The U.S. Space Force finally rolled out new cybersecurity standards for its commercial satellite vendors on May 28, saying those who could meet them might be able to charge more.
“We expect that cost [of security] to be reflected in the services that we’re buying,” Space Force official Jared Reece told Air Force Magazine. “If we’re going to want a more secure solution, we’re going to have to be willing to pay for that capability.”
The Commercial Satellite Communications Office, or CSCO, the office in Space Systems Command where Reece works, buys private sector satellite bandwidth for the U.S. military services. CSCO will begin third party cybersecurity assessments in September, Reece explained, piloting the process with a handful of volunteer vendors.
“Based on our conversations with industry, there’s a number of companies itching to go,” he said.
The Infrastructure Asset Pre-Assessment program, or IA-Pre, that Reece manages at CSCO, is designed to pre-qualify particular commercial assets, like a satellite constellation and its ground system, as meeting federal cybersecurity standards.
IA-Pre grew out of concerns about the ability of peer and near-peer adversaries to use cyberweapons to cripple commercial satellite networks on which the U.S. military increasingly relies. These fears were dramatically realized by the Russian malware hack that knocked thousands of users of Viasat’s KA-SAT European network—including large swathes of the Ukrainian military—offline, just as the tanks rolled across the border.
Viasat executives told Air Force Magazine back in March that the hackers would not have been able to execute their attack on any of the networks the company operates for the U.S. military.
IA-Pre replaces the current questionnaire-based process, where vendors self-attest to meeting cyber standards every time they submit a bid. Instead, they undergo a one-off third party assessment, plus mandatory follow-up reporting on a monthly basis. Once a system passes the assessment and is in compliance, it can be added to the Approved Platforms List, or APL, Reece said.
Having an APL of pre-certified cybersecure assets will speed up procurement of commercial services and avoid unnecessary duplication of cybersecurity acquisition requirements, Reece said last year, enabling CSCO to be more agile in its ability to onboard new capabilities.
But vendors will be incentivized to comply with IA-Pre because of changes in the acquisition rules that govern the way CSCO buys commercial services.
“I don’t have any misconceptions that everyone is going to be ready to go on day one,” he said. As IA-Pre requirements are phased in to CSCO contracts over the next three years or so, Reece said, the incentives for vendors to get on the APL by undergoing a third party IA-Pre assessment would sharpen, as compliance became a tradeoff factor, allowing vendors to potentially charge more.
Reece said CSCO has replaced the Lowest Price Technically Acceptable standard, which drove military acquisition officials to choose the lowest bidder who promised to meet the requirement, with a new pricing philosophy called Best Value Tradeoff, where they can choose a higher priced bid, if it represents better value for the government, based on certain factors that can be traded off against higher prices.
“As we implement this into our contracts, and it becomes a preference, and that’s the focus of the tradeoff criteria, hopefully that will incentivize industry to get their assessment scheduled and get their assets on the APL,” Reece said.
A key deadline will be September 2023, when CSCO will begin to sunset the questionnaire process, according to a Space Systems Command factsheet, meaning vendors will no longer have a choice about getting on the APL.
IA-Pre, first mooted to industry in 2018, and made public the following year, has taken years to finalize, but Reece said the time was needed to do “due diligence” to ensure the program would work, and to secure vendor buy-in.
Other efforts to impose federal cyber standards on vendors in the broader defense industrial base, like the Cybersecurity Maturity Model Certification, or CMMC, have stumbled amid industry criticism.
“Commercial industry’s involvement is critical to ensure our success,” said Clare Grason, CSCO division chief and Reece’s boss, in a press statement announcing the roll out.
“We couldn’t really release anything until we really kind of solidified our feedback from industry and really developed a program that could be implemented successfully,” said Reece.
Alexander Purves, chief commercial officer with the Providence Access Company, a satellite consultancy, said the extended timeline was understandable in view of the pandemic and the fact that the functions and personnel of CSCO had moved twice as IA-Pre was being developed—from the Defense Information Systems Agency to the Air Force in 2018 and then to Space Force in 2020—all the while developing and managing over 100 major satellite procurements every year.
“I do not see this as a delay in IA-Pre, I see this as a competing number of pressures on the Space Force to do many things with a small team,” he said.
Because CSCO had been very transparent about the standards as they were being developed, releasing drafts for public comment and incorporating much industry feedback, Purves said, there was a “silver lining” to the postponed implementation. “The timeline lag has provided the industry time to get prepared,” he said.
Purves said many satellite vendors were near ready for their third party assessment, as they had been tracking the draft requirements as they evolved.
The tail end of compliance, he said, would likely be the subcontractors, who supply ground station services or rent antenna time to satellite operators. It would take time for IA-Pre to trickle down to those vendors, he argued.
“The third party infrastructure will lag behind and I’m not saying that as a negative. As a practicality, it’s not on the top of their to do list when the program has not yet been released and when they may not have any direction from their prime contractors or others further up the [supply] chain,” he said.