NASA Procedural Requirements
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer



Chapter 3 Govern

3.1 Overview

The Govern chapter describes NASA's governance structures to understand, manage, and prioritize privacy risk.

3.2 Awareness and Training

3.2.1 Overview

3.2.1.1 The Privacy Awareness and Training section relates to NASA's initiatives to ensure that all NASA Users are aware of and trained on their roles and responsibilities related to PII.

3.2.1.2 Several OMB documents outline the privacy training requirements, including OMB Circular A-130, Managing Information as a Strategic Resource; OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy (02/11/2005); and OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (01/03/2017). Specifically, OMB M-17-12 provides guidance on preparing for and responding to a breach of PII. It also allows agencies to tailor breach responses to the specific occurrence and the resulting damage. To meet the guidance in OMB M-17-12 and its requirement for a tabletop exercise, NASA requires core BRT members to participate in an Incident Response Assessment (IRA) annually if a tabletop exercise or actual breach response activity is not conducted.

3.2.1.3 NASA Privacy Training and Awareness procedures are governed by ITS-HBK-2810.06, Cybersecurity and Privacy Awareness Training and Education.

3.2.2 Procedural Requirements

3.2.2.1 The SAOP shall:

a. Ensure NASA users complete training and education on their privacy responsibilities, including acceptable rules of behavior, when and how to report privacy related incidents, and consequences for violating this NPR.

b. Oversee the mandatory annual privacy training program.

c. Oversee a privacy awareness program.

3.2.2.2 The CPO shall:

a. Review and approve all privacy awareness and training materials.

b. Develop privacy awareness and training materials.

c. Work with the Information Technology Security Awareness and Training Center (ITSATC) to ensure privacy awareness and training materials meet information security training requirements.

d. Ensure the privacy training:

(1) For the NASA user explains the policies and procedures for safeguarding PII collected and maintained at NASA.

(2) For the NASA user explains the privacy rules of behavior and consequences.

(3) For the NASA user with access to NASA data, explains that willful disclosure of information to individuals not entitled to Privacy Act records or sensitive privacy information in any form is strictly prohibited.

(4) For persons involved in the design, development, operation, or maintenance of any Privacy Act SOR, or in the maintenance of any record within any SOR, explains the requirements regarding the protection, use, and release of the Privacy Act records.

(5) For persons involved in the design, development, operation, or maintenance of any PII collection, explains the requirements regarding the protection, use, and release of the records.

e. Determine the annual training requirements for APMs.

3.2.2.3 The APM shall complete privacy role-based training, per NASA Spec 2661.ODVr5.

3.2.2.4 The ISO shall:

a. Ensure that all NASA users who have access to PII or who develop or supervise procedures for handling PII are trained and are compliant with policies and procedures in NPD 1382.17, this directive, and referenced documents for safeguarding PII collected and maintained at or on behalf of NASA.

b. Ensure that persons involved in the design, development, operation, or maintenance of any Privacy Act SOR, or in the maintenance of any record in any SOR, are trained in the requirements regarding the protection, use, and release of the Privacy Act records.

c. Ensure that persons involved in the design, development, operation, or maintenance of any PII collection are trained in the requirements regarding the protection, use, and release of the records.

3.2.2.5 The NASA User shall participate in mandatory Cybersecurity and Privacy Awareness Training prior to gaining access to NASA information and information systems, and yearly thereafter.

3.2.2.6 The designated core BRT members shall participate annually in an actual BRT activity, a tabletop exercise, or an IRA conducted by the CSPD.

3.3 Privacy Accountability

3.3.1 Overview

3.3.1.1 The Privacy Accountability section relates to NASA's initiatives to ensure accountability as related to compliance with applicable privacy protection requirements.

3.3.1.2 This section includes requirements that ensure NASA's compliance with established privacy controls and includes internal reporting requirements and external reporting requirements.

3.3.1.3 NASA Privacy Accountability procedures are governed by the privacy laws, regulations, and NASA's policies and procedures on Privacy Accountability.

