A new NASA inspector general’s report is brimming with frustration at the agency’s continued failure to implement a strong IT governance structure.
In an agency where IT is integral to the mission, NASA just can’t seem to keep track of its assets, the report says.
“The NASA Chief Information Officer (CIO) continues to have limited visibility into IT investments across the Agency and the process NASA developed to correct this shortcoming is flawed,” the report says.
NASA has made attempts to rectify this, the report acknowledges. For example, in 2016 the agency implemented the Annual Capital Investment Review, a process designed to collect IT investment data from across the agency — a bid for compliance with the Federal Information Technology Acquisition Reform Act.
However, the Office of the CIO’s “insight into and control over the bulk of the Agency’s nearly $1.4 billion in annual IT funding remains limited,” the report says.
“This lack of authority and visibility over the majority of the IT budget limits the Agency’s ability to consolidate IT expenditures, realize cost savings, and drive improvements in the delivery of IT services,” the report states.
There’s also confusion on the personnel front — who is responsible for what, who reports to whom and more. NASA not only has a CIO and IT staff at the agencywide level, but each of NASA’s nine regional centers and the Jet Propulsion Lab have a CIO and resultant IT staff as well. Each of these centers works fairly independently. The tech consulting firm Forrester Research called them “10 Centers run like 10 cities” and described a certain fear of centralization that exists in the workforce.
The lack of clear understanding of IT assets also hinders NASA’s cybersecurity posture, the report states. Again, the issues have a lot to do with a distributed workforce and a lack of oversight on who is doing what. “While NASA’s Senior Agency Information Security Officer (SAISO) is responsible for managing Agency-wide IT security, the Mission Directorates and Centers operate hundreds of networks and have their own IT security personnel responsible for security, risk determination, and risk acceptance on those systems – yet none of these personnel report to the SAISO,” the report finds.
This isn’t the first time the IG has expressed concerns about NASA’s IT governance structure. The report mentions similar prior reprimands from 2005 and 2013 in which the IG suggested that the agency centralize and streamline its IT functions.
This time around, the IG makes five suggestions for how NASA should proceed, including that the agency address dispersed responsibilities and “implement a mitigation plan to address skill set and capability issues facing the OCIO in order to improve its credibility among its customers.”
In its response, NASA management formulated potential fixes for the recommendations and set completion dates in spring or summer 2018 for most.