In a special review made a couple of days ago, NASA Inspector General Paul Martin revealed that it was unlikely that the agency would be able to meet the December 21 deadline to deploy full disk encryption on all laptops.
Shortly after the incident, the agency promised to accelerate the whole-disk encryption process, outlined back in December 2010 when NASA signed an Agency Consolidated End User Services (ACES) contract with HP to obtain a wide range of IT services.
Back in November 2011, a similar acceleration of the encryption process was ordered after a laptop was stolen from an employee’s car.
At the time, the agency began identifying critical users and started encrypting their work devices, but the process had a few slip-ups and the staffer whose laptop was stolen this October wasn’t identified as a critical user.
After this latest incident, NASA promised to encrypt the hard drives of all laptop computers by December 21. However, according to the inspector general’s review, that’s unlikely to happen.
“In our judgment, it is extremely unlikely that the Agency will meet its December goal primarily because the Agency does not have a full account of the number of ACES and non-ACES laptops in its possession,” Martin wrote in his report.
“Without knowing the full universe of laptops that require encryption, the Agency cannot be sure that all of its laptops are protected with whole-disk encryption software.”
The report concludes that the full-disk encryption effort has been delayed repeatedly because of the decentralized nature of the agency’s IT management, the lack of sufficient internal controls, and the slow implantation of the ACES contract.