Effective Date: January 03, 2022
Expiration Date: January 03, 2027
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL ||
This directive establishes the information security requirements and responsibilities for NASA, relative to the policy set forth in NPD 2810.1, NASA Information Security Policy. This directive does not negate any existing policies, procedures, memos, handbooks, etc., except where explicitly stated in section P.6 Cancellation. This document is intended to provide a framework for information security and serve as an avenue for the authorization of more in-depth documents (e.g., handbooks, memoranda).
This directive is organized into six chapters: (1) Introduction; (2) Identify; (3) Protect; (4) Detect; (5) Respond; and (6) Recover.
a. The chapters in this directive align to the functional areas of version 1.1 of the NIST Cybersecurity Framework (CSF).
b. Each chapter defines the overall intent of the functional area and the roles and responsibilities specific to the area. Each chapter provides references to where more detailed requirements, procedures, and information may be found.
NASA’s SAISO establishes the Agency's Cybersecurity and Privacy Program and its overall objectives and priorities. NASA Headquarters, Centers, satellite facilities, and support service contractor sites have the latitude to use their internal organizational structure to fulfill the roles and responsibilities described herein if the approach is consistent with this directive and the more in-depth policy documents authorized by this directive.
NASA’s approach to information security is grounded in risk management. Just as a solid understanding of risk management principles is essential to the success of NASA’s space and aeronautics Missions, a solid understanding of these principles is essential to the protection of NASA information and information systems.
1.1.3 Legal Framework
1.1.3.1 Existing laws, regulations, and guidance govern NASA’s implementation of an information security program.
a. The primary statute governing information security is the Federal Information Security Modernization Act (FISMA), which defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
b. This directive establishes how NASA implements the requirements of FISMA as they relate to NASA information and information systems.
c. The Clinger-Cohen Act states that the NIST FIPS are “compulsory and binding,” 40 U.S.C. § 11331(b)(1)(C). FISMA also advocates that information security be based on “periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency,” Federal Agency Responsibilities, 44 U.S.C. § 3554(b)(1). FISMA provides flexibility regarding the application of information security controls.
To implement federal and NASA policies and requirements, FISMA allows for the delegation of responsibilities into various functional roles.
The following are overarching roles and responsibilities related to the NASA Cybersecurity and Privacy Program. Specific roles and responsibilities, as related to information security controls, are referenced throughout the remainder of this directive in their respective chapters. Additional responsibilities may be defined in in-depth policy documents authorized by this directive.
Throughout this document roles and responsibilities are generally listed at the highest level possible, with the operating assumption that specific tasks and functions may be delegated as necessary unless explicitly prohibited.
For the Jet Propulsion Laboratory (JPL), the Agency CIO will designate the roles allocated for United States federal government employees.
1.2.2 NASA Management Roles
1.2.2.1 The roles and responsibilities of NASA management are defined in NPD 1000.0, NASA Governance and Strategic Management Handbook, and further outlined in NPD 1000.3, The NASA Organization. The key roles and responsibilities specific to information security are summarized as follows:
1.2.2.2 The NASA Administrator shall:
a. Ensure the security of NASA's information and information systems.
b. Ensure that NASA implements the NIST Cybersecurity Framework.
1.2.2.3 The NASA CIO provides leadership, planning, policy direction, and oversight for the management of NASA information and information systems. The NASA CIO shall:
a. Ensure confidentiality, integrity, and availability of all NASA’s information assets throughout the system life cycle.
b. Ensure all NASA IT is in compliance with federal and NASA Cybersecurity and Privacy Program requirements.
c. Commission suitable governance bodies.
d. Evaluate and approve the designation of Authorizing Officials (AO).
e. Advise senior NASA officials concerning their information security responsibilities.
f. Ensure the NASA enterprise architecture integrates information security considerations into the strategic, capital, and investment planning process.
g. Encourage the maximum reuse and sharing of information security-related information throughout the NASA community.
h. Develop, implement, and maintain a Controlled Unclassified Information (CUI) program managed in accordance with Executive Order (E.O.) 13556, Controlled Unclassified Information, and 32 CFR part 2002, Controlled Unclassified Information.
i. Be an employee of the United States Federal Government.
