SV-SP-6 - 3rd Party Software

Software reuse, COTS dependence, and standardization of onboard systems using building block approach with addition of open-source technology leads to supply chain threat

ID: SV-SP-6

DiD Layer: S/C Software

CAPEC #: 310 | 313 | 446 | 538

NIST Rev5 Control Tag Mapping: AC-3 | AC-3(15) | CA-2(2) | CA-7 | CA-7(6) | CA-8 | CM-3 | CM-3(2) | CM-4 | CM-4(1) | CM-7 | CM-7(8) | CM-11 | CM-11(3) | CM-14 | PM-30 | PM-30(1) | RA-3 | RA-3(1) | RA-3(2) | RA-5 | RA-5(2) | RA-9 | RA-10 | SA-3 | SA-3(1) | SA-8 | SA-8(9) | SA-8(21) | SA-9 | SA-9(7) | SA-10 | SA-10(7) | SA-11 | SA-11(1) | SA-11(2) | SA-11(4) | SA-11(5) | SA-11(6) | SA-11(7) | SA-11(8) | SA-11(9) | SA-15 | SA-15(5) | SA-15(7) | SA-15(8) | SI-2 | SI-7 | SI-7(17) | SI-10 | SI-10(6) | SR-3 | SR-3(1) | SR-3(2) | SR-4 | SR-4(3) | SR-4(4) | SR-5 | SR-5(2) | SR-9 | SR-9(1) | SR-11 | SR-11(3)

