

We generate customized corporate policy and procedure documentation focused on cybersecurity standards for the global satellite industry. Current U.S. Federal procurements require commercial satellite communication (COMSATCOM) operators and satellite service providers to submit cybersecurity compliance documentation against a variety of cybersecurity standards. The following baseline requirements are currently levied on the commercial satellite industry, including satellite operators, satellite service providers, teleport operators, satellite component manufacturers, and government prime contractors.
- CMMC: The Cybersecurity Maturity Model Certification was released in January 2020 and is being integrated into the DoD acquisition process. The standard is intended to replace the current DFAR 252.204-7012 NIST 800-171 requirements and will require third-party validation of the vendor's cybersecurity posture through a formal audit process. While CMMC is a DoD program, early indications suggest that other federal agencies may establish and recognize reciprocal programs, allowing suppliers to use their future DoD CMMC status to qualify for non-DoD federal contracts.
- IA-PRE: The United States Space Force is updating its cybersecurity requirements for commercial communications satellite services toward requiring third-party assessments before placing service-affecting IT systems (e.g., satellite, teleport facilities, etc.) on an Approved Product List (APL). The standard is based on a selection of a large number of NIST 800-53 controls consistent with a National Security System High (NSS High).
- DISA CIAQv1: This is a custom reporting requirement created by DISA and now used by Space Force CSCO. It is based on a subset of NIST 800-53 CUI controls with enhancements and assignments, plus 6 additional customized Space Systems Security controls. (Responses provided at Task Order level)
- SMC Matrix: Based on a subset of NIST 800-53 controls associated with either ground segments, space segments or both with enhancements and assignments and 6 Space Systems Security controls. In addition to the matrix, the contractor is required to be compliant with Department of Defense (DOD) Instruction 8510.01, FAR 252.239-7010 Cloud Computing, FAR 252.204-7009 and FAR 252.204-7012. A specific SMC pathfinder further required the spacecraft to be compliant with DoD's implementation of CNSSP-12 as required; this includes the use of NSA-approved encrypted command and encrypted telemetry systems.
- Civil Agency (NOAA, NASA): Cybersecurity requirements are integrated into the contract award and require compliance with DFAR 252.204-7012. The NIST 800-171 standard contains requirements for protecting controlled unclassified information (CUI) on non-federal systems.
- DCSA ECP: The Defense Counterintelligence and Security Agency requires U.S.-based subsidiaries of foreign-owned or parent organizations to maintain policies and practices that ensure the safeguarding of classified information and the execution of classified contracts or programs for the U.S., as well as protection for controlled unclassified information (CUI) and export-controlled information (e.g., ITAR, EAR), as part of the foreign ownership, control, and influence (FOCI) mitigation process. These approaches are in accordance with regulatory and contractual security requirements and the NISPOM and DoD 5220.22-M. A set of requirements is based on a subset of NIST-based controls.
- GSA MAS: Within the COMSATCOM categories of the General Services Administration's vendor onboarding process, cybersecurity requirements are comprised of a subset of NIST 800-53 controls.
- GSA CS3: The GSA program to procure Complex Commercial Satcom Solutions (CS3) has, within its vendor onboarding process, cybersecurity requirements comprised of a subset of NIST 800-53 controls that are similar to, but not the same as, the GSA MAS cybersecurity requirements for COMSATCOM procurements.