
NASA Procedural Requirements
NPR 2810.1F
Effective Date: January 03, 2022
Expiration Date: January 03, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: Security of Information and Information Systems

Responsible Office: Office of the Chief Information Officer



Appendix C Requirements Matrices

C.1 AO

Para # Requirement
1.2.3.8a Formally assume the responsibility for the operation of an information system or for the use of a designated set of common controls at an acceptable level of risk to the system, mission, and/or Agency.
1.2.3.8b Allocate sufficient resources to adequately protect information and information systems based on an assessment of organizational risks.
1.2.3.8c Assign Authorizing Official Designated Representatives (AODRs), as necessary.
1.2.3.8d Be an employee of the United States Federal Government.
2.4.2.4a Authorize to operate only systems posing an acceptable level of risk to Agency assets, data, and personnel for production operation.
2.4.2.4b Ensure that all systems undergo a complete system security assessment prior to granting an initial Authorization to Operate (ATO).
2.4.2.4c Approve or reject information system categorizations.
2.4.2.4d Grant or deny systems ATO based on an evaluation of risk to the security posture of their information systems.
2.4.2.4e Plan and assign resources for information security assessment and authorization activities.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.2 AODR

Para # Requirement
1.2.3.9a Execute the responsibilities of the AO as delegated.
1.2.3.9b Be an employee of the United States Federal Government.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.3 Assistant Administrator of Procurement

Para # Requirement
2.3.3.3a Ensure that contracting officials are aware of requirements related to information security.
2.3.3.3b Ensure the inclusion of information security requirements in all contracts and solicitations.

C.4 Assistant Administrator of the Office of Protective Services

Para # Requirement
3.1.4.3 The Center Chief of Security or the Assistant Administrator of the Office of Protective Services shall ensure the distribution and management of physical authenticators (i.e., PIV cards).

C.5 Assistant Administrator of the Office of the Chief Human Capital Officer

Para # Requirement
3.2.2.5 The Assistant Administrator of the Office of the Chief Human Capital Officer shall ensure the availability of a NASA-wide platform for training delivery, as well as training results and training records management.

C.6 Center Chief of Security

Para # Requirement
3.1.2.3a Ensure the implementation of physical and environmental security controls.
3.1.2.3b Ensure the capability to monitor physical and environmental security controls.
3.1.4.3 The Center Chief of Security or the Assistant Administrator of the Office of Protective Services shall ensure the distribution and management of physical authenticators (i.e., PIV cards).
3.4.10.4 The Center Chief of Security, under the policy guidance of the Assistant Administrator of the Office of Protective Services, shall implement personnel security controls.

C.7 Center CIO

Para # Requirement
1.2.3.2a Execute the responsibilities, comparable to those of the NASA CIO, at the Center level.
1.2.3.2b Execute the responsibilities, comparable to those of the NASA CIO, with respect to NASA facilities and systems not located at a Center as designated by the CIO.
1.2.3.2c If the Center CIO assigns an Organizational Computer Security Official (OCSO) per section 1.2.3.3, designate Center-specific OCSO responsibilities, and any necessary interfaces with the Center CISO, in a Center-level formal policy.
1.2.3.2d Be an employee of the United States Federal Government.
1.2.3.3 A Center CIO may optionally assign OCSOs to facilitate the implementation and oversight of information security within their organization.
2.2.3.1 The head of Center Protective Services and the Center CIO shall coordinate Center-wide contingency planning efforts that provide for notification, activation, response, recovery, and reconstitution of a Center's information systems as a result of damage or disruption caused by a man-made or natural disaster.
3.1.2.1 The Center CIO shall work with the Center Chief of Security and the Center Facilities organization to ensure physical and environmental controls are met for the information systems at their Centers.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
3.3.5.3 The Center CIO shall ensure the integration of software and hardware necessary to support system and communications requirements at their Center.
4.2.4.2 The Center CIO shall ensure vulnerability scanning and remediation activities are being conducted at their Center using SAISO-required tools.
5.1.2.3 The Center CIO shall support information security investigations.

C.8 Center CISO

Para # Requirement
1.2.3.5a Execute the Cybersecurity and Privacy Program at the Center level.
1.2.3.5b Assist the SAISO in enforcing NASA information security policies and procedures, and the Federal information security laws, directives, policies, and standards at the Center level.
2.2.3.3a Ensure implementation of those information system contingency planning procedures that provide for notification, activation, response, recovery, and reconstitution.
2.2.3.3b Oversee and arbitrate conflict resolution for all Center-wide information system contingency plans.
2.2.3.3c Ensure and support information system contingency plan tests, training, and exercises.
2.4.2.2a Identify and manage common threats to their Center.
2.4.2.2b Understand and communicate, with the AO, the ISO, the OCSO (if assigned), other Centers’ CISOs, and the SAISO any cybersecurity flaws associated with any information system.
2.4.2.2c Verify the correct application of information system categorization criteria and requirements.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
3.4.7.2 The Center CISO shall ensure, in coordination with the Center Security Office, that sufficient equipment or services are available to facilitate media sanitization and data destruction in accordance with policy.
3.4.10.2 The Center CISO shall confirm that all personnel adhere to the limits of their delegated cybersecurity authority.
3.4.11.2 The Center CISO shall facilitate the implementation of NASA flaw remediation policies and procedures at their Center.
3.6.3.1a Ensure, in coordination with the Center Security Office, that sufficient equipment and services are available to facilitate media sanitization.
3.6.3.1b Use encryption solutions that are compliant with federal encryption standards, NIST guidance, and are in accordance with NASA requirements regarding the protection of sensitive information to guard portable and removable digital media devices.
4.2.2.3 The Center CISO, supported by the CCRM, shall meet all continuous monitoring requirements.
4.2.4.3 The Center CISO shall ensure that all information systems and devices on NASA networks are scanned for vulnerabilities.
5.1.2.4a Coordinate with the SOC and the Agency Incident Response Manager to assist all incident response efforts and management policies, procedures, investigations, and reporting for all information systems at their Center.
5.1.2.4b Support the SOC and the Agency Incident Response Manager with all incident response tests, training, and exercises for their Center information systems.
5.2.2.2 The Center CISO shall coordinate between the incident response team and the Center privacy managers regarding breach response and handling of incidents related to sensitive information.