Lowest Threat Tier to
Create Threat Event: III

Notional Risk Rank Score: 22

Informational References

CENTRA Volume I - Cyber Content of Satellites

Low-Level Requirements

SPARTA ID	Requirement	Rationale/Additional Guidance/Notes
SPR-91	The [spacecraft] shall prevent the installation of Flight Software without verification that the component has been digitally signed.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-9}{CM-3,CM-3(8),CM-5,CM-5(3),CM-14,SA-8(8),SA-8(31),SA-10(2),SI-3,SI-7(12),SI-7(15)}	Requiring digital signature verification before installing flight software prevents unauthorized, malicious, or tampered code from being introduced into the spacecraft environment. Software supply chain compromise is a high-impact attack vector that can result in persistent control or loss of mission. Cryptographic validation ensures only approved and trusted binaries are executed. This maintains integrity of the trusted computing baseline.
SPR-116	The [organization] shall ensure reused TT&C software has adequate uniqueness for command decoders/dictionaries so that commands are received by only the intended satellite.{SV-SP-6}{AC-17(10),SC-16(3),SI-3(9)}	The goal is to eliminate risk that compromise of one command database does not affect a different one due to reuse. The intent is to ensure that one SV can not process the commands from another SV. Given the crypto setup with keys and VCC needing to match, this requirement may be inherently met as a result of using type-1 cryptography. The intent is not to recreate entire command dictionaries but have enough uniqueness in place that it prevents a SV from receiving a rogue command. As long as there is some uniqueness at the receiving end of the commands, that is adequate.
SPR-155	The [organization] shall ensure that software planned for reuse meets the fit, form, and function, and security as a component within the new application.{SV-SP-6,SV-SP-7,SV-SP-11}{CM-7(5)}	Reused components may introduce hidden vulnerabilities. Validation ensures compatibility and security alignment with new mission context. Prior approval does not guarantee safe reuse. Rigorous assessment prevents latent risk inheritance.
SPR-236	The [organization] shall implement a verifiable flaw remediation process into the developmental and operational configuration management process.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-5,SA-3,SA-3(1),SA-11,SI-3,SI-3(10)}	The verifiable process should also include a cross reference to mission objectives and impact statements. Understanding the flaws discovered and how they correlate to mission objectives will aid in prioritization.
SPR-241	The [organization] shall require the developer of the system, system component, or system services to identify organizational data that will be processed or stored on non-organizational systems.{SV-CF-3,SV-SP-6}{SA-4(12)}	Awareness of data location prevents uncontrolled exposure. Third-party systems may lack equivalent security. Explicit identification enables mitigation. Data governance strengthens risk management.
SPR-250	The [organization] shall verify that the scope of security testing/evaluation provides complete coverage of required security controls (to include abuse cases and penetration testing) at the depth of testing defined in the test documents.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-8,RA-5(3),SA-11(5),SA-11(7)}	* The frequency of testing should be driven by Program completion events and updates. * Examples of approaches are static analyses, dynamic analyses, binary analysis, or a hybrid of the three approaches
SPR-251	The [organization] shall maintain evidence of the execution of the security assessment plan and the results of the security testing/evaluation.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-8,SA-11}	Documented evidence provides traceability and accountability for security testing activities. Without retained artifacts, organizations cannot demonstrate due diligence or validate corrective actions. Preserved results support audits, mission reviews, and lessons learned. This strengthens governance and compliance posture.
SPR-252	The [organization] shall create and implement a security assessment plan that includes: (1) The types of analyses, testing, evaluation, and reviews of all software and firmware components; (2) The degree of rigor to be applied to include abuse cases and/or penetration testing; and (3) The types of artifacts produced during those processes.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-8,SA-11,SA-11(5)}	The security assessment plan should include evaluation of mission objectives in relation to the security of the mission. Assessments should not only be control based but also functional based to ensure mission is resilient against failures of controls.
SPR-254	The [organization] shall employ dynamic analysis (e.g.using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code).{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-8,CM-10(1),RA-3(1),SA-11(5),SA-11(8),SA-11(9),SI-3,SI-7(10)}	Dynamic testing uncovers runtime vulnerabilities not visible through static review. Techniques such as fuzzing and penetration testing simulate realistic adversarial behavior. Runtime validation improves detection of memory corruption, logic flaws, and unsafe state transitions. This reduces latent vulnerabilities prior to deployment.
SPR-255	The [organization] shall employ independent third-party analysis and penetration testing of all software (COTS, FOSS, Custom) associated with the system, system components, or system services.{SV-SP-1,SV-SP-3,SV-SP-6}{CA-2,CA-2(1),CA-8(1),CM-10(1),SA-9,SA-11(3),SA-12(11),SI-3,SI-3(10),SR-4(4),SR-6(1)}	Independent assessment reduces bias and uncovers blind spots in internal reviews. External testers provide objective validation of system resilience. Independent penetration testing strengthens confidence in defensive posture. Separation of duties enhances credibility and assurance.
SPR-265	The [organization] shall report identified systems or system components containing software affected by recently announced cybersecurity-related software flaws (and potential vulnerabilities resulting from those flaws) to [organization] officials with cybersecurity responsibilities.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-11}{IR-6,IR-6(2),SI-2,SI-3,SI-4(12),SR-4(4)}	Rapid reporting of vulnerable components enables proactive remediation. Awareness of newly disclosed flaws prevents exploitation. Coordination ensures mission-wide response. Visibility reduces systemic risk.
SPR-266	The [organization] shall determine the vulnerabilities/weaknesses that require remediation, and coordinate the timeline for that remediation, in accordance with the analysis of the vulnerability scan report, the mission assessment of risk, and mission needs.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-5,CM-3,RA-5,RA-7,SI-3,SI-3(10)}	Not all vulnerabilities carry equal mission impact. Risk-informed prioritization ensures critical flaws are addressed first. Coordinated timelines balance mission needs with security posture. Structured remediation strengthens governance.
SPR-267	The [organization] shall perform software component analysis (a.k.a.origin analysis) for developed or acquired software.{SV-SP-4,SV-SP-6}{CM-10,CM-10(1),RA-3(1),RA-5,SA-15(7),SI-3,SI-3(10),SR-4(4)}	Origin analysis identifies embedded third-party libraries and dependencies. Transparency reduces supply chain opacity. Knowing component lineage enables targeted vulnerability tracking. This mitigates inherited risk.
SPR-269	The [organization] shall ensure that the vulnerability scanning tools (e.g., static analysis and/or component analysis tools) used include the capability to readily update the list of potential information system vulnerabilities to be scanned.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,RA-5(1),RA-5(3),SI-3}	Threat landscapes evolve rapidly. Regular tool updates ensure detection coverage remains current. Outdated signatures create blind spots. Continuous improvement sustains effectiveness.
SPR-270	The [organization] shall perform vulnerability analysis and risk assessment of all systems and software. The analysis shall include results from hardware‑in‑the‑loop vulnerability scanning of flight software, firmware, and link‑segment interfaces.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,RA-5(3),SA-15(7),SI-3}	Integrated hardware-in-the-loop testing identifies operationally relevant weaknesses. Combined software, firmware, and interface scanning provides holistic coverage. Risk assessment ensures mitigation aligns with mission priorities. End-to-end analysis strengthens assurance.
SPR-271	The [organization] shall ensure that vulnerability scanning tools and techniques are employed that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (1) Enumerating platforms, custom software flaws, and improper configurations; (2) Formatting checklists and test procedures; and (3) Measuring vulnerability impact. Scanning shall cover flight software, firmware, and link‑segment interfaces in hardware‑in‑the‑loop environments.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,RA-5(3),SI-3}	Component/Origin scanning looks for open-source libraries/software that may be included into the baseline and looks for known vulnerabilities and open-source license violations.
SPR-273	The [organization] shall perform static source code analysis for all available source code looking for [[organization]-defined Top CWE List] weaknesses using complimentary set of static code analysis tools (i.e.more than one).{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,SA-11(1),SA-15(7)}	Static analysis detects coding weaknesses before execution. Using multiple tools increases detection coverage. Alignment with defined CWE priorities ensures focus on high-risk flaws. Early detection reduces downstream remediation cost.
SPR-274	The [organization] shall analyze vulnerability/weakness scan reports and results from security control assessments.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,SI-3}	Scan results require expert interpretation to avoid false positives or overlooked risks. Structured analysis ensures meaningful remediation. Correlating findings with mission context refines prioritization. Review strengthens governance.
SPR-275	The [organization] shall have automated means to evaluate adherence to coding standards.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-15,SA-15(7),RA-5}	Manual review cannot scale across the code base; you must have a way to scale in order to confirm your coding standards are being met. The intent is for automated means to ensure code adheres to a coding standard.
SPR-276	The [organization] shall perform component analysis (a.k.a.origin analysis) for developed or acquired software.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-15(7),RA-5}
SPR-278	The [organization] shall correct flaws identified during security testing/evaluation.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11}	Flaws that impact the mission objectives should be prioritized.
SPR-279	The [organization] shall perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Program-defined depth and coverage].{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11}	The depth needs to include functional testing as well as negative/abuse testing.
SPR-291	The [organization] shall use the threat and vulnerability analyses of the as-built system, system components, or system services to inform and direct subsequent testing/evaluation of the as-built system, component, or service.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-3(3),SA-11(2),SA-15(8),SI-3}	Security analysis should guide test design. Threat-informed evaluation improves relevance. Feedback loops strengthen defensive posture. Analytical alignment enhances coverage.
