Information about http://oig.nasa.gov/NASA2007ManagementChallenges.pdf
National Aeronautics and Space Administration Office of Inspector…
Tags: administration office, consolidation act, financial officers act, government accountability office, institutional functions, integrated enterprise management, internal control, launch, managing risk, mission assurance, mission schedules, nasa, national aeronautics and space, national aeronautics and space administration, office of inspector general, oig, resource constraints, space shuttle, space vehicles, transitioning,Pages: 15
Language: english
Created: Wed Nov 14 10:07:09 2007
Display cached document
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Page 13
Page 14
Page 15
National Aeronautics and
Space Administration
Office of Inspector General
Washington, DC 20546-0001
NOV 1 3 2007
TO: Administrator
FROM: Inspector General
SUBJECT: NASA's Most Serious Management and Performance Challenges
As required by the Reports Consolidation Act of 2000, these are our views of the most
serious management and performance challenges facing NASA. Over the past year,
NASA has been working to address these challenges and improve Agency programs and
operations through various initiatives and by implementing recommendations made by
the Office of Inspector General (OIG) and other evaluative bodies, such as the
Government Accountability Office (GAO). An overarching challenge concerns how
NASA integrates diverse programmatic and institutional functions across geographically
dispersed operations. Each of the five challenges listed below, and summarized in the
enclosure, is colored by this overarching challenge.
· Transitioning from the Space Shuttle to the Next Generation of Space
Vehicles. Balancing schedule and resource constraints while maintaining the
capabilities required to fly the Space Shuttle safely and effectively and,
simultaneously, developing the next generation of space vehicles.
· Managing Risk to People, Equipment, and Mission. Effectively managing
risk, safety, and mission assurance controls to ensure reliable operations in the
context of aggressive launch and mission schedules, funding limitations, and other
future uncertainties.
· Financial Management. Ensuring that the Integrated Enterprise Management
Program (IEMP) improves NASA's ability to efficiently provide reliable
information to management, supports compliance with the Chief Financial
Officers Act and other Federal requirements, and strengthens the Agency's
Internal Control Program to address continued problems such as NASA's internal
controls over property, plant, and equipment and materials (PP&E).
· Information Technology (IT) Security. Improving management and operational
and technical controls to protect the information and information systems vital to
the Agency's mission.
· Acquisition and Contracting Processes. Developing adequate cost estimates,
managing program costs, and ensuring that NASA is using the most advantageous
acquisition and procurement strategies and safeguards to promote competition in
contracting and to maximize the Agency's ability to fulfill its missions.
2
Transitioning from the Space Shuttle to the next generation of space vehicles remains
on the list of challenges because of the complexity of balancing the human capital,
equipment, and property needs of the Space Shuttle Program with the needs of the
Constellation Program without compromising either program. The challenge arises
within the framework of a projected 5-year gap between the last expected flight of the
Space Shuttle in 2010 and the first projected flight of the Crew Exploration Vehicle
(CEV) in 2015.
That 5-year period will challenge NASA's ability to maintain employee skill sets,
efficiently utilize its infrastructure and suppliers, and provide adequate support to the
activities of the International Space Station (ISS). At issue is maintaining the critical
skills now present in the Space Shuttle workforce throughout the remaining Shuttle
flights while placing additional emphasis on defining the skill sets needed by the
Constellation Program. NASA's plans to rely on international partners and commercial
providers during the 5-year gap period to provide the support necessary to operate the ISS
will also be a challenge because the capabilities, schedules, and funding requirements for
NASA, its international partners, and commercial cargo vehicles are not yet firm enough
to ensure that the ISS mission objectives can be fulfilled.
NASA's role as the Nation's leader in space and aeronautics research and development
contains inherent risk management challenges. Continuing to confront the Agency are
operational and safety risks and mitigating these risks is a continuous challenge.
Even when the risk management system is robust, activities such as flying the Space
Shuttle involves the acceptance of substantial amounts of risks. For example,
notwithstanding risk mitigation efforts by the Agency subsequent to the Columbia
accident and since return to flight, foam continues to liberate from the external tank and
potentially threaten the orbiters and their crews. The alternative to managing (and
accepting) the risk would be to permanently ground the Shuttles. Grounding has
occurred for temporary periods to address specific issues or to conduct a comprehensive
review of issues. However, grounding the Shuttles prior to the planned retirement of the
Space Shuttle program in 2010 would result in a failure to accomplish the missions that
have been laid out for the program over the next 3 years. The Agency's willingness to
accept risks, such as those associated with continued Shuttle flights to accomplish the
mission, may reflect or it may exceed the Nation's tolerance for such risk. NASA refers
to the Shuttle as a test flight and experimental vehicle recognizing the risk inherent in the
program. A misalignment between the risk NASA accepts and the Nation's tolerance for
such risk will bear no negative consequence so long as NASA's risk acceptance is
rewarded with successful flights. Were tragedy to strike again, however, the merits of
manned space flight to the moon and Mars would likely be reevaluated.
