
NPR 1600.4
Effective Date: August 01, 2012
Expiration Date: August 01, 2017

Subject: Identity and Credential Management

Responsible Office: Office of Protective Services


Chapter 3. Enrollment and Credential Issuance

3.1 Overview

3.1.1 The NASA Identity Management and Credential Management Processes are designed to conform to the system-based model for identity proofing, registration, and issuance process that is described in NIST FIPS 201-1 and is represented diagrammatically in the document via Figure 3.1:

Figure 3.1

3.2 Chain of Trust

3.2.1 A chain of trust is followed which simultaneously captures the biometrics, photograph, identity source documents, and background investigation of the applicant and can be tied to the identity of that applicant at any point in the identity management process.

3.2.2 The credential is released to the applicant only after completion of the chain of trust by verifying that the biometric information contained on the credential matches the applicant.

3.3 NASA Credential Types

3.3.1 NASA uses both PIV credentials and non-PIV credentials. Access is granted via NASA PIV credentials. NASA PIV credentials allow physical only, logical only, and/or both physical and logical access to resources at NASA. Each NASA credential is linked to an established identity and shall go through the appropriate issuance steps as outlined in this chapter. See NPR 2810.1, for policy and procedures regarding NASA non-PIV credentials that allow access to only logical systems. NASA visitor badges are NASA non-PIV badges which allow only physical access to the issuing NASA Centers. For short-term visitors, Centers are authorized to issue Center-specific badges (i.e. NASA non-PIV badges) for physical access to that Center based on a risk-based determination documented as part of the permanent record. Requirements for the characteristics of these credentials, including printing elements and technology capabilities are detailed in Chapter 5, Characteristics of NASA Badges.

3.3.2 NASA PIV credentials shall be required for all persons who have been deemed as needing routine and regular access to NASA Centers, facilities, and IT systems and resources for a period exceeding 179 days in a 365-day period. These persons include all NASA employees, all NASA contractors, agreement partners, and non-NASA tenants in NASA facilities. NASA PIV credentials will be issued to both U.S. citizens and foreign nationals. NASA PIV credentials will be issued following the identity-proofing, registration, and issuance processes defined in this document for the management of identities of all new and current employees, contractors, and affiliates including foreign nationals.

3.3.3 NASA PIV credentials will be issued only after completion of a FBI fingerprint check and submission of a background investigation, which will be a National Agency Check and Inquiries (NACI) background investigation at a minimum. NASA PIV credentials will have an expiration date set for a period not to exceed five years from the Card Production Request (CPR) generation date. NASA PIV credentials will not be issued to individuals holding a Federal PIV credential issued by another Federal entity or to individuals holding a PIV-I credential issued by an organization whose PIV-I credentials conform to the Federal PIV-I standard. Exceptions to this policy may be made only when the exception has been documented and approved via the process described in section 1.4 of this document. The exception request will specifically explain why a non-NASA credential is not usable in the NASA ICAM services.

3.3.4 Any person (e.g., NASA employee, NASA contract personnel, non-NASA tenant, or other category of individuals such as volunteers, guest researchers, interns, grantees, etc.) who needs access to a NASA facility or NASA IT system and who will be affiliated with NASA and its Centers or facilities for a period of less than 180 days shall possess a NASA non-PIV Center-specific badge (e.g., a NASA temporary badge). The 180-day period begins the first day of affiliation and ends 180 calendar days later regardless of the work schedule. If an individual's affiliation extends for 180 days in a 365-day period, the individual will be issued a NASA PIV credential if the individual is a NASA employee (either a civil service or a Federal contractor employee). All other individuals who are not visitors, such as volunteers, construction workers, guest researchers, interns, grantees, etc., but who are determined to need intermittent access with no IT access may be exempted from the 180-day limit on use of a NASA non-PIV Center-specific badge consistent with risk-based assessments by CCS/CPS. Issuance of NASA non-PIV badges requires a minimum favorable adjudication of a National Crime Information Center (NCIC) name query and completion of steps 1-4 of section 3.5, On-Site Enrollment and Issuance Procedures of this NPR. Escort requirements for individuals with a NASA non-PIV badge will be based on risk-determination by the CCS.

3.3.5 NASA visitor badges shall be issued to individuals requiring access to a NASA Center for a period less than 30 days in any single visit and not more than a cumulative total of 29 days in a 365-day period. Escort requirements for individuals with visitor badges will be based on risk-determination by the CCS/CPSC.

