
NASA Procedural Requirements
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer



Appendix C. Requirements Matrices

C.1 Administrator

Para # Requirement
1.2.2.1a Ensure the protection of PII within NASA’s information and information systems.
1.2.2.1b Assign a SAOP, who maintains the Agency’s privacy program and its overall objectives and priorities.
4.2.2.1 The Administrator shall ensure, in accordance with the Social Security Number Fraud Prevention Act of 2017, Pub. L. 115-59, 131 Stat. 1152 (2017), that NASA does not include a social security number (SSN) on any NASA-developed document sent by physical mail unless:
a. The Administrator approves such inclusion; and
b. Inclusion is necessary because:
(1) Inclusion is required by law or regulation.
(2) An SSN is needed to identify a specific individual and no other substitute is available.
(3) Inclusion is needed to fulfill a compelling Agency business need.

C.2 Agreement Managers

Para # Requirement
1.2.2.11 Contracting Officers (COs) or Agreement Managers shall ensure that the requirements of this directive are included and in scope for all NASA contracts, Space Act agreements, cooperative agreements, partnership agreements, or other agreements pursuant to which privacy information (e.g., PII, PHI, PAI) is being collected, processed, stored, or transmitted.

C.3 Center Breach Response Team Members

Para # Requirement
3.2.2.6 The Center Breach Response Team (BRT) members shall participate in annual BRT training and exercises.

C.4 Center Chief Counsel

Para # Requirement
6.3.2.9 The Center Chief Counsel shall advise the Center BRT on legal issues and review for legal sufficiency proposed notification materials.

C.5 Center Chief Information Officer

Para # Requirement
1.2.2.8a Ensure that all Center information and information systems comply with the provisions of this NPR.
1.2.2.8b Support the protection and management of PII at the Center and consult with the CPM on matters pertaining to privacy.
1.2.2.8c Support the CPM in protecting PII and/or Information in Identifiable Form (IIF) at the Center.
1.2.2.8d Ensure that Information Owners (IOs), Information System Owners (ISOs), and Data Owners (DOs) assess the privacy aspects of information collections and information systems for which they are responsible and ensure all required security safeguards are implemented in accordance with current NASA policy and procedural requirements for the collection, use, maintenance, and dissemination of personal information.
5.6.2.3a Examine and monitor the third party’s privacy policy when the Center uses a third-party website or application to evaluate risk and determine whether its use is acceptable to NASA.
5.6.2.3b Ensure the NASA Web Privacy Policy is incorporated into all Center public-facing NASA websites.
5.7.2.2 The Center CIO shall approve any multi-session Web Measurement and Customization Technology prior to use when no PII is collected as defined in ITS-HBK-1382.06-01, and annually thereafter.
6.3.2.2 The Center CIO shall advise the BRT when needed.

C.6 Center Chief Information Security Officer

Para # Requirement
1.2.2.9 The Center Chief Information Security Officer (CISO) shall support the CPM in protecting PII at the Center.
6.2.2.2 The Center CISO, jointly with the CPM, shall ensure that the protection of privacy information is maintained throughout the creation, transmission, storage, use, and disposition of information.

C.7 Center Human Resources Employee Relations Specialist

Para # Requirement
6.3.2.13 The Center Human Resources Employee Relations Specialists may advise the civil servants’ supervisor(s) on corrective action, which may include formal or informal disciplinary action.

C.8 Center Human Resources Director

Para # Requirement
6.3.2.12 The Center Human Resources Director may designate a Human Resources staff member to serve as a member of the BRT. The designated staff member will participate in gathering and documenting information and evidence about the role of any civil servant employee in the breach.

C.9 Center Office of Communications (or equivalent office)

Para # Requirement
6.3.2.10 The Center Office of Communications (or equivalent office) may:
a. Advise on, and review, proposed notification materials and approaches.
b. Generate releases and other public notifications as requested.

C.10 Center/Executive Director

Para # Requirement
1.2.2.7a Appoint a Center Privacy Manager (CPM).
1.2.2.7b Support the protection and management of PII at the Center and consult with the CPM on matters pertaining to privacy.

C.11 Chief Information Officer

Para # Requirement
1.2.2.2a Provide guidance to the SAOP.
1.2.2.2b Update NPD 1382.17, NASA Privacy Policy, to ensure NASA is current with changes in Federal privacy policy.
5.6.2.1a Ensure the NASA Web Privacy Policy is posted (or linked to) on all public-facing NASA websites.
5.6.2.1b Ensure the NASA Web Privacy Policy is posted (or linked to) on official NASA websites and applications hosted on third-party websites and applications.
5.6.2.1c Make the NASA Web Privacy Policy available through the NASA website.
5.6.2.1d Ensure that the NASA Web Privacy Policy is translated into a standardized machine-readable format.

