NASA Cybersecurity


NASA Cybersecurity
March 27th, 2015

NASA Strategy-Performance Framework

NASA Performance Framework (2014 Strategic Plan), by level and time horizon:
- Strategic Goal: timeless
- Strategic Objective: up to 10 years
- Performance Goal: up to 5 years
- Cross-Agency Priority Goal: up to 5 years; reporting schedule varies
- Agency Priority Goal: 2 years; report quarterly
- Annual Performance Indicators: 1 year; report 3rd and 4th quarter

Agency Priority Goals*: Target areas where agency leaders want to achieve near-term performance acceleration through focused senior leadership attention.

CAP Goals*: Presidential priority areas that require active collaboration between multiple departments and agencies because they address long-standing challenges for which no one agency has sole responsibility.

Strategic Objective Annual Review (SOAR)*: Starting with the 2014 strategic plans, every agency is required to conduct annual reviews of their strategic objectives. These reviews highlight those areas where the agency is making "noteworthy progress" or has a "focus area for improvement". These annual reviews will provide input into budget formulation and require the COO/PIO to make final ranking determinations. (Note: SOAR reviews also allow us to conduct a "pulse check" of PG/API progress in Q2.)

*Requirements mandated by the GPRA Modernization Act of 2010 and OMB Circular A-11

NASA Cybersecurity Continuous Monitoring Framework: Functions & Current Capabilities

For each framework function the slide lists its description, the cybersecurity outcomes NASA tracks, the framework service areas (categories), and NASA's cyber programs that deliver them.

Identify
- Description: Develop organizational understanding to manage cyber risk to systems, assets, data, and capabilities.
- Cybersecurity outcomes: Assets (equipment/software/personnel) and interconnections are all Known/Managed; Vulnerabilities/Risks/Business Impacts are Known/Managed; Roles/Responsibilities are clearly outlined; Budget is effectively managed and reported; Personnel management; Contract management
- Service areas: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Staffing resources; Budget planning
- NASA's cyber programs: IT Security Electronic Data Warehouse (ITSEC-EDW); NASA Security Assessments Authorization Repository; PGAT Support; Vulnerability Assessment; Governance Risk and Compliance; Cloud Security; NOC/SOC Integration; IT Security and Management Program; Resources and Planning Program

Protect
- Description: Develop and implement the appropriate safeguards to ensure delivery of critical services.
- Cybersecurity outcomes: Remote access uses strong authentication (PIV, 2-Factor); Patch levels compliant with agency policy; Data at-rest and in-transit are protected; Protections against data leaks are implemented
- Service areas: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- NASA's cyber programs: Agency Security Configuration Standards; IT Security Awareness & Training Center; Secure Web Coding Training; Upgrade to Next Gen Firewalls/Web Application Firewalls; Agency Vulnerability Assessment & Remediation

Detect
- Description: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Cybersecurity outcomes: Assets (equipment/software/personnel) and interconnections activity monitored (CDM); Test exfiltration attempts are caught; Attempts to access large volumes of data detected/investigated; All anomalies reported to SOC and US-CERT in accordance with Federal policy; Roles/Responsibilities are verified in incident response testing
- Service areas: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- NASA's cyber programs: Intrusion Prevention System; SOC Data Loss Prevention; Intrusion Detection System; SOC Continuous Monitoring; Network Data Loss Prevention; Web Application Security Program (WASP)

Respond
- Description: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Cybersecurity outcomes: Worst-case Incident Response Plan tested, updated within 30 days of test results; Established partnerships for surge resources/special capabilities (contracts/MOUs); All contracts handling Sensitive Information contain clauses on protection/detection/reporting of information loss
- Service areas: Response Planning; Communications; Analysis; Mitigation; Improvements
- NASA's cyber programs: Web Application Security Program Penetration Testing; Network Forensics; Advanced Analytics; CI - Threat Analysis; Networks Forensics and Visibility

Recover
- Description: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired due to a cyber event.
- Cybersecurity outcomes: Business Continuity Plans are in place and fully tested for all levels of incidents; Recovery Plans incorporate lessons learned; Recovery activities are communicated to internal and external stakeholders; Ensure appropriate contingency plans are developed to compensate for mission impact of remediation efforts
- Service areas: Recovery Planning; Improvements; Communications
- NASA's cyber programs: SOC COOP (Security Ops Center Continuity of Operations Plan); SOC Life Cycle Refresh; ASUS; Dell-Kace