SPR-293	The [organization] shall employ techniques to limit harm from potential adversaries identifying and targeting the [organization]s supply chain.{SV-SP-4,SV-SP-5,SV-SP-6}{CP-2,PM-30,SA-9,SA-12(5),SC-38,SR-3,SR-3(1),SR-3(2),SR-5(2)}	Adversaries often exploit supplier relationships. Protective measures reduce reconnaissance and manipulation. Supply chain resilience strengthens mission integrity. Proactive defense mitigates systemic exposure.
SPR-294	The [organization] shall use threat modeling and vulnerability analysis to inform the current development process using analysis from similar systems, components, or services where applicable.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11(2),SA-15(8)}
SPR-295	The [organization] shall perform and document threat and vulnerability analyses of the as-built system, system components, or system services.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11(2),SI-3}	Formal records preserve findings and mitigation strategies. Documentation supports lifecycle traceability. Transparent records enhance oversight. Governance requires evidence.
SPR-296	The [organization] shall conduct an Attack Surface Analysis and reduce attack surfaces to a level that presents a low level of compromise by an attacker.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11(6),SA-15(5)}	Reducing exposed interfaces lowers exploitation probability. Quantified surface reduction strengthens resilience. Structured assessment aligns design with mission risk tolerance. Minimization enhances defensive posture.
SPR-306	The [organization] shall conduct a supplier review prior to entering into a contractual agreement with a sub [organization] to acquire systems, system components, or system services.{SV-SP-4,SV-SP-6}{PM-30,PM-30(1),RA-3(1),SA-8(9),SA-8(11),SA-9,SA-12(2),SR-5(2),SR-6}	Pre-contract review ensures vendor security posture. Due diligence reduces third-party risk exposure. Structured evaluation strengthens procurement governance. Supplier trust must be verified.
SPR-313	The [organization] shall develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of organization-defined systems, system components, or system services.{SV-SP-4,SV-SP-5,SV-SP-6}{SR-2}	Structured SCRM planning identifies lifecycle risks. Comprehensive coverage ensures holistic oversight. Risk planning mitigates systemic exposure. Governance extends beyond deployment.
SPR-318	The [organization] shall ensure that the controls included in prime contracts are also included in the contracts of subcontractors.{SV-SP-4,SV-SP-6}{SR-3(3)}	Security gaps in subcontractors create systemic vulnerabilities. Flow-down requirements enforce consistent standards. Contractual alignment strengthens supply chain assurance. Uniform governance reduces weak links.
SPR-331	The [organization] shall test software and firmware updates related to flaw remediation for effectiveness and potential side effects on mission systems in a separate test environment before installation.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CM-3,CM-3(1),CM-3(2),CM-4(1),CM-4(2),CM-10(1),SA-8(31),SA-11(9),SI-2,SI-3,SI-3(10),SI-7(10),SI-7(12),SR-5(2)}	This requirement is focused on software and firmware flaws. If hardware flaw remediation is required, refine the requirement to make this clear.
SPR-337	The [organization] shall ensure that the list of potential system vulnerabilities scanned is updated [prior to a new scan] {SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5(2),SI-3}	Outdated vulnerability signatures reduce detection capability. Updating scan definitions ensures coverage against emerging threats. Proactive updates prevent blind spots. Continuous refresh strengthens scanning effectiveness.
SPR-374	The [organization] shall develop and maintain an overarching document that details policies and procedures regarding system and services acquisition.{SV-SP-4,SV-SP-6}{SA-1}	Acquisition governance ensures security requirements flow into procurement. Structured oversight reduces supply chain risk. Comprehensive documentation supports compliance. Early integration improves lifecycle protection.F377
SPR-391	The [organization] shall release updated versions of the mission information systems incorporating security-relevant software and firmware updates, after suitable regression testing, at a frequency no greater than [Program-defined frequency [90 days]].{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CM-3(2),CM-4(1)}	On-orbit patching/upgrades may be necessary if vulnerabilities are discovered after launch. The system should have the ability to update software post-launch.
SPR-392	The [organization] shall review proposed changes to the spacecraft, assessing both mission and security impacts.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-10,CM-3(2)}	Changes may introduce unintended security regression. Structured review balances mission needs with risk tolerance. Joint mission-security assessment prevents single-domain blind spots. Integrated evaluation supports safe modernization.
SPR-395	The [organization] shall prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CM-7(8)}	Closed binaries from unverified sources limit vulnerability inspection. Source availability supports transparency and review. Prohibiting opaque code reduces hidden malicious logic risk. Supply chain integrity depends on verifiability.
SPR-396	The [organization] shall perform configuration management during system, component, or service during [design; development; implementation; operations].{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-10}	Configuration discipline ensures traceability from design through operations. Lifecycle oversight prevents undocumented changes. Structured management supports rollback and audit. Configuration integrity underpins mission assurance.
SPR-397	The [organization] shall create prioritized list of software weakness classes (e.g., Common Weakness Enumerations) to be used during static code analysis for prioritization of static analysis results.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11(1),SA-15(7)}	The prioritized list of CWEs should be created considering operational environment, attack surface, etc. Results from the threat modeling and attack surface analysis should be used as inputs into the CWE prioritization process. There is also a CWSS (https://cwe.mitre.org/cwss/cwss_v1.0.1.html) process that can be used to prioritize CWEs. The prioritized list of CWEs can help with tools selection as well as you select tools based on their ability to detect certain high priority CWEs.
SPR-398	The [organization] shall perform a manual code review of all flight code.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11(4)}	Flight code governs mission-critical behavior. Manual review detects subtle logic flaws missed by automation. Human expertise enhances safety assurance. Defense-in-depth requires layered validation.
SPR-399	The [organization] shall define acceptable coding languages to be used by the software developer.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-15}	Standardized languages reduce complexity and maintenance burden. Approved languages support secure development practices. Language governance strengthens code quality and review consistency. Reduced heterogeneity improves assurance.
SPR-400	The [organization] shall define acceptable secure coding standards for use by the software developers.{SV-SP-1,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-15}	Secure coding standards mitigate common vulnerability patterns. Structured guidance reduces CWE-class weaknesses. Enforcing standards promotes predictable behavior. Governance supports sustainable security hygiene.
SPR-401	The [organization] shall correct reported cybersecurity-related information system flaws.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SI-2}	* Although this requirement is stated to specifically apply to cybersecurity-related flaws, the Program office may choose to broaden it to all SV flaws. * This requirement is allocated to the Program, as it is presumed, they have the greatest knowledge of the components of the system and when identified flaws apply.
SPR-402	The [organization] shall identify, report, and coordinate correction of cybersecurity-related information system flaws.{SV-SP-1,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SI-2}	Centralized reporting ensures timely remediation. Coordinated correction prevents repeated exposure. Documentation strengthens audit traceability. Rapid flaw management reduces exploitation window.
SPR-406	The [organization] shall track security advisories, patches/updates, and ensure compliance with license agreements and usage restrictions for all software within the SBOM.{SV-SP-6,SV-SP-4}{CM-10}	Software dependencies evolve over time. Tracking advisories prevents latent vulnerability exposure. SBOM transparency enables rapid risk assessment. Compliance monitoring strengthens lifecycle resilience.
SPR-407	The [organization] shall maintain a Software Bill of Materials (SBOM) for all software code utilized and continuously update/revise the SBOM for each step in the software lifecycle (to include the deployment of that software).{SV-SP-6,SV-SP-4}{CM-8}	Continuous SBOM updates ensure accurate dependency tracking. Lifecycle revision captures changes in deployed components. Accurate SBOMs enable vulnerability correlation. Transparency enhances supply chain integrity.
SPR-431	The [organization] shall include the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition of a system, system component, or system service: a.Functional security requirements; b.Strength of mechanism requirements; c.Security assurance requirements; d.Controls needed to satisfy the security requirements.e.Security documentation requirements; f.Requirements for protecting security documentation; g.Description of the system development environment and environment in which the system is intended to operate; h.Allocation of responsibility or identification of parties responsible control implementation and continuous monitoring/enforcement throughout the system life cycle; and i.Acceptance criteria.{SV-SP-4,SV-SP-6}{SA-4}	Security must be embedded in procurement documentation. Explicit criteria prevent ambiguity. Defined acceptance standards ensure compliance. Acquisition governance strengthens supply chain assurance.
SPR-527	The [organization] shall ingest vendor advisories, SBOM deltas, and provenance changes for components/toolchains into the Continuous Monitoring Program and correlate exposure with the “as‑flown” configuration to prioritize mitigations.{SV-SP-6,SV-SP-4,SV-DCO-1}{CA-7,CA-7(6),CM-8}	Exposure must be evaluated against actual deployed versions. SBOM deltas enable precise mitigation prioritization. Continuous ingestion strengthens responsiveness. Configuration awareness improves risk management.
SPR-537	The [organization] shall define event‑driven triggers for rapid risk reassessment (e.g., new images/bitstreams, key rotations, partner‑station onboarding, notable anomalies, vendor advisories) and rehearse fast‑turn evaluations in a twin/flatsat to drive decisions within one or two passes.{SV-SP-6,SV-SP-9}{RA-3,RA-3(1),CA-7}	Triggers ensure timely re-evaluation after impactful events. Flatsat rehearsal validates mitigation feasibility. Rapid cycles align with limited contact windows. Structured agility strengthens mission defense.

