October - December 2018 Volume 8 • Issue 4

National Aeronautics and Space Administration

IT Talk October - December 2018 Volume 8 • Issue 4

Don’t let data...

slip through your fingers

www.nasa.gov IT Talk In this Issue Oct - Dec 2018 Volume 8 • Issue 4

Office of the CIO NASA Headquarters 300 E Street, SW Message Washington, D.C. 20546 3 from the CIO Chief Information Officer Renee Wynn Editor & Publication Manager Eldora Valentine Graphic & Web Designer Michael Porterfield Cybersecurity Copy Editor 4 @Home Meredith Isaacs

Don't Let Data IT Talk is an official publication of the Slip Through Office of the Chief Information Officer 6 Your Fingers of the National Aeronautics and Space Administration, Headquarters, Washington, D.C. It is published by the OCIO office for all NASA employees and external audiences. Cybersecurity For distribution questions or to suggest a story idea, email: and You: A Day [email protected] 9 in the Life To read IT Talk online visit: www.nasa.gov/offices/ocio/ittalk

For more info on the OCIO: v www.nasa.gov/ocio v inside.nasa.gov/ocio JPL Open (Internal NASA network only) Source Rover v www.nasa.gov/open/ 13 www.facebook.com/NASAcio Message from the NASA CIO

All of us need to do our part to ensure that our personal and work online lives are kept safe and secure. Everyone needs to remain diligent about protecting themselves from hackers and privacy breaches. Scammers of all sorts bombard us through pop-ups, viruses, phishing e-mails, and even phone calls. NASA works around the clock to protect mission and corporate systems, Agency data, and sensitive information. And protection of NASA’s data through better management of our IT footprint is a critical step in protecting NASA. Our annual cybersecurity training is intended to reinforce the importance of your role in protecting NASA’s data.

National Cybersecurity Awareness Month is an annual designation observed in October. I’m asking everyone to be more cautious and take steps to protect themselves.

• Be aware of phishing e-mails and do not click on unfamiliar links. • Do not send classified, sensitive but unclassified, or otherwise confidential information unencrypted through e-mail. • Choose passwords that are strong, long, easy to remember, and hard for others to guess. • Shut down, hibernate, or lock your laptop every night and whenever you take it out of the building. • Lock all mobile items overnight. • Don’t leave devices unattended in public places. • Avoid leaving devices in vehicles for long periods; short-term, they may be locked in trunks. Never leave them exposed in a parked car! • Encrypt all files that contain Personally Identifiable Information (PII). • And on a personal note, when using social networks, use the privacy settings to protect your personal information.

We have some great information in this issue to help you protect yourself and your organization against cyber threats.

I hope you enjoy reading this quarter’s issue.

OCIO and Center CIO leadership visiting Glenn Research Center in Cleveland, OH on August 6-10, 2018.

NASA OCIO IT Talk Oct - Dec 2018 3 Cybersecurity@Home

By Meredith Isaacs, Communications Specialist, NASA Headquarters

Cybersecurity awareness is essen- see a slow device, the collective bot- • Disable “remote access” tial at work and at home—following net can be used to overwhelm a Web on your router and com- online best practices should be part site or servers with requests. Keep plete software updates. of your whole day. But many of us your equipment from participating by do not have cybersecurity experts at protecting all networked devices. • Passwords lacking complex- home to set protections and guard ity and containing dictionary our information from unauthorized Unfortunately, there are a number words are easy to break. Com- access or loss, making our home of ways to be vulnerable at home: plex passwords and pass- networks and devices less secure. Are firewalls enabled? Do you run phrases are stronger. You can Recently, Carl Willis-Ford, Senior antivirus or anti-malware software also use a password manager. Solution Architect for Federal Health on your computer? How many items Systems, shared vulnerabilities and in your home are connected to the • Use whole-disk encryp- tips with NASA employees interested Internet? Where do you download tion for your computer; Win- in improving their home cybersecurity. apps? Do you reuse passwords? dows comes with BitLocker, while Apple has FileVault. Most homes have a number of Internet- According to Willis-Ford, there are sev- connected devices, as well as the eral simple steps you can take to pro- • Update your operating system equipment furnished by your Internet tect your home network and devices. and applications when prompted. service provider (ISP), including home assistants (like Amazon Echo or Google • Change the default Wi-Fi • Be a smart surfer and keep an Home), streaming devices (Roku, router and administrative eye out for potential traps like Chromecast, or Apple TV), appliances account passwords. phishing scams (fraudulent e- (thermostat, refrigerator, or printer), and mails trying to get you to send mobile devices (laptops, smartphones, • Ensure that the WPA2 security personal information or click or tablets). Each has its own cyber- protocol is enabled for Wi-Fi, re- nefarious links), fake deals, security vulnerabilities, in addition to quiring a password to connect. and scareware (phony pop- those from your own Internet activities. ups saying you are infected). • Enable firewalls for comput- For home users, cyber criminals are ers, devices, and routers. Your Follow these simple recommendations most interested in using your device ISP does not need those dis- to step up your home cybersecurity! in a botnet attack. While you may only abled to provide service.

