b"<html>\n<title> - CYBERSECURITY AT NASA: ONGOING CHALLENGES AND EMERGING ISSUES FOR INCREASED TELEWORK DURING COVID-19</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                         CYBERSECURITY AT NASA:\n                 ONGOING CHALLENGES AND EMERGING ISSUES\n                 FOR INCREASED TELEWORK DURING COVID-19\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                 SUBCOMMITTEE ON SPACE AND AERONAUTICS\n\n                                 OF THE\n\n                      COMMITTEE ON SCIENCE, SPACE,\n                             AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                           SEPTEMBER 18, 2020\n\n                               __________\n\n                           Serial No. 116-81\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n       Available via the World Wide Web: http://science.house.gov\n\n                            ______                       \n\n\n             U.S. GOVERNMENT PUBLISHING OFFICE \n 41-348 PDF           WASHINGTON : 2021 \n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n             HON. EDDIE BERNICE JOHNSON, Texas, Chairwoman\nZOE LOFGREN, California              FRANK D. 
LUCAS, Oklahoma, \nDANIEL LIPINSKI, Illinois                Ranking Member\nSUZANNE BONAMICI, Oregon             MO BROOKS, Alabama\nAMI BERA, California,                BILL POSEY, Florida\n    Vice Chair                       RANDY WEBER, Texas\nLIZZIE FLETCHER, Texas               BRIAN BABIN, Texas\nHALEY STEVENS, Michigan              ANDY BIGGS, Arizona\nKENDRA HORN, Oklahoma                ROGER MARSHALL, Kansas\nMIKIE SHERRILL, New Jersey           RALPH NORMAN, South Carolina\nBRAD SHERMAN, California             MICHAEL CLOUD, Texas\nSTEVE COHEN, Tennessee               TROY BALDERSON, Ohio\nJERRY McNERNEY, California           PETE OLSON, Texas\nED PERLMUTTER, Colorado              ANTHONY GONZALEZ, Ohio\nPAUL TONKO, New York                 MICHAEL WALTZ, Florida\nBILL FOSTER, Illinois                JIM BAIRD, Indiana\nDON BEYER, Virginia                  FRANCIS ROONEY, Florida\nCHARLIE CRIST, Florida               GREGORY F. MURPHY, North Carolina\nSEAN CASTEN, Illinois                MIKE GARCIA, California\nBEN McADAMS, Utah                    THOMAS P. TIFFANY, Wisconsin\nJENNIFER WEXTON, Virginia\nCONOR LAMB, Pennsylvania\n                                 ------                                \n\n                 Subcommittee on Space and Aeronautics\n\n                 HON. KENDRA HORN, Oklahoma, Chairwoman\nZOE LOFGREN, California              BRIAN BABIN, Texas, Ranking Member\nAMI BERA, California                 MO BROOKS, Alabama\nED PERLMUTTER, Colorado              BILL POSEY, Florida\nDON BEYER, Virginia                  MICHAEL WALTZ, Florida\nCHARLIE CRIST, Florida               MIKE GARCIA, California\nJENNIFER WEXTON, Virginia\n\n                         C  O  N  T  E  N  T  S\n\n                           September 18, 2020\n\n                                                                   Page\n\nHearing Charter..................................................     
2\n\n                           Opening Statements\n\nStatement by Representative Kendra Horn, Chairwoman, Subcommittee \n  on Space and Aeronautics, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................    10\n    Written Statement............................................    11\n\nStatement by Representative Brian Babin, Ranking Member, \n  Subcommittee on Space and Aeronautics, Committee on Science, \n  Space, and Technology, U.S. House of Representatives...........    12\n    Written Statement............................................    14\n\nWritten statement by Representative Eddie Bernice Johnson, \n  Chairwoman, Committee on Science, Space, and Technology, U.S. \n  House of Representatives.......................................    15\n\n                               Witnesses:\n\nMr. Jeff Seaton, Chief Information Officer (Acting), National \n  Aeronautics and Space Administration\n    Oral Statement...............................................    16\n    Written Statement............................................    19\n\nThe Honorable Paul K. Martin, Inspector General, National \n  Aeronautics and Space Administration\n    Oral Statement...............................................    28\n    Written Statement............................................    30\n\nDr. Diana L. Burley, Ph.D., Vice Provost for Research, American \n  University\n    Oral Statement...............................................    39\n    Written Statement............................................    41\n\nDiscussion.......................................................    46\n\n              Appendix: Answers to Post-Hearing Questions\n\nMr. Jeff Seaton, Chief Information Officer (Acting), National \n  Aeronautics and Space Administration...........................    62\n\nThe Honorable Paul K. Martin, Inspector General, National \n  Aeronautics and Space Administration...........................    71\n\nDr. 
Diana L. Burley, Ph.D., Vice Provost for Research, American \n  University.....................................................    73\n\n\n                     CYBERSECURITY AT NASA: ONGOING\n\n                   CHALLENGES AND EMERGING ISSUES FOR\n\n                   INCREASED TELEWORK DURING COVID-19\n\n                              ----------                              \n\n\n                       FRIDAY, SEPTEMBER 18, 2020\n\n                  House of Representatives,\n             Subcommittee on Space and Aeronautics,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n     The Subcommittee met, pursuant to notice, at 11:01 a.m., \nvia Webex, Hon. Kendra Horn [Chairwoman of the Subcommittee] \npresiding.\n\n     Chairwoman Horn. Good morning, everyone. I'd like to \nwelcome our distinguished panel of witnesses, Members, and \nthose viewing remotely, to today's Space and Aeronautics \nSubcommittee hearing on ``Cybersecurity at NASA: Ongoing \nChallenges and Emerging Issues for Increased Telework During \nCOVID-19''.\n     In early 2020 the world was caught off guard with the \nrapid and dramatic onset of the coronavirus. NASA (National \nAeronautics and Space Administration), like many Federal \nagencies, and consistent with the Office of Management and \nBudget (OMB) Guidance, rapidly shifted to telework operations \nto ensure the health and safety of its more than 17,000 civil \nservant employees and extensive contractor workforce. 
To its \ncredit, NASA prepared for the transition, having held an \nagency-wide telework exercise in early March to test expanded \ntelework operations, and today 75 to 80 percent of NASA civil \nservants continue to work remotely, handling proposal reviews, \nproject oversight and inspections, development work, \nengineering analysis, and other activities.\n     The shift to increased telework at NASA raises many \nquestions, front and center, cybersecurity. What does the \nincrease and extended use of telework mean for protecting \nNASA's intellectual property, personally identifiable \ninformation (PII), and mission operations? How do the cyber \nchallenges related to increased telework affect the agency's \noverall cybersecurity risk posture, and what steps is NASA \ntaking to ensure the effectiveness of its cybersecurity efforts \nduring the pandemic and beyond? These are some of the questions \ntoday's hearing will explore, because what's clear is that NASA \nis a target. And I want to pause here for a moment to note an \narticle in The Hill today where the Justice Department has \nbrought charges against Iranian nationals for hacking U.S. \nsatellite companies, so I think this is incredibly timely. And \na recent NASA IG (Inspector General) report stated that, given \nNASA's mission, and valuable technical and intellectual capital \nit produces, the information maintained within the agency's IT \n(information technology) infrastructure presents a high value \ntarget for hackers and criminals.\n     In 2019 NASA Administrator Jim Bridenstine stated at an \nagency town hall that NASA is the most attacked agency in the \nFederal Government when it comes to cybersecurity. Past data \nbreaches and system intrusions at NASA and its facilities have \nresulted in large amounts of stolen data, installation of \nmalware, copying, modifying, and deleting sensitive files, and \naccessing NASA servers, including those supporting missions. 
\nThe Department of Homeland Security's (DHS's) Cybersecurity \nInfrastructure Security Agency, which is a mouthful, of \ncourse--but a very important agency has issued specific alerts \non vulnerabilities related to telework during the pandemic, and \nencourages organizations to adopt a heightened state of \ncybersecurity.\n     In April 2020 the agency's then Chief Information Officer \n(CIO) notified employees of increased hacking attempts on the \nagency's systems, and in June 2020 media articles reported that \nmalicious actors congratulated NASA and SpaceX on a crewed \ndemonstration flight, and then announced they had allegedly \nbreached and infected a NASA contractor, specifically one that \nprovides information technology cyber securities--and \ncybersecurity services to the agency. If true, that's a \nconcerning report, and part of the reason we're here today. \nProtecting NASA's IT and data during the pandemic demands \nvigilance, however, NASA's cybersecurity challenges don't begin \nand end with the COVID-19 crisis. Multiple NASA IG and GAO \n(Government Accountability Office) reports have identified \nweaknesses and ongoing concerns with NASA's information \nsecurity. Further, they've ranked this issue as a top agency \nchallenge. Ensuring effective cybersecurity at NASA becomes \neven more pressing given rapid advances in IT supply chain \nrisks, NASA's culture of openness and partnerships, and the \noverall increase in space activities.\n     NASA is a national treasure. Its missions continue to \ninspire both young and old, and NASA's cutting edge space \ntechnologies, research, and space flight experience are the \nenvy of the world. NASA's accomplishments wouldn't be possible \nwithout computers, software, and information systems. Will \nNASA, or any organization, ever be 100 percent risk free from \ncyber threats? Probably not. Is there room for improvement? \nAbsolutely there is. 
I hope that today's hearing will give an \nunderstanding of the challenges and risks posed by increased \ntelework, and whether or not NASA is organized and resourced \nsufficiently and effectively to mitigate those risks. The \nbottom line is we need to ensure that NASA has the tools that \nit needs, and takes the necessary actions to ensure the \nagency's success, safety, and security during COVID-19 and \nbeyond, and I look forward to our witnesses' testimony today.\n     [The prepared statement of Chairwoman Horn follows:]\n\n    Good morning. I'd like to welcome our distinguished panel \nof witnesses, Members, and those viewing remotely, to today's \nSpace and Aeronautics Subcommittee hearing on ``Cybersecurity \nat NASA: Ongoing Challenges and Emerging Issues for Increased \nTelework During COVID-19''.\n    In early 2020, the world was caught off guard with the \nrapid and dramatic onset of the coronavirus. NASA, like many \nFederal agencies, and consistent with Office of Management and \nBudget guidance, rapidly shifted to telework operations to \nensure the health and safety of its more than 17,000 civil \nservant employees and extensive contractor workforce.\n    To its credit, NASA prepared for the transition, having \nheld an agency-wide telework exercise in early March to test \nexpanded telework operations. Today, 75 to 80 percent of NASA \ncivil servants continue to work remotely handling proposal \nreviews, project oversight and inspections, development work, \nengineering analysis, and other activities.\n    The shift to increased telework at NASA raises many \nquestions. 
