Effective Date: August 01, 2012
Expiration Date: August 01, 2017
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | ALL ||
5.1.1 NASA PIV Credentials - The information on a NASA PIV credential exists in both visual printed and electronic forms. The NASA PIV credential shall be equipped with technologies that allow for physical access through a proximity antennae and logical access through an embedded chip.
a. NASA PIV credentials contain the following security and distinguishable features on the front of the card:
(1) Holographic overlay; and
(2) Smart chip.
b. NASA PIV credentials have the following printed vertically on the front of the badge:
(1) The photograph of the applicant in the top left corner;
(2) The legal name of the applicant, printed below the applicant photograph;
(3) Two badge expiration dates, one located in the upper right corner (MM YYYY format) and the second to the right of the applicant photograph, below the Agency identifier, and over the Agency logo (YYYYMMDD format);
(4) The NASA Agency identifier logo;
(5) The affiliation of the applicant, to the right of the applicant photograph and over the Agency logo;
(6) The NASA Agency identifier, to the right of the applicant photograph, below the affiliation, and over the Agency logo;
(7) The unique badge identification number, below the NASA Agency identifier and the affiliation color band; and
(8) Solid color band across the middle of the badge, over the full name with the color determined by the affiliation of the badge holder, per section 5.1.5, Visual Color Coding for Employee Type.
c. NASA PIV credentials have the following printed horizontally on the back of the badge:
(1) Return address;
(2) Applicant height;
(3) Applicant eye color;
(4) Applicant hair color; and
(5) Bar code.
5.1.2 NASA Temporary Badge - Temporary badges may be equipped with technologies that allow for physical access through a proximity antennae and/or logical access through an embedded chip. Temporary badges shall not resemble the NASA PIV credential.
a. Temporary badges will have the following printed vertically on the badge:
(1) The silhouette of a vertical Space Shuttle on the right side of the badge, located above the solid affiliation color area;
(2) The photograph of the applicant in the top left corner;
(3) The legal name of the applicant, printed below the applicant photograph;
(4) The NASA Agency identifier, to the right of the applicant photograph;
(5) The designation of the issuing Center, below the applicant name;
(6) The unique badge identification number, below the NASA Agency identifier;
(7) The badge expiration date that is 180 days or less from the date of Center/facility affiliation, below the badge identification number;
(8) Solid colored lower section based on the affiliation of the badge holder, per section 5.1.5, Visual Color Coding for Employee Type; and
(9) OPS mailing information on the bottom front of the badge.
b. Temporary badges have the following printed horizontally on the back of the card:
(1) Return address;
(2) Applicant height;
(3) Applicant eye color; and
(4) Applicant hair color.
5.1.3 NASA Visitor Badges - Centers may prescribe the topology for visitor badges as long as they meet the following criteria:
a. The legal name of the applicant;
b. The full name of the issuing Center; and
c. The full badge expiration date that is 29 days or less from the date of Center/facility affiliation.
5.1.4 NASA Center-specific badges - Center-specific badges will contain the following information:
a. The photograph of the applicant;
b. The legal name of the applicant; and
c. The name of the issuing Center (Center name may be common abbreviation, e.g., ARC, DFRC, etc., as appropriate).
5.1.5 Visual Color Coding for Employee Type - NASA PIV and Center-specific badges use colored markings on the badge to determine the affiliation of the badge holder. NASA PIV credentials use a color band through the name of the applicant, and Center-specific badges use a colored lower section below the photograph and including the name. Unless otherwise indicated, the color being used is for both NASA PIV and Center-specific badges as described in Table 5.1.5.
Table 5.1.5, PIV Credential Color Coding
|Employee Type||Color Coding|
|Federal Employee||A plain white color band.|
|Contractor Employee||Contractors will have a green color band. On the right side of the band is a "G" inside a white circle to assist individuals with visual impairment in recognizing the green color.|
|Contractors at the NASA Jet Propulsion Laboratory (JPL)||Contractors at the NASA Jet Propulsion Laboratory (JPL) who are U.S. citizens will be recognized by the addition of a solid silver color below the green contractor color band.|
|Interagency Personnel Agreement (IPA) Employee||A plain white color band. The lower right corner on the front of the badge the label "IPA" will appear in black letters.|
|Foreign Nationals||Foreign national badge characteristics take precedence over all other affiliation characteristics. Foreign national badges have a light blue color band. On the right side of the band is a "B" inside a white circle to assist individuals with visual impairment in recognizing the light blue color. Foreign national badges have a light blue color border around the applicant photo.|
|International Partners||International partners will have a flag of the applicant's country of citizenship in the lower right corner of the badge in addition to the light blue foreign national color band and border.|
|Emergency Response Officials||Emergency response officials (ERO) will be recognized by a Red stripe containing the words "Emergency Response Official" on the bottom of the badge in Zone 12 per the requirements of NIST Special Publication 800-104. The back of an ERO badge contains text stating their position as ERO and access permissions after verification of the badge holder's identity.|
5.1.6 Emergency Response Officials (ERO) Badges - Emergency Response Office badges shall be issued only to the following persons:
a. EROs to include individuals who are:
(1) Continuity of Operations (COOP) and Continuity of Governance (COG) personnel associated with COOP at a NASA Center or an alternate operating site during emergency/crisis situations. This includes only those persons who are members of the Emergency Relocation Group (ERG) and their respective support staff and Emergency Operation Center (EOC) personnel who are appropriately certified and trained.
