Effective Date: July 10, 2013
Expiration Date: November 30, 2021
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | Chapter7 | Chapter8 | Chapter9 | AppendixA | AppendixB | AppendixC | AppedixD | AppendixE | ALL ||
a. The purpose of this document is to set forth the procedural requirements for safeguarding individual privacy through the protection of personally identifiable information (PII), regardless of format, which is collected, used, maintained, and disseminated by the National Aeronautics and Space Administration (NASA).
b. This NASA Procedural Requirement (NPR) is based on Federal requirements as listed in section P.4, Applicable Documents and Forms. State requirements such as those issued under California law, which are more restrictive than NASA policy, should be followed, as applicable.
a. This NPR is applicable to NASA Headquarters and NASA Centers, including Component Facilities and Technical and Service Support Centers.
(1) For the purposes of this NPR, NASA Headquarters is regarded as a Center. All stated Center requirements are also applicable to NASA Headquarters.
b. This language applies to the Jet Propulsion Laboratory (JPL), a Federally Funded Research and Development Center (FFRDC), other contractors, grant recipients, or parties to agreements only to the extent specified or referenced in the appropriate contracts, grants, or agreements.
c. This NPR applies to PII collected, stored, used, processed, disclosed, or disseminated in any format for use by or on behalf of NASA and includes PII collections that are maintained externally through a contract or outsourced to: (1) a Government Owned, Contractor Operated (GOCO) facility; (2) partners under the Space Act; (3) partners under the Commercial Space Act of 1997; or (4) commercial or university facilities.
(1) External collections that are not gathered on behalf of NASA or are merely incidental to a contract (e.g., PII in a contractor's payroll and personnel management system) are excluded from this NPR and are considered non-NASA data.
(2) This NPR does not apply to PII collected and/or maintained by NASA employees and contractors for personal use (e.g., contact information for family, relatives, and doctors), as allowed under NASA Policy Directive (NPD) 2540.1, Personal Use of Government Office Equipment Including Information Technology.
d. In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term "shall." The terms "may" or "can" denote discretionary privilege or permission, "should" denotes a good practice and is recommended but not required, "will" denotes expected outcome, and "are/is" denotes descriptive material.
a. National Aeronautics and Space Act, as amended, 51 United States Code (U.S.C.) § 20101 et seq.
b. E-Government (e-Gov) Act of 2002, as amended, 44 U.S.C. § 3601 et seq.
c. Privacy Act of 1974, as amended, 5 U.S.C. § 552a.
a. NASA Privacy Act Regulations, 14 Code of Federal Regulations (CFR) Part 1212.
b. The Federal Acquisition Regulations (FAR) Subpart 24.1 - Protection of Individual Privacy and the NASA FAR Supplement (NFS), Subpart 1824.1.
c. Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §6501, et seq., 16 C.F.R § 312.
d. Computer Matching and Privacy Protection Act of 1988, Public Laws (P.L.) 100-503.
e. Clinger-Cohen Act of 1996, 40 U.S.C. 11103.
f. Paperwork Reduction Act of 1995 (PRA), 44 U.S.C. § 3501, et seq.
g. Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541, et seq.
h. Office of Management and Budget (OMB) M-05-08, Designation of Senior Agency Officials for Privacy
i. OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information.
j. OMB Memorandum M-06-16, Protection of Sensitive Agency Information.
k. OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investment.
l. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
m. OMB Memorandum M-10-22, Guidance for Online use of Web Measurement and Customization Technologies, June 25, 2010.
n. OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
o. OMB Circular A-130, Management of Federal Information Resources
p. NPD 2540.1, Personal Use of Government Office Equipment Including Information Technology.
q. NPR 1441.1, NASA Records Retention Schedules.
r. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
s. NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.
t. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
u. Information Technology Security Handbook (ITS-HBK)-1382.02, Privacy Goals and Objectives.
v. ITS-HBK-1382.03, Privacy Risk Management and Compliance.
w. ITS-HBK-1382.04, Privacy and Information Security.
x. ITS-HBK-1382.05, Privacy Incident Response and Management.
y. ITS-HBK-1382.06, Privacy Notice and Redress.
z. ITS-HBK-1382.07, Privacy Training and Awareness.
aa. ITS-HBK-1382.08, Privacy Accountability.
bb. ITS-HBK-1382.09, Privacy Rules of Behavior and Consequences.
cc. ITS-HBK-2810.03, Planning
dd. ITS-HBK-2810.06, Awareness and Training.
ee. ITS-HBK-2810.09, Incident Response and Management.
ff. ITS-HBK-2810.11, Media Protection.
a. The obligation to measure performance is driven by Federal regulatory and NASA privacy requirements outlined within this NPR and the related handbooks. These measurements are based upon NASA's privacy goals and the objectives outlined by the Senior Agency Official for Privacy (SAOP), designed to provide substantive justification for decision making for the SAOP and senior management, which is utilized to measure the effectiveness of the NASA Privacy Program, its policies, and requirements.
b. The SAOP shall provide assessments and evaluations of the application of this NPR. This will consist of periodic reporting from the Centers, including information collected for the satisfaction of OMB and FISMA reporting requirements.
c. All covered entities are subject to privacy compliance reviews and evaluations by NASA.
a. NPR 1382.1, NASA Privacy Procedural Requirements, August 10, 2007.
b. NASA Information Technology Requirement (NITR)-1382-2, NASA Rules and Consequences Policy. Relative to Safeguarding Personally Identifiable Information (PII), January 28, 2008.
Larry N. Sweet
NASA Chief Information Officer
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | Chapter7 | Chapter8 | Chapter9 | AppendixA | AppendixB | AppendixC | AppedixD | AppendixE | ALL |
|| NODIS Library | Organization and Administration(1000s) | Search ||
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.