Effective Date: January 03, 2022
Expiration Date: January 03, 2027
|| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL ||
188.8.131.52 This section establishes requirements for identity management and access control.
184.108.40.206 NPR 2841.1, Identity, Credential, and Access Management (ICAM) establishes requirements for issuance, management, verification, and revocation of identities and credentials. Such identities and credentials govern both physical and logical access to NASA assets.
3.1.2 Physical Access Policy
220.127.116.11 The Center CIO shall work with the Center Chief of Security, and the Center Facilities organization to ensure physical and environmental controls are met for the information systems at their Centers.
18.104.22.168 The ISO shall:
a. Approve personnel access to secured or restricted physical information system facilities and locations.
b. Establish and maintain a list of all personnel authorized to access secured or restricted physical information system facilities and locations.
c. Validate physical and environmental security controls and monitoring capabilities.
22.214.171.124 The Center Chief of Security, under the policy guidance of Assistant Administrator of the Office of Protective Services shall:
a. Ensure the implementation of physical and environmental security controls.
b. Ensure the capability to monitor physical and environmental security controls.
3.1.3 Remote Access Policy
126.96.36.199 The ISO shall:
a. Ensure only devices that are authorized and approved for remote access to the information system to which they are connecting are granted remote access in a manner consistent with organizational defined values.
b. Ensure that all remote access is routed through NASA CIO-authorized remote access points.
188.8.131.52 Program Managers and Project Managers shall ensure, with respect to any information system in a program or project under their control, that all remote access is routed through authorized NASA access control points.
184.108.40.206 The NASA User shall:
a. Use only NASA authorized and approved devices for remote access to NASA non-public information systems.
b. Take every reasonable effort to ensure the confidentiality, integrity, and availability of information and information systems used remotely and understand the consequences for mishandling.
3.1.4 Access Permissions and Authorization Policy
220.127.116.11 The ISO shall:
a. Administer accounts for their information systems in a way that provides separation of duties, avoids potential conflicts of interest, and grants NASA users the least privilege necessary to perform their respective duties.
b. Manage, in consideration of the IO, access to the information system, and with which privileges users will be authorized.
c. Ensure that any public facing service that requires a login is secured by multi-factor authentication (MFA).
d. Configure all systems and services to permit only authorized connections.
e. Manage all systems and services in a “deny by default, permit by exception” configuration for all ports, protocols, and services.
18.104.22.168 The IO may offer guidance to the ISO regarding management of access to the information system, and with which privileges users will be empowered.
22.214.171.124 The Center Chief of Security or the Assistant Administrator of the Office of Protective Services shall ensure the distribution and management of physical authenticators (i.e., PIV cards).
126.96.36.199 The NASA CIO shall ensure the distribution and management of any other authentication tokens.
3.1.5 Network Integrity Policy
188.8.131.52 The SAISO shall ensure that NASA maintains a Network Access Control Policy to monitor, control, prevent, or regulate device and system access to NASA networks.
3.1.6 Identity Policy
184.108.40.206 The NASA CIO shall provide a NASA-wide framework for identity and authentication management.
220.127.116.11 The ISO shall leverage the Agency identification and authentication framework for applications.
18.104.22.168 The NASA User shall protect identification and authentication information from unauthorized disclosure.
3.1.7 Authentication Policy
22.214.171.124 The SAISO shall:
a. Ensure dissemination of the NASA appropriate use policy statement, based on NPD 2540.1, Personal Use of Government Office Equipment Including Information Technology, and the NASA consent banner.
b. Ensure that the NASA consent disclaimer requirements for internal systems are met through the display of the appropriate use and consent banner statements.
126.96.36.199 The ISO shall:
a. Leverage the Agency identification and authentication framework for applications.
b. Maintain account management capabilities (e.g., account creation, privilege configuration, maintenance, and deletion) for information systems.
c. Ensure the appropriate use and warning banner is displayed by their information system.
d. Establish documented rules for appropriate use and protection of information (e.g., rules of behavior).
188.8.131.52 The NASA User shall comply with all appropriate use policies.
184.108.40.206 This section establishes requirements for information security awareness and training to ensure that NASA’s personnel and partners are trained to perform their cybersecurity-related duties and responsibilities consistent with NASA policies, procedures, and agreements.
3.2.2 Awareness and Training Policy
220.127.116.11 All NASA officials listed in section 1.2 (relating to Roles and Responsibilities) shall complete any role-based training activities required of their position.
18.104.22.168 The SAISO shall:
a. Develop, maintain, and promote NASA-wide information security awareness and training.
b. Define and make available all Agency information security awareness and training requirements. This includes general knowledge requirements that pertain to all NASA Users as well as role-based requirements targeted at managers, information security professionals, and others.
c. Define educational courses and materials that can be used to satisfy Agency information security awareness and training requirements.
d. Oversee the fulfillment of training requirements across the Agency and for external stakeholders, to include tracking and reporting on the completion of information security awareness and training requirements in the Agency system of record.
e. Maintain the NASA User Rules of Behavior and track user annual acceptance.
