Integration of Security Administrative Issues Conference

1
Integration of Security Administrative Issues
Conference

• Clint Herbert
• NASA Deputy Assistant Administrator
• Office of Security and Program ProtectionOctober
  5, 2005

2
Agenda

• Office of Security and Program Protection (OSPP)
  Mission
• OSPP Responsibilities
• OSPP Organization Drivers
• OSPP Pieces of the Identity Management System
• OSPP HSPD-12 Implementation

3
OSPP Mission

• OSPP provides policy formulation, oversight,
  coordination, and management of following
  Agencywide programs
• Security
• Physical
• Personnel
• Industrial
• Program
• Classified information management
• Unclassified information assurance
• COMSEC

4
OSPP Mission (concluded)

• Counterintelligence (CI)/Counterterrorism (CT)
• Threat analysis
• Threat briefings
• Intelligence community liaison
• Investigations (in conjunction with FBI)
• Foreign visitor management,
• Emergency Preparedness and Response,
• Continuity of Operations (COOP), and
• Homeland Security R D liaison.

5
OSPP Responsibilities

• Senior security, counterintelligence/counterterror
  ism, and emergency preparedness advisor to the
  NASA Administrator.
• Represents NASA on national-level policy-making
  groups for security, emergency preparedness, and
  COMSEC.
• Responsible for providing Agencywide executive
  and functional leadership, policy formulation,
  operational oversight, guidance, coordination,
  and advocacy for security, counterintelligence/cou
  nterterrorism, emergency preparedness and
  continuity of operations, processes, functions,
  and activities.

6
OSPP Responsibilities (continued)

• The AA for OSPP maintains liaison and establishes
  working relationships with counterparts in other
  Government agencies and industry and, serves as
  the primary point of contact for external
  Government agencies on matters involving
• security at NASA facilities,
• classified information management,
• personnel security,
• counterintelligence/counterterrorism,
• sabotage and espionage,
• emergency preparedness and response to include
  continuity of operations, and
• other activities related to the protection of
  people, property, and information.

7
OSPP Responsibilities (continued)

• Ensures information technology (IT) security
  policy compliance and operational coordination
  with the Office of the Chief Information Officer.
  
• Provides Agencywide oversight of unclassified IT
  Security Certification and Accreditation (CA)
• Assures independence of CA program
• Validates FIPS 199 classification of unclassified
  IT information (low, moderate, high)
• Sets requirements for identification and
  protection of sensitive but unclassified (SBU)
  controlled information

8
OSPP Responsibilities (concluded)

• Ensures coordination with the NASA Office of
  Inspector General (OIG) on suspected or actual
  criminal violations and issues of mutual concern,
  as appropriate.

9
OSPP Organization Drivers and Strategy

• Internal Drivers
• Ability to work across Centers as one Agency
• Improve NASAs Security and Program Protection
  Infrastructure
• Support Agency-wide applications (CBACS,
  Collaboration, E-Gov services, etc.)
• Integrated and standardized processes across
  Centers
• Identification and implementation of cost
  efficiencies through standardized processes
• Ensure timely and consistent security services to
  customers
• External Drivers
• Public Law
• Legislative Mandates
• Executive Orders
• Presidential Policy Directives
• Government and Industry Standards

• As a consequence of these drivers, the OSPPs
  strategy is to
• Manage the security and program protection
  infrastructure as an integrated Agency activity
• Provide an infrastructure that can evolve and
  adapt to emerging technologies and methodologies
• Provide information and services that enhance
  management and accountability of key program
  activities and assets
• Enable effective and efficient integration with
  Federal Law and Regulations, and Presidential
  Directives

10
OSPP Pieces of the Identity Management System

• IDMSThe Identity Management System is a
  Microsoft SQL Database that serves as a
  repository for verified and validated identities.
  
• CBACSThe Common Badging and Access Control
  System is a project that will create a common
  badging format across the Agency in a
  geographically dispersed Enterprise solution and
  a common access control methodology for doors and
  cameras.
• UUPICThe Uniform Universal Person Identification
  Code is a MS SQL database application that
  contains the unique identifiers for all NASA
  visitors, contractors, and civil servants.

11
OSPP HSPD-12 Implementation
HSPD-12 requires the Federal Government to
develop interoperable identity cards and
credentials that can be recognized and trusted by
all organizations (FIPS 201)

• The Agency will be required to
• Conduct NAC-I (as a minimum) and issue Smart
  Cards
• 5 CFR 731, EO 10450, and Chapters 3 4 NPR
  1600.1 remain applicable
• Government agencies have always previously been
  required to conduct at a minimum a NAC to
  determine suitability for government employment
  and/or access to government facilities or
  information
• Investigation types vary from NAC-I to LBI/MBI to
  BI to SSBI dependant upon individual position
  risk (low, moderate, and high) and sensitivity
  (SS, CS, and NCS) level designations

12
Summary

• OSPPs broad programmatic responsibilities impact
  all aspects of NASA operations.
• All OSPP policies and procedures interpret and
  implement external federal requirements
• NASA as a whole continues to struggle with
  compliance.
• OSPP/OCIO partnership in Information Assurance
  and IT Security will lead the agency into a more
  effective and accountable information security
  posture
• NASAs implementation of HSPD-12 requirements (5
  CFR 731, EO 10450, and NPR 1600.1, Chapters 2, 3,
  and 4 remain germane) will take a concerted and
  dedicated effort of center management, human
  resources, procurement, and security offices to
  be fully effective and compliant.

13
Q A