NASA programs are constantly challenged by risks introduced by fiscal and schedule
tightening that result from internal weaknesses such as failing to adequately identify
requirements prior to program execution and not adequately overseeing contractor
performance. NASA programs are also challenged by risks associated with the
reprioritization of resources to meet continually evolving demands. These pressures can
be manifest in subtle and incremental ways. These fiscal challenges are not new and
3
NASA's past difficulty in developing systems within cost, schedule, and performance
parameters are well documented.
NASA's financial management remains on the list of challenges because of continued
internal control problems affecting the Agency's ability to produce complete and accurate
financial statements and provide sufficient evidence to support statements throughout the
fiscal year. These deficiencies have resulted in a disclaimer of opinion on its financial
statements by Independent Public Accountant audits since FY 2003. Many of the
deficiencies the audits disclosed resulted from a lack of effective internal control
procedures and data integrity issues. Although NASA has made progress in addressing
these deficiencies, during FY 2007, the auditors noted that similar inadequacies still exist.
Two of the most significant deficiencies involve the financial statement preparation
process and NASA's internal controls over property, plant, and equipment and materials
(PP&E). NASA's financial statement preparation process contains deficiencies affecting
NASA's ability to effectively accumulate, assemble, and analyze information to timely
develop its financial statements on a routine and recurring basis. Consistent with last
year's audit report, NASA's ongoing PP&E weakness is a result of NASA relying
primarily on a retrospective review of disbursements to determine amounts that should be
capitalized with a heavy dependence on contractors to identify assets created at a
contractor's location.
We have again included IT Security as a most serious management and performance
challenge because our work and that of the Agency continues to report that significant
weaknesses persist and many IT security challenges remain. Significant management and
operational and technical control weaknesses continue to impact the Agency's IT
Security Program and threaten the confidentiality, integrity, and availability of NASA
information and its systems. That threat is tangible in that the Agency continues to be a
target for criminal computer intrusions. For example, NASA OIG recently investigated a
series of unlawful computer intrusions into NASA's Earth Observation System networks.
Aside from the operational impact to the Agency`s mission, such as the temporary
suspension of automated processes, these intrusions cost NASA $1.5 million for incident
mitigation and clean-up costs alone.
Significant challenges include establishing an IT security internal control program;
enhancing intrusion detection and computer forensics with incident management
analysis; implementing improved NASA network security monitoring capabilities;
and managing IT asset and Internet protocol addresses. Although these challenges are
significant, NASA has taken tremendous steps in FY 2007 to bolster its IT security
defenses. Despite the progress NASA has made in improving its IT Security Program,
IT security is still a most serious management and performance challenge and is
recognized by the Agency as a material weakness.
Weaknesses in NASA's acquisition and contracting processes pose significant challenges
to NASA's ability to make informed investment decisions. GAO reported that NASA
still lacks a modern, fully implemented integrated financial management system to
provide accurate and reliable information on contract spending, has undisciplined
4
cost-estimating processes, and lacks the ability to obtain information needed to assess
contract progress. Audits and investigations completed by OIG and GAO in FY 2007
also continued to reveal systemic problems in areas such as knowledge-based
acquisitions and procurement process abuses. Challenges to the Agency include
implementation of changes to its acquisition approach and preventing and deterring
procurement fraud.
In FY 2008, the OIG will continue to conduct work that focuses on NASA's efforts to
meet these challenges as part of our overall mission to promote the economy and
efficiency of the Agency and to root out fraud, waste, and abuse.
Robert W. Cobb
Enclosure
NASA's Most Serious
Management and Performance Challenges
Transitioning from the Space Shuttle to the Next Generation of
Space Vehicles
NASA's challenge in transitioning from the Space Shuttle to the next generation of space
vehicles is multifaceted, as NASA must balance the mission, equipment, facility, and human
capital needs of the Space Shuttle Program (SSP) with the needs of the Constellation Systems
Program 1 without compromising the operations of either. The projected 5-year gap between
the last expected flight of the Space Shuttle in 2010 and the first projected flight of the Crew
Exploration Vehicle (CEV) in 2015 will challenge NASA's ability to retain certain employee
skill sets, efficiently utilize its infrastructure and suppliers, and adequately support the
activities of the International Space Station (ISS). NASA has not experienced a challenge of
this magnitude since the end of the Apollo Program and the beginning of the shuttle program.
To manage the transition effort, NASA has taken steps to establish a governance structure and
develop a transition plan. The transition is governed by representatives from the Space
Operations Mission Directorate (SOMD), the Exploration Systems Mission Directorate
(ESMD), and NASA's Mission Support Offices. SOMD is responsible for operating the SSP
until its retirement in 2010 and for managing the completion and use of the ISS. ESMD is
responsible for the Constellation Systems Program. The Mission Support offices are
responsible for providing the institutional capabilities needed to support the transition effort.