C.12 Contracting Officer Representatives

Para # Requirement
6.3.2.11 The CO/COR, in situations where the breach involves information maintained on NASA’s behalf by or on contractors, shall serve as the interface between the Government and contracted parties.

C.13 Contracting Officers

Para # Requirement
1.2.2.11 Contracting Officers (COs) or Agreement Managers shall ensure that the requirements of this directive are included and in scope for all NASA contracts, Space Act agreements, cooperative agreements, partnership agreements, or other agreements pursuant to which privacy information (e.g., PII, PHI, PAI) is being collected, processed, stored, or transmitted.
6.3.2.11 The CO/COR, in situations where the breach involves information maintained on NASA’s behalf by or on contractors, shall serve as the interface between the Government and contracted parties.

C.14 Center Privacy Manager

Para # Requirement
1.2.2.10a Serve as the Center advisor to the Center Director, Center CIO, Center CISO, and Information System Owners (ISOs) on all matters pertaining to privacy.
1.2.2.10b Function as the primary Center point of contact/liaison to the NASA CPO and NASA PAO.
1.2.2.10c Work with ISOs to review and aid in ensuring compliance with all privacy requirements, as needed.
1.2.2.10d Validate the proper disposition and/or sanitization process for files and records (paper, electronic, or other media formats), which contain privacy information.
1.2.2.10e Ensure the NASA privacy program is implemented at the Center in accordance with NASA policy.
1.2.2.10f Ensure that IOs, ISOs, and DOs perform the required information collection assessments (i.e., PTAs and PIAs) and aid in the development of any additional documentation indicated as required upon completion of the PTA (or PIA if required). (This includes SORNs, Privacy Act Federal Register notices, and Privacy Act Statements.)
1.2.2.10g Serve as their Center’s liaison for the controlled unclassified information (CUI) program unless a different liaison is identified by the Center’s leadership.
2.2.2.2 The CPM shall ensure the MPII established per Section 2.2.1.1a accurately reflects all electronic and non-electronic collections of information for their respective Center and is current.
2.3.2.3a Assist ISOs in the completion of PTAs and, when needed, PIAs.
2.3.2.3b Conduct timely reviews of applications and information systems, including websites, PTAs and PIAs to ensure the ISO has addressed adequate protection of privacy and/or Privacy Act information (PAI).
2.3.2.3c Ensure the ISOs update PTAs and, when needed, PIAs.
2.3.2.3d Conduct annual PIA reviews.
2.3.2.3e Ensure procedures exist to dispose of data at the Center level according to NRRS 1441.1, NPR 2810.1, and NPR 2810.7.
3.2.2.3a Complete privacy role-based training, as required.
3.2.2.3b Ensure awareness and training programs are conducted at the Center level.
3.3.2.4a Update the NASA CPO, Center CIO, and Center CISO on the status of meeting the privacy requirements at the Center.
3.3.2.4b Respond to various privacy related mandates and requests for information from the NASA CPO and NASA PAO.
3.3.2.4c Report any Privacy (PII) or Privacy Act violations to the CPO.
3.3.2.4d Track planned, in progress, and completed corrective actions taken to remedy deficiencies identified in compliance reviews.
3.3.2.4e Ensure the NASA MPII is up to date and accurately reflects all electronic and non-electronic collections of information for their respective Center.
3.3.2.4f Report all significant privacy related activities (e.g., BRT activities and privacy complaints) to the CPO.
3.3.3.5a Coordinate 44 U.S.C. § 3551 privacy reporting data collection efforts for their Center and report to the NASA CPO, Center CIO, and Center CISO.
3.3.3.5b Coordinate Privacy Act reviews as directed by the NASA PAO.
3.4.2.3a Receive and seek to address Center-level privacy complaints.
3.4.2.3b Report Center-level privacy complaints to the NASA CPO via the process defined in ITS-HBK-1382.06-01.
3.5.2.3 The CPM shall provide support to the CPO to ensure adherence to the requirements of this NPR at the Center level.
3.6.2.4 The CPM shall forward any Privacy Act record access requests received to the relevant System Manager for processing in accordance with 14 CFR pt. 1212.
4.2.2.4a Work with ISOs to ensure that all PII is maintained with accuracy, relevance, timeliness, and completeness.
4.2.2.4b Coordinate annual review activities at the Center level with ISOs to ensure PII is collected in accordance with this policy and to reduce or eliminate unnecessary collections of PII.
4.2.2.4c Work with ISOs to eliminate the unnecessary use of SSNs.
5.4.2.3 The CPM shall work with ISOs and the PAO to ensure the Privacy Act Statement meets the requirements of the Privacy Act.
5.5.2.3a Work with ISOs in identifying the need for a Privacy Act SORN.
5.5.2.3b Assist the ISO in drafting a SORN for publication in the Federal Register, if not already covered under an existing SORN.
5.5.2.3c Provide the NASA PAO with draft SORNs, as required.
5.5.2.3d Conduct SORN reviews, as required.
5.5.2.3e Coordinate the review and approval of new draft SORNs and Privacy Act notice updates with ISOs and the NASA PAO.
5.6.2.5 The CPM shall assist the Center CIO in ensuring the NASA Web Privacy Policy is incorporated into all Center public-facing NASA websites.
5.7.2.4 The CPM shall advise the ISO on Web Measurement and Customization Technology use and requirements.
6.2.2.3 The CPM, jointly with the Center CISO, shall ensure that the protection of privacy information is maintained throughout the creation, transmittal, storage, use, and disposition of information.
6.3.2.4a Ensure suspected loss, actual loss, and unauthorized access to PII are reported in accordance with NASA policy and procedures stated in ITS-HBK 1382.05-01.
6.3.2.4b Function as a core Center BRT member advising the BRT on privacy related policy, requirements, and procedures.
6.3.2.4c Ensure that the steps outlined in handbook-level guidance are met.
6.3.2.4d Participate in suspected PII breach initial investigations, determinations, reporting, and response efforts.
6.3.2.4e Produce reports and close out breach actions, as required.
6.3.2.4f Ensure necessary follow-up actions on remediation efforts, in coordination with the Center CISO, are conducted to reduce risk of repeat offenses.

