Overview

NASA IT Security
 
Contacts:

Jerry Davis
Deputy CIO IT Security

Marion Meissner
Security Architecture and Engineering

Teresa Fryer
Governance and Oversight

Dana Mellerio
Security Operations

The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration, and provide cost-effective IT security services in support of NASA's systems and e-Gov initiatives. The ITS Division ensures that information technology security across NASA meets confidentiality, integrity, and availability objectives for data and information, including disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness. The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures. NPD 2810.1, NASA Information Security Policy, and NPR 2810.1, Security of Information Technology, provide more details on IT security requirements at NASA.

IT Security Hotline

Users can contact the new 24x7x365 NASA Security Operations Center (SOC) by phone, 1-877-NASA-SEC (877-627-2732) or via the SOC email address (soc@nasa.gov).

NASA IT Security Requirements

The list below presents NASA Policies, Procedures, Technical Standards and other guidance related to Information Security and IT Security at NASA. These documents cover all areas of the NASA IT environment, including IT infrastructure services, IT applications, and highly specialized IT. The requirements apply to all IT resources and information systems that store, process or transmit NASA data, or that connect to NASA networks or systems, or that are located on NASA facilities.

Contractors interested in doing business with NASA and/or providing IT services or solutions to NASA should use this list as a reference for information security requirements.

Document | Subject | Effective Date
NPR 1382.1 | NASA Privacy Procedural Requirements | August 10, 2007
NPD 1382.17G | NASA Privacy Policy | August 24, 2004
NPD 1440.6H | NASA Records Management | March 24, 2008
NPR 1441.1D | NASA Records Retention Schedules (w/Change 4, 1/31/08) | February 24, 2003
NPD 2540.1F | Personal Use of Government Office Equipment Including Information Technology | May 25, 2005
NPD 2800.1B | Managing Information Technology | March 21, 2008
NPR 2800.1 | Managing Information Technology (w/Change 1, 9/17/04) | September 17, 1998
NPD 2810.1D | NASA Information Security Policy | April 7, 2004
NPR 2810.1A | Security of Information Technology | May 16, 2006
NPD 2830.1 | NASA Enterprise Architecture | December 16, 2005
NPR 2830.1 | NASA Enterprise Architecture Procedures | February 9, 2006
NPR 7120.7 | NASA Information Technology and Institutional Infrastructure Program and Project Management Requirements | November 3, 2008

Document | Subject | Effective Date
NM2810-64 | NASA Interim Directive: Information Technology Security and Efficiency Requirements | May 22, 2008

Document | Subject | Effective Date
NITR 2800_2 | Email Services and Email Forwarding | September 18, 2009
NITR 2810_14A | Managing Elevated User Privileges on NASA Desktop and Laptop Computers | August 17, 2009
NITR 2800_1 | NASA Information Technology Waiver Requirements and Procedures | August 13, 2009
NITR 2810_21 | System and Services Acquisition Policy and Procedures | Apr 28, 2009
NITR 2810_20 | System and Communications Protection Policy and Procedures | March 11, 2009
NITR 2810_23 | NASA Authorizing Official (AO) Procedural Requirement | Mar 01, 2009
NITR 2830_1A | Networks in NASA Internet Protocol (IP) Space or NASA Physical Space | February 12, 2009
NITR 2810_22 | Media Protection Policy and Procedures | January 7, 2009
NITR 2810_17 | System Maintenance Policy and Procedures | November 12, 2008
NITR 2810_19 | Audit and Accountability Policy and Procedures | November 12, 2008
NITR 2810_15 | Contingency Planning | June 9, 2008
NITR 2810_12 | Continuous Monitoring | May 18, 2008
NITR 1382_2 | NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008 | January 28, 2008
NITR 1382_1 | Personally Identifiable Information (PII) Breach Response Policy | December 21, 2007