(2) Disaster response personnel for each facility who possess NIMS training or professional certifications.
b. Personnel to be deployed to support the NASA National Response Framework (NRF) Emergency Support Function (ESF) Annexes. Support personnel may not be issued the ERO PIV credential unless they possess the above mentioned NIMS training or professional certifications.
c. NASA, special agents, NASA, security police, or security officers who have graduated from NASA Federal Law Enforcement Training and members of the NASA Inspector General (IG) staff who are sworn law enforcement officers.
d. Center protective services and security staff who provide support, or other security functions for emergency/contingency operations as deemed necessary by the CCPS/CCS so long as they possess the above mentioned NIMS training or professional certifications
e. Center Directors, Deputy Center Directors, and Directors of Center Operations and their deputies.
5.1.7 Personnel who will be fulfilling support duties shall be issued a NASA PIV credential, without the ERO designation, to facilitate verification of identity and ease movement through the various checkpoints. Support personnel may not be issued the ERO PIV credential unless they possess the above mentioned NIMS training or professional certifications.
5.1.8 Table 5.1.8 details the color coding for Center-specific badges:
Table 5.1.8, Color Coding for Badges
|Employee Type||Color Coding|
|Contractor||Non-PIV contractors will be recognized by a blue lower section. Non-PIV contractors at JPL who are U.S. citizens will be recognized by a silver lower section with red lettering for the "JPL" Center designation on their Center-specific badges.|
|Foreign Nationals||Non-PIV foreign nationals will be recognized by a blue lower section designation on their Center-specific badges.|
|Detailees||Non-PIV Detailees will be recognized by a white lower section designation on their Center-specific badges.|
|Interns and Grantees||Interns and grantees will be recognized by a Center-specific badge with a white lower section designation on their Center-specific badges.|
5.1.9 Badges for Press Corps - The press corps shall be recognized by the word "PRESS" printed vertically down the right side of the Center-specific badge. U.S. press corps will be further recognized by a brown lower section. Foreign national press will also contain all characteristics from the foreign national color coding as detailed in Table 5.1.5.
5.2.1 Data printed on a NASA PIV credential shall consist of:
a. Name (last name, first name, and middle initial);
c. Affiliation (civil servant, detailees, contractor, grantee, or foreign national, etc.);
d. Badge expiration date;
e. Badge number consisting of a three-digit Center code plus six unique digits and printed as a number on the front, and a 3x9 bar code on the back;
f. Height, eye color, and hair color;
g. Agency card serial number; preprinted and used for tracking card stock; and
h. Issuer Identification consisting of a six character department code, the agency code for NASA, and a five-digit issuing facility number.
5.2.2 The digital data stored on the NASA PIV credential supports physical and/or logical access use, encryption, and signing capability and provides security and authentication protection for the PIV credential and PIV credential holder.
188.8.131.52 Card Holder Unique Identifier (CHUID) - The CHUID is used by access control applications and is the only data that is accessible through both the contact and contactless interfaces. Applications can read this data without any action from the badge holder. The CHUID is composed of:
a. Federal Agency Smart Credential Number (FASC-N);
b. NASA Agency code;
c. System code identifying the original issuing Center;
d. A credential number;
e. PIV credential holder's UUPIC; and
f. Expiration date.
184.108.40.206. Digital Certificates
a. PKI X.509 certificates are used for authentication of the PIV credential and digital signing, encryption, and authentication of the PIV credential holder.
b. Credentials used for logical access have a certificate for PIV credential authentication. Additional certificates are loaded based on the duties and needs of the PIV credential holder.
220.127.116.11 Biometrics (typically fingerprints of the right and left index fingers) are stored as minutiae templates that represent a specific biometric, but cannot be reverse-engineered to re-create an image of that biometric.
