
NPR 2841.1
Effective Date: January 06, 2011
Expiration Date: January 06, 2027

Subject: Identity, Credential, and Access Management (Revalidated w/change 2)

Responsible Office: Office of the Chief Information Officer



P.1 Purpose

This document establishes requirements and responsibilities for the policy set forth in NASA Policy Directive (NPD) 2800.1, in order to properly manage identity, credential, and access management (ICAM) services as an integrated end-to-end service to improve security, efficiency, and inter-Center collaboration. In order to meet Federal requirements established by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), and documented in the Federal ICAM Roadmap and Implementation Guidance, this NASA Procedural Requirement (NPR) establishes Agency-wide enterprise services that all Centers and applications will use.

P.2 Applicability

a. This NASA Procedural Requirement (NPR) is applicable to NASA Headquarters and NASA Centers, including Component Facilities and Technical and Service Support Centers. This language applies to the Jet Propulsion Laboratory (JPL), a Federally Funded Research and Development Center (FFRDC), other contractors, grant recipients, or parties to agreements only to the extent specified or referenced in the appropriate contracts, grants, or agreements.

b. In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term "shall." The terms "may" or "can" denote discretionary privilege or permission; "should" denotes a good practice and is recommended, but not required; "will" denotes expected outcome; and "are/is" denotes descriptive material.

c. In this directive, all document citations are assumed to be the latest version unless otherwise noted.

P.3 Authority

a. NPD 1600.2, NASA Security Policy.

b. NPD 2190.1, NASA Export Control Program.

c. NPD 2800.1, Managing Information Technology.

d. NPD 2810.1, NASA Information Security Policy.

e. NPR 1600.1, NASA Security Program Procedural Requirements.

P.4 Applicable Documents and Forms

a. FIPS PUB 201-2 Personal Identity Verification (PIV) for Federal Employees and Contractors.

b. X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework.

c. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, Electronic Authentication Guideline.

P.5 Measurement/Verification

a. Measurements used to determine compliance with this NPR are:

(1) Whether assets are properly registered in the asset registration system (ref. 3.6.a). To determine Center compliance with this NPR, the Office of the Chief Information Officer (OCIO) compares the asset registry with Information Technology (IT) System Security Plans, Internet Protocol (IP) address registrations, and other sources of asset data.

(2) Whether assets are properly utilizing Agency identities, credentials, and access management services. To determine Center compliance with this NPR, OCIO reviews reports from the asset registration system, IT System Security Plans, and information from ICAM services.

b. The Agency performs an Integrated Security Functional review of the ICAM program at each Center once every three years. This review utilizes a comprehensive checklist to determine compliance with all Federal and NASA ICAM laws, policies, and procedures, including this NPR. The most current checklist can be found here.

P.6 Cancellation




This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.