07/01/2016

Security Requirements & Policies | NASA

The list below presents NASA Policies, Procedures, Technical Standards, and other guidance related to Information Security and Cybersecurity at NASA. These documents cover all areas of the NASA IT environment, including IT infrastructure services, IT applications, and highly specialized IT. The requirements apply to all IT resources and information systems that store, process or transmit NASA data, or that connect to NASA networks or systems, or that are located at NASA facilities.

Cybersecurity Hotline
Users can contact the new 24x7x365 NASA Security Operations Center (SOC) by phone, 1-877-NASA-SEC (877-627-2732) or via the SOC email address (soc@nasa.gov).

The NASA policy documents are available via the NASA Online Directives Information System (NODIS). For Cybersecurity related documents (e.g., Cybersecurity Handbooks, Standards, Memoranda, and Archived Documents) contact Mike Witt to request a copy. Contractors interested in doing business with NASA and/or providing IT services or solutions to NASA should use this list as a reference for information security requirements.

NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR)

Document, Subject, Effective Date

  • NPR 1382.1A, NASA Privacy Procedural Requirements, July 10, 2013
  • NPD 1382.17J, NASA Privacy Policy, June 29, 2016
  • NPD 1440.6I, NASA Records Management, September 10, 2014
  • NPR 1441.1E, NASA Records Management Program Requirements, January 29, 2015
  • NPD 2540.1H, Personal Use of Government Office Equipment Including Information Technology, February 24, 2016
  • NPD 2800.1B, Managing Information Technology, March 21, 2008 (pending update)
  • NPR 2800.1B, Managing Information Technology, March 20, 2009 (pending update)
  • NPD 2810.1E, NASA Information Security Policy, July 14, 2015 (pending update)
  • NPR 2810.1A, Security of Information Technology (Revalidated with Change 1, dated May 19, 2011), May 16, 2006 (pending update)
  • NPD 2830.1A, NASA Enterprise Architecture, November 2, 2011
  • NPR 2830.1A, NASA Enterprise Architecture Procedures, December 19, 2013
  • NPR 2841.1, Identity, Credential, and Access Management, March 9, 2016

IT Security and Training Handbooks (ITS-HBK)

