NASA Procedures and Guidelines

This Document is Obsolete and Is No Longer Used.
Check the NODIS Library to access the current version:
http://nodis3.gsfc.nasa.gov


NPR 1600.1
Eff. Date: November 03, 2004
Cancellation Date: October 22, 2013

NASA Security Program Procedural Requirements w/Change 2 (4/01/2009)


Appendix H: Identifying and Nominating NASA Assets for the NASA Mission Essential Infrastructure Protection Program (MEIPP)

1. Introduction. Homeland Security Presidential Directive (HSPD) 7, "Critical Infrastructure Identification, Prioritization, and Protection," directs that every Government agency establish a program to identify its critical infrastructure or key resources, prioritize and evaluate its critical infrastructure or key resources for vulnerabilities, and fund appropriate security enhancements necessary to mitigate identified vulnerabilities. NASA has elected to designate its critical infrastructure or key resources as "mission" essential vice "minimum" essential infrastructure (MEI) to better facilitate designation of vital, mission-oriented critical infrastructure and key resource, operations, and equipment.

2. Purpose. To establish the roles and responsibilities of key Agency and Center personnel in the implementation and support of HSPD 7 and the Agency Critical Infrastructure Protection Plan (CIPP).

3. Critical Infrastructure Protection Plan (CIPP). The Agency CIPP implements the Agency critical infrastructure and key resources protection strategy. The CIPP shall be consulted whenever action impacting an MEI asset is being considered.

4. Criteria for Determining Agency Mission Essential Infrastructure (MEI). Agency MEI is defined as those essential facilities, missions, services, equipment, and interdependencies that enable the Agency to fulfill its national goals and Agency essential missions. For the purposes of the NASA MEI Protection Program, asset owners will use the following definitions when considering assets for inclusion:

a. A NASA infrastructure is to be considered critical, or a resource considered key, if its destruction or damage causes significant impact on the security of the nation - national economic security, national public health, safety, psychology, or any combination.

b. A NASA infrastructure or resource is to be considered mission critical if its damage or destruction would have a debilitating impact on the ability of NASA to perform its essential functions and activities.

c. Using paragraphs a & b above as guidance, NASA will use the following criteria to determine Agency critical infrastructure or key resources:

(1) Impact to National Security. Does the loss or compromise of the asset enable a hostile entity to disrupt or otherwise threaten the ability of NASA to satisfy critical missions in support of the National defense? Examples:

(a) Intelligence Functions
(b) Emergency Management Network
(c) Protection and Storage
(d) Nuclear Reactors Programs
(e) Defense and Transportation Programs

(2) Impact on Public Safety, Health, or Continuity of Government Services.

(a) Does the loss or compromise of the asset endanger or otherwise threaten the safety and health of the general public? Refers to:

1. NASA facilities and systems that protect the general public from hazardous materials.

2. Situations that could be generated using materials owned by NASA to create safety and health hazards.

3. Utilities, communications, or other similar systems on which other Agencies depend to accomplish their essential missions serving the general public.

4. Weather prediction or other systems on which other Agencies depend to accomplish their essential missions serving the general public.

(3) Impact on Economic Security. Does the loss or compromise of the asset enable the hostile entity to disrupt or otherwise threaten NASA's ability to satisfy its critical mission in support of the economic well being of the Nation? Refers to:

(a) Assets operated or controlled by NASA, its contractors, or its agents that, if compromised or destroyed, would cause irreparable harm to the economic stability of the Nation.

(4) Impact on Essential NASA Missions that:

(a) Have very high public visibility in terms of the general public's perception of NASA as a symbol of national pride.

(b) Are integral to the performance of NASA's mission, have a very large dollar value, or are difficult or impossible to replace in a reasonable period of time.

(c) The loss or compromise of the asset would enable a hostile entity to disrupt or otherwise threaten the ability of NASA to satisfy its Essential Missions. Refers to:

1. Critical elements of the NASA Strategic Enterprises that are absolutely required for NASA's Essential Mission capability.

2. Critical Infrastructure Interdependencies (e.g., IT resources, data, electric power, water, oil and gas, environmental control components, transportation, security and safety, buildings or facilities, telecommunications, telephone system, local area networks, wide-area networks, etc.) that are dependent on or support NASA's MEI and whose loss could directly impact NASA's essential mission capability. These assets need not be identified as separate MEI but shall be integrated into the Center MEI asset protection scheme, evaluated for security risk vulnerability and protected accordingly.

(5) Impact on Human Life. Does the loss or compromise of the asset endanger or otherwise threaten the life, health, or safety of personnel engaged in the performance of NASA's missions?