NASA Administrator Jim Bridenstine made a special appearance at an Information Technology Council meeting on July 24, 2018.

4 www.nasa.gov Cybersecurity & Cloud Computing By Anthony Flores, John Gordon, and Odom Ouk NASA IT Ops/Cybersecurity Pathway Interns “Nobody understands the cloud; it’s a mystery!” —Jason Segel, Actor

Though it is ubiquitous these days, “the What does this mean for you cloud” can still be a concept as disconcert- as a NASA employee? ing in its unseen nature as it is admired for We are happy to inform you that NASA, its proven value. With its ever-increasing like all other Federal agencies, is currently relevance over the past decade, the term now undergoing a large shift toward the use of What To Expect attracts reactions from reverent admiration, cloud-based services. Some of the benefits to eye-rolls, to cautionary tales of anonymous offered by a cloud environment include exploitation. Cloud computing continues to increased agility, security, and scalability. with O365 be a game-changer that can exponentially However, agencies must still be able to identify improve how enterprises operate and pave and apply procedures to secure mission- By Emily Townsend, EUSO Communica- the way for future advances. However, as with critical cloud-based assets in alignment with tions Lead, Marshall Space Flight Center any young technology, it faces a challenge agency policies and compliance consider- in terms of its acceptance within established ations that accompany this cloud shift—the NASA has begun migrating early adopt- enterprises such as NASA—what is it, how cloud and you have a role in this change. ers to Office 365. This migration is im- does it work, and how secure is it really? portant for the agency. It is key to trans- What can I do to operate securely within forming and improving our customer What is the cloud? cloud environments while at work? experience, modernizing our IT systems, The National Institute of Standards and • Only use cloud services that you know and staying up-to-date with industry. Technology (NIST) defines cloud computing are approved for NASA use. If you are O365 provides the Agency with modern, as “a model for enabling convenient, on- not sure, check first with your Cen- innovative, and collaborative technolo- demand network access to a shared pool of ter’s Cybersecurity organization. gy, and allows our customers increased configurable computing resources that can be • Do not use personal cloud accounts mailbox sizes, online storage capabil- rapidly provisioned and released with mini- to store or process NASA data. ities with OneDrive, and larger atten- mal management effort or service provider • Understand the sensitivity of your dance per Skype meeting. interaction.” For instance, Office 365 provides information and do not store or process standard Microsoft Office applications that information using cloud services that Initially, NASA will implement Outlook, can be conveniently accessed in the cloud as are not suitable for the type of informa- Skype, OneNote, and OneDrive (which software as a service (SaaS) applications, re- tion with which you are working. includes personal storage and file sync lieving NASA of much of the burden (capacity • Make sure you fully understand the and share within NASA). In the mean- management, maintenance, etc.) of operat- information provided in the cloud-based time, other parts of Microsoft Office (i.e., ing its own e-mail servers and other related segments of FY 2019’s mandatory an- Word, Excel, Access, and PowerPoint) services, thereby allowing NASA to focus on nual Cybersecurity training—it will help will continue to function as they do to- its core mission: exploration and discovery. you ensure that your cloud use is safe day. Other O365 features, including ad- and NASA interests are protected. ditional collaboration capabilities, will Why do I need to know this? roll out in spring 2019. The increase in security breaches and data Most organizations hold a wealth of sensi- theft has urged business leaders to seek vi- tive information, and the astronomical All NASA e-mail–enabled customers able cybersecurity solutions, one of which is volume of data constantly in transit to the will receive an Office 365 account. Of- the increased adoption of cloud computing. cloud inevitably creates a temptingly lucra- fice 365 will be configured as an inter- The NASA Enterprise Cloud A&A Framework, tive target for cyber criminals. The intensity nal service and will require an approved coupled with the Federal Risk Authorization of even one successful breach can have NASA device and PIV card or Agency Management Program (FedRAMP), enables severe consequences. Data breaches are not Smart Badge to gain access. NASA to have a framework for holistically limited to outside attackers; sensitive data measuring effectiveness, enforcing policy, and can also be compromised by human error. Refer to What You Can Expect with NA- holding vendors accountable from a security Ultimately, we—the cloud service provider, SA’s Office 365 (https://inside.nasa.gov/ perspective. Ensuring accountability serves to organization, and users—all play a vital role system/files/o365_whattoexpect_0. build trust in cloud-provisioning strategies as in maintaining a secure and private cloud pdf) for more information. For FAQs, enterprises, such as NASA placing increased computing environment. Please be sure to do O365 training videos, and a list of Cen- focus on cybersecurity and moving more your part in keeping NASA’s cloud use safe! ter points of contact, visit https://inside. and more information from NASA-operated, nasa.gov/office-365. And stay tuned for on-premise IT infrastructure to cloud-based References: additional communication from the End solutions that have consistently applied • https://nvlpubs.nist.gov/nistpubs/legacy/ User Services Program Office and from security mechanisms that are validated sp/nistspecialpublication800-145.pdf your Center! continuously in alignment with FedRAMP. • https://cloud.cio.gov/strategy/

