NASA System Security Plan

Ashley Hudson

CSIA 412

June 29, 2014

Introduction.

The purpose of NASA’s System Security Plan (SSP) is to provide an overview of the security requirements and the controls that are in place to ensure the confidentiality, integrity and availability of its network and properties.

The plan is also intended to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

“This Information Security Plan has been implemented across the spectrum of organization of NASA, it will outline standards based procedures that ensure the provision of appropriate security controls with regards to different elements of Information Security, and how the relevant roles and responsibilities are applied accordingly throughout the organization” (NASA, 2011). In addition, this policy will: 1) include security categorizations; and 2) list management, technical, and operational controls. Finally, these controls will be used across the Information Systems provided and used within NASA to ensure that it is in compliance with the Federal Information Security Management Act of 2002 (FISMA) and National Institute of Standards and Technology (NIST), which are the primary guiding agencies that have been established to help secure NASA’s network.

1. SYSTEM IDENTIFICATION/SCOPE OF ASSESSMENT

1.1 System Name/Title/Unique Identifier

System Name: Earth Observing System Data and Information System (EOSDIS).

1.2 Security Categorization

For federal agencies and their associated information systems, the Federal Information Security Management Act (FISMA) mandates that the confidentiality, integrity, and availability of all such systems be protected. This is overseen through Federal Information Processing Standards (FIPS) 199, which determines the impact that would be realized through a security breach as being Low (limited negative impact), Moderate (serious negative impact), or High (catastrophic/severe negative impact). Based on these categorizations, EOSDIS would be deemed Moderate in terms of the potential impact of a security breach (NIST, 2014).

1.2.1 Information System Type – EOSDIS is an Enterprise Information System (NASA, 2014).

1.2.2 Scope of Assessment – The scope of this assessment is to determine the extent to which security controls are implemented and deployed with regards to the overall security profile which is propagated throughout NASA directly.

2. MANAGEMENT CONTROL

Management controls are designed as a means of producing internal security policies and procedures which will protect systems from a variety of risks, as well as ensuring that there are appropriate plans in place to provide the most effective security implementations (NIST, 2010).

2.1 Selected Control – Security Assessment and Authorization

These security controls are designed to be fully compliant with FISMA.

2.1.1 Family Control #1 – CA-2 Security Assessments

2.1.2 Implementation Status: All security controls that have been developed and implemented will be regularly assessed to ensure that their ability to deliver confidentiality, integrity, and availability across the EOSDIS system is not impaired in any way.

2.1.3 Implementation of Control: The mandatory requirements outline regular security control assessments with one being carried out at least every three years.

2.2.1 Family Control #2 – CA-5 Plan of Action and Milestones

Once a security assessment is completed it will provide an overall report as to the respective issues which may need to be revised and corrected accordingly. This will ultimately be developed through a Plan of Action and Milestones (POAM) document and schedule as to when the identified security issues would be corrected. The various action steps will also be monitored accordingly.

2.2.2 Implementation Status: Not yet fully compliant

2.2.3 Implementation of Control: The EOSDIS implementation should have an evaluation and a POAM created in line with auditing, analysis, and review of Information Systems.

3. TECHNICAL CONTROL

Technical controls are implemented to protect the systems directly through software or hardware means. These will often be developed to ensure appropriate access or to detect security breaches and issues within the network and associated systems (NIST, 2010).

3.1 Selected Control – AC-1 Access Control

3.1.1 Family Control #1

Specific permissions are granted to users as part of an allocation of resources and responsibilities. Such a control will reduce the potential area for an attack within the EOSDIS environment.

3.1.2 Implementation Status:

3.1.3 Implementation of Control: This has been partially implemented within NASA, although some accounts have been determined to be inappropriate in terms of the levels of access that are provided.

3.2.1 Family Control #2 – AC-1 Account Management

The management of user accounts is essential in ensuring that accounts are created, deleted and modified as and when required.

3.2.2 Implementation Status: Not yet fully compliant

3.2.3 Implementation of Control: Account management for EOSDIS, along with other NASA systems, is based on the understanding of group memberships and the needs for each type of application accordingly.

4. OPERATIONAL CONTROL

4.1 Operational controls are designed to facilitate the administration and management of security within NASA and EOSDIS in particular (NIST, 2010).

4.1.1 Family Control #1 – IR-2 Incident Response Training

Incident Response Training provides all relevant NASA personnel with the ability to recognize a security incident and understand how it should be responded to specifically.

4.1.2 Implementation Status: In place (fully compliant with NIST SP 800-53).

4.1.3 Implementation of Control: All personnel are informed as to the benefits of appropriate procedures for escalation and reporting with regular updates provided through training and awareness schemes.

4.2.1 Family Control #2 – IR-6 Incident Reporting

In addition to training, the concept of Incident Reporting will ensure that the most appropriate information is used when incidents are noted and reported.

4.2.2 Implementation Status: Not fully implemented.

4.2.3 Implementation of Control: As there is a mandatory requirement for incidents to be reported to the overseeing authorities when they are discovered, this would be a fundamental implementation as part of necessary Incident Response solutions.

5. CONCLUSIONS/RECOMMENDATIONS

The Information Security policy and procedures which are apparent within NASA, and specifically with regards to the EOSDIS solution, show that while there are broad elements in place which should be considered as delivering a foundation for security within the organization, there are further elements which need to be fully implemented to ensure that full compliance with FISMA and NIST standards and regulations is met and assured on an ongoing basis.

On the whole the organization is attempting to be compliant on a universal scale but there are significant areas and elements whereby there are failings and limitations with the current implementation of policies and procedures, despite the underlying foundation of security standards and guidelines that are apparently derived from NIST for example.

5.2 Recommendations

It would be recommended that priorities are evaluated as part of an overall security review within NASA and across systems such as EOSDIS to understand the relative urgency with which security should be amended and revised accordingly. As a result there are several recommendations which should be implemented as a priority to ensure that the overall compliance is achieved:

  1. Perform system-wide audit with comprehensive and detailed results as to the compliance or non-compliance of systems and processes;
  2. Action steps should be scheduled to correct any issues accordingly;
  3. Roles & Responsibilities required for all personnel should be defined;
  4. Reporting should be implemented at regular intervals across all Information Systems so that their status and efficiency can be determined. This is particularly relevant to the reporting of any specific incidents;
  5. Review the NIST guidelines and ensure the main priorities are encompassed within the organization and its objectives directly.

References

National Aeronautics & Space Administration. (2011, February 14). 2011 NASA Strategic Plan. Retrieved from NASA:

National Aeronautics & Space Administration. (2014, May 22). IT Security Division. Retrieved from NASA:

National Institute of Standards & Technology. (2014, April 1). FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) IMPLEMENTATION PROJECT. Retrieved from National Institute of Standards & Technology:

National Institute of Standards and Technology. (2010, June). Guide for Assessing the Security Controls in Federal Information Systems and Organizations. Retrieved from NIST Special Publications:

NIST. (2006, February). Guide for Developing Security Plans for Federal Information Systems. Retrieved from National Institute of Standards and Technology: