| NODIS Library | Legal Policies(2000s) | Search |

NASA Ball NASA
Procedural
Requirements
NPR 2810.1F
Effective Date: January 03, 2022
Expiration Date: January 03, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES
Printable Format (PDF)

Subject: Security of Information and Information Systems

Responsible Office: Office of the Chief Information Officer


| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL |

Chapter 2. Identify Function

2.1 Asset Management

2.1.1 Overview

2.1.1.1 Section 2.1 establishes requirements and processes to identify and manage data, devices, systems, and facilities relative to NASA’s information security objectives and risk profile and risk posture.

2.1.2 Asset Management

2.1.2.1 The NASA SAISO shall ensure the maintenance of a NASA-wide information system inventory in the NASA system of record (i.e., RISCS).

2.1.2.2 An ISO shall:

a. Ensure that information system components are identified and documented.

b. Maintain, in the NASA system of record (i.e., RISCS), an accurate, up-to-date inventory of data, devices, systems, and facilities under their ownership monthly.

c. Provide such inventory to the Office of the Chief Information Officer (OCIO) in such manner and format that the SAISO determines.

2.1.3 Physical and Virtual Device and System Inventory

2.1.3.1 The NASA SAISO shall ensure the inventory required by section 2.1.2.1 is accurate and updated with all physical and virtual devices and systems.

2.1.3.2 An ISO shall:

a. Ensure the inventory required by section 2.1.2.1 includes all physical and virtual devices and systems.

b. Provide the NASA SAISO with such inventory.

2.1.4 Software Platform and Application Inventory

2.1.4.1 The NASA SAISO shall ensure the inventory required by section 2.1.2.1 is accurate and updated with all software platforms and applications.

2.1.4.2 The ISO shall:

a. Ensure the inventory required by section 2.1.2.1 includes all software platforms and applications.

b. Provide the NASA SAISO with such inventory.

2.1.5 System Interconnections

2.1.5.1 The NASA SAISO shall maintain the mapping of information system communications and data flows in the NASA system of record.

2.1.5.2 The ISO shall:

a. Maintain and update documentation regarding system interconnections.

b. Provide the NASA SAISO with a mapping of information system communications and data flows.

c. Develop Memoranda of Agreements (MOA), Memoranda of Understandings (MOU), and Interconnection Security Agreements (ISA) for their systems.

d. Review and update such MOAs, MOUs, and ISAs annually.

2.1.6 External Information Systems Catalog

2.1.6.1 The NASA SAISO shall ensure the inventory required by section 2.1.2.1 is accurate and updated with all external information systems.

2.1.6.2 An ISO shall provide the NASA SAISO, in the NASA system of record (i.e., RISCS), with an inventory of external information systems under their supervision.

2.1.7 Resource Prioritization Policy

2.1.7.1 The SAISO shall consider the value of information and information systems to NASA’s mission in the prioritization of information security effort and resources.

2.1.8 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established in this section.

2.1.8.1 The NASA CIO shall:

a. Develop and maintain a NASA-wide Cybersecurity and Privacy Program.

b. Designate a SAISO.

2.1.8.2 The SAISO shall:

a. Manage the NASA Cybersecurity and Privacy Program.

b. Maintain and update, as needed to comply with federal and NASA requirements, NPD 2810.1, NPR 2810.1, and all related handbooks.

c. Publish and maintain such policies, procedures, NASA Information Technology Requirements (NITRs), specifications, standards, handbooks, and memoranda as may be necessary to implement the requirements of this directive.

2.2 Business Environment

2.2.1 Overview

2.2.1.1 This section establishes requirements to inform NASA’s information security roles, responsibilities, and risk management decisions.

2.2.2 Supply Chain and Critical Infrastructure Identification

2.2.2.1 The NASA CIO shall:

a. Work with internal and external stakeholders to identify and communicate NASA’s role in the supply chain in order to inform the Supply Chain Risk Management (SCRM) requirements of section 2.6 of this document.

b. Work with internal and external stakeholders to identify and communicate NASA’s role in critical infrastructure.

2.2.3 Contingency Planning

2.2.3.1 The head of Center Protective Services and the Center CIO shall coordinate Center-wide contingency planning efforts that provide for notification, activation, response, recovery, and reconstitution of a Center's information systems as a result of damage or disruption caused by a man-made or natural disaster.

2.2.3.2 The SAISO shall:

a. Develop and maintain Agency-level information system contingency planning policies, procedures, and guidance for NASA, as coordinated through OPS.

b. Develop and test information security contingency plans in place to continue fulfilling the business functions of NASA in support of the Agency's mission essential functions.

c. Ensure that Center CISOs are coordinating a Center-based information system contingency program.

d. Establish recovery metrics and objectives for information systems.

2.2.3.3 The Center CISO, in coordination with OPS, shall:

a. Ensure implementation of those information system contingency planning procedures that provide for notification, activation, response, recovery, and reconstitution.

b. Oversee and arbitrate conflict resolution for all Center-wide information system contingency plans.

c. Ensure and support information system contingency plan tests, training, and exercises.