NASA OCIO IT Talk Oct - Dec 2018 5 Don't Let Data Slip Through Your Fingers

By Jeff Sinnamon, OCIO Information Technology Security Specialist, NASA Headquarters

NASA users generate, process, and these data off onto a USB stick so I The next step is to identify what you store data every day. It is an important can take it to the contractor’s office; need to do with the data. Are other part of everyone’s job to make sure there’s no problem with that, right? NASA employees the only ones who that these data are available to need to see the data? What about support NASA’s missions while at the Unfortunately, just one shortcut in contractors or university partners? same time ensuring that the data are handling data can do significant Are any of them foreign nationals? secured appropriately. When creating, harm to your computer, your Do you need to just send data out, processing, storing, or transmitting any colleagues’ computers, NASA, or do you need to collaborate? The data, it is every user’s responsibility and even the entire Federal answers to these questions will help to ensure that the data are handled Government. It just takes one time. you identify what your use cases in accordance with applicable are, which will drive what service or laws and Agency policies and on The use of unauthorized services tools will help you meet your needs. a system approved for the data. or tools to handle NASA data not only increases the risk to Agency Finally, you need to identify services Doing so can be a significant missions in the event of disclosure, and tools that can address your challenge, especially considering but it can also result in significant use cases. At NASA, the best the wide variety of data types here financial penalties to the Agency resource is the team led by your at NASA. Sensitive But Unclassified if the data were proprietary or Center Information Security Officer (SBU), Personally Identifiable procurement-related. The disclosure (CISO). https://inside.nasa.gov/ Information (PII), Proprietary, of data can also result in penalties at ocio/content/nasa-center-chief- Procurement Sensitive, Export the individual level. As an example, information-security-officers-cisos- Controlled, International Traffic in Arms mishandling of data governed by and-assessment-and-authorization Regulations (ITAR), and other labels the ITAR can result in a maximum They can direct you to the tools and can appear to be overwhelming to penalty of a $1,000,000.00 fine services that are approved for the even the most experienced of users. and 20 years’ imprisonment (22 types of data you are using. They also U.S. Code section 2778). have access to the Risk Information The desire to keep a task on schedule Security Compliance System (RISCS), and meet deadlines can be a powerful The good news is that there are which has the latest information on enticement to use whatever tool approved services and tools available what tools and services are approved. or system is easiest to get the job to help you do your job and stay within done. Common questions that are the bounds of the law and policy. The The data that we collect, create, raised include the following: What first step is to know what types of and share at NASA are valuable and harm can really come from using data you are working with and make can lead to amazing things. The any common commercial service or sure that the data are appropriately information deserves to be protected tool to store or transmit data? Do labeled. Your program manager or accordingly. Please take some time I really have to encrypt that e-mail data owner can help you with any during this Cybersecurity Awareness when not everyone who needs this questions you may have in this area Month of October to review your data presentation has an encryption and direct you to the appropriate types and use cases, as well as the certificate? It’s easier to just copy training or policy documents. tools and services you are using.