C.15 Chief Privacy Officer

Para # Requirement
1.2.2.5a Oversee and manage the development and implementation of policy and procedure, guidance, directives, and requirements for NASA in support of compliance with Federal laws, statutes, and Government-wide policy as directed by the SAOP.
1.2.2.5b Ensure that NASA complies with privacy requirements within Federal statutes listed in this directive, including the collection, maintenance, use, and dissemination of privacy information.
1.2.2.5c Develop and maintain NASA privacy policies, procedural requirements, and handbooks as directed by the SAOP.
1.2.2.5d Establish Agency requirements and processes for conducting PTAs and PIAs for new or significantly changed applications, websites, or information systems, and make PIAs publicly available (unless public release is otherwise prohibited).
1.2.2.5e Oversee and provide guidance in the implementation and the day-to-day operation of the NASA-wide privacy program as directed by the SAOP.
1.2.2.5f Review NASA's compliance with information privacy laws, regulations, and policies annually to validate effectiveness and ensure conformity with current Federal policies and guidance as directed by the SAOP.
2.3.2.2a Implement Agency policy, requirements, and processes for conducting PTAs and PIAs, for new or revised applications and information systems.
2.3.2.2b Ensure PIAs are thorough and meet all applicable standards.
2.3.2.2c Ensure that completed PIAs are made publicly available for applications and information systems, including websites, which collect and/or maintain IIF on members of the public, consistent with Federal policy, unless otherwise prohibited.
3.2.2.2a Review and approve all privacy awareness and training materials.
3.2.2.2b Develop privacy awareness and training materials.
3.2.2.2c Work with the Information Technology Security Awareness and Training Center (ITSATC) to ensure privacy awareness and training materials meet information security training requirements.
3.2.2.2d Ensure the privacy training:
(1) For the NASA user explains the policies and procedures for safeguarding PII collected and maintained at NASA.
(2) For the NASA user explains the privacy rules of behavior and consequences.
(3) For the NASA user with access to NASA data, explains that willful disclosure of information to individuals not entitled to Privacy Act records or sensitive privacy information in any form is strictly prohibited.
(4) For persons involved in the design, development, operation, or maintenance of any Privacy Act SOR, or in the maintenance of any record within any SOR, explains the requirements regarding the protection, use, and release of the Privacy Act records.
(5) For persons involved in the design, development, operation, or maintenance of any PII collection, explains the requirements regarding the protection, use, and release of the records.
3.2.2.2e Determine the annual training requirements for CPMs.
3.3.2.3 The NASA CPO shall update the SAOP on privacy metrics annually as part of the 44 U.S.C. § 3551 reporting process.
3.3.3.3a Produce and provide NASA's privacy reports required by OMB and 44 U.S.C. § 3551 to the NASA SAISO and the NASA SAOP.
3.3.3.3b Ensure that privacy reviews are conducted in accordance with the schedule outlined in ITS-HBK-1382.08.
3.4.2.2 The NASA CPO shall work with the SAOP to record, track, and address privacy complaints.
3.5.2.2a Advise the SAOP on consequences for violating this NPR.
3.5.2.2b Advise the CPM on consequences for violating this NPR at the Center level.
3.5.2.2c Establish requirements and procedures for reporting known, suspected, or likely violations of the privacy requirements of this NPR.
3.6.2.2 The NASA CPO shall assist the SAOP in redressing PII issues.
3.8.2.2 The CPO shall work with the SAOP and the SAISO to ensure that privacy risk is incorporated into NASA’s overall risk management strategies.
4.2.2.3 The NASA CPO shall coordinate and direct annual NASA-wide review activities to reduce or eliminate unnecessary collections of PII.
5.3.2.1 The CPO shall maintain Agency guidance for compliance with 15 U.S.C. §§ 6501-6506.
5.6.2.4a Review the NASA Web Privacy Policy to ensure compliance with this NPR and Federal requirements.
5.6.2.4b Recommend updates to the NASA Web Privacy Policy when needed.
5.7.2.3 The NASA CPO shall advise the SAOP on Web Measurement and Customization Technology use at NASA.
6.3.2.3a Assist the SAOP in fulfilling PII breach responsibilities.
6.3.2.3b Recommend to the SAOP to activate an Agency BRT when needed if such BRT is not already activated.
6.3.2.3c Maintain coordination and communication with the SAISO and the NASA SOC for incident reporting, tracking, and closure of sensitive PII breaches.
6.3.2.3d Provide overall direction to an Agency BRT for sensitive PII breaches.
6.3.2.3e Provide overall breach response guidance for sensitive PII BRT activities.
6.3.2.3f Update the SAOP on the status of the breach and breach response activities.
6.3.2.3g Submit, when needed, BRT findings and recommendations to the NASA SAOP for approval.

