Effective Date: September 11, 2019
Expiration Date: September 11, 2024
3.1.1 The requirements detailed in this chapter are in addition to the CNSI requirements detailed in the previous chapter.
3.1.2 Procedures. The policies, procedures, and responsibilities outlined herein supersede all prior NASA SCI security program documents and policies of a similar kind, excepting those contained in NPR 1600.1, NPD 1600.4, this NPR, and all applicable national-level policies and procedures regarding SCI clearances and SCI Programs, including, but not limited to, all Cognizant Security Authority (CSA) and Office of the Director of National Intelligence (ODNI) directives.
3.1.3 Special Security Program. The NASA SCI program is designated as a Special Security Program. The Agency SSO/Intelligence Division Director or their designee(s) will regularly review current threat assessments detailing the criminal, espionage, sabotage, subversion, and terrorist threat environment from NASA’s Counterintelligence/Counterterrorism Division or law enforcement entity. Risk management-based countermeasures will be implemented accordingly against these threats.
3.1.4 Special Security Position Appointments. Each NASA Center Chief of Protective Services (CCPS) or their designee, or for NASA Headquarters, the Agency SSO/Intelligence Division Director or their designee, will appoint an SSO, Special Security Representative (SSR), or Assistant Special Security Officer (ASSO), in writing, and establish procedures for SCI indoctrinated personnel to communicate directly with their respective SSO concerning all SCI security related matters.
3.1.5 Public Disclosure of Classified Information. Information classified as SCI will not be published, released, or discussed with unauthorized persons, including the public media. Declassification of SCI for public release is not authorized without the prior written approval of the appropriate security executive agent. Requests for such declassification action will be forwarded through the Agency SSO/Intelligence Division Director.
3.1.6 The Assistant Administrator for Protective Services (AA, OPS) is responsible for the following:
a. Developing, coordinating, and promulgating all NASA national security program policies.
b. Directing the Director, Intelligence Division to administer the SCI security program for NASA and to serve as the Agency SSO.
3.1.7 The Agency SSO/Intelligence Division Director (hereafter referred to as the Agency SSO) is responsible for the following:
a. Administering security for the SCI program for NASA.
b. Serving as NASA’s representative to the United States Intelligence Community for all matters relating to NASA SCI security operations.
c. Advising the AA, OPS and agency leadership on agency-wide security for SCI operations.
d. Administering SCI governance security policies and procedures consistent with that of appropriate executive agents in the protection of National Security.
e. Retaining security cognizance over all NASA Center SCI programs, including Sensitive Compartmented Information Facilities (SCIFs).
f. Providing SCI security program oversight, direction, and guidance to all NASA Centers on SCI operations.
g. Notifying the Director of CI for Protective Services about any loss, compromise, or suspected compromise of SCI materials.
h. Administering uniform NASA SCI policy in accordance with established regulations and mandates on the interrelated disciplines of:
(1) Information Security (INFOSEC).
(2) Personnel Security (PERSEC).
(3) Physical Security.
(4) Technical Security - TEMPEST and Technical Surveillance Counter-Measures (TSCM).
(5) Information Systems Security.
(6) Security Education, Training, and Awareness (SETA).
(7) Industrial Security – contractor SCI program administration.
i. Developing and overseeing a program that ensures NASA’s compliance with SCI program requirements by performing reviews in accordance with NPD 1210.2.
(1) Reviewing all administrative actions relating to the Center’s SCI security program, including, but not limited to the following:
(a) Annual self-inspections.
(b) SETA material.
(c) PERSEC files.
(d) Administrative waivers.
(2) Providing a written report detailing the results of each inspection to the applicable Center Director with the following:
(a) All identified vulnerabilities.
(b) Corresponding corrective actions.
(c) A suspense date to complete all corrective actions and/or a request for the appropriate waivers.
j. The establishment of new SCIFs and SCIF modifications within NASA.
k. Ensuring all Scattered Castles data is accurate and submitted in a timely manner, to include:
(1) A total records refresh is performed at least once every 30 days.
