Space Force Readies Long-Delayed Cybersecurity Standards for Commercial Satcom Providers

Within 30 days, the Space Force office that buys commercial satellite services for the Department of Defense will publish a timeline for the implementation of new cybersecurity standards that private-sector satellite communication providers must meet if they want to compete for contracts to supply the Air Force and other military services, according to officials and industry executives.

“By the end of September, we want to put that [timeline] out to industry so that they can start planning internally to be able to accommodate for any cost impacts it might have for them,” Jared Reece, a program analyst with the Space Force Commercial Satellite Communications Office (CSCO), told Air Force Magazine on the sidelines of the Satellite 2021 conference.

First publicly mooted in 2019, the much-delayed Infrastructure Asset Pre-Assessment (IA-Pre) program will require satcom providers to get on-site, third-party assessors to validate their compliance with cybersecurity standards before they can bid on CSCO contracts to sell their services to the U.S. military, Reece said.

The Space Force already maintains a list of certified third-party assessors—known as Agents of the Security Control Assessor (ASCA)—who help validate contractor compliance with existing security standards under the DOD’s Risk Management Framework. “The preference is to use those,” said Reece, “because they’re validated providers of those assessment capabilities.”

The move to finally implement IA-Pre comes amid growing concerns that near-peer adversaries could use cyberattacks to blind or cripple commercial satellites on which the U.S. military increasingly relies for its communications.

The IA-Pre standards have yet to be published, but industry sources said they will be based on those set by the National Institute of Standards and Technology (NIST) in its Special Publication 800-53, with an overlay of additional measures specific to the space sector. Reece said the standards would cover spacecraft, ground stations, teleports, and vendors’ business IT networks.

Industry representatives have been involved in drawing up the plans for IA-Pre and welcomed the news. “We’re very encouraged that from the national level down, we’re actually seeing this emphasis on ensuring that we’ve got a [satcom] network, which is provided in the most secure posture, and is evaluated accordingly,” said Rebecca Cowen-Hirsch, senior vice president of U.S. government strategy and policy for U.K.-based satcom provider Inmarsat. IA-Pre would provide CSCO the capability to “actually discriminate between those [providers] that have made the investments versus those that are just providing bare minimum [security] capability.”

Indeed, Reece said, the aim of IA-Pre was to “level the [cybersecurity] playing field between MilSatCom [the military’s own satellite communications] and ComSatCom [the commercial capabilities it buys in from the private sector], as they start to be integrated more and more in the warfighter’s toolbag.”

By creating a kind of “approved products list” of space assets that are pre-certified as cyber secure, CSCO also hopes to speed the acquisition process and reduce the administrative burden on both the contractors and the Space Force, Reece said.

“We need to have a good understanding of [the security posture of] what we’re going to be buying,” he said. “And we need to do it beforehand. So that we have it and, when we need [to buy services], we can do it quickly.”

Currently, he said, the self-assessment required as part of the acquisition process is slow and repetitive. Because CSCO often issues contracts for an individual customer—a particular combatant command, for instance—that are bid on by the same group of suppliers, “We end up doing assessments of the same solution over and over again in the acquisition cycle, which slows us down.”

Earlier this year, Space Force Vice Chief of Space Operations Lt. Gen. David D. Thompson told the 2021 C4ISR Conference that the role of CSCO could be expanded to cover the purchase of remote sensing, data analysis, and ISR services, as well as communications.

Reece noted that, as it prepares for that change, CSCO is weighing whether it needs to create specific new IA-Pre standards for Earth observation imagery and other intelligence, surveillance, and reconnaissance satellite services. But he said the aim would be to maintain a common framework for all satellite services, with new requirements only where additional services diverged from satcom in the technologies they used.

“They’re still spacecraft. There’s still data. There are a number of things that apply [to both satcom and ISR services], so the only thing you really have to look at in depth is the deltas,” he said.