C.16 Freedom of Information Act Officer

Para # Requirement
3.6.2.6 The Freedom of Information Act (FOIA) Officer shall process Privacy Act record access requests the Officer receives from an individual seeking access to the individual’s NASA maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act in conjunction with the System Manager.

C.17 Information Owner

Para # Requirement
3.6.2.5 The System Manager (the ISO or IO) shall process Privacy Act record access requests from an individual seeking access to their individual NASA maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act.

C.18 Information System Owner

Para # Requirement
1.2.2.12a Acquire, develop, integrate, operate, modify, maintain, and dispose of information systems containing PII in a manner consistent with Federal statutes, regulation, and NASA privacy policies.
1.2.2.12b Ensure compliance with the Privacy Act for applications and information systems containing Privacy Act records.
1.2.2.12c Verify with the CO/Contracting Officer Representative (COR) that any contract that requires the operation of a System of Records (SOR) on behalf of NASA includes the clauses required per Federal Acquisition Regulations, 48 CFR pt. 24.
1.2.2.12d Notify the CO when purchase requests include services covered by the Privacy Act or the Paperwork Reduction Act, 44 U.S.C. § 3501 et seq.
1.2.2.12e Notify the CO when contractor services will require or include access to PII collected by or on behalf of NASA.
1.2.2.12f Verify that the contract statement of work identifies this NPR as outlining the NASA-specific requirements to be followed by the contractor.
2.3.2.4a Ensure that a PTA is conducted and approved for the applications and information systems, including websites, under their purview.
2.3.2.4b Ensure that a PIA is reviewed and approved for:
(1) An information system that collects, maintains, or disseminates IIF from or about members of the public; or
(2) An electronic collection of IIF for ten or more individuals, consistent with 44 U.S.C. § 3501.
2.3.2.4c Ensure that they conduct a re-evaluation of PTAs and, when needed, PIAs following significant modifications to all applications and information systems, including websites.
2.3.2.4d Ensure that a PIA is conducted prior to use of a third-party website or application that collects PII.
2.3.2.4e Review completed PTAs and PIAs annually to ensure ongoing accuracy.
3.2.2.4a Ensure that all NASA users who have access to PII or who develop or supervise procedures for handling PII are trained and are compliant with policies and procedures in NPD 1382.17, this directive, and referenced documents for safeguarding PII collected and maintained at or on behalf of NASA.
3.2.2.4b Ensure that persons involved in the design, development, operation, or maintenance of any Privacy Act SOR, or in the maintenance of any record in any SOR, are trained in the requirements regarding the protection, use, and release of the Privacy Act records.
3.2.2.4c Ensure that persons involved in the design, development, operation, or maintenance of any PII collection are trained in the requirements regarding the protection, use, and release of the records.
3.3.2.5a Report to the CPM on the status of compliance with NASA Privacy requirements through the PTA and PIA processes accomplished in RISCS.
3.3.2.5b Control disclosures from their SOR and maintain accountings of all disclosures of information in accordance with Privacy Act NASA Regulations, 14 CFR pt. 1212.
3.4.2.4a Receive and seek to address privacy complaints associated with the application, information system, or website.
3.4.2.4b Report application, information system, or website privacy complaints to the CPM.
3.5.2.4a Meet publication requirements for Privacy Act SOR. Any official who willfully maintains a Privacy Act SOR without meeting the publication requirements is subject to possible criminal penalties or administrative sanctions, or both.
3.5.2.4b Be held accountable for privacy violations of this NPR; penalties range from criminal to administrative.
3.6.2.5 The System Manager (the ISO or IO) shall process Privacy Act record access requests from an individual seeking access to their individual NASA maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act.
4.2.2.5a Eliminate the collection of information if the information is unnecessary to a NASA program and/or its associated mission.
4.2.2.5b Ensure that all privacy information is maintained with accuracy, relevance, timeliness, and completeness.
4.2.2.5c Ensure that Privacy Act records are collected and maintained in accordance with NASA Privacy Act policies.
