NASA IT Security
 
Contacts:
Valarie Burks
Deputy CIO IT Security

Dana Mellerio
Security Services Oversight & Planning

Howard Whyte
Security Operations

Dan Conway
Emerging Technology & I3P Security

Evelyn Davis
FISMA/Compliance/IT Security Awareness and Training

Willie Crenshaw
Governance, Risk & Compliance

Bryan McCall
Agency Privacy/CUI Program Manager

The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration, and provide cost-effective IT security services in support of NASA's systems and e-Gov initiatives. The ITS Division ensures that information technology security across NASA meets confidentiality, integrity and availability objectives for data and information, including disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness. The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures. NPD 2810.1, NASA Information Security Policy, and NPR 2810.1, Security of Information Technology, provide more details on IT security requirements at NASA.

IT Security Hotline

Users can contact the new 24x7x365 NASA Security Operations Center (SOC) by phone, 1-877-NASA-SEC (877-627-2732) or via the SOC email address (soc@nasa.gov).

NASA IT Security Requirements

The list below presents NASA Policies, Procedures, Technical Standards and other guidance related to Information Security and IT Security at NASA. These documents cover all areas of the NASA IT environment, including IT infrastructure services, IT applications, and highly specialized IT. The requirements apply to all IT resources and information systems that store, process or transmit NASA data, or that connect to NASA networks or systems, or that are located on NASA facilities.

For IT Security related documents (e.g., IT Security Handbooks, Standards, Memoranda, and Archived Documents) contact Brenda Maxwell to request a copy. The NASA policy documents are available via the NASA Online Directives Information System (NODIS). Contractors interested in doing business with NASA and/or providing IT services or solutions to NASA should use this list as a reference for information security requirements.

Document | Subject | Effective Date
NPR 1382.1 | NASA Privacy Procedural Requirements | August 10, 2007
NPD 1382.17H | NASA Privacy Policy | August 24, 2009
NPD 1440.6H | NASA Records Management | March 24, 2008
NPR 1441.1D | NASA Records Retention Schedules (w/Change 4, 1/31/08) | February 24, 2003
NPD 2540.1G | Personal Use of Government Office Equipment Including Information Technology | June 8, 2010
NPD 2800.1B | Managing Information Technology | March 20, 2009
NPR 2800.1B | Managing Information Technology (w/Change 1, 9/17/04) | September 17, 1998
NPD 2810.1D | NASA Information Security Policy | April 9, 2009
NPR 2810.1A | Security of Information Technology (Revalidated with Change 1, dated May 19, 2011) | May 16, 2006
NPD 2830.1 | NASA Enterprise Architecture | December 16, 2005
NPR 2830.1 | NASA Enterprise Architecture Procedures | February 9, 2006
NPR 7120.7 | NASA Information Technology and Institutional Infrastructure Program and Project Management Requirements | November 3, 2008
NPR 2841.1 | Identity, Credential, and Access Management | January 6, 2016

Document | Subject | Effective Date
NM2810-64 | NASA Interim Directive: Information Technology Security and Efficiency Requirements | May 22, 2008

Document | Subject | Effective Date
NITR 2800_2 | Email Services and Email Forwarding | Sep 18, 2009
NITR 2800_1 | NASA Information Technology Waiver Requirements and Procedures | Aug 13, 2009
NITR-2830-1B | Networks in NASA IP Space or NASA Physical Space | Feb 12, 2009
NITR 1382_2 | NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008 | Jan 28, 2008

