NASA CIO allows HPE contract to expire, refuses to sign off on authority to operate

In the wake of continued security problems, NASA's CIO is sending a no-confidence signal to Hewlett Packard Enterprise

In the wake of continued security problems, NASA's CIO is sending a no-confidence signal to Hewlett Packard Enterprise, which received a $2.5 billion contract in 2011 to address problems with the agency's outdated and insecure information technology infrastructure.

In late July, CIO Renee Wynn, who took over the job last fall, took the unprecedented step of withholding a full sign-off on the program's "authority to operate" (ATO), the formal security authorization that permits an information system to run on an agency's network. The existing ATO expired on July 24.

"I have to applaud Renee for stepping up here," said government security expert Torsten George, vice president at Albuquerque, NM-based RiskSense, Inc. "You can almost call her a whistleblower. It's a bold move. Not a lot of people would have made that move, for career reasons."

NASA has seen a string of bad cybersecurity news lately. At the beginning of the year, there was a hack by AnonSec, in which the group said it found default administrator credentials on NASA computers, allowing it to steal employee information, flight logs, and other data.

In April, SecurityScorecard reported that NASA had the worst cybersecurity of the 600 U.S. government organizations it rated.

In particular, the company found malware signatures indicating infected machines, SSL certificate problems, and insecure open ports. As a result, the agency received failing grades in IP reputation, network security, and patching.

According to a recent report by Federal News Radio, internal documents show that NASA has anywhere from hundreds of thousands to millions of out-of-date patches at each of its centers across the country.

In addition, last November NASA received an overall "F" grade for information technology from the House Committee on Oversight and Government Reform, including an "F" grade for risk assessment transparency.

Over the past six years, NASA's Office of the Inspector General issued 18 audit reports and made 85 recommendations designed to help improve NASA's IT security efforts, including issues related to acquisition of IT systems, cybersecurity vulnerabilities, IT security incident detection and handling capabilities, continuous monitoring tools, cloud computing technologies, web application security, and overall NASA IT governance.

Securing IT systems and data remains a "top management challenge" for NASA, inspector general Paul Martin wrote in a late-July letter to the U.S. Senate subcommittee that oversees the agency.

HPE fails to fix problems

According to the contract, HPE was supposed to provide computing devices and services to more than 60,000 users to increase NASA's efficiency and "allow its employees to more easily collaborate in a secure computing environment."

Problems showed up early. According to NASA's inspector general, HPE failed to replace most computers in the first six months.

In a 2013 audit report, the inspector general said that multiple security patches were not applied in a timely manner, with some updates several months overdue.

Not all problems were due to HPE. NASA was responsible for some of the issues because of inefficient decision-making, problems setting up an ordering system, and inadequate oversight, the report said.

But the bottom line was that HPE wasn't delivering on its promises.

"HP is performing poorly under the contract even after taking into consideration the agency's failure to establish sound performance metrics," the report said.

Six months to shape up

According to George, Wynn made the right decision in denying the authority to operate.

"You don't want to end up in a few months seeing that there's been another breach, and she has to explain why she signed off," he said.

In theory, this means that insecure systems have to be closed off to outside access, he said. "Otherwise, they would present an attack surface that could be leveraged."

But there's a six-month grace period, he added.

"She used the authority to operate to get into the news, to elevate this message, but made an exception for 180 days to give people a chance to fix it," he added. "If not, after 180 days, she might go through and say, hey, let's shut everything down."

Issues go beyond NASA

But Wynn isn't just drawing attention to problems with the HPE contract. She's also drawing attention to the trouble many government agencies are having becoming compliant with the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program.

"Agencies have to deal with hundreds of thousands of vulnerabilities across their IT environment and are often simply too overwhelmed to determine which vulnerabilities pose the highest risks," George said. "This move will hopefully raise enough awareness to force discussions on how to really operationalize cyber risk management."

Recent breaches at the Office of Personnel Management, the IRS, the FBI, and the Department of Homeland Security show that the problem is pervasive.

"It's a giant mess," George said.

The CDM program was launched by the Department of Homeland Security, working with NIST, back in 2013, and was supposed to help address these cybersecurity issues by giving agencies continuous visibility into the assets and vulnerabilities on their networks.

"In reality, not much has happened," said George. "A lot of agencies are still scratching their heads. There are a lot of different systems, a lot of contractors, and millions of vulnerabilities -- and they don't know where to start."

HPE declined to comment for this story.

NASA spokesperson Karen Northon said that the agency is committed to holding vendors accountable if they don't meet their contractual obligations.

"The conditional Authority to Operate signed by NASA's chief information officer is one mechanism by which the agency can ensure Hewlett Packard Enterprise takes the necessary steps to fully meet their obligations," she said.

"The agency will continue to work closely with HPE throughout the remediation process to ensure this goal is met and the required level of service is sustained through the life of the contract."

Stories by Maria Korolov