4.2.2.5d Conduct annual review activities to reduce or eliminate unnecessary collections of PII.
4.2.2.5e Avoid the collection of SSNs, in accordance with NPD 1382.17, unless required by statute or some other requirement mandating the use of SSNs.
5.2.2.3 The ISO shall work with the PAO to prepare and ensure publication of a notice in the Federal Register at least 30 days in advance of the establishment or revision of a matching program.
5.3.2.2a Ensure compliance with 15 U.S.C. §§ 6501-6506 for websites intended to be used by, or targeted to, children under the age of 13 that collect PII.
5.3.2.2b Ensure that notice is provided concerning what information is being collected from children by the operator, how the information will be used, and the operator’s disclosure practices.
5.3.2.2c Ensure verifiable parental approval is obtained for the collection, use, or disclosure of information from children.
5.3.2.2d Provide a process for parental review of information collected from the child.
5.3.2.2e Provide an opportunity for parental refusal to permit the operator’s future use of the information or future collection of information.
5.3.2.2f Provide a means for the parent to obtain the personal information collected from the child.
5.4.2.4a Ensure that individuals who are asked to provide information to be maintained in a Privacy Act SOR are presented at the point of collection with a Privacy Act Statement that:
(1) Is presented either on the information collection sheet or screen, or via a separate sheet or screen that the individuals can print and retain;
(2) Complies with the requirements outlined in 14 CFR § 1212.602; and
(3) Is in a format that the individual may be able to retain in a physical or hard copy.
5.4.2.4b Ensure that new NASA forms or Center forms created for the collection of SOR information provide the correct and specific Privacy Act Statement for that SOR.
5.5.2.4a Limit the maintenance of Privacy Act records on individuals that are retrievable by name or other personal identifier to only those instances for which a Privacy Act SORN has been published in the Federal Register.
5.5.2.4b Provide draft content to enable the PAO to complete a SORN for publication in the Federal Register, if not already covered under an existing SORN.
5.5.2.4c Work with the CPM and the NASA PAO to publish a SORN in the Federal Register.
5.6.2.6a Ensure that privacy policies clearly and concisely inform visitors of the collection of PII.
5.6.2.6b Ensure that Privacy Act notification is provided to anyone entering an information system containing Privacy Act records.
5.6.2.6c Incorporate the NASA Web Privacy Policy into public-facing NASA websites.
5.7.2.5a Ensure Web Measurement and Customization Technology use is compliant with requirements outlined in ITS-HBK-1382.06-01.
5.7.2.5b Ensure that the website utilizing approved Web Measurement and Customization Technology provides clear and conspicuous notice concerning the use of the technology and includes:
(1) The nature of the information collected.
(2) The purpose and use of the information.
(3) Whether, and to whom, the information will be disclosed.
(4) What privacy safeguards are applied to the information collected.
(5) Consequences to the visitor, or NASA user, of opting out.
5.7.2.5c Seek a waiver from the SAOP to use Web Measurement and Customization Technology when required, as described in ITS-HBK-1382.06-01.
6.2.2.4a Ensure that access to PII is limited to those NASA users who have a need for access.
6.2.2.4b Ensure the protection of PII from unauthorized access or disclosure throughout its life cycle.
6.2.2.4c Ensure development and documentation of administrative, technical, and physical safeguards that protect against any anticipated threats or hazards to the security or integrity of records and against the potential of their unauthorized use in accordance with the requirements outlined in NPR 2810.1 and NPR 2810.7.
6.2.2.4d Ensure all computer-readable data extracts from databases containing PII are logged and verified, including information on whether the extracted data have been erased within 90 days or that the data’s use is still required.
6.2.2.4e Ensure PII is encrypted on any mobile medium (e.g., e-mail, memory stick, CD/DVD, etc.), at rest, and that other security controls are in place to render PII unusable by unauthorized individuals.
6.2.2.4f Ensure all required security controls are implemented and maintained.
6.3.2.5a Advise the BRT on the specifics of the affected information system(s) and/or information.
6.3.2.5b Advise on policies, processes, and impacts related to the breach.
6.3.2.5c Support recommendations from the BRT.

