Air Force to require cybersecurity audits of commercial satellite communications providers
RESTON, Va. — The Air Force starting in 2020 will rate the cybersecurity of commercial satellite communications providers in an effort to increase the protection of military networks.
The new program is called Infrastructure Asset Pre-Assessment (IA-Pre) and will be run by the Air Force Space Command’s commercial satellite communications office, Andrew D’Uva, president of Providence Access Company, said Nov. 7 at the CyberSat 2019 conference.
D’Uva is a consultant who represents a coalition of satellite operators that provide services to the U.S. government.
“Since Air Force Space Command has taken over commercial satcom acquisition, they have started to think about cybersecurity in their end to end solutions,” D’Uva said.
By congressional mandate, the Air Force Space Command in December 2018 assumed responsibility for procuring commercial satcom services for the Department of Defense. The job previously belonged to the Defense Information Systems Agency.
D’Uva said the IA-Pre program will be launched sometime in 2020 and the details are being finalized. It will require satcom providers to undergo a third-party audit to ensure they meet NIST 800-53 cybersecurity standards set by the National Institute of Standards and Technology. The NIST 800-53 guidelines focus on the protection of the government’s most sensitive information.
The idea behind IA-Pre is to satisfy government demands for cybersecurity in satcom networks without unduly burdening companies with red tape, D’Uva said. “With IA-Pre you’ll be able to get pre-assessed by a third party. Once that’s done there will be no more paperwork.”
He said the program is an important step toward the integration of commercial and military satcom systems, something that the industry has pushed for. Giving the Air Force assurance that commercial systems are safe is part of that process, D’Uva said. “We’re doing this so comsatcom and milsatcom can move to a common architecture.”
The Air Force would create a database of pre-assessed commercial satcom services that were validated by an independent audit. How often companies would have to be audited is among the details that have not yet been decided. The pre-assessed vendors would be exempt from a cybersecurity evaluation each time they submit a proposal for a new contract opportunity.
New cybersecurity requirements for satcom providers are being introduced amid growing concerns about the vulnerabilities of space systems.
A new report by the Aerospace Corp. notes that the cyber threats aimed at satellites and other space assets are often overlooked in broader discussions about weaknesses in critical national infrastructure. “Neither space policy nor cybersecurity policy is prepared for the challenges created by the meshing of space and cyberspace, especially for the spacecraft,” the report says.
Spacecraft are targets of nation-state actors, says the report, so “additional spacecraft defenses must be implemented.” Satellites for decades have been considered relatively safe from cyber intrusions but “recent emerging threats have brought spacecraft into play as a direct target of an adversary,” the Aerospace study says. “Potential attacks targeting ground stations could result in a breach of the confidentiality or integrity of the downlinked data or potentially the satellite being disabled, destroyed, or deemed unreliable.”
With regard to commercial satellites, the report says these “do not require the same level of governance as satellites in the DoD and civilian sectors, and they do not have standardized security.” Both in government and commercial programs, the study says, “spacecraft have been built assuming a very limited range of cyber threats.”