NASA IT Security
 
Contacts:
Valarie Burks
Deputy CIO IT Security

Dana Mellerio
Cyber Security Program Management

Howard Whyte
Security Operations

Evelyn Davis
FISMA/Compliance/IT Security Awareness and Training

Bryan McCall
Agency Privacy Programs Manager/CUI

The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration, and provide cost-effective IT security services in support of NASA's systems and e-Gov initiatives. The ITS Division ensures that information technology security across NASA meets confidentiality, integrity and availability objectives for data and information, including disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness. The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures. NPD 2810.1, NASA Information Security Policy, and NPR 2810.1, Security of Information Technology, provide more details on IT security requirements at NASA.

IT Security Hotline

Users can contact the new 24x7x365 NASA Security Operations Center (SOC) by phone, 1-877-NASA-SEC (877-627-2732) or via the SOC email address (soc@nasa.gov).

NASA IT Security Requirements

The list below presents NASA Policies, Procedures, Technical Standards and other guidance related to Information Security and IT Security at NASA. These documents cover all areas of the NASA IT environment, including IT infrastructure services, IT applications, and highly specialized IT. The requirements apply to all IT resources and information systems that store, process or transmit NASA data, or that connect to NASA networks or systems, or that are located on NASA facilities.

For IT Security related documents (e.g. IT Security Handbooks, Standards, Memoranda, and Archived Documents) contact Brenda Maxwell to request a copy. Other NASA policy documents are available via the NASA Online Directives Information System (NODIS). Contractors interested in doing business with NASA and/or providing IT services or solutions to NASA should use this list as a reference for information security requirements.

| Document | Subject | Effective Date |
|---|---|---|
| NPR 1382.1 | NASA Privacy Procedural Requirements | August 10, 2007 |
| NPD 1382.17H | NASA Privacy Policy | August 24, 2009 |
| NPD 1440.6H | NASA Records Management | March 24, 2008 |
| NPR 1441.1D | NASA Records Retention Schedules (w/Change 4, 1/31/08) | February 24, 2003 |
| NPD 2540.1G | Personal Use of Government Office Equipment Including Information Technology | June 8, 2010 |
| NPD 2800.1B | Managing Information Technology | March 20, 2009 |
| NPR 2800.1B | Managing Information Technology (w/Change 1, 9/17/04) | September 17, 1998 |
| NPD 2810.1D | NASA Information Security Policy | April 9, 2009 |
| NPR 2810.1A | Security of Information Technology (Revalidated with Change 1, dated May 19, 2011) | May 16, 2006 |
| NPD 2830.1 | NASA Enterprise Architecture | December 16, 2005 |
| NPR 2830.1 | NASA Enterprise Architecture Procedures | February 9, 2006 |
| NPR 7120.7 | NASA Information Technology and Institutional Infrastructure Program and Project Management Requirements | November 3, 2008 |
| NPR 2841.1 | Identity, Credential, and Access Management | January 6, 2016 |

| Document | Subject | Effective Date |
|---|---|---|
| NM2810-64 | NASA Interim Directive: Information Technology Security and Efficiency Requirements | May 22, 2008 |

| Document | Subject | Effective Date |
|---|---|---|
| NITR 2800_2 | Email Services and Email Forwarding | Sep 18, 2009 |
| NITR 2800_1 | NASA Information Technology Waiver Requirements and Procedures | Aug 13, 2009 |
| NITR-2830-1B | Networks in NASA IP Space or NASA Physical Space | Feb 12, 2009 |
| NITR 1382_2 | NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008 | Jan 28, 2008 |

