Deactivated with issuance of PIC 04-03 on 1/26/2004

National Aeronautics and Space Administration Washington, DC 20546

Procurement Information Circular

PIC 03-16 June 23, 2003

SYSTEM ADMINISTRATOR SECURITY CERTIFICATION PROGRAM

PURPOSE: To provide guidance on NASA’s System Administrator Security Certification Program.

BACKGROUND: Given an increasingly hostile cyber environment, NASA’s recruitment and retention of qualified and security-conscious system administrators is essential for the protection of NASA’s systems and data. A system administrator’s ability to properly install, configure, operate, maintain, and secure systems in today’s environment is the best defensive measure available to an .

In accordance with OMB A-130, of Federal Information Resources, direction to ensure “knowledgeable” systems administrators are maintaining the systems of the Federal Government, NASA’s Chief Information Officer (CIO) has established the NASA System Administrator (IT) Security Certification Program. The intent of the program is to independently audit or validate that NASA has system administrators with an appropriate level of knowledge and skill. This Agency-wide program applies to all lead system administrators – civil servants and contractors – administering systems on NASA IP address space.

This Certification will require all system administrators to demonstrate knowledge and skills in applying security principles on the operating systems for which they have responsibility, and an understanding and application of Network and security. NASA has elected to outsource the assessment examinations to a third party and will cover the cost of the two required exams.

In a memo dated March 13, 2003 to the Enterprise and Center CIOs and IT Security Managers, the CIO required that all networked devices have at least one assigned system administrator with IT security responsibilities to be NASA 3rd Party Certified by September 8, 2003.

GUIDANCE:

(A) The requirement for System Administrator Security Certification must be included in all current that include system administrator responsibilities. A listing of affected contracts can be obtained from each Center CIO.

(B) Future contracts that include system administrator responsibilities must include the requirement for System Administrator Security Certification.

(C) Efforts should be made to reach bilateral agreement on the impact of this change. Advise the Center CIO if bilateral agreement cannot be achieved in time to allow for Certification by September 8, 2003.

(D) The following is recommended for inclusion in the SOW:

“In addition to any other requirements of this , all individuals who perform tasks as a system administrator or have authority to perform tasks normally performed by a system administrator shall be required to demonstrate knowledge appropriate to those tasks. This demonstration, referred to as the NASA System Administrator Security Certification, is a NASA funded two-tier assessment to verify that system administrators are able to –

1. Demonstrate knowledge in system administration for the operating systems for which they have responsibility.

2. Demonstrate knowledge in the understanding and application of Network and Internet Security.

Certification is granted upon achieving a score above the certification level on both an test and the Network and Internet Security Test. The Certification earned under this process will be valid for three years. The criteria for this skills assessment have been established by the NASA Chief Information Officer. The objectives and procedures for this certification can be obtained by contacting the IT Security Awareness and Training Center at (216) 433-2063.

A system administrator is one who provides IT services, network services, file storage, web services, etc. to someone else other than themselves and takes or assumes the responsibility for the security and administrative controls of that service or machine. A lead system administrator has responsibility for information technology security (ITS) for multiple or network devices represented within a system; ensuring all devices assigned to them are kept in a secure configuration (patched/mitigated); and ensuring that all other system administrators under their lead understand and perform ITS duties. An individual that has full access or arbitrative rights on a system or machine that is only servicing themselves does not constitute a "system administrator" since they are only providing or accepting responsibility for their system. An individual that is only servicing themselves is not required to obtain a System Administrator Certification.”

EFFECTIVE DATE: This PIC is effective as dated and shall remain in effect until canceled or superseded.

HEADQUARTERS CONTACT: Celeste Dalton, Code HK, (202) 358-1645, e-mail: [email protected].

//s//

R. Scott Thompson Director, Contract Management Division
