NASA Directive: NMI 2410.7C
NASA MANAGEMENT INSTRUCTION
Effective Date: April 8, 1993
Expiration Date: January 31, 1998


Responsible Office: AO / Chief Information Officer

Subject: ASSURING THE SECURITY AND INTEGRITY OF NASA AUTOMATED INFORMATION RESOURCES

1.   PURPOSE

     This Instruction establishes policy and responsibilities for
     ensuring appropriate levels of security and integrity for
     NASA automated information processing installations,
     systems, data, and related resources; and constitutes the
     NASA Automated Information Security (AIS) Program.

2.   APPLICABILITY

     This Instruction is applicable to NASA Headquarters and
     Field Installations.

3.   SCOPE

     a.   This Instruction applies to all automated information
          resources including computers, ancillary equipment,
          software, firmware, services, and related resources
          used in the acquisition, storage, manipulation,
          management, movement, control, display, switching,
          interchange, transmission, or reception of machine
          readable data or information.  It includes all
          automated information resources maintained by or in
          support of NASA organizations, functions, and programs
          whether such resources are owned by or installed,
          maintained, or operated at a NASA, contractor, or
          research facility.

     b.   Generally excluded are contractor or research facility
          systems and resources not under NASA management
          cognizance which are merely incidental to the contract.
          The NASA Field Installations or Program Offices may,
          individually, elect to include any information
          resources exempted by this definition.

4.   AUTHORITY

     a.   Public Law 100-235, the Computer Security Act of 1987.

     b.   Public Law 97-255, the Federal Managers Financial
          Integrity Act.

     c.   Public Law 93-579 (5 U.S.C. 552), the Privacy Act of
          1974.

     d.   Public Law 89-306 (40 U.S.C. 759), the Brooks Act of
          1965.

     e.   Public Law 96-511 (44 U.S.C. 3501), the Paperwork
          Reduction Act of 1980.

     f.   Public Law 81-152 (40 U.S.C. 471), the Federal Property
          and Administrative Services Act of 1949.

     g.   Public Law 99-500, the Paperwork Reduction
          Reauthorization Act.

     h.   Executive Order 12356, National Security Information.

     i.   National Security Decision Directive No. 145.

     j.   OMB Circular A-130, "Management of Federal Information
          Resources."

     k.   OMB Circular A-123, "Internal Control Systems."

     l.   Code of Federal Regulations (41 CFR Part 201), "Federal
          Information Resources Management Regulations."

     m.   Federal Personnel Manual, Section 732.

     n.   National Telecommunications and Information Systems
          Security Policy No. 200, "Access Control Protection."

5.   BACKGROUND

     a.   The NASA programs depend on automated information
          resources for essential support in accomplishing
          operational, research, and management objectives.  Many
          agency programs and functions, involving important and
          irreplaceable national resources, could not be
          effectively carried out without automated information
          support.  These resources are relied upon to perform in
          an accurate, reliable, accountable, and efficient
          manner.  Additionally, specific NASA missions
          frequently require automated information support with
          unique and specialized features for which backup
          facilities and/or alternative processing sites are not
          available or feasible.

     b.   Therefore, since the Agency's automated information
          resources face identifiable risks of deliberate or
          accidental misuse, loss, disruption, or destruction, it
          is essential that steps be taken which are sufficient
          to ensure that the following occur:

          (1)  systems and data have a high degree of integrity;

          (2)  the potential for abuse or misuse of automated
               information resources is minimized; and

          (3)  continuity of operations is maintained.

