IT Security

IT Security Division

Contacts:

Howard Whyte
Acting Division Director,
Security Operations Exec

Robert Binkley
PMO/Budget

Dan Conway
Security Integration Lead for OCIO Enterprise Services

Robert Powell
Security Services Oversight & Planning

Willie Crenshaw
Governance, Risk & Compliance

TBD
FISMA/Compliance/IT Security Awareness and Training

Bryan McCall
Agency Privacy/CUI Program Manager

The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration, and provide cost-effective IT security services in support of NASA's systems and e-Gov initiatives. The ITS Division ensures that information technology security across NASA meets confidentiality, integrity, and availability objectives for data and information, including disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness. The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures. NPD 2810.1, NASA Information Security Policy, and NPR 2810.1, Security of Information Technology, provide more details on IT security requirements at NASA.

IT Security Hotline
Users can contact the new 24x7x365 NASA Security Operations Center (SOC) by phone, 1-877-NASA-SEC (877-627-2732) or via the SOC email address (soc@nasa.gov).

NASA IT Security Requirements
The list below presents NASA Policies, Procedures, Technical Standards and other guidance related to Information Security and IT Security at NASA. These documents cover all areas of the NASA IT environment, including IT infrastructure services, IT applications, and highly specialized IT. The requirements apply to all IT resources and information systems that store, process or transmit NASA data, or that connect to NASA networks or systems, or that are located on NASA facilities.

The NASA policy documents are available via the NASA Online Directives Information System (NODIS). For IT Security related documents (e.g., IT Security Handbooks, Standards, Memoranda, and Archived Documents), contact Mr. Howard Whyte to request a copy. Contractors interested in doing business with NASA and/or providing IT services or solutions to NASA should use this list as a reference for information security requirements.

NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR)

Document Subject Effective Date
NPR 1382.1 NASA Privacy Procedural Requirements August 10, 2007
NPD 1382.17H NASA Privacy Policy August 24, 2009
NPD 1440.6H NASA Records Management March 24, 2008
NPR 1441.1D NASA Records Retention Schedules (w/Change 4, 1/31/08) February 24, 2003
NPD 2540.1G Personal Use of Government Office Equipment Including Information Technology June 8, 2010
NPD 2800.1B Managing Information Technology March 20, 2009
NPR 2800.1B Managing Information Technology (w/Change 1, 9/17/04) September 17, 1998
NPD 2810.1D NASA Information Security Policy April 9, 2009
NPR 2810.1A Security of Information Technology (Revalidated with Change 1, dated May 19, 2011) May 16, 2006
NPD 2830.1 NASA Enterprise Architecture December 16, 2005
NPR 2830.1 NASA Enterprise Architecture Procedures February 9, 2006
NPR 7120.7 NASA Information Technology and Institutional Infrastructure Program and Project Management Requirements November 3, 2008
NPR 2841.1 Identity, Credential, and Access Management January 6, 2016

NASA Interim Directives (NID)

Document Subject Effective Date
NM2810-64 NASA Interim Directive: Information Technology Security and Efficiency Requirements May 22, 2008

NASA Interim Technical Requirements (NITR)

Document Subject Effective Date
NITR 2800_2 Email Services and Email Forwarding Sep 18, 2009
NITR 2800_1 NASA Information Technology Waiver Requirements and Procedures Aug 13, 2009
NITR-2830-1B Networks in NASA IP Space or NASA Physical Space Feb 12, 2009

IT Security Handbooks (ITS-HBK)

