| SPR-2 |
The [spacecraft] shall ensure that sensitive information can only be accessed by personnel with appropriate roles and an explicit need for such information to perform their duties.{SV-CF-3,SV-AC-4}{AC-3(11),CM-12}
|
Space system sensitive information can include a wide range of candidate material: functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of link segment protections subject to disabling/bypassing, failure/anomaly resolution, and any other sensitive information related to architecture, software, and mission operations.
|
| SPR-7 |
The [organization] shall document and design a security architecture using a defense-in-depth approach that allocates the [organization]s defined safeguards to the indicated locations and layers: [Examples include: operating system abstractions and hardware mechanisms to the separate processors in the platform, internal components, and the FSW].{SV-MA-6}{CA-9,PL-7,PL-8,PL-8(1),SA-8(3),SA-8(4),SA-8(7),SA-8(9),SA-8(11),SA-8(13),SA-8(19),SA-8(29),SA-8(30)}
|
Spacecraft security cannot rely on a single control; layered defenses reduce the likelihood of catastrophic compromise. Documenting safeguard allocation across hardware, OS, firmware, and FSW ensures coverage across attack surfaces. This supports resiliency against both cyber intrusion and supply chain weaknesses. Clear documentation enables verification and independent assessment.
|
| SPR-8 |
The [organization] shall ensure that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.{SV-MA-6}{CA-7(5),PL-7,PL-8(1),SA-8(19)}
|
Independent controls that operate in isolation may create security gaps or conflicting behaviors. Coordinated safeguards ensure that encryption, authentication, partitioning, and monitoring functions reinforce each other rather than undermine availability or safety. This reduces bypass risk and improves fault/cyber response integration. Cohesive operation is essential for resilient mission assurance.
|
| SPR-9 |
The [organization] shall implement a security architecture and design that provides the required security functionality, allocates security controls among physical and logical components, and integrates individual security functions, mechanisms, and processes together to provide required security capabilities and a unified approach to protection.{SV-MA-6}{PL-7,SA-2,SA-8,SA-8(1),SA-8(2),SA-8(3),SA-8(4),SA-8(5),SA-8(6),SA-8(7),SA-8(9),SA-8(11),SA-8(13),SA-8(19),SA-8(29),SA-8(30),SC-32,SC-32(1)}
|
Security functionality must be intentionally distributed across physical and logical components rather than bolted on post-design. A unified architecture prevents inconsistent enforcement, duplicated controls, or unprotected interfaces. Integrated design reduces attack surface and improves verification of mission-critical protections.
|
| SPR-14 |
The [spacecraft] shall authenticate the ground station (and all commands) and other spacecraft before establishing remote connections using bidirectional authentication that is cryptographically based.{SV-AC-1,SV-AC-2}{AC-3,AC-17,AC-17(2),AC-17(10),AC-18(1),AC-20,IA-3(1),IA-4,IA-4(9),IA-7,IA-9,SA-8(18),SA-8(19),SA-9(2),SC-7(11),SC-16(1),SC-16(2),SC-16(3),SC-23(3),SI-3(9)}
|
Authorization can include embedding opcodes in command strings, using trusted authentication protocols, identifying proper link characteristics such as emitter location, expected range of receive power, expected modulation, data rates, communication protocols, beamwidth, etc.; and tracking command counter increments against expected values.
|
| SPR-32 |
The [spacecraft] shall provide or support the capability for recovery and reconstitution to a known state after a disruption, compromise, or failure.{SV-AV-5,SV-AV-6,SV-AV-7}{CP-4(4),CP-10,CP-10(4),CP-10(6),CP-13,IR-4,IR-4(1),SA-8(16),SA-8(19),SA-8(24)}
|
|
| SPR-34 |
The [spacecraft] shall recover to a known cyber-safe state when an anomaly is detected.{IR-4,IR-4(1),SA-8(16),SA-8(19),SA-8(21),SA-8(24),SI-3,SI-4(7),SI-10(6),SI-13,SI-17}
|
|
| SPR-46 |
The [spacecraft] shall monitor [Program‑defined telemetry points] for malicious commanding attempts and alert ground operators upon detection.{SV-AC-2,SV-IT-1,SV-DCO-1}{AC-17,AC-17(1),AC-17(10),AU-3(1),RA-10,SC-7,SC-16,SC-16(2),SC-16(3),SI-3(8),SI-4,SI-4(1),SI-4(13),SI-4(24),SI-4(25),SI-10(6)}
|
Telemetry-based detection enables identification of anomalous command patterns, replay attempts, and injection attacks. Early detection allows rapid containment before mission impact escalates. Onboard monitoring is critical when ground latency limits intervention. This supports proactive defense.
|
| SPR-48 |
The [spacecraft] shall implement cryptographic mechanisms to protect the integrity of audit information and audit tools.{SV-DCO-1}{AU-9(3),RA-10,SC-8(1),SI-3,SI-3(10),SI-4(24)}
|
Audit logs are essential for attribution and forensic analysis. If adversaries can modify audit data, detection and recovery become unreliable. Cryptographic integrity protections preserve evidentiary value.
|
| SPR-55 |
The [spacecraft] shall provide cyber threat status to the ground segment for the Defensive Cyber Operations team, per the governing specification.{SV-DCO-1}{IR-5,PM-16,PM-16(1),RA-3(3),RA-10,SI-4,SI-4(1),SI-4(24),SI-7(7)}
|
The future space enterprises will include full-time Cyber Defense teams supporting space mission systems. Their work is currently focused on the ground segment but may eventually require specific data from the space segment for their successful operation. This requirement is a placeholder to ensure that any DCO-related requirements are taken into consideration for this document.
|
| SPR-56 |
The [spacecraft] shall provide automated onboard mechanisms that integrate audit review, analysis, and reporting processes to support mission processes for investigation and response to suspicious activities to determine the attack class in the event of a cyber attack.{SV-DCO-1}{AU-6(1),IR-4,IR-4(1),IR-4(12),IR-4(13),PM-16(1),RA-10,SA-8(21),SA-8(22),SC-5(3),SI-3,SI-3(10),SI-4(7),SI-4(24),SI-7(7)}
|
* Identifying the class (e.g., exfiltration, Trojans, etc.), nature, or effect of cyberattack (e.g., exfiltration, subverted control, or mission interruption) is necessary to determine the type of response. The first order of identification may be to determine whether the event is an attack or a non-threat event (anomaly). The objective requirement would be to predict the impact of the detected signature.