(2) Records, including briefings and debriefings, are updated at least weekly.
(3) All clearance denials, revocations, and suspensions are recorded within 24 hours of the decision.
k. The establishment of a standardized NASA SCI SETA program.
l. The establishment of an Agency-wide annual SCI self-inspection program.
m. Maintaining physical security and TEMPEST accreditations for NASA Centers and NASA contractors, as required.
n. Reviewing and providing concurrence on all SCI briefing materials relating to SCI indoctrination, debriefing, and execution of applicable Non-Disclosure Agreements (NDA) for NASA Centers.
3.1.8 The Center SSOs are responsible for the following:
a. The application and maintenance of Standard Operating Procedures (SOP) regarding NASA’s SCI security program.
b. Overseeing all administrative elements, as required, in accordance with National, Agency, and local policies and procedures.
c. Implementation of NASA’s SETA Program.
d. Ensuring all information, logical and in hard-copy form, relating to SCI security programs (PERSEC, physical security, INFOSEC, etc.) is properly maintained within an accredited SCIF.
e. Ensuring when using a contractor SSR that they are on a valid contract with the appropriate accesses authorized by a DD Form 254, Contract Security Classification Specification.
f. The duties of an SSR will be placed within the applicable performance work statement to ensure the appropriate knowledge, skills, and abilities are in place to meet the needs of the Center.
3.1.9 Center Directors or Officials-in-Charge (OIC), regardless of whether there is a SCIF at their Center, will appoint a civil servant SSO, in writing, to serve as the Center point-of-contact concerning all matters relating to SCI security and to administer National policy and directives (e.g. Intelligence Community Directives), as well as applicable NPRs, for their respective Centers. The designated SSO will have a requisite SCI clearance.
3.1.10 Special Security Representatives (SSR) and Assistant Special Security Officer (ASSO). The CCPS/CCS or their designee, or for Headquarters, the Agency SSO or their designee, may also appoint an SSR and/or ASSO to operate under the direction of the SSO to support day-to-day management and implementation of SCI security and administrative instructions for the SCI program located at that Center or at Headquarters. SSRs and ASSOs can be either civil servants or contractors, but will have the required skills, training, and experience to fulfill the specified duties.
3.2.1 It is the responsibility of each Center SSO to coordinate with the NASA National Security Systems (NSS) Team to ensure that documentation for information systems residing within their SCIF(s) is compliant with ICD 503/NIST 800-53 requirements.
3.2.2 The NASA NSS Team is responsible for the development and accreditation of classified information systems used in support of NASA SCI programs.
3.2.3 The NASA NSS Team develops and maintains an accreditation/certification support documentation package for system(s) for all Centers.
3.2.4 The Center SSO will approve all information systems and components prior to their physical introduction into a SCIF.
3.2.5 The Center SSOs and NASA NSS Team personnel will ensure systems are operated, maintained, and disposed of in accordance with ICD 503/NIST 800-53.
3.3.1 Center SSOs will conduct, at a minimum, annual self-inspections of their SCIF space.
3.3.2 SCIF self-inspections will utilize the Fixed Facility Checklist, to the extent possible, along with any self-inspection checklist approved by the Agency SSO.
3.3.3 Self-inspection findings will be provided in writing to the applicable CCPS/CCS and the Agency SSO by the Center SSO.
3.3.4 Functional Inspections.
3.3.4.1 A full inspection including a thorough review of all functional areas involving Center SCI security programs (e.g. security administration, information security, personnel security, physical security, technical security such as TEMPEST and TSCM, security education, information systems security, and other requirements outlined in this appendix) will be conducted by the AA, OPS or their designee as part of the Center’s functional review.
3.3.4.2 The functional inspection of the Center’s SCI security program will ensure compliance with the policies and procedures contained in this appendix and other applicable policy, regulations and directives.
3.3.5 Other Inspections.
3.3.5.1 The Agency SSO and/or their designee is authorized to conduct inspections as needed. Inspections will be announced by the Agency SSO unless they are aware of critical information requiring immediate remediation to prevent the likely unauthorized disclosure of SCI information.
