NASA Procedural Requirements

NPR 1600.4A Effective Date: April 08, 2016 Expiration Date: August 08, 2024

Subject: Identity and Credential Management

Responsible Office: Office of Protective Services

Appendix A: Definitions

Access – With regard to NASA assets, the explicit granting of permission to enter and/or use NASA facilities, interact with NASA personnel, and/or use NASA information and related information processing services.

Access Control – The process of granting or denying specific access requests.

Access Control Plan (ACP) – For a program, project, or foreign national, the assets to which that foreign national may request access. For additional information, refer to NPR 2190.1, NASA Export Control Program. Formerly known as a Technology Transfer Control Plan (TTCP)/Security Technology Transfer Control Plan (STTCP).

Accreditation – Formal declaration by a Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode for the purpose of processing CNSI, using a prescribed set of safeguards. Accreditation Authority is synonymous with DAA.

Adjudication – A fair and logical Agency determination, based upon established adjudicative guidelines and sufficient investigative information, as to whether or not an individual's access to classified information, suitability for employment with the U.S. Government, or access to NASA facilities, information, or IT resources is in the best interest of national security or efficiency of the Government.

Alternate Agency Credential – Non-PIV credentials which have been approved by the AIMO as standard templates across the Agency and may allow physical and/or logical access to NASA facilities and systems. Formerly known as a Center-specific badges.

Asset – A system, object, person, or any combination thereof that has importance or value; includes contracts, facilities, property, records, unobligated or unexpended balances of appropriations, and other funds or resources.

Authentication – (1) The validation and confirmation of a person's claim of identity. (2) The validation and identification of a computer network node, transmission, or message. (3) The process of establishing confidence of authenticity. (4) Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to facilities and information systems.

Authorization – The privilege granted to a subject (e.g., individual, program, or process) by a designated official to do something, such as access information based on the individual's need to know.

Background Investigation – The process of looking up and compiling criminal records, commercial records, and financial records of an individual.

Badge – See definition for Credential. A physical credential with visual elements that enable an authorized person (e.g., security officer) to grant access using a NASA-approved authentication mechanism.

Center Chief of Protective Services (CCPS) – See definition for Center Chief of Security (CCS).

Center Chief of Security (CCS) – The senior Center security official who is responsible for management of the Center security program.

Certification – A formal process used by the certifying official to ensure that an individual has met all established training requirements as necessary to perform their security responsibilities.

Component Facilities – NASA-owned facilities not located on any NASA Center (e.g., Michoud Assembly Facility, Wallops Flight Facility, White Sands Test Facility, and NASA IV&V).

Contractor – For the purpose of this NPR, any non-NASA entity or individual working on a NASA installation or accessing NASA IT for an employer who is subject to Executive Order 11246.

Credential – A physical/tangible or electronic object through which data elements associated with an individual are bound to the individual's identity. Credentials utilize NASA-approved authentication mechanisms to grant physical and/or logical access to assets.

Designated Country – A country with which the United States has no diplomatic relations, a country determined by the Department of State to support terrorism, a country under Sanction or Embargo by the United States, and/or a country of Missile Technology Concern. A current list of NASA designated countries can be found in IdMAX or on the OIIR webpage at https://oiir.hq.nasa.gov/nasaecp.

Escort – The management of a visitor's movements and/or accesses through the constant presence and monitoring of the visitor. Escorts are trained and designated holders of a NASA PIV, DoD CAC, or other Federal agency PIV that has been registered in IdMAX.

Exception – The approved continuance of a condition authorized by the AA for OPS that varies from a requirement and implements risk management on the designated vulnerability.

Foreign National – Any person who is not a U.S. citizen or U.S. person (lawful permanent resident or protected individual).

Foreign National from a Designated Country – Any foreign national born in or with a citizenship from one or more designated countries.

Grant Recipient – Organization (i.e., universities, nonprofits, etc.) that has received a Federal award (grant or cooperative agreement) directly from NASA to carry out an activity under a NASA program.

High-Level Protocol Visit (HLPV) – Any visit by individuals representing or delegations of foreign heads of state or government, ambassadors or heads of foreign government ministries, or space agencies.

Identity – The set of attributes that uniquely identify an individual for the purpose of gaining logical and physical access to protected resources and identification in electronic transactions.

Identity Proofing – The process for providing sufficient information (e.g., identity history, credentials, and documents) to a Registration Authority (RA) when attempting to establish an identity or issue a credential.

Identity Source Document – A NASA-approved document used to verify aspects of a person's identity. The list of NASA-approved identity source documents can be found in the ICAM Portal.

Identity Verification – The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the credential or system and associated with the identity being claimed.

Identity Vetting – A review of information about a person for possible approval or acceptance. In this document, a vetted person has been reviewed to determine eligibility for access to NASA physical and/or logical assets.

International Partners – Foreign entities or persons who are involved in a particular international program or project under an International Space Act Agreement (ISAA).