2.2.3.4 The ISO shall:

a. Develop, test, implement, and maintain information system contingency plans.

b. Document assessment, recovery, and restoration procedures.

c. Ensure that the contingency plan documentation is maintained in a ready state and accurately reflects system requirements, procedures, organizational structure, and policies.

d. Ensure that recovery and restoration procedures outlined in information system contingency plans satisfy a risk-based analysis of the business needs and objectives of the information system and Agency at large.

e. Ensure that information system contingency plan documentation is at a level sufficient to permit a coordinated response at the Center and/or the Agency level.

f. Test, evaluate, and document contingency plans for accuracy, completeness, and effectiveness via a periodic test, training, and exercise program at a frequency in accordance with Agency Defined Values.

2.3 Governance

2.3.1 Overview

2.3.1.1 This section establishes the requirements to develop policies, procedures, and processes to manage and monitor NASA’s regulatory, legal, and risk environment and operations relating to information security.

2.3.1.2 The tenets and framework of NASA's Cybersecurity and Privacy Program are spelled out in this directive and related handbooks, and the Cybersecurity and Privacy Program Plan. The policies, procedures, milestones, metrics, and responsibilities of the Cybersecurity and Privacy Program together make up the Cybersecurity and Privacy Program Plan.

2.3.2 Cybersecurity Policy

2.3.2.1 The SAISO shall:

a. Develop and document a NASA-wide NASA Cybersecurity and Privacy Program that includes an overview and descriptions of measures of performance, enterprise information security architecture, critical infrastructure, risk management strategy, and an information security assessment and authorization process.

b. Provision a NASA-wide repository for information security documentation.

c. Review, update, and augment the NASA Cybersecurity and Privacy Program.

d. Ensure that the NASA Cybersecurity and Privacy Program plan, policy, and requirements are implemented.

e. Update and disseminate Organization Defined Values via a cybersecurity specification updated at least annually.

f. Define a process for the development, documentation, and maintenance of plans of action and milestones (POA&M) and for the acceptance of risk.

g. With respect to unclassified information systems, be responsible for ensuring NASA’s implementation of the NIST RMF.

2.3.2.2 The ISO shall maintain information security documentation in the NASA-wide information security document repository required by section 2.3.2.1b.

2.3.3 Coordination of Information Security

2.3.3.1 The SAISO shall:

2.3.3.2 Coordinate information security compliance with internal and external resources across the Agency.

a. Coordinate information security reviews with the NASA Office of the Inspector General (OIG) and other external entities such as the U.S. Government Accountability Office (GAO).

b. Work with the NASA Office of Procurement to oversee the development and maintenance of an information security clause and coordinate implementation with NASA Office of Procurement as provided in the NASA Federal Acquisition Regulations (FAR), 48 CFR Ch. 18.

2.3.3.3 The Assistant Administrator of Procurement shall:

a. Ensure that contracting officials are aware of requirements related to information security.

b. Ensure the inclusion of information security requirements in all contracts and solicitations.

2.3.3.4 Program Managers and Project Managers shall:

a. Ensure that projects or programs under their control implement the requirements of this directive.

b. Ensure that information security is incorporated into the planning and development of all information systems under their control by following the procedures outlined in NIST SP 800-160, Systems Security Engineering: Consideration for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

2.3.4 Management of legal and regulatory requirements

2.3.4.1 The SAISO shall:

a. Comply with OMB and FISMA reporting requirements.

b. Fulfill OMB and FISMA contingency plan testing requirements.

2.3.5 Governance and Management Processes

2.3.5.1 The NASA CIO shall report to OMB on the status of NASA's Cybersecurity and Privacy Program.

2.3.5.2 The SAISO shall:

a. Report to the NASA Administrator on the effectiveness of NASA's Cybersecurity and Privacy Program, including the progress of remedial actions, as required by FISMA.

b. Include information security resource requirements in programming and budgeting documentation.

2.3.5.3 The ISO shall:

a. Develop and maintain a System Security Plan (SSP) for their information systems.

b. Ensure that all SSPs are developed and tailored to address the threats and associated risks faced by the system.

c. Ensure that required system and services acquisition policy and procedures are implemented for their information systems and documented in the associated SSPs.

d. Establish system-level rules of behavior.

e. Assist in the development of information security requirements for inclusion in solicitations and resulting contracts for acquisitions made in support of their information.

2.3.5.4 The ISSO shall assist in the development of information security requirements for inclusion in solicitations and resulting contracts for acquisitions made in support of their information systems.

2.4 Risk Assessment

2.4.1 Overview

2.4.1.1 This section establishes requirements for the assessment of cybersecurity risk to NASA’s operations, assets, and individuals.

