NASA sold computers without properly scrubbing them, IG says
An inspector general's audit found that NASA had released to the public 10 computers that had not been properly sanitized of sensitive information, and that the agency has inadequate policies for the disposition of excess IT resources.
NASA is having security problems in selling off excess hardware related to the retirement of the shuttle program. A NASA inspector general's audit found that the agency had released to the public 10 computers whose storage had not been sanitized. Nine of them might have contained highly sensitive data.
The audit, filed by Inspector General Paul K. Martin, focused on the “disposition of shuttle-related IT” containing sensitive information. The auditors also found computers at the Kennedy Space Center disposal facility “that were being prepared for sale on which NASA Internet Protocol information was prominently displayed”; four of those computers were confiscated before they could be sold.
“Internet Protocol information could provide a hacker with the details needed to target specific NASA network assets and exploit weaknesses, resulting in the compromise of sensitive information,” the audit said.
The audit studied four NASA centers – Kennedy, Langley, Johnson and Ames. It found that no sanitization verification process was in use at Johnson and Ames, and that all four centers either used improper sanitization methods or lacked oversight of the process for securing information on excess IT equipment before its disposal or resale.
The IG was not able to determine whether any of the released computers actually did contain sensitive information, according to the report. However, "[O]ur analysis of the computers we confiscated – one of which contained information subject to export control by [International Traffic in Arms Regulations] – and the type of work performed by these contractors raises serious concerns about the information that may have remained on the computers," the IG wrote.
The IG found that NASA had not notified the appropriate agency or contractor personnel when computers failed sanitization testing. IT equipment was also not properly accounted for or tracked during disposition, and some computers awaiting final disposition carried external markings that revealed NASA IP information.
Nine of the 10 released computers had been used by two NASA contractors and, based on the use history of the devices, potentially held unsecured sensitive data. The 10th computer was determined not to pose a risk because it had been used at a kiosk at Kennedy’s visitor center to provide general information to the public.
The audit said that NASA's policies on data sanitization of excess IT equipment were inadequate, and that the policies the agency did have in place were not followed.
The IG recommended that NASA’s CIO revise the IT disposition policy to include a 20 percent sampling method for verification, which the audit described as the standard recommended by the National Institute of Standards and Technology.
“We continue to urge NASA to develop a sampling methodology that conforms to the 20 percent standard recommended by NIST,” the audit said.
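The verification step the audit found missing at Johnson and Ames is simple to describe: after a drive has been overwritten, read it back and confirm that nothing but the overwrite pattern remains, and do this for a sampled fraction of each disposal batch. The following is an added illustration of that check, not code from the IG report or from NASA. It is hypothetical: devices are represented as in-memory byte strings standing in for storage images (constructed here), and a real deployment would read the block device (for example /dev/sdX, which requires root) instead. The `blocks_with_residual_data`, `select_sample` and `verify_batch` names are this example's own.

```python
"""Sanitization verification by sampling (added example, hypothetical).

Each excess device is a dict {"name": str, "image": bytes}; the image stands
in for the device's storage. A properly overwritten drive reads back as one
uniform byte (0x00 or a single overwrite pattern) in every block.
"""
import math
import random

BLOCK_SIZE = 4096


def blocks_with_residual_data(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return indices of blocks that are not uniformly filled with one byte.

    Any block containing more than one distinct byte value still holds data
    that the overwrite did not remove, so it fails verification.
    """
    bad = []
    for i in range(0, len(image), block_size):
        blk = image[i:i + block_size]
        if len(set(blk)) > 1:
            bad.append(i // block_size)
    return bad


def is_sanitized(image: bytes) -> bool:
    """True when every block is uniform (no residual data anywhere)."""
    return not blocks_with_residual_data(image)


def select_sample(devices, fraction: float = 0.20, seed=None) -> list:
    """Pick ceil(fraction * n) devices at random, never fewer than one.

    `fraction=0.20` mirrors the 20 percent sampling rate the audit cites;
    a fixed `seed` makes the selection reproducible for an audit trail.
    """
    k = max(1, math.ceil(fraction * len(devices)))
    return random.Random(seed).sample(devices, k)


def verify_batch(devices, fraction: float = 0.20, seed=None) -> dict:
    """Verify a random sample of a disposal batch.

    Returns {"sampled": [names], "failed": {name: [bad block indices]}}.
    A non-empty "failed" means the batch must be pulled from disposition and
    the responsible personnel notified, which the audit found NASA did not do.
    """
    sample = select_sample(devices, fraction, seed)
    failed = {}
    for dev in sample:
        bad = blocks_with_residual_data(dev["image"])
        if bad:
            failed[dev["name"]] = bad
    return {"sampled": [d["name"] for d in sample], "failed": failed}


# Constructed batch: nine zeroed drives, one overwritten with 0xFF, and one
# that still holds data in its third block. None of this is real NASA data.
_clean = b"\x00" * (4 * BLOCK_SIZE)
_pattern = b"\xff" * (4 * BLOCK_SIZE)
_leftover = (b"\x00" * (2 * BLOCK_SIZE)
             + b"CONSTRUCTED RESIDUAL DATA".ljust(BLOCK_SIZE, b"\x00")
             + b"\x00" * BLOCK_SIZE)
DEVICES = [{"name": f"excess-{i:02d}", "image": _clean} for i in range(9)]
DEVICES.append({"name": "excess-09", "image": _pattern})
DEVICES.append({"name": "excess-10", "image": _leftover})


if __name__ == "__main__":
    result = verify_batch(DEVICES, fraction=0.20, seed=42)
    print("sampled:", result["sampled"])
    print("failed: ", result["failed"] or "none in sample")
    # A full read-back (fraction=1.0) is what actually catches every drive.
    print("full check failures:", verify_batch(DEVICES, fraction=1.0)["failed"])
```

Two caveats a practitioner would attach to this. First, a 20 percent sample detects a broken sanitization process, not an individual drive that was skipped: in the constructed batch above, the one bad drive is caught only if it happens to be sampled, which is why the full-batch check is printed as well. Second, the "uniform bytes" test is the right check for a drive that was overwritten, but it says nothing about a drive that was cryptographically erased or physically destroyed, which need a different form of verification (key destruction evidence or a destruction certificate).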