Balancing IT Security

Home , Ames Research Center, Information assurance, Lori Garver, NASA Headquarters

National Aeronautics and Space Administration

IT Talk July - September 2012 Volume 2 • Issue 3

SAFEGUARD YOUR DATA

Balancing IT Security

www.nasa.gov IT Talk July - September 2012 Volume 2 • Issue 3

IT Talk In this Issue Jul - Sep 2012 Volume 2 • Issue 3 Balancing IT Security Office of the CIO NASA Headquarters 300 E Street, SW 3 www.nasa.gov Message from Washington, D.C. 20546 the CIO Chief Information Officer Linda Y. Cureton OCIO Chief of Staff John Hopkins Editor and Publication Manager 4 ICAM Modernization Eldora Valentine Project Slated for Graphic and Web Design Michael Porterfield FY2013

IT Talk is an official publication of the Office of the Chief Information Officer of the National Aeronautics and Protecting and Space Administration, Headquarters, Safeguarding NASA Washington, D.C. It is published by the OCIO office for all NASA Information and employees and external audiences. 6 Information Systems For distribution questions or to suggest a story idea, email: [email protected]

To read IT Talk online visit: Safeguarding Data nasa.gov/offices/ocio/ittalk 7 at NASA Centers For more info on the OCIO: v www.nasa.gov/ocio v insidenasa.nasa.gov/ocio (Internal NASA network only) v www.nasa.gov/open/ 12 I3P facebook.com/NASAcio twitter.com/NASAcio Updates Decommissioning Spacebook By Sarah Rigdon, OCIO-NASA Headquarters

Think back three years. In mid-2009, Message from enterprise-scale social media services were not what they are today, yet the CIO many large organizations were already aware of social media’s low cost ability By Linda Cureton to address collaboration needs. Goddard Space Flight Center (GSFC) saw the potential for social media but did not see many third-party applications that met them. Social media could improve business processes, encourage collaboration and information sharing, and The Agency is responsible for maintaining the security of build their community of stakeholders and all of its systems and data to prevent malicious activity and partners. Projects most often fail because thwart any sabotage of important assets. Recently I had to of barriers to communication. Social testify on Capitol Hill regarding theft of an unencrypted NASA media provides a space to communicate notebook computer that resulted in the loss of sensitive in ways that teams otherwise would not data. An impact assessment determined that the loss of that be able to do. Also, NASA’s innovation data did not create an increased risk or vulnerability. It was stands to benefit from platforms that also concluded that the loss of the data contained on the facilitate the intersection of disciplines. laptop did not impact any NASA mission operations. Emma Antunes, Web Manager at GSFC, Each employee must do their part to protect data. If you were created the homegrown Spacebook social to lose your Government smartphone, iPad, or laptop, what network. It featured user profiles, group would go through your mind first? Someone now has access workspaces (wikis, file sharing, discussion to all my important data, my photos? My boss is going to be forums, groups), and social bookmarks. It really mad, and it’s going to cost a lot to replace? How about was especially useful for small teams that the realization that someone now has access to all your work needed to collaborate without emailing files and can do real damage that could harm NASA? larger groups. And it was all developed using existing contracts, IT resources, and staff. NASA takes the issue of IT security very seriously, and we have made significant progress to better protect the In the past three years, the pace at which NASA users have adopted Spacebook is Agency’s IT systems. In this issue we’ll explore how our inverse to the pace at which third-party NASA Centers are going the extra mile to safeguard data. companies have launched enterprise social —Linda networking products. Spacebook has provided valuable lessons in user adoption. The OCIO decommissioned Spacebook on June 1, 2012, and is archiving all user accounts and content. John Hopkins, OCIO Chief of Staff, sees the positive side. “Something that we often fail to do in government is…to not close [applications] when they cease to be viable,” he said. Emma Antunes agrees: “We need to be agile and not be wedded to any one thing.” In shutting down Spacebook, NASA uses the lessons learned to build better tools and make better use of existing resources. v

NASA OCIO IT Talk July-September 2012 3 ICAM Modernization Project Slated for FY2013 By Kim Edmondson, MSFC

NASA’s Oracle Sun Product Suite 5-year plan in order to reach will begin fiscal year 2013 with a consists of the Identity Manager, this requirement. The Sun targeted completion prior to the end Access Manager, and Sun One Product Suite replacement is of that fiscal year. Implementation will Directory. The suite currently one aspect of NASA’s plan. include installation and configuration provides all of NASA with Identity of the replacement architecture, Innovative technologies that Management and Account ҆҆ migration of system integrations, Exchange (IdMAX) workflows for reduce the total cost of ownership, and migration of business process Identity, Credential, and Access specifically operational costs. workflow and data. Ing said, “Center Management (ICAM), eAuthentication ҆҆ Cutting-edge technology for representatives will be required to for access of applications and the long-term infrastructure. participate in the project via design Launchpad for user profiles, and the reviews and user acceptance tests.” NASA Enterprise Directory (NED). ҆҆ Improved user experience. NASA’s future ICAM capabilities, End-User Experience be it operations and maintenance ICAM Modernization Project End users will have an improved or required enhancements, are The NASA Enterprise Application experience using a Web 2.0 user dependent on continued product Competency Center (NEACC) interface that allows pop-up screens support. NASA’s current premier provides the internal operational and for ease of use. “The look and feel support contract with Oracle for the enhancement services of the Sun will be different than today, and it will Sun Product Suite will end in 2014. Product Suite for NASA. The NEACC be more of a mobile solution with The ICAM Working Group, led jointly has been tasked by the ICAM Working an anytime, anywhere capability for by NASA’s Office of Protective Group to begin preparation activities some services. To get prepared for Services and Office of the Chief for the ICAM Modernization Project, this future change, end users need to Information Officer, has determined which is a high priority for the Agency. be attentive to communications that that it is time for the Sun Product Suite The NEACC’s Sharon Ing, ICAM the project should begin distributing to be replaced. The replacement suite Modernization Project Manager says early Spring 2013,” said Ing. will provide NASA with the following: “the project’s main objectives during Look for NEACC’s “About Us” on ҆҆ Alignment with the Federal ICAM the formulation phase will be to define https://bReady.nasa.gov in the Roadmap (M-04-04, M-05-24, NASA’s requirements and select months to come for more details on M-11-11). This alignment has a the Sun Product Suite replacement this new NASA project. For more 5-year window for compliance; product by the end of fiscal year information about ICAM services, NASA has developed an ICAM 2012.” The implementation phase check out https://icam.nasa.gov. v

Examples of Sun Product Suite capabilities currently utilized at NASA.

