NASA Official Speaks to Cybersecurity ‘Language Gap’ in the Agency
Getting cybersecurity right at a federal agency means learning to speak the language of the program and mission managers who actually run the IT systems you’re trying to protect against hackers and cyberspies, said Rob Powell, a senior advisor on cybersecurity in the Office of the CIO (OCIO) at NASA.
“The culture at NASA is that sometimes mission managers speak one language and corporate CIO, corporate cyber policy, speaks a different language,” he told the audience during a May 13 CyberLEO keynote.
Relationships are also vital in that culture, he said: “When I first came to NASA, I had somebody tell me, ‘Nothing happens at this agency unless there’s a relationship.’”
That was a bit of an exaggeration, he added, “But I will tell you that relationships absolutely help. When you can look across the table from somebody and develop some rapport … it makes a big difference.”
Powell said his first task in the job he started in 2016 was to start building bridges and connections and developing relationships.
More importantly, he had to learn to speak to program and mission leaders in their own language to address their priorities. “It forced me to get out of my mentality of cyber is everything,” he said. “I eat, sleep and breathe cyber. But guess what? For the program managers, cyber is just one of the myriad of risks that they have to balance. … And if you cannot clearly articulate the cybersecurity issue in terms of the risks to their programs, the potential for mission failure or mission success — they won’t have time for it.”
To deal with that language gap, Powell said the agency had drafted a document outlining the 30 most critical cybersecurity controls based on the threat landscape, likelihood, and consequences.
After feedback from mission and flight managers about other cybersecurity best practices and standards promulgated within NASA, the new draft was couched in terms familiar to those managers, Powell explained. “We wrote those controls to be specific to the flight community at NASA. So they would understand not only what we’re asking them to implement, but also how they could validate each of those controls as having been implemented in a flight program environment.”
The draft is out for comment within the agency, he said, and although NASA leaders hope to publish it once it is finalized, it is not currently public.
Other cyber challenges at NASA include issues with the ways cyber risk is quantified, he said. Although there is a long-established practice of drawing up risk management plans for NASA programs, some of those plans don’t include a cyber component, because many program managers didn’t know how to quantify the cyber risk, he said.
Powell said the Office of the CIO worked with program managers to help them understand the different evaluation criteria, critical assets, and critical data, and then showed them how they can use those tools “such that when the program risk management boards met, they had a clear understanding of the cyber risks at the program level and resources could be allocated as needed.”
NASA’s new Administrator Bill Nelson powered the agency’s commitment to address the language gap and other cyber initiatives. “From day one, they made it clear to OCIO leadership and agency mission leadership that cyber is at the top of their priority list.”
Powell added it is “a great experience working at an agency where our leadership embraces cyber, so our mission leaders understand that the agency leadership is pushing on this. That makes my job a lot easier.”