| Document | Subject | Effective Date |
|---|---|---|
| ITS-HBK-0002 | Roles and Responsibilities Crosswalk | January 3, 2012 |
| ITS-HBK-0201 | Security Assessment and Authorization | May 6, 2011 |
| ITS-HBK-0301 | Planning | May 6, 2011 |
| ITS-HBK-0401 | Risk Assessment | May 6, 2011 |
| ITS-HBK-2810.05 | Systems and Service Acquisition | November 21, 2011 |
| ITS-HBK-0601 | Awareness and Training | May 6, 2011 |
| ITS-HBK-0701 | Configuration Management | May 6, 2011 |
| ITS-HBK-0801 | Contingency Planning | April 26, 2012 |
| ITS-HBK-0901 | Incident Response and Management | May 6, 2011 |
| ITS-HBK-1001 | Maintenance | May 6, 2011 |
| ITS-HBK-1101 | Media Protection | May 6, 2011 |
| ITS-HBK-1201 | Physical and Environmental Protection | May 6, 2011 |
| ITS-HBK-1301 | Personnel Security | May 6, 2011 |
| ITS-HBK-1401 | System and Information Integrity | May 6, 2011 |
| ITS-HBK 1501 | Access Control | December 21, 2011 |
| ITS-HBK 1502 | Access Control: Elevated Privileges (EP) | January 3, 2012 |
| ITS-HBK-1601 | Audit and Accountability | May 6, 2011 |
| ITS-HBK-1701 | Identification and Authentication | May 6, 2011 |
| ITS-HBK-1801 | System and Communications Protection | May 6, 2011 |
| ITS-HBK 0205 | Security Assessment and Authorization: External Information Systems | Nov 08, 2010 |
| ITS-HBK 0206 | Security Assessment and Authorization: Extending and Information Systems Authorization to Operate Process and Templates | Nov 10, 2010 |
| ITS-HBK-0001A | Format and Procedures for an IT Security Handbook | March 29, 2011 |
| ITS-HBK 1502 | Access Control: Elevated Privileges (EP) | Nov 8, 2010 |
| ITS-HBK 0207 | Security Assessment and Authorization: Information System Security Plan Numbering Schema | Nov 10, 2010 |
| ITS-HBK 0204 | Security Assessment and Authorization: Continuous Monitoring – Annual Security Control Assessments | Nov 08, 2010 |
| ITS-HBK 0302 | Planning: Information System Security Plan Template, Requirements, Guidance and Examples | February 9, 2011 |
| ITS-HBK 0402 | Risk Assessment: Procedures for Information System Security Penetration Testing and Rules of Engagement | February 11, 2011 |
| ITS-HBK 0202 | Security Assessment and Authorization: FIPS 199 Moderate & High Systems | Nov 10, 2010 |
| ITS-HBK 0203 | Security Assessment and Authorization: FIPS 199 Low Systems | Nov 10, 2010 |
| ITS-HBK-0035 | Digital Media Sanitization | September 15, 2008 |
| ITS-HBK 0802 | Contingency Planning: Guidance and Templates for Plan Development, Maintenance, and Test | February 11, 2011 |
| ITS-HBK 0902 | NASA Information Security Incident Management | August 24, 2011 |
| ITS-HBK 0903 | Targeted Collection of Electronic Data | August 24, 2011 |

| Document | Subject | Effective Date |
|---|---|---|
| EA-STD 0001.0 | Standard for Integrating Applications into the NASA Access Management, Authentication, and Authorization Infrastructure | Aug 01, 2008 |
| EA-SOP 0003.0 | Procedures for Submitting a NASA Agency Forest (NAF) Deviation Request and Transition Plan | Aug 01, 2008 |
| EA-SOP 0004.0 | Procedures for Submitting an Application Integration Deviation Request and Transition Plan | Aug 01, 2008 |
| NASA-STD-2804-O | Minimum Interoperability Software Suite | August 9, 2011 |
| NASA-STD-2805-O | Minimum Hardware Configurations | August 9, 2011 |