The transition's governing board's responsibilities include evaluating transition decisions to
ensure that those decisions promote efficiencies and synergies between the human space flight
programs; ensuring that existing infrastructure and resources evolve to support future
programs; and ensuring that strategies, decision-making, priorities, budgets, schedules, and
top-level requirements are coordinated across NASA.
In addition to establishing the governance structure, NASA finalized its "Human Space Flight
Transition Plan," which details how NASA will manage the transition activities, to include
acquisition, budget, data and records management, environmental management, human
capital, information technology, property, and transition metrics. Subsequent to finalizing the
plan, the Agency took action to address findings and recommendations from our report,
"NASA's Plan for Space Shuttle Transition Could Be Improved by Following Project
Management Guidelines," January 9, 2007, and GAO reports concerning the transition.
Those actions have improved NASA's plans for the overall transition and its various
component parts, such as human capital, property, and cost.
With the governance structure and initial transition plan in place, NASA can concentrate on
managing the transition through the 5-year gap period (20102015) between the last expected
flight of the Space Shuttle and the first projected flight of the CEV. During FY 2007, the
1
The Constellation Systems Program is responsible for developing the next-generation space vehicles and the
related exploration architecture systems.
Enclosure
Page 1 of 11
OIG, and GAO and other external entities including Congress, have focused on certain
aspects of the transition effort, specifically, the effects of the period between last SSP flight
and first CEV flight, on NASA's workforce and the sustainment of the ISS. Workforce issues
include maintaining the critical skills now present in the Space Shuttle workforce throughout
the remaining Shuttle flights while placing additional emphasis on defining the skill sets
needed by the Constellation Program, especially those that will be needed at Kennedy Space
Center. Although the workforce at other NASA Centers are engaged in development and
production activities for the new vehicles, Kennedy personnel's primary focus is launch and
maintenance. Skills related to these activities are more likely to deteriorate from lack of
use--i.e., the gap period effect. Therefore, the Constellation Program should adequately
define its needed skill sets and take the steps necessary to retain the workforce it will need.
Sustaining the ISS during the gap period is crucial to realizing the ISS research potential and
protecting the extensive United States and foreign investment in the ISS. NASA plans to rely
on international partners and commercial providers during the gap period to provide the
logistics support and crew rotation necessary to operate the ISS. However, the capabilities,
schedules, and funding requirements for NASA, its international partners, and commercial
cargo vehicles are not yet firm enough to ensure that the ISS mission objectives can be
fulfilled. If NASA does not commit sufficient resources to ensuring that logistics support to
the ISS can be realized after the final flight of the Space Shuttle, that lack of support will
seriously decrease the ISS's utility to the United States.
The Agency continues to acknowledge the difficulty that it faces in managing the transition
effort. It has commissioned outside studies to provide independent assessments of some of
the transition issues, to include the workforce concerns. We are also reviewing the
development of next-generation space vehicles and supporting equipment. In FY 2007, we
initiated an audit of the acquisition of the CEV Project and the Constellation Space Suit
System, focusing on the development of technical and safety requirements and the
achievement of project milestones.
The Agency has taken the requisite first steps to achieve a successful transition by enhancing
its knowledge base, engaging a management team, and developing a transition plan. NASA
should now concentrate its efforts on ensuring that the transition plans can be successfully
executed and that any unexpected problems can be resolved. If not, the Agency risks its
ability to move forward and timely meet its future goals of human space flight to the Moon
and beyond.
Managing Risk to People, Equipment, and Mission
NASA programs are constantly challenged by risks introduced by fiscal and schedule
tightening that result from internal weaknesses such as failing to adequately identify
requirements prior to program execution and not adequately overseeing contractor
performance. NASA programs are also challenged by risks associated with the
reprioritization of resources to meet continually evolving demands. In addition, NASA's role
as the Nation's leader in space and aeronautics research and development adds obstacles to its
risk management program because risk is inherent in crossing the thresholds of technology.
Enclosure
Page 2 of 11
In executing the President's Vision, NASA will use the Space Shuttle to complete the ISS and
then retire the Shuttle in 2010 while simultaneously developing new space vehicles that can
travel beyond low-Earth orbit to the Moon and beyond. Aside from the tremendous technical
challenges associated with these enterprises, accomplishment of those missions is susceptible
to budgetary constraints imposed through the appropriation process. The NASA
Administrator acknowledges this risk in his statement that "All of our programs proceed in a
`go-as-we-can-afford-to-pay' manner; so if we receive less funding than requested, we will
adjust our pace." The implications associated with this budgetary reality add ever-increasing
risk to an organization responsible for taking the Nation's lead in space and aeronautics
research and development and whose programs are designed to operate over several decades.