Front and center is cybersecurity.\n    <bullet> What does the increase and extended use of \ntelework mean for protecting NASA's intellectual property, \npersonally identifiable information, and mission operations?\n    <bullet> How do the cyber challenges related to increased \ntelework affect the agency's overall cybersecurity risk \nposture?\n    <bullet> And what steps is NASA taking to ensure the \neffectiveness of its cybersecurity efforts during the pandemic \nand beyond?\n    These are some of the questions today's hearing will \nexplore, because what's clear is that NASA is a target.\n    A recent NASA IG report stated, ``Given NASA's mission and \nthe valuable technical and intellectual capital it produces, \nthe information maintained within the Agency's IT \ninfrastructure presents a high-value target for hackers and \ncriminals.''\n    In early 2019, NASA Administrator Jim Bridenstine stated at \nan agency town hall that ``NASA is one of the--it is the most \nattacked agency in the Federal government when it comes to \ncybersecurity.'' Past data breaches and system intrusions at \nNASA and its facilities have resulted in large amounts of \nstolen data; installation of malware; copying, modifying, and \ndeleting sensitive files; and accessing NASA servers, including \nthose supporting missions.\n    The Department of Homeland Security's Cybersecurity and \nInfrastructure Security Agency--CISA--has issued specific \nalerts on vulnerabilities related to telework during the \npandemic and encourages organizations ``to adopt a heightened \nstate of cybersecurity.''\n    In April 2020, the agency's then-chief information officer \nnotified employees of increased hacking attempts on the \nagency's systems. 
And in June 2020, media articles reported \nthat malicious actors congratulated NASA and SpaceX on a crewed \ndemonstration flight, and then announced they had allegedly \nbreached and infected a NASA contractor, specifically one that \nprovides information technology and cybersecurity services to \nthe agency. If true, that's a concerning report, and part of \nthe reason we're here today.\n    Protecting NASA's IT and data during the pandemic demands \nvigilance. However, NASA's cybersecurity challenges don't begin \nand end with the COVID crisis. Multiple NASA IG and GAO reports \nhave identified weaknesses and ongoing concerns with NASA's \ninformation security; further, they have ranked the issue as a \ntop agency challenge.\n    Ensuring effective cybersecurity at NASA becomes even more \npressing, given rapid advances in IT, supply chain risks, \nNASA's culture of openness and partnerships, and the overall \nincrease in space activities.\n    NASA is a national treasure. Its missions continue to \ninspire both young and old and NASA's cutting-edge space \ntechnologies, research, and spaceflight experience are the envy \nof the world. NASA's accomplishments wouldn't be possible \nwithout computers, software, and information systems.\n    Will NASA or any organization ever be 100 percent risk-free \nfrom cyber threats? Probably not. Is there room for \nimprovement? Most definitely, yes.\n    I hope today's hearing will give us an understanding of the \nchallenges and risks posed by increased telework, and whether \nor not NASA is organized and resourced to effectively mitigate \nthose risks. Bottom line: we need to ensure that NASA has the \ntools and takes the necessary actions to ensure the agency's \nsuccess, safety, and security, during COVID, and beyond.\n    I look forward to our witnesses' testimony.\n\n     Chairwoman Horn. So I think we are--there he is----\n     Mr. Babin. Hey, Chairman.\n     Chairwoman Horn. 
Ranking Member Babin, I'm glad you were \nable--I know that technology can sometimes, speaking of \ntechnology, be a little bit of a challenge, but glad you made \nit through. So the Chair now recognizes Ranking Member Babin, \nand my good friend from Texas, for an opening statement.\n     Mr. Babin. Absolutely, thank you. We have three computers \nhere. We couldn't get on, but I got on with my telephone, any \nway we can do it, I'm glad to be with you.\n     Chairwoman Horn. And--innovation and ingenuity, I love it.\n     Mr. Babin. Absolutely. OK. Well, thank you so much. NASA \nis one of the best-known organizations in the entire world. Its \nsuccesses with the Mercury, Gemini, Apollo, Shuttle, and \nInternational Space Station programs, along with its \nbreathtaking scientific discoveries and jaw-dropping robotic \nprobes attract worldwide attention. Unfortunately, that \nattention comes with many challenges. The technologies that \nNASA develops are also sought after by criminal entities, \nunscrupulous foreign governments, and destructive vandals. \nBecause many of these technologies have both civil and military \napplications, these challenges are particularly great, and this \nis a topic that this Committee has focused on for decades.\n     Mr. Martin testified before the Investigations and \nOversight Subcommittee almost 10 years ago on the topic of \ninformation security. At that hearing he testified that an \nunencrypted laptop was stolen from NASA that resulted in the \nloss of the ``algorithms'' used to control the Space Station, \nas well as personally identifiable information, and \nintellectual property. 
Similarly, the U.S.-China Economic and \nSecurity Review Commission noted, in its 2011 report to \nCongress, that the Terra and Landsat 7 satellites experienced \nat least two separate instances of interference apparently \nconsistent with cyber activities against their command and \ncontrol systems.\n     More recently the NASA IG issued its yearly FISMA (Federal \nInformation Security Management Act) report in July, which \nfound that ``Information systems throughout the agency face an \nunnecessarily high level of risk that threatens the \nconfidentiality, the integrity, and availability of NASA's \ninformation.'' The report concluded that, ``It is imperative \nthe agency continue its efforts to strengthen its risk \nmanagement and governance practices to safeguard its data from \ncybersecurity threats.'' And last month the IG issued another \nreport on NASA's use of non-agency IT devices and found that \nNASA, ``is not adequately securing its networks from \nunauthorized access by IT devices.'' The NASA IG is currently \ntracking 25 open recommendations for the Office of the Chief \nInformation Officer. These do not include IT and cybersecurity \nrecommendations to mission directorates or other organizations \nin the NASA enterprise.\n     And while this may seem startling, there are specific \nreasons that many of the recommendations remain open. For \ninstance, agency-wide guidelines and best practices are often \ngeneral rules and principles that are not optimized to specific \nagencies' unique capabilities, expertise, and challenges. For \ninstance, NASA is the world leader in designing, building, \noperating, and communicating with spacecraft. This expertise \nresides within the mission directorates, and at the centers who \nhave cultivated this expertise over many decades. In some \ninstances they actually developed the software, information \nsystems, and underlying technologies that industry and the rest \nof the government adopted and embraced. 
In even more extreme \ncircumstances, they continue to use one-off operating systems \nthat, while perhaps not compliant with OMB derived \ngovernmentwide guidance, are arguably more secure because of \ntheir uniqueness and their obscurity. Efforts to bring these \nsystems and technologies into compliance with a one-size-fits-\nall cookie cutter approach developed for commercial enterprise \nsystems could actually introduce more risk into the system. \nThis isn't to excuse NASA's cybersecurity shortcomings, as \nidentified by the IG and GAO over the years. Lost laptops, \nunsecured devices, unauthorized access to systems, and lapsed \nATOs, or authorization to operate, and poor inventory \nmanagement are all cause for concern. Which brings us to the \nsituation that NASA currently faces.\n     The COVID-19 challenge requires most of NASA's employees \nand contractors to work remotely. And while NASA has embraced \nteleworking for years, the expansion of this practice \nintroduces a larger target and more vulnerabilities for \nmalicious actors to exploit. In addition to teleworking \nchallenges, I'm also interested in understanding what level of \ninsight that NASA has on contractor cybersecurity as NASA moves \nmore to public-private partnerships. And finally, it's worth \nnoting that President Trump recently issued Space Policy \nDirective Number Five, focused on cybersecurity principles for \nspace systems. And while it is not COVID-focused specifically, \nit is particularly timely, given today's hearing and \ndemonstration of the administration's forward-looking \nleadership on this very topic.\n     I look forward to hearing more about these important \nissues, and what NASA plans to do to mitigate them, as well as \nwhat Congress and the administration can do to help. So, with \nthat, Madam Chair, I yield back.\n     [The prepared statement of Mr. Babin follows:]\n\n    NASA is one of the best-known organizations in the world. 
\nIts successes with the Mercury, Gemini, Apollo, Shuttle, and \nInternational Space Station programs--along with its \nbreathtaking scientific discoveries and jaw-dropping robotic \nprobes--attract worldwide attention. Unfortunately, that \nattention comes with challenges. The technologies that NASA \ndevelops are also sought-after by criminal entities, \nunscrupulous foreign governments, and destructive vandals. \nBecause many of these technologies have both civil and military \napplications, these challenges are particularly grave.\n    This is a topic that this Committee has focused on for \ndecades. One of our witnesses, NASA Inspector General Martin, \ntestified before the Investigations and Oversight Subcommittee \nalmost ten years ago on information security. At that hearing, \nhe testified that an unencrypted laptop was stolen from NASA \nthat ``resulted in the loss of the algorithms'' used to control \nthe space station, as well as personally identifiable \ninformation and intellectual property.\n    Similarly, the U.S. China Economic and Security Review \nCommission noted in its 2011 report to Congress that the Terra \nand Landsat-7 satellites ``experienced at least two separate \ninstances of interference apparently consistent with cyber \nactivities against their command and control systems.'' More \nrecently, the NASA Office of the Inspector General issued its \nyearly FISMA report in July, which found that ``. . . \ninformation systems throughout the Agency face an unnecessarily \nhigh level of risk that threatens the confidentiality, \nintegrity, and availability of NASA's information.'' The report \nconcluded that ``. . . 
it is imperative the Agency continue its \nefforts to strengthen its risk management and governance \npractices to safeguard its data from cybersecurity threats.'' \nAnd last month, the NASA Office of the Inspector General issued \nanother report on NASA's use of non-agency IT Devices that \nfound that ``NASA is not adequately securing its networks from \nunauthorized access by IT devices.'' The NASA Inspector General \nis currently tracking 25 open recommendations for the Office of \nthe Chief Information Officer. These do not include IT and \ncybersecurity recommendations to Mission Directorates or other \norganizations in the NASA enterprise.\n    While this may seem startling, there are specific reasons \nthat many of the recommendations remain open. For instance, \nagency-wide guidelines and best practices are often general \nrules and principles that are not optimized to specific \nagencies' unique capabilities, expertise, and challenges. For \nexample, NASA is the world leader in designing, building, \noperating, and communicating with spacecraft. This expertise \nresides within the Mission Directorates and at the Centers who \nhave cultivated this skillset over decades. In some instances, \nthey actually developed the software, information systems, and \nunderlying technologies that industry and the rest of the \ngovernment adopted and embraced.\n    In even more extreme circumstances, they continue to use \none-off operating systems that, while perhaps not compliant \nwith OMB-derived government-wide guidance, are arguably more \nsecure because of their uniqueness and obscurity. Efforts to \nbring these systems and technologies into compliance with one-\nsize-fits-all, cookie-cutter approaches developed for \ncommercial and enterprise systems could actually introduce more \nrisk. This isn't to excuse NASA's cybersecurity shortcomings as \nidentified by the IG and GAO over the years. 