3.3.5.2 Introduction of inspection equipment into a SCIF will be coordinated with the Center SSO prior to a site visit.
3.3.5.3 Periodic inspections may be scheduled based on threat, sensitivity, physical modifications, and past security performance.
3.3.5.4 Additional inspections may be conducted in the event of suspected compromise, loss of information, history of deficiencies, major facility modification, or change in threat level.
3.3.5.5 Inspectors will submit a written report following each inspection identifying any deficiencies and corrective action to be taken.
a. The report will be forwarded to appropriate CSA officials upon request.
b. All copies will be maintained within the inspected SCIF and by the Agency SSO and/or their designee.
3.3.5.6 Joint agency tenants of the SCIF will accept the results of CSA security reviews for validation of security compliance.
3.3.6 All written reports will be available to the ODNI or designee upon request.
Centers shall request the Agency SSO conduct a site survey prior to requesting SCIF accreditation by the CSA.
3.5.1 Contractors performing SCI work at NASA Centers shall have a DD Form 254 incorporated in their NASA classified contract, per NASA FAR Supplement subpt. 1804.4.
a. The DD Form 254 provides the contractor (or a subcontractor) with security requirements and the classification guidance necessary to perform on a classified contract. Center SSOs shall indicate the appropriate clearance and access levels required on the DD Form 254.
b. The Center SSO shall validate the contractor company’s Facility Security Clearance (FCL) level and current status of contract prior to processing a contractor for SCI access.
3.5.2 Contractors shall ensure SCI information in their custody at the Center is used or retained only in furtherance of a lawful and authorized U.S. Government purpose.
3.5.3 Contractors are not permitted to remove any SCI material from their respective Center SSO when their contract expires or closes out unless the U.S. Government has given the contractor expressed permission to retain classified material in accordance with current directives. If requested, this requirement will be included in item 13 or 14 of the DD Form 254.
3.6.1 Classification and control markings will be applied explicitly and uniformly when creating, disseminating, and using classified and unclassified information to maximize information sharing while protecting sources, methods, and activities from unauthorized or unintentional disclosure.
3.6.2 Documents containing SCI will be marked in accordance with the Intelligence Community Authorized Classification and Control Markings Register and Manual (CAPCO Register) issued by the Office of the Director of National Intelligence, Controlled Access Program Coordination Office.
3.6.3 Standard classification markings indicate the level of classification, the source of classification decisions and the agency and office of origin (“Classified by”), the reason for classification (“Reason”), and downgrading and declassification instructions (“Declassify on”).
3.6.4 Warning notices (if applicable), intelligence control markings, portion markings, and page markings will be included in accordance with the CAPCO Register.
3.7.1 Storage of SCI material will be maintained and stored in an accredited SCIF, in accordance with the respective SCIF’s accreditation.
3.7.2 U.S. collateral classified information used in a SCIF will be stored in accordance with the SCIF accreditation.
3.8.1 Material specifically designated by the IC or the Agency SSO as accountable SCI will employ document numbers and other similar systems to provide accountability.
3.8.2 Refer to the respective SCIF SOP for additional procedures.
3.9.1 All individuals requiring access to classified information systems will meet the following requirements prior to establishing accounts:
a. Complete the annual security training for clearance holders.
b. Coordinate approval through the Center COMSEC Officer, Center SSO, NASA NSS Team, and authorized approver at the discretion of the Center Director or designee.
3.9.2 The introduction and removal of media and/or hardware from a SCIF will be in accordance with document control procedures established by the Center SSO.
3.9.3 Each media item (e.g. CDs, DVDs, hard disk drives, etc.) brought into the SCIF will be externally labeled and controlled.
3.9.4 The Center SSO, in coordination with the NASA NSS Team, will maintain an inventory of all IS hardware resident within the SCIF.
3.10.1 SCI material will not be sent to a facility that does not have a SCIF, to an individual who is not SCI accessed, or does not have access to a SCIF.
