In the wake of continued security problems, NASA's CIO is sending a no-confidence signal to Hewlett Packard Enterprise, which received a $2.5 billion contract in 2011 to address problems with the agency's outdated and insecure information technology infrastructure.
In late July, CIO Renee Wynn, who took over the job last fall, took the unprecedented step of not signing off on the contract's "authority to operate," which expired on July 24.
"I have to applaud Renee for stepping up here," said government security expert Torsten George, vice president at Albuquerque, NM-based RiskSense, Inc. "You can almost call her a whistleblower. It's a bold move. Not a lot of people would have made that move, for career reasons."
NASA has seen a string of bad cybersecurity news lately. At the beginning of the year, there was a hack by AnonSec where the group said it found default settings for administrator credentials on NASA computers, allowing them to steal employee information, flight logs, and other data.
In April, SecurityScorecard reported that NASA had the worst cybersecurity of all 600 U.S. government organizations.
In particular, the company found malware signatures indicating infected machines, SSL certificate issues, and insecure open ports. As a result, the agency got failing grades in IP reputation, network security, and patching.
According to a recent report by Federal News Radio, internal documents show that NASA has anywhere from hundreds of thousands to millions of out-of-date patches at every center across the country.
In addition, last November, NASA received an overall "F" grade for information technology from the House Committee on Oversight and Government Reform, including an "F" grade for risk assessment transparency.
Over the past six years, NASA's Office of the Inspector General issued 18 audit reports and made 85 recommendations designed to help improve NASA's IT security efforts, including issues related to acquisition of IT systems, cybersecurity vulnerabilities, IT security incident detection and handling capabilities, continuous monitoring tools, cloud computing technologies, web application security, and overall NASA IT governance.
Securing IT systems and data was a "top management challenge" for NASA, said inspector general Paul Martin in a letter sent in late July to a U.S. Senate subcommittee overseeing the agency.
HPE fails to fix problems
According to the contract, HPE was supposed to provide computing devices and services to more than 60,000 users to increase NASA's efficiency and "allow its employees to more easily collaborate in a secure computing environment."
Problems showed up early. According to NASA's inspector general, HPE failed to replace most computers in the first six months.
In a 2013 audit report, the inspector general said that multiple security patches were not applied in a timely manner, with some updates several months overdue.