NASA Should Improve Employee Awareness of Requirements for Identifying and Handling Sensitive But Unclassified Information (Redacted)
IG-06-10-R NASA Should Improve Employee Awareness of Requirements for Identifying and Handling Sensitive But Unclassified Information (Redacted).
The Issue
The National Aeronautics and Space Act of 1958 (Space Act) requires NASA to “provide for the widest practicable and appropriate dissemination of information concerning its activities and the results thereof.” This must be accomplished in a manner consistent with U.S. laws and regulations, Federal information policy, intellectual property rights, and technology transfer protection requirements. NASA faces many challenges in balancing its Space Act mandate with the requirements to protect certain classes of information that are not suitable for dissemination to the public. Crucial to the success of meeting those challenges is the need for NASA to (1) ensure that its policies and procedures for sensitive but unclassified (SBU)1 information are complete and (2) create and maintain employee awareness of their responsibilities to safeguard SBU information.
Results
Overall, NASA’s policies and procedures for handling SBU information are consistent with Federal laws and regulations. Prior to November 2005, the Agency’s primary Security Program document did not cover all the types of SBU information that NASA uses, nor were SBU requirements in the Security Program document cross-referenced to other documents that contained additional requirements for specific types of SBU information. Revisions incorporated into the November 2005 version of NPR 1600.1, “NASA Security Program Procedural Requirements w/Change 1 (11/08/2005),” assuaged our concerns about the adequacy of the Agency’s policies and procedures for SBU information. However, we found that NASA lacks a comprehensive SBU training program for civil servants and contractors on the requirements for protecting SBU information
Management Action
In November 2005, NASA revised the requirements for SBU information. Specifically, the new policies and procedures increased the number of SBU information types recognized by NASA and cross-referenced several types of SBU information to other documents that contained additional requirements. Although the new requirements emphasized the importance of establishing and maintaining an adequate level of education and awareness to safeguard and prevent unauthorized disclosure of SBU information, they did not detail a comprehensive SBU training program. Therefore, we are recommending that NASA establish an Agency-wide comprehensive training program that specifies the policies and procedures for identifying and handling SBU information. In response to a draft of this report, the Assistant Administrator, OSPP, concurred with the recommendation and provided information on corrective actions planned (see Appendix D). We consider management’s comments to be responsive and the recommendation resolved, although it will remain open until all actions have been completed and verified. No response to this final report is required.
1 Until November 2005, NASA used the term Administratively Controlled Information, or ACI, to identify official information of a sensitive but unclassified nature that needed to be protected against inappropriate disclosure. Such information officially became Sensitive But Unclassified on November 8, 2005, when NASA issued its revised NASA Procedural Requirements (NPR) 1600.1, “NASA Security Procedural Requirements w/Change 1.”