NASA doesn't know if its spacecraft have adequate cyber defenses, GAO warns

A close-up view of a BIRDS-2 satellite deployment in August 2018.

A close-up view of a BIRDS-2 satellite deployment in August 2018. Serena Auñón-Chancellor/NASA

The agency encourages its spacecraft programs to use an optional best practices guide when it comes to implementing cybersecurity requirements.

NASA has taken steps in recent years to enhance the cyber requirements included in its contracts but has not issued mandatory security guidance for its spacecraft acquisition policies and standards, the Government Accountability Office warned in a report released on Wednesday.

The nation’s space agency released cybersecurity-related standards in 2019 that established security requirements for all NASA programs and projects. The watchdog audit noted, however, that the agency “has considered, but not yet implemented” enforceable cyber rules for its purchases of outside spacecraft and related systems.

Instead, GAO found that cyber requirements for NASA’s acquisition policies are directed by optional guidance, such as a 2023 best practices guide that outlined “information on cybersecurity principles and controls, threat actor capabilities and potential mitigation strategies, among other things.”

The guide included principles for incorporating cybersecurity standards into spacecraft development programs, such as ensuring that space systems can “protect against unauthorized access.”

In his comments on the report, NASA CIO Jeffrey Seaton noted that the agency "incorporates controls based on their specific type of cyber and risk threats," that could impact specific mission vehicles, from crewed spacecraft to small satellites. Seaton said that it's "not feasible to develop one set of essential controls applicable to all types of mission spacecraft."

The report also notes that NASA has to be cautious when introducing new requirements “because they do not have physical access to the spacecraft for repairs after launch.”

The watchdog warned the agency, however, that “without establishing a plan to update its policies and standards to ensure they address essential cybersecurity controls in light of this dynamic environment, information in the guide remains optional for programs”

“As a result, NASA risks inconsistent consideration and implementation of cybersecurity controls and will not have full assurance that the spacecraft used to support NASA missions have a layered and comprehensive defense against cyberattacks,” GAO added. 

GAO recommended that the agency “develop an implementation plan with time frames to update its spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats.”

While NASA agreed with the recommendation to update its policies, it disagreed with the need to establish a timeline for doing so because, in part, of concerns that “transitioning traditional cybersecurity capabilities into a space environment requires careful consideration to avoid impacts to the spacecraft’s objectives and the ability to operate safely.”