| NODIS Library | Organization and Administration(1000s) | Search |

NPR 1382.1B
Effective Date: July 26, 2022
Expiration Date: July 26, 2027
Printable Format (PDF)

Subject: NASA Privacy Procedural Requirements

Responsible Office: Office of the Chief Information Officer

| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | ALL |

Chapter 6 Protect

6.1 Overview

6.1.1 The Protect chapter describes NASA’s data processing safeguards and incident response plans and procedures.

6.1.2 Data processing safeguards are deeply intertwined with information security requirements, as nearly all privacy-related information will be stored on or processed by some manner of information system. Readers are directed to consult NPR 2810.1, which governs NASA information security requirements, for further information on NASA cybersecurity polices and risk management.

6.2 Privacy and Information Security

6.2.1 Overview The Privacy and Information Security section describes NASA’s initiatives for privacy and information security. This section addresses requirements that all NASA PII will be secured, as directed by the Privacy Act; 44 U.S.C. § 3601; OMB M-06-15, OMB M-06-19, OMB M-07-16; and NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NASA has a responsibility to protect the confidentiality, integrity, and availability of NASA information and information systems. The categorization of information systems may be Low, Moderate, or High as defined in NIST SP 800-60 Rev.1, Guide for Mapping Types of Information and Information Systems to Security Categories and Federal Information Processing Standard Publications (FIPS PUB) 199. Information systems containing PII or aggregated contact information for NASA employees or contractors, such as a directory service, are categorized at a minimum Confidentiality level of Moderate. All PII is to be handled and protected as CUI in accordance with NPR 2810.7. NASA Privacy and Information Security procedures are governed by ITS-HBK-1382.04, Privacy and Information Security Overview.

6.2.2 Procedural Requirements The SAOP shall implement privacy policies and procedures to ensure the confidentiality and integrity of privacy information. The Center CISO, jointly with the CPM, shall ensure that the protection of privacy information is maintained throughout the creation, transmission, storage, use, and disposition of information. The CPM, jointly with the Center CISO, shall ensure that the protection of privacy information is maintained throughout the creation, transmittal, storage, use, and disposition of information. The ISO and User supervisors shall:

a. Ensure that access to PII is limited to those NASA users who have a need for access.

b. Ensure the protection of PII from unauthorized access or disclosure throughout its life cycle.

c. Ensure development and documentation of administrative, technical, and physical safeguards that protect against any anticipated threats or hazards to the security or integrity of records and against the potential of their unauthorized use in accordance with the requirements outlined in NPR 2810.1 and NPR 2810.7.

d. Ensure all computer-readable data extracts from databases containing PII are logged and verified, including information on whether the extracted data have been erased within 90 days or that the data’s use is still required.

e. Ensure PII is encrypted on any mobile medium (e.g., e-mail, memory stick, CD/DVD, etc.), at rest, and that other security controls are in place to render PII unusable by unauthorized individuals.

f. Ensure all required security controls are implemented and maintained. The NASA User shall:

a. Limit disclosure of information on individuals from a SOR only in accordance with 14 CFR pt. 1212 routine uses of the Privacy Act records published in the applicable SORN.

b. Request Privacy Act records only under appropriate authority.

c. Ensure that any PII on mobile devices is safeguarded, at a minimum, using encryption solutions which are compliant with Federal encryption algorithm standards and NIST guidance, and in accordance with NPR 1600.1, NASA Security Program Procedural Requirements for sensitive information.

d. Ensure that PII is protected during transmission, at a minimum, using encryption solutions which are compliant with Federal encryption algorithm standards, NIST guidance, and in accordance with NPR 1600.1.

e. Ensure that all PII transmitted or downloaded, in any format or media, to or from mobile devices is properly encrypted according to NPR 1600.1.

f. Label any mobile device or portable media containing PII in accordance with NPR 1600.1.

g. Remove PII from Agency premises or download and store PII remotely only under conditions prescribed in NPR 2810.7.

h. Ensure the proper disposition and/or sanitization of files, records, and/or media containing privacy information in accordance with the standards outlined in ITS-HBK-2810.11-02, Media Protection: Digital Media and Sanitization.