* Unexpected conditions can include RF lockups, loss of lock, failure to acquire an expected contact and unexpected reports of acquisition, unusual AGC and ACS control excursions, unforeseen actuator enabling's or actions, thermal stresses, power aberrations, failure to authenticate, software or counter resets, etc. Mitigation might include additional TMONs, more detailed AGC and PLL thresholds to alert operators, auto-capturing state snapshot images in memory when unexpected conditions occur, signal spectra measurements, and expanded default diagnostic telemetry modes to help in identifying and resolving anomalous conditions.
|
| SPR-57 |
The [spacecraft] shall monitor and collect all onboard cyber- data (from multiple system components), including identification of potential attacks and information about the attack for subsequent analysis.{SV-DCO-1}{AC-6(9),AC-20,AC-20(1),AU-2,AU-12,IR-4,IR-4(1),RA-10,SI-3,SI-3(10),SI-4,SI-4(1),SI-4(2),SI-4(7),SI-4(24)}
|
The spacecraft will monitor and collect data that provides accountability of activity occurring onboard the spacecraft. Due to resource limitations on the spacecraft, analysis must be performed to determine which data is critical for retention and which can be filtered. Full system coverage of data and actions is desired as an objective; it will likely be impractical due to the resource limitations. “Cyber-relevant data” refers to all data and actions deemed necessary to support accountability and awareness of onboard cyber activities for the mission. This would include data that may indicate abnormal activities, critical configuration parameters, transmissions on onboard networks, command logging, or other such data items. This set of data items should be identified early in the system requirements and design phase. Cyber-relevant data should support the ability to assess whether abnormal events are unintended anomalies or actual cyber threats. Actual cyber threats may rarely or never occur, but non-threat anomalies occur regularly. The ability to filter out cyber threats for non-cyber threats in relevant time would provide a needed capability. Examples could include successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).
|
| SPR-58 |
The [spacecraft] shall generate cyber related audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, and the outcome of the event. For privileged or hazardous commands, the audit record shall include the approver identifiers and the command identifier.{SV-DCO-1}{AU-3,AU-3(1),AU-12,IR-4,IR-4(1),RA-10,SI-3,SI-3(10),SI-4(7),SI-4(24)}
|
Detailed audit records are essential for attribution, anomaly detection, and post-incident forensic reconstruction. Capturing what occurred, when, where, and by whom enables rapid differentiation between system fault and adversarial activity. Including approver identifiers for privileged or hazardous commands strengthens accountability and insider threat mitigation. Without complete audit context, recovery and containment decisions may be delayed or misinformed.
|
| SPR-59 |
The [spacecraft] shall attribute cyber attacks and identify unauthorized use of the platform by downlinking onboard cyber information to the mission ground station within [Program‑defined time ≤ 3 minutes].{SV-DCO-1,SV-IT-1,SV-IT-2}{AU-4(1),IR-4,IR-4(1),IR-4(12),IR-4(13),RA-10,SA-8(22),SI-3,SI-3(10),SI-4,SI-4(5),SI-4(7),SI-4(12),SI-4(24)}
|
Rapid transmission of cyber-relevant telemetry supports near-real-time ground-based fusion and correlation with enterprise security events. Delayed reporting increases risk of adversary persistence or mission degradation. Early attribution enables containment actions before cascading effects occur. Defined timeliness ensures detection capability aligns with operational tempo.
|
| SPR-60 |
The [spacecraft] shall integrate cyber related detection and responses with existing fault management capabilities to ensure tight integration between traditional fault management and cyber intrusion detection and prevention.{SV-DCO-1}{AU-6(4),IR-4,IR-4(1),RA-10,SA-8(21),SA-8(26),SC-3(4),SI-3,SI-3(10),SI-4(7),SI-4(13),SI-4(16),SI-4(24),SI-4(25),SI-7(7),SI-13}
|
The onboard IPS system should be integrated into the existing onboard spacecraft fault management system (FMS) because the FMS has its own fault detection and response system built in. SV corrective behavior is usually limited to automated fault responses and ground commanded recovery actions. Intrusion prevention and response methods will inform resilient cybersecurity design. These methods enable detected threat activity to trigger defensive responses and resilient SV recovery.
|
| SPR-61 |
The [spacecraft] shall protect information obtained from logging/intrusion-monitoring from unauthorized access, modification, and deletion.{SV-DCO-1}{AU-9,AU-9(3),RA-10,SI-4(7),SI-4(24)}
|
Monitoring data is a high-value target for attackers seeking to evade detection or erase traces of compromise. Protecting log integrity preserves evidentiary value and detection continuity. Unauthorized modification or deletion could mask malicious behavior or delay response. Cryptographic protection and access controls ensure monitoring mechanisms cannot be silently disabled.
|
| SPR-62 |
The [spacecraft] shall enter a cyber-safe mode when conditions that threaten the platform are detected, enters a cyber-safe mode of operation with restrictions as defined based on the cyber-safe mode.{SV-AV-5,SV-AV-6,SV-AV-7}{CP-10(6),CP-12,CP-13,IR-4,IR-4(1),IR-4(3),PE-10,RA-10,SA-8(16),SA-8(21),SA-8(24),SI-3,SI-4(7),SI-13,SI-17}
|
Cyber-safe mode provides a deterministic fallback posture when compromise or anomalous conditions threaten mission integrity. Restricting non-essential functions reduces attack surface and prevents further propagation of malicious activity. Defined restrictions ensure predictable behavior under cyber stress conditions. This supports survivability and controlled recovery rather than uncontrolled degradation.
|
| SPR-63 |
The [spacecraft] shall be able to locate the onboard origin of a cyber attack and alert ground operators within [Program‑defined time ≤ 3 minutes].{SV-DCO-1}{IR-4,IR-4(1),IR-4(12),IR-4(13),RA-10,SA-8(22),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(7),SI-4(12),SI-4(16),SI-4(24)}
|
The origin of any attack onboard the vehicle should be identifiable to support mitigation. At the very least, attacks from critical element (safety-critical or higher-attack surface) components should be locatable quickly so that timely action can occur.
|
| SPR-64 |
The [spacecraft] shall detect and deny unauthorized outgoing communications posing a threat to the spacecraft.{SV-DCO-1}{IR-4,IR-4(1),RA-5(4),RA-10,SC-7(9),SC-7(10),SI-4,SI-4(1),SI-4(4),SI-4(7),SI-4(11),SI-4(13),SI-4(24),SI-4(25)}
|
Outbound communications may indicate data exfiltration, covert channels, or compromised subsystem behavior. Monitoring and blocking unauthorized egress prevents leakage of mission data or cryptographic material. Many attacks rely on command-and-control or data extraction channels; egress control disrupts this persistence mechanism. Outbound traffic should be as tightly controlled as inbound command paths.
|
| SPR-65 |
The [spacecraft] shall select and execute safe countermeasures against cyber attacks prior to entering cyber-safe mode.{SV-DCO-1}{IR-4,RA-10,SA-8(21),SA-8(24),SI-4(7),SI-17}
|
These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker exquisitely—with or without ground aiding. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system." These countermeasures are likely executed prior to entering into a cyber-safe mode.