6 www.nasa.gov NASA’s IT Strategic Plan— Cybersecurity By Jonathan Walsh, IT Strategic Planner, and Meredith Isaacs, Communications Specialist, NASA Headquarters The global cybersecurity landscape is ever-changing. Malicious actors continually strive to find new ways to threaten companies, Government institutions, and private individuals in a quest to steal data and disrupt operations. Therefore, it is of national interest for NASA to maintain the confidentiality and integrity of its data and information systems while also making its data and systems available for mission success. To ensure the confidentiality, integrity, and avail- By Meredith Isaacs, Communications Specialist, NASA Headquarters ability of its data and systems, NASA identified Cybersecurity as an Information Technology (IT) When protecting NASA’s networks ation and authorization process, are Strategic Goal for Fiscal Years 2018–2021. Efforts and data, understanding who and connected, the Agency reduces the to safeguard NASA’s data and IT assets include what are accessing and attaching to risk of data loss. strengthening the Agency’s cybersecurity capa- Agency networks is paramount. With bilities, deploying new processes and tools to this information, cybersecurity person- NASA also has many associates support risk-based decision making, and using nel can assess risk, mitigate threats, involved our work, from civil servants an innovative employee education program to and protect NASA and its people from and contractors, to university and cover a wide variety of cybersecurity topics. malicious actors. The Department of industry cooperatives, to international Homeland Security (DHS) expects partnerships. Through appropriate vet- In accordance with this goal, NASA has adopted the frequency of cyberattacks on all ting and credentialing, we verify that the National Institute of Standards and Technology networks to increase. From amateurs those with access should have access. (NIST) cybersecurity framework to identify, protect, to professionals, malicious actors look detect, respond, and recover from threats, risk, for connections to Agency networks to NASA takes very seriously any threat and incidents. The Agency is actively implement- disrupt, steal, or sabotage. We must against our devices, networks, data, ing the Department of Homeland Security (DHS) be careful of who and what we allow and people. To protect the Agency, we Continuous Diagnostics and Mitigation (CDM) to connect to our networks, avoiding partner with DHS and other Federal tools to modernize NASA’s threat detection and those with bad intentions and pre- institutions to secure our networks, as- response capabilities. Educational opportuni- venting unauthorized access due to sess threats, and mitigate intrusions. ties encompass improved cybersecurity training innocent mistakes. Efforts include operating under a risk for all personnel, periodic anti-phishing exer- management framework, monitoring cises, and role-based training, among others. Many vulnerabilities result from the networks, employing firewalls, vetting As NASA better safeguards its data and IT assets, actions of those unaware that they and credentialing users attached to we can expect to see continued improvement in have introduced risk to our networks. the network, maintaining 24/7 cyber- the Agency’s cybersecurity posture resulting from By attaching an unauthorized device security operations, and conducting changes such as mobile device management, hard- to an Agency computer or network user outreach and education. ware and software asset management, reduced du- (like a personal phone or USB drive) or plication of cybersecurity tools, updated data clas- downloading unauthorized software, But there are always opportunities sification protocols, and an increase in educational users have unknowingly introduced for all of us to help protect NASA. Do opportunities featuring the latest training methods. greater risk to the computer, network, not download unapproved software, and our data. Today, we are also sur- attach unauthorized personal devices By supporting the achievement of NASA’s Cy- rounded by Internet of Things (IoT) to NASA’s networks and computers, bersecurity goal and objectives, we will help the devices (found in cars, in accessories use unauthorized cloud services, or Agency to securely unleash the power of data. on our bodies, in appliances, etc.), let others have access to your Agency To view NASA’s IT Strategic Plan for Fiscal Years which can make completing tasks devices. 2018–2021, visit . easier while also risking compromise https://www.nasa.gov/ocio/itsp or use against us. By ensuring that Remember, cybersecurity begins and Questions about NASA’s IT Strategic Plan? only authorized devices and software, ends with you! E-mail [email protected]. which have completed NASA’s evalu-

NASA OCIO IT Talk Oct - Dec 2018 7 A Look at Goddard’s Secure Lab Enclave Jeff Simpson, IT Manager and Directorate IT Security Engineer, Goddard Space Flight Center