4 www.nasa.gov Enabling NASA’s Mobile Workforce By Securing Application Data

By Jane Maples and Kellie White, MSFC-CIMA

Do you currently use a mobile ҆҆ Allows mobile devices device to access applications or outside of NASA locations Web sites? Have you ever stopped to access protected NASA to consider whether the information services and data. you are sending and accessing is ҆҆ Offers full whitelist and secure? What if you misplaced your blacklist filtering by user, phone for a period of time, or worse, device, application, application what if you lost it? Will unauthorized version, and Center. individuals be able to access those applications installed on your mobile ҆҆ Provides secure Web proxy device and initiate transactions on services for the CIMA mobile application *Web wrapper, your behalf? NASA’s Center for allowing wrapped Web sites to Internal Mobile Applications (CIMA) be accessed by mobile devices has worked to ensure the security outside of NASA locations. of data exchanged via any CIMA- provided mobile application. CIMA The Secure Mobile Access Point implemented by CIMA is effective relies upon Mobile Application responses. CIMA’s MAM solution is in securing the mobile application, Management (MAM), as opposed to looked upon as a viable approach but CIMA’s efforts don’t stop there. Mobile Device Management (MDM), for those agencies not requiring Currently, CIMA is working with to secure the mobile application. the mobile device to be locked Furthermore, an in-house-developed the ICAM team to further enhance the security of the installed mobile down for security concerns, such Secure Mobile Access Point (SMAP) as law enforcement agencies. and secure Identity, Credential, applications by implementing and Access Management (ICAM) an ICAM certificate–based In addition to CIMA’s proven services are leveraged for authentication for mobile devices. security approach, CIMA also authenticating and accessing all This additional security measure offers a vast array of mobile is expected to be deployed at CIMA mobile applications. This app consulting, development the end of the calendar year. multilayered security approach relies and hosting, and distribution upon Launchpad for authentication While other Federal agencies are services. CIMA’s catalog of mobile and an application-level personal struggling with the idea of Bring application services and products identification number (PIN) for Your Own Device (BYOD) and enable an organization to extend accessing CIMA-hosted mobile how to manage those devices, key enterprise information and applications. It secures or removes CIMA’s approach to securing your business processes anywhere, any all data at rest and provides a data is to manage the mobile time through any mobile device. secure channel between the mobile application as opposed to the If you would like to learn more about CIMA’s security approach application and the protected NASA mobile device. This is referred to and how to take advantage of enterprise services. Developers as Mobile Application Management this approach for your mobile can leverage SMAP for their (MAM). MAM is application- applications, or would like applications to provide the NASA centric, making it easier to target information regarding our service data and services they need in the things that matter most to NASA—the mobile apps and the offerings, please contact CIMA by a secure and timely manner. inherent data—while leaving the email at [email protected] Features of SMAP: personal device and data alone. and learn how CIMA is redefining business applications for NASA. ҆҆ Provides a secure mobile CIMA has presented their MAM public-access point for approach in various forums with *A Web wrapper is used to accessing protected NASA participation from other Federal deliver an existing Web site services and data. agencies, with very positive as a mobile application. v

NASA OCIO IT Talk July-September 2012 5 Protecting and Safeguarding NASA Information and Information Systems

What if This Were an Actual NASA Headline? By Evelyn Davis and Valarie Burks, NASA IT Security Division, OCIO

What if this article was the national the Agency more than $7 million. has given rise to rogue elements within headline across the United States? the cyber community who misuse In March 2012, the NASA Administrator Is NASA protecting and safeguarding the privileges of easy access to a issued an Agency-wide message on its information and information wide audience to cause damage to the importance of securing NASA systems? Is it possible to protect the security and economic fabric of laptops, iPads, and smartphones, and safeguard information and Federal and non-Federal entities. which was a major step to strengthen information systems 24/7? the role of the Chief Information Officer NASA strives to continue to be a How can any Federal agency protect (CIO) and IT security. The Administrator leader in innovation and technology and safeguard information and stated, “I take the issue of IT security across the Federal sector. To preserve information systems with the new very seriously—both for our equipment that legacy, cybersecurity at NASA challenges in cybersecurity? What is and the information stored on it. must be an agile, forward-thinking, the first step in meeting this type of Information security maintains the and cohesive organization thereby challenge? Over the last few years, integrity of our programs and ultimately allowing NASA to ensure that the NASA has promoted the Annual IT keeps our missions and people safe.” projects, programs, and missions are Security Awareness Training, which protected and safeguarded against is a mandate for all Federal and NASA has a wide array of the ongoing global threats from contractor employees. The training organizational operations that support cybercriminals, hackers, and organized is the first step toward teaching the its missions. These operations groups. To achieve this goal, all NASA NASA community how to protect and may have different risk tolerances. employees must take responsibility safeguard information. The importance Understanding these differences and for safeguarding the security of NASA of awareness and various activities the overall risk to the enterprise is information. As a united front, NASA such as WebEx training sessions challenging in such a large, diverse on protecting home computers and organization. To date, the Advanced employees can protect, prevent, and learning how to detect, prevent, and Persistent Threats, called APTs, have preserve information and information safeguard against the various malicious compromised computer networks systems—the key to beginning a code sent through email and Web sites virtually across every Government cybersecurity transformation at reinforces training and reminders. and department agency and invaded NASA. Cybersecurity challenges over the systems of nearly every major the next decade demand enhanced Recently, NASA’s Inspector General defense contractor. Therefore, the collaboration, communication, and pointed out in his testimony at a risk level has increased. Our need resources to meet the emerging and congressional hearing that the Agency to protect information systems and ever-changing threat environment. had experienced 5,408 computer the information stored on NASA security incidents in 2010 and 2011. The Office of the Chief Information equipment is greater than ever before. These intrusions resulted in the Officer and the IT Security installation of malicious software or The rapid growth of the Internet and its Division remain committed to unauthorized access which caused various facets, such as social media continued improvement of the IT significant disruptions to mission sites, wikis, blogs, and Web sites, to security posture as the NASA IT operations, theft of export-controlled disseminate information across the security program transforms and st data and technologies, and cost masses is no longer novel. This trend matures in the 21 century. v

