Enforce information flow control based on [Assignment: organization-defined metadata].
| ID | Name | Description | D3FEND | |
| ID | Description | |
| SV-AC-6 |
Three main parts of S/C. CPU, memory, I/O interfaces with parallel and/or serial ports. These are connected via busses (i.e., 1553) and need segregated. Supply chain attack on CPU (FPGA/ASICs), supply chain attack to get malware burned into memory through the development process, and rogue RTs on 1553 bus via hosted payloads are all threats. Security or fault management being disabled by non-mission critical or payload; fault injection or MiTM into the 1553 Bus - China has developed fault injector for 1553 - this could be a hosted payload attack if payload has access to main 1553 bus; One piece of FSW affecting another. Things are not containerized from the OS or FSW perspective; |
|
| Requirement |
|---|
| The [Program-defined security policy] shall state that information should not be allowed to flow between partitioned applications unless explicitly permitted by the Program's security policy. {SV-AC-6} {AC-4,AC-4(6)} |
| The spacecraft shall enforce approved authorizations for controlling the flow of information within the spacecraft and between interconnected systems based on the [Program defined security policy] that information does not leave the spacecraft boundary unless it is encrypted. {SV-AC-6} {AC-4,AC-4(6)} |
| The spacecraft shall, when transferring information between different security domains, implements the following security policy filters that require fully enumerated formats that restrict data structure and content: connectors and semaphores implemented in the RTOS. {SV-AC-6} {AC-4(14)} |
| The spacecraft shall use protected processing domains to enforce the policy that information does not leave the spacecraft boundary unless it is encrypted as a basis for flow control decisions. {SV-AC-6} {AC-4(2)} |
| ID | Name | Description | |
|---|---|---|---|