[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]



 
                         CYBERSECURITY AT NASA:
                 ONGOING CHALLENGES AND EMERGING ISSUES
                 FOR INCREASED TELEWORK DURING COVID-19

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON SPACE AND AERONAUTICS

                                 OF THE

                      COMMITTEE ON SCIENCE, SPACE,
                             AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 18, 2020

                               __________

                           Serial No. 116-81

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 
 
 


       Available via the World Wide Web: http://science.house.gov
       
       
       
                            ______                       


             U.S. GOVERNMENT PUBLISHING OFFICE 
 41-348 PDF           WASHINGTON : 2021 
        
       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

             HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman
ZOE LOFGREN, California              FRANK D. LUCAS, Oklahoma, 
DANIEL LIPINSKI, Illinois                Ranking Member
SUZANNE BONAMICI, Oregon             MO BROOKS, Alabama
AMI BERA, California,                BILL POSEY, Florida
    Vice Chair                       RANDY WEBER, Texas
LIZZIE FLETCHER, Texas               BRIAN BABIN, Texas
HALEY STEVENS, Michigan              ANDY BIGGS, Arizona
KENDRA HORN, Oklahoma                ROGER MARSHALL, Kansas
MIKIE SHERRILL, New Jersey           RALPH NORMAN, South Carolina
BRAD SHERMAN, California             MICHAEL CLOUD, Texas
STEVE COHEN, Tennessee               TROY BALDERSON, Ohio
JERRY McNERNEY, California           PETE OLSON, Texas
ED PERLMUTTER, Colorado              ANTHONY GONZALEZ, Ohio
PAUL TONKO, New York                 MICHAEL WALTZ, Florida
BILL FOSTER, Illinois                JIM BAIRD, Indiana
DON BEYER, Virginia                  FRANCIS ROONEY, Florida
CHARLIE CRIST, Florida               GREGORY F. MURPHY, North Carolina
SEAN CASTEN, Illinois                MIKE GARCIA, California
BEN McADAMS, Utah                    THOMAS P. TIFFANY, Wisconsin
JENNIFER WEXTON, Virginia
CONOR LAMB, Pennsylvania
                                 ------                                

                 Subcommittee on Space and Aeronautics

                 HON. KENDRA HORN, Oklahoma, Chairwoman
ZOE LOFGREN, California              BRIAN BABIN, Texas, Ranking Member
AMI BERA, California                 MO BROOKS, Alabama
ED PERLMUTTER, Colorado              BILL POSEY, Florida
DON BEYER, Virginia                  MICHAEL WALTZ, Florida
CHARLIE CRIST, Florida               MIKE GARCIA, California
JENNIFER WEXTON, Virginia

                         C  O  N  T  E  N  T  S

                           September 18, 2020

Hearing Charter

                           Opening Statements

Statement by Representative Kendra Horn, Chairwoman, Subcommittee 
  on Space and Aeronautics, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Brian Babin, Ranking Member, 
  Subcommittee on Space and Aeronautics, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

Written statement by Representative Eddie Bernice Johnson, 
  Chairwoman, Committee on Science, Space, and Technology, U.S. 
  House of Representatives

                               Witnesses:

Mr. Jeff Seaton, Chief Information Officer (Acting), National 
  Aeronautics and Space Administration
    Oral Statement
    Written Statement

The Honorable Paul K. Martin, Inspector General, National 
  Aeronautics and Space Administration
    Oral Statement
    Written Statement

Dr. Diana L. Burley, Ph.D., Vice Provost for Research, American 
  University
    Oral Statement
    Written Statement

Discussion

              Appendix: Answers to Post-Hearing Questions

Mr. Jeff Seaton, Chief Information Officer (Acting), National 
  Aeronautics and Space Administration

The Honorable Paul K. Martin, Inspector General, National 
  Aeronautics and Space Administration

Dr. Diana L. Burley, Ph.D., Vice Provost for Research, American 
  University


                     CYBERSECURITY AT NASA: ONGOING

                   CHALLENGES AND EMERGING ISSUES FOR

                   INCREASED TELEWORK DURING COVID-19

                              ----------                              


                       FRIDAY, SEPTEMBER 18, 2020

                  House of Representatives,
             Subcommittee on Space and Aeronautics,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

     The Subcommittee met, pursuant to notice, at 11:01 a.m., 
via Webex, Hon. Kendra Horn [Chairwoman of the Subcommittee] 
presiding.


     Chairwoman Horn. Good morning, everyone. I'd like to 
welcome our distinguished panel of witnesses, Members, and 
those viewing remotely, to today's Space and Aeronautics 
Subcommittee hearing on ``Cybersecurity at NASA: Ongoing 
Challenges and Emerging Issues for Increased Telework During 
COVID-19''.
     In early 2020 the world was caught off guard with the 
rapid and dramatic onset of the coronavirus. NASA (National 
Aeronautics and Space Administration), like many Federal 
agencies, and consistent with the Office of Management and 
Budget (OMB) Guidance, rapidly shifted to telework operations 
to ensure the health and safety of its more than 17,000 civil 
servant employees and extensive contractor workforce. To its 
credit, NASA prepared for the transition, having held an 
agency-wide telework exercise in early March to test expanded 
telework operations, and today 75 to 80 percent of NASA civil 
servants continue to work remotely, handling proposal reviews, 
project oversight and inspections, development work, 
engineering analysis, and other activities.
     The shift to increased telework at NASA raises many 
questions, front and center, cybersecurity. What does the 
increase and extended use of telework mean for protecting 
NASA's intellectual property, personally identifiable 
information (PII), and mission operations? How do the cyber 
challenges related to increased telework affect the agency's 
overall cybersecurity risk posture, and what steps is NASA 
taking to ensure the effectiveness of its cybersecurity efforts 
during the pandemic and beyond? These are some of the questions 
today's hearing will explore, because what's clear is that NASA 
is a target. And I want to pause here for a moment to note an 
article in The Hill today where the Justice Department has 
brought charges against Iranian nationals for hacking U.S. 
satellite companies, so I think this is incredibly timely. And 
a recent NASA IG (Inspector General) report stated that, given 
NASA's mission, and valuable technical and intellectual capital 
it produces, the information maintained within the agency's IT 
(information technology) infrastructure presents a high value 
target for hackers and criminals.
     In 2019 NASA Administrator Jim Bridenstine stated at an 
agency town hall that NASA is the most attacked agency in the 
Federal Government when it comes to cybersecurity. Past data 
breaches and system intrusions at NASA and its facilities have 
resulted in large amounts of stolen data, installation of 
malware, copying, modifying, and deleting sensitive files, and 
accessing NASA servers, including those supporting missions. 
The Department of Homeland Security's (DHS's) Cybersecurity 
Infrastructure Security Agency, which is a mouthful, of 
course--but a very important agency has issued specific alerts 
on vulnerabilities related to telework during the pandemic, and 
encourages organizations to adopt a heightened state of 
cybersecurity.
     In April 2020 the agency's then Chief Information Officer 
(CIO) notified employees of increased hacking attempts on the 
agency's systems, and in June 2020 media articles reported that 
malicious actors congratulated NASA and SpaceX on a crewed 
demonstration flight, and then announced they had allegedly 
breached and infected a NASA contractor, specifically one that 
provides information technology cyber securities--and 
cybersecurity services to the agency. If true, that's a 
concerning report, and part of the reason we're here today. 
Protecting NASA's IT and data during the pandemic demands 
vigilance, however, NASA's cybersecurity challenges don't begin 
and end with the COVID-19 crisis. Multiple NASA IG and GAO 
(Government Accountability Office) reports have identified 
weaknesses and ongoing concerns with NASA's information 
security. Further, they've ranked this issue as a top agency 
challenge. Ensuring effective cybersecurity at NASA becomes 
even more pressing given rapid advances in IT, supply chain 
risks, NASA's culture of openness and partnerships, and the 
overall increase in space activities.
     NASA is a national treasure. Its missions continue to 
inspire both young and old, and NASA's cutting edge space 
technologies, research, and space flight experience are the 
envy of the world. NASA's accomplishments wouldn't be possible 
without computers, software, and information systems. Will 
NASA, or any organization, ever be 100 percent risk free from 
cyber threats? Probably not. Is there room for improvement? 
Absolutely there is. I hope that today's hearing will give an 
understanding of the challenges and risks posed by increased 
telework, and whether or not NASA is organized and resourced 
sufficiently and effectively to mitigate those risks. The 
bottom line is we need to ensure that NASA has the tools that 
it needs, and takes the necessary actions to ensure the 
agency's success, safety, and security during COVID-19 and 
beyond, and I look forward to our witnesses' testimony today.
     [The prepared statement of Chairwoman Horn follows:]

