Cybersecurity Principles for Space Systems, 56155-56158 [2020-20150]

Agencies

• Executive Office of the President

[Federal Register Volume 85, Number 176 (Thursday, September 10, 2020)]
[Presidential Documents]
[Pages 56155-56158]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-20150]



[[Page 56153]]

Vol. 85

Thursday,

No. 176

September 10, 2020

Part V





The President





-----------------------------------------------------------------------



Space Policy Directive-5 of September 4, 2020--Cybersecurity Principles 
for Space Systems


                        Presidential Documents 



Federal Register / Vol. 85 , No. 176 / Thursday, September 10, 2020 / 
Presidential Documents

___________________________________________________________________

Title 3--
The President

[[Page 56155]]

                Space Policy Directive-5 of September 4, 2020

                
Cybersecurity Principles for Space Systems

                Memorandum for the Vice President[,] the Secretary of 
                State[,] the Secretary of Defense[,] the Attorney 
                General[,] the Secretary of Commerce[,] the Secretary 
                of Transportation[,] the Secretary of Homeland 
                Security[,] the Director of the Office of Management 
                and Budget[,] the Assistant to the President for 
                National Security Affairs[,] the Director of National 
                Intelligence[,] the Director of the Central 
                Intelligence Agency[,] the Director of the National 
                Security Agency[,] the Director of the National 
                Reconnaissance Office[,] the Administrator of the 
                National Aeronautics and Space Administration[,] the 
                Director of the Office of Science and Technology 
                Policy[,] the Chairman of the Joint Chiefs of Staff[, 
                and] the Chairman of the Federal Communications 
                Commission

                Section 1. Background. The United States considers 
                unfettered freedom to operate in space vital to 
                advancing the security, economic prosperity, and 
                scientific knowledge of the Nation. Space systems 
                enable key functions such as global communications; 
                positioning, navigation, and timing; scientific 
                observation; exploration; weather monitoring; and 
                multiple vital national security applications. 
                Therefore, it is essential to protect space systems 
                from cyber incidents in order to prevent disruptions to 
                their ability to provide reliable and efficient 
                contributions to the operations of the Nation's 
                critical infrastructure.

                Space systems are reliant on information systems and 
                networks from design conceptualization through launch 
                and flight operations. Further, the transmission of 
                command and control and mission information between 
                space vehicles and ground networks relies on the use of 
                radio-frequency-dependent wireless communication 
                channels. These systems, networks, and channels can be 
                vulnerable to malicious activities that can deny, 
                degrade, or disrupt space operations, or even destroy 
                satellites.

                Examples of malicious cyber activities harmful to space 
                operations include spoofing sensor data; corrupting 
                sensor systems; jamming or sending unauthorized 
                commands for guidance and control; injecting malicious 
                code; and conducting denial-of-service attacks. 
                Consequences of such activities could include loss of 
                mission data; decreased lifespan or capability of space 
                systems or constellations; or the loss of positive 
                control of space vehicles, potentially resulting in 
                collisions that can impair systems or generate harmful 
                orbital debris.

                The National Security Strategy of December 2017 states 
                that ``[t]he United States must maintain our leadership 
                and freedom of action in space.'' As the space domain 
                is contested, it is necessary for developers, 
                manufacturers, owners, and operators of space systems 
                to design, build, operate, and manage them so that they 
                are resilient to cyber incidents and radio-frequency 
                spectrum interference.

                Space Policy Directive-3 (SPD-3) of June 18, 2018 
                (National Space Traffic Management Policy), states that 
                ``[s]atellite and constellation owners should 
                participate in a pre-launch certification process'' 
                that should consider a number of factors, including 
                encryption of satellite command and control links and 
                data protection measures for ground site operations.

                The National Cyber Strategy of September 2018 states 
                that my Administration will enhance efforts to protect 
                our space assets and supporting infrastructure

[[Page 56156]]

                from evolving cyber threats, and will work with 
                industry and international partners to strengthen the 
                cyber resilience of existing and future space systems.

                Sec. 2. Definitions. For the purposes of this 
                memorandum, the following definitions shall apply:

                    (a) ``Space System'' means a combination of 
                systems, to include ground systems, sensor networks, 
                and one or more space vehicles, that provides a space-
                based service. A space system typically has three 
                segments: a ground control network, a space vehicle, 
                and a user or mission network. These systems include 
                Government national security space systems, Government 
                civil space systems, and private space systems.
                    (b) ``Space Vehicle'' means the portion of a space 
                system that operates in space. Examples include 
                satellites, space stations, launch vehicles, launch 
                vehicle upper stage components, and spacecraft.
                    (c) ``Positive Control'' means the assurance that a 
                space vehicle will only execute commands transmitted by 
                an authorized source and that those commands are 
                executed in the proper order and at the intended time.
                    (d) ``Critical space vehicle functions (critical 
                functions)'' means the functions of the vehicle that 
                the operator must maintain to ensure intended 
                operations, positive control, and retention of custody. 
                The failure or compromise of critical space vehicle 
                functions could result in the space vehicle not 
                responding to authorized commands, loss of critical 
                capability, or responding to unauthorized commands.

                Sec. 3. Policy. Cybersecurity principles and practices 
                that apply to terrestrial systems also apply to space 
                systems. Certain principles and practices, however, are 
                particularly important to space systems. For example, 
                it is critical that cybersecurity measures, including 
                the ability to perform updates and respond to incidents 
                remotely, are integrated into the design of the space 
                vehicle before launch, as most space vehicles in orbit 
                cannot currently be physically accessed. For this 
                reason, integrating cybersecurity into all phases of 
                development and ensuring full life-cycle cybersecurity 
                are critical for space systems. Effective cybersecurity 
                practices arise out of cultures of prevention, active 
                defense, risk management, and sharing best practices.