|
| SPR-66 |
The [spacecraft] shall be designed and configured so that encrypted communications traffic and data is visible to on-board security monitoring tools.{SV-DCO-1}{RA-10,SA-8(21),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(10),SI-4(13),SI-4(24),SI-4(25)}
|
Encryption must not blind onboard intrusion detection capabilities. Security tools require access to sufficient context (pre-encryption or post-decryption inspection points) to detect malicious patterns. Without visibility, encrypted channels become covert channels. Proper architectural placement ensures both confidentiality and detectability are preserved.
|
| SPR-67 |
The [spacecraft] shall be designed and configured so that spacecraft memory can be monitored by the on-board intrusion detection/prevention capability.{SV-DCO-1}{RA-10,SA-8(21),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(24),SI-16}
|
Many spacecraft attacks target memory corruption, firmware modification, or unauthorized process injection. Monitoring memory state enables detection of tampering, abnormal writes, or execution anomalies. Memory visibility supports early detection of wiper malware or boot-level compromise. This is essential for protecting deterministic flight software environments.
|
| SPR-68 |
The [spacecraft] shall have on-board intrusion detection/prevention system that monitors the mission critical components or systems.{SV-AC-1,SV-AC-2,SV-MA-4}{RA-10,SC-7,SI-3,SI-3(8),SI-4,SI-4(1),SI-4(7),SI-4(13),SI-4(24),SI-4(25),SI-10(6)}
|
The mission critical components or systems could be GNC/Attitude Control, C&DH, TT&C, Fault Management.
|
| SPR-69 |
The [spacecraft] shall alert in the event of the audit/logging processing failures.{SV-DCO-1}{AU-5,AU-5(1),AU-5(2),SI-3,SI-4,SI-4(1),SI-4(7),SI-4(12),SI-4(24)}
|
Failure of logging mechanisms may signal active tampering or resource exhaustion attacks. Immediate alerting ensures loss of visibility does not go unnoticed. Silent failure of audit systems creates blind spots exploitable by adversaries. Monitoring the monitors is critical to resilient detection.
|
| SPR-70 |
The [spacecraft] shall provide an alert immediately to [at a minimum the mission director, administrators, and security officers] when the following failure events occur: [minimally but not limited to: auditing software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity reaching 95%, 99%, and 100%] of allocated capacity, including security component failover events; alerts shall include component identity, time, and fault reason.{SV-DCO-1}{AU-5,AU-5(1),AU-5(2),SI-4,SI-4(1),SI-4(7),SI-4(12),SI-4(24),SI-7(7)}
|
Intent is to have human on the ground be alerted to failures. This can be decomposed to SV to generate telemetry and to Ground to alert.
|
| SPR-71 |
The [spacecraft] shall provide the capability of a cyber “black-box” to capture necessary data for cyber forensics of threat signatures and anomaly resolution when cyber attacks are detected. The [spacecraft] shall automatically route audit events to the alternate audit logging capability upon primary audit failure and shall resynchronize the alternate store to the primary upon recovery.{SV-DCO-1}{AU-5(5),AU-9(2),AU-9(3),AU-12,IR-4(12),IR-4(13),IR-5(1),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(7),SI-4(24),SI-7(7)}
|
Similar concept of a "black box" on an aircraft where all critical information is stored for post forensic analysis. Black box can be used to record CPU utilization, GNC physical parameters, audit records, memory contents, TT&C data points, etc. The timeframe is dependent upon implementation but needs to meet the intent of the requirement. For example, 30 days may suffice.
|
| SPR-74 |
The [organization] shall define the security safeguards that are to be automatically employed when integrity violations are discovered.{SV-IT-2}{CP-2,SA-8(21),SI-3,SI-4(7),SI-4(12),SI-7(5),SI-7(8)}
|
Predefined safeguards ensure consistent and timely response to detected integrity violations. Ad hoc response increases uncertainty and recovery time. Automated actions may include isolation, reconstitution from gold images, or transition to cyber-safe mode. Defined response paths improve resilience and reduce operator burden during crisis.
|
| SPR-77 |
The [spacecraft] shall employ the principle of least privilege, allowing only authorized accesses processes which are necessary to accomplish assigned tasks in accordance with system functions.{SV-AC-6}{AC-3,AC-6,AC-6(9),CA-9,CM-5,CM-5(5),CM-5(6),SA-8(2),SA-8(5),SA-8(6),SA-8(14),SA-8(23),SA-17(7),SC-2,SC-7(29),SC-32,SC-32(1),SI-3}
|
Least privilege limits damage from compromised processes or insider misuse. Processes receive only the minimum access necessary for assigned functions. This reduces lateral movement and privilege escalation pathways. In deterministic spacecraft systems, privilege boundaries must be tightly defined and enforced.
|
| SPR-88 |
The [spacecraft] shall detect and recover from detected memory errors or transitions to a known cyber-safe state.{SV-IT-4,SV-AV-6}{IR-4,IR-4(1),SA-8(16),SA-8(24),SI-3,SI-4(7),SI-10(6),SI-13,SI-17}
|
Memory corruption may result from radiation, fault injection, or malicious manipulation. Detection prevents silent data corruption from propagating to mission-critical functions. Recovery mechanisms or safe-state transitions preserve availability. Rapid containment supports mission survivability.
|
| SPR-93 |
The [spacecraft] shall require multi‑factor authorization for: (a) all spacecraft operating system and application updates; (b) updates to task‑scheduling functionality; and (c) creation or update of onboard stored command sequences.{SV-SP-9,SV-SP-11}{AC-3(2),CM-3(8),CM-5,IA-2,PM-12,SA-8(8),SA-8(31),SA-10(2),SI-3(8),SI-7(12),SI-10(6)}
|
The intent is for multiple checks to be performed prior to executing these SV SW updates. One action is mere act of uploading the SW to the spacecraft. Another action could be check of digital signature (ideal but not explicitly required) or hash or CRC or a checksum. Crypto boxes provide another level of authentication for all commands, including SW updates but ideally there is another factor outside of crypto to protect against FSW updates. Multi-factor authorization could be the "two-man rule" where procedures are in place to prevent a successful attack by a single actor (note: development activities that are subsequently subject to review or verification activities may already require collaborating attackers such that a "two-man rule" is not appropriate).
|
| SPR-95 |
The [spacecraft] shall enforce an attribute-based access control policy over subjects and objects as defined in AC-3(3).{SV-AC-1,SV-AC-4}{AC-3(13)}
|
Attribute-based access control (ABAC) enables dynamic, context-aware enforcement beyond static role assignments. This reduces privilege abuse and insider misuse by incorporating mission state, location, and environmental factors into decisions. ABAC supports least privilege while enabling operational flexibility. Proper enforcement limits lateral movement and unauthorized data access.
