United States Government Accountability Office
GAO Report to Congressional Requesters
May 2024

NASA CYBERSECURITY
Plan Needed to Update Spacecraft Acquisition Policies and Standards

GAO-24-106624

Highlights of GAO-24-106624, a report to congressional requesters

Why GAO Did This Study

NASA's space development project portfolio includes 34 major projects, in which NASA plans to invest more than $83 billion. Spacecraft are operating in a heightened cyberthreat environment with increased risks of attack and mission disruption. NASA has identified civil space events that demonstrate the need to better protect spacecraft against cyber threats.

GAO was asked to examine the cybersecurity requirements in NASA contracts for its spacecraft projects. This report assesses the extent to which NASA (1) incorporated cybersecurity in selected spacecraft contracts and (2) determined whether additional cybersecurity updates, if any, are needed to its acquisition policies and standards for spacecraft.

GAO reviewed NASA policies and standards regarding spacecraft cybersecurity. GAO selected a nongeneralizable sample of three spacecraft projects, chosen because they represent different NASA centers and development stages, and include at least one robotic and one human spaceflight project. For these three, GAO analyzed contracts and project documents. GAO also interviewed project and cybersecurity officials.

What GAO Found

Spacecraft developed by the National Aeronautics and Space Administration (NASA) depend on software and IT, which, in turn, rely on cybersecurity to prevent, detect, and respond to potential cyber incidents. A cyber incident could result in loss of mission data, decreased lifespan or capability of space systems, or the loss of control of space vehicles. Cyber threats and technology change rapidly. In response, the federal government issues government-wide cybersecurity guidelines, such as the National Institute of Standards and Technology's Risk Management Framework.

Contracts for the selected NASA projects GAO reviewed required contractors to address cybersecurity, consistent with NASA standards. In 2019, NASA identified ... Element; Orion Multi-Purpose Crew Vehicle; and Spectro-Photometer for the History of the Universe, Epoch of Re-ionization and Ices Explorer started development before 2019. Nevertheless, GAO found these contracts include requirements related to NASA's spacecraft cybersecurity standards. Contracts also required contractors to demonstrate requirements are met through testing.

Since the issuance of its 2019 cybersecurity requirements, NASA has considered, but not yet implemented, updates to its spacecraft acquisition policies and standards. In 2023, NASA issued a space best practices guide containing information on cybersecurity principles and controls, threat actor capabilities, and potential mitigation strategies, among other things. However, this guidance is optional for spacecraft programs. NASA officials explained that ... acquisition policies and standards is because of the length of time it takes to do so. GAO acknowledges that the standards-setting process can take time, but it is essential that NASA do so for practices that should be required. However, ... a result, NASA risks inconsistent implementation of cybersecurity controls and lacks assurance that spacecraft have a layered and comprehensive defense against attacks.

What GAO Recommends

GAO recommends NASA develop a plan with time frames to update its spacecraft acquisition policies to include essential controls. NASA agreed to update its policies but did not agree to set a plan with dates to do so. Without a plan, GAO maintains it is unknown when implementation would occur. Accordingly, the recommendation remains valid.

View GAO-24-106624. For more information, contact W. William Russell at (202) 512-4841 or [email protected], or Kevin Walsh at (202) [email protected].