Procurement News Notice |
|
PNN | 2569 |
Work Detail | A key NASA computer network managed by Hewlett Packard Enterprise has so many security holes that the space agency’s head of IT refused to sign off on a standard authority to operate, a new report said. “Letting an ATO (authority to operate) expire on a major agency network is unheard of in government,” said a report this week by Federal News Radio. Nearly every NASA employee and contractor uses the network, the station reported. Ames Research Center, a NASA agency at Moffett Field, has nearly 1,500 computers that fall under the HPE maintenance contract, according to the report. Within the HPE-managed system at Ames are almost 15,000 “critical” security flaws not remedied with patches, and across NASA as a whole, there are more than 375,000 vulnerabilities in the network HPE manages, the report said. Palo Alto’s HP Enterprise has a 10-year, $2.5 billion contract to manage the bulk of NASA’s personal computing hardware, software, mobile IT services and supporting infrastructure, according to the report. The firm won the contract in 2010. In a statement to SiliconBeat, NASA said it was “committed to ensuring that Americans are getting the best value for their tax dollars. “This means holding contractors accountable if and when they fail to meet their contractual obligations. The conditional Authority to Operate signed by NASA’s chief information officer is one mechanism by which the agency can ensure Hewlett Packard Enterprises takes the necessary steps to fully meet their obligations. The agency will continue to work closely with HPE throughout the remediation process to ensure this goal is met and the required level of service is sustained through the life of the contract.” A former chief information security officer at the Nuclear Regulatory Commission told Federal News Radio that in general, cyberattackers get into systems via unpatched flaws. “The fact that the overwhelming majority of successful attacks stem from unpatched vulnerabilities tells you that patching is a major problem in federal IT,” Pat Howard said. NASA confirmed to the radio station that the operating authority on the systems had been allowed to expire on July 24, and that chief information officer Renee Wynn signed a six-month conditional authority for the systems to continue operating. However, the station reported that internal NASA sources had revealed that the authority granted did not apply to laptops and desktop computers in NASA agencies. “Wynn’s decision to issue a ‘conditional’ ATO goes against long-standing policy from the Office of Management and Budget and the National Institute of Standards and Technology,” the report said. NASA responded that granting such a conditional authority was Wynn’s prerogative, in order to “ensure that she is aware of the underlying operational activities, and managing risk accordingly. “NASA continues to work with HPE to remediate vulnerabilities.” HPE referred SiliconBeat to NASA for comment on the report. NASA did not immediately respond to a request for comment. A spokeswoman for Ames said she would seek an official response to the report. Any responses from NASA or Ames may be added to this post in an update. Earlier this year, Federal News Radio reported that network security analysis firm SecurityScorecard had detected thousands of signals emanating from malware – including some of the world’s nastiest computer viruses – that had apparently infected NASA systems. NASA responded to the station, saying its “continuous monitoring tools and scans, a set of monitoring and scans performed by Department of Homeland Security, and various independent third-party audits of NASA’s computing environment do not support this claim of a broad malware infection in NASA’s IT infrastructure.” |
Country | United States , Northern America |
Industry | Information Technology |
Entry Date | 03 Sep 2016 |
Source | http://www.siliconbeat.com/2016/08/24/nasa-computer-network-a-security-mess-under-hp-enterprise-management-report/ |