Audit Finds Gaping Holes in NASA Security
The U.S. Government Accountability Office (GAO) has painted a bleak picture of NASA's IT security posture.
An audit of the space agency's computer systems found weaknesses in
several critical areas, especially in the way NASA implemented access
controls like user accounts, passwords and the encryption of sensitive
data. Here's the gist of the audit findings:
[NASA] did not always sufficiently identify and authenticate users, restrict user access to systems, encrypt network services and data, protect network boundaries, audit and monitor computer-related events, and physically protect its information technology resources. In addition, weaknesses existed in other controls to appropriately segregate incompatible duties and manage system configurations and implement patches. A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.
Specifically, it has not always fully assessed information security risks; fully developed and documented security policies and procedures; included key information in security plans; conducted comprehensive tests and evaluation of its information system controls; tracked the status of plans to remedy known weaknesses; planned for contingencies and disruptions in service; maintained capabilities to detect, report, and respond to security incidents; and incorporated important security requirements in its contract with the Jet Propulsion Laboratory.
The auditors warn that highly sensitive personal, scientific, and other data were at an "increased risk" of unauthorized use, modification, or disclosure.
* Here's the GAO report [PDF]