C.9 Center Cybersecurity Risk Manager

Para # Requirement
1.2.3.7a Support the NASA cybersecurity Risk Executive function, as defined by NIST SP 800-37.
1.2.3.7b Serve as a cybersecurity risk management resource and as a subject matter expert on assessment and authorization for all personnel at their Center.
1.2.3.7c Provide oversight for the cybersecurity risk management activities carried out by Center and mission organizations to help ensure consistent and effective risk-based decisions, in accordance with NASA policies, procedures and organizational risk tolerance.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.10 Center Directors and the Director for Headquarters Operations

Para # Requirement
1.2.2.5a With concurrence from the SAISO and the Center’s CIO, designate a Center Chief Information Security Officer (CISO) in writing.
1.2.2.5b Ensure the Center CISO has adequate staff, resources, budget, and authority to implement information security programs at their Center.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.11 CIO

Para # Requirement
1.2.2.3a Ensure confidentiality, integrity, and availability of all NASA’s information assets throughout the system life cycle.
1.2.2.3b Ensure all NASA IT is in compliance with federal and NASA Cybersecurity and Privacy Program requirements.
1.2.2.3c Commission suitable governance bodies.
1.2.2.3d Evaluate and approve the designation of Authorizing Officials (AO).
1.2.2.3e Advise senior NASA officials concerning their information security responsibilities.
1.2.2.3f Ensure the NASA enterprise architecture integrates information security considerations into the strategic, capital, and investment planning process.
1.2.2.3g Encourage the maximum reuse and sharing of information security-related information throughout the NASA community.
1.2.2.3h Develop, implement, and maintain a Controlled Unclassified Information (CUI) program which is managed in accordance with Executive Order (E.O.) 13556, Controlled Unclassified Information, and 32 CFR Part 2002, Controlled Unclassified Information.
1.2.2.3i Be an employee of the United States Federal Government.
2.1.8.1a Develop and maintain a NASA-wide Cybersecurity and Privacy Program.
2.1.8.1b Designate a SAISO.
2.2.2.1a Work with internal and external stakeholders to identify and communicate NASA’s role in the supply chain in order to inform the Supply Chain Risk Management (SCRM) requirements of section 2.6 of this document.
2.2.2.1b Work with internal and external stakeholders to identify and communicate NASA’s role in critical infrastructure.
2.3.5.1 Report to OMB on the status of NASA's Cybersecurity and Privacy Program.
3.1.4.4 The NASA CIO shall ensure the distribution and management of any other authentication tokens.
3.1.6.1 The NASA CIO shall provide a NASA-wide framework for identity and authentication management.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
3.3.5.1 The NASA CIO shall ensure that NASA develops, implements, and maintains adequate data leakage protection for Agency common system and communications infrastructure.
3.6.2.1 The NASA CIO shall ensure the development and maintenance of a capability for the aggregation of NASA-wide information system logs.
4.1.2.1 The CIO shall collect information from the ISOs to determine the baseline of network operations and expected data flows for users and systems.
5.1.2.1 The CIO shall allocate resources for a NASA-wide SOC and Incident Response Teams.

C.12 Contracting Officers or Agreement Managers

Para # Requirement
1.2.3.14 Contracting Officers, as defined in Federal Acquisition Regulation 2.101, or Agreement Managers as defined in NASA Advisory Implementing Instruction 1050.3B shall ensure that the requirements of this directive are included and in scope for all NASA contracts, Space Act agreements, cooperative agreements, partnership agreements, or other agreements pursuant to which NASA data is being processed and transmitted; IT devices are procured for a purpose that is not incidental to the contract, and/or IT devices are developed or used on a NASA network.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.13 Head of Center Protective Services

Para # Requirement
2.2.3.1 The head of Center Protective Services and the Center CIO shall coordinate Center-wide contingency planning efforts that provide for notification, activation, response, recovery, and reconstitution of a Center's information systems as a result of damage or disruption caused by a man-made or natural disaster.