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
REC-0008		Gather Supply Chain Information	Threat actors map the end-to-end pathway by which hardware, software, data, and people move from design through AIT, launch, and on-orbit sustainment. They catalog manufacturers and lots, test and calibration houses, logistics routes and waypoints, integrator touchpoints, key certificates and tooling, update and key-loading procedures, and who holds custody at each handoff. They correlate this with procurement artifacts, SBOMs, BOMs, and service contracts to locate where trust is assumed rather than verified. Particular attention falls on exceptions, engineering builds, rework tickets, advance replacements, depot repairs, and urgent field updates, because controls are frequently relaxed there. The result is a prioritized list of choke points (board fabrication, FPGA bitstream signing, image repositories, CI/CD runners, cloud artifact stores, freight forwarders) where compromise yields outsized effect.
	REC-0008.03	Known Vulnerabilities	Adversaries correlate discovered component and software versions with public and private vulnerability sources to assemble a ready exploit catalog. Inputs include CPE/CVE mappings, vendor advisories, CWE-class weaknesses common to selected RTOS/middleware, FPGA IP core errata, cryptographic library issues, and hardware stepping errata that interact with thermal/power regimes. They mine leaked documents, demo code, bug trackers, and community forums; pivot from ground assets to flight by following shared libraries and tooling; and watch for lag between disclosure and patch deployment. Even when a vulnerability seems “ground-only,” it may expose build systems or update paths that ultimately control flight artifacts.
IA-0001		Compromise Supply Chain	Adversaries achieve first execution before the spacecraft ever flies by inserting malicious code, data, or configuration during manufacturing, integration, or delivery. Targets include software sources and dependencies, build systems and compilers, firmware/bitstreams for MCUs and FPGAs, configuration tables, test vectors, and off-the-shelf avionics. Inserted artifacts are designed to appear legitimate, propagate through normal processes, and activate under routine procedures or specific modes (e.g., safing, maintenance). Common insertion points align with where trust is assumed, vendor updates, mirrors and registries, CI/CD runners, programming stations, and “golden image” repositories. The result is pre-positioned access that blends with baseline behavior, often with delayed or conditional triggers and strong deniability.
	IA-0001.01	Software Dependencies & Development Tools	This technique targets what developers import and the tools that transform source into flight binaries. Methods include dependency confusion and typosquatting, poisoned container/base images, malicious IDE plugins, and compromised compilers, linkers, or build runners that subtly alter output. Because flight and ground stacks frequently reuse open-source RTOS components, crypto libraries, protocol parsers, and build scripts, an upstream change can deterministically reproduce a backdoor downstream. Attackers also seed private mirrors or caches so “trust-on-first-use” locks in tainted packages, or abuse CI secrets and environment variables to pivot further. Effects range from inserting covert handlers into command parsers, to weakening integrity checks in update paths, to embedding telemetry beacons that exfiltrate build metadata helpful for later stages.
	IA-0001.02	Software Supply Chain	Here the manipulation targets software delivered to flight or ground systems: altering source before build, swapping signed binaries at distribution edges, subverting update metadata, or using stolen signing keys to issue malicious patches. Space-specific vectors include mission control applications, schedulers, gateway services, flight tables and configuration packages, and firmware loads during I&T or LEOP. Adversaries craft payloads that pass superficial validation, trigger under particular operating modes, or reintroduce known weaknesses through version rollback. “Data payloads” such as malformed tables, ephemerides, or calibration products can double as exploits when parsers are permissive. The objective is to ride the normal promotion pipeline so the implant arrives pre-trusted and executes as part of routine operations.
EX-0009		Exploit Code Flaws	The adversary executes actions on-board by abusing defects in software that runs on the vehicle, ranging from application logic in flight software to libraries, drivers, and supporting services. Outcomes range from arbitrary code execution and privilege escalation to silent logic manipulation (e.g., bypassing interlocks, suppressing alarms) that appears operationally plausible. The hallmark of this technique is that the attacker co-opts existing code paths, often rarely used ones, to run unintended behavior under nominal interfaces. These attacks may be extremely targeted and tailored to specific coding errors introduced as a result of poor coding practices or they may target known issues in the commercial software components.
	EX-0009.03	Known Vulnerability (COTS/FOSS)	Using knowledge of the software composition on-board, the adversary maps components and versions to publicly or privately known defects and then crafts inputs to trigger them. Typical targets include standard libraries (libc, STL), cryptographic and compression libraries, protocol stacks (CCSDS implementations, IP over space links, SpaceWire bridges), filesystems and parsers (FITS/CCSDS packetization, custom table formats), and vendor SDKs for radios, sensors, or payloads. Triggers arrive as well-formed but malicious packets, frames, or files whose edge-case fields exercise version-specific bugs, overflowing a parser, bypassing an authentication check, or causing a kernel/driver fault that reboots into a more permissive mode. Because these flaws are documented somewhere, exploitation emphasizes matching the exact build and build-time options used on the mission.
EX-0010		Malicious Code	The adversary achieves on-board effects by introducing executable logic that runs on the vehicle, either native binaries and scripts, injected shellcode, or “data payloads” that an interpreter treats as code (e.g., procedure languages, table-driven automations). Delivery commonly piggybacks on legitimate pathways: software/firmware updates, file transfer services, table loaders, maintenance consoles, or command sequences that write to executable regions. Once staged, activation can be explicit (a specific command, mode change, or file open), environmental (time/geometry triggers), or accidental, where operator actions or routine autonomy invoke the implanted logic. Malicious code can target any layer it can reach: altering flight software behavior, manipulating payload controllers, patching boot or device firmware, or installing hooks in drivers and gateways that bridge bus and payload traffic. Effects range from subtle logic changes (quiet data tampering, command filtering) to overt actions (forced mode transitions, resource starvation), and may include secondary capabilities like covert communications, key material harvesting, or persistence across resets by rewriting images or configuration entries.
	EX-0010.01	Ransomware	Ransomware on a spacecraft encrypts data or critical configuration so that nominal operations can no longer proceed without the attacker’s cooperation. Targets include mass-memory file stores (engineering telemetry, payload data), configuration and command tables, event logs, on-board ephemerides, and even intermediate buffers used by downlink pipelines. Some variants interfere with key services instead of bulk data, e.g., encrypting a command dictionary or table index so valid inputs are rejected, or wrapping the payload data path in an attacker-chosen cipher so downlinked products appear as noise. By denying access to on-board content or control artifacts at scale, attackers convert execution into bargaining power or irreversible mission degradation.
	EX-0010.02	Wiper Malware	Wipers deliberately destroy or irreversibly corrupt data and, in some cases, executable images to impair or end mission operations. Destructive routines may overwrite with patterns or pseudorandom data, repeatedly reformat volumes, trigger wear mechanisms on non-volatile memory, or manipulate low-level translation layers so recovery tools see a blank or inconsistent device. Activation can be immediate or staged, sleeping until a specific time, pass, or maintenance action, and may be paired with anti-recovery steps such as erasing checksums, undo logs, or golden images. Because wipers operate at storage and image layers that underpin many subsystems, collateral effects can cascade: autonomy enters safing without viable recovery paths, downlinks carry only noise, and subsequent updates cannot be authenticated or applied. The defining feature is irreversible loss of data or executables as the primary objective, rather than concealment or monetization.
	EX-0010.03	Rootkit	A rootkit hides the presence and activity of other malicious components by interposing on the mechanisms that report system state. On spacecraft this can occur within flight software processes, at OS kernel level, inside separation kernels/hypervisors, or down in system firmware where drivers and initialization routines run. Techniques include API and syscall hooking, patching message queues and inter-process communication paths, altering task lists and scheduler views, filtering telemetry packets and event logs, and rewriting sensor or health values before they are recorded or downlinked. Rootkits may also hook command handlers and gateways so certain opcodes, timetags, or sources are silently accepted or ignored while external observers see normal acknowledgments. Because many missions rely on deterministic procedures and limited observability, even small alterations to reporting can make malicious actions appear as plausible mode transitions or benign anomalies. Persistence often pairs with the concealment layer, with the rootkit reinjecting companions after resets or rebuilds by monitoring for specific files, tables, or image loads and modifying them on the fly.
	EX-0010.04	Bootkit	A bootkit positions itself in the pre-OS boot chain so that it executes before normal integrity checks and can shape what the system subsequently trusts. After seizing early control, the bootkit can redirect image selection, patch kernels or flight binaries in memory, adjust device trees and driver tables, or install hooks that persist across warm resets. Some variants maintain shadow copies of legitimate images and present them to basic verification routines while steering actual execution to a modified payload; others manipulate fallback logic so recovery modes load attacker-controlled code. Because the boot path initializes memory maps, buses, and authentication material, a bootkit can also influence key/counter setup and gateway configurations, creating conditions favorable to later tactics. The central characteristic is precedence: by running first, the implant defines the reality higher layers observe, ensuring that every subsequent component launches under conditions curated by the attacker.
LM-0005		Virtualization Escape	The adversary pivots across partitions by abusing the mechanisms a separation kernel or hypervisor exposes for inter-partition communication and device sharing. Paths include message ports/queues, shared-memory windows, virtual NICs and bridges, hypercalls, and common driver backends (e.g., storage or DMA engines without strict IOMMU bounds). A foothold in a less-trusted partition, often a payload or guest OS, can be turned into access to a higher-privilege domain by crafting traffic that exploits parser flaws in port services, racing management channels, or coercing backend drivers to perform out-of-bounds operations. Once the boundary is crossed, the actor can reach bus gateways, file systems, or control applications hosted in adjacent partitions and continue movement under the guise of permitted inter-partition exchanges.

