US Federal News Bureau
The Government Accountability Office (GAO) assessed two major NASA projects and four related systems.
Written by: CDO Magazine Bureau
Updated 1:13 PM UTC, Wed July 9, 2025
A new report by the Government Accountability Office (GAO) has found that key NASA systems have not fully implemented essential cybersecurity risk management practices, potentially exposing the agency to cyber threats and mission disruptions.
“GAO reviewed NASA policies and guidance regarding cybersecurity risk management. GAO selected a nongeneralizable sample of two major projects and two associated systems for each project. For the four selected systems, GAO analyzed system authorization documentation and compared it to seven key cybersecurity risk management steps and associated activities. GAO also interviewed project and cybersecurity officials,” GAO said in the report.
While NASA fully or partially implemented all seven steps outlined by NIST, including preparation, control selection, and continuous monitoring, key activities were missing.
Notably, NASA lacked an approved enterprise-wide risk assessment and failed to document system-level monitoring strategies. These gaps raise risks of delayed threat detection, data breaches, and operational disruptions to critical space systems. Stronger implementation is vital for mission resilience.
GAO issued 16 recommendations to strengthen NASA’s cybersecurity framework, including completing a risk assessment and clarifying monitoring guidelines. NASA agreed with seven, partially concurred with four and rejected five, citing sensitivity concerns.