NASA Procedural Requirements
NPR 1600.4B Effective Date: August 03, 2025 Expiration Date: August 03, 2030
6.1.1 Ownership. A credential is not personal property but is the property of the U.S. Government. All personnel shall be responsible for adhering to the following requirements:
a. Appropriately safeguarding issued credentials.
b. Immediately reporting the loss or false use of a credential.
c. Challenging noncredentialled personnel.
d. Notifying the proper authority of a name change.
e. Properly displaying a credential when on NASA property.
f. Surrendering a credential upon resignation, retirement, or the direction of the issuing authority.
6.1.2 Reciprocity. PIV credentials issued by other Federal Government departments and agencies or CACs issued by DoD shall be accepted for the purpose of establishing the identity of the individual and as a credential for access when credential registration is successful.
6.1.3 Misuse. Forging, falsifying, or allowing misuse of a credential or other forms of NASA identification in order to gain unauthorized access to NASA physical and logical resources is punishable under 18 U.S.C. 799 by fine or imprisonment for not more than one year, or both, and may further result in termination of employment and access to NASA resources.
6.1.4 Production. Credentials shall only be produced by approved personalization service providers or at Centers using approved production processes.
6.1.5 Delivery. Unprinted or unfinalized credentials shall be shipped directly to a Center by the credential manufacturer. The PIF Manager or other appropriate authority will designate a point of contact that is responsible for receipt of, signing for, and inventory and storage of credential stock.
6.1.6 Stock protection. Credential stock will be accessible only by authorized personnel and maintained in a secure manner, pursuant to Section 6.2, Credential Inventory, Storage and Handling. Credential stock will be monitored through the use of a log which includes, at a minimum, the date of check in, the date of check out, and the name of the person(s) performing the credential stock check-ins or check-outs.
6.2.1 Credential stock, including credentials yet to be issued and returned credentials, shall be stored using the following minimum requirements:
a. Properly identified and treated as “controlled material” for inventory.
b. Segregated from classified materials, firearms, ammunition, or currency.
c. Stored in a secure area protected by the enterprise physical access control system (EPACS).
6.2.2 Credentials which are lost, stolen, or unaccounted for while in storage shall be reported immediately to the PIF manager after discovery. Credential details, including credential identification numbers and status, will be reported to the ICAM credentialing team within 24 hours of discovery in order to update the card management system. The PIF manager will forward a report outlining all pertinent facts to the AIMO no later than two days after receiving reports of the lost, stolen, or unaccounted for credentials.
6.2.3 Defective credentials shall be identified, reported, and delivered to the core technical team. The issuance official will record the defective credential identification number and the defective status in the credential storage log. A new credential will be created following Section 3.3.8, Step 6: Credential Production.
6.2.4 All credential encoding failures shall be reported to the ICAM credentialing team within five days of discovery and include the identification number, failure description, and any other pertinent information.
6.3.1 All credentialing determinations shall adhere to the adjudication principles found in NPR 1600.3.
6.3.2 The authorizer shall make a credentialing determination of favorable or unfavorable based on the results of the database check, background investigation or continuous evaluation information.
6.3.3 A credentialing determination may occur at any time during the issuance process or after the issuance process has been completed and should be completed within 90 days of receiving the results of the database check, background investigation or continuous evaluation information.
6.3.4 When a favorable credentialing determination is made, the applicant’s record shall be updated to reflect a favorable credentialing determination and the background investigation indicator in the credential data model will be set to indicate background investigation completion.
6.3.5 When an unfavorable credentialing determination is made, the applicant’s record shall be updated to reflect an unfavorable credentialing determination and the credential will be suspended and confiscated. The sponsor will be notified of the denial decision.
6.3.5.1 The credential holder shall be provided the opportunity to appeal an unfavorable credentialing determination, pursuant to NPR 1600.3.
6.3.5.2 If the credential holder does not appeal, if the appeal is denied, or if the result of the appeal is an unfavorable credentialing determination, the credential shall be revoked.
6.3.5.3 If the result of the appeal is a favorable credentialing determination, the credential shall be reactivated and returned to the credential holder and the actions in section 6.3.4 shall be applied.
