NHB 1620.3C NASA Security Handbook
NASA NHB 1620.3C, (PART 3)
HANDBOOK Effective Date February 1, 1993
_________________________________________________________________
Responsible Office: JL
Subject: NASA Security Handbook (PART 3 of 5)
PREFACE
CHAPTER 26: SECURITY AREAS
2600 GENERAL
1. To ensure the successful accomplishment of the NASA
mission, certain designated security areas may be
established and maintained by NASA and component
Installations to provide protection for property and
classified material in NASA or a NASA contractor's
possession.
2. This Chapter discusses the designation and maintenance
of security areas, the responsibilities and procedures
in connection with such areas, and the penalties that
may be enforced through court actions against
violators.
2601 DEFINITIONS
1. Restricted Area. An area in which security measures
are taken to safeguard and control access to property
and hazardous materials, or to protect operations that
are vital to the accomplishment of the mission assigned
to a NASA or component Installation. All facilities
designated under the NASA Resource Protection (NRP)
Program shall be restricted areas (as a minimum
designation).
2. Limited Area. An area in which security measures are
taken to safeguard classified material or unclassified
property warranting special protection in which
uncontrolled movement would permit access to classified
information. To prevent unauthorized access to such
property, visitors may be escorted or other internal
restrictions implemented.
3. Closed Area. An area in which security measures are
taken to safeguard classified material where entry to
the area alone provides visible or audible access to
classified material.
4. Temporary Security Area. An area in which security
measures are needed for 30 days or less. A temporary
security area may also be established if approval as a
permanent security area is pending.
2602 ESTABLISHMENT, MAINTENANCE, AND REVOCATION
1. Establishment. Directors of NASA Field Installations
and the Associate Administrator for Management Systems
and Facilities may establish, maintain, and protect
such areas as restricted, limited, or closed areas
depending on an area's vulnerability to unauthorized
access.
Note: The previous requirement to notify the NASA
Security Office of establishment and revocation of
security areas has been rescinded. That informa-tion
will be requested immediately prior to functional
management reviews of the Installation, and proper
designation and control will be an item of interest to
the functional management reviews team.
2. Maintenance. Security measures may vary according to
individual situations, but the following minimum
security measures will be taken in all security areas:
a. Post signs at entrances and at intervals along the
perimeter of the designated area to provide
reasonable notice to persons about to enter the
area. Signs should read as shown in Appendix G;
however, upon request, the Chief, NASA Security
Office, NASA Headquarters, may approve signs now
used pursuant to a State statute.
b. Regulation of authorized personnel entry and
movement within the area, denial of entry to
unauthorized persons or material, and prevention
of unauthorized removal of classified material.
3. Revocation. Once the need for a security area no
longer exists, the area will return to normal
procedures immediately or as soon as practical.
2603 ACCESS
Only those NASA employees, contractors, and visitors who
need access and who meet the following criteria may enter a
security area:
1. Restricted Area. Subject of an appropriate
investigation consistent with the mission/task being
performed (Automated Information Security [AIS],
Classified, NRP, Personnel Reliability Program [PRP])
other individuals must be escorted by an authorized
NASA employee or contractor.
2. Limited Area. To enter a limited area, individuals
must have a security clearance equal to the
classification of material in the area, or have
received a satisfactory NAC if access to classified
material is not required. All other individuals must
be escorted. Escorts must be authorized NASA employees
or contractors who meet access requirements and have
been formally authorized access to the area.
3. Closed Area. To enter a closed area, individuals must
have a security clearance equal to the classification
of the material in the area and a need-to-know.
Directors of NASA Field Installations and the Associate
Administrator for Management Systems and Facilities, NASA
Headquarters, may rescind previously granted authorizations
to enter security areas when an individual's clearance
and/or a need-to-know can no longer be justified, his or her
presence threatens the security or safety of the property,
or is no longer required for official purposes.
2604 VIOLATIONS
Policy
1. Removal of Unauthorized Persons/Removal for Non-
Compliance. The Directors of NASA Installations and
the Associate Administrator for Management Systems and
Facilities may order the removal of any person who
violates regulations of security areas.
2. Criminal Penalties for Violation. Anyone who willfully
violates, attempts to violate, or conspires to violate
any regulation or order involving a security area may
be subject to prosecution under 18 U.S.C. 799, which
provides penalties for a fine of not more than $5,000
or imprisonment for not more than 1 year,
or both.
2605 STANDARDS FOR IMPREST FUND AREAS
Policy
1. NASA will furnish adequate protection for funds and
personnel involved in imprest fund activities.
2. Standards will be implemented as Installation resources
allow and will be commensurate with such factors as
threat, location, and amount of funds stored and/or
handled.
3. A cashier will be provided with a separate and enclosed
work space to ensure protection of funds and vouchers
and to keep interference by other activities and
personnel of the office at a minimum. Where possible,
an imprest fund cage or room of substantial
construction with a window for paying and receiving
will be provided.
2606 DEFINITIONS
1. Cashier. A NASA employee who has been designated as a
cashier by the officer responsible for making
disbursements and is thereby authorized to perform
limited cash disbursements or other cash operations.
2. Imprest Fund. A fixed cash or petty cash fund advanced
by an official Government disbursing office to duly
authorized cashiers for cash operations.
2607 IMPREST FUND CAGES
1. Windows. Windows used for the exchange of funds will
be constructed to prevent persons outside the window
from reaching money drawers or storage areas. The size
and placement of window openings in relation to
countershelves will create a physical barrier to
prevent access from the outside. Windows will be
bullet-resistant and equipped with a "passthrough slot"
that will protect the cashier but permit communication
and transactions.
2. Doors. The cage doors will be solidly constructed and
fitted with a built-in dial type, changeable, three-
position combination lock for after-hours security.
The lock's combination will be changed at least every 6
months or on the departure or transfer of persons who
know the combination. It must also be changed when
compromise is suspected or the door is found open with
the cage unattended. During normal business hours, the
door will be kept locked and controlled by a separate
locking device, such as a normal key lock, to save wear
on the combination lock. Doors will have a bullet-
resistant peep hole so the cashier can identify persons
requesting entry.
3. Intrusion Alarms. The cage will be equipped with
magnetic door switches and a volumetric intrusion
detection system for after-hours security protection.
The control (day/night) box will be located within the
secured area and feature a ring-back system. The
system will be monitored at the nearest location of the
designated security response force.
4. Duress Alarms. The cage will be equipped with a
discreet duress alarm, such as a kick-bar, which will
sound an alarm at the nearest location of the security
response force. The trigger mechanism must be placed
in such a manner that the cashier can activate the
system without alerting the perpetrator.
5. Telephone. The cage will have a telephone, and
emergency numbers, including the number of the security
response force, will be posted in the cage.
6. Security Patrols. Random security patrols of the
Imprest Fund area during normal operating hours will be
established. Where feasible, after-hours checks of the
cage by roving security patrols are recommended.
7. Containers. Safes or Class 5, tool-resistant,
insulated or un-insulated containers appearing on GSA
or Federal Supply Schedules will be used to store
public funds. When more than one person in the Imprest
Fund Office has cash in his/her possession, each must
be provided with a separate security container for
storage. Combinations of containers must be changed
every 6 months or upon the departure or transfer of
persons who know the combination, and when compromise
of the combination is suspected.
2608 WAIVERS
ICS may waiver any of the preceding standards if he or she
considers them impractical or unnecessary due to
Installation-unique circumstances. A written record of the
waiver, along with justification, must be kept on record in
the Installation's Security Office.
CHAPTER 27: STANDARDS FOR SECURE CONFERENCE ROOMS
2700 GENERAL
This Chapter provides the necessary criteria to construct or
modify two types of secure conference rooms: A "Secure
Conference Room," which does not transmit information
electronically, and a "Secure Conference Processing Room,"
which does. See Chapter 48 for additional information.
2701 SECURE CONFERENCE ROOM CRITERIA
In a "Secure Conference Room," classified discussions at the
collateral Secret level or lower may be held if authorized,
but information is not electronically processed. The room
is thoroughly examined by Technical Surveillance
Countermeasures (TSCM) Specialist(s). Once the TSCM
Specialist(s) declares the conference room free of listening
devices and audio hazards, the room will be kept under
control to prevent the introduction of Clandestine Listening
Devices. The following specifications involving walls,
doors, ducts, and alarm systems apply to a Secure Conference
Room:
1. Walls. Perimeter walls, floors, and ceilings may be
constructed without regard to material or thickness as
long as such walls show no evidence of any attempt at
forced entry, and they achieve a minimum of 45 Sound
Transmission Coefficient sound attenuation. The
perimeter walls should extend from slab to slab with no
windows.
2. Doors. All doors (to include jamb) must be
soundproofed to achieve a minimum of 45 sound
attenuation. Any type of perimeter door is acceptable
if it is of sufficient strength to prevent forced entry
without evidence. The door must have a built-in
combination lock such as the Sergeant and Greenleaf
Model SM-8470 or equivalent. If the door is installed
with the hinges on the exterior, the hinge pins must be
spot welded or secured by a set screw threaded through
one point of the hinge and the hinge pin to prevent
access to the set screw when the door is closed. All
other doors must be sealed or barred on the inside with
a lockable security deadbolt such as a Sergeant and
Greenleaf model SM-1. Doors should be equipped with a
pneumatic door closer and peep-hole viewing device.
3. Ducts/Miscellaneous Openings. All openings over 580
square cm/90 square inches will be protected with steel
bars, 1.27 cm/1/2 inch in diameter, mounted 15.24 cm/6
inches on center vertically and horizontally, and
welded at all intersections.
4. Alarms. The requirements for a security alarm system
depend on the physical location of the room, number and
type of guards available, hours of operation, type of
construction, and the degree of threat. The Secure
Conference Room should be equipped with the following
systems as a minimum:
a. High-Security Balanced Magnetic Door Switches on
all doors.
b. A Volumetric Intrusion Detection Alarm System
within the room.
2702 SECURE CONFERENCE PROCESSING ROOM
In a "Secure Conference Processing Room," not only is classified
information at the collateral Secret level or lower discussed,
but it is electronically processed.
1. Walls. All walls must be extended from slab to slab
with material that will furnish physical protection
equal to that provided by the rest of the wall. Walls
with no windows must be constructed so that any attempt
at forced entry is evident, and they must achieve a
minimum of 45 sound attenuation.
2. Doors. The room will have only one entrance with the
following items installed:
a. A dial-type, three-position, built-in, group l-R
changeable combination lock;
b. A pneumatic door closer;
c. A peep-hole viewing device; and
d. A daytime access control device (e.g., a cipher
lock).
All other doors must be sealed or barred on the
inside with a lockable security deadbolt such as a
Sergeant and Greenleaf Model SM-l. All doors (to
include jamb) must be soundproofed to provide a
minimum of 45 sound attenuation.
e. Ducts. All ducts must be equipped with sound
baffles that provide a minimum of 45 sound
attenuation. Any ducts larger than 580.64 square
cm (90 square inches) must be fitted with steel
bars or alarms at the point of egress and be
equipped with duct traps.
f. Alarms. All doors must be equipped with a
balanced magnetic door switch, and the entire room
(above and below the false ceiling) must be
equipped with a volumetric intrusion detection
system. All control boxes for the system must be
located inside the room and the system monitored
by high security line supervision.
2703 TELEPHONES
1. All black (unsecured) telephone systems should be
removed from the Secure Conference Room and Secure
Conference Processing Room.
2. If a telephone is absolutely essential, an alternate
system using Telephone Security Group approved
equipment and methods may be used. Selection of the
system should be coordinated in advance with the NASA
Security Office TSCM representative.
2704 CLASSIFIED MEETINGS HELD IN ROOMS OTHER THAN SECURE
CONFERENCE ROOMS
The following measures will be taken when infrequent
classified meetings are held in rooms not configured per
paragraphs 2701 or 2702 above.
1. Meetings will be limited to collateral Secret or below.
2. Positive access control will be implemented.
3. A TSCM Specialist, if available, or Security Officer
will conduct a prior visual inspection and recommend
security procedures for the meeting.
2705 SPECIAL CASES
The preceding specifications do not apply to conference
areas where the level of security exceeds the collateral
Secret level. For these areas, additional guidance is
available on a case-by-case basis. The NASA Security
Office, NASA Headquarters, will be contacted for any
interpretation of these specifications.
CHAPTER 28: NASA RESOURCE PROTECTION (NRP) PROGRAM/PROTECTION
2800 GENERAL
1. The NRP Program is established per NMI 1600.2, "NASA
Security Program."
2. All NASA Installations will establish procedures to
implement the NRP Program. This Chapter establishes
NRP policy and provides guidance for its
implementation. All Installations under NASA's
jurisdiction will establish procedures to protect key
facilities under the NRP Program, as well as those
facilities approved for additional protection by the
Field Installation Director.
3. For NASA Installations in foreign countries, NRP
procedures will be as mutually agreed between the
responsible NASA program office and the host government
and will be consistent with the applicable
international agreements.
2801 SCOPE
The NRP Program is limited to that portion of the NASA
Security Program directed to the protection of designated
NRP resources. The NRP Program includes the planning and
implementation of security measures involving human threats,
internal and external. The NRP Program does not counter
natural disasters.
2802 DEFINITIONS
1. NRP Resources. Those assets identified by the
cognizant Program Office to be so crucial to the
success of NASA missions as to warrant an enhanced
level of protection over that routinely provided to
NASA facilities. Include NASA flight vehicles,
equipment, facilities, and other elements proposed as
components of NRP by NASA Installations, concurred with
by the cognizant program office and forwarded to the
Associate Administrator for Management Systems and
Facilities in the NASA-wide NRP Program. NRP resources
may include critical components and facilities
associated with the Space Shuttle, expendable launch
vehicles, associated upper stages, Spacelab, Space
Station Freedom, National Aerospace Plane,
communication and control capabilities, Government-
owned flight or experimental flight vehicles and
apparatus, and one-of-a-kind irreplaceable facilities,
such as, wind tunnels, aerodynamic simulators, unique
contractor sources of critical parts, propellants, and
production or assembly facilities.
2. Category A - Mission Critical Assets. Those assets
whose loss could cause the loss of a flight vehicle or
crew, the capability to process or launch a flight
mission, or the ability to conduct a critical program
of research.
3. Category B - Mission Essential Assets. Those assets
whose loss would significantly hamper the completion of
a flight operation or of carrying out an essential
research program. A maximum delay of up to 6 months to
restore lost capability must be acceptable for Category
B to apply. Each asset must be evaluated on a case-by-
case basis; if the above criteria cannot be satisfied,
then the asset must be upgraded to Category A.
4. NRP Program Plan. Consists of those security
enhancements prioritized and supported by a budget
plan, and submitted by a NASA Installation to the
Program Office for budget approval. The Plan is
reviewed by the SMWG and the Associate Administrator
for Management Systems and Facilities.
2803 POLICY
It is NASA policy to designate and provide reasonable and
affordable protection within acceptable risks to those vital
NRP resources for which the Agency is responsible. These
unique resources, which support agency and national goals,
cannot be reasonably replaced; therefore, they will be
protected as critical or essential NASA resources.
