NASA Procedural Requirements

NPR 1600.1A Effective Date: August 12, 2013 Expiration Date: December 12, 2028

Subject: NASA Security Program Procedural Requirements (Updated with Change 1)

Responsible Office: Office of Protective Services

Appendix F. Identifying and Nominating NASA Assets for NASA Critical Infrastructure Identification, Prioritization, and Protection

F.1 Introduction.

PPD-21, "Critical Infrastructure Security and Resilience," directs that every Government agency establish a program to identify their critical infrastructure or key resources, prioritize and evaluate their critical infrastructure or key resources for vulnerabilities, and fund appropriate security enhancements necessary to mitigate identified vulnerabilities.

F.2 Purpose.

To establish the roles and responsibilities of key Agency and Center personnel in the implementation and support of PPD-21 and the Agency Critical Infrastructure Protection Program (CIPP).

F.3 CIPP.

The Agency CIPP implements the Agency critical infrastructure and key resources protection strategy. The CIPP shall be consulted whenever action impacting a NASA Critical Infrastructure (NCI) asset is being considered.

F.3.1 Criteria for Determining NCI.

F.3.1.1 Agency NCI is defined as those essential facilities, missions, services, equipment, and interdependencies that enable the Agency to fulfill its national goals and Agency essential missions. For the purposes of the NCI Protection Program, asset owners will use the following definitions when considering assets for inclusion:

a. A NASA infrastructure is to be considered critical, or a resource considered key, if its destruction or damage would cause significant impact on the security of the Nation — national economic security, national public health, safety, psychology, or any combination.

b. A NASA critical infrastructure where a cyber-security incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.

c. A NASA critical infrastructure or resource is to be considered mission critical if its damage or destruction would have a debilitating impact on the ability of NASA to perform its essential functions and activities.

d. Using paragraphs a, b, and c above as guidance, NASA will use the following criteria to determine Agency critical infrastructure or key resource:

(1) Impact to National Security. Does the loss or compromise of the asset enable a hostile entity to disrupt or otherwise threaten the ability of NASA to satisfy critical missions in support of national defense? Examples include:

(a) Intelligence functions.

(b) Emergency Management Network.

(c) Protection and storage.

(d) Nuclear reactors programs.

(e) Defense and transportation programs.

(2) Impact on Public Safety, Health, or Continuity of Government Services. Does the loss or compromise or the asset endanger or otherwise threaten the safety and health of the general public? This refers to:

(a) NASA facilities and systems that protect the general public from hazardous materials.

(b) Situations that could be generated using materials owned by NASA to create safety and health hazards.

(c) Utilities, communications, or similar systems on which other Agencies depend to accomplish their essential missions serving the general public.

(d) Weather prediction or other systems on which other Agencies depend to accomplish their essential missions serving the general public.

(3) Impact on Economic Security. Does the loss or compromise of the asset enable the hostile entity to disrupt or otherwise threaten NASA's ability to satisfy its critical mission in support of the economic well-being of the Nation? This refers to:

(a) Assets operated or controlled by NASA, its contractors, or its agents that, if compromised or destroyed, would cause irreparable harm to the economic stability of the Nation.

(4) Impact on Essential NASA Missions. Does the loss or compromise of the asset enable a hostile entity to disrupt or otherwise threaten the ability of NASA to satisfy its essential missions? This refers to:

(a) Critical elements of the NASA Strategic Enterprises that are absolutely required for NASA's mission capability.

(b) Critical Infrastructure Interdependencies (e.g., IT resources, data, electric power, water, oil and gas, and environmental control networks) that are dependent on or support NCI and whose loss could directly impact NASA's essential mission capability. These assets need not be identified as separate NCI but shall be integrated into the Center NCI asset protection scheme, evaluated for security risk assessments, and protected accordingly.

(c) Having very high public visibility in terms of the general public's perception of NASA as a symbol of national pride.

(d) Being integral to the performance of NASA's mission, having a very large dollar value, or are difficult or impossible to replace in a reasonable period of time.

(5) Impact on Human Life. Does the loss or compromise of the asset (e.g., telecommunications, telephone system, local area networks, wide-area components, transportation, security and safety, and buildings or facilities) endanger or otherwise threaten the life, health, or safety of personnel engaged in the performance of NASA's missions?

F.4 Appointment of Agency and Center Critical Infrastructure Assurance Officer (CIAO).

F.4.1 Per the CIPP, the NASA Administrator and Center Directors shall appoint, in writing, a senior member of their staff to perform the duties as the CIAO.