18.104.22.168 Digital Representation of Printed Information - Certain items printed on the front and back of the card are stored on the chip as a security and authentication measure including name; affiliation; organization; badge expiration date; Agency card serial number; and issuer identification.
22.214.171.124 Photograph - The facial image used in creating the photo printed on the front of the badge is stored in the badge. A facial image is required, and obscuring headwear may not be worn for the photograph.
126.96.36.199 The Personal Identification Number (PIN) is used to secure and protect the electronic data stored on the PIV credential. The PIN is used by the PIV credential holder to allow applications to access data and as part of the authentication process. It is stored in a secure section of the smart card, separate from the rest of the PIV credential digital data. All PIV credential data, with the exception of the CHUID, require the PIV credential holder to enter their PIN before an application can either access or use the data. The PIN is a minimum of a six digit number selected by the PIV credential holder and written to the PIV credential during finalization. It is not stored in the identity management system and should not be written down or otherwise recorded by the PIV credential holder. The PIV credential is automatically locked after no more than 15 consecutive tries of entering an invalid PIN. PIV credential PIN reset details and requirements for resetting a PIN are identified in Section 6.7.
5.3.1 UUPIC System Management - The UUPIC system is the database and application that stores personnel information required for the creation of unique identities, and that generates the UUPIC. This system shall be owned by OPS, working in concert with the OCIO and OHCM, to ensure proper functioning, assignment, use, and protection of the UUPIC system. OPS are responsible for administrative identity management in the UUPIC system. The UUPIC system will be treated as a high confidentiality, integrity, and reliability system. Access to the system will be controlled by two-factor authentication, firewalls, and encryption techniques. The UUPIC generated by the system may be available to NASA employees for lookup and may be used for positive identification of individuals within NASA information systems. However, the UUPIC may not be used as a login identifier or user account name for any information systems, databases, Web sites, etc. Additionally the UUPIC may not be used for purposes other than those described above without the concurrence of the AIMO and the Director of Agency Workforce Systems, within OHCM (or assigned delegate), with the exception of account initiation in the identity management system. System owners requiring access to the UUPIC system will submit a signed Service Level Agreement (SLA) and/or MOU to OPS.
5.3.2 Approval to Access the UUPIC System - The system owner requiring access to the UUPIC system shall submit a signed SLA/MOU to the ICAM Logical Access Management team detailing the purpose for accessing the UUPIC system. The ICAM Logical Access Management team will work with the system owner to ensure proper documentation and authority to access the UUPIC system. The ICAM Logical Access Management team will make a recommendation to approve or disapprove UUPIC system access to the AIMO. In the event of a denial for UUPIC access, the requesting system owner may appeal by sending a letter, along with the SLA/MOU, to OPS and OCIO. OPS and OCIO will respond with a final decision within 60 days of receipt of the appeal.
5.3.3 UUPIC Characteristics - UUPICs shall only be issued through the population of seed data (name, SSN, or foreign national visitor number for foreign nationals without a SSN, and date of birth) into the UUPIC database. This information is required for all NASA civilians, contractors, partners, and virtual IT system users. Any request for an UUPIC will be initiated via an approved work-flow method. The UUPIC database will auto-populate the NIMS, IDMS, and EPACS upon returning a UUPIC number. The reliable assignment of the UUPIC to persons uses at least two unique attributes, in addition to name attributes, from the documents as specified in the Department of Justice Form I-9, Employment Verification Data. The Agency directory is used as the UUPIC repository for general access to the UUPIC number. UUPIC numbers will be issued in random sequence, consistent with NASA policy, and will meet the following requirements:
a. Is a nine-digit numerical code without any significance as to the characteristics of the individual;
b. Is displayed as a set of 3 x 3 x 3 numbers, for example: 123 456 789; and
c. Cannot be reverse engineered based on other data contained in the UUPIC application.
5.3.4 UUPIC Usage - The UUPIC shall serve as a replacement for the SSN by providing a unique identifier that can serve as a data point across NASA information systems. Therefore, the UUPIC may not be used as a login identifier or user account name for any information systems, databases, Web site, etc. With the exception of account initiation in NIMS, use of the UUPIC for any identification purposes outside those needed for positive identification of individuals across and only within information systems is prohibited without the consent of the AIMO. The UUPIC may never be posted on any Internet accessible Web site. Any deviation from this policy will be coordinated with OPS through OCIO in advance. Requests for an UUPIC will be initiated via the approved workflow method. The UUPIC database will auto-populate the appropriate identity management systems upon returning a UUPIC number. UUPIC numbers are stored internally along with the first, middle, and last names and other information necessary to uniquely associate the UUPIC with a person.
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | ALL |
|| NODIS Library | Organization and Administration(1000s) | Search ||