ID	Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0025	Supplier Review	Conduct a supplier review prior to entering into a contractual agreement with a contractor (or sub-contractor) to acquire systems, system components, or system services.	PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-11 \| SA-11(3) \| SA-17 \| SA-2 \| SA-3 \| SA-8 \| SA-9 \| SR-11 \| SR-3(1) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2) \| SR-6	D3-OAM \| D3-ODM \|	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| A.8.25 \| A.8.27 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22
CM0026	Original Component Manufacturer	Components/Software that cannot be procured from the original component manufacturer or their authorized franchised distribution network should be approved by the supply chain board or equivalent to prevent and detect counterfeit and fraudulent parts, materials, and software.	AC-20(5) \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-10(4) \| SA-11 \| SA-3 \| SA-8 \| SA-9 \| SR-1 \| SR-11 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(1) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2)	D3-OAM \| D3-ODM \| D3-AM \| D3-FV \| D3-SFV \|	A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29
CM0004	Development Environment Security	In order to secure the development environment, the first step is understanding all the devices and people who interact with it. Maintain an accurate inventory of all people and assets that touch the development environment. Ensure strong multi-factor authentication is used across the development environment, especially for code repositories, as threat actors may attempt to sneak malicious code into software that's being built without being detected. Use zero-trust access controls to the code repositories where possible. For example, ensure the main branches in repositories are protected from injecting malicious code. A secure development environment requires change management, privilege management, auditing and in-depth monitoring across the environment.	AC-17 \| AC-18 \| AC-20(5) \| AC-3(11) \| AC-3(13) \| AC-3(15) \| CA-8 \| CA-8(1) \| CM-11 \| CM-14 \| CM-2(2) \| CM-3(2) \| CM-3(7) \| CM-3(8) \| CM-4(1) \| CM-5(6) \| CM-7(8) \| CP-2(8) \| MA-7 \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| RA-3(2) \| RA-5 \| RA-5(2) \| RA-9 \| SA-10 \| SA-10(4) \| SA-11 \| SA-11(1) \| SA-11(2) \| SA-11(4) \| SA-11(5) \| SA-11(6) \| SA-11(7) \| SA-11(8) \| SA-15 \| SA-15(3) \| SA-15(5) \| SA-15(7) \| SA-15(8) \| SA-17 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4(12) \| SA-4(3) \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(19) \| SA-8(30) \| SA-8(31) \| SA-9 \| SC-38 \| SI-2 \| SI-2(6) \| SI-7 \| SR-1 \| SR-11 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(2) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(2) \| SR-6 \| SR-6(1) \| SR-7	D3-AI \| D3-AVE \| D3-SWI \| D3-HCI \| D3-NNI \| D3-OAM \| D3-AM \| D3-OM \| D3-DI \| D3-MFA \| D3-CH \| D3-OTP \| D3-BAN \| D3-PA \| D3- FAPA \| D3- DQSA \| D3-IBCA \| D3-PCSV \| D3-PSMD \|	A.8.4 \| A.5.14 \| A.6.7 \| A.8.1 \| A.5.14 \| A.8.1 \| A.8.20 \| A.8.9 \| A.8.9 \| A.8.31 \| A.8.19 \| A.5.30 \| A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.8.8 \| A.5.22 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| A.8.28 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.9 \| A.8.28 \| A.8.30 \| A.8.32 \| A.8.29 \| A.8.30 \| A.8.28 \| A.5.8 \| A.8.25 \| A.8.28 \| A.8.25 \| A.8.27 \| A.6.8 \| A.8.8 \| A.8.32 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22 \| A.5.22
CM0007	Software Version Numbers	When using COTS or Open-Source, protect the version numbers being used as these numbers can be cross referenced against public repos to identify Common Vulnerability Exposures (CVEs) and exploits available.	AC-3(11) \| CM-2 \| SA-11 \| SA-5 \| SA-8(29)	D3-AI \| D3-SWI \|	A.8.4 \| A.8.9 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.29 \| A.8.30
CM0010	Update Software	Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times. Release updated versions of the software/firmware systems incorporating security-relevant updates, after suitable regression testing, at a frequency no greater than mission-defined frequency [i.e., 30 days]. Ideally old versions of software are removed after upgrading but restoration states (i.e., gold images) are recommended to remain on the system.	CM-3(2) \| CM-3(7) \| CM-3(8) \| CM-4 \| CM-4(1) \| CM-5(6) \| CM-7(5) \| SA-10(4) \| SA-11 \| SA-3 \| SA-8 \| SA-8(30) \| SA-8(31) \| SA-8(8) \| SA-9 \| SI-2 \| SI-2(6) \| SI-7	D3-SU \|	A.8.9 \| A.8.9 \| A.8.9 \| A.8.31 \| A.8.19 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| A.6.8 \| A.8.8 \| A.8.32
