GAO report indicates that NASA should update spacecraft acquisition policies and standards for cybersecurity

The U.S. Government Accountability Office (GAO) conducted a review of NASA’s cybersecurity practices and identified the need for a plan to update spacecraft acquisition policies and standards. Specifically, GAO was asked to assess the cybersecurity requirements outlined in NASA contracts for spacecraft projects.

In its report, GAO disclosed that it reviewed NASA policies and standards regarding spacecraft cybersecurity. GAO selected a non-generalizable sample of three spacecraft projects, chosen because they represent different NASA centers and development stages, and include at least one robotic and one human spaceflight project. For these three, GAO analyzed contracts and project documents. GAO also interviewed project and cybersecurity officials.

GAO was asked to examine the cybersecurity requirements in NASA contracts for its spacecraft projects. The report assesses the extent to which NASA incorporated cybersecurity in selected spacecraft contracts and determines whether additional cybersecurity updates, if any, are needed to its acquisition policies and standards for spacecraft. The review focused on spacecraft, not the ground systems or the security of contractor information. 

GAO is conducting separate work evaluating the extent to which NASA has implemented information security controls that are in accordance with guidelines and standards, as well as leading cybersecurity practices.

Since the issuance of its 2019 cybersecurity requirements, NASA has considered, but not yet implemented, updates to its spacecraft acquisition policies and standards. In 2023, NASA issued a space best practices guide containing information on cybersecurity principles and controls, threat actor capabilities, and potential mitigation strategies, among other things. However, this guidance is optional for spacecraft programs. 

NASA officials told GAO that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is the length of time the process takes. GAO acknowledges that the standards-setting process can take time, but considers it essential that NASA complete it for practices that should be required.

Officials also stated that they did not have an implementation plan and time frame for incorporating additional security controls into acquisition policies and standards. As a result, NASA risks inconsistent implementation of cybersecurity controls and lacks assurance that spacecraft have a layered and comprehensive defense against attacks.

The watchdog identified that each of the selected NASA spacecraft contracts included cybersecurity-related requirements, including that the contractors demonstrate that they satisfied these requirements, consistent with NASA’s 2019 Space System Protection Standard. “All three projects in our review—Orion, Gateway PPE, SPHEREx—were in development before NASA issued the Space System Protection Standard. NASA required such programs to coordinate with the Office of the Chief Engineer to determine whether any of the requirements should be incorporated based on threats.”

It added that Orion and Gateway PPE officials said that, following the release of the Space System Protection Standard, they reviewed their planned cybersecurity approach and determined their project’s requirements aligned with those in the standard. “The SPHEREx project protection plan indicated that the system requirements included all applicable requirements from the standard. Officials within the Office of the Chief Engineer agreed with the projects’ assessment.”

GAO added that its “review of the contract and system specification documents for each of the selected projects confirmed that each of the projects either included requirements related to meeting the Space System Protection Standard objectives or planned to address the risk of the threat through other means.”

Beyond addressing the Space System Protection Standard, the contract documents contain further examples of actions projects took on cybersecurity. The Gateway PPE contract, for instance, included a requirement that the system use the Space Data Link Security protocol, a communication standard intended to provide a structured approach to securing communication between satellites and ground systems.

Additionally, the Orion contract included a requirement that satellite control functions be isolated from other functions. Isolating system components from each other, also known as segmentation, is a common approach to strengthening cybersecurity as it may allow portions of a system to continue working properly even if other parts of the system are compromised. The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) identified the lack of network segmentation as a common cybersecurity issue among large organizations. 

Also, the SPHEREx contract included requirements to validate commands and reject invalid commands. This protects the spacecraft from malicious actors taking control of it, which could lead to loss of control and result in damage, destruction, or loss of the vehicle. CISA has identified numerous cyberattacks that exploited improper input validation.
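As an added illustration of the two controls just described (an authenticated command link and validate-then-reject command handling), the following is a constructed, simplified telecommand validator. It is not code from the GAO report, NASA, or any of the projects named, and its frame layout, key, opcodes, and argument ranges are assumptions for the example, not the real Space Data Link Security format or SPHEREx’s command set.

```python
import hmac
import hashlib
import struct

# Constructed, simplified telecommand frame (NOT the CCSDS SDLS layout and not any
# NASA project's real format):
#   opcode:1 | seq:2 (big-endian) | arg:2 (big-endian) | mac:8 (truncated HMAC-SHA256)
KEY = b"constructed-demo-key"  # assumed pre-shared link key

# Allowlist of accepted opcodes with the closed range the argument must fall in.
ALLOWED = {
    0x01: (0, 0),        # NOOP: no argument
    0x10: (0, 359),      # SLEW: target angle in degrees
    0x20: (1, 600),      # HEATER_ON: duration in seconds
}

def build_command(opcode, seq, arg, key=KEY):
    """Ground-side: pack the body and append an authentication tag."""
    body = struct.pack(">BHH", opcode, seq, arg)
    mac = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + mac

def validate_command(frame, last_seq, key=KEY):
    """Spacecraft-side: return (accepted, reason, new_last_seq).
    Any failed check rejects the frame; nothing is executed on the reject path,
    and the replay counter only advances when a frame is accepted."""
    if len(frame) != 13:
        return False, "bad length", last_seq
    body, mac = frame[:5], frame[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "bad mac", last_seq
    opcode, seq, arg = struct.unpack(">BHH", body)
    if opcode not in ALLOWED:
        return False, "unknown opcode", last_seq
    if seq <= last_seq:                          # replayed or stale frame
        return False, "replay", last_seq
    lo, hi = ALLOWED[opcode]
    if not lo <= arg <= hi:
        return False, "argument out of range", last_seq
    return True, "ok", seq
```

The checks are ordered so that the cheapest structural test runs first and authentication runs before any field is interpreted, which is the pattern the validate-then-reject requirement is meant to enforce.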

In its conclusion, the GAO report identified that preventing, detecting, and responding to cyber threats is critical to NASA’s information systems and its spacecraft. “Ensuring its spacecraft policies and standards incorporate guidelines that are foundational to effectively managing cybersecurity risks would enable NASA to make consistent, informed, risk-based decisions in the cybersecurity realm. While the contracts for spacecraft that we reviewed included requirements related to cybersecurity, it is important for NASA to ensure that cybersecurity practices are implemented consistently across spacecraft programs.” 

It added that NASA has taken some important steps in identifying how best to protect spacecraft from cyberattacks. It is understandable that NASA must take a cautious approach to introducing cybersecurity changes that could affect spacecraft operations. 

However, NASA should balance this caution with being proactive given the dynamic and evolving nature of cyber threats. “Ensuring updates to its spacecraft policies and standards are completed in a timely manner would provide NASA with greater confidence that its spacecraft are resilient to cybersecurity threats and reduce the risk of adverse consequences.”

GAO recommends that NASA establish a plan with timelines to revise its spacecraft acquisition policies to include necessary controls. The NASA Administrator should ensure key personnel develop an implementation plan with timelines to update these policies and standards to integrate essential controls against cyber threats. While NASA agreed to update its policies, it did not commit to setting a plan with specific dates. GAO asserts that without a defined plan, the timing of implementation remains uncertain, thus upholding the validity of the recommendation.

In March, GAO reviewed 13 operational technology (OT) cybersecurity products and services offered by CISA. The review found that while 12 of the 13 non-federal entities reported positive experiences with CISA’s offerings, it also highlighted challenges reported by CISA and by seven of those entities.

The U.S. White House announced earlier this week that President Joe Biden has signed a National Security Memorandum (NSM) to secure and enhance the resilience of the nation’s critical infrastructure sector. The move will replace a decade-old presidential policy document from President Barack Obama on critical infrastructure protection and launch a comprehensive effort to protect U.S. infrastructure against all threats and hazards, current and future.

Commenting on the action, Roman Arutyunov, co-founder and senior vice president of products at Xage Security, wrote in an emailed statement: “However, I believe it’s a missed opportunity to not include space as a critical infrastructure sector. The administration has said they plan to revisit whether to add it to the list but, given the rising threats posed by near-peer competitors, we cannot afford to wait.”

He added that after all, “the Space Force was designed to protect our society and people – from the highest ground of any battlefield – and that cannot be done without the right foundations and regulations in place.”