1.2.2.4 Officials in charge of Mission Directorates and Mission Support Offices shall:
a. Appoint an information security point of contact to represent the mission on Agency programmatic strategic cybersecurity initiatives and serve as a voting member of suitable governance bodies.
b. Ensure that resources are allocated to address information and information system security requirements developed under this directive for their information systems.
c. Ensure that their respective organizations, including missions, programs, projects, and institutions under their purview, comply with this directive, including with respect to Operational Technology (OT).
d. Ensure that secure software development is being practiced for NASA projects per NPR 7150.2, NASA Software Engineering Requirements.
e. Ensure that secure system development is being practiced for NASA projects per NASA specifications and standards, including NASA-STD-1006, and the NASA Cybersecurity Requirements Technical Specification.
1.2.2.5 The Center Directors and the Director for Headquarters Operations shall:
a. With concurrence from the SAISO and the Center’s CIO, designate a Center Chief Information Security Officer (CISO) in writing.
b. Ensure the Center CISO has adequate staff, resources, budget, and authority to implement information security programs at their Center.
1.2.3 Information Security Roles
1.2.3.1 In addition, the following offices and roles support the development and execution of information security policy.
1.2.3.2 A Center CIO shall:
a. Where applicable, execute responsibilities comparable to those of the NASA CIO at the Center level.
b. Execute the responsibilities, comparable to those of the NASA CIO, with respect to NASA facilities and systems not located at a Center as designated by the CIO.
c. If the Center CIO assigns an Organizational Computer Security Official (OCSO) per section 1.2.3.3, designate Center-specific OCSO responsibilities, and any necessary interfaces with the Center CISO, in a Center-level formal policy.
d. Be an employee of the United States Federal Government.
1.2.3.3 A Center CIO may optionally assign OCSOs to facilitate the implementation and oversight of information security within their organization.
1.2.3.4 The SAISO shall:
a. Carry out the responsibilities delegated from the NASA CIO under FISMA (as provided for by 44 U.S.C. § 3554(a)(3)(A)), as well as federal and NASA cybersecurity and privacy program requirements.
b. Establish and maintain an office with the mission and resources to ensure compliance with federal and NASA Cybersecurity and Privacy Program requirements.
c. Manage the NASA Cybersecurity and Privacy Program.
d. Keep the NASA Cybersecurity and Privacy Program current with changes in the information security environment and with changes in federal policy and guidelines.
e. Ensure that information security control assessments, authorizations, and OMB and FISMA reporting directives are completed across the Agency in a timely and cost-effective manner.
f. Serve as the NASA CIO's primary liaison with Center CISOs, AOs, Information System Owners (ISOs), and Information System Security Officers (ISSOs).
g. Oversee and arbitrate conflict resolution, relative to information security concerns, for all NASA-wide information systems.
h. Ensure the planning of a framework for the use and adoption of current and new information security technologies implemented throughout the Agency.
i. Maintain a process for planning, implementing, evaluating, and documenting remedial actions to address deficiencies and weaknesses in NASA's Cybersecurity and Privacy Program.
j. Manage the NASA System of Record for all Assessment and Authorization artifacts, including all System Security Plans. The current System of Record is the Risk Information Security Compliance System (RISCS).
k. Develop, implement and manage a High Value Asset (HVA) program in accordance with Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02 Securing High Value Assets.
l. Develop, implement and manage a threat monitoring and incident response program, to include the NASA Security Operations Center, for NASA HVAs in accordance with DHS BOD 18-02.
m. Be an employee of the United States Federal Government.
1.2.3.5 A Center CISO shall:
a. Execute the Cybersecurity and Privacy Program at the Center level.
b. Assist the SAISO in enforcing NASA information security policies and procedures, and the Federal information security laws, directives, policies, and standards at the Center level.
1.2.3.6 An OCSO (if assigned per section 1.2.3.3) shall:
a. Ensure compliance with information security requirements.
b. Serve as their organization's representative to the Center CISO on information security matters.
c. Report the status of the organization's information security to the Center CISO and senior organization officials.
d. Be an employee of the United States Federal Government.
