Purpose

This National Aeronautics and Space Administration (NASA) Procedures and Requirements (NPR) document implements the NASA Policy Directive (NPD) 2810.1, NASA Information Security Program. NPR 2810.1 establishes the procedures and requirements of the NASA Information Technology (IT) Security Program and provides direction designed to ensure that safeguards for the protection of the confidentiality, integrity, and availability of unclassified IT resources are integrated into and support NASA's missions, functional lines of business, and infrastructure based on risk-managed, cost-effective IT security and information security principles and practices.

Applicability

This NPR applies to all NASA employees, NASA support service contractors, NASA IT resources, and in NASA contracts, grants, purchase orders, and cooperative agreements, where appropriate, in achieving Agency missions, programs, projects, and institutional requirements. Facilities, resources, and personnel under a contract or part of a grant, an international partner agreement, or a volunteer associate's agreement from NASA to a college, university, research establishment, or associate's program are included in the applicability of this document unless specific sections are identified as being waived in the contract, grant, or cooperative agreement.

These procedures and requirements shall be implemented for unclassified NASA information and IT resources that are contracted out or outsourced to (1) another Center; (2) another Government Agency; (3) a Government owned, contractor operated (GOCO) facility; (4) partners under the Space Act; (5) partners under the Commercial Space Act of 1997; or (6) commercial or university facilities. These entities shall be subject to IT security compliance reviews and audits by NASA. Waivers to specific procedures and requirements shall be approved by the cognizant Mission Directorate, Center, or Headquarters Chief Information Officer (CIO) and by the NASA Office of the Chief Information Officer (OCIO).

Any IT resource in or behind the NASA assigned Internet Protocol (IP) address space shall follow NASA and Center policies and requirements and shall be subject to IT security compliance reviews and audits by NASA or its agents. Contractor, grant, international partner's, or research facility's computing and information resources that do not possess NASA information or IT resources, and that are not under direct NASA management cognizance, or are merely incidental to a contract, (e.g., a contractor's payroll and personnel system) are normally excluded from full review or audit to protect proprietary or privacy data.

These procedures and requirements do not apply to Classified National Security Information (CNSI). Specific policy and requirements for CNSI is contained in NPD 1600.2, NASA Security Policy, and NPR 1600.1, NASA Security Program Procedural Requirements.

For purposes of this NPR, NASA Headquarters is treated as a Center. Thus, all roles and responsibilities of the Center CIO are also applicable to the NASA Headquarters CIO. Further, all stipulated Center requirements are also applicable to NASA Headquarters.