NASA Procedural Requirements
NPR 2810.2A Effective Date: October 03, 2024 Expiration Date: October 03, 2029
1.1.1 Federal law, regulations, and policy require that NASA information, information technology (IT), and networks be protected. This directive outlines requirements and responsibilities to protect NASA information, IT systems, and networks while NASA Users are outside of the U.S.
1.1.2 IT devices and systems are vulnerable to eavesdropping, interception, and theft. Operating outside the U.S. increases these risks, mainly where telecommunication networks are owned or controlled by the host government. IT devices are always at risk for introducing malicious software, and such risks are greater when devices leave the user's physical control. These risks are the greatest when traveling to/through or from the Russian Federation (hereafter referred to as Russia) or countries on the NASA Office of International and Interagency Relations Designated Countries List (DCL). See P.4.e.
1.1.3 External directives and processes manage travel approval, concurrence, and authorization from non-OCIO entities, e.g., Office of International and Interagency Relations (OIIR) NPR 2190.1, NASA Export Control Program compliance, NPR 9710, General Travel Requirements, Office of Protective Services (OPS), Office of Procurement (OP), Office of the Chief Human Capital Officer (OCHCO), etc.
1.1.4 The OCIO shall confirm certain conditions are met before fulfilling the request for IT support for operations outside the U.S.
1.1.5 When travel will be to/through or from Russia or a country on the DCL, this support will take the form of specially configured OCIO Workplace and Collaboration Services (WCS)-managed loaner devices and not the devices NASA Users use regularly while inside the U.S., per NASA-SPEC-2675, International Travel Version 1.3. No other loaner device or devices that NASA Users use regularly will be used for travel outside the U.S. to or from one of these countries.
1.1.6 The use of unauthorized devices to access non-public NASA information to conduct official NASA business is not allowed. This directive also covers downloaded information and information created during international travel.
1.2.1 NASA Users shall take outside the U.S. only NASA non-public information that is required to accomplish official duties.
1.2.2 NASA Users shall access, store, process, transmit or receive non-public NASA data only on authorized NASA devices, as specified in 1.1.5 above. Special handling may be required for data that is protected under export control, International Traffic in Arms Regulations, 22 Code of Federal Regulations (CFR) pts. 120-130, or Export Administration Regulations (EAR), 15 CFR pts. 730-774, as well as any controlled unclassified information (CUI), including personally identifiable information (PII). NASA Users are responsible for ensuring that any CUI stored on a NASA device is handled in accordance with NPR 2810.7, Controlled Unclassified Information, and that PII is handled in accordance with NPR 1382.1, NASA Privacy Procedural Requirements. NASA Users are also responsible for ensuring that they have appropriate export authorizations, in accordance with NPR 2190.1, for use of export-controlled data during authorized travel.
1.2.3 NASA Users shall use an OCIO-authorized and secured access method, e.g., NASA Virtual Private Network (VPN) and/or other OCIO-approved secure access methods, to access non-public NASA data remotely.
1.2.4 NASA Users shall never use elevated privilege accounts for general user functions nor to access corporate resources, i.e., SharePoint, O365, etc.
1.2.5 If necessary, workstation admin access, as described in NASA-SPEC-2675, will be provisioned and the NASA User shall only use it in short durations to accomplish the required task.
1.2.6 If a non-loaner device is approved to be used outside the U.S., NASA Users shall back up the device prior to travel. This backup is critical for data identification and recovery in the event of compromise, loss, theft, etc. of the traveler's device.
1.3.1 NASA Users shall physically take or mail only the minimum amount of IT devices required to accomplish official duties outside the U.S.
1.3.2 NASA Users shall obtain Center Export Control approval, when necessary, to physically hand carry, take, or mail devices approved for use outside the U.S. if they include export controlled data and the pre-travel request process has not already provided that approval.
1.3.3 NASA Users shall use NASA IT devices for official business and not share them with unauthorized individuals.
a. Prior to any travel outside the United States with NASA IT devices, NASA Users shall obtain official approval.
b. NASA Users shall then initiate the prescribed ESD Service Request to request to take such a device outside the United States. The ESD Service Request (in the Service Catalog and also linked here: Service Request) will guide the NASA User and other organizations through the request, clearance, and approval process regarding the device and NASA information on the device. No devices may be taken or mailed outside the U.S. unless this process has been completed successfully.
c. If the NASA User is traveling to/through or from Russia or a country on the DCL, the service request process will ensure an OCIO WCS-managed loaner device will be issued instead, and the NASA User may travel with this loaner device after the service request process is complete and the export letter authorizing travel outside the U.S. with the identified loaner device is provided by ESD.
d. NASA Users shall use only authorized NASA IT devices to store, process, transmit or receive NASA information while operating outside the U.S. All IT devices used during travel outside the U.S. to Russia or countries listed in the DCL are to comply with all NASA requirements for the protection of sensitive information as specified in NASA-SPEC-2675.
e. NASA Users shall not use personally furnished equipment to store, process, transmit or receive non-public NASA data while operating outside the U.S.