1.2.3.7 The Center Cybersecurity Risk Manager (CCRM) shall:
a. Support the NASA cybersecurity Risk Executive function, as defined by NIST SP 800-37.
b. Serve as a cybersecurity risk management resource and as a subject matter expert on assessment and authorization for all personnel at their Center.
c. Provide oversight for the cybersecurity risk management activities carried out by Center and mission organizations to help ensure consistent and effective risk-based decisions, in accordance with NASA policies, procedures and organizational risk tolerance.
1.2.3.8 An AO shall:
a. Formally assume the responsibility for the operation of an information system or for the use of a designated set of common controls at an acceptable level of risk to the system, mission, and/or Agency.
b. Allocate sufficient resources to adequately protect information and information systems based on an assessment of organizational risks.
c. Assign Authorizing Official Designated Representatives (AODRs), as necessary. Once designated, an AO may not further delegate their risk acceptance role as AO. However, AOs are encouraged to assign AODRs to support AO visibility into, and management of, their information systems’ cybersecurity posture.
d. Be an employee of the United States Federal Government.
1.2.3.9 An AODR shall:
a. Execute the responsibilities of the AO as delegated.
b. Be an employee of the United States Federal Government.
1.2.3.10 An ISO shall:
a. Acquire, develop, integrate, operate, modify, maintain, and dispose of information systems.
b. Ensure system-level implementation of all Agency and Center requirements.
c. Ensure information systems are categorized in a manner that reflects the criticality of their function, and the sensitivity of the information they generate, collect, process, store, or disseminate.
d. Allocate resources to protect information and information systems based on an assessment of system risks.
e. Ensure that information security controls are implemented according to a thorough risk-based analysis of their information systems' security postures.
f. Provide necessary assessment documentation, as required.
g. Take proper actions to identify, and minimize or eliminate, information system security deficiencies and weaknesses.
h. Communicate feedback to the Center CISO, OCSO (if assigned per section 1.2.3.3), and AO regarding the impact of Agency and Center-wide information security requirements on the operation of their information systems.
i. Ensure funding requests for information security requirements are included in annual budgeting submissions.
j. Utilize, to the extent possible, Agency-provided information system infrastructure.
k. Ensure that custom software developed for use on NASA information systems is implemented securely, in a manner that reflects the criticality of its function and the sensitivity of the information it generates, collects, processes, stores, or disseminates.
l. For a given program or project, develop a clear description of the information and system that is protected and evaluate the scope of information security resources that may be required for the project.
m. Appoint an Information System Security Officer (ISSO) to carry out the provisions listed in section 1.2.3.13.
1.2.3.11 Program Managers and Project Managers shall:
a. Allocate resources to protect information and information systems under their control based on an assessment of system risks.
b. Ensure identified cybersecurity risks accepted by AOs are also reflected in the program or project risk database(s)/system(s).
c. Include cybersecurity as part of the program and project plans for projects (e.g., incorporate the requirements of all applicable cybersecurity standards and specifications).
d. Identify and coordinate with ISOs for information systems under their control ensuring greater integration of cybersecurity and mission personnel.
e. Identify and coordinate with ISOs for information systems outside their control that support and impact their mission.
f. Ensure that all information systems under Program Managers’ and Project Managers’ control are fully compliant with the requirements of this directive.
1.2.3.12 An Information Owner (IO) shall:
a. Exercise statutory or operational authority for specified information.
b. Ensure the selection of information security controls is adequate for the protection of information under their authority during generation, collection, processing, dissemination, and disposal.
1.2.3.13 An Information System Security Officer (ISSO) shall:
a. Serve as the principal advisor to the ISO on issues regarding information security.
b. Ensure a proper operational security posture is maintained for their information system.
c. Be responsible for the day-to-day security operations of their information system.
1.2.3.14 Contracting Officers, as defined in Federal Acquisition Regulation 2.101, or Agreement Managers, as defined in NAII 1050.3, NASA Partnership Guide, shall ensure that the requirements of this directive are included and in scope for all NASA contracts, Space Act agreements, cooperative agreements, partnership agreements, or other agreements under which NASA data is processed or transmitted, IT devices are procured for a purpose that is not incidental to the contract, and/or IT devices are developed or used on a NASA network.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.