After years in development, the U.S. Space Force has launched the Infrastructure Asset Pre-Approval Program (IA-Pre), establishing new cybersecurity requirements for commercial satellite communications providers working with the U.S. military.
The Commercial Satellite Communications Office (CSCO), a branch of Space Force’s acquisition arm, Space Systems Command, is running the program, which was developed to mitigate cybersecurity risks to Department of Defense missions relying on commercial satellite communication (COMSATCOM).
In the near term, only a few dozen commercial satcom providers will be affected by IA-Pre. Those with existing DoD contracts will have a little over three years to achieve full compliance with the new, high-impact baseline controls and get their products or services onto CSCO’s Approved Products List. In the future, all COMSATCOM solutions used by the military will go through IA-Pre’s rigorous process of impact categorization, security control implementation and evaluation by a qualified third-party assessor.
Cole French is an information security professional with Kratos Defense & Security Solutions, which is on the list of CSCO-approved IA-Pre assessors. He noted that because IA-Pre is an asset-based evaluation, satcom operators will likely find it less onerous than programs like the Cybersecurity Maturity Model Certification (CMMC), which applies at the organizational level.
“Adding security to products can certainly be difficult, but not as difficult as layering security into an organization,” French noted. “I think it will be a little easier for people to get up to speed. As the process builds out and people understand it better, a lot more products will be able to be approved.”
Specific assets listed for approval by CSCO include commercial satellites, as well as elements of Tracking, Telemetry and Control (TT&C) ground stations and integrator networks that support solution development, management, maintenance or service delivery.
Part of a ‘Natural Evolution’ in Cybersecurity
The official IA-Pre rollout is less of a surprise and more of a critical milestone. The program has been in development since 2018 and industry participants have been providing input throughout the process. Some companies have been preparing for years to measure against the relevant NIST 800-53 controls—the National Security System Overlay and Space Overlay. More recently, Russia’s war in Ukraine reaffirmed the need to heighten cybersecurity standards while confirming what many satcom operators understood about the risks to commercial space assets.
“A lot of companies are trying very hard to embrace this. It’s a natural evolution of where some of them are going [with cybersecurity],” explained Andrew D’Uva, President of Providence Access Company, a strategic advisory firm helping satellite service providers with government compliance and cybersecurity. “Those few who ignore or think they can ignore that the requirements base is changing, eventually they won’t be in this market anymore.”
Even for satcom and network operators with stringent cybersecurity, the implementation phase of the IA-Pre rollout will be a heavy lift. Depending on whether an asset receives a low, moderate or high-risk security assessment, it could have to implement up to 500 security and privacy controls. That’s compared to about 50 controls used in CSCO’s Information Assurance Questionnaire (CIAQ), the current standard for assessing security capabilities.
Establishing whether an asset presents a low, moderate or high-impact security risk is the first step in the IA-Pre approval process. This involves a checklist of asset or product uses, security boundaries, data sensitivity, user access and a variety of other parameters. Once CSCO’s assigned officer determines an asset’s category, each applicable security control must be implemented to a defined standard. A third-party auditor is responsible for reviewing documentation, conducting interviews and testing the system to identify any non-compliant controls. Any finding that scores above a certain risk level must be documented, and a plan is established to bring it into compliance. When every control is compliant, CSCO conducts a final assessment, after which the satcom asset and its rating can be added to the Approved Products List. Continued approval depends on continuous monitoring: the satcom supplier must issue regular updates and annual reports indicating any changes that could affect compliance with the applicable controls.
Preparing for Assessments: Sooner or Later?
CSCO has been running point on IA-Pre since fall 2018. In May, it opened applications for a limited number of commercial satcom suppliers to submit assets to be assessed in a soft rollout of the program.
Outside of the participants in the soft rollout, commercial operators aren’t lining up for assessments just yet. Requests for assessments likely won’t start before the end of the year. Most satcom contractors are taking the coming months to observe the initial rollout and prepare internal policies, procedures and practices to meet the high bar of IA-Pre.
Organizations with greater cybersecurity maturity should consider being assessed sooner rather than later, French recommended. Those with less should focus on maturing their cybersecurity practices before engaging with the new process.
“To that end, I’d strongly suggest that organizations consider a third-party advisor to assist them in moving cybersecurity forward,” he said.
Deciding when to enlist a third party depends on an organization’s priorities. Bringing in an advisor or assessor before new security controls are implemented can help identify issues sooner but can also lead to solving theoretical, rather than actual problems, French noted. Organizations that wait until controls have been implemented will have a more practical evaluation but may also incur added costs to remediate issues that could have been identified sooner.
Phasing Out CIAQs
The new requirements will soon replace the CIAQ, which has fewer security controls and is time-consuming for both contractors and the DoD. Instead of requiring a questionnaire for every proposal and evaluating every solution at the contract or task order level, IA-Pre assesses only the asset and the systems immediately surrounding it.
For an asset to make it onto the Approved Products List, the organization must address all the applicable security controls and keep residual risk below a set threshold. Having a preapproved catalog not only improves the efficiency of Space Force acquisitions, but it also makes it easier for vendors to reference assets that they may have incorporated into their own products or services. IA-Pre also replaces the existing self-assessment process with a CSCO-approved third-party auditor, or Agent of the Security Control Assessor (ASCA).
Based on the most recent timeline, the CIAQ process will sunset by the end of 2023 and all new contracts will start to be built around IA-Pre compliance. By the end of 2025, any COMSATCOM hoping to work with the military will need to be 100% IA-Pre compliant.
Other commercial national security space providers should stay engaged with this process, even if they don’t need to meet IA-Pre compliance, because the standards could be applied more broadly, according to D’Uva.
“I fully expect other parts of the government will pick up on this and reciprocally apply it once the program gets going. Because it’s just too easy not to,” he said. “Law enforcement, the intelligence community, other national security-connected federal agencies—I would expect this level of standard to apply to critical commercial categories given what we know about the threat environment.”
By the end of 2025, IA-Pre will be another item to cross off the checklist for COMSATCOM suppliers doing business with DoD. Space Force has acknowledged that IA-Pre will require a significant investment of resources and time for organizations wishing to renew or initiate military contracts. CSCO and the Cybersecurity and Infrastructure Security Agency (CISA) are offering assistance to organizations navigating the new regime and preparing for assessments. Space Force is also working with qualified third-party assessors to manage what will soon become a large flow of assets seeking qualification.
As the IA-Pre process accelerates into the new year, industry players should investigate how the requirements apply to them and start preparing for assessments, D’Uva emphasized.
“If you’re a communications satellite operator that either supplies satellite capacity or a managed solution, you should be involved,” he said. “If you’re a teleport operator that serves the U.S. Department of Defense, you should be involved. If you’re a prime contractor that is a system integrator, you should understand this and be involved.”