6 www.nasa.gov Safeguarding Data at NASA Centers

Data has become the lifeline of every residents with informative activities and remediation of audit findings. Each business. So it’s no surprise that noteworthy presentations on topics system is audited based on existing safeguarding data at NASA Centers such as “Anatomies of Ownage,” software, patch levels, NASA baseline is an urgent priority. We asked “Case Studies of the Painfully Hacked,” configurations, and vulnerability-scan several NASA Centers what they’re and “Spot the Phishing Email,” as results. Future enhancements to doing to combat data corruption. well as other topics from Agency the application include the auditing authorities like the Computer Crimes of user accounts, privileges, and Ames Division of the Inspector General. ARC system logs, as well as expanding personnel are invited to participate the focus of audits from configuration The Ames Research Center (ARC) in “Hacker Jeopardy” and “What’s to general data protection. IT security team is responsible for Wrong With This Picture” games. managing IT security operations and Another way DFRC safeguards During the annual Ames Chili Cook- IT security training and awareness. NASA data is through the use of the off, they lure you into their booth with The IT security team also ensures NASA Access Management System award-winning chili and the promise that Ames complies with Federal (NAMS) tool to leverage enhanced of a free gadget if you “just, give Information Security Management system-specific internal access them your Social Security Number.” Act standards via the Assessment control. The system owner of the and Authorization program. The team is always considering the DFRC Lab & Engineering Seats IT merits of new security innovations system worked with the NAMS subject Vigilant to cybersecurity threats, the and is currently participating in an matter expert to create a customized team provides intrusion detection, Agency project assessing the best account management workflow to monitoring, and incident response— way to secure data on personal meticulously qualify and track Lab & often operating behind the scenes— devices (smartphones, tablets, etc.) Engineering Seat users. The workflow as Ames employees go about their to provide freedom of mobility while requires a detailed justification for daily tasks. A recent project identified protecting NASA assets. Vigilance and the use of a laboratory or engineering ARC staff and computers as having awareness are key, but if these fail, seat (versus a mainstream ACES a higher risk for malicious online the ARC IT security team is always seat), the user’s specific technical and real-world physical threats quick to act and minimize damage. requirements, a record of the user’s and how best to protect them. security training, and approval Among other provisions, the team from the user’s directorate. installed advanced data encryption, Dryden ensured Public-Key Infrastructure To support proactive data security, Goddard (PKI) credentials were current, and the Office of the Chief Information provided training to ensure personnel Security Officer at Dryden Flight Goddard Space Flight Center and proprietary data are secure. Research Center (DFRC) conducts continues to promote and educate regular audits on all information its employees on the importance of The IT security team provides ongoing technology assets. Dryden IT safeguarding data, namely Personally awareness activities via Web sites security personnel gather specific Identifiable Information (PII). and links to authoritative resources data pertaining to each system and For the past two years, Goddard has such as presentations and the IT record the data in a central audit a road show that is displayed in each security newsletter. The team hosts a repository: the Information Technology building’s lobby for approximately two monthly outreach meeting, providing Security Audit Database. The audit weeks at a time. The display provides technically advanced team members data and results are stored as digital a backdrop for the literature available (i.e., systems administrators) with forms within a Microsoft SharePoint to employees on PII, PKI, International the latest news on threats, malicious application; this application supports Traffic in Arms Regulations (ITAR), attack trends, Center incidents, and digital signatures, attachments, and Laptop Security, and Identity Theft, the opportunity for question-and- customizable data entry. Audits are as well as Security Operations Center answer sessions and networking. conducted on randomly selected (SOC) contact information, should a Security staff proactively meet with the machines from each security plan breach occur. During the first quarter Center’s research, science, and CMO present at DFRC on a monthly basis. of calendar year 2012, 75 posters organizations to ensure that the office The existing implementation uses were placed throughout the buildings is viewed as a friendly place to seek role-based account management at Goddard to raise awareness of data assistance in protecting the Agency. and supports further development to protection, as well breach-response The team participates during Cyber- include automated email notification information, which also educates Security Awareness Month, providing to relevant parties to facilitate people on how to respond should a

NASA OCIO IT Talk July-September 2012 7 breach occur. Additionally, Goddard before they go into production. NASA encryption software; ensuring that utilizes the marquee at the main NPR 1382.1 states, “PIAs must be hard-copy documents that contain SBU gates to post brief messages that conducted and made publicly available information are properly labeled and remind employees to protect their for all information technology (IT) routed with NASA’s SBU cover sheet; PII. Messages include the following: systems, including Web sites, which securing mobile devices while on travel; “ID Theft Can Happen to YOU!” collect and/or maintain Information and urging the importance of using “When in Doubt, Encrypt!” “Thumb in Identifiable Form (IIF) on members loaner devices when traveling abroad. Drives With PII Must Be Encrypted.” of the public.” To determine if a full Cybersecurity awareness is vital Privacy Impact Assessments (PIA) is The Center even orders educational when building a foundation for required, an Information and Privacy materials from the Federal ensuring the availability, integrity, and Threshold Analysis (IPTA) is completed, Trade Commission (FTC) and, confidentiality of NASA information and our developers are asked to most recently, the Credit Union and its systems. Once users are aware complete a worksheet that serves National Association (CUNA). of how and why it is important to as the initial analysis. The IPTA will protect NASA data, they can assist determine if the Web application should with being the first line of defense Glenn be provided to NASA Headquarters against cyber threats. Cybersecurity Glenn Research Center’s Information for further review and assessment. is everyone’s responsibility, and Technology Security Office (GRC ITSO) awareness is the first step. is working aggressively to strengthen Headquarters the information security posture at Cybersecurity is best deployed when Jet Propulsion Laboratory the Center and safeguard sensitive everyone is united in the efforts of Protecting the Jet Propulsion data. This is done first by protecting protecting NASA’s sensitive information. Laboratory’s (JPL’s) networks and the infrastructure with firewalls and NASA Headquarters collaborates with data in the face of an increasingly intrusion protection tools. Regular other NASA Centers (and other Federal sophisticated threat environment—while scans are run to detect vulnerabilities agencies) to learn and share techniques also making that data readily available and ensure proper remediation. and best practices for safeguarding to the scientists and engineers who Another way is to identify the personally data. These techniques are instrumental need it—presents a challenge. To meet identifiable information data being in ensuring that NASA employees are that challenge, JPL has implemented collected, stored, and transmitted exposed to current methodologies used a comprehensive IT security strategy, on the GRC network and ensuring for protecting NASA information, which two important aspects of which are the that it is properly protected. In some may also be applied for home use. cases, the amount of PII data being Application Security Program, which used can be reduced or eliminated. Recently, NASA Headquarters infuses IT security into all phases of hosted the cybersecurity awareness the development cycle, and Full Disk The process of identifying all PII presentations, “Protecting Your Privacy” Encryption, which addresses data data that flows through the Center’s and “Malware Self-Defense.” These protection for a mobile workforce. network can be challenging. One presentations were made possible Application Security—The of our processes is to utilize Cenzic through coordinated efforts with the Application Security Program focuses Hailstorm to scan Web sites and Web NASA Information Technology Security on securing applications from hackers applications for PII data collected on and Awareness Training Center at Glenn who attempt to obtain access to data internal and public-facing Web sites. Research Center. Via WebEx, audiences directly through the application, rather This is done by searching the form from various NASA Centers were able than exploiting vulnerabilities in the fields for input formats and terms, to collaborate and discuss personal operating systems. This program which support PII-type content. For experiences about how they used addresses five specific areas: example, a search can be performed specific methods for protecting NASA to check for formats usually used for data. The interaction made cybersecurity 1. Identify and track applications Social Security Numbers (SSNs) with knowledge-sharing fun and exciting. on both physical hosts and VM the use of a built-in script. Countless environments in the Application NASA Headquarters also provides other formats can be searched using Security Registry (ASR). This tailored cybersecurity awareness customized scripts. Approximately registry inventories all applications, sessions to organizations during all- 800 external and internal Web sites, gathers technical information hands meetings to address protecting applications, and interfaces have about those applications for NASA data while performing daily been scanned. We have plans to security purposes, and identifies business operations. During these scan another 600 credentialed sites. the responsible personnel. sessions, the focus is on protecting Another way we are safeguarding PII Sensitive But Unclassified (SBU) 2. Provide developers with application data is by working with the developers information (e.g., personally identifiable security-scanning tools that scan of all new sites and applications information) through the use of and analyze Web applications

