NASA Procedural Requirements
NPR 1600.4B Effective Date: August 03, 2025 Expiration Date: August 03, 2030
5.1.1 NASA issues PIV Smartcards, Agency Smart Badges, Center-specific badges, and visitor passes (collectively referred to as NASA credentials). PIV Smartcards and Agency Smart Badges allow physical and/or logical access to NASA assets. Center-specific badges allow physical access to NASA assets and do not allow logical access. Visitor Passes validate a visit request but require presentation of a primary identity source document prior to being granted physical access.
5.1.2 Logical-only access credentials and their usage are addressed by NPR 2841.1 and include, but are not limited to, username and password, hard tokens, and digital certificates.
5.1.3 Each NASA credential or logical-only credential shall be bound to an established identity and undergo the appropriate registration, enrollment, and issuance process for that specific credential.
5.1.4 All NASA credential templates shall be approved by the AIMO prior to their creation and utilization.
5.1.5 NASA credentials shall be created utilizing the ICAM infrastructure, in compliance with NPR 2841.1 and this NPR.
5.1.6 Persons holding a Federal PIV credential issued by another Federal entity or CAC issued by DoD and requiring access to NASA shall register their non-NASA PIV or CAC in the IdMAX system. If the non-NASA PIV or CAC does not work (i.e., unable to authenticate electronically) at the NASA Center and/or cannot be registered in IdMAX, an Agency Smart Badge may be issued to the individual to supplement their non-NASA PIV or CAC.
5.2.1 NASA PIV Smartcards shall be required for all NASA workers who have been deemed as needing routine and regular physical only, logical only, or both physical and logical access to NASA Centers, facilities, and IT systems and resources for a period exceeding 179 calendar days (beginning the first day of affiliation, regardless of work schedule) in a 365-day period and to whom issuance of a PIV does not represent a greater risk (e.g., interns affiliated for 180 days or more who have been submitted for an investigation but have no need for a PIV; individuals who do not need access to other NASA Centers or Federal facilities; additional cases as approved by the AIMO). The 179-day period begins the first day of affiliation and ends 179 calendar days later, regardless of the work schedule. If an individual’s affiliation extends for 180 calendar days in a 365-day period from the first day of affiliation regardless of the work schedule, the individual will be issued a NASA PIV credential. NASA PIV Smartcards will be issued to United States (U.S.) citizens and may be issued to foreign nationals.
5.2.2 NASA PIV Smartcards shall be issued following the identity proofing, registration, and issuance processes defined in this document.
5.2.3 NASA PIV Smartcards shall be issued only after favorable adjudication of an NCHC (also referred to as a fingerprint check) and submission of a background investigation, which will be a Tier I background investigation, at a minimum. Continued possession of the PIV Smartcard will be determined based on a credentialing determination of the returned background investigation.
5.2.4 NASA PIV Smartcards shall have an expiration date set for a period of five and a half (5.5) years from the Card Production Request (CPR) generation date.
5.2.5 NASA PIV Smartcards shall be accepted at all Centers for access to public areas within the NASA perimeter.
5.2.6 NASA PIV Smartcards shall not be issued to individuals holding a Federal PIV credential issued by another Federal entity or CAC issued by DoD. Reserve military personnel who are full-time NASA employees or contractors are exempt from this restriction and may be issued a NASA PIV credential in addition to their DoD CAC.
5.2.7 Physical Characteristics - The information on a NASA PIV credential exists in both visual printed and electronic forms. The NASA PIV credential shall be equipped with technologies that allow for physical access and logical access.
a. NASA PIV credentials contain the following security and distinguishable features on the front of the card:
(1) Holographic overlay.
(2) Smart chip.
b. NASA PIV credentials have the following printed in a vertical orientation on the front of the badge.
(1) The photograph of the applicant in the top left corner.
(2) The legal name of the applicant printed below the applicant photograph.
(3) Two badge expiration dates, one located in the upper right corner (MMM YYYY format) and the second to the right of the applicant photograph, below the Agency identifier and over the Agency logo (YYYYMMMDD format).
(4) The NASA Agency identifier logo, to the right of the applicant photograph and behind the affiliation, badge expiration, and NASA Agency identifier.
(5) The affiliation of the applicant, to the right of the applicant photograph and over the Agency logo.
(6) The NASA Agency identifier, to the right of the applicant photograph, below the affiliation, and over the Agency logo.
(7) The unique badge identification number, consisting of a three-digit Center code plus six unique digits, printed below the NASA Agency identifier and the affiliation color band.
(8) Solid color band, with an alphanumeric color indicator, across the middle of the badge, over the full name with the color determined by the affiliation of the badge holder.
c. NASA PIV credentials have the following printed horizontally on the back of the badge:
(1) The statement: “This credential is the property of the U.S. Government. Counterfeiting, altering, or misusing violates Section 499, Title 18 of the U.S. Code.”
(2) Return address.
(3) Applicant height.
(4) Applicant eye color.
(5) Applicant hair color.
(6) A 3x9 bar code of the unique badge identifier.
(7) Preprinted Agency card serial number.
(8) The PCI identification number consisting of a six-character department code, the Agency code for NASA, and a five-digit PIF number.
5.3.1 Agency Smart Badges are PIV-interoperable smartcards equipped with technologies that allow for physical and/or logical access that may be issued to any person who does not meet the requirements for a PIV (PIV-ineligible) and who needs unescorted access to a NASA Center and/or access to a NASA IT system. This includes NASA workers not exceeding the 179 day requirement, applicants awaiting their PIV, tenants on NASA Centers, foreign nationals in the U.S. for less than 3 years, foreign nationals unable to complete the Tier I investigation requirement, and individuals to whom issuance of a PIV represents a greater risk (e.g., interns affiliated for 180 days or more who have been submitted for an investigation but have no need for a PIV; individuals who do not need access to other NASA Centers or Federal facilities, additional cases as approved by the AIMO).
5.3.2 Agency Smart Badges shall be issued following the identity proofing, registration, and issuance processes defined in this document.
5.3.3 Agency Smart Badges shall be issued only after favorable adjudication of a completed NCHC.
5.3.4 Agency Smart Badges shall have an expiration date set for a period not to exceed three years from the Card Production Request (CPR) generation date.
5.3.5 The default expiration date of an Agency Smart Badge shall be 3 years.
5.3.6 Agency Smart Badges shall only allow access to the Center at which they were issued.
5.3.7 Agency Smart Badges issued for logical access only shall not be accepted for physical access to Centers.
5.3.8 Physical Characteristics - Agency Smart Badges shall be printed horizontally so as not to be confused with or resemble the NASA PIV credential.
a. NASA Agency Smart Badges contain the following security and distinguishable features on the front of the card:
(1) Holographic overlay.
(2) Smart chip.
b. Agency Smart Badges will have the following printed in a horizontal orientation on the front of the badge:
(1) The photograph of the applicant in the top left corner.
(2) The legal name of the applicant printed below the applicant photograph.
(3) The NASA Agency identifier logo in the center of the badge.
(4) Two badge expiration dates, one located above the NASA Agency identifier (MMDDYYYY format) and one above the Agency logo (MMM YYYY format).
(5) The designation of the issuing Center, on the right side, below the smartcard chip.
(6) The unique badge identification number, above the NASA Agency identifier.
(7) Solid colored affiliation color band on the bottom of the badge based on the affiliation of the badge holder.
(8) The affiliation of the applicant, in the center of the solid colored affiliation color band.
c. Agency Smart Badges have the following printed horizontally on the back of the card:
(1) The statement: “This credential is the property of the U.S. Government. Counterfeiting, altering, or misusing violates Section 499, Title 18 of the U.S. Code.”
(2) Return address.
(3) Applicant height.
(4) Applicant eye color.
(5) Applicant hair color.
(6) A 3x9 bar code of the unique badge identifier.
(7) Preprinted Agency card serial number.
(8) The PCI identification number consisting of a six-character department code, the Agency code for NASA, and a five-digit issuing facility number.
5.4.1 Center-specific badges shall allow physical-only access to the issuing NASA Center.
5.4.2 Center-specific badges may, at the discretion of the CCPS and based on a risk-based determination, documented as part of the permanent record, be issued to any person who needs non-electronic physical access to a NASA Center, does not need logical access, and does not qualify for a NASA PIV Smartcard or Agency Smart Badge. This may include seasonal interns, volunteers, construction workers, and others as approved by the AIMO. Escort requirements for individuals with a Center-specific badge will be included in the risk-determination made by the CCPS.
5.4.3 Center-specific badges shall be issued following the identity proofing, registration, and issuance processes defined in this document.
5.4.4 Center-specific badges shall be issued only after favorable review of an NCHC, at a minimum.
5.4.5 Center-specific badges shall have an expiration set for a period not to exceed the earlier of the agreement end date or 3 years from the date of issuance.
5.4.6 Center-specific badges shall only allow access to the Center at which they were issued.
5.4.7 Physical Characteristics – Center-Specific Badges shall be printed vertically and with design characteristics which do not cause confusion with or resemble the NASA PIV smartcard or Agency Smart Badge.
a. The photograph of the applicant.
b. The legal name of the applicant.
c. The name of the issuing Center (Center name may be common abbreviation, e.g., ARC, AFRC, etc., as appropriate).
d. The full badge expiration date if the badge will be used for physical access.
5.5.1 Visitor passes shall allow non-electronic physical-only access to the issuing NASA Center when presented along with a NASA-approved identity source document.
5.5.2 NASA visitor passes may be issued to visitors requiring non-electronic, escorted physical-only access to a NASA Center.
5.5.3 Visitor passes shall be issued only after review and inspection of a primary NASA-approved identity source document. A second NASA-approved identity source document may be required at the discretion of the CCPS.
5.5.4 Visitor passes may be issued without fingerprint capture.
5.5.5 Centers may require additional vetting (e.g., NCIC or NCHC) prior to issuance of a visitor pass.
5.5.6 Visitor passes shall have an expiration set for a period not to exceed 29 days from the date of issuance.
5.5.7 Visitor passes shall only allow access to the Center at which they were issued.
5.5.8 Physical Characteristics – Visitor passes shall not be printed to resemble the NASA PIV smartcard or Agency Smart Badge. Visitor passes will utilize an Agency template from EVAMS and contain the following as minimum criteria:
a. The legal name of the applicant.
b. The full name of the issuing Center.
c. The full badge expiration date.
5.6.1 The Derived PIV Credential is an additional common identity credential under Homeland Security Presidential Directive-12 and Federal Information Processing Standards (FIPS) 201 that is issued by NASA, primarily for mobile authentication.
5.6.2 Derived credentials shall be issued by NASA following the processes established in FIPS 201 and NPR 2841.1, or other NPR established by the OCIO for derived credentials.
5.7.1 Visual Color Coding for Affiliation Type - NASA PIV and Agency Smart Badges shall use colored markings on the badge to identify the affiliation of the badge holder. NASA PIV credentials use a color band through the name of the applicant, and Agency Smart Badges use a band on the bottom of the credential and include the affiliation. The band will include a single capital letter identifying the color in the band (e.g., “G” for green), located within a white circle with a black outline on the right of the band. The purpose of the letter is to assist individuals with visual impairment in recognizing the color.
5.7.2 Contractors at NASA JPL who are U.S. citizens shall have a solid silver color below the green contractor color band.
5.7.3 IPA employees shall include the label “IPA” in black letters on the front of the badge.
5.7.4 Press corps and media shall include the label “PRESS” printed vertically down the right side of the Agency Smart Badge or Center-specific badge.
5.7.5 Emergency Response Officials (ERO) Credentials
5.7.5.1 The ERO designation shall only be applied to NASA PIV credentials.
5.7.5.2 ERO credentials shall contain a red strip containing the words “Emergency Response Official” at the bottom of the badge.
5.7.5.3 ERO credentials shall include, on the back of the credential, text stating “After credential verification, the EMERGENCY RESPONSE OFFICIAL should be given access to controlled areas.”
5.7.5.4 ERO credentials shall only be issued to those individuals performing a role identified in NPR 8715.2, NASA Emergency Management Program Procedural Requirements. These roles include, but are not limited to, Center and facility emergency and disaster response personnel, NASA and OIG sworn law enforcement officials, Continuity of Operations (COOP) personnel, Continuity of Governance (COG) personnel, and personnel in the Emergency Relocation Group (ERG), and personnel deployed to support the NASA National Response Framework (NRF) Emergency Support Function (ESF) Annexes.
5.7.5.5 ERO credentials shall only be issued to those individuals who have completed the requisite training established for that specific role in NPR 8715.2.
5.7.6 Foreign National Credentials
5.7.6.1 Foreign national badge characteristics shall take precedence over all other affiliation characteristics.
5.7.6.2 Foreign national badges shall have a light blue color border around the applicant photo.
5.7.6.3 Foreign nationals requiring escort will be recognized by red lettered “ESCORT ONLY” across the middle of the badge.
5.7.6.4 International Partners shall have a flag of the applicant’s country of citizenship in the lower right corner of the badge.
5.8.1 The digital data stored on the NASA credential supports physical and/or logical access use, encryption, and signing capability and provides security and authentication protection for the credential and credential holder.
5.8.1.1 Card Holder Unique Identifier (CHUID) - The CHUID is used by access control applications and is the only data that is accessible through both the contact and contactless interfaces. Applications can read this data without any action from the badge holder. The CHUID is composed of the following data elements which shall not be modified during post-issuance updates:
a. Federal Agency Smart Credential Number (FASC-N).
b. NASA Agency code.
c. System code identifying the original issuing Center.
d. A credential number.
e. Credential holder’s Uniform Universal Personal Identification Code (UUPIC).
f. Expiration date.
5.8.1.2 Digital certificates for card authorization key (CAK), authentication, signing, and encryption are encoded to the smartcard in accordance with FIPS 201 and FIPS 140.
5.8.1.3 Biometrics (typically fingerprints of the right and left index fingers) are stored as minutiae templates that represent a specific biometric but cannot be reverse engineered to recreate an image of that biometric.
5.8.1.4 Digital Representation of Printed Information - Certain items printed on the front and back of the card are stored on the smartcard as a security and authentication measure, including name, affiliation, organization, badge expiration date, Agency card serial number, and issuer identification.
5.8.1.5 Photograph - The facial image used in creating the photo printed on the front of the badge is stored in the badge. A facial image is required, and obscuring headwear may not be worn for the photograph.
5.8.1.6 The PIN is used to secure and protect the electronic data stored on the PIV credential. The PIN is used by the PIV credential holder to allow applications to access data and as part of the authentication process. It is stored in a secure section of the smart card, separate from the rest of the PIV credential digital data. All PIV credential data, with the exception of the CHUID, require the PIV credential holder to enter their PIN before an application can either access or use the data. The PIN is a minimum of a six-digit number selected by the credential holder and written to the credential during finalization. It shall not be stored in any system and should not be written down or otherwise recorded by the credential holder or any other person. The credential is automatically locked after no more than 15 consecutive tries of entering an invalid PIN. Credential PIN reset details and requirements for resetting a PIN are identified in Section 6.7, Credential PIN Reset.
5.9.1 UUPIC Number / Employee Number - A UUPIC is a component of NASA Identity Management that uniquely identifies a NASA identity. The Identity Management system is managed by OPS, working in concert with the OCIO and the Office of the Chief Human Capital Officer (OCHCO), to ensure proper functioning, assignment, use, and protection of the UUPIC.
5.9.2 UUPIC Characteristics - UUPICs shall only be issued through the population of seed data (name, unique identifier (SSN, foreign national visitor number, etc.), and date of birth) into the UUPIC repository. This information is required for all NASA identities including, but not limited to, civilians, contractors, partners, and remote IT system users that require a NASA identity. Any request for a UUPIC will be initiated via an approved identity creation workflow method. The reliable assignment of the UUPIC to persons uses at least two unique attributes, in addition to name attributes, from approved identity source documents. The ICAM database is the authoritative source of the UUPIC numbers. UUPIC numbers will be issued in random sequence, consistent with NASA policy, and will meet the following requirements:
a. Be a nine-digit numerical code without any significance as to the characteristics of the individual.
b. Be treated as a string to preserve UUPICs with leading 0s.
c. Cannot be created or derived based on other data contained in the UUPIC application.
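The following is an added example, not part of this NPR and not NASA's ICAM implementation, showing one way a consuming system could enforce the 5.9.2 format requirements: nine digits, handled as a string so leading zeros survive, and drawn at random rather than derived from other data. The function names, the in-memory set of issued values, and the sample values are assumptions made for illustration.

```python
import re
import secrets

# Nine ASCII digits; [0-9] is used instead of \d so non-ASCII digits are rejected.
_UUPIC_RE = re.compile(r"[0-9]{9}")


def parse_uupic(value):
    """Return the value unchanged if it is a nine-digit string, else raise.

    Non-string input is refused outright: once an identifier has passed
    through an integer type, any leading zeros are already lost.
    """
    if not isinstance(value, str):
        raise TypeError("UUPIC must be handled as a string, got %s"
                        % type(value).__name__)
    if not _UUPIC_RE.fullmatch(value):
        raise ValueError("UUPIC must be exactly nine digits")
    return value


def issue_uupic(already_issued):
    """Hypothetical issuance step: draw from a CSPRNG until an unused value
    is found, so the result carries no information about the individual and
    cannot be derived from other stored data. `already_issued` is a set
    standing in for the authoritative repository (an assumption)."""
    while True:
        candidate = "%09d" % secrets.randbelow(10**9)  # zero-padded to 9 digits
        if candidate not in already_issued:
            already_issued.add(candidate)
            return candidate


def audit_column(values):
    """Classify raw field values from an export or interface file so that
    type coercion and leading-zero loss are caught before records are joined."""
    report = {"ok": [], "non_string": [],
              "possible_stripped_zeros": [], "malformed": []}
    for v in values:
        if not isinstance(v, str):
            report["non_string"].append(v)
        elif _UUPIC_RE.fullmatch(v):
            report["ok"].append(v)
        elif v.isascii() and v.isdigit() and len(v) < 9:
            # Short all-digit strings usually mean a spreadsheet or numeric
            # column dropped leading zeros; do not silently re-pad them.
            report["possible_stripped_zeros"].append(v)
        else:
            report["malformed"].append(v)
    return report


# Constructed sample values for the audit (not real UUPICs).
SAMPLE_EXPORT = ["004218830", "4218830", 4218830,
                 "12345678X", "987654321", "１２３４５６７８９"]

if __name__ == "__main__":
    for bucket, items in audit_column(SAMPLE_EXPORT).items():
        print(bucket, items)
```

Values flagged as `possible_stripped_zeros` should be traced back to the authoritative source rather than re-padded, since padding a truncated value can match a different person's identifier.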
5.9.3 UUPIC Usage - The UUPIC shall serve as a replacement for the SSN by providing a unique identifier that can serve as a data point across NASA information systems. The UUPIC may not be used as a login identifier or user account name for any information systems, databases, Web sites, etc. The UUPIC may be available to NASA employees for lookup and may be used for positive identification of individuals within NASA information systems. The UUPIC may not be used for purposes other than those described in this policy without the concurrence of OPS. With the exception of account initiation in IdMAX, use of the UUPIC for any identification purposes outside those needed for positive identification of individuals across and only within information systems is prohibited without the consent of OPS. The UUPIC may never be posted on any Internet accessible Web site. Any deviation from this policy will be coordinated with OPS through OCIO in advance. Requests for a UUPIC will be initiated via the approved NASA on-boarding workflow for civil servants and contractors. UUPIC numbers are stored internally along with the first, middle, and last names and other information necessary to uniquely associate the UUPIC with a person.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.