Effective Date: August 01, 2012
Expiration Date: August 01, 2017
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | ALL ||
4.1.1 This chapter outlines the requirements that NASA personnel shall follow in granting access by foreign nationals to NASA physical and/or IT resources for any purpose other than an appropriately authorized tour of facilities that is or would normally be conducted for the general public. The subsections outline the processes, procedures, and authorizations necessary to successfully obtain required access permissions in a timely manner. Upon completion of identity proofing and vetting, a specific threat determination shall be made prior to granting access that is consistent with the conditions specified in the relevant Technology Transfer Control Plan. These requirements apply to foreign national civil servants, contractors, researchers, international partners as defined via International Space Act Agreements (ISAA), high-level protocol visitors (HLPV), foreign nationals with the news media, NASA sponsored J-1 Visas, and visitors. Also included are the requirements for the processing of persons who have multiple citizenships and persons who are U.S. citizens working for foreign entities.
4.1.2 This NPR shall be the authoritative source for all identity management requirements specific to foreign nationals at NASA including, but not limited to, visit coordination, access approval, escort procedures, fingerprint checks, and background investigations for permanent, temporary, and visitor access. A foreign national is any person who is not a United States citizen. Lawful Permanent Residents (LPR) are not United States citizens; however, they are entitled by law to most of the same rights and privileges (and are held to the same accountability for such) as U.S. citizens. Therefore, LPRs will have identity proofing and vetting accomplished in the same manner as U.S. citizens.
4.1.3 Foreign nationals shall complete the following steps prior to being issued a NASA PIV credential:
a. Obtain visit approval for the visit or assignment;
b. The foreign national visitor is responsible for seeing that sponsorship is determined. If a foreign national is not under a contract where a COTR has been officially designated, the foreign national will provide information directly to their visit/assignment host, and the host will fulfill the duties of the sponsor as required herein; and
c. The foreign national visitor must begin the process long enough before the visit so that pre-visit identity vetting can be conducted and completed by the Center International Visit Coordinator (IVC), as described in this chapter.
4.1.4 Questions regarding the receipt and processing of access requests for foreign nationals or NASA contractor or grantee foreign national employees or visitors and the conduct of approved visits and other access shall be directed to the NASA Center or Component Facility IVC. If the criteria for processing a specific foreign national cannot be accommodated within one of the scenarios documented here, an exception request can be submitted to the NASA OPS for review and approval (see section 1.4 of this document).
4.2.1 NASA partners extensively with its foreign aeronautical, scientific, and technical counterparts in support of broad Agency objectives and program goals. Frequently, this working relationship results in the need for foreign national access to physical and IT resources. Visits also facilitate acquisition of information about foreign programs of interest to NASA and provide other benefits to the U.S. Government. All visits and other approved access will conform with Agency and national policies and regulations, including U.S. national security, nonproliferation and foreign policies, and export control laws and regulations. Record keeping related to tracking foreign national visits will be accomplished via the NASA Identity Management System.
4.2.2 Visits and other access for the purpose of implementing a mutually agreed program or project shall comply with the terms of the NASA/foreign partner program or project agreement, particularly the provisions in the agreement dealing with responsibilities of the parties and the transfer of data and goods. Discussion or other release of information by NASA personnel to a foreign national during a visit or other approved access that does not pertain to an agreed program or project will be limited to information releasable to the general public, i.e., unclassified, non-sensitive, and non-export-controlled. Visits, assignments, or IT access requests for foreign nationals from non-designated areas are coordinated and implemented at the Center through the IVC. Visits, assignments, or IT access requests for foreign nationals from designated areas (see Office of International and Interagency Relations (OIIR) Web page at http://oiir.hq.nasa.gov/nasaecp) are coordinated initially through the Center Export Administrator and the Center IVC, then forwarded to NASA Headquarters OIIR, Export Administrator, and Program points-of-contact (as necessary) for review and final approval. A foreign national will be provided access to NASA physical or IT assets only after final approval.
