NASA relies on a series of computer networks to carry out its various missions, including controlling spacecraft like the International Space Station and conducting science missions like the Hubble Telescope. Therefore, it is imperative that NASA protect its computer networks from cyber attacks that could disrupt operations or result in the loss of sensitive data. In this audit, we evaluated whether NASA protected information technology (IT) assets on its Agency-wide mission computer network from Internet-based cyber attacks. Specifically, we assessed whether NASA adequately protected these IT assets from Internet-based attacks by regularly assessing risks and identifying and mitigating vulnerabilities. We also reviewed internal controls as appropriate. Details of the audit's scope and methodology are in Appendix A. We found that computer servers on NASA's Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network.1 However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011. Until NASA addresses these critical deficiencies and improves its IT security practices, the Agency is vulnerable to computer incidents that could have a severe to catastrophic effect on Agency assets, operations, and personnel. In order to strengthen the Agency's IT security program, we urge NASA to expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA's Agency-wide mission network. We also recommend that NASA Mission Directorates (1) immediately identify Internet-accessible computers on their mission networks and take prompt action to mitigate identified risks and (2) continuously monitor Agency mission networks for Internet-accessible computers and take prompt action to mitigate identified risks. Finally, to help ensure that all threats and vulnerabilities to NASA's IT assets are identified and promptly addressed, we recommend that NASA's Chief Information Officer, in conjunction with the Mission Directorates, conduct an Agency-wide IT security risk assessment. In response to a draft of this report, the Chief Information Officer and Mission Directorates concurred with our recommendations. The Chief Information Officer stated that she will work with the Mission Directorates and Centers to develop a comprehensive approach to ensure that Internet-accessible computers on NASA's mission networks are routinely identified, vulnerabilities are continually evaluated, and risks are promptly mitigated by September 30, 2011. In addition, the Chief Information Officer said she will develop and implement a strategy for conducting an Agency-wide risk assessment by August 31, 2011. The full text of NASA's comments can be found in Appendix B. We consider the Chief Information Officer's proposed actions to be responsive to our recommendations.