NASA has taken steps in recent years to strengthen cyber requirements in contracts, but has not issued mandatory security guidance for spacecraft acquisition policies and standards, the Government Accountability Office warned in a report released Wednesday.
In 2019, the country's space agency released cybersecurity-related standards that established security requirements for all NASA programs and projects. However, the watchdog's audit found that authorities are “considering but have not yet put in place” legally enforceable cyber rules regarding the purchase of external spacecraft and related systems.
Instead, GAO found that the cyber requirements in NASA's acquisition policy include optional guidance, such as the 2023 Best Practices Guide, which outlines “information on cybersecurity principles and controls, threat actor capabilities, and potential mitigation strategies, among other things.”
The guide included principles for incorporating cybersecurity standards into spacecraft development programs, such as ensuring space systems are “protected from unauthorized access.”
In comments on the report, NASA CIO Jeffrey Seaton said that NASA is aware of “certain types of cyber threats” that could impact specific mission vehicles, from manned spacecraft to small satellites, and that it incorporates controls based on risk threats. “It is not practical to develop a set of essential controls that can be applied to every type of mission spacecraft,” Seaton said.
The report also notes that NASA needs to be cautious when implementing new requirements “because the spacecraft is not physically accessible for post-launch repairs.”
However, the watchdog warned that, “in light of this dynamic environment,” unless the agency establishes a plan to update its policies and standards to ensure that essential cybersecurity controls are addressed, the information in the guide will remain an option for its programs.
As a result, GAO added, NASA is at risk of inconsistently reviewing and implementing cybersecurity controls, and will not have complete assurance that spacecraft used in support of NASA missions have layered and comprehensive defenses against cyberattacks.
GAO recommended that the agency “develop a time-bound implementation plan to update spacecraft acquisition policies and standards to incorporate the critical controls needed to protect against cyber threats.”
NASA agreed with the recommendation to update the policy, but disagreed with the need to establish a timeline for doing so. This was in part due to concerns that “transitioning traditional cybersecurity capabilities to the space environment requires careful consideration to avoid impacting spacecraft objectives and the ability to operate safely.”