Last week, I asked whether NASA was “slow rolling” a cybersecurity breakthrough called Gryphon X. It’s a proposal from Ames Research Center that many in the cybersecurity community believe could help secure critical infrastructure in a more active and proactive way, and also push the space agency back toward the front of the innovation pack.
This week, we are learning more about NASA’s plans to move forward with Gryphon X after all.
NASA Ames Chief Information Officer Jerry Davis sent an email response to questions detailing the current status of the proposal:
“Currently, Gryphon X is in the proposal and formulation stage. Newly proposed programs such as Gryphon X that involve expenditure of public funding must undergo a rigorous process to ensure that we are using those funds to clearly and efficiently meet the needs of the agency,” Davis wrote. “We intend to hold a stakeholders’ workshop this spring to further articulate Gryphon X’s goals and objectives, solicit feedback and further scope the program to meet NASA’s needs. After that, we’ll do a cost analysis to determine the life cycle cost of the program to meet requirements. Right now this is basically what we consider a very good and well thought-through idea, but there are many steps to flesh-out that idea and prove that it’s the best way to meet NASA’s needs, and that it deserves funding.”
Davis added that like any good idea in the private sector, NASA must look at all aspects of the proposal to determine if moving from concept to operational capability makes sense.
The fact that NASA decided to talk publicly about Gryphon X and commit to taking a serious look at it is a significant change.
Over the last six months or more, NASA headquarters basically ignored the proposal, according to the Institute for Critical Infrastructure Technology (ICIT).
James Scott, ICIT’s co-founder and senior fellow, said the more public and private sector cyber experts hear about Gryphon X the more momentum it will get.
“Legislative community interest and pressure will be key with how rapidly or slowly the proposal evolves,” Scott said. “We don’t have the luxury of dragging our feet on this. We will be working hard this spring to build alliances on the Hill for this project and will make ourselves available to the media in order to keep Gryphon X positioned in its rightful place at the center of critical infrastructure cybersecurity conversations. I’m always asked by media and industry if the government is doing anything to fix the rampant cyber vulnerability problems that allow adversaries to eat our lunch for us day in and day out. Gryphon X is the only real, viable and doable proposal that we’ve seen from any of the agencies that can bring next generation, bleeding edge technology to our dilapidated critical infrastructure technology.”
ICIT is hosting a Resiliency & Enablement Forum on April 25 in Arlington, Virginia, featuring Davis talking about Gryphon X.
Davis, who has built his career around cybersecurity at NASA and the Veterans Affairs and Education departments, developed the proposal together with John Stebel.
“Gryphon X is a holistic approach to reducing cyber risks to NASA’s high value space and aerial assets, including support of ground-based infrastructure, which would not rely on traditional or commoditized cybersecurity solutions, processes, methodologies or thinking,” Davis said. “Gryphon X emphasizes the applied research, development, testing and evaluation of advanced cyber solutions through facilitation within a collaborative environment with communities of practice, which may be individuals and/or groups worldwide who represent other NASA centers, other government agencies, academia, commercial and private industry. Operationally, Gryphon X suggests that the best way to leverage collective thought leadership and advanced cyber solutions from around the world is to construct, host and make available to the communities of practice a physical facility at NASA in Silicon Valley with virtual capabilities where incubation of cyber solutions can take place.”
The public description and discussion of the Gryphon X proposal comes on the heels of my month-long investigation into NASA’s cybersecurity problems.
Part of the challenge for NASA is its contract with Hewlett-Packard Enterprise Services under the I3P program.
Now another piece of I3P is under scrutiny.
Rep. James Sensenbrenner (R-Wis.) sent a letter on Feb. 24 to NASA Administrator Charles Bolden questioning the space agency’s contracting practices under the NASA Integrated Communications Services (NICS) contract.
Sensenbrenner first questioned NASA back in November, and Bolden responded Feb. 18. A week later, Sensenbrenner asked a new set of questions regarding a whistleblower’s “serious concerns about illegal expenditures and unethical activity.”
At the heart of the issue is whether NASA and its prime contractor SAIC, which won the NICS contract in 2011 under a $1.3 billion deal, have only one approved vendor to provide wired and wireless local area network services. NASA said it doesn’t, but Sensenbrenner wants more details based on information provided by a whistleblower.
But what’s truly interesting about Sensenbrenner’s questions is this is another example of NASA’s continued struggles with vendors under the I3P program.
HPE, which runs the Agency Consolidated End-user Services (ACES) contract, threatened to sue NASA for around $100 million, and in the end the agency paid HPE $35 million to settle a disagreement over the number of email boxes supported under the contract. Several sources told me that part of the reason for NASA’s cybersecurity problems is HPE’s lack of willingness or know-how to fix outdated or missing software patches.
So with SAIC now under scrutiny, two of the four I3P contracts have become problematic for the agency.
Additionally, several government and industry sources said SAIC isn’t easy to work with as NASA tries to implement the continuous diagnostics and mitigation (CDM) program. I’m hoping for more details about that potential problem in the coming weeks.
My advice would be to keep an eye out in the next year or two for NASA to rethink the I3P program in its entirety as major portions have not lived up to expectations.