C.19 NASA User

Para # Requirement
1.2.2.13a Comply with all Federal laws, statutes, Government-wide, and NASA privacy policies and procedures in this and the referenced documents.
1.2.2.13b Protect all PII in the user’s custody (whether virtual, electronic, actual, or otherwise) from unauthorized disclosure, use, modification, or destruction so that the confidentiality, integrity, and availability of the information are preserved.
3.2.2.5a Participate in mandatory privacy training prior to gaining access to NASA information and information systems, and yearly thereafter.
3.2.2.5b Participate in privacy role-based training, as required.
3.3.2.6 The NASA User shall report any suspected or confirmed unauthorized disclosures of PII in any form to the Security Operations Center (SOC) in accordance with Agency ITS incident reporting procedures.
3.5.2.5 The NASA User shall be held accountable for violations of this NPR and related handbooks. Penalties may include reprimand, suspension, removal, or other administrative action, fines, additional privacy training or other actions in accordance with applicable laws and Agency disciplinary policy.
3.5.2.6 NASA Users may:
a. Be subject to written reprimand, suspension, removal, or other administrative action under the following situations:
(1) Knowingly failing to implement and maintain information security controls required by this NPR for the protection of PII regardless of whether such action results in the loss of control or unauthorized disclosure of PII.
(2) Failing to report any known or suspected loss of control or unauthorized disclosure of PII.
(3) For managers, failing to adequately instruct, train, or supervise employees in their privacy responsibilities.
b. Be subject to criminal penalties for willful and intentional violations of the Privacy Act.
4.2.2.6a Not include an SSN on any NASA-developed document sent by physical mail unless the Administrator approves such inclusion in accordance with Section 4.2.2.1 of this directive. The process for gaining Administrator approval is governed by the CPO and detailed in ITS-HBK 1382.03-02, Privacy Annual Reporting Procedures: Reviewing and Reducing PII and Unnecessary Use of SSN.
4.2.2.6b Ensure, if ever including an SSN on a NASA-developed document sent by physical mail in accordance with Section 4.2.2.6a of this directive:
(1) Where feasible, the SSN is partially redacted; and
(2) The SSN is not visible on the outside of any such package.
6.2.2.5a Limit disclosure of information on individuals from a SOR only in accordance with 14 CFR pt. 1212 routine uses of the Privacy Act records published in the applicable SORN.
6.2.2.5b Request Privacy Act records only under appropriate authority.
6.2.2.5c Ensure that any PII on mobile devices is safeguarded, at a minimum, using encryption solutions which are compliant with Federal encryption algorithm standards and NIST guidance, and in accordance with current NASA Security Program Procedural Requirements for sensitive information.
6.2.2.5d Ensure that PII is protected during transmission, at a minimum, using encryption solutions which are compliant with Federal encryption algorithm standards, NIST guidance, and in accordance with NPR 1600.1, NASA Security Program Procedural Requirements for sensitive information.
6.2.2.5e Ensure that all PII transmitted or downloaded, in any format or media, to or from mobile devices is properly encrypted according to NASA Security Program Procedural Requirements for sensitive information.
6.2.2.5f Label any mobile device or portable media containing PII in accordance with current NASA Security Program Procedural Requirements for sensitive information.
6.2.2.5g Remove PII from Agency premises or download and store PII remotely only under conditions prescribed in NPR 2810.7.
6.2.2.5h Ensure the proper disposition and/or sanitization of files, records, and/or media containing privacy information in accordance with the standards outlined in ITS-HBK-2810.11-02, Media Protection: Digital Media and Sanitization.
6.3.2.6 The NASA User shall report any suspected or confirmed breach of any form of PII as an Information Security incident to the NASA SOC immediately upon discovery.

C.20 NASA User Supervisors

Para # Requirement
6.2.2.4a Ensure that access to PII is limited to those NASA users who have a need for access.
6.2.2.4b Ensure the protection of PII from unauthorized access or disclosure throughout its life cycle.
6.2.2.4c Ensure development and documentation of administrative, technical, and physical safeguards that protect against any anticipated threats or hazards to the security or integrity of records and against the potential of their unauthorized use in accordance with the requirements outlined in NPR 2810.1 and NPR 2810.7.
6.2.2.4d Ensure all computer-readable data extracts from databases containing PII are logged and verified, including information on whether the extracted data have been erased within 90 days or that the data’s use is still required.
6.2.2.4e Ensure PII is encrypted on any mobile medium (e.g., e-mail, memory stick, CD/DVD, etc.), at rest, and that other security controls are in place to render PII unusable by unauthorized individuals.
6.2.2.4f Ensure all required security controls are implemented and maintained.

C.21 Office of the General Counsel

Para # Requirement
6.3.2.8 The OGC shall advise all BRTs on legal issues and review for legal sufficiency all proposed notification materials.

C.22 Office of Inspector General

Para # Requirement
6.3.2.7 The OIG shall investigate PII breaches involving suspected criminal intent and coordinate with the BRT on such matters.

