Changes to NPR 8000.4 Reflect Increased Relevancy of Cyber-Related Threats
April 22, 2022
Revision C of NPR 8000.4, Agency Risk Management Procedural Requirements, went into effect on April 19, 2022. The changes primarily reflect the increasing relevance of cyber-related threats and incidents across both government agencies and the private sector. The update reflects an action item from the NASA Enterprise Protection Board (EPB) to the Office of Safety and Mission Assurance (OSMA) to make the subject of cybersecurity and cyber risk explicit within NPR 8000.4.
While meeting this action item, OSMA also determined that the update offered the opportunity to align the document more completely with NASA's updated directives and evolving institutional roles and responsibilities. Specifically, Revision C reflects:
- The directives of NPD 1000.0C, NASA Governance and Strategic Management Handbook, concerning the establishment and communication of risk leadership principles throughout the implementation and application of Risk Management (RM) processes and activities.
- Decision accountability of center directors concerning handling and/or acceptance of institutional risk, consistent with the recent transition to the Mission Support enterprise structure.
- Assignment of responsibility to Technical and other Institutional Authorities (e.g., Institutional Safety Authorities) to assure that RM processes addressing their areas of responsibility are implemented in accordance with the NASA Procedural Requirements (NPR).
Overview of the Major Changes
NPR 8000.4C includes the following new subjects and related requirements not explicitly addressed in earlier versions:
- The subjects of cybersecurity and cybersecurity risk are addressed via the following specific provisions of the updated NPR:
  - Operational definitions are provided for the terms “cybersecurity,” “cybersecurity risk,” and the related terms “information system,” “intentional threat,” “physical security,” “potential vulnerability,” “threat,” “threat source,” and “vulnerability.”
  - Cybersecurity and physical security are identified as key domains of interest and focus for RM processes and activities.
  - NPR cybersecurity and cybersecurity risk requirements are defined so as to be aligned and consistent with the U.S. Government regulations and standards applicable to cybersecurity, and traceable to the cybersecurity requirements of NPD 2810.1.
  - Assertion that RM requirements apply not only to the risk types resulting from accidental conditions, as routinely addressed in traditional approaches to risk assessment and management, but also to risk originating from intentional threats or agents, such as those which may be active in cybersecurity risk scenarios.
  - Practical guidance is provided for how standard representations and communication of risk can be adapted to realistically represent cybersecurity risk scenarios.
  - Organizational roles and responsibilities concerning cybersecurity and information system related risk acceptance decisions are identified and discussed.
- Risk leadership principles are introduced and addressed in the NPR update as follows:
  - The NPR provides definitions for the terms “risk acceptance,” “risk posture” and “risk tolerance.”
  - The NPR assigns to managers at all levels of the agency organization the responsibility to implement the risk leadership principles defined at the higher executive level by translating them into a practical definition of risk posture and risk tolerance limits.
  - The NPR asserts that the manager of a NASA organizational unit must ensure that the content of that unit’s Risk Management Plan is consistent with the risk leadership principles the unit is expected to apply.
  - The NPR establishes a requirement for traceability of risk acceptance decisions to the risk posture established for projects or missions.
- Important accountability and responsibility themes identified during the NPR's extensive agencywide review process as needing discussion and clarification are also addressed:
  - Center director risk acceptance accountability was identified according to the definitions of institutional roles and responsibilities and consistent with the Mission Support enterprise structure.
  - Responsibility for assuring that RM processes affecting specific areas of a technical and/or institutional nature are implemented in accordance with the NPR provisions is identified as pertaining to the correspondingly cognizant Technical and Institutional Authorities.
NASA personnel likely to be involved in RM or risk-related decision-making, either within programs and projects or within broader enterprise-level and institutional activities, are expected to take the necessary steps to comply with the requirements of the revised NPR, including the orderly modification of existing RM plans and processes as necessary to make such plans and processes consistent and compliant with the NPR requirements and guidance.
Contact Homayoon Dezfuli, System Safety technical fellow within the Office of Safety and Mission Assurance, if additional information or clarification is needed.