Document, Subject, Effective Date

  • ITS-HBK-2810.06-02, Awareness and Training: Role-Based Training, Feb. 5, 2016
  • ITS-HBK 1382.03-01, Privacy Risk Management and Compliance: Collections, PIAs and SORNs, Sep 25, 2012
  • ITS-HBK 1382.05-01, Privacy Incident Response and Management: Breach Response Team Checklist, Sep 25, 2012
  • ITS-HBK 1382.06-01, Privacy Notice and Redress: Web Privacy & Written Notice, Complaints, Access and Redress, Sep 07, 2012
  • ITS-HBK 1382.07-01, Privacy Awareness and Training: Overview, Sept 07, 2012
  • ITS-HBK 1382.09-01, Privacy Rules of Behavior and Consequences: Overview, Sep 07, 2012
  • ITS-HBK 1382.08-01, Privacy Accountability: Overview, Aug 28, 2012
  • ITS-HBK 1382.02-01, Privacy Goals and Objectives, Jul 27, 2012
  • ITS-HBK 1382.03-02, Privacy Risk Management and Compliance: Annual Reporting Procedures for Reviewing and Reducing PII and Eliminating the Unnecessary Use of SSN, Aug 04, 2017
  • ITS-HBK 1382.04-01, Privacy and Information Security: Overview, Aug 28, 2012
  • ITS-HBK 2810.09-04, Incident Response and Management: Guidelines for Data Spillage & Sanitization Procedures, Feb 27, 2014
  • ITS-HBK-2810.0001-B, Format and Procedures for IT Security Policies and Handbooks, Jun 19, 2014
  • NITR 2810.1, NASA Information Technology Security Disclaimer, Sept 30, 2014
  • ITS-HBK-1441.01.01, Records Retention and Disposition: Overview, Jul 02, 2014
  • ITS-HBK-1440.01.01, Records Planning & Management: Records Management & Records Life Cycle Overview, Jul 02, 2014
  • ITS-HBK-2841.03, Identity, Credential, and Access Management Services (ICAM), Aug 03, 2017
  • IT-SOP-2841.001-1, Identity and Credential Service Providers Federation Requests, Feb 01, 2011
  • IT-SOP-2841.002-A, Identity, Credential, and Access Management (ICAM): Services Deviation Requests, Feb 01, 2011
  • ITS-HBK-2810.02-02E, Security Assessment and Authorization, Dec 6, 2016 (pending update)
  • ITS-HBK-2810.02-04-A, Security Assessment and Authorization: Continuous Monitoring, Mar 18, 2014
  • ITS-HBK-2810.02-05, Security Assessment and Authorization: External Information Systems, Oct 11, 2016
  • ITS-HBK-2810.02-06, Security Assessment and Authorization: Extending an Information Systems Authorization to Operate Process and Template, Oct 24, 2012
  • ITS-HBK-2810.02-08A, Security Assessment and Authorization: Plan of Action and Milestones, Aug 31, 2016
  • ITS-HBK-2810.03-01, Planning, May 6, 2011
  • ITS-HBK-2810.04-01A, Risk Assessment: Security Categorization, Risk Assessment, Vulnerability Scanning, Expedited Patching, and Organizationally Defined Values, Oct 12, 2012
  • ITS-HBK-2810.04-02A, Risk Assessment: Procedures for Information System Security Penetration Testing and Rules of Engagement, April 30, 2013
  • ITS-HBK-2810.04-03, Risk Assessment: Web Application Security Program, April 30, 2013
  • ITS-HBK-2810.05-01, System and Service Acquisition, Dec 1, 2011
  • ITS-HBK-2810.06-01, Security Awareness & Training, May 2, 2017
  • ITS-HBK-2810.07-01, Configuration Management, May 06, 2011
  • ITS-HBK-2810.08-01, Contingency Planning, May 02, 2017
  • ITS-HBK-2810.08-02, Contingency Planning: Guidance and Templates for Plan Development, Maintenance, and Test, Feb 11, 2011
  • ITS-HBK-2810.09-01, Incident Response & Management, May 6, 2011
  • ITS-HBK-2810.09-03, Incident Response & Management: Targeted Collection of Electronic Data, Aug 24, 2011
  • ITS-HBK-2810.10-01, Maintenance, May 02, 2017
  • ITS-HBK-2810.11-01, Media Protection, July 13, 2012
  • ITS-HBK-2810.11-02, Digital Media Sanitization, Jul 13, 2012
  • ITS-HBK-2810.12-01, Physical and Environmental Protection, May 02, 2017
  • ITS-HBK-2810.13-01, Personnel Security, May 02, 2017
  • ITS-HBK-2810.14-01, System and Information Integrity, Dec 1, 2014
  • ITS-HBK-2810.15-01, Access Control, May 2, 2017
  • ITS-HBK-2810.15-2A, Access Control: Managed Elevated Privileges (EP), Sept 20, 2012 (pending update and consolidation with ITS-HBK-2810.15-01)
  • ITS-HBK-2810.16-01, Audit and Accountability, May 02, 2017
  • ITS-HBK-2810.17-01, Identification and Authentication, May 02, 2017
  • ITS-HBK-2810.18-01, System and Communications Protection, Apr 6, 2011

Standards

Document, Subject, Effective Date

  • EA-STD 0001.0, Standard for Integrating Applications into the NASA Access Management, Authentication, and Authorization Infrastructure, Aug 01, 2008
  • EA-SOP 0003.0, Procedures for Submitting a NASA Agency Forest (NAF) Deviation Request and Transition Plan, Aug 01, 2008
  • EA-SOP 0004.0, Procedures for Submitting an Application Integration Deviation Request and Transition Plan, Aug 01, 2008
  • NASA-STD-2804P, Minimum Interoperability Software Suite, Sept 22, 2014
  • NASA-STD-2805P, Minimum Hardware Configurations, Sept 22, 2014