Document | Subject | Effective Date
ITS-HBK-2810.00-01A | Format and Procedures for an IT Security Handbook | Mar 29, 2011
ITS-HBK-2810.00-02A | Roles and Responsibilities Crosswalk | May 2, 2013
ITS-HBK-2810.02-01 | Security Assessment and Authorization | May 6, 2011
ITS-HBK-2810.02-02 | Security Assessment and Authorization: FIPS 199 Moderate & High Systems | Oct 24, 2012
ITS-HBK-2810.02-03 | Security Assessment and Authorization: FIPS 199 Low Systems | Oct 24, 2012
ITS-HBK-2810.02-04 | Security Assessment and Authorization: Continuous Monitoring – Annual Security Control Assessments | Oct 24, 2012
ITS-HBK-2810.02-05 | Security Assessment and Authorization: External Information Systems | Oct 24, 2012
ITS-HBK-2810.02-06 | Security Assessment and Authorization: Extending and Information Systems Authorization to Operate Process and Templates | Oct 24, 2012
ITS-HBK-2810.02-07 | Security Assessment and Authorization: Information System Security Plan Numbering Schema | Nov 10, 2010
ITS-HBK-2810.02-08 | Security Assessment and Authorization: Plan of Action and Milestones (POA&M) | Aug 21, 2012
ITS-HBK-2810.03-01 | Planning | May 6, 2011
ITS-HBK-2810.03-02 | Planning: Information System Security Plan Template, Requirements, Guidance and Examples | Feb 9, 2011
ITS-HBK-2810.04-01A | Risk Assessment: Security Categorization, Risk Assessment, Vulnerability Scanning, Expedited Patching, & Organizationally Defined Values | October 12, 2012
ITS-HBK-2810.04-02 | Risk Assessment: Procedures for Information System Security Penetration Testing and Rules of Engagement | April 30, 2013
ITS-HBK-2810.04-03 | Risk Assessment: Web Application Security Program | April 30, 2013
ITS-HBK-2810.05-01 | Systems and Service Acquisition | Nov 21, 2011
ITS-HBK-2810.06-01 | Awareness and Training | May 6, 2011
ITS-HBK-2810.07-01 | Configuration Management | May 6, 2011
ITS-HBK-2810.08-01 | Contingency Planning | Apr 26, 2012
ITS-HBK-2810.08-02 | Contingency Planning: Guidance and Templates for Plan Development, Maintenance, and Test | Feb 11, 2011
ITS-HBK-2810.09-01 | Incident Response and Management | May 6, 2011
ITS-HBK-2810.09-02 | NASA Information Security Incident Management | Aug 24, 2011
ITS-HBK-2810.09-03 | Targeted Collection of Electronic Data | Aug 24, 2011
ITS-HBK-2810.10-01 | Maintenance | May 6, 2011
ITS-HBK-2810.11-01 | Media Protection | Jul 13, 2012
ITS-HBK-2810.11-02 | Media Protection: Digital Media Sanitization | Jul 13, 2012
ITS-HBK-2810.12-01 | Physical and Environmental Protection | May 6, 2011
ITS-HBK-2810.13-01 | Personnel Security | May 6, 2011
ITS-HBK-2810.14-01 | System and Information Integrity | May 6, 2011
ITS-HBK-2810.15-01 | Access Control | Sep 4, 2012
ITS-HBK-2810.15-02A | Access Control: Elevated Privileges (EP) | Jan 3, 2012
ITS-HBK-2810.16-01 | Audit and Accountability | May 6, 2011
ITS-HBK-2810.17-01 | Identification and Authentication | May 6, 2011
ITS-HBK-2810.18-01 | System and Communications Protection | May 6, 2011

Document | Subject | Effective Date
EA-STD 0001.0 | Standard for Integrating Applications into the NASA Access Management, Authentication, and Authorization Infrastructure | Aug 01, 2008
EA-SOP 0003.0 | Procedures for Submitting a NASA Agency Forest (NAF) Deviation Request and Transition Plan | Aug 01, 2008
EA-SOP 0004.0 | Procedures for Submitting an Application Integration Deviation Request and Transition Plan | Aug 01, 2008
NASA-STD-2804-O | Minimum Interoperability Software Suite | August 9, 2011
NASA-STD-2805-O | Minimum Hardware Configurations | August 9, 2011