F.4.2 The AA, OPS has been designated by the NASA Administrator as the NASA CIAO. The NASA CIAO, in coordination with Center CIAO's, shall coordinate and oversee all aspects of the Agency NCIPP.

F.4.3 The Agency CIO and Center CIO's, respectively, are responsible for coordinating and overseeing all aspects of the protection of Agency and individual Center cyber-infrastructure assets and interdependencies and will coordinate all critical and/or key cyber-infrastructure identification, prioritization, and protection requirements with the NASA CIAO. Together, the NASA CIAO and CIO set the tone for the success of the Agency NCIPP.

F.5 Procedures for Nominating NASA Assets for Consideration for Inclusion Under the NCIPP.

Procedures for identifying, nominating, and assessing initial Agency and Center NCI were established and implemented in 1999 to enable the Agency to meet national level mandates. Those procedures were implemented, and the Agency successfully identified and assessed all existing NCI and met all initial milestones.

F.6 Procedures for Adding/Deleting NASA Assets to the NCI Inventory.

F.6.1 At a minimum, all proposed changes to the NCI list shall be coordinated by the Center with the responsible Headquarters Mission Directorate Associate Administrator, the Center's CIO, CCPS/CCS, and CIAO.

F.7 Using the criteria outlined in paragraph F.3.1 above, personnel responsible for the Center and/or Agency asset deemed a candidate for inclusion or deletion under the NCIPP shall follow the below procedure to determine the appropriateness of the NCI designation or deletion. F.7.1 Nominating IT Assets.

a. The system owner, in coordination with the Center CIO, Chief of Security, IT System Security Manager, and the Center CIAO, shall propose IT system inclusion or deletion on the Agency NCI inventory to the Center Director.

b. Upon final determination that the asset must be designated or deleted as an NCI, a written proposal shall be prepared for the Center Director's approval.

c. Upon the Center Director's approval, the Center CIO shall forward the fully justified proposal to the NASA Deputy CIO for ITS.

d. The NASA Deputy CIO for ITS, in consultation with the Center ITS Manager, shall recommend acceptance or rejection of the proposal to the NASA CIO.

e. Based on the recommendation of the NASA Deputy CIO for ITS, the NASA CIO shall coordinate with the NASA CIAO and either approve or reject the proposed change.

f. Upon approval, the Center IT Security Manager and System Owner shall conduct an appropriate IT NCI system assessment using requirements established in NPR 2810.1.

g. Appropriate mitigation plans shall be prepared and implemented to address all vulnerabilities, or if the proposal is disapproved, the NASA CIO will coordinate with the affected Center CIO and Mission Directorate Associate Administrator to establish the appropriate appeals process, if warranted.

h. Upon approval to delete an IT asset from the NCI list, the NASA CIO shall notify the requesting Center Director, Center CIO, and Center CIAO of the decision and submit appropriate information to the NASA CIAO so they will update/distribute the NCI list, accordingly.

F.7.2 Nominating Physical Assets.

a. Facility owner, in coordination with the CCPS/CCS and the Center CIAO, shall propose facility inclusion or deletion on the Agency NCI inventory to the Center Director.

b. Upon final determination that the asset must be designated or deleted as a NCI, a written proposal shall be prepared for the Center Director's approval.

c. Upon Center Director's approval, the CCPS/CCS shall forward the fully justified proposal to the NASA CIAO, with copies to the manager of the Mission Directorate Associate Administrator.

d. The NASA CIAO, in consultation with the CCPS/CCS and Mission Directorate Associate Administrator, shall recommend acceptance or rejection of the proposal to the NASA CIAO.

e. The NASA CIAO shall either approve or reject the proposed change.

f. If the proposal is approved, the NASA CIAO shall modify and distribute the updated NCI list, and notify the requesting Center Director; CCPS/CCS; AA, OPS; and Center CIAO of the decision.

g. Upon approval of request for designation as an NCI, the CCPS/CCS and Center CIAO shall ensure the following is accomplished.

(1) Conduct a physical security vulnerability risk assessment.

(2) Prepare and implement appropriate mitigation plans to address all vulnerabilities.

h. If the proposal is disapproved, the CIAO shall coordinate with the affected Center CIAO and Mission Directorate Associate Administrator to establish the appropriate appeals process, if warranted.

F.8 Upon approval to delete a physical asset from the NCI list, the NASA CIAO shall notify the requesting Center Director; CCPS/CCS; Agency CIO; AA, OPS; and Center CIAO of the decision and update and distribute the NCI list, accordingly.

DISTRIBUTION:
NODIS

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.