C.14 IO

Para # Requirement
1.2.3.12a Exercise statutory or operational authority for specified information.
1.2.3.12b Ensure the selection of information security controls is suitable for the protection of information under their authority during generation, collection, processing, dissemination, and disposal.
3.1.4.2 The IO may offer guidance to the ISO regarding management of access to the information system, and with which privileges users will be empowered.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.15 ISO

Para # Requirement
1.2.3.10a Acquire, develop, integrate, operate, modify, maintain, and dispose of information systems.
1.2.3.10b Ensure system-level implementation of all Agency and Center requirements.
1.2.3.10c Ensure information systems are categorized in a manner that reflects the criticality of their function, and the sensitivity of the information they generate, collect, process, store, or disseminate.
1.2.3.10d Allocate resources to protect information and information systems based on an assessment of system risks.
1.2.3.10e Ensure that information security controls are implemented according to a thorough risk-based analysis of their information systems' security postures.
1.2.3.10f Provide necessary assessment documentation, as required.
1.2.3.10g Take proper actions to identify, and minimize or eliminate, information system security deficiencies and weaknesses.
1.2.3.10h Communicate feedback to the Center CISO, OCSO (if assigned per section 1.2.3.3), and AO regarding the impact of Agency and Center-wide information security requirements on the operation of their information systems.
1.2.3.10i Ensure funding requests for information security requirements are included in annual budgeting submissions.
1.2.3.10j Utilize, to the extent possible, Agency-provided information system infrastructure.
1.2.3.10k Ensure that custom software developed for use on NASA information systems is implemented securely, in a manner that reflects the criticality of its function, and the sensitivity of the information it generates, collects, processes, stores, or disseminates.
1.2.3.10l For a given program or project, develop a clear description of the information and system that is protected and evaluate the scope of information security resources that may be required for the project.
1.2.3.10m Appoint an Information Systems Security Officer (ISSO) to carry out provisions listed in 1.2.3.13.
2.1.2.2a Ensure that information system components are identified and documented.
2.1.2.2b Maintain, in the NASA system of record (i.e., RISCS), an accurate, up-to-date inventory of data, devices, systems, and facilities under their ownership monthly.
2.1.2.2c Provide such inventory to the Office of the Chief Information Officer (OCIO) in such manner and format that the SAISO determines.
2.1.3.2a Ensure the inventory required by section 2.1.2.1 includes all physical and virtual devices and systems.
2.1.3.2b Provide the NASA SAISO with such inventory.
2.1.4.2a Ensure the inventory required by section 2.1.2.1 includes all software platforms and applications.
2.1.4.2b Provide the NASA SAISO with such inventory.
2.1.5.2a Maintain and update documentation regarding system interconnections.
2.1.5.2b Provide the NASA SAISO with a mapping of information system communications and data flows.
2.1.5.2c Develop Memoranda of Agreements (MOA), Memoranda of Understandings (MOU), and Interconnection Security Agreements (ISA) for their systems.
2.1.5.2d Review and update such MOAs, MOUs, and ISAs annually.
2.1.6.2 An ISO shall provide the NASA SAISO, in the NASA system of record (i.e., RISCS), with an inventory of external information systems under their supervision.
2.2.3.4a Develop, test, implement, and maintain information system contingency plans.
2.2.3.4b Document assessment, recovery, and restoration procedures.
2.2.3.4c Ensure that the contingency plan documentation is maintained in a ready state and accurately reflects system requirements, procedures, organizational structure, and policies.
2.2.3.4d Ensure that recovery and restoration procedures outlined in information system contingency plans satisfy a risk-based analysis of the business needs and objectives of the information system and Agency at large.
2.2.3.4e Ensure that information system contingency plan documentation is at a level sufficient to permit a coordinated response at the Center and/or the Agency level.
2.2.3.4f Test, evaluate, and document contingency plans for accuracy, completeness, and effectiveness via a periodic test, training, and exercise program at a frequency in accordance with Agency Defined Values.
2.3.2.2 Maintain information security documentation in the NASA-wide information security document repository required by section 2.3.2.1b.
2.3.5.3a Develop and maintain a System Security Plan (SSP) for their information systems.
2.3.5.3b Ensure that all SSPs are developed and tailored to address the threats and associated risks faced by the system.
2.3.5.3c Ensure that required system and services acquisition policy and procedures are implemented for their information systems and documented in the associated SSPs.
2.3.5.3d Establish system-level rules of behavior.
2.3.5.3e Assist in the development of information security requirements for inclusion in solicitations and resulting contracts for acquisitions made in support of their information.
2.4.2.5a Assess information systems for risk in accordance with Agency policy and procedures.
2.4.2.5b Create POA&Ms or provide a documented AO acceptance of risk related to any identified system information security deficiencies or weaknesses.
2.4.2.5c Complete POA&M tasks.
2.4.2.5d Apply resources towards the mitigation of identified risks to minimize threats to system performance.
2.4.2.5e Ensure that systems that are identified as posing unacceptable risk to other Agency operations or resources are communicated to the Center CISO and AO and mitigated in a manner that ensures the protection of Agency assets, data, and personnel.
2.4.2.5f Inform key officials of pending assessment and authorization activities.
2.4.2.5g Plan and advocate for the availability of resources for assessment and authorization activities.
2.4.2.5h Perform an information system risk analysis for their systems that can be used to support development of Agency information security baselines.
2.4.2.5i Seek an authorization from the AO prior to the operation of an information system and if changes to the system or its operating environment warrant a reauthorization.
2.6.2.2a Understand the level of risk to an information system related to the information that is necessarily disclosed to vendors and suppliers during the acquisition process.
2.6.2.2b Establish a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
3.1.2.2a Approve personnel access to secured or restricted physical information system facilities and locations.
3.1.2.2b Establish and maintain a list of all personnel authorized to access secured or restricted physical information system facilities and locations.
3.1.2.2c Validate physical and environmental security controls and monitoring capabilities.
3.1.3.1a Ensure only devices that are authorized and approved for remote access to the information system to which they are connecting are granted remote access in a manner consistent with organizational defined values.