f. NASA Users with a NASA Mobile Device Management (MDM) solution installed on their personally owned devices shall not access the MDM solution while outside the U.S. They are responsible for uninstalling and unregistering the MDM solution from their devices prior to travel.
g. NASA Users shall only use OCIO WCS-provided Loaner Devices when traveling to/through or from Russia or a country on the DCL. These devices are configured with enhanced security standards to mitigate technical and operational risks of international travel to these countries.
h. NASA Users shall not connect authorized NASA IT devices to any non-NASA devices (e.g., removable media, smartphone, etc.) which are purchased, provided, or issued while outside of the U.S. (except for connecting removable storage media to presentation systems as explained below). The use of other U.S. Government resources is permitted for operational necessity, e.g., another US Government traveler's approved device.
(1) When required to connect authorized NASA IT removable storage media to a presentation system, e.g., projector, display screen, NASA Users shall not reconnect the removable media to any other NASA device or system unless they have been cleared by NASA Security Operations Center (SOC) Cybersecurity Incident Response Team (CIRT).
(2) When information is provided, e.g., presentations via NASA IT removable media, the NASA User shall surrender the media to the NASA SOC CIRT.
(3) The NASA SOC CIRT shall then clear, sanitize, or destroy the removable media devices.
(4) NASA Users shall not connect the removable media to any NASA IT device unless and until the media has been cleared.
(5) NASA Users shall not connect any device to public USB charging outlets (such as those in airports, hotel lobbies, etc.). Instead, NASA Users should always use electrical power outlets for charging a device.
i. NASA Users shall, upon return from travel outside the U.S., surrender all OCIO WCS-provided loaner devices back to the ESD.
(1) The NASA User shall surrender all loaner devices within one business day of return to their home residence in the U.S. This cannot be waived.
(2) The NASA User shall not, upon return from Russia or a country on the DCL, use the loaner device to access any NASA network to include on-premises, wireless, Mission network, etc. prior to surrendering it.
(3) OCIO WCS shall wipe and reload all loaner devices received with a new fresh image.
1.4.1 NASA Users shall ensure that all NASA IT devices and NASA information remain in their possession and are safeguarded commensurate with pre-travel security briefings at all times while outside the U.S.
1.4.2 NASA Users shall not:
a. Store authorized NASA IT devices in checked luggage.
b. Leave devices unattended in vehicles.
c. Leave devices unattended in public areas, i.e., airports, restaurants, conference rooms.
d. Allow unauthorized users to use the device (includes mobile hotspots).
e. Leave devices in sleep mode vs hibernate or shut down mode when not in use.
f. In any other way lose control of authorized NASA IT devices.
1.4.3 NASA Users traveling outside the U.S. with an authorized NASA IT device shall adhere to the requirements outlined in Sec. 1.4.4 a thru g when engaged or interfered with by U.S. Government or Foreign Government Authorities while traveling outside the U.S., specifically when entering or exiting sovereign borders.
1.4.4 U.S. Government and Foreign Government authorities may include but are not limited to: U.S. Customs and Border Protection (CBP), Transportation Security Administration (TSA), and/or their foreign country equivalent.
a. If U.S. Government or Foreign Government authorities confiscate or attempt to confiscate a NASA-issued IT device, the NASA User shall show their NASA credentials and request to retain custody and control of the device, noting that the device in question is the property of the U.S. Government.
b. If U.S. Government or Foreign Government authorities insist on examining or confiscating the device, the NASA User shall comply with the request to surrender the device.
c. If U.S. Government or Foreign Government authorities request access information for the NASA IT device, such as user identification or password, the NASA User shall restate their official status and that the device in question is the property of the U.S. Government.
d. If U.S. Government or Foreign Government authorities insist on device access information, the NASA User shall request to input the information directly onto the device.
e. If the NASA User is denied the ability to input the information directly and required to provide it to the U.S. or foreign authorities, they shall do so.
f. If the device is returned following the occurrence of any of the incidents above in Section 1.4, the NASA User shall power off the device and not power the device on again except for emergency contact purposes.
g. The NASA User shall not connect the device to a NASA system or network until cleared by the NASA SOC CIRT.
1.4.5 The NASA User shall contact the NASA SOC at soc@nasa.gov or 1-877-NASA-SEC (1-877-627-2732), and their supervisor immediately, but no longer than 24 hours after any of the following incidents:
a. If the NASA User is unable to maintain control of the authorized IT device.
b. If the device is lost, stolen, damaged, or suspected to have been tampered with.
c. If any of the incidents described in Sec. 1.4 occurs.
d. Unusual or suspicious activity by the device or operating system.
1.4.6 In addition to the SOC, a NASA User shall contact NASA Counterintelligence (NASA CI) at counterintelligence@nasa.gov immediately, but no longer than 24 hours after any of the following incidents:
a. Attempts by any foreign nationals or representatives of a foreign Government to possess or access NASA IT devices or information.
b. Unusual or suspicious overtures by any foreign entity to acquire NASA CUI or other sensitive information outside established official channels.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.