CM0011	Vulnerability Scanning	Vulnerability scanning is used to identify known software vulnerabilities (excluding custom-developed software - ex: COTS and Open-Source). Utilize scanning tools to identify vulnerabilities in dependencies and outdated software (i.e., software composition analysis). Ensure that vulnerability scanning tools and techniques are employed that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (1) Enumerating platforms, custom software flaws, and improper configurations; (2) Formatting checklists and test procedures; and (3) Measuring vulnerability impact.	CM-10(1) \| RA-3 \| RA-5 \| RA-5(11) \| RA-5(3) \| RA-7 \| SA-11 \| SA-11(3) \| SA-15(7) \| SA-3 \| SA-4(5) \| SA-8 \| SA-8(30) \| SI-3 \| SI-3(10) \| SI-7	D3-AI \| D3-NM \| D3-AVE \| D3-NVA \| D3-PM \| D3-FBA \| D3-OSM \| D3-SFA \| D3-PA \| D3-PSA \| D3-PLA \| D3-PCSV \| D3-FA \| D3-DA \| D3-ID \| D3-HD \| D3-UA \|	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.7
CM0012	Software Bill of Materials	Generate Software Bill of Materials (SBOM) against the entire software supply chain and cross correlate with known vulnerabilities (e.g., Common Vulnerabilities and Exposures) to mitigate known vulnerabilities. Protect the SBOM according to countermeasures in CM0001.	CM-10 \| CM-10(1) \| CM-11 \| CM-11(3) \| CM-2 \| CM-5(6) \| CM-7(4) \| CM-7(5) \| CM-8 \| CM-8(7) \| PM-5 \| RA-5 \| RA-5(11) \| SA-10(2) \| SA-10(4) \| SA-11 \| SA-11(3) \| SA-3 \| SA-4(5) \| SA-8 \| SA-8(13) \| SA-8(29) \| SA-8(30) \| SA-8(7) \| SA-9 \| SI-7	D3-AI \| D3-AVE \| D3-SWI \|	A.8.9 \| A.8.19 \| A.8.19 \| A.5.9 \| A.8.9 \| A.5.32 \| A.8.19 \| A.8.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30
CM0013	Dependency Confusion	Ensure proper protections are in place for ensuring dependency confusion is mitigated like ensuring that internal dependencies be pulled from private repositories vice public repositories, ensuring that your CI/CD/development environment is secure as defined in CM0004 and validate dependency integrity by ensuring checksums match official packages.	CM-10(1) \| CM-11 \| CM-2 \| CM-5(6) \| RA-5 \| SA-11 \| SA-3 \| SA-8 \| SA-8(30) \| SA-8(7) \| SA-8(9) \| SA-9 \| SI-7	D3-LFP \| D3-UBA \| D3-RAPA \| D3-MAC \|	A.8.9 \| A.8.19 \| A.8.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30
CM0015	Software Source Control	Prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.	CM-11 \| CM-14 \| CM-2 \| CM-4 \| CM-5(6) \| CM-7(8) \| SA-10(2) \| SA-10(4) \| SA-11 \| SA-3 \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(19) \| SA-8(29) \| SA-8(30) \| SA-8(31) \| SA-8(7) \| SA-9 \| SI-7	D3-PM \| D3-SBV \| D3-EI \| D3-EAL \| D3- EDL \| D3-DCE \|	A.8.9 \| A.8.9 \| A.8.19 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30
CM0016	CWE List	Create prioritized list of software weakness classes (e.g., Common Weakness Enumerations), based on system-specific considerations, to be used during static code analysis for prioritization of static analysis results.	RA-5 \| SA-11 \| SA-11(1) \| SA-15(7) \| SI-7	D3-AI \| D3-AVE \|	A.8.8 \| A.8.29 \| A.8.30 \| A.8.28
CM0017	Coding Standard	Define acceptable coding standards to be used by the software developer. The mission should have automated means to evaluate adherence to coding standards. The coding standard should include the acceptable software development language types as well. The language should consider the security requirements, scalability of the application, the complexity of the application, development budget, development time limit, application security, available resources, etc. The coding standard and language choice must ensure proper security constructs are in place.	PL-8 \| PL-8(1) \| SA-11 \| SA-11(3) \| SA-15 \| SA-3 \| SA-4(9) \| SA-8 \| SA-8(30) \| SA-8(7) \| SI-7	D3-AI \| D3-AVE \| D3-SWI \| D3-DCE \| D3-EHPV \| D3-ORA \| D3-FEV \| D3-FR \| D3-ER \| D3-PE \| D3-PT \| D3-PS \|	A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.5.8 \| A.8.25
CM0018	Dynamic Testing	Employ dynamic analysis (e.g., using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code). Testing should occur (1) on potential system elements before acceptance; (2) as a realistic simulation of known adversary tactics, techniques, procedures (TTPs), and tools; and (3) throughout the lifecycle on physical and logical systems, elements, and processes. FLATSATs as well as digital twins can be used to perform the dynamic analysis depending on the TTPs being executed. Digital twins via instruction set simulation (i.e., emulation) can provide robust environment for dynamic analysis and TTP execution.	CA-8 \| CA-8(1) \| CM-4(2) \| CP-4(5) \| RA-3 \| RA-5(11) \| RA-7 \| SA-11 \| SA-11(3) \| SA-11(5) \| SA-11(8) \| SA-11(9) \| SA-3 \| SA-8 \| SA-8(30) \| SC-2(2) \| SC-7(29) \| SI-3 \| SI-3(10) \| SI-7 \| SR-6(1)	D3-DA \| D3-FBA \| D3-PSA \| D3-PLA \| D3-PA \| D3-SEA \| D3-MBT \|	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.7
CM0019	Static Analysis	Perform static source code analysis for all available source code looking for system-relevant weaknesses (see CM0016) using no less than two static code analysis tools.	CM-4(2) \| RA-3 \| RA-5 \| RA-7 \| SA-11 \| SA-11(1) \| SA-11(3) \| SA-11(4) \| SA-15(7) \| SA-3 \| SA-8 \| SA-8(30) \| SI-7	D3-PM \| D3-FBA \| D3-FEMC \| D3-FV \| D3-PFV \| D3-SFV \| D3-OSM \|	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.28