Lost laptops, \nunsecured devices, unauthorized access to systems, and lapsed \nATOs (or ``Authorization to Operate''), and poor inventory \nmanagement are all cause for concern.\n    Which brings us to the situation NASA currently faces. The \nCOVID-19 challenge requires most of NASA's employees and \ncontractors to work remotely. While NASA has embraced \nteleworking for years, the expansion of this practice \nintroduces a larger target and more vulnerabilities for \nmalicious actors to exploit.\n    In addition to teleworking challenges, I am also interested \nin understanding what level of insight NASA has on contractor \ncybersecurity as NASA moves more to public-private \npartnerships. Finally, it's worth noting that President Trump \nrecently issued Space Policy Directive 5 focused on \ncybersecurity principles for space systems. While it is not \nfocused on COVID specifically, it is particularly timely given \ntoday's hearing and demonstrates the Administration's forward-\nlooking leadership on the topic.\n    I look forward to hearing more about these critical issues, \nwhat NASA plans to do to mitigate them, as well as what \nCongress and the Administration can do to help.\n    Thank you, I yield back.\n\n     Chairwoman Horn. Thank you, Ranking Member Babin, for your \nopening statement. I think it's safe to say we share many of \nthe same concerns in this area, and I'm excited and grateful \nfor the opportunity for this hearing today. If there are any \nMembers who wish to--at this point, if there are any Members \nwho wish to submit additional opening statements, your \nstatements will be added to the record at this point.\n    [The prepared statement of Chairwoman Johnson follows:]\n\n    Good morning Chairwoman Horn, Ranking Member Babin, and \nMembers of the Subcommittee. 
To our witnesses, welcome and \nthank you for being here.\n    As we ushered in 2020 and a new decade, none of us could \nhave predicted that we'd be here today, six months into a new \nway of living and working in order to protect our own and \nothers' health from COVID-19.\n    Thanks to the internet, information technology, and \ncommunication services, many Americans can continue to interact \nwith family and friends--albeit virtually--and work remotely. \nThat includes NASA's workforce.\n    To its credit, NASA is accomplishing a lot in this virtual, \ntelework environment, though some mission-essential employees \nare still working on-site.\n    <bullet> NASA and its partner, SpaceX, successfully carried \nout a commercial crew demonstration mission to the \nInternational Space Station;\n    <bullet> the Orion program completed key reviews to certify \nthat the crew vehicle is ready for flight;\n    <bullet> engineers are operating some science spacecraft \nfrom their homes; and\n    <bullet> the OSIRIS-REx team successfully completed a final \ndress rehearsal in advance of collecting samples from asteroid \nBennu next month.\n    I'm pleased that NASA's can-do spirit is prevailing, \ndespite the challenges of this pandemic. But with so many \nimportant NASA operations being carried out away from the \ninstitutional security of NASA facilities, I'm concerned about \ncybersecurity.\n    Space is hard and risky, and NASA has exceptional skills at \nmanaging risk. When it comes to cybersecurity and information \ntechnology management, however, NASA struggles.\n    The agency continues to lack a cybersecurity risk \nmanagement strategy, as recommended by GAO, and both GAO and \nthe NASA Inspector General have cited information security as a \ntop challenge for NASA.\n    Unfortunately, NASA's lagging performance on cybersecurity \nisn't new, it's a continuing problem. 
For many years, NASA IG \nand GAO reports have identified deficiencies and management \nchallenges in NASA's information security.\n    And now, with COVID, NASA--like other organizations--must \nprotect against cyber criminals and malicious actors who are \nincreasing their efforts to access government, business, and \npersonal data and IT systems while employees work from home.\n    I have no doubt that NASA officials are working hard to \nkeep the agency's IT systems and data safe, and I understand \nthey are making some progress.\n    However, long-standing, recommended actions to improve \nNASA's cybersecurity have been left undone. In addition, the \nagency's approach to IT security is fragmented and the Chief \nInformation Officer continues to lack the ability to manage \nNASA's cybersecurity efforts across the agency. NASA can and \nmust do better.\n    In closing, NASA is a catalyst for inspiration, an engine \nof discovery and innovation, and a world leader in the peaceful \nuses and exploration of outer space.\n    We can't afford to let bad actors and cyber criminals \nthreaten the safety and success of NASA's science, aeronautics \nresearch, space technology, and human spaceflight programs.\n    I look forward to hearing from our witnesses on what is \nneeded to ensure that robust and effective cybersecurity \nprotections are in place at NASA now, during COVID-19, and into \nthe future.\n    Thank you, and I yield back.\n\n     Chairwoman Horn. And now I'd like to introduce our \nwitnesses. Our first witness today is Mr. Jeff Seaton. In April \n2020 Mr. Seaton was named NASA's Chief--Acting Chief \nInformation Officer--Acting Chief Information Officer, let's \nsee if I can get that out right. Prior to his current position, \nMr. Seaton served as NASA's Deputy Chief Information Officer, \nand spent 7 years as the Chief Information Officer at NASA's \nLangley Research Center. 
He began his career with NASA in 1991 \nas a research engineer, designing robotic systems for space-\nbased applications, and also served as Langley's Chief \nTechnology Officer and Deputy CIO. Mr. Seaton received a \nBachelor's Degree and Master's Degree in Electrical Engineering \nfrom Virginia Tech. Welcome, Mr. Seaton. We're glad you're with \nus today.\n     Our next witness is Mr. Paul Martin, Inspector General for \nthe National Aeronautics and Space Administration. Mr. Martin \nhas been the NASA Inspector General since 2009, and prior to \nhis appointment at NASA, he served as the Deputy Inspector \nGeneral at the Department of Justice. He also spent 13 years at \nthe U.S. Sentencing Commission, including 6 years as the \ncommission's deputy staff director. Mr. Martin received a \nBachelor's Degree in Journalism from Pennsylvania State \nUniversity, and a Juris Doctorate from Georgetown University \nLaw Center. Welcome, Mr. Martin.\n     Our third and final witness today is Dr. Diana Burley. In \nJuly 2020 Dr. Burley was appointed as Vice Provost for Research \nand Professor of Public Administration at American University. \nPrior to her current position, Dr. Burley spent 13 years as a \nprofessor of human and organizational learning at George \nWashington University, where she was the inaugural Chair for \nthe Human and Organizational Learning Department, and the \nDirector of Executive Leadership doctoral program. She has also \nmanaged a multi-million-dollar computer science education and \nresource portfolio for the National Science Foundation. Dr. \nBurley received a Bachelor's Degree in Economics from The \nCatholic University of America, a Master's in Public Management \nand Policy from Carnegie Mellon University, and Master's and \nDoctoral Degrees in Organizational Science and Information \nPolicy, also from Carnegie Mellon University. Welcome, Dr. 
\nBurley.\n     As our witnesses, you should you know you each have 5 \nminutes for your spoken testimony. Your written testimony will \nbe included in the record for this hearing. When you have \ncompleted your spoken testimony, we will begin with questions, \nand each Member will have 5 minutes to question the panel. \nWe'll start today with Mr. Seaton. Mr. Seaton, you're \nrecognized for 5 minutes.\n\n                 TESTIMONY OF MR. JEFF SEATON,\n\n              CHIEF INFORMATION OFFICER (ACTING),\n\n         NATIONAL AERONAUTICS AND SPACE ADMINISTRATION\n\n     Mr. Seaton. Thank you, Chairwoman Horn, Ranking Member \nBabin, and Members of the Subcommittee on Space and \nAeronautics, for allowing me to appear before you today and \ntalk about NASA's information technology infrastructure, and \nour efforts to manage and protect that infrastructure during \nthe COVID-19 pandemic. Thankfully, due to strategic investments \nmade over the last several years, NASA was well positioned to \nkeep our missions moving forward by shifting the majority of \nour workforce to telework last March. As a result, NASA has \nnever been closed, and our workforce has continued to work \nremotely in a productive, and often creative, manner, despite \nthe highly contagious COVID-19 virus. With strict safety \nprotocols in place, NASA is now gradually allowing more \nemployees onsite, based on factors such as local conditions, \nand guidance from the CDC (Centers for Disease Control) and \nother Federal partners. Let me assure you, the safety of our \nworkforce remains our top priority. At the same time, \nprotecting and effectively operating our IT infrastructure \ncontinues to be another top, massive focus.\n     IT plays a critical role of every aspect of NASA's \nmissions. However, effective IT management is not an easy task. 