Document | Subject | Effective Date
ITS-HBK-0004 | Managed Elevated Privileges (EP) Implementation Guidance Handbook | October 20, 2009
ITS-SOP 0001.A | Format and Procedures for Producing IT Security SOPs | February 19, 2009
ITS-SOP 0002 | NASA's Target Vulnerability Selection Procedures | June 1, 2003
ITS-SOP 0004.A | NASA's Information Technology Requirement (NITR) Procedures | September 29, 2008
ITS-SOP 0005.B | Procedure for completing a NASA IT Security Program or System Assessment | June 19, 2007
ITS-SOP 0007.B | System Security Plan Numbering Schema | April 17, 2008
ITS-SOP 0008 | Procedure for Initiating and Managing Targeted Monitoring of electronic Data (being updated) | March 3, 2006
ITS-SOP 0012.B | Patch Selection and Reporting Procedures (being updated) | July 20, 2007
ITS-SOP 0016.C | IT Security Plan Template, Requirements, Guidance and Examples | April 17, 2008
TS-SOP 0017A | IT Security Penetration Test Plan and Rules of Engagement | June 11, 2009
ITS-SOP 0021 | Network Security Vulnerability Scanning (new memo released on 2/6/09) | October 5, 2005
ITS-SOP 0022.A | Determining Cost Impact of Information Technology Security Incidents | October 18, 2007
ITS-SOP 0030.C | IT System Certification & Accreditation Process for FIPS 199 Moderate & High Systems | July 7, 2008
ITS-SOP 0031.C | IT System Certification & Accreditation Process for FIPS 199 Low Systems | July 7, 2008
ITS-SOP 0033 | External System Identification and IT Security Requirements | July 19, 2007
ITS-SOP 0035 | Digital Media Sanitization | September 15, 2008
ITS-SOP 0040 | Contingency Planning | July 7, 2008
ITS-SOP 0043 | Procedure for Selecting and tailoring NIST SP 800-53 Common Security Controls | June 6, 2007
ITS-SOP 0044 | Procedure for Responding to a Breach of PII | December 21, 2007
ITS-SOP 0046A | Procedure for Review and Reducing PII | February 27, 2009

Document | Subject | Effective Date
EA-STD 0001.0 | Standard for Integrating Applications into the NASA Access Management, Authentication, and Authorization Infrastructure | Aug 01, 2008
EA-SOP 0003.0 | Procedures for Submitting a NASA Agency Forest (NAF) Deviation Request and Transition Plan | Aug 01, 2008
EA-SOP 0004.0 | Procedures for Submitting an Application Integration Deviation Request and Transition Plan | Aug 01, 2008
NASA-STD-2804L | Minimum Interoperability Software Suite | June 24, 2008
NASA-STD-2805L | Minimum Hardware Configurations | June 24, 2008