Both internal and external influences continue to have an impact on funding for mission
directorates, programs, and projects. Funding for the Science Mission Directorate (SMD), for
example, continues to be impacted by competing priorities internal and external to NASA. In
a statement before the Committee on Commerce, Science and Transportation Subcommittee
on Space, Aeronautics and Related Sciences, United States Senate, the Administrator relied
heavily on the results of the Decadal Survey of the National Academy of Sciences to secure
schedule-assurance funding for several Earth Science projects. For example, the
Administrator stated that the SMD request for FY 2008 "includes additional funding for the
Global Precipitation Measurement (GPM) mission to improve schedule assurance in response
to the high priority placed on GPM in the Decadal Survey." This mission was first proposed
in FY 2001 but had never been a high enough priority to have funding made available to
move GPM out of the formulation phase.
Budget constraints and the emphasis on implementing the President's Vision and the Decadal
Survey priorities also impact the Aeronautics Research Mission Directorate. Affected is its
ability to effectively implement the tenets of the National Aeronautics Research Development
Policy, signed by the President on December 20, 2006, and its ability to effectively carry out
its responsibilities in the development of the Next-Generation Airspace Transportation
System. The National Research Council also acknowledged this impact in its report
Aeronautics Innovation, NASA's Challenges and Opportunities. The report references risks to
NASA missions in that, "despite strong private-sector support for a broad and robust federal
government role in civil aeronautics technology development, Congress and recent
administrations have not come to terms on what are widely regarded as nationally important
NASA aeronautics missions and the level of resources needed to address them effectively and
in a timely fashion."
Other challenges NASA faces in managing risk include its International cooperation
arrangements and commercial partnerships. The President's Vision directs NASA to pursue
opportunities for international partnership in support of the Nation's exploration goals. To
address this Agency objective, each of NASA's Mission Directorates is involved with
international cooperation at some level. NASA also plans to create and expand existing
partnerships with U.S. private industry to develop and implement the Nation's new
exploration systems, infrastructure, and technologies. Although international and commercial
partnerships are key to implementing the President's Vision, such partnerships involve risks
including changes in U.S. foreign relations policy, changes in the global economy, integration
and compatibility problems with NASA systems, and sustaining long-term commitments with
Enclosure
Page 3 of 11
those partners. Changes in any of these contingencies could ultimately impact mission
objectives. NASA will need to take the appropriate steps to sufficiently mitigate those risks.
NASA has also contributed to its own risk management challenges. For example, NASA's
approach to developing the new space vehicles involves the participation of nine Agency
Centers in the development process. This approach, while ensuring that each of the Centers
maintains a robust working environment, could increase the risks associated with product and
process integration, as program and project managers must ensure that although work is
performed at multiple geographic locations that the final product can be successfully
integrated and is consistent with the architectural design.
In addition, while work progresses on the development process, NASA must also focus on the
safe and successful completion of the remaining Shuttle flights. Foam liberation continues to
challenge the Space Shuttle Program, as the various problems with foam have been difficult to
predict and resolve from a holistic perspective. Each of the remaining shuttle flights may
encounter risks to mission completion because of different types of foam liberation incidents
requiring different mitigation procedures. Lastly, although it remains questionable whether
the alleged incidents of astronaut alcohol use in the immediate preflight period of the Space
Shuttle missions were based on fact, the allegations alone point to continued challenges--
perceived or actual--to NASA's safety culture.
With the Constellation Program, NASA has a unique opportunity to leverage the lessons
learned from the past concerning risk, risk management, and its safety culture. By virtue of
its design, the Constellation Program may avoid design risk issues that threaten the SSP but
important risk and safety decisions still need to be made. The key will be to ensure that the
process of making those risk and safety decisions is open, honest, and impartial and based on
a continuous risk management process.
For the next fiscal year, the OIG plans to dedicate considerable resources to reviewing the
Agency's risk management efforts. Our focus will include monitoring NASA's actions to
address the foam issue, following up on the Agency's actions taken in response to reports on
astronaut health and preflight use of alcohol 2 and examining external influences to NASA's
development and accomplishment of specific mission priorities.
Financial Management
Since 2003, NASA has not been able to produce auditable financial statements or provide
sufficient evidence to support statements throughout the fiscal year. NASA received a
disclaimer of opinion on its financial statements from Independent Public Accountant audits
by PricewaterhouseCoopers (PwC) in FY 2003 and by Ernst & Young (E&Y) in FY 2004
through FY 2007. These audit reports identified instances of noncompliance with generally
2
The review panel report "Astronaut Health Care System Review Committee Report" (undated) and the
August 28, 2007, NASA Office of Safety and Mission Assurance report "Space Flight Safety Review (Alcohol
Use in the Preflight Period)."
