In our last post on the Government Satellite Report, we shared part one of a two-part conversation with Andrew D’Uva, the President of the Providence Access Company. During our discussion, we talked about the CNSSP-12, a cybersecurity policy that impacts military satellites and commercial satellites that are used for national security missions.
During the first part of our discussion, we defined and explained CNSSP-12 and discussed how it has evolved and changed as it’s been reevaluated and refreshed over time to keep up with shifting threats. We also looked at how the policy has helped commercial satellite communications providers service the military more securely.
In part two of our discussion, Andrew shares his predictions for what the next iteration of CNSSP-12 will look like, discusses how it will impact the industry, and provides insights into how CNSSP-12 can shape space policy across the military in the very near future, thanks to the ongoing Wideband Satellite Analysis of Alternatives (AoA) being conducted by the Air Force.
Here is what Andrew had to say:
Government Satellite Report (GSR): The updated CNSSP-12 hasn’t been released yet, but can you tell us what changes you’re anticipating for commercial providers when the new, updated policy is revealed?
Andrew D’Uva: When the policy is released, I anticipate that we’ll see an increased focus from the government on verifying the security posture of these commercial solutions.
In the past, industry designed their systems and then – if they were going to play in the government and military market – they would go back and try to implement U.S. Government security requirements at a later stage. Now, they’re working to incorporate these things into these satellite systems at design time and maintain them throughout the system lifecycle. This shows industry is starting to think about security up front.
I anticipate that the new CNSSP-12 guidance will take advantage of that new attitude and incorporate much more information sharing between industry and government. This will ensure that the government is aware and informed about the steps that industry is taking to make their solutions reliable, robust, and secure.
This will lead government to require more security assurance systems in place for commercial satellite solutions, and more auditing. What I expect to see is much more focus on formalizing processes, taking a quality management approach, documenting things and making security part of the daily activities of managing these systems.
GSR: Will the CNSSP-12 refresh have any impact on the developing Wideband AoA and the USG’s ability to better harmonize commercial and military space architectures?
Andrew D’Uva: This is really an important question due to what is currently happening across the military in regard to satellite architectures. Up until now – in terms of SATCOM – the U.S. military has first relied on purpose-built satellites that they own and operate and looked to commercial to meet excess demand. I’m talking about AEHF, WGS, and MUOS, which are used for different missions, including strategic nuclear command and control, tactical protected SATCOM, wideband SATCOM, and narrow-band, tactical SATCOM. All of those have performed well, and have their benefits and drawbacks.
Commercial wideband systems have been, until the recent introduction of managed services, largely transponded capacity where the Government’s focus was ensuring positive control of the commercial satellite bus, not necessarily the underlying communications services.
Looking forward, the government is trying to figure out if it makes sense to continue to use these siloes of purpose-built constellations and use commercial to fill in the rest, or to what extent commercial infrastructure solutions should be part of meeting the baseline demand and integrated into an enduring architecture that spans both government and commercial capabilities.
Despite there being a two-decade track record of success in using commercial solutions securely, for the government to be really comfortable in advocating for an integrated architecture – which is supported by industry – they need to be confident in the level of security and mission assurance.
The security requirements like those in CNSSP-12, NIST cybersecurity framework and other cybersecurity guidance and policies will ensure that the SATCOM industry can continue to participate in an environment that is increasingly non-benign. The environment that we’re in and are moving into in the future is one in which our adversaries are seeking to do us harm through cyber effects. In this environment, the government needs to know that the security posture of wideband COMSATCOM systems is on par with purpose-built MILSATCOM systems.
I believe that many commercial systems are on par, but that’s not the perception of some military decision makers. I’ve had senior level defense decision makers tell me that MILSATCOM is held to a higher cybersecurity standard than COMSATCOM. However, COMSATCOM satellites are held to the same requirements contractually by DOD. A lot of government personnel don’t realize that – they think commercial is lesser than and not as secure as MILSATCOM. They don’t realize that COMSATCOM typically has secured locations, cleared personnel and high security standards. I’ve seen cases where once that’s understood, military leaders are willing to consider commercial solutions, including their unique benefits.
Since CNSSP-12 applies to both military and commercial satellites, it should help military decision makers to adopt an enduring role in an integrated wideband SATCOM enterprise architecture for qualified COMSATCOM solutions.
Now, there are certain military SATCOM missions – such as nuclear command and control that are designed to work in a nuclear war environment – that require a higher level of mission assurance than will ever be offered by commercial providers. Those special missions will always require costly, custom-built government satellites. But for most missions, COMSATCOM can fill that need if operators have implemented these security requirements. If some commercial offerors haven’t implemented them, those solutions may be fine for other commercial or government uses, but not for national security missions.
GSR: What does the COMSATCOM industry need from the military to make this a reality? How can the military incentivize the industry to incorporate CNSSP-12 requirements into their systems and service offerings?
Andrew D’Uva: The government needs to match its acquisition policy and practice to the policies that are levied. The government needs to move away from simply looking at the lowest priced solution as being the best solution. They first need to look at effectiveness and cybersecurity before looking at price. If there are participants in the acquisition process that don’t meet these security requirements, they need to be ruled out as not technically acceptable. Then the military can focus on competition among the multiple compliant suppliers.
That has not yet happened. There are many reasons, but they primarily have to do with the way that COMSATCOM typically has been funded. COMSATCOM is typically funded from Overseas Contingency Operations money, which is short-term money that is available to a Combatant Command and it’s not in the baseline DoD budget. Military purpose-built SATCOM programs, which are programs of record, don’t charge fees to the user when they’re utilized. This makes it seem that – from a user perspective – MILSATCOM is free while COMSATCOM costs money. The truth is that everything costs the taxpayer money.
So, it’s a function of how these budgeting processes work, and we need to fix that.
If you look at the FY18 NDAA, there is a section in there – Section 1601 – that assigns the Commander of Air Force Space Command as the DoD acquisition authority for COMSATCOM leases, in consultation with the DoD CIO. That is a major change and will be a very important one to watch in 2018.
For the very first time – when that change is done – the organization that builds the wideband SATCOM programs of record will be the same as the organization that has authority to lease COMSATCOM capacity.
In the past, DISA handled commercial leases and Space Command handled programs of record. The two sides never needed to make a budget or resource decision about how to best spend taxpayer dollars between those two acquisition approaches for SATCOM capabilities. But, a year from now, there will be one acquisition authority.
This will be the first time the DoD will be organizationally structured to make those decisions and spend the taxpayer’s money more effectively while still getting the resources and capabilities it needs. That also means that 2018 will be the first time that the government will be able to drive industry into participating in an integrated architecture. It’s a great opportunity for all of us to ensure the nation has the SATCOM capabilities it needs.