
NASA Procedural Requirements
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer



Change Log

| Change # | Approver | Date Approved | Description/Comments |
|---|---|---|---|
| 1 | CPO | 10/11/2024 | Throughout the text: • Administrative updates were made throughout the text to use OCIO transformation terminology, renaming personnel formerly known as center privacy managers (CPMs) to agency privacy managers (APMs). • Clarified and revised lettering and numbering of paragraphs. |
| 2 | CPO | 10/11/2024 | In P.4: • Updates were made to reference the documents currently in effect, while those rescinded were edited out. • Formal references of privacy and other handbooks were updated to reflect current titles. |
| 3 | CPO | 10/11/2024 | In 1.1: • Updates were made to clarify the identify function as outlined in the risk management framework. |
| 4 | CPO | 10/11/2024 | In 1.2.2.5: • Added CPO's responsibility to review and approve PIAs and ensure that program managers have completed privacy-related information. |
| 5 | CPO | 10/11/2024 | Throughout the text: • Updates were added to reflect the agency-centered approach of the NASA OCIO transformation process. • APMs' roles were updated to reflect this approach. |
| 6 | CPO | 10/11/2024 | Added the reference to the Paperwork Reduction Act and the Paperwork Reduction Act Officer since it became part of CPO's area of responsibility. |
| 7 | CPO | 10/11/2024 | In 2.2: • Changes were made to reiterate SAOP's authority to establish and maintain the NASA Master Privacy Information Inventory (MPII). |
| 8 | CPO | 10/11/2024 | In 2.3.2.2: • Updates were made to edit out the role of Center CISO in ensuring when a PIA or PTA is warranted for applications, websites, and information systems. It also aligns with the reformed roles of the Center CISOs. |
| 9 | CPO | 10/11/2024 | In 2.3.2.3: • Further clarifications were made to stress APMs' responsibility to review the PTA & PIAs on information collections to ensure ISO has adequately addressed information protected under the Privacy Act. |
| 10 | CPO | 10/11/2024 | Throughout: • The reference(s) to ITS-HBK-1382.09-01, Rules of Behavior was edited out in favor of the NASA Cybersecurity and Privacy Rules of Behavior document (NAII 2540.1) now in NAMS and available to every NASA user to sign then revalidate annually. |
| 11 | CPO | 10/11/2024 | Included: • A reference was added to OMB M-24-11, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. |
| 12 | CPO | 10/11/2024 | Throughout: • Edited out the references to the following Privacy handbooks as rendered redundant and overtaken by revised handbooks and documents: • ITS-HBK-1382.07-01, Privacy Awareness and Training • ITS-HBK-1382.08-01, Privacy Accountability • ITS-HBK-1382.09-01, Privacy Rules of Behavior |
| 13 | CPO | 10/11/2024 | Privacy and Awareness section was updated to reflect findings/recommendations of the NASA Inspector General and GAO pertaining to breach response training. Namely: • NASA requires core BRT members to participate in an incident response assessment (IRA) when a tabletop exercise or actual breach response activity has not been conducted. • Added a definition for Incident Response Assessment (IRA). • Clarified the definition of the breach, an incident endangering the integrity of an information system violation of policies and security protocols centering around the collection and protection of the PII. |
| 14 | | 2/3/25 | Administrative edits made to comply with executive actions. |



DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.