    Good morning. I'd like to welcome our distinguished panel 
of witnesses, Members, and those viewing remotely, to today's 
Space and Aeronautics Subcommittee hearing on ``Cybersecurity 
at NASA: Ongoing Challenges and Emerging Issues for Increased 
Telework During COVID-19''.
    In early 2020, the world was caught off guard with the 
rapid and dramatic onset of the coronavirus. NASA, like many 
Federal agencies, and consistent with Office of Management and 
Budget guidance, rapidly shifted to telework operations to 
ensure the health and safety of its more than 17,000 civil 
servant employees and extensive contractor workforce.
    To its credit, NASA prepared for the transition, having 
held an agency-wide telework exercise in early March to test 
expanded telework operations. Today, 75 to 80 percent of NASA 
civil servants continue to work remotely handling proposal 
reviews, project oversight and inspections, development work, 
engineering analysis, and other activities.
    The shift to increased telework at NASA raises many 
questions. Front and center is cybersecurity.
     What does the increase and extended use of 
telework mean for protecting NASA's intellectual property, 
personally identifiable information, and mission operations?
     How do the cyber challenges related to increased 
telework affect the agency's overall cybersecurity risk 
posture?
     And what steps is NASA taking to ensure the 
effectiveness of its cybersecurity efforts during the pandemic 
and beyond?
    These are some of the questions today's hearing will 
explore, because what's clear is that NASA is a target.
    A recent NASA IG report stated, ``Given NASA's mission and 
the valuable technical and intellectual capital it produces, 
the information maintained within the Agency's IT 
infrastructure presents a high-value target for hackers and 
criminals.''
    In early 2019, NASA Administrator Jim Bridenstine stated at 
an agency town hall that ``NASA is one of the--it is the most 
attacked agency in the Federal government when it comes to 
cybersecurity.'' Past data breaches and system intrusions at 
NASA and its facilities have resulted in large amounts of 
stolen data; installation of malware; copying, modifying, and 
deleting sensitive files; and accessing NASA servers, including 
those supporting missions.
    The Department of Homeland Security's Cybersecurity and 
Infrastructure Security Agency--CISA--has issued specific 
alerts on vulnerabilities related to telework during the 
pandemic and encourages organizations ``to adopt a heightened 
state of cybersecurity.''
    In April 2020, the agency's then-chief information officer 
notified employees of increased hacking attempts on the 
agency's systems. And in June 2020, media articles reported 
that malicious actors congratulated NASA and SpaceX on a crewed 
demonstration flight, and then announced they had allegedly 
breached and infected a NASA contractor, specifically one that 
provides information technology and cybersecurity services to 
the agency. If true, that's a concerning report, and part of 
the reason we're here today.
    Protecting NASA's IT and data during the pandemic demands 
vigilance. However, NASA's cybersecurity challenges don't begin 
and end with the COVID crisis. Multiple NASA IG and GAO reports 
have identified weaknesses and ongoing concerns with NASA's 
information security; further, they have ranked the issue as a 
top agency challenge.
    Ensuring effective cybersecurity at NASA becomes even more 
pressing, given rapid advances in IT, supply chain risks, 
NASA's culture of openness and partnerships, and the overall 
increase in space activities.
    NASA is a national treasure. Its missions continue to 
inspire both young and old and NASA's cutting-edge space 
technologies, research, and spaceflight experience are the envy 
of the world. NASA's accomplishments wouldn't be possible 
without computers, software, and information systems.
    Will NASA or any organization ever be 100 percent risk-free 
from cyber threats? Probably not. Is there room for 
improvement? Most definitely, yes.
    I hope today's hearing will give us an understanding of the 
challenges and risks posed by increased telework, and whether 
or not NASA is organized and resourced to effectively mitigate 
those risks. Bottom line: we need to ensure that NASA has the 
tools and takes the necessary actions to ensure the agency's 
success, safety, and security, during COVID, and beyond.
    I look forward to our witnesses' testimony.

     Chairwoman Horn. So I think we are--there he is----
     Mr. Babin. Hey, Chairman.
     Chairwoman Horn. Ranking Member Babin, I'm glad you were 
able--I know that technology can sometimes, speaking of 
technology, be a little bit of a challenge, but glad you made 
it through. So the Chair now recognizes Ranking Member Babin, 
and my good friend from Texas, for an opening statement.
     Mr. Babin. Absolutely, thank you. We have three computers 
here. We couldn't get on, but I got on with my telephone, any 
way we can do it, I'm glad to be with you.
     Chairwoman Horn. And--innovation and ingenuity, I love it.
     Mr. Babin. Absolutely. OK. Well, thank you so much. NASA 
is one of the best-known organizations in the entire world. Its 
successes with the Mercury, Gemini, Apollo, Shuttle, and 
International Space Station programs, along with its 
breathtaking scientific discoveries and jaw-dropping robotic 
probes attract worldwide attention. Unfortunately, that 
attention comes with many challenges. The technologies that 
NASA develops are also sought after by criminal entities, 
unscrupulous foreign governments, and destructive vandals. 
Because many of these technologies have both civil and military 
applications, these challenges are particularly great, and this 
is a topic that this Committee has focused on for decades.
     Mr. Martin testified before the Investigations and 
Oversight Subcommittee almost 10 years ago on the topic of 
information security. At that hearing he testified that an 
unencrypted laptop was stolen from NASA that resulted in the 
loss of the ``algorithms'' used to control the Space Station, 
as well as personally identifiable information, and 
intellectual property. Similarly, the U.S.-China Economic and 
Security Review Commission noted, in its 2011 report to 
Congress, that the Terra and Landsat 7 satellites experienced 
at least two separate instances of interference apparently 
consistent with cyber activities against their command and 
control systems.
     More recently the NASA IG issued its yearly FISMA (Federal 
Information Security Management Act) report in July, which 
found that ``Information systems throughout the agency face an 
unnecessarily high level of risk that threatens the 
confidentiality, the integrity, and availability of NASA's 
information.'' The report concluded that, ``It is imperative 
the agency continue its efforts to strengthen its risk 
management and governance practices to safeguard its data from 
cybersecurity threats.'' And last month the IG issued another 
report on NASA's use of non-agency IT devices and found that 
NASA, ``is not adequately securing its networks from 
unauthorized access by IT devices.'' The NASA IG is currently 
tracking 25 open recommendations for the Office of the Chief 
Information Officer. These do not include IT and cybersecurity 
recommendations to mission directorates or other organizations 
in the NASA enterprise.
     And while this may seem startling, there are specific 
reasons that many of the recommendations remain open. For 
instance, agency-wide guidelines and best practices are often 
general rules and principles that are not optimized to specific 
agencies' unique capabilities, expertise, and challenges. For 
instance, NASA is the world leader in designing, building, 
operating, and communicating with spacecraft. This expertise 
resides within the mission directorates, and at the centers who 
have cultivated this expertise over many decades. In some 
instances they actually developed the software, information 
systems, and underlying technologies that industry and the rest 
of the government adopted and embraced. In even more extreme 
circumstances, they continue to use one-off operating systems 
that, while perhaps not compliant with OMB derived 
governmentwide guidance, are arguably more secure because of 
their uniqueness and their obscurity. Efforts to bring these 
systems and technologies into compliance with a one-size-fits-
all cookie cutter approach developed for commercial enterprise 
systems could actually introduce more risk into the system. 
This isn't to excuse NASA's cybersecurity shortcomings, as 
identified by the IG and GAO over the years. Lost laptops, 
unsecured devices, unauthorized access to systems, and lapsed 
ATOs, or authorization to operate, and poor inventory 
management are all cause for concern. Which brings us to the 
situation that NASA currently faces.
     The COVID-19 challenge requires most of NASA's employees 
and contractors to work remotely. And while NASA has embraced 
teleworking for years, the expansion of this practice 
introduces a larger target and more vulnerabilities for 
malicious actors to exploit. In addition to teleworking 
challenges, I'm also interested in understanding what level of 
insight that NASA has on contractor cybersecurity as NASA moves 
more to public-private partnerships. And finally, it's worth 
noting that President Trump recently issued Space Policy 
Directive Number Five, focused on cybersecurity principles for 
space systems. And while it is not COVID-focused specifically, 
it is particularly timely, given today's hearing and 
demonstration of the administration's forward-looking 
leadership on this very topic.
     I look forward to hearing more about these important 
issues, and what NASA plans to do to mitigate them, as well as 
what Congress and the administration can do to help. So, with 
that, Madam Chair, I yield back.
     [The prepared statement of Mr. Babin follows:]

    NASA is one of the best-known organizations in the world. 
Its successes with the Mercury, Gemini, Apollo, Shuttle, and 
International Space Station programs--along with its 
breathtaking scientific discoveries and jaw-dropping robotic 
probes--attract worldwide attention. Unfortunately, that 
attention comes with challenges. The technologies that NASA 
develops are also sought-after by criminal entities, 
unscrupulous foreign governments, and destructive vandals. 
Because many of these technologies have both civil and military 
applications, these challenges are particularly grave.
    This is a topic that this Committee has focused on for 
decades. One of our witnesses, NASA Inspector General Martin, 
testified before the Investigations and Oversight Subcommittee 
almost ten years ago on information security. At that hearing, 
he testified that an unencrypted laptop was stolen from NASA 
that ``resulted in the loss of the algorithms'' used to control 
the space station, as well as personally identifiable 
information and intellectual property.
    Similarly, the U.S.-China Economic and Security Review 
Commission noted in its 2011 report to Congress that the Terra 
and Landsat-7 satellites ``experienced at least two separate 
instances of interference apparently consistent with cyber 
activities against their command and control systems.'' More 
recently, the NASA Office of the Inspector General issued its 
yearly FISMA report in July, which found that ``. . . 
information systems throughout the Agency face an unnecessarily 
high level of risk that threatens the confidentiality, 
integrity, and availability of NASA's information.'' The report 
concluded that ``. . . it is imperative the Agency continue its 
efforts to strengthen its risk management and governance 
practices to safeguard its data from cybersecurity threats.'' 
And last month, the NASA Office of the Inspector General issued 
another report on NASA's use of non-agency IT Devices that 
found that ``NASA is not adequately securing its networks from 
unauthorized access by IT devices.'' The NASA Inspector General 
is currently tracking 25 open recommendations for the Office of 
the Chief Information Officer. These do not include IT and 
cybersecurity recommendations to Mission Directorates or other 
organizations in the NASA enterprise.
    While this may seem startling, there are specific reasons 
that many of the recommendations remain open. For instance, 
agency-wide guidelines and best practices are often general 
rules and principles that are not optimized to specific 
agencies' unique capabilities, expertise, and challenges. For 
example, NASA is the world leader in designing, building, 
operating, and communicating with spacecraft. This expertise 
resides within the Mission Directorates and at the Centers who 
have cultivated this skillset over decades. In some instances, 
they actually developed the software, information systems, and 
underlying technologies that industry and the rest of the 
government adopted and embraced.
    In even more extreme circumstances, they continue to use 
one-off operating systems that, while perhaps not compliant 
with OMB-derived government-wide guidance, are arguably more 
secure because of their uniqueness and obscurity. Efforts to 
bring these systems and technologies into compliance with one-
size-fits-all, cookie-cutter approaches developed for 
commercial and enterprise systems could actually introduce more 
risk. This isn't to excuse NASA's cybersecurity shortcomings as 
identified by the IG and GAO over the years. Lost laptops, 
unsecured devices, unauthorized access to systems, and lapsed 
ATOs (or ``Authorization to Operate''), and poor inventory 
management are all cause for concern.
    Which brings us to the situation NASA currently faces. The 
COVID-19 challenge requires most of NASA's employees and 
contractors to work remotely. While NASA has embraced 
teleworking for years, the expansion of this practice 
introduces a larger target and more vulnerabilities for 
malicious actors to exploit.
    In addition to teleworking challenges, I am also interested 
in understanding what level of insight NASA has on contractor 
cybersecurity as NASA moves more to public-private 
partnerships. Finally, it's worth noting that President Trump 
recently issued Space Policy Directive 5 focused on 
cybersecurity principles for space systems. While it is not 
focused on COVID specifically, it is particularly timely given 
today's hearing and demonstrates the Administration's forward-
looking leadership on the topic.
    I look forward to hearing more about these critical issues, 
what NASA plans to do to mitigate them, as well as what 
Congress and the Administration can do to help.
    Thank you, I yield back.