C.23 Privacy Act Officer

Para # Requirement
1.2.2.6a Ensure compliance with requirements of the Privacy Act.
1.2.2.6b Oversee, manage, and implement the Privacy Act requirements for NASA.
3.3.3.4 The NASA PAO shall coordinate and conduct Privacy Act and OMB Circular A-130 reviews in accordance with the schedule outlined in ITS-HBK-1382.08-01.
3.6.2.3 The PAO shall provide a Privacy Act record access request process for individuals seeking access to their own NASA-maintained records, as provided in 14 CFR pt. 1212.
5.2.2.2 The NASA PAO shall work with the ISO to prepare and publish a notice in the Federal Register at least 30 days in advance of the establishment or revision of a matching program.
5.4.2.2 The NASA PAO shall work with the CPM to ensure the Privacy Act Statement meets the requirements of the Privacy Act.
5.5.2.2a Review and revise draft SORNs in cooperation with the system manager.
5.5.2.2b Coordinate the Agency and OMB reviews of SORNs and obtain SAOP signature for SORN submission to the Federal Register for publication through the NASA Federal Register Liaison Officer.
5.5.2.2c Coordinate with CPMs in determining whether an existing NASA or other government SORN covers Privacy Act records maintained by NASA.

C.24 Senior Agency Information Security Officer

Para # Requirement
1.2.2.4 The Senior Agency Information Security Officer (SAISO) shall provide necessary management and resources in support of the NASA-wide privacy program as established by the SAOP.
3.8.2.1 The SAISO shall ensure the Cybersecurity Risk Management Strategy required by NPR 2810.1, includes consideration of privacy risks within the context of the strategy.

