NASA did not develop information technology (IT) security performance measures that fully addressed security program performance requirements in the Government Information Security Reform Act (Security Act) and the Office of Management and Budget guidance for reporting on the Security Act. Although the NASA Chief Information Officer established fiscal year 2002 Agencywide IT security performance measures for unclassified systems, based on our audit work, the measures either did not fully accomplish NASA's intended Agencywide IT security program goals or did not ensure that NASA information, data, and systems were adequately protected. Management concurred with our recommendations and plans to take responsive corrective actions.

This report contains information that may not be releasable to the general public.