2804 NRP PROGRAM PLAN
The following guidance governs the preparation of the NRP
Program Plan:
1. Vulnerability assessments will be conducted for each
NRP facility/item. These assessments will categorize
potential adversary forces and weapons systems and will
develop probabilities or rankings of attack. The NASA
Headquarters postulated threat statements as locally
supplemented will be the basis for each Field
Installation in the conduct of the specific threat
assessments.
2. To sustain program survivability based on the
vulnerability assessment, the facilities and systems
associated with planning, training, and testing, and
the logistics and production capabilities that support
these operations, will be protected to the degree
necessary to preserve the facility/item.
3. The NRP System Security Standard, Appendix H, will be
used to establish specific security measures for NRP
resources.
4. The security measures will be implemented for the
duration of the program with appropriate security
intensification during critical operations.
5. Flight resources will be protected to the degree that
an ongoing flight can maintain safe operations and
program objectives are not jeopardized.
6. Equivalent levels of protection between NASA Field
Installations, DoD facilities, or other Government
agencies will be implemented where applicable.
7. When an NRP asset is mobile or temporary, the Program
Office must designate a responsible facility.
8. All NASA Installations must submit to the NASA
Headquarters Program Office and NASA Security Office
recommendations on assets proposed for inclusion in the
NASA NRP Program Plan with justification,
prioritization, and budget strategy clearly described.
9. NASA NRP Program Plan. Cognizant Program Offices will
review, prioritize, and incorporate proposed
Installation security enhancements into Program Office
plans. These plans will detail all approved
enhancements and the resources required to implement
them. Once approved, the Plan will provide the basis
for incorporation of NRP enhancements in budget
formulation and program implementation.
10. Installation Reviews. The adequacy of security
measures for each NRP resource will be continually
reviewed by each affected Field Installation. Any
reported incident or breach is to be assessed for
possible NRP impact and reported to the NASA
Headquarters Program Office and NASA Security Office.
11. Biennial Review. The NASA Security Office will review
the effectiveness of an Installation's security at
least every 2 years.
2805 RESPONSIBILITIES
1. The Associate Administrator for Management Systems and
Facilities is responsible for the NRP Program. These
duties include establishing overall policy and
guidance, and providing a focal point, internal and
external to NASA, for matters pertaining to NRP. This
office has overall responsibility for adjudication of
NRP issues.
2. Institutional Program and programmatic Associate
Administrators are responsible for reviewing plans for
NRP proposals, appointing representatives to the SMWG,
advocating the budget, and implementing enhancements.
3. Installation Directors are responsible for conducting
vulnerability assessments, preparing NRP proposals,
funding approved enhancements, and implementing
activities to be carried out at Installations.
4. The Chief, NASA Security Office, is responsible for
functional oversight of all NRP-related security
activities being carried out within the Agency,
chairing the SMWG, and conducting effectiveness reviews
of NRP activities at NASA Installations.
2806 PHYSICAL SECURITY RESPONSIBILITIES FOR NRP AND KEY
FACILITIES
1. The Installation Chief of Security (ICS) has the
following responsibilities:
a. Developing the threat assessment for the
Installation in accordance with Chapter 42 of this
Handbook.
b. Ensuring that security surveys are conducted to
determine the level of vulnerability of key
facilities, including all NRP facilities, to
theft, sabotage, terrorism, vandalism, and violent
demonstrations. The survey will be used to
establish a requisite level of protection that is
reasonable, affordable, practical, and
responsible.
c. Ensuring all key facilities are included in the
Installation security plan.
d. Developing countermeasures to specific
vulnerabilities of key facilities.
e. Seeking advice and assistance in the development
of specific physical security requirements from
Program Office Security Officials and Program
Managers.
f. Ensuring that key facilities are checked
periodically by the Installation Security Force.
g. Reporting threats and unusual incidents to NASA
Headquarters (per Chapter 41).
2. NASA Directors of Field Installations have the
following responsibilities:
a. Informing employees of their responsibility for
securing the facility;
b. Identifying the appropriate level of position
sensitivity needed for unescorted access to a key
facility;
c. Authorizing access to key facilities and providing
the means to identify individuals who have access;
and
d. Prohibiting unauthorized access to the facility.
3. NASA supervisors ensure that they and their personnel
know the criticality and vulnerability of the key
facility.
4. Employees (NASA and non-NASA) report to their
supervisors any known or suspected practice or
condition that does not provide proper safeguarding.
2807 GENERAL
Required physical security surveys may be confined to a
single building or extend to encompass an entire remote
site. Therefore, reports must be well written and flexible
enough to accurately document all survey efforts. (The ICS
can determine his/her own survey.)
1. Survey Personnel. Well trained survey teams, headed by
representatives from the Installation Security Office,
understand that protection problems are affected by the
nature of the operation, the criticality of the
resource, and its vulnerability. They know there is
rarely any single solution to the protection problems
of a given Installation. (The survey team may consist
of personnel from other offices.)
2. The Survey. A physical security survey is conducted
during the regular office hours of the Installation,
office, or facility being surveyed, and also during
nonduty hours when the threat of surreptitious entry is
probably highest.
3. Minimum Protection Standards. The survey team chief
must consider the minimum protection standards in this
Handbook and strike a careful balance between what
exists, what is desirable, and what is immediately
required to provide an acceptable degree of protection.
4. Required Surveys.
a. Ideally, initial surveys will be conducted before
a new activity is operational or as soon as is
practical to determine its ability to protect
critical and vulnerable resources.
b. Annual surveys will be conducted to determine the
facility's ability to continue to protect its
resources.
c. Special surveys will be conducted when the
perceived threat changes, or when changes alter
the protective capability of a facility, building,
activity, or Installation or when an Installation
Director requests it.
d. Followup surveys will be conducted until any
deficiency identified during a survey is corrected
or a waiver has been granted from JIS/NASA
Security Office.
5. Risk Assessment
1. Based on survey results, a risk assessment will be
presented to the Field Installation's Risk
Assessment Authority.
2. Directors of Field Installations are designated as
the RAA for the Installation. The RAA will decide
if any security standards will be waived.
Security standards for Category A, Mission
Critical Assets, and Category B, Mission Essential
Assets, are contained in Appendix H.
6. Plan of Action
1. Based on approval by the RAA, a plan of action is
developed to establish security measures for the
protection of the facility.
2. Specific measures are implemented in a programming
document or in operating procedures.
CHAPTER 29: SECURITY CONTROL CENTERS
2900 GENERAL
A properly configured Security Control Center is required
for the effective command and control of the security force.
2901 EQUIPMENT
At a minimum, the Security Control Center should include:
1. A radio base station with security force frequencies
and compatible frequencies with local law enforcement.
2. An Installation layout map depicting patrol areas, the
Installation perimeter, and jurisdictional
responsibilities.
3. Operating plans, checklists, and other documents
stating requirements including a copy of the
Installation security plan.
4. An intrusion detection system (IDS) annunciator panel.
If feasible, all Security Alarm Systems should
terminate at the Security Control Center.
5. A telephone system that includes direct lines to key
facilities and key law enforcement agencies.
6. A duress system that annunciates at another location
and provides direct response forces.
7. A self-initiating emergency power source to ensure
continued operation of the Security Control Center.
2902 ALARM SYSTEM OPERATIONS
1. Alarm Response Time. Site-specific tests will be made
periodically to ensure timely responses to alarms. If
an intruder can enter and depart within 10 minutes and
the response time is 15 minutes, then measures need to
be taken to improve response time. Results of the
response times shall be critiqued immediately for
possible improvement and, later, incorporated in the
facility's security survey.
2. Tests
a. Alarm equipment and circuits shall be tested at
least once a month by actual intrusion of the
protected area or object. Test results shall be
recorded noting the test date and the name of the
person who conducted the test.
b. When volumetric or proximity sensors are used,
sensitivity and walk tests shall be conducted
periodically to ensure that the degree of required
sensitivity is maintained.
c. False and nuisance alarm rates shall be recorded
and results analyzed to determine alarm system
performance.
d. All alarm equipment and circuits shall be serviced
by qualified personnel.
2903 ALARM SYSTEM POWER SOURCES
1. Alarm systems require a primary and auxiliary power
source.
2. Auxiliary power shall be supplied by batteries or
engine-driven generators. Switch over to the auxiliary
power must be automatic upon failure of the primary
power source. A signal shall be generated to alert the
Control Center that the system is operating on standby
power. If both power sources fail, a signal shall be
activated on the Security Control Center monitor to
indicate this condition.
3. Rechargeable batteries shall be kept fully charged and
nonrechargeable batteries shall be replaced whenever
the voltage drops 20 percent below the rated voltage.
A signal shall be activated on the Security Control
Center monitor to indicate when this condition exists.
4. Auxiliary power sources must be capable of maintaining
full operation of the alarm system for at least 8
hours.
5. The power supply, other than public utility, shall be
vented sufficiently to prevent deterioration of any of
its components as a result of operation under high
temperatures.
6. Power sources shall be serviced by qualified personnel.
2904 ALARM LINE SUPERVISION
Line supervision limits and line tamper alarm capability
shall be specified as follows:
1. Underwriter Laboratories' Class AA requirements shall
be met.
2. The line shall be continuously supervised so as to
detect any attempts to short, open, or substitute a
bogus signal for the legitimate "no alarm" signal.
CHAPTER 30: LOCKS AND LOCKING SYSTEMS
3000 GENERAL
1. Locks are the most generally utilized security devices;
however, with the exception of certain specially
designed combination locks, they are inadequate for
serious security applications and should not be
considered alone as appropriate security for classified
information or high value material/information. The
higher the values at risk, the less one can rely on any
lock, especially if it is used alone. In those
situations, locks, without other protective measures,
are simply inadequate.
2. Locks can, however, contribute to an overall crime
prevention plan. Various state-of-the-art lock systems
are available, but the selection of the lock must
address the ultimate questions of "What is the
potential highest value at risk at any given time in
the future?" and "Will the loss of such materials
create a requirement for expensive investigations by
the Inspector General (IG), FBI, or security
personnel?"
3001 POLICY
1. NASA Chiefs of Security normally oversee the lock
system program on their Centers.
2. The cognizant NASA Chief of Security should implement a
program to oversee the use of lock mechanisms at a NASA
Installation. This program should include the
following elements:
a. A rationale, stated purpose, and established
procedures;
b. A balance between security and convenience;
c. Selection and use of lock mechanisms;
d. Established levels of authorization for issuing
keys;
e. A current system that records the number of keys
issued, number of keys lost, and identities of
persons holding keys; and
f. Computerized records of the dates combinations are
due for change.
Note: For security purposes, records of the
combinations themselves should not be computerized.
CHAPTER 31: AIRCRAFT SECURITY
3100 PHYSICAL SECURITY RESPONSIBILITIES
1. The Installation Chief of Security (ICS) has the
following responsibilities to protect NASA aircraft:
a. Ensure that a security survey is conducted on
resident aircraft, hangars, ramps, and airfields.
The security survey will determine the level of
criticality and vulnerability of NASA flight
assets to theft, sabotage, terrorism, vandalism,
and air piracy. The survey will be used to
establish a requisite level of protection that is
reasonable, affordable, practical, and
responsible. Appendices I, J, K, L and M contain
guidelines which will assist in the accomplishment
of surveys.
b. Ensure that specific security measures for the
protection of NASA Aircraft are included in the
Installation Security Plan.
c. With the help of aircraft commanders, the ICS will
develop physical security requirements tailored to
the configuration of specific aircraft to be
included in the Pilot's Aircraft Check List.
d. Develop a system to detect the unauthorized
movement or taxiing of aircraft.
e. Develop an alerting system that promptly advises
the tower, fire department, security force, and
other appropriate authorities of such
insecurities.
f. Develop a response procedure in the event of the
unauthorized movement of an aircraft.
g. Report threat or unusual incidents to NASA
Headquarters, via the serious incident reporting
system, Chapter 41. The NASA Security Office will
advise the NASA Aircraft Management Office of all
security incidents involving NASA aircraft.
2. Aircraft Commanders have the following
responsibilities:
a. Carry out provisions of the Pilot's Aircraft Check
List, ensuring security of their aircraft at
transient domestic and international locations.
b. Prohibit unauthorized access to their aircraft.
c. Ensure that passengers are properly identified and
that baggage and packages are either associated
with passengers or are authorized NASA cargo. If
baggage is unaccompanied or cannot be identified,
it will be rejected.
d. Conduct security inspections of their aircraft
before placing it in service and after it has been
left unattended.
3101 BOMBS OR AIR PIRACY THREATS
1. In the event of a bomb threat, an Aircraft Commander
will conduct a security inspection on the ground before
the next flight or, if the aircraft is in flight,
immediately after its next landing. If the aircraft is
on the ground, a security inspection will be done
immediately.
2. If an act or suspected act of air piracy is committed,
the Aircraft Commander will notify the air traffic
controller immediately.
3. The ICS will also be notified of all such threats.
CHAPTER 32: CRIME PREVENTION PROGRAM (CPP)
3200 BACKGROUND
This Chapter highlights an Installation Crime Prevention
Program (ICPP). Crime prevention attempts to reduce,
eliminate, or neutralize opportunities and conditions that
tempt and cause individuals to commit crimes.
3201 OBJECTIVE
Although we can curb criminal access to certain "tools," it
is impossible totally to control capability. What we can
control is opportunity. Therefore, crime prevention within
NASA, and the ICPP in particular, will focus on reducing
criminal opportunity.
3202 CRIME ANALYSIS
1. Directly tied to risk assessment and how and where
security resources can be best applied, crime
analyses reveal patterns and trends in locations,
methods of operation (MO), correlations to other
crimes and MO, and time and profit.
2. Security education significantly enhances the success
of the ICPP. The key importance of such information is
its dissemination to all personnel to reduce criminal
opportunity.
3203 RESPONSIBILITIES
1. The Associate Administrator for Management Systems and
Facilities or the Installation Director ensures that
there are enough personnel, money, and other resources
to support the ICPP.
2. The Installation Chief of Security (ICS) builds a
progressive crime prevention program, including a
security education program.
CHAPTER 33: CONTROL AND ISSUANCE OF FIREARMS
3300 AUTHORITY
The Associate Administrator for Management Systems and
Facilities may direct the following officers and employees
to carry firearms on official duty:
1. The Chief, NASA Security Office, and designated
security personnel;
2. The Chief of Security, NASA Headquarters (Code JBF),
Operations, and designated security personnel;
3. The Chief of Security of each NASA Installation and
designated security personnel; and
4. NASA employees assigned to security duties, such as
couriers, guards, or plant protection personnel; and
5. NASA contractors and subcontractors engaged in the
protection of property owned by the United States and
located at facilities owned by or contracted to NASA.
3301 DEFINITIONS
1. Certifying Officials. The Chief, NASA Security Office;
Chief Headquarters Security Branch; Director of a NASA
Field Installation; or the Installation Chief of
Security.
2. Concealed Firearm. The carrying of a firearm that
cannot be detected by direct observation. For reasons
of safety, concealed firearms should normally be
carried in a hip or shoulder holster.
3. Unconcealed Firearm. The carrying of a firearm that
can be detected by casual or direct observation.
3302 RESPONSIBILITIES
1. NASA certifying officials (see paragraph 3301.1) must
ensure that all provisions of this Chapter are complied
with, and will assist NASA procurement personnel in
their obligations.
2. NASA procurement personnel prepare the statements of
work to be included in a purchase request for contract
guard service.