Memoranda

From, To, Subject, Effective Date, Posted Date

  • Acting Associate CIO for IT Security, Center Chief Information Officers & Associate CIO for Enterprise Services, EMET Agent Installation, 3/7/2016, 3/7/2016
  • Acting Associate CIO for IT Security, Chief Information Officers, Recruitment and Retention of a Highly Qualified Federal Workforce, 11/05/2015, 11/13/2015
  • Acting Associate CIO for IT Security, Chief Information Officers, Cyber Hygiene Report Actions, 11/05/2015, 11/13/2015
  • Acting Associate CIO for IT Security, Chief Information Officers & Enterprise Service Executives, Cyber Hygiene Report Actions, 10/7/2015, 10/7/2015
  • Associate Chief Information Officer for Capital Planning and Governance, Chief Information Officers, Information Technology Security Division Handbook Expiration Dates, 9/17/2015, 9/17/2015
  • Associate IT Security Division Director (Acting), Chief Information Officers, Windows Server 2003 Waiver Process, 8/18/2015, 8/19/2015
  • Office of the Chief Information Security Officer, Senior Agency Information Security Officer (SASIO), Request the Cancellation of HBK 2810.03-02 Planning: Information System Security Plan Template, Requirements, Guidance, and Examples, 7/27/2015, 7/27/2015
  • (Acting) Senior Agency Information Security Officer, Center/Mission Directorate Chief Information Officer (CIO), Chief Information Security Officers (CISO), and Information System Owners (ISO), Vulnerabilities in Unsupported or End of Life Software, 5/28/2015, 5/28/2015
  • (Acting) Senior Agency Information Security Officer, Distribution, Naming Pattern Memo, 5/28/2015, 5/28/2015
  • Office of the Chief Information Officer, (Acting) Senior Agency Information Security Officer, Expired Policy 2810-02.05 Security Assessment and Authorization: External Information Systems, 11/19/2014, 11/19/2014
  • Senior Agency Information Security Official (Acting), Distribution, Interim Guidance for Leveraging Cloud Services While Meeting Information Security Requirements, 1/28/2015, 1/28/2015
  • Valerie Burks, Center/Mission Directorate CIOs, Configuration Guidance for Computer Operating Systems, 12/17/2012, 12/17/2012
  • (Acting) Senior Agency Information Security Officer, Office of the CISO, Extension Verification 2810-02.05, 11/19/2014, 11/19/2014
  • NASA CIO and Deputy CIO for IT Security, Distribution, Updated Password Requirements for AA Accounts, 7/2/2014, 7/2/2014
  • Chief Information Officer, Distribution, Establishment and Maintenance of Secure Communications, 2/28/2014, 2/28/2014
  • Deputy Chief Information Officer for Information Technology Security, Distribution, Implementation of National Institute of Standards and Technology Special Publication 800-53, Revision 4, 12/19/2013, 12/19/2013
  • Chief Information Officer, Distribution, Minimum Security Requirements for Personal Mobile Devices, 8/27/2013, 8/27/2013
  • Office of the Chief Information Officer, Distribution, Delegation of Authorizing Official Designation to Center and Mission Directorate Chief Information Officers, 4/2/2013, 4/2/2013
  • Deputy CIO for Information Security, Distribution, NASA ACES Secure Virtual Team Meeting (SVTM) Approved for Secure Meetings and Communication of SBU Data, 2/5/2013, 2/5/2013
  • Deputy CIO for Information Technology Security, Center/Mission Directorate Chief Information Officers (CIO), Configuration Guidance for Computer Operating Systems, 12/17/2012, 12/17/2012
  • Associate Deputy Administrator, All NASA Employees, Breach of Personally Identifiable Information (PII) [Laptop DAR/Encryption], 11/13/2012, 11/13/2012
  • Chief Information Officer, All NASA Center CIO’s, Rescinding and/or Archiving Information Technology (IT) Security Memoranda, 9/20/2012, 9/20/2012
  • Charles F. Bolden, Jr., NASA Administrator, All NASA Employees, Protection of Sensitive Agency Information, 4/3/2012, 4/3/2012
  • Chief Information Officer (Acting), Center CIOs, Delegation of Waiver Authority and Responsibility for Vulnerability Scanning Requirements, 5/6/2009, 5/6/2009
  • Chief Information Officer (Acting), Officials-in-Charge of Headquarters Offices, NASA Center Directors, Roles and Responsibilities for Protecting NASA Sensitive But Unclassified (SBU) Information, 6/24/2015, 7/9/2015
  • Deputy CIO for IT Security, Center CIOs, Center ITSMs, FY 2009 Scanning and Vulnerability Elimination or Mitigation, 2/06/2009, 2/06/2009
  • Chief Information Officer, NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP, Requirement to Log and Verify Sensitive Data Extracts, 6/9/2008, 6/9/2008
  • Chief Information Officer, NASA CIOs, Mission Directorate CIOs, Center ITSMs, Center Human Resources Directors, IEMP, Remote Access to Personally Identifiable Information (PII), 6/9/2008, 6/9/2008
  • Deputy CIO for IT Security, Center CIOs, Mission Directorate CIOs, Agency Security Configuration Standards: Federal Desktop Core Configurations, 11/15/2007, 11/15/2007
  • Chief Information Officer, Center Chief Information Officers, Designation of FIPS-199 Impact Level for NASA OAIT Data Center Systems, 7/10/2007, 7/10/2007
  • Chief Information Officer, Center CIOs, Update of NASA Web site Privacy Policy, 11/28/2005, 11/28/2005
  • NASA Information Technology Warning Banner Update, August 9, 2017
  • Updated Guidance for Travelling Abroad with NASA IT Assets, May 17, 2017
  • Mandatory Training Requirement for Phishing Exercise Recurring-Clickers, June 2017

Cybersecurity & Privacy Division Archived Memoranda
