NASA's IT Security vision "calls for integrated, secure and efficient information technology … Over the next three to five years the objectives of the vision include the ability to improve NASA's capability to predict, prevent and effectively contain potential IT security incidents," NASA CIO Linda Cureton told Congress in her own written testimony, which appears to be simultaneously claiming NASA already did all the security enhancing things the Inspector General's office recommended and that NASA was about to launch changes specifically to answer those recommendations.
Neither way matters much.
If NASA has already done all the things OIG thinks it should, it did them badly enough to not even be able to slow the Chinese down.
If it is about to do those things it at least recognizes it has been slipshod in its approach to security in the past.
The whole U.S. government has a well-deserved reputation for being really bad at IT security. Even the U.S. military is pretty bad at it. It doesn't serve much purpose to keep bashing federal agencies for not having the budgets or political will to fix their own security weaknesses. Security is secondary to what they do, which isn't an excuse, but is a mitigating factor.
NASA and the Pentagon, on the other hand, depend so heavily on IT, on digital data, on computer-controlled complex systems, robots, satellites and other cutting-edge technology that the technology and the IT security that protects it, has to be considered a core competency. Doing it badly directly affects the ability of the whole organization to fulfill its mission.
Potentially losing control of the International Space Station could put a huge trophy in the hands of a foreign government. It could also become a death trap for astronauts and a kinetic-energy bomb for anyone able to remotely shut off its environmental systems, open its doors or maneuver it into crashing into the Earth.
That doesn't make losing the keys any more colorful as the point of an anecdote; it makes losing them a lot less funny to anyone who worries about the destructive capacity of anything falling 250 miles to Earth.
Doing IT security so badly for so long, especially when you absolutely know better and don't even question the need to keep all your sensitive data safe from foreign intelligence services, means something far more damning for NASA than it would for the Dept. of Labor.
At NASA poor security isn't a joke, it's a threat to national security
NASA gets a pass from many people for its occasional flubs, because it's doing more exciting and innovative things than any other agency of the federal government.
If it were doing those things in a way that made its astronauts or the general public unsafe, NASA would be loudly and instantly criticized.