
NASA Procedural Requirements
NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer



Chapter 3 Govern

3.1 Overview

The Govern chapter describes NASA’s governance structures to understand, manage, and prioritize privacy risk.

3.2 Awareness and Training

3.2.1 Overview

3.2.1.1 The Privacy Awareness and Training section relates to NASA’s initiatives to ensure that all NASA Users are aware of and trained on their roles and responsibilities related to PII.

3.2.1.2 Several OMB documents outline the privacy training requirements, including OMB Circular A-130, Managing Information as a Strategic Resource; OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy (02/11/2005); and OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (05/22/2007). Specifically, OMB M-07-16 makes NASA responsible for providing training to every user before that user gains access to NASA information and information systems, with annual refresher training required thereafter. Additionally, advanced training may be required depending on the privacy-related responsibilities of the NASA user.

3.2.1.3 NASA Privacy Training and Awareness procedures are governed by ITS-HBK-1382.07, Privacy Awareness and Training, and ITS-HBK-2810.06, IT Security Awareness, Training and Education.

3.2.2 Procedural Requirements

3.2.2.1 The SAOP shall:

a. Ensure NASA users complete training and education on their privacy responsibilities, including acceptable rules of behavior, when and how to report privacy-related incidents, and consequences for violating this NPR.

b. Oversee the mandatory annual privacy training program.

c. Oversee a privacy awareness program.

3.2.2.2 The NASA CPO shall:

a. Review and approve all privacy awareness and training materials.

b. Develop privacy awareness and training materials.

c. Work with the Information Technology Security Awareness and Training Center (ITSATC) to ensure privacy awareness and training materials meet information security training requirements.

d. Ensure the privacy training:

(1) For the NASA user explains the policies and procedures for safeguarding PII collected and maintained at NASA.

(2) For the NASA user explains the privacy rules of behavior and consequences.

(3) For the NASA user with access to NASA data, explains that willful disclosure of information to individuals not entitled to Privacy Act records or sensitive privacy information in any form is strictly prohibited.

(4) For persons involved in the design, development, operation, or maintenance of any Privacy Act SOR, or in the maintenance of any record within any SOR, explains the requirements regarding the protection, use, and release of the Privacy Act records.

(5) For persons involved in the design, development, operation, or maintenance of any PII collection, explains the requirements regarding the protection, use, and release of the records.

e. Determine the annual training requirements for CPMs.

3.2.2.3 The CPM shall:

a. Complete privacy role-based training, as required.

b. Ensure awareness and training programs are conducted at the Center level.

3.2.2.4 The ISO shall:

a. Ensure that all NASA users who have access to PII or who develop or supervise procedures for handling PII are trained and are compliant with policies and procedures in NPD 1382.17, this directive, and referenced documents for safeguarding PII collected and maintained at or on behalf of NASA.

b. Ensure that persons involved in the design, development, operation, or maintenance of any Privacy Act SOR, or in the maintenance of any record in any SOR, are trained in the requirements regarding the protection, use, and release of the Privacy Act records.

c. Ensure that persons involved in the design, development, operation, or maintenance of any PII collection are trained in the requirements regarding the protection, use, and release of the records.

3.2.2.5 The NASA User shall:

a. Participate in mandatory privacy training prior to gaining access to NASA information and information systems, and yearly thereafter.

b. Participate in privacy role-based training, as required.

3.2.2.6 The Center Breach Response Team (BRT) members shall participate in annual BRT training and exercises.

3.3 Privacy Accountability

3.3.1 Overview

3.3.1.1 The Privacy Accountability section relates to NASA’s initiatives to ensure accountability as related to compliance with applicable privacy protection requirements.

3.3.1.2 This section includes requirements that ensure NASA’s compliance with established privacy controls and includes internal reporting requirements and external reporting requirements.

3.3.1.3 NASA Privacy Accountability procedures are governed by ITS-HBK-1382.08-01, Privacy Accountability.

3.3.2 Internal Reporting Procedural Requirements

3.3.2.1 Overview

a. Internal reporting requirements exist within NASA to internally track compliance with privacy laws, regulations, and NASA’s policies and procedures.

b. Internal reporting requirements include metrics, data calls, and status reports.

c. The results of internal reporting requirements are used to create metrics that allow the SAOP and the NASA CPO to evaluate the goals and objectives of the NASA privacy program.

3.3.2.2 The SAOP shall update NASA senior management on the status of Agency performance in meeting privacy goals and objectives.

3.3.2.3 The NASA CPO shall update the SAOP on privacy metrics annually as part of the 44 U.S.C. § 3551 reporting process.

