
NASA Procedural Requirements
NPR 2810.7
Effective Date: October 22, 2021
Expiration Date: October 22, 2026
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: Controlled Unclassified Information

Responsible Office: Office of the Chief Information Officer



Chapter 1. Introduction

1.1 Overview

1.1.1 In November 2010, the United States President issued E.O. 13556 to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls” pursuant to and consistent with law, regulations, and Government-wide policies.

1.1.2 Prior to that time, more than 100 different markings for such information existed across the executive branch. This inefficient, confusing patchwork resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency-specific policies were often hidden from public view only aggravated these issues.

1.1.3 As a result, E.O. 13556 established the CUI Program to standardize and simplify the way the executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies.

1.1.4 The National Archives and Records Administration (NARA), acting through its Information Security Oversight Office (ISOO), is the CUI Executive Agent responsible for developing policy and providing oversight for the CUI Program.

1.2 Responsibilities

1.2.1 NARA established a CUI Registry on its website that serves as the authoritative reference for all CUI categories and markings.

1.2.2 Pursuant to E.O. 13556 and 32 CFR pt. 2002, the NASA Administrator shall:

a. Demonstrate personal commitment, and commit senior management and the necessary resources, to the successful implementation of the program established under this directive and in accordance with E.O. 13556.

b. Designate a senior agency official (SAO) to direct and administer the information security program for managing and safeguarding CUI in accordance with E.O. 13556.

c. Advise NARA of any changes to the designated SAO.

d. Approve policies to implement the CUI Program.

1.2.3 The NASA Chief Information Officer (CIO) is the designated SAO for CUI and shall:

a. Direct and oversee NASA's CUI Program.

b. Designate a CUI Program Manager (PM).

c. Ensure NASA has CUI implementing policies and plans.

d. Develop and execute current NASA-wide policies and procedures to manage a CUI program that complies with E.O. 13556 and 32 CFR pt. 2002.

e. Implement and monitor compliance for a CUI education and training program.

f. Ensure the training program for CUI includes sufficient information that allows all personnel to understand and carry out their obligations with respect to protecting, storing, transmitting, transporting, and destroying CUI.

g. Provide updates on NASA's CUI implementation and management efforts to NARA.

h. Assist in and respond to audits.

i. Manage the annual reporting requirements to NARA.

j. Develop and implement NASA’s CUI self-inspection program.

k. Establish and maintain a process to accept and manage challenges to CUI status (including improper marking or absence of marking) in accordance with laws, regulations, and Government-wide policies.

l. Establish and maintain processes and criteria for reporting and investigating misuse of CUI.

m. Submit to NARA any law, regulation, or Government-wide policy not already incorporated into the CUI Registry that the Agency proposes to use to designate unclassified information for safeguarding or dissemination controls.

n. Coordinate with NARA and the NASA CUI PM, any proposed law, regulation, or Government-wide policy that would establish, eliminate, or modify a category or subcategory of CUI, or change information controls relating to CUI.

o. Establish and maintain processes for handling CUI decontrol requests submitted by authorized holders.

p. Establish and maintain a mechanism by which authorized holders can contact a designated representative for instructions when they receive unmarked or improperly marked information that NASA has designated as CUI.

q. Coordinate with the Office of Procurement to ensure the Agency’s contracts reflect the most current Federal Acquisition Regulation (FAR) provisions.

r. Ensure that NASA CUI policy-related documents reflect current CUI guidance and requirements specified by NIST.

s. Coordinate with the Office of Protective Services (OPS) to ensure that Agency-level physical security controls for CUI are consistent with current physical security policy.

t. Issue guidance regarding requirements for protecting CUI within information technology (IT) systems and tools and when transmitting CUI via electronic means (e.g., email, Teams).

u. Retain a record of each waiver of CUI requirements.

v. Include a description of all current waivers and waivers issued during the preceding year in the annual report to NARA, along with the rationale for each waiver and the alternate steps the Agency takes to ensure sufficient protection of CUI.

w. Notify authorized recipients and the public of these waivers through means such as notices or websites.