     Chairwoman Horn. Thank you, Ranking Member Babin, for your 
opening statement. I think it's safe to say we share many of 
the same concerns in this area, and I'm excited and grateful 
for the opportunity for this hearing today. If there are any 
Members who wish to--at this point, if there are any Members 
who wish to submit additional opening statements, your 
statements will be added to the record at this point.
    [The prepared statement of Chairwoman Johnson follows:]

    Good morning Chairwoman Horn, Ranking Member Babin, and 
Members of the Subcommittee. To our witnesses, welcome and 
thank you for being here.
    As we ushered in 2020 and a new decade, none of us could 
have predicted that we'd be here today, six months into a new 
way of living and working in order to protect our own and 
others' health from COVID-19.
    Thanks to the internet, information technology, and 
communication services, many Americans can continue to interact 
with family and friends--albeit virtually--and work remotely. 
That includes NASA's workforce.
    To its credit, NASA is accomplishing a lot in this virtual, 
telework environment, though some mission-essential employees 
are still working on-site.
     NASA and its partner, SpaceX, successfully carried 
out a commercial crew demonstration mission to the 
International Space Station;
     the Orion program completed key reviews to certify 
that the crew vehicle is ready for flight;
     engineers are operating some science spacecraft 
from their homes; and
     the OSIRIS-REx team successfully completed a final 
dress rehearsal in advance of collecting samples from asteroid 
Bennu next month.
    I'm pleased that NASA's can-do spirit is prevailing, 
despite the challenges of this pandemic. But with so many 
important NASA operations being carried out away from the 
institutional security of NASA facilities, I'm concerned about 
cybersecurity.
    Space is hard and risky, and NASA has exceptional skills at 
managing risk. When it comes to cybersecurity and information 
technology management, however, NASA struggles.
    The agency continues to lack a cybersecurity risk 
management strategy, as recommended by GAO, and both GAO and 
the NASA Inspector General have cited information security as a 
top challenge for NASA.
    Unfortunately, NASA's lagging performance on cybersecurity 
isn't new, it's a continuing problem. For many years, NASA IG 
and GAO reports have identified deficiencies and management 
challenges in NASA's information security.
    And now, with COVID, NASA--like other organizations--must 
protect against cyber criminals and malicious actors who are 
increasing their efforts to access government, business, and 
personal data and IT systems while employees work from home.
    I have no doubt that NASA officials are working hard to 
keep the agency's IT systems and data safe, and I understand 
they are making some progress.
    However, long-standing, recommended actions to improve 
NASA's cybersecurity have been left undone. In addition, the 
agency's approach to IT security is fragmented and the Chief 
Information Officer continues to lack the ability to manage 
NASA's cybersecurity efforts across the agency. NASA can and 
must do better.
    In closing, NASA is a catalyst for inspiration, an engine 
of discovery and innovation, and a world leader in the peaceful 
uses and exploration of outer space.
    We can't afford to let bad actors and cyber criminals 
threaten the safety and success of NASA's science, aeronautics 
research, space technology, and human spaceflight programs.
    I look forward to hearing from our witnesses on what is 
needed to ensure that robust and effective cybersecurity 
protections are in place at NASA now, during COVID-19, and into 
the future.
    Thank you, and I yield back.

     Chairwoman Horn. And now I'd like to introduce our 
witnesses. Our first witness today is Mr. Jeff Seaton. In April 
2020 Mr. Seaton was named NASA's Chief--Acting Chief 
Information Officer--Acting Chief Information Officer, let's 
see if I can get that out right. Prior to his current position, 
Mr. Seaton served as NASA's Deputy Chief Information Officer, 
and spent 7 years as the Chief Information Officer at NASA's 
Langley Research Center. He began his career with NASA in 1991 
as a research engineer, designing robotic systems for space-
based applications, and also served as Langley's Chief 
Technology Officer and Deputy CIO. Mr. Seaton received a 
Bachelor's Degree and Master's Degree in Electrical Engineering 
from Virginia Tech. Welcome, Mr. Seaton. We're glad you're with 
us today.
     Our next witness is Mr. Paul Martin, Inspector General for 
the National Aeronautics and Space Administration. Mr. Martin 
has been the NASA Inspector General since 2009, and prior to 
his appointment at NASA, he served as the Deputy Inspector 
General at the Department of Justice. He also spent 13 years at 
the U.S. Sentencing Commission, including 6 years as the 
commission's deputy staff director. Mr. Martin received a 
Bachelor's Degree in Journalism from Pennsylvania State 
University, and a Juris Doctorate from Georgetown University 
Law Center. Welcome, Mr. Martin.
     Our third and final witness today is Dr. Diana Burley. In 
July 2020 Dr. Burley was appointed as Vice Provost for Research 
and Professor of Public Administration at American University. 
Prior to her current position, Dr. Burley spent 13 years as a 
professor of human and organizational learning at George 
Washington University, where she was the inaugural Chair for 
the Human and Organizational Learning Department, and the 
Director of Executive Leadership doctoral program. She has also 
managed a multi-million-dollar computer science education and 
resource portfolio for the National Science Foundation. Dr. 
Burley received a Bachelor's Degree in Economics from The 
Catholic University of America, a Master's in Public Management 
and Policy from Carnegie Mellon University, and Master's and 
Doctoral Degrees in Organizational Science and Information 
Policy, also from Carnegie Mellon University. Welcome, Dr. 
Burley.
     As our witnesses, you should know you each have 5 
minutes for your spoken testimony. Your written testimony will 
be included in the record for this hearing. When you have 
completed your spoken testimony, we will begin with questions, 
and each Member will have 5 minutes to question the panel. 
We'll start today with Mr. Seaton. Mr. Seaton, you're 
recognized for 5 minutes.