22.214.171.124 The ISO shall:
a. Allow access to information systems only to users who comply with all Agency information security awareness and training requirements.
b. Ensure all personnel supporting the information system whose roles include significant information security responsibilities or elevated privileges comply with the role-based information security awareness and training requirements.
126.96.36.199 The NASA User shall:
a. Comply with role-based information security and awareness training requirements.
b. Acknowledge acceptance of the Agency User Rules of Behavior annually.
188.8.131.52 The Assistant Administrator of the Office of the Chief Human Capital Officer shall ensure the availability of a NASA-wide platform for training delivery, as well as training results and training records management.
184.108.40.206 This section establishes requirements for data security to ensure that information and records are managed consistent with NASA’s risk management policies and procedures to protect the confidentiality, integrity, and availability of information.
3.3.2 Data-at-Rest Protection Policy
220.127.116.11 The ISO shall ensure that information stored on, transmitted or processed by their information system is protected by encryption performed in accordance with a NIST approved encryption algorithm provided through either:
a. A FIPS-140-2 or FIPS-140-3 cryptographic module validated through the Cryptographic Module Validation Program (CMVP), or
b. A cryptographic module approved for the protection of classified national security information.
In the event that the use of encryption is technically unfeasible or would demonstrably affect the system's ability to carry out its respective mission, functions, or operations approval shall be granted in writing from the NASA CIO before an Authorizing Official may consider granting an Authorization to Operate.
18.104.22.168 The NASA User shall secure and protect media under their control using access restriction and/or sanitization (in accordance with the requirements of section 22.214.171.124).
3.3.3 Data-in-Transit Protection Policy
126.96.36.199 The ISO shall ensure that NASA information under their control is protected by suitable encryption when in transit.
3.3.4 Asset Management Policy
188.8.131.52 NPR 4200.1, NASA Equipment Management Procedural Requirements governs management of assets throughout removal, transfers, and disposition.
3.3.5 Protections Against Data Leakage
184.108.40.206 The NASA CIO shall ensure that NASA develops, implements, and maintains adequate data leakage protection for Agency common system and communications infrastructure.
220.127.116.11 The SAISO shall ensure the provision of Center-level boundary protection for systems that share a common infrastructure or services.
18.104.22.168 The Center CIO shall ensure the integration of software and hardware necessary to support system and communications requirements at their Center.
22.214.171.124 The ISO shall ensure shared resource policies, denial of service protections, boundary protection, and transmission integrity and confidentiality are implemented.
3.3.6 Development and Testing Environment Policy
126.96.36.199 The ISO shall ensure, to the extent practicable, the separation of development and testing environment(s) from production environment(s).
3.3.7 System and Information Integrity Policy
188.8.131.52 The SAISO shall:
a. Ensure that the capabilities exist to comply with NASA requirements regarding System and Information Integrity including capabilities to detect and prevent the compromise of integrity by known threats (e.g., anti-virus software, block lists) and suspected threats (e.g., automated spam classification and filtering).
b. Ensure that data is protected against unauthorized access, tampering, alteration, loss, and destruction.
184.108.40.206 The ISO shall:
a. Implement data integrity protections on their information systems.
b. Test information system security functions in accordance with requirements, and document the frequency and processes related to the tests.
220.127.116.11 This section establishes securities, processes, and procedures to manage protection of information systems and assets.
3.4.2 Information Security Baseline Configuration Policy
18.104.22.168 The SAISO shall:
a. Create and maintain processes for development, approval, distribution, and verification of information security configuration baselines for covered articles, incorporating, for example, the concept of least functionality.
b. Create and maintain processes to monitor information security baseline configuration compliance.
c. Ensure information security baseline configurations conform to federal guidelines and requirements.
22.214.171.124 The ISO shall implement the requirements and settings defined in all applicable standards and specifications established by the Agency Security Configuration Standards (ASCS).
3.4.3 System Development Life Cycle Policy
126.96.36.199 The ISO shall ensure information security considerations are managed throughout their systems' development life cycle to protect NASA information.
3.4.4 Configuration Change Control Policy
188.8.131.52 The ISO shall create, implement, and maintain configuration change control policies and processes for their system as needed.
3.4.5 Backups of information
184.108.40.206 ISOs shall back up user-level and system-level information.
3.4.6 Physical Operating Environment Policy
220.127.116.11 The SAISO shall coordinate with OPS to ensure the development and maintenance standards and guidance for security of NASA information systems’ physical operating environments.
3.4.7 Data Destruction Policy
18.104.22.168 NASA policy is to facilitate suitable media sanitization and destruction of no longer needed data to reduce the risk of leakage of non-public NASA information to unauthorized persons or entities; provided, however, that such destruction only occurs in accordance with laws, regulations, guidance, and other NASA policies or directives governing retention and other aspects of data management.
22.214.171.124 The Center CISO shall ensure, in coordination with the Center Security Office, that sufficient equipment or services are available to facilitate media sanitization and data destruction in accordance with policy.
126.96.36.199 The OCSO (if assigned per section 188.8.131.52) shall be responsible for the sanitization of media and destruction of data according to policy for their organization.
184.108.40.206 The ISO shall be responsible for the sanitization of media and destruction of data according to policy for their information system.