2.4.2 Risk Assessment Policy

2.4.2.1 The SAISO shall:

a. Identify and manage common cybersecurity threats to NASA.

b. Consistent with NPR 8000.4, Agency Risk Management Procedural Requirements, define and make available an RMF that describes a uniform methodology for risk assessment for all Agency internal and external systems.

c. Ensure the assessment, updating, and dissemination of information regarding Agency Common Controls.

d. Ensure the assessment, updating, and dissemination of information regarding those portions of Hybrid Controls that the Agency implements.

e. Manage the NASA-wide information security performance metrics program.

f. Work with the Information Sharing and Analysis Centers (ISACs) and other relevant information sharing fora.

2.4.2.2 The Center CISO shall:

a. Identify and manage common threats to their Center.

b. Understand and communicate, with the AO, the ISO, the OCSO (if assigned), other Centers’ CISOs, and the SAISO any cybersecurity flaws associated with any information system.

c. Verify the correct application of information system categorization criteria and requirements.

2.4.2.3 The OCSO (if assigned per section 1.2.3.3) shall:

a. Verify the correct application of information system categorization criteria and requirements for their organization.

b. Ensure the identification and management of common threats to their organization.

2.4.2.4 The AO shall:

a. Authorize to operate only systems posing an acceptable level of risk to Agency assets, data, and personnel for production operation.

b. Ensure that all systems undergo a complete system security assessment prior to granting an initial Authorization to Operate (ATO).

c. Approve or reject information system categorizations.

d. Grant or deny systems ATO based on an evaluation of risk to the security posture of their information systems.

e. Plan and assign resources for information security assessment and authorization activities.

2.4.2.5 The ISO shall:

a. Assess information systems for risk in accordance with Agency policy and procedures.

b. Create POA&Ms or provide a documented AO acceptance of risk related to any identified system information security deficiencies or weaknesses.

c. Complete POA&M tasks.

d. Apply resources towards the mitigation of identified risks to minimize threats to system performance.

e. Ensure that systems that are identified as posing unacceptable risk to other Agency operations or resources are communicated to the Center CISO and AO and mitigated in a manner that ensures the protection of Agency assets, data, and personnel.

f. Inform key officials of pending assessment and authorization activities.

g. Plan and advocate for the availability of resources for assessment and authorization activities.

h. Perform an information system risk analysis for their systems that can be used to support development of Agency information security baselines.

i. Seek an authorization from the AO prior to the operation of an information system and if changes to the system or its operating environment warrant a reauthorization.

2.4.2.6 The ISSO shall:

a. Perform information system risk analyses in support of security control selection and tailoring, security control implementation including system configuration, and continuous monitoring.

b. In collaboration with the ISO and IO(s), perform the information system security categorization, ensuring that the selected data types reflect all information generated, collected, processed and disseminated by the information system.

2.4.2.7 Program Managers and Project Managers shall:

a. With the support ISOs and ISSOs, understand and communicate to AOs any cybersecurity risks associated with any information system in a program or project under their control so that an assessment can be made of cybersecurity risk to Agency operations and resources.

b. Verify the proper application of information system categorization criteria and requirements for the programs and projects under their control.

2.5 Risk Management Strategy

2.5.1 Overview

2.5.1.1 This section establishes requirements for a cybersecurity risk management strategy to work in conjunction with requirements of NPR 8000.4.

2.5.2 Risk Management Strategy

2.5.2.1 The SAISO shall develop and implement a Cybersecurity Risk Management Strategy, which includes:

a. Definition of NASA’s risk management priorities and constraints for NASA high-value assets, and mission and institutional systems.

b. Documentation criteria as a basis for determination of NASA’s risk tolerances and assumptions.

c. Description of the importance of accurate and timely assessment of the likelihood and consequence severity of threats to NASA’s critical infrastructure within the unique threat environment for NASA operations.

d. Ensure the underlying basis for risk acceptance decisions by AOs across NASA conform to validated practices set forth in NPR 8000.4.

2.6 Supply Chain Risk Management

2.6.1 Overview

2.6.1.1 This section establishes requirements for SCRM.

2.6.2 SCRM Policy

2.6.2.1 The NASA SAISO shall:

a. In awareness of Office of Safety and Mission Assurance roles, develop, manage, and update NASA’s Cyber SCRM process.

b. Identify, prioritize, and assess suppliers and third-party partners of information systems using a cyber supply chain risk assessment process.

c. Work with program and procurement officials in NASA to ensure that:

(1) Contracts with suppliers and third-party partners implement measures designed to meet the objectives of this directive and the Cyber SCRM process required by section 2.6.2.1a.

(2) Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

(3) Response and recovery planning and testing are conducted with suppliers and third-party providers.

2.6.2.2 The ISO shall:

a. Understand the level of risk to an information system related to the information that is necessarily disclosed to vendors and suppliers during the acquisition process.

b. Establish a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.



| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL |
 
| NODIS Library | Legal Policies(2000s) | Search |

DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.