\nAs NASA's Acting Chief Information Officer, it's my job to \nbalance implementing innovative, mission-enabling IT \ncapabilities with operational efficiency and effective \ncybersecurity to guard against evolving threats. During the \npandemic the demands and expectations placed on NASA's IT \ninfrastructure have been incredibly high, and the threats from \nexternal actors remain an ongoing concern. However, with hard \nwork, dedication, and innovation, NASA's CIO team has risen to \nthe challenge of keeping our missions moving forward. For \nexample, OCIO (Office of the Chief Information Officer) helped \nrapidly develop software to track cases of onsite COVID-19 \nexposures, while also meeting all security and privacy \nrequirements. Additionally, with OCIO's help, NASA continues to \nhire and onboard new employees, contractors, and interns with \ninnovative approaches to provisioning and maintaining IT \nsystems and tools remotely.\n     For NASA employees the pandemic has dramatically changed \nthe way that we work. While many employees already teleworked \nat least occasionally before the pandemic, having 90 percent of \nemployees teleworking at the same time has been game changing. \nNASA employees have significantly increased their use of \nvirtual collaboration tools, such as Webex and Microsoft Teams, \nso we can interact with each other face to face while sharing \nvirtual collaborative workspaces. Employees are dependent on \nNASA's virtual private network (VPN) to connect securely to \ninternal networks and systems. Before the pandemic, our highest \nVPN connection rate was about 12,000 users in a single day. 
\nToday our VPN is supporting almost 40,000 daily users, with an \navailability exceeding 99 percent, thanks to architectural and \ncapacity improvements implemented over the past 24 months.\n     Like other Federal agencies, NASA's IT infrastructure is \nunder constant attack from well-resourced and highly motivated \ndomestic and foreign adversaries, and we remain a popular \ntarget today. Therefore, we continue to strengthen our \ntechnical and procedural capabilities to proactively defend and \nprotect our systems and data. While the reported number of \nattempted cyber incidents continues to increase partly because \nwe have greater visibility into our network today, I'm \nconfident that NASA is appropriately addressing and \nstrengthening our response to these threats.\n     In Fiscal Year 2020 NASA developed a continuity of \noperations capability to further enhance our security \noperations center (SOC), located at the Ames Research Center. \nPreviously, if SOC operations were disrupted, we had a limited \nability to identify, detect, and respond to incidents. Today \nNASA SOC operations span multiple centers, allowing us to \nmaintain 24 by 7 SOC operations at all times, even if there is \nan isolated disruption. With strengthened tools and \ncapabilities, NASA is transitioning from a largely reactive to \na more proactive cybersecurity posture. As the pandemic \nworsened in April, NASA even moved the SOC to remote operations \nto ensure employee safety, and we did so without negatively \nimpacting our network or our cybersecurity capabilities.\n     In closing, I want to personally thank not only my OCIO \nstaff and leadership, but the entire NASA workforce for their \nhard work, and the personal sacrifices they've made during this \nchallenging time. 
Our employees are finding new ways to keep \nmissions moving forward, support each other, balance work and \nfamily pressures, and even dedicate their expertise and \npersonal time to developing technologies that are aiding in the \nnational response to the coronavirus. While no one is sure what \nthe future holds, NASA's senior leaders, including myself, are \ncommitted to keeping the NASA workforce safe, and providing \nthem with the IT tools and infrastructure they need to continue \nexecuting our missions. I want to assure you that protecting \nand evolving NASA's IT infrastructure is, and will remain, a \ntop agency priority. Thank you for the opportunity to testify \nbefore you today, and I look forward to answering any of your \nquestions. Thank you.\n     [The prepared statement of Mr. Seaton follows:]\n     \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     \n       \n     Chairwoman Horn. Thank you very much, Mr. Seaton. Mr. \nMartin, recognized--you are now recognized for your testimony.\n\n           TESTIMONY OF THE HONORABLE PAUL K. MARTIN,\n\n            INSPECTOR GENERAL, NATIONAL AERONAUTICS\n\n                    AND SPACE ADMINISTRATION\n\n     Mr. Martin. Thank you, Chairwoman Horn, Ranking Member \nBabin, and Members of the Subcommittee. The NASA Office of \nInspector General has conducted a significant amount of \noversight work to help NASA improve its information technology \ngovernance, while securing its networks and data from cyber \nattacks. Over the past 5 years we issued 16 audit reports, with \n72 recommendations related to IT governance and security. \nDuring this same period we've conducted more than 120 \ninvestigations involving intrusions, denial of service attacks, \nand data breaches on NASA networks, several of which have \nresulted in criminal convictions. My testimony today is \ninformed by this body of audit and investigative work.\n     The soundness and security of its data and IT systems is \ncentral to NASA's success. 
The agency spends more than $2.2 \nbillion a year on a portfolio of IT assets that include \nhundreds of information systems used to control spacecraft, \ncollect and process scientific data, and enable NASA personnel \nto collaborate with colleagues around the world. Given the \nvaluable technical and intellectual capital NASA produces, its \nIT systems present a high value target for cyber criminals. The \npast 6 months in particular has tested the agency, as more than \n90 percent of NASA's workforce moved from onsite to remote work \ndue to the pandemic. During this period, NASA has experienced \nan uptick in cyber threats, with phishing attempts doubling, \nand malware attacks rising substantially. This morning I offer \nthree observations about the state of NASA's IT security and \ngovernance to provide context for the scope of its challenges.\n     First, our concerns with NASA's IT governance security are \nwide-ranging and longstanding. For more than 2 decades NASA has \nstruggled to implement an effective IT governed structure that \naligns authority and responsibility commensurate with the \nagency's overall mission. Specifically, the agency's CIO has \nlimited oversight and influence over IT purchases and security \ndecisions within mission directorates and at NASA centers. This \nde-centralized nature of NASA's operations, coupled with its \nhistoric culture of autonomy, have hindered the CIO's ability \nto implement effective enterprise-wide IT governance. Moreover, \nNASA's connectivity with educational institutions, and other \noutside organizations, and its vast online presence of 3,000 \nweb domains, and more than 42,000 publicly accessible data \nsets, offer cyber criminals a larger target than most other \ngovernment agencies.\n     Second, despite positive forward momentum, the agency's IT \npractices continue to fall short of Federal requirements. 
For \nexample, in 2019, for the fourth year in a row, NASA \nperformance during our annual FISMA review remained at level \ntwo out of five, meaning the agency has issued, but has not \nconsistently implemented, important policies and procedures \ndefining its IT security program. And third, like many other \npublic and private organizations, NASA struggles to find the \nright balance between user flexibility and system security. For \nexample, for years NASA permitted personally owned and partner \nowned mobile IT devices to access non-public data, even if \nthose devices did not have a valid authorization. Today NASA \nemployees and partners can use non-agency mobile devices to \naccess e-mail if the user installs security software known as \nmobile device management.\n     However, an OIG (Office of Inspector General) audit last \nmonth found that NASA was not adequately securing its e-mail \nnetworks from unauthorized access by these personally owned \ndevices. Although NASA has deployed technologies to monitor \nunauthorized connections, it has not fully implemented controls \nto remove or block those devices. Moreover, the agency's \nDecember 2019 target for installing these controls was delayed \ndue to technological issues and pandemic-related center \nclosures. Until these enforcement controls are fully \nimplemented, NASA faces an elevated risk of a breach.\n     Finally, as part of its MAP (Mission Support Future \nArchitecture Program) initiative, NASA plans to centralize and \nconsolidate IT capabilities. The CIO's office expects to \ncomplete its MAP assessment by March 2021, with implementation \non its institutional systems beginning later that year. As MAP \nunfolds, we plan to assess whether this enterprise-level \nalignment has strengthened cybersecurity at NASA. I look \nforward to your questions.\n     [The prepared statement of Mr. Martin follows:]\n     \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     \n        \n     Chairwoman Horn. 
Thank you, Mr. Martin. Dr. Burley, you're \nrecognized for your testimony.\n\n            TESTIMONY OF DR. DIANA L. BURLEY, PH.D.,\n\n         VICE PROVOST FOR RESEARCH, AMERICAN UNIVERSITY\n\n     Dr. Burley. Thank you. Subcommittee Chairwoman Horn, \nRanking Member Babin, and distinguished Members of the \nCommittee, thank you for the opportunity to appear before you \ntoday. As the Nation continues to navigate the complex and \nuncertain environment of the global pandemic, it is vital that \nwe engage in a robust discussion on the cybersecurity related \nchallenges and emerging issues for increased telework during \nthis time. At American University we are guided by our \nstrategic plan, Changemakers for a Changing World. AU empowers \ngraduates to navigate, shape, and lead the future of work, and \nAU researchers are pushing the boundaries of discovery in \nhealthcare, data science, social equity, and security. In my \nremarks today, which are shaped by a decades-long career \nleading cybersecurity initiatives, I will highlight how the \ninterplay of these areas supports the development of a holistic \nstrategy to address cybersecurity issues surrounding the \nexponential growth in telework during this unprecedented time.\n     Concerns over exposure to COVID-19 have accelerated a mass \nmigration to virtual settings. While teleworking arrangements \nhave existed for years, never before had we seen the range and \nvolume of remote workers or remote working environments. \nEmployees across the spectrum of demographic categories and \ntechnical abilities are now working remotely, and engaging with \ntheir employers, colleagues, and customers through a digital \ninterface, and on a range of devices. Securing this activity \nnecessitates that we recognize both the technical needs and the \nenvironmental factors that shape that behavior. Consider the \nfollowing. Novice users and novice experiences create \nvulnerabilities. 
In the hurried transition to remote work, \nagencies did not have sufficient time to prepare novice users \nfor the complexity of their newly virtual working environments.\n     Where overall security is more reliant upon individual \ndecisions made by employees and non-employees alike, even \nseasoned users who have developed behaviors in accordance with \nonsite protections face new challenges, and can find themselves \nless prepared to avoid the vulnerabilities exposed by the \nremote working environments. Employees are working under \nduress. COVID-19 continues to drive economic instability, \nhealth-related concerns, anxiety, and confusion. Employees are \nworried about meeting their basic needs, and are less likely to \nattend to seemingly lower priorities like cybersecurity. Cyber \ncriminals exploit targets of opportunity. The shift in activity \nprovides a larger attack surface, and leads to more \nopportunities for cyber criminals to use social engineering \ntechniques such as fraud, misdirection, and disinformation to \nexploit those vulnerabilities.\n     Users bring their entire selves online. If we use the \npublic health analogy of treating the whole patient, we can \nstrengthen the efficacy of guidance to engage in robust cyber \nhygiene activities. In public health practice, successful \ntreatment is inextricably linked to the social and \nenvironmental conditions of its patients. Today, in the midst \nof the COVID-19 pandemic, we must recognize that while basic \ncyber hygiene practice is relatively doable under normal \ncircumstances, these are not normal times. Our workers are \ndistracted, frightened, and fatigued. This is especially true \nfor the most vulnerable users. 