                The United States must manage risks to the growth and 
                prosperity of our commercial space economy. To do so 
                and to strengthen national resilience, it is the policy 
                of the United States that executive departments and 
                agencies (agencies) will foster practices within 
                Government space operations and across the commercial 
                space industry that protect space assets and their 
                supporting infrastructure from cyber threats and ensure 
                continuity of operations.

                The cybersecurity principles for space systems set 
                forth in section 4 of this memorandum are established 
                to guide and serve as the foundation for the United 
                States Government approach to the cyber protection of 
                space systems. Agencies are directed to work with the 
                commercial space industry and other non-government 
                space operators, consistent with these principles and 
                with applicable law, to further define best practices, 
                establish cybersecurity-informed norms, and promote 
                improved cybersecurity behaviors throughout the 
                Nation's industrial base for space systems.

                Sec. 4. Principles. (a) Space systems and their 
                supporting infrastructure, including software, should 
                be developed and operated using risk-based, 
                cybersecurity-informed engineering. Space systems 
                should be developed to continuously monitor, 
                anticipate, and adapt to mitigate evolving malicious 
                cyber activities that could manipulate, deny, degrade, 
                disrupt, destroy, surveil, or eavesdrop on space system 
                operations. Space system configurations should be 
                resourced and actively managed to achieve and maintain 
                an effective and resilient cyber survivability posture 
                throughout the space system lifecycle.

                    (b) Space system owners and operators should 
                develop and implement cybersecurity plans for their 
                space systems that incorporate capabilities to

[[Page 56157]]

                ensure operators or automated control center systems 
                can retain or recover positive control of space 
                vehicles. These plans should also ensure the ability to 
                verify the integrity, confidentiality, and availability 
                of critical functions and the missions, services, and 
                data they enable and provide. At a minimum, space 
                system owners and operators should consider, based on 
                risk assessment and tolerance, incorporating in their 
                plans:

(i) Protection against unauthorized access to critical space vehicle 
functions. This should include safeguarding command, control, and telemetry 
links using effective and validated authentication or encryption measures 
designed to remain secure against existing and anticipated threats during 
the entire mission lifetime;

(ii) Physical protection measures designed to reduce the vulnerabilities of 
a space vehicle's command, control, and telemetry receiver systems;

(iii) Protection against communications jamming and spoofing, such as 
signal strength monitoring programs, secured transmitters and receivers, 
authentication, or effective, validated, and tested encryption measures 
designed to provide security against existing and anticipated threats 
during the entire mission lifetime;

(iv) Protection of ground systems, operational technology, and information 
processing systems through the adoption of deliberate cybersecurity best 
practices. This adoption should include practices aligned with the National 
Institute of Standards and Technology's Cybersecurity Framework to reduce 
the risk of malware infection and malicious access to systems, including 
from insider threats. Such practices include logical or physical 
segregation; regular patching; physical security; restrictions on the 
utilization of portable media; the use of antivirus software; and promoting 
staff awareness and training inclusive of insider threat mitigation 
precautions;

(v) Adoption of appropriate cybersecurity hygiene practices, physical 
security for automated information systems, and intrusion detection 
methodologies for system elements such as information systems, antennas, 
terminals, receivers, routers, associated local and wide area networks, and 
power supplies; and

(vi) Management of supply chain risks that affect cybersecurity of space 
systems through tracking manufactured products; requiring sourcing from 
trusted suppliers; identifying counterfeit, fraudulent, and malicious 
equipment; and assessing other available risk mitigation measures.

                    (c) Implementation of these principles, through 
                rules, regulations, and guidance, should enhance space 
                system cybersecurity, including through the 
                consideration and adoption, where appropriate, of 
                cybersecurity best practices and norms of behavior.
                    (d) Space system owners and operators should 
                collaborate to promote the development of best 
                practices, to the extent permitted by applicable law. 
                They should also share threat, warning, and incident 
                information within the space industry, using venues 
                such as Information Sharing and Analysis Centers to the 
                greatest extent possible, consistent with applicable 
                law.
                    (e) Security measures should be designed to be 
                effective while permitting space system owners and 
                operators to manage appropriate risk tolerances and 
                minimize undue burden, consistent with specific mission 
                requirements, United States national security and 
                national critical functions, space vehicle size, 
                mission duration, maneuverability, and any applicable 
                orbital regimes.

                Sec. 5. General Provisions. (a) Nothing in this 
                memorandum shall be construed to impair or otherwise 
                affect:

(i) the authority granted by law to an executive department or agency, or 
the head thereof; or

(ii) the functions of the Director of the Office of Management and Budget 
relating to budgetary, administrative, or legislative proposals.

                    (b) This memorandum shall be implemented consistent 
                with applicable law and subject to the availability of 
                appropriations.

[[Page 56158]]

                    (c) This memorandum is not intended to, and does 
                not, create any right or benefit, substantive or 
                procedural, enforceable at law or in equity by any 
                party against the United States, its departments, 
                agencies, or entities, its officers, employees, or 
                agents, or any other person.
                    (d) The Secretary of Commerce is authorized and 
                directed to publish this memorandum in the Federal 
                Register.
                
                
                    (Presidential Sig.)

                THE WHITE HOUSE,

                    Washington, September 4, 2020

[FR Doc. 2020-20150
Filed 9-9-20; 11:15 am]
Billing code 3510-07-P