3.3.2.4 The CPM shall:

a. Update the NASA CPO, Center CIO, and Center CISO on the status of meeting the privacy requirements at the Center.

b. Respond to various privacy-related mandates and requests for information from the NASA CPO and NASA PAO.

c. Report any PII or Privacy Act violations to the CPO.

d. Track planned, in progress, and completed corrective actions taken to remedy deficiencies identified in compliance reviews.

e. Ensure the NASA MPII is up to date and accurately reflects all electronic and non-electronic collections of information for their respective Center.

f. Report all significant privacy-related activities (e.g., BRT activities and privacy complaints) to the CPO.

3.3.2.5 The ISO shall:

a. Report to the CPM on the status of compliance with NASA Privacy requirements through the PTA and PIA processes accomplished in RISCS.

b. Control disclosures from their SOR and maintain accountings of all disclosures of information in accordance with Privacy Act NASA Regulations, 14 CFR pt. 1212.

3.3.2.6 The NASA User shall report any suspected or confirmed unauthorized disclosures of PII in any form to the Security Operations Center (SOC) in accordance with Agency IT security incident reporting procedures.

3.3.3 External Reporting Procedural Requirements

3.3.3.1 Overview

NASA has a number of external reporting requirements, including those required by OMB, Department of Homeland Security (DHS), 44 U.S.C. § 3551, Office of the Inspector General (OIG), Government Accountability Office (GAO), and Congressional inquiries. For example, NASA is required to report annually to OMB or DHS under 44 U.S.C. § 3551 on privacy-related issues, including metrics on PIAs and SORNs.

3.3.3.2 The SAOP shall:

a. Ensure external reporting requirements are met.

b. Respond to external reporting requirements.

c. Approve NASA’s privacy reports required by OMB and 44 U.S.C. § 3551.

d. Develop and maintain a privacy reviews schedule.

e. Ensure that reviews are conducted as prescribed by the Privacy Act and OMB Circular A-130 and summarized in ITS-HBK-1382.08-01.

3.3.3.3 The NASA CPO shall:

a. Produce and provide NASA’s privacy reports required by OMB and 44 U.S.C. § 3551 to the NASA SAISO and the NASA SAOP.

b. Ensure that privacy reviews are conducted in accordance with the schedule outlined in ITS-HBK-1382.08.

3.3.3.4 The NASA PAO shall coordinate and conduct the Privacy Act and OMB Circular A-130 reviews in accordance with the schedule outlined in ITS-HBK-1382.08-01.

3.3.3.5 The CPM shall:

a. Coordinate 44 U.S.C. § 3551 privacy reporting data collection efforts for their Center and report to the NASA CPO, Center CIO, and Center CISO.

b. Coordinate the Privacy Act reviews as directed by the NASA PAO.

3.4 Privacy Complaints

3.4.1 Overview

3.4.1.1 NASA is required by OMB to provide a mechanism for receiving and managing complaints from the public and from NASA users.

3.4.1.2 Specific information on the privacy complaints process is governed by ITS-HBK-1382.06-01, Privacy Notice and Redress—Web Privacy and Written Notice, Complaints, Access, and Redress.

3.4.2 Procedural Requirements

3.4.2.1 The SAOP shall:

a. Ensure policies and processes for filing and managing privacy complaints and inquiries are developed and maintained.

b. Ensure that complaints are recorded, tracked, and addressed.

3.4.2.2 The NASA CPO shall work with the SAOP to record, track, and address privacy complaints.

3.4.2.3 The CPM shall:

a. Receive and seek to address Center-level privacy complaints.

b. Report Center-level privacy complaints to the NASA CPO via the process defined in ITS-HBK-1382.06-01.

3.4.2.4 The ISO shall:

a. Receive and seek to address privacy complaints associated with the application, information system, or website.

b. Report application, information system, or website privacy complaints to the CPM.

3.5 Privacy Consequences

3.5.1 Overview

3.5.1.1 NASA can impose penalties on a NASA user for privacy-related violations of this NPR. Consequences may range from reprimand to suspension or removal. Specifically, the consequences for violating the privacy-related provisions of this NPR are defined in the Privacy Act, 44 U.S.C. § 3604, and the handbook on rules of behavior identified below.

3.5.1.2 Consequences for privacy-related violations are governed by ITS-HBK-1382.09-01, Privacy Rules of Behavior and Consequences.

3.5.2 Procedural Requirements

3.5.2.1 The SAOP shall outline the consequences and penalty guidelines related to privacy violations.

3.5.2.2 The NASA CPO shall:

a. Advise the SAOP on consequences for violating this NPR.

b. Advise the CPM on consequences for violating this NPR at the Center level.

c. Establish requirements and procedures for reporting known, suspected, or likely violations of the privacy requirements of this NPR.

3.5.2.3 The CPM shall provide support to the CPO to ensure adherence to the requirements of this NPR at the Center level.

3.5.2.4 The ISO shall:

a. Meet publication requirements for Privacy Act SOR. Any official who willfully maintains a Privacy Act SOR without meeting the publication requirements is subject to possible criminal penalties or administrative sanctions, or both.

b. Be held accountable for privacy violations of this NPR; penalties range from criminal to administrative.