                 TESTIMONY OF MR. JEFF SEATON,

              CHIEF INFORMATION OFFICER (ACTING),

         NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

     Mr. Seaton. Thank you, Chairwoman Horn, Ranking Member 
Babin, and Members of the Subcommittee on Space and 
Aeronautics, for allowing me to appear before you today and 
talk about NASA's information technology infrastructure, and 
our efforts to manage and protect that infrastructure during 
the COVID-19 pandemic. Thankfully, due to strategic investments 
made over the last several years, NASA was well positioned to 
keep our missions moving forward by shifting the majority of 
our workforce to telework last March. As a result, NASA has 
never been closed, and our workforce has continued to work 
remotely in a productive, and often creative, manner, despite 
the highly contagious COVID-19 virus. With strict safety 
protocols in place, NASA is now gradually allowing more 
employees onsite, based on factors such as local conditions, 
and guidance from the CDC (Centers for Disease Control) and 
other Federal partners. Let me assure you, the safety of our 
workforce remains our top priority. At the same time, 
protecting and effectively operating our IT infrastructure 
continues to be another top, massive focus.
     IT plays a critical role in every aspect of NASA's 
missions. However, effective IT management is not an easy task. 
As NASA's Acting Chief Information Officer, it's my job to 
balance implementing innovative, mission-enabling IT 
capabilities with operational efficiency and effective 
cybersecurity to guard against evolving threats. During the 
pandemic the demands and expectations placed on NASA's IT 
infrastructure have been incredibly high, and the threats from 
external actors remain an ongoing concern. However, with hard 
work, dedication, and innovation, NASA's CIO team has risen to 
the challenge of keeping our missions moving forward. For 
example, OCIO (Office of the Chief Information Officer) helped 
rapidly develop software to track cases of onsite COVID-19 
exposures, while also meeting all security and privacy 
requirements. Additionally, with OCIO's help, NASA continues to 
hire and onboard new employees, contractors, and interns with 
innovative approaches to provisioning and maintaining IT 
systems and tools remotely.
     For NASA employees the pandemic has dramatically changed 
the way that we work. While many employees already teleworked 
at least occasionally before the pandemic, having 90 percent of 
employees teleworking at the same time has been game changing. 
NASA employees have significantly increased their use of 
virtual collaboration tools, such as Webex and Microsoft Teams, 
so we can interact with each other face to face while sharing 
virtual collaborative workspaces. Employees are dependent on 
NASA's virtual private network (VPN) to connect securely to 
internal networks and systems. Before the pandemic, our highest 
VPN connection rate was about 12,000 users in a single day. 
Today our VPN is supporting almost 40,000 daily users, with an 
availability exceeding 99 percent, thanks to architectural and 
capacity improvements implemented over the past 24 months.
     Like other Federal agencies, NASA's IT infrastructure is 
under constant attack from well-resourced and highly motivated 
domestic and foreign adversaries, and we remain a popular 
target today. Therefore, we continue to strengthen our 
technical and procedural capabilities to proactively defend and 
protect our systems and data. While the reported number of 
attempted cyber incidents continues to increase partly because 
we have greater visibility into our network today, I'm 
confident that NASA is appropriately addressing and 
strengthening our response to these threats.
     In Fiscal Year 2020 NASA developed a continuity of 
operations capability to further enhance our security 
operations center (SOC), located at the Ames Research Center. 
Previously, if SOC operations were disrupted, we had a limited 
ability to identify, detect, and respond to incidents. Today 
NASA SOC operations span multiple centers, allowing us to 
maintain 24 by 7 SOC operations at all times, even if there is 
an isolated disruption. With strengthened tools and 
capabilities, NASA is transitioning from a largely reactive to 
a more proactive cybersecurity posture. As the pandemic 
worsened in April, NASA even moved the SOC to remote operations 
to ensure employee safety, and we did so without negatively 
impacting our network or our cybersecurity capabilities.
     In closing, I want to personally thank not only my OCIO 
staff and leadership, but the entire NASA workforce for their 
hard work, and the personal sacrifices they've made during this 
challenging time. Our employees are finding new ways to keep 
missions moving forward, support each other, balance work and 
family pressures, and even dedicate their expertise and 
personal time to developing technologies that are aiding in the 
national response to the coronavirus. While no one is sure what 
the future holds, NASA's senior leaders, including myself, are 
committed to keeping the NASA workforce safe, and providing 
them with the IT tools and infrastructure they need to continue 
executing our missions. I want to assure you that protecting 
and evolving NASA's IT infrastructure is, and will remain, a 
top agency priority. Thank you for the opportunity to testify 
before you today, and I look forward to answering any of your 
questions. Thank you.
     [The prepared statement of Mr. Seaton follows:]
     
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     
       
     Chairwoman Horn. Thank you very much, Mr. Seaton. Mr. 
Martin, recognized--you are now recognized for your testimony.

           TESTIMONY OF THE HONORABLE PAUL K. MARTIN,

            INSPECTOR GENERAL, NATIONAL AERONAUTICS

                    AND SPACE ADMINISTRATION

     Mr. Martin. Thank you, Chairwoman Horn, Ranking Member 
Babin, and Members of the Subcommittee. The NASA Office of 
Inspector General has conducted a significant amount of 
oversight work to help NASA improve its information technology 
governance, while securing its networks and data from cyber 
attacks. Over the past 5 years we issued 16 audit reports, with 
72 recommendations related to IT governance and security. 
During this same period we've conducted more than 120 
investigations involving intrusions, denial of service attacks, 
and data breaches on NASA networks, several of which have 
resulted in criminal convictions. My testimony today is 
informed by this body of audit and investigative work.
     The soundness and security of its data and IT systems is 
central to NASA's success. The agency spends more than $2.2 
billion a year on a portfolio of IT assets that include 
hundreds of information systems used to control spacecraft, 
collect and process scientific data, and enable NASA personnel 
to collaborate with colleagues around the world. Given the 
valuable technical and intellectual capital NASA produces, its 
IT systems present a high value target for cyber criminals. The 
past 6 months in particular has tested the agency, as more than 
90 percent of NASA's workforce moved from onsite to remote work 
due to the pandemic. During this period, NASA has experienced 
an uptick in cyber threats, with phishing attempts doubling, 
and malware attacks rising substantially. This morning I offer 
three observations about the state of NASA's IT security and 
governance to provide context for the scope of its challenges.
     First, our concerns with NASA's IT governance security are 
wide-ranging and longstanding. For more than 2 decades NASA has 
struggled to implement an effective IT governance structure that 
aligns authority and responsibility commensurate with the 
agency's overall mission. Specifically, the agency's CIO has 
limited oversight and influence over IT purchases and security 
decisions within mission directorates and at NASA centers. This 
de-centralized nature of NASA's operations, coupled with its 
historic culture of autonomy, have hindered the CIO's ability 
to implement effective enterprise-wide IT governance. Moreover, 
NASA's connectivity with educational institutions, and other 
outside organizations, and its vast online presence of 3,000 
web domains, and more than 42,000 publicly accessible data 
sets, offer cyber criminals a larger target than most other 
government agencies.
     Second, despite positive forward momentum, the agency's IT 
practices continue to fall short of Federal requirements. For 
example, in 2019, for the fourth year in a row, NASA 
performance during our annual FISMA review remained at level 
two out of five, meaning the agency has issued, but has not 
consistently implemented, important policies and procedures 
defining its IT security program. And third, like many other 
public and private organizations, NASA struggles to find the 
right balance between user flexibility and system security. For 
example, for years NASA permitted personally owned and partner 
owned mobile IT devices to access non-public data, even if 
those devices did not have a valid authorization. Today NASA 
employees and partners can use non-agency mobile devices to 
access e-mail if the user installs security software known as 
mobile device management.
     However, an OIG (Office of Inspector General) audit last 
month found that NASA was not adequately securing its e-mail 
networks from unauthorized access by these personally owned 
devices. Although NASA has deployed technologies to monitor 
unauthorized connections, it has not fully implemented controls 
to remove or block those devices. Moreover, the agency's 
December 2019 target for installing these controls was delayed 
due to technological issues and pandemic-related center 
closures. Until these enforcement controls are fully 
implemented, NASA faces an elevated risk of a breach.
     Finally, as part of its MAP (Mission Support Future 
Architecture Program) initiative, NASA plans to centralize and 
consolidate IT capabilities. The CIO's office expects to 
complete its MAP assessment by March 2021, with implementation 
on its institutional systems beginning later that year. As MAP 
unfolds, we plan to assess whether this enterprise-level 
alignment has strengthened cybersecurity at NASA. I look 
forward to your questions.
     [The prepared statement of Mr. Martin follows:]
     
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     
        
     Chairwoman Horn. Thank you, Mr. Martin. Dr. Burley, you're 
recognized for your testimony.

            TESTIMONY OF DR. DIANA L. BURLEY, PH.D.,

         VICE PROVOST FOR RESEARCH, AMERICAN UNIVERSITY

     Dr. Burley. Thank you. Subcommittee Chairwoman Horn, 
Ranking Member Babin, and distinguished Members of the 
Committee, thank you for the opportunity to appear before you 
today. As the Nation continues to navigate the complex and 
uncertain environment of the global pandemic, it is vital that 
we engage in a robust discussion on the cybersecurity related 
challenges and emerging issues for increased telework during 
this time. At American University we are guided by our 
strategic plan, Changemakers for a Changing World. AU empowers 
graduates to navigate, shape, and lead the future of work, and 
AU researchers are pushing the boundaries of discovery in 
healthcare, data science, social equity, and security. In my 
remarks today, which are shaped by a decades-long career 
leading cybersecurity initiatives, I will highlight how the 
interplay of these areas supports the development of a holistic 
strategy to address cybersecurity issues surrounding the 
exponential growth in telework during this unprecedented time.
     Concerns over exposure to COVID-19 have accelerated a mass 
migration to virtual settings. While teleworking arrangements 
have existed for years, never before had we seen the range and 
volume of remote workers or remote working environments. 
Employees across the spectrum of demographic categories and 
technical abilities are now working remotely, and engaging with 
their employers, colleagues, and customers through a digital 
interface, and on a range of devices. Securing this activity 
necessitates that we recognize both the technical needs and the 
environmental factors that shape that behavior. Consider the 
following. Novice users and novice experiences create 
vulnerabilities. In the hurried transition to remote work, 
agencies did not have sufficient time to prepare novice users 
for the complexity of their newly virtual working environments.
     Where overall security is more reliant upon individual 
decisions made by employees and non-employees alike, even 
seasoned users who have developed behaviors in accordance with 
onsite protections face new challenges, and can find themselves 
less prepared to avoid the vulnerabilities exposed by the 
remote working environments. Employees are working under 
duress. COVID-19 continues to drive economic instability, 
health-related concerns, anxiety, and confusion. Employees are 
worried about meeting their basic needs, and are less likely to 
attend to seemingly lower priorities like cybersecurity. Cyber 
criminals exploit targets of opportunity. The shift in activity 
provides a larger attack surface, and leads to more 
opportunities for cyber criminals to use social engineering 
techniques such as fraud, misdirection, and disinformation to 
exploit those vulnerabilities.
     Users bring their entire selves online. If we use the 
public health analogy of treating the whole patient, we can 
strengthen the efficacy of guidance to engage in robust cyber 
hygiene activities. In public health practice, successful 
treatment is inextricably linked to the social and 
environmental conditions of its patients. Today, in the midst 
of the COVID-19 pandemic, we must recognize that while basic 
cyber hygiene practice is relatively doable under normal 
circumstances, these are not normal times. Our workers are 
distracted, frightened, and fatigued. This is especially true 
for the most vulnerable users. As such, strategies to 
strengthen the cybersecurity of teleworkers must consider the 
full spectrum of user experiences and address the complex 
realities of their needs.
     The points I have just outlined represent only a snapshot 
of the benefit of using a holistic approach to reduce the 
impact of cybersecurity related vulnerabilities. I have long 
advocated for this type of approach. Now, and with a greater 
sense of urgency, we must collaboratively develop interventions 
that address the dynamic interplay between technical and 
environmental variables that shape the cybersecurity posture 
across the broad range of teleworkers as they navigate the 
COVID-19 environment. I look forward to continued engagement 
with this esteemed Committee to develop concrete strategies 
that raise awareness of the threat, encourage actions that 
increase the cybersecurity of the Nation's employees, and 
protect our most vulnerable citizens. Thank you.
     [The prepared statement of Dr. Burley follows:]
     