4.3.1 NASA Center or Component Facility IVC will directly receive and review all requests from, or on behalf of, foreign nationals for access to its buildings, installations, facilities, or IT resources. All foreign national access requests, other than for an appropriately authorized public tour, shall undergo an identity vetting process based on visit type, foreign national residency, and country affiliation. The Center IVC will approve the requests for foreign nationals from non-designated countries after obtaining appropriate Center approvals. Requests for foreign nationals from designated countries will be forwarded to and approved by Headquarters' OIIR before final approval by the Center IVC.
4.3.2 If the visit's purpose is for gathering information or conducting discussions in technological areas that NASA considers sensitive (e.g., for proprietary, national security, or export control reasons), then the visit shall be disapproved in the absence of a specific NASA programmatic interest. Requests should be approved only to the extent the foreign national understands that discussions and information provided by the NASA representatives will be confined to information that is releasable to the general public. All identity proofing and vetting for foreign nationals from non-designated countries will be performed at the Center. All current Center review processes may continue as they do now at each Center's discretion.
4.3.3 Only holders of active NASA PIV credentials shall be allowed to escort foreign nationals. Foreign nationals who hold valid NASA PIV credentials may escort other foreign nationals.
4.3.4 Centers shall accept as valid the identity vetting of their peer Centers as a baseline requirement. Additional identity vetting may be required should access requirements change (e.g., if the foreign national needs privileged access or the IT Security Plan warrants a higher-level investigation).
4.3.5 A person with multiple citizenships, all foreign, and when one or more of the citizenships is from a designated country, shall be processed as from a designated country.
4.3.6 NASA Center personnel shall apply the credentialing processes and standards as provided in the OPM Memorandum of July 31, 2008, Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12 to non-U.S. nationals who work as employees or contractor employees, including those who require long-term logical or physical access to NASA facilities. For individuals who are non-U.S. nationals in the United States or a U.S. territory for three years or more, a background investigation (i.e. NACI or equivalent) will be initiated after employment authorization is appropriately verified.
18.104.22.168 For foreign nationals who are in the U.S. or a U.S. territory for less than three years, NASA Center personnel shall delay the background investigation until the three-year requirement is met. In such cases, an alternative facility access identity credential may be issued as appropriate based on a risk determination. Before an alternative identity credential may be issued, the individual's employment authorization will be verified and an FBI fingerprint-based criminal history check will be completed. Center personnel will request an FBI Investigations File (name check search), a name check against the Terrorist Screening Database, and a USCIS Check against Systematic Alien Verification for Entitlements (SAVE). Some of these database checks may be requested directly from OPM or through automated tools such as NCIC and Visual Compliance.
22.214.171.124 Centers shall perform additional database checks to determine if there are changes to the foreign national's identity status. These status checks may be performed separately or through a Visual Compliance as follows:
a. Visual Compliance Unverified List;
b. Entities List;
c. Denied Persons List;
d. Debarred Parties List;
e. Specially Designated Nationals; and
f. Terrorist database.
4.3.7 Foreign national non-PIV credentials shall be issued for a maximum period of three years of date of visa/passport expiration, date of I-94/W expiration, or assignment end date, whichever comes first. Foreign nationals on visa waivers may have credentials issued for a period of three years of date of visa waiver expiration, date of I-94/W expiration, or assignment end date, whichever comes first. Foreign nationals on visa waivers will return their credential to the Center security office after each visit and will present their current passport to the Center security office to retrieve their credential at the beginning of each visit. When a foreign national with a visa waiver needs to stay in the U.S. beyond the 90 days, they are required to provide the visa information to the Center IVC.
4.3.8 To receive a PIV credential, foreign nationals who have been in the U.S. longer than three years shall complete the SF-85/NACI or the SF-85P Public Trust (via e-QIP if the person has an SSN) or a paper copy of the background investigation can be mailed to OPM if the foreign national does not have an SSN.