3.1.3.1b Ensure that all remote access is routed through NASA CIO-authorized remote access points.
3.1.4.1a Administer accounts for their information systems in a way that provides separation of duties, avoids potential conflicts of interest, and grants NASA users the least privilege necessary to perform their respective duties.
3.1.4.1b Manage, in consideration of the IO, access to the information system, and with which privileges users will be authorized.
3.1.4.1c Ensure that any public facing service that requires a login is secured by multi-factor authentication (MFA).
3.1.4.1d Configure all systems and services to permit only authorized connections.
3.1.4.1e Manage all systems and services in a “deny by default, permit by exception” configuration for all ports, protocols, and services.
3.1.6.2 The ISO shall leverage the Agency identification and authentication framework for applications.
3.1.7.2a Leverage the Agency identification and authentication framework for applications.
3.1.7.2b Maintain account management capabilities (e.g., account creation, privilege configuration, maintenance, and deletion) for information systems.
3.1.7.2c Ensure the appropriate use and warning banner is displayed by their information system.
3.1.7.2d Establish documented rules for appropriate use and protection of information (e.g., rules of behavior).
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
3.2.2.3a Allow access to information systems only to users who comply with all Agency information security awareness and training requirements.
3.2.2.3b Ensure all personnel supporting the information system whose roles include significant information security responsibilities or elevated privileges comply with the applicable role-based information security awareness and training requirements.
3.3.2.1 The ISO shall ensure that information stored on, transmitted, or processed by their information system is protected by encryption performed in accordance with a NIST approved encryption algorithm provided through either:
a. A FIPS-140-2 or FIPS-140-3 cryptographic module validated through the Cryptographic Module Validation Program (CMVP), or
b. A cryptographic module approved for the protection of classified national security information.
In the event that the use of encryption is technically unfeasible or would demonstrably affect the system's ability to carry out its respective mission, functions, or operations, approval shall be granted in writing from the NASA CIO before an Authorizing Official may consider granting an Authorization to Operate.
3.3.3.1 The ISO shall ensure that NASA information under their control is protected by suitable encryption when in transit.
3.3.5.4 The ISO shall ensure shared resource policies, denial of service protections, boundary protection, and transmission integrity and confidentiality are implemented.
3.3.6.1 The ISO shall ensure, to the extent practicable, the separation of development and testing environment(s) from production environment(s).
3.3.7.2a Implement data integrity protections on their information systems.
3.3.7.2b Test information system security functions in accordance with requirements, and document the frequency and processes related to the tests.
3.4.2.2 The ISO shall implement the requirements and settings defined in all applicable standards and specifications established by the Agency Security Configuration Standards (ASCS).
3.4.3.1 The ISO shall ensure information security considerations are managed throughout their systems' development life cycle to ensure the protection of NASA information.
3.4.4.1 The ISO shall create, implement, and maintain configuration change control policies and processes for their system as needed.
3.4.5.1 ISOs shall back up user-level and system-level information.
3.4.7.4 The ISO shall be responsible for the sanitization of media and destruction of data according to policy for their information system.
3.4.8.3 The ISO shall review and update SSPs in accordance with this directive and its associated handbooks.
3.4.10.3a Provide oversight to ensure that personnel adhere to limits on access to information and information systems.
3.4.10.3b Manage or terminate access to secured resources following the transfer or termination of personnel.
3.4.11.3a Ensure the completion of vulnerability and flaw remediation activities, and document and communicate residual risks, as necessary in accordance with Federal and Agency requirements.
3.4.11.3b Ensure that software updates and patches remediating security flaws are applied to their system in accordance with Federal and Agency requirements.
3.5.2.1a Develop, maintain, and implement risk-based maintenance policy and procedures.
3.5.2.1b Adhere to change control and configuration management processes throughout the life cycle of their information systems.
3.5.2.1c Maintain oversight of those authorized to perform maintenance on the components of their information system.
3.5.2.1d Ensure that maintenance is logged for their system.
3.6.2.3a Maintain auditing capabilities for their information system components.
3.6.2.3b Allocate audit record storage capacity for an information system in accordance with Agency records retention requirements.
3.6.2.3c Determine the priorities for audit log events, analysis, and responses. The manner of log collection, extent of the audited events, specific data per event, analysis of the event, and retention times of the audit data will be dependent upon risk levels and the technical capabilities of the components.
3.6.2.3d Ensure audit logs are controlled and protected from modification and unauthorized disclosure. This protection should exist throughout the life cycle of the log entry, through creation, transmission, aggregation, reduction, analysis, storage, and disposal of the log.
3.6.2.3e Ensure data in information systems are retained or destroyed in accordance with NASA Records Retention Schedule No 1441.1 (updated) May 18, 2020.
3.6.3.4 The ISO shall protect and sanitize media for their information system. This includes the protection of data at rest.
4.1.2.3 The ISO shall provide the CIO with a baseline of network operations and expected data flows for systems under their control.
4.2.2.2a Ensure capabilities to continuously monitor the security posture of their information system.
4.2.2.2b Ensure that SAISO-required cybersecurity monitoring tools are deployed to all components of their information system to collect information, and to track all events of interest.
4.2.2.2c Develop and implement a strategy for continuous monitoring of their information system, which is consistent with the Agency strategy for continuous monitoring.
4.2.2.2d Perform continuous monitoring of their information system and keep the AO informed of continuous monitoring results in support of the ongoing authorization of their information system, in accordance with NASA's implementation of the RMF.
4.2.3.2 The ISO shall ensure their system uses SAISO-required tools to detect malicious or unauthorized software and malicious or unauthorized changes to software or configuration.
5.2.2.3a Designate individuals responsible for incident response reporting and management of their information system.
5.2.2.3b Handle incident information in accordance with all data sensitivity requirements.
5.2.2.3c Support information security investigations.