3.10.2 All SCI materials will be properly marked and, when required, have cover sheets attached.
3.10.3 Any loss, compromise, or suspected compromise of SCI materials will be immediately reported to the Center SSO and to the Agency SSO.
3.11.1 The preferred method of transporting SCI from one SCIF to another is via secure e-mail or other secure electronic means. Alternatively, SCI may be transported by SCI-indoctrinated persons or certified/designated couriers.
3.11.2 SCI materials sent between SCIFs within a Center will be hand carried by individuals who are properly briefed on courier procedures, possess a valid courier card or letter, and who are cleared to the same level as the material being transported.
3.11.3 The Center SSO will establish accountability and control for courier cards and authorization letters, in accordance with established regulations.
3.11.4 Transporting SCI materials within a single building or between two different locations will be done in accordance with national policies governing the transportation of SCI information.
3.12.1 All SCI transmissions will be conducted in accordance with current IC policies.
3.12.2 SCI will be processed only on a computer, or network of computers, that has been specifically certified and accredited for that level of classified information in an accredited location. Additionally, SCI materials may be electronically transferred between appropriately accredited machines (facsimile, computers, secure voice, secure e-mail, or any other means of telecommunication ensuring that such transmissions are made only to authorized recipients). It is essential to ensure that appropriate secure devices are used for any electronic transfer of SCI material.
3.12.3 Multi-Function Office Machines are devices that have the capability to copy, print, scan, and fax, either in a standalone or networked mode. When connected to a network, these devices assume the highest classification for which the network is accredited and will be labeled as such. If operated as a standalone or multi-function device, these devices assume the highest classification of copied documents and will be labeled with the highest classification level. Many of these devices have hard drives capable of holding thousands of images depending on the size and complexity of the images. The SSO will establish written procedures to protect the information contained within the hard drive and printed circuit boards/memory boards of these devices.
3.12.4 Reproduction. The SSO will establish procedures to ensure reproduction of SCI documents is consistent with operational necessity to ensure accountability and reduce the potential for an insider threat incident. The SSO will establish procedures for annual classified holdings retention review. Copies of documents are subject to the same control, accountability, and destruction procedures as the original documents. Extracts of documents will be marked according to content and treated as working materials.
3.12.5 Disposition General Provisions. Classified information no longer needed will be processed for appropriate disposition and destroyed in accordance with security standards governing the disposition of SCI.
3.13.1 Plans will be developed in coordination with the appropriate NASA Continuity of Operations (COOP) representative to protect, remove, or destroy classified material in case of fire, natural disaster, civil disturbance, terrorist activities, or any other emergency situation.
3.13.2 The Center SSO or designated SCI-indoctrinated individuals will handle classified material according to their emergency plan during an emergency, unless in the case of extenuating circumstances, while minimizing any risk to the greatest extent possible.
3.14.1 Determinations for individuals to obtain and retain access to classified information will be made with consideration of national security and, thus, granted accordingly.
3.14.2 The granting of access to SCI will be controlled under the strictest application of the “need-to-know” principle and in accordance with personnel security standards and procedures.
3.14.3 Positions that require access to SCI will be designated as “Special-Sensitive” and reflected in the NASA employee’s position description, as established in accordance with the procedures of the Office of Human Capital Management.
a. If TS/SCI access is requested but is not yet included in the employee position description, a completed SAR Form 2018a is submitted to the AA, OPS to waive this requirement until the employee’s position description is updated to reflect the designation.
3.14.4 Contractors requiring access to SCI shall be assigned to a valid contract with the appropriate accesses authorized by their DD Form 254.
3.14.5 A Tier 5 background investigation will be conducted on individuals under consideration for initial or continued access to SCI.
3.14.6 NASA’s Central Adjudication Facility (CAF) determines the Top Secret eligibility for civil service employees requiring access to SCI and is responsible for compiling and submitting the required documents for CSA approval. They will also facilitate the requests through final adjudication. When required for the adjudication process, the CAF will contact the appropriate Center Protective Services Office if any additional information is needed.
