Not all problems were due to HPE. NASA was responsible for some of the issues because of inefficient decision-making, problems setting up an ordering system, and inadequate oversight, the report said.
But the bottom line was that HPE wasn't delivering on its promises.
"HP is performing poorly under the contract even after taking into consideration the agency's failure to establish sound performance metrics," the report said.
Six months to shape up
According to George, Wynn made the right decision in denying the authority to operate.
"You don't want to end up in a few months seeing that there's been another breach, and she has to explain why she signed off," he said.
In theory, this means that insecure systems have to be closed off to outside access, he said. "Otherwise, they would present an attack surface that could be leveraged."
But there's a six-month grace period, he added.
"She used the authority to operate to get into the news, to elevate this message, but made an exception for 180 days to give people a chance to fix it," he added. "If not, after 180 days, she might go through and say, hey, let's shut everything down."
Issues go beyond NASA
But Wynn isn't just drawing attention to problems with the HPE contract. She's also drawing attention to the problems many government agencies are having in becoming compliant with the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program.
"Agencies have to deal with hundreds of thousands of vulnerabilities across their IT environment and are often simply too overwhelmed to determine which vulnerabilities pose the highest risks," George said. "This move will hopefully raise enough awareness to force discussions on how to really operationalize cyber risk management."
Recent breaches at the Office of Personnel Management, the IRS, the FBI, and the Department of Homeland Security show that the problem is pervasive.
"It's a giant mess," George said.
The CDM program came out of the Department of Homeland Security and NIST back in 2013, and was supposed to help address cybersecurity issues across the federal government.
"In reality, not much has happened," said George. "A lot of agencies are still scratching their heads. There are a lot of different systems, a lot of contractors, and millions of vulnerabilities -- and they don't know where to start."
HPE declined to comment for this story.
NASA spokeswoman Karen Northon said that the agency is committed to holding vendors accountable if they don't meet their contractual obligations.
"The conditional Authority to Operate signed by NASA’s chief information officer is one mechanism by which the agency can ensure Hewlett Packard Enterprises takes the necessary steps to fully meet their obligations," she said.
"The agency will continue to work closely with HPE throughout the remediation process to ensure this goal is met and the required level of service is sustained through the life of the contract."