220.127.116.11 The NASA User shall mitigate the risks of leakage of non-public NASA information to unauthorized persons or entities through the sanitization of media and destruction of data according to policy.
3.4.8 Protection Processes Improvement Policy
18.104.22.168 The SAISO shall identify, implement, and maintain a NASA-wide resource for the management of corrective action plans to mitigate information system security weaknesses.
22.214.171.124 The OCSO (if assigned per section 126.96.36.199) shall review and update their organization's SSPs in accordance with this directive and its associated handbooks.
188.8.131.52 The ISO shall review and update SSPs in accordance with this directive and its associated handbooks.
3.4.9 Effectiveness of Protection Technology
The SAISO shall ensure that the effectiveness of protection technology (e.g. continuous monitoring tools) is measured and shared to improve NASA’s information security posture.
3.4.10 Information Security and Human Resources Policy
184.108.40.206 The SAISO shall make all offices aware of requirements and expectations related to ICAM.
220.127.116.11 The Center CISO shall confirm that all personnel adhere to the limits of their delegated cybersecurity authority.
18.104.22.168 The ISO shall:
a. Provide oversight to ensure that personnel adhere to limits on access to information and information systems.
b. Manage or terminate access to secured resources following the transfer or termination of personnel.
22.214.171.124 The Center Chief of Security under the policy guidance of the Assistant Administrator of Office of Protective Services shall implement personnel security controls.
3.4.11 Vulnerability Management
126.96.36.199 The SAISO shall:
a. Develop and maintain a Vulnerability Management Plan.
b. Establish processes and systems for the management of vulnerability, flaw remediation, and information system monitoring.
c. Ensure the proper handling of vulnerability and patch advisories, including the aggregation of such information from sources both internal and external to the Agency and the Federal government, as well as the wide distribution of such information.
188.8.131.52 The Center CISO shall facilitate the implementation of NASA flaw remediation policies and procedures at their Center.
184.108.40.206 The ISO shall:
a. Ensure the completion of vulnerability and flaw remediation activities, and document and communicate residual risks, as necessary in accordance with Federal and Agency requirements.
b. Ensure that software updates and patches remediating security flaws are applied to their system in accordance with Federal and Agency requirements.
220.127.116.11 This section establishes requirements related to maintenance and repair (including remote maintenance) of information systems.
3.5.2 Maintenance and Repair Policy
18.104.22.168 The ISO shall:
a. Develop, maintain, and implement risk-based maintenance policy and procedures.
b. Adhere to change control and configuration management processes throughout the life cycle of their information systems.
c. Maintain oversight of those authorized to perform maintenance on the components of their information system.
d. Ensure that maintenance is logged for their system.
22.214.171.124 This section establishes requirements for management of technical information security solutions to ensure the security and resilience of systems and assets.
3.6.2 Audit and Logging Records Policy
126.96.36.199 The NASA CIO shall ensure the development and maintenance of a capability for the aggregation of NASA-wide information system logs.
188.8.131.52 The SAISO shall:
a. Maintain Agency information system record retention policies for logs, and minimum auditable events.
b. Develop and maintain log information security auditing capabilities for NASA information system logs.
184.108.40.206 The ISO shall:
a. Maintain auditing capabilities for their information system components.
b. Allocate audit record storage capacity for an information system in accordance with Agency records retention requirements.
c. Determine the priorities for audit log events, analysis, and responses. The manner of log collection, extent of the audited events, specific data per event, analysis of the event, and retention times of the audit data will be dependent upon risk levels and the technical capabilities of the components.
d. Ensure audit logs are controlled and protected from modification and unauthorized disclosure. This protection should exist throughout the life cycle of the log entry, through creation, transmission, aggregation, reduction, analysis, storage, and disposal of the log.
e. Ensure data in information systems are retained or destroyed in accordance with NASA Records Retention Schedule No 1441.1 (updated) May 18, 2020. .
3.6.3 Media Protection Policy
220.127.116.11 The Center CISO shall:
a. Ensure, in coordination with the Center Security Office, that sufficient equipment and services are available to facilitate media sanitization.
b. Use encryption solutions that are compliant with federal encryption standards, NIST guidance, and are in accordance with NASA requirements regarding the protection of sensitive information to guard portable and removable digital media devices.
18.104.22.168 The NASA User shall:
a. Protect removable media devices.
b. Use only media that complies with NASA Media Use Policy (as detailed in ITS-HBK-2810.11-2B Media Protection and Sanitization, Appendix C.)
c. Mitigate the risks of data loss by securing and protecting media under their control and the information contained within those devices through encryption, access restriction, and sanitization.
22.214.171.124 The OCSO (if assigned per section 126.96.36.199), in collaboration with ISOs, shall protect and sanitize media for their organization, including the protection of data at rest.
188.8.131.52 The ISO shall protect and sanitize media for their information system, including the protection of data at rest.
| TOC | Preface | Chapter1 | Chapter2 | Chapter3 | Chapter4 | Chapter5 | Chapter6 | AppendixA | AppendixB | AppendixC | AppendixD | AppendixE | ALL |
|| NODIS Library | Legal Policies(2000s) | Search ||
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.