Privacy

NASA places a high priority on protecting all sensitive unclassified information (SBU) created, collected, maintained and managed by or on behalf of NASA. Among the various categories of SBU, privacy information, under the various labels of information in identifiable form (IIF), personally identifiable information (PII) and information subject to the Privacy Act of 1974 (Privacy Act Record), is among the most sensitive, requiring multiple levels of protection and compliance with Federal standards and laws.

NASA Agency policies and procedures for the protection of such information are written and developed specifically to ensure compliance with the numerous Federal laws, statutory Government-wide Office of Management and Budget (OMB), Federal Information Processing Standards (FIPS) and other requirements.

Meeting these requirements ensures that NASA complies with all related Federal laws and standards, ensures that NASA and the Federal Government retain the public trust, and protects the individuals from whom we collect Privacy information (public and government) from embarrassment, identity theft, credit fraud or other harm. It is therefore mandatory that all system, application and information owners fully comply with NASA Privacy Policy and Procedures, and that all employees maintain a state of awareness and training that ensures they are cognizant of and able to appropriately protect such information.

NASA Privacy and SBU Policies »
  • NASA SBU Interim Directive: NID 1600.55
  • NASA Privacy Policy: NPD 1382.17H
  • NASA Privacy Procedural Requirements: NPR 1382.1A
  • NASA Privacy Incident Response and Management Breach Response Team Handbook: ITS-HBK-1382.05-01
  • NASA Privacy Rules of Behavior and Consequences: ITS-HBK-1382.09-01
  • All other Privacy Related Policies, Procedures and Handbooks. A consolidated resource for all of these policies and procedures is available internally to NASA through the Privacy Information Management Central Resource (http://pcat.nasa.gov).

Did You Know that all security incidents involving the breach of sensitive unclassified information (SBU), including personally identifiable information (PII), whether in electronic or physical form, confirmed or suspected, must be reported to the Security Operations Center (SOC) immediately upon discovery?


Sample Scenario »
A NASA worker, a contractor working on behalf of NASA, had their laptop stolen from the back seat of their car after stopping at a local Quick Mart on their way home. While the worker was in the Quick Mart, a hooded individual smashed the rear window out of the vehicle, grabbed the entire laptop bag and ran. The laptop bag contained a laptop on which NASA data resided (known to the worker as being both Sensitive PII and SBU), a memory stick and other peripheral devices, in addition to a notebook and some file folders full of additional information. Upon contacting the SOC, an initial assessment of the incident is made. The SOC interviewer asks a few relevant questions and records as much detail as possible. An incident ticket is opened on the following aspects of this incident:

  • Lost or stolen Government equipment
  • Potential compromise of PII (laptop, memory stick, CD/DVD, etc.)
    • Confirmed compromise of PII (as the folders in the laptop bag contained listings of names and SSNs)
  • Potential compromise of other SBU
  • Other details as derived

Once completed, the incident management system (IMS) automatically ensures that the appropriate parties are informed and engaged, that steps are taken in accordance with government requirements, and that any possible mitigation is put in place.

One factor is imperative to protection of information and any successful immediate limiting of any compromise: YOU! Both for the appropriate protection of the information you are in possession of, and for your ability to know exactly what to do first if you discover a potential compromise. YOU are often the first line of defense. Your actions can not only keep data from being compromised to begin with, but if compromised, your immediate reactions determine how quickly any necessary mitigation can be put into place to limit potential damages including:

  • Embarrassment, identity theft, credit fraud or other harm to individuals;
  • Damage to the public trust;
  • Damage to NASA's reputation, loss of monetary and man-hours assets and resources;
  • Embarrassment to the U.S. Government.

Immediate action required on the part of any employee, contractor or affiliate upon discovery of any potential loss or compromise of NASA PII:

REPORT IT TO THE NASA SOC at:
E-mail: soc@nasa.gov
Phone: 877-627-2732 (toll free)

NASA Officials for Privacy Related Matters
NASA Privacy Program Manager:
Bryan McCall
NASA Office of the Chief Information Officer
NASA Headquarters
Washington, DC 20546-0001
Contact: 202-358-1767

NASA Agency Privacy Act Officer:
Patti F. Stockman
NASA Office of the Chief Information Officer
NASA Headquarters
Washington, DC 20546-0001
Contact: 202-358-4787

NASA Center Privacy Central Resource: Internal NASA Privacy Central Resource (NASA Internal Only).

Page Last Updated: November 4th, 2013
Page Editor: Michael Porterfield