1.2.4 The NASA CUI PM (as designated by the NASA SAO) shall:

a. Manage the day-to-day operations of NASA’s CUI Program, as directed by the CUI SAO.

b. Coordinate CUI policy development and updates.

c. Serve as NASA’s official representative to NARA on NASA’s CUI Program operations and related matters, including submission of required reports.

d. Serve as NASA’s official representative on the Interagency CUI Advisory Council to advise NARA on the development and issuance of policy and implementation guidance for the CUI Program.

e. Serve as NASA’s primary subject matter expert in CUI, advising NASA offices on their CUI programs to ensure CUI operations comply with government requirements.

f. Investigate and lead mitigation efforts for incidents involving CUI.

g. Inform the CUI SAO of any significant CUI incidents as well as any incident trends.

h. Issue guidance regarding requirements for:

(1) protecting CUI within IT systems;

(2) transmitting CUI from NASA information systems;

(3) physical protections for CUI materials; and

(4) destruction of CUI materials.

i. Convey requirements for training and reporting to NASA organizations.

j. Act as the primary point of contact for CUI reporting and audit responses.

k. Organize and oversee CUI training efforts.

l. Maintain an internal website that contains information about the CUI Program, with a section for each Center to list their frequently encountered CUI categories and special instructions.

m. In collaboration with the OPS, manage NASA physical self-inspections of areas storing and processing CUI materials.

n. Develop and maintain reporting mechanisms (e.g., 1-800 numbers, dedicated email addresses) and procedures for the timely reporting of incidents involving CUI.

o. Develop a phased, high-level implementation plan, post it to the NASA CUI webpage, and ensure that the plan includes the targeted date of full implementation of the program, as directed by the NASA CUI SAO.

1.2.5 Center Directors shall:

a. Ensure that the Center has the ability to destroy CUI when NASA no longer needs the information, and NASA Records Retention Schedules (NRRS) 1441.1 no longer require retention of the records.

b. In accordance with NASA NPD 1440.6, NASA Records Management, July 11, 2019, ensure CUI is destroyed, including CUI in electronic form, in a manner that makes it unreadable, indecipherable, and irrecoverable in accordance with current NIST guidelines and the requirements of this directive (see section 2.14).

c. Ensure that physical materials that contain CUI have CUI markings as per 32 CFR § 2002.20.

d. Ensure their Centers protect all CUI in accordance with NASA policy and guidelines, and that all individuals and entities with whom NASA shares or intends to share CUI, including contractors, grant recipients, and cooperative partners, exercise the same care and remove any CUI controls from the information once it is decontrolled.

Note: These specific Center requirements will include or identify all CUI that is routinely handled by personnel. The NASA CUI webpage will be the central repository for these guidelines and any specific Center requirements.

1.2.6 Center Directors may issue local policies that complement overarching requirements identified in this directive.

1.2.7 The Center CIOs and HQ CIO shall:

a. For NASA systems within their purview, assess systems that contain CUI and ensure that all Federal information technology systems that process CUI are categorized at no less than the Federal baseline of moderate confidentiality impact level per NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199).

b. Ensure that the security requirements and controls of FIPS PUB 199, FIPS PUB 200, and NIST Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53), are applied to Federal information systems that process, store, or transmit CUI.

c. Ensure the Agency applies NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST SP 800-171), when establishing security requirement agreements to protect the confidentiality of CUI on non-Federal information systems.

d. Document methods for protecting CUI on public-facing websites and in cloud-based systems implemented at the Center.

e. Ensure information systems that contain CUI have CUI markings or warnings as per 32 CFR pt. 2002.

f. Designate CUI Liaisons and alternates to the CUI PM.

1.2.8 CUI Liaisons and alternates shall:

a. Complete all required CUI training.

b. Conduct oversight actions to ensure compliance within their area of responsibility and report findings to the NASA CUI PM.

c. Serve as their office or organization’s CUI subject matter expert, responding to inquiries from their organizations and consulting with the CUI PM on questions beyond their expertise.

d. Ensure all personnel within their organization complete training as required and report the status of training to the NASA CUI PM.

e. Conduct annual self-inspections of their CUI Program according to the guidance provided by the CUI PM.

f. Provide input from their respective offices on all other reporting requirements to the CUI PM.

g. Report instances of substantiated CUI misuse, violation, or infractions in accordance with the NASA Cybersecurity and Privacy Rules of Behavior. Track and report such instances to the CUI PM.

h. Confirm their status as a CUI Liaison with the CUI PM on an annual basis (by the dates designated by the CUI PM) and provide notification within five business days if their status changes.

i. Use the CUI Handbook to guide their duties in the Liaison role.