Enclosure
Page 4 of 11
accepted accounting principles, reportable conditions, 3 material weaknesses in internal
controls, and noncompliance with the Federal Financial Management Improvement Act of
1996 and the Improper Payments Information Act of 2002. Many of the deficiencies the
audits disclosed resulted from a lack of effective internal control procedures and from data
integrity issues. As shown in the following table, while NASA has made progress in
addressing deficiencies, internal control weaknesses still exist. The two remaining material
weaknesses involve NASA's financial statement preparation process and internal controls
over property, plant, and equipment and materials (PP&E).
Internal Control Deficiencies
Fiscal Year 2007 2006 2005 2004 2003
Independent Public Accountant E&Y E&Y E&Y E&Y PwC
Audit Opinion Disclaimer Disclaimer Disclaimer Disclaimer Disclaimer
material reportable
General Controls Environmenta -- -- --
weakness condition
Internal Control Deficiencies
Property, Plant, and Equipment material material material material material
and Materials weakness weakness weakness weakness weakness
Financial Statement Preparation material material material material material
Process and Oversight weakness weakness weakness weakness weakness
material material material
Fund Balance with Treasuryb -- --
weakness weakness weakness
Audit Trail and Documentation to material
-- -- -- --
Support Financial Statementsc weakness
Environmental Liability reportable reportable
-- -- --
Estimationd condition condition
a
The General Controls Environment weakness had mostly been resolved for FY 2005. The segregation of duties component of
this weakness was included in the Financial Statement Preparation Process and Oversight weakness for FYs 20052007.
b.
The Fund Balance with Treasury reconciliations weakness cited in FY 2005 had mostly been resolved; a weakness relating to
timely resolution of Budget Clearing Account balances was included in the overall Financial Statement Preparation Process and
Oversight weakness for FY 2006. This deficiency was resolved in FY 2007.
c
The weakness on Audit Trail cited in FY 2003 continued to exist in subsequent years (FYs 20042007); however, it was included
in the overall Financial Statement Preparation Process and Oversight weakness.
d
The deficiency cited for Environmental Liability Estimation had mostly been resolved for FY 2006. Control deficiencies
surrounding the software application used to prepare the estimates, and a lack of involvement by the appropriate Office of the
Chief Financial Officer in related accounting matters was included in the Financial Statement Preparation Process and Oversight
weakness for FYs 2006 and 2007.
During the FY 2007 audit, E&Y noted that NASA's financial statement preparation process
contains deficiencies affecting NASA's ability to effectively accumulate, assemble, and
analyze information to timely develop its financial statements on a routine and recurring
basis. For example, NASA personnel were unable to adequately describe how balances
reflected in the statements were derived and unable to provide reasons for unusual activity
and balances; also the review process missed mistakes and errors in the analyses. All of this
3
The term "significant deficiency" replaced "reportable condition," effective for FY 2007 reporting, with the
issuance of Statement on Auditing Standards No. 112, "Communicating Internal Control Related Matters
Identified in an Audit."
Enclosure
Page 5 of 11
suggests deficiencies in aspects of an effective supervision and review process and that
NASA's review process may not be fully effective. Although processes continue to be
improved, other issues such as data integrity, systems that are not fully integrated, evolving
account reconciliation, and periodic analysis processes directly affect and continue to provide
challenges to the development of auditable financial statements.
Consistent with the FY 2006 audit report, NASA's ongoing PP&E weakness is a result of not
having a process to determine at the point of budget formulation, obligation recognition,
contract development, accounts payable recognition, or disbursement, the value of property
NASA expects to buy, has contracted for, or has purchased. NASA relies primarily on a
retrospective review of disbursements to determine amounts that should be capitalized and
continues to depend heavily on contractors to identify any assets created at a contractor's
location. The retrospective review and dependence on contractor reporting increases the risk
that related costs will not be properly captured and capitalized. Beginning in FY 2008, NASA
plans to have sufficient controls in place to identify, within the Core Financial module, capital
acquisitions from project inception through the use of internal checklists, system identifiers,
revised contractor cost reporting mechanisms, and invoicing requirements. NASA also plans
to implement the Integrated Asset Management - PP&E module project to correct some of the
property deficiencies cited by NASA's financial statement auditors.
During FY 2007, NASA changed its accounting treatment of costs associated with space
exploration projects. Treatment changed from capitalizing costs of equipment acquired or
constructed for a particular research and development project and having no alternative future
uses to recognizing these costs as research and development expenses in the period incurred.
The cumulative effect of this change in accounting principle was a decrease in the PP&E
balance by approximately $12.7 billion. Even with the significantly decreased PP&E balance,
NASA still faces challenges in addressing the question of whether certain land-based assets
categorized with the space exploration projects are so unique that the remaining technology
and hardware are of no future use and cannot be salvaged or used in other research and
development projects.
