Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Implementing a spacecraft reference monitor helps ensure that mission software, especially at the payload level, cannot bypass critical security checks. The biggest hurdle is often hardware limitations: older satellites may lack the kernel-level separation or privileged-instruction sets needed to fully isolate the access control logic. Modern designs, however, can integrate minimal hypervisors or microkernels that run security-relevant checks in protected memory regions. For instance, the reference monitor could mediate attempts to modify flight software parameters or to read from cryptographic memory. The tamperproof property might rely on hardware-based memory protection or on dedicated secure-boot chips. While these features increase cost and the size, weight and power (SWaP) footprint, they prove valuable for high-assurance missions. Where a platform cannot offer full reference-monitor capabilities, partial implementations, such as verifying the digital signatures of command sequences, still improve overall security and reliability.
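The following is an added illustration of the three reference-monitor properties in flight-software style C; it is not code from SPARTA, NIST, or any mission. The subject names (ground command handler, core flight software, payload task), the object names (flight software parameters, cryptographic memory, telemetry), the policy matrix and the key bytes are all constructed for the example. "Always invoked" is modelled by making the accessor functions the only path to the protected data, "tamperproof" by keeping the policy in a `const` table (on real hardware an MPU/MMU or a secure-boot-verified image supplies that guarantee), and "small enough to analyse" by keeping the decision logic to one short function that fails closed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subjects (requesters) and objects (protected resources). Hypothetical names. */
typedef enum { SUBJ_GROUND_CMD = 0, SUBJ_FSW_CORE, SUBJ_PAYLOAD, SUBJ_COUNT } subject_t;
typedef enum { OBJ_FSW_PARAMS = 0, OBJ_CRYPTO_MEM, OBJ_TELEMETRY, OBJ_COUNT } object_t;

#define ACC_READ  0x1u
#define ACC_WRITE 0x2u
#define ACC_VALID (ACC_READ | ACC_WRITE)

/* Policy matrix (constructed): permitted access modes per [subject][object].
   const lets the build place it in read-only memory; memory protection hardware
   is what actually makes it tamperproof on a real platform. */
static const uint8_t policy[SUBJ_COUNT][OBJ_COUNT] = {
    /*                FSW_PARAMS            CRYPTO_MEM  TELEMETRY            */
    /* GROUND_CMD */ { ACC_READ | ACC_WRITE, 0,          ACC_READ             },
    /* FSW_CORE   */ { ACC_READ | ACC_WRITE, ACC_READ,   ACC_READ | ACC_WRITE },
    /* PAYLOAD    */ { ACC_READ,             0,          ACC_WRITE            },
};

static unsigned long denied_total = 0;  /* minimal audit counter */

/* The monitor: the single decision point. Deny by default: unknown subjects,
   unknown objects, empty or malformed mode requests all fail closed. */
bool monitor_check(subject_t s, object_t o, unsigned mode)
{
    bool allowed = false;
    if ((unsigned)s < SUBJ_COUNT && (unsigned)o < OBJ_COUNT &&
        mode != 0 && (mode & ~ACC_VALID) == 0) {
        /* every requested bit must be granted by the policy */
        allowed = (policy[s][o] & mode) == mode;
    }
    if (!allowed) {
        denied_total++;
        printf("DENY subj=%d obj=%d mode=0x%x\n", (int)s, (int)o, mode);
    }
    return allowed;
}

unsigned long monitor_denied_total(void) { return denied_total; }

/* Protected storage. The arrays are file-static so the accessors below are the
   only way to reach them, which is how the monitor is always invoked. */
#define PARAM_COUNT 4
static int32_t fsw_params[PARAM_COUNT] = { 100, 200, 300, 400 };
static const uint8_t crypto_key[16] = {   /* constructed placeholder key bytes */
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
    0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };

/* Each accessor returns 0 on success and -1 on denial or bad argument. */
int fsw_param_write(subject_t s, unsigned idx, int32_t value)
{
    if (!monitor_check(s, OBJ_FSW_PARAMS, ACC_WRITE) || idx >= PARAM_COUNT) return -1;
    fsw_params[idx] = value;
    return 0;
}

int fsw_param_read(subject_t s, unsigned idx, int32_t *out)
{
    if (!monitor_check(s, OBJ_FSW_PARAMS, ACC_READ) || idx >= PARAM_COUNT) return -1;
    *out = fsw_params[idx];
    return 0;
}

int crypto_key_copy(subject_t s, uint8_t *out, size_t n)
{
    if (!monitor_check(s, OBJ_CRYPTO_MEM, ACC_READ) || n > sizeof crypto_key) return -1;
    memcpy(out, crypto_key, n);
    return 0;
}

int main(void)
{
    int32_t v = 0;
    uint8_t key[16];
    /* payload may read parameters but not write them or touch key material */
    printf("payload write -> %d\n", fsw_param_write(SUBJ_PAYLOAD, 0, 42));
    printf("payload read  -> %d (value %d)\n", fsw_param_read(SUBJ_PAYLOAD, 0, &v), (int)v);
    printf("payload key   -> %d\n", crypto_key_copy(SUBJ_PAYLOAD, key, sizeof key));
    printf("core key      -> %d\n", crypto_key_copy(SUBJ_FSW_CORE, key, sizeof key));
    printf("denials: %lu\n", monitor_denied_total());
    return 0;
}
```

The point a reviewer would check in a real implementation is the same one the test below checks: every path to the protected data goes through `monitor_check`, and every malformed request (out-of-range subject, empty mode, unknown mode bits) is denied rather than falling through to an access.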
Requirement | Rationale/Additional Guidance/Notes
---|---
The [spacecraft] shall implement a reference monitor mechanism that mediates access between subjects and objects based on a defined set of rules, that is designed and configured to resist tampering or unauthorized alteration, providing a reliable and secure foundation for access control within the information system. {AC-25} |