C.16 ISSO

Para # Requirement
1.2.3.13a Serve as the principal advisor to the ISO on issues regarding information security.
1.2.3.13b Ensure a proper operational security posture is maintained for their information system.
1.2.3.13c Be responsible for the day-to-day security operations of their information system.
2.3.5.4 The ISSO shall assist in the development of information security requirements for inclusion in solicitations and resulting contracts for acquisitions made in support of their information systems.
2.4.2.6a Perform information system risk analyses in support of security control selection and tailoring, security control implementation including system configuration, and continuous monitoring.
2.4.2.6b In collaboration with the ISO and IO(s), perform the information system security categorization, ensuring that the selected data types reflect all information generated, collected, processed and disseminated by the information system.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
4.1.2.4 The ISSO shall assist in developing event containment and remediation strategies to minimize impact to an information system.
4.2.4.4 The ISSO shall ensure that their information systems are regularly scanned for vulnerabilities or flaws that will then be remediated using SAISO-required tools, per 3.4.11.3.
5.2.2.4 The ISSO shall report all suspected or confirmed information security incidents in a timely manner.

C.17 NASA Administrator

Para # Requirement
1.2.2.2a Ensure the security of NASA's information and information systems.
1.2.2.2b Ensure that NASA implements the NIST Cybersecurity Framework.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.18 NASA User

Para # Requirement
3.1.3.3a Use only NASA authorized and approved devices for remote access to NASA non-public information systems.
3.1.3.3b Take every reasonable effort to ensure the confidentiality, integrity, and availability of information and information systems used remotely and understand the consequences for mishandling.
3.1.6.3 The NASA User shall protect identification and authentication information from unauthorized disclosure.
3.1.7.3 The NASA User shall comply with all appropriate use policies.
3.2.2.4a Comply with applicable role-based information security and awareness training requirements.
3.2.2.4b Acknowledge acceptance of the Agency User Rules of Behavior annually.
3.3.2.2 The NASA User shall secure and protect media under their control using access restriction and/or sanitization (in accordance with the requirements of section 3.4.7.1).
3.4.7.5 The NASA User shall mitigate the risks of leakage of non-public NASA information to unauthorized persons or entities through the sanitization of media and destruction of data according to policy.
3.6.3.2a Protect removable media devices.
3.6.3.2b Not use any untrusted media (as detailed in ITS-HBK-2810.11-2B).
3.6.3.2c The NASA User shall mitigate the risks of data loss by securing and protecting media under their control, and the information contained within those devices, through the use of encryption, access restriction, and sanitization.
5.2.2.5 The NASA User shall report immediately all suspected, or actual, information security incidents to the SOC as outlined in the incident response and management handbook(s).

C.19 OCSO

Para # Requirement
1.2.3.6a Ensure compliance with information security requirements.
1.2.3.6b Serve as their organization's representative to the Center CISO on information security matters.
1.2.3.6c Report the status of the organization's information security to the Center CISO and senior organization officials.
1.2.3.6d Be an employee of the United States Federal Government.
2.4.2.3a Verify the correct application of information system categorization criteria and requirements for their organization.
2.4.2.3b Ensure the identification and management of common threats to their organization.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
3.4.7.3 The OCSO (if assigned per section 1.2.3.3) shall be responsible for the sanitization of media and destruction of data according to policy for their organization.
3.4.8.2 The OCSO (if assigned per section 1.2.3.3) shall review and update their organization's SSPs in accordance with this directive and its associated handbooks.
3.6.3.3 The OCSO (if assigned per section 1.2.3.3), in collaboration with ISOs, shall protect and sanitize media for their organization. This includes the protection of data at rest.

C.20 Officials in charge of Mission Directorates and Mission Support Offices

Para # Requirement
1.2.2.4a Appoint an information security point of contact to represent the mission on Agency programmatic strategic cybersecurity initiatives and to serve as a voting member of suitable governance bodies.
1.2.2.4b Ensure that resources are allocated to address information and information system security requirements developed under this directive for their information systems.
1.2.2.4c Ensure that their respective organizations, including missions, programs, projects, and institutions under their purview, comply with this directive, ensuring Operational Technology is also compliant.
1.2.2.4d Ensure that secure software development is being practiced for NASA projects per NPR 7150.2, NASA Software Engineering Requirements.
1.2.2.4e Ensure that secure system development is being practiced for NASA projects per NASA specifications and standards, including NASA-STD-1006 and the NASA Cybersecurity Requirements Technical Specification.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.21 Program Managers and Project Managers

C.21.1 This section includes additional resources for Program and Project Managers to assist in compliance with this directive. Additional resources are available in Appendix E.