As such, strategies to \nstrengthen the cybersecurity of teleworkers must consider the \nfull spectrum of user experiences and address the complex \nrealities of their needs.\n     The points I have just outlined represent only a snapshot \nof the benefit of using a holistic approach to reduce the \nimpact of cybersecurity related vulnerabilities. I have long \nadvocated for this type of approach. Now, and with a greater \nsense of urgency, we must collaboratively develop interventions \nthat address the dynamic interplay between technical and \nenvironmental variables that shape the cybersecurity posture \nacross the broad range of teleworkers as they navigate the \nCOVID-19 environment. I look forward to continued engagement \nwith this esteemed Committee to develop concrete strategies \nthat raise awareness of the threat, encourage actions that \nincrease the cybersecurity of the Nation's employees, and \nprotect our most vulnerable citizens. Thank you.\n     [The prepared statement of Dr. Burley follows:]\n     \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     \n        \n     Chairwoman Horn. Thank you very much, Dr. Burley. At this \npoint we will begin our first--with our first round of \nquestions, and the Chair recognizes herself for 5 minutes.\n     Thank you to our witnesses today. It's clear that these \nare important issues, and there's a lot of things to tackle. \nAnd I want to start, Mr. Seaton, with some questions about \ncontractors, as--and cybersecurity contractors, especially \ngiven the increased use, and the significant use of contractors \nwithin NASA's workforce. So I have a number of questions, I'm \ngoing to try and get through as many as we can. 
Some of them \nare just yes or no, then we'll get to a few other things.\n     So what we know, and I mentioned the article today in The \nHill, is that our systems are--there's a lot of information \nthat hackers are very interested in, and the contractors that \nNASA works with are integral to our Nation's space agency. So \nmy first question is, are there FAR clauses, Federal \nAcquisition Regulation clauses, that specifically refer to \ncontractor cybersecurity requirements?\n     Mr. Seaton. Yes, there are, and we include those in our \nagency contracts to ensure that our providers follow the \ncybersecurity requirement.\n     Chairwoman Horn. OK. So let me follow up on that for a \nmoment, because--so those are NASA cybersecurity requirements? \nBecause we asked earlier this year about associated FAR \nlanguage, and NASA's response was that there are no FAR \nrequirements, there are no FAR clauses. But to--do those fall \nunder NASA requirements in contracts?\n     Mr. Seaton. We have a NASA FAR supplement, and to get \nspecifics on what those requirements are included via that, I \ncan certainly take a question for the record to get that.\n     Chairwoman Horn. OK. Absolutely. And so, when those \nclauses are included, is it NASA that signs off on the \ncybersecurity? Are there waivers? What--who signs off on the \nrequirements for cybersecurity, that they've been met?\n     Mr. Seaton. Well, we have automated tools to be able to \nensure that our contractors are complying with the requirements \nwhen they're connecting to any NASA system, just as any NASA \nemployee would. So, as was mentioned in the earlier testimony, \nwe've put in place controls, and are continuing to strengthen \nthose controls, to ensure that only authorized devices can \nconnect to our networks and systems.\n     Chairwoman Horn. OK. And who has oversight of contractor \ncybersecurity protocols? Is that through your office? 
Are you \nable to conduct oversight and audits of cybersecurity practices \nby contractors?\n     Mr. Seaton. Ultimately. I am the Acting Information \nOfficer, and so cybersecurity is my responsibility, and so it \nwould be me and my team that ensures compliance with the \ncybersecurity requirements.\n     Chairwoman Horn. OK. And do you feel like you have \nsufficient oversight, and insight, and ability to do that \nwithin your authorized--within your authorities?\n     Mr. Seaton. Yes, I would say that I do believe that, \nwithin NASA, I've been given the appropriate authority and \nsupport, but I will say that the environment is continuing to \nchange, and it's a dynamic landscape, as IT is no longer just \nthe computer and the laptop on your desk, but expands to \noperational technology work. IT is embedded within systems, and \nso I would say it's challenging with that evolving landscape, \nand so we continue to mature our processes.\n     Chairwoman Horn. OK. Thank you. Stepping back to the \nchallenges from this year during COVID-19, I'll have a question \nfor Mr. Martin and Mr. Seaton, and hopefully we'll have time to \nget to Dr. Burley, about a broader--the memo, Mr. Seaton, that \nyour predecessor published on April 8 warned of increased \nattempts in cyberattacks, and--especially during COVID-19, and \nI'm--my first question is--to you, actually, then to Mr. \nMartin, how has the rate of cyberattacks changed since that \nmemo in April, and what steps has the OCIO taken to respond to \nthose increased attempts?\n     Mr. Seaton. Well, we have seen an increase in phishing \nattacks, and a lower level of some other attacks, but honestly, \nthe change to the pandemic operating model is consistent with \nhow NASA has operated in the past. We've supported a mobile \nworkforce, and so have put in place controls and technologies \nto mitigate against some of these threats, including automated \nprevention of phishing attacks. 
Because, when it comes down to \nit, you and I are the most vulnerable part of our IT security \nenvironments, the people, and so we try to put in place \nautomated controls to actually make that easier for our \nemployees, and I've, seen significant improvements in phishing \nprotections over the last 2 years.\n     Chairwoman Horn. Thank you, and quickly, Mr. Martin, my \ntime is coming to an end, but what is your confidence level in \nNASA's ability to sufficiently address and increase--the \nincrease in cyber threats as reported by the OCIO?\n     Mr. Martin. Overall I think they're making incremental \nimprovement. They're heading in the right direction, but--and I \nthink there's a real--new realization over the last couple \nyears of the expanse and significance of the challenge, so I \nthink we're very, very cautiously optimistic.\n     Chairwoman Horn. Wonderful. Thank you very much. I now \nrecognize Ranking Member Babin for 5 minutes of questions.\n     Mr. Babin. Thank you, Madam Chair. I think I'm unmuted. \nHopefully I am. I want to address this to Chief Information \nOfficer Mr. Seaton. Two weeks ago President Trump signed Space \nPolicy Directive Number Five, which focused on cybersecurity \nprinciples for space systems. SPD-5 states, ``It is the policy \nof the United States that executive departments and agencies \nwill foster practices within government space operations, and \nacross the commercial space industry, that protect space \nassets, and their supporting infrastructure, from cyber \nthreats, and ensure continuity of operations.'' My question is \nthis. As NASA increases its use of public/private partnerships, \nhow will it ensure that contractors comply with this policy \nwithout implementing regulations?\n     Mr. Seaton. Yeah, thank you for the question. Yeah, so \nSPD-5, we appreciate the administration and this Congress's \nfocus on space cybersecurity, because that's critically \nimportant to us. 
We're currently in the process of reviewing \nand analyzing SPD-5, but the good news is we see a lot of \nconsistency with best practices that we are already \nimplementing, and will continue to look to strengthen our \ncybersecurity, both within our missions, as well as with our \ncontract partners.\n     Mr. Babin. Absolutely. Thank you so much. My next question \nwould be to Inspector General Paul Martin. Your office issued a \nreport on JPL, Jet Propulsion Laboratory's, cybersecurity \nmanagement last year. JPL, unlike other NASA centers, is \nmanaged by a contractor, of course that's Cal Tech. The report \nhighlights the fact that NASA's contract with Cal Tech did not \ninclude relevant requirements from NASA IT security policies. \nAnd so has the OIG conducted a review of other NASA contractors \nto determine if their contracts include necessary clauses \npertaining to IT security, and if so, how many has your office \nconducted?\n     Mr. Martin. Thank you, Mr. Babin. We have not conducted a \nseparate audit looking at that specific issue. Although, if I \ncould double back, the concerns we had when NASA entered into a \nnew 5-year contract with Cal Tech, that the contract was absent \nthe significant IT oversight provisions. We have since followed \nup and found out that JPL has issued, and NASA has accepted, \nand we've reviewed, and they do meet the criteria that we were \nconcerned about. So the Federal imposed oversight, IT \noversight, is going to happen at JPL, so we're pleased for \nthat.\n     Mr. Babin. OK. Thank you. And does the OIG conduct \ncompliance audits to determine if contractors are fulfilling \ntheir contractual obligations pertaining to information \nsecurity, and if so, how many has your office conducted there?\n     Mr. Martin. 
Again, we conduct a significant number of \nprogram audits that look at the programs that are run by these \ncontractors, and part of that review includes a detailed dive \ninto the contracts to make sure that the IT security \nrequirements are not only in the contract, but they're actually \nfollowed.\n     Mr. Babin. Is this a more appropriate role for the NASA \nCIO or procurement office to conduct, rather than the OIG?\n     Mr. Martin. Well, I think the--certainly the CIO's office \nand procurement have to ensure at the outset that the \nappropriate security issues and safeguards are contained in the \ncontract themselves, and ongoing--good contract management \nwould show that you need to ensure that they're being \neffective. Now, the OIG has limited capacity, like most \norganizations, and so we're going to try to target the more \nhigh risk, high value operations that NASA has to do a deep \ndive audit.\n     Mr. Babin. OK. And then, as this very hearing \ndemonstrates, NASA and the Nation have adopted \nvideoconferencing to adapt to social distancing requirements. \nHas NASA identified any vulnerabilities with commercial \nvideoconferencing platforms? Are certain videoconference not \nallowed for NASA use based on technical characteristics or \nconcerns over foreign influence? I would just say--what every \none of you have to say. Just a short, concise answer. \nAppreciate it.\n     Mr. Seaton. Yes, I'll start with that, and say we have a \nset of approved tools that have gone through the appropriate \nsecurity validation, which includes assessing any threats \nexternally to those environments, and, outside of that, other \ntools are not approved for use within NASA.\n     Mr. Babin. OK. And then----\n     Mr. Martin. NASA OIG is using those approved tools.\n     Mr. Babin. OK. All right, good. And, Dr. Burley, did you \nwant to add to that at all?\n     Dr. Burley. Most agencies and other organizations have \ntheir list of approved tools.\n     Mr. 
