| SPR-6 |
The [spacecraft] shall utilize automated mechanisms to protect sensitive information and detect and alert when sensitive information is accessed without satisfying defined criteria.{SV-DCO-1,SV-AC-1}{CM-12(1)}
|
Manual monitoring is insufficient in time-sensitive, communication-limited spacecraft environments. Automated detection of unauthorized access enables rapid identification of insider misuse, malicious code execution, or policy violations. This supports onboard intrusion detection and timely ground awareness. The mechanism should differentiate anomaly from normal operational variance.
|
| SPR-46 |
The [spacecraft] shall monitor [Program‑defined telemetry points] for malicious commanding attempts and alert ground operators upon detection.{SV-AC-2,SV-IT-1,SV-DCO-1}{AC-17,AC-17(1),AC-17(10),AU-3(1),RA-10,SC-7,SC-16,SC-16(2),SC-16(3),SI-3(8),SI-4,SI-4(1),SI-4(13),SI-4(24),SI-4(25),SI-10(6)}
|
Telemetry-based detection enables identification of anomalous command patterns, replay attempts, and injection attacks. Early detection allows rapid containment before mission impact escalates. Onboard monitoring is critical when ground latency limits intervention. This supports proactive defense.
|
| SPR-48 |
The [spacecraft] shall implement cryptographic mechanisms to protect the integrity of audit information and audit tools.{SV-DCO-1}{AU-9(3),RA-10,SC-8(1),SI-3,SI-3(10),SI-4(24)}
|
Audit logs are essential for attribution and forensic analysis. If adversaries can modify audit data, detection and recovery become unreliable. Cryptographic integrity protections preserve evidentiary value.
|
| SPR-55 |
The [spacecraft] shall provide cyber threat status to the ground segment for the Defensive Cyber Operations team, per the governing specification.{SV-DCO-1}{IR-5,PM-16,PM-16(1),RA-3(3),RA-10,SI-4,SI-4(1),SI-4(24),SI-7(7)}
|
Future space enterprises will include full-time Cyber Defense teams supporting space mission systems. Their work is currently focused on the ground segment but may eventually require specific data from the space segment for their successful operation. This requirement is a placeholder to ensure that any DCO-related requirements are taken into consideration for this document.
|
| SPR-56 |
The [spacecraft] shall provide automated onboard mechanisms that integrate audit review, analysis, and reporting processes to support mission processes for investigation and response to suspicious activities to determine the attack class in the event of a cyber attack.{SV-DCO-1}{AU-6(1),IR-4,IR-4(1),IR-4(12),IR-4(13),PM-16(1),RA-10,SA-8(21),SA-8(22),SC-5(3),SI-3,SI-3(10),SI-4(7),SI-4(24),SI-7(7)}
|
* Identifying the class (e.g., exfiltration, Trojans, etc.), nature, or effect of cyberattack (e.g., exfiltration, subverted control, or mission interruption) is necessary to determine the type of response. The first order of identification may be to determine whether the event is an attack or a non-threat event (anomaly). The objective requirement would be to predict the impact of the detected signature.
* Unexpected conditions can include RF lockups, loss of lock, failure to acquire an expected contact and unexpected reports of acquisition, unusual AGC and ACS control excursions, unforeseen actuator enablings or actions, thermal stresses, power aberrations, failure to authenticate, software or counter resets, etc. Mitigation might include additional TMONs, more detailed AGC and PLL thresholds to alert operators, auto-capturing state snapshot images in memory when unexpected conditions occur, signal spectra measurements, and expanded default diagnostic telemetry modes to help in identifying and resolving anomalous conditions.
|
| SPR-57 |
The [spacecraft] shall monitor and collect all onboard cyber-relevant data (from multiple system components), including identification of potential attacks and information about the attack for subsequent analysis.{SV-DCO-1}{AC-6(9),AC-20,AC-20(1),AU-2,AU-12,IR-4,IR-4(1),RA-10,SI-3,SI-3(10),SI-4,SI-4(1),SI-4(2),SI-4(7),SI-4(24)}
|
The spacecraft will monitor and collect data that provides accountability of activity occurring onboard the spacecraft. Due to resource limitations on the spacecraft, analysis must be performed to determine which data is critical for retention and which can be filtered. Full system coverage of data and actions is desired as an objective, but it will likely be impractical due to the resource limitations. “Cyber-relevant data” refers to all data and actions deemed necessary to support accountability and awareness of onboard cyber activities for the mission. This would include data that may indicate abnormal activities, critical configuration parameters, transmissions on onboard networks, command logging, or other such data items. This set of data items should be identified early in the system requirements and design phase. Cyber-relevant data should support the ability to assess whether abnormal events are unintended anomalies or actual cyber threats. Actual cyber threats may rarely or never occur, but non-threat anomalies occur regularly. The ability to filter out cyber threats from non-cyber threats in relevant time would provide a needed capability. Examples could include successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels).
|
| SPR-58 |
The [spacecraft] shall generate cyber related audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, and the outcome of the event. For privileged or hazardous commands, the audit record shall include the approver identifiers and the command identifier.{SV-DCO-1}{AU-3,AU-3(1),AU-12,IR-4,IR-4(1),RA-10,SI-3,SI-3(10),SI-4(7),SI-4(24)}
|
Detailed audit records are essential for attribution, anomaly detection, and post-incident forensic reconstruction. Capturing what occurred, when, where, and by whom enables rapid differentiation between system fault and adversarial activity. Including approver identifiers for privileged or hazardous commands strengthens accountability and insider threat mitigation. Without complete audit context, recovery and containment decisions may be delayed or misinformed.
|
| SPR-59 |
The [spacecraft] shall attribute cyber attacks and identify unauthorized use of the platform by downlinking onboard cyber information to the mission ground station within [Program‑defined time ≤ 3 minutes].{SV-DCO-1,SV-IT-1,SV-IT-2}{AU-4(1),IR-4,IR-4(1),IR-4(12),IR-4(13),RA-10,SA-8(22),SI-3,SI-3(10),SI-4,SI-4(5),SI-4(7),SI-4(12),SI-4(24)}
|
Rapid transmission of cyber-relevant telemetry supports near-real-time ground-based fusion and correlation with enterprise security events. Delayed reporting increases risk of adversary persistence or mission degradation. Early attribution enables containment actions before cascading effects occur. Defined timeliness ensures detection capability aligns with operational tempo.
|
| SPR-60 |
The [spacecraft] shall integrate cyber related detection and responses with existing fault management capabilities to ensure tight integration between traditional fault management and cyber intrusion detection and prevention.{SV-DCO-1}{AU-6(4),IR-4,IR-4(1),RA-10,SA-8(21),SA-8(26),SC-3(4),SI-3,SI-3(10),SI-4(7),SI-4(13),SI-4(16),SI-4(24),SI-4(25),SI-7(7),SI-13}
|
The onboard IPS system should be integrated into the existing onboard spacecraft fault management system (FMS) because the FMS has its own fault detection and response system built in. SV corrective behavior is usually limited to automated fault responses and ground commanded recovery actions. Intrusion prevention and response methods will inform resilient cybersecurity design. These methods enable detected threat activity to trigger defensive responses and resilient SV recovery.
|
| SPR-61 |
The [spacecraft] shall protect information obtained from logging/intrusion-monitoring from unauthorized access, modification, and deletion.{SV-DCO-1}{AU-9,AU-9(3),RA-10,SI-4(7),SI-4(24)}
|
Monitoring data is a high-value target for attackers seeking to evade detection or erase traces of compromise. Protecting log integrity preserves evidentiary value and detection continuity. Unauthorized modification or deletion could mask malicious behavior or delay response. Cryptographic protection and access controls ensure monitoring mechanisms cannot be silently disabled.
|
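Added example, not part of the requirements text: a Python reference model of one way to meet the cryptographic integrity protection in SPR-48 and SPR-61 over records carrying the SPR-58 fields. Each record is sealed with HMAC-SHA256 chained to the previous tag, and the verifier reports edits, deletions and tail truncation. The field names, the all-zero start value, the key and the separately reported `head()` value are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain start value (assumption)


def seal(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag plus the canonical record bytes."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


class AuditLog:
    """Append-only log; each entry's tag depends on every earlier entry."""

    def __init__(self, key):
        self._key = key
        self._prev = GENESIS
        self.entries = []  # (record, tag) pairs as stored or downlinked

    def append(self, z_count, event, where, source, outcome,
               privileged=False, command_id=None, approvers=()):
        # SPR-58: privileged or hazardous commands carry command and approver IDs.
        if privileged and (command_id is None or not approvers):
            raise ValueError("privileged command needs command_id and approvers")
        record = {
            "seq": len(self.entries),
            "z_count": z_count,  # internal clock tick, 1.5 s granularity
            "event": event, "where": where,
            "source": source, "outcome": outcome,
        }
        if privileged:
            record["command_id"] = command_id
            record["approvers"] = list(approvers)
        tag = seal(self._key, self._prev, record)
        self.entries.append((record, tag))
        self._prev = tag
        return tag

    def head(self):
        """(entry count, latest tag): small enough to report in telemetry."""
        return len(self.entries), self._prev


def verify(key, entries, head=None):
    """Return a list of (position, finding); empty means the log is intact."""
    findings = []
    prev = GENESIS
    expected_seq = 0
    for pos, (record, tag) in enumerate(entries):
        if record.get("seq") != expected_seq:
            findings.append((pos, "sequence gap"))
        if not hmac.compare_digest(seal(key, prev, record), tag):
            findings.append((pos, "tag mismatch"))
        # Continue from the stored tag so one edit yields one finding.
        prev = tag
        expected_seq = record.get("seq", expected_seq) + 1
    # Without an independently reported head, dropping the newest entries
    # leaves a shorter chain that still verifies.
    if head is not None and head != (len(entries), prev):
        findings.append((len(entries), "head mismatch"))
    return findings


def tamper_cases():
    """Constructed records: verify an intact log and three tampered copies."""
    key = b"constructed-demo-key"  # placeholder, not a real key
    log = AuditLog(key)
    log.append(1000, "LOGIN_FAIL", "cdh", "uplink", "denied")
    log.append(1002, "CMD_EXEC", "adcs", "ground", "success",
               privileged=True, command_id="CMD-0042",
               approvers=["op-a", "op-b"])
    log.append(1003, "AUDIT_CFG_CHANGE", "cdh", "ground", "success")
    log.append(1007, "CMD_REJECT", "cdh", "crosslink", "rejected")
    head = log.head()

    edited = [(dict(r), t) for r, t in log.entries]
    edited[1][0]["outcome"] = "rejected"           # record altered in place
    deleted = log.entries[:2] + log.entries[3:]    # middle record removed
    truncated = log.entries[:3]                    # newest record dropped
    return {
        "clean": verify(key, log.entries, head),
        "edited": verify(key, edited, head),
        "deleted": verify(key, deleted, head),
        "truncated": verify(key, truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_cases().items():
        print(name, result)
```

Anyone holding the HMAC key can re-seal a forged chain, so the protection is only as strong as the isolation of that key from the software being audited.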
| SPR-63 |
The [spacecraft] shall be able to locate the onboard origin of a cyber attack and alert ground operators within [Program‑defined time ≤ 3 minutes].{SV-DCO-1}{IR-4,IR-4(1),IR-4(12),IR-4(13),RA-10,SA-8(22),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(7),SI-4(12),SI-4(16),SI-4(24)}
|
The origin of any attack onboard the vehicle should be identifiable to support mitigation. At the very least, attacks from critical element (safety-critical or higher-attack surface) components should be locatable quickly so that timely action can occur.
|
| SPR-64 |
The [spacecraft] shall detect and deny unauthorized outgoing communications posing a threat to the spacecraft.{SV-DCO-1}{IR-4,IR-4(1),RA-5(4),RA-10,SC-7(9),SC-7(10),SI-4,SI-4(1),SI-4(4),SI-4(7),SI-4(11),SI-4(13),SI-4(24),SI-4(25)}
|
Outbound communications may indicate data exfiltration, covert channels, or compromised subsystem behavior. Monitoring and blocking unauthorized egress prevents leakage of mission data or cryptographic material. Many attacks rely on command-and-control or data extraction channels; egress control disrupts this persistence mechanism. Outbound traffic should be as tightly controlled as inbound command paths.
|
| SPR-65 |
The [spacecraft] shall select and execute safe countermeasures against cyber attacks prior to entering cyber-safe mode.{SV-DCO-1}{IR-4,RA-10,SA-8(21),SA-8(24),SI-4(7),SI-17}
|
These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker exquisitely—with or without ground aiding. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system. These countermeasures are likely executed prior to entering into a cyber-safe mode.
|
| SPR-66 |
The [spacecraft] shall be designed and configured so that encrypted communications traffic and data is visible to on-board security monitoring tools.{SV-DCO-1}{RA-10,SA-8(21),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(10),SI-4(13),SI-4(24),SI-4(25)}
|
Encryption must not blind onboard intrusion detection capabilities. Security tools require access to sufficient context (pre-encryption or post-decryption inspection points) to detect malicious patterns. Without visibility, encrypted channels become covert channels. Proper architectural placement ensures both confidentiality and detectability are preserved.
|
| SPR-67 |
The [spacecraft] shall be designed and configured so that spacecraft memory can be monitored by the on-board intrusion detection/prevention capability.{SV-DCO-1}{RA-10,SA-8(21),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(24),SI-16}
|
Many spacecraft attacks target memory corruption, firmware modification, or unauthorized process injection. Monitoring memory state enables detection of tampering, abnormal writes, or execution anomalies. Memory visibility supports early detection of wiper malware or boot-level compromise. This is essential for protecting deterministic flight software environments.
|
| SPR-69 |
The [spacecraft] shall alert in the event of the audit/logging processing failures.{SV-DCO-1}{AU-5,AU-5(1),AU-5(2),SI-3,SI-4,SI-4(1),SI-4(7),SI-4(12),SI-4(24)}
|
Failure of logging mechanisms may signal active tampering or resource exhaustion attacks. Immediate alerting ensures loss of visibility does not go unnoticed. Silent failure of audit systems creates blind spots exploitable by adversaries. Monitoring the monitors is critical to resilient detection.
|
| SPR-70 |
The [spacecraft] shall provide an alert immediately to [at a minimum the mission director, administrators, and security officers] when the following failure events occur: [minimally but not limited to: auditing software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity reaching 95%, 99%, and 100%] of allocated capacity, including security component failover events; alerts shall include component identity, time, and fault reason.{SV-DCO-1}{AU-5,AU-5(1),AU-5(2),SI-4,SI-4(1),SI-4(7),SI-4(12),SI-4(24),SI-7(7)}
|
The intent is to have a human on the ground alerted to failures. This can be decomposed into the SV generating telemetry and the Ground issuing the alert.
|
| SPR-71 |
The [spacecraft] shall provide the capability of a cyber “black-box” to capture necessary data for cyber forensics of threat signatures and anomaly resolution when cyber attacks are detected. The [spacecraft] shall automatically route audit events to the alternate audit logging capability upon primary audit failure and shall resynchronize the alternate store to the primary upon recovery.{SV-DCO-1}{AU-5(5),AU-9(2),AU-9(3),AU-12,IR-4(12),IR-4(13),IR-5(1),SI-3,SI-3(10),SI-4,SI-4(1),SI-4(7),SI-4(24),SI-7(7)}
|
This is similar in concept to the "black box" on an aircraft, where all critical information is stored for later forensic analysis. The black box can be used to record CPU utilization, GNC physical parameters, audit records, memory contents, TT&C data points, etc. The timeframe is dependent upon implementation but needs to meet the intent of the requirement. For example, 30 days may suffice.
|
| SPR-73 |
The [spacecraft], upon detection of a potential integrity violation, shall provide the capability to [audit the event and alert ground operators].{SV-DCO-1}{CM-3(5),SA-8(21),SI-3,SI-4(7),SI-4(12),SI-4(24),SI-7(8)}
|
One example is a bad command: the system would reject the command, not increment the Vehicle Command Counter (VCC), and include the information in telemetry.
|
| SPR-92 |
The [spacecraft] shall verify the correct operation of security- software and hardware mechanisms.{SV-DCO-1}{SA-8(21),SI-3,SI-6}
|
Security controls that fail silently create false confidence and blind spots. Continuous or periodic verification ensures cryptographic modules, access controls, logging mechanisms, and monitoring functions remain operational. Attackers often attempt to disable protections prior to executing malicious actions. Independent health checks preserve detection and enforcement reliability.
|
| SPR-161 |
The [spacecraft] shall log and monitor critical activities to detect and respond to unauthorized or malicious activities.{SV-DCO-1,SV-AC-4}{AC-6(9),AC-17(4)}
|
Critical commands will vary across missions and systems but commonly include commands resulting in maneuvering of the spacecraft or modifying on-board configurations/software.
|
| SPR-163 |
The [spacecraft] shall employ monitoring mechanisms to detect and respond to unauthorized or excessive use of external systems, safeguarding the organization's information and ensuring the integrity, confidentiality, and availability of its resources. Monitoring shall be performed on crosslink communications as well as space to ground communications (including direct to user tactical downlinks such as utilized in real-time imagery acquisition).{SV-AC-6,SV-DCO-1,SV-CF-1}{AC-20,AC-20(1)}
|
Monitoring detects anomalous bandwidth use, potential exfiltration, or misuse. Crosslinks are lateral movement pathways between spacecraft. Oversight protects enterprise integrity. Visibility supports coordinated response.
|
| SPR-165 |
The [spacecraft] shall generate audit records to capture changes made to audit record generation configurations by authorized users.{SV-DCO-1}{AU-12(3)}
|
Authorized users, including administrators, shall be identified, and the system shall record relevant information such as the user identity, date, time, and nature of changes made to the audit record generation settings.
|
| SPR-166 |
The [spacecraft] shall provide the capability to modify the set of audited events (e.g., cyber-relevant data).{SV-DCO-1}{AU-12(3),AU-14}
|
Flexibility allows adaptation to evolving threats. Adjustable audit scope ensures relevant telemetry is captured. This supports threat-driven monitoring strategies. Controlled modification preserves operational balance.
|
| SPR-167 |
The [spacecraft] shall be configured to allocate audit record storage capacity in accordance with 1 week audit record storage requirements.{SV-DCO-1}{AU-4,AU-5,AU-5(1),AU-5(2)}
|
Defined storage capacity prevents premature log overwriting. Retention ensures forensic reconstruction capability. Adequate capacity supports delayed downlink scenarios. Storage planning enhances accountability.
|
| SPR-168 |
The [spacecraft] shall downlink relevant audit log data to ground systems frequently enough to avoid any situation where audit storage capacity is exceeded.{SV-DCO-1}{AU-4(1)}
|
The frequency of offloading this data depends on the amount of data being audited/logged and will vary across missions/systems.
|
| SPR-169 |
The [spacecraft] shall attribute cyberattacks and identify unauthorized use of the spacecraft by downlinking onboard cyber information to the mission ground station within [mission-appropriate timelines minutes].{SV-DCO-1}{AU-4(1),SI-4(5)}
|
Requirement is to support offboard attribution by enabling the fusion of spacecraft cyber data with ground-based cyber data. This would provide end-to-end accountability of commands, data, and other data that can be used to determine the origin of attack from the ground system. Data should be provided within time constraints relevant for the particular mission and its given operational mode. Analysis should be performed to identify the specific timeliness requirements for a mission, which may vary depending on mission mode, operational status, availability of communications resources, and other factors. The specific data required should be identified, as well.
|
| SPR-170 |
The [spacecraft] shall alert in the event of the [organization]-defined audit/logging processing failures.{SV-DCO-1}{AU-5}
|
Audit failure may indicate tampering or resource exhaustion. Immediate alert prevents silent loss of visibility. Detection continuity is essential for defense. Monitoring integrity must be assured.
|
| SPR-171 |
The [spacecraft] shall routinely report audit log storage utilization along with traditional health and status data during pre-determined passes.{SV-DCO-1}{AU-5(1)}
|
Monitoring storage usage prevents overflow conditions. Predictable reporting supports proactive resource management. Integration with health telemetry ensures visibility. Log retention reliability must be maintained.
|
| SPR-172 |
The [organization] shall integrate terrestrial system audit log analysis as part of the standard anomaly resolution process to correlate any anomalous behavior in the terrestrial systems that correspond to anomalous behavior in the spacecraft.{SV-DCO-1}{AU-6(1),IR-5(1)}
|
Correlation across ground and space segments improves attribution accuracy. End-to-end visibility detects pivoting attacks. Integration strengthens anomaly resolution. Enterprise/Whole mission fusion enhances threat awareness.
|
| SPR-173 |
The [spacecraft] shall record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).{SV-DCO-1}{AU-8}
|
Standardized time enables cross-system correlation. Accurate timestamps are critical for forensic analysis. UTC/GMT alignment ensures interoperability. Consistent timekeeping supports coordinated response.
|
| SPR-174 |
The [spacecraft] shall record time stamps for audit records that provide a granularity of one Z-count (1.5 sec).{SV-DCO-1}{AU-8}
|
Fine granularity improves event reconstruction accuracy. Short time resolution enables sequencing analysis. Precise timestamps strengthen evidentiary value. Temporal precision aids detection logic.
|
| SPR-175 |
The [spacecraft] shall use internal system clocks to generate time stamps for audit records.{SV-DCO-1}{AU-8}
|
Using internal trusted clocks prevents manipulation via external time signals. Independent time generation strengthens integrity. This reduces risk of adversary-induced timeline distortion. Trusted time underpins reliable auditing.
|
| SPR-177 |
The [spacecraft] shall automatically generate audit records of the configuration management access enforcement actions.{SV-AC-4,SV-DCO-1}{CM-5(1)}
|
Recording enforcement actions provides accountability for access control decisions. This enables detection of policy violations or privilege misuse. Audit visibility strengthens governance. Security controls must themselves be auditable.
|
| SPR-181 |
The [spacecraft] shall employ advanced analytics capabilities within the IDS/IPS to address dynamic never-before-seen attacks using machine learning/adaptive technologies along with signature-based attacks. Models shall be trained and tuned using mission telemetry profiles to support predictive detection.{SV-DCO-1,SV-SP-1,SV-IT-2}{RA-3(4)}
|
Signature-based detection addresses known threats, while adaptive analytics detect novel or evolving behaviors. Spacecraft telemetry provides rich baseline data for predictive anomaly detection. Machine learning enhances early detection of zero-day or previously unseen tactics. Combining both approaches strengthens defense against advanced adversaries.
|
| SPR-195 |
The [spacecraft] shall audit the communications characteristics (signals, frequencies, etc.) associated with denied communications.{SV-IT-1,SV-AV-1,SV-DCO-1}{SC-7(9)}
|
Recording denied communications supports detection of probing and reconnaissance. Signal analysis may reveal adversary tactics or spoofing attempts. Visibility strengthens attribution and tuning of defenses. Denied attempts provide intelligence value.
|
| SPR-346 |
The [organization] shall implement, as part of an A&A process, a Continuous Monitoring Program (CMP) that evaluates the effectiveness of security control implementations on a recurring pre-defined basis.{SV-DCO-1}{CA-7,PM-31}
|
Ongoing evaluation detects drift in control effectiveness. Continuous monitoring strengthens adaptive defense. Recurring review identifies degradation early. Proactive oversight enhances resilience.
|
| SPR-349 |
The [organization] shall establish and maintain a comprehensive program for testing, training, and monitoring to ensure the effectiveness of security controls and incident response capabilities.{SV-DCO-1,SV-MA-5}{PM-14}
|
Integrated programs ensure controls remain effective. Continuous validation supports adaptive security posture. Combined testing and training reduce complacency. Holistic oversight strengthens mission readiness.
|
| SPR-365 |
The [organization] shall develop and maintain Audit and Accountability policy that specifies, at a minimum: the methods and procedures for auditing on-board events; the processes for capturing, recording, and reviewing audit logs; the criteria for audit event selection, frequency of audits, and data retention; the responsibilities for audit management and review.{SV-DCO-1}{AU-1}
|
Clear audit policy defines expectations for logging and review. Structured retention ensures forensic capability. Defined criteria strengthen monitoring consistency. Accountability deters misuse.
|
| SPR-366 |
The [organization] shall identify the applicable audit and accountability policies that cover the information on the spacecraft. {SV-DCO-1}{AU-1}
|
Ensuring policy applicability prevents coverage gaps. Alignment ensures consistent governance. Comprehensive audit scope strengthens detection capability. Policy clarity supports enforcement.
|
| SPR-367 |
The [organization] shall develop and document program-specific security assessment and authorization policies and procedures.{SV-DCO-1}{CA-1}
|
Structured A&A policies formalize evaluation processes. Defined methodologies ensure consistent risk evaluation. Clear authorization boundaries prevent ambiguity. Governance strengthens mission trust.
|
| SPR-368 |
The [organization] shall have policies that clearly describe the processes and methodologies for conducting security assessments, obtaining authorizations, and performing continuous monitoring activities.{SV-DCO-1}{CA-1}
|
Explicit procedural guidance reduces inconsistency. Defined methodologies improve repeatability. Continuous monitoring integrates assessment into operations. Governance ensures sustained oversight.
|
| SPR-371 |
The [organization] shall develop, document, and implement an incident response policy specifically tailored for its space operations that outlines procedures for detecting, reporting, responding to, and recovering from security incidents affecting the spacecraft.{SV-MA-5,SV-DCO-1}{IR-1}
|
Space-specific IR procedures account for latency and limited intervention. Tailored guidance ensures effective containment. Structured recovery planning reduces mission impact. Specialized policies enhance readiness.
|
| SPR-376 |
The [organization] shall implement an A&A process that establishes the extent to which a particular design and implementation meet a set of specified security requirements defined by the organization, government guidelines, and federal mandates.{SV-MA-6,SV-DCO-1}{CA-2}
|
Structured authorization ensures design compliance prior to deployment. Formal assessment reduces oversight gaps. Defined requirements provide measurable criteria. Governance supports mission confidence.
|
| SPR-377 |
The [organization] shall conduct control assessments of the information system using independent assessors.{SV-DCO-1}{CA-2(1)}
|
Independent assessors shall be individuals or entities external to the operational chain of command and not involved in the development, implementation, or operations of the system under assessment.
|
| SPR-378 |
The [organization] shall establish and maintain processes to manage and oversee independent assessors, including their qualifications, roles, and responsibilities.{SV-DCO-1}{CA-2(1),CA-7(1)}
|
Independent assessors shall be individuals or entities external to the operational chain of command and not involved in the development, implementation, or operations of the system under assessment.
|
| SPR-380 |
The [organization] shall maintain an up-to-date Plan of Action and Milestones (POA&M) that identifies, assesses, prioritizes, and documents specific actions to be taken to correct deficiencies in the spacecraft's security posture.{SV-DCO-1}{CA-5}
|
A living POA&M tracks remediation progress. Structured prioritization reduces overlooked deficiencies. Documentation ensures accountability. Transparent tracking strengthens governance.
|
| SPR-383 |
The [organization] shall employ independent assessors or assessment teams to monitor the effectiveness of security controls in the system on an ongoing basis.{SV-DCO-1}{CA-7(1)}
|
Independent review enhances objectivity. Ongoing evaluation detects control degradation. Separation strengthens trust. Independent oversight improves mission resilience.
|
| SPR-384 |
The [organization] shall modify control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process based on trend analysis of empirical data.{SV-DCO-1}{CA-7(3)}
|
Empirical data informs adaptive defense. Trend-driven adjustments prevent static control stagnation. Continuous refinement strengthens posture. Data-driven governance enhances effectiveness.
|
| SPR-385 |
The [organization] shall monitor, as part of the continuous monitoring strategy, the following: implementation of risk response measures; effectiveness of the risk response implementation; configuration changes that may impact security.{SV-DCO-1}{CA-7(4)}
|
Monitoring risk response implementation ensures corrective actions are effective. Tracking configuration changes prevents drift. Continuous oversight reduces exposure window. Structured feedback loops strengthen resilience.
|
| SPR-386 |
The [organization] shall implement automated mechanisms to assist in the execution and implementation of the Continuous Monitoring Program (CMP).{SV-DCO-1}{CA-7(6)}
|
Automation ensures continuous monitoring activities are consistent, repeatable, and not dependent on manual effort. Space systems generate large volumes of telemetry that require automated analysis to detect trends and anomalies. Automation reduces human error and accelerates response timelines. This strengthens adaptive security posture over the mission lifecycle.
|
| SPR-408 |
The [organization] shall produce a plan for the continuous monitoring of security control effectiveness. The plan shall explicitly cover the space platform and link segment telemetry, automated anomaly detection, and SOC correlation of uplink, crosslink, and payload communications.{SV-DCO-1,SV-IT-1,SV-AV-1}{SA-4(8),CP-4(5),PM-31}
|
Comprehensive coverage ensures both onboard and communication segments are monitored. Telemetry-driven detection strengthens anomaly awareness. SOC correlation integrates space and ground visibility. Structured planning enhances detection capability.
|
| SPR-415 |
The [organization] shall engage relevant stakeholders to discuss performance impacts/tradeoffs for implementing the desired monitoring approach, document any deviations from initial desired approach, and ensure the Authorizing Official (AO) signs off on the risk posed by the exclusion of the functionality in question.{SV-DCO-1,SV-AV-3,SV-AV-2}{AU-2}
|
Aerospace work published in TOR-2019-02178 "Telemetry Security" provides examples of telemetry values that may be useful to monitor for indications of malicious onboard activity (not a comprehensive list):
* Vehicle Command Counter (VCC)
* Rejected Command Counter
* Command Receiver On/Off Mode
* Command Receivers Received Signal Strength
* Command Receiver Lock Modes
* Telemetry Downlink Modes
* Cryptographic Modes
* Received Commands
* System Clock
* GPS Ephemeris
* Watchdog Timer (WDT)
|
| SPR-416 |
The [organization] shall identify and document the on-board events and values that will be monitored for indicators of unexpected or malicious activity.{SV-DCO-1,SV-IT-1}{AU-2}
|
Aerospace work published in TOR-2019-02178 "Telemetry Security" provides examples of telemetry values that may be useful to monitor for indications of malicious onboard activity (not a comprehensive list):
* Vehicle Command Counter (VCC)
* Rejected Command Counter
* Command Receiver On/Off Mode
* Command Receivers Received Signal Strength
* Command Receiver Lock Modes
* Telemetry Downlink Modes
* Cryptographic Modes
* Received Commands
* System Clock
* GPS Ephemeris
* Watchdog Timer (WDT)
|
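Added example, not taken from the requirements text or from TOR-2019-02178: a ground-side Python check that uses two of the listed telemetry values, the Vehicle Command Counter and the Rejected Command Counter, for the malicious-commanding detection in SPR-46. It relies on the behavior noted under SPR-73 (a rejected command does not increment the VCC) and reconciles counter movement against the commands the ground released. The 16-bit counter width, the per-interval ceiling, the finding names and the sample data are assumptions, and both inputs are assumed to share a UTC time base.

```python
from bisect import bisect_right

COUNTER_MOD = 1 << 16  # assumed 16-bit telemetry counters
MAX_STEP = 1000        # assumed ceiling on commands per telemetry interval


def step(prev, cur):
    """Counter advance between two samples, tolerating one wrap-around."""
    return (cur - prev) % COUNTER_MOD


def reconcile(samples, sent_times):
    """Compare counter movement with ground command releases.

    samples:    [(utc_s, vcc, rejected_counter), ...] in time order
    sent_times: sorted UTC seconds at which the ground released a command
    Returns [(utc_s, kind, count), ...] for every interval that does not add up.
    """
    findings = []
    for (t0, vcc0, rej0), (t1, vcc1, rej1) in zip(samples, samples[1:]):
        accepted = step(vcc0, vcc1)
        rejected = step(rej0, rej1)
        if accepted > MAX_STEP or rejected > MAX_STEP:
            # A counter moved backwards or jumped: reset or corrupted value.
            findings.append((t1, "DISCONTINUITY", None))
            continue
        # Commands released in the half-open interval (t0, t1].
        sent = bisect_right(sent_times, t1) - bisect_right(sent_times, t0)
        received = accepted + rejected  # a rejected command leaves the VCC alone
        if rejected:
            findings.append((t1, "REJECTED", rejected))
        if received > sent:
            # The vehicle processed commands the ground never released.
            findings.append((t1, "UNACCOUNTED", received - sent))
        elif received < sent:
            # Released commands never showed up in either counter.
            findings.append((t1, "MISSING", sent - received))
    return findings


# Constructed telemetry samples: (utc_s, vcc, rejected_counter)
SAMPLES = [
    (0, 100, 5),
    (60, 102, 5),   # two ground commands accepted
    (120, 103, 5),  # VCC advanced with nothing released
    (180, 103, 8),  # three rejections with nothing released
    (240, 104, 8),  # two released, only one counted
    (300, 0, 0),    # both counters back at zero
    (360, 1, 0),    # one ground command accepted
]
# Constructed ground command log: release times in UTC seconds
SENT = [10, 30, 200, 210, 330]

if __name__ == "__main__":
    for finding in reconcile(SAMPLES, SENT):
        print(finding)
```

A command released just before a sample boundary can be counted in the next interval, so an UNACCOUNTED finding immediately after a MISSING finding of the same size points to timing skew, not a foreign command.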
| SPR-434 |
The [organization] shall determine criteria for unusual or unauthorized activities or conditions for all communications to/from the spacecraft.{SV-DCO-1,SV-IT-1}{SI-4(4)}
|
Clear anomaly criteria enable consistent detection. Defined thresholds prevent subjective interpretation. Structured definitions strengthen monitoring logic. Proactive detection improves response speed.
|
| SPR-452 |
The [spacecraft] shall deny commands, data requests, and connections from revoked identities and shall generate an audit record for each denial.{SV-AC-4,SV-DCO-1}{AC-3,AC-3(8),AU-2,AU-12}
|
Explicit denial and logging strengthens accountability. Automated enforcement reduces reliance on manual monitoring. Recorded denials support forensic investigation. Policy adherence strengthens defense.
|
| SPR-454 |
The [spacecraft] shall tag telemetry and logs produced during override and shall automatically restore standard enforcement when exit conditions are met or after [Program-defined timeout].{SV-AC-4,SV-DCO-1}{AC-3(10),AU-3,AU-12}
|
Override transparency ensures operators are aware of elevated state. Automatic restoration prevents lingering weakened posture. Structured tagging supports audit and review. Governance reduces accidental persistence.
|
| SPR-456 |
The [spacecraft] shall implement OS or hardware enforcement for these restrictions and shall log any attempted access violations.{SV-AC-1,SV-DCO-1}{AC-3,AC-3(11)}
|
Hardware-enforced policy is harder to bypass than software-only controls. Logging violations supports detection and response. Layered enforcement strengthens assurance. Technical barriers reinforce governance intent.
|
| SPR-460 |
The [spacecraft] shall record transitive forwarding decisions and rejections in cyber relevant audit data for downlink.{SV-DCO-1}{CA-3(7),AU-3,AU-12}
|
Audit records of forwarding and rejection decisions enable forensic reconstruction. Visibility into routing logic prevents covert channel abuse. Logged rejections demonstrate enforcement of policy. Downlink visibility strengthens ground oversight.
|
| SPR-469 |
The [spacecraft] shall log component activation, deactivation, replacement, and firmware updates with timestamps that map to UTC.{SV-SP-9,SV-DCO-1}{AU-3,AU-8}
|
Lifecycle logging ensures traceability. UTC mapping supports synchronized forensic analysis. Transparent change history reduces repudiation. Logging strengthens accountability.
|
| SPR-475 |
The [organization] shall implement automated mechanisms to ingest, validate, and distribute space-relevant threat intelligence to [organization]-defined recipients, and to format uplinkable indicators or signatures for onboard detection capabilities where applicable.{SV-DCO-1,SV-IT-1}{SI-5,PM-16(1)}
|
Timely ingestion and distribution of space-relevant intelligence reduces exposure. Formatting indicators for onboard use supports proactive detection. Automation accelerates defensive posture. Integration supports adaptive security.
|
| SPR-495 |
The [spacecraft] shall detect impending failure of security components and initiate controlled failover to preserve confidentiality, integrity, and availability.{SV-MA-5,SV-DCO-1}{SI-4,SI-13,CP-10}
|
Early detection prevents cascading compromise. Controlled switchover maintains CIA properties. Structured alerting enhances situational awareness. Fault handling preserves assurance.
|
| SPR-514 |
The [spacecraft] shall emit a standardized accept/reject reason code for every telecommand, including mode/precondition results, parameter/range/sequence checks, and rate/temporal‑limit evaluations, and shall include the code in downlinked audit.{SV-DCO-1}{AU-3,AU-12}
|
Consistent reason codes enhance operator clarity and forensic traceability. Transparent rejection rationale reduces ambiguity. Downlinked codes support ground analysis. Deterministic feedback strengthens accountability.
|
| SPR-519 |
The [spacecraft] shall cryptographically bind audit records to their origin using per‑record MACs/signatures or sequence‑linked hashes and include station/operator ID and selected RF/link indicators (e.g., SNR/BER, frame counters) when available; ground shall verify and log the results.{SV-IT-2,SV-AC-2,SV-DCO-1}{AU-3,AU-3(1),AU-9,AU-9(2),AU-10}
|
Per-record signatures prevent tampering or replay. Sequence linkage detects gaps. Including RF indicators enhances forensic value. Verified logging strengthens evidentiary integrity.
|
| SPR-520 |
The [spacecraft] shall implement tiered audit retention with overwrite protection for [organization]-defined high‑value categories (e.g., crypto events, command outcomes, mode changes) and expose buffer health/occupancy and retention decisions in telemetry; priorities shall be tunable by phase/mode.{SV-DCO-1}{AU-4,AU-4(1),AU-11}
|
High-value events require overwrite protection. Tunable priorities align storage with mission phase. Telemetry exposure ensures transparency. Structured retention strengthens audit survivability.
|
| SPR-521 |
The [spacecraft] shall prevent execution of [organization]-defined hazardous procedures when minimal auditing cannot be assured (e.g., verified buffer availability or local shadow log), while allowing essential safing actions; operator feedback shall distinguish “blocked due to no audit” from other rejects.{SV-AC-8,SV-DCO-1}{AC-3,AU-5,AU-5(2)}
|
Certain operations require audit traceability. Blocking when audit is unavailable prevents blind execution. Essential safing remains permitted. Conditional enforcement strengthens accountability.
|
| SPR-522 |
The [organization] shall implement a canonical time base and identifiers (station ID, session ID, command ID/APID, image/bitstream IDs) across TT&C front ends, consoles, and on‑board logs and shall de‑duplicate and gap‑detect during aggregation with rules for the source of truth for command history.{SV-IT-1,SV-AC-2,SV-DCO-1}{AU-6,AU-6(4),AU-8,IA-4}
|
Unified identifiers prevent ambiguity in command history. Gap detection identifies dropped or spoofed entries. Clear source-of-truth logic prevents dispute. Time discipline strengthens forensic precision.
|
| SPR-523 |
The [organization] shall define and implement a common audit schema for flight and ground that supports event tiering, consistent identifiers/time bases, and dynamic elevation/suppression of categories by phase/mode; ground aggregators shall normalize and integrity‑check records.{SV-DCO-1}{AU-1,AU-6,AU-12}
|
Normalization supports cross-domain correlation. Tiered categories enable adaptive visibility. Integrity checks prevent log injection. Structured schema strengthens systemic monitoring.
|
| SPR-524 |
The [spacecraft] shall protect on‑board audit storage using ECC and periodic scrubbing, commit markers/journaling to survive partial writes, redundant partitions/devices where available, and prioritized retention for high‑value events.{SV-IT-4,SV-DCO-1}{AU-9,AU-9(3)}
|
ECC and journaling preserve log integrity under fault. Redundant partitions improve survivability. Prioritized retention protects high-value evidence. Durable logging strengthens mission accountability.
|
| SPR-527 |
The [organization] shall ingest vendor advisories, SBOM deltas, and provenance changes for components/toolchains into the Continuous Monitoring Program and correlate exposure with the “as‑flown” configuration to prioritize mitigations.{SV-SP-6,SV-SP-4,SV-DCO-1}{CA-7,CA-7(6),CM-8}
|
Exposure must be evaluated against actual deployed versions. SBOM deltas enable precise mitigation prioritization. Continuous ingestion strengthens responsiveness. Configuration awareness improves risk management.
|
| SPR-535 |
The [organization] shall define space‑specific incident reporting thresholds, timelines aligned to pass cadence, distribution lists (including partners/regulators), and approved artifact formats (sanitized as required) to support coordinated response.{SV-DCO-1}{IR-6}
|
Pass cadence requires unique timing considerations. Defined thresholds ensure rapid escalation. Coordinated artifact formats improve response efficiency. Structured communication strengthens resilience.
|
| SPR-536 |
The [organization] shall capture on‑board and ground evidence, produce an “as‑run” timeline with decisions/assumptions, and feed findings into updated playbooks, training, twin/flatsat scenarios, risk registers, and baselines, verifying changes via rehearsal.{SV-DCO-1}{IR-4,CA-7}
|
Post-incident reconstruction improves institutional learning. Feeding findings into twins and training strengthens preparedness. Verification via rehearsal ensures improvement. Continuous feedback supports maturity.
|
| SPR-538 |
The [spacecraft] shall budget CPU/power/memory for security functions (crypto, logging, verification), implement graceful degradation (e.g., summarize logs, throttle verification) that preserves TT&C and safing, and expose telemetry showing throttling decisions and residual capacity.{SV-AV-1,SV-DCO-1}{PE-9,SA-8(8),SC-6,CP-2}
|
Security must not starve essential TT&C. Explicit resource budgeting ensures sustained enforcement. Graceful degradation preserves mission priority. Telemetry visibility supports oversight.
|
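The following sketch is an added example, not part of the requirements text or any program's flight software. It illustrates the sequence-linked, per-record MAC binding described in SPR-519 together with the ground-side gap and duplicate detection called for in SPR-522. The field names, the choice of HMAC-SHA256, the all-zero genesis value and the pre-shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "00" * 32  # assumed chain anchor for the first record

def _mac(key: bytes, fields: dict) -> str:
    # Canonical JSON so flight and ground MAC exactly the same bytes
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def append_record(log, key, event, station_id, operator_id, frame_counter, snr_db):
    """Onboard side: link the record to its predecessor, then MAC it."""
    fields = {"seq": len(log), "prev": log[-1]["mac"] if log else GENESIS,
              "event": event, "station_id": station_id,
              "operator_id": operator_id, "frame_counter": frame_counter,
              "snr_db": snr_db}
    log.append(dict(fields, mac=_mac(key, fields)))
    return log[-1]

def verify_log(records, key):
    """Ground side: return (seq, finding) tuples; an empty list means clean."""
    findings, next_seq, last_mac = [], 0, GENESIS
    for rec in records:
        fields = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, fields), rec["mac"]):
            findings.append((rec["seq"], "bad_mac"))
        if rec["seq"] < next_seq:            # already seen: keep it out of the chain
            findings.append((rec["seq"], "duplicate_or_out_of_order"))
            continue
        if rec["seq"] > next_seq:            # records missing before this one
            findings.append((rec["seq"], "gap"))
        elif rec["prev"] != last_mac:        # contiguous but not chained
            findings.append((rec["seq"], "broken_link"))
        next_seq, last_mac = rec["seq"] + 1, rec["mac"]
    return findings

def build_sample_log(key):
    """Constructed sample records, not real mission data."""
    log = []
    for i, event in enumerate(["CMD_ACCEPT", "CRYPTO_MODE_CHANGE", "CMD_REJECT"]):
        append_record(log, key, event, "GS-01", "op-7", 100 + i, 12.5)
    return log

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; real keys come from key management
    log = build_sample_log(demo_key)
    print(verify_log(log, demo_key))               # intact chain
    print(verify_log([log[0], log[2]], demo_key))  # record 1 dropped in transit
```

Because each record's `prev` field carries the MAC of its predecessor, a ground aggregator can log the verification findings themselves as audit events, which is the "ground shall verify and log the results" half of SPR-519.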