Effective Date: January 03, 2022
Expiration Date: January 03, 2027
a. This directive establishes the information security requirements for the NASA Information Security Program. The procedural requirements herein prescribe roles, responsibilities, and conditions that directly or indirectly promote information security throughout the life cycle of all NASA information and information systems, including operational technology systems.
b. This directive identifies information security policies, procedures, and practices that are related to NASA's mission, and consistent with federal laws, executive orders, directives, policies, and regulations.
c. This directive aligns roles and responsibilities of information technology (IT) security personnel to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy and NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.
d. This directive serves as a reference to the NASA community regarding specific information security roles and responsibilities, and it provides resources where more detailed information may be found.
e. This directive implements cybersecurity policy best practices and guidance, particularly those outlined in NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations; NIST SP 800-37; NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security; NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations; NIST SP 800-60 Vol. 1 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories; NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security; NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; NIST SP 800-160 Vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach; and NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations; the referenced NASA policy documents, specifications, and standards; and the requirements mandated by Federal Information Processing Standards (FIPS), across all corporate, project, and mission elements (ground and flight systems).
a. This directive applies to NASA Headquarters and all NASA Centers, including Component Facilities and Technical and Service Support Centers.
(1) For purposes of this directive, NASA Headquarters is treated as a Center. Further, all roles and responsibilities of a Center Chief Information Officer (CIO) apply to NASA Headquarters CIO and all stipulated Center requirements apply to NASA Headquarters.
b. This directive applies to contractors, recipients of grants, cooperative agreements, or other agreements only to the extent specified or referenced in the contracts, grants, or agreements.
c. This directive applies to all unclassified NASA information and NASA information systems, including those that are contracted out, outsourced to, or operated by:
(1) Government owned, contractor operated (GOCO) facilities;
(2) partners under the Space Act;
(3) partners under the Commercial Space Act of 1997;
(4) partners under cooperative agreements; or
(5) commercial or university facilities.
d. This directive does not apply to information systems that do not process NASA information, and are merely incidental to a contract (e.g., a contractor's payroll and personnel management system).
(1) In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term “shall.” The terms “may” or “can” denote discretionary privilege or permission; “should” denotes a good practice that is recommended but not required; “will” denotes an expected outcome; and “are/is” denotes descriptive material.
e. This directive does not apply to Classified National Security Information (CNSI). CNSI is the responsibility of the Office of Protective Services (OPS) and is covered under CNSI policy and requirements contained in NASA Procedural Requirement (NPR) 1600.2, NASA Classified National Security Information (CNSI) and NPR 1600.1, NASA Security Program Procedural Requirements.
f. This directive applies to all NASA users of information systems (e.g., civil servants and contractors) when supporting Agency projects, programs, and missions.
g. In this directive all document citations are assumed to be the latest version unless otherwise noted.
a. Freedom of Information Act, 5 U.S.C. § 552, et seq.
b. Privacy Act of 1974, 5 U.S.C. § 552a.
c. Violation of Regulations of National Aeronautics and Space Administration, 18 U.S.C. § 799.
d. Inspector General Act of 1978, 5 U.S.C. App. III.
e. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510, et seq.
f. Clinger-Cohen Act of 1996, 40 U.S.C. § 11101 et seq.
g. Federal Information Technology Acquisition Reform Act (FITARA) of 2014, 40 U.S.C. § 11319 et seq.
h. E-Government Act of 2002, 44 U.S.C. § 101.
i. Paperwork Reduction Act of 1995, 44 U.S.C. § 3501, et seq.
j. Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq.
k. Export Control Reform Act of 2018, 50 U.S.C. §§ 4801-4852.
l. National Aeronautics and Space Act, 51 U.S.C. § 20113(e).
m. Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, E.O. 13800, 82 FR 22391 (2017).
n. Availability of Agency Records to Members of the Public, 14 Code of Federal Regulations (CFR) pt. 1206.
o. Export Administration Regulations, 15 CFR pts. 730-774.
p. International Traffic in Arms Regulations, 22 CFR pts. 120-130.
q. National Telecommunications and Information System Security (NTISS) 1, National Policy on Application of Communications Security to U.S. Civil and Commercial Space Systems, June 17, 1982.
r. NTISS 100, National Policy on Application of Communications Security to Command Destruct Systems, February 17, 1988.
s. Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, December 2003.
t. HSPD-12, Policies for a Common Identification Standard for Federal Employees and Contractors, August 2004.
u. HSPD-20, National Continuity Policy.
v. GAO-09-232G, Federal Information System Controls Audit Manual (FISCAM).
a. NASA Federal Acquisition Regulations (FAR) Supplement, 48 CFR Chapter 18.
b. NPD 1000.0, NASA Governance and Strategic Management Handbook.
c. NPD 1000.3, The NASA Organization.
d. NPD 2540.1, Personal Use of Government Office Equipment Including Information Technology.
e. NPD 2810.1, NASA Information Security Policy.
f. NASA Records Retention Schedule No. 1441.1 (updated May 18, 2020).
g. NPR 1600.1, NASA Security Program Procedural Requirements.
h. NPR 1600.2, NASA Classified National Security Information (CNSI).
i. NPR 2841.1, Identity, Credential, and Access Management.
j. NPR 4200.1, NASA Equipment Management Procedural Requirements.
k. NPR 8000.4, Agency Risk Management Procedural Requirements.
l. NASA Advisory Implementing Instruction (NAII) 1050.3, NASA Partnership Guide.
m. NASA-STD-1006, Space System Protection Standard.
n. NASA-SPEC-2600, Enumeration of ASCS Cybersecurity Requirements.
o. NIST Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
p. NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations.
q. NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.
r. NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations.
s. NIST SP 800-60, Vol. 1, Guide for Mapping Types of Information and Information Systems to Security Categories, and Vol. 2, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories.
t. NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security.
u. NIST SP 800-160 Vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach.
v. NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
w. ITS-HBK-2810.11-2B, Media Protection and Sanitization.
x. Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-02, Securing High Value Assets.
a. Federal regulatory and NASA requirements drive the obligation to measure performance and reduce cost. These measurements will be based upon NASA's goals and objectives and be designed to provide substantive justification for decision-making. The measures will be used to gauge the effectiveness of the information security program, policies, and requirements.
b. The NIST Cybersecurity Framework is the fundamental basis of such measurement.
c. The Senior Agency Information Security Officer (SAISO) will provide assessments or audits of the application of this directive. Assessments and audits will consist of reporting from the Centers, including information collected to satisfy Office of Management and Budget (OMB) and FISMA reporting requirements.
d. All covered entities are subject to information security compliance reviews and audits by NASA.
a. NPR 2810.1A, Security of Information Technology, dated May 16, 2006.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.