The Secure Lab Enclave (SLE) is a directorates that were isolated from other tools used for scientific research Center-wide solution at Goddard other NASA networks and thus caused and mission operations. Some or all Space Flight Center (GSFC) designed inefficiencies to lab owners when they of these systems may involve com- and developed as a joint effort be- needed to transfer data. These labs puters whose configurations are tween the Sciences and Exploration develop and test instrumentation that "locked in" and static due to their Directorate (Code 600) and the Infor- is core and critical to NASA's scientific tested hardware interfaces and require mation Technology and Communica- research and space flight missions. special care to protect while allow- tions Directorate (Code 700) to provide They also have traditionally operated ing the mission goals to be fulfilled. a networked environment that inde- completely isolated from any external pendent Center science and engineer- networks. While this practice is largely Several labs are operational in the ing labs can operate as needed to secure, it often imposes inefficiencies Secure Lab Enclave as pilot projects. support their local operational require- or even significant burdens on the lab These include the Code 600 Laser ments. The goal is to maximize the owners and staff to transfer electronic Lab, otherwise known as Goddard security provided to these labs while data between the lab systems and oth- Laser for Absolute Measurement of managing the operational impact to er NASA systems for further analysis, Radiance (GLAMR); the Code 600 one-of-a-kind and legacy systems. The processing, or dissemination. The isola- Direct Readout Lab (DRL) for live sat- SLE environment provides a means tion of the labs also significantly imped- ellite data through the SLE; the Code to protect these lab computers and ed the ability to implement effective se- 500 Space Test Complex (STC); and instrumentation from hostile network curity controls and to remotely monitor the Code 400 RESTORE-L (mission and Internet activity through the use or control lab equipment during long- project in development). Additional of GSFC-managed and multilayered duration tests. The SLE provides a se- lab requirements are being evaluated security controls like firewalls, two- cure means to improve efficiencies with for the pilot program, and the SLE factor authentication, and Continuous these lab operational requirements. is expecting an Operational Readi- Diagnostics and Mitigation (CDM) tools ness Review (ORR) and production and security standards applied to lab Candidate labs for this SLE are those status to be ready during the fourth equipment where applicable, while al- with computers or other IT equipment quarter of calendar year 2018. lowing completion of mission lab tasks. used to control/interface with other delicate hardware instruments such Additional information on the Secure The need for the SLE became appar- as preflight development equipment, Lab Enclave solution is available from ent after realizing there were many in-flight clones, or postflight instru- Jeffrey Simpson at jeffrey.m.simpson@ labs GSFC supports across multiple ments, as well as spectrometers and nasa.gov (Goddard Code 730).

Members of Goddard’s SLE Team (from L to R): Mike Nestor, Jeff Simpson, Tony Taylor, and Matt Matthews. Not pictured: Roger Banting, Greg Goucher, Adrian Misiak, Marilyn Nhan, Dan Corso, and Nima Sheybani-Agdam.

8 www.nasa.gov Cybersecurity & You: A Day in the Life

Enable the WPA-2 security When teleworking, use Don’t leave Agency protocol and firewall on your your NASA-approved devices or sensitive Wi-Fi router, protecting the device and VPN. information in view. network and devices. AT HOME AT

NASA SOC Keep 877-627-2732 your smartcard Secure data, information, with and equipment at your you. workstation.

Lock your computer when away from your

AT WORK AT desk.

When traveling, regularly Lock NASA devices & info account for Agency devices. in your trunk while in transit. ON TRAVEL

Protect your devices at all times: • Don’t leave them in public places When leaving for the day, • Report all incidents to the SOC stow your badge. • Use strong passwords • Connect for updates • Combat phishing • Lock the screen Remember, Cybersecurity Begins & Ends with YOU! IN PUBLIC

NASA OCIO IT Talk Oct - Dec 2018 9 Johnson Space Center Wins the Hitachi Transformation Award By Thomas Kromis, JSC Information Resources Directorate Communications Lead, Johnson Space Center

The Hitachi Enterprise Transformation customer needs, agency priorities of today but also provide a solution Category Winner for the Transforma- for meeting mission goals, and both with potential for the future. tion Award is the Information Resourc- enhancing and exploring new tech- es Directorate (IRD) at Johnson Space nologies such as cloud technology. The technology and approach to Center (JSC). This award recognizes This was a journey of several years archiving data through the Hitachi the partnership between the Interna- of researching new technology with solution allow IRD to meet evolving tional Space Station (ISS) and IRD in multiple vendors. Moore states that stakeholder needs and support the the development of a new system to “demands have changed: volume, mission, now and in the future, while meet the growing imagery needs for quality, density and provide flexibil- also reducing costs for both the Gov- the ISS. It also recognizes companies ity” and that IRD “needed a system ernment and the customer. Leveraging that use Hitachi solutions to accelerate that could adapt to our growing and cloud technology satisfies the needs their business transformation in in- expanding requirements.” This effort of IRD customers while also providing novative and successful ways with the produced innovative ways to archive a hybrid approach to storing data. This goal of inspiring business and IT lead- data and to secure and separate data practice allows IRD customers to ben- ers in all industries. The IRD Director, while engaging with IRD customers to efit from the exploration of innovative Annette Moore, formally accepted the better understand and capture their technologies to improve the process, award and spoke at the Hitachi NEXT requirements. design, and accessibility of data for event in San Diego in 2018. This was a their customers. premier event for the digital revolution Moore commented that what was for business leaders who embrace the important was that we joined in a Historical imagery and records are digital economy and base decisions partnership that “grows with us” and necessary to support research as on data to ensure success. “brings new ideas, strategies and NASA looks to develop the next gen- technologies—even ones not originally eration of space operations. The IRD In 2013, IRD identified future problems considered.” After diligent consider- Storage Operations Manager, Heather with the process, design, and ac- ation and a Decision Analysis Review, Thomas, agreed “Hitachi allows us to cessibility of data for IRD customers. IRD recognized that Hitachi could, not grow with our customers.” IRD created three key focus areas: only, meet the current mission needs

Kirk Shireman, ISS Program Manager and Annette Moore, IRD Director and JSC Chief Information Officer cut the ribbon at the Hitachi Content Platform Ribbon Cutting November 6, 2017 (photographer: Robert Markowitz - NASA - Johnson Space Center)

10 www.nasa.gov Federal Information Technology Acquisition Reform Act (FITARA): WHAT IS IT?