1.2.9 Contracting Officers, Contract Specialists, and Agreement Managers shall include CUI security clauses and standards in their assigned contracts and agreements that deal with CUI. Consider incorporating elements of model statements of work, task statements, and deliverables shared on the NASA CUI website.

1.2.10 Contracting Officer Representatives (CORs) shall:

a. Identify the types of CUI in the contract or potentially shared as part of the activity covered by their assigned contracts.

b. Include the CUI requirements of this policy in all pertinent contracts and agreements. Consider incorporating elements of model statements of work, task statements, and deliverables shared on the NASA CUI website.

c. Ensure contractors receive training on CUI within 30 days of contract award or prior to accessing CUI, whichever occurs first.

d. Report any violations of CUI requirements by contractors to the CO and CUI PM.

1.2.11 Supervisors and Managers shall:

a. Review and ensure that all CUI products for their organization are properly marked in accordance with this policy.

b. Annually verify that:

(1) All physical safeguarding measures for individual workspaces are adequate for the protection of CUI (i.e., prevention of unauthorized access) in compliance with this directive.

(2) All electronic safeguarding measures are adequate for the protection of CUI (i.e., prevention of unauthorized access).

c. Ensure that all personnel under their purview receive required CUI training.

1.2.12 Information Owners (IO) and Information System Owners (ISO) shall:

a. Ensure all CUI collected under their purview is properly designated using a category or subcategory approved by the CUI Executive Agent and published in the CUI Registry.

b. Ensure the secure transmission and storage of CUI in accordance with Federal law, regulations, Government-wide and NASA policies, and these procedural requirements. See sections 2.13 through 2.15 and 2.20.

1.2.13 Executive Branch personnel, including NASA civil servants, who receive NASA CUI shall:

a. Complete all initial, recurring, and CUI Specified assigned CUI training within the required timeframes.

b. Manage, mark, and protect CUI in accordance with this policy, E.O. 13556, 32 CFR pt. 2002, the NASA CUI Handbook, and the NARA CUI Marking Handbook.

c. Ensure that sensitive information currently stored as legacy material that is annotated as For Official Use Only (FOUO) or Sensitive But Unclassified (SBU), or that bears other legacy security markings, is re-marked as CUI before the information leaves NASA.

Note: Only markings that are contained in the NARA CUI Registry may be used to annotate CUI.

d. Report CUI violations to the NASA Security Operations Center (SOC).

Note: CUI violations may also be reported to line management.

1.2.14 Non-Executive Branch entities and individuals, including but not limited to contractors, contractor employees, detailees, guest researchers, and interns, shall, to the extent specified in agreements entered into pursuant to section 2.10:

a. Complete all initial, recurring, and CUI Specified assigned CUI training within the required timeframes.

b. Manage, mark, and protect CUI in accordance with this policy, E.O. 13556, 32 CFR pt. 2002, and the NASA CUI Handbook.

c. Ensure that sensitive information currently stored as legacy material that is annotated as For Official Use Only (FOUO) or Sensitive But Unclassified (SBU), or that bears other legacy security markings, is re-marked as CUI before the information leaves NASA.

Note: Only markings that are contained in the NARA CUI Registry may be used to annotate CUI.

d. Report CUI violations to the NASA SOC.

1.2.15 The NASA Senior Agency Official for Privacy (SAOP) shall advise the CUI SAO and CUI PM on all policies, procedures, laws, regulations, and guidance relating to the Privacy Act of 1974, 5 U.S.C. § 552a, and Personally Identifiable Information (PII) and coordinate with the CUI SAO and CUI PM to ensure consistency between privacy policy and CUI requirements.

Note: The NASA SAOP may delegate this function to the Agency Privacy Officer.

1.2.16 The NASA Chief FOIA Officer shall:

a. Advise the CUI SAO and CUI PM on all policies, procedures, laws, regulations, and guidance pertaining to the disclosure of information in response to requests for records made under the Freedom of Information Act (FOIA), 5 U.S.C. § 552, and the Privacy Act, 5 U.S.C. § 552a.

b. Coordinate with the CUI SAO and CUI PM to resolve any conflicts between 5 U.S.C. § 552 and CUI requirements.

Note: The NASA Chief FOIA Officer may delegate this function to Center FOIA Officers.

1.2.17 The NASA Chief Data Officer (CDO) shall consult, if needed, with the SAO for CUI and the CUI PM to ensure required safeguards are applied to protect CUI in NASA digital assets.




DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.