4.3.9 Foreign nationals with PIV credentials shall be allowed to access all Center perimeters without additional identity proofing or vetting. Additional access (physical or IT) will be determined by the physical or IT asset owner and coordinated through the receiving Center's International Visits Coordinator prior to the foreign national's arrival. Centers that use Physical Access Control Plans must ensure they are valid and accurate. Technology Transfer Control Plans (TTCP), as required by NPR 2190.1, NASA Export Control Program, will be updated as necessary. Physical access beyond the perimeter (escorted or not) is at the discretion of the Center security office. If required, the security office will issue a Center credential for access purposes.
4.3.10 Escort Requirements
126.96.36.199 Identity vetting requirements established by this NPR shall not preclude each Center security office from enacting additional requirements regarding access to the Center, buildings, or other secured areas. Access requirements for foreign nationals are outlined in the TTCP.
188.8.131.52 The IVC must work with the Center security office to determine escort requirements while the foreign national is located at the Center and to assure the foreign national sponsor understands and agrees to those requirements.
4.4.1 The requester for a foreign national shall be a currently employed NASA civil servant or contractor. The sponsor will be a NASA civil servant or a Jet Propulsion Laboratory (JPL) California Institute of Technology (Caltech) employee who is a U.S. citizen. The sponsor will perform a risk assessment based on the status of the foreign national and the assets that the foreign national is to access. This information is necessary to determine the level of investigation or escort requirements while the foreign national is at a NASA facility.
4.4.2 To expeditiously process the request, the sponsor shall ensure that the following information is provided to the IVC:
a. Full legal name;
b. Date of birth;
c. Place of birth;
d. Residence (including country);
f. Passport and visa information (including visa waiver);
g. SSN (if one is available);
h. Foreign national number (if no SSN is available);
i. Contact information;
j. Sponsor name;
k. Physical access requirements;
l. IT access requirements (on-site and/or remote);
m. Data access requirements (including export control license requirements);
n. NASA affiliation (civil servant, contractor, partner, etc.); and
o. Work description (includes purpose, program, authority, or other information that allows approvers to make an informed decision). The more information provided, the quicker the request can be processed.
4.5.1 The IVC will be a currently employed NASA civil servant or contractor. The IVC shall review the foreign national request and perform the following:
a. Confirm sponsorship.
b. Review with the project office and sponsor the access requirements, work description, dates of visit, assignment or length of IT access request, and sponsor's risk assessment. Review and approve TTCP which is described in NPR 2190.1, NASA Export Control Program.
c. Review with the Center security office broader security issues, including counterintelligence, counterterrorism, threats against national security, and pertinent data about country of origin (designated and high-threat countries). Determine appropriate level of investigation relative to physical and IT access requirements. Determine circumstances whereby escort-only status will be applied. Review and approve TTCP, if accessing NASA physical resources.
d. Ensure the Center security office begins the background investigation based on visit type, foreign national residency, and country affiliation commensurate with risk levels outlined in the TTCP.
e. Ensure the Counterintelligence/Counterterrorism Office performs their background investigation (as needed) and reports results back to the Center security office.
f. With the Export Control Office and the Center export administrator, review export control issues to ensure information being exchanged does not violate export control laws and make risk-based determination on access protocols. Review and approve TTCP, if accessing NASA IT resources.
g. With the Chief Information Security Officer (CISO), review IT access requirements (on-site and remote), and make risk-based determination on access protocols. Review and approve TTCP, if accessing NASA IT resources.
h. With the public affairs office (if the individual is a member of the press or a public affairs member with a foreign space agency), review access requirements and protocols.
i. With Headquarters' OIIR (if the individual is part of the NASA Exchange Visitor Program), obtain endorsement from the appropriate Mission Directorate/Mission Support Office at NASA Headquarters. Review and approve TTCP for physical and IT access.
j. Confirm all Center authorizations have been received.