3. NASA employees and contractors to whom firearms are
issued are responsible for strict compliance with all
the conditions regarding the carrying and use of
firearms as established in this Chapter and Chapter 34,
"Application of Force."
4. NASA personnel and contractors will not carry firearms
outside the 50 states, the District of Columbia, and
Puerto Rico without the advance approval of the Chief,
NASA Security Office, NASA Headquarters.
3303 CERTIFICATION TO CARRY FIREARMS
The certifying official will issue a "Certificate of
Authority to Carry Firearms" (NASA Form 699A or 699B). The
following items define the forms, and their use and
procedures for certification:
1. NASA Form 699A is a certification to carry concealed
firearms which may be issued only to NASA employees,
other than uniformed guards. This form will be
prepared in triplicate and will indicate the date of
expiration (not to exceed 2 years). The original
certificate will be issued to the employee and a copy
forwarded to the NASA Security Office, NASA
Headquarters. Termination of employment or assignment
to duties not requiring the continuation of a
certification to carry firearms will require the return
of the original certificate to the certifying officer.
Exceptions to this requirement may be made only by the
Chief, NASA Security Office, NASA Headquarters.
2. NASA Form 699B is a certification to carry unconcealed
firearms, which may be issued only to NASA contractor
employees serving as uniformed guards. This form will
be prepared in duplicate and will indicate the date of
expiration (not to exceed the term of any applicable
guard service contract; otherwise, not to exceed 1
year). The form will also identify the specific nature
and location of official duties which require the
carrying of firearms. The original certificates will
be issued to the employee and will be retained in the
employee's possession while on official duty. One copy
of the certificate will be retained by the NASA
certifying official. All losses of certificates will
be reported immediately to the certifying official.
Upon termination of employment or assignment to duties
no longer needing certification to carry firearms, the
original certificate will be returned to the certifying
official. Exceptions to this requirement may be made
only by the certifying official.
3. NASA Forms 699A and 699B are serialized for control and
accountability purposes. Certifying officials maintain
appropriate accountability records, including
certification of destruction, for all forms in their
custody, and ensure that all unused forms are kept in a
secure storage container other than the one in which
the accountability records are stored.
4. Certifying officials cannot sign their own
certificates. Certificates authorizing the issue of a
weapon to a certifying official will be forwarded to
Code JIS for appropriate signature.
3304 CONDITIONS UNDER WHICH FIREARMS MAY BE CARRIED
1. Firearms may be carried only when all of the following
criteria are met:
a. When the individual is in immediate physical
possession of a valid NASA certification to
carry firearms;
b. When the individual has successfully completed a
qualification course for the firearm being carried
and the qualification is current (refer to
Appendices N and O);
c. When it is necessary and vital in the performance
of official NASA duties; and
d. With the knowledge and approval of a certifying
official.
2. The wide range of circumstances under which it may be
necessary to carry firearms requires consideration of
all pertinent factors, augmented by common sense and
good judgment.
3305 WEAPONS ABOARD COMMERCIAL AIRCRAFT
Federal Aviation Administration (FAA) Regulations prohibit
the carrying on or about his or her person or property a
deadly or dangerous weapon either concealed or unconcealed,
accessible to him or her while aboard a commercial aircraft.
The transport of classified documents or materials is not
considered justification for carrying a deadly or dangerous
weapon aboard a commercial aircraft. If extremely
compelling circumstances require a NASA employee to carry a
firearm aboard a commercial aircraft, the following steps
will be taken:
1. Preflight
a. A NASA Security Specialist will document the need
for an accessible firearm on official duty during
the period from the time the individual would
otherwise have checked it until the time it would
have been returned after deplaning.
b. The NASA Security Specialist will notify the
airline of the flight on which the individual
intends to have a firearm at least 1 hour prior to
flight departure or, in an emergency, as soon as
practical prior to flight departure.
c. The NASA Security Specialist will present the
documentation discussed above in subparagraph a, a
NASA Security Officer Credential, and a valid
Certificate of Authority to Carry Concealed
Firearms (NASA Form 699A) to the airline
representative.
d. Prior to boarding, the armed NASA Security
Specialist will request and receive a briefing
from the airline representative on the procedures
for carrying firearms aboard its aircraft. Each
armed person must be notified of the seat location
of other armed person(s) aboard the flight.
Discretion should be used to protect the
person's identity.
e. The Installation Chief of Security will notify and
receive concurrence from the Chief, NASA Security
Office, NASA Headquarters, of each instance where
it is necessary for armed NASA security personnel
to board commercial aircraft.
2. In-flight
a. During flight, an armed NASA Security Specialist
should never take independent law enforcement
action or intervene in an incident, such as a
fight between a crew member and an inebriated
passenger, or a hijacking, unless the captain
requests assistance.
b. A NASA Security Specialist shall not use
intoxicants while armed with a firearm.
3. Checking Firearms and Ammunition in Baggage. When not
required during flight, the firearm will be stored,
unloaded, in a locked container that the airline
considers appropriate for air transportation. Before
checking the baggage, the NASA Security Specialist must
declare to the airline representative, orally or in
writing, that the firearm is not loaded. Only the NASA
Security Specialist checking the baggage will retain
the key to the container.
3306 FIREARMS INSTRUCTION
1. The certifying official may designate a firearms
instructor, who will inform the certifying official in
writing of an individual's knowledge of the rules of
firearm safety and the content of this Handbook. In
cases involving a contractor guard force, the firearms
instructor may be appointed from the guard force
complement.
2. The following minimum standards will be met before a
firearms instructor or certifying official will
consider an individual qualified to carry firearms:
a. Recent firearms training and experience during
prior employment, such as the Federal Bureau of
Investigation, Secret Service, police, military,
or other significant and qualifying experience, if
individuals qualify under other provisions of this
Chapter within 30 days of the effective date.
These qualifications may be verified by employment
history or by a personal interview.
b. Appropriate NASA training, including firearms
safety procedures, followed by obtaining a
qualifying score on a recognized course as
specified in the next paragraph (3307).
3307 TRAINING
1. Personnel should be trained on firearm ranges
authorized by Federal, state, or municipal authorities.
Personnel may be certified after firing a qualifying
score at a Federally certified firearms course (see
Appendix O of this Handbook). The NASA Security
Office, NASA Headquarters, must approve the course and
minimum qualifying score selected by each Installation.
2. As soon as possible after certification, personnel
should receive testing/training in judgmental shooting
(whether to shoot or not to shoot), through NASA's
Firearms Training System (FATS).
3308 MAINTENANCE OF PROFICIENCY
1. Personnel authorized to carry firearms will be required
to fire a qualifying score on an approved course at
least once every 6 months.
2. All personnel authorized to carry firearms must
successfully complete testing/training on the FATS
annually, if possible, or as often as the system is
available at that NASA Installation.
3309 RECORDS
The certifying official or firearms instructor will maintain
records of personnel certified to carry firearms, including
the basis for qualification, qualifying scores, rounds
fired, and all other pertinent data. Records will be
maintained for 2 years.
3310 FIREARM STANDARDS
1. In the interest of effective performance and public
safety, firearms should not be less than 9mm and not
greater than .357 magnum caliber. Standard,
commercially manufactured ammunition should be
appropriate to the firearm. In the interest of safety
and accuracy, firearms should be manufactured in the
U.S.A. The use of foreign manufactured firearms of
high quality may be authorized by the certifying
official.
2. The use of personal weapons is prohibited. The use of
weapons other than those described above (automatic
rifles, shotguns, etc), must be justified on a case-by-
case basis and approved by the Chief, NASA Security
Office.
3. Firearms will be periodically inspected and kept in
good working order by a qualified gunsmith. Ammunition
holsters and related equipment will be periodically
inspected for deterioration and kept in good working
order.
3311 ACCOUNTABILITY OF FIREARMS
1. The control and custody of all firearms within a NASA
Installation will be under strict accountability at all
times and will be the ultimate responsibility of the
certifying official. The certifying official will
appoint a custodian of all firearms within the
Installation Security Office and within each contractor
guard force of each NASA Installation. Each custodian
will indicate the acquisition of all firearms in an
appropriate record, including the date and method of
acquisition, and full identifying data, that is, the
caliber, make, and serial number of each firearm.
2. Within 90 days after the effective date of this
Handbook, all certifying officials will furnish the
NASA Security Office, NASA Headquarters, the data
required in the above subparagraph 1, with the
exception of firearms possessed by contractor guard
forces. The initial report will include a complete
inventory of firearms. All subsequent changes will be
reported as they occur. Current contractor firearms
data will be maintained in the Installation Security
Office.
3. A receipt system for recording the issuance, transfer,
and return of all firearms will be maintained by the
custodian. Receipts will include the following details:
a. Dates of issuance, transfer, or return to custody;
b. Serial numbers of firearms;
c. Signatures of recipients; and
d. Signatures of custodians upon return of the
firearms.
Note: Both NASA personnel and contractor receipts will
be retained by each Installation for 1 year.
4. Lost, stolen or missing firearms will be reported
immediately to the NASA Security Office, NASA
Headquarters. The report will include all available
details concerning the event with a complete
description of the weapon. The report should not be
delayed pending a complete report of the circumstances.
A description of the lost, stolen, or missing firearm
will be provided to the FBI, and state and local
police.
3312 STORAGE AND EXCHANGE OF FIREARMS AND AMMUNITION
1. Loaded firearms will never be stored.
2. Firearms and ammunition will be stored separately in
secure places at all times. Storage containers with
built-in three-position combination locks are adequate.
Firearms and ammunition will not be stored with money,
drugs, precious materials, or classified information.
3. Weapons will not be exchanged on a guard post. Any
exchange necessary will be done only in an area where a
"clearing barrel" is provided.
NOTE: The provisions of this chapter do not apply to NASA
Inspector General Office personnel, whose authority is
derived from other sources.
CHAPTER 34: APPLICATION OF FORCE
3400 GENERAL
This Chapter establishes procedures to ensure that NASA
security force personnel exercise use of force in a manner
consistent with both NASA's security objectives and
recognized legal standards. The provisions of this chapter
do not apply to the Inspector General Office personnel,
whose authority is derived from other sources.
3401 DEFINITIONS
1. Ordinary Force. A degree of force which is neither
likely nor intended to cause death or great bodily
harm.
2. Reasonable Force. Only that force necessary to
overcome an opposing force.
3. Deadly Force. A degree of force which a reasonable
person would consider likely to cause death or serious
bodily harm.
4. Use of Force Report. A report used to document details
of the force exercised.
3402 PROCEDURES FOR DEADLY FORCE
1. Deadly force shall be used only in those circumstances
where the security force officer reasonably believes
that either he, she, or another person is in imminent
danger of death or serious bodily harm.
2. Use of firearms
a. If it becomes necessary to use a firearm in any of
the circumstances described in Section 1203b.106,
of NMI 1600.3, NASA security force personnel shall
comply with the following precautions whenever
possible:
(1) Give an order to halt before firing;
(2) Do not fire if shots are likely to harm
innocent bystanders; and
(3) Shoot to stop.
b. Warning shots are not authorized.
c. In the event that a security force officer
discharges a weapon while in a duty status, the
following steps shall be taken:
(1) The incident shall be reported to the
Installation Chief of Security who, in turn,
will report it to the NASA Security Office as
expeditiously as possible, with as many
details supplied as are available.
(2) The officer shall be promptly suspended from
duty with pay or reassigned to other duties
not involving the use of a firearm, as the
Installation Director or the Associate
Administrator for Management Systems and
Facilities deems appropriate, pending
investigation of the incident.
(3) The cognizant Installation Director or, for
incidents occurring at NASA Headquarters, the
Associate Administrator for Management
Systems and Facilities shall appoint an
investigating officer to conduct a thorough
investigation of the incident. Additional
personnel may also be appointed as needed to
assist the investigating officer. Upon
conclusion of the investigation, the
investigating officer shall submit a written
report of findings and recommendations to the
appropriate Installation Director or the
Associate Administrator for Management
Systems and Facilities.
(4) Upon conclusion of the investigation, the
Installation Director or the Associate
Administrator for Management Systems and
Facilities, with the advice of counsel, shall
determine the disposition appropriate to the
case.
3. Firearms will be periodically inspected and kept in
good working order by a qualified gunsmith.
Ammunition, holsters, and related equipment will be
periodically inspected for deterioration and kept in
good working order. Firearms and ammunition will be
securely stored separately in locked containers.
Loaded firearms will not be stored. Neither firearms,
nor ammunition, will be stored in the same containers
as money, drugs, precious materials, or classified
information. NASA Headquarters and each Installation
shall adopt procedures for the maintenance of records
with respect to the issuance of firearms and
ammunition.
3403 PROHIBITIONS
1. The unreasonable use of force, i.e., the use of force
in excess of the degree required to overcome
resistance, is considered misconduct. Such misconduct
shall result in administrative, civil, and/or criminal
action against the perpetrator.
2. Verbal abuse, verbal threats of violence, non-physical
threats, or non-violent resistance cannot be the basis
under any circumstances for the use of force.
3. Firing into or over crowds is strictly forbidden.
4. Firearms shall not be fired from or at a moving
vehicle.
5. Firearms shall not be fired when the safety of innocent
persons, or of property designated as a NASA Resource,
is endangered by the discharge of such weapon.
6. NASA security force personnel shall not draw a firearm
unless he or she intends to use deadly force.
7. Firearms shall not be discharged at escaping prisoners
who are handcuffed, regardless of pending charges or
conditions.
8. Firearms shall not be knowingly discharged at
juveniles, unless there is imminent danger of bodily
harm by the juvenile.
9. Firearms shall not be discharged while seeking to
apprehend misdemeanants or non-infamous felons.
3404 SECURITY FORCE EQUIPMENT
Security force equipment must be approved by the
Installation Chief of Security, with concurrence of the
Installation Chief Counsel and authorized by the
Installation Director or Associate Administrator for
Management Systems and Facilities.
3405 USE OF FORCE REPORT
1. The Installation Chief of Security will be responsible
for the preparation of the Use of Force Report, for the
following incidents:
a. Use of handcuffs;
b. Capstun, Mace, CS/CN;
c. K-9 dog bites/attacks;
d. Use of baton, straight or PR-24;
e. Use of physical force, pressure points, wrist
locks, etc.; and
f. Use of firearms in the line of duty.
2. The Use of Force Report is structured except for the
narrative. The narrative will include the following
details:
a. Specific circumstances that caused force to be
used and type of force/techniques used;
b. Extent of injuries inflicted or received;
c. Who inflicted and who received the injuries;
d. Witness statements;
e. A statement verifying that the amount of force
used by the security force personnel was in
keeping with NASA policy; and
f. The Use of Force Report will be forwarded within
24 hours to the Chief, NASA Security Office.
CHAPTER 35: ARREST AUTHORITY (AA)
3500 GENERAL
NASA is responsible for protecting vital national security
interests. To counteract vulnerabilities, Section 206 of
Public Law 100-685, November 17, 1988, amended Section 304
of the National Aeronautics and Space Act of 1958. This
Amendment authorized the Administrator to prescribe
regulations, as approved by the Attorney General, for the
conduct of Arrest Authority (AA). This policy is
established in NMI 1600.3, "Arrest Authority and Use of
Force by NASA Security Force Personnel," The provisions of
this chapter do not apply to NASA Inspector General office
personnel, whose authority is derived from other legal
sources.
