Despite attempts to establish reviews over IT investments, NASA’s IT governance is falling behind, according to a recent agency inspector general report.

“In the four years since issuance of our IT governance report and the three years since completion of its own internal review, the Office of the Chief Information Officer (OCIO) has made insufficient progress to improve NASA’s IT governance, casting doubt on the office’s ability to effectively oversee the agency’s IT assets,” the report said. “Specifically, the NASA chief information officer continues to have limited visibility into IT investments across the agency and the process NASA developed to correct this shortcoming is flawed.”

NASA has long struggled with evaluations of its IT management, receiving an “F” on its October 2015 and May 2016 Federal Information Technology Acquisition Reform Act (FITARA) scorecards. The agency managed to bring its grade up to a “C-plus” in subsequent years, but still received an F on “agency CIO authority enhancements” on the most recent scorecard.

In 2016, NASA established the Annual Capital Investment Review (ACIR) as a response to FITARA requirements that agency CIOs have direct oversight over their agency’s IT investments. The ACIR would collect data about IT investments for review and approval by a senior IT governance board.

“Despite these efforts, the OCIO’s insight into and control over the bulk of the agency’s nearly $1.4 billion in annual IT funding remains limited, with the Mission Directorates and Centers controlling $739 million (53 percent) and $311 million (22 percent), respectively, in fiscal year 2017,” the report said. “This lack of authority and visibility over the majority of the IT budget limits the agency’s ability to consolidate IT expenditures, realize cost savings, and drive improvements in the delivery of IT services.”

The report also found that the lack of clearly defined roles and responsibilities for IT governance boards and an incomplete reporting structure for security hindered the agency from making any significant improvements to its IT structure.

The agency also suffers from a high turnover of senior IT managers, according to the report.

To improve the OCIO’s oversight of agency IT investments, the report made five recommendations:

  • Make necessary changes to the ACIR process to give the CIO appropriate oversight.
  • Complete the charters for all IT governance boards and educate personnel on their functions.
  • Complete the agency’s Business Services Assessment to define roles and responsibilities of the IT governance structure.
  • Address the dispersed security responsibilities within the agency and empower the Senior Agency Information Security Officer.
  • Create a plan to address IT skill set and capability issues within the agency.

NASA agreed with three of the recommendations and only partially agreed with two. According to the report, NASA’s proposed plan to address one of the partially agreed recommendations is insufficient to resolve the problem, meaning that the agency’s plans can resolve only four of the five problems.

“The Agency partially concurred with recommendations one and four, pointing to its on-going progress in gaining adequate visibility into NASA IT assets through refinements to the ACIR process as well as unifying NASA’s cybersecurity program under the SAISO through implementation of the federally mandated CDM program. With respect to recommendation one, we found the Agency’s corrective actions reflect concurrence and meet the intent of our recommendation,” the report said. “However, we do not find the Agency’s proposed actions to address recommendation four responsive. While the CDM program should improve the Agency’s visibility over network assets and provide greater insight into security vulnerabilities, successful implementation does not address our concerns about the dispersal of IT security responsibilities which results in the lack of authority and marginalization of the SAISO position. Therefore, recommendation four is unresolved pending further discussion with the OCIO.”

Jessie Bur covers federal IT and management.