Lawful Permanent Resident (LPR) – An individual defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3). A foreign national, legally permitted to reside and work within the U.S. and issued the Permanent Resident Card (PRC) or Alien Registration Receipt Card (ARRC) (Form I-551), also known as a Green Card. LPRs may be employed in the Federal sector for specific needs or under temporary appointments per 5 CFR, Part 7, Section 7.4). LPRs may not be granted access to classified national security information (CNSI). LPRs are not prohibited from accessing export controlled commodities, but must still have a work-related "need-to-know" and are still considered foreign nationals under immigration laws. Replaces the term "Permanent Resident Alien (PRA)."

Limited privileged access – Granted to a user to use system-level commands and files to bypass security controls for part of a system.

Logical Access – Access to information records, data, and information technology systems and applications.

Long-term – Any access by a foreign national for a period of 30 calendar days or more in a 365-day period. An individual requiring long-term access is defined as temporary (30 to 179 calendar days in a 365-day period) or permanent (180 calendar days or more in a 365-day period).

National Criminal History Check (NCHC) – A background check procedure performed by the FBI Criminal Justice Information Services Division. This check returns a listing of certain information taken from fingerprint submissions retained by the FBI in connection with arrests and, in some instances, Federal employment, naturalization, or military service. If any results related to an arrest are found, the results will include the name of the agency submitting the fingerprints to the FBI, the date of the arrest, the arrest charge, and the disposition of the arrest, if known to the FBI. Commonly referred to as an identity history summary check or fingerprint check.

National Crime Information Center (NCIC) – A background check procedure performed by the FBI. This check involves a search of the records stored in the FBI Central Records System Universal Index for any appearance of the name, as well as close phonetic variants and permutations of that name. If any occurrences of the name are found, relevant paper and electronic files are retrieved from local FBI offices and from other law-enforcement agencies and analyzed. Commonly referred to as a name check, name query, or name search.

Privileged Access – Access granted to a user so that files, processes, and system commands are readable, writable, executable, and/or transferable. This allows a user to bypass security controls.

Protected Persons – A non-U.S. citizen allowed into the country under "refugee," "displaced person," and "religious or political" persecution status.

Revocation – The removal of an individual's eligibility to access physical or logical assets based upon an adjudication that continued access poses a risk to the Agency.

Risk-Based Determination – An official acknowledgement by a management official that they accept the risk posed by not implementing a recommendation or requirement, designed to reduce or mitigate the risk.

Risk Management – A means whereby NASA management implements select measures designed to reduce or mitigate known risks.

Short-term – Any visit enabling physical-only access for a period of up to but not exceeding 29 calendar days in a 365-day period. An individual requiring short-term physical-only access is defined as a visitor. These visits are generally escorted.

Smartcard – Credential issued with an individual's unique vetted identity information encoded and physically printed on the exterior and with embedded integrated circuits which can process data.

Tenant – Any individual or organization not affiliated with NASA who occupies land or property within the NASA perimeter.

Tier I Background Investigation – The minimum background investigation required for issuance of a PIV credential. This investigation includes checks of claimed identity information (date and place of birth, citizenship/status, and social security number), criminal history (law enforcement agencies), military service (conduct and discharge), educational history, employment history, Federal debt, terrorism, conduct, alcohol abuse, and drug use/involvement. For credentialing purposes, this is valid for ten years, at which point a reinvestigation must occur.

Tour – A subset of visit; a guided excursion, generally offered to the general public, by which escorted access is granted to non-public areas of interest on a Center.

Transient – A person (i.e., construction worker, club member, childcare drop off/pickup, delivery driver, retiree, Center transit, and others requested by Center Chiefs of Protective Services/Security and approved by the AIMO) who requires intermittent physical-only access for 180 calendar days or more in a 365-day period.

U.S. Citizen (U.S. National) – As defined by 8 U.S.C. Chapter 12, Subchapter III and in Parts I and II, any individual having been born in the United States or certain territories or outlying possessions of the United States and subject to the jurisdiction of the United States; born abroad to a parent or parents who were citizens at the time of birth while meeting certain other requirements; or granted citizenship after fulfilling the requirements necessary to be granted naturalization.

U.S. Person (non-U.S. Citizen) – For the purpose of implementing protection and accountability under the International Traffic in Arms Regulations (ITAR); a person who is an LPR as defined by 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3).

Visa – Issued by the Department of State, a visa indicates eligibility to seek entry to the United States for a specific purpose. Admission to the U.S. for a specified status and duration is controlled by Department of Homeland Security Customs and Border Protection inspectors.

Visa Waiver – The Visa Waiver Program (VWP) allows citizens of participating countries to travel to the United States without a visa for stays of 90 days or less, when they meet all requirements, per Department of State rules and regulations. Travelers must be eligible to use the VWP and have a valid Electronic System for Travel Authorization (ESTA) approval prior to travel.

Visit – Any means by which, and any duration for which, access is obtained to non-public NASA assets.

Visitor – Any person who needs physical-only access to a NASA facility for less than 30 calendar days in a 365-day period.

Waiver – The approved continuance of a condition authorized by the AA for OPS that varies from a requirement and implements risk management on the designated vulnerability.

DISTRIBUTION:
NODIS

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.