Paul K Martin said hackers took over Jet Propulsion Laboratory (JPL) computers and “compromised the accounts of the most privileged JPL users”.
He said the attack, involving Chinese IP addresses, was under investigation.
In a statement, Nasa said it had “made significant progress to protect the agency’s IT systems”.
Mr Martin’s testimony on Nasa’s cybersecurity was submitted to the House Committee on Science, Space and Technology’s Subcommittee on Investigations and Oversight.
State of security
In the document, he outlined how investigators believed the attack had involved “Chinese-based internet protocol [IP] addresses”.
He said that the attackers had “full system access” and would have been able to “modify, copy, or delete sensitive files” or “upload hacking tools to steal user credentials and compromise other Nasa systems”.
Mr Martin outlined how the agency suffered “5,408 computer security incidents” between 2010 and 2011.
He also noted that “between April 2009 and April 2011, Nasa reported the loss or theft of 48 Agency mobile computing devices”.
In one incident an unencrypted notebook computer was lost containing details of the algorithms – the mathematical models – used to control the International Space Station.
Nasa told the BBC that “at no point in time have operations of the International Space Station been in jeopardy due to a data breach”.
Mr Martin said Nasa was a “target-rich environment for cyber attacks”.
He said that the motivation of the hackers ranged from “individuals testing their skill to break into Nasa systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services”.
But while Mr Martin criticised aspects of Nasa’s cybersecurity he noted investigations had resulted in “arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia”.
Nasa said it was working to implement the security improvements Mr Martin suggested in his testimony.
However the chairman of the congressional subcommittee, Rep Paul Broun, quoted in an online report of proceedings, said: “Despite this progress, the threat to Nasa’s information security is persistent, and ever changing. Unless Nasa is able to constantly adapt – their data, systems, and operations will continue to be endangered.”