Para # Requirement Related Roles Additional Resources
1.2.3.11a Allocate resources to protect information and information systems under their control based on an assessment of system risks. Related Roles: SAISO, Center CISO, ISO. Additional Resources: SSP.
1.2.3.11b Ensure identified cybersecurity risks accepted by AOs are also reflected in the program or project risk database(s)/system(s). Related Roles: AO. Additional Resources: Program/Project Risk Database(s)/System(s).
1.2.3.11c Include cybersecurity as part of the program and project plans for projects (e.g., incorporate the requirements of all applicable cybersecurity standards and specifications). Related Roles: SAISO, Center CISO, ISO. Additional Resources: SSP.
1.2.3.11d Identify and coordinate with ISOs for information systems under their control, ensuring greater integration of cybersecurity and mission personnel. Related Roles: Center CIO, Center CISO, ISO.
1.2.3.11e Identify and coordinate with ISOs for information systems outside their control that support and impact their mission. Related Roles: ISO.
1.2.3.11f Ensure that all information systems under Program Managers’ and Project Managers’ control are fully compliant with the requirements of this directive. Related Roles: AO, AODR, SAISO. Additional Resources: ATO package.
2.3.3.4a Ensure that projects or programs under their control implement the requirements of this directive. Related Roles: ISO, ISSO, AO. Additional Resources: ATO package.
2.3.3.4b Ensure that information security is incorporated into the planning and development of all information systems under their control by following the procedures outlined in NIST SP 800-160. Related Roles: ISO, ISSO. Additional Resources: SSP; Handbook ITS-HBK-2810.03-02B, Planning.
2.4.2.7a With the support of ISOs and ISSOs, understand and communicate to AOs any cybersecurity risks associated with any information system in a program or project under their control so that an assessment can be made of cybersecurity risk to Agency operations and resources. Related Roles: ISO, ISSO, AO. Additional Resources: SSP; ATO package.
2.4.2.7b Verify the proper application of information system categorization criteria and requirements for the programs and projects under their control. Related Roles: ISO, ISSO, AO. Additional Resources: SCAR; POA&M; ATO package.
3.1.3.2 Program Managers and Project Managers shall ensure, with respect to any information system in a program or project under their control, that all remote access is routed through authorized NASA access control points. Related Roles: ISO. Additional Resources: SSP.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