3.14.7 SCI requests for contractor personnel will also be processed by the CAF.
3.14.8 Evaluation of the information developed by investigation regarding an individual’s loyalty and suitability for SCI access will be conducted by the CSA.
3.14.9 CSA approval timeframes depend on backlog and composition of access requests. Additional documents or other information may be required at the request of the CSA.
3.15.1 SCI access for all NASA employees and contractors is granted exclusively by the CSA. As a condition for continued SCI access, NASA SCI clearance holders are required to follow all current CSA and ODNI reporting requirements and regulations. NASA policy or procedure does not supersede CSA and ODNI directives or policies.
3.15.2 Foreign contacts. Foreign contacts as defined in the ODNI Security Executive Agent Directive 3 (SEAD 3) will be reported to the Center SSO and CSA or their designee(s) via NASA reporting mechanism.
3.15.3 Foreign contact information will be provided by NASA employees and contractors to the Center SSO in a timely manner. The Center SSO will forward foreign contacts and other required reporting information to NASA’s CAF when received.
3.15.4 Foreign travel. Advance written notice will be provided to the CSA or their designee(s) for persons currently approved or applying for SCI access who anticipate or plan any travel, whether official or unofficial, to or through, or who are being assigned to duty in, foreign countries and areas, except as noted in current CSA and ODNI directives and policies. This includes those with pending indoctrination. All unofficial travel will be reported through the NASA Foreign Travel Reporting Tool. An automated travel notification, via the NASA foreign travel reporting tool, will be provided to the NASA CAF, and NASA Counterintelligence Office (CI) to receive appropriate defensive security briefings prior to travel.
3.15.5 When traveling to a foreign designated country or Russia, notify the servicing NASA CI office to receive appropriate defensive CI and counterterrorism briefing prior to travel.
3.15.6 Clearance holders shall report any suspicious activity experienced during the foreign travel to the Center SSO and the NASA CI office.
3.15.7 Foreign and Suspicious Activities. Any suspicious activities as defined and detailed in SEAD 3 and other current ODNI directives and policies will be reported by NASA employees and contractors to the Center SSO in a timely manner. The Center SSO will forward the foreign activities information to the NASA CAF. The NASA CAF will report relevant information to the CSA.
3.15.8 Reportable Actions by Others. In accordance with current ODNI directives and policies, individuals observing suspicious actions or specific behaviors incongruent with standards for those having SCI access will be reported to the servicing NASA CI office and/or NASA Insider Threat Program, per NPD 1600.9, for further evaluation.
3.16.1 Documents pertaining to SCIF construction will be submitted to the Agency SSO or their designee(s) via an approved system. This pertains to either new facility construction or modification to an accredited facility.
3.16.2 Pre-Construction. At a minimum, the following will be submitted to the Agency SSO or their designee(s) prior to the Initial Site Survey and construction:
a. SCIF justification approval request
b. Construction Security Plan
c. Fixed Facility Checklist
d. Initial drawings
e. TEMPEST Checklist
3.16.3 Mid-Construction. Additional information may be requested by the CSA during any phase of construction (e.g. updated drawing, photos, etc.) and should be submitted in a timely manner to the Agency SSO or their designee(s).
3.16.4 Final Accreditation. Prior to final accreditation of the facility, in addition to any updates to required documents, the SOP and an Emergency Action Plan will be submitted for approval.
Any use agreements regarding NASA SCIFs (e.g. MOU, MOA, etc.) will be coordinated through the Agency SSO or their designee(s). This includes both program and agency agreements.
3.18.1 Documents will be sent in accordance with directives regarding transmissions based on classification and sensitivity. The following documents should be sent electronically:
a. Personnel Security documents
b. CSA additional information responses
c. Physical Security documents
(1) Documents, including photos pertaining to new or reaccreditation of SCIFs;
(2) Co-Use Agreements
d. Information regarding account access.
e. Matters pertaining to Public Key Infrastructure (PKI).
