
NASA Procedural Requirements
NPR 2810.1F
Effective Date: January 03, 2022
Expiration Date: January 03, 2027
COMPLIANCE IS MANDATORY FOR NASA EMPLOYEES

Subject: Security of Information and Information Systems

Responsible Office: Office of the Chief Information Officer



Chapter 3. Protect Function

3.1 Identity Management and Access Control

3.1.1 Overview

3.1.1.1 This section establishes requirements for identity management and access control.

3.1.1.2 NPR 2841.1, Identity, Credential, and Access Management (ICAM) establishes requirements for issuance, management, verification, and revocation of identities and credentials. Such identities and credentials govern both physical and logical access to NASA assets.

3.1.2 Physical Access Policy

3.1.2.1 The Center CIO shall work with the Center Chief of Security, and the Center Facilities organization to ensure physical and environmental controls are met for the information systems at their Centers.

3.1.2.2 The ISO shall:

a. Approve personnel access to secured or restricted physical information system facilities and locations.

b. Establish and maintain a list of all personnel authorized to access secured or restricted physical information system facilities and locations.

c. Validate physical and environmental security controls and monitoring capabilities.

3.1.2.3 The Center Chief of Security, under the policy guidance of the Assistant Administrator of the Office of Protective Services, shall:

a. Ensure the implementation of physical and environmental security controls.

b. Ensure the capability to monitor physical and environmental security controls.

3.1.3 Remote Access Policy

3.1.3.1 The ISO shall:

a. Ensure only devices that are authorized and approved for remote access to the information system to which they are connecting are granted remote access in a manner consistent with organizational defined values.

b. Ensure that all remote access is routed through NASA CIO-authorized remote access points.

3.1.3.2 Program Managers and Project Managers shall ensure, with respect to any information system in a program or project under their control, that all remote access is routed through authorized NASA access control points.

3.1.3.3 The NASA User shall:

a. Use only NASA authorized and approved devices for remote access to NASA non-public information systems.

b. Take every reasonable effort to ensure the confidentiality, integrity, and availability of information and information systems used remotely and understand the consequences for mishandling.

3.1.4 Access Permissions and Authorization Policy

3.1.4.1 The ISO shall:

a. Administer accounts for their information systems in a way that provides separation of duties, avoids potential conflicts of interest, and grants NASA users the least privilege necessary to perform their respective duties.

b. Manage, in consideration of the IO, access to the information system, and with which privileges users will be authorized.

c. Ensure that any public facing service that requires a login is secured by multi-factor authentication (MFA).

d. Configure all systems and services to permit only authorized connections.

e. Manage all systems and services in a “deny by default, permit by exception” configuration for all ports, protocols, and services.

3.1.4.2 The IO may offer guidance to the ISO regarding management of access to the information system, and with which privileges users will be empowered.

3.1.4.3 The Center Chief of Security or the Assistant Administrator of the Office of Protective Services shall ensure the distribution and management of physical authenticators (i.e., PIV cards).

3.1.4.4 The NASA CIO shall ensure the distribution and management of any other authentication tokens.

3.1.5 Network Integrity Policy

3.1.5.1 The SAISO shall ensure that NASA maintains a Network Access Control Policy to monitor, control, prevent, or regulate device and system access to NASA networks.

3.1.6 Identity Policy

3.1.6.1 The NASA CIO shall provide a NASA-wide framework for identity and authentication management.

3.1.6.2 The ISO shall leverage the Agency identification and authentication framework for applications.

3.1.6.3 The NASA User shall protect identification and authentication information from unauthorized disclosure.

3.1.7 Authentication Policy

3.1.7.1 The SAISO shall:

a. Ensure dissemination of the NASA appropriate use policy statement, based on NPD 2540.1, Personal Use of Government Office Equipment Including Information Technology, and the NASA consent banner.

b. Ensure that the NASA consent disclaimer requirements for internal systems are met through the display of the appropriate use and consent banner statements.