|
| SPR-96 |
The [spacecraft] shall uniquely identify and authenticate the ground station and other spacecraft before establishing a remote connection.{SV-AC-1,SV-AC-2}{AC-3,AC-17,AC-17(10),AC-20,IA-3,IA-4,SA-8(18),SI-3(9)}
|
|
| SPR-97 |
All [spacecraft] commands which have unrecoverable consequence must have dual authentication prior to command execution. The [spacecraft] shall verify two independent cryptographic approvals prior to execution and shall generate an audit record binding both approver identifiers to the command identifier, time, and outcome.{SV-AC-4,SV-AC-8,SV-AC-2}{AU-9(5),IA-3,IA-4,IA-10,PE-3,PM-12,SA-8(15),SA-8(21),SC-16(2),SC-16(3),SI-3(8),SI-3(9),SI-4(13),SI-4(25),SI-7(12),SI-10(6),SI-13}
|
Commands with irreversible impact require heightened assurance to prevent catastrophic mission loss. Dual independent cryptographic approvals mitigate insider threat, key compromise, and single-point credential abuse. Binding approver identifiers to the audit trail strengthens accountability and deterrence. This reduces the probability of unauthorized hazardous command execution.
|
| SPR-98 |
The [spacecraft] shall have a method to ensure the integrity of which have unrecoverable consequence and validate their authenticity before execution.{SV-AC-2,SV-IT-2,SV-IT-1}{AU-9(5),IA-3,IA-4,IA-10,PE-3,PM-12,SA-8(15),SA-8(21),SC-16(2),SC-16(3),SI-3(8),SI-3(9),SI-4(13),SI-4(25),SI-7(12),SI-10(6),SI-13}
|
Hazardous commands must be cryptographically protected and validated prior to execution. Integrity and authenticity checks prevent replay, modification, or injection of destructive instructions. Without validation, RF interception or command path compromise could result in mission-ending actions. This ensures critical commands are both authorized and unaltered.
|
| SPR-99 |
The [spacecraft] shall recover from cyber-safe mode to mission operations within 20 minutes.{SV-MA-5}{CP-2(3),CP-2(5),IR-4,SA-8(24)}
|
Upon conclusion of addressing the threat, the system should be capable of recovering from the minimal survival mode back into a mission-ready state within defined timelines. The intent is to define the timelines and the capability to return back to mission operations.
|
| SPR-100 |
The [spacecraft] shall monitor [Program defined telemetry points] for malicious commanding attempts.{SV-AC-1,SV-AC-2}{SC-7,AU-3(1),AC-17(1)}
|
Source from AEROSPACE REPORT NO. TOR-2019-02178
Vehicle Command Counter (VCC) - Counts received valid commands
Rejected Command Counter - Counts received invalid commands
Command Receiver On/Off Mode - Indicates times command receiver is accepting commands
Command Receivers Received Signal Strength - Analog measure of the amount of received RF energy at the receive frequency
Command Receiver Lock Modes - Indicates when command receiver has achieved lock on command signal
Telemetry Downlink Modes - Indicates when the satellite’s telemetry was transmitting
Cryptographic Modes - Indicates the operating modes of the various encrypted links
Received Commands - Log of all commands received and executed by the satellite
System Clock - Master onboard clock
GPS Ephemeris - Indicates satellite location derived from GPS Signals
|
| SPR-227 |
The [organization] shall identify all locations (including ground and contractor systems) that store or process sensitive system information.{SV-CF-3,SV-SP-4,SV-SP-10}{AC-3(11),CM-12}
|
Space system sensitive information can include a wide range of candidate material: functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of link segment protections subject to disabling/bypassing, failure/anomaly resolution, and any other sensitive information related to architecture, software, and mission operations.
|
| SPR-228 |
The [organization] shall identify sensitive mission data (e.g.CPI) and document the specific on-board components on which the information is processed and stored.{SV-MA-4,SV-CF-3}{AC-3(11),CM-12}
|
Space system sensitive information can include a wide range of candidate material: functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of link segment protections subject to disabling/bypassing, failure/anomaly resolution, and any other sensitive information related to architecture, software, and mission operations.
|
| SPR-229 |
The [organization] shall protect documentation and Controlled Unclassified Information (CUI) as required, in accordance with the risk management strategy.{SV-CF-3,SV-SP-4,SV-SP-10}{AC-3,CM-12,CP-2,PM-17,RA-5(4),SA-3,SA-3(1),SA-5,SA-10,SC-8(1),SC-28(3),SI-12}
|
Documentation may reveal architecture details exploitable by adversaries. Proper handling prevents leakage. Protection of CUI supports regulatory compliance. Information governance complements technical controls.
|
| SPR-230 |
The [organization] shall identify and properly classify mission sensitive design/operations information and access control shall be applied in accordance with classification guides and applicable federal laws, Executive Orders, directives, policies, regulations, and standards.{SV-CF-3,SV-AV-5}{AC-3,CM-12,CP-2,PM-17,RA-5(4),SA-3,SA-3(1),SA-5,SA-8(19),SC-8(1),SC-28(3),SI-12}
|
* Mission sensitive information should be classified as Controlled Unclassified Information (CUI) or formally known as Sensitive but Unclassified. Ideally these artifacts would be rated SECRET or higher and stored on classified networks. Mission sensitive information can typically include a wide range of candidate material: the functional and performance specifications, the RF ICDs, databases, scripts, simulation and rehearsal results/reports, descriptions of uplink protection including any disabling/bypass features, failure/anomaly resolution, and any other sensitive information related to architecture, software, and flight/ground /mission operations. This could all need protection at the appropriate level (e.g., unclassified, SBU, classified, etc.) to mitigate levels of cyber intrusions that may be conducted against the project’s networks. Stand-alone systems and/or separate database encryption may be needed with controlled access and on-going Configuration Management to ensure changes in command procedures and critical database areas are tracked, controlled, and fully tested to avoid loss of science or the entire mission.
|
| SPR-231 |
The [organization] shall distribute documentation to only personnel with defined roles and a need to know.{SV-CF-3,SV-AV-5}{CM-12,CP-2,SA-5,SA-10}
|
Least privilege and need to know should be employed with the protection of all documentation. Documentation can contain sensitive information that can aid in vulnerability discovery, detection, and exploitation. For example, command dictionaries for ground and space systems should be handles with extreme care. Additionally, design documents for missions contain many key elements that if compromised could aid in an attacker successfully exploiting the system.
|
| SPR-232 |
The [organization] shall conduct a criticality analysis to identify mission critical functions and critical components and reduce the vulnerability of such functions and components through secure system design.{SV-SP-3,SV-SP-4,SV-AV-7,SV-MA-4}{CP-2,CP-2(8),PL-7,PM-11,PM-30(1),RA-3(1),RA-9,SA-8(9),SA-8(11),SA-8(25),SA-12,SA-14,SA-15(3),SC-7(29),SR-1}
|
During SCRM, criticality analysis will aid in determining supply chain risk. For mission critical functions/components, extra scrutiny must be applied to ensure supply chain is secured.