C.25 Senior Agency Official for Privacy

Para # Requirement
1.2.2.3a Provide overall responsibility and accountability for ensuring NASA's implementation of privacy information protections.
1.2.2.3b Ensure that NASA is compliant with applicable Federal laws, regulations, policies, guidelines, and NASA privacy program requirements.
1.2.2.3c Develop and maintain a NASA-wide privacy program.
1.2.2.3d Develop, maintain, and monitor NASA privacy goals and objectives.
1.2.2.3e Approve handbooks related to this NPR.
1.2.2.3f Assign a Chief Privacy Officer (CPO) to oversee the NASA-wide privacy program. The Chief Privacy Officer was formerly called the Privacy Program Manager.
1.2.2.3g Assign a NASA Privacy Act Officer (PAO) responsible for oversight of NASA's compliance with the Privacy Act.
1.2.2.3h Advise senior NASA officials concerning their responsibilities to protect privacy information.
1.2.2.3i Evaluate legislative, regulatory, and other guidelines and policies related to privacy.
1.2.2.3j Ensure that a Privacy Threshold Analysis (PTA) is conducted for any new, or significantly changed, applications, websites, information systems (including third-party applications and information systems and collections of information provided for by external service providers who are collecting information on behalf of NASA), and all non-electronic information collections to determine whether there are any privacy implications or other regulatory compliance requirements. Guidance for conducting PTAs is in ITS-HBK-1382.03-01, Privacy - Collections, PIAs, and SORNs.
1.2.2.3k Ensure that, when an initial assessment via the PTA process calls for completion of a full Privacy Impact Assessment (PIA), one is initiated and completed, in accordance with ITS-HBK-1382.03-01, before any information is actively collected.
1.2.2.3l Review and approve PIAs.
2.2.2.1a Ensure the establishment and maintenance of the NASA Master Privacy Information Inventory (MPII).
2.2.2.1b Work with the SAISO to ensure the information system inventory required by NPR 2810.1, Security of Information and Information Systems, includes information on data processing systems processing PII.
2.3.2.1a Establish Agency policy, requirements, and process for conducting PTAs and/or PIAs for new or revised applications and information systems to limit the identification of individuals.
2.3.2.1b Assess the impact of technology on privacy and the protection of personal information.
2.3.2.1c Evaluate and approve or disapprove all completed PIAs.
2.3.2.1d Ensure that data is disposed of at the Agency level according to NRRS 1441.1, NASA Records Retention Schedules, NPR 2810.1, and NPR 2810.7.
3.2.2.1a Ensure NASA users complete training and education on their privacy responsibilities, including acceptable rules of behavior, when and how to report privacy related incidents, and consequences for violating this NPR.
3.2.2.1b Oversee the mandatory annual privacy training program.
3.2.2.1c Oversee a privacy awareness program.
3.3.2.2 The SAOP shall update NASA senior management on the status of Agency performance in meeting privacy goals and objectives.
3.3.3.2a Ensure external reporting requirements are met.
3.3.3.2b Respond to external reporting requirements.
3.3.3.2c Approve NASA's privacy reports required by OMB and 44 U.S.C. § 3551.
3.3.3.2d Develop and maintain a privacy reviews schedule.
3.4.2.1a Ensure policies and processes for filing and managing privacy complaints and inquiries are developed and maintained.
3.4.2.1b Ensure that complaints are recorded, tracked, and addressed.
3.5.2.1 The SAOP shall outline the consequences and penalty guidelines related to privacy violations.
3.6.2.1a Ensure policies and procedures for redressing misuse or mishandling of PII and for correcting inaccuracies are maintained. The SAOP will ensure that the policies follow these guidelines:
(1) In accordance with the Plain Writing Act of 2010, 5 U.S.C. § 301, be in plain language and easy to read and understand.
(2) Explain the right of redress.
(3) Explain the process for complaining, seeking redress, and/or appealing adverse decisions.
(4) Provide a general timeline for the redress process.
(5) Identify the privacy policy related to PII being collected, processed, or maintained.
3.6.2.1b Permit individual access to the Privacy Act SOR, in order to amend those Privacy Act records, as provided in 14 CFR pt. 1212.
3.6.2.1c In accordance with the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, Pub. L. 116-50, 133 Stat. 1073 (2019):
(1) Ensure the ability for NASA to accept remote identity-proofing and authentication for the purposes of allowing an individual to request access to their records or to provide prior written consent authorizing disclosure of their records under the Privacy Act.
(2) Ensure the ability for NASA to accept the access and consent forms from any individual properly identity-proofed and authenticated remotely through digital channels for the purpose of individual access to records or for authorizing disclosure of the individual's records to another person or entity, including a congressional office.
3.7.2.1a Ensure Rules of Behavior for privacy are outlined within this NPR and maintained in the associated privacy handbook, ITS-HBK-1382.09-01.
3.7.2.1b Ensure that awareness and training materials include information on privacy Rules of Behavior.
4.2.2.2a Limit the collection of PII to that which is legally authorized, consistent with Federal and NASA privacy requirements, and to the minimum extent necessary.
4.2.2.2b Ensure that PII is collected only when necessary for the proper performance of NASA’s functions and mission support.
4.2.2.2c Conduct annual review activities to reduce or eliminate unnecessary collections of PII.
5.2.2.1a Establish a Data Integrity Board that is responsible for approving, overseeing, and coordinating the matching program before any ISO may engage in a computer matching program as defined by the Privacy Act.
5.2.2.1b Provide guidance on computer matching agreements.
5.4.2.1 The SAOP shall provide guidance on the use of Privacy Act Statements.
5.5.2.1a Provide guidance on the development and publication of SORNs in such a way that limits the formulation of inferences about individuals' behavior or activities.
5.5.2.1b Review and issue all SORNs for publication in the Federal Register.
5.6.2.2a Ensure the NASA Web Privacy Policy:
(1) Includes description of the information being collected.
(2) Includes the purpose for the collection.
(3) Includes the official use of, or need for, the collected information.
(4) Specifies what information NASA collects automatically (e.g., user’s internet protocol (IP) address, location, and time of visit) and identifies the use for which it is collected (e.g., site management or security purposes).
(5) Informs visitors as to whether their provision of the requested information is voluntary.
(6) Informs visitors on how to grant consent for the use of voluntarily provided information.
(7) Informs visitors on how to grant consent for NASA to utilize the information that the website collects for a use other than statutorily mandated or authorized routine uses under the Privacy Act.
(8) Notifies visitors of their rights under the Privacy Act for SOR.
(9) Incorporates information to meet the requirements of 15 U.S.C. §§ 6501-6506, where needed.
(10) Includes information on the redress mechanism.
(11) Notifies visitors as to how the Agency handles unsolicited e-mail, including the fact that the sender’s privacy is not guaranteed.
5.6.2.2b Disclose, in the applicable NASA Web Privacy Policy, a third party’s involvement in Agency applications when they are embedded within a NASA website.
5.7.2.1a Ensure the NASA Privacy Policy describes the use of third-party websites and applications, as outlined by OMB.
5.7.2.1b Evaluate and approve or disapprove waivers for web measurement and customization technology that collects PII prior to use of that technology, as defined in ITS-HBK-1382.06, and annually thereafter.
6.2.2.1 The SAOP shall implement privacy policies and procedures to ensure the confidentiality and integrity of privacy information.
6.3.2.1a Establish, implement, and publish Agency PII breach response and management policies and procedures in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
6.3.2.1b Review, approve, or amend BRT recommended actions and notification plans.
6.3.2.1c Advise NASA senior management on sensitive PII breaches and remediation progress.
6.3.2.1d Activate an Agency BRT if the situation warrants a NASA-wide activation.
6.3.2.1e Advise NASA senior management when notification and action plans need to be executed at a NASA-wide level.
6.3.2.1f Ensure that all NASA users receive incident reporting training as outlined in Chapter 3 of this NPR.



DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.