3.1.7.2 The ISO shall:

a. Leverage the Agency identification and authentication framework for applications.

b. Maintain account management capabilities (e.g., account creation, privilege configuration, maintenance, and deletion) for information systems.

c. Ensure the appropriate use and warning banner is displayed by their information system.

d. Establish documented rules for appropriate use and protection of information (e.g., rules of behavior).

3.1.7.3 The NASA User shall comply with all appropriate use policies.

3.2 Awareness and Training

3.2.1 Overview

3.2.1.1 This section establishes requirements for information security awareness and training to ensure that NASA’s personnel and partners are trained to perform their cybersecurity-related duties and responsibilities consistent with NASA policies, procedures, and agreements.

3.2.2 Awareness and Training Policy

3.2.2.1 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.

3.2.2.2 The SAISO shall:

a. Develop, maintain, and promote NASA-wide information security awareness and training.

b. Define and make available all Agency information security awareness and training requirements. This includes general knowledge requirements that pertain to all NASA Users as well as role-based requirements targeted at managers, information security professionals, and others.

c. Define educational courses and materials that can be used to satisfy Agency information security awareness and training requirements.

d. Oversee the fulfillment of training requirements across the Agency and for external stakeholders, to include tracking and reporting on the completion of information security awareness and training requirements in the Agency system of record.

e. Maintain the NASA User Rules of Behavior and track user annual acceptance.

3.2.2.3 The ISO shall:

a. Allow access to information systems only to users who comply with all Agency information security awareness and training requirements.

b. Ensure all personnel supporting the information system whose roles include significant information security responsibilities or elevated privileges comply with the role-based information security awareness and training requirements.

3.2.2.4 The NASA User shall:

a. Comply with role-based information security and awareness training requirements.

b. Acknowledge acceptance of the Agency User Rules of Behavior annually.

3.2.2.5 The Assistant Administrator of the Office of the Chief Human Capital Officer shall ensure the availability of a NASA-wide platform for training delivery, as well as training results and training records management.

3.3 Data Security

3.3.1 Overview

3.3.1.1 This section establishes requirements for data security to ensure that information and records are managed consistent with NASA’s risk management policies and procedures to protect the confidentiality, integrity, and availability of information.

3.3.2 Data-at-Rest Protection Policy

3.3.2.1 The ISO shall ensure that information stored on, transmitted, or processed by their information system is protected by encryption performed in accordance with a NIST-approved encryption algorithm provided through either:

a. A FIPS-140-2 or FIPS-140-3 cryptographic module validated through the Cryptographic Module Validation Program (CMVP), or

b. A cryptographic module approved for the protection of classified national security information.

In the event that the use of encryption is technically unfeasible or would demonstrably affect the system's ability to carry out its respective mission, functions, or operations, approval shall be granted in writing from the NASA CIO before an Authorizing Official may consider granting an Authorization to Operate.

3.3.2.2 The NASA User shall secure and protect media under their control using access restriction and/or sanitization (in accordance with the requirements of section 3.4.7.1).

3.3.3 Data-in-Transit Protection Policy

3.3.3.1 The ISO shall ensure that NASA information under their control is protected by suitable encryption when in transit.

3.3.4 Asset Management Policy

3.3.4.1 NPR 4200.1, NASA Equipment Management Procedural Requirements governs management of assets throughout removal, transfers, and disposition.

3.3.5 Protections Against Data Leakage

3.3.5.1 The NASA CIO shall ensure that NASA develops, implements, and maintains adequate data leakage protection for Agency common system and communications infrastructure.

3.3.5.2 The SAISO shall ensure the provision of Center-level boundary protection for systems that share a common infrastructure or services.

3.3.5.3 The Center CIO shall ensure the integration of software and hardware necessary to support system and communications requirements at their Center.

3.3.5.4 The ISO shall ensure shared resource policies, denial of service protections, boundary protection, and transmission integrity and confidentiality are implemented.