8 www.nasa.gov and source code in multiple Directorate are also doing the following: IT security team introduced a Center- programming languages. wide campaign aimed at raising ҆ Coordinating IT security road shows ҆ awareness of a problem that spans all 3. Work with developers to for various offices center-wide organizations: unprotected sensitive implement security early in the ҆ Providing exhibits at key safety data stored on mobile devices. software life cycle through a ҆ events such as the Spring Safety, lifecycle security checklist. The 1st Annual KSC Spring Computer Health and Environmental Fair Cleaning campaign kicked off on 4. Provide security guidelines ҆ Conducting periodic webinars May 1, 2012. The goals of the for programming languages, ҆ on specific IT security month-long campaign were to: security checklists, and fixes topics for employees for common vulnerabilities. 1. Raise awareness of what files ҆ Presenting monthly IT Security are stored on the computer 5. Provide training and awareness ҆ safety topics to JSC’s senior staff and how to locate them. through periodic developer security training courses and a quarterly ҆҆ Encouraging employees to take all 2. Reinforce IT Security Training application security newsletter. available IT Security training courses objectives by showing users how to properly protect Full Disk Encryption—No matter ҆ Emailing monthly safety messages ҆ sensitive data using Entrust. how well we secure our data, our based on the agency’s Chief applications, and our networks, Information Security Officer’s 3. Reduce KSC’s potential risk a lost or stolen laptop containing awareness calendar, and exposure by having Data- unencrypted JPL data bypasses posting information on the at-Rest (DAR) installed. all on-lab security processes and center’s internal Website An intranet Web site was created that procedures. To protect JPL data consisted of helpful tips and techniques on these laptops from unintentional ҆҆ Partnering with the center’s to assist end users in cleaning their disclosure, all new laptops since JSC Safety Action Team and devices. It featured a video; a simple 2010 have been delivered with FDE providing IT security tips in cycle to find, organize, back up, delete, installed. At JPL, Pretty Good Privacy their monthly newsletters encrypt, and maintain files; Frequently (PGP) software is used to provide To further protect against future Asked Questions (FAQ) pages with Full Disk Encryption. To date, FDE threats and loss of NASA data, step–by-step directions and answers; is installed on nearly 4,000 systems, the team employs a wide range of and links to more information. Posters with plans to install it on all legacy tools that range from vulnerability and flyers were distributed throughout laptops by the end of the fiscal year. scans to anti-virus software installed the Center, the video played on kiosks JPL’s early adoption of FDE has allowed on employees’ computers. located in main building lobbies, and NASA to benefit from lessons learned A major issue that poses a risk to “helper sessions” were held, where and given the Agency a significant NASA’s information is loss or theft of anyone with questions or requiring head start in its own FDE deployment. mobile devices. The potential loss of additional assistance could tap into JPL continues to enhance this effort data such as Personally Identifiable technical support personnel ready to with plans to further integrate smart Information (PII), International Traffic provide hands-on help for laptops, card authentication and an expanded and Arms Regulations (ITAR), NASA smartphones, and other devices. effort to protect not only laptops but proprietary, budget, and technical data IT security personnel were readily any device that stores and processes can lead to dire consequences such as available to present information to ITAR, PII, and other sensitive data. compromised procurement proposals. organizations at staff meetings. The A smooth and seamless deployment Because the impact is unpredictable, payback was almost immediate of this critical technology strengthens JSC IT Security is currently focusing when users found sensitive files or JPL’s security posture and gives on educating employees on reporting located files they had long forgotten. confidence to our external partners. incidents as soon as possible. Feedback was extremely positive with users telling the IT staff that they were Johnson Kennedy going to perform the same checks on their home devices! Most importantly, As JSC’s Chief Information Security During the recent investigation of a lost we helped create a culture change of Officer, Mark Fridye’s goal is to reduce laptop at the Kennedy Space Center awareness and users learned how to the security threats through early (KSC) it was revealed that most users properly protect sensitive information. detection and employee awareness. were not aware of what information To make IT security awareness a was stowed away on their computers. part of JSC employees’ daily routine, As part of the mitigation efforts to Langley Fridye and the JSC IT Security team reduce NASA’s risk of sensitive data NASA-issued smartphones and within JSC’s Information Resources exposure, the Kennedy Space Center’s other handheld devices are highly

