NASA Contractor Cybersecurity Requirements

The National Aeronautics & Space Agency (NASA), like other federal government agencies, is subject to provisions in the Federal Acquisition Regulation made effective in June 2016 that require agencies to ensure that their contractors protect the security of electronic systems holding and transmitting “federal contract information,” a defined term. NASA is also subject to a number of other laws requiring agencies throughout the executive branch to ensure that their contractors protect the systems that hold other categories of information prepared or compiled by or for the Government, such as Personally Identifiable Information, Sensitive Personally Identifiable Information, Controlled Unclassified Information, Individually Identifiable Health Information, Educational Information, and Classified Information. (This list is not exhaustive.)

NASA Contractor Cybersecurity Requirements – NASA FAR Supplement

In addition to these baseline requirements, since January 24, 2011, NASA has required contractors and subcontractors to “protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure,” and, in particular, to adhere to requirements identified in an Applicable Documents List (ADL) provided as an attachment to the contract. NASA defines “NASA Electronic Information” as “any data … or information (including information incidental to contract administration, such as financial, administrative, cost or pricing, or management information) that is processed, managed, accessed or stored on an IT system(s) in the performance of a NASA contract” (NASA FAR Supplement § 1852.204-76).


“NASA Electronic Information” encompasses more than the “Federal contract information” that is already protected by the basic Federal Acquisition Regulations. While Federal contract information is defined to exclude “simple transactional information, such as necessary to process payments” (FAR § 52.204-21), NASA Electronic Information expressly includes such information. Moreover, in contrast to the DOD’s cybersecurity rules, these NASA rules do not outline a procedure that potential contractors may employ to request permission to deviate from the agency’s cybersecurity requirements. See United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1244, 1245 (E.D. Cal. 2019).

When a NASA contractor or subcontractor knowingly violates these requirements, that may be the basis for a qui tam action under the False Claims Act. If you are thinking about blowing the whistle on cybersecurity violations, contact VSG at 202-537-5900 for a confidential conversation. Our lawyers have vast experience representing whistleblowers in government/defense contractor fraud lawsuits and are nationally recognized as leaders in winning rewards for our clients.