Environmental liability estimation was not cited as a significant deficiency in the FYs 2006
and 2007 audits, but NASA still has not validated the software program that contains the
parametric cost-estimating models used to estimate a portion of its unfunded environmental
liability estimate. NASA also has not established a process to identify and record the clean-
up costs of removing, containing, and/or disposing of hazardous waste from its PP&E. The
amount could be substantial given the extent of NASA's property and the uses to which it has
served. In FY 2008, NASA plans to develop a workplan and implement procedures to
identify and record these costs in compliance with Federal accounting standards.
Ensuring the Agency's financial systems meet the requirements for Federal financial
management systems continues to be a serious challenge. During the FY 2007 audit, NASA's
management continued to identify certain transactions that were being posted incorrectly due
to improper configuration or design within the Core Financial module. In addition, the
auditors noted certain data element fields were either missing information or the information
was inaccurate.
Enclosure
Page 6 of 11
Although the inability of the Agency's financial management and business systems to provide
accurate and timely financial data has troubled NASA for several years, recent progress in
correcting this deficiency should be noted. In November 2006, NASA implemented the
Systems, Applications, and Products (SAP) Version Update (SVU) to the Core Financial
module to improve NASA's ability to enhance its financial tracking and reporting capabilities.
Some of the enhancements included a redesign of funds management and further automation
of adjustment accounting entries. Since the completion of the SVU rollout, however
challenges in system processing, configuration, and capabilities have surfaced and system
version limitations have required the implementation of compensating controls. As of
September 2007, the SVU Project Office was still stabilizing the SVU and deploying system
patches to resolve known issues.
The Agency also recently performed a gap analysis to determine where NASA's financial
management and business systems were not meeting the needs of NASA's mission projects.
Because of the gap analysis, steps are being taken to translate gaps into an integrated set of
business system requirements that will be compiled into an Agency Business Concept of
Operations. Once identified, however, those requirements will compete for financial resources
against other mission requirements and the available budget.
The Agency has also made recent progress with regard to internal controls. NASA recently
established the Office of Internal Controls and Management Systems (OICMS) to assist the
Agency in integrating both financial, institutional, and program-related internal control
activities and improving management's efficiency and level of oversight. Since its
establishment, OICMS has updated or is in the process of updating various guidance and
policy documents; developed oversight roles and responsibilities for the Senior Assessment
Team (SAT) and the Operations Management Council (OMC); and proposed a revised
Statement of Assurance process for FY 2007, which was endorsed by the OMC.
Some of the measures implemented by OICMS were a direct result of our "Audit of NASA's
Compliance with Federal Internal Control Reporting Requirements" (IG-07-025, August 14,
2007). During the audit, we found that NASA's FY 2006 guidance for assessing and
reporting on internal controls, and similar guidance being drafted for FY 2007, was
incomplete or lacked sufficient clarification and was not distributed in a timely manner for
either year. In addition, we found that the tools (i.e., training and communication) for
implementing the guidance were ineffective. Further, we found that there was not a clear
audit trail of documentation supporting the FY 2006 statements of assurance submitted by
NASA offices and Centers, which were the basis for NASA's Statement of Assurance signed
by the Administrator.
Although much progress has been made in developing and maintaining an effective Internal
Control Program, the Agency will likely face implementation challenges as it focuses on
identifying, assessing and reporting on programmatic internal controls. Challenges include
obtaining buy-in from Agency officials on the importance of assessing and reporting on
program-related internal controls and ensuring that these officials obtain a clear understanding
of how internal controls can directly influence their ability to effectively use resources and
improve program and project success. The Agency's continued emphasis on identifying,
Enclosure
Page 7 of 11
assessing, and addressing issues related to internal controls should further link management's
objectives with mission success.
Information Technology (IT) Security
Our criminal investigative efforts over the past 5 years confirm that the threats to NASA's
information are broad in scope, sophisticated, and sustained. Even more troubling is that the
threats appear to evolve along with new technologies and range from low-end hacking to
complex attacks aimed at some of NASA's most sensitive data. In addition, internal and
external audits and reviews of the Agency's IT security continue to identify systemic
management and technical and operational control weaknesses that impact the Agency's IT
Security Program and threaten the confidentiality, integrity and availability of NASA
information and its systems. The results of those reviews reflect significant challenges;
however, NASA has taken the initiative to identify significant internal control weaknesses
and taken tremendous steps to bolster its IT security defenses. Despite the progress that
NASA has made in improving its IT Security Program for FY 2007, IT security is still a
most serious management and performance challenge and is recognized by the Agency as
a material weakness.