5. Appointment of Agency and Center Critical Infrastructure Assurance Officer (CIAO). Per the CIPP, the NASA Administrator and Center Directors shall appoint, in writing, a senior member of their staff to perform the duties as the CIAO.

a. The Assistant Administrator for Security and Program Protection has been designated by the NASA Administrator as the NASA CIAO. The NASA CIAO, in coordination with Center CIAOs, shall coordinate and oversee all aspects of the Agency MEIPP.

b. The Agency Chief Information Officer (CIO) and Center CIOs, respectively, are responsible for coordinating and overseeing all aspects of the protection of Agency and individual Center cyber-infrastructure assets and interdependencies and will coordinate all critical and/or key cyber-infrastructure identification, prioritization, and protection requirements with the NASA CIAO. Together, the NASA CIAO and CIO set the tone for the success of the Agency MEIPP.

6. Procedures for Nominating NASA Assets for Consideration for Inclusion Under the NASA MEIPP.

Procedures for identifying, nominating, and assessing initial Agency and Center MEI were established and implemented in 1999 to enable the Agency to meet National level mandates. Those procedures were implemented, and the Agency successfully identified and assessed all existing MEI and met all initial milestones.

7. Procedures for Adding/Deleting NASA Assets to the MEI Inventory. At a minimum, all proposed changes to the MEI list shall be coordinated by the Center with the responsible Headquarters Mission Directorate Associate Administrator, the Center's CIO, Center Chief of Security, and CIAO, as appropriate.

Using the criteria outlined in paragraph 4 above, personnel responsible for the Center and/or Agency asset deemed a candidate for inclusion or deletion under the MEIPP shall follow the procedure below to determine the appropriateness of the MEI designation or deletion.

a. For IT Assets:

(1) System owner, in coordination with the Center CIO, Chief of Security, IT System Security Manager, and the Center CIAO, shall propose IT System inclusion/deletion on the Agency MEI inventory to the Center Director.

(2) Upon final determination that the asset must be designated or deleted as an MEI, a written proposal shall be prepared for the Center Director's approval.

(3) Upon the Center Director's approval, the Center CIO shall forward the fully justified proposal to the NASA Deputy CIO for ITS with copies to the manager of the Principal Center of Information Technology Security (PCITS) and the Mission Associate Administrator CIO.

(4) The NASA Deputy CIO for ITS, in consultation with the Manager PCITS, Center ITS Manager, and Mission Directorate Associate Administrator CIO shall recommend acceptance or rejection of the proposal to the NASA CIO.

(5) Based on the recommendation of the NASA Deputy CIO for ITS, the NASA CIO shall coordinate with the NASA CIAO and either approve or reject the proposed change.

(6) Upon approval, the Center IT Security Manager and System IT Security Manager shall conduct an appropriate IT MEI system assessment using requirements established in NPR 2810.10.

(7) Appropriate mitigation plans shall be prepared and implemented to address all vulnerabilities, or if the proposal is disapproved, the NASA CIO shall coordinate with the affected Center CIO and Mission Directorate Associate Administrator to establish the appropriate appeals process, if warranted.

(8) Upon approval to delete an IT asset from the MEI list, the NASA CIO shall notify the requesting Center Director, Center CIO, and Center CIAO of the decision and submit appropriate information to the NASA CIAO so they shall update/distribute the MEI list, accordingly.

b. For physical assets:

(1) Facility owner, in coordination with the Center Chief of Security (CCS) and the Center CIAO, shall propose facility inclusion or deletion on the Agency MEI inventory to the Center Director.

(2) Upon final determination that the asset must be designated or deleted as an MEI, a written proposal shall be prepared for the Center Director's approval.

(3) Upon Center Director's approval, the Center CCS shall forward the fully justified proposal to the NASA CIAO, with copies to the manager of the Mission Directorate Associate Administrator.

(4) The NASA CIAO, in consultation with the CCS and Mission Directorate Associate Administrator, shall recommend acceptance or rejection of the proposal to the NASA CIAO.

(5) The NASA CIAO shall either approve or reject the proposed change.

(6) If the proposal is approved, the NASA CIAO shall modify and distribute the updated NASA MEI list, and notify the requesting Center Director, Center Chief of Security, and Center CIAO of the decision.

(7) Upon approval of request for designation as an MEI, the CCS and Center CIAO shall ensure the following is accomplished:

(a) Conduct an appropriate physical security assessment.

(b) Prepare and implement appropriate mitigation plans to address all vulnerabilities.

(8) If the proposal is disapproved, the CIAO shall coordinate with the affected Center CIAO and Mission Directorate Associate Administrator to establish the appropriate appeals process, if warranted.

(9) Upon approval to delete a physical asset from the MEI list, the NASA CIAO shall notify the requesting Center Director, Center Chief of Security, Agency CIO, and Center CIAO of the decision and update and distribute the MEI list, accordingly.




DISTRIBUTION:
NODIS