3.3.2 Internal Reporting Procedural Requirements

3.3.2.1 Overview

a. Internal reporting requirements exist within NASA to internally track compliance with privacy laws, regulations, and NASA's policies and procedures.

b. Internal reporting requirements include metrics, data calls, and status reports.

c. The results of internal reporting requirements are used to create metrics that allow the SAOP and the NASA CPO to evaluate the goals and objectives of the NASA privacy program.

3.3.2.2 The SAOP shall update NASA senior management on the status of Agency performance in meeting privacy goals and objectives.

3.3.2.3 The NASA CPO shall update the SAOP on privacy metrics annually as part of the 44 U.S.C. § 3551 reporting process.

3.3.2.4 The APM shall:

a. Respond to various privacy related mandates and requests for information from the NASA CPO and NASA PAO.

b. Report any privacy (PII) or Privacy Act violations to the CPO.

c. Track planned, in progress, and completed corrective actions taken to remedy deficiencies identified in compliance reviews.

d. Ensure the NASA MPII is up to date and accurately reflects all electronic and non-electronic collections of information.

e. Report all significant privacy related activities (e.g., BRT activities and privacy complaints) to the CPO.

3.3.2.5 The ISO shall:

a. Report to APMs on the status of compliance with NASA privacy requirements through the PTA and PIA processes accomplished in RISCS.

b. Control disclosures from their SOR and maintain accountings of all disclosures of information in accordance with NASA's Privacy Act regulations, 14 CFR pt. 1212.

3.3.2.6 The NASA User shall report any suspected or confirmed unauthorized disclosures of PII in any form to the Security Operations Center (SOC) in accordance with Agency IT security incident reporting procedures.

3.3.3 External Reporting Procedural Requirements

3.3.3.1 Overview

NASA has a number of external reporting requirements, including those required by OMB, Department of Homeland Security (DHS), 44 U.S.C. § 3551, Office of the Inspector General (OIG), Government Accountability Office (GAO), and Congressional inquiries. For example, NASA is required to report annually to OMB or DHS under 44 U.S.C. § 3551 on privacy-related issues, including metrics on PIAs and SORNs.

3.3.3.2 The SAOP shall:

a. Ensure external reporting requirements are met.

b. Respond to external reporting requirements.

c. Approve NASA's privacy reports required by OMB and 44 U.S.C. § 3551.

d. Develop and maintain a privacy reviews schedule.

e. Ensure that reviews are conducted in accordance with the Privacy Act and OMB Circular A-130.

Table 1. Mandated Reviews Overview and Frequency

| Type of Review | Frequency | Brief Description | Year Required |
|---|---|---|---|
| Matching Programs | Annually | Review each matching program in which the Agency has participated. Where possible, reduce the amount or type of PII collected to the bare minimum necessary. | Annually |
| Review and Reduce PII | Annually | Review all personally identifiable information (PII) holdings. | Annually |
| Privacy Impact Assessments | Annually | Review the number of completed Privacy Impact Assessments (PIAs) against the number of posted PIA summaries. | Annually |
| Website Privacy Compliance | Annually | Review NASA websites to ensure that they have posted links to the NASA privacy page. | Annually |
| Contract | Every 2 years | Review a random sample of Agency contracts that provide for the maintenance of a System of Record (SOR) on behalf of NASA. | Every 2 years |
| Recordkeeping Practices | Every 2 years | Review System of Records Notice (SORN) disposal policies and practices, including the maintenance of automated records. | Every 2 years |
| Privacy Act Training | Every 2 years | Review training practices to ensure that all Agency personnel are familiar with Privacy Act requirements. | Every 2 years |
| Violations | Every 2 years | Review actions of Agency personnel that have resulted in the Agency or the employee being found liable or guilty. | Every 2 years |
| System of Record Notices | Every 2 years | Review each SORN for accuracy and appropriateness. | Every 2 years |
| Routine Use of Disclosures | Every 4 years | Review the disclosure practice associated with each SOR. | Every 4 years |
| Exemption of System of Records | Every 4 years | Review each SOR for which the Agency has identified exemption rules. | Every 4 years |

3.3.3.3 The CPO shall:

a. Produce and provide NASA's privacy reports required by OMB and 44 U.S.C. § 3551 to the NASA SAISO and the NASA SAOP.

b. Ensure privacy reviews occur within the time frames set out in Table 1.

