
Saturday, December 11, 2010

NASA IG Finds Shuttle IT Security Lapses

HOUSTON — NASA’s strategy for the disposal of surplus space shuttle program assets has exposed sensitive data, including operational and maintenance technology information subject to U.S. export controls, through the release of computers and other Information Technology equipment, NASA Inspector General Paul K. Martin says in a Dec. 7 report.

The IG findings were based on a yearlong audit that was focused on property disposal activities at Kennedy and Johnson space centers as well as the Ames and Langley research centers.

While responding to security concerns raised by the IG staff during the audit that concluded in June, NASA’s chief information officer and assistant administrator for strategic infrastructure offered solutions that would not materialize until mid-2011 or not at all due to the expense or differences of opinion regarding who is responsible for verifying that hard drives and other equipment have been “sanitized” of sensitive information prior to release, Martin notes.

“The weaknesses we identified in NASA’s IT sanitation policy and procedures put NASA at risk of releasing sensitive information that could cause harm to its mission and violate federal laws and regulations that protect that information,” the 40-page report concludes. Martin urges the agency to act quickly to implement NASA-wide policies for the sanitation of IT equipment and establish clear procedures for verifying that sensitive information has been removed. NASA’s shuttle fleet is facing retirement next year.

According to the audit, Kennedy lacked a center-wide hard drive sanitation policy as the audit began, but initiated a “tiger team” to address the lapse as soon as the IG raised concerns. Kennedy, Johnson and Ames all used unapproved software for hard drive sanitation. Neither Johnson nor Ames was engaged in verifying the removal of sensitive information following sanitation procedures.

Kennedy’s verification process relied on an independent contractor. The screening of 730 computers and other pieces of IT hardware by the contractor found 14 computers that had not been fully sanitized. Though the computers had been tagged as noncompliant, no one at Kennedy took action to remove the data or prevent their sale.

Auditors at Kennedy also discovered hard drives removed from excess computers stored in an unsecured dumpster accessible to the public. Several pallets of computers at a Kennedy property disposal facility bore Internet protocol addresses that posed a potential security threat.

At Langley, the IG found that hard drives could be removed from computers without complying with tracking procedures.
