| SPR-1 |
The [spacecraft] shall implement a reference monitor mechanism that mediates access between subjects and objects based on a defined set of rules, that is designed and configured to resist tampering or unauthorized alteration, providing a reliable and secure foundation for access control within the information system.{SV-AC-1,SV-AC-4,SV-SP-7}{AC-25}
|
A reference monitor provides the foundational enforcement point for all access control decisions within the spacecraft. Without a tamper-resistant mediation layer, compromised flight software or malicious code could directly access critical memory, processes, or hardware interfaces. The mechanism must be isolated from modifiable flight software to preserve integrity under adversarial conditions.
|
| SPR-2 |
The [spacecraft] shall ensure that sensitive information can only be accessed by personnel with appropriate roles and an explicit need for such information to perform their duties.{SV-CF-3,SV-AC-4}{AC-3(11),CM-12}
|
Space system sensitive information can include a wide range of candidate material: functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of link segment protections subject to disabling/bypassing, failure/anomaly resolution, and any other sensitive information related to architecture, software, and mission operations.
|
| SPR-95 |
The [spacecraft] shall enforce an attribute-based access control policy over subjects and objects as defined in AC-3(3).{SV-AC-1,SV-AC-4}{AC-3(13)}
|
Attribute-based access control (ABAC) enables dynamic, context-aware enforcement beyond static role assignments. This reduces privilege abuse and insider misuse by incorporating mission state, location, and environmental factors into decisions. ABAC supports least privilege while enabling operational flexibility. Proper enforcement limits lateral movement and unauthorized data access.
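The following is an added illustration, not part of the requirements document or any project's flight software: a minimal reference monitor in the sense of SPR-1 (one enforcement point that every subject/object access passes through, default deny) whose rules are attribute-based in the sense of SPR-95 (decisions consider the subject's role, the object's sensitivity and environment attributes such as mission mode and pass state). The subject, object and environment attributes, the three rules and the mode names are constructed for the example; real isolation of the monitor from flight software needs hardware or kernel support that a Python sketch cannot provide.

```python
"""Added example: reference monitor with attribute-based rules (SPR-1, SPR-95).
All names and rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Subject:
    ident: str
    role: str                 # constructed roles: "operator", "flight_director"


@dataclass(frozen=True)
class Obj:
    name: str
    sensitivity: str          # constructed labels: "routine" or "critical"


@dataclass(frozen=True)
class Env:
    mode: str                 # constructed modes: "nominal", "safe", "maintenance"
    pass_active: bool         # a ground contact is currently scheduled


Rule = Callable[[Subject, Obj, str, Env], bool]


# Constructed attribute-based rules. Each returns True only when it permits
# the access; anything that no rule permits is denied (default deny).
def operator_routine(s: Subject, o: Obj, action: str, env: Env) -> bool:
    return s.role == "operator" and o.sensitivity == "routine" and env.pass_active


def flight_director_critical(s: Subject, o: Obj, action: str, env: Env) -> bool:
    # Critical objects: flight director only, during a pass, never in safe mode.
    return (s.role == "flight_director" and o.sensitivity == "critical"
            and env.pass_active and env.mode != "safe")


def telemetry_read(s: Subject, o: Obj, action: str, env: Env) -> bool:
    return action == "read" and o.name.startswith("tlm/")


class ReferenceMonitor:
    """Single mediation point: every access decision goes through check().
    The rule tuple is fixed at construction and not exposed for modification,
    mirroring the requirement that the monitor be isolated from the software
    it mediates."""

    def __init__(self, rules: Iterable[Rule]):
        self._rules = tuple(rules)
        self.audit = []          # (subject, object, action, mode, decision)

    def check(self, subject: Subject, obj: Obj, action: str, env: Env) -> bool:
        decision = any(rule(subject, obj, action, env) for rule in self._rules)
        self.audit.append((subject.ident, obj.name, action, env.mode, decision))
        return decision


def build_monitor() -> ReferenceMonitor:
    return ReferenceMonitor([operator_routine, flight_director_critical, telemetry_read])


if __name__ == "__main__":
    rm = build_monitor()
    fd = Subject("fd1", "flight_director")
    print(rm.check(fd, Obj("cmd/thruster_fire", "critical"), "execute", Env("safe", True)))
```

The point to carry over to a real design is the shape, not the rules: a single `check()` that every caller must go through, a rule set that callers cannot mutate, and an audit entry for every decision, allowed or denied.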
|
| SPR-97 |
All [spacecraft] commands that have unrecoverable consequences must have dual authentication prior to command execution. The [spacecraft] shall verify two independent cryptographic approvals prior to execution and shall generate an audit record binding both approver identifiers to the command identifier, time, and outcome.{SV-AC-4,SV-AC-8,SV-AC-2}{AU-9(5),IA-3,IA-4,IA-10,PE-3,PM-12,SA-8(15),SA-8(21),SC-16(2),SC-16(3),SI-3(8),SI-3(9),SI-4(13),SI-4(25),SI-7(12),SI-10(6),SI-13}
|
Commands with irreversible impact require heightened assurance to prevent catastrophic mission loss. Dual independent cryptographic approvals mitigate insider threat, key compromise, and single-point credential abuse. Binding approver identifiers to the audit trail strengthens accountability and deterrence. This reduces the probability of unauthorized hazardous command execution.
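As an added example (not code from the requirements document or from any flight system), the check SPR-97 describes on the spacecraft side: a hazardous command executes only when two valid approvals from two distinct approvers are presented, and every decision, executed or denied, produces an audit record binding the approver identifiers to the command identifier, time and outcome. HMAC-SHA256 with per-approver keys stands in for the digital signatures a real system would use; the keys, approver identifiers, hazardous opcodes and command fields are constructed.

```python
"""Added example: dual independent approvals for hazardous commands (SPR-97).
Keys, approver ids and opcodes are constructed; HMAC stands in for signatures."""
import hashlib
import hmac
import json
import time

# Constructed per-approver keys; a real system keeps each in a separate
# token or HSM so that no single party can produce both approvals.
APPROVER_KEYS = {
    "fd-alice": b"constructed-key-alice",
    "mo-bob": b"constructed-key-bob",
}
# Constructed set of opcodes with unrecoverable consequences.
HAZARDOUS = {"THRUSTER_FIRE", "DEPLOY_ARRAY", "LOAD_FSW"}


def canonical(cmd: dict) -> bytes:
    """Stable encoding so every approval covers exactly the same bytes
    (command id, opcode, arguments and sequence counter)."""
    return json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()


def approve(cmd: dict, approver: str) -> dict:
    """Approver side: approval token over the canonical command."""
    tag = hmac.new(APPROVER_KEYS[approver], canonical(cmd), hashlib.sha256).hexdigest()
    return {"approver": approver, "tag": tag}


def verify_approval(cmd: dict, approval: dict) -> bool:
    key = APPROVER_KEYS.get(approval.get("approver"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(cmd), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(approval.get("tag", "")))


def authorize_command(cmd: dict, approvals: list, audit: list, now=None) -> bool:
    """Spacecraft side. Hazardous opcodes need two valid approvals from two
    distinct approvers; every decision is audited with the approver ids,
    the command id, the time and the outcome."""
    now = time.time() if now is None else now
    valid = sorted({a["approver"] for a in approvals if verify_approval(cmd, a)})
    required = 2 if cmd["opcode"] in HAZARDOUS else 0
    outcome = "EXECUTED" if len(valid) >= required else "DENIED"
    audit.append({
        "command_id": cmd["id"], "opcode": cmd["opcode"], "time": now,
        "presented": sorted({str(a.get("approver")) for a in approvals}),
        "valid_approvers": valid, "required": required, "outcome": outcome,
    })
    return outcome == "EXECUTED"


if __name__ == "__main__":
    log = []
    cmd = {"id": "C-1001", "opcode": "THRUSTER_FIRE", "args": [2.5], "seq": 42}
    ok = authorize_command(cmd, [approve(cmd, "fd-alice"), approve(cmd, "mo-bob")], log)
    print(ok, log[-1])
```

Two details matter for the "independent" part of the requirement: the same approver presented twice counts once (the set of valid approver identifiers is what is counted), and an approval is bound to the canonical bytes of one command including its sequence counter, so an approval captured for one command does not carry over to a re-sent copy.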
|
| SPR-156 |
The [spacecraft] shall enforce access restrictions associated with changes to the spacecraft.{SV-SP-9,SV-AC-4}{CM-5}
|
Configuration changes may introduce vulnerabilities. Restricting and auditing change access preserves baseline integrity. Controlled modification reduces insider threat. Change governance supports mission assurance.
|
| SPR-160 |
The [spacecraft] shall enforce access controls to restrict and monitor critical commands.{SV-AC-8,SV-AC-4}{AC-17(4)}
|
Critical commands will vary across missions and systems but commonly include commands resulting in maneuvering of the spacecraft or modifying on-board configurations/software.
|
| SPR-161 |
The [spacecraft] shall log and monitor critical activities to detect and respond to unauthorized or malicious activities.{SV-DCO-1,SV-AC-4}{AC-6(9),AC-17(4)}
|
Critical commands will vary across missions and systems but commonly include commands resulting in maneuvering of the spacecraft or modifying on-board configurations/software.
|
| SPR-164 |
The [spacecraft] shall implement access control mechanisms to ensure that individuals with privileged access only utilize their privileges as necessary to perform their official duties.{SV-AC-4}{AC-6(9)}
|
Privileged users must operate within defined boundaries. Monitoring and constraint reduce insider misuse. Privilege minimization lowers damage potential. Accountability deters abuse.
|
| SPR-177 |
The [spacecraft] shall automatically generate audit records of the configuration management access enforcement actions.{SV-AC-4,SV-DCO-1}{CM-5(1)}
|
Recording enforcement actions provides accountability for access control decisions. This enables detection of policy violations or privilege misuse. Audit visibility strengthens governance. Security controls must themselves be auditable.
|
| SPR-178 |
The [spacecraft] shall limit changes to system components and system-related information during operations.{SV-SP-9,SV-AC-4}{CM-5(5)}
|
Uncontrolled changes during operations introduce instability and increase exploitation risk. Restricting modifications reduces insider threat and unauthorized configuration drift. Operational stability is critical in space systems where rollback may be impossible. Controlled change windows preserve mission integrity.
|
| SPR-234 |
The [organization] shall develop and document program-specific identification and authentication policies for accessing the development environment and spacecraft.{SV-SP-10,SV-AC-4}{AC-3,AC-14,IA-1,SA-3,SA-3(1)}
|
Strong authentication prevents unauthorized development access. Development compromise can introduce malicious code. Documented policies ensure consistent enforcement. Identity governance supports supply chain integrity.
|
| SPR-262 |
The [organization] includes security awareness training on recognizing and reporting potential indicators of insider threat.{SV-AC-4}{AT-2(2),IR-4(6),IR-6,IR-6(2),PM-16}
|
Authorized users present significant risk vectors. Awareness training improves detection of anomalous behavior. Early reporting reduces insider dwell time. Human vigilance complements technical controls.
|
| SPR-281 |
The [organization] shall have an Insider Threat Program to aid in the detection and prevention of people with authorized access to perform malicious activities.{SV-AC-4}{AT-2(2),IR-4(6),IR-4(7),PM-12,PM-16}
|
Formal insider programs provide monitoring, reporting, and mitigation mechanisms. Behavioral analysis strengthens early detection. Structured governance reduces insider impact. Policy-backed programs improve deterrence.
|
| SPR-292 |
The [organization] shall ensure that role-based security-related training is provided to personnel with assigned security roles and responsibilities: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) at least annually thereafter.{SV-AC-4}{AT-3,CP-2}
|
Personnel must understand role-specific responsibilities. Tailored training reduces misuse. Continuous reinforcement maintains awareness. Human factors are central to defense.
|
| SPR-338 |
The [organization] shall define the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and [organization]s).{SV-AC-4}{AT-2}
|
Regular reinforcement maintains security awareness. Training frequency should reflect mission risk and evolving threat landscape. Structured scheduling ensures consistency. Ongoing education supports defense readiness.
|
| SPR-339 |
The [organization] shall ensure that basic security awareness training is provided to all information system users (including managers, senior executives, and [organization]s) as part of initial training for new users, when required by information system changes, and at frequency defined by the [organization].{SV-AC-4}{AT-2}
|
Baseline awareness reduces human error and insider risk. Training at onboarding and after system changes ensures up-to-date knowledge. All user levels require awareness, including executives. Human factors remain a core defense layer.
|
| SPR-340 |
The [organization] shall determine the mission-specific role security training based on the assigned roles and responsibilities of individuals and the specific security requirements of [organization] and the systems to which personnel have authorized access.{SV-AC-4}{AT-3}
|
Different roles carry different risk exposure. Tailored training ensures personnel understand mission-specific responsibilities. Context-driven education strengthens compliance. Role clarity reduces misuse risk.
|
| SPR-344 |
The [organization] shall have an Insider Threat Program to aid in the prevention of people with authorized access to perform malicious activities.{SV-AC-4}{PM-12,AT-2(2),IR-4(7)}
|
Note: These are not spacecraft requirements but are important to call out; they are likely covered under other requirements by the customer.
|
| SPR-347 |
The [organization] shall establish a cross-discipline insider threat incident response & handling team.{SV-AC-4}{PM-12}
|
Complex insider risks require multi-domain coordination. Cross-functional teams improve detection and response. Unified oversight strengthens accountability. Structured programs deter malicious behavior.
|
| SPR-348 |
The [organization] shall establish policy and procedures to prevent unauthorized personnel from masquerading as personnel with valid access to areas where commanding of the spacecraft is possible.{SV-AC-4,SV-AC-1}{PM-12}
|
Unauthorized impersonation risks mission compromise. Physical and logical controls prevent access misuse. Clear policy deters credential abuse. Identity assurance is essential for command authority.
|
| SPR-350 |
The [organization] shall screen all personnel supporting management and development to ensure they meet the appropriate ADP/IT level designation requirements IAW DoD 5200.2-R prior to authorizing access to the information or system.{SV-AC-4}{PS-3}
|
Personnel vetting reduces insider risk exposure. Compliance with DoD screening standards ensures appropriate trust levels. Credentialed access must align with sensitivity. Governance strengthens workforce integrity.
|
| SPR-351 |
The [organization], upon termination of individual employment, disables information system access within [TBD minutes] of termination.{SV-AC-4}{PS-4}
|
Prompt access revocation reduces residual insider risk. Delay creates opportunity for misuse. Defined timelines ensure enforceable standards. Termination governance protects system integrity.
|
| SPR-352 |
The [organization] shall maintain records of termination/revocation of any authenticators/credentials.{SV-AC-4}{PS-4}
|
Recordkeeping ensures accountability and traceability. Historical data supports audits and investigations. Documentation strengthens governance oversight. Proper revocation tracking reduces risk of reinstatement errors.
|
| SPR-353 |
The [organization] shall, upon termination of individual employment, terminate/revoke any authenticators/credentials associated with the individual.{SV-AC-4,SV-AC-1}{PS-4}
|
Immediate revocation prevents credential reuse. Deprovisioning reduces exposure window. Controlled offboarding supports lifecycle security. Identity lifecycle management is critical.
|
| SPR-354 |
The [organization], upon termination of individual employment, disables information system access within 3 minutes of termination.{SV-AC-4}{PS-4}
|
Immediate revocation reduces exposure window. Controlled offboarding supports lifecycle security. Reducing system access helps prevent abuse.
|
| SPR-356 |
The [organization] shall have a two-man rule to achieve a high level of security for systems with command level access to the spacecraft. (Under this rule all access and actions require the presence of two authorized people at all times.){SV-AC-4}{PE-3}
|
Note: These are not spacecraft requirements but are important to call out; they are likely covered under other requirements by the customer.
|
| SPR-364 |
The [organization] shall identify, develop, and document the applicable program security awareness and training policies.{SV-AC-4}{AT-1}
|
Formal policy establishes training expectations. Documentation ensures consistency across lifecycle. Governance supports measurable compliance. Structured awareness enhances human resilience.
|
| SPR-394 |
The [organization] shall implement a two-person rule, or similar dual authorization mechanism, for all changes to the SV configuration, and such actions should only be conducted with documented change control board approval.{SV-AC-4}{CM-3(8)}
|
Dual authorization reduces insider threat and accidental misconfiguration. Change board approval ensures structured governance. Sensitive changes require accountability. Multi-party validation enhances resilience.
|
| SPR-410 |
The [organization] shall define, document, and approve access restrictions associated with changes to the spacecraft.{SV-AC-1,SV-AC-4}{CM-5}
|
Changes to spacecraft configuration must be controlled. Clear restrictions prevent unauthorized modification. Structured access governance reduces insider risk. Accountability supports traceability.
|
| SPR-412 |
The [organization] shall define the criteria (i.e., updates to physical controls) in addition to the frequency for providing refresher physical security awareness training to all information system users (including managers, senior executives, and [organization]s).{SV-AC-4}{AT-3(2)}
|
Physical access controls protect hardware integrity. Updated criteria reflect evolving threats. Regular reinforcement maintains vigilance. Human factors remain critical.
|
| SPR-413 |
Clear process ensures personnel understand physical safeguards. Structured training reduces unauthorized access risk. Education strengthens compliance. Physical security supports cyber resilience.{SV-AC-4}{AT-3(2)}
|
Clear process ensures personnel understand physical safeguards. Structured training reduces unauthorized access risk. Education strengthens compliance. Physical security supports cyber resilience.
|
| SPR-414 |
The [organization] shall identify and document training activities to include basic security awareness training (per AT-2) and role-based security related training (per AT-3).{SV-AC-4}{AT-4}
|
Formal documentation ensures traceable compliance. Clear identification distinguishes baseline vs role-based training. Governance ensures consistent implementation. Structured awareness strengthens defense posture.
|
| SPR-417 |
The [organization] shall use automated mechanisms to: prohibit changes to the system until designated approvals are received; document all implemented changes to the system; document proposed changes to the system; highlight proposed changes to the system that have not been approved or disapproved by [time_period]; notify [authorities] of proposed changes to the system and request change approval; and notify [personnel] when approved changes to the system are completed.{SV-AC-4,SV-SP-9}{CM-3(1)}
|
Automation enforces approval workflows and prevents unauthorized modification. Structured documentation improves audit traceability. Notifications ensure accountability. Automated governance reduces human error.
|
| SPR-418 |
The [organization] shall define a process to limit privileges to change system components and system-related information within a production or operational environment.{SV-AC-4,SV-AC-1}{CM-5(5)}
|
Operational environments require strict change control. Limiting privileges reduces insider exploitation risk. Controlled modification protects mission stability. Governance supports reliability.
|
| SPR-422 |
The [organization] shall establish and maintain an accountability mechanism for tracking individuals responsible for spacecraft components (e.g., assign components to individuals within inventory documentation).{SV-AC-4}{CM-8(4)}
|
Assigning responsibility enhances traceability and oversight. Accountability deters negligent handling. Clear ownership supports configuration integrity. Governance reinforces trust.
|
| SPR-430 |
The [organization] shall employ privileged access authorization to applications and components for vulnerability scanning activities.{SV-AC-4}{RA-5(5)}
|
Scanning requires elevated permissions. Controlled authorization prevents misuse. Clear privilege boundaries reduce exposure. Governance balances testing with protection.
|
| SPR-447 |
The [organization] shall have physical security controls to prevent unauthorized access to the systems that have the ability to command the spacecraft.{SV-AC-4}{PE-3}
|
Note: These are not spacecraft requirements but are important to call out; they are likely covered under other requirements by the customer.
|
| SPR-449 |
The [spacecraft] shall enforce mandatory access control over subjects and objects.{SV-AC-1,SV-AC-4}{AC-3,AC-3(3)}
|
MAC ensures centrally enforced policy cannot be overridden by subjects. Strong policy binding reduces discretionary abuse. Deterministic enforcement enhances mission protection. Strict separation strengthens confidentiality and integrity.
|
| SPR-451 |
The [spacecraft] shall ingest [organization]-defined revocation updates to onboard access control lists and attribute sets and shall enforce revocation within [Program-defined time] of receipt.{SV-AC-4,SV-AC-3}{AC-3(8)}
|
Timely revocation prevents continued access by compromised identities. Defined enforcement timelines reduce residual exposure. Structured update ingestion strengthens identity governance. Rapid revocation reduces insider and key compromise risk.
|
| SPR-452 |
The [spacecraft] shall deny commands, data requests, and connections from revoked identities and shall generate an audit record for each denial.{SV-AC-4,SV-DCO-1}{AC-3,AC-3(8),AU-2,AU-12}
|
Explicit denial and logging strengthen accountability. Automated enforcement reduces reliance on manual monitoring. Recorded denials support forensic investigation. Policy adherence strengthens defense.
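An added example (not from the requirements document) for SPR-451 and SPR-452 together: an onboard access table that ingests a revocation update, records the latency between receipt and enforcement against a program-defined window, and afterwards denies commands, data requests and connections from the revoked identity with one audit record per denial. The identities, timestamps and the 60-second window are constructed stand-ins.

```python
"""Added example: revocation ingestion with an enforcement window and audited
denials (SPR-451, SPR-452). Identities, times and the window are constructed."""
from dataclasses import dataclass, field

ENFORCE_WINDOW_S = 60.0   # stand-in for [Program-defined time]


@dataclass
class OnboardAccessTable:
    allowed: set                                   # identities currently permitted
    revoked: dict = field(default_factory=dict)    # identity -> time revocation applied
    audit: list = field(default_factory=list)

    def ingest_revocation(self, identity: str, received_at: float, now: float) -> bool:
        """Apply a revocation update. Returns True when it was enforced within
        the window of receipt. A late application is still enforced, but the
        audit record flags it so the lateness is visible on the ground."""
        self.allowed.discard(identity)
        self.revoked[identity] = now
        latency = now - received_at
        within = latency <= ENFORCE_WINDOW_S
        self.audit.append({"event": "REVOCATION_APPLIED", "identity": identity,
                           "received": received_at, "applied": now,
                           "latency_s": latency, "within_window": within})
        return within

    def admit(self, identity: str, kind: str, now: float) -> bool:
        """kind is 'command', 'data_request' or 'connection'. Revoked and
        unknown identities are denied and every denial is audited."""
        if identity in self.revoked:
            self.audit.append({"event": "DENIED_REVOKED", "identity": identity,
                               "kind": kind, "time": now,
                               "revoked_at": self.revoked[identity]})
            return False
        if identity not in self.allowed:
            self.audit.append({"event": "DENIED_UNKNOWN", "identity": identity,
                               "kind": kind, "time": now})
            return False
        return True

    def overdue_count(self) -> int:
        """Number of revocations that missed the enforcement window."""
        return sum(1 for e in self.audit
                   if e["event"] == "REVOCATION_APPLIED" and not e["within_window"])


if __name__ == "__main__":
    table = OnboardAccessTable(allowed={"gs-alpha", "gs-beta"})
    table.ingest_revocation("gs-alpha", received_at=100.0, now=110.0)
    print(table.admit("gs-alpha", "command", 111.0), table.audit[-1])
```

Keeping the revoked identity in its own map (rather than only removing it from the allowed set) is what lets the denial record cite when the revocation took effect, which is the evidence an investigation will ask for.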
|
| SPR-453 |
The [spacecraft] shall restrict any override of access control mechanisms to [Program-defined emergency conditions] and shall generate an auditable event for each invocation that includes the time, origin, justification code, affected functions, and exit status.{SV-AC-4}{AC-3,AC-3(10),AU-2,AU-3}
|
Overrides introduce risk and must be tightly constrained. Auditable invocation ensures accountability. Time-limited emergency use reduces misuse potential. Structured control preserves integrity.
|
| SPR-454 |
The [spacecraft] shall tag telemetry and logs produced during override and shall automatically restore standard enforcement when exit conditions are met or after [Program-defined timeout].{SV-AC-4,SV-DCO-1}{AC-3(10),AU-3,AU-12}
|
Override transparency ensures operators are aware of elevated state. Automatic restoration prevents lingering weakened posture. Structured tagging supports audit and review. Governance reduces accidental persistence.
|
| SPR-464 |
The [spacecraft] shall accept command and telemetry sessions from [organization]-authorized alternate ground or relay providers only when presented with valid cryptographic credentials and whitelisted link characteristics.{SV-IT-1,SV-AC-4,SV-MA-7}{AC-17,SC-23}
|
Accepting sessions only from authorized, cryptographically verified providers prevents rogue ground station compromise. Whitelisted link characteristics reduce spoofing risk. Strict admission control strengthens link-layer assurance. This supports TRANSEC alignment.
|
| SPR-465 |
The [spacecraft] shall provide configurable allowlists for external service providers and shall disable or revoke provider access within one contact upon Program direction.{SV-AC-4}{CP-2(7),AC-20}
|
External providers must be tightly governed. Configurable allowlists permit controlled flexibility. Revocation within one contact minimizes compromise dwell time. Agile credential governance strengthens mission continuity.
|
| SPR-513 |
The [organization] shall develop and maintain a phase‑ and mode‑aware access control policy for the mission that maps operator/station identities to command families and pass windows, defines on‑orbit key lifecycle (generation, activation, rotation, retirement), session establishment/renewal/teardown behaviors, and time‑synchronization assumptions across space and ground; the policy shall be validated in simulators/flatsats.{SV-AC-4,SV-AC-1}{AC-1,PL-2}
|
Access requirements vary by mission phase and spacecraft mode. Explicit mapping prevents inappropriate command authority. Simulator validation ensures policy feasibility. Context-aware governance supports Zero Trust principles.
|
| SPR-515 |
The [spacecraft] shall enforce discretionary access on [organization]-defined payload data stores using short‑lived, purpose‑specific grants bound to execution windows or end‑of‑pass, with automatic expiration, audited changes/uses, and integrity checks on permission metadata that survive resets/SEUs.{SV-AC-4,SV-AC-1}{AC-3(4)}
|
Ephemeral grants reduce persistence risk. Execution-window binding prevents privilege creep. Integrity checks that survive resets and SEUs keep the permission metadata trustworthy. Time-bounded access supports least privilege.
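An added example for SPR-515, not taken from the requirements document or from any flight software: grants on a payload data store are stored as serialized records carrying a keyed integrity tag over their metadata, expire automatically at the end of their window, and are audited on creation, use and denial. A constructed fault injector flips one bit of a stored record to show that a damaged grant is discarded rather than trusted. The store and grantee names, the window and the integrity key are constructed; HMAC-SHA256 stands in for whatever keyed checksum the flight software would use.

```python
"""Added example: short-lived, integrity-protected grants on a payload data
store (SPR-515). Names, key and window are constructed."""
import hashlib
import hmac
import struct

INTEGRITY_KEY = b"constructed-grant-integrity-key"   # would live in protected storage
_FMT = "<16s16s16sdd"                               # grantee, store, purpose, start, end
_BODY = struct.calcsize(_FMT)                        # 64 bytes
_TAG = hashlib.sha256().digest_size                  # 32 bytes


def encode_grant(grantee: str, store: str, purpose: str, start: float, end: float) -> bytes:
    """Serialize a grant and append a keyed integrity tag over its metadata."""
    assert max(len(grantee), len(store), len(purpose)) <= 16, "field too long for record"
    body = struct.pack(_FMT, grantee.encode(), store.encode(), purpose.encode(), start, end)
    return body + hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()


def decode_grant(record: bytes):
    """Return the grant fields, or None if the integrity tag does not verify."""
    body, tag = record[:_BODY], record[_BODY:]
    if not hmac.compare_digest(hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest(), tag):
        return None
    g, s, p, start, end = struct.unpack(_FMT, body)
    text = lambda b: b.rstrip(b"\0").decode()
    return {"grantee": text(g), "store": text(s), "purpose": text(p), "start": start, "end": end}


def flip_bit(record: bytes, bit: int) -> bytes:
    """Constructed fault injector standing in for a single-event upset."""
    buf = bytearray(record)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


class PayloadDataStore:
    def __init__(self):
        self.records = []     # encoded grants, as they would sit in onboard memory
        self.audit = []

    def grant(self, grantee, store, purpose, now, window_s):
        self.records.append(encode_grant(grantee, store, purpose, now, now + window_s))
        self.audit.append({"event": "GRANT", "grantee": grantee, "store": store,
                           "purpose": purpose, "start": now, "end": now + window_s})

    def allowed(self, grantee, store, purpose, now) -> bool:
        """Grant must match grantee, store and purpose and be inside its window."""
        for rec in list(self.records):
            g = decode_grant(rec)
            if g is None:
                self.records.remove(rec)   # fail closed: a damaged grant is discarded
                self.audit.append({"event": "INTEGRITY_FAIL", "time": now})
                continue
            if (g["grantee"], g["store"], g["purpose"]) != (grantee, store, purpose):
                continue
            if g["start"] <= now < g["end"]:
                self.audit.append({"event": "USE", "grantee": grantee, "store": store,
                                   "purpose": purpose, "time": now})
                return True
        self.audit.append({"event": "DENY", "grantee": grantee, "store": store,
                           "purpose": purpose, "time": now})
        return False

    def expire(self, now) -> int:
        """Drop grants whose window has ended or whose tag fails; returns the count removed."""
        keep, removed = [], 0
        for rec in self.records:
            g = decode_grant(rec)
            if g is not None and g["end"] > now:
                keep.append(rec)
            else:
                removed += 1
                self.audit.append({"event": "EXPIRED" if g is not None else "INTEGRITY_FAIL",
                                   "time": now})
        self.records = keep
        return removed
```

The bit position used in the test (`56 * 8 + 60`) lands inside the stored end-time field, the field an upset would most usefully corrupt from an attacker's or a fault's point of view; any single flipped bit anywhere in the 64-byte body fails the tag, so the store never acts on a widened window.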
|
| SPR-517 |
The [organization] shall correlate station/operator session activity with pass schedules and spacecraft mode, alert on off‑schedule access and command families invalid for the current mode, and retain results as audit evidence.{SV-AC-4,SV-AC-1,SV-AV-4}{AC-17,AC-17(1),SI-4,AU-6}
|
Off-schedule or mode-inconsistent commands signal compromise. Correlation across dimensions strengthens anomaly detection. Audit retention supports post-event review. Context validation strengthens mission assurance.
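The following is an added example (not the requirements document's own code) of the ground-side correlation SPR-517 calls for: session records are checked against the pass schedule and the spacecraft mode timeline, an alert is raised when a station is active off-schedule or sends a command family not valid for the mode in force, and every evaluated record is kept with the context it was judged against. The schedule, mode timeline, command-family table and the five session lines are constructed sample data in a constructed `key=value` log format.

```python
"""Added example: correlate session activity with pass schedule and mode (SPR-517).
Schedule, mode timeline, family table and log lines are constructed."""

# Constructed pass schedule: (station, start, end) in seconds of mission time.
PASS_SCHEDULE = [("gs-alpha", 1000, 1600), ("gs-beta", 2000, 2500)]
# Constructed mode timeline: the mode in force from each start time onward.
MODE_TIMELINE = [(0, "nominal"), (1500, "safe"), (2400, "nominal")]
# Constructed table of command families permitted in each mode.
FAMILIES_BY_MODE = {"nominal": {"HK", "PAYLOAD", "ADCS", "PROP"}, "safe": {"HK", "ADCS"}}

# Constructed session records as a ground system might log them.
SAMPLE_SESSIONS = [
    "t=1200 station=gs-alpha op=jdoe family=PAYLOAD",
    "t=1550 station=gs-alpha op=jdoe family=PROP",
    "t=1700 station=gs-alpha op=jdoe family=HK",
    "t=2100 station=gs-beta op=asmith family=ADCS",
    "t=2450 station=gs-gamma op=unknown family=PAYLOAD",
]


def mode_at(t: float) -> str:
    """Mode in force at time t (last timeline entry whose start is <= t)."""
    mode = MODE_TIMELINE[0][1]
    for start, m in MODE_TIMELINE:
        if start <= t:
            mode = m
    return mode


def station_scheduled(station: str, t: float) -> bool:
    return any(s == station and start <= t <= end for s, start, end in PASS_SCHEDULE)


def parse_session_line(line: str) -> dict:
    """Parse the constructed 'key=value' record format."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"time": float(fields["t"]), "station": fields["station"],
            "operator": fields["op"], "family": fields["family"]}


def correlate(lines):
    """Return (alerts, evidence). Every line yields one evidence record with
    the context it was judged against; alerts are the records with variances."""
    alerts, evidence = [], []
    for line in lines:
        s = parse_session_line(line)
        mode = mode_at(s["time"])
        scheduled = station_scheduled(s["station"], s["time"])
        reasons = []
        if not scheduled:
            reasons.append("OFF_SCHEDULE")
        if s["family"] not in FAMILIES_BY_MODE.get(mode, set()):
            reasons.append("FAMILY_INVALID_FOR_MODE")
        rec = dict(s, mode=mode, scheduled=scheduled, reasons=reasons, raw=line)
        evidence.append(rec)
        if reasons:
            alerts.append(rec)
    return alerts, evidence


if __name__ == "__main__":
    found, kept = correlate(SAMPLE_SESSIONS)
    for a in found:
        print(a["time"], a["station"], a["reasons"])
```

Retaining the non-alerting records too (the `evidence` list) is deliberate: the requirement asks for results as audit evidence, and a reviewer later needs to see that a quiet pass was actually checked, not only the passes that fired.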
|
| SPR-518 |
The [organization] shall require external stations/relays to complete an onboarding certification demonstrating operator/facility vetting, key custody and revocation practices, RF configuration discipline, time synchronization, and adherence to pass scheduling and emergency procedures, with periodic re‑certification.{SV-MA-7,SV-AC-4}{AC-17,AC-20,AC-20(1),SR-6}
|
Relay and partner stations expand trust boundaries. Certification ensures consistent security practices. Periodic re-validation prevents drift. External governance strengthens link integrity.
|
| SPR-525 |
The [organization] shall enforce least privilege and separation of duties for audit data (distinct roles for viewing, exporting, administering logs), apply heightened protections to sensitive categories (e.g., crypto operations), and provide break‑glass pathways with strong auditing.{SV-AC-4}{AC-6,AU-9,AU-9(5)}
|
Separation of duties prevents misuse of logs. Break-glass pathways preserve emergency access with oversight. Heightened protections reduce tampering risk. Structured governance strengthens trust.
|
| SPR-530 |
The [spacecraft] shall enable selected maintenance capabilities only within time‑bounded and mode‑bounded windows, audit enable/disable events, auto‑revert on timeout/reset, and expose enabled/disabled capability state in telemetry.{SV-AC-8,SV-AC-4}{CM-7,CM-7(2),SA-8,SA-8(14),AC-3}
|
Maintenance capabilities expand risk surface. Time-limited activation reduces abuse window. Telemetry exposure ensures oversight. Auto-revert strengthens containment.
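An added example that is not part of the requirements document, serving SPR-453 and SPR-454 (access-control override) and SPR-530 (maintenance capabilities), which share one pattern: a bounded elevated state. Enabling is restricted to constructed justification codes standing in for [Program-defined emergency conditions]; each enable, rejection and exit produces an auditable event with time, origin, justification code, affected functions and exit status; telemetry frames built while elevated carry a tag naming the elevated functions; and standard enforcement is restored either when the operator exits or when a constructed timeout (standing in for [Program-defined timeout]) elapses. The function names, codes and timeout are assumptions of the example.

```python
"""Added example: bounded override / maintenance window with auditable events,
tagged telemetry and auto-revert (SPR-453, SPR-454, SPR-530).
Codes, timeout and function names are constructed."""

EMERGENCY_CODES = {"SAFE_MODE_RECOVERY", "LOSS_OF_ATTITUDE"}  # stand-in for [Program-defined emergency conditions]
TIMEOUT_S = 600.0                                              # stand-in for [Program-defined timeout]


class BoundedElevation:
    """One override or maintenance window at a time. Every transition is
    audited with time, origin, justification code, affected functions and
    exit status; telemetry built while elevated carries an elevation tag."""

    def __init__(self, audit: list):
        self.audit = audit
        self.active = None    # dict while elevated, else None

    def _record(self, event, now, origin, code, functions, status):
        self.audit.append({"event": event, "time": now, "origin": origin,
                           "justification": code, "functions": sorted(functions),
                           "exit_status": status})

    def enable(self, origin: str, code: str, functions: set, now: float) -> bool:
        self.tick(now)
        if code not in EMERGENCY_CODES:
            self._record("ELEVATION_REJECTED", now, origin, code, functions, "REJECTED_CODE")
            return False
        if self.active is not None:
            self._record("ELEVATION_REJECTED", now, origin, code, functions, "REJECTED_ACTIVE")
            return False
        self.active = {"origin": origin, "code": code, "functions": set(functions),
                       "start": now, "expires": now + TIMEOUT_S}
        self._record("ELEVATION_ENABLED", now, origin, code, functions, "ACTIVE")
        return True

    def _close(self, now: float, status: str):
        a, self.active = self.active, None
        self._record("ELEVATION_EXITED", now, a["origin"], a["code"], a["functions"], status)

    def tick(self, now: float):
        """Housekeeping: restore standard enforcement when the timeout elapses."""
        if self.active is not None and now >= self.active["expires"]:
            self._close(now, "TIMEOUT")

    def disable(self, now: float):
        self.tick(now)
        if self.active is not None:
            self._close(now, "OPERATOR_EXIT")

    def is_enabled(self, function: str, now: float) -> bool:
        self.tick(now)
        return self.active is not None and function in self.active["functions"]

    def telemetry_frame(self, now: float, **fields) -> dict:
        """Frame tagged with the elevated state so operators see it on the ground."""
        self.tick(now)
        frame = dict(fields, time=now, elevated=self.active is not None)
        if self.active is not None:
            frame["elevated_code"] = self.active["code"]
            frame["elevated_functions"] = sorted(self.active["functions"])
            frame["elevated_expires"] = self.active["expires"]
        return frame


if __name__ == "__main__":
    log = []
    e = BoundedElevation(log)
    e.enable("gs-alpha", "SAFE_MODE_RECOVERY", {"cmd_gate_bypass"}, now=10.0)
    print(e.telemetry_frame(30.0, battery_v=28.1))
    print(e.is_enabled("cmd_gate_bypass", 10.0 + TIMEOUT_S), log[-1]["exit_status"])
```

Every query path (`is_enabled`, `telemetry_frame`, `enable`, `disable`) runs `tick()` first, so the window cannot outlive its timeout even if the periodic housekeeping task is late; that is the property the auto-revert requirement is really asking for.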
|
| SPR-533 |
The [spacecraft] and [organization] shall adapt identification and authorization based on mission context (e.g., anomaly response, unscheduled contact, safe mode) by tightening factors/keys, narrowing station whitelists, and enforcing geo/time and mode constraints, with telemetry cues and reversion to baseline.{SV-AC-4,SV-AC-1}{IA-1,IA-5,IA-10}
|
Threat posture varies by mission state. Adaptive controls tighten during anomalies. Telemetry cues ensure transparency. Contextual enforcement supports Zero Trust maturity.
|
| SPR-534 |
The [organization] shall deploy deception/canary artifacts in ground TT&C environments (e.g., decoy credentials, fake repositories, canary procedures that never propagate to flight) and integrate alerts into incident handling; mechanisms shall not induce hazardous commanding.{SV-AC-4,SV-MA-7}{IR-4,IR-4(12),SI-4}
|
Canary artifacts reveal credential misuse or lateral movement. Integration with incident handling accelerates response. Mechanisms must not impact flight safety. Controlled deception strengthens detection.
|
| SPR-545 |
The [spacecraft] shall bind session authenticity to station identity, operator role, spacecraft mode, and time/sequence and shall expose session parameters (IDs, counters, active role/mode) in telemetry; acceptance checks shall enforce geo/time/mode and station‑whitelist constraints with clear behavior on variance.{SV-AC-4,SV-AC-1}{SC-23,SC-23(1),SC-23(3)}
|
Station, role, mode, and time binding prevents misuse. Telemetry exposure ensures traceability. Constraint enforcement reduces impersonation risk. Context binding strengthens Zero Trust alignment.
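As an added example (not code from the requirements document or from any ground or flight system), the session admission check described by SPR-545 and, for the allowlisted-provider part, SPR-464: a session request is accepted only when the station is on the allowlist, the observed link characteristics match the allowlisted ones, the station's credential verifies, the claimed time is within tolerance of onboard time, the sequence number is strictly increasing for that station, and the presented role is both authorized for that station and valid in the current spacecraft mode. Each variance rejects the session with an explicit reason code and an audit record, and the accepted session parameters are exposed through a telemetry function. The allowlist, keys, link parameters, roles, modes and skew tolerance are constructed; HMAC-SHA256 stands in for the credential a real link would carry.

```python
"""Added example: session acceptance bound to station, role, mode, time and
sequence, with allowlisted link characteristics and telemetry exposure
(SPR-464, SPR-545). Allowlist, keys, roles and tolerances are constructed."""
import hashlib
import hmac

# Constructed allowlist: per-station key, roles the station may present, and
# the expected link characteristics that must match on session setup.
STATION_ALLOWLIST = {
    "gs-alpha": {"key": b"constructed-key-alpha", "roles": {"operator", "flight_director"},
                 "link": {"uplink_mhz": 2050.0, "rate_kbps": 64}},
    "relay-1": {"key": b"constructed-key-relay1", "roles": {"operator"},
                "link": {"uplink_mhz": 2075.0, "rate_kbps": 16}},
}
ROLES_BY_MODE = {"nominal": {"operator", "flight_director"}, "safe": {"flight_director"}}
MAX_SKEW_S = 5.0   # constructed tolerance between claimed and onboard time


def _hello_bytes(station, role, session_id, seq, t) -> bytes:
    return f"{station}|{role}|{session_id}|{seq}|{t:.3f}".encode()


def make_hello(station, role, session_id, seq, t) -> dict:
    """Ground side: session request authenticated with the station's key."""
    tag = hmac.new(STATION_ALLOWLIST[station]["key"],
                   _hello_bytes(station, role, session_id, seq, t), hashlib.sha256).hexdigest()
    return {"station": station, "role": role, "session_id": session_id, "seq": seq, "time": t, "tag": tag}


def _credential_ok(st: dict, h: dict) -> bool:
    expected = hmac.new(st["key"], _hello_bytes(h["station"], h["role"], h["session_id"],
                                                 h["seq"], h["time"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(h["tag"]))


class SessionGate:
    def __init__(self, mode="nominal"):
        self.mode = mode
        self.last_seq = {}      # station -> highest accepted sequence number
        self.sessions = {}      # session_id -> (station, role)
        self.audit = []

    def set_mode(self, mode):
        self.mode = mode

    def accept(self, hello: dict, now: float, link: dict):
        """Return (accepted, reason). Checks run in a fixed order; the first
        variance rejects the session with an explicit reason code."""
        st = STATION_ALLOWLIST.get(hello["station"])
        reason = None
        if st is None:
            reason = "STATION_NOT_ALLOWLISTED"
        elif link != st["link"]:
            reason = "LINK_MISMATCH"
        elif not _credential_ok(st, hello):
            reason = "BAD_CREDENTIAL"
        elif abs(hello["time"] - now) > MAX_SKEW_S:
            reason = "TIME_SKEW"
        elif hello["seq"] <= self.last_seq.get(hello["station"], -1):
            reason = "SEQ_NOT_MONOTONIC"
        elif hello["role"] not in st["roles"]:
            reason = "ROLE_NOT_AUTHORIZED_FOR_STATION"
        elif hello["role"] not in ROLES_BY_MODE[self.mode]:
            reason = "ROLE_NOT_VALID_IN_MODE"
        accepted = reason is None
        if accepted:
            self.last_seq[hello["station"]] = hello["seq"]
            self.sessions[hello["session_id"]] = (hello["station"], hello["role"])
        self.audit.append({"time": now, "station": hello["station"], "session_id": hello["session_id"],
                           "seq": hello["seq"], "mode": self.mode, "accepted": accepted, "reason": reason})
        return accepted, reason

    def telemetry(self) -> dict:
        """Session parameters exposed so the ground can see what the vehicle believes."""
        return {"mode": self.mode, "last_seq": dict(self.last_seq),
                "sessions": {sid: {"station": s, "role": r} for sid, (s, r) in self.sessions.items()}}
```

The ordering of the checks is a design choice worth keeping: the allowlist and link checks reject before any cryptographic work is done, the credential check precedes the time and sequence checks so that an unauthenticated request cannot learn the vehicle's counter state from the reason code, and the mode check comes last because it is the one condition that changes under the operator's feet.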
|