In the wake of continued security problems, NASA's CIO is sending a no-confidence signal to Hewlett Packard Enterprise, which received a $2.5 billion contract in 2011 to address problems with the agency's outdated and insecure information technology infrastructure.
In late July, CIO Renee Wynn, who took over the job last fall, took the unprecedented step of not signing off on the contract's "authority to operate," which expired on July 24.
"I have to applaud Renee for stepping up here," said government security expert Torsten George, vice president at Albuquerque, NM-based RiskSense, Inc. "You can almost call her a whistleblower. It's a bold move. Not a lot of people would have made that move, for career reasons."
NASA has seen a string of bad cybersecurity news lately. At the beginning of the year, the group AnonSec claimed it had hacked NASA, saying it found NASA computers still using default administrator credentials, which it said allowed it to steal employee information, flight logs, and other data.
In April, SecurityScorecard reported that NASA had the worst cybersecurity of the 600 U.S. government organizations it rated.
In particular, the company found malware signatures indicating infected machines, SSL certificate issues, and insecure open ports. As a result, the agency got failing grades in IP reputation, network security, and patching.
According to a recent report by Federal News Radio, internal documents show that NASA has anywhere from hundreds of thousands to millions of unapplied patches at every center across the country.
In addition, last November, NASA received an overall "F" grade for information technology from the House Committee on Oversight and Government Reform, including an "F" grade for risk assessment transparency.
Over the past six years, NASA's Office of the Inspector General issued 18 audit reports and made 85 recommendations designed to help improve NASA's IT security efforts, including issues related to acquisition of IT systems, cybersecurity vulnerabilities, IT security incident detection and handling capabilities, continuous monitoring tools, cloud computing technologies, web application security, and overall NASA IT governance.
Securing IT systems and data was a "top management challenge" for NASA, said inspector general Paul Martin in a letter to a U.S. Senate subcommittee overseeing the agency sent in late July.
HPE fails to fix problems
According to the contract, HPE was supposed to provide computing devices and services to more than 60,000 users to increase NASA's efficiency and "allow its employees to more easily collaborate in a secure computing environment."
Problems showed up early. According to NASA's inspector general, HPE failed to replace most computers in the first six months.
In a 2013 audit report, the inspector general said that multiple security patches were not applied in a timely manner, with some updates several months overdue.
Not all problems were due to HPE. NASA was responsible for some of the issues because of inefficient decision-making, problems setting up an ordering system, and inadequate oversight, the report said.
But the bottom line was that HPE wasn't delivering on its promises.
"HP is performing poorly under the contract even after taking into consideration the agency's failure to establish sound performance metrics," the report said.
Six months to shape up
According to George, Wynn made the right decision in denying the authority to operate.
"You don't want to end up in a few months seeing that there's been another breach, and she has to explain why she signed off," he said.
In theory, this means that insecure systems have to be closed off to outside access, he said. "Otherwise, they would present an attack surface that could be leveraged."
But there's a six-month grace period, he added.
"She used the authority to operate to get into the news, to elevate this message, but made an exception for 180 days to give people a chance to fix it," he added. "If not, after 180 days, she might go through and say, hey, let's shut everything down."
Issues go beyond NASA
But Wynn isn't just drawing attention to problems with the HPE contract. She's also drawing attention to the trouble many government agencies are having in becoming compliant with the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program.
"Agencies have to deal with hundreds of thousands of vulnerabilities across their IT environment and are often simply too overwhelmed to determine which vulnerabilities pose the highest risks," George said. "This move will hopefully raise enough awareness to force discussions on how to really operationalize cyber risk management."
Recent breaches at the Office of Personnel Management, the IRS, the FBI, and the Department of Homeland Security show that the problem is pervasive.
"It's a giant mess," George said.
The CDM program came out of the Department of Homeland Security and NIST back in 2013 and was supposed to help address agencies' cybersecurity issues.
"In reality, not much has happened," said George. "A lot of agencies are still scratching their heads. There are a lot of different systems, a lot of contractors, and millions of vulnerabilities -- and they don't know where to start."
HPE declined to comment for this story.
NASA spokeswoman Karen Northon said that the agency is committed to holding vendors accountable if they don't meet their contractual obligations.
"The conditional Authority to Operate signed by NASA's chief information officer is one mechanism by which the agency can ensure Hewlett Packard Enterprise takes the necessary steps to fully meet their obligations," she said.
"The agency will continue to work closely with HPE throughout the remediation process to ensure this goal is met and the required level of service is sustained through the life of the contract."