In January 2007, the Agency completed a comprehensive security review of the NASA
IT Security Program. The IT security review (1) assessed Headquarters and Center
implementation of existing requirements, (2) evaluated the effectiveness of the Agency's
organizational structure, (3) verified the accuracy of incident and status reports, and
(4) evaluated the effectiveness of policy enforcement efforts. The review identified
significant challenges in implementing and maintaining a comprehensive IT Security
Program across a large array of networks and information systems. Significant challenges
include establishing an IT security internal control program; enhancing intrusion detection
and computer forensics with incident management analysis; implementing improved
NASA network security monitoring capabilities; and managing IT asset and Internet
protocol address.
The Agency's IT security review identified challenges similar to those that the OIG has
identified in previous audits and reviews. For example, NASA cited its current IT
organizational reporting structure as a management control deficiency. NASA reported that
the organizational structure and roles and responsibilities of its IT personnel varied by site.
The fragmentation of IT resources and lack of clearly documented roles and responsibilities
contributed to the Agency's inability to hold individuals accountable for implementing and
complying with NASA policies, procedures, and standards and did not promote timely and
consistent communication and reporting. The Agency attributed the lack of compliance to
many causes including a lack of available, knowledgeable, and trained personnel to
implement those policies. These operational control weaknesses resulted in the
implementation of key IT security functions being managed on an individual-by-individual
basis and an inconsistent execution of compensating technical controls such as patch
management and incident response.
Enclosure
Page 8 of 11
The review resulted in recommendations that the NASA Office of the Chief Information
Officer (OCIO) is aggressively addressing, in accordance with OCIO's March 23, 2007,
corrective action plan. Noteworthy examples of corrective actions include over 90 percent of
the Agency's systems obtaining compliance with OMB guidance by October 1, 2007;
establishing a working group to design and develop requirements for an Incident Response
Capability system; and the issuance of supplemental guidance to further define external
systems and ensure consistent implementation of IT security policies and procedures.
In FY 2007, our audit of the incident detection and response process and the results of the
Agency's internal review found similar systemic weaknesses. In our audit, "Controls over the
Detection, Response, and Reporting of Network Security Incidents Needed Improvement at
Four NASA Centers Reviewed" (IG-07-014, June 19, 2007), we reported that the controls in
place at the four Centers we visited did not provide reasonable assurance that network
security incidents were detected, resolved, and reported in a timely manner. NASA's internal
review also identified areas where the incident detection and response process could be
improved. NASA plans to more clearly define the roles for incident response, consolidate the
management of incident detection and response capabilities to more effectively respond to
incidents, and ensure that NASA implements appropriate prevention measures.
Other similar issues identified during our FY 2007 audits and reviews included deficiencies
related to access to sensitive information and configuration management. In addition, several
NASA Centers have experienced IT security incidents, which the OIG is investigating. The
cumulative effect of these internal control weaknesses and those reported by the Agency led
to the continued reporting of NASA's IT security as a material weakness, adversely affecting
Agency resources for, and support to, NASA's mission. However, continued reporting of
IT security as a material weakness allows for management's continued focus and strategic
resource allocation to fully address the IT Security Program's shortcomings. During
FY 2008, we will continue to work with the OCIO to identify and successfully mitigate
known deficiencies in an effort to potentially downgrade IT security as a material weakness
in the near future.
Acquisition Processes and Contract Management
Given that NASA expends most of its budget through contracts and other procurement
vehicles, weaknesses in NASA's acquisition and contracting processes pose significant
challenges to the Agency's ability to make informed investment decisions. GAO first
identified NASA's contract management as a high-risk area in 1990 and reiterated that
assessment in 2005 and 2007, reporting that NASA lacked a modern, fully implemented,
integrated financial management system to provide accurate and reliable information on
contract spending; that NASA used undisciplined cost estimating processes in project
development; and that NASA project managers were unable to obtain information needed to
assess contract progress. Although GAO has recently reported on NASA's progress in
mitigating the deficiency, OIG and GAO audits and investigations continue to reveal systemic
problems in areas such as knowledge-based acquisition and procurement process abuses.
Enclosure
Page 9 of 11
In the most recent update to its high-risk series, GAO credited NASA with developing its
draft corrective action plan, "NASA Plan for Improvement in the GAO High Risk Area of
Contract Management," June 2007. NASA finalized that Plan in October 2007, and GAO is
currently satisfied that the Plan targets problems and issues that their reports have found are
contributing to high risk in contract management. The overall objective of the Corrective
Action Plan (CAP) is to develop an Agency-wide coordinated approach to improving
NASA's program/project management, particularly on how best to assure the mitigation of
potential issues in acquisition decisions and better monitor contractor performance. NASA
has developed initial metrics to track results that indicate the impact of the initiatives
encompassed in the CAP. The seven initiatives included in the CAP involve improving
(1) program/project requirements and implementation practices, (2) the Agency's strategic
acquisition approach, (3) contractor cost performance monitoring, (4) project management
training and development, (5) life-cycle cost/schedule management processes; (6) IEMP
processes, and (7) procurement processes and policies.