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     
        
     Chairwoman Horn. Thank you very much, Dr. Burley. At this 
point we will begin our first--with our first round of 
questions, and the Chair recognizes herself for 5 minutes.
     Thank you to our witnesses today. It's clear that these 
are important issues, and there's a lot of things to tackle. 
And I want to start, Mr. Seaton, with some questions about 
contractors, as--and cybersecurity contractors, especially 
given the increased use, and the significant use of contractors 
within NASA's workforce. So I have a number of questions, I'm 
going to try and get through as many as we can. Some of them 
are just yes or no, then we'll get to a few other things.
     So what we know, and I mentioned the article today in The 
Hill, is that our systems are--there's a lot of information 
that hackers are very interested in, and the contractors that 
NASA works with are integral to our Nation's space agency. So 
my first question is, are there FAR clauses, Federal 
Acquisition Regulation clauses, that specifically refer to 
contractor cybersecurity requirements?
     Mr. Seaton. Yes, there are, and we include those in our 
agency contracts to ensure that our providers follow the 
cybersecurity requirement.
     Chairwoman Horn. OK. So let me follow up on that for a 
moment, because--so those are NASA cybersecurity requirements? 
Because we asked earlier this year about associated FAR 
language, and NASA's response was that there are no FAR 
requirements, there are no FAR clauses. But to--do those fall 
under NASA requirements in contracts?
     Mr. Seaton. We have a NASA FAR supplement, and to get 
specifics on what those requirements are included via that, I 
can certainly take a question for the record to get that.
     Chairwoman Horn. OK. Absolutely. And so, when those 
clauses are included, is it NASA that signs off on the 
cybersecurity? Are there waivers? What--who signs off on the 
requirements for cybersecurity, that they've been met?
     Mr. Seaton. Well, we have automated tools to be able to 
ensure that our contractors are complying with the requirements 
when they're connecting to any NASA system, just as any NASA 
employee would. So, as was mentioned in the earlier testimony, 
we've put in place controls, and are continuing to strengthen 
those controls, to ensure that only authorized devices can 
connect to our networks and systems.
     Chairwoman Horn. OK. And who has oversight of contractor 
cybersecurity protocols? Is that through your office? Are you 
able to conduct oversight and audits of cybersecurity practices 
by contractors?
     Mr. Seaton. Ultimately, I am the Acting Information 
Officer, and so cybersecurity is my responsibility, and so it 
would be me and my team that ensures compliance with the 
cybersecurity requirements.
     Chairwoman Horn. OK. And do you feel like you have 
sufficient oversight, and insight, and ability to do that 
within your authorized--within your authorities?
     Mr. Seaton. Yes, I would say that I do believe that, 
within NASA, I've been given the appropriate authority and 
support, but I will say that the environment is continuing to 
change, and it's a dynamic landscape, as IT is no longer just 
the computer and the laptop on your desk, but expands to 
operational technology work. IT is embedded within systems, and 
so I would say it's challenging with that evolving landscape, 
and so we continue to mature our processes.
     Chairwoman Horn. OK. Thank you. Stepping back to the 
challenges from this year during COVID-19, I'll have a question 
for Mr. Martin and Mr. Seaton, and hopefully we'll have time to 
get to Dr. Burley, about a broader--the memo, Mr. Seaton, that 
your predecessor published on April 8 warned of increased 
attempts in cyberattacks, and--especially during COVID-19, and 
I'm--my first question is--to you, actually, then to Mr. 
Martin, how has the rate of cyberattacks changed since that 
memo in April, and what steps has the OCIO taken to respond to 
those increased attempts?
     Mr. Seaton. Well, we have seen an increase in phishing 
attacks, and a lower level of some other attacks, but honestly, 
the change to the pandemic operating model is consistent with 
how NASA has operated in the past. We've supported a mobile 
workforce, and so have put in place controls and technologies 
to mitigate against some of these threats, including automated 
prevention of phishing attacks. Because, when it comes down to 
it, you and I are the most vulnerable part of our IT security 
environments, the people, and so we try to put in place 
automated controls to actually make that easier for our 
employees, and I've seen significant improvements in phishing 
protections over the last 2 years.
     Chairwoman Horn. Thank you, and quickly, Mr. Martin, my 
time is coming to an end, but what is your confidence level in 
NASA's ability to sufficiently address and increase--the 
increase in cyber threats as reported by the OCIO?
     Mr. Martin. Overall I think they're making incremental 
improvement. They're heading in the right direction, but--and I 
think there's a real--new realization over the last couple 
years of the expanse and significance of the challenge, so I 
think we're very, very cautiously optimistic.
     Chairwoman Horn. Wonderful. Thank you very much. I now 
recognize Ranking Member Babin for 5 minutes of questions.
     Mr. Babin. Thank you, Madam Chair. I think I'm unmuted. 
Hopefully I am. I want to address this to Chief Information 
Officer Mr. Seaton. Two weeks ago President Trump signed Space 
Policy Directive Number Five, which focused on cybersecurity 
principles for space systems. SPD-5 states, ``It is the policy 
of the United States that executive departments and agencies 
will foster practices within government space operations, and 
across the commercial space industry, that protect space 
assets, and their supporting infrastructure, from cyber 
threats, and ensure continuity of operations.'' My question is 
this. As NASA increases its use of public/private partnerships, 
how will it ensure that contractors comply with this policy 
without implementing regulations?
     Mr. Seaton. Yeah, thank you for the question. Yeah, so 
SPD-5, we appreciate the administration and this Congress's 
focus on space cybersecurity, because that's critically 
important to us. We're currently in the process of reviewing 
and analyzing SPD-5, but the good news is we see a lot of 
consistency with best practices that we are already 
implementing, and will continue to look to strengthen our 
cybersecurity, both within our missions, as well as with our 
contract partners.
     Mr. Babin. Absolutely. Thank you so much. My next question 
would be to Inspector General Paul Martin. Your office issued a 
report on JPL, Jet Propulsion Laboratory's, cybersecurity 
management last year. JPL, unlike other NASA centers, is 
managed by a contractor, of course that's Caltech. The report 
highlights the fact that NASA's contract with Caltech did not 
include relevant requirements from NASA IT security policies. 
And so has the OIG conducted a review of other NASA contractors 
to determine if their contracts include necessary clauses 
pertaining to IT security, and if so, how many has your office 
conducted?
     Mr. Martin. Thank you, Mr. Babin. We have not conducted a 
separate audit looking at that specific issue. Although, if I 
could double back, the concerns we had when NASA entered into a 
new 5-year contract with Caltech, that the contract was absent 
the significant IT oversight provisions. We have since followed 
up and found out that JPL has issued, and NASA has accepted, 
and we've reviewed, and they do meet the criteria that we were 
concerned about. So the Federal imposed oversight, IT 
oversight, is going to happen at JPL, so we're pleased for 
that.
     Mr. Babin. OK. Thank you. And does the OIG conduct 
compliance audits to determine if contractors are fulfilling 
their contractual obligations pertaining to information 
security, and if so, how many has your office conducted there?
     Mr. Martin. Again, we conduct a significant number of 
program audits that look at the programs that are run by these 
contractors, and part of that review includes a detailed dive 
into the contracts to make sure that the IT security 
requirements are not only in the contract, but they're actually 
followed.
     Mr. Babin. Is this a more appropriate role for the NASA 
CIO or procurement office to conduct, rather than the OIG?
     Mr. Martin. Well, I think the--certainly the CIO's office 
and procurement have to ensure at the outset that the 
appropriate security issues and safeguards are contained in the 
contract themselves, and ongoing--good contract management 
would show that you need to ensure that they're being 
effective. Now, the OIG has limited capacity, like most 
organizations, and so we're going to try to target the more 
high risk, high value operations that NASA has to do a deep 
dive audit.
     Mr. Babin. OK. And then, as this very hearing 
demonstrates, NASA and the Nation have adopted 
videoconferencing to adapt to social distancing requirements. 
Has NASA identified any vulnerabilities with commercial 
videoconferencing platforms? Are certain videoconference not 
allowed for NASA use based on technical characteristics or 
concerns over foreign influence? I would just say--what every 
one of you have to say. Just a short, concise answer. 
Appreciate it.
     Mr. Seaton. Yes, I'll start with that, and say we have a 
set of approved tools that have gone through the appropriate 
security validation, which includes assessing any threats 
externally to those environments, and, outside of that, other 
tools are not approved for use within NASA.
     Mr. Babin. OK. And then----
     Mr. Martin. NASA OIG is using those approved tools.
     Mr. Babin. OK. All right, good. And, Dr. Burley, did you 
want to add to that at all?
     Dr. Burley. Most agencies and other organizations have 
their list of approved tools.
     Mr. Babin. OK. Well, Madam Chair, I've spent all my time, 
so I will yield back, and I want to thank all the witnesses. We 
appreciate it very much. Yield back.
     Chairwoman Horn. Thank you very much, Ranking Member 
Babin. And, Mr. Perlmutter, you're recognized for 5 minutes.
     Mr. Perlmutter. Thank you, Madam Chair, and I think one of 
the biggest problems with this remote stuff is when somebody 
like Dr. Babin is walking around with his phone, and I feel 
like we're in The Blair Witch Project, but that's a whole other 
problem. My questions are for you, Dr. Burley, and Mr. Seaton 
mentioned the most vulnerable spot for, you know, hacking and 
cybersecurity is the individual, the person. And when you were 
testifying, you talked about novice users, you know, not 
familiar with the equipment or security protocol, employees 
under duress, worried about their basic needs, and not the more 
refined things like cybersecurity, you know, that folks are 
having trouble because they're distracted, frightened, and 
fatigued, I think were your terms. So what--I mean, it almost 
feels not that the CIO should be involved, but the Personnel 
