We help clients design and implement effective cybersecurity compliance programs, including generating customized corporate policy and procedure documentation focused on the global satellite industry cybersecurity standards.

 

Current U.S. Federal procurements require commercial satellite communication (COMSATCOM) operators and service providers to submit cybersecurity compliance documentation against multiple cybersecurity standards.  

We generate customized corporate policy and procedure documentation focused on the global satellite industry cybersecurity standards.  Current U.S. Federal procurements require the commercial satellite communication (COMSATCOM) operators and satellite service providers to submit cybersecurity compliance documentation against a variety of cybersecurity standards.  The following list of baseline requirements is currently levied on the commercial satellite industry to include satellite operators, satellite service providers, teleport operators, satellite component manufacturers, and government prime contractors.

The government levies various baseline COMSATCOM requirements on offerors including satellite and teleport operators, service providers, component manufacturers, and government prime and subcontractors:

  • IA-PRE: The United States Space Force has announced an update to enhance its requirements for commercial communications satellite services, including requiring 3rd party Government-sanctioned assessments before placing ‘service-affecting information systems’ (e.g., satellite, teleport facilities, etc.) on an Approved Platforms List (APL).  The standard is based on a selection of many NIST 800-53 controls consistent for high-impact National Security Systems.

  • CNSSP-12: The Committee on National Security Systems Policy 12 requires government and all commercial satellite operators to use command and telemetry security systems that have been approved by the National Security Agency (NSA). Approval requires the implementation of approved solutions across the system development life cycle. We can assist with the selection, integration, and operation of approved systems.

  • CMMC: The Cybersecurity Maturity Model Certification was released in January 2020, refreshed in late 2021, and is being integrated into the DoD acquisition process.  The standard is intended to replace the current DFAR 252.204-7012 NIST 800-171 requirements and will require 3rd party validation of the vendor's cybersecurity posture through a formal audit process. Currently, the CMMC program is being updated with CMMC version 2.0.

  • Civil Agency (NOAA, NASA): Integrated contractual cybersecurity requirements include DFARS 252.204-7012, incorporating the NIST 800-171 requirements to protect controlled unclassified information (CUI) on and to report cyber incidents.

  • DCSA Electronic Communications Plan (ECP): The Defense Counterintelligence and Security Agency requires U.S. companies that are foreign-owned to maintain electronic communications policies and practices that ensure the safeguarding of classified information and the execution of classified contracts or programs for the U.S, as well as protection for controlled unclassified information (CUI) and export-controlled information (e.g., ITAR, EAR), as part of the foreign ownership, control, and influence (FOCI) mitigation process. These approaches align with regulatory and contractual security requirements and the NISPOM.  Requirements comprise a subset of NIST-based controls. We have advised companies on how to implement an effective ECP, ranging from technology selection to backing policies and procedures. 

  • Space Systems Command Cybersecurity Compliance Matrix: Based on a subset of NIST 800-53 controls associated with either ground segments, space segments, or both with enhancements and assignments and six Space Systems Security controls.  In addition to the matrix, the contractor is required to be compliant with Department of Defense (DOD) Instruction 8510.01, FAR 252.239-7010 Cloud Computing, FAR 252.204-7009, and FAR 252.204-7012.  A specific pathfinder further required the spacecraft to be compliant with DoD's implementation of CNSSP-12 as required; this includes the use of NSA-approved encrypted command and encrypted telemetry systems.

  • DISA CIAQv1: This is a custom reporting requirement created by DISA and now used by Space Force CSCO that is based on a subset of NIST 800-53 CUI controls with enhancements and assignments with an additional customized six Space Systems Security controls. Responses provided at Task Order level.

  • GSA MAS: Within the COMSATCOM categories of the General Service Administrations vendor onboarding process, cybersecurity requirements include a subset of NIST 800-53 controls.  

  • GSA CS3: The GSA program to procure Complex Commercial Satcom Solutions (CS3) has within its vendor onboarding process, cybersecurity requirements drawn from NIST 800-53 controls which differ from the GSA MAS requirements.