3501 RESPONSIBILITIES
1. The Associate Administrator for Management Systems and
Facilities is the designated Senior Agency Official for
AA and has the following responsibilities:
a. Directing the AA Program according to NASA
policies, objectives, and applicable laws and
regulations.
b. Ensuring compliance with the Attorney General's
Guidelines for Legislation Involving Federal
Criminal Law Enforcement Authority dated June 29,
1984.
c. Coordinating NASA requirements for AA with the
Office of the Attorney General Federal Bureau of
Investigation, Federal Law Enforcement Training
Center, and other Government agencies as required.
All such actions must be coordinated through Code
G.
d. Reviewing all NASA Field Installation nominations
and plans to implement AA, in consultation with
representatives designated by the General Counsel,
the Associate Administrator for Management Systems
and Facilities, and the appropriate Program
Associate Administrator.
e. Reviewing and approving appropriate administrative
actions to correct abuse or violations of any
provisions of this regulation.
2. The Chief, NASA Security Office, is designated the AA
Program Manager. The AA Program Manager has the
following responsibilities:
a. Informing the Senior Agency Official for AA of any
unresolved problems or any areas of interest in
which AA guidance is lacking, and any other
matters likely to impede NASA objectives.
b. Periodically reviewing the AA Program and
recommending to the Senior Official the
elimination of duplicative elements.
c. Recommending to the Senior Official of the AA
adequate internal safeguards and management
procedures.
d. The NASA-wide coordination, management and
collection of statistics summarizing NASA's use of
the AA program.
e. Accrediting training courses in AA in accordance
with the qualifications listed in paragraph 3503.
3. The Associate General Counsel for General Law or
designee serves as the Legal Counsel for the AA
Program.
4. Directors of NASA Installations and at Headquarters,
the Associate Administrator for Management Systems and
Facilities have the following responsibilities:
a. Assigning responsibilities and issuing procedures,
subject to prior NASA Headquarters approval, which
will implement these instructions.
b. Implementing and maintaining the Installation's AA
Program.
c. Forwarding the Annual Agency Arrest Authority
Report for the previous fiscal year no later than
October 15 through the appropriate Program
Associate Administrator to the Senior Agency
Official for AA.
d. Immediately reporting any abuse or violation of
this Handbook in writing through the appropriate
Program Associate Administrator to the Senior
Agency Official for AA.
e. Suspending immediately from duty with pay or
reassigning to other duties not involving AA any
person with AA creditably accused of violations of
AA procedures or instructions, pending
investigation of the incident.
f. At the conclusion of the investigation,
determining the case's disposition.
3502 IMPLEMENTATION
1. Federal, state, and local law enforcement agencies are
normally responsible for law enforcement at NASA
Headquarters and Installations.
2. Directors of NASA Installations and the Associate
Administrator for Management Systems and Facilities may
nominate NASA security employees or contractors for AA
when Federal, state, and local law enforcement agencies
cannot provide essential law enforcement services in a
timely and effective manner.
3. Prior to implementation of AA, Directors of NASA
Installations and the Associate Administrator for
Management Systems and Facilities shall coordinate with
their local FBI or U.S. Marshall Office about
procedures for the appropriate and timely transfer of
persons arrested.
4. Essential law enforcement services include the
protection of the lives of employees and contractors
and the protection of valuable property believed to be
in danger of espionage, sabotage, destruction,
terrorism, or robbery.
5. Law enforcement jurisdictions at NASA Installations
shall not be amended without the nondelegable
authorization of the Administrator.
3503 QUALIFICATIONS
AA shall not be performed unless the Director of the NASA
Installation or the Associate Administrator for Management
Systems and Facilities has the following assurances:
1. A written report by a physician within the limits of an
annual examination that the candidate to perform AA
duties is physically fit as well as emotionally stable.
2. That the candidate is currently a certified graduate in
accordance with the training described in, but not
limited to, Appendix N, "Arrest Authority Training
Curriculum."
3. That the candidate has completed required inservice
training in the following areas:
a. Use of Force training, intermediate to deadly
force;
b. Current qualification with assigned firearm,
Appendix O;
c. Judgmental shooting with the FATS or an equivalent
training system; and
d. NASA and Installation regulations concerning AA.
3504 PROCEDURES
1. Individuals authorized Arrest Authority will carry the
appropriate Miranda Advisement of Rights cards.
2. Policies on providing legal representation will be
coordinated with the servicing FBI or U.S. Marshall
offices, as well as the servicing NASA Legal Counsel's
office.
3. Procedures will be established for the proper
accounting and safeguarding of all property seized
incident to an arrest. This will include clear claim
of custody procedures as required.
4. Procedures will be established with appropriate U.S.
Attorney's offices of the process to obtain arrest
warrant as required.
CHAPTER 36: PATROL PROCEDURES
3600 GENERAL
1. Security forces are assigned to Installations to
protect personnel and property, provide traffic control
and direction, support crime prevention programs, and
provide day-to-day patrol services, as required.
2. To deter crime, security forces place priority on
preventive patrolling, but enough resources must be
available to permit such patrols to respond to
incidents.
3. It is NASA policy that driving under the influence of
an intoxicant and/or an illegal substance will not be
condoned on NASA Installations. Center Directors will
establish necessary procedures to detect, detain, and
process individuals reasonably suspected of driving
under the influence at their Centers. These procedures
will be consistent with local laws and established
agreements.
3601 SECURITY FORCE RESPONSE
1. Installation security forces will respond to reported
criminal incidents, legitimate requests for security
force services, duress alarms, calls for assistance,
and all intrusion detection alarms. They will respond
immediately to situations in which an individual's
safety is jeopardized, or when a crime has been
committed or is in progress.
2. Responses will be monitored at least once a month to
maintain readiness in protecting NASA personnel and
property.
3. Security forces will provide coverage of patrol zones
in a systematic but random manner, varying their timing
and route so there is not a predictable pattern.
3602 TYPES OF PATROLS
1. Vehicle Security Patrols. Under most circumstances
this is the most effective form of patrol. The vehicle
provides mobility and the ability to cover a large area
and carry equipment and personnel.
2. Foot Patrols. Foot patrols may be assigned to small
areas at Installations with high concentrations of
personnel or resources.
3. Radio. Each patrol will be equipped with a portable
intra-Installation radio.
3603 PATROL METHODS
1. Based on the principle that the most effective
deterrent to crime is security force visibility, and in
the interest of maintaining a posture of prevention as
opposed to apprehension, covert observation is
prohibited except in unusual situations and then only
when approved by the Installation Chief Counsel.
2. When driving patrol vehicles, security personnel will
demonstrate exemplary driving manners.
3. Hot pursuit in excess of the speed limit is not
authorized on NASA Installations.
4. Security force patrols must be certain that their
actions will not endanger life or property.
3604 PATROL COVERAGE
1. Patrol coverage will be based on the ICS assessment of
a facility's critical need and vulnerability. However,
each Installation must have at least one 24-hour
patrol.
2. When there is more than one patrol, each patrol area
must be designed to avoid duplication of work. Each
Installation must develop patrol deployment zones based
on critical need and vulnerability of facilities at
risk.
3. Security force patrol zones should be designed to
ensure a no longer than 5-minute response to Center
emergencies.
4. Critical and vulnerable facilities should be viewed at
least three times per shift. Where there is low
visibility due to the lack of protective lighting,
patrol must be increased significantly.
5. Patrol coverage must be provided for the following
places:
a. Flight lines, ramps, and hangars;
b. Areas designated under the NRP program;
c. Imprest Funds;
d. Banks and Credit Unions on Installation;
e. Nonappropriated funds facilities; and
f. Liquid Oxygen, Liquid Hydrogen, Liquid Nitrogen,
Hydrazine storage areas, and other hazardous
materials storage areas.
g. Controlled access rooms or security areas, as
described in Section 2603 ACCESS, which are
normally secured, or secured and alarmed, when
unattended (e.g., Restricted Areas, Limited Areas,
and Closed Areas).
CHAPTER 37: INSPECTION OF PERSONS AND PROPERTY
3700 POLICY
NASA reserves the right to conduct an inspection of any
person, including any property in the person's possession or
control, as a condition of admission to, or continued
presence on, any NASA Installation.
3701 RESPONSIBILITY
The Director for each Field Installation and the Associate
Administrator for Management Systems and Facilities are
responsible for implementing the provisions of this Chapter
in the event of bomb threats, unexplained loss of Government
property, drug countermeasures, or other unusual situations.
In the local implementation of this Chapter, the Directors
of NASA Installations (and component Installations) located
on Federal property under the control of other agencies will
coordinate their action with appropriate officials of the
other agencies concerned.
3702 PROCEDURES
1. All entrances to NASA Installations will be
conspicuously posted with the following notice:
PURSUANT TO NASA REGULATIONS, THE ENTRANCE OF
INDIVIDUALS TO, OR THEIR CONTINUED PRESENCE ON, THIS
INSTALLATION IS CONDITIONAL UPON THEIR CONSENT TO
INSPECTION OF THEIR PERSONS, AND OF PROPERTY IN THEIR
POSSESSION OR CONTROL.
2. Inspection pursuant to this Chapter will be conducted
only by NASA Specialists or members of the Installation
Security Force. Inspectors may be supplemented with
detection devices and/or sniffer dogs. Such
inspections will be conducted in accordance with the
following guidelines:
a. Consent to inspect regulations covering NASA
employees, contractors, and visitors to NASA
Installations can be issued in accordance with the
authority contained under Section 304(a) of the
National Aeronautics and Space Act of 1958, as
amended.
b. Consent to inspect must be obtained from the
person to be inspected giving permission for
general exploratory inspection while that person
is on the grounds of a NASA Installation. The
person may change their mind at any time and an
inspection will not be pursued further. See
subparagraphs h and i below.
c. The objects of inspection may include persons,
briefcases, luggage, vehicles, and any other
object in possession of the person at the time
inspection is made.
d. Certain classes of persons can be exempted from
inspection at the discretion of the NASA
Administrator.
e. Care must be taken to ensure that all authorized
inspecting personnel fully understand these
instructions.
f. Inspecting personnel should exercise good judgment
at all times prior to or while conducting an
inspection. They should avoid exceeding their
authority or exercising their authority with undue
severity.
g. When inspections are conducted by nonuniformed
Security Specialists, such persons will present
NASA Security Credentials to the subject of the
inspection.
h. If anyone should object to such an inspection,
that person can then simply be excluded from the
protected area, until the matter can be resolved.
i. If, during inspection, an individual is found to
be in unauthorized possession of items believed to
represent a threat to the safety or security of
the Installation, the individual will be denied
admission to, or be escorted from, the
Installation, and appropriate law enforcement
authorities will be notified immediately.
j. Installation instructions based upon the
requirements of this Chapter will be approved by
the Installation Chief Counsel and a copy of
approved instructions furnished to JIS/NASA
Security Office.
CHAPTER 38: LOST AND STOLEN PROPERTY
3800 PHYSICAL SECURITY
1. The NASA ICS has the following responsibilities:
a. Ensures that current security surveys are
conducted in storage areas and on loading docks.
The surveys will be used to establish a requisite
level of protection that is reasonable,
affordable, practical, and responsible.
Indicators of poor property management such as a
lack of audit trail of property transactions or
infrequent inventories should be reported to
logistics managers.
b. Ensures ample lighting for shipping and receiving
areas, including doors, windows, and other
possible points of entry.
c. Installs IDS's and provides patrols in vulnerable
areas.
d. Reports missing or stolen Government property
equipment to NASA Headquarters, Attn: JIS/NASA
Security Office. The report will be submitted as
a monthly summary to arrive no later than the 15th
of the following month. See Appendix P for the
Monthly Missing/Stolen Government Property Report
format.
2. Directors of NASA Field Installations will establish a
program designed to eliminate or reduce pilferage and
establish support programs to include accountability
and responsibility for Installation resources. They
must ensure that adequate controls and safeguards are
provided for protecting property.
3. All NASA employees are responsible for informing their
supervisors of conditions that may result in property
loss or theft.
CHAPTER 39: INVESTIGATIONS
3900 POLICY
1. The Inspector General (IG) is the focal point for
referrals of violations of Federal criminal law (except
those directly related to national security) to the
DOJ.
2. The IG is the focal point for referrals of violations
of state and local laws to state, county, and local
investigative and law enforcement authorities.
3. The NASA Security Office is the focal point for
referrals to the DOJ on matters directly relating to
violations of national security.
4. With the exception of crimes directly related to
national security (such as espionage, sabotage,
unauthorized release of classified information,
falsification of security forms, etc.), the IG is
responsible for investigating violations of law in
NASA. Local agreements may be concluded between the IG
Office and the Installation Security Office, which
provide for support of the IG investigative
responsibility.
5. The Installation Security Office may conduct
investigations of those crimes that the IG decides
not to investigate.
6. Focal points will be designated by the Installation
Security Office and the IG's Office at each NASA
Installation to ensure timely and effective
coordination between the two offices.
7. Investigations should be conducted by properly trained
civil service or contractor personnel. All actions and
findings must be thoroughly documented in a report of
investigation.
3901 RESPONSIBILITIES
1. Each Installation Chief of Security (ICS's) should
designate a point of contact to be responsible for
ensuring proper coordination with the IG Office. Local
IG offices are encouraged to make similar designations.
Realizing that situations may differ from one NASA
Installation to another, those designated focal points
should reach an informal (or formal) agreement
concerning referrals, notifications, and exchanges of
information which will satisfy the requirements of both
offices.
2. The Installation Security Office will promptly inform
and coordinate with the IG any incident which will
require referral to the DOJ (including the FBI) or
local law enforcement agencies. The Installation
Security Office will also inform the IG, by periodic
report or otherwise, of any incident involving the
theft of Government property. The timing and
methodology of this coordination should be addressed in
the working agreement cited above.
3. The Installation Security Office should establish
procedures to accomplish an exchange of relevant
information in cases that might evolve into situations
of continuing mutual interest (e.g., an offense
directly related to security such as compromise of an
information system, which might give rise to a
traditional Title 18 offense such as theft or misuse of
Government property), which could result in a joint
investigative effort.
4. The ICS's (to include Code JBF) will report and
coordinate matters pertaining to National Security with
the NASA Security Office.
3902 REFERENCES
1. The National Aeronautics and Space Act of 1958, as
amended.
2. The Inspector General Act of 1978, Public Law 95-452,
as amended.
3. NMI 1103.27, "Role and Responsibilities of the
Inspector General."
4. NMI 9950.1, "The NASA Investigations Program."
5. Chapter 1, "Personnel Security Program," this Handbook.
6. Memorandum of Understanding Between NASA and The
Inspector General, April 23, 1987.
CHAPTER 40: DEALING WITH DEMONSTRATIONS
4000 OBJECTIVES
The primary objectives in dealing with demonstrations are to
restrict demonstration activity to areas outside
Installations and to preserve peace while protecting the
rights of demonstrators to assemble peacefully and exercise
free speech.
4001 USE OF FORCE
1. Demonstrators who have illegally entered NASA property
will first be politely requested to leave voluntarily.
2. Only the minimum amount of force necessary will be used
to remove demonstrators who refuse to leave NASA
buildings or grounds. In most cases, stretchers,
gurneys, or wheelchairs shall be used to achieve the
minimum use of force.