From | To | Subject | Effective Date | Posted Date
Chief Information Officer | Distribution | Additional 90-day extension: Blanket waiver for use of Filevault 2.0 to meet Data at Rest (DAR) Encryption Requirements | 5/7/2013 | 5/7/2013
Office of the Chief Information Officer | Distribution | Delegation of Authorizing Official Designation to Center and Mission Directorate Chief Information Officers | 4/2/2013 | 4/2/2013
Deputy CIO for Information Technology Security | Distribution | NASA ACES Secure Virtual Team Meeting (SVTM) Approved for Secure Meetings and Communications of SBU Data | 2/5/13 | 2/5/13
Chief Information Officer | Distribution | Cancellation of PDM 2012-064 Data At Rest (DAR) Waiver Process and issuance of a new PDM addressing Alternate DAR Encryption Products | 1/30/13 | 1/30/13
Deputy CIO for Information Technology Security | Center/Mission Directorate Chief Information Officers (CIO) | Configuration Guidance for Computer Operating Systems | 12/17/12 | 12/17/12
Associate Deputy Administrator | All NASA Employees | Breach of Personally Identifiable Information (PII) [Laptop DAR/Encryption] | 11/13/12 | 11/13/12
Chief Information Officer | Center CIOs | Rescinding and/or Archiving Information Technology (IT) Security Memoranda | 9/20/2012 | 9/20/2012
Deputy CIO for Information Technology Security | All NASA Center CIOs | FY2012 FISMA Awareness and Training Reporting Metrics | 9/12/2012 | 9/12/2012
OCIO | Distribution | Acceptance of other Federal IT Security Awareness Training to Satisfy NASA's FISMA Requirements | 5/25/2012 | 5/25/2012
Charles F. Bolden, Jr., NASA Administrator | All NASA Employees | Protection of Sensitive Agency Information | 4/3/2012 | 4/3/2012
CIO, Assistant Administrator for Strategic Infrastructure | Distribution | Digital Media Sanitization and Disposal Interim Actions | 8/3/2011 | 9/16/2011
Chief Information Officer (Acting) | Center CIOs | Delegation of Waiver Authority and Responsibility for Selected Requirements for Managing Elevated User Privileges on NASA IT Devices | 9/24/2009 | 9/24/2009
Assistant Administrator for Security and Program Protection, Chief Information Officer (Acting) | NASA Center Directors | Identity, Credential, and Access Management Business Process Leads | 8/27/2009 | 8/27/2009
Chief Information Officer (Acting) | Officials-in-Charge of Headquarters, Center CIOs, Mission Directorate CIOs | Security and Support Policy for Smartphones | 8/3/2009 | 8/3/2009
Chief Information Officer (Acting) | Officials-in-Charge of Headquarters Offices, NASA Center Directors | Roles and Responsibilities for Protecting NASA Sensitive But Unclassified (SBU) Information | 4/27/2009 | 4/27/2009
Deputy CIO for IT Security | Center CIOs, Center ITSMs | FY 2009 Scanning and Vulnerability Elimination or Mitigation | 2/06/2009 | 2/06/2009
Chief Information Officer | Officials-in-Charge of Headquarters Offices, NASA Center Directors | Personally Identifiable Information (PII) Incident Reporting | 1/14/2009 | 1/14/2009
Chief Information Officer | All NASA Civil Service and Contractor Employees | Policy for Use of Removable Media, Such as USB Thumb Drives | 11/21/2008 | 11/21/2008
Senior Agency Official for Privacy | Official-in-Charge of Headquarters Offices, NASA Center Directors | Personally Identifiable Information (PII) Responsibilities Statement | 9/8/2008 | 9/8/2008
Chief Information Officer | Center CIOs | Deployment of the Software Refresh Portal | 7/30/2008 | 7/30/2008
Chief Information Officer | NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP | Requirement to Log and Verify Sensitive Data Extracts | 6/9/2008 | 6/9/2008
Chief Information Officer | NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center ITSMs, Center Human Resources Directors, IEMP | Remote Access to Personally Identifiable Information (PII) | 6/9/2008 | 6/9/2008
Deputy CIO for IT Security | Center ITSMs | Clarification on Requirement for Contractors to Complete NASA Annual IT Security Awareness Training | 6/6/2008 | 6/6/2008
Deputy CIO for IT Security | Center CIOs, Center ITSMs | System Security Documentation in RMS | 2/20/2008 | 2/20/2008
Chief Information Officer | Center CIOs, Deputy CIOs | Information Discovery | 2/4/2008 | 2/4/2008
Deputy CIO for IT Security | Center CIOs, Center ITSMs | Decision to Cancel Procurement Information Circular (PIC) 04-03 (System Administrator Certification Program) | 1/16/2008 | 1/16/2008
Chief Information Officer | Official-in-Charge of Headquarters Offices, NASA Center Directors | Release of NPD 2200.1A, Management of NASA Scientific and Technical Information | 12/18/2007 | 12/18/2007
Deputy CIO for IT Security | Center CIOs, Mission Directorate CIOs | Agency Security Configuration Standards: Federal Desktop Core Configurations | 11/15/2007 | 11/15/2007
Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA's OAIT Voice Systems | 7/10/2007 | 7/10/2007
Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA OAIT Data Center Systems | 7/10/2007 | 7/10/2007
Chief Information Officer | Center Chief Information Officers | Designation of FIPS-199 Impact Level for NASA OAIT LANs | 7/10/2007 | 7/10/2007
Chief Information Officer (Acting) | Center CIOs, Mission Directorate CIOs | Meeting OMB Memoranda M-06-015 “Safeguarding Personally Identifiable Information;” M-06-016 “Protection of Sensitive Agency Information,” and M-06-019 “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments” | 10/17/2006 | 10/17/2006
Deputy Administrator | Administrator/Official-in-Charge of Headquarters Offices, NASA Center Directors | Meeting NASA Information Technology Security Requirements | 7/26/2006 | 7/26/2006
Deputy CIO for IT Security | Center CIOs | Designation of FIPS-199 Impact Level for NASA OAIT Desktop Systems | 04/16/06 | 04/16/06
Chief Information Officer, Chief of Strategic Communications | Official-in-Charge of Headquarters Offices, NASA Center Directors, Center CIOs, Mission Directorate CIOs | Policy Governing NASA's Publicly Accessible Web sites | 3/16/2006 | 3/16/2006
Chief Information Officer, Assistant Administrator of Public Affairs | Center CIOs | Update of NASA Web site Linking Policy | 12/15/2005 | 12/15/2005
Chief Information Officer | Center CIOs | Update of NASA Web site Privacy Policy | 11/28/2005 | 11/28/2005