1、Lessons Learned Entry: 1149Lesson Info:a71 Lesson Number: 1149a71 Lesson Date: 2000-02-01a71 Submitting Organization: HQa71 Submitted by: David M. LengyelSubject: Agency-Wide/Computer Hardware-Software/Computer Security Description of Driving Event: Implementation of NASA Agency-Wide Computer Securi
2、ty PlanLesson(s) Learned: NASA has initiated an agency-wide program to deal with general computer security. Significant parts of NASAs initial plan depend upon the voluntary compliance of system users including contractors.Recommendation(s): Expand the agency-wide security system development work to
3、 include less dependence on human compliance with the system. NASA should also require contractors to participate in its security efforts.Evidence of Recurrence Control Effectiveness: NASA concurs with both parts of the recommendation. Regarding less dependence on human compliance, all NASA Centers
4、have installed software and hardware tools that automatically scan for hostile code, system vulnerabilities, and hostile intrusions. These tools are not perfect; they require human oversight. However, they do reduce the amount of manual labor and the amount of human discretion involved in finding an
5、d dealing with attacks. NASA is exploring with vendors the possibility of applying artificial intelligence techniques to identify patterns in intrusion detection data that may not be obvious. This field has not yet matured to the point that products or services are available, but we are hopeful that
6、, in a year or two, prototype products may be available for evaluation. These products would reduce the amount of manual analysis required to identify attacks, Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHSand they would make it easier to correlate data
7、 from different Centers.We also use audits and metric reports to verify that human compliance has been adequate. For example, this year we will engage a third party to perform a technical audit of IT security provisions at three NASA Centers. Metric reports on security plans, training, and system vu
8、lnerabilities help us to track performance, thereby reducing discretion in compliance with NASA policy.However, IT security evolves rapidly. New threats must be countered manually until they are well enough understood for defense to be automated. Thus, we expect to rely on human intellect and energy
9、 to identify and deal with novel developments.Regarding requiring contractors to participate in its security efforts, we issued for comments, in January, a draft regulation to be included in the NASA supplement to the Federal Acquisition Regulations. This regulation would require NASA contractors, w
10、ho operate computers or network systems on behalf of NASA, to adhere to appropriate provisions of NASA policies and procedures for information technology security. Comments on this draft have been dispositioned, and we expect the final regulation to be issued shortly. Also we are including contracto
11、rs, such as the Consolidated Space Operations Contract, the Outsourcing Desktop Initiative for NASA, and the USA vendors, in various fora that coordinate IT security across systems operated on behalf of NASA. Although this effort is recent, we are seeing good cooperation. We expect integration of co
12、ntractors to help maintain a seamless NASA IT security posture.Documents Related to Lesson: N/AMission Directorate(s): a71 Space Operationsa71 Exploration SystemsAdditional Key Phrase(s): a71 Aerospace Safety Advisory Panela71 Computersa71 Flight Operationsa71 Ground Operationsa71 Policy & Planninga71 Risk Management/Assessmenta71 Securitya71 SoftwareProvided by IHSNot for Resale-,-,-Additional Info: Approval Info: a71 Approval Date: 2002-03-18a71 Approval Name: Bill Loewya71 Approval Organization: HQa71 Approval Phone Number: 202-358-0528Provided by IHSNot for Resale-,-,-