6.   POLICY

     a.   It is NASA policy that automated information resources
          shall be provided a level of security and integrity
          consistent with the potential harm from their loss,
          inaccuracy, alteration, unavailability, or misuse.
          Specifically, actions shall be taken consistent with
          management determinations of acceptable levels of risk,
          sufficient to ensure that NASA automated information
          systems and resources, whether maintained in-house or
          under contract do the following:

          (1)  operate effectively and accurately;

          (2)  are protected from unauthorized alteration,
               disclosure, or misuse of information processed,
               stored, or transmitted;

          (3)  can maintain the continuity of automated
               information support for significant NASA missions,
               programs, and functions;

          (4)  incorporate management, general, and application
               controls sufficient to provide cost-effective
               assurance of the systems integrity and accuracy;
               and

          (5)  have appropriate technical, personnel,
               administrative, environmental, and access
               safeguards.

     b.   Documentation of policies, standards, procedures,
          guidelines, and responsibilities for implementation is
          an essential part of the NASA AIS Program.  Specific
          actions taken, and planned to be taken to ensure the
          security, integrity, and continuity of operations of
          each NASA data processing installation and to identify
          and certify all sensitive applications, together with
          the planned schedule for completion or implementation,
          shall be documented in an AIS Plan.  Deviations from
          automated information security policy, standards, or
          procedures, as well as any significant deviations from
          an AIS Plan will be reported to appropriate officials.

     c.   Copies of AIS plans and status reports will be
          systematically provided to NASA Headquarters, Field
          Installation, and/or appropriate Program Office senior
          management.

7.   RESPONSIBILITIES

      a.  The Chief, NASA Security Office, is responsible for the
          following:

          (1)  Developing and implementing the AIS Program for
               NASA.  This includes:  the development,
               implementation, monitoring, and evaluation of the
               NASA-wide AIS Plan; developing and promulgating
               policies, guidelines, standards, and procedures;
               regular monitoring of Field Installation AIS
               programs and plans, and Program Office AIS plans;
               and providing input to the NASA internal control
               and budget development processes.

          (2)  Nominating official NASA representatives to
               governmentwide and other boards, committees, and
               organizations concerned with automated information
               security and integrity.  Such nominations will be
               coordinated with and subject to concurrence by
               other appropriate NASA officials.

          (3)  Establishing personnel security policies for
               screening all NASA and contractor personnel
               participating in the design, development,
               operation, installation, and maintenance of NASA
               automated information resources, as well as those
               having access to NASA automated information
               systems or data.  These policies shall be
               consistent with those established under the NASA
               AIS Program.

     b.   The Inspector General is responsible for periodic
          reviews and evaluations of the NASA, Installations, and
          Program Office automated information programs and 
          systems, to include those of NASA grantees and support
          contractors, as deemed appropriate by the Office of
          Inspector General.

    *c.   The Associate Administrator for Procurement is
          responsible for establishing policies to ensure that
          appropriate technical, administrative, physical, and
          personnel security control requirements are properly
          set forth in solicitations and contracts for
          acquisition of automated information resources and
          construction of related facilities, together with any
          instructions and/or claims or clauses to promote or
          ensure contractor compliance.

      d.  The Associate Administrator for Safety and Mission
          Quality is responsible for establishing policies,
          standards, guidelines, and procedures consistent with
          those established under this Instruction for assuring
          the security and integrity of NASA's mission critical
          automated information systems.

      e.  The Associate Administrator for Space Communications is
          responsible for establishing policies, standards,
          guidelines, and procedures for the security of
          telecommunications transmission and reception.  Where
          such resources are used with automated information
          systems or resources, the implementation of those
          requirements shall be consistent with those established
          under this Instruction.

     f.   The Program Associate Administrators are responsible
          for implementing the requirements for security and
          integrity of automated information systems directly
          related to their program missions.  This responsibility
          includes developing and maintaining AIS plans
          reflecting specific actions taken, and planned to be
          taken to ensure the security, integrity, and continuity
          of operations of automated information systems and
          resources designed, developed, installed, or operated
          at multiple Field Installations or physically disparate
          locations, together with the planned schedule for
          implementation of the Plan.  These plans are to provide
          for the following:

          (1)  The program-level implementation of the NASA AIS
               Program;

          (2)  The establishment of program-level requirements
               for mission critical or telecommunications
               systems; and

