[Directives and Handbooks]
||Effective Date:||April 8, 1993
|INSTRUCTION||Expiration Date:||January 31, 1998 |
Responsible Office: AO / Chief Information Officer
Subject: ASSURING THE SECURITY AND INTEGRITY OF NASA AUTOMATED INFORMATION RESOURCES
This Instruction establishes policy and responsibilities for
ensuring appropriate levels of security and integrity for
NASA automated information processing installations,
systems, data, and related resources; and constitutes the
NASA Automated Information Security (AIS) Program.
This Instruction is applicable to NASA Headquarters and
a. This Instruction applies to all automated information
resources including computers, ancillary equipment,
software, firmware, services, and related resources
used in the acquisition, storage, manipulation,
management, movement, control, display, switching,
interchange, transmission, or reception of machine
readable data or information. It includes all
automated information resources maintained by or in
support of NASA organizations, functions, and programs
whether such resources are owned by or installed,
maintained, or operated at a NASA, contractor, or
b. Generally excluded are contractor or research facility
systems and resources not under NASA management
cognizance which are merely incidental to the contract.
The NASA Field Installations or Program Offices may,
individually, elect to include any information
resources exempted by this definition.
a. Public Law 100-235, the Computer Security Act of 1987.
b. Public Law 97-255, the Federal Managers Financial
c. Public Law 93-579 (5 U.S.C. 552), the Privacy Act of
d. Public Law 89-306 (40 U.S.C. 759), the Brooks Act of
e. Public Law 96-511 (44 U.S.C. 3501), the Paperwork
Reduction Act of 1980.
f. Public Law 81-152 (40 U.S.C. 471), the Federal Property
and Administrative Services Act of 1949.
g. Public Law 99-500, the Paperwork Reduction
h. Executive Order 12356, National Security Information.
i. National Security Decision Directive No. 145.
j. OMB Circular A-130, "Management of Federal Information
k. OMB Circular A-123, "Internal Control Systems."
l. Code of Federal Regulations (41 CFR Part 201), "Federal
Information Resources Management Regulations."
m. Federal Personnel Manual, Section 732.
n. National Telecommunications and Information Systems
Security Policy No. 200, "Access Control Protection."
a. The NASA programs depend on automated information
resources for essential support in accomplishing
operational, research, and management objectives. Many
agency programs and functions, involving important and
irreplaceable national resources, could not be
effectively carried out without automated information
support. These resources are relied upon to perform in
an accurate, reliable, accountable, and efficient
manner. Additionally, specific NASA missions
frequently require automated information support with
unique and specialized features for which backup
facilities and/or alternative processing sites are not
available or feasible.
b. Therefore, since the Agency's automated information
resources face identifiable risks of deliberate or
accidental misuse, loss, disruption, or destruction, it
is essential that steps be taken which are sufficient
to ensure that the following occur:
(1) systems and data have a high degree of integrity;
(2) the potential for abuse or misuse of automated
information resources is minimized; and
(3) continuity of operations is maintained.
a. It is NASA policy that automated information resources
shall be provided a level of security and integrity
consistent with the potential harm from their loss,
inaccuracy, alteration, unavailability, or misuse.
Specifically, actions shall be taken consistent with
management determinations of acceptable levels of risk,
sufficient to ensure that NASA automated information
systems and resources, whether maintained in-house or
under contract do the following:
(1) operate effectively and accurately;
(2) are protected from unauthorized alteration,
disclosure, or misuse of information processed,
stored, or transmitted;
(3) can maintain the continuity of automated
information support for significant NASA missions,
programs, and functions;
(4) incorporate management, general, and application
controls sufficient to provide cost-effective
assurance of the systems integrity and accuracy;
(5) have appropriate technical, personnel,
administrative, environmental, and access
b. Documentation of policies, standards, procedures,
guidelines, and responsibilities for implementation is
an essential part of the NASA AIS Program. Specific
actions taken, and planned to be taken to ensure the
security, integrity, and continuity of operations of
each NASA data processing installation and to identify
and certify all sensitive applications, together with
the planned schedule for completion or implementation,
shall be documented in an AIS Plan. Deviations from
automated information security policy, standards, or
procedures, as well as any significant deviations from
an AIS Plan will be reported to appropriate officials.
c. Copies of AIS plans and status reports will be
systematically provided to NASA Headquarters, Field
Installation, and/or appropriate Program Office senior
a. The Chief, NASA Security Office, is responsible for the
(1) Developing and implementing the AIS Program for
NASA. This includes: the development,
implementation, monitoring, and evaluation of the
NASA-wide AIS Plan; developing and promulgating
policies, guidelines, standards, and procedures;
regular monitoring of Field Installation AIS
programs and plans, and Program Office AIS plans;
and providing input to the NASA internal control
and budget development processes.
(2) Nominating official NASA representatives to
governmentwide and other boards, committees, and
organizations concerned with automated information
security and integrity. Such nominations will be
coordinated with and subject to concurrence by
other appropriate NASA officials.