NASA Federal Cybersecurity Self-Assessment: Vulnerabilities & Self-Assessment Progress

Key activities completed and planned actions for next quarter, by framework function:

Identify (Develop organizational understanding to manage cyber risk to systems, assets, data, and capabilities)
- Completed: RADAR ConOps language drafted to implement into agency policy
- Planned for Next Quarter: Clearly define asset management roles/responsibilities

Protect (Develop and implement the appropriate safeguards to ensure delivery of critical services)
- Completed: Additional testing of security settings for Mac V10.8 & V10.9 and RedHat V5 & V6; Completed Data-at-Rest encryption assessment across all NASA Centers; Perform weekly patching updates as defined in Agency policy
- Planned for Next Quarter: Progress towards all non-Windows 7 desktop solution for PIV compliance; Progress towards PIV access for privileged users

Detect (Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event)
- Completed: IDS deployed at TIC locations
- Planned for Next Quarter: ITSEC-EDW and SOC will collaborate to ensure reporting to US-CERT

Respond (Develop and implement the appropriate activities to take action regarding a detected cybersecurity event)
- Completed: Incident Response tabletop exercise completed Q4 FY14
- Planned for Next Quarter: Second Incident Response Plan test scheduled

Recover (Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired due to a cyber event)
- Completed: Alternative Processing Site design
- Planned for Next Quarter: SOC COOP plans will be completed next quarter

Progress/Risk Gap ratings shown on the slide, one per function: Y, Y, G, Y, Y.

The Agency Self-Assessment is based upon agency performance and leadership judgment. Focus is on progress and gap closures*, using the criteria below to guide ratings:
- Green: Agency shows progress and is on target to strengthen its cybersecurity posture or close all identified gaps
- Yellow: Agency shows progress and is on target to strengthen its position or close most identified gaps
- Red: Agency shows little progress and is not likely to close a majority of identified gaps

*For initial agency self-assessments: Agencies were asked to use progress against the items outlined in the "PMC Cybersecurity Action" memo issued Sept. 16, 2014. For subsequent self-assessments, agencies have the latitude to add activities via the "Planned Actions for Next Quarter" portion of the "Agency Self-Assessment Template" to outline activities planned for the following quarter.

Phishing Exercise Update

[Table: % of Opened Emails where the User Clicked the Link/Opened Attachment, by Center, for Q3 FY14, Q4 FY14, Q1 FY15 and Q2, with Agency FY15 Goal and Trend; the per-Center values did not survive transcription.]

- Trending patterns are difficult to compare as different attack techniques are used each quarter.
- 20% of Agency users were included in the phishing exercise conducted in February 2015.

Legend/Performance Change from Last Month: Unchanged / Improving / Declining

Personal Identification Verification (PIV) Update

Agency FY 2015 Goal: 75%. OMB FY 2014 CAP Goal Target: 75%. Trend: R.

Current Center Implementation and Enterprise Implementation phases:
- Phase 1: % Windows 7 Desktop Platforms w/ Smartcard Required Login (ECD March 31st). NASA Total: 84.1%; JPL: 0.0%**
- Windows Platforms (8.x, 7.x, Vista, Unsupported (XP)): NASA Total 62.1%
- Phase 2: % All Windows/Mac/Unix/Linux Desktop Platforms w/ Smartcard Required Login (ECD Q4 FY16)
- Phase 3: % All Windows/Mac/Unix/Linux Desktop Platforms Including Mobile Devices w/ Smartcard Required Login (ECD Q4 FY16)
- Phase 4: % System Owners w/ Smartcard Required Login (ECD Q4 FY18). 51.0%; JPL 0.0%

** JPL included in FISMA inventory reporting starting FY15.

- FISMA/Cross-Agency Priority PIV goals require user account authentication metrics (Phase 4) rather than machine-based metrics. The intent is to progress towards user-based enforcement.
- Current metrics will positively change as PIV solutions are addressed for non-Windows 7 desktop platforms.
- Validation of an industry solution for Mac/Unix/Linux systems will assist in the rollout of Phase 2.
- Derived credential implementation may assist in the rollout of Phase 3.
- Phase 4 rollout will require enterprise and local applications to comply with mandatory smartcard login requirements.