NASA OCIO IT Talk July-September 2012 9 vulnerable to information theft and compromised, sometimes the The strategy and architecture online security threats. In fact, only way to be sure that the virus being developed to efficiently and smartphones require the same security is removed is to completely wipe effectively manage continuously precautions as a laptop connected to its memory. Also, before leaving monitored life-cycle activities a NASA or public wireless network. on a trip, be sure to back up that leverage people, processes, your data—it only takes a few and technology. This is focused Here are five simple ways to minutes. If you happen to lose on data-centric approaches protect your NASA smartphone your phone, notify the NASA commensurate with a risk tolerance or any other handheld devices: Security Operational Center (SOC) based on National Institute of 1. Set a password or PIN on your at 1-877-627-2732 or via the SOC Standards and Technology (NIST) smartphone (NPR 2810.1A, Security email address at [email protected] requirements and standards. of Information Technology). as soon as possible. Remember, ҆ Privacy and Data Protection Setting a password is the simplest you should make regular backups ҆ Program Management—MSFC way to keep your data safe. This to preserve your information. is continuously integrating makes it less likely that anyone information privacy management will access your private data if Marshall and data-protection processes your phone is lost or stolen. The Marshall Space Flight Center and procedures into the System 2. Keep it up to date (NASA-STD- (MSFC) IT security leadership Development Life cycle and other 2804L, Minimum Interoperability team recognizes the importance enterprise activities. This approach Software Suite). of effectively providing data includes continuous monitoring and Make sure you are running the latest protection for both the Center and incident-response efforts in order to smartphone operating system version. the Agency. To provide holistic provide more detailed sensitivity and Just like a desktop or laptop comput- information assurance the data must risk factors to data while addressing er, staying up to date is your first line be considered the true asset to threats, vulnerabilities, and incidents. of defense from hackers and viruses. steward and protect. Therefore, we are actively developing strategies, 3. Be careful with apps. Stennis architectures, and solutions centered Make sure to download responsibly: Stennis Space Center (SSC) protects on identifying and protecting data as it is safer to use application its data with a combination of an asset throughout its life cycle. marketplaces provided by your technical and administrative controls. carrier or phone vendor than to Per OMB Circular A-130, We have implemented a strong download directly from the Web. Management of Federal Information continuous-monitoring program using Unless you are an information Resources, the term “information both Agency- and Center-provided security expert, you should only life cycle” means the stages tools. Since the installation of the download apps from the official app through which information M86 Web proxy, our incident rate stores. Even then, rogue malware can passes, typically characterized as originating from Web-surfing activity slip through vetting, so have a look creating or collecting, processing, has decreased significantly. SSC at the reviews by other users first. disseminating, using, storing, and has also implemented an aggressive disposing. MSFC IT security and vulnerability scanning program that 4. Turn off WiFi and Bluetooth. data protection strategies are identifies system vulnerabilities and The easiest way to stay safe (and being implemented to address helps discover all devices on the conserve battery) is to turn WiFi and risk throughout the enterprise network, both legitimate and rogue. Our Bluetooth off when you aren't using information life cycle. Some of integration of a risk and compliance them. When you use Bluetooth, these efforts include but are management system that complements make sure it is in nondiscoverable not limited to the following: the Risk Management System (RMS) mode. When you use WiFi, always has allowed SSC to streamline our try to use an encrypted network or ҆ Information Security Governance, ҆ Authorization and Accreditation (A&A) use a VPN. Otherwise, hackers can Risk, and Compliance Framework program. As a result, the enhanced easily “sniff” your data out of the Development—The data-asset- Plan of Action & Milestone (POA&M) air. Remember, if you aren't using focused framework being tracking helps us identify and mitigate WiFi or Bluetooth, you should turn implemented to address asset weaknesses in a timely manner. SSC off wireless communication features identification and inventorying, has also been consolidating hosting to prevent hackers from gaining data-sensitivity requirements locations, which brings more data into remote access to your smartphone. management, security operations, a tightly controlled environment that and IT risk management. 5. Back up your data. provides greater security, redundancy, If your smartphone is ҆҆ Continuous Monitoring Lifecycle— and configuration control. v

10 www.nasa.gov Collaboration that Pays NASA Back By John Sprague, End User Service Executive, & Ken Freeman NASA Security Operation Center Operations Manager Your NASA Operational Messaging and subject line. The emails have links to Web requiring that their systems be pulled off Directory Services (NOMAD) email and sites where malware can be downloaded line. The Center Incident Response Teams the NASA Security Operations Center to the users’ computers or contain bogus would review the system, and the System (SOC) teams are working together attachments. Many times, the SOC will first Administrator would then have to rebuild daily to “prevent” security-related learn about a hostile email when a user the system with the standard load and incidents and avoid lost productivity. reports it to the SOC as a possible phishing the user’s backup files before the Center attack. Other times, the SOC receives declares the system safe. This process A recent NOMAD Summary Report revealed third-party information from numerous estimates the user being nonproductive that during a 6-month period NASA government and commercial sources. for 10 hours and the average full cost received over 240,000 phishing attempts. of an employee’s time at $100 per hour As defined by Wikipedia, “phishing is Using a simple cost-avoidance (a rough figure commonly used). The 3 attempting to acquire information (and estimate model, the following percent figure is based upon one Center’s sometimes, indirectly, money) such as calculations can be made: experience where a well-crafted email usernames, passwords, and credit card 240,429 emails at 3 percent = 7,212.87 message was sent to all users at a Center. details by masquerading as a trustworthy Before it was stopped, about 3 percent entity in an electronic communication.” 7,212.87 × 10 hours of nonproductive of the users receiving the message went time = 72,128.7 hours Communications purporting to be from the whole nine yards and opened the popular social Web sites, auction sites, online $7,212.87 × 100 hours labor to fix = link and downloaded the malware. payment processors, or IT administrators are $7,212,870 in avoided lost productivity If you suspect you have received a commonly used to lure the unsuspecting. costs just in this 6-month period. Not phishing email, don’t click the link or Phishing is typically carried out by email included in this calculation were any open the attachment—report it or delete spoofing or instant messaging, and it lost data, which could be priceless. it, and we’ll all be the better for it! often directs users to enter details at a The cost-avoidance estimate is based For more information on SOC operations, fake Web site whose look and feel are upon a hypothesis that 3 percent of users please visit the SOC Web site at almost identical to the legitimate one. who receive an email with hostile links to https://share.nasa.gov/it/security/ops/ The SOC frequently requests NOMAD to malware would go the “whole nine yards” Pages/default.aspx. Please note block emails based upon an email’s “fishy” and unintentionally infect their computers, this is a NASA-internal site. v

NSSC Relocates Data Center to NCCIPS By Mae Mangieri, Communication Specialist, NSSC

As the NASA Shared Services Center “Over the past five years as the NSSC has protection from hurricanes and the (NSSC) continues to grow, so does the need continued to grow and mature, it became unexpected, especially since ‘Go Live’ of for its availability to NASA users. Twenty evident to us that our data center was not NASA’s 24/7 Enterprise Service Desk (ESD) months ago, the NSSC began planning up to the standard necessary for the NSSC at the NSSC,” said CSC Project Manager to improve the availability, reliability, and to be able to provide continuous services Tommy Thompson. “We also wanted to allow serviceability of its data center. On April 29, to all of our customers,” said NSSC Deputy for redundancy of both of our networking 2012, the NSSC completed this upgrade Chief Information Officer (CIO) Jim Walker. and power distribution as well as all the by relocating from its Tier-1 data center to The NSSC brought together four teams—CSC advantages that come from Tier 2.” the National Center for Critical Information (formerly Computer Sciences Corporation), The impact of this move is not insignificant. Processing and Storage (NCCIPS) facility, Science Applications International Corporation The data center’s relocation, enhanced located at Stennis Space Center. (SAIC), Hewlett-Packard Enterprise Services, infrastructure, and ability to better NCCIPS is a NASA-managed, Tier-2+ and the NCCIPS staff—to work in collaboration withstand natural disasters better postures shared data-services facility serving to ensure that the NSSC’s IT infrastructure was the NSSC for around-the-clock support multiple Federal agencies, and providing enhanced, and that the transition was completed under all adverse conditions. Critical efficiently with minimal interruption to services. robust electrical, cooling, and bandwidth personnel, financial, IT, and procurement infrastructure necessary to support the secure “We were looking for a way to provide data is now maintained in a nationally processing of critical Federal information. additional physical security and greater recognized and secure data center. v