GAO cited steps that NASA needs to take in order to improve contract management and
program oversight. The CAP's initiatives encompass those steps. One step is to develop an
integrated financial management system that provides cost information that program
managers and cost estimators can use to develop credible estimates and to compare budgeted
and actual cost with the work performed on a contract. A second step is to ensure that NASA
obtains from its contractors the financial data and performance information needed to assess
progress on its contracts. A third step is to develop the full complement of analytical tools
and trained staff needed to perform cost analyses, including earned value management, which
will alert program managers of potential cost overruns and schedule delays and enable them
to take corrective action to mitigate the problems.
To further reduce the risk of cost and schedule runs and performance delays, NASA is also
challenged to fully implement a knowledge-based acquisition approach. NASA revised its
acquisition policy in 2005 and again in 2007 in response to multiple GAO reports that
criticized NASA's approach to acquisition. Specifically, GAO stated that NASA's
acquisition framework did not provide the information needed to make major investment
decisions, which contributed to NASA's difficulties in meeting cost, schedule, and
performance objectives for its programs and projects. To address those concerns, NASA
revised its acquisition policy to require requirements validation, realistic cost and schedule
estimates, and technology maturation before design finalization; major decision reviews
between each life-cycle phase; and additional oversight from activities independent of the
program and/or project.
The policy revisions were a positive step in improving NASA's ability to successfully
complete its programs and projects within cost, schedule, and performance parameters.
However, implementation of that policy has created its own challenges because it
fundamentally changed NASA's approach to acquisition. Personnel within the Exploration
Systems Mission Directorate (ESMD), who are responsible for managing the new space
vehicles, are having to balance the need to timely develop the new vehicles with the discipline
necessary to follow and comply with the revised guidance. In addition, ESMD has had to
adjust to the increased level of oversight and the additional effort necessary to respond to the
concerns of the oversight activities. NASA has a unique opportunity to improve its processes
Enclosure
Page 10 of 11
concurrently with the acquisition of the new space vehicles. However, successful
implementation of those processes will depend on management's commitment to change
and ability to encourage compliance by all personnel involved in the acquisition process.
Over the past year, audits and investigations have also continued to reveal systemic
procurement process abuses by NASA employees and contractors. Systemic process abuses
ranged from inadequate internal controls and noncompliance with regulatory and program
guidance to actual fraud and misuse of Government funds. We reported in "Internal Controls
to Detect and Prevent Unauthorized and Potentially Fraudulent Purchase Card Transactions at
Four NASA Centers Were Not Always Followed" (IG-07-012, August 29, 2007), that internal
controls designed to detect and prevent unauthorized and potentially fraudulent transactions
were not always followed. Of the 1,749 transactions we reviewed, 186 transactions were
questioned as being a potential misuse of Government funds as they involved missing
supporting documentation, unauthorized charges that were not disputed, or prohibited items
that were purchased. Those transactions were referred to our Office of Investigations.
Because effective and efficient procurement practices are critical to NASA's success in
achieving its overall mission, we made recommendations to the Agency to improve its
internal control process, one of which was that NASA should establish policies and
procedures to hold employees accountable for not complying with regulatory and program
guidance. The Agency concurred with our recommendations or the intent of the
recommendations, and all have been closed by this office since appropriate corrective action
has been taken to address them. In our efforts to detect and prevent fraud, our investigations
have also identified systemic problems with contractors. Recent examples include contractors
submitting fraudulent invoices, which resulted in prison sentences and millions of dollars in
restitution being paid to NASA.
During the past few years, the OIG has collaborated closely with the Agency to promote
NASA's implementation of a new Agency-wide Acquisition Integrity Program (AIP). The
program is designed to enhance NASA's internal control framework for ensuring integrity in
its contracts, promoting competition in contracting, and identifying and addressing
wrongdoing by contractors. As part of this, a remedy coordination official will ensure that
there is an Agency-wide approach to NASA's administration of civil, administrative, and
contractual remedies resulting from investigations, audits, or other examinations related to
procurement activities. The program provides NASA with a more structured and thoughtful
approach for administering contract remedies, sharing best practices, improving internal
controls, and raising employee awareness of procurement fraud indicators.
AIP training is being introduced in tiers, with all NASA employees being designated to
receive it. In March 2007, the NASA Office of General Counsel and the OIG started
providing AIP training to NASA senior management and senior program and project
managers. The OIG introduced NASA managers to the program by providing information on
our responsibilities related to preventing fraud, waste, and providing case examples of recent
activity. During FY 2008, the OIG will continue its collaboration by providing the Agency
with our input into the training for NASA's attorneys, contracting officers, and technical
representatives. This training reinforces NASA's commitment to fighting fraud, waste, and
abuse and educates NASA employees about fraud indicators and how to respond.
Enclosure
Page 11 of 11