Babin. OK. Well, Madam Chair, I've spent all my time, \nso I will yield back, and I want to thank all the witnesses. We \nappreciate it very much. Yield back.\n     Chairwoman Horn. Thank you very much, Ranking Member \nBabin. And, Mr. Perlmutter, you're recognized for 5 minutes.\n     Mr. Perlmutter. Thank you, Madam Chair, and I think one of \nthe biggest problems with this remote stuff is when somebody \nlike Dr. Babin is walking around with his phone, and I feel \nlike we're in The Blair Witch Project, but that's a whole other \nproblem. My questions are for you, Dr. Burley, and Mr. Seaton \nmentioned the most vulnerable spot for, you know, hacking and \ncybersecurity is the individual, the person. And when you were \ntestifying, you talked about novice users, you know, not \nfamiliar with the equipment or security protocol, employees \nunder duress, worried about their basic needs, and not the more \nrefined things like cybersecurity, you know, that folks are \nhaving trouble because they're distracted, frightened, and \nfatigued, I think were your terms. So what--I mean, it almost \nfeels not that the CIO should be involved, but the Personnel \nDepartment is really the--one of the keys here. So what do you \nsee, whether it's NASA, or generally across the agencies, being \ndone to help the individuals kind of get through this very \nanxious period and maintain cybersecurity?\n     Dr. Burley. Thank you for your question. But--so you're \nabsolutely right in that it needs to be a collaboration between \nthe IT Department and the H.R. (human resources) Department. \nSo, first, every agency has a set of cybersecurity awareness \nprograms that they have in place, and that really guide not \nonly behavior within the organization, within the walls, but \nalso outside. Those awareness programs need to be adapted, \nrecognizing that the employees are working in a different \nenvironment, they're working remotely, and they're working \naround other people. 
It's not just them. It's also----\n     Mr. Perlmutter. Right.\n     Dr. Burley [continuing]. Family members, and others who \nare in their environments. And so we have to take a hard look \nat those awareness programs, and recognize that they need to be \nadapted based on the current realities of work. And second, \nyes, absolutely, human resource professionals need to be \ninvolved to provide the kind of support to our employees that \nthey need so that they are able to focus on not only doing \ntheir work, but doing their work in a secure manner.\n     Mr. Perlmutter. And I guess I hadn't even thought of it, \nbut obviously we should think of it, people are working from \nhome, the kids are in the background, or, you know, whoever \nmight be in the background, so it isn't like you're in the \noffice at NASA headquarters, where everything's pretty safe and \nsecure. So I think, Madam Chair, I'm going to yield back, but I \ndo think this really is cooperation, certainly between the H.R. \nDepartment and all of the technology folks. And Mr.--I mean, \nall three of our speakers have sort of focused on that, but I--\nin this pandemic, that's critical, and I yield back.\n     Chairwoman Horn. Thank you very much, Mr. Perlmutter. Mr. \nPosey, you're recognized for 5 minutes.\n     Mr. Posey. Thank you, Madam Chair, for holding this \nhearing on this important issue regarding cybersecurity at NASA \nduring COVID-19. Just to recap, in June 2020 NASA's Inspector \nGeneral stated NASA's high profile and sensitive technology \nmakes the agency an attractive target for computer hackers and \nother bad actors. And, as stated earlier, during the COVID-19 \npandemic, many NASA and contractor employees are teleworking, \nand possibly making the agency a bigger target. 
In a June 2020 
report the Inspector General said it's vital that the agency 
develop its information security program to protect the 
confidentiality, integrity, and availability of its data, 
systems, and networks. This is not a new problem facing NASA. 
An assessment by the National Academy of Public Administration 
(NAPA) concluded back in 2014 that NASA networks are 
compromised, and that individuals are not being held 
accountable.
     It's not a new concern for us either. I included language 
in the House-passed NASA authorization bill back in 2015 to 
address this by requiring a report on how NASA would safeguard 
its networks and protect against control violations. The 
Inspector General also made the nine recommendations to NASA, 
including making sure the risk information security system 
compliance and data protection capabilities are updated to keep 
the data secure. And the Inspector General concluded that the 
threats are increasing, and that it is imperative for NASA to 
continue its efforts, and strengthen its risk management 
government practices to safeguard its data from cybersecurity 
threats.
     So, Inspector Martin, first, it was noted that NASA is an 
attractive target for computer hackers and bad actors. Is China 
one of those bad actors, and does China present a cybersecurity 
threat to NASA? And, besides securing its information 
technology, what steps has NASA done to secure its supply chain 
from China hackers? And has NASA, or the Inspector General, 
criminally reported a cybersecurity case involving China to the 
Department of Justice yet?
     Mr. Martin. Yes, yes, no. I'm joking. That was a lot of 
questions. China is one of the foreign entities out there. 
China's not the sole entity, country, out there that is seeking 
NASA's very valuable intellectual property. NASA is taking 
steps, and has been, to secure its intellectual property and 
its networks from attack both from China and from a series of 
other countries, and also local hackers. So yes, NASA is--we 
have conducted a series of criminal investigations, and we work 
with the FBI (Federal Bureau of Investigation) and 
counterintelligence officials when we get leads on these 
issues.
     Mr. Posey. Good, thank you. And Mr. Seaton, with 
cybersecurity threats increasing, has NASA taken the necessary 
actions to address the assessment of the National Academy of 
Public Administration back in 2014, and the nine 
recommendations identified by the Inspector General, to keep 
the data secure?
     Mr. Seaton. Yes. I'm happy to report that we closed out 
all of the recommendations, there were quite a few, in the NAPA 
report, and those have been implemented, and I do think that 
they improved our security and our practices.
     Mr. Posey. OK, thank you. Dr. Burley, should the National 
Academy do another study to examine the vulnerabilities that 
teleworking presents?
     Dr. Burley. The opportunity for associations and National 
Academies to do studies gives us an in depth look, and so I 
would say yes.
     Mr. Posey. Thank you, Madam Chair. I yield back the 
remainder of my time.
     Chairwoman Horn. Thank you, Mr. Posey. The Chair now 
recognizes Mr. Beyer for 5 minutes.
     Mr. Beyer [continuing]. My mute button. Thank you, Madam 
Chair, very much. Mr. Seaton, thank you very much for joining 
us today. In your testimony you mentioned that in the course of 
the pandemic you were able to onboard new employees, new 
interns, and, amazingly, our office has been able to do the 
same, wonderful interns and new staff. We've also been able to 
safely ensure that all staff and interns have House-issued 
equipment, including laptops and phones. So the--in the OIG 
report, I was surprised that personally owned devices could 
connect to internal systems, and that OIG was critical of your 
not monitoring--enforcing the rules associated with granting 
access to the NASA networks. So how do you make sure that new 
employees will be given the proper equipment, and if they're 
not getting NASA issued equipment, how do we ensure that those 
personal devices are secured?
     Mr. Seaton. Yes, thanks, great question. We actually do 
require the use of NASA-provided equipment for our new 
employees and interns, so we do provide them with the tools 
that they need. Recently, within the last 2 years, it was my 
office that changed the policy that was referred to earlier, 
where, yes, previously we did allow personal devices to 
connect. That is no longer allowed by policy. The only 
allowance is for a mobile device that has a mobile device 
management software that we provide that creates a secure 
container, and a secure connection, back to our e-mail and 
calendaring systems, if an employee will consent to us managing 
their personal device with that software. That's the one case 
where we do allow that.
     Where we do have opportunities to continue to strengthen 
our architecture is implementing the automated controls to 
ensure that that is what's happening. So network access 
control, and the pandemic, has actually impacted our 
implementation there, pushing out that schedule into next year, 
but we've made significant progress through DHS, the CDM 
(Continuous Diagnostics and Mitigation) Program, to know what's 
on our network, and who's on our network, and have a little bit 
more to do there.
     Mr. Beyer. Good, good. Thank you. That's encouraging to 
know, because I'm sure the stuff you have is much more 
important than the thing that's on my network. Mr. Martin, you 
talked about the malicious intrusions in the NASA systems, you 
know, unauthorized access to Deep Space Network. Other than the 
personally identifiable information, what are they after, and 
how much of this is China, Russia, the other nations that are 
interested in space, and will this affect, or could this 
affect, our lunar missions or Mars mission, James Webb, and 
some of the really big important things that NASA's doing?
     Mr. Martin. Thank you, Congressman Beyer. NASA has vast 
troves of important intellectual capital that it has spent 
decades amassing, and so I think folks are--country actors are 
after that information, the innovations that NASA's so famous 
for around the world. There's everything from PII, there's 
contractual data on the systems, so there's just a vast and 
wide array. And, again, we've had--NASA, unfortunately, has 
been under attack from both domestic and foreign cyber 
criminals, and so it is just an ongoing, incredibly difficult 
issue to keep NASA's defenses up.
     Mr. Beyer. OK, thank you very much. And, Professor Burley, 
you know one of the challenges NASA has, obviously is that 
they're so decentralized. So many of us have NASA facilities 
near or close, and so a one size fits all is always going to be 
difficult. Are there other examples of systems, especially 
Federal systems, that are similarly decentralized that have 
been able to effectively secure their IT systems? Are there 
anybody for NASA to imitate or emulate?
     Dr. Burley. I think that the CIO from NASA would know 
better, but there are many different decentralized systems, 
both within the Federal Government and outside, that could be 
used as a guide to at least begin to think about best practices 
and other strategies for securing the networks.
     Mr. Beyer. Let me pivot to Mr. Seaton, then, quickly, 
because I know, like, Department of Commerce had 13 different 
CIOs. Do you have the same challenge within NASA?