C.22 SAISO

Para # Requirement
1.2.3.4a Carry out the responsibilities delegated from the NASA CIO under FISMA (as described by section 3554(a)(3)(A) of title 44, United States Code), as well as federal and NASA Cybersecurity and Privacy Program requirements.
1.2.3.4b Establish and maintain an office with the mission and resources to ensure compliance with federal and NASA Cybersecurity and Privacy Program requirements.
1.2.3.4c Manage the NASA Cybersecurity and Privacy Program.
1.2.3.4d Keep the NASA Cybersecurity and Privacy Program current with changes in the information security environment and with changes in federal policy and guidelines.
1.2.3.4e Ensure that information security control assessments, authorizations, and OMB and FISMA reporting directives are completed across the Agency in a timely and cost-effective manner.
1.2.3.4f Serve as the NASA CIO's primary liaison with Center CISOs, AOs, Information System Owners (ISOs), and Information System Security Officers (ISSOs).
1.2.3.4g Oversee and arbitrate conflict resolution, relative to information security concerns, for all NASA-wide information systems.
1.2.3.4h Ensure the planning of a framework for the use and adoption of current and new information security technologies implemented throughout the Agency.
1.2.3.4i Maintain a process for planning, implementing, evaluating, and documenting remedial actions to address deficiencies and weaknesses in NASA's Cybersecurity and Privacy Program.
1.2.3.4j Manage the NASA System of Record for all Assessment and Authorization artifacts, including all System Security Plans. The current System of Record is the Risk Information Security Compliance System (RISCS).
1.2.3.4k Develop, implement and manage a High Value Asset (HVA) program in accordance with Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02.
1.2.3.4l Develop, implement and manage a threat monitoring and incident response program, to include the NASA Security Operations Center, for NASA HVAs in accordance with Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02.
1.2.3.4m Be an employee of the United States Federal Government.
2.1.2.1 The NASA SAISO shall ensure the maintenance of a NASA-wide information system inventory in the NASA system of record (i.e., RISCS).
2.1.3.1 The NASA SAISO shall ensure the inventory required by section 2.1.2.1 is accurate and updated with all physical and virtual devices and systems.
2.1.4.1 The NASA SAISO shall ensure the inventory required by section 2.1.2.1 is accurate and updated with all software platforms and applications.
2.1.5.1 The NASA SAISO shall maintain the mapping of information system communications and data flows in the NASA system of record.
2.1.6.1 The NASA SAISO shall ensure the inventory required by section 2.1.2.1 is accurate and updated with all external information systems.
2.1.7.1 The SAISO shall consider the value of information and information systems to NASA’s mission in the prioritization of information security effort and resources.
2.1.8.2a Manage the NASA Cybersecurity and Privacy Program.
2.1.8.2b Maintain and update, as needed to comply with federal and NASA requirements, NPD 2810.1, NPR 2810.1, and all related handbooks.
2.1.8.2c Publish and maintain such policies, procedures, NASA Information Technology Requirements (NITRs), specifications, standards, handbooks, and memoranda as may be necessary to implement the requirements of this directive.
2.2.3.2a Develop and maintain Agency-level information system contingency planning policies, procedures, and guidance for NASA, as coordinated through OPS.
2.2.3.2c Ensure that Center CISOs are coordinating a Center-based information system contingency program.
2.2.3.2d Establish recovery metrics and objectives for information systems.
2.3.2.1a Develop and document a NASA-wide NASA Cybersecurity and Privacy Program that includes an overview and descriptions of measures of performance, enterprise information security architecture, critical infrastructure, risk management strategy, and an information security assessment and authorization process.
2.3.2.1b Provision a NASA-wide repository for information security documentation.
2.3.2.1c Review, update, and augment the NASA Cybersecurity and Privacy Program.
2.3.2.1d Ensure that the NASA Cybersecurity and Privacy Program plan, policy, and requirements are implemented.
2.3.2.1e Update and disseminate Organization Defined Values via a cybersecurity specification updated at least annually.
2.3.2.1f Define a process for the development, documentation, and maintenance of plans of action and milestones (POA&M) and for the acceptance of risk.
2.3.2.1g With respect to unclassified information systems, be responsible for ensuring NASA’s implementation of the NIST RMF.
2.3.3.2 Coordinate information security compliance with internal and external resources across the Agency.
2.3.3.2a Coordinate information security reviews with the NASA Office of the Inspector General (OIG) and other external entities such as the U.S. Government Accountability Office (GAO).
2.3.3.2b Work with the NASA Office of Procurement to oversee the development and maintenance of an information security clause and to coordinate its implementation in the NASA Federal Acquisition Regulations (FAR).
2.3.4.1a Comply with OMB and FISMA reporting requirements.
2.3.4.1b Fulfill OMB and FISMA contingency plan testing requirements.
2.3.5.2a Report to the NASA Administrator on the effectiveness of NASA's Cybersecurity and Privacy Program, including the progress of remedial actions, as required by FISMA.
2.3.5.2b Include information security resource requirements in programming and budgeting documentation.
2.4.2.1a Identify and manage common cybersecurity threats to NASA.
2.4.2.1b Consistent with NPR 8000.4, define and make available an RMF that describes a uniform methodology for risk assessment that applies to all Agency internal and external systems.
2.4.2.1c Ensure the assessment, updating, and dissemination of information regarding Agency Common Controls.
2.4.2.1d Ensure the assessment, updating, and dissemination of information regarding those portions of Hybrid Controls that the Agency implements.
2.4.2.1e Manage the NASA-wide information security performance metrics program.
2.4.2.1f Work with the applicable Information Sharing and Analysis Centers (ISACs) and other relevant information sharing fora.
2.5.2.1 The SAISO shall develop and implement a Cybersecurity Risk Management Strategy, which includes:
2.5.2.1a Definition of NASA’s risk management priorities and constraints for NASA high-value assets and mission and institutional systems.
2.5.2.1b Documentation criteria as a basis for determination of NASA’s risk tolerances and assumptions.
2.5.2.1c Description of the importance of accurate and timely assessment of the likelihood and consequence severity of threats to NASA’s critical infrastructure within the unique threat environment for NASA operations.
2.5.2.1d Ensure that the underlying basis for risk acceptance decisions by AOs across NASA conforms to validated practices set forth in NPR 8000.4.
2.6.2.1a In awareness of Office of Safety and Mission Assurance roles, develop, manage, and update NASA’s Cyber SCRM process.
2.6.2.1b Identify, prioritize, and assess suppliers and third-party partners of information systems using a cyber supply chain risk assessment process.
2.6.2.1c Work with program and procurement officials in NASA to ensure that:
2.6.2.1c.(1) Contracts with suppliers and third-party partners implement measures designed to meet the objectives of this directive and the Cyber SCRM process required by section 2.6.2.1a.
2.6.2.1c.(2) Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
