IT Security

IT Security Division


Robert Binkley
PMO/Budget & Senior Agency Information Security Official (SAISO)

Dan Conway
Security Integration Lead for OCIO Enterprise Services

Willie Crenshaw
Governance, Risk & Compliance

Huyen Vu
Security Architecture/Security Incident Management

Bryan McCall
Agency Privacy/CUI Program Manager

Robert Powell
Security Services Oversight & Planning

FISMA/Compliance/IT Security Awareness and Training

The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration, and provide cost-effective IT security services in support of NASA's systems and e-Gov initiatives. The ITS Division ensures that information technology security across NASA meets confidentiality, integrity and availability objectives for data and information to include disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness. The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures. NPD 2810.1, NASA Information Security Policy, and NPR 2810.1, Security of Information Technology, provide more details on IT security requirements at NASA.

IT Security Hotline
Users can contact the new 24x7x365 NASA Security Operations Center (SOC) by phone, 1-877-NASA-SEC (877-627-2732) or via the SOC email address (soc@nasa.gov).

NASA IT Security Requirements
The list below presents NASA Policies, Procedures, Technical Standards and other guidance related to Information Security and IT Security at NASA. These documents cover all areas of the NASA IT environment, including IT infrastructure services, IT applications, and highly specialized IT. The requirements apply to all IT resources and information systems that store, process or transmit NASA data, or that connect to NASA networks or systems, or that are located on NASA facilities.

The NASA policy documents are available via the NASA Online Directives Information System (NODIS). For IT Security related documents (e.g., IT Security Handbooks, Standards, Memoranda, and Archived Documents) contact Mr. Robert Binkley to request a copy. Contractors interested in doing business with NASA and/or providing IT services or solutions to NASA should use this list as a reference for information security requirements.

NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR)

Document Subject Effective Date
NPR 1382.1A NASA Privacy Procedural Requirements July 10, 2013
NPD 1382.17H NASA Privacy Policy June 24, 2009
NPD 1440.6I NASA Records Management September 10, 2014
NPR 1441.1D NASA Records Management Program Requirements January 29, 2015
NPD 2540.1G Personal Use of Government Office Equipment Including Information Technology June 8, 2010
NPD 2800.1B Managing Information Technology March 21, 2008
NPR 2800.1B Managing Information Technology March 20, 2009
NPD 2810.1D NASA Information Security Policy May 9, 2009
NPR 2810.1A Security of Information Technology (Revalidated with Change 1, dated May 19, 2011) May 16, 2006
NPD 2830.1A NASA Enterprise Architecture November 2, 2011
NPR 2830.1A NASA Enterprise Architecture Procedures December 19, 2013
NPR 2841.1 Identity, Credential, and Access Management January 6, 2011

NASA Interim Directives (NID)

Document Subject Effective Date
NM2810-64 NASA Interim Directive: Information Technology Security and Efficiency Requirements May 22, 2008
NID 7120.99 NASA Information Technology and Institutional Infrastructure Program and Project Management Requirements December 22, 2011

NASA Interim Technical Requirements (NITR)

Document Subject Effective Date
NITR 2800_2 Email Services and Email Forwarding Sep 18, 2009
NITR 2800_1 NASA Information Technology Waiver Requirements and Procedures Aug 13, 2009

IT Security Handbooks (ITS-HBK)