NASA OCIO IT Talk July-September 2012 11 I3P Update

Communications Services (NICS) is to use a Java-based browser such as September 2012 will introduce a new line of On April 1, 2012, the Communications Internet Explorer, Firefox, or Safari. business to NEACC operations, allowing OE to leverage exciting reporting, dashboard, Services Office (CSO) and the NASA Data-at-Rest (DAR) encryption is being and mobile application capabilities. The Integrated Communications Services implemented on laptop computers and OE initiative is one of many ongoing or (NICS) contract completed transition at all desktop computers containing sensitive upcoming projects and initiatives in the NASA Centers. Many thanks are offered to information. A DAR general outreach NEACC’s pipeline. Key among those projects everyone who contributed to a successful message has been sent Agency-wide. In and initiatives is the continued build-out transition, especially the Center Transition July, general deployment of DAR begins for Managers. With the “transition” stage computers containing sensitive information. of critical application capabilities in the complete, the “transformation” phase of Integrated Collaborative Environment the NICS contract is now underway with The ACES team worked through the (ICE)—Product Lifecycle Management Line a number of transformation activities in backlog of Requests for Quotes (RFQs) of Business on the robust and secure ICE- development to enable the vision of the CSO within the Service Requests (SRs) system. enhanced infrastructure in support of the and Information Technology Infrastructure There is no longer a backlog of RFQs. tri-program missions. To further enable ICE, Integration Program (I3P). Examples of A new ACES Steady State Communications a cross-Agency team of functional experts these activities include the development of Process has been implemented in which has just wrapped up a series of workshops a long-term service-delivery strategy for all outreach messages are grouped into to define common, flexible configuration the local area network (LAN) and Agency four categories (alert, action, advisory, and management and detailed design processes voice services while incorporating the awareness) in order to ensure consistent to support tri-program needs. The NEACC near-term needs of the Centers and our messaging to our customers on all team is beginning to implement these customers. Working groups with both CSO/ ACES-related topics. The ACES News, new process capabilities in WindChill NICS and Center/customer participation a monthly e-newsletter that provides 10.0 and will continue to build them out have been initiated for both of these tasks. information to NASA end users about in a series of “sprints” running through During the transformation phase, ACES activities, products, services, and the summer and into the fall of 2012. collaboration among the Centers, customers, processes, has received great reviews. Office of the Chief Information Officer This is just one example of how the EUSO Enterprise Service Desk (ESD) (OCIO), and CSO/NICS will be key to the provides end-user-focused messaging. Over the last 6 months, the ESD has mutual achievement of the Agency, Center, been providing the NASA I3P community customer, and CSO’s goal of creating a Enterprise Applications Services (EAST) with a self-service Web portal (Tier secure, high-performance, integrated, The Enterprise Applications Service 0), service request capability, and and efficient network environment. Office (EASO) has been in close contact incident-submission and notification- with its service board—the Enterprise tool-subscription capabilities. Over this End-User Services (ACES) Applications Services Board (EASB)— period of time, we have seen customers All Centers have been transitioned to the over recent weeks in an effort to provide become more familiar with ESD and its Agency Consolidated End-User Services Rough Order of Magnitude (ROM) various offerings. This month, Systems Contract (ACES). The End-User Services estimates for 2013 initiatives by Line Requirements Reviews (SRRs) occurred Office (EUSO) is working diligently with the of Business (LOB). The EASB will make for ESD 1.2 and ESD enhancements. Centers and Hewlett-Packard Enterprise prioritization recommendations to the ESD 1.2 will implement two critical Services (HPES) to resolve issues related Business Systems Management Board, Information Technology Infrastructure Library to services provided by ACES. A weekly which has decisional authority over the (ITIL) modules: I3P Change Management meeting is held to review action items and budget that comes to the NASA Enterprise and I3P Problem Management. The I3P issues with the Agency CIO’s office and Application Competency Center (NEACC) Change Management module will be utilized ACES subject matter experts (SMEs). and which funds the Enterprise Applications to manage the process for controlling Services Technology (EAST) contract. Office Communicator Web Access is a new changes to ensure they benefit customers service available under ACES. Users can With shrinking budgets, the governance and the I3P program and are implemented now use Instant Messaging (IM) without the decisions and prioritization of Agency IT without interruption of services. The Change Office Communicator or Mac Messenger initiatives will provide critical guidance Management process may refer to system client. Office Communicator Web Access for the NEACC as the first Option Decision changes or process changes. There will allows you to use IM through a Web Package milestone approaches for EAST. be change categories for prioritization browser. Users do not need to be on site The NEACC’s scope continues to expand, purposes (process, service, governance, or connected to a NASA Center through with the ongoing transition of applications technical), and the module will outline a virtual private network (VPN) in order supporting the NASA Office of Education the roles and responsibilities necessary to use this service. The only requirement (OE). The completion of that transition in for efficient change implementation.

