NASA NPR 2810.1 REV F
Security of Information and Information Systems
Publication Date: 3 January 2022
Status: active
Page Count: 78
Scope
Applicability
a. This directive applies to NASA Headquarters and all NASA Centers, including Component Facilities and Technical and Service Support Centers.
(1) For purposes of this directive, NASA Headquarters is treated as a Center. Further, all roles and responsibilities of a Center Chief Information Officer (CIO) apply to NASA Headquarters CIO and all stipulated Center requirements apply to NASA Headquarters.
b. This directive applies to contractors, recipients of grants, cooperative agreements, or other agreements only to the extent specified or referenced in the contracts, grants, or agreements.
c. This directive applies to all unclassified NASA information and NASA information systems, including those that are contracted out, outsourced to, or operated by:
(1) Government owned, contractor operated (GOCO) facilities;
(2) partners under the Space Act;
(3) partners under the Commercial Space Act of 1997;
(4) partners under cooperative agreements; or
(5) commercial or university facilities.
d. This directive does not apply to information systems that do not process NASA information and are merely incidental to a contract (e.g., a contractor's payroll and personnel management system).
(1) In this directive, all mandatory actions (i.e., requirements) are denoted by statements containing the term "shall." The terms "may" or "can" denote discretionary privilege or permission; "should" denotes a good practice that is recommended but not required; "will" denotes an expected outcome; and "are/is" denotes descriptive material.
e. This directive does not apply to Classified National Security Information (CNSI). CNSI is the responsibility of the Office of Protective Services (OPS) and is covered under CNSI policy and requirements contained in NASA Procedural Requirement (NPR) 1600.2, NASA Classified National Security Information (CNSI) and NPR 1600.1, NASA Security Program Procedural Requirements.
f. This directive applies to all NASA users of information systems (e.g., civil servants and contractors) when supporting Agency projects, programs, and missions.
g. In this directive all document citations are assumed to be the latest version unless otherwise noted.
Purpose
a. This directive establishes the information security requirements for the NASA Information Security Program. The procedural requirements herein prescribe roles, responsibilities, and conditions that directly or indirectly promote information security throughout the life cycle of all NASA information and information systems, including operational technology systems.
b. This directive identifies information security policies, procedures, and practices that are related to NASA's mission, and consistent with federal laws, executive orders, directives, policies, and regulations.
c. This directive aligns roles and responsibilities of information technology (IT) security personnel to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy and NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.
d. This directive serves as a reference to the NASA community regarding specific information security roles and responsibilities, and it provides resources where more detailed information may be found.
e. This directive implements cybersecurity policy best practices and guidance, particularly those outlined by NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations; NIST SP 800-37; NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security; NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations; NIST SP 800-60 Vol. 1 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories; NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security; NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; NIST SP 800-160 Vol. 2, Developing Cyber Resilient Systems - A Systems Security Engineering Approach; and NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations; together with referenced NASA policy documents, specifications, and standards, and as mandated by Federal Information Processing Standards (FIPS) across all corporate, project, and mission elements (ground and flight systems).