NASA Procedural Requirements

NPR 2810.2 Effective Date: October 29, 2019 Expiration Date: October 29, 2024

Subject: Possession and Use of NASA Information and Information Systems Outside of the United States and United States Territories (Updated with Administrative Change 1)

Responsible Office: Office of the Chief Information Officer

Preface

P.1 Purpose

a. This NASA Procedural Requirements (NPR) document establishes requirements and responsibilities for the use and handling of NASA information and information technology (IT) by NASA personnel traveling or other activities associated with official NASA business outside of the United States (U.S.) and U.S. territories.

b. Use of IT outside of the U.S. and U.S. territories creates risks to NASA information, information systems, and personnel that are greater than those risks present during work and travel within the U.S.

P.2 Applicability

a. This NPR is applicable to NASA, including Component Facilities and Technical and Service Support Centers. This language applies to the Jet Propulsion Laboratory (JPL), a Federally Funded Research and Development Center (FFRDC), contractors, grant recipients, or parties to agreements only to the extent specified or referenced in the appropriate contracts, grants, or agreements.

b. In this NPR, all mandatory actions (i.e., requirements) are denoted by statements containing the term "shall." The terms "may" or "can" denote discretionary privilege or permission; "should" denotes a good practice and is recommended, but not required; "will" denotes expected outcome; and "are/is" denotes descriptive material.

c. This NPR covers all government furnished property (GFP) and NASA-issued IT devices, such as laptops, tablets, Universal Serial Bus (USB) storage devices, cell phones, and smartphones or other devices that store, process, transmit, or receive NASA information, when such devices are used or carried on international travel.

d. This NPR covers any and all non-public NASA information regardless of format and medium of storage, transport, and use. The use of unauthorized devices to access non-public NASA information for the conduct of official NASA business, including while on foreign travel, is not allowed. This NPR also covers downloads of information and information created during international travel.

e. In this directive, all document citations are assumed to be the latest version unless otherwise noted.

P.3 Authority

a. Export Administration Regulations (EAR), 15 Code of Federal Regulations (CFR) pts. 730 774.

b. International Traffic in Arms Regulations (ITAR), 2 CFR pts. 120-130.

c. NPR 1382.1, NASA Privacy Procedural Requirements.

d. NPR 1660.1, NASA Counterintelligence and Counterterrorism.

e. NPR 2190.1, NASA Export Control Program.

f. NPR 2810.1, Security of Information Technology.

g. NPR 9710.1, Travel.

h. NASA Information Technology Strategic Plan, Fiscal Years 2018-2021.

i. Information Technology Security (ITS)-Handbook (HBK) 2810.02-2, Security Assessment and Authorization.

j. ITS-HBK-2810.07.01, Configuration Management.

k. ITS-HBK-2810.11-01, Media Protection.

l. NASA Advisory Implementing Instruction (NAII) 2190.1, NASA Export Control Program Operations Manual.

m. Office of International and Interagency Relations Memorandum: Update on Training Requirements for NASA Official International Travel, November 28, 2018.

n. Designated Countries List: http://oiir.hq.nasa.gov/nasaecp/index.html

P.4 Applicable Documents and Forms

a. Export Administration Regulations (EAR), 15 CFR pts. 730-774.

b. International Traffic in Arms Regulations (ITAR), 2 CFR pts. 120-130.

c. NPR 1382.1, NASA Privacy Procedural Requirements.

d. NPR 1660.1, NASA Counterintelligence and Counterterrorism.

e. NPR 2810.1, Security of Information Technology.

f. ITS-HBK 2810.02-2, Security Assessment and Authorization.

g. ITS-HBK-2810.07.01, Configuration Management.

P.5 Measurement/Verification

Performance measures relative to implementation of this policy are outlined in NASA's IT Strategic Plan and Federal Information Security Modernization Act (FISMA) Reporting. Verification is ensured through the NASA Chief Information Officer (CIO) internal controls program, and the Agency's annual Statement of Assurance process.

P.6 Cancellation

NID 2810.107A, Use of NASA Information and Information Systems while Outside of the U.S. and Territories, May 16, 2016.

DISTRIBUTION:
NODIS

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.