3.3.6 Development and Testing Environment Policy

3.3.6.1 The ISO shall ensure, to the extent practicable, the separation of development and testing environment(s) from production environment(s).

3.3.7 System and Information Integrity Policy

3.3.7.1 The SAISO shall:

a. Ensure that the capabilities exist to comply with NASA requirements regarding System and Information Integrity including capabilities to detect and prevent the compromise of integrity by known threats (e.g., anti-virus software, block lists) and suspected threats (e.g., automated spam classification and filtering).

b. Ensure that data is protected against unauthorized access, tampering, alteration, loss, and destruction.

3.3.7.2 The ISO shall:

a. Implement data integrity protections on their information systems.

b. Test information system security functions in accordance with requirements, and document the frequency and processes related to the tests.

3.4 Information Protection Processes and Procedures

3.4.1 Overview

3.4.1.1 This section establishes securities, processes, and procedures to manage protection of information systems and assets.

3.4.2 Information Security Baseline Configuration Policy

3.4.2.1 The SAISO shall:

a. Create and maintain processes for development, approval, distribution, and verification of information security configuration baselines for covered articles, incorporating, for example, the concept of least functionality.

b. Create and maintain processes to monitor information security baseline configuration compliance.

c. Ensure information security baseline configurations conform to federal guidelines and requirements.

3.4.2.2 The ISO shall implement the requirements and settings defined in all applicable standards and specifications established by the Agency Security Configuration Standards (ASCS).

3.4.3 System Development Life Cycle Policy

3.4.3.1 The ISO shall ensure information security considerations are managed throughout their systems' development life cycle to protect NASA information.

3.4.4 Configuration Change Control Policy

3.4.4.1 The ISO shall create, implement, and maintain configuration change control policies and processes for their system as needed.

3.4.5 Backups of information

3.4.5.1 ISOs shall back up user-level and system-level information.

3.4.6 Physical Operating Environment Policy

3.4.6.1 The SAISO shall coordinate with OPS to ensure the development and maintenance of standards and guidance for security of NASA information systems’ physical operating environments.

3.4.7 Data Destruction Policy

3.4.7.1 NASA policy is to facilitate suitable media sanitization and destruction of no longer needed data to reduce the risk of leakage of non-public NASA information to unauthorized persons or entities; provided, however, that such destruction only occurs in accordance with laws, regulations, guidance, and other NASA policies or directives governing retention and other aspects of data management.

3.4.7.2 The Center CISO shall ensure, in coordination with the Center Security Office, that sufficient equipment or services are available to facilitate media sanitization and data destruction in accordance with policy.

3.4.7.3 The OCSO (if assigned per section 1.2.3.3) shall be responsible for the sanitization of media and destruction of data according to policy for their organization.

3.4.7.4 The ISO shall be responsible for the sanitization of media and destruction of data according to policy for their information system.

3.4.7.5 The NASA User shall mitigate the risks of leakage of non-public NASA information to unauthorized persons or entities through the sanitization of media and destruction of data according to policy.

3.4.8 Protection Processes Improvement Policy

3.4.8.1 The SAISO shall identify, implement, and maintain a NASA-wide resource for the management of corrective action plans to mitigate information system security weaknesses.

3.4.8.2 The OCSO (if assigned per section 1.2.3.3) shall review and update their organization's SSPs in accordance with this directive and its associated handbooks.

3.4.8.3 The ISO shall review and update SSPs in accordance with this directive and its associated handbooks.

3.4.9 Effectiveness of Protection Technology

The SAISO shall ensure that the effectiveness of protection technology (e.g., continuous monitoring tools) is measured and shared to improve NASA’s information security posture.

3.4.10 Information Security and Human Resources Policy

3.4.10.1 The SAISO shall make all offices aware of requirements and expectations related to ICAM.

3.4.10.2 The Center CISO shall confirm that all personnel adhere to the limits of their delegated cybersecurity authority.