12 www.nasa.gov IT Operations I3P Problem Management involves root- NASA is also shifting to a new Web-services cause analysis to determine, reduce the model that uses Amazon Web Services Handbook impact of, and potentially resolve (via Change for cloud-based enterprise infrastructure. The I3P IT Operations Handbook Management) the cause of incidents. This This cloud-based model supports a (ITOH) is now available for use is separate from the Incident Management wide variety of Web applications and by the Information Technology process, which returns service to the user. sites using an interoperable, standards- Infrastructure Integration Program Problem Management will be both proactive based, and secure environment. (I3P) support personnel. The and reactive. Reactive Problem Management The acquisition strategy for Web Enterprise handbook covers a variety of topic minimizes the impact of incidents happening Service Technology WESTPRIME is to areas including I3P governance, now, while proactive Problem Management compete this requirement among several operations management, and will rely upon heavy utilization of trend analysis sources on the U.S. General Services communications. Users will find and event management to prevent incidents. that the ITOH contains links to Administration (GSA) Federal Supply many supporting documents in Both modules are based on ITIL v3 and Schedule (FSS) Information Technology 70. order to provide timely information. will utilize the same tool set used for The solicitation is scheduled to be released IT and resource approvers will the 1.0 and 1.1 elements of ESD. These in the July to August timeframe. NASA find the handbook especially modules will be primarily utilized by OCIO expects to release the Request for Quote helpful since it outlines critical points of contact within the I3P program (RFQ) for WESTPRIME by August 2012 areas that support their work. and Center CIO offices. The Operational and make an award selection by April Readiness Review (ORR) for ESD 1.2 Why do we need a handbook? 30, 2013. An industry day forum will be is expected to occur in October. I3P focuses on comprehensive conducted shortly after the release of the IT service management. It is At the same time, the ESD project team solicitation to discuss specific information more than just I3P contracts. is working on system enhancements that about the proposed acquisition necessary The processes, procedures, and will benefit CIO personnel, I3P providers, for the preparation of proposals. Topics governance have all changed in the I3P business office, and I3P customers. will include the proposed contract type, concert with the I3P contracts The enhancements are a collection of terms and conditions, and acquisition to provide enterprise IT services miscellaneous improvements to the basic planning schedules; the feasibility of that meet customers’ needs. ESD implementation. Based on customer the requirement, including performance The ITOH provides information feedback and lessons learned from requirements, statement of work, and about the processes, procedures, production use, slight modifications to the data requirements; the suitability of the and governance that customers initially requested design are necessary to proposal instructions and evaluation criteria, and those with an I3P role need. enhance the usability of the tool for NASA including the approach for assessing past The ITOH is a living document that will evolve over time. users. Several aspects of the tool will be performance information; the availability modified during this project, including of reference documents; and any other The difference between the ITOH interface design data being exchanged with industry concerns or questions. This handbook and documented the I3P contracts, features of notifications forum will be open to the public. procedures is that it provides and surveys, and the availability and links to documented Standard The goals of the WESTPRIME contract are to: display of information on the self-help Operating Procedures (SOPs). Web site. Enhancements will occur ҆҆ Enhance business and technical agility; Rather than a static list of SOPs, the ITOH is organized into sections continuously throughout the project. ҆҆ Eliminate vendor-specific dependencies; to help users find the procedure ҆ Drive down operational overhead ҆ they need. While the ITOH is for Web presence; Web Services and WESTPRIME presented in an outline form today, Web services are continuing under the ҆҆ Drive down the cost of custom future plans include adding an current vendor, whose contract has been Web and on-demand services for explanatory text to assist in the extended through April of 2013. Current missions, programs, and projects; navigation of the document. services include the following features: ҆ Increase NASA IT security; ҆ The handbook is always evolving. Explore collaborative services ҆҆ Web-content delivery ҆҆ You may send your feedback to across NASA Centers; and Corinne Irwin (corinne.s.irwin@ ҆҆ Web site development ҆ Improve online customer service delivery nasa.gov) or John Kasmark ҆҆ Content management ҆ through innovative technology. v ([email protected]). The ҆҆ Bandwidth management document is available at http:// ҆҆ Search capabilities ocio.ndc.nasa.gov/public/I3P%20 ҆҆ Collaboration services ITOH/Forms/AllItems.aspx. v ҆҆ Web hosting

NASA OCIO IT Talk July-September 2012 13 2012 Technology Summit By Irene Wirkus, NASA Emerging Technology and Desktop Standards

Recently, NASA’s Emerging Technology and ҆҆ Incorporating technologies that future iterations of NASA’s Desktop Computing Desktop Standards (ETADS) team hosted support, enhance, and secure mobile Standards, NASA‐STD‐2804 “Minimum Interop- its 2012 Technology Summit. The Summit devices and the remote worker. erability Software Suite” and NASA‐STD‐2805 “Minimum Hardware Configurations,” continue provided a forum for technology leaders to ҆҆ Incorporating technologies that enhance share insight on industry trends and brief interoperability and collaboration. to provide NASA users with desktop configurations consistent with industry trends and NASA NASA on product portfolios, roadmaps, ҆ Emerging and submerging ҆ requirements. The Summit also provided NASA and corporate direction. Participants in this industry standards. personnel with an opportunity to gain awareness year’s Summit included Apple, AT&T, Cisco, ҆҆ Emerging trends and regarding cutting edge technologies and services Dell, Fiberlink, Google, Hewlett-Packard, disruptive technology. that can assist them in their pursuit of mission Intel, Lenovo, Microsoft, Research in Motion ҆҆ Upcoming changes to the and project goals. Finally, the Summit served to Ltd. (BlackBerry), Verizon, and VMware. personal computer platform. promote an open and ongoing dialogue with in- The Summit, held at the Glenn Research ҆҆ Establishing a timeline for adoption of dustry leaders so they can better tailor their tech- Center in Cleveland, OH, was open to the Internet Protocol, version 6 (IPv6). nology suite to be attractive to Agency customers and supportive of NASA’s goals and obligations. entire NASA community and available The Summit offered a unique opportunity for via WebEx videoconferencing for those NASA to meet with industry IT leaders and dis- For more information about the 2012 Technology who could not attend in person. Vendor cuss ways to meet the IT challenges facing NASA Summit, along with video highlights, WebEx participants were asked to focus on the and the Federal Government. The knowledge recordings, and vendor presentations, visit the following topics during their presentations: gained from this exchange helps ensure that ETADS Web site at https://etads.nasa.gov. v

Cisco demonstrates its Intel briefing at ETADS. Hewlett-Packard presents the mobility solutions. Z1 “All-in-One” Workstation. International Space Apps Challenge By Nicholas Skytland-Open Government Initiative

The International Space Apps Challenge joined 90 other organizations, hosted the inaugural the front page of the British Broadcasting together over 2,000 people around the world in challenge in 25 cities, 17 countries, and Corporation’s (BBC’s) Web site. Gov 2.0 Radio creating solutions of global importance related online. The event brought together 2,083 (http://gov20radio.com/spaceapps/) provided to spaceflight. The code-a-thon-style event registered participants ages 16-70 to address special coverage for the event that included took place in cities on all seven continents 71 challenges grouped into four categories 45 interviews with organizers, experts, and on April 21 and 22, 2012. The event was including open-source software, open hardware, participants from all locations. The entire event part of the United States’ commitment to the citizen science platforms, and data visualization. was streamed online to thousands of people around the world, and although it’s hard to Open Government Partnership, a multilateral More than 100 unique solutions were developed measure the total viewership, the Twitter initiative between 55 nations pledging to in less than 48 hours during the event. All stream alone generated 3.3 million hits. promote transparency, participation, and solutions were developed in a completely collaboration between governments and open-source environment, and each has its own The International Space Apps Challenge citizens. The International Space Apps unique potential to go even further to address was an event unlike any of its kind, and Challenge upheld the pact to “promote world and space technology challenges. it set the stage for even more technology innovation through international collaboration.” development through international In addition to the technology developed, the collaboration in industries around the world. Space exploration was the ideal catalyst to event itself generated considerable media foster this culture of innovation, and NASA, in coverage for NASA, resulting in more than For more information visit collaboration with 9 government agencies and 100 articles, including being highlighted on http://spaceappschallenge.org. v