3. Verbal abuse or verbal threats alone by a demonstrator
cannot be the basis for use of physical force by
security force personnel.
4002 OUTSIDE LAW ENFORCEMENT
The ICS's shall make reasonable efforts to use nonarrest
methods to manage crowds. But if demonstrators are
disorderly or refuse to leave NASA buildings or grounds,
then law enforcement officers who have the appropriate
jurisdiction should be summoned for support. First, ensure
that sufficient law enforcement personnel are on hand and
then inform the demonstrators that they must leave the NASA
building or grounds within a brief period of time, such as
15 minutes, or face arrest. Should the demonstrators still
refuse to leave, law enforcement personnel may arrest them
and remove them from the building or grounds as quickly as
possible.
4003 DECISIONS AND RESPONSIBILITIES
1. Directors of NASA Installations and the Associate
Administrator for Management Systems and Facilities
make the following decisions:
a. When to request outside Federal, State, or County
officials to enter a NASA Installation to enforce
the law;
b. When to curtail activities, or to close the gates
of the Installation; and
c. When to dispatch response teams to demonstrations.
2. The ICS's has the following responsibilities:
a. Identify the group leadership and purpose of the
demonstration;
b. Determine the expected size, type, activity, and
time of planned demonstrations;
c. Evaluate and dispatch information to the JIS/NASA
Security Office;
d. Upon instructions from the Installation Director,
coordinate a plan of action with local law
enforcement officials;
e. Obtain appropriate support from the Installation
Public Affairs Office, the Installation Legal
Counsel, and the U.S. Attorney's Office;
f. Ensure that the Statement of Work for the contract
security force includes training in dealing with
demonstrators as an annual inservice training, and
as refersher training immediately prior to a
demonstration;
g. Ensure that all personnel who are authorized to
carry firearms under the provisions of Chapter 33,
and all personnel whose actions are governed by
the limitations and guidelines of Chapter 34
"Application of Force", receive training in
dealing with demonstrators as an annual inservice
training, and as refresher training immediately
prior to a demonstration; and
h. Maintain an event log commencing at the time
information is first received of a demonstration
and detailing thereafter all significant events,
times, places, and actions with the name of the
NASA official authorizing such actions.
CHAPTER 41: THREAT AND INCIDENT REPORTING
4100 GENERAL
All NASA Installations will implement a threat and incident
reporting system as required by NMI 1600.2, "NASA Security
Program", paragraph 5(i). Its purpose is to keep the
Administrator and senior management advised on a timely
basis of serious security-related incidents or threats that
may affect the NASA mission. Reports should be upchanneled
by security personnel who, by training and experience, are
able to ascertain pertinent information and deliver accurate
and complete, yet concise reports. Such information coming
to Management's attention from other sources can be
inaccurate or distorted and cause undue consternation. In
the event of serious threat information, this report will be
secondary to the notification of appropriate law enforcement
or response agencies. Refer to Appendix Q for format of
report.
4101 RESPONSIBILITIES
1. The Installation Chief of Security ensures that
incidents are reported to the NASA Security Office
during duty hours and followed up with a fax that
describes the incident.
2. The NASA Security Office will upchannel reported
information from the Chief, NASA Security Office (or
designated representative) to the Director, Logistics
and Security Division (Code JI). If considered
appropriate, the Director will in turn brief the
Associate Administrator for Management Systems and
Facilities (Code J), giving parallel notification to
the cognizant Program Office Security Officials(s).
The Associate Administrator will then decide whether or
not to brief either the NASA Administrator's Chief of
Staff/Executive Officer.
3. The cognizant Program Office Security Official is
responsible for making appropriate notifications within
their respective Program Office.
4. If a principal or designated representative is
unavailable at any of the cited levels, the information
will be automatically passed to the next level.
5. The person receiving the information in the NASA
Security Office will be responsible for initial
notification and conducting all followup until
officially relieved of that responsibility.
4102 REPORTABLE INCIDENTS
The following incidents are reportable. Any other type of
incident which might have security implications will also be
reported:
1. Felonies committed at NASA Installations;
2. Espionage;
3. Sabotage;
4. Bombing incidents. Bomb threats which severely impact
center activities also should be reported;
5. Actual demonstrations or strikes. Planned
demonstrations/strikes where violence is threatened
should be reported.
6. Shootings or other violent acts;
7. Incidents occurring on NASA property which result in
the death of a person;
8. Security related incidents in which the media has
become involved and negative publicity is expected;
9. An adverse event in an automated systems environment
that would be of concern of NASA management due to a
potential for public interest, embarrassment, or
occurrence at other access, theft, interruption to
computer/network services or protective controls,
damage, disaster, or discovery of a new vulnerability;
10. Threats against NASA property;
11. Threats that will impact NASA missions; and
12. Threats against NASA personnel.
CHAPTER 42: THREAT ASSESSMENT
4200 BACKGROUND AND POLICY
1. NASA personnel, facilities, and programs are subject to
a wide range of internal and external threats. Such
threats may be presented by natural forces associated
with weather, geological, seismic, or ocean-related
phenomena; by the technological sophistication of NASA
Research and Development (R&D) and test facilities and
programs, and the inherent risk of component and system
failure; and by both internal and external attempts to
disrupt Agency operations or compromise national
security.
2. Agency personnel must be aware of possible threats and
associated vulnerabilities to ensure effective
countermeasures are developed and implemented.
4201 THREAT ASSESSMENTS
1. The Chief, NASA Security Office, after
consultation/input from the Installation Chiefs of
Security, will publish an annual NASA Postulated Threat
Statement. Of significant importance are the Agency's
resources identified under the NASA Resource Protection
Program. However, threat assessments should transcend
formally designated NRP resources and assets, and cover
the full realm of NASA personnel and physical resources
and assets.
2. The ICS's will use the NASA Threat Statement in
developing a localized threat statement for their
Installation. These assessments, with analysis and
insight derived from various sources, will be used in
developing an Installation's security plan.
4202 THREATS
1. Although natural disasters and the extent of damage
they incur cannot be predicted, NASA security, safety,
and operational personnel must formulate viable
contingency plans that may be implemented if necessary.
2. Technological threats have increased dramatically with
advancements in technology. For instance, electric
power disruption or failure, or hazardous material
leaks, can be devastating to Agency personnel and
facilities. Likewise, the inherent risk of component
or system failure can compromise a proposed test, or
actual space flight, with significant life threatening
implications. Security personnel obviously share
concern with all NASA personnel in maintaining the
integrity of Agency systems and, fortunately, extensive
mechanical and human controls and back-up systems exist
to alert personnel of potential or existing threats to
minimize the impact of technological accidents.
3. Threats of significant concern are those generated
internally by disgruntled or malcontent civil service
and contractor employees. Such employees can cause
damage when they perceive that sufficient motivation
exists to warrant such activity. The range of targets
may vary considerably to include any of NASA's
personnel or physical assets, resulting in anything
from personnel casualties to incidental damage. The
growing threat of espionage by both hostile and
"friendly" sources is also of great concern.
4. NASA's activities have been particularly stimulating
and inviting to our adversaries and competitors, and
they have committed substantial resources to fund a
variety of space based signals, electronic
communications, and human intelligence initiatives.
Although much of the technology is disseminated
properly through established programs and channels,
much is acquired through covert methods.
5. Criminal threats through theft, fraud, corruption, and
the like, may also target Agency resources and
personnel.
6. Terrorist threats are very unpredictable. They are
best assessed through current intelligence information.
4203 COUNTERMEASURES
1. NASA employs a sound security program to counter these
threats through NMI 1600.2., "NASA Security Program."
2. The Security Program includes a Security Awareness
Program and the development of an Installation Security
Plan.
3. To ensure an Agencywide standard for reacting to
periods of increased security threats, the threat
conditions established in Chapter 43 will be employed
as required.
CHAPTER 43: THREAT CONDITIONS (THREATCON)
4300 GENERAL
The protection of NASA employees and assets from acts of
violence or coercion at NASA owned or leased property in the
U.S. or abroad will be given priority, especially during
periods of heightened threat. Although absolute protection
against such acts is not possible, protective procedures
will be based on the threat level, and reflect a balance
among the degrees of protection required, the resources
available, Agency mission requirements, and other pertinent
factors. In addition to assistance from the NASA Security
Office, NASA Installations should obtain support from local
representatives such as the FBI, Department of State, and
state and municipal law enforcement agencies.
4301 THREATCON
1. This Chapter establishes the NASA Threat Condition
(THREATCON) program. It is intended to standardize
terms and establish basic security policy that can be
implemented by the Administrator and Installation
Directors. These THREATCON's are also used by DoD and,
since we are co-located with DOD on many Installations,
this approach provides for a greater consistency to
threat reactions.
2. The Administrator will establish and may change, or
rescind NASA-wide THREATCON's. Installation Directors
may implement THREATCON's for their Center based on the
threat situation, but they may not change or rescind
THREATCON's established by the Administrator.
Installation Directors will implement THREATCON
established by the Administrator and may establish
threatcons for their Center based on a local threat
situation.
3. The NASA Security Office will monitor the threat status
in the Agency and maintain close liaison with national
level intelligence and security agencies for threat
information.
4. Field Installation security offices will maintain close
liaison with their supporting FBI offices and local law
enforcement agencies for threat information.
4302 DEFINITIONS
1. THREATCON Alpha. Implemented when there is a general
warning of possible hostile activity, the nature and
extent of which are unpredictable and response may be
long-term.
2. THREATCON Bravo. Implemented when there is an
increased and more predictable threat of hostile
activity even though no particular target has been
identified.
3. THREATCON Charlie. Implemented when an incident has
occurred or a confirmed intelligence report states that
hostile action is imminent.
4. THREATCON Delta. Implemented when an attack has
occurred or is underway.
4303 REQUIRED RESPONSE
1. THREATCON Alpha
a. Advise all employees of the condition;
b. Increase general security awareness;
c. Secure buildings, rooms, and storage areas not in
regular use;
d. Increase package security;
e. Check all deliveries; and
f. Conduct ID checks for entry.
2. THREATCON Bravo
a. Continue all THREATCON Alpha measures;
b. Require all employees to wear badges;
c. Conduct random package inspections;
d. Identify and monitor visitors;
e. Curtail special events and visitors; and
f. Increase guards and patrols.
3. THREATCON Charlie
a. Continue all THREATCON Bravo measures;
b. Inspect all packages;
c. Admit only essential visitors under escort;
d. Establish random Installation checkpoints;
e. Cancel special events;
f. Limit number of entry and exit points;
g. Perform a consent search on all entering vehicles;
h. Cancel vacations for security personnel;
i. Establish 24 hour patrols; and
j. Alert local law enforcement agencies.
4. THREATCON Delta
a. Continue all THREATCON Charlie measures;
b. Close the Installation to all visitors;
c. Limit entry and exit to a single point;
d. Augment security forces as necessary;
e. Minimize all administrative journeys and visits;
and
f. Frequently check the exterior of buildings and
parking areas.
CHAPTER 44: REFERRALS TO THE UNITED STATES SECRET SERVICE
4400 GENERAL
The United States Secret Service (U.S.S.S.) has requested
that NASA provide them with appropriate information to aid
in completion of their protective mission. NASA will
provide information as outlined in this Chapter.
4401 U.S.S.S. RESPONSIBILITIES
Under the direction of the Secretary of the Treasury, the
U.S.S.S. is authorized to protect the following persons:
1. The President, the Vice President (or other officer
next in the order of succession to the Office of the
President), the President-elect, and the Vice
President-elect.
2. The immediate families of those individuals listed in
paragraph 1 above.
3. Former Presidents and their spouses for their
lifetimes, except that protection of a spouse shall
terminate in the event of remarriage.
4. Children of a former President who are under 16 years
of age.
5. Visiting heads of foreign states or foreign
governments.
6. Other distinguished foreign visitors to the United
States and official representatives of the United
States performing special missions abroad when the
President directs that such protection be provided.
7. Major Presidential and Vice Presidential candidates
and, within 120 days of the general election, the
spouses of such nominees/candidates.
8. Foreign diplomatic missions located in Metropolitan
D.C. (and others as specified under statutes).
4402 NASA RESPONSIBILITIES
Any information that originates through NASA and may affect
the U.S.S.S.'s mission must be brought to the attention of
the Secret Service Intelligence Division, commercial
telephone number (202) 535-5731/Secure number: 5310.
Information falling in the following categories should be
promptly provided:
1. Information pertaining to a threat, plan, or attempt by
an individual, a group, or an organization to
physically harm or kidnap the persons protected by the
United States Secret Service or any other high
government officials.
2. Information pertaining to threats, incidents, or
demonstrations against foreign diplomatic missions
(embassies, chanceries, consulates).
3. Information pertaining to individuals, groups, or
organizations who have plotted, attempted, or carried
out assassinations or kidnapping of United States or
foreign senior government officials.
4. Information concerning the use of bodily harm,
assassination, or kidnapping as a political weapon
(this should include training and techniques used to
carry out the act).
5. Information pertaining to persons who insist upon
personally contacting high government officials for
redress of imaginary grievances, etc.
6. Information pertaining to any persons who make oral or
written statements about high government officials in
the following categories:
a. Threatening statements;
b. Irrational statements; and
c. Statements expressing unusual interest/fixation.
7. Information pertaining to terrorists (individuals,
groups) and their plans, capabilities, and activities
(bombings, etc.).
8. Information pertaining to the ownership or concealment
by individuals or groups of caches of firearms,
explosives, or other implements of war when it is
believed that their intended use is for other than
legal purposes.
9. Information concerning individuals who are perceived to
be acting irrationally in their efforts to make
personal contact with high government officials;
information concerning anti-American or anti-U.S.
Government demonstrations abroad; information
concerning anti-American and anti-U.S. Government
demonstrations in the U.S. involving serious bodily
injury or destruction of property or an attempt or
credible threat to commit such acts to further
political, social, or economic goals by said
intimidating and coercive tactics.
10. Information regarding civil disturbances
a. Please provide pertinent information to Secret
Service Intelligence Division commercial telephone
number: 202/535-5731. Secure number: 5310.
b. The Secret Service does not desire or solicit
information pertaining to individuals or groups
expressing legitimate criticism of, or political
opposition to, the policies and decisions of the
U.S. Government or its officials.
c. Future information that would impact, such as the
commencing and terminating of protection for
Presidential candidates, will be forwarded to NASA
on a timely basis.
CHAPTER 45: DEALING WITH THE MEDIA
4500 POLICY
1. Under NASA policy, NASA Security Offices will
disseminate as much information as practical concerning
its activities and results.
2. Information to the news media will be released
according to the provisions of NMI 1380.4, "Release of
Information to News and Information Media." Questions
about the application and implementation of NMI 1380.4
should be directed to the appropriate office cited in
the NMI.
3. NASA security personnel will cooperate with the news
media to the fullest extent possible while exercising
both their fiduciary and statutory responsibilities to
protect security information.
4501 RESPONSIBILITIES
1. NASA Installation Chiefs of Security (ICS's) should
designate a point of contact in their office to
coordinate any release of information to the news
media. This individual should ensure that appropriate
coordination is effected with both the media and
appropriate offices specified by NMI 1380.4 to ensure
that requests are dealt with promptly and that the
releases are properly made.
2. NASA security employees are ultimately responsible for
their own conduct while dealing with the media. They
should exercise caution to not prejudice, through word
or action, the Agency's security program. All
responses to the media should be "on the record" and
for distribution.