          (3)  The implementation of NASA, Department of Defense,
               Department of Energy, or other Government agency 
               certification and accreditation requirements, as
               appropriate, for installations and applications
               processing, storing, or transmitting classified
               information.

      g.  The NASA Center Directors, and for NASA Headquarters
          the Associate Administrator for Management Systems and
          Facilities, are responsible for implementing and
          maintaining Field Installation-level AIS programs.
          Field Installation programs shall, at a minimum,
          include management and internal control processes which
          provide for the following:

          (1)  (a)  Development, implementation, and monitoring
                    of an AIS Plan for the Field Installation and
                    for each data processing installation under
                    their jurisdiction.  These plans must, at a
                    minimum, specify actions taken, and planned
                    to be taken to ensure the security,
                    integrity, end user contingency, disaster
                    recovery, and continuity of operations of
                    each such installation; actions taken, and
                    planned to be taken to identify and certify
                    all sensitive applications; actions taken to
                    assure that all acquisitions of automated
                    information resources adequately consider
                    security and integrity issues, and a schedule
                    for implementation of the Plan.

               (b)  Installation plans must also provide for the
                    implementation of NASA, Department of
                    Defense, Department of Energy, or other
                    Government agencies certification and
                    accreditation requirements, as appropriate,
                    for systems and applications processing,
                    storing, or transmitting classified
                    information.

          (2)  Designation, in writing, of the individual(s) to
               whom authority and responsibility for the 
               development, implementation, and monitoring of the
               Field Installation-level AIS Plan has been
               delegated.

          (3)  Promulgation of directives that clearly describe
               the Field Installation's AIS Program and the
               responsibilities of data processing installation
               and sensitive application security officials.

          (4)  Determination of which of the Field Installation's
               information is sensitive.

          (5)  Identification of systems that process, store,
               transfer, or communicate sensitive information
               requiring protection.

          (6)  Completion of periodic risk analyses of data
               processing installations under the Installation's
               cognizance.  The size and scope of the risk
               analyses should be appropriate to the subject
               Installation.  Risk management plans, sufficient
               to appropriately address the results of all risk
               analyses, shall be developed and included as a
               part of the overall Field Installation Plan.

          (7)  Periodic evaluation and recertification of the
               security safeguards in sensitive applications.

          (8)  Including appropriate security requirements in
               specifications and/or statements of work for
               acquisition or operation of information technology
               installations, equipment, software, and related
               services.

          (9)  Developing and implementing a Field Installation
               level automated information security awareness and
               training program.

          (10) Conforming with any additional policies or
               programs established by the Headquarters offices
               listed in subparagraphs a through h.

     h.   The NASA organizations, and contractors and grantees
          acting on behalf of NASA, which initiate automated
          information resources acquisitions are responsible for
          assuring that appropriate technical, administrative,
          physical, and personnel security requirements are
          included in specifications, statements of work, or
          requirements for the design, development, acquisition,
          installation, operation, or maintenance of any
          automated information resources not specifically
          excluded by this Instruction.

8.   THE NASA AUTOMATED INFORMATION SECURITY PROGRAM GUIDELINES

     a.   Standards, procedures, and guidelines for NASA AIS
          programs and plans are described in Chapter 3 of NHB
          2410.1, "Information Processing Resources Management."
          The NASA AIS policies, standards, procedures, and
          guidelines shall be consistent with the policies,
          procedures, standards, and guidelines issued by
          appropriate Federal agencies, including but not limited
          to the following:

          (1)  Office of Management and Budget;

          (2)  Department of Commerce;

          (3)  General Services Administration;

          (4)  Department of Defense; and

          (5)  Office of Personnel Management.

     b.   Each NASA Center may develop supplemental site-specific
          AIS Program guidelines as required.

9.   CANCELLATION

     NMI 2410.7B dated December 20, 1991.

                                        /s/Daniel S. Goldin
                                        Administrator

DISTRIBUTION:
SDL 1

*Changed by this revision.