6.3 Privacy Incident Response and Management

6.3.1 Overview The Privacy Incident Response and Management section describes NASA’s response to incidents involving the breach of PII entrusted to NASA’s custody or managed by a contractor on NASA’s behalf. This section addresses breach response requirements within OMB M-06-19, and OMB M-07-16. The mechanism for response to a confirmed moderate or high-risk breach is a privacy BRT which is convened within 24 hours of the incident in accordance with ITS-HBK-1382.05, Privacy Incident Response: Breach Response Team Checklist and Management. In such a case, a Center BRT is convened when a breach of sensitive PII meets the threshold outlined in the handbooks associated with this directive. The BRT analyzes risk of identity theft in accordance with OMB requirements and NASA policies and guidelines, prepares recommendations for remediation and notification plans, drafts breach notification letters, determines the mechanism of public notice, assists the ISO in preparing Frequently Asked Questions (FAQs), notifies and continues to provide updates to the NASA CPO on the status of the breach and any related breach response activities, and submits findings and recommendations to the SAOP for approval. Non-governmental PII that is the property of the custodian, or entrusted to that person by friends or family, or a NASA contractor, grantee, etc., including corporate data used for non-governmental purposes but stored on NASA equipment is not covered by this NPR. While the limited personal use of government equipment may be permitted by NID 2540.138, NASA has no responsibility for the loss or compromise of such information. NASA privacy breach response procedures are governed by ITS-HBK 1382.05, and ITS-HBK-2810.09, Incident Response and Management.

6.3.2 Procedural Requirements The SAOP shall:

a. Establish, implement, and publish Agency PII breach response and management policies and procedures in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

b. Review, approve, or amend BRT recommended actions and notification plans.

c. Advise NASA senior management on sensitive PII breaches and remediation progress.

d. Activate an Agency BRT if the situation warrants a NASA-wide activation.

e. Advise NASA senior management when notification and action plans need to be executed at a NASA-wide level.

f. Ensure that all NASA users receive incident reporting training as outlined in Chapter 3 of this NPR. The Center CIO shall advise the BRT when needed. The NASA CPO shall:

a. Assist the SAOP in fulfilling PII breach responsibilities.

b. Recommend to the SAOP to activate an Agency BRT when needed if such BRT is not already activated.

c. Maintain coordination and communication with the SAISO and the NASA SOC for incident reporting, tracking, and closure of sensitive PII breaches.

d. Provide overall direction to an Agency BRT for sensitive PII breaches.

e. Provide overall breach response guidance for sensitive PII BRT activities.

f. Update the SAOP on the status of the breach and breach response activities.

g. Submit, when needed, BRT findings and recommendations to the NASA SAOP for approval. The CPM shall:

a. Ensure suspected loss, actual loss, and unauthorized access to PII are reported in accordance with NASA policy and procedures stated in ITS-HBK 1382.05-01.

b. Function as a core Center BRT member advising the BRT on privacy related policy, requirements, and procedures.

c. Ensure that the steps outlined in handbook-level guidance are met.

d. Participate in suspected PII breach initial investigations, determinations, reporting, and response efforts.

e. Produce reports and close out breach actions, as required.

f. Ensure necessary follow-up actions on remediation efforts, in coordination with the Center CISO, are conducted to reduce risk of repeat offenses. The ISO shall:

a. Advise the BRT on the specifics of the affected information system(s) and/or information.

b. Advise on policies, processes, and impacts related to the breach.

c. Support recommendations from the BRT. The NASA User shall report any suspected or confirmed breach of any form of PII as an Information Security incident to the NASA SOC immediately upon discovery. The OIG shall investigate PII breaches involving suspected criminal intent and coordinate with the BRT on such matters. The Office of the General Counsel (OGC) shall advise all BRTs on legal issues and review for legal sufficiency all proposed notification materials. The Center Chief Counsel shall advise the Center BRT on legal issues and review for legal sufficiency proposed notification materials. The Center Office of Communications (or equivalent office) may:

a. Advise on and review proposed notification materials and approaches.

b. Generate releases and other public notifications as requested. The CO/COR, in situations where the breach involves information maintained on NASA’s behalf by or on contractors, shall serve as the interface between the Government and contracted parties. The Center Human Resources Director may designate a Human Resources staff member to serve as a member of the BRT. The designated staff member will participate in gathering and documenting information and evidence about the role of any civil servant employee in the breach. The Center Human Resources Employee Relations Specialists may advise the civil servants’ supervisor(s) on corrective action, which may include formal or informal disciplinary action.

| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | ALL |
| NODIS Library | Organization and Administration(1000s) | Search |


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.