|
| SPR-233 |
The [organization] shall identify the applicable physical and environmental protection policies covering the development environment and spacecraft hardware. {SV-SP-4,SV-SP-5,SV-SP-10}{PE-1,PE-14,SA-3,SA-3(1),SA-10(3)}
|
Development environments must be protected from tampering. Physical controls prevent hardware supply chain compromise. Policy clarity ensures consistent safeguards. Secure development underpins secure deployment.
|
| SPR-234 |
The [organization] shall develop and document program-specific identification and authentication policies for accessing the development environment and spacecraft. {SV-SP-10,SV-AC-4}{AC-3,AC-14,IA-1,SA-3,SA-3(1)}
|
Strong authentication prevents unauthorized development access. Development compromise can introduce malicious code. Documented policies ensure consistent enforcement. Identity governance supports supply chain integrity.
|
| SPR-235 |
The [organization] shall ensure security requirements/configurations are placed in accordance with NIST 800-171 with enhancements in 800-172 on the development environments to prevent the compromise of source code from supply chain or information leakage perspective.{SV-SP-4,SV-SP-10,SV-CF-3}{AC-3,SA-3,SA-3(1),SA-15}
|
Supply chain threats target development environments. Enhanced controls reduce risk of source code exfiltration. Compliance strengthens contractual and regulatory assurance. Development security directly impacts spacecraft integrity.
|
| SPR-236 |
The [organization] shall implement a verifiable flaw remediation process into the developmental and operational configuration management process.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-5,SA-3,SA-3(1),SA-11,SI-3,SI-3(10)}
|
The verifiable process should also include a cross reference to mission objectives and impact statements. Understanding the flaws discovered and how they correlate to mission objectives will aid in prioritization.
|
| SPR-237 |
The [organization] shall establish robust procedures and technical methods to perform testing to include adversarial testing (i.e.abuse cases) of the platform hardware and software.{SV-SP-2,SV-SP-1}{CA-8,CP-4(5),RA-5,RA-5(1),RA-5(2),SA-3,SA-4(3),SA-11,SA-11(1),SA-11(2),SA-11(5),SA-11(7),SA-11(8),SA-15(7)}
|
Abuse-case testing reveals design weaknesses before deployment. Red-teaming strengthens defensive posture. Proactive validation reduces operational risk. Testing must simulate realistic threat scenarios.
|
| SPR-238 |
The [organization] shall require subcontractors developing information system components or providing information system services (as appropriate) to demonstrate the use of a system development life cycle that includes [state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-9}{SA-3,SA-4(3)}
|
Select the particular subcontractors, software vendors, and manufacturers based on the criticality analysis performed for the Program Protection Plan and the criticality of the components that they supply. Examples of good security practices would be using defense-in-depth tactics across the board, least-privilege being implemented, two factor authentication everywhere possible, using DevSecOps, implementing and validating adherence to secure coding standards, performing static code analysis, component/origin analysis for open source, fuzzing/dynamic analysis with abuse cases, etc.
|
| SPR-245 |
The [organization] shall define processes and procedures to be followed when integrity verification tools detect unauthorized changes to software, firmware, and information.{SV-IT-2}{CM-3,CM-3(1),CM-3(5),CM-5(6),CM-6,CP-2,IR-6,IR-6(2),PM-30,SC-16(1),SC-51,SI-3,SI-4(7),SI-4(24),SI-7,SI-7(7),SI-7(10)}
|
Predefined response procedures reduce reaction time. Clear escalation paths improve containment. Consistent handling prevents confusion during incidents. Preparedness strengthens resilience.
|
| SPR-248 |
The [organization] shall employ Operations Security (OPSEC) safeguards to protect supply chain-related information for the system, system components, or system services. {CP-2(8),PM-30,SA-12(9),SC-38,SR-7}
|
Supply chain information can reveal vulnerabilities. OPSEC reduces adversary intelligence gathering. Controlled disclosure minimizes targeting risk. Information discipline strengthens strategic defense.
|
| SPR-249 |
The [organization] shall employ [Program-defined Operations Security (OPSEC) safeguards] to protect supply chain-related information for the system, system components, or system services.{SV-SP-3,SV-SP-4,SV-AV-7,SV-SP-11}{CP-2(8),PM-30,SA-12(9),SC-38,SR-7}
|
OPSEC safeguards may include: (1) Limiting the disclosure of information needed to design, develop, test, produce, deliver, and support the element for example, supplier identities, supplier processes, potential suppliers, security requirements, design specifications, testing and evaluation result, and system/component configurations, including the use of direct shipping, blind buys, etc.; (2) Extending supply chain awareness, education, and training for suppliers, intermediate users, and end users; (3) Extending the range of OPSEC tactics, techniques, and procedures to potential suppliers, contracted suppliers, or sub-prime contractor tier of suppliers; and (4) Using centralized support and maintenance services to minimize direct interactions between end users and original suppliers.
|
| SPR-259 |
The [organization] shall develop an incident response and forensics plan that covers the spacecrafts.{SV-MA-5}{CP-2,IR-1,IR-3,IR-3(2),IR-4(12),IR-4(13),IR-8,SA-15(10),SI-4(24)}
|
A structured response plan enables coordinated containment and recovery. Forensics planning ensures evidence preservation. Defined procedures reduce confusion during crisis. Incident readiness enhances resilience.
|
| SPR-262 |
The [organization] includes security awareness training on recognizing and reporting potential indicators of insider threat.{SV-AC-4}{AT-2(2),IR-4(6),IR-6,IR-6(2),PM-16}
|
Authorized users present significant risk vectors. Awareness training improves detection of anomalous behavior. Early reporting reduces insider dwell time. Human vigilance complements technical controls.
|
| SPR-281 |
The [organization] shall have an Insider Threat Program to aid in the detection and prevention of people with authorized access to perform malicious activities.{SV-AC-4}{AT-2(2),IR-4(6),IR-4(7),PM-12,PM-16}
|
Formal insider programs provide monitoring, reporting, and mitigation mechanisms. Behavioral analysis strengthens early detection. Structured governance reduces insider impact. Policy-backed programs improve deterrence.
|
| SPR-292 |
The [organization] shall ensure that role-based security-related training is provided to personnel with assigned security roles and responsibilities: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) at least annually thereafter.{SV-AC-4}{AT-3,CP-2}
|
Personnel must understand role-specific responsibilities. Tailored training reduces misuse. Continuous reinforcement maintains awareness. Human factors are central to defense.
