Cybersecurity Directive Implementation Going Slowly

CompTIA Senior Director-Public Sector David Logsdon said the National Cybersecurity Center's Space Information Sharing and Analysis Center plans to report in November on perceived gaps in the space policy directive. Pace said he had hoped space agencies would have started talking more explicitly in acquisitions and requests for proposals about cybersecurity expectations. Until such principles start being part of competitive considerations in acquisitions, "it's hard to get companies to start taking that seriously," he said, noting interagency discussions are needed. He said government should be more aggressive in industry outreach with Department of Homeland Security threat briefings, and more active in international engagement via standards bodies. Added Logsdon, “If we don't do it, the Chinese will." The space policy directive deliberately took "a soft approach" instead of a prescriptive one, to get grassroots buy-in, said Lockheed Martin Vice President-Technology Policy and Regulation Jennifer Warren. She said there's more to be done in adoption and implementation, but the directive had some success in raising awareness about the need to think of cybersecurity beyond just satellites to the broader ecosystem including earth stations and supply chains. Timelines for implementation should be aspirational, with voluntary steps companies could take "to get that gold star." A lot of focus has been on technical issues like standards and nomenclature, but more thought should go to nontechnical issues of personnel security and insider threats, Pace said. "Every traitor in prison had a security clearance." Viasat Government Systems Chief Technology Officer Phil Mar urged paying more attention to smaller, emerging space companies, where cybersecurity often is a last-minute concern.