Ok, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements. And, as someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness.  Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.  

The Cloud Is Nebulous

Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula — after the stellar cloud formation. (I love nerd humor, don’t you?)

Photo Source: NASA

During 2009, NASA, to determine if current cloud provider service offerings had matured enough to support the Nebula environment, did a study. The study proved that commercial cloud services had, in fact, become cheaper and more reliable than Nebula. NASA, as a result of the study, moved more than 140 applications to the public sector cloud environment.

In October of 2010, Congress had committee hearings on cybersecurity and the risk associated with cloud adoption.  But remember, NASA had already moved its noncritical data (like www.nasa.gov or the daily video feeds from the international space station, that are edited together and packaged as content for the NASA website) to the public cloud in 2009.  Before anyone ever considered the rules for such an adoption of these services.

Audit Recommendations

NASA’s auditors had recommendations regarding cloud oversight failures. NASA’s failures are teachable moments for companies that are already in the cloud with no governance around how the technology is deployed.  How would your organization address the following recommendations from your auditors?

1. Establish a cloud-computing program management office with authority to promulgate cloud-computing strategy and related standards and approve, coordinate, and oversee agencywide acquisition of cloud-computing services.

·      For cloud governance to work, someone must have the authority and requirement to oversee the process for acquiring cloud technology.

2. Require the cloud service provider or broker to develop NIST-compliant security and contingency plans and conduct a test of the system’s security controls.

·      When your data is out of your control, things like continuity, redundant monitoring, disaster recovery, and disposal of data become very important.

·      Any framework will do, it doesn’t need to be NIST. But one thing is clear: Monitoring adherence to the framework is part of due diligence for cloud services.

3. Ensure that the responsible Information Security Officer review IT security documentation and control tests and authorize the system for operation, as appropriate.

·      This one seems like a no-brainer. Before going live in production, harden and secure the application and infrastructure environment.

It’s important to remember that giving your services to a cloud provider does not mean less governance and risk management for you — it actually requires more governance and risk management from you. 



Source: NASA REPORT NO. IG-13-021 (ASSIGNMENT NO. A-12-022-00)