The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration, and provide cost-effective IT security services in support of NASA's systems and e-Gov initiatives. The ITS Division ensures that information technology security across NASA meets confidentiality, integrity and availability objectives for data and information, to include disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls, and tracks security metrics to gauge compliance and effectiveness. The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures.
Publications from the NASA IT Security (ITS) Division that are relevant to the subject matter of this Wiki include:
NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR) (showing effective date)
- NPR 1382.1A NASA Privacy Procedural Requirements (Aug. 10, 2007).
- NPD 1440.6H NASA Records Management (Mar. 24, 2008).
- NPR 1441.1D NASA Records Retention Schedules (w/Change 4, 1/31/08) (Feb. 24, 2003).
- NPD 2540.1G Personal Use of Government Office Equipment Including Information Technology (June 8, 2010).
- NPD 2800.1B Managing Information Technology (Mar. 20, 2009).
- NPR 2800.1B Managing Information Technology (w/Change 1, 9/17/04) (Sept. 17, 1998).
- NPD 2810.1D NASA Information Security Policy (Apr. 9, 2009).
- NPR 2810.1A Security of Information Technology (Revalidated with Change 1, dated May 19, 2011) (May 16, 2006).
- NPD 2830.1 NASA Enterprise Architecture (Dec. 16, 2005).
- NPR 2830.1 NASA Enterprise Architecture Procedures (Feb. 9, 2006).
- NPR 7120.7 NASA Information Technology and Institutional Infrastructure Program and Project Management Requirements (Nov. 3, 2008).
- NPR 2841.1 Identity, Credential, and Access Management (NASA) (Jan. 6, 2016).
NASA Interim Directives (NID) (showing effective date)
- NM2810-64 NASA Interim Directive: Information Technology Security and Efficiency Requirements (May 22, 2008).
NASA Interim Technical Requirements (NITR) (showing effective date)
- NITR 2800_2 Email Services and Email Forwarding (Sept. 18, 2009).
- NITR 2800_1 NASA Information Technology Waiver Requirements and Procedures (Aug. 13, 2009).
- NITR-2830-1B Networks in NASA IP Space or NASA Physical Space (Feb. 12, 2009).
- NITR 1382_2 NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008 (Jan. 28, 2008).
IT Security Handbooks (ITS-HBK)
- ITS-HBK-2810.0001A Format and Procedures for an IT Security Handbook (Mar. 29, 2011).
- ITS-HBK-2810.0002 Roles and Responsibilities Crosswalk (Jan. 3, 2012).
- ITS-HBK-2810.0201 Security Assessment and Authorization (May 6, 2011).
- ITS-HBK-2810.0202 Security Assessment and Authorization: FIPS 199 Moderate & High Systems (Oct. 24, 2012).
- ITS-HBK-2810.0203 Security Assessment and Authorization: FIPS 199 Low Systems (Oct. 24, 2012).
- ITS-HBK-2810.0204 Security Assessment and Authorization: Continuous Monitoring – Annual Security Control Assessments (Oct. 24, 2012).
- ITS-HBK-2810.0205 Security Assessment and Authorization: External Information Systems (Oct. 24, 2012).
- ITS-HBK-2810.0206 Security Assessment and Authorization: Extending and Information Systems Authorization to Operate Process and Templates (Oct. 24, 2012).
- ITS-HBK-2810.0207 Security Assessment and Authorization: Information System Security Plan Numbering Schema (Nov. 10, 2010).
- ITS-HBK-2810.0208 Security Assessment and Authorization: Plan of Action and Milestones (POA&M) (Aug. 21, 2012).
- ITS-HBK-2810.0301 Planning (May 6, 2011).
- ITS-HBK-2810.0302 Planning: Information System Security Plan Template, Requirements, Guidance and Examples (Feb. 9, 2011).
- ITS-HBK-2810.0401A Risk Assessment: Security Categorization, Risk Assessment, Vulnerability Scanning, Expedited Patching, & Organizationally Defined Values (Oct. 12, 2012).
- ITS-HBK-2810.0402 Risk Assessment: Procedures for Information System Security Penetration Testing and Rules of Engagement (Feb. 11, 2011).
- ITS-HBK-2810.0501 Systems and Service Acquisition (Nov. 21, 2011).
- ITS-HBK-2810.0601 Awareness and Training (May 6, 2011).
- ITS-HBK-2810.0701 Configuration Management (May 6, 2011).
- ITS-HBK-2810.0801 Contingency Planning (Apr. 26, 2012).
- ITS-HBK-2810.0802 Contingency Planning: Guidance and Templates for Plan Development, Maintenance, and Test (Feb. 11, 2011).
- ITS-HBK-2810.0901 Incident Response and Management (May 6, 2011).
- ITS-HBK-2810.0902 NASA Information Security Incident Management (Aug. 24, 2011).
- ITS-HBK-2810.0903 Targeted Collection of Electronic Data (Aug. 24, 2011).
- ITS-HBK-2810.1001 Maintenance (NASA) (May 6, 2011).
- ITS-HBK-2810.1101 Media Protection (July 13, 2012).
- ITS-HBK-2810.1102 Media Protection: Digital Media Sanitization (July 13, 2012).
- ITS-HBK-2810.1201 Physical and Environmental Protection (May 6, 2011).
- ITS-HBK-2810.1301 Personnel Security (May 6, 2011).
- ITS-HBK-2810.1401 System and Information Integrity (May 6, 2011).
- ITS-HBK-2810.1501 Access Control (Sept. 4, 2012).
- ITS-HBK-2810.1502A Access Control: Elevated Privileges (EP) (Jan. 3, 2012).
- ITS-HBK-2810.1601 Audit and Accountability (NASA) (May 6, 2011).
- ITS-HBK-2810.1701 Identification and Authentication (NASA) (May 6, 2011).
- ITS-HBK-2810.1801 System and Communications Protection (NASA) (May 6, 2011).