| NODIS Library | Legal Policies(2000s) | Search |

NPR 2810.7
Effective Date: October 22, 2021
Expiration Date: October 22, 2026
Printable Format (PDF)

Subject: Controlled Unclassified Information

Responsible Office: Office of the Chief Information Officer

| TOC | Preface | Chapter1 | Chapter2 | AppendixA | AppendixB | AppendixC | ALL |


P.1 Purpose

a. This directive establishes Agency-wide requirements for the protection of Controlled Unclassified Information (CUI).

b. This directive outlines personnel responsibilities and procedural requirements for the management of CUI to assist NASA Centers and Component Facilities in executing the NASA CUI program designed to protect people, property, and information.

c. This directive establishes Agency procedures for the proper implementation and management of a uniform system for categorizing, safeguarding, and decontrolling CUI generated by, for, or in the possession of NASA.

d. All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI. CUI serves as the exclusive designation for identifying and controlling such unclassified information throughout NASA. All safeguarding or dissemination controls for unclassified information will be consistent with the CUI Program.

P.2 Applicability

a. This directive is applicable to NASA Headquarters and all NASA Centers, including Component Facilities, Federally Funded Research and Development Centers (FFRDCs) and Technical and Service Support Centers.

b. This directive is applicable to all NASA civil service employees who require access to CUI in the performance of their duties.

c. Consistent with Controlled Unclassified information (CUI), Accessing and Disseminating, 32 CFR § 2002.16; and Chapter 2 of this directive, the requirements of this directive should be made applicable to all individuals and entities with whom NASA shares or intends to share CUI, including:

(1) Government owned, contractor operated (GOCO) facilities;

(2) Partners under the Space Act;

(3) Partners under the Commercial Space Act of 1997;

(4) Partners under cooperative agreements; or

(5) Commercial or university facilities.

d. All document citations in this directive are assumed to be the latest version unless otherwise noted.

e. In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term “shall.” The terms: “may” or “can” denote discretionary privilege or permission, “should” denotes a good practice and is recommended, but not required, “"will” denotes expected outcome, and “are/is” denotes descriptive materials.

P.3 Authority

a. The National Aeronautics and Space Act, 51 United States Code (U.S.C.) § 20132.

b. Executive Order (E.O.) 13556, Controlled Unclassified Information.

c. Controlled Unclassified Information, 32 CFR pt. 2002.

P.4 Applicable Documents and Forms

a. Freedom of Information Act (FOIA), 5 U.S.C § 552.

b. Privacy Act of 1974, 5 U.S.C. § 552a.

c. Whistleblower Protection Act, 5 U.S.C. § 2302.

d. Accessing and Disseminating, 32 CFR § 2002.16.

e. NASA Policy Directive (NPD) 2521.1, Communications and Material Review.

f. NASA Procedural Requirement (NPR) 1600.2, NASA Classified National Security Information (CNSI).

g. NPD 1440.6, NASA Records Management.

h. NPR 1441.1, NASA Record Management Program Requirements.

i. NPR 2810.2, Possession and Use of NASA Information and Information Systems Outside of the United States and United States Territories.

j. NPR 8000.4, Agency Risk Management Procedural Requirements.

k. NPR 9710.1, General Travel Requirements.

l. National Archives and Records Administration (NARA) CUI Marking Handbook (https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf).

m. NASA CUI Handbook (https://cset.nasa.gov/wp-content/uploads/2021/05/ITS-HBK-CUI_v1.0.0.pdf).

n. National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004 (FIPS PUB 199).

o. NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 (FIPS PUB 200).

p. NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations, September 2020 (updated 12-10-2020) (NIST SP 800-53).

q. NIST SP 800-88, Revision 1, Guidelines for Media Sanitization, December 2014 (NIST SP 800-88).

r. NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, Revision 2, February 2020.

P.5 Measurement/Verification

a. To determine Center compliance with E.O. 13556, Controlled Unclassified Information, 32 CFR pt. 2002, and this directive, NASA HQ, Mission Directorates, Center Directors, and Center Chief Information Security Officers (CISOs) will determine and document compliance through annual self-assessments (see self-inspections at 2.21) and reviews conducted by the Office of the Chief Information Officer (OCIO). Each year OCIO will provide guidance from the CUI Executive Agent to help the Center CUI Liaisons complete the self-inspection process for their organization.

b. The NARA Information Security Oversight Office (ISOO), as the CUI executive agent, maintains continuous relationships with agency counterparts on all matters relating to the CUI Program and 32 CFR pt. 2002. ISOO also conducts on-site assessments to monitor agency compliance. Each year ISOO gathers statistical data regarding each agency’s security classification program. ISOO analyzes and reports this data, along with other relevant information in its Annual Report to the President. NASA follows ISOO guidance and is subject to ISOO inspections and reviews.

c. Internal and external auditors responsible for ensuring Agency compliance and effective implementation of the E.O. 13556 will evaluate the NASA CUI program.

P.6 Cancellation

a. NASA Interim Directive (NID) 1600.54, Safeguarding Sensitive But Unclassified Information (SBU), dated October 2, 2007.

b. NID 1600.55, Sensitive But Unclassified (SBU) Information, dated October 16, 2007.

c. NID 2810.135, Controlled Unclassified Information, dated February 2, 2021.

d. NASA Policy Statement (NPS) 1600.99, Safeguarding Sensitive But Unclassified Information, dated October 2, 2016.

e. NASA Requirement Waiver (NRW) 1400-48, Waiver for NID 1600-54 and NID 1600-55, dated, December 16, 2011.

f. NRW 1600-34, Waiver for NID 1600-54, dated December 15, 2011.

| TOC | Preface | Chapter1 | Chapter2 | AppendixA | AppendixB | AppendixC | ALL |
| NODIS Library | Legal Policies(2000s) | Search |


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.