Commercial satellite providers seeking to sell their services to the US military will soon have to get third party certification that they are meeting cybersecurity standards, according to Air Force officials and industry executives.
The Air Force Commercial Satellite Communications Office, AFCSCO, which took over buying commercial satellite services for DOD at the end of last year, plans to have the Information Asset Pre-assessment program up and running early next year, said Andrew D’Uva, who heads the SatCom Industry Group—a trade association representing major satellite providers to the US government.
The program, known as IA Pre, was first proposed by Air Force officials last year, a spokesperson for Air Force Space Command, which houses AFCSCO, told Air Force Magazine. But moving satellite acquisition to AFCSCO from the Defense Information Systems Agency had caused delays in implementation. “This initiative is in the process of being coordinated fully,” the spokesperson said, promising that “more information will be made available as the program is finalized.”
IA Pre is an effort to “raise the cultural bar on cybersecurity” in the commercial satellite sector, D’Uva told Air Force Magazine. The aim is to ensure that commercial satellite services bought by the military ‘“will basically be at the same level” of cybersecurity as the services provided by the military’s own satellites, he said.
That will enable AFCSCO to seamlessly integrate commercial services into military communications, he said. “Moving to an enterprise architecture of a mixed set of capabilities [both military and commercial] will drive resilience and better service for the warfighter,” D’Uva explained.
Creating a pool of pre-certified cybersecure satcom suppliers would enable DOD to acquire those capabilities “very rapidly when required,” he added.
The move comes amid growing concerns that US adversaries could use online attacks to blind or cripple commercial satellites on which the US military increasingly relies.
“Commercial satellites do not require the same level of [cybersecurity] governance as satellites in the DOD and civilian [government] sectors, and they do not have standardized security,” according to a recent report about cybersecurity for satellites from the Aerospace Corp.—a non-profit that advises the government on complex space enterprise and systems engineering problems.
D’Uva welcomed the new IA Pre program, which he said would reward companies that invested in cybersecurity. Costly cybersecurity measures are hard to sustain “if your investments aren’t valued,” he said.
Satellite providers had made “a ton of investments” in cybersecurity and were “well-postured” to meet the new requirements, he said. He added that AFCSCO had been consulting with industry about the planned rules.
Currently the government “allows industry to self-certify, self-assess, and … in the commercial satcom area at least, they haven’t bothered to check the effectiveness of those controls. It’s a paper game,” D’Uva said.
IA Pre will require commercial satcom providers to implement security controls on their IT systems based on a catalogue produced by the National Institute for Standards and Technology, or NIST, known as Special Publication 800-53. The controls in 800-53 are mandatory in federal agencies and cover three different levels: Low impact, medium impact, and high impact—the most secure. Satcom providers will have to implement the high impact level controls, “plus a space overlay [of additional controls] for space vehicles,” D’Uva said.
He added that many details of the program, like who would conduct the third party certification, or how often it would be required, were still being finalized.
The IA Pre program is the latest effort by defense acquisition officials to introduce third party assessment or certification of cybersecurity requirements. A draft of the new Cybersecurity Maturity Model Certification, or CMMC, framework, which will apply at various levels to every DOD contractor, is out for comment already, and will be introduced next year.
D’Uva said that while CMMC included some of the 800-53 controls, the standards in IA Pre would be higher.