NASA Web Site Registration and Internet Publishing Content Guidelines
AD03
TO: Distribution
FROM: AD03/Sheila S. Cloud
SUBJECT: NASA Web Site Registration and Internet Publishing Content Guidelines
In light of the terrorist attacks of September 11, 2001, and the possibilities for further terrorist activity in their aftermath, Federal agencies must increase protection, not only of their personnel but also of their critical systems, facilities, stockpiles, and other assets from security breaches and harm, as well as from their potential use as weapons in and of themselves. NASA Headquarters has issued a memo on Web site registration and Internet publishing content guidelines delineating steps that must be taken to ensure that the electronic dissemination of Agency information is appropriate. A copy of the memo and the NASA Internet Publishing Content Guidelines can be found on the MSFC Office of the Chief Information Officer (CIO) home page at http://co.msfc.nasa.gov/ad03/cio-regs.html.
MSFC is taking the following steps in response to the memo from Headquarters:
1. All MSFC Internet Web site owners and curators of all Web sites on MSFC networks are directed to immediately remove or disable access to information that is not to be publicly available. Section 5.1 of the Internet Publishing Content Guidelines identifies categories of information that must not be published via the Internet.
2. All MSFC Web site owners must immediately register each of their Web sites with the MSFC Office of the CIO. The registration and approval process is outlined in the enclosed document. Web site registration is accomplished via the MSFC Web site at http://co.msfc.nasa.gov/ad03/web_reg.html.
3. For Web site approval, the site will have to meet the requirements of the content guidelines; be 508 compliant, have a 508 Compliance Plan in place, or have been granted a waiver due to an undue burden for not being 508 compliant; be covered by an IT Security Plan; and meet Export Control requirements.
4. Effective January 11, 2002, all unregistered, unapproved Web sites will be blocked from public access and limited to the MSFC network domain (“msfc.nasa.gov”) only. Procurement Web sites/pages made publicly available should be registered no later than 120 days from the November 16, 2001, memo from NASA Headquarters.
If you have any questions or concerns regarding this process, please contact Sheila Fogle, Office of the CIO, at 256-544-5638, or via e-mail at sheila.fogle@msfc.nasa.gov.
Sheila S. Cloud
Acting Chief Information Officer
Enclosure
Distribution:
SDL 3
MSFC Web Registration Process
All Marshall Space Flight Center (MSFC) Web sites are required to be registered, whether they are available to the public or not.
To register an MSFC Web site the following items must be completed:
1. MSFC Web pages must conform to all NASA policies pertaining to Web sites, including but not limited to 508 (see item 6) and export control compliance (see item 4).. Implementation details of these policies are documented at http://webwork.larc.nasa.gov/doc_2000/FedPolicyasof122200.pdf.
2. All MSFC Web sites must conform to the NASA Internet Publishing Content Guidelines. These guidelines are documented on the MSFC Office of the Chief Information Officer (CIO) home page at http://co.msfc.nasa.gov/ad03/cio-regs.html.
3. The Web site originator should submit Web site data by accessing the Web site registration page at http://co.msfc.nasa.gov/ad03/web_reg.html and completing all required information.
4. For Export Control Compliance, if it does not already exist, a MSFC Form 4312, Export Clearance Information Sheet, should be completed and sent to the Center Export Representative (CER) representing the organization. After the CER concurs he/she will mail a copy to the MSFC Export Control Office/VS01. A list of the Center Export Representatives can be found at http://SMO.msfc.nasa.gov/SMO/Export/. This will ensure that the Web site meets the Export Control requirements.
5. The Web site developer should also contact their Organizational Computer Security Official to determine if the Web site is covered by an existing Information Technology (IT) Security Plan. Current Web sites should be covered by an existing IT Security Plan as well as a contingency plan which is on file with the Risk Management Team in the Information Services Department (ISD), mail code AD33. If the Web site is an existing site and is not covered by an IT Security Plan, a plan should be developed and the process for a new Web site given below should be followed to provide the plan.
Developers of new Web sites should provide an IT Security Plan, along with a contingency plan to ISD. If the developer has an Entrust or Pretty Good Privacy key, the plan may be forwarded by electronic mail. If an encryption key is not available, the plan must be forwarded through the CenterÕs mail system properly packaged for sensitive material. This will allow certification that the new Web site will be covered by an IT Security Plan with a projected target date.
6. Section 8 of the Rehabilitation Act of 1973, as amended, requires Federal agenciesÕ electronic and information technology be accessible to people with disabilities. This is typically referred to as 508 Compliance. If a Web site is not currently 508 Compliant, Web site developers should ensure a 508 Compliance Plan has been provided to the MSFC Office of the CIO or an approved waiver for undue burden has been granted by the CIO Office. The template for the 508 Compliance plan can be found at http://co.msfc.nasa.gov/ad03/cio-regs.html. Completed plans should be e-mailed to linda.medal@msfc.nasa.gov.
7. When the Web site registration information has been completed and approval by the appropriate Center Export Representative has been given, an e-mail containing the link to the Web site should be sent to the MSFC CIO Representative, Sheila Fogle as well as Justin Jackson, Bob Keasling, and Linda Medal. The registration information as well as the Web site will then be reviewed to ensure that the Export Control, the Internet Publishing Content Guidelines, 508 Compliance, and the IT Security Plan requirements have all been met. An e-mail will be sent to either accept the Web site registration request for processing, or will specify noted discrepancies. Once any noted discrepancies are eliminated, the CIO representative should be notified and will inspect the Web site for corrected discrepancies. After these requirements have been satisfied, the CIO representative will approve the registration request. If a Web site is not approved, it will be blocked by the CenterÕs firewall.