increased risks of data breaches, delayed detection of threats, and slower responses to attacks,” the report said.

The NIST Risk Management Framework includes seven key steps, and NASA had partially implemented each of them in the projects GAO reviewed:

  • Prepare: Essential activities to prepare the organization to manage security and privacy risks
  • Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis
  • Select: Select the set of NIST SP 800-53 controls to protect the system based on the risk assessment
  • Implement: Implement controls and document how those controls are deployed
  • Assess: Assess to determine if the controls are in place, operating as intended, and producing desired results
  • Authorize: Senior officials make risk-based decisions to authorize the system to operate
  • Monitor: Continuously monitor control implementation and risks to the system

In its March 2025 report (a redacted version of which was publicly released in late June), the GAO made 16 recommendations to NASA on organizational risk management. Among them: the agency's chief information officer should update guidance to include oversight responsibilities for ensuring that control baselines are properly applied, and should provide more specific guidance on how to document assessment results.

NASA did not concur with the GAO’s recommendation that the CIO prepare and approve an organization-wide cybersecurity risk assessment.

“Specifically, NASA stated that instead of an organization-wide cybersecurity risk assessment, the agency uses a near-real time cybersecurity dashboard that aggregates and displays actionable risks that can be identified and remediated at the system level and satisfies the NIST RMF Prepare step,” the report said. “However, NASA did not provide evidence showing that the dashboard is sufficiently aggregating risk information for information systems in lieu of a documented organization-wide security risk assessment. Therefore, we believe the recommendation is warranted.”