According to the Government Accountability Office (GAO), NASA’s projects for Earth, Moon, and solar system exploration are at risk of disruption because their spacecraft and space systems operate in an increasingly complex and threatening cyber environment. The GAO’s recent reports have highlighted several critical vulnerabilities and gaps in NASA’s cybersecurity risk management practices.
Key Findings from the GAO
NASA has implemented the steps outlined by the National Institute of Standards and Technology (NIST) for cybersecurity risk management, but has not performed key activities within each step. Notably, NASA has not conducted an organization-wide risk assessment, which is essential for identifying and mitigating the highest priority cyber threats across the agency. The GAO found that selected systems lack documented, system-level continuous monitoring strategies, mainly due to the absence of clear guidance. This increases the risk of data breaches, delays in threat detection, and slower responses to attacks.
NASA’s current cybersecurity requirements for spacecraft acquisition are guided by optional best practices rather than mandatory standards. This leads to inconsistent implementation of cybersecurity controls and leaves NASA without full assurance that its spacecraft have comprehensive defenses against cyberattacks. The GAO warns that without a comprehensive and consistently applied cybersecurity risk management program, NASA’s space missions—including those to the Moon and beyond—face increased risks of mission disruption, data theft, and even catastrophic failure due to cyberattacks.
Implications and Recommendations
The lack of a robust cybersecurity framework and consistent implementation of controls means that spacecraft could be compromised, leading to loss of mission data, unauthorized access, or even loss of control over critical systems. In response to these findings, there have been legislative proposals, such as the Spacecraft Cybersecurity Act, that would require NASA to incorporate rigorous cybersecurity measures from the design and development phase of all spacecraft.
The GAO has made multiple recommendations, including the need for NASA to develop and approve an organization-wide cybersecurity risk assessment, update its guidance to ensure documented continuous monitoring strategies, and establish a plan with timelines to revise spacecraft acquisition policies to include essential cybersecurity controls. While NASA has agreed with some recommendations, it has resisted setting specific timelines, citing the complexity of space systems and the need for careful consideration.