3.4.10.3 The ISO shall:

a. Provide oversight to ensure that personnel adhere to limits on access to information and information systems.

b. Manage or terminate access to secured resources following the transfer or termination of personnel.

3.4.10.4 The Center Chief of Security, under the policy guidance of the Assistant Administrator of the Office of Protective Services, shall implement personnel security controls.

3.4.11 Vulnerability Management

3.4.11.1 The SAISO shall:

a. Develop and maintain a Vulnerability Management Plan.

b. Establish processes and systems for the management of vulnerability, flaw remediation, and information system monitoring.

c. Ensure the proper handling of vulnerability and patch advisories, including the aggregation of such information from sources both internal and external to the Agency and the Federal government, as well as the wide distribution of such information.

3.4.11.2 The Center CISO shall facilitate the implementation of NASA flaw remediation policies and procedures at their Center.

3.4.11.3 The ISO shall:

a. Ensure the completion of vulnerability and flaw remediation activities, and document and communicate residual risks, as necessary in accordance with Federal and Agency requirements.

b. Ensure that software updates and patches remediating security flaws are applied to their system in accordance with Federal and Agency requirements.

3.5 Maintenance

3.5.1 Overview

3.5.1.1 This section establishes requirements related to maintenance and repair (including remote maintenance) of information systems.

3.5.2 Maintenance and Repair Policy

3.5.2.1 The ISO shall:

a. Develop, maintain, and implement risk-based maintenance policy and procedures.

b. Adhere to change control and configuration management processes throughout the life cycle of their information systems.

c. Maintain oversight of those authorized to perform maintenance on the components of their information system.

d. Ensure that maintenance is logged for their system.

3.6 Protective Technology

3.6.1 Overview

3.6.1.1 This section establishes requirements for management of technical information security solutions to ensure the security and resilience of systems and assets.

3.6.2 Audit and Logging Records Policy

3.6.2.1 The NASA CIO shall ensure the development and maintenance of a capability for the aggregation of NASA-wide information system logs.

3.6.2.2 The SAISO shall:

a. Maintain Agency information system record retention policies for logs, and minimum auditable events.

b. Develop and maintain log information security auditing capabilities for NASA information system logs.

3.6.2.3 The ISO shall:

a. Maintain auditing capabilities for their information system components.

b. Allocate audit record storage capacity for an information system in accordance with Agency records retention requirements.

c. Determine the priorities for audit log events, analysis, and responses. The manner of log collection, extent of the audited events, specific data per event, analysis of the event, and retention times of the audit data will be dependent upon risk levels and the technical capabilities of the components.

d. Ensure audit logs are controlled and protected from modification and unauthorized disclosure. This protection should exist throughout the life cycle of the log entry, through creation, transmission, aggregation, reduction, analysis, storage, and disposal of the log.

e. Ensure data in information systems are retained or destroyed in accordance with NASA Records Retention Schedule No 1441.1 (updated) May 18, 2020.

3.6.3 Media Protection Policy

3.6.3.1 The Center CISO shall:

a. Ensure, in coordination with the Center Security Office, that sufficient equipment and services are available to facilitate media sanitization.

b. Use encryption solutions that are compliant with federal encryption standards, NIST guidance, and are in accordance with NASA requirements regarding the protection of sensitive information to guard portable and removable digital media devices.

3.6.3.2 The NASA User shall:

a. Protect removable media devices.

b. Use only media that complies with NASA Media Use Policy (as detailed in ITS-HBK-2810.11-2B, Media Protection and Sanitization, Appendix C).

c. Mitigate the risks of data loss by securing and protecting media under their control and the information contained within those devices through encryption, access restriction, and sanitization.

3.6.3.3 The OCSO (if assigned per section 1.2.3.3), in collaboration with ISOs, shall protect and sanitize media for their organization, including the protection of data at rest.

3.6.3.4 The ISO shall protect and sanitize media for their information system, including the protection of data at rest.




DISTRIBUTION:
NODIS


This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.