3.3.3.4 The NASA PAO shall coordinate and conduct the review directed by the Privacy Act and OMB Circular A-130 in accordance with designated timelines.

3.3.3.5 The APMs shall:

a. Coordinate privacy reporting data collection efforts for the Agency report to the NASA CPO.

b. Coordinate the Privacy Act reviews as directed by the NASA PAO.

3.4 Privacy Complaints

3.4.1 Overview

3.4.1.1 NASA is required by OMB to provide a mechanism for receiving and managing complaints from the public and from NASA users.

3.4.1.2 Specific information on the privacy complaints process is governed by ITS-HBK-1382.06-01, Web Privacy Notice and Redress—Web Privacy and Written Notice, Complaints, Access, and Redress.

3.4.2 Procedural Requirements

3.4.2.1 The SAOP shall:

a. Ensure policies and processes for filing and managing privacy complaints and inquiries are developed and maintained.

b. Ensure that complaints are recorded, tracked, and addressed.

3.4.2.2 The NASA CPO shall work with the SAOP to record, track, and address privacy complaints.

3.4.2.3 The APMs shall:

a. Receive and seek to address privacy complaints.

b. Report privacy complaints to the NASA CPO via the process defined in ITS-HBK-1382.06-01.

3.4.2.4 The ISO shall:

a. Receive and seek to address privacy complaints associated with the application, information system, or website.

b. Report application, information system, or website privacy complaints to the APM.

3.5 Privacy Consequences

3.5.1 Overview

3.5.1.1 NASA may impose penalties on a NASA user who commits a privacy-related violation of this NPR. Consequences may range from reprimand to suspension or removal. Specifically, the consequences for violating the privacy-related provisions of this NPR are defined in the Privacy Act, 44 U.S.C. § 3604, and NAII 2540.1, NASA's Cybersecurity and Privacy Rules of Behavior.

3.5.1.2 Consequences for privacy-related violations are governed by NAII 2540.1.

3.5.2 Procedural Requirements

3.5.2.1 The SAOP shall outline the consequences and penalty guidelines related to privacy violations.

3.5.2.2 The CPO shall:

a. Advise the SAOP on consequences for violating this NPR.

b. Advise the APMs on consequences for violating this NPR.

c. Establish requirements and procedures for reporting known, suspected, or likely violations of the privacy requirements of this NPR.

3.5.2.3 APMs provide support to the CPO to ensure adherence to the requirements of this NPR at the Center level.

3.5.2.4 The ISO shall:

a. Meet publication requirements for Privacy Act SOR. Any official who willfully maintains a Privacy Act SOR without meeting the publication requirements is subject to possible criminal penalties or administrative sanctions, or both.

b. Be held accountable for privacy violations of this NPR. Penalties range from criminal to administrative.

3.5.2.5 The NASA User shall be held accountable for violations of this NPR and related handbooks. Penalties may include reprimand, suspension, removal, or other administrative action, fines, additional privacy training, or other actions in accordance with applicable laws and Agency disciplinary policy.

3.5.2.6 NASA Users may:

a. Be subject to written reprimand, suspension, removal, or other administrative action under the following situations:

(1) Knowingly failing to implement and maintain information security controls required by this NPR for the protection of PII regardless of whether such action results in the loss of control or unauthorized disclosure of PII.

(2) Failing to report any known or suspected loss of control or unauthorized disclosure of PII.