4502 FOREIGN MEDIA
Operating within any constraints applied to foreign visitors
by the respective NASA Installation, foreign media
representatives will be accorded the same courtesy and
cooperation as that accorded to the U.S. media.
CHAPTER 46: COMMUNICATIONS SECURITY (COMSEC)
4600 REFERENCES
1. National Security Directive No. 42, July 5, 1990.
2. NTISSI 4000 Series On Communications Security (COMSEC).
(Multiple dates).
3. NTISSI No. 7000, "TEMPEST Countermeasures for
Facilities," October 17, 1988.
4. NACSIM 5203, "Guidelines for Facility Design and
Red/Black Installation," June 30, 1982.
5. NTISSIP Nr. 1. National Policy on Application of
Communications Security to U.S. Civil and Commercial
Space Systems, June 17, 1985.
6. National Communications Security Committee (NCSC)-6,
"National Policy Governing the Disclosure or Release of
Communications Security Information to Foreign
Governments and International Organizations," January
16, 1981.
7. National Communications Security Committee (NCSC)-1,
"National Policy for safeguarding and Control of COMSEC
Material, January 16, 1991.
4601 GENERAL
This Chapter establishes the responsibilities and provides
guidelines for implementation of a totally integrated NASA
Communications Security Program.
4602 DEFINITIONS
Communications Security (COMSEC). The protection resulting
from all measures designed to deny unauthorized persons
information of value which might be derived from the
possession and study of telecommunications, or to mislead
unauthorized persons in their interpretation of the results
of such possession and study. COMSEC includes the following
types of security:
1. Cryptosecurity. The provision of technically sound
crypto-systems and their proper use.
2. Transmission Security. All measures designed to
protect transmissions from interception and
exploitation by means other than cryptanalysis.
3. Physical Security. All physical measures necessary to
safeguard classified equipment, material, and documents
from access thereto or observation thereof by
unauthorized persons.
4. Emission Security. Frequently referred to as TEMPEST.
All measures taken to deny unauthorized persons
information of value that might be derived from
intercept and analysis of compromising emanations from
cryptoequipment and telecommunications systems. TEMPEST
countermeasures are considered on a case-by-case basis
consistent with the policy and procedures established
in NTISSI No. 7000.
4603 BACKGROUND
1. Secure Communications. The security of Federal
telecommunications is a national responsibility
requiring all participants' adherence to policy.
Experience has shown that failure to plan and integrate
appropriate telecommunications security measures early
in a system's life-cycle, whether it be a classic
acquisition program or a purely research and
development effort, has caused many problems relating
to adequacy and optimization of COMSEC measures based
on limited program funds. NASA participants
responsible for COMSEC must satisfy the requirements of
the National Security Telecommunications and
Information Systems Security Committee (NSTISSC), and
the departments and agencies of the Federal Government,
throughout the life-cycle of various programs.
2. The Secretary of Defense is the U.S. Government's
Executive Agent for COMSEC. The Director, National
Security Agency (NSA), is the national manager for
COMSEC matters.
3. All types of nonsecure telecommunications are
vulnerable to interception and exploitation by foreign
signals intelligence (SIGINT). SIGINT incorporates
communications intelligence (COMINT), electronic
intelligence (ELINT), and telemetry intelligence
(TELINT). COMINT has the greatest impact on NASA
telecommunications on a day-to-day basis. Prime
sources of valuable COMINT include clear voice and
data, or unencrypted telephone/radio, and unencrypted
facsimile (Fax) communications. Foreign Intelligence
Services, using various intercept platforms, have a
worldwide COMINT capability. In addition to the
traditional nations utilizing Hostile Intelligence
Services (HoIS) as a threat to our communications, it
is estimated that a growing number of nations are
developing SIGINT capabilities to gain an economic and
technological edge over the United States. This is
particularly true as strategic emphases shift from
military strength to economic competitiveness. Still
other elements are using information gained from the
interception of communications for furthering their
terrorist and/or criminal activities.
4. The application of COMSEC measures protects
telecommunications from foreign intelligence
exploitation and ensures the authenticity of such
communications. Encryption with an approved
cryptosystem and radio silence are the best defenses
against HoIS and adversarial COMINT efforts.
5. Communications circuits can be protected by appropriate
physical, acoustical, electrical or electromagnetic
safeguards, such that classified data can be
transmitted on these links in clear text (when
information is transmitted to or from an area not under
access controls consistent with that required for the
classification of the information). These circuits
must be formally approved as a Protected Distribution
System (PDS). The following COMSEC measures may also
be required:
a. Authentication;
b. Proper operator skills, discipline and training;
c. Safeguarding and control of COMSEC material;
d. Transmission security;
e. COMSEC awareness; and
f. Command emphasis on COMSEC matters.
6. COMSEC measures should be periodically reevaluated
because of advances in SIGINT technology.
4604 POLICY
1. NASA cannot totally protect its communications systems
and networks from intercept and exploitation. However,
NASA will comply fully with national COMSEC policy by
ensuring that U.S. Government national security systems
shall be secured by such means as are necessary to
prevent compromise, denial of service, or exploitation.
National security systems that are operated and
maintained by U.S. Government contractors must likewise
be secured.
2. It is NASA policy to comply with national policy and
measures shall be instituted within NASA to ensure:
a. Classified information is transmitted securely by
telephone, and digital data are exchanged between
mainframes, personal computers (PC), Fax machines,
and video teleconferencing. Classified
information transmitted from an area not under
access controls will be secured by encryption or a
PDS. Fiber optic lines can also be adequately
protected by Intrusion Detection Optical
Communications Systems approved by NSA.
b. Government or Government contractor sensitive
national security-related information transmitted
over NASA telecommunications links will be
protected by approved COMSEC techniques.
c. COMSEC requirements for NASA telecommunications
systems, including space operations, shall be
identified during preliminary design reviews,
development, installation, and operation.
3. Command uplinks, classified payload information and
information revealing classified aspects of a mission,
will be transmitted only by secure means. NASA
protection of unclassified satellite and space systems
command/control uplinks will be determined by the
responsible NASA program office in coordination with
Code JIS and the National Security Agency.
4. Upon determination by data owners that sensitive
unclassified information requires cryptographic
protection, the Data Encryption Standard (DES) should
be employed except under the following circumstances:
a. Compliance with the standard would adversely
affect the accomplishment of the mission of an
operation of a Federal computer system.
b. Compliance would cause a major adverse financial
impact on the operator, which is not offset by
Government savings.
5. The following items shall be cryptographically
protected by the use of NSA-endorsed COMSEC equipment:
Classified, Unclassified Government, or Government-
derived sensitive information involving intelligence
activities; cryptographic activities; direct command
and control of military forces; equipment which is an
integral part of a weapon or weapon system; direct
fulfillment of a military or intelligence mission; and
other items related to national security.
6. Commercially developed privacy or security equipment
using the DES or a commercial algorithm shall not be
used to protect or encrypt any form of classified data
within NASA.
7. NASA should consider only commercial telecommunications
equipment that meets Federal Information Processing
Standard Publication 140 (General Security Requirements
for Equipment Using the Data Encryption Standard) for
the protection of unclassified national security-
related sensitive information.
8. NSA- and National Institute of Standards and Technology
(NIST) approved techniques may be used separately, or
in various combinations, to protect the transmission of
unclassified sensitive information. There are a number
of cryptographic products and associated keying
materials acceptable for this purpose:
a. Type I Products. May be used to protect both
classified and unclassified information.
b. Type II Products. May be used only to protect
unclassified information and are handled as
Endorsed for Unclassified Cryptographic Items
(EUCI).
9. Only NSA-produced keying material shall be used to
encrypt classified information.
10. Only NSA-produced or -endorsed authentication systems
shall be used for NASA telecommunications systems.
12. TEMPEST countermeasure(s) determination decisions and
Red/Black separation criteria will be coordinated with
the NASA COMSEC Manager prior to the following actions:
a. The acquisition and installation of all
telecommunications and automated information
systems equipment and facilities which
electrically or electromagnetically generate,
store, process, transfer, or communicate NASA
classified information.
b. Installation of an unclassified system in a
facility that has existing classified processing
systems.
13. The NASA TEMPEST policy is in consonance with national
policy, requiring the use of TEMPEST countermeasures in
proportion to the threat of exploitation and the
associated potential damage to national security.
a. NASA and NASA contractors shall strictly adhere to
NTISSI 7000, TEMPEST Countermeasures For
Facilities, when determining the applicable
TEMPEST countermeasures for NASA and NASA-owned
contractor equipment, systems, and facilities that
process classified national security information.
b. Prior to making a TEMPEST countermeasure(s)
determination and implementation, the NASA
Installation TEMPEST Officer/TEMPEST Focal Point
should always review a security and cost analysis
and coordinate with the NASA COMSEC Manager.
14. Applicable PDS requirements shall be addressed early in
the facility design phase, and coordinated with the
NASA COMSEC Manager prior to approval.
15. NASA telecommunications systems shall be continually
assessed for threat and vulnerability, and should be
protected through the continuous use of safeguards such
as COMSEC, computer security, and administrative,
procedural, physical, and personnel security controls.
4605 RESPONSIBILITIES
1. NASA's primary authority for managing an Agencywide
communications security program has been delegated
through the Associate Administrator for Management
Systems and Facilities (Code J), through the Director,
Logistics and Security Division (Code JI), to the
Chief, NASA Security Office (Code JIS).
2. Code JI is responsible for programming, funding, and
allocating resources to support NASA COMSEC management
activities and ensuring that NASA implements national
COMSEC policies, directives, criteria, standards, and
doctrine.
3. Code JIS is responsible for overall COMSEC Program
management, including policy and oversight. Specific
responsibilities include designating a management
official knowledgeable in both communications and
communications security management principles and
practices, to serve as the NASA COMSEC Manager and
apprising Installation Directors, through appropriate
Associate Administrators, of COMSEC audits and
recommending appropriate improvements.
4. NASA COMSEC Custodian and Alternate COMSEC Custodian
selection criteria and responsibilities are outlined in
the NASA Communications Security Manual:
Receiving, storing, shipping, and accounting for
all material issued to NASA accounts, and
maintaining accurate records of these
transactions.
5. NASA Program Managers are responsible for ensuring that
Government-prescribed communications security policies,
standards, guidelines, and procedures are promulgated
and implemented in all organizations under their
management by:
a. Ensuring compliance with all security
requirements, standards, and procedures applicable
to secure communications systems; and ensuring
only COMSEC materials distributed through the
COMSEC Material Control System (CMCS) are used.
b. Ensuring COMSEC requirements are considered from
the conceptual stage for all new facilities,
systems, and applications through which classified
or unclassified Government or Government-derived
national security-related information is to be
processed.
c. Ensuring the NASA COMSEC Manager's involvement and
concurrence is obtained from the conceptual stage
for all COMSEC systems.
d. Ensuring secure communications systems are
approved by the NASA COMSEC Manager prior to
commencing classified or unclassified, but
sensitive, operation.
e. Coordinating with the NASA COMSEC Manager, prior
to the release of any Requests for Proposals
(RFP), Statements of Work (SOW), or other contract
packages where COMSEC measures may be required.
f. Ensuring that contracts that require the
transmission of classified and/or sensitive
Government-derived national security-related
information, by and between NASA and NASA
contractors, identify the requirement for COMSEC
protection.
g. Ensuring that contracts involving the electrical
processing of classified information by NASA
contractors at Government-owned facilities
(including Sensitive Compartmented Information
Facility [SCIF's]), the DD Form 254 (DOD Contract
Security Classification Specification) and other
contractual documents will specify that TEMPEST
control measures will comply with NTISSI 7000.
h. Identifying and prioritizing COMSEC requirements
to protect NASA telecommunications and providing
such information to the NASA COMSEC Manager.
i. Providing validated, qualitative, and quantitative
operational requirements for COMSEC material,
equipment, and systems to the COMSEC Central
Office of Record (COR), Code JIS, through their
supporting COMSEC Custodians.
j. Determining operational requirements for secure
communications with NASA participants in other
countries. Program managers, in coordination with
the NASA COMSEC Manager, will collaborate with NSA
and appropriate foreign governments or
international military authorities to identify and
recommend the COMSEC material and procedures to be
used to satisfy validated requirements. Such
actions shall be limited to COMSEC matters for
each specific release authorized by national
authorities.
6. Field Installations. NASA Field Installations are
responsible for the following actions:
a. Naming a COMSEC representative responsible for
consulting with the NASA COMSEC Manager on COMSEC
issues impacting on their respective Field
Installation operation, and attending any COMSEC
conferences or working groups prescribed by the
NASA COMSEC Manager.
b. Naming a TEMPEST single focal point familiar with
national TEMPEST threat and vulnerability
assessment methodology, who shall be responsible
for coordinating with the NASA COMSEC Manager
details concerning TEMPEST countermeasure(s)
applications.
Note: NASA Installations with only moderate
COMSEC requirements may choose to designate their
primary COMSEC Office as their COMSEC Custodian
and their TEMPEST single point of contact. A
single individual may be designated for these
functions with the concurrence of the NASA COMSEC
Manager.
c. Ensuring Field Installation COMSEC custodians
coordinate the following with the NASA COMSEC
Manager:
All Field Installation COMSEC account-related
matters, all day-to-day business with NSA,
and those COMSEC account transactions
impacting on NASA COMSEC COR operations,
along with issues and initiatives that impact
on the overall NASA COMSEC program.
4606 COMSEC EVALUATION
Staff assistance visits including an audit of each NASA
COMSEC account will be conducted periodically. NASA
contractor accounts established solely for the purpose of
servicing NASA will continue to be audited by NSA.
CHAPTER 47: COMPUTER SECURITY
4700 INTRODUCTION
1. NASA has one of the largest, most complex computer
environments in the Federal Government. These Centers
manage computer resources on a decentralized basis at a
large number of Data Processing Installations (DPI's),
many of which are operated under contract. The
computer system configurations range from the largest
mainframe and supercomputers to minicomputers,
microcomputers, and intelligent/engineering
workstations. Computing operations support Earth and
space mission functions ranging from administrative
computing in office settings to scientific and
engineering computing in academic, research center,
production plant, and space vehicle environments.
Protecting such diverse environments involves a
continuing management process of balancing user needs
for unrestricted access to information with the
sometimes conflicting requirements to control access
and preserve integrity. Increasing incidents of
international electronic intrusions and electronic
worm/virus penetrations are expected to become more
technically complex and widespread.
2. Public law (Computer Security Act of 1987 (PL 100-
235))and national policy require Federal agencies to
establish security programs for all automated
information systems, whether maintained in-house or
commercially. Not only does NASA's public image depend
on the reliability and security of computer resources
but also, and of greatest importance, human life often
depends on such resources.
4701 LEVEL OF PROTECTION
Selection of protective measures should be based on risk
assessments and cost/benefit ratios in relation to the
sensitivity, criticality, and/or value of the automated
information to prevent unauthorized access, alteration,
destruction, removal (e.g., theft), disclosure, and delays.
4702 BUILT-IN SECURITY
Some automated systems are acquired "off the shelf" and can
be used immediately. Others are specially developed over
months or even years. Once a system is fully operational,
security options are somewhat limited. However, if security
is designed into the development of hardware and software,
security options increase dramatically and security costs
drop substantially. Therefore, NASA managers should address
the security requirements in the early planning stages, and
throughout the entire life-cycle of automated systems.