In December 2014, a new Federal strategy and acquisition plan pre- interchange, transmission, or reception of law was enacted by Congress called viously approved by the CIO. data or information by an executive agency. It FITARA. This new law enhanced the also includes computers, ancillary equipment Chief Information Officer’s (CIO’s) The CFO is to partner with the CIO in (including imaging peripherals, input, output, authority and accountability in re- managing IT as a strategic resource storage devices necessary for security and viewing and approving all IT require- across the Agency by working with surveillance), peripheral equipment designed ments before a contract action. Mission Directorates and Centers to to be controlled by the central process- utilize IT data to drive decision making unit of a computer, software, firmware In order to comply with this new ing, reduce duplication and inefficien- and similar procedures, services (including law, the CIO’s office has been work- cies, and optimize IT management. support services), and related resources. ing very closely with both the Office of Procurement (OP) and the Chief Because this is such a large under- …will include all commodity IT (hardware Financial Officer’s (CFO’s) Office taking, the CIO has delegated review and software), ground systems, mis- to establish new policies and pro- and approval authority to the Center sion control centers, and data centers. cesses to ensure compliance. All CIOs to ensure that they are taking three offices have a significant role action at their Centers. Each Center Onboard flight avionics and flight software in implementing this new mandate. CIO is expected to work closely with that are a non-severable and an integral part the OP and report monthly to the of the flight system are not considered IT for In summary, the CIO is required to Agency CIO the requirements their the purpose of OMB IT budget reporting.... review and approve acquisition strate- office has reviewed and approved. gies and acquisition plans that contain Defining a device/service as IT does IT. If there is no acquisition strategy In order to know what to report, not exclude its classification as an or acquisition plan, the CIO shall employees need to understand what R&D or engineering device/service. review and approve the action itself. IT is. The Agency established a tiger team several months ago to define IT: Everyone’s hard work in trying to The OP shall ensure that the Agency implement this law is greatly appreci- shall initiate no contract actions or Information Technology (IT) is any equip- ated. We have made great strides but interagency agreements that in- ment or interconnected system or subsystem still have some work to do, and the clude IT unless they are reviewed of equipment that is used in the automatic Office of the CIO will need your con- and approved by the CIO or are acquisition, storage, manipulation, manage- tinued support to make this happen. consistent with the acquisition ment, movement, control, display, switching, JPL Data Scientist Michael Cox Honored as a 2018 Rising Star By Whitney Haggins, IT Communication Strategist, Jet Propulsion Laboratory, California Institute of Technology The Government Innovation Awards, capabilities from experiments to an Government (e.g., Alexa for Work). Cox presented by Federal Computer Week, operational state with excellent user also served as a lead for the immensely Government Computing News, and benefits at an astounding rate. successful JPL Open Source Rover Washington Technology & Defense project, and between two AWS re:Invent Systems, have named Michael “Mik” He was instrumental in the creation of conferences, Cox has delivered com- Cox, a Data Scientist and Internet of multiple Intelligent Digital Assistants plex live demonstrations in two IoT Things (IoT) Team Lead in the Office of for JPL. Some of these are one for the State of the Union addresses. the Chief Information Officer (CIO), as Acquisition Division, an IoT prototype one of their 2018 Rising Stars. Cox be- “ShopBot” that enables approved users Cox is the only NASA/Federally Funded comes the Jet Propulsion Laboratory’s to swipe their JPL badge to turn on Research and Development Center (JPL's) fourth consecutive Rising Star machine shop equipment, and mul- (FFRDC) representative on the 2018 list, honoree and the fifth since 2010. tiple Chatbots. Cox has collaborated which can be found at https://fcw.com/ with several industry partners who are articles/2018/08/23/rising-stars-2018. Tasked with rapidly exploring innova- designing and releasing new products, The complete profiles for all the 2018 tive new capabilities that will enhance services, and technologies. His input Rising Stars will be available this fall. JPL in its mission to use the emerging has made a positive impact on the in- Cox and his fellow honorees will be technology trends, Cox, by teaming dustry partners’ development, ultimately officially recognized at the November 8 with end users and industry devel- enabling several to be deemed accept- Government Innovation Awards Dinner opers, has successfully taken many able for use by NASA and the Federal in Tysons Corner, VA.