|
| SPR-293 |
The [organization] shall employ techniques to limit harm from potential adversaries identifying and targeting the [organization]s supply chain.{SV-SP-4,SV-SP-5,SV-SP-6}{CP-2,PM-30,SA-9,SA-12(5),SC-38,SR-3,SR-3(1),SR-3(2),SR-5(2)}
|
Adversaries often exploit supplier relationships. Protective measures reduce reconnaissance and manipulation. Supply chain resilience strengthens mission integrity. Proactive defense mitigates systemic exposure.
|
| SPR-317 |
The [organization] shall employ [organization]-defined techniques to limit harm from potential adversaries identifying and targeting the Program supply chain.{SV-SP-3,SV-SP-4,SV-AV-7,SV-SP-11}{SR-3(2),SC-38}
|
Examples of security safeguards that the organization should consider implementing to limit the harm from potential adversaries targeting the organizational supply chain, are: (1) Using trusted physical delivery mechanisms that do not permit access to the element during delivery (ship via a protected carrier, use cleared/official couriers, or a diplomatic pouch); (2) Using trusted electronic delivery of products and services (require downloading from approved, verification-enhanced sites); (3) Avoiding the purchase of custom configurations, where feasible; (4) Using procurement carve outs (i.e., exclusions to commitments or obligations), where feasible; (5) Using defensive design approaches; (6) Employing system OPSEC principles; (7) Employing a diverse set of suppliers; (8) Employing approved vendor lists with standing reputations in industry; (9) Using a centralized intermediary and “Blind Buy” approaches to acquire element(s) to hide actual usage locations from an untrustworthy supplier or adversary Employing inventory management policies and processes; (10) Using flexible agreements during each acquisition and procurement phase so that it is possible to meet emerging needs or requirements to address supply chain risk without requiring complete revision or re-competition of an acquisition or procurement; (11) Using international, national, commercial or government standards to increase potential supply base; (12) Limiting the disclosure of information that can become publicly available; and (13) Minimizing the time between purchase decisions and required delivery.
|
| SPR-338 |
The [organization] shall define the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and [organization]s).{SV-AC-4}{AT-2}
|
Regular reinforcement maintains security awareness. Training frequency should reflect mission risk and evolving threat landscape. Structured scheduling ensures consistency. Ongoing education supports defense readiness.
|
| SPR-339 |
The [organization] shall ensure that basic security awareness training is provided to all information system users (including managers, senior executives, and [organization]s) as part of initial training for new users, when required by information system changes, and at frequency defined by the [organization].{SV-AC-4}{AT-2}
|
Baseline awareness reduces human error and insider risk. Training at onboarding and after system changes ensures up-to-date knowledge. All user levels require awareness, including executives. Human factors remain a core defense layer.
|
| SPR-343 |
The [organization] shall develop and document program-specific access control policies for controlling information flow and leakage on-board the spacecraft.{SV-AC-1,SV-CF-1,SV-CF-3}{AC-1,AC-3,AC-3(3),AC-3(4),AC-3(13)}
|
Access control policies must reflect mission architecture and threat environment. Formal documentation ensures consistent enforcement. Leakage prevention requires clear governance. Policy clarity supports compliance and auditing.
|
| SPR-344 |
The [organization] shall have Insider Threat Program to aid in the prevention of people with authorized access to perform malicious activities.{SV-AC-4}{PM-12,AT-2(2),IR-4(7)}
|
Note: These are not spacecraft requirements but important to call out but likely are covered under other requirements by the customer.
|
| SPR-345 |
The [organization] shall update the inventory of spacecraft components as an integral part of component installations, removals, and spacecraft updates.{SV-MA-4,SV-SP-4}{CM-8(1),CA-7,CM-2,CM-3}
|
Accurate inventory enables vulnerability tracking and incident response. Lifecycle updates prevent undocumented changes. Asset visibility strengthens security management. Configuration awareness reduces blind spots.
|
| SPR-346 |
The [organization] shall implement, as part of an A&A process, a Continuous Monitoring Program (CMP) that evaluates the effectiveness of security control implementations on a recurring pre-defined basis.{SV-DCO-1}{CA-7,PM-31}
|
Ongoing evaluation detects drift in control effectiveness. Continuous monitoring strengthens adaptive defense. Recurring review identifies degradation early. Proactive oversight enhances resilience.
|
| SPR-347 |
The [organization] shall establish a cross-discipline insider threat incident response & handling team.{SV-AC-4}{PM-12}
|
Complex insider risks require multi-domain coordination. Cross-functional teams improve detection and response. Unified oversight strengthens accountability. Structured programs deter malicious behavior.
|
| SPR-348 |
The [organization] shall establish policy and procedures to prevent unauthorized personnel from masquerading as personnel with valid access to areas where commanding of the spacecraft is possible.{SV-AC-4,SV-AC-1}{PM-12}
|
Unauthorized impersonation risks mission compromise. Physical and logical controls prevent access misuse. Clear policy deters credential abuse. Identity assurance is essential for command authority.
|
| SPR-349 |
The [organization] shall establish and maintain a comprehensive program for testing, training, and monitoring to ensure the effectiveness of security controls and incident response capabilities.{SV-DCO-1,SV-MA-5}{PM-14}
|
Integrated programs ensure controls remain effective. Continuous validation supports adaptive security posture. Combined testing and training reduce complacency. Holistic oversight strengthens mission readiness.
|
| SPR-350 |
The [organization] shall screen all personnel supporting management and development to ensure they meet the appropriate ADP/IT level designation requirements IAW DoD 5200.2-R prior to authorizing access to the information or system.{SV-AC-4}{PS-3}
|
Personnel vetting reduces insider risk exposure. Compliance with DoD screening standards ensures appropriate trust levels. Credentialed access must align with sensitivity. Governance strengthens workforce integrity.
|
| SPR-351 |
The [organization], upon termination of individual employment, disables information system access within [TBD minutes] of termination.{SV-AC-4}{PS-4}
|
Prompt access revocation reduces residual insider risk. Delay creates opportunity for misuse. Defined timelines ensure enforceable standards. Termination governance protects system integrity.
|
| SPR-352 |
The [organization] shall maintain records of termination/revocation of any authenticators/credentials.{SV-AC-4}{PS-4}
|
Recordkeeping ensures accountability and traceability. Historical data supports audits and investigations. Documentation strengthens governance oversight. Proper revocation tracking reduces risk of reinstatement errors.
|
| SPR-353 |
The [organization] shall, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual.{SV-AC-4,SV-AC-1}{PS-4}
|
Immediate revocation prevents credential reuse. Deprovisioning reduces exposure window. Controlled offboarding supports lifecycle security. Identity lifecycle management is critical.
|
| SPR-354 |
The [organization], upon termination of individual employment, disables information system access within 3 minutes of termination.{SV-AC-4}{PS-4}
|
Immediate revocation reduces exposure window. Controlled offboarding supports lifecycle security. Reducing system access helps prevent abuse.