| From | To | Subject | Effective Date | Posted Date |
|---|---|---|---|---|
| CIO, Assistant Administrator for Strategic Infrastructure | Distribution | Digital Media Sanitization and Disposal Interim Actions | 8/3/2011 | 9/16/2011 |
| Deputy CIO for Information Technology Security | Center CIOs, Mission Directorate CIOs, Center ITSMs | Suspension of Certification and Accreditation Activity | 05/18/2010 | 11/22/2010 |
| Deputy Chief Information Officer for IT Security | ODIN Program Office | Removal of Memory Stick Devices from the ODIN Enterprise Catalog | 6/2/2010 | 6/2/2010 |
| Deputy CIO for Information Technology Security | Center CIOs, Mission Directorate CIOs, Center ITSMs | Implementation Plan for NIST SP 800-53, Revision 3 Security Controls | 10/30/2009 | 10/30/2009 |
| Chief Information Officer (Acting) | Center CIOs | Delegation of Waiver Authority and Responsibility for Selected Requirements for Managing Elevated User Privileges on NASA IT Devices | 9/24/2009 | 9/24/2009 |
| Assistant Administrator for Security and Program Protection, Chief Information Officer (Acting) | NASA Center Directors | Identity, Credential, and Access Management Business Process Leads | 8/27/2009 | 8/27/2009 |
| Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs | Two-Factor Token Infrastructure | 8/5/2009 | 8/5/2009 |
| Chief Information Officer (Acting) | Officials-in-Charge of Headquarters, Center CIOs, Mission Directorate CIOs | Security and Support Policy for Smartphones | 8/3/2009 | 8/3/2009 |
| Deputy Chief Information Officer for IT Security | Center CIOs | NASA "Secure WebEx" Now Approved for Secure Meetings and Communication of SBU Data | 6/23/2009 | 6/23/2009 |
| Deputy Chief Information Officer for IT Security | Center CIOs | Certification and Accreditation Notices | 5/21/2009 | 5/21/2009 |
| Chief Information Officer (Acting) | Center CIOs | Revised Deadline for Compliance with Requirements for Managing Elevated User Privileges | 5/12/2009 | 5/12/2009 |
| Chief Information Officer (Acting) | Center CIOs | Delegation of Waiver Authority and Responsibility for Vulnerability Scanning Requirements | 5/6/2009 | 5/6/2009 |
| Chief Information Officer (Acting) | Officials-in-Charge of Headquarters Offices, NASA Center Directors | Roles and Responsibilities for Protecting NASA Sensitive But Unclassified (SBU) Information | 4/27/2009 | 4/27/2009 |
| Deputy CIO for IT Security | Center CIOs, Center ITSMs | FY 2009 Scanning and Vulnerability Elimination or Mitigation | 2/06/2009 | 2/06/2009 |
| Chief Information Officer | Officials-in-Charge of Headquarters Offices, NASA Center Directors | Personally Identifiable Information (PII) Incident Reporting | 1/14/2009 | 1/14/2009 |
| Chief Information Officer | All NASA Civil Service and Contractor Employees | Policy for Use of Removable Media, Such as USB Thumb Drives | 11/21/2008 | 11/21/2008 |
| Deputy CIO for IT Security | Center CIOs | NASA Security Operations Center Operations and NASIRC Transition | 10/29/2008 | 10/29/2008 |
| Chief Information Officer | Memorandum for Record | Information Technology Management Board Decisions Regarding NCI Firewall Settings and SharePoint 2007 Pilots | 10/8/2008 | 10/8/2008 |
| Deputy CIO for IT Security | Center ITSMs, Center CAOs | Certification and Accreditation Direction for FY09 | 9/17/2008 | 9/17/2008 |
| Senior Agency Official for Privacy | Official-in-Charge of Headquarters Offices, NASA Center Directors | Personally Identifiable Information (PII) Responsibilities Statement | 9/8/2008 | 9/8/2008 |
| Chief Information Officer | Center CIOs | Deployment of the Software Refresh Portal | 7/30/2008 | 7/30/2008 |
| Chief Information Officer | NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP | Requirement to Log and Verify Sensitive Data Extracts | 6/9/2008 | 6/9/2008 |
| Chief Information Officer | NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center ITSMs, Center Human Resources Directors, IEMP | Remote Access to Personally Identifiable Information (PII) | 6/9/2008 | 6/9/2008 |
| Deputy CIO for IT Security | Center ITSMs | Clarification on Requirement for Contractors to Complete NASA Annual IT Security Awareness Training | 6/6/2008 | 6/6/2008 |
| Deputy CIO for IT Security | Center CIOs, Center ITSMs, Center Training Officers | Decision to Disallow Substitutions for Basic and Managers Information Technology Security Awareness Training | 2/21/2008 | 2/21/2008 |
| Deputy CIO for IT Security | Center CIOs, Center ITSMs | System Security Documentation in RMS | 2/20/2008 | 2/20/2008 |
| Deputy CIO for IT Security | Center CIOs, Center ITSMs | Supplemental FY08 Guidance for Agency Security Configurations Standards and FDCC Reporting | 2/20/2008 | 2/20/2008 |
| Chief Information Officer | Center CIOs, Deputy CIOs | Information Discovery | 2/4/2008 | 2/4/2008 |
| Deputy CIO for IT Security | Center CIOs, Center ITSMs | Decision to Cancel Procurement Information Circular (PIC) 04-03 (System Administrator Certification Program) | 1/16/2008 | 1/16/2008 |
| Chief Information Officer | Official-in-Charge of Headquarters Offices, NASA Center Directors | Release of NPD 2200.1A, Management of NASA Scientific and Technical Information | 12/18/2007 | 12/18/2007 |
| Chief Information Officer | Center CIOs, Mission Directorate CIOs | Data at Rest Freeze | 11/15/2007 | 11/15/2007 |
| Deputy CIO for IT Security | Center CIOs, Mission Directorate CIOs | Agency Security Configuration Standards: Federal Desktop Core Configurations | 11/15/2007 | 11/15/2007 |
| Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA's OAIT Voice Systems | 7/10/2007 | 7/10/2007 |
| Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA OAIT Data Center Systems | 7/10/2007 | 7/10/2007 |
| Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA OAIT LANs | 7/10/2007 | 7/10/2007 |
| Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs, Center ITSMs | FY 2007 and FY 2008 Patch Management and Security Configuration Metrics | 4/4/2007 | 4/4/2007 |
| Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs | Meeting OMB Memoranda M-06-015 “Safeguarding Personally Identifiable Information;” M-06-016 “Protection of Sensitive Agency Information,” and M-06-019 “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments” | 10/17/2006 | 10/17/2006 |
| Deputy Administrator | Administrator/Official-in-Charge of Headquarters Offices, NASA Center Directors | Meeting NASA Information Technology Security Requirements | 7/26/2006 | 7/26/2006 |
| Deputy CIO for IT Security | Center CIOs | Designation of FIPS-199 Impact Level for NASA OAIT Desktop Systems | 04/16/06 | 04/16/06 |
| Chief Information Officer, Chief of Strategic Communications | Official-in-Charge of Headquarters Offices, NASA Center Directors, Center CIOs, Mission Directorate CIOs | Policy Governing NASA's Publicly Accessible Web sites | 3/16/2006 | 3/16/2006 |
| Chief Information Officer, Assistant Administrator of Public Affairs | Center CIOs | Update of NASA Web site Linking Policy | 12/15/2005 | 12/15/2005 |
| Chief Information Officer | Center CIOs | Update of NASA Web site Privacy Policy | 11/28/2005 | 11/28/2005 |