Document Subject Effective Date
ITS-HBK-2810.00-01B Format and Procedures for an IT Security Handbook Jun 19, 2014
ITS-HBK-2810.00-02 Roles and Responsibilities Crosswalk Jan 3, 2012
ITS-HBK-2810.02-01 Security Assessment and Authorization May 6, 2011
ITS-HBK-2810.02-02 Security Assessment and Authorization: FIPS 199 Moderate & High Systems Oct 24, 2012
ITS-HBK-2810.02-03 Security Assessment and Authorization: FIPS 199 Low Systems Oct 24, 2012
ITS-HBK-2810.02-04A Security Assessment and Authorization: Continuous Monitoring – Annual Security Control Assessments Mar 18, 2014
ITS-HBK-2810.02-05 Security Assessment and Authorization: External Information Systems Oct 24, 2012
ITS-HBK-2810.02-06 Security Assessment and Authorization: Extending and Information Systems Authorization to Operate Process and Templates Oct 24, 2012
ITS-HBK-2810.02-07 Security Assessment and Authorization: Information System Security Plan Numbering Schema Nov 10, 2010
ITS-HBK-2810.02-08A Security Assessment and Authorization: Plan of Action and Milestones (POA&M) Dec 11, 2013
ITS-HBK-2810.03-01 Planning May 6, 2011
ITS-HBK-2810.03-02 Planning: Information System Security Plan Template, Requirements, Guidance and Examples Feb 9, 2011
ITS-HBK-2810.04-01A Risk Assessment: Security Categorization, Risk Assessment, Vulnerability Scanning, Expedited Patching, & Organizationally Defined Values October 12, 2012
ITS-HBK-2810.04-02 Risk Assessment: Procedures for Information System Security Penetration Testing and Rules of Engagement April 30, 2013
ITS-HBK-2810.04-03 Risk Assessment: Web Application Security Program April 30, 2013
ITS-HBK-2810.05-01 Systems and Service Acquisition Nov 21, 2011
ITS-HBK-2810.06-01 Awareness and Training May 6, 2011
ITS-HBK-2810.07-01 Configuration Management May 6, 2011
ITS-HBK-2810.08-01 Contingency Planning Apr 26, 2012
ITS-HBK-2810.08-02 Contingency Planning: Guidance and Templates for Plan Development, Maintenance, and Test Feb 11, 2011
ITS-HBK-2810.09-01 Incident Response and Management May 6, 2011
ITS-HBK-2810.09-02 NASA Information Security Incident Management Aug 24, 2011
ITS-HBK-2810.09-03 Targeted Collection of Electronic Data Aug 24, 2011
ITS-HBK-2810.10-01 Maintenance May 6, 2011
ITS-HBK-2810.11-01 Media Protection Jul 13, 2012
ITS-HBK-2810.11-02 Media Protection: Digital Media Sanitization Jul 13, 2012
ITS-HBK-2810.12-01 Physical and Environmental Protection May 6, 2011
ITS-HBK-2810.13-01 Personnel Security May 6, 2011
ITS-HBK-2810.14-01 System and Information Integrity May 6, 2011
ITS-HBK-2810.15-01 Access Control Sep 4, 2012
ITS-HBK-2810.15-02A Access Control: Elevated Privileges (EP) Jan 3, 2012
ITS-HBK-2810.16-01 Audit and Accountability May 6, 2011
ITS-HBK-2810.17-01 Identification and Authentication May 6, 2011
ITS-HBK-2810.18-01 System and Communications Protection May 6, 2011

Standards

Document Subject Effective Date
EA-STD 0001.0 Standard for Integrating Applications into the NASA Access Management, Authentication, and Authorization Infrastructure Aug 01, 2008
EA-SOP 0003.0 Procedures for Submitting a NASA Agency Forest (NAF) Deviation Request and Transition Plan Aug 01, 2008
EA-SOP 0004.0 Procedures for Submitting an Application Integration Deviation Request and Transition Plan Aug 01, 2008
NASA-STD-2804-P Minimum Interoperability Software Suite March 14, 2014
NASA-STD-2805-P Minimum Hardware Configurations March 14, 2014