4703 RESPONSIBILITIES
1. In the development of automated information resources,
scientists and engineers should focus on NASA's goal of
cost-effective protection without inhibiting innovative
technology and its advancement.
2. Anyone who manages, designs, programs, operates, or
uses NASA automated information resources must
contribute to the security of NASA automated
information.
4704 BENEFITS
Everyone benefits from a secure system:
1. Restricting access can greatly contribute to an
information system's integrity.
2. Systems subject to a quality assurance/certification
process are more efficient.
3. Technology used in a controlled environment is more
reliable.
4705 REFERENCES
See NHB 2410.9, "NASA Automated Information Security
Handbook," and NMI 2410.7, "Assuring the Security and
Integrity of NASA Automated Information Resources," for more
detailed information.
CHAPTER 48: TECHNICAL SURVEILLANCE COUNTERMEASURES (TSCM)
4800 DEFINITIONS
1. Technical Surveillance (TS). Covert installation or
modification of equipment to monitor (visually or
audibly) activities within the target areas or to
acquire classified information by technical means.
2. Technical Surveillance Countermeasures (TSCM). Those
measures taken to prevent, detect, and neutralize
efforts to acquire classified information by technical
surveillance.
4801 PROGRAM
A TSCM program includes the following three distinct
categories:
1. Nullification. Measures taken to nullify or prevent
the placement of technical surveillance devices.
Nullification techniques include soundproofing
conference rooms (including vents); removing telephones
from security areas or installing protective devices on
those which cannot be removed; removing excess wiring;
inspecting utility tunnels and crawl spaces near
security areas; and using noise generators or music to
mask sensitive conversation.
2. Detection. TSCM surveys and detailed physical and
electronic inspections of sensitive areas are conducted
to detect technical surveillance devices or technical
security hazards.
4802 JUSTIFICATION, GUIDANCE AND SUPPORT
1. If an ICS decides a TSCM program is warranted, the ICS
should implement the program. To facilitate training
and sharing of information, the ICS should ensure that
all TSCM technicians/specialists are cleared for access
to Special Intelligence (SI) information. In support
of classified projects, reports and administrative
documents generated by the program will be classified,
protected, and distributed in accordance with Security
Classification Guide Number 17 and Policy Guidance
Memorandum Number 5.
2. The Security Operations Office of the NASA Security
Office, with the assistance of a designated TSCM
technician from a NASA Field Installation, will provide
the following support:
a. Disseminating pertinent technical security
information applicable to TSCM operations;
b. Coordinating initial and advanced training for
TSCM technicians/ specialists; and
c. Coordinating TSCM support between NASA Field
Installations as requested.
3. The NASA Security Office will review NASA TSCM programs
at Headquarters and at Field Installations as a part of
scheduled Functional Management Reviews (FMR's).
CHAPTER 49: NASA SYSTEMS ACQUISITION MANAGEMENT PROGRAM
4900 PURPOSE
This Chapter establishes formats, contents, and procedures
for a NASA System Acquisition Protection Management Program.
The objective of the NSAP Management Program is to adopt a
"systems security" approach in NASA acquisitions by
introducing provisions for security as early as possible in
the system design, acquisition or modification processes,
thereby making such provisions an integral part of future
NASA systems whenever appropriate. The NSAP Management
Program is implemented by establishing definitive NASA
guidance in the acquisition or modification of systems,
equipment, and facilities; analyzing security design and
engineering vulnerabilities; and developing recommendations
consistent with other design and operational considerations.
NSAP supports the development of programs and standards to
provide life-cycle security for critical NASA resources.
This policy is established in NMI 1600.2, "NASA Security
Program," paragraph 5d.
4901 APPLICABILITY
NSAP tasks are selectively applied in contract
specifications, requests for proposals, statements of work,
and NASA in-house efforts requiring an NSAP management
program. The word "contractor" includes NASA activities
that develop systems, equipment, and facilities.
4902 TASK DESCRIPTIONS AND APPLICATION
1. Task descriptions are tailored as needed and applied to
system acquisition protection management programs.
When preparing a proposal, the contractor may include
additional and modified tasks as long as supporting
rationale is provided.
2. NASA and industrial organizations responsible for
system acquisition protection management programs must
select tasks which can materially aid in attaining
overall security objectives in a cost-effective manner.
Once tasks have been selected, they may be tailored.
Further, the timing and depth required during the
various acquisition phases are often driven by
interface with other ongoing program activities. For
these reasons, specific rules are not defined for all
task requirements.
4903 DEFINITIONS
1. Acquisition Program. Directed procurement efforts for
a NASA program, facility, or institution funded through
NASA appropriations. This program may include
development or modifications to existing systems.
2. Adversary Models. Composites of adversary mission or
program objectives, adversary mission or program
scenarios, and success criteria which could threaten
each potential design of an operational or support
system.
3. Adversary Scenario. A set of tactics which a potential
adversary could use to accomplish a mission or program
objective.
4. Concept Exploration. Beginning at Mission/Program Need
Determination, the initial phase of the system
acquisition process. During this phase, the
acquisition strategy is developed, system alternatives
are proposed and examined, and the systems program
requirements document is expanded to support subsequent
phases. Successful completion of this phase
constitutes milestone I.
5. Configuration Item (CI). Hardware and software, or any
of its discrete portions, designated by NASA for
configuration management. CI's may vary widely in
complexity, size, and type, from an aircraft, or an
electronic or space system, to a test meter. During
development and initial production, CI's are only those
specification items referenced directly in a contract
(or an equivalent in-house agreement). During the
operation and maintenance period, any repairable item
designated for separate procurement is a configuration
item.
6. Contract Data Requirements List (CDRL). Document used
to order ("buy") and request delivery of data. Tells
contractor what data to deliver, when and how it will
be accepted, and where to look for instructions.
7. Contract Work Breakdown Structure (CWBS). The complete
work breakdown structure for a contract, developed and
used by a contractor in accordance with the contract
statement of work.
8. Cost Tradeoffs. The tradeoffs between nonrecurring and
recurring costs accrued in system acquisition and the
operational life cycle.
9. Countermeasure. A design or procedural measure taken
to counter a known or postulated covert or overt
vulnerability. It includes deterrence, detection,
discrimination, alarm, and response activities.
10. Critical Design Review (CDR). Determines if the detail
design satisfies the performance and engineering
specialty requirements of the development.
Specification establishes detail design compatibility
between the item and other items of equipment
facilities. Computer programs and personnel assess
producibility and risk areas, and review the
preliminary product specifications. The CDR is
conducted during full scale development.
11. Demonstration and Validation. Normally, the second
phase in the acquisition process, following Milestone
I. Consists of the following steps necessary to
resolve or minimize problems identified during concept
exploration; verify preliminary design and engineering,
build prototypes, accomplish necessary planning, fully
analyze tradeoff proposals, and prepare contract. The
objective is to validate the choice of alternatives and
to provide the basis for determining whether or not to
proceed into full-scale development.
12. Electronic Security. The protection resulting from all
measures designed to deny unauthorized persons
information of value which might be derived from the
interception and study of friendly noncommunications
electromagnetic radiations.
13. Facilities. Land, buildings, structures, or other real
property improvements separately identified on the real
property records. Facilities are categorized as
technical support real property, critical subsystems,
nontechnical support real property (NSRP), and
industrial facilities. Refer to NHB 8831.2.
14. Full-Scale Development (FSD). Normally the third phase
in the acquisition process, following Milestone II.
The systems/equipment and the principal items necessary
for its support are fully developed, engineered,
designed, fabricated, tested, and evaluated. The
intended output is, as a minimum, a preproduction
system which closely approximates the final product,
the documentation necessary to enter the production
phase, and the test results which demonstrate that the
product will meet stated requirements.
15. Integrated Logistics Support. A composite of all the
support considerations necessary to ensure a system is
effectively and economically supported for its life
cycle. An integral part of all other aspects of system
acquisition and operations.
16. Life Cycle Cost (LCC). Includes all categories, both
contract and in-house, and all related appropriations.
It is the total cost to NASA for a system over its full
life, and includes the cost of development,
procurement, operation, support and, where applicable,
disposal.
17. Maintainability. A measure of the time or maintenance
resources needed to keep an item operating or to
restore it to operational status (or serviceable
status). Maintainability may be expressed as the time
to do maintenance (for example, maintenance downtime
per sortie); as a usage rate (for example, maintenance
work hours per flying hour); as the number of staff
members required (for example, maintenance personnel
per operational unit); or as the time to restore a
system to operational status (for example, mean
downtime).
18. Maintenance Concept. A description of maintenance
considerations and constraints. The operating
activity, with the help of implementing and supporting
activities, develops a preliminary maintenance concept
and submits it as part of the preliminary system
operational concept for each alternate solution. The
preliminary maintenance concept is refined during the
validation phase and becomes the system maintenance
concept during full-scale engineering development. The
maintenance concept is expanded in scope and detail and
becomes the maintenance plan.
19. Operational Test and Evaluation (OT&E). Test and
evaluation, initial operational test and evaluation,
and follow-on OT&E conducted in as realistic and
operational environment as possible to estimate the
prospective system utility, operational effectiveness,
and operational suitability. In addition, OT&E
provides information on organization, personnel
requirements, and policy. It may also provide data to
support or verify material in operating instructions,
publications, and handbooks.
20. Preliminary Design Review (PDR). Conducted on each
configuration item to evaluate the progress, technical
adequacy and risk resolution of the selected design
approach. Conducted to also determine its compatibility
with performance and engineering specialty requirements
of the development specification, and to establish the
existence and compatibility of the physical and
functional interfaces between the item and other items
of equipment, facilities, computer programs, and
personnel.
21. Production and Deployment. Normally the fourth phase
in the acquisition process following Milestone III.
Systems are procured, items are manufactured,
operational elements are trained, and the systems are
deployed.
22. Program Area Analysis (PAA). Continuous analysis of
assigned program responsibilities to identify
deficiencies in the current or projected capabilities
to meet essential program needs, and to identify
opportunities for the enhancement of capability through
more effective systems and less costly methods.
23. Program Security Official (PSO). The PSO serves as the
first point of contact externally, and as the focal
point internally, on program security matters within
the responsibility of the Program Office Associate
Administrator. Primary responsibility for program
security rests with the Program Office Associate
Administrators.
24. Security Criteria. The set of requirements that should
be met to enable the security system to provide a
maximum degree of effective deterrence at the lowest
cost.
25. Security Subsystem. That part of a system which is
added specifically for the performance of security
functions and not categorized as components of other
subsystems.
26. Security System. The aggregate of all mechanical and
electronic equipment countermeasures and security
disciplines in a system which contribute to its
security.
27. Subsystem. An element of a system that, in itself, may
constitute a system.
28. System Acquisition Protection. An element of system
engineering that applies scientific and engineering
principles to identify security risks and minimize or
contain vulnerabilities associated with these risks.
It uses mathematical, physical, and related scientific
disciplines, and the principles and methods of
engineering design and analysis to specify, predict,
and evaluate the invulnerability of systems to security
threats.
29. System Acquisition Protection Management. An element
of program management that ensures system security
tasks are completed. These tasks include developing
security requirements and objectives; planning,
organizing, identifying, and controlling the efforts
that help achieve maximum security and survivability of
the system during its life cycle; and interfacing with
other program elements to ensure security functions are
effectively integrated into the total system
engineering effort.
30. System Acquisition Protection Management Plan (SAPMP).
A formal document that fully describes the planned
security tasks required to meet system security
requirements, including organizational
responsibilities, methods of accomplishment,
milestones, depth of effort, and integration with other
program engineering, design and management activities,
and related systems.
31. Technology Tradeoffs. Tradeoffs among risks; that is,
the effect of technology on the development of new
hardware, software, or procedures.
32. Threat Validation. A documented confirmation by NASA
or other Government agencies that the intelligence
contained in a threat assessment applies to the program
tasks and is consistent with current intelligence
community estimates.
33. Vulnerability. In system acquisition protection, the
susceptibility of systems or components to overt or
covert security threats that would result in the loss
of resources. Security vulnerability is measured in
terms of function or absence of function design.
34. Work Breakdown Structure (WBS). A product-oriented
family tree division of hardware, software, services,
and other work tasks which organizes, defines, and
graphically displays the product to be produced, as
well as the work to be accomplished to achieve the
specified product.
4904 REQUIREMENTS
1. A NASA System Acquisition Protection (NSAP) Management
Program shall be developed, consistent with other
design and operational considerations, for all major
systems to support economical achievement of overall
program objectives. All NASA in-house efforts and
contracts for major systems shall require a NSAP
Management Program tailored for each program in
coordination with the PSO. To be considered efficient,
the NSAP management program accomplishes the following:
a. Enhances the operational readiness and program
success of the resource;
b. Identifies and reduces potential vulnerabilities
to security threats;
c. Provides management information essential to
system security planning; and
d. Minimizes its own impact on overall program cost,
schedule, and performance.
2. Systems acquisition is divided into the following four
phases: concept exploration, demonstration and
validation, full-scale development, and production and
deployment. During each of the four phases, the
following general NSAP requirements are accomplished:
a. In the concept exploration phase, develop system
security criteria, describe the baseline security
system design, and conduct security threat and
vulnerability studies.
b. In the demonstration and validation phase, through
a series of analyses, validate the baseline
security system design described during the
concept exploration phase, and prepare preliminary
performance specifications for security hardware
and software. Identified threats and
vulnerabilities are processed through system
design modifications and risk management.
c. In the full-scale development phase, the security
system should be fully designed and integrated.
Security system hardware and software should be
acquired or developed against the specifications
prepared in the demonstration and validation
phase.
d. In the production and deployment phase, implement
the security system design via production and
conduct deployment planning.
3. Purpose. The NSAP program establishes, as part of each
major acquisition development and upgrade program,
appropriate procedures to identify security risks and
resulting actions to eliminate or contain associated
vulnerabilities. Further, it provides a means to
ensure that necessary security requirements (physical,
personnel, technical, communications, and information
security, etc.) are adequately considered and, when
appropriate, incorporated in the overall system
development program.
4. Application Guidance. NSAP requirements exist, in
various degrees, throughout the life cycle of a major
development and/or upgrade program. As such, the NSAP
program shall be tailored to facilitate continuation of
the NSAP objectives through each of the following
acquisition phases: Concept Exploration, Demonstration
and Validation, Full-Scale Development, and Production
and Deployment. It shall also accommodate
modifications, test and evaluation, and research and
development.
5. Task Requirements
a. Concept Exploration Phase. The primary output of
the NSAP program during this phase is the
identification of a broad range of security
criteria and concepts which satisfy operational
conditions and program requirements. These
criteria are conceptualized early in the system
acquisition process. At the beginning of the
Concept Exploration Phase, the managing activity
will evaluate available information from
operational requirements documentation used to
explore concepts for integrated security
solutions. During this early phase, all possible
security requirements shall be consolidated and
evaluated to achieve a defined security concept.
Ultimately these system security requirements
shall be validated (Demonstration and Validation
Phase) as part of the definition of system
security criteria.
(l) System Acquisition Protection Management Plan
(SAPMP). The SAPMP shall be developed to
describe the contractor's security
engineering and management approach,
including how the contractor will interact
with NASA subcontractors and vendors, and the
anticipated level of contribution from each.