|
| SPR-355 |
The [organization] shall implement policies and procedures to support operations security (OPSEC) to protect information about the capabilities and intentions of organizations by identifying, controlling, and protecting information related to the planning and execution of sensitive organizational activities.{SV-CF-3}{SC-38}
|
Information critical to organizational mission and business functions may include user identities, components in use, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.
|
| SPR-435 |
For FPGA pre-silicon artifacts that are developed, coded, and tested by a developer that is not accredited, the [organization] shall be subjected to a development environment and pre-silicon artifacts risk assessment by [organization]. Based on the results of the risk assessment, the [organization] may need to implement protective measures or other processes to ensure the integrity of the FPGA pre-silicon artifacts.{SV-SP-5}{SA-3,SA-3(1),SA-8(9),SA-8(11),SA-12,SA-12(1),SR-1,SR-5}
|
DOD-I-5200.44 requires the following:
4.c.2 “Control the quality, configuration, and security of software, firmware, hardware, and systems throughout their lifecycles... Employ protections that manage risk in the supply chain… (e.g., integrated circuits, field-programmable gate arrays (FPGA), printed circuit boards) when they are identifiable (to the supplier) as having a DOD end-use. “ 4.e “In applicable systems, integrated circuit-related products and services shall be procured from a Trusted supplier accredited by the Defense Microelectronics Activity (DMEA) when they are custom-designed, custommanufactured, or tailored for a specific DOD military end use (generally referred to as application-specific integrated circuits (ASIC)). “ 1.g “In coordination with the DOD CIO, the Director, Defense Intelligence Agency (DIA), and the Heads of the DOD Components, develop a strategy for managing risk in the supply chain for integrated circuit-related products and services (e.g., FPGAs, printed circuit boards) that are identifiable to the supplier as specifically created or modified for DOD (e.g., military temperature range, radiation hardened).
|
| SPR-436 |
The [organization] shall require the developer of the system, system component, or system services to demonstrate the use of a system development life cycle that includes [state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-9}{SA-3,SA-4(3)}
|
Examples of good security practices would be using defense-in-depth tactics across the board, least-privilege being implemented, two factor authentication everywhere possible, using DevSecOps, implementing and validating adherence to secure coding standards, performing static code analysis, component/origin analysis for open source, fuzzing/dynamic analysis with abuse cases, etc.
|
| SPR-452 |
The [spacecraft] shall deny commands, data requests, and connections from revoked identities and shall generate an audit record for each denial.{SV-AC-4,SV-DCO-1}{AC-3,AC-3(8),AU-2,AU-12}
|
Explicit denial and logging strengthens accountability. Automated enforcement reduces reliance on manual monitoring. Recorded denials support forensic investigation. Policy adherence strengthens defense.
|
| SPR-454 |
The [spacecraft] shall tag telemetry and logs produced during override and shall automatically restore standard enforcement when exit conditions are met or after [Program-defined timeout].{SV-AC-4,SV-DCO-1}{AC-3(10),AU-3,AU-12}
|
Override transparency ensures operators are aware of elevated state. Automatic restoration prevents lingering weakened posture. Structured tagging supports audit and review. Governance reduces accidental persistence.
|
| SPR-455 |
The [spacecraft] shall restrict access to flight software executables, cryptographic material, command dictionaries, and [organization]-defined sensitive payload data to the privileged execution domain and shall deny all other access by default.{SV-AC-1,SV-AC-3,SV-IT-3}{AC-3(11),AC-6}
|
Flight executables and cryptographic materials are high-value targets. Restricting access reduces exploitation pathways. Default deny enforces least privilege. Segmentation enhances resilience.
|
| SPR-456 |
The [spacecraft] shall implement OS or hardware enforcement for these restrictions and shall log any attempted access violations.{SV-AC-1,SV-DCO-1}{AC-3,AC-3(11)}
|
Hardware-enforced policy is harder to bypass than software-only controls. Logging violations supports detection and response. Layered enforcement strengthens assurance. Technical barriers reinforce governance intent.
|
| SPR-460 |
The [spacecraft] shall record transitive forwarding decisions and rejections in cyber relevant audit data for downlink.{SV-DCO-1}{CA-3(7),AU-3,AU-12}
|
Audit records of forwarding and rejection decisions enable forensic reconstruction. Visibility into routing logic prevents covert channel abuse. Logged rejections demonstrate enforcement of policy. Downlink visibility strengthens ground oversight.
|
| SPR-468 |
The [spacecraft] shall detect and report the connection of any unauthorized or unknown component to onboard interfaces.{SV-SP-5,SV-SP-4}{PE-20,CM-8(3),SI-4}
|
Hardware implants pose existential mission risk. Detection of unknown components prevents covert insertion. Automated alerting reduces dwell time. Inventory integrity supports physical security.
|
| SPR-479 |
The [organization] shall define, baseline, and maintain the purposing of the space platform and link segment, including intended objectives, authorized capabilities, prohibited functions, and operational constraints, and shall use this baseline to bound requirements, updates, and on-orbit operations.{SV-AC-8,SV-MA-6}{PM-32,PL-8}
|
Defining authorized and prohibited functions prevents scope creep. Clear purposing bounds updates and operational use. Governance limits misuse potential. Structured baseline supports disciplined operations.
|
| SPR-490 |
The [spacecraft] shall ensure cross domain exchanges occur only through [organization] defined, verified guards that enforce format, rate, and content checks.{SV-AC-6,SV-IT-2}{AC-4,SC-7,SC-32(1)}
|
Verified guards ensure controlled data exchange. Format and rate checks prevent covert channel exploitation. Enforced mediation supports mandatory control. Guarded exchange strengthens isolation.
|
| SPR-495 |
The [spacecraft] shall detect impending failure of security components and initiate controlled failover to preserve confidentiality, integrity, and availability.{SV-MA-5,SV-DCO-1}{SI-4,SI-13,CP-10}
|
Early detection prevents cascading compromise. Controlled switchover maintains CIA properties. Structured alerting enhances situational awareness. Fault handling preserves assurance.
|
| SPR-514 |
The [spacecraft] shall emit a standardized accept/reject reason code for every telecommand, including mode/precondition results, parameter/range/sequence checks, and rate/temporal‑limit evaluations, and shall include the code in downlinked audit.{SV-DCO-1}{AU-3,AU-12}
|
Consistent reason codes enhance operator clarity and forensic traceability. Transparent rejection rationale reduces ambiguity. Downlinked codes support ground analysis. Deterministic feedback strengthens accountability.
|
| SPR-516 |
The [organization] shall define,and the [spacecraft] shall enforce,guardrails for any unauthenticated discovery beacons (if used), limiting content to non‑sensitive signals that cannot enable timing/key inference, preventing state change via those paths, narrowing content in safe mode, and validating behavior in simulators/flatsats.{SV-CF-2,SV-IT-1}{AC-4,AC-14}
|
Discovery mechanisms can leak sensitive timing or state information. Guardrails restrict beacon content to non-sensitive data. Controlled discovery reduces inference risk.