     Mr. Seaton. Yeah. So there's one CIO, but there are center 
CIOs. They all report to me. We have a single IT strategy, and, 
for almost a decade now, we've been working to integrate and 
operate as a cohesive unit, acknowledging that there are some 
uniquenesses at our centers, but implementing consistent 
policies, and moving toward enterprise services and contracts. 
So I think we are moving in the enterprise direction very 
significantly.
     Mr. Beyer. Thank you very much. And, Madam Chair, I yield 
back.
     Chairwoman Horn. Thank you very much, Mr. Beyer. Mr. 
Garcia, you're recognized for 5 minutes.
     Mr. Garcia. Thank you, Madam Chairwoman, appreciate it, 
and appreciate the testimony and the witnesses today. Very 
exciting times for NASA, and also very challenging, with very 
unique dynamics in play here. I guess I've got a few questions, 
and probably directed to all of you, Mr. Seaton, Mr. Martin, 
and Dr. Burley. I come from a company where I was a program 
director for a large air breather program, and it was both 
classified and unclassified elements to it. One of the big 
challenges that we had as a large prime was that the classified 
elements fell under NISPOM (National Industrial Security 
Program Operating Manual) requirements, which I think were 
effectively what Chairwoman Horn was asking about on the 
classified side, as far as our compliance and requirements. 
Those requirements led to onerous costs to suppliers, and to 
the lower level supply chain folks.
     What is NASA doing, I guess, to make sure that the small 
businesses that are a critical element of your supply chain 
aren't necessarily getting overwhelmed with either 
cybersecurity requirements, or cybersecurity development work, 
software development work, and therefore almost being dissuaded 
from entering into this industry, into this support chain? Are 
we able to provide GFI, or government furnished IP (Internet 
Protocol) to make sure and flow down to the lower level 
suppliers to make sure that they're baking in some of these 
cybersecurity elements into their respective programs, or how 
do we communicate, I guess, with those lower tier supply chain 
folks? I guess, Mr. Seaton, we can start with you.
     Mr. Seaton. Sure. I will say that is a challenge. Making 
sure that all of our suppliers and providers appreciate the 
significance of cybersecurity, and are building that into the 
solutions they deliver, is a requirement of doing business 
today, right, today with supply chain risk management. Just in 
August Section 889 was enacted, that requires us to certify 
that anybody we're doing business with complies with supply 
chain restrictions that are Federal-wide. So we're working with 
our providers and suppliers to make sure they understand, and 
that they build that into their practices.
     Mr. Garcia. Yeah, I just, you know, we ought to just make 
sure we're balancing the risk mitigation efforts, which are 
absolutely critical and essential. We have to do it with the 
cost elements, and the, you know, just making sure that we're 
not driving some of these key suppliers out of business, or out 
of our industry, or out of your business, right? I know that's 
a delicate balancing act as well.
     Mr. Seaton. True. The cost of having a compromise is 
significant too, though, so you're right, it is a balancing 
act, and we'll continue to try to work.
     Mr. Garcia. Are the primes, or tier one suppliers, 
actively looking to package up programs or software, you know, 
programs to download to the lower level suppliers, or is it 
sort of ad hoc, depending on what the threat is, and what the 
threat mitigation measure is?
     Mr. Seaton. Yeah. Unfortunately, I really can't speak to 
the individual practices of the companies and suppliers.
     Mr. Garcia. OK. And then I guess just characterizing 
classified versus unclassified, are you able to speak to what 
percentage of your networks are on unclassified networks, and 
is one of the sides lagging the other? In other words, do you 
see, you know, more threats on the classified side, or fewer 
threats, but maybe more, you know, more critical impact to 
those networks? Or how would you characterize the deltas there 
between unclassed versus the high side?
     Mr. Seaton. Yes, and my office is responsible for the 
unclassified side. We work with our Office of Protective 
Services on the classified side. I can't really speak in this 
forum to kind of the division there, but I will say that 
oftentimes compromises on the unclassified side can be used to 
propagate to other systems that--and so that's a concern, even 
on the unclassified side.
     Mr. Garcia. OK, great. Yeah. And, Mr. Martin or Dr. 
Burley, I don't know if you guys care to comment on either of 
those topics there.
     Mr. Martin. We have little or no work on the classified 
side at NASA.
     Mr. Garcia. OK. That's good to know. OK. So I would just, 
you know, we hosted a small business summit with Kevin McCarthy 
as well, and with the NASA Administrator Bridenstine a couple 
of weeks ago. The cost of entry into the supply chain for all 
space programs is pretty high for some of these small 
suppliers, so I would just end with let's try to enable them, 
let's make sure we're giving them the tools to be successful 
and be able to defend not only their networks but yours, 
obviously, as your suppliers as we navigate this challenge, and 
hopefully look to synergize lessons learned and download those 
through contract requirement flow-down documents accordingly. 
So, really appreciate your guys' time, and good luck with the 
upcoming launches as well, guys, thank you. I yield back.
     Chairwoman Horn. Thank you, Mr. Garcia. And now, for the 
honorary Member of our Subcommittee, who is reliable and with 
us, Mr. Weber, you're recognized for 5 minutes. If we can get 
you unmuted. There you go.
     Mr. Weber. There we go. There's a lot of people who want 
to mute me, but nonetheless, thank you for that, Chairwoman, 
and I appreciate the opportunity of being here. You actually 
asked a question to Mr. Seaton earlier, I think, about how many 
intrusion attempts per month that NASA identified last year, 
and I want to kind of follow up on that by saying how does that 
compare, Mr. Seaton, to the intrusion attempts per month this 
year during COVID? Are you making a distinction there?
     Mr. Seaton. Yeah, so--not that direct comparison, and we 
see fluctuations based on our insight, and that insight, as I 
mentioned, is increasing, so sometimes that is the cause for a 
higher number. But we have seen an increase in phishing attacks 
and malware attacks at various times throughout the pandemic. 
That hasn't been steady, it's been fluctuating.
     Mr. Weber. Any idea or guess, 10 percent, 20 percent, five 
percent, increase?
     Mr. Seaton. At one point, over a given period of time, we 
saw a doubling of phishing attacks, but, again, there have been 
other weeks where it's been lower. So I do think, because of 
the pandemic, people are looking for the opportunity to attack, 
and will continue to.
     Mr. Weber. Well, there's been a lot of discussion about, 
you know, having personal devices, and being at home, and those 
kinds of security firewalls, if you will. And if it's sensitive 
information, I know you said you worked with the FBI and some 
of their forces, or task force, I forget the terminology you 
used, that sensitive information, if you could get it to us, it 
would be interesting for us to have, get it to my staff. And I 
want to follow up in your discussion with Mr. Garcia. You all 
talked about, well, before I do that, let me go to Mr. Martin 
really quick.
     Mr. Martin, understanding that this hearing is supposed to 
be merely focused on cyber threats during COVID, since you're 
here with us, I thought it'd be appropriate to discuss some of 
the things we've been talking about with China, for example. 
Intellectual property threats to the aerospace U.S. supply 
chain, you all talked about it a little bit, I think, with Mr. 
Garcia. During this week's Air Force Association Aerospace and 
Cyber Conference it was revealed that a longtime DOD 
(Department of Defense) and NASA launch provider, UL Lab, 
proactively, I don't know if you're familiar with this, 
proactively identified and cut ties with the supplier that was 
a security risk due to Chinese ownership. Were you aware of 
that, Mr. Martin?
     Mr. Martin. I was not, Congressman.
     Mr. Weber. OK. Well, in comments earlier, I think I'll go 
back to Mr. Seaton, with his exchange with Garcia, he said he 
couldn't speak to suppliers or speak for the suppliers. Is that 
what you were saying to Mr. Garcia?
     Mr. Seaton. I said that I could not speak to how they were 
structuring their business operations to meet the Federal 
requirements.
     Mr. Weber. Shouldn't that be something that we're looking 
at? I mean, I don't mean to sound too skeptical, but shouldn't 
NASA and actually, all of our U.S. space and defense companies 
should be taking a proactive posture to know exactly what 
safeguards are in place for a supply chain?
     Mr. Seaton. Totally agree. So how they go about doing it, 
is what I'm saying, that we're not in their business 
operations. Validating that they are complying with the 
requirements is something that we've been doing for years with 
our supply chain risk management efforts, ensuring the things 
that we buy are free of risks through coordination with the 
FBI, and now making sure that, even within their organizations, 
they do not have IT equipment provided by prohibited providers. 
So, yes, we are actively involved in ensuring that level of 
compliance.
     Mr. Weber. Well, you say how they go about it you're not 
necessarily involved in, but shouldn't there be some level of 
protocol, for lack of a better term, some threshold, some 
safeguard, they have to meet minimum safeguards, and somebody 
has to be looking over their shoulder in that regard? Is that 
fair to say?
     Mr. Seaton. Yeah. Again, compliance with our cybersecurity 
requirements is absolutely critical, and that is our 
responsibility. How they--their business practices is what I'm 
saying that we are not getting in the middle of.
     Mr. Weber. Would you say that, in this particular 
instance, where that supplier was identified, that it would be 
worthwhile to go back and see exactly how that happened, how 
that supplier got the proverbial camel's nose under the tent?
     Mr. Seaton. I think it's in the Federal Government's best 
interest to understand where vulnerabilities emanate from, so, 
certainly.
     Mr. Weber. Whose responsibility is that?
     Mr. Seaton. I think it's a shared responsibility.
     Mr. Weber. Between who?
     Mr. Seaton. Between the Federal agencies that are 
responsible for our cybersecurity policy, as well as an agency 
that would be interacting with a specific provider.
     Mr. Weber. Is that something you could follow up with our 
office on, and tell us who those agencies are, and who has 
responsibility for that agency? And I'm talking about 
addressing this particular instance, and how it was discovered, 
and how we got there, and what steps are going to be taken to 
prevent similar occurrences. Can you follow up with us on that?
     Mr. Seaton. Certainly. We'll take that as a question for 
the record, yes.
     Mr. Weber. OK. Well, I appreciate that. Madam Chair, I 
yield back.
     Chairwoman Horn. Thank you very much, Mr. Weber. 
Appreciate your questions, and, as always, your participating 
in the Subcommittee. I think--I have a few more questions I 
want to follow up with, and we'll have an opportunity for the 
Members to do another round of questions, if everyone is 
available to stay, since we're still--we still have time.