Legend/Performance Change from Last Month: Unchanged / Improving / Declining

Risk Posture

[Figure: 5x5 risk matrix, Likelihood (Very Low, Low, Mod, High, Very High) against Consequence (Very Low, Low, Mod, High, Very High), plotting the five risks below by sequence number; cell placements did not survive transcription.]

Risk 1: Exfiltration of NASA Data (Trend: Y)
- Statement: If advanced threats, coupled with status quo network and data defense, continue then the risk of NASA data exfiltration will increase to a very high likelihood and consequence rating.
- Mitigations: Quarterly Phishing Exercises; Intrusion Prevention Sys; Breach Prevention; Web Application Security Framework; Agency Security Perimeter

Risk 2: Social Engineering & Phishing (Trend: Y)
- Statement: If user education and border protection efforts digress then the risks associated with social engineering and phishing attacks will remain high.
- Mitigations: Quarterly Phishing Exercises; Intrusion Prevention Sys; Breach Prevention; Agency Security Perimeter

Risk 3: SOC Cont. of Operations Plan (Trend: Y)
- Statement: If central SOC services are disrupted, then central and comprehensive IT security incident detection and mitigation capabilities will cease.
- Mitigations: Completing the build-out of an alternative processing site for data analysis and storage. COOP is funded, now pending FAD approval.

Risk 4: Compromise of Agency Websites (Trend: Y)
- Statement: If web application protections and border protection efforts digress then the risks associated with website compromises will remain high.
- Mitigations: Intrusion Prevention Sys; Breach Prevention; Agency Security Perimeter; Web Application Security Framework

Risk 5: Compromise of User Accounts & Lost Devices (Trend: Y)
- Statement: If user education, system encryption, standardized authentication and border protection efforts do not continue to progress, risks associated with the compromise of user accounts and the impact of lost devices will increase.
- Mitigations: User Education; Data-At-Rest and PIV Authentication; Intrusion Prevention Systems; Breach Prevention

Key
- Risk Criticality: High (Red); Medium (Yellow); Low (Green)
- Status Codes: Mitigate (M); Watch (W); Research (R); Accept (A); Elevate (E)
- Performance Risk Mitigation: Unchanged / Improving / Declining
- Matrix markers: Pre-Mitigation Risk; Current Risk Status

Legend/Performance Change from Last Month: Unchanged / Improving / Declining

NASA IT Strengths and Weaknesses

Strengths:
- 15% lower number of findings (18) than industry average
- 60% of weaknesses are process-related, not technology
- Sound approaches to: App Dev Security; Availability/Disaster Recovery; Host/Platform Protection; Access Management; Data Integrity Monitoring; Network Security; Physical Security; PKI/Encryption Use; Vulnerability Management
- Meeting or Exceeding Industry Trends in all areas except: Host/Platform Security; Malicious Software Protection; Monitoring
- Large number of in-work initiatives reflects positive approach to security maturity

Weaknesses:
- Less than adequate current maturity
- Resource and priority drain
- Organization/Culture Issues commensurate with enterprise program: Insufficient, infosec-dedicated resources; Insufficient enforcement scope
- Elevated risk areas due to reduced maturity: Change Management w/ Assurance; Comprehensive Data Protection; Endpoint Admission Security; Governance approach

Impacts:
- Process-related issues limit the enterprise security program to a Reactive Posture: below minimum maturity level for due diligence.
- Current weaknesses limit ability to comprehensively manage existing residual risk and proactively address emerging threats

Priorities for remediation:
- Security-based change impact evaluation
- Protection for: removable media, databases, backups
- Access & configuration enforcement (IW)
- Malicious Software Protection
- Resource study, governance committee, awareness & security plan enhancements
- Mobile Security Console alert management
- Mobile device management (IW)

In general, strengths, weaknesses, and in-work initiatives reflect a proactive approach.

Success Demands a Holistic Solution

Multi-tiered approach that aligns cyber security management to mission assurance and agency performance:
- Better alignment to mission objectives
- Increased readiness, scalability and flexibility
- Global cross-standard application
- Rigorous cycle of risk identification and management
- Future-focus to anticipate emerging challenges

Identify the real risks; Protect what matters most; Sustain an enterprise program; Optimize for mission performance.