(3) Establishing personnel security policies for
screening all NASA and contractor personnel
participating in the design, development,
operation, installation, and maintenance of NASA
automated information resources, as well as those
having access to NASA automated information
systems or data. These policies shall be
consistent with those established under the NASA
b. The Inspector General is responsible for periodic
reviews and evaluations of the NASA, Installations, and
Program Office automated information programs and
systems, to include those of NASA grantees and support
contractors, as deemed appropriate by the Office of
*c. The Associate Administrator for Procurement is
responsible for establishing policies to ensure that
appropriate technical, administrative, physical, and
personnel security control requirements are properly
set forth in solicitations and contracts for
acquisition of automated information resources and
construction of related facilities, together with any
instructions and/or claims or clauses to promote or
ensure contractor compliance.
d. The Associate Administrator for Safety and Mission
Quality is responsible for establishing policies,
standards, guidelines, and procedures consistent with
those established under this Instruction for assuring
the security and integrity of NASA's mission critical
automated information systems.
e. The Associate Administrator for Space Communications is
responsible for establishing policies, standards,
guidelines, and procedures for the security of
telecommunications transmission and reception. Where
such resources are used with automated information
systems or resources, the implementation of those
requirements shall be consistent with those established
under this Instruction.
f. The Program Associate Administrators are responsible
for implementing the requirements for security and
integrity of automated information systems directly
related to their program missions. This responsibility
includes developing and maintaining AIS plans
reflecting specific actions taken, and planned to be
taken to ensure the security, integrity, and continuity
of operations of automated information systems and
resources designed, developed, installed, or operated
at multiple Field Installations or physically disparate
locations, together with the planned schedule for
implementation of the Plan. These plans are to provide
for the following:
(1) The program-level implementation of the NASA AIS
(2) The establishment of program-level requirements
for mission critical or telecommunications
(3) The implementation of NASA, Department of Defense,
Department of Energy, or other Government agency
certification and accreditation requirements, as
appropriate, for installations and applications
processing, storing, or transmitting classified
g. The NASA Center Directors, and for NASA Headquarters
the Associate Administrator for Management Systems and
Facilities, are responsible for implementing and
maintaining Field Installation-level AIS programs.
Field Installation programs shall, at a minimum,
include management and internal control processes which
provide for the following:
(1) (a) Development, implementation, and monitoring
of an AIS Plan for the Field Installation and
for each data processing installation under
their jurisdiction. These plans must, at a
minimum, specify actions taken, and planned
to be taken to ensure the security,
integrity, end user contingency, disaster
recovery, and continuity of operations of
each such installation; actions taken, and
planned to be taken to identify and certify
all sensitive applications; actions taken to
assure that all acquisitions of automated
information resources adequately consider
security and integrity issues, and a schedule
for implementation of the Plan.
(b) Installation plans must also provide for the
implementation of NASA, Department of
Defense, Department of Energy, or other
Government agencies certification and
accreditation requirements, as appropriate,
for systems and applications processing,
storing, or transmitting classified
(2) Designation, in writing, of the individual(s) to
whom authority and responsibility for the
development, implementation, and monitoring of the
Field Installation-level AIS Plan has been
(3) Promulgation of directives that clearly describe
the Field Installation's AIS Program and the
responsibilities of data processing installation
and sensitive application security officials.
(4) Determination of which of the Field Installation's
information is sensitive.
(5) Identification of systems that process, store,
transfer, or communicate sensitive information
(6) Completion of periodic risk analyses of data
processing installations under the Installation's
cognizance. The size and scope of the risk
analyses should be appropriate to the subject
Installation. Risk management plans, sufficient
to appropriately address the results of all risk
analyses, shall be developed and included as a
part of the overall Field Installation Plan.
(7) Periodic evaluation and recertification of the
security safeguards in sensitive applications.
(8) Including appropriate security requirements in
specifications and/or statements of work for
acquisition or operation of information technology
installations, equipment, software, and related
(9) Developing and implementing a Field Installation
level automated information security awareness and
(10) Conforming with any additional policies or
programs established by the Headquarters offices
listed in subparagraphs a through h.
h. The NASA organizations, and contractors and grantees
acting on behalf of NASA, which initiate automated
information resources acquisitions are responsible for
assuring that appropriate technical, administrative,
physical, and personnel security requirements are
included in specifications, statements of work, or
requirements for the design, development, acquisition,
installation, operation, or maintenance of any
automated information resources not specifically
excluded by this Instruction.
8. THE NASA AUTOMATED INFORMATION SECURITY PROGRAM GUIDELINES
a. Standards, procedures, and guidelines for NASA AIS
programs and plans are described in Chapter 3 of NHB
2410.1, "Information Processing Resources Management."
The NASA AIS policies, standards, procedures, and
guidelines shall be consistent with the policies,
procedures, standards, and guidelines issued by
appropriate Federal agencies, including but not limited
to the following:
(1) Office of Management and Budget;
(2) Department of Commerce;
(3) General Services Administration;
(4) Department of Defense; and
(5) Office of Personnel Management.
b. Each NASA Center may develop supplemental site-specific
AIS Program guidelines as required.
NMI 2410.7B dated December 20, 1991.
/s/Daniel S. Goldin
*Changed by this revision.