Document Subject Effective Date
ITS-HBK 1382.03-01 Privacy Risk Management and Compliance: Collections, PIAs and SORNs Sep 25, 2012
ITS-HBK 1382.05-01 Privacy Incident Response and Management: Breach Response Team Checklist Sep 25, 2012
ITS-HBK 1382.06-01 Privacy Notice and Redress: Web Privacy & Written Notice, Complaints, Access and Redress Sep 07, 2012
ITS-HBK 1382.07-01 Privacy Awareness and Training: Overview Sept 07, 2014
ITS-HBK 1382.09-01 Privacy Rules of Behavior and Consequences: Overview Sep 07, 2012
ITS-HBK 1382.08-01 Privacy Accountability: Overview Aug 28, 2012
ITS-HBK 1382.02-01 Privacy Goals and Objectives Jul 27, 2012
ITS-HBK 1382.03-02 Privacy Risk Management and Compliance: Annual Reporting Procedures for Reviewing and Reducing PII and Eliminating the Unnecessary Use of SSN Sep 07, 2011
ITS-HBK 1382.04-01 Privacy and Information Security: Overview Aug 28, 2012
ITS-HBK 2810.09-04 Incident Response and Management: Guidelines for Data Spillage & Sanitization Procedures Feb 27, 2014
ITS-HBK-2810.0001-B Format and Procedures for IT Security Policies and Handbooks Jun 19, 2014
NITR 2810.1 NASA Information Technology Security Disclaimer Sept 30, 2014
ITS-HBK-1441.01.01 Records Retention and Disposition: Overview Jul 02, 2014
ITS-HBK-1440.01.01 Records Planning & Management: Records Jul 02, 2014
ITS-HBK-2841.001-A Identity, Credential, and Access Management Services Feb 01, 2011
IT-SOP-2841.001-A Identity and Credential Service Providers Federation Requests Feb 01, 2011
IT-SOP-2841.002-A Identity, Credential, and Access Management (ICAM): Service Deviation Requests Management & Records Life Cycle-Overview Feb 01, 2011
IT-STD-1441.1 NASA Records Retention Schedules May 07, 2014
ITS-HBK-2810.02-01 Security Assessment and Authorization May 06, 2011
ITS-HBK-2810.0002-A Roles and Responsibilities Crosswalk & Definitions May 02, 2013
ITS-HBK-2810.02-04-A Security Assessment and Authorization: Continuous Monitoring – Annual Security Control Assessments Mar 18, 2014
ITS-HBK-2810.02-05 Security Assessment and Authorization: External Information Systems Oct 24, 2012
ITS-HBK-2810.02-06 Security Assessment and Authorization: Extending and Information Systems Authorization to Operate Process and Templates Oct 24, 2012
ITS-HBK-2810.02-08-A Security Assessment and Authorization: Plan of Action and Milestones (POA&M) Dec 11, 2013
ITS-HBK-2810.03-01 Planning May 6, 2011
ITS-HBK-2810.04-01-A Risk Assessment: Security Categorization, Risk Assessment, Vulnerability Scanning, Expedited Patching, & Organizationally Defined Values Oct 12, 2012
ITS-HBK-2810.04-02-A Risk Assessment: Procedures for Information System Security Penetration Testing and Rules of Engagement April 30, 2013
ITS-HBK-2810.04-03 Risk Assessment: Web Application Security Program April 30, 2013
ITS-HBK-2810.05-01 Systems and Service Acquisition Nov 21, 2011
ITS-HBK-2810.06a-01 Awareness and Training May 5, 2011
ITS-HBK-2810.07-01 Configuration Management May 06, 2011
ITS-HBK-2810.08-01 Contingency Planning May 06, 2011
ITS-HBK-2810.08-02 Contingency Planning: Guidance and Templates for Plan Development, Maintenance, and Test Feb 10, 2011
ITS-HBK-2810.09-01A Incident Response and Management Dec 30, 2014
ITS-HBK-2810.09-03 Targeted Collection of Electronic Data Aug 24, 2011
ITS-HBK-2810.10-01 Maintenance May 6, 2011
ITS-HBK-2810.11-01-A Media Protection July 13, 2012
ITS-HBK-2810.11-02 Media Protection: Digital Media Sanitization Jul 13, 2012
ITS-HBK-2810.12-01 Physical and Environmental Protection May 5, 2011
ITS-HBK-2810.13-01 Personnel Security May 6, 2011
ITS-HBK-2810.14-01 System and Information Integrity May 06, 2011
ITS-HBK-2810.15-01 Access Control Sep 4, 2012
ITS-HBK-2810.15-2A Access Control: Elevated Privileges (EP) Sept 20, 2012
ITS-HBK-2810.16-01 Audit and Accountability May 06, 2011
ITS-HBK-2810.17-01 Identification and Authentication Jan 17, 2011
ITS-HBK-2810.18-01 System and Communications Protection Apr 6, 2011


Document Subject Effective Date
EA-STD 0001.0 Standard for Integrating Applications into the NASA Access Management, Authentication, and Authorization Infrastructure Aug 01, 2008
EA-SOP 0003.0 Procedures for Submitting a NASA Agency Forest (NAF) Deviation Request and Transition Plan Aug 01, 2008
EA-SOP 0004.0 Procedures for Submitting an Application Integration Deviation Request and Transition Plan Aug 01, 2008
NASA-STD-2804P Minimum Interoperability Software Suite Sept 22, 2014
NASA-STD-2805P Minimum Hardware Configurations Sept 22, 2014