     I have--I want to follow up on a couple of things, going 
back to some of the earlier questions about--one about the 
unauthorized devices, or personal devices, and then I do want 
to follow up Mr.--on Mr. Weber's line of questions a little bit 
more. Mr. Martin, the August 2020 IG report on unauthorized 
devices, which was of course just this year, on NASA's network 
cites CIO's office, saying that there--currently no 
authoritative way to obtain the number of partner-owned IT 
devices. And I know, Mr. Seaton, you mentioned that you're not 
allowing that anymore, but it seems that that's still 
happening. So, Mr. Martin, I'm wondering what the risks are of 
not being able to identify, and why that may be the case, from 
your perspective, in this report? And then, Mr. Seaton, I want 
to follow up with you about what NASA's doing to improve its 
understanding and insight into those devices. So, Mr. Martin, 
if you want to start with that?
     Mr. Martin. Sure. If I could say at the outset, NASA--as I 
said in my oral remarks, NASA has been searching for that 
balance between user flexibility and system security, and 
during the 10 years that I've been at NASA, it has somewhat 
wildly lurched from those extremes. I remember early on, a 
number of years ago, where they had a BYOD policy, which was a 
bring your own device policy, and that's how sort of forward 
leaning NASA was about allowing employees, and even 
contractors, to use their personal devices.
     Now, in the last couple years, NASA has taken a much more 
measured approach, and have focused recently, but there are 
still gaps that remain in the security of these mobile devices. 
So, as you indicated, in the report that we issued just last 
month, they have implemented software, but they haven't fully 
implemented the controls to remove or block devices from NASA 
systems that shouldn't be on that NASA system. And they're also 
not adequately monitoring the business rules for granting 
access with a personal device to NASA's network. They're not 
enforcing consistently the business need for that, and they're 
also not ensuring that each of the mobile devices, the personal 
mobile devices that connect to the system, don't violate supply 
chain rules.
     Chairwoman Horn. OK. Thank you very much, Mr. Martin. Mr. 
Seaton, I know you've taken steps in that direction. Can you 
speak to, I know there's been a delay, but the--what you're 
doing, what NASA's doing, to address these holes? It sounds 
like you've made progress, but what are--what is NASA and what 
is the CIO doing to address these other outstanding issues?
     Mr. Seaton. Sure. Actually, as an agency, I believe--I 
think we have been a leader in implementing the--DHS's 
continuous diagnostic and mitigation program, where CDM phase 
one identified what was on the network, and so we had tools in 
place to automatically detect what's on the network. Phase two, 
which we are in the middle of implementing right now, is 
controlling who is on the network, and that gets to the network 
access control element that Mr. Martin spoke of. And, again, I 
think in the--we will in the coming year, be able to enable 
those controls to be able to have a technology-based way to 
enforce the policy that has been issued by my office.
     Chairwoman Horn. Thank you very much. And, just following 
up on a couple of Mr. Weber's questions, in terms of the 
insight, getting back to the--some of the first questions about 
contractor requirements, and how we control for suppliers and 
information, there's a balance between overly burdensome 
requirements and the opportunity for bad actors to influence or 
to gain access, and I'm wondering, Mr. Martin, what you see as 
potential authorities that NASA may need to be able to have 
additional insight, or control, or contracting provisions to 
ensure that there's compliance all the way up and down the 
supply chain. Is it with the primes, or are there other 
provisions that may be needed?
     Mr. Martin. I'm actually going to answer that question by 
focusing in house on NASA. We have commented for the last--we 
did an audit in 2014, and a follow-up in 2017, and one of our 
concerns was just how NASA is structured, where--is Jeff, or 
whoever's sitting in the CIO's position, doesn't have full 
insight into all of NASA's systems. In fact, doesn't have full 
control over the IT spend, and enforcing the IT security 
requirements, particularly in mission systems and center 
systems. Jeff and his colleagues have full control over what's 
known as the institutional systems, but they make up about 25 
or 30 percent of NASA's overall budget, so the lack of insight 
and oversight wielding the stick that controls the money on the 
end of it is a real governance issue.
     Chairwoman Horn. Thank you very much, Mr. Martin. And, Mr. 
Seaton, do you want to speak to that quickly? It sounds like 
you need--to be able to do that you need additional 
authorities, or insight and oversight.
     Mr. Seaton. Actually, I think that that has been changing. 
I sit on the Agency Program Management Council, the Mission 
Support Council, and the Acquisition Strategy Council as a full 
member, so I have insight into major agency decisions, and the 
administration fully supports the programs and plans that we're 
putting in place, and then the collaboration with the missions 
to ensure their systems are secure, where we now have much more 
widespread, effective, consistent approaches to authorities to 
operate. And I've been working with the Council of Deputies 
within NASA to ensure that we have the appropriate mission 
leadership, senior executives, designated as authorizing 
officials for those mission systems. So I do think we're making 
significant progress, excuse me.
     Chairwoman Horn. Thank you very much, Mr. Seaton. Mr. 
Babin, you're recognized for 5 minutes. Do you have more 
questions?
     Mr. Babin. Yes. Can you hear me? OK, thank you. I do have 
some more questions. I wanted to address this to all the 
witnesses, if possible. How many intrusion attempts per month 
did NASA identify last year? How does that compare to the 
intrusion attempts per month this year, during COVID? And if 
this information is sensitive, please provide a response to the 
staff after the hearing concludes.
     Mr. Seaton. Yeah. If I could take the specifics as a 
question for the record, but I can speak in more general terms. 
As I mentioned before, I think the measurement of intrusions 
continues to fluctuate based on our insight into the network, 
and that has increased. So, in some cases, where we see an 
increase in intrusions, it's because we're seeing more of 
what's happening, and we're to the point now we've got, I 
think, a pretty solid visibility into our network today. But 
then a comparison of specific month by month, we'll have to 
take that and get back to you.
     Mr. Babin. OK. All right. Thank you. I think I will yield 
back for Madam Chair.
     Chairwoman Horn. Thank you very much, Mr. Babin. Mr. 
Beyer, you're recognized.
     Mr. Beyer. Madam Chair, I have no more questions. I keep 
learning, but I yield back.
     Chairwoman Horn. Excellent. Thank you. Mr. Garcia?
     Mr. Garcia. Thank you, Madam Chair. Just a real quick 
question. You know, the old adage that the best defense is a 
good offense is kind of appropriate here. Mr. Seaton, are you 
happy with the support that you're getting from other 
government agencies? In terms of the development at a national 
level we develop offensive cyber capabilities. That informs 
your defensive cyber techniques and vulnerabilities. Are you 
comfortable and satisfied with the communications, I'll just 
say, to other government agencies that should be informing you 
as to where the state-of-the-art is going, in terms of 
offensive cyber capabilities which may, you know, be in the 
hands of the bad guys, and be within our own domestic networks? 
If not, where can we help to maybe, you know, improve your 
ability to leverage the developments of other equities outside 
of NASA?
     Mr. Seaton. Yeah, I think the administration's been very 
supportive of our need to continue with the appropriate focus 
on cybersecurity, and I think that NASA has effective 
relationships with our counterparts that can provide us 
counterintelligence information, as well as, you know, best 
practices on cybersecurity, the Federal CIO Council, the CIOs 
across the Federal agencies engaging to share information is 
another effective mechanism for that information sharing.
     Mr. Garcia. OK. So the historical, I'll call it just 
historical evidence over the last call it two years, though, 
have there been any surprises, I guess, from the threats where 
it was a completely unknown rider coming in through an unknown 
technique or vulnerability that really hadn't been discussed? I 
know that there's sensitivities around how much you can say 
here, but, you know, any sort of unknown riders that just 
completely caught you off guard that we ultimately found out 
another equity throughout the government maybe had been aware 
of?
     Mr. Seaton. Yeah. I think, because of the dynamic 
landscape, we're going to face surprises. We want to minimize 
those, right?
     Mr. Garcia. Sure, sure. Yeah.
     Mr. Seaton. But I will say that there have been times when 
other agencies have observed activity, and contacted NASA, and 
then we would partner on that. So, again, I think the 
communication mechanism--mechanisms are there.
     Mr. Garcia. That's good. Well, that's encouraging to hear. 
A lot of these lessons learned have been learned, you know, 
several times before, so we can avoid duplication of lessons 
learned, especially in this cyber domain. That's a huge benefit 
to you guys.
     Mr. Seaton. Certainly.
     Mr. Garcia. Thank you. I yield back, Madam Chair.
     Chairwoman Horn. Thank you very much, Mr. Garcia, and 
thank you to all of our Members for their thoughtful, 
intentional questions, and to all of our witnesses. It's clear 
that these are critically important issues that NASA is facing, 
as well as some important lessons learned during COVID-19, as 
Dr. Burley stated, that these are not normal times, so our 
strategies during COVID-19 are important, but also inform 
cybersecurity more broadly. And I think that it sounds as--that 
NASA is making progress, but that, as a--as the authorizing 
Committee, we want to ensure that you have sufficient 
authorities and funding capabilities to have strong 
cybersecurity practices and protocol in place, and we continue 
to move forward with the recommendations and implementations 
from the GAO, and other strategies that ensure not just the 25 
percent that you have authority--direct authority over, but the 
contractors, especially given some of the things that we have 
seen.
     So, unless any of our Members have further questions, 
we'll bring this hearing to a close today. I want to thank 
again the witnesses for your testimony, and for your time, and 
for what you do. The record will remain open for 2 weeks for 
additional statements from the Members, and additional 
questions of the Committee, or that the Committee or Members 
may ask of the witnesses. Thank you all again for your time. 
The witnesses are excused, and the hearing is now adjourned. 
Thanks, everybody.
     [Whereupon, at 12:20 p.m., the Subcommittee was 
adjourned.]

                                Appendix

                              ----------                              


                   Answers to Post-Hearing Questions

Responses by Mr. Jeff Seaton

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Responses by the Honorable Paul K. Martin

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


Responses by Dr. Diana L. Burley, Ph.D.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

</pre></body></html>