6.4.1 NASA shall provide an electromagnetically opaque badge holder to physically protect the credential and electronically protect the information contained in the credential. Other holders found on the approved products list may be purchased by a Center at their discretion. Such holders are the responsibility of the purchasing Center to ensure that they are electromagnetically opaque.
6.4.2 Credentials shall be properly displayed and worn at all times while the bearer is on a NASA Center or component facility. Credentials will be worn above the waist on the outermost garment with the photograph visible.
6.4.3 The use of a permanent-type symbol or the affixing of any device (e.g., tenure pin, decals, etc.) on a PIV Smartcard or Agency Smart Badge (or any alteration or modification thereof) shall not be allowed.
6.4.4 The punching of holes or any alteration that affects the integrity of a PIV Smartcard or Agency Smart Badge shall not be allowed.
6.4.5 Non-public areas within a NASA Center perimeter may be accessed using NASA PIV Smartcards and Agency Smart Badges; such access will be handled on an as-needed basis in compliance with the policies established by that Center for access to facilities.
6.4.6 The visitor pass shall only be valid for the term issued, pursuant to section 5.5, Visitor Passes. The visitor pass will be returned at the end of the visit.
6.4.7 For logical access, smartcard credentials shall be placed in a card reader so the credential can be authenticated. Additional credential usage and permission requirements related to logical access are established in the Subscriber Agreement, provided to and signed by the applicant for:
a. Authorized uses of the credential.
b. Authorized uses of the PKI certificates and services provided with the credential.
c. Additional usage requirements for logical access credentials are established in NPR 2810.1.
6.4.8 For physical access, the credential shall be placed in proximity to the card reader so the credential can be authenticated. The credential may need to be removed from the badge holder and held directly to the card reader for authentication. For certain multi-factor physical access, the credential will be inserted into the card reader and a PIN and/or biometric provided.
6.5.1 Credential renewal shall occur prior to credential expiration and facilitate replacement of the credential without the need to repeat the full enrollment and reissuance procedures described in section 3.3, Enrollment and Issuance Procedures unless the existing enrollment is no longer valid.
6.5.2 Credential holders may apply for a renewal prior to the expiration date on their PIV credential, as allowed by IdMAX.
6.5.3 The renewal request shall be coordinated with the sponsor, who ensures personnel records are accurate and current before the issuance of a new credential.
6.5.4 A biometric match of the credential holder’s fingerprints shall be performed prior to the collection of new biometrics.
6.5.5 New biometrics shall be collected as described in section 3.3.6, Step 4: Enrollment Process.
6.5.6 The old and/or expired credential shall be collected and destroyed at the time of renewal issuance pursuant to section 6.14, Credential Destruction.
6.5.7 The authorizer shall approve the renewal and coordinate the request for a new background investigation to be performed, in accordance with NPR 1600.3.
6.5.8 If a renewal is in process and enrollment of new biometrics is not completed prior to the credential expiration, then the credential shall be re-issued as described in Section 6.6, Credential Re-issuance.
6.6.1 The old credential shall be revoked, pursuant to Section 6.8, Credential Revocation when the credential:
a. Has passed its expiration date without a renewal occurring.
b. Has been compromised.
c. Is lost, stolen, or damaged.
d. Requires a change in printed information (name change, citizenship change, etc.).
e. Card holder’s status or affiliation changes.
6.6.2 NASA PIV credentials shall not be re-issued for an individual transferring from one Center to another Center.
6.6.3 The applicant shall undergo the entire enrollment and issuance process, in accordance with section 3.3, Enrollment and Issuance Procedures.
6.6.4 Credential holders who have officially changed their name shall submit a request for a reissuance of their credential. The credential holder will be required to reenroll and provide approved identity source documentation that reflects the legal name change prior to enrollment occurring and issuance of the new credential.
6.7.1 Credentials that are disabled or locked-out due to a maximum of 15 consecutive invalid PIN entry attempts shall have their PIN reset. It is the responsibility of the credential holder to arrange for a PIN reset to occur.
6.7.2 Biometric verification of the applicant’s biometrics to the biometrics stored on the card shall occur prior to the PIN being reset.
6.7.2.1 If the biometrics cannot be matched after 3 tries or the fingerprints are unclassifiable, the applicant will be required to provide a primary identity source document to the enrollment official, or other designated official, who will compare the photographs on the credential, in the identity source document, and on the screen within the credential management system to confirm the identity of the individual. Once the identity is confirmed, the enrollment official will assist the applicant to perform a PIN reset.
