An audit of the space agency's computer systems found weaknesses in several critical areas, especially in the way NASA implemented access controls like user accounts, passwords and the encryption of sensitive data.
Here's the gist of the GAO audit findings:
[NASA] did not always sufficiently identify and authenticate users, restrict user access to systems, encrypt network services and data, protect network boundaries, audit and monitor computer-related events, and physically protect its information technology resources. In addition, weaknesses existed in other controls to appropriately segregate incompatible duties and manage system configurations and implement patches. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.
Specifically, it has not always fully assessed information security risks; fully developed and documented security policies and procedures; included key information in security plans; conducted comprehensive tests and evaluation of its information system controls; tracked the status of plans to remedy known weaknesses; planned for contingencies and disruptions in service; maintained capabilities to detect, report, and respond to security incidents; and incorporated important security requirements in its contract with the Jet Propulsion Laboratory.
The auditors warned that highly sensitive personal, scientific, and other data were at an "increased risk" of unauthorized use, modification, or disclosure.
The scathing report comes on the heels of hacking incidents that have haunted NASA, an independent government agency that manages aviation and space flight. Between 2007 and 2008, NASA reported 1,120 security incidents that resulted in the installation of malicious software on its systems and unauthorized access to sensitive information.
* Here's the GAO report [PDF]