3.19.1 NASA personnel seeking to have their clearances passed to other federal agencies or contractor facilities where SCI access is required will complete NF 1833 under the terms of either a Visit Authorization Request (VAR) or Perm Cert as defined below, and submit it to the Center SSO.
a. Visit Authorization Requests (aka Term Cert) - Visits authorized for a period of less than 90 days.
b. Perm Certs—Visits authorized for a period greater than 90 days and not to exceed 12 months under the following terms and conditions:
(1) Requestor visits the agency/facility regularly with the first visit occurring within 30 days of the submission of the request.
(2) SSO will maintain a record-keeping capability, preferably electronic, for tracking Perm Cert expiration dates and make appropriate notifications to Perm Cert holders of impending expirations 30 days prior to actual expiration dates.
3.19.2 It is the responsibility of the requesting individual to obtain the necessary information from their point of contact required to complete the NF 1833.
3.19.3 Using the information obtained in NF 1833, the Center SSO will prepare and transmit a VAR or Perm Cert in the manner preferred by the receiving security office. This may include the use of NASA letterhead or Center-specific VAR form that contains all the necessary clearance and personal identification information required by the receiving SSO at the site to be visited. Acceptable methods of transmission may include the use of an unclassified email (encrypted to protect personal identifying information), email on SCI-level network, classified fax, or unclassified fax.
3.19.4 Visit Requests and Perm Certs records will be retained for a period of five years. Center SSOs will provide the Agency SSO details regarding all clearances passed.
3.19.5 Visitors to NASA SCIFs. Visitors from external agencies requesting access to NASA SCIFs will use the VAR and Perm Cert validity time-frame standards of less than 90 days for VARs and greater than 90 days for Perm Certs. VARs and Perm Certs should be submitted to the respective NASA Center SSO at least five working days prior to their arrival whenever possible.
Note: A VAR is not required when the NASA POC sponsoring the visit supplies the names, social security numbers, and government or contractor affiliations sufficient to validate each visitor in Scattered Castles or determine that a formal VAR is required otherwise.
a. Verification of clearance and access for all visitors may be accomplished through either of the methods below:
(1) Scattered Castles. The Scattered Castles database is the authoritative source for personnel security access approval verifications regarding SCI and other controlled access programs, visit certifications, and documented exceptions to personnel security standards.
(2) VAR or Perm Certs sent from the visiting agency if security clearances/accesses cannot be validated in Scattered Castles.
b. If clearances/accesses are not found or shown to be active in Scattered Castles for non-NASA affiliated contractors visiting NASA SCIFs, their VAR or Perm Cert requests will be submitted to NASA via their government sponsoring agency by any of these methods: electronic transmission, visit requests in the format generated by security management applications, or on organizational letterhead to the respective Center SSO with cognizance over that specific SCIF, at least five working days prior to their arrival.
c. Each Center SSO or SSR is responsible for verification and validation of all persons entering SCIFs.
3.19.6 Use of Scattered Castles. ICD 704 mandates the recognition, use, and reciprocity of the Scattered Castles database to validate clearance/access levels.
3.19.7 For eligibility for a Scattered Castles account, an individual will, at a minimum, have the following:
a. TS/SCI access.
b. Valid JWICS account.
c. Valid PKI certificate.
3.19.8 Requests for Scattered Castles access will be submitted through the CCPS to the Agency SSO.
3.19.9 Only the Agency SSO may grant access to Scattered Castles.
3.19.10 Misuse of the Scattered Castles database will result in immediate revocation of access.
3.20.1 Annual refresher training is mandatory for all SCI-indoctrinated individuals.
3.20.2 Center SSOs will provide the required training, which should cover, at a minimum, all security training required by Executive Order or policy, including reinforcing the SCI training provided during the security orientation and indoctrination as well as informing cleared individuals of any changes in security regulations and policies.
3.20.3 Non-compliance with completing the annual training requirement may result in the suspension of an individual’s SCI access.
3.20.4 Refresher training will be documented in writing for each SCI-indoctrinated individual on the “Certification of Completion of Annual SCI Refresher Training” form or input for retention into NASA’s training database.
3.20.5 Training records will be retained for a period of five years.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.