| NODIS Library | Legal Policies(2000s) | Search |

NPR 2810.1F
Effective Date: January 03, 2022
Expiration Date: January 03, 2027
Printable Format (PDF)

Subject: Security of Information and Information Systems

Responsible Office: Office of the Chief Information Officer

| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL |

Appendix A Definitions

Authorization to Operate. The formal acceptance, by an Authorizing Official, that the security of an information system’s operation is commensurate with the risk and magnitude of harm resulting from a compromise of that system’s confidentiality, integrity, and availability.

Boundary Protection. The security safeguards or countermeasures in place on an information system’s logical and physical perimeters.

Common Control. A security safeguard or countermeasure which may be designed, implemented, and assessed at a level which encompasses one or more information systems.

Continuous Monitoring. The ongoing, and often high-frequency, assessment of an information system’s security posture usually enabled through the use of automated tools which measure the effectiveness of specific security controls.

Cybersecurity. Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

Cyberspace. The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.

Data Security. The combination of data-at-rest protection and data-in-transit protection that provides the confidentiality, availability, and integrity of data.

Elevated Privileges. A set of capabilities allowing a user to perform security-relevant functions.

External Information System. Any information system owned, operated, and managed by outside agencies, contractors, universities, or other organizations which store, process, or disseminate NASA-owned data under a contract or formal agreement, such as an interagency agreement, with NASA.

External information systems may be owned by outside agencies, contractors, universities, or other organizations and provide services to other customers besides NASA. These systems are usually not located on NASA owned/lease facilities, usually do not use NASA internet protocol (IP) addresses, and usually do not use NASA domain name service (DNS) entries.

Handbook. An Agency-level, SAISO-approved document which prescribes the best practices, policies, and procedures regarding various information system security topics.

Hybrid Control. A security safeguard or countermeasure which requires system-specific consideration and may also be partially designed, implemented, and assessed at a level which encompasses one or more information systems.

Information. Any knowledge that can be communicated regardless of its physical form or characteristics, which is owned by, produced by, produced for, or is under the control of NASA.

Information Security. The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security Baseline. Predefined sets of controls specifically assembled to address the protection needs of groups, organizations, or communities of interest.

Information Security Incident. Any adverse event or situation associated with a system that poses a threat to the system’s integrity, availability, or confidentiality. For example, an incident may result in or stem from any one of the following: a failure of security controls; an attempted or actual compromise of information; and/or waste, fraud, abuse, loss, or damage of government property or information.

Information System. A discrete set of resources designed and implemented for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. This term includes both Operational Technology and Information Technology.

Information Technology. Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data by the Agency. This includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.

Internal Information System. A system that is generally covered by an SSP developed by NASA or its contractors and exists for the sole purpose of supporting NASA’s mission or operations. These systems are often located on/at NASA owned/leased facilities, use NASA IP addresses, and/or use NASA DNS entries. Also called a NASA system or an Agency system.

Least Privilege. The concept of limiting the flexibility of use an information system user or component has, to the degree necessary to perform a specified role.

Media. Physical devices or writing surfaces including magnetic tapes, optical disks, magnetic disks, Large-Scale Integration memory chips, and printouts (but excluding display media) onto which information is recorded, stored, or printed within a system.

NASA Center. Any of the collection of facilities and installations designated by NASA, and usually grouped by function (e.g., research, construction, administration).

NASA User. Any explicitly authorized patron of a NASA information system.

Near Real-Time (Risk Assessment). An analysis of an information system’s security posture which closely reflects the immediate state of the system.

Network. A system implemented with a collection of connected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Ongoing Authorizations. The continuous acceptance of an information system’s operation based on a real-time understanding of the system’s security posture.

Operational Control. The collection of strategic NIST SP 800-53 controls dedicated to information system security.

Operational Technology. Operational Technology: Hardware and software that is physically part of, dedicated to, or essential in real time to the performance, monitoring, or control of physical devices and processes..

Organization Defined Values. Those details of certain security controls that are meant to be determined by the managing entity.

Typically, a memo delivered annually by the OCIO that defines specific details of a security control’s implementation.

Physical Devices and Systems. A tangible asset that is used in the acquisition, storage, manipulation, management, movement control, display, switching, interchange, transmission, or reception of data or information.

Privileged User. A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Program. A strategic investment by a Mission Directorate or Mission Support Office that has a defined architecture and/or technical approach, requirements, funding level, and a management structure that initiates and directs one or more projects. A program defines a strategic direction that the Agency has identified as needed to accomplish Agency goals and objectives.

Program Manager. A generic term for the person who is formally assigned to be in charge of the program. A program manager could be designated as a program lead, program director, or some other term, as defined in the program’s governing document.

Project. A specific investment identified in a Program Plan having defined requirements, a life-cycle cost, a beginning, and an end. A project also has a management structure and may have interfaces to other projects, agencies, and international partners. A project yields new or revised products that directly address NASA’s strategic needs.

Project Manager. A generic term that represents the position in charge of the project. A project manager could be designated as a project lead, project principal investigator, project scientist, research director, project executive, or some other term, as defined in the project’s governing document.

Risk Assessment. The value-based analysis of an information system’s security posture.

Risk Management. The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

Security Posture. The overall state of an information system’s confidentiality, integrity, and availability in the face of an ever-changing risk landscape.

Security-relevant function. Any manner of process or range of capabilities that can potentially impact the operation or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.

System Development Life Cycle. The full scope of activities conducted by ISOs associated with a system during its lifespan. The lifecycle begins with the project initiation phase and ends with the system disposal phase.

Technical Control. The collection of tactical NIST SP 800-53 controls dedicated to information system security.

| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL |
| NODIS Library | Legal Policies(2000s) | Search |


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.