3.3.6 NASA non-PIV Center-specific badges shall be issued to accommodate unique situations of the Center not otherwise accommodated by NASA PIV credentials and NASA visitor badges. All NASA Center-specific badge templates will have the approval of the Agency Identity Management Official prior to their creation and utilization. NASA Center-specific badges will be issued upon completion of a favorable adjudication of an NCIC name query. This is a minimum requirement, and additional security measures may be employed at the discretion of the CCS/CPSC. Issuance of these badges will be based on a risk-based access determination by the CCS. NASA Center-specific badges may be issued to individuals who hold a PIV credential issued by another Federal Government agency or department if their current non-NASA PIV credential does not work at the NASA Center. This may include contractors from another NASA Center in the event that electronic verification of a requirement to access the NASA Center is not available at a point of entry. Issuance of NASA Center-specific badges requires completion of steps 1-3 of section 3.5, On-Site Enrollment and Issuance Procedures, verification of a favorably adjudicated investigation, and capture of the individual's photograph, section 3.5.4, Step 4: Enrollment Process.

3.3.7 Logical access credentials and their usage are addressed by NPR 2810.1 and include, but are not limited to, username and password, RSA tokens, and digital certificates.

3.4 Applicant Categories

3.4.1 NASA employees are Federal civil servants employed and paid by NASA and also include individuals employed and paid by other entities but working for NASA under an Intergovernmental Personnel Act (IPA) agreement. NASA employees include all Non-Appropriated Funds Instrumentality (NAFI) employees; these employees shall be issued a civil servant badge with the affiliation of NAFI.

3.4.2 NASA contractor employees are individuals working for a contracting organization or entity with the responsibility to perform activities for NASA.

3.4.3 NASA grantees are individuals who are working under a grant and performing activities for and/or at NASA Centers and facilities.

3.4.4 Detailees are either Federal employees from other Federal agencies, U.S. military personnel, or non-Federal employees working at NASA through an IPA assignment. Any badges issued to a detailee shall be designated with an affiliation of NASA and will appear as a Federal employee badge. The Center PIF manager will coordinate with the Center Human Resources Office (HRO) to validate investigative and suitability results for detailees from other-agency partners. Government employees from other departments and agencies who do not have a PIV credential issued by their agency or department, and require identity verification and access at NASA, may be issued a NASA PIV credential or NASA Center-specific badge.

3.4.5 International partners are individuals working for agencies or organizations of foreign governments, foreign education institutions, foreign companies, or international organizations who are engaged in a program of international cooperation in work done pursuant to a Space Act Agreement as defined by NPD 1050.1H, Authority To Enter Into Space Act Agreements. A signed international agreement shall first be in effect for international partners to receive a foreign national NASA PIV credential.

3.4.6 Tenants are individuals who require physical access to a NASA facility but do not work directly for NASA including individuals requiring access pursuant to a Space Act, Economy Act agreements, etc. There may or may not be a "formal" agreement associated with a tenant (example: Credit Union). The tenant may require logical access to certain NASA applications. A tenant may work for another Government agency as either a civil servant or contractor and may have a PIV badge from their agency. Tenants include those entities and their contractors and employees under Economy Act, Space Act, Commercial Space Competitiveness Act (CSCA), or Commercial Space Launch Act (CSLA) agreements or those individuals needing physical or logical access based on the above authorities. Tenants shall be issued Center-specific badges.

3.4.7 Transients are individuals (i.e., construction workers, club members, childcare drop off/pickup, delivery drivers, retirees, center transits, and others approved by CCPS/Security who require intermittent access for 180 days or more). Transients shall be issued Center-specific badges.

3.5 On-Site Enrollment and Issuance Procedures for NASA Credentials

3.5.1 Step 1: Credential Request - A requester completes a credential request within the NASA Identity Management System for an applicant. The requester submits the request to the sponsor via the NASA Identity Management System. For civil servants, this information is submitted by the HRO via Workforce Transformation Tracking System (WTTS). The information submitted includes the following:

a. Name of the applicant;

b. Date of birth of the applicant;

c. Home address;

d. Social Security Number (SSN);

e. Position of the applicant;

f. Contact information for the applicant;

g. Name of the requester;

h. Organization of the requester; and

i. Contact information for the requester.

3.5.2 Step 2: Sponsorship - The sponsor validates the receipt of the request from the requester and reviews the data in the request. The sponsor reviews the Position Risk Determination in the NASA Identity Management System and approves or denies the request, establishing the need for a relationship between the applicant and NASA and the applicant's need for a PIV credential.

3.5.3 Step 3: Check for background investigation or database checks - The authorizer or investigation reviewer validates the receipt of the request from the sponsor. The authorizer and supporting staff review the OPM and other Federal databases and take appropriate steps to validate the applicant's investigation status with regard to a current investigation. If the applicant has an investigation on file or in progress that meets the investigative and reciprocity requirements, the authorizer submits the request to the enrollment official and the applicant proceeds to enrollment, section 3.5.4, Step 4: Enrollment process, for capture of enrollment data with flat fingerprints. If no investigation is on file or in progress, the authorizer coordinates initiation of an invitation in the OPM e-QIP for the applicant to complete the appropriate background investigation form and authorizes the enrollment official to obtain the applicant's flat and rolled fingerprints, I-9 documents, and photograph. If the applicant is requesting a non-PIV Center-specific badge then the authorizer or designee conducts the appropriate database check and approves the credential if the database check is favorable. The submission of the captured fingerprints to OPM is optional as determined by the CCS.