The contractor shall also describe methods
which shall be implemented to ensure program
schedules are maintained. The SAPMP applies
to these requirements.
(2) Threat Definition and Analysis. Threat
definition is, in most cases, provided by
intelligence sources in the form of a
statement and/or scenarios which identify
anticipated adversaries, their skills,
capabilities, dedication, and size. A threat
analysis is accomplished to further identify
adversary program objectives as they pertain
to the system and provide a preliminary
estimate of the effect of the threat on each
conceptual system baseline or design
alternative. This analysis shall include a
credible worst case threat extending over the
projected life of the system. The threat
environment, as defined at this point,
represents a best quantitative estimate
available, on the basis of current threat
information, and is used to validate system
acquisition protection criteria.
(3) Preliminary System Acquisition Protection
Concept (PSAPC). Based on the threat
definition, vulnerability analysis, and
existing security systems already in place,
if any, a preliminary system acquisition
protection concept shall be developed. The
PSAPC is generally prepared by NASA and will
be provided to the contractor for use and
possible update during subsequent program
phases. However, NASA may task the
contractor to prepare this document. The
PSAPC may be general in nature, but as a
minimum shall describe program task,
operational systems, operational environment,
and personnel/human resources, equipment and
employment issues. The PSAPC, coupled with
threat definitions and operational
requirements documents provided by the
managing activity, serves as source material
for further defining system acquisition
protection requirements. Data Item
Description-2 (DID-2), PSAPC, applies to
these requirements. See Appendix R.
(4) Acquisition Protection Requirements
Definition. Acquisition protection program
requirements shall be developed to support
the proposed system acquisition protection
security concept, including a discussion on
each security element identified in the
SAPMA. Documents made available by the
managing activity include threat assessments,
operational concepts, program statements,
etc. General system characteristics or
capabilities that might be required to
adequately secure the system are also
identified.
(5) Technology Assessments and Cost Studies.
Ultimately, security technologies must be
deployed which will satisfy defined
requirements, support the operational
concepts, and secure the system against
defined threats and vulnerabilities. To do
this, both Government developed and
commercially available hardware shall be
assessed. Preliminary assessments shall be
made of hardware and/or software
applicability, operability, suitability,
supportability, and/or affordability of
various technological options.
(6) Logistics Support. Prepare a Logistics
Support Plan or an appendix to the overall
system logistics support plan. The plan
shall identify management objectives and
procedures for accommodating logistics
requirements associated with security systems
and subsystems.
(7) Security Training Requirements. Training
requirements and anticipated skill levels
necessary to effectively operate and maintain
security systems shall be identified. Course
material to support training requirements
shall be developed.
(8) Preliminary Security Vulnerability Analysis.
A vulnerability analysis of the preliminary
baseline design shall be conducted. DID-3,
Security Vulnerability Analysis, applies to
these requirements. See Appendix R. This
analysis includes the following actions:
(a) Identifying logical security
vulnerabilities of the system in its
projected operational environments and
addressing general threats stated in
threat definition documents;
(b) Defining security system functional
requirements which may effectively
secure the system from exploitation; and
(c) Choosing candidate safeguards and
safeguard configurations to mitigate or
reduce identified vulnerabilities.
(9) Security Classification Requirements. A
security classification guide is provided by
NASA and used to identify specific
classification decisions for contractor
prepared deliverables.
b. Demonstration and Validation Phase. The goal of
the Demonstration and Validation Phase is to
translate qualitative security criteria, developed
during the Concept Exploration Phase, into
quantitative security criteria for specifications
that can be used during the Full-Scale Development
Phase. This phase is concerned with "validating"
the system acquisition protection concept and
selecting specific "design-to" requirements on the
basis of a series of analyses, trade studies, and
prototypes, etc.
(1) Threat Assessment and Adversary Program
Analysis. An adversary program analysis
shall be conducted. DID-4, Adversary Program
Analysis, applies to these requirements. See
Appendix R. This analysis shall include the
following tasks:
(a) Adversary program scenarios. Using the
information from the threat analysis
conducted in the Conceptual Phase,
program objectives shall be determined
and approaches that potential
adversaries could use shall be
described. Physical paths by which the
adversary could execute each scenario
shall be analyzed.
(b) Estimating adversary success criteria.
(c) Cataloging adversary program objectives
and success criteria according to each
variation in the design of the system.
(d) Synthesizing adversary models.
(e) Recommending safeguards and
configurations for security tradeoff
analysis.
(2) Preliminary System Acquisition Protection
Concept (PSAPC). The PSAPC prepared during
the Conceptual Phase shall be updated and
expanded. DID-2, PSAPC, applies to these
requirements. See Appendix R.
(3) Review Security Regulatory Requirements.
NASA security program regulatory requirements
shall be evaluated and potential deviations
identified, assessed, and validated.
(4) Security Vulnerability Analysis. Update the
security vulnerability analysis of each
candidate safeguard and each adversary model.
Security vulnerabilities of each proposed
safeguard shall be evaluated, and the
candidates ranked according to their
effectiveness. DID-3, Security Vulnerability
Analysis, applies to these requirements. See
Appendix R.
(5) Security System Tradeoff Analysis. A
security system tradeoff analysis shall be
conducted using approved candidate
safeguards. Variables to be considered shall
include security effectiveness and cost of
facilities, manpower, equipment, schedule,
system performance impacts, supportability,
maintainability, technology, etc. The
program schedule will be the ultimate
discriminator.
(6) Subsystem and System Specification Inputs.
Preliminary specification inputs shall be
developed to identify general system security
requirements, specific security hardware and
software definition, and security
qualification requirements. These inputs
shall be designed to be incorporated into
system development and product
specifications. DID-5, System/Subsystem
Specification, applies to these requirements.
See Appendix R.
(7) Manpower Impact Assessments. Human resources
requirements associated with the deployment
of security systems shall be identified.
c. Full-Scale Development Phase. The primary goals
of the NSAP program in this phase are to develop
the hardware, firmware, and software components of
the pre-production prototype system according to
system specification; verify compliance with
specification requirements supported by
engineering development tests; qualify security
subsystems; and document the information required
to enter the production phase.
(1) System Acquisition Protection Requirements
Definition. System acquisition protection
requirements shall be defined. This task is
part of the system requirements analysis that
implements the system acquisition protection
and logistics support analysis objectives.
It shall include the NSAP program
requirements as derived from an operational
analysis and an assembly, installation, and
checkout technical analysis. The results of
this task shall be included in the system
design review.
(2) System Acquisition Protection Management Plan
(SAPMP). This plan, which is initially
developed in the Concept Exploration Phase
and updated in the Validation Phase, shall be
further expanded during Full-Scale
Development. The plan describes the
contractor's system acquisition protection
management approach in detail. It shall
include an approach for analytical
verification analysis. DID-l, System
Acquisition Protection Management Plan,
applies to these requirements. See Appendix
R.
(3) Subsystem and Interface Specifications.
Develop subsystem and interface
specifications. Subsystem and interface
specifications detail components and piece
parts procured separately and define the
design, function, and procedural interfaces
in the development and operation of the
Government Furnished Equipment
(GFE)/subsystem.
(4) System Acquisition Protection Design. This
task uses system acquisition protection
requirements to perform a preliminary design
of the major subsystems that comprise the
overall security system. The following
analysis and testing shall be performed to
validate components that may be required to
ensure functional performance of the
preliminary designs.
(a) Component Screening. Candidate GFE and
Contractor Furnished Equipment (CFE)
security system components performing
given functions shall be identified and
selected for analysis to satisfy
specification requirements.
(b) Component Response Analysis. Selected
components shall be analyzed to
determine if their response to the
specified environments and stimuli are
acceptable.
(c) Engineering Test. At the preliminary
design stage, tests shall be performed
on simulated components such as
breadboard circuits, nonproduction
assemblies, etc., to provide data that
complements or supplements the response
analysis.
(5) Subsystem Verification Analysis. This
analysis verifies that each subsystem meets
the requirements of the system acquisition
protection criteria and security requirements
in applicable subsystem, interface,
component, and test specifications. It shall
be performed to assess the inherent
capability of the security system at the
subsystem level.
(a) Threat Rejection Logic. During the
Validation Phase, a number of adversary
models that might possibly engage the
system were synthesized. The number of
adversary models used to perform
tradeoff analysis was probably large
initially. However, many alternatives
will have since been discarded because
they have ceased to be relevant for one
of three possible reasons: (a) the
adversary program objective is now out
of scope as a practical goal; (b) there
are no longer any plausible means to
satisfy program objectives; or (c) the
adversary threat is not (or is no
longer) officially considered viable.
The first two reasons may be related to
the system design or operational
concepts as presently defined. The
third is related to the official
estimate of the vulnerability incident
to threat and risk assessments.
Adversary models shall be evaluated and
a small number of them selected for
detailed analysis.
(b) Detailed Adversary Modeling. The
remaining adversary models shall be
revised according to current threat
projections and developed in sufficient
detail to model all the important
variables. These models may be used
again in system level verification
analysis.
(c) Subsystem Response Modeling. During the
period between preliminary design review
and critical design review, the design
of the security system is in a continual
state of detailed development. The
process of screening components,
software, procedures, etc., is an
interactive process. Promising
components shall be selected for
response modeling. This modeling shall
be of sufficient detail to permit a
thorough description of subsystem
critical functional and subsystem
responses to specified environments and
threat stimuli.
(d) Subsystem Qualification Testing.
Subsystem qualification testing shall be
performed as directed by the appropriate
NASA Headquarters Program Office.
(e) System Verification Analysis. This
analysis shall be conducted to verify
compliance with security requirements in
system specification and to assess the
capability of the system as a whole to
counter the specified security threats
and contain associated vulnerabilities.
(f) System Response Modeling. System
response modeling shall be conducted.
The inputs to these models include the
subsystem response models that have been
performed in the subsystem verification
analysis and modified to account for the
physical and functional interfaces
between subsystems. Engineering
development testing is required to model
total response.
(g) System Response Analysis. System
response analysis shall be conducted
using the detailed adversary models of
the subsystem verification analysis and
the system response models.
d. Production and Deployment Phases. The goal of the
NSAP program during this phase is to ensure that
defined security requirements are met in the
operational system.
(1) Acceptance Testing. Acceptance testing shall
be monitored and supported as necessary to
ensure Configuration Items (CI's), including
changes, meet security requirements. Test
methods, as well as results, shall be
examined.
(2) Training. Initial training on security
systems shall be monitored and analyzed to
ensure a system is adequate and that
personnel with appropriate skill levels can
operate and maintain the system.
(3) Program Management Responsibility Transfer
(PMRT) Support. PMRT shall be supported as
necessary. This support shall include the
following tasks:
(a) Preparing the security portion of the
agreement to transfer program management
support to NASA.
(b) Analyzing feedback from the operational
activity's experience in actually
operating the system.
(4) Product Security. Security must be provided
for essential products at key assembly plants
and facilities. NASA outlines protection
criteria for assembly plants, facilities, and
critical components not yet delivered. The
contractor provides input to the Product
Security Programs and may be tasked to
include product security requirements in the
SSMP. If this tasking is to take place after
contract formation, it must be done through
the contracting officer. DID-l applies to
these requirements. See Appendix R.
4905 DATA ITEM DESCRIPTION (DID)
1. Intended Use. These DID's are used by NASA and NASA
contractors for those programs that require selective
application of acquisition protection program
management.
2. Data Requirements. When these DID's are used in an
acquisition, the data requirements will all be
developed as specified by an approved DID (see Appendix
R) and delivered in accordance with instructions
incorporated into the contract. When the provisions of
these data requirements are invoked, the data specified
in Appendices R and S shall be delivered by the
contractor in accordance with the contract or purchase
order requirements.
CHAPTER 50: OPERATIONS SECURITY (OPSEC)
5000 BACKGROUND
On January 22, 1988, the President signed National Security
Decision Directive (NSDD) 298, which established a National
OPSEC program and required executive departments or
agencies, assigned or supporting national security missions
with classified or sensitive activities, to establish a
formal OPSEC program. Agencies with minimal activities
affecting national security are not required to establish a
formal program; however, they must cooperate with other
departments and agencies to minimize damage to national
security when OPSEC problems arise.
5001 OBJECTIVE
Security programs and procedures already exist to protect
classified information. However, items of information
generally available to the public and certain detectable
activities can reveal the existence of, and sometimes
details about, classified or sensitive information or
undertakings. Such indicators may assist those seeking to
neutralize or exploit U.S. actions in the area of national
security. OPSEC is a systematic and proven process through
which the Government and its supporting contractors can
promote operational effectiveness. The process can deny
potential adversaries information by identifying,
controlling, and protecting generally unclassified evidence
concerning the planning and execution of sensitive
activities.
5002 POLICY
1. NASA Headquarters has few activities that could affect
national security; therefore, it does not require a
formally established organizational OPSEC program.
2. Some NASA Installations may now, or will at a later
date, have programs which could require the application
of OPSEC procedures.
3. NASA programs should be reviewed on a case-by-case
basis for the possible inclusion of OPSEC in program
security.
5003 RESPONSIBILITIES
1. The ICS's are responsible for the following activities:
a. Identifying, in conjunction with program managers
and program security officials, projects which may
require implementation of OPSEC measures.
b. Designing and implementing a project OPSEC plan,
as required, through application of the following
steps:
(l) Identification of critical information;
(2) Analysis of threat;
(3) Analysis of vulnerabilities;
(4) Assessment of risks; and
(5) Application of appropriate countermeasures.
c. Appointing an OPSEC coordinator to work closely
with the program manager to ensure that OPSEC
measures are considered at all stages of the
project.
d. Submitting a copy of the project OPSEC plan to the
NASA Security Office and to their Program Office
Security Official.
2. The NASA Security Office is responsible for the
following activities:
a. Representing NASA at the Interagency OPSEC Support
Staff.
b. Reviewing OPSEC plans and making suggestions for
changes or improvements if required;
c. Providing inter-Agency support and cooperation
with respect to OPSEC programs;
d. Conducting a review of OPSEC procedures and
projects to assist in the improvement of any OPSEC
measures as part of the functional review program
in coordination with the program security
officials;
e. Coordinating OPSEC matters involving more than one
NASA Installation; and
f. Furnishing OPSEC coordinators current threat
information.
5004 PROGRAM DEVELOPMENT
1. The Interagency OPSEC Support Staff (IOSS) is tasked by
the Executive Agent for Interagency OPSEC training,
National Security Agency, to provide national level
OPSEC training and act as a consultant to executive
departments and agencies establishing OPSEC programs.
NASA Installations developing OPSEC programs may call
upon this group for advice or assistance as necessary.
2. The IOSS OPSEC Program Development Procedural Guide
serves as an excellent guide when establishing programs
and is attached as Appendix T to this Handbook.
Appendix U defines appropriate terms.
3. To aid standardization of terms in NASA OPSEC programs,
a glossary of OPSEC terms, definitions, and acronyms is
included as Appendix F of this Handbook. Installation
Security Offices establishing OPSEC projects should
adopt these terms whenever possible.
4. The Security Operations Section of the NASA Security
Office will maintain national level liaison with other
agencies involved with OPSEC and will act as a
coordinator for contact with those agencies as
requested.