Skip to main content

NASA Cybersecurity: Plan Needed to Update Spacecraft Acquisition Policies and Standards

GAO-24-106624 Published: May 01, 2024. Publicly Released: May 01, 2024.
Jump To:

Fast Facts

As cyber threats become more prevalent, so do threats to NASA's spacecraft—like the Orion Multi-Purpose Crew Vehicle. A cyberattack could lead to losing critical data, or possibly losing control of the spacecraft.

NASA issued a guide on space security in 2023 that includes principles and practices to help spacecraft development programs with cybersecurity. For example, one principle states a space system should protect against unauthorized access. However, the agency has not yet incorporated these practices into its spacecraft acquisition policies.

We recommended that NASA do so to ensure that spacecraft can resist cybersecurity threats.

Orion Multi-Purpose Crew Vehicle

Two workers on a lift next to the Orion Multi-Purpose Crew Vehicle inside a building.

Skip to Highlights

Highlights

What GAO Found

Spacecraft developed by the National Aeronautics and Space Administration (NASA) depend on software and IT, which, in turn, rely on cybersecurity to prevent, detect, and respond to potential cyber incidents. A cyber incident could result in loss of mission data, decreased lifespan or capability of space systems, or the loss of control of space vehicles. Cyber threats and technology change rapidly. In response, the federal government issues government-wide cybersecurity guidelines, such as the National Institute of Standards and Technology's Risk Management Framework.

Contracts for the selected NASA projects GAO reviewed required contractors to address cybersecurity, consistent with NASA standards. In 2019, NASA identified a set of cybersecurity requirements for spacecraft to address. For example, NASA requires spacecraft to protect positioning, navigation, and timing systems. The three spacecraft projects GAO reviewed—Gateway Power and Propulsion Element; Orion Multi-Purpose Crew Vehicle; and Spectro-Photometer for the History of the Universe, Epoch of Re-ionization and Ices Explorer—started development before 2019. Nevertheless, GAO found these contracts include requirements related to NASA's spacecraft cybersecurity standards. Contracts also required contractors to demonstrate requirements are met through testing.

Since the issuance of its 2019 cybersecurity requirements, NASA has considered, but not yet implemented, updates to its spacecraft acquisition policies and standards. In 2023, NASA issued a space best practices guide containing information on cybersecurity principles and controls, threat actor capabilities, and potential mitigation strategies, among other things. However, this guidance is optional for spacecraft programs. NASA officials explained that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is because of the length of time it takes to do so. GAO acknowledges that the standards-setting process can take time, but it is essential that NASA do so for practices that should be required. However, officials stated that they did not have an implementation plan and time frame to incorporate additional security controls into acquisition policies and standards. As a result, NASA risks inconsistent implementation of cybersecurity controls and lacks assurance that spacecraft have a layered and comprehensive defense against attacks.

Why GAO Did This Study

NASA's space development project portfolio includes 34 major projects, in which NASA plans to invest more than $83 billion. Spacecraft are operating in a heightened cyber threat environment with increased risks of attack and mission disruption. NASA has identified civil space events that demonstrate the need to better protect spacecraft against cyber threats.

GAO was asked to examine the cybersecurity requirements in NASA contracts for its spacecraft projects. This report assesses the extent to which NASA (1) incorporated cybersecurity in selected spacecraft contracts and (2) determined whether additional cybersecurity updates, if any, are needed to its acquisition policies and standards for spacecraft.

GAO reviewed NASA policies and standards regarding spacecraft cybersecurity. GAO selected a nongeneralizable sample of three spacecraft projects, chosen because they represent different NASA centers and development stages, and include at least one robotic and one human spaceflight project. For these three, GAO analyzed contracts and project documents. GAO also interviewed project and cybersecurity officials.

Recommendations

GAO recommends NASA develop a plan with time frames to update its spacecraft acquisition policies to include essential controls. NASA agreed to update its policies but did not agree to set a plan with dates to do so. Without a plan, GAO maintains it is unknown when implementation would occur. Accordingly, the recommendation remains valid.

Recommendations for Executive Action

Agency Affected Recommendation Status
National Aeronautics and Space Administration The NASA Administrator should ensure that the Chief Engineer, the Chief Information Officer, and the Principal Advisor for Enterprise Protection develop an implementation plan with time frames to update its spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats. (Recommendation 1)
Open
NASA partially concurred with the recommendation in the report. NASA agreed with the need to ensure continuous improvement of policies and standards to protect against cyber threats. However, NASA disagreed with the need to develop an implementation plan with time frames to update its spacecraft acquisition policies and standards against cyber threats, because existing policies and processes allow programs to select appropriate protection controls. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

GAO Contacts

William Russell
Director
Contracting and National Security Acquisitions

Kevin Walsh
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Acquisition policyAgency evaluationsBest practicesCybersecurityCyberspace threatsInformation securityInformation systemsRisk managementSoftwareSpace systemsSpace vehicles