|
| SPR-517 |
The [organization] shall correlate station/operator session activity with pass schedules and spacecraft mode, alert on off‑schedule access and command families invalid for the current mode, and retain results as audit evidence.{SV-AC-4,SV-AC-1,SV-AV-4}{AC-17,AC-17(1),SI-4,AU-6}
|
Off-schedule or mode-inconsistent commands signal compromise. Correlation across dimensions strengthens anomaly detection. Audit retention supports post-event review. Context validation strengthens mission assurance.
|
| SPR-519 |
The [spacecraft] shall cryptographically bind audit records to their origin using per‑record MACs/signatures or sequence‑linked hashes and include station/operator ID and selected RF/link indicators (e.g., SNR/BER, frame counters) when available; ground shall verify and log the results.{SV-IT-2,SV-AC-2,SV-DCO-1}{AU-3,AU-3(1),AU-9,AU-9(2),AU-10}
|
Per-record signatures prevent tampering or replay. Sequence linkage detects gaps. Including RF indicators enhances forensic value. Verified logging strengthens evidentiary integrity.
|
| SPR-522 |
The [organization] shall implement a canonical time base and identifiers (station ID, session ID, command ID/APID, image/bitstream IDs) across TT&C front ends, consoles, and on‑board logs and shall de‑duplicate and gap‑detect during aggregation with rules for the source of truth for command history.{SV-IT-1,SV-AC-2,SV-DCO-1}{AU-6,AU-6(4),AU-8,IA-4}
|
Unified identifiers prevent ambiguity in command history. Gap detection identifies dropped or spoofed entries. Clear source-of-truth logic prevents dispute. Time discipline strengthens forensic precision.
|
| SPR-523 |
The [organization] shall define and implement a common audit schema for flight and ground that supports event tiering, consistent identifiers/time bases, and dynamic elevation/suppression of categories by phase/mode; ground aggregators shall normalize and integrity‑check records.{SV-DCO-1}{AU-1,AU-6,AU-12}
|
Normalization supports cross-domain correlation. Tiered categories enable adaptive visibility. Integrity checks prevent log injection. Structured schema strengthens systemic monitoring.
|
| SPR-525 |
The [organization] shall enforce least privilege and separation of duties for audit data (distinct roles for viewing, exporting, administering logs), apply heightened protections to sensitive categories (e.g., crypto operations), and provide break‑glass pathways with strong auditing.{SV-AC-4}{AC-6,AU-9,AU-9(5)}
|
Separation of duties prevents misuse of logs. Break-glass pathways preserve emergency access with oversight. Heightened protections reduce tampering risk. Structured governance strengthens trust.
|
| SPR-527 |
The [organization] shall ingest vendor advisories, SBOM deltas, and provenance changes for components/toolchains into the Continuous Monitoring Program and correlate exposure with the “as‑flown” configuration to prioritize mitigations.{SV-SP-6,SV-SP-4,SV-DCO-1}{CA-7,CA-7(6),CM-8}
|
Exposure must be evaluated against actual deployed versions. SBOM deltas enable precise mitigation prioritization. Continuous ingestion strengthens responsiveness. Configuration awareness improves risk management.
|
| SPR-530 |
The [spacecraft] shall enable selected maintenance capabilities only within time‑bounded and mode‑bounded windows, audit enable/disable events, auto‑revert on timeout/reset, and expose enabled/disabled capability state in telemetry.{SV-AC-8,SV-AC-4}{CM-7,CM-7(2),SA-8,SA-8(14),AC-3}
|
Maintenance capabilities expand risk surface. Time-limited activation reduces abuse window. Telemetry exposure ensures oversight. Auto-revert strengthens containment.
|
| SPR-534 |
The [organization] shall deploy deception/canary artifacts in ground TT&C environments (e.g., decoy credentials, fake repositories, canary procedures that never propagate to flight) and integrate alerts into incident handling; mechanisms shall not induce hazardous commanding.{SV-AC-4,SV-MA-7}{IR-4,IR-4(12),SI-4}
|
Canary artifacts reveal credential misuse or lateral movement. Integration with incident handling accelerates response. Mechanisms must not impact flight safety. Controlled deception strengthens detection.
|
| SPR-536 |
The [organization] shall capture on‑board and ground evidence, produce an “as‑run” timeline with decisions/assumptions, and feed findings into updated playbooks, training, twin/flatsat scenarios, risk registers, and baselines, verifying changes via rehearsal.{SV-DCO-1}{IR-4,CA-7}
|
Post-incident reconstruction improves institutional learning. Feeding findings into twins and training strengthens preparedness. Verification via rehearsal ensures improvement. Continuous feedback supports maturity.
|
| SPR-537 |
The [organization] shall define event‑driven triggers for rapid risk reassessment (e.g., new images/bitstreams, key rotations, partner‑station onboarding, notable anomalies, vendor advisories) and rehearse fast‑turn evaluations in a twin/flatsat to drive decisions within one or two passes.{SV-SP-6,SV-SP-9}{RA-3,RA-3(1),CA-7}
|
Triggers ensure timely re-evaluation after impactful events. Flatsat rehearsal validates mitigation feasibility. Rapid cycles align with limited contact windows. Structured agility strengthens mission defense.
|
| SPR-538 |
The [spacecraft] shall budget CPU/power/memory for security functions (crypto, logging, verification), implement graceful degradation (e.g., summarize logs, throttle verification) that preserves TT&C and safing, and expose telemetry showing throttling decisions and residual capacity.{SV-AV-1,SV-DCO-1}{PE-9,SA-8(8),SC-6,CP-2}
|
Security must not starve essential TT&C. Explicit resource budgeting ensures sustained enforcement. Graceful degradation preserves mission priority. Telemetry visibility supports oversight.
|
| SPR-546 |
The [organization] shall restrict removable media and peripheral device use within TT&C enclaves to [organization]-approved cases, enforce port/media controls on modulation chains and control hosts, and re‑validate enable/disable states after maintenance.{SV-MA-7,SV-SP-4}{SC-41,MP-7}
|
Media introduces malware and exfiltration risk. Port controls limit unauthorized insertion. Re-validation ensures configuration integrity post-maintenance. Controlled access strengthens enclave protection.
|
| SPR-550 |
The [spacecraft] shall provide authenticated, auditable commands to inhibit or narrow subsystems/functions without risking loss of recovery paths, with explicit telemetry confirming resultant state; ground systems shall provide authenticated RF‑transmitter inhibits and rack‑level power controls with audit.{SV-AC-8,SV-MA-7}{PE-10,AC-6,AC-6(5),IA-2}
|
Controlled inhibit functions enable safe containment. Explicit telemetry confirms resultant state. Ground RF inhibits add physical-layer safety. Auditable containment strengthens operational control.
|