3.5.4 Step 4: Enrollment process - The enrollment official validates the receipt of the request from the authorizer. The sponsor advises the applicant that they will appear in person before the enrollment official and present two forms of identity source documents in original form. The applicant appears in person before the authorized enrollment official and presents two forms of identity source documents in original form per USCIS Form I-9, one of which will be a Federal or state issued picture identification. The enrollment official inspects the source document for authenticity and validates the source document through visual or electronic scrutiny and, when necessary, with the authority or entity which issued it.

Enrollment fingerprints - The applicant's fingerprints are captured. If the applicant currently has a favorable background investigation on file or in progress, only flat fingerprints are required. If no background investigation is on file or in progress, both flat and rolled fingerprints are required. In cases where there is difficulty in collecting fingerprints due to damage, injury, or deformity, NASA will process the credential with a designation of fingerprints as non-classifiable. The facial image collected from the applicant during enrollment can also be used for authenticating badge recipients covered under Section 508 of the Rehabilitation Act.

Enrollment photograph - The applicant's photograph is captured which will include the entire face, from natural hairline to the chin, and may not be obscured by dark glasses, hats, etc. The facial expression shall be neutral (non-smiling) with a closed mouth. Eye patches that do not obscure an excessive portion of the face need not be removed. Individuals with temporary eye patches should be issued a temporary badge until such time when the patch is no longer necessary and an un-obscured, full-facial photograph can be captured. Waivers for religious reasons may be obtained by written application to the AA for OPS.

Enrollment USCIS Form I-9 documentation - The enrollment official obtains and maintains legible photocopies or scanned copies of the original USCIS Form I-9 documentation. Any document that appears invalid (e.g., absence of security hologram or other known security features on a state issued driver's license, security features on a birth certificate or passport, smeared ink, etc.) is to be rejected by the enrollment official and reported to the proper authority for review. Photocopies of rejected documents are to be made and retained for a period not to exceed one year or until any appeal process is completed. USCIS Form I-9 documents that do not pass electronic examination are rejected and another approved USCIS Form I-9 document will be obtained and subjected to electronic scrutiny. In the event the applicant is required to provide documentation to resolve discrepancies or omissions in data collected, the enrollment official shall review the information with the applicant as necessary. The information submitted by the applicant will be used to update the applicant identity record.

Enrollment subscriber agreement - For applicants requesting PIV credentials, the enrollment official shall provide the applicant with the Subscriber Agreement (see Appendix D, Subscriber Agreement) and obtain an electronic signature of the applicant attesting to their reading and acceptance of the Subscriber Agreement.

3.5.5 Step 5: Adjudication process - If no investigation is on file or in progress, the fingerprints captured during enrollment shall be submitted to OPM with a request for a background investigation. The authorizer receives the results of the fingerprint check. If the fingerprint check comes back with a status of unclassifiable, the Center will use the results of a name check to process the PIV credential request. The authorizer makes a determination based upon receipt of the fingerprint check results or evidence of an acceptable existing background investigation (as found in section 3.5.3, Step 3: Check for background investigation), if the applicant is eligible to receive a PIV credential. If the adjudication of the available background investigation is favorable, the authorizer will submit a PIV credential issuance request to authorize the creation and issuance of a PIV credential. Final adjudication of the record is performed in compliance with NASA personnel security policies.

3.5.6 Step 6: Badge production process - The PIV authorizer submits a request for badge printing if the badge is to be printed remotely at a commercial facility or a shared service provider. The necessary information is included in a batch card creation request. The initialized and printed badges are returned to NASA and forwarded to the appropriate issuance officials where the credentials shall be held in a secure location. If the badge is to be produced locally, the issuance official will print the identity information onto the card and compare the photo to the identity database. The badge will be encoded with the identity and biometric data of the applicant. The encoded badge will be tested, and the applicant will be notified when the badge has been successfully encoded.

3.5.7 Step 7: Issuance process - The applicant appears before the issuance official, who establishes whether the badge was printed in a batch job, previously printed on-site, or is to be printed on-site. If the badge is printed in a batch job or previously printed on-site, the issuance official will obtain the card stock from storage. If the badge is to be printed on-site, the issuance official will obtain a blank badge from storage, verify the identity of the applicant against the database, and print the badge. The issuance official checks the printed badge to verify the identity of the applicant, conducts a biometric match, and encodes the badge with an applicant entered PIN number. Upon completion of the badge printing and encoding, the badge is officially released to the applicant. An approved electronically shielded badge holder shall be offered to the applicant in order to protect the badge and the privacy of information on the badge.



This Document Is Uncontrolled When Printed.
Check the NASA Online Directives Information System (NODIS) Library
to Verify that this is the correct version before use: http://nodis3.gsfc.nasa.gov