NASA Chief Information Officer Renee Wynn told House lawmakers Nov. 16 that its troubled Agency Consolidated End-user Services (ACES) contract is getting back on track through regular meetings and holding Hewlett-Packard Enterprise Services (HPES) more accountable for fixing long-term problems.
It may have to do with the fact that NASA Administrator Charles Bolden met with HPES CEO Meg Whitman in October.
A NASA spokeswoman confirmed Bolden and Whitman talked about ACES as well as agency IT security, the two organizations’ partnership and the delivery of services to the space agency.
“Bolden complimented Whitman on the company’s actions to remedy current issues and expressed optimism that these actions will yield results,” the spokeswoman wrote in an email to Federal News Radio. “Whitman pledged her commitment to ensure the delivery of quality services and continued collaboration with NASA, and indicated she understood the importance of NASA’s IT security posture.”
Insight by Carahsoft: This exclusive e-book demonstrates just how far agencies have come and where they still need to go to take fully advantage of DevSecOps to drive modern capabilities to their customers.
The meeting comes after Federal News Radio wrote a series of articles highlighting systemic problems with the $2.5 billion, 10-year ACES program and HPES.
Wynn told lawmakers on the House Oversight and Government Reform Subcommittee on IT that ACES still is operating under a 180-day conditional authority to operate (ATO).
A conditional ATO is not allowed under guidance from the Office of Management and Budget or in special publications from the National Institute of Standards and Technology. The six-month conditional ATO is expected to run out in January.
NIST special publication 800-137 Revision 1 stated: “The security authorization decision indicates to the information system owner whether the system is: (i) authorized to operate; or (ii) not authorized to operate. The terms and conditions for the authorization provide a description of any specific limitations or restrictions placed on the operation of the information system or inherited controls that must be followed by the system owner or common control provider. The authorization termination date, established by the authorizing official, indicates when the security authorization expires.”
In August 2009 and again in November 2013, OMB issued its annual FISMA guidance with a set of frequently asked questions including one about interim ATOs.
“Does OMB recognize interim authority to operate for security authorizations? No. Security authorization has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality governmentwide. Introducing additional inconsistency to the government’s security program would be counter to FISMA’s goals.”
And despite the meeting between Bolden and Whitman, the ACES contract is far from fixed. Sources say NASA and HPES still are struggling to patch systems under contract. Sources say workstations and devices under ACES are missing more than 140,000 critical patches.
The NASA spokeswoman could not confirm the number of missing critical patches, but did say there are substantial improvements.
“The number of patches to be applied to systems is dynamic as new patches are issued regularly. ACES continues to make steady progress in reducing the backlog of patches,” the spokeswoman said. “Since April 2016, we have made strides in working with HPES to reduce this number by nearly 70 percent and we’re continuing to make progress.”
Back in August, NASA data obtained by Federal News Radio showed devices under ACES were missing more than 378,000 critical patches.
Wynn told lawmakers in her written testimony that after Forrester conducted a Business Services Assessment, NASA decided to push more workstations to the ACES contract, even with the long-standing cyber problems.
Wynn wrote, “The OCIO will consolidate non-ACES workstations administration and support, where feasible and appropriate. A target was established for each NASA center to obtain at least 80 percent of their desktop, laptop, and workstation computing services through ACES. Further, the agency decided that using non-ACES systems would require waiver approval from the center CIO. Compliance with these objectives will be evaluated as part of the annual center functional reviews. Finally, the OCIO will develop a core suite of collaboration tools and standards to meet the majority of NASA requirements.”
But even with some progress under ACES, the space agency’s cybersecurity efforts still are troubling, as NASA will not implement two-factor authentication using smart identity cards for 100 percent of its users until early 2018.
“With our privileged users during the cyber sprint we made the 100-percent mark,” Wynn said during a hearing before the House Oversight and Government Reform subcommittee on IT. “For our unprivileged users, this is where we’ve benefited from having a permanent chief information security officer on board for a couple of months. She has taken a hard look at how we’ve measured it and who was considered in needing a [HSPD-12] card. For NASA, we will report one metric at the conclusion of fiscal 2016, our information is in process right now. We are changing the universe of who needs to be covered by this requirement. We will take a dip and then we will go back up. [NASA Administrator] Charlie Bolden already met with the new federal CISO to give his assurance that NASA will get to 100 percent. We believe it will take us to the early part of 2018 to make that, but we will make significant progress in fiscal 2017.”
According to the Performance.gov portal as of November 2015 — the most recent data available —NASA said 77 percent of non-privileged employees were using smart identity cards to log on to the network. The governmentwide average a year ago was 84 percent.
Additionally, Wynn said the agency still needs to come up with one set of high-valued assets it needs to protect, instead of a list from a cybersecurity perspective and another from a safety perspective.
“We also are taking a hard look at our processes and procedures to make sure we are doing the best we can do with tools and bringing in assistance from other federal agencies,” she said.
It’s also unclear if NASA will make the December deadline to implement the Homeland Security Department’s EINSTEIN 3A program.
“While we have experienced some challenges around deploying this technology at some centers, we are working with DHS to resolve technical issues and enable NASA to meet the Dec. 18, 2016 deadline for full deployment,” Wynn wrote in her prepared testimony.
Rep. Will Hurd (R-Texas), chairman of the subcommittee, credited Wynn for not signing the authority to operate for the ACES contract in July, and said this is the type of action more CIOs should be taking.
“I think this is actually a good news story because you obviously felt you had the authorities to do those kinds of things and you were using your technical judgment,” Hurd said. “I imagine a CIO letting a major system ATO expire turned some heads. These are the kinds of decisions we want to see more CIOs making. That’s the whole reason we are empowering you to make these types of decisions.”
Along with NASA, other CIOs offered similar examples of holding vendors accountable for systems that were suffering cyber challenges.
Rob Klopp, the Social Security Administration’s CIO, said a vendor running the agency’s call center system fell out of FISMA compliance.
Klopp said he revoked the ATO, issued a 90-day conditional ATO and told the vendor to fix the problems.
“In the end, it took us about a year to get that system completely compliant, but the pressure and threat of pulling the ATO is what allowed us to do it,” he said.
Jonathan Alboum, the Agriculture Department’s CIO, said he hasn’t faced similar situations where he didn’t feel comfortable signing a system’s ATO, but has support in the agency to make the right decisions if necessary.
USDA currently has systems without an full ATO, however. Alboum said his office annually assesses one-third of all of the controls for each of USDA’s 329 systems.
“It is possible during the assessment of those controls, we will find something that requires us to revoke an ATO and work with an agency to get that back into compliance,” he said. “The number of systems we have with a valid ATO is in flux because of this process. I think it’s a good thing if we find something that says we are not going to have an ATO for this system and work to correct it.”