Memoranda

From To Subject Effective Date Posted Date
CIO and the Deputy CIO for IT Security Distribution Updated Password Requirements for AA Accounts 7/2/2014 7/2/2014
Chief Information Officer Distribution Establishment and Maintenance of Secure Communications 2/28/2014 2/28/2014
Deputy Chief Information Officer for Information Technology Security Distribution Implementation of National Institute of Standards and Technology Special Publication 800-53, Revision 4 12/19/2013 12/19/2013
Chief Information Officer Distribution Minimum Security Requirements for Personal Mobile Devices 8/27/2013 8/27/2013
Office of the Chief Information Officer Distribution Delegation of Authorizing Official Designation to Center and Mission Directorate Chief Information Officers 4/2/2013 4/2/2013
Deputy CIO for Information Technology Security Distribution NASA ACES Secure Virtual Team Meeting (SVTM) Approved for Secure Meetings and Communications of SBU Data 2/5/13 2/5/13
Chief Information Officer Distribution Cancellation of PDM 2012-064 Data At Rest (DAR) Waiver Process and issuance of a new PDM addressing Alternate DAR Encryption Products 1/30/13 1/30/13
Deputy CIO for Information Technology Security Center/Mission Directorate Chief Information Officers (CIO) Configuration Guidance for Computer Operating Systems 12/17/12 12/17/12
Associate Deputy Administrator All NASA Employees Breach of Personally Identifiable Information (PII) [Laptop DAR/Encryption] 11/13/12 11/13/12
Chief Information Officer Center CIOs Rescinding and/or Archiving Information Technology (IT) Security Memoranda 9/20/2012 9/20/2012
Deputy CIO for Information Technology Security All NASA Center CIOs FY2012 FISMA Awareness and Training Reporting Metrics 9/12/2012 9/12/2012
OCIO Distribution Acceptance of other Federal IT Security Awareness Training to Satisfy NASA's FISMA Requirements 5/25/2012 5/25/2012
Charles F. Bolden, Jr., NASA Administrator All NASA Employees Protection of Sensitive Agency Information 4/3/2012 4/3/2012
CIO, Assistant Administrator for Strategic Infrastructure Distribution Digital Media Sanitization and Disposal Interim Actions 8/3/2011 9/16/2011
Chief Information Officer (Acting) Center CIOs Delegation of Waiver Authority and Responsibility for Selected Requirements for Managing Elevated User Privileges on NASA IT Devices 9/24/2009 9/24/2009
Assistant Administrator for Security and Program Protection, Chief Information Officer (Acting) NASA Center Directors Identity, Credential, and Access Management Business Process Leads 8/27/2009 8/27/2009
Chief Information Officer (Acting) Officials-in-Charge of Headquarters, Center CIOs, Mission Directorate CIOs Security and Support Policy for Smartphones 8/3/2009 8/3/2009
Chief Information Officer (Acting) Officials-in-Charge of Headquarters Offices, NASA Center Directors Roles and Responsibilities for Protecting NASA Sensitive But Unclassified (SBU) Information 4/27/2009 4/27/2009
Deputy CIO for IT Security Center CIOs, Center ITSMs FY 2009 Scanning and Vulnerability Elimination or Mitigation 2/06/2009 2/06/2009
Chief Information Officer Officials-in-Charge of Headquarters Offices, NASA Center Directors Personally Identifiable Information (PII) Incident Reporting 1/14/2009 1/14/2009
Chief Information Officer All NASA Civil Service and Contractor Employees Policy for Use of Removable Media, Such as USB Thumb Drives 11/21/2008 11/21/2008
Senior Agency Official for Privacy Official-in-Charge of Headquarters Offices, NASA Center Directors Personally Identifiable Information (PII) Responsibilities Statement 9/8/2008 9/8/2008
Chief Information Officer Center CIOs Deployment of the Software Refresh Portal 7/30/2008 7/30/2008
Chief Information Officer NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP Requirement to Log and Verify Sensitive Data Extracts 6/9/2008 6/9/2008
Chief Information Officer NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center ITSMs, Center Human Resources Directors, IEMP Remote Access to Personally Identifiable Information (PII) 6/9/2008 6/9/2008
Deputy CIO for IT Security Center ITSMs Clarification on Requirement for Contractors to Complete NASA Annual IT Security Awareness Training 6/6/2008 6/6/2008
Deputy CIO for IT Security Center CIOs, Center ITSMs System Security Documentation in RMS 2/20/2008 2/20/2008
Chief Information Officer Center CIOs, Deputy CIOs Information Discovery 2/4/2008 2/4/2008
Deputy CIO for IT Security Center CIOs, Center ITSMs Decision to Cancel Procurement Information Circular (PIC) 04-03 (System Administrator Certification Program) 1/16/2008 1/16/2008
Chief Information Officer Official-in-Charge of Headquarters Offices, NASA Center Directors Release of NPD 2200.1A, Management of NASA Scientific and Technical Information 12/18/2007 12/18/2007
Deputy CIO for IT Security Center CIOs, Mission Directorate CIOs Agency Security Configuration Standards: Federal Desktop Core Configurations 11/15/2007 11/15/2007
Chief Information Officer Center Chief Information Officers Designation of FIPS-199 Impact Level for NASA's OAIT Voice Systems 7/10/2007 7/10/2007
Chief Information Officer Center Chief Information Officers Designation of FIPS-199 Impact Level for NASA OAIT Data Center Systems 7/10/2007 7/10/2007
Chief Information Officer Center Chief Information Officers Designation of FIPS-199 Impact Level for NASA OAIT LANs 7/10/2007 7/10/2007
Chief Information Officer (Acting) Center CIOs, Mission Directorate CIOs Meeting OMB Memoranda M-06-015 “Safeguarding Personally Identifiable Information;” M-06-016 “Protection of Sensitive Agency Information,” and M-06-019 “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments” 10/17/2006 10/17/2006
Deputy Administrator Administrator/Official-in-Charge of Headquarters Offices, NASA Center Directors Meeting NASA Information Technology Security Requirements 7/26/2006 7/26/2006
Deputy CIO for IT Security Center CIOs Designation of FIPS-199 Impact Level for NASA OAIT Desktop Systems 04/16/06 04/16/06
Chief Information Officer, Chief of Strategic Communications Official-in-Charge of Headquarters Offices, NASA Center Directors, Center CIOs, Mission Directorate CIOs Policy Governing NASA's Publicly Accessible Web sites 3/16/2006 3/16/2006
Chief Information Officer, Assistant Administrator of Public Affairs Center CIOs Update of NASA Web site Linking Policy 12/15/2005 12/15/2005
Chief Information Officer Center CIOs Update of NASA Web site Privacy Policy 11/28/2005 11/28/2005

Page Last Updated: November 20th, 2014
Page Editor: Michael Porterfield