(3) For managers, failing to adequately instruct, train, or supervise employees in their privacy responsibilities.

b. Be subject to criminal penalties for willful and intentional violations of the Privacy Act.

3.6 Privacy Redress and Privacy Act Information Requests

3.6.1 Overview

3.6.1.1 NASA provides a mechanism for redress and remedy from misuse or mishandling of PII and for correcting inaccuracies. Specifically, NASA provides the public and the NASA user with the opportunity to amend or correct their PII.

3.6.1.2 The redress process is governed by ITS-HBK-1382.06-01.

3.6.1.3 Additionally, NASA responds to requests for information maintained in a system of records in accordance with 14 CFR pt. 1212.

3.6.2 Procedural Requirements

3.6.2.1 The SAOP shall:

a. Ensure policies and procedures for redressing misuse or mishandling of PII and for correcting inaccuracies are maintained. The SAOP will ensure that the policies follow these guidelines:

(1) Comply with the Plain Writing Act of 2010, 5 U.S.C. § 301, by being written in plain language that is easy to read and understand.

(2) Explain the right of redress.

(3) Explain the process for complaining, seeking redress, and/or appealing adverse decisions.

(4) Provide a general timeline for the redress process.

(5) Identify the privacy policy related to PII being collected, processed, or maintained.

b. Permit individual access to the Privacy Act SOR in order to amend those Privacy Act records, as permitted in accordance with 14 CFR pt. 1212.

c. In accordance with the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, 5 U.S.C. § 101:

(1) Ensure the ability for NASA to accept remote identity-proofing and authentication for the purposes of allowing an individual to request access to their records or to provide prior written consent authorizing disclosure of their records under the Privacy Act.

(2) Ensure the ability for NASA to accept the access and consent forms from any individual properly identity-proofed and authenticated remotely through digital channels for the purpose of individual access to records for authorizing disclosure of the individual's records to another person or entity, including a congressional office.

3.6.2.2 The NASA CPO shall assist the SAOP in redressing PII issues.

3.6.2.3 The PAO shall provide a Privacy Act record access request process for individuals seeking access to their individual NASA-maintained record in accordance with 14 CFR pt. 1212.

3.6.2.4 APMs shall forward any Privacy Act record access requests received to the relevant System Manager for processing in accordance with 14 CFR pt. 1212.

3.6.2.5 The System Manager (the ISO or IO) shall process Privacy Act record access requests from an individual seeking access to their individual NASA maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act.

3.6.2.6 The Freedom of Information Act (FOIA) Officer shall process Privacy Act record access requests the Officer receives from an individual seeking access to the individual's NASA maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act in conjunction with the System Manager.

3.7 Privacy Rules of Behavior

3.7.1 Overview

3.7.1.1 Privacy Rules of Behavior include the NASA user responsibilities outlined within the chapters of this NPR and are stated in the Cybersecurity and Privacy Rules of Behavior agreed and signed by NASA users.

3.7.1.2 Additional information on Rules of Behavior is governed by NPD 2540.1, Acceptable Use of Government Office Property Including Information Technology.

3.7.2 Procedural Requirements

3.7.2.1 The SAOP shall ensure Rules of Behavior for privacy and consequences are outlined in this NPR and maintained in NASA's Cybersecurity and Privacy Rules of Behavior.

3.8 Risk Management Strategy

3.8.1 Overview

3.8.1.1 NPR 2810.1 establishes requirements for cybersecurity risk management strategy to work in conjunction with requirements of NPR 8000.4, Agency Risk Management Procedural Requirements.

3.8.1.2 Management of privacy risk is an important component of NASA's overall risk management strategy and is deeply related to cybersecurity risks.

3.8.2 Procedural Requirements

3.8.2.1 The SAISO shall ensure the Cybersecurity Risk Management Strategy required by NPR 2810.1 includes consideration of privacy risks within the context of the strategy.

3.8.2.2 The CPO shall work with the SAOP and the SAISO to ensure that privacy risk is incorporated into NASA's overall risk management strategies.


DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.