From To Subject Effective Date Posted Date
Associate CIO for IT Security, Acting Chief Information Officers & Enterprise Service Executives Cyber Hygiene Report Actions 10/7/2015 10/7/2015
Associate Chief Information Officer for Capital Planning and Governance Chief Information Officers Information Technology Security Division Handbook Expiration Dates 9/17/2015 9/17/2015
Associate IT Security Division Director (Acting) Chief Information Officers Windows Server 2003 Waiver Process 8/18/2015 8/19/2015
Associate IT Security Division Director (Acting) Chief Information Officers FY15 IT Security and Privacy Awareness Training Reminder 8/18/2015 8/19/2015
Office of the Chief Information Security Officer Senior Agency Information Security Officer (SAISO) Request the Cancellation of HBK 2810.03-02 Planning: Information System Security Plan Template, Requirements, Guidance, and Examples 7/27/2015 7/27/2015
(Acting) Senior Agency Information Security Officer Center/Mission Directorate Chief Information Officer (CIO), Chief Information Security Officers (CISO), and Information System Owners (ISO) Vulnerabilities in Unsupported or End of Life Software 5/28/2015 5/28/2015
(Acting) Senior Agency Information Security Officer Distribution Naming Pattern Memo 5/28/2015 5/28/2015
Office of the Chief Information Officer (Acting) Senior Agency Information Security Officer Expired Policy 2810-02.05 Security Assessment and Authorization: External Information Systems 11/19/2014 11/19/2014
Senior Agency Information Security Official (Acting) Distribution Interim Guidance for Leveraging Cloud Services While Meeting Information Security Requirements 1/28/2015 1/28/2015
Valerie Burks Center/Mission Directorate CIOs Configuration Guidance for Computer Operating Systems 12/17/2012 12/17/2012
(Acting) Senior Agency Information Security Officer Office of the CISO Extension Verification 2810-02.05 11/19/2014 11/19/2014
NASA CIO and Deputy CIO for IT Security Distribution Updated Password Requirements for AA Accounts 7/2/2014 7/2/2014
Chief Information Officer Distribution Establishment and Maintenance of Secure Communications 2/28/2014 2/28/2014
Deputy Chief Information Officer for Information Technology Security Distribution Implementation of National Institute of Standards and Technology Special Publication 800-53, Revision 4 12/19/2013 12/19/2013
Chief Information Officer Distribution Minimum Security Requirements for Personal Mobile Devices 8/27/2013 8/27/2013
Office of the Chief Information Officer Distribution Delegation of Authorizing Official Designation to Center and Mission Directorate Chief Information Officers 4/2/2013 4/2/2013
Deputy CIO for Information Security Distribution NASA ACES Secure Virtual Team Meeting (SVTM) Approved for Secure Meetings and Communication of SBU Data 2/5/2013 2/5/2013
Deputy CIO for Information Technology Security Center/Mission Directorate Chief Information Officers (CIO) Configuration Guidance for Computer Operating Systems 12/17/2012 12/17/2012
Associate Deputy Administrator All NASA Employees Breach of Personally Identifiable Information (PII) [Laptop DAR/Encryption] 11/13/2012 11/13/2012
Chief Information Officer All NASA Center CIO's Rescinding and/or Archiving Information Technology (IT) Security Memoranda 9/20/2012 9/20/2012
Charles F. Bolden, Jr., NASA Administrator All NASA Employees Protection of Sensitive Agency Information 4/3/2012 4/3/2012
Chief Information Officer (Acting) Center CIOs Delegation of Waiver Authority and Responsibility for Vulnerability Scanning Requirements 5/6/2009 5/6/2009
Chief Information Officer (Acting) Officials-in-Charge of Headquarters Offices, NASA Center Directors Roles and Responsibilities for Protecting NASA Sensitive But Unclassified (SBU) Information 4/27/2009 4/27/2009
Deputy CIO for IT Security Center CIOs, Center ITSMs FY 2009 Scanning and Vulnerability Elimination or Mitigation 2/06/2009 2/06/2009
Chief Information Officer NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP Requirement to Log and Verify Sensitive Data Extracts 6/9/2008 6/9/2008
Chief Information Officer NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP Remote Access to Personally Identifiable Information (PII) 6/9/2008 6/9/2008
Deputy CIO for IT Security Center CIOs, Mission Directorate CIOs Agency Security Configuration Standards: Federal Desktop Core Configurations 11/15/2007 11/15/2007
Chief Information Officer Center Chief Information Officers Designation of FIPS-199 Impact Level for NASA OAIT Data Center Systems 7/10/2007 7/10/2007
Chief Information Officer Center CIOs Update of NASA Web site Privacy Policy 11/28/2005 11/28/2005

IT Security Division Archived Memoranda

Page Last Updated: October 8th, 2015
Page Editor: Michael Porterfield