CM0021	Software Digital Signature	Prevent the installation of Flight Software without verification that the component has been digitally signed using a certificate that is recognized and approved by the mission.	AC-14 \| CM-11 \| CM-11(3) \| CM-14 \| CM-5(6) \| IA-2 \| SA-10(1) \| SA-11 \| SA-4(5) \| SA-8(29) \| SA-8(31) \| SA-9 \| SI-7 \| SI-7(1) \| SI-7(12) \| SI-7(15) \| SI-7(6)	D3-CH \| D3-CBAN \| D3-FV \| D3-DLIC \| D3-EAL \| D3-SBV \|	A.8.19 \| A.5.16 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30
CM0047	Operating System Security	Ensure spacecraft's operating system is scrutinized/whitelisted and has received adequate software assurance previously. The operating system should be analyzed for its attack surface and non-utilized features should be stripped from the operating system. Many real-time operating systems contain features that are not necessary for spacecraft operations and only increase the attack surface.	CM-11(3) \| CM-7 \| CM-7(5) \| CM-7(8) \| PL-8 \| PL-8(1) \| SA-15(6) \| SA-3 \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(19) \| SA-8(30) \| SI-3(8)	D3-AVE \| D3-OSM \| D3-EHB \| D3-SDM \| D3-SFA \| D3-SBV \| D3-PA \| D3-SCA \| D3-FCA \|	A.8.19 \| A.8.19 \| A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28
CM0069	Process White Listing	Simple process ID whitelisting on the firmware level could impede attackers from instigating unnecessary processes which could impact the spacecraft	CM-11 \| CM-7(5) \| PL-8 \| PL-8(1) \| SI-10(5)	D3-MAC \| D3-EAL \| D3-EDL \|	A.8.19 \| A.8.19 \| A.5.8
CM0005	Ground-based Countermeasures	This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://csrc.nist.gov/pubs/ir/8401/final). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.	AC-1 \| AC-10 \| AC-11 \| AC-11(1) \| AC-12 \| AC-12(1) \| AC-14 \| AC-16 \| AC-16(6) \| AC-17 \| AC-17(1) \| AC-17(10) \| AC-17(2) \| AC-17(3) \| AC-17(4) \| AC-17(6) \| AC-17(9) \| AC-18 \| AC-18(1) \| AC-18(3) \| AC-18(4) \| AC-18(5) \| AC-19 \| AC-19(5) \| AC-2 \| AC-2(1) \| AC-2(11) \| AC-2(12) \| AC-2(13) \| AC-2(2) \| AC-2(3) \| AC-2(9) \| AC-20 \| AC-20(1) \| AC-20(2) \| AC-20(3) \| AC-20(5) \| AC-21 \| AC-22 \| AC-3 \| AC-3(11) \| AC-3(13) \| AC-3(15) \| AC-3(4) \| AC-4 \| AC-4(23) \| AC-4(24) \| AC-4(25) \| AC-4(26) \| AC-4(31) \| AC-4(32) \| AC-6 \| AC-6(1) \| AC-6(10) \| AC-6(2) \| AC-6(3) \| AC-6(5) \| AC-6(8) \| AC-6(9) \| AC-7 \| AC-8 \| AT-2(4) \| AT-2(5) \| AT-2(6) \| AT-3 \| AT-3(2) \| AT-4 \| AU-10 \| AU-11 \| AU-12 \| AU-12(1) \| AU-12(3) \| AU-14 \| AU-14(1) \| AU-14(3) \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(1) \| AU-5(2) \| AU-5(5) \| AU-6 \| AU-6(1) \| AU-6(3) \| AU-6(4) \| AU-6(5) \| AU-6(6) \| AU-7 \| AU-7(1) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| AU-9(4) \| CA-3 \| CA-3(6) \| CA-3(7) \| CA-7 \| CA-7(1) \| CA-7(6) \| CA-8 \| CA-8(1) \| CA-9 \| CM-10(1) \| CM-11 \| CM-11(2) \| CM-11(3) \| CM-12 \| CM-12(1) \| CM-14 \| CM-2 \| CM-2(2) \| CM-2(3) \| CM-2(7) \| CM-3 \| CM-3(1) \| CM-3(2) \| CM-3(4) \| CM-3(5) \| CM-3(6) \| CM-3(7) \| CM-3(8) \| CM-4 \| CM-5(1) \| CM-5(5) \| CM-6 \| CM-6(1) \| CM-6(2) \| CM-7 \| CM-7(1) \| CM-7(2) \| CM-7(3) \| CM-7(5) \| CM-7(8) \| CM-7(9) \| CM-8 \| CM-8(1) \| CM-8(2) \| CM-8(3) \| CM-8(4) \| CM-9 \| CP-10 \| CP-10(2) \| CP-10(4) \| CP-2 \| CP-2(2) \| CP-2(5) \| CP-2(8) \| CP-3(1) \| CP-4(1) \| CP-4(2) \| CP-4(5) \| CP-8 \| CP-8(1) \| CP-8(2) \| CP-8(3) \| CP-8(4) \| CP-8(5) \| CP-9 \| CP-9(1) \| CP-9(2) \| CP-9(3) \| IA-11 \| IA-12 \| IA-12(1) \| IA-12(2) \| IA-12(3) \| IA-12(4) \| IA-12(5) \| IA-12(6) \| IA-2 \| IA-2(1) \| IA-2(12) \| IA-2(2) \| IA-2(5) \| IA-2(6) \| IA-2(8) \| IA-3 \| IA-3(1) \| IA-4 \| IA-4(9) \| IA-5 \| IA-5(1) \| IA-5(13) \| IA-5(14) \| IA-5(2) \| IA-5(7) \| IA-5(8) \| IA-6 \| IA-7 \| IA-8 \| IR-2 \| IR-2(2) \| IR-2(3) \| IR-3 \| IR-3(1) \| IR-3(2) \| IR-3(3) \| IR-4 \| IR-4(1) \| IR-4(10) \| IR-4(11) \| IR-4(12) \| IR-4(13) \| IR-4(14) \| IR-4(3) \| IR-4(4) \| IR-4(5) \| IR-4(6) \| IR-4(7) \| IR-4(8) \| IR-5 \| IR-5(1) \| IR-6 \| IR-6(1) \| IR-6(2) \| IR-7 \| IR-7(1) \| IR-8 \| MA-2 \| MA-3 \| MA-3(1) \| MA-3(2) \| MA-3(3) \| MA-4 \| MA-4(1) \| MA-4(3) \| MA-4(6) \| MA-4(7) \| MA-5(1) \| MA-6 \| MA-7 \| MP-2 \| MP-3 \| MP-4 \| MP-5 \| MP-6 \| MP-6(3) \| MP-7 \| PE-3(7) \| PL-10 \| PL-11 \| PL-8 \| PL-8(1) \| PL-8(2) \| PL-9 \| PM-11 \| PM-16(1) \| PM-17 \| PM-30 \| PM-30(1) \| PM-31 \| PM-32 \| RA-10 \| RA-3(1) \| RA-3(2) \| RA-3(3) \| RA-3(4) \| RA-5 \| RA-5(10) \| RA-5(11) \| RA-5(2) \| RA-5(4) \| RA-5(5) \| RA-7 \| RA-9 \| SA-10 \| SA-10(1) \| SA-10(2) \| SA-10(7) \| SA-11 \| SA-11(2) \| SA-11(4) \| SA-11(7) \| SA-11(9) \| SA-15 \| SA-15(3) \| SA-15(7) \| SA-17 \| SA-2 \| SA-22 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4 \| SA-4(1) \| SA-4(10) \| SA-4(12) \| SA-4(2) \| SA-4(3) \| SA-4(5) \| SA-4(7) \| SA-4(9) \| SA-5 \| SA-8 \| SA-8(14) \| SA-8(15) \| SA-8(18) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SA-8(24) \| SA-8(29) \| SA-8(9) \| SA-9 \| SA-9(1) \| SA-9(2) \| SA-9(6) \| SA-9(7) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(6) \| SC-13 \| SC-15 \| SC-16(2) \| SC-16(3) \| SC-18(1) \| SC-18(2) \| SC-18(3) \| SC-18(4) \| SC-2 \| SC-2(2) \| SC-20 \| SC-21 \| SC-22 \| SC-23 \| SC-23(1) \| SC-23(3) \| SC-23(5) \| SC-24 \| SC-28 \| SC-28(1) \| SC-28(3) \| SC-3 \| SC-38 \| SC-39 \| SC-4 \| SC-45 \| SC-45(1) \| SC-45(2) \| SC-49 \| SC-5 \| SC-5(1) \| SC-5(2) \| SC-5(3) \| SC-50 \| SC-51 \| SC-7 \| SC-7(10) \| SC-7(11) \| SC-7(12) \| SC-7(13) \| SC-7(14) \| SC-7(18) \| SC-7(21) \| SC-7(25) \| SC-7(29) \| SC-7(3) \| SC-7(4) \| SC-7(5) \| SC-7(7) \| SC-7(8) \| SC-7(9) \| SC-8 \| SC-8(1) \| SC-8(2) \| SC-8(5) \| SI-10 \| SI-10(3) \| SI-10(6) \| SI-11 \| SI-12 \| SI-14(3) \| SI-16 \| SI-19(4) \| SI-2 \| SI-2(2) \| SI-2(3) \| SI-2(6) \| SI-21 \| SI-3 \| SI-3(10) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(12) \| SI-4(13) \| SI-4(14) \| SI-4(15) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(20) \| SI-4(22) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-5 \| SI-5(1) \| SI-6 \| SI-7 \| SI-7(1) \| SI-7(17) \| SI-7(2) \| SI-7(5) \| SI-7(7) \| SI-7(8) \| SR-1 \| SR-10 \| SR-11 \| SR-11(1) \| SR-11(2) \| SR-11(3) \| SR-12 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(1) \| SR-3(2) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2) \| SR-6 \| SR-6(1) \| SR-7 \| SR-8 \| SR-9 \| SR-9(1)	Nearly all D3FEND Techniques apply to Ground \|	5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.15 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.16 \| A.5.18 \| A.8.2 \| A.8.16 \| A.5.15 \| A.5.33 \| A.8.3 \| A.8.4 \| A.8.18 \| A.8.20 \| A.8.2 \| A.8.4 \| A.5.14 \| A.8.22 \| A.8.23 \| A.8.11 \| A.8.10 \| A.5.15 \| A.8.2 \| A.8.18 \| A.8.5 \| A.8.5 \| A.7.7 \| A.8.1 \| A.5.14 \| A.6.7 \| A.8.1 \| A.8.16 \| A.5.14 \| A.8.1 \| A.8.20 \| A.5.14 \| A.7.9 \| A.8.1 \| A.5.14 \| A.7.9 \| A.8.20 \| A.6.3 \| A.8.15 \| A.8.15 \| A.8.6 \| A.5.25 \| A.6.8 \| A.8.15 \| A.7.4 \| A.8.17 \| A.5.33 \| A.8.15 \| A.5.28 \| A.8.15 \| A.8.15 \| A.8.15 \| A.5.14 \| A.8.21 \| 9.1 \| 9.3.2 \| 9.3.3 \| A.5.36 \| 9.2.2 \| A.8.9 \| A.8.9 \| 8.1 \| 9.3.3 \| A.8.9 \| A.8.32 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.19 \| A.8.19 \| A.5.9 \| A.8.9 \| A.5.2 \| A.8.9 \| A.8.19 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.8.6 \| A.5.30 \| A.5.30 \| A.5.29 \| A.7.11 \| A.5.29 \| A.5.33 \| A.8.13 \| A.5.29 \| A.5.16 \| A.5.16 \| A.5.16 \| A.5.17 \| A.8.5 \| A.5.16 \| A.6.3 \| A.5.25 \| A.5.26 \| A.5.27 \| A.8.16 \| A.5.5 \| A.6.8 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.24 \| A.7.10 \| A.7.13 \| A.8.10 \| A.8.10 \| A.8.16 \| A.8.10 \| A.7.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.5.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.8.10 \| A.5.10 \| A.7.9 \| A.7.10 \| A.5.10 \| A.7.10 \| A.7.14 \| A.8.10 \| A.5.10 \| A.7.10 \| A.5.8 \| A.5.7 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| 4.4 \| 6.2 \| 7.4 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 9.1 \| 9.2.2 \| 10.1 \| 10.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.22 \| A.5.7 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| 8.1 \| A.5.8 \| A.5.20 \| A.5.23 \| A.8.29 \| A.8.30 \| A.8.28 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.9 \| A.8.28 \| A.8.30 \| A.8.32 \| A.8.29 \| A.8.30 \| A.5.8 \| A.8.25 \| A.8.25 \| A.8.27 \| A.8.6 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.23 \| A.8.12 \| A.5.10 \| A.5.14 \| A.8.20 \| A.8.26 \| A.5.33 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.14 \| A.5.10 \| A.5.33 \| A.6.8 \| A.8.8 \| A.8.32 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16 \| A.5.6 \| A.8.11 \| A.8.10 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22 \| A.5.22
CM0032	On-board Intrusion Detection & Prevention	Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.	AU-14 \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(2) \| AU-5(5) \| AU-6(1) \| AU-6(4) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| CA-7(6) \| CM-11(3) \| CP-10 \| CP-10(4) \| IR-4 \| IR-4(11) \| IR-4(12) \| IR-4(14) \| IR-4(5) \| IR-5 \| IR-5(1) \| PL-8 \| PL-8(1) \| RA-10 \| RA-3(4) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SC-16(2) \| SC-32(1) \| SC-5 \| SC-5(3) \| SC-7(10) \| SC-7(9) \| SI-10(6) \| SI-16 \| SI-17 \| SI-3 \| SI-3(10) \| SI-3(8) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(13) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-4(7) \| SI-6 \| SI-7(17) \| SI-7(8)	D3-FA \| D3-DA \| D3-FCR \| D3-FH \| D3-ID \| D3-IRA \| D3-HD \| D3-IAA \| D3-FHRA \| D3-NTA \| D3-PMAD \| D3-RTSD \| D3-ANAA \| D3-CA \| D3-CSPP \| D3-ISVA \| D3-PM \| D3-SDM \| D3-SFA \| D3-SFV \| D3-SICA \| D3-USICA \| D3-FBA \| D3-FEMC \| D3-FV \| D3-OSM \| D3-PFV \| D3-EHB \| D3-IDA \| D3-MBT \| D3-SBV \| D3-PA \| D3-PSMD \| D3-PSA \| D3-SEA \| D3-SSC \| D3-SCA \| D3-FAPA \| D3-IBCA \| D3-PCSV \| D3-FCA \| D3-PLA \| D3-UBA \| D3-RAPA \| D3-SDA \| D3-UDTA \| D3-UGLPA \| D3-ANET \| D3-AZET \| D3-JFAPA \| D3-LAM \| D3-NI \| D3-RRID \| D3-NTF \| D3-ITF \| D3-OTF \| D3-EI \| D3-EAL \| D3-EDL \| D3-HBPI \| D3-IOPR \| D3-KBPI \| D3-MAC \| D3-SCF \|	A.8.15 \| A.8.15 \| A.8.6 \| A.8.17 \| A.5.33 \| A.8.15 \| A.8.15 \| A.5.29 \| A.5.25 \| A.5.26 \| A.5.27 \| A.5.8 \| A.5.7 \| A.8.12 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16

SV-SP-6 - 3rd Party Software

Informational References

High-Level Requirements

Low-Level Requirements

Related SPARTA Techniques and Sub-Techniques

Related SPARTA Countermeasures