Procurement Information Circular

January 26, 2004       



PURPOSE:  To revise guidance on NASA’s System Administrator Security Certification Program requirements by removing the phrase “lead administrator” to eliminate any confusion regarding applicability of the requirement to all system administrators that meet the definition contained in paragraph (C) of the Guidance section of this PIC, and to revise the date for completion of the certification by all system administrators to June 1, 2004.


BACKGROUND:  Given an increasingly hostile cyber environment, NASA’s recruitment and retention of qualified and security-conscious system administrators is essential for the protection of NASA’s systems and data.  A system administrator’s ability to properly install, configure, operate, maintain, and secure systems in today’s computing environment is the best defensive measure available to an organization.    


In accordance with OMB A-130, Management of Federal Information Resources, direction to ensure “knowledgeable” systems administrators are maintaining the systems of the Federal Government, NASA’s Chief Information Officer (CIO) has established the NASA System Administrator Information Technology (IT) Security Certification Program.  The intent of the program is to independently audit or validate that NASA has system administrators with an appropriate level of knowledge and skill.  This Agency–wide program applies to all system administrators – civil servants and contractors --administering systems on NASA IP address space.


This Certification will require all system administrators to demonstrate knowledge and skills in applying security principals on the operating systems for which they have responsibility, and an understanding and application of Network and Internet security.  NASA has elected to outsource the assessment examinations to a third party and will cover the cost of the two required exams. 


All system administrators that meet the definition of “system administrator” contained in paragraph (C) of the Guidance section below, must be NASA 3rd Party Certified by June 1, 2004.



   (A) The requirement for System Administrator Security Certification must be included in all current contracts that include system administrator responsibilities.

   (B) Future contracts that include system administrator responsibilities must include the requirement for System Administrator Security Certification. 

   (C) The following is recommended for inclusion in the SOW:

   “ In addition to any other requirements of this contract, all individuals who perform tasks as a system administrator or have authority to perform tasks normally performed by system administrator shall be required to demonstrate knowledge appropriate to those tasks. This demonstration, referred to as the NASA System Administrator Security Certification, is a NASA funded two-tier assessment to verify that system administrators are able to –

       1.   Demonstrate knowledge in system administration for the operating systems for which they have responsibility.

               2.  Demonstrate knowledge in the understanding and application of Network and Internet Security.


Certification is granted upon achieving a score above the certification level on both an Operating System test and the Network and Internet Security Test.  The Certification earned under this process will be valid for three years.  The criteria for this skills assessment has been established by the NASA Chief Information Officer.  The objectives and procedures for this certification can be obtained by contacting the IT Security Awareness and Training Center at (216) 433-2063.   


A system administrator is one who provides IT services, network services, files storage, web services, etc. to someone else other than themselves and takes or assumes the responsibility for the security and administrative controls of that service or machine.  A lead system administrator has responsibility for information technology security (ITS) for multiple computers or network devises represented within a system; ensuring all devices assigned to them are kept in a secure configuration (patched/mitigated); and ensuring that all other system administrators under their lead understand and perform ITS duties.  An individual that has full access or arbitrative rights on a system or machine that is only servicing themselves does not constitute a "system administrator" since they are only providing or accepting responsibility for their system. An individual that is only servicing themselves is not required to obtain a System Administrator Certification.”


EFFECTIVE DATE:  This PIC is effective as dated and shall remain in effect until canceled or superseded.


CANCELLATION:  PIC 03-16 is superseded by this PIC


HEADQUARTERS CONTACT:  Celeste Dalton, Code HK, (202) 358-1645, e-mail:



James Balinskas

Director, Contract Management Division