14 www.nasa.gov Passion Turned to Productivity at NASA Ames Research Center (ARC)

By Penny Hubbard, CIO Communications, AMES

Computer science is a passion for not only on theoretical, but also on Evan Ye, an INSPIRE* intern at ARC applied aspects of school subjects.” Evan had the amazing opportunity during the summer of 2011. He’s He was involved in INSPIRE, a to utilize his programming skills in a always been intrigued by “how a NASA educational program for real team environment, while learning mere snippet of code can harness high school students interested in about NASA, working with teams, and a computer’s power,” he said. science, technology, engineering, opening doors to other programming Building on this fascination, Evan and mathematics (STEM) careers. opportunities. NASA gained a learned how to command computing He also went through an extensive valuable and time-saving program— application process to become an power, turning it into a success story part passion, part inspiration, and intern, and he was paired with mentor at NASA, writing an autonomous all Information Technology. network diagramming program. Dr. S. Terry Brugger at Ames. Since Evan interned at NASA, Dr. Brugger provided the project As Evan honed his curiosity into he’s graduated with honors in the programming skills, he learned description, skills, and aptitude needed top 5 percent of his class and C and Java languages, pursuing for the project, as well as the testing for received the President’s Education more sophisticated programs. He the final program. Evan worked with Dr. Award—sponsored by the U.S. learned a gaming program in middle Brugger to evaluate existing processes Department of Education. He will be school, discovering that he loved and gather requirements for network “figuring out how to make objects diagramming. Initially, it was a time- attending the University of California, in the game act appropriately.” As consuming, manual-entry process. Berkeley, this fall, studying electrical captain of his high school chess club, He wrote a program that takes NASA engineering and computer science. network data from a spreadsheet and Evan combined two of his favorite *For more information about the activities by writing a full-fledged automatically produces a network diagram from it. The significant Interdisciplinary National Science chess-interface program. He had productivity enhancements saved days Project Incorporating Research and many setbacks writing the code, but of effort for Dr. Brugger, and there is Education Experience (INSPIRE), his determination saw him through. interest in using Evan’s autonomous visit http://www.nasa.gov/offices/ Evan wanted a practical scenario to network diagramming program for education/programs/descriptions/ utilize what he had learned, “to focus other systems across the Agency. INSPIRE_Project.html. v National Job Shadow Day

Recently Stennis Space Center and the group in broadcast remarks. descriptions of their background, the NASA Shared Services Center held Participants then attended a variety of education and job responsibilities a National IT Job Shadow Day event. workshop and seminar presentations, which allowed time for the participants About 170 high school and elementary including IT speed mentoring, a to ask questions. The mentoring girls from area schools visited Stennis cryogenics demonstration and a session was followed by tours of IT Space Center to participate in a day of “Dress for Success” fashion show. facilities. The girls left with a better activities to promote careers in science understanding of how information The mentoring session began with and mathematics. Stennis Space technology is used at NASA and remarks by the SSC CIO, Dinna L. Center Director Patrick Scheuermann with a broader idea of what they Cottrell and the NSSC Deputy CIO, welcomed the girls to the rocket can do beyond high school. Jim Walker. The IT speed mentoring engine test facility, and NASA Deputy session was conducted by employees The day-long activities concluded with Administrator Lori Garver addressed from the SSC’s and NSSC’s Offices of a keynote address by Retired U.S. the CIO and Army Col. Sheila Varnado, executive supporting director of R3SM (Recover, Rebuild, contracts. Restore Southeast Mississippi), The mentors and a simulcast presentation gave brief from NASA Headquarters. v

170 high school and elementary girls from the area schools

NASA OCIO IT Talk July-September 2012 15 Stennis IT Expo

On June 21, 2012 Stennis Space Chief Technologist for ASRC Research http://sscintranet.ssc.nasa.gov/ Center held its 8th Annual Information and Technology Solutions (ARTS), specialfeatures/dar.asp (this link is Technology (IT) Expo which was who presented ASRC’s IT Expertise internal to Stennis employees only). sponsored by the Center’s Office of and Strategic Capabilities; and Bobby IT Expo attendees also obtained the Chief Information Officer (OCIO). Collins, Senior Engineer / Collaboration information on Applications The event highlighted services and Technologist with SAIC who presented capabilities are available through the on “Video Teleconferencing.” Support, IT Security, Video NASA SSC OCIO and its Production and Audio support contractors. They Visual Services, Records include ASRC Research and and Documentation Technology Solutions (ARTS) Management, SSC which provides Information Online Web Ordering

and Technical Services (ITS), Service (OWEB), and the IT Talk HP Enterprise Services, Stennis Data Center. which provides Agency Product information was Consolidated End User provided by several ACES HP Services (ACES); and Science Enterprise Services vendors Applications International which included Apple, Corporation (SAIC), which AT&T, Citrix, Konica, KST, provides support for NASA’s Lenovo, Microsoft, Verizon, Integrated Communication Services. The NASA Shared Cisco, and Symantec. Services Center (NSSC) Stennis CIO Dinna Cottrell tours booth The IT Expo provided a also showcased the Agency great opportunity for SSC Enterprise Service Desk (ESD). A seminar entitled “What is Data employees, NASA, resident agencies, An executive session launched the At Rest (DAR)” was offered to and contractor employees to meet annual Information Technology Expo with participants of the IT Expo. DAR with technology providers and opening remarks from SSC CIO, Dinna protects NASA’s data on computers obtain details on their products and L. Cottrell. The speakers at the executive while they are powered off. All Agency services. Door prizes were drawn session included Senior Vice President laptops and desktop computers for attendees who registered. For and General Manager of HP, Marilyn that store sensitive information will more information on the highlighted Crouther, who presented on HPES receive DAR by September 10th services or capabilities, call the Capabilities, Dr. Pedro J. Medelius, 2012. For more information go to SSC OCIO at 228-688-6246. v

National Aeronautics and Space Administration

Office of the Chief Information Officer 300 E Street, SW (1225 Eye Street) Washington, DC 20546 www.nasa.gov