2.6.2.1c.(3) Response and recovery planning and testing are conducted with suppliers and third-party providers.
3.1.5.1 The SAISO shall ensure that NASA maintains a Network Access Control Policy to monitor, control, prevent, or regulate device and system access to NASA networks.
3.1.7.1a Ensure dissemination of the NASA appropriate use policy statement, based on NPD 2540.1, Personal Use of Government Office Equipment Including Information Technology, and the NASA consent banner.
3.1.7.1b Ensure that the NASA consent disclaimer requirements for internal systems are met through the display of the appropriate use and consent banner statements.
3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
3.2.2.2a Develop, maintain, and promote NASA-wide information security awareness and training.
3.2.2.2b Define and make available all Agency information security awareness and training requirements. This includes general knowledge requirements that pertain to all NASA Users as well as role-based requirements targeted at managers, information security professionals, and others.
3.2.2.2c Define educational courses and materials that can be used to satisfy Agency information security awareness and training requirements.
3.2.2.2d Oversee the fulfillment of training requirements across the Agency and for external stakeholders, to include tracking and reporting on the completion of information security awareness and training requirements in the Agency system of record.
3.2.2.2e Maintain the NASA User Rules of Behavior and track user annual acceptance.
3.3.5.2 The SAISO shall ensure the provision of Center-level boundary protection for systems that share a common infrastructure or services.
3.3.7.1a Ensure that the capabilities exist to comply with NASA requirements regarding System and Information Integrity including capabilities to detect and prevent the compromise of integrity by known threats (e.g., anti-virus software, block lists) and suspected threats (e.g., automated spam classification and filtering).
3.3.7.1b Ensure that data is protected against unauthorized access, tampering, alteration, loss, and destruction.
3.4.2.1a Create and maintain processes for development, approval, distribution, and verification of information security configuration baselines for covered articles, incorporating, for example, the concept of least functionality.
3.4.2.1b Create and maintain processes to monitor information security baseline configuration compliance.
3.4.2.1c Ensure information security baseline configurations conform to federal guidelines and requirements.
3.4.6.1 The SAISO shall coordinate with OPS to ensure the development and maintenance of standards and guidance for the security of NASA information systems’ physical operating environments.
3.4.8.1 The SAISO shall identify, implement, and maintain a NASA-wide resource for the management of corrective action plans to mitigate information system security weaknesses.
3.4.9 The SAISO shall ensure that the effectiveness of protection technology (e.g. continuous monitoring tools) is measured and shared to improve NASA’s information security posture.
3.4.10.1 The SAISO shall make all offices aware of requirements and expectations related to ICAM.
3.4.11.1a Develop and maintain a Vulnerability Management Plan.
3.4.11.1b Establish processes and systems for the management of vulnerability, flaw remediation, and information system monitoring.
3.4.11.1c Ensure the proper handling of vulnerability and patch advisories, including the aggregation of such information from sources both internal and external to the Agency and the Federal government, as well as the wide distribution of such information.
3.6.2.2a Maintain Agency information system record retention policies for logs, and minimum auditable events.
3.6.2.2b Develop and maintain log information security auditing capabilities for NASA information system logs.
4.1.2.2a Ensure the capability to detect anomalous events on NASA information systems and networks.
4.1.2.2b Establish procedures for detecting, analyzing, and responding to anomalous events.
4.2.2.1a Develop and implement a strategy for continuous monitoring of NASA information systems.
4.2.2.1b Define the acceptability of, and requirements for use of, cybersecurity monitoring tools across the Agency.
4.2.3.1a Define requirements for tools to detect malicious or unauthorized software and malicious or unauthorized changes to software or configuration.
4.2.3.1b Ensure such detection capability extends to mobile devices having access to NASA networks.
4.2.4.1a Define requirements for tools to scan NASA information systems for vulnerabilities.
4.2.4.1b Regularly review and approve the use of Agency tools for vulnerability scanning.
4.3.2.1a Ensure that detection processes and procedures comply with all requirements (e.g., law, regulations, guidance, or other NASA NPDs and NPRs).
4.3.2.1b Establish a process to test and continuously improve detection processes and procedures.
5.1.2.2a Implement and manage a NASA-wide SOC.
5.1.2.2b Designate an Agency Incident Response Manager for cybersecurity incidents.
5.1.2.2c Develop and maintain a NASA-wide Incident Response Plan, which shall contain processes and procedures for detecting, reporting, analyzing, and responding to information security incidents.
5.1.2.2d Oversee all activities related to incident response and management.
5.2.2.1a Include elements providing for coordination with internal and external stakeholders (e.g., external support from law enforcement agencies) in the incident response plan required by section 5.1.2.2c.
5.2.2.1b Support investigations into information security incidents related to criminal activity, counterintelligence, or counterterrorism.
5.2.2.1c Support investigations into information security incidents initiated by the Office of the General Counsel, the Office of the Chief Human Capital Officer, a Center's Office of Human Resources, and a Center's Office of the Chief Counsel.
5.2.2.1d Refer any suspected criminal, counterintelligence, or counterterrorism activity to the OIG and OPS.
5.2.2.1e Ensure that incidents are reported to external agencies as directed by laws and regulations.
5.3.2.1 The SAISO shall include elements in the Incident Response Plan that provide for analysis of information security incidents as required by section 5.1.2.2c.
5.4.2.1 The SAISO shall include elements that provide for containment and mitigation of information security incidents in the Incident Response Plan required by section 5.1.2.2c.
5.5.2.1 The SAISO shall incorporate lessons learned from current or prior information security incidents in the Incident Response Plan required by section 5.1.2.2c.
6.1.2.1 The SAISO shall develop and maintain a NASA-wide Incident Recovery Plan, which contains processes and procedures for incorporating lessons learned from incident response activities. The Incident Recovery Plan may be executed during or after information security incidents and may be included in the Incident Response Plan.
6.2.2.1 The SAISO shall incorporate lessons learned from current or prior incidents in the Incident Recovery Plan required by section 6.1.2.1.
6.3.2.1 The SAISO shall ensure the plan required by section 6.1.2.1 includes:
6.3.2.1a A public relations management strategy that works to restore trust in NASA’s mission capabilities.
6.3.2.1b Procedures for communications with internal and external stakeholders as well as executive and management teams.
2.2.3.2b Develop and test information security contingency plans in place to continue fulfilling the business functions of NASA in support of the Agency's mission essential functions.



DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.