4.6.1 The IVC shall coordinate and provide final approval for identity vetting, physical access, and IT access for foreign nationals from non-designated countries. In circumstances where the IVC is not a civil servant with adjudicator authority, the Center security office's PIV authorizer will provide the final approval.
4.6.2 Centers or programs may specify restrictions regarding physical or IT access privileges or escort requirements that are more restrictive than those documented in this NPR.
4.6.3 If a foreign national will be accessing multiple Centers, the sponsor and Center IVC must collaborate with affected Centers to determine applicable access and escort restrictions.
4.6.4 If a foreign national will be accessing an IT resource from multiple locations (including remote), the sponsor and system owner must determine how that access will be provisioned at multiple locations.
4.6.5 The IVC shall coordinate input for identity vetting, physical access, and IT access for foreign nationals from designated countries. Once the IVC has determined that agreement has been reached on requirements, including completion of the TTCP, the IVC will forward all information to the Headquarters' OIIR desk officer. The Headquarters' OIIR desk will then return the approval to the IVC who will issue the final approval. In circumstances where the IVC is not a civil servant with adjudicator authority, the Center security office's PIV authorizer will provide the final approval.
4.7.1 Once all approvals have been received, the IVC will report to the foreign national's sponsor the terms and conditions of the on-site assignment which include, but are not limited to, the security and export control provisos. The sponsor shall ensure implementation of the foreign national's access credentials. The sponsor will ensure that the foreign national's access requirements as documented in the TTCP are adhered to throughout the foreign national's on-site assignment.
4.7.2 If a foreign national is denied access (all or in part), the IVC shall inform the sponsor who may request a further review with the CCS.
4.7.3 If a foreign national application has been outstanding for longer than 30 days from initial request, the IVC shall follow up with Center or Headquarters personnel to determine the cause(s) for the delay. Applications outstanding for longer than 30 days from initial request will be escalated to the AIMO for resolution.
4.8.1 If a foreign national is working for NASA at an overseas location, to the extent practicable, all aspects of "Processing On-Site Visit Requests" in paragraph 4.3 shall be performed. In instances where an NACI cannot be rendered, a determination will be made between the program manager and the CCS performing the investigation as to the level of investigation required. The foreign national will be given a physical access credential commensurate with the level of investigation performed and access requirements. Non-PIV credentials will expire at the end of the program/project or contract term. Investigation status information will be updated annually. Access to IT resources will be administered with a non-PIV credential.
4.8.2 If a foreign national is supporting NASA under an International Space Act Agreement (ISAA) and requires periodic access to NASA facilities, the foreign national shall be processed in accordance with procedures in paragraph 4.8.1. Visits or assignments over 30 days in duration generally require an ISAA or other agreement.
4.8.3 If a foreign national is visiting NASA periodically as an accredited news media representative, the IVC shall coordinate with the Center public affairs office to obtain requisite information. Once the IVC has determined that agreement has been reached on requirements, the IVC will coordinate with the CCS as to the level of investigation required. The foreign national will be given a physical access credential commensurate with the level of investigation performed and access requirements. Only non-PIV credentials will be issued. Investigation status information will be updated annually. Access to IT resources will be administered with a non-PIV credential.
4.8.4 If a foreign national is visiting NASA for a High-Level Protocol Visit (HLPV), the IVC shall coordinate with the Center protocol office to obtain requisite information. Once the IVC has determined that agreement has been reached on requirements, including completion of the TTCP (if necessary), the IVC will forward all information to the Headquarters' OIIR desk officer and Export Control Office (if TTCP was created) for review and approval.
4.8.5 Under the provisions of 22 CFR Part 62, and as approved by the Department of State, NASA is authorized to conduct an exchange visitor program and can authorize foreign nationals to be assigned to NASA installations on J-1 exchange visitor visas. NASA has authority to sponsor two exchange visitor categories: Research Scholars and Government Visitors. The regulations regarding these categories and the exchange visitor program in general can be found at 22 CFR 62.1 through 62.90.