Department is really the--one of the keys here. So what do you 
see, whether it's NASA, or generally across the agencies, being 
done to help the individuals kind of get through this very 
anxious period and maintain cybersecurity?
     Dr. Burley. Thank you for your question. But--so you're 
absolutely right in that it needs to be a collaboration between 
the IT Department and the H.R. (human resources) Department. 
So, first, every agency has a set of cybersecurity awareness 
programs that they have in place, and that really guide not 
only behavior within the organization, within the walls, but 
also outside. Those awareness programs need to be adapted, 
recognizing that the employees are working in a different 
environment, they're working remotely, and they're working 
around other people. It's not just them. It's also----
     Mr. Perlmutter. Right.
     Dr. Burley [continuing]. Family members, and others who 
are in their environments. And so we have to take a hard look 
at those awareness programs, and recognize that they need to be 
adapted based on the current realities of work. And second, 
yes, absolutely, human resource professionals need to be 
involved to provide the kind of support to our employees that 
they need so that they are able to focus on not only doing 
their work, but doing their work in a secure manner.
     Mr. Perlmutter. And I guess I hadn't even thought of it, 
but obviously we should think of it, people are working from 
home, the kids are in the background, or, you know, whoever 
might be in the background, so it isn't like you're in the 
office at NASA headquarters, where everything's pretty safe and 
secure. So I think, Madam Chair, I'm going to yield back, but I 
do think this really is cooperation, certainly between the H.R. 
Department and all of the technology folks. And Mr.--I mean, 
all three of our speakers have sort of focused on that, but I--
in this pandemic, that's critical, and I yield back.
     Chairwoman Horn. Thank you very much, Mr. Perlmutter. Mr. 
Posey, you're recognized for 5 minutes.
     Mr. Posey. Thank you, Madam Chair, for holding this 
hearing on this important issue regarding cybersecurity at NASA 
during COVID-19. Just to recap, in June 2020 NASA's Inspector 
General stated NASA's high profile and sensitive technology 
makes the agency an attractive target for computer hackers and 
other bad actors. And, as stated earlier, during the COVID-19 
pandemic, many NASA and contractor employees are teleworking, 
and possibly making the agency a bigger target. In June 2020 
report the Inspector General said it's vital that the agency 
develop of its information security program to protect the 
confidentiality, integrity, and availability of its data, 
systems, and networks. This is not a new problem facing NASA. 
An assessment by the National Academy of Public Administration 
(NAPA) concluded back in 2014 that NASA networks are 
compromised, and that individuals are not being held 
accountable.
     It's not a new concern for us either. I included language 
in the House-passed NASA authorization bill back in 2015 to 
address this by requiring a report on how NASA would safeguard 
its networks and protect against control violations. The 
Inspector General also made the nine recommendations to NASA, 
including making sure the risk information security system 
compliance and data protection capabilities are updated to keep 
the data secure. And the Inspector General concluded that the 
threats are increasing, and that it is imperative for NASA to 
continue its efforts, and strengthen its risk management 
government practices to safeguard its data from cybersecurity 
threats.
     So, Inspector Martin, first, it was noted that NASA is an 
attractive target for computer hackers and bad actors. Is China 
one of those bad actors, and does China present a cybersecurity 
threat to NASA? And, besides securing its information 
technology, what steps has NASA done to secure its supply chain 
from China hackers? And has NASA, or the Inspector General, 
criminally reported a cybersecurity case involving China to the 
Department of Justice yet?
     Mr. Martin. Yes, yes, no. I'm joking. That was a lot of 
questions. China is one of the foreign entities out there. 
China's not the sole entity, country, out there that is seeking 
NASA's very valuable intellectual property. NASA is taking 
steps, and has been, to secure its intellectual property and 
its networks from attack both from China and from a series of 
other countries, and also local hackers. So yes, NASA is--we 
have conducted a series of criminal investigations, and we work 
with the FBI (Federal Bureau of Investigation) and 
counterintelligence officials when we get leads on these 
issues.
     Mr. Posey. Good, thank you. And Mr. Seaton, with 
cybersecurity threats increasing, has NASA taken the necessary 
actions to address the assessment of the National Academy of 
Public Administration back in 2014, and the nine 
recommendations identified by the Inspector General, to keep 
the data security?
     Mr. Seaton. Yes. I'm happy to report that we closed out 
all of the recommendations, there were quite a few, in the NAPA 
report, and those have been implemented, and I do think that 
they improved our security and our practices.
     Mr. Posey. OK, thank you. Dr. Burley, should the National 
Academy do another study to examine the vulnerabilities that 
teleworking presents?
     Dr. Burley. The opportunity for associations and National 
Academies to do studies gives us an in depth look, and so I 
would say yes.
     Mr. Posey. Thank you, Madam Chair. I yield back the 
remainder of my time.
     Chairwoman Horn. Thank you, Mr. Posey. The Chair now 
recognizes Mr. Beyer for 5 minutes.
     Mr. Beyer [continuing]. My mute button. Thank you, Madam 
Chair, very much. Mr. Seaton, thank you very much for joining 
us today. In your testimony you mentioned that in the course of 
the pandemic you were able to onboard new employees, new 
interns, and, amazingly, our office has been able to do the 
same, wonderful interns and new staff. We've also been able to 
safely ensure that all staff and interns have House-issued 
equipment, including laptops and phones. So the--in the OIG 
report, I was surprised that personally owned devices could 
connect to internal systems, and that OIG was critical of your 
not monitoring--enforcing the rules associated with granting 
access to the NASA networks. So how do you make sure that new 
employees will be given the proper equipment, and if they're 
not getting NASA issued equipment, how do we ensure that those 
personal devices are secured?
     Mr. Seaton. Yes, thanks, great question. We actually do 
require the use of NASA-provided equipment for our new 
employees and interns, so we do provide them with the tools 
that they need. Recently, within the last 2 years, it was my 
office that changed the policy that was referred to earlier, 
where, yes, previously we did allow personal devices to 
connect. That is no longer allowed by policy. The only 
allowance is for a mobile device that has a mobile device 
management software that we provide that creates a secure 
container, and a secure connection, back to our e-mail and 
calendaring systems, if an employee will consent to us managing 
their personal device with that software. That's the one case 
where we do allow that.
     Where we do have opportunities to continue to strengthen 
our architecture is implementing the automated controls to 
ensure that that is what's happening. So network access 
control, and the pandemic, has actually impacted our 
implementation there, pushing out that schedule into next year, 
but we've made significant progress through DHS, the CDM 
(Continuous Diagnostics and Mitigation) Program, to know what's 
on our network, and who's on our network, and have a little bit 
more to do there.
     Mr. Beyer. Good, good. Thank you. That's encouraging to 
know, because I'm sure the stuff you have is much more 
important than the thing that's on my network. Mr. Martin, you 
talked about the malicious intrusions in the NASA systems, you 
know, unauthorized access to Deep Space Network. Other than the 
personally identifiable information, what are they after, and 
how much of this is China, Russia, the other nations that are 
interested in space, and will this affect, or could this 
affect, our lunar missions or Mars mission, James Webb, and 
some of the really big important things that NASA's doing?
     Mr. Martin. Thank you, Congressman Beyer. NASA has vast 
troves of important intellectual capital that it has spent 
decades amassing, and so I think folks are--country actors are 
after that information, the innovations that NASA's so famous 
for around the world. There's everything from PII, there's 
contractual data on the systems, so there's just a vast and 
wide array. And, again, we've had--NASA, unfortunately, has 
been under attack from both domestic and foreign cyber 
criminals, and so it is just an ongoing, incredibly difficult 
issue to keep NASA's defenses up.
     Mr. Beyer. OK, thank you very much. And, Professor Burley, 
you know one of the challenges NASA has, obviously is that 
they're so decentralized. So many of us have NASA facilities 
near or close, and so a one size fits all is always going to be 
difficult. Are there other examples of systems, especially 
Federal systems, that are similarly decentralized that have 
been able to effectively secure their IT systems? Are there 
anybody for NASA to imitate or emulate?
     Dr. Burley. I think that the CIO from NASA would know 
better, but there are many different decentralized systems, 
both within the Federal Government and outside, that could be 
used as a guide to at least begin to think about best practices 
and other strategies for securing the networks.
     Mr. Beyer. Let me pivot to Mr. Seaton, then, quickly, 
because I know, like, Department of Commerce had 13 different 
CIOs. Do you have the same challenge within NASA?
     Mr. Seaton. Yeah. So there's one CIO, but there are center 
CIOs. They all report to me. We have a single IT strategy, and, 
for almost a decade now, we've been working to integrate and 
operate as a cohesive unit, acknowledging that there are some 
uniquenesses at our centers, but implementing consistent 
policies, and moving toward enterprise services and contracts. 
So I think we are moving in the enterprise direction very 
significantly.
     Mr. Beyer. Thank you very much. And, Madam Chair, I yield 
back.
     Chairwoman Horn. Thank you very much, Mr. Beyer. Mr. 
Garcia, you're recognized for 5 minutes.
     Mr. Garcia. Thank you, Madam Chairwoman, appreciate it, 
and appreciate the testimony and the witnesses today. Very 
exciting times for NASA, and also very challenging, with very 
unique dynamics in play here. I guess I've got a few questions, 
and probably directed to all of you, Mr. Seaton, Mr. Martin, 
and Dr. Burley. I come from a company where I was a program 
director for a large air breather program, and it was both 
classified and unclassified elements to it. One of the big 
challenges that we had as a large prime was that the classified 
