Following a review of the cybersecurity risk management at the National Aeronautics and Space Administration (NASA), the U.S. Government Accountability Office (GAO) assessed the extent to which NASA implemented cybersecurity risk management for selected major projects. GAO reviewed NASA’s policies and guidance regarding cybersecurity risk management. GAO selected a non-generalizable sample of two major projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps and associated activities. GAO also interviewed project and cybersecurity officials.
NASA fully or partially implemented all steps of its cybersecurity risk management program for the selected systems. A ‘partially implemented’ determination, however, means that NASA did not perform some of the key activities within that step. For example, for the ‘prepare’ step, NASA did not have an approved organization-wide risk assessment, which is essential to identifying and mitigating the highest-priority cyber threats across the enterprise. In the ‘monitor’ step, the selected systems lacked documented system-level continuous monitoring strategies, largely because NASA had issued no guidance on how to develop them.
GAO reviewed NASA’s space development project portfolio, which includes 36 major projects. Over the lifecycle of these projects, NASA plans to invest about US$80 billion in them. The watchdog was tasked with reviewing how NASA manages cybersecurity risks, and this report examines how well NASA has applied cybersecurity risk management across selected major projects.
The latest report is a public version of a sensitive report issued in March 2025. Information that NASA deemed sensitive has been omitted.
Spacecraft and space systems operate in a cyber threat environment with increased risks of attack and mission disruption. To help protect systems at federal agencies such as NASA, the National Institute of Standards and Technology (NIST) developed cybersecurity risk management guidelines, the Risk Management Framework (RMF) described in NIST SP 800-37. The framework consists of seven key risk management steps: prepare, categorize systems, select controls, implement controls, assess control implementation, authorize the system, and continuously monitor security control effectiveness.
GAO noted that without documented continuous monitoring strategies that are fully understood by key cyber personnel, organizations face increased risks of data breaches, delayed detection of threats, and slower responses to attacks.
GAO reported in March 2025 that NASA had not fully implemented its cybersecurity risk management program for the selected projects and associated systems. Specifically, of the seven RMF steps, the ‘implement’ step was fully implemented for all four selected systems, the ‘categorize’ step was fully implemented for three of them, and the remaining steps were only partially implemented. The ‘prepare’ step comprises five key activities carried out at the organization level, and these preparatory tasks underpin all subsequent risk management activities. Of the five, NASA fully implemented three, partially implemented one, and did not implement one.
Developing, implementing, and maintaining a comprehensive cybersecurity risk management program is critical to protecting NASA’s systems and information, detecting suspicious activity, and responding to incidents. Fundamentally, cybersecurity requires understanding the full scope of risks to a system or its data so that those risks can be addressed or accepted.
However, GAO found in its latest report that key NASA systems had not fully implemented selected cybersecurity risk management activities. This leaves the systems exposed to malicious cyber activity and its consequences, such as the loss of mission data. Inaccurate and incomplete information feeding the cybersecurity risk management process also calls into question NASA’s oversight of its risk management activities.
Until the issues with the agency’s risk management process are addressed, NASA cannot be sure that the systems helping to propel men and women to the moon and beyond are adequately protected.
GAO is making 16 recommendations to NASA to ensure that key activities within the risk management steps are being performed. These activities include preparing and approving an organization-wide cybersecurity risk assessment and updating its guidance to help ensure that selected systems have documented continuous monitoring strategies. In its comments on the sensitive version of the report, NASA concurred with seven recommendations, partially concurred with four recommendations, and did not concur with the remaining five recommendations. GAO maintains that all recommendations are warranted.
Last May, the GAO conducted a review of NASA’s cybersecurity practices and identified the need for a plan to update spacecraft acquisition policies and standards. Specifically, the agency was tasked with assessing the cybersecurity requirements outlined in NASA contracts for spacecraft projects.