4.8.6 If a foreign national is visiting NASA as part of the NASA Exchange Visitor Program (J-1 Visa), the IVC shall coordinate with the Center sponsor to obtain requisite information and to ensure that the foreign national is part of an existing ISAA partnership. Once the IVC has determined that agreement has been reached on requirements, including completion of the TTCP (if necessary), the IVC will forward all information to the Headquarters OIIR desk officer and Export Control Office (if TTCP was created) for review and approval.
184.108.40.206 For a foreign national to be considered for the NASA Exchange Visitor Program, the host Center or Component Facility must document its request (with appropriate justification) in a memo to the cognizant Mission Directorate or Mission Support Office at NASA Headquarters with a copy to the Export Control Office and Interagency Liaison Division, OIIR, and, in parallel, contact the IVC to enter the request for review. If the Headquarters Office endorses the request, OIIR will review for final approval. If approved in principle, the OIIR will prepare an ISAA between NASA Headquarters and the foreign sponsoring entity (e.g., foreign space agency or foreign university) and, once executed, if all requirements associated with authorizing a J-1 Visa have been satisfied, the authorization will be issued, covering the period of the approved assignment.
220.127.116.11 No NASA funding is provided to the foreign national under the NASA Exchange Visitor Program. All funding must come from the foreign sponsor or from personal funds, and NASA must assess if the funds available are sufficient to sustain the individual for the period of the assignment. NASA provides office space and supplies and, if necessary and approved pursuant to NASA policies, computer and network access. The period of assignment for approved foreign national participants is generally from six months to three years. Foreign nationals from designated areas are ineligible for participation in the NASA Exchange Visitor Program.
4.9.1 If a foreign national has dual citizenship, the IVC shall determine if one of the countries of citizenship is the U.S. If one country of citizenship is the U.S., the identity vetting process will follow that for a U.S. citizen. The physical access credential provided the individual will be one for a U.S. citizen (PIV or Proximity). Physical access restrictions will be determined and agreed to by the Center Security Office (CSO) and the sponsor. If the foreign national has dual citizenship for two foreign countries, the IVC will determine the countries of citizenship. If both countries are non-designated, the foreign national identity will be vetted as non-designated. If any one country is designated, the foreign national identity must be vetted as designated.
4.9.2 U.S. citizens shall go through the same identity vetting process regardless of their employer (U.S. or foreign). All U.S. citizens are bound by the same Federal laws. The minimum identity vetting process for a full-time civil servant or contractor working at a NASA facility is the National Agency Check and Inquiries (NACI).
4.9.3 Physical access permissions are granted by the Center Security Office. IT access permissions are granted by IT system owners. A higher level of risk is associated with having access to either physical or IT resources and whether export controlled data is involved. All conditions contribute to whether access should be granted and whether a higher level identity vetting requirement is necessary (e.g., access to restricted areas, mission essential infrastructure, and sensitive or classified information).
4.9.4 Lawful Permanent Residents (LPR) shall undergo the same identity vetting as U.S. citizens. LPR identity records will be maintained in the NASA identity management system. The credential provided to LPRs will be the blue stripe LPR PIV credential. This credential will conform to the color coding requirements for Zone 15 described in NIST Special Publication 800-104. The letters "LPR" will be displayed superimposed on the NASA logo in the lower right-hand corner of the front of the PIV credential. In the event an LPR chooses not to complete the SF 85/85P required for issuance of a NASA PIV credential, then the LPR will only be issued an LPR non-PIV Center-specific badge following the requirements described in section 3.4.7.
4.10.1 For foreign nationals who have been a resident in the U.S. for less than three cumulative years, the following identity vetting process is required:
a. A visual compliance database check that reveals no violations or derogatory information; and
b. Reciprocity of vetting performed by Customs and Border Patrol officials at the port of entry FBI fingerprint check.