NASA OCIO IT Talk Oct - Dec 2018 11 IT Expo at NASA Headquarters By Scott Johnson, IT Communications Lead, NASA Headquarters

NASA Headquarters’ Information ligence; document management; the survey service was demonstrated in Technology and Communications Divi- managed cloud environment; mobile real time as participants took a brief sion (ITCD) hosted “A Day with ITCD,” application development; SharePoint; exit survey on iPads. “Trending topics” its annual IT Expo, recently. The event surveys; and Web applications. were also highlights, including NASA provided an interactive forum to build digital communications, machine awareness of IT products and services learning, automated document tag- available at NASA Headquarters to It is my belief that you can't win ging, and Internet of Things network support mission success. Attendees over today's business customers analysis. Augmented and virtual reality were able to visit exhibits and receive with yesterday's fragmented IT were demonstrated, along with virtual details on an array of IT topics, such delivery methods. As a result, the goggles—a big hit with attendees. as Microsoft Office 365, the software HQ IT Expo is an element of my library, records and forms manage- strategy to meet business where Visitors were also engaged through ment, IT security, and Google G-Suite IT can provide the most benefit. games such as Wheel of Fortune, software. —Victor Thompson, NASA a “Who am I?” game for getting to Headquarters Chief Information know the ITCD team, and raffles. Mini The purpose of the expo was not only Officer & Director, ITCD workshops were held on topics such to inform, but to also provide attend- as Enterprise License Management ees with solutions to IT challenges and Team (ELMT) ordering, postmaster and requirements. On-the-spot consulta- Live demonstrations were provided NASA Enterprise Directory (NED) self- tions were made available so attend- to showcase products and services, service options, the service catalog, ees could receive instant resolution including multimedia, video develop- and Contracts IT Security 101. to issues or questions and, if neces- ment, ACES software downloads, sary, receive followup by ITCD after backups, mobile device management The event was a success in large the event. Topics included SATERN (MDM), smart conference rooms, part due to the collaboration between registration; Identity, Credential, and mobility solutions, teleconferencing Headquarters ITCD, its contractor Access Management (ICAM); NASA tools (Skype, WebEx, and Adobe), partners, and vendors. It was a learn- Operational Messaging and Directory and telework tools. Visitors were ing experience for both attendees and (NOMAD); the service catalog; infor- able to see new technologies in use, presenters as information was ex- mation security; training; 508 compli- such as an interactive expo map on a changed, challenges were discussed, ance/user accessibility; business intel- large touch screen. The Headquarters and solutions were presented.

Live demonstrations of augmented reality (AR) and virtual Attendees try out conference room technology at the Head- reality (VR) were just some of the showcased items at the quarters IT Expo. Headquarters IT Expo.