3.5.2.5 The NASA User shall be held accountable for violations of this NPR and related handbooks. Penalties may include reprimand, suspension, removal, or other administrative action, fines, additional privacy training, or other actions in accordance with applicable laws and Agency disciplinary policy.

3.5.2.6 NASA Users may:

a. Be subject to written reprimand, suspension, removal, or other administrative action under the following situations:

(1) Knowingly failing to implement and maintain information security controls required by this NPR for the protection of PII regardless of whether such action results in the loss of control or unauthorized disclosure of PII.

(2) Failing to report any known or suspected loss of control or unauthorized disclosure of PII.

(3) For managers, failing to adequately instruct, train, or supervise employees in their privacy responsibilities.

b. Be subject to criminal penalties for willful and intentional violations of the Privacy Act.

3.6 Privacy Redress and Privacy Act Information Requests

3.6.1 Overview

3.6.1.1 NASA provides a mechanism for redress and remedy from misuse or mishandling of PII and for correcting inaccuracies. Specifically, NASA provides the public and the NASA user with the opportunity to amend or correct their PII.

3.6.1.2 The redress process is governed by ITS-HBK-1382.06-01.

3.6.1.3 Additionally, NASA responds to the Privacy Act information requests in accordance with 14 CFR pt. 1212.

3.6.2 Procedural Requirements

3.6.2.1 The SAOP shall:

a. Ensure policies and procedures for redressing misuse or mishandling of PII and for correcting inaccuracies are maintained. The SAOP will ensure that the policies follow these guidelines:

(1) In accordance with the Plain Writing Act of 2010, 5 U.S.C. § 301, be in plain language and easy to read and understand.

(2) Explain the right of redress.

(3) Explain the process for complaining, seeking redress, and/or appealing adverse decisions.

(4) Provide a general timeline for the redress process.

(5) Identify the privacy policy related to PII being collected, processed, or maintained.

b. Permit individual access to the Privacy Act SOR in order to amend those Privacy Act records, as permitted in accordance with 14 CFR pt. 1212.

c. In accordance with the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, 5 U.S.C. § 101:

(1) Ensure the ability for NASA to accept remote identity-proofing and authentication for the purposes of allowing an individual to request access to their records or to provide prior written consent authorizing disclosure of their records under the Privacy Act.

(2) Ensure the ability for NASA to accept the access and consent forms from any individual properly identity-proofed and authenticated remotely through digital channels for the purpose of individual access to records for authorizing disclosure of the individual’s records to another person or entity, including a congressional office.

3.6.2.2 The NASA CPO shall assist the SAOP in redressing PII issues.

3.6.2.3 The PAO shall provide a Privacy Act record access request process, as set out in 14 CFR pt. 1212, for individuals seeking access to their individual NASA-maintained record.

3.6.2.4 The CPM shall forward any Privacy Act record access requests received to the relevant System Manager for processing in accordance with 14 CFR pt. 1212.

3.6.2.5 The System Manager (the ISO or IO) shall process Privacy Act record access requests from an individual seeking access to their individual NASA-maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act.

3.6.2.6 The Freedom of Information Act (FOIA) Officer shall process Privacy Act record access requests the Officer receives from an individual seeking access to the individual’s NASA-maintained record in accordance with 14 CFR pt. 1212 and the Privacy Act, in conjunction with the System Manager.

3.7 Privacy Rules of Behavior

3.7.1 Overview

3.7.1.1 Privacy Rules of Behavior include the NASA user responsibilities outlined within the chapters of this NPR and the related handbooks in P.4.

3.7.1.2 Specific information on Rules of Behavior is governed by NID 2540.138, Acceptable Use of Government Office Property Including Information Technology.

3.7.2 Procedural Requirements

3.7.2.1 The SAOP shall:

a. Ensure Rules of Behavior for privacy are outlined within this NPR and maintained in the associated privacy handbook, ITS-HBK-1382.09-01.

b. Ensure that awareness and training materials include information on privacy Rules of Behavior.

3.8 Risk Management Strategy

3.8.1 Overview

3.8.1.1 NPR 2810.1 establishes requirements for cybersecurity risk management strategy to work in conjunction with requirements of NPR 8000.4, Agency Risk Management Procedural Requirements.

3.8.1.2 Management of privacy risk is an important component of NASA’s overall risk management strategy and is deeply related to cybersecurity risks.

3.8.2 Procedural Requirements

3.8.2.1 The SAISO shall ensure that the Cybersecurity Risk Management Strategy required by NPR 2810.1 includes consideration of privacy risks within the context of the strategy.

3.8.2.2 The CPO shall work with the SAOP and the SAISO to ensure that privacy risk is incorporated into NASA’s overall risk management strategies.


DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.