4.10.2 The foreign national non-PIV Center-specific (foreign national blue) badge shall be issued. The term of issue will be the length of assignment or time in which the foreign national has resided in the U.S. for three years, whichever is shorter.
4.10.3 Foreign nationals who have been residing in the U.S. for three years cumulatively or greater shall be asked to complete the SF 85/85P, so that an appropriate OPM investigation may be conducted. Foreign nationals are eligible for issuance of a NASA PIV credential upon favorable adjudication of an NACI investigation or higher. In the event a foreign national chooses not to complete the SF 85/85P, required for full identity vetting, the Center security office will require a minimum annual revalidation of the visual compliance database search along with an NCIC check. The foreign national blue credential will be issued based on the results of the identity vetting revalidation, and the term of issue will be the length of assignment.
4.11.1 For foreign national visits of 29 days or less, the following shall be required:
a. A visual compliance database check that reveals no violations or derogatory information;
b. Reciprocity of vetting performed by Customs and Border Patrol at the port of entry; and
c. An appropriate credential issued for the type of visit as defined by the CCS.
4.11.2 For foreign national temporary employees whose assignments will last 30 to 179 days, the same procedures as described in section 4.11.1 shall be applied. A non-PIV foreign national credential may be issued for this assignment category.
4.11.3 For foreign national permanent employees whose assignments will last 180 days or more, the following conditions shall be applicable:
a. A foreign national who has resided in the U.S. for 36 months or greater may complete SF 85/85P to initiate an OPM investigation and upon completion and favorable adjudication may be issued a NASA PIV credential.
b. A foreign national who has resided in the U.S. for less than 36 months will undergo identity vetting as described in section 4.10.1 and may be issued a non-PIV foreign national credential.
4.12.1 In accordance with the Federal Information Systems Management Act (FISMA), the OMB Circular A-130, and NPR 2810.1, NASA has established security requirements and procedures to assure an adequate level of protection for NASA IT systems that includes the appropriate screening of individuals having access to NASA IT systems. The level of reliability checks and/or investigations is dependent on the sensitivity of the information to be handled and the risk of magnitude of loss or harm that could be caused by the individual.
4.12.2 Foreign national "limited privileged" access to IT systems shall be allowed only if the foreign national is involved in a program under an ISAA. The sponsor will verify that an ISAA is in place and has accountability for ensuring the security of IT system data being accessed by the foreign national.
4.12.3 IT remote access ONLY for foreign nationals will be enabled by the requestor's sponsor. There is no Federal requirement for identity vetting. NASA collects basic information that allows an approximation of IT access assurance of user ID/password and/or RSA token access. When the capability is available to perform in-person identity verification through trusted agents, remote IT only access users will undergo the identity verification process. Until that capability is available, an NCIC is performed as an identity proofing check. The worker's sponsor, in coordination with the IT system owner, shall determine whether identity vetting is warranted based on the security requirements of the system documented in the IT System Security Plan. If identity vetting is required, the investigation should be conducted and recorded. If fingerprints are captured, ensure the following:
18.104.22.168 When fingerprints are captured at a location other than the Center security office, the transmission of those fingerprints to the Center security office shall be from a valid law enforcement agency or other accredited fingerprint provider. To ensure a chain of trust, the fingerprint cards will be delivered to the Center security office by the entity that took the fingerprints.
4.12.4 Any foreign national having access to NASA data shall provide a written certification that they fully understand and will adhere to NASA rules and regulations regarding the integrity and confidentiality of NASA data being accessed. This certification may be a completed NASA IT Security Training or a signed document signaling understanding of IT access requirements as outlined in NPR 2810.1. Either of these activities will satisfy the completion of NASA IT Security Training requirement prior to activation of IT access. Recertification will be performed annually as outlined in NPR 2810.1.
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | ALL |
|| NODIS Library | Organization and Administration(1000s) | Search ||