12 www.nasa.gov BSA Corner JPL Open Source Rover: By Meredith Isaacs, Communications Specialist, NASA Headquarters Global Release and a 2018 As we enter the final quarter of 2018, we look Government Innovation back over the course of NASA’s IT Business Services Assessment (BSA) and the progress made by IT organizations, services, and per- Award Winner sonnel. The Business Services Steering Com- By Tom Soderstrom, Mik Cox, and Eric Junkins, Office of the Chief Information mittee designed the BSA to find ways to opti- Officer, Jet Propulsion Laboratory, California Institute of Technology mize mission support services, including IT. The JPL Open Source Rover was re- previous coding knowledge. In addi- With approval from the Mission Support leased on July 31, 2018. From its sim- tion, for individuals who wish to add Council, the Office of the Chief Informa- ple beginning as an idea at a JPL Pitch hardware components like a robotic tion Officer began implementing seven Deci- Day event, it was initially built by JPL arm, we included additional mounting sion Areas (Roles and Responsibilities, Gover- interns with advice from experienced holes and extra power on the rover nance, Computing Services, Communications, JPLers. Targeted to high schoolers to support new experiments. Three Workstations, Collaboration, and IT Security) and robotics clubs, the Open Source California high schools have already in early 2016. At the time, IT was character- Rover platform has a parts list of included it in their fall 2018 curricu- ized by decentralized collaboration, end user, $2,500 and incorporates several IT lum. We plan to use it ourselves as a and cybersecurity services, which increased concepts, including inexpensive com- platform to build and test advanced costs and inefficiencies; limited CIO oversight mercial off-the-shelf parts and Inter- concepts in AI, sensors, and robotics and insight; and too many data centers and net of Things devices, 3D printing, a automation. unrealized potential for cloud usage. modular and expandable software and hardware stack, and of course open There is a tremendous demand for Over the course of implementation, IT estab- sourcing and crowdsourcing. NASA and robotics from the public, lished the IT Capital Investment Review and and many articles have been written Center Functional Review for greater invest- We chose to release this project in praising JPL and NASA for the Open ment and compliance insight; adopted a cy- a low-cost, modern way, fitting the Source Rover project and its release bersecurity risk framework for heightened ethos of open source and hobbyists. to the general public. It already has network and data protection; supported com- A welcoming Web page introduces the over 4,000 stars on GitHub, and over munications, cybersecurity, and end user en- concept (https://opensourcerover.jpl. 90,000 people from around the globe terprise service migration; closed 55 data nasa.gov) and links directly to the build have visited the Web site. centers and adopted a Cloud First strategy; instructions on GitHub and a forum and established six IT service programs to Web site for community discussion. To view a video of the rover conquer- manage and deliver enterprise services for There have already been productive ing a rock pile constructed by Cub our customers. discussions, and we expect many Scouts to “stump the rover” at a Cub more, along with additions and modi- Scout event, please visit https://drive. We are proud of all of the work done in find- fications to the rover. The team finds google.com/open?id=178wY9DKKWu ing efficiencies, reducing duplication, and op- these discussions to be truly reward- C0pjoxl9LDq2l4Ix84RfjL. timizing IT. We are also excited about what ing and a wonderful opportunity to is still to come, including Office 365 deploy- engage with the global citizenry. It is ment this fall, additional contract consolida- an example of how JPL and NASA tion and strategic sourcing for cost-effective care about the next generation and services, and modernized IT delivering criti- new ways of working. cal IT services efficiently and securely. The rover was built to be extended. Over time, one journey leads to the next. As We hope that people will incorporate the IT BSA trails off, on the horizon is an op- components like solar panels, ac- portunity for greater efficiencies, savings, celerometers, science payloads, and and support for our people. We look forward advanced programming with Internet The JPL Open Source Rover was to the next turn in IT transformation! of Things and artificial intelligence (AI) recently selected as the 2018 winner and that they will share their results, in the Government Innovation awards For information enabling others to learn from their put on by 1105 Media publications. about the IT BSA, work. The software stack for the rover This is the first time JPL has won this visit https://in- is built on a Raspberry Pi and common award. See https://governmentinnova- side.nasa.gov/ motor controllers. This combination tionawards.com/. ocio/bsa. allows builders to easily add their own improvements with minimal

NASA OCIO IT Talk Oct - Dec 2018 13 OCIO Awards Congratulations to the NASA Office of And huge applause also goes to NASA’s the Chief Information Officer (OCIO) Team Web and Managed Cloud Services Office for winning the RSA Excellence Archer for winning the Box Orchestration award Award! NASA utilizes RSA Archer for IT at the Box Works 18 Summit. The award and security risk management using the recognizes customers that have leveraged RSA Archer Assessment and Authoriza- Box to make the biggest impact on internal tion (A&A) use case. NASA has standard- processes and tools to boost collaboration ized and coordinated their entire A&A and content management through cloud process using RSA Archer, allowing the platforms. The Web and Managed Cloud leadership tier to see all security plans Services Office is the first Federal cus- and make sound risk-based decisions via tomer to successfully implement a FISMA an automated process. The project has Moderate environment that meets Interna- IT Talk

also allowed NASA to work closely with tional Traffic in Arms Regulations (ITAR). IT Talk October - December 2018 Volume 8 • Issue 4 the Department of Homeland Security to improve reporting for the Federal Informa- This month, two teams from the OCIO are tion Security Management Act (FISMA). being recognized during the Agency Honor Awards ceremony. Both are receiving the prestigious Group Achievement Award, honoring outstanding group accomplish- ment that has contributed substantially to NASA’s mission. Congratulations to both of these teams, and thank you for securely Also receiving the Group Achievement unleashing the power of data. Award is our Cyber Executive Order Tiger Team. Led by NASA’s Senior Agency The first team receiving the award is the Information Security Officer (SAISO) and Extravehicular Activity (EVA) Enterprise Associate CIO for Cybersecurity and Pri- Data Integration Team, for their work vacy, Mike Witt, the tiger team analyzed resolving the EVA suit data silos discov- NASA’s mission, corporate, and physical ered after an incident during a spacewalk cybersecurity risk and identified areas of when the suit began taking on water. improvement under the National Institute The team was able to help the EVA office of Standards and Technology guidelines. consolidate their data for improved safety and decision making.

National Aeronautics and Space Administration S Office of the Chief Information Officer 300 E Street, SW Washington, DC 20546 www.nasa.gov