elements fell under NISPOM (National Industrial Security 
Program Operating Manual) requirements, which I think were 
effectively what Chairwoman Horn was asking about on the 
classified side, as far as our compliance and requirements. 
Those requirements led to onerous costs to suppliers, and to 
the lower level supply chain folks.
     What is NASA doing, I guess, to make sure that the small 
businesses that are a critical element of your supply chain 
aren't necessarily getting overwhelmed with either 
cybersecurity requirements, or cybersecurity development work, 
software development work, and therefore almost being dissuaded 
from entering into this industry, into this support chain? Are 
we able to provide GFI, or government furnished IP (Internet 
Protocol) to make sure and flow down to the lower level 
suppliers to make sure that they're baking in some of these 
cybersecurity elements into their respective programs, or how 
do we communicate, I guess, with those lower tier supply chain 
folks? I guess, Mr. Seaton, we can start with you.
     Mr. Seaton. Sure. I will say that is a challenge. Making 
sure that all of our suppliers and providers appreciate the 
significance of cybersecurity, and are building that into the 
solutions they deliver, is a requirement of doing business 
today, right, today with supply chain risk management. Just in 
August Section 889 was enacted, that requires us to certify 
that anybody we're doing business with complies with supply 
chain restrictions that are Federal-wide. So we're working with 
our providers and suppliers to make sure they understand, and 
that they build that into their practices.
     Mr. Garcia. Yeah, I just, you know, we ought to just make 
sure we're balancing the risk mitigation efforts, which are 
absolutely critical and essential. We have to do it with the 
cost elements, and the, you know, just making sure that we're 
not driving some of these key suppliers out of business, or out 
of our industry, or out of your business, right? I know that's 
a delicate balancing act as well.
     Mr. Seaton. True. The cost of having a compromise is 
significant too, though, so you're right, it is a balancing 
act, and we'll continue to try to work.
     Mr. Garcia. Are the primes, or tier one suppliers, 
actively looking to package up programs or software, you know, 
programs to download to the lower level suppliers, or is it 
sort of ad hoc, depending on what the threat is, and what the 
threat mitigation measure is?
     Mr. Seaton. Yeah. Unfortunately, I really can't speak to 
the individual practices of the companies and suppliers.
     Mr. Garcia. OK. And then I guess just characterizing 
classified versus unclassified, are you able to speak to what 
percentage of your networks are on unclassified networks, and 
is one of the sides lagging the other? In other words, do you 
see, you know, more threats on the classified side, or fewer 
threats, but maybe more, you know, more critical impact to 
those networks? Or how would you characterize the deltas there 
between unclassed versus the high side?
     Mr. Seaton. Yes, and my office is responsible for the 
unclassified side. We work with our Office of Protective 
Services on the classified side. I can't really speak in this 
forum to kind of the division there, but I will say that 
oftentimes compromises on the unclassified side can be used to 
propagate to other systems that--and so that's a concern, even 
on the unclassified side.
     Mr. Garcia. OK, great. Yeah. And, Mr. Martin or Dr. 
Burley, I don't know if you guys care to comment on either of 
those topics there.
     Mr. Martin. We have little or no work on the classified 
side at NASA.
     Mr. Garcia. OK. That's good to know. OK. So I would just, 
you know, we hosted a small business summit with Kevin McCarthy 
as well, and with the NASA Administrator Bridenstine a couple 
of weeks ago. The cost of entry into the supply chain for all 
space programs is pretty high for some of these small 
suppliers, so I would just end with let's try to enable them, 
let's make sure we're giving them the tools to be successful 
and be able to defend not only their networks but yours, 
obviously, as your suppliers as we navigate this challenge, and 
hopefully look to synergize lessons learned and download those 
through contract requirement flow-down documents accordingly. 
So, really appreciate your guys' time, and good luck with the 
upcoming launches as well, guys, thank you. I yield back.
     Chairwoman Horn. Thank you, Mr. Garcia. And now, for the 
honorary Member of our Subcommittee, who is reliable and with 
us, Mr. Weber, you're recognized for 5 minutes. If we can get 
you unmuted. There you go.
     Mr. Weber. There we go. There's a lot of people who want 
to mute me, but nonetheless, thank you for that, Chairwoman, 
and I appreciate the opportunity of being here. You actually 
asked a question to Mr. Seaton earlier, I think, about how many 
intrusion attempts per month that NASA identified last year, 
and I want to kind of follow up on that by saying how does that 
compare, Mr. Seaton, to the intrusion attempts per month this 
year during COVID? Are you making a distinction there?
     Mr. Seaton. Yeah, so--not that direct comparison, and we 
see fluctuations based on our insight, and that insight, as I 
mentioned, is increasing, so sometimes that is the cause for a 
higher number. But we have seen an increase in phishing attacks 
and malware attacks at various times throughout the pandemic. 
That hasn't been steady, it's been fluctuating.
     Mr. Weber. Any idea or guess, 10 percent, 20 percent, five 
percent, increase?
     Mr. Seaton. At one point, over a given period of time, we 
saw a doubling of phishing attacks, but, again, there have been 
other weeks where it's been lower. So I do think, because of 
the pandemic, people are looking for the opportunity to attack, 
and will continue to.
     Mr. Weber. Well, there's been a lot of discussion about, 
you know, having personal devices, and being at home, and those 
kinds of security firewalls, if you will. And if it's sensitive 
information, I know you said you worked with the FBI and some 
of their forces, or task force, I forget the terminology you 
used, that sensitive information, if you could get it to us, it 
would be interesting for us to have, get it to my staff. And I 
want to follow up in your discussion with Mr. Garcia. You all 
talked about, well, before I do that, let me go to Mr. Martin 
really quick.
     Mr. Martin, understanding that this hearing is supposed to 
be merely focused on cyber threats during COVID, since you're 
here with us, I thought it'd be appropriate to discuss some of 
the things we've been talking about with China, for example. 
Intellectual property threats to the aerospace U.S. supply 
chain, you all talked about it a little bit, I think, with Mr. 
Garcia. During this week's Air Force Association Aerospace and 
Cyber Conference it was revealed that a longtime DOD 
(Department of Defense) and NASA launch provider, UL Lab, 
proactively, I don't know if you're familiar with this, 
proactively identified and cut ties with the supplier that was 
a security risk due to Chinese ownership. Were you aware of 
that, Mr. Martin?
     Mr. Martin. I was not, Congressman.
     Mr. Weber. OK. Well, in comments earlier, I think I'll go 
back to Mr. Seaton, with his exchange with Garcia, he said he 
couldn't speak to suppliers or speak for the suppliers. Is that 
what you were saying to Mr. Garcia?
     Mr. Seaton. I said that I could not speak to how they were 
structuring their business operations to meet the Federal 
requirements.
     Mr. Weber. Shouldn't that be something that we're looking 
at? I mean, I don't mean to sound too skeptical, but shouldn't 
NASA and actually, all of our U.S. space and defense companies 
should be taking a proactive posture to know exactly what 
safeguards are in place for a supply chain?
     Mr. Seaton. Totally agree. So how they go about doing it, 
is what I'm saying, that we're not in their business 
operations. Validating that they are complying with the 
requirements is something that we've been doing for years with 
our supply chain risk management efforts, ensuring the things 
that we buy are free of risks through coordination with the 
FBI, and now making sure that, even within their organizations, 
they do not have IT equipment provided by prohibited providers. 
So, yes, we are actively involved in ensuring that level of 
compliance.
     Mr. Weber. Well, you say how they go about it you're not 
necessarily involved in, but shouldn't there be some level of 
protocol, for lack of a better term, some threshold, some 
safeguard, they have to meet minimum safeguards, and somebody 
has to be looking over their shoulder in that regard? Is that 
fair to say?
     Mr. Seaton. Yeah. Again, compliance with our cybersecurity 
requirements is absolutely critical, and that is our 
responsibility. How they--their business practices is what I'm 
saying that we are not getting in the middle of.
     Mr. Weber. Would you say that, in this particular 
instance, where that supplier was identified, that it would be 
worthwhile to go back and see exactly how that happened, how 
that supplier got the proverbial camel's nose under the tent?
     Mr. Seaton. I think it's in the Federal Government's best 
interest to understand where vulnerabilities emanate from, so, 
certainly.
     Mr. Weber. Whose responsibility is that?
     Mr. Seaton. I think it's a shared responsibility.
     Mr. Weber. Between who?
     Mr. Seaton. Between the Federal agencies that are 
responsible for our cybersecurity policy, as well as an agency 
that would be interacting with a specific provider.
     Mr. Weber. Is that something you could follow up with our 
office on, and tell us who those agencies are, and who has 
responsibility for that agency? And I'm talking about 
addressing this particular instance, and how it was discovered, 
and how we got there, and what steps are going to be taken to 
prevent similar occurrences. Can you follow up with us on that?
     Mr. Seaton. Certainly. We'll take that as a question for 
the record, yes.
     Mr. Weber. OK. Well, I appreciate that. Madam Chair, I 
yield back.
     Chairwoman Horn. Thank you very much, Mr. Weber. 
Appreciate your questions, and, as always, your participating 
in the Subcommittee. I think--I have a few more questions I 
want to follow up with, and we'll have an opportunity for the 
Members to do another round of questions, if everyone is 
available to stay, since we're still--we still have time.
     I have--I want to follow up on a couple of things, going 
back to some of the earlier questions about--one about the 
unauthorized devices, or personal devices, and then I do want 
to follow up Mr.--on Mr. Weber's line of questions a little bit 
more. Mr. Martin, the August 2020 IG report on unauthorized 
devices, which was of course just this year, on NASA's network 
cites CIO's office, saying that there--currently no 
authoritative way to obtain the number of partner-owned IT 
devices. And I know, Mr. Seaton, you mentioned that you're not 
allowing that anymore, but it seems that that's still 
