NASA Procedures and Guidelines
This Document is Obsolete and Is No Longer Used. Check the NODIS Library to access the current version: http://nodis3.gsfc.nasa.gov
NPR 1382.1A Eff. Date: July 10, 2013 Cancellation Date:	NASA Privacy Procedural Requirements
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | Chapter7 | Chapter8 | Chapter9 | AppendixA | AppendixB | AppendixC | AppedixD | AppendixE | ALL |

Chapter 4 - Privacy and Information Security

4.1 Privacy and Information Security Overview

4.1.1 The Privacy and Information Security chapter relates to NASA's initiatives for privacy and information security. This chapter addresses requirements that all NASA PII shall be secured, as directed by the Privacy Act; e-Gov Act; OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information; OMB Memorandum M-06-16, Protection of Sensitive Agency Information; OMB Memorandum M-06-19, Reporting Incidents Involving PII and Incorporating the Cost for Security in Agency Information Technology Investment; OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; and NIST SP 800-122, Guide for Protecting the Confidentiality of Personally Identifiable Information (PII).

4.1.2 NASA has a responsibility to protect the confidentiality, integrity, and availability of NASA information and information systems. The categorization of information systems may be Low, Moderate, or High as defined in NIST SP 800-60 and Federal Information Processing Standards (FIPS). Information systems containing PII are categorized at a minimum Confidentiality level of Moderate. Information systems with non-sensitive PII may be categorized at a Confidentiality level of Low, as permitted by the information types.

4.1.3 All PII shall be handled and protected as sensitive information (i.e., SBU/CUI) in accordance with current NASA Security Program Procedural Requirements for sensitive information.

4.1.4 NASA Privacy and Information Security procedures are governed by ITS-HBK-1382.04, Privacy and Information Security.

4.2 Privacy and Information Security Policy

4.2.1 The SAOP shall implement privacy policies and procedures to ensure the confidentiality and integrity of privacy information.

4.2.2 The Center CISO, jointly with the CPM, shall ensure that the protection of privacy information is maintained throughout the creation, transmission, storage, use, and disposition of information.

4.2.3 The CPM, jointly with the Center CISO, shall ensure that the protection of privacy information is maintained throughout the creation, transmittal, storage, use, and disposition of information.

4.2.4 The ISO and User supervisors shall:

a. Ensure that access to PII is limited to those NASA users who have a need for access.

b. Ensure the protection of PII from unauthorized access or disclosure throughout its life cycle.

c. Ensure the information types used within the security plan, and which contain PII, are categorized at a minimum Confidentiality level of Moderate during the FIPS assessment. This does not affect information types that only include non-sensitive PII.

d. Ensure development and documentation of administrative, technical, and physical safeguards that protect against any anticipated threats or hazards to the security or integrity of records and against the potential of their unauthorized use in accordance with the requirements outlined in NPR 2810.

e. Ensure all computer-readable data extracts from databases containing PII are logged and verified to the extent possible, including information on whether the extracted data have been erased within 90 days or that the data's use is still required.

f. Ensure PII is encrypted on any mobile medium (e.g., e-mail, memory stick, CD/DVD, etc.), at rest, and that other security controls are in place to render PII unusable by unauthorized individuals.

4.2.5 The NASA User shall:

a. Limit disclosure of information on individuals from a SOR as provided only in accordance with 14 CFR 1212 routine uses of the Privacy Act records published in the applicable SORN.

b. Request Privacy Act records only under appropriate authority.

c. Ensure that any PII on mobile devices is safeguarded, at a minimum, using encryption solutions which are compliant with Federal encryption algorithm standards and NIST guidance, and in accordance with current NASA Security Program Procedural Requirements for sensitive information.

d. Ensure that PII is protected during transmission, at a minimum, using encryption solutions which are compliant with Federal encryption algorithm standards, NIST guidance, and in accordance with current NASA Security Program Procedural Requirements for sensitive information.

e. Ensure that all PII transmitted or downloaded, in any format or media, to or from mobile devices is properly encrypted according to NASA Security Program Procedural Requirements for sensitive information.

f. Label any mobile device or portable media containing PII in accordance with current NASA Security Program Procedural Requirements for sensitive information.

g. Remove PII from Agency premises or download and store PII remotely only under conditions prescribed in current NPRs for sensitive information.

h. Ensure the proper disposition and/or sanitization of files, records, and/or media containing privacy information in accordance with the standards outlined in ITS-HBK-2810.11, Media Protection.

DISTRIBUTION:
NODIS