6.7.3 PIN reset shall not require the reissuance of a credential.
6.8.1 Credentials shall be revoked under the following conditions:
a. Change in need for access.
b. Termination of employment, both voluntary and involuntary.
c. Unfavorable credentialing decision based on results of a background investigation or continuous evaluation.
d. Administrative action.
e. Death of the credential holder.
6.8.2 Revocation of a credential shall result in the following:
a. The credential holder’s relationship shall be set to “inactive.”
b. The credential shall be returned and terminated.
c. Notification shall be provided to the sponsor, and other appropriate personnel, of the credential revocation.
6.9.1 Lost and stolen credentials shall be reported to the Center PIF Manager immediately after discovery of the loss/theft. The lost/stolen credential will be suspended in accordance with section 6.11, Credential Suspension. If the credential is not reported found within 24 hours the credential will be revoked and/or disabled, cancelling all certificates and access privileges of that card. The identity of the credential holder itself will remain active, as only the card is disabled.
6.9.2 The credential holder shall, within three business days of reporting the loss/theft, appear in person at the badging office to verify loss/theft of the credential and be issued a new credential. The credential holder will be required to undergo a credential re-issuance per section 6.6, Credential Re-issuance.
6.9.3 It is the responsibility of NASA Centers to establish policy for the handling of multiple lost and stolen credentials. Centers may adopt one of the below methods for managing credential holders who report their credential as lost or stolen on multiple occasions. The following list is not comprehensive, and additional methods may be chosen by the Center:
a. Allow for the replacement of two credentials after which the credential holder will undergo awareness training for each subsequent lost credential prior to receiving the credential.
b. Implement a lost/stolen credential form which requires signature of the credential holder’s manager, sponsor, or other appropriate individual(s).
6.10.1 The credential holder will appear at the badging office to request a temporary replacement credential/pass for physical access.
6.11.1 Suspended credentials shall be immediately disabled and all related access, both physical and logical, shall be disabled.
6.11.2 Credentials shall be set to “suspended” and temporarily disabled in situations where the credential is at risk such as when the credential has been forgotten or misplaced and is no longer in the possession of the credential holder. Lost or stolen credentials will be handled pursuant to section 6.9, Lost and Stolen Credentials.
6.11.3 Credentials shall be set to “suspended” and temporarily disabled in situations where the credential holder presents a significant risk to the Agency (e.g., threat made by the credential holder against another person).
6.11.4 Credentials, and all related access, that have been suspended may be re-enabled or revoked in accordance with those processes and requirements.
6.12.1 Cardholders shall return credentials to NASA once an individual’s affiliation with NASA has ended. Credentials should be returned to the issuing authority no later than the last day of association with NASA. The issuing authority will be responsible for recording receipt of the credentials that are returned and properly storing the credentials until destruction. Credentials are not allowed to be kept as souvenirs.
6.12.2 Credentials may be placed in the mail for return to OPS at NASA Headquarters.
6.12.3 The responsibility of credential return oversight is:
a. HR for NASA civil servant.
b. Contract program manager for contractors.
c. Grant technical official for grantees.
d. The requester or sponsor for all other identities.
6.13.1 Credentials returned to the badging office that do not meet any of the requirements previously established in this chapter and are to be terminated shall have all data, certificates, and access privileges invalidated, revoked, and/or disabled. Credentials that are to be terminated will have their status set to “terminated,” and a reason will be supplied for the termination. Deactivation of a credential and associated identity, if necessary, will be completed within 18 hours of notification of the need for credential termination. Terminated credentials will be destroyed following the requirements in section 6.14, Credential Destruction.
6.14.1 Credentials meeting the following criteria shall be destroyed:
a. Expired credentials.
b. Credentials discovered or located after being declared lost or stolen.
c. Credentials that are damaged.
d. Terminated credentials.
e. Revoked credentials.
6.14.2 Credentials shall be thoroughly destroyed using heavy-duty crosscut shredders that are capable of smart card destruction, by depositing into a burn bag for burning, or by another method meeting National Security Agency compliant destruction procedures.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.