happening. So, Mr. Martin, I'm wondering what the risks are of 
not being able to identify, and why that may be the case, from 
your perspective, in this report? And then, Mr. Seaton, I want 
to follow up with you about what NASA's doing to improve its 
understanding and insight into those devices. So, Mr. Martin, 
if you want to start with that?
     Mr. Martin. Sure. If I could say at the outset, NASA--as I 
said in my oral remarks, NASA has been searching for that 
balance between user flexibility and system security, and 
during the 10 years that I've been at NASA, it has somewhat 
wildly lurched from those extremes. I remember early on, a 
number of years ago, where they had a BYOD policy, which was a 
bring your own device policy, and that's how sort of forward 
leaning NASA was about allowing employees, and even 
contractors, to use their personal devices.
     Now, in the last couple years, NASA has taken a much more 
measured approach, and have focused recently, but there are 
still gaps that remain in the security of these mobile devices. 
So, as you indicated, in the report that we issued just last 
month, they have implemented software, but they haven't fully 
implemented the controls to remove or block devices from NASA 
systems that shouldn't be on that NASA system. And they're also 
not adequately monitoring the business rules for granting 
access with a personal device to NASA's network. They're not 
enforcing consistently the business need for that, and they're 
also not ensuring that each of the mobile devices, the personal 
mobile devices that connect to the system, don't violate supply 
chain rules.
     Chairwoman Horn. OK. Thank you very much, Mr. Martin. Mr. 
Seaton, I know you've taken steps in that direction. Can you 
speak to, I know there's been a delay, but the--what you're 
doing, what NASA's doing, to address these holes? It sounds 
like you've made progress, but what are--what is NASA and what 
is the CIO doing to address these other outstanding issues?
     Mr. Seaton. Sure. Actually, as an agency, I believe--I 
think we have been a leader in implementing the--DHS's 
continuous diagnostic and mitigation program, where CDM phase 
one identified what was on the network, and so we had tools in 
place to automatically detect what's on the network. Phase two, 
which we are in the middle of implementing right now, is 
controlling who is on the network, and that gets to the network 
access control element that Mr. Martin spoke of. And, again, I 
think in the--we will in the coming year, be able to enable 
those controls to be able to have a technology-based way to 
enforce the policy that has been issued by my office.
     Chairwoman Horn. Thank you very much. And, just following 
up on a couple of Mr. Weber's questions, in terms of the 
insight, getting back to the--some of the first questions about 
contractor requirements, and how we control for suppliers and 
information, there's a balance between overly burdensome 
requirements and the opportunity for bad actors to influence or 
to gain access, and I'm wondering, Mr. Martin, what you see as 
potential authorities that NASA may need to be able to have 
additional insight, or control, or contracting provisions to 
ensure that there's compliance all the way up and down the 
supply chain. Is it with the primes, or are there other 
provisions that may be needed?
     Mr. Martin. I'm actually going to answer that question by 
focusing in house on NASA. We have commented for the last--we 
did an audit in 2014, and a follow-up in 2017, and one of our 
concerns was just how NASA is structured, where--is Jeff, or 
whoever's sitting in the CIO's position, doesn't have full 
insight into all of NASA's systems. In fact, doesn't have full 
control over the IT spend, and enforcing the IT security 
requirements, particularly in mission systems and center 
systems. Jeff and his colleagues have full control over what's 
known as the institutional systems, but they make up about 25 
or 30 percent of NASA's overall budget, so the lack of insight 
and oversight wielding the stick that controls the money on the 
end of it is a real governance issue.
     Chairwoman Horn. Thank you very much, Mr. Martin. And, Mr. 
Seaton, do you want to speak to that quickly? It sounds like 
you need--to be able to do that you need additional 
authorities, or insight and oversight.
     Mr. Seaton. Actually, I think that that has been changing. 
I sit on the Agency Program Management Council, the Mission 
Support Council, and the Acquisition Strategy Council as a full 
member, so I have insight into major agency decisions, and the 
administration fully supports the programs and plans that we're 
putting in place, and then the collaboration with the missions 
to ensure their systems are secure, where we now have much more 
widespread, effective, consistent approaches to authorities to 
operate. And I've been working with the Council of Deputies 
within NASA to ensure that we have the appropriate mission 
leadership, senior executives, designated as authorizing 
officials for those mission systems. So I do think we're making 
significant progress, excuse me.
     Chairwoman Horn. Thank you very much, Mr. Seaton. Mr. 
Babin, you're recognized for 5 minutes. Do you have more 
questions?
     Mr. Babin. Yes. Can you hear me? OK, thank you. I do have 
some more questions. I wanted to address this to all the 
witnesses, if possible. How many intrusion attempts per month 
did NASA identify last year? How does that compare to the 
intrusion attempts per month this year, during COVID? And if 
this information is sensitive, please provide a response to the 
staff after the hearing concludes.
     Mr. Seaton. Yeah. If I could take the specifics as a 
question for the record, but I can speak in more general terms. 
As I mentioned before, I think the measurement of intrusions 
continues to fluctuate based on our insight into the network, 
and that has increased. So, in some cases, where we see an 
increase in intrusions, it's because we're seeing more of 
what's happening, and we're to the point now we've got, I 
think, a pretty solid visibility into our network today. But 
then a comparison of specific month by month, we'll have to 
take that and get back to you.
     Mr. Babin. OK. All right. Thank you. I think I will yield 
back for Madam Chair.
     Chairwoman Horn. Thank you very much, Mr. Babin. Mr. 
Beyer, you're recognized.
     Mr. Beyer. Madam Chair, I have no more questions. I keep 
learning, but I yield back.
     Chairwoman Horn. Excellent. Thank you. Mr. Garcia?
     Mr. Garcia. Thank you, Madam Chair. Just a real quick 
question. You know, the old adage that the best defense is a 
good offense is kind of appropriate here. Mr. Seaton, are you 
happy with the support that you're getting from other 
government agencies? In terms of the development at a national 
level we develop offensive cyber capabilities. That informs 
your defensive cyber techniques and vulnerabilities. Are you 
comfortable and satisfied with the communications, I'll just 
say, to other government agencies that should be informing you 
as to where the state-of-the-art is going, in terms of 
offensive cyber capabilities which may, you know, be in the 
hands of the bad guys, and be within our own domestic networks? 
If not, where can we help to maybe, you know, improve your 
ability to leverage the developments of other equities outside 
of NASA?
     Mr. Seaton. Yeah, I think the administration's been very 
supportive of our need to continue with the appropriate focus 
on cybersecurity, and I think that NASA has effective 
relationships with our counterparts that can provide us 
counterintelligence information, as well as, you know, best 
practices on cybersecurity, the Federal CIO Council, the CIOs 
across the Federal agencies engaging to share information is 
another effective mechanism for that information sharing.
     Mr. Garcia. OK. So the historical, I'll call it just 
historical evidence over the last call it two years, though, 
have there been any surprises, I guess, from the threats where 
it was a completely unknown rider coming in through an unknown 
technique or vulnerability that really hadn't been discussed? I 
know that there's sensitivities around how much you can say 
here, but, you know, any sort of unknown riders that just 
completely caught you off guard that we ultimately found out 
another equity throughout the government maybe had been aware 
of?
     Mr. Seaton. Yeah. I think, because of the dynamic 
landscape, we're going to face surprises. We want to minimize 
those, right?
     Mr. Garcia. Sure, sure. Yeah.
     Mr. Seaton. But I will say that there have been times when 
other agencies have observed activity, and contacted NASA, and 
then we would partner on that. So, again, I think the 
communication mechanism--mechanisms are there.
     Mr. Garcia. That's good. Well, that's encouraging to hear. 
A lot of these lessons learned have been learned, you know, 
several times before, so we can avoid duplication of lessons 
learned, especially in this cyber domain. That's a huge benefit 
to you guys.
     Mr. Seaton. Certainly.
     Mr. Garcia. Thank you. I yield back, Madam Chair.
     Chairwoman Horn. Thank you very much, Mr. Garcia, and 
thank you to all of our Members for their thoughtful, 
intentional questions, and to all of our witnesses. It's clear 
that these are critically important issues that NASA is facing, 
as well as some important lessons learned during COVID-19, as 
Dr. Burley stated, that these are not normal times, so our 
strategies during COVID-19 are important, but also inform 
cybersecurity more broadly. And I think that it sounds as--that 
NASA is making progress, but that, as a--as the authorizing 
Committee, we want to ensure that you have sufficient 
authorities and funding capabilities to have strong 
cybersecurity practices and protocol in place, and we continue 
to move forward with the recommendations and implementations 
from the GAO, and other strategies that ensure not just the 25 
percent that you have authority--direct authority over, but the 
contractors, especially given some of the things that we have 
seen.
     So, unless any of our Members have further questions, 
we'll bring this hearing to a close today. I want to thank 
again the witnesses for your testimony, and for your time, and 
for what you do. The record will remain open for 2 weeks for 
additional statements from the Members, and additional 
questions of the Committee, or that the Committee or Members 
may ask of the witnesses. Thank you all again for your time. 
The witnesses are excused, and the hearing is now adjourned. 
Thanks, everybody.
     [Whereupon, at 12:20 p.m., the Subcommittee was 
adjourned.]

                                Appendix

                              ----------                              


                   Answers to Post-Hearing Questions
                   
Responses by Mr. Jeff Seaton

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Responses by the Honorable Paul K. Martin

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Responses by Dr. Diana L. Burley, Ph.D.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]