From | To | Subject | Effective Date
Deputy CIO for Information Technology Security | Center CIOs, Mission Directorate CIOs, Center ITSMs | Implementation Plan for NIST SP 800-53, Revision 3 Security Controls | 10/30/2009
Chief Information Officer (Acting) | Center CIOs | Delegation of Waiver Authority and Responsibility for Selected Requirements for Managing Elevated User Privileges on NASA IT Devices | 9/24/2009
Assistant Administrator for Security and Program Protection, Chief Information Officer (Acting) | NASA Center Directors | Identity, Credential, and Access Management Business Process Leads | 8/27/2009
Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs | Two-Factor Token Infrastructure | 8/5/2009
Chief Information Officer (Acting) | Officials-in-Charge of Headquarters, Center CIOs, Mission Directorate CIOs | Security and Support Policy for Smartphones | 8/3/2009
Deputy Chief Information Officer for IT Security | Center CIOs | NASA "Secure WebEx" Now Approved for Secure Meetings and Communication of SBU Data | 6/23/2009
Deputy Chief Information Officer for IT Security | Center CIOs | Certification and Accreditation Notices | 5/21/2009
Chief Information Officer (Acting) | Center CIOs | Revised Deadline for Compliance with Requirements for Managing Elevated User Privileges | 5/12/2009
Chief Information Officer (Acting) | Center CIOs | Delegation of Waiver Authority and Responsibility for Vulnerability Scanning Requirements | 5/6/2009
Chief Information Officer (Acting) | Officials-in-Charge of Headquarters Offices, NASA Center Directors | Roles and Responsibilities for Protecting NASA Sensitive But Unclassified (SBU) Information | 4/27/2009
Deputy CIO for IT Security | Center CIOs, Center ITSMs | FY 2009 Scanning and Vulnerability Elimination or Mitigation | 2/06/2009
Chief Information Officer | Officials-in-Charge of Headquarters Offices, NASA Center Directors | Personally Identifiable Information (PII) Incident Reporting | 1/14/2009
Senior Agency Information Security Officer | Center CIOs, Mission Directorate CIOs, Center ITSMs | Agency Organization-Defined Information Technology Security Controls | 12/19/2008
Chief Information Officer | All NASA Civil Service and Contractor Employees | Policy for Use of Removable Media, Such as USB Thumb Drives | 11/21/2008
Deputy CIO for IT Security | Center CIOs | NASA Security Operations Center Operations and NASIRC Transition | 10/29/2008
Chief Information Officer | Memorandum for Record | Information Technology Management Board Decisions Regarding NCI Firewall Settings and SharePoint 2007 Pilots | 10/8/2008
Deputy CIO for IT Security | Center ITSMs, Center CAOs | Certification and Accreditation Direction for FY09 | 9/17/2008
Senior Agency Official for Privacy | Official-in-Charge of Headquarters Offices, NASA Center Directors | Personally Identifiable Information (PII) Responsibilities Statement | 9/8/2008
Chief Information Officer | Center CIOs | Deployment of the Software Refresh Portal | 7/30/2008
Chief Information Officer | NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP | Requirement to Log and Verify Sensitive Data Extracts | 6/9/2008
Chief Information Officer | NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center ITSMs, Center Human Resources Directors, IEMP | Remote Access to Personally Identifiable Information (PII) | 6/9/2008
Deputy CIO for IT Security | Center ITSMs | Clarification on Requirement for Contractors to Complete NASA Annual IT Security Awareness Training | 6/6/2008
Deputy CIO for IT Security | Center CIOs, Center ITSMs, Center Training Officers | Decision to Disallow Substitutions for Basic and Managers Information Technology Security Awareness Training | 2/21/2008
Deputy CIO for IT Security | Center CIOs, Center ITSMs | System Security Documentation in RMS | 2/20/2008
Deputy CIO for IT Security | Center CIOs, Center ITSMs | Supplemental FY08 Guidance for Agency Security Configurations Standards and FDCC Reporting | 2/20/2008
Chief Information Officer | Center CIOs, Deputy CIOs | Information Discovery | 2/4/2008
Deputy CIO for IT Security | Center CIOs, Center ITSMs | Decision to Cancel Procurement Information Circular (PIC) 04-03 (System Administrator Certification Program) | 1/16/2008
Chief Information Officer | Official-in-Charge of Headquarters Offices, NASA Center Directors | Release of NPD 2200.1A, Management of NASA Scientific and Technical Information | 12/18/2007
Chief Information Officer | Center CIOs, Mission Directorate CIOs | Data at Rest Freeze | 11/15/2007
Deputy CIO for IT Security | Center CIOs, Mission Directorate CIOs | Agency Security Configuration Standards: Federal Desktop Core Configurations | 11/15/2007
Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA's OAIT Voice Systems | 7/10/2007
Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA OAIT Data Center Systems | 7/10/2007
Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA OAIT LANs | 7/10/2007
Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs, Center ITSMs | FY 2007 and FY 2008 Patch Management and Security Configuration Metrics | 4/4/2007
Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs | Meeting OMB Memoranda M-06-015 “Safeguarding Personally Identifiable Information;” M-06-016 “Protection of Sensitive Agency Information,” and M-06-019 “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments” | 10/17/2006
Deputy Administrator | Administrator/Official-in-Charge of Headquarters Offices, NASA Center Directors | Meeting NASA Information Technology Security Requirements | 7/26/2006
Deputy CIO for IT Security | Center CIOs | Designation of FIPS-199 Impact Level for NASA OAIT Desktop Systems | 04/16/06
Chief Information Officer, Chief of Strategic Communications | Official-in-Charge of Headquarters Offices, NASA Center Directors, Center CIOs, Mission Directorate CIOs | Policy Governing NASA's Publicly Accessible Web sites | 3/16/2006
Chief Information Officer, Assistant Administrator of Public Affairs | Center CIOs | Update of NASA Web site Linking Policy | 12/15/2005
Chief Information Officer | Center CIOs | Update of NASA Web site Privacy Policy | 11/28/2005