During the first part of our discussion, we defined and explained CNSSP-12 and discussed how it has evolved and changed as it’s been reevaluated and refreshed over time to keep up with shifting threats. We also looked at how the policy has helped commercial satellite communications providers service the military more securely.

In part two of our discussion, Andrew shares his predictions for what the next iteration of CNSSP-12 will look like, discusses how it will impact the industry, and provides insights into how CNSSP-12 can shape space policy across the military in the very near future, thanks to the ongoing Wideband Satellite Analysis of Alternatives (AoA) being conducted by the Air Force.

Here is what Andrew had to say:

Government Satellite Report (GSR): The updated CNSSP-12 hasn’t been released yet, but can you tell us what changes you’re anticipating for commercial providers when the new, updated policy is revealed?

Andrew D’Uva: When the policy is released, I anticipate that we’ll see an increased focus from the government on verifying the security posture of these commercial solutions.

In the past, industry designed their systems and then – if they were going to play in the government and military market – they would go back and try to implement U.S. Government security requirements at a later stage. Now, they’re working to incorporate these things into these satellite systems at design time and maintain them throughout the system lifecycle. This shows industry is starting to think about security up front.

I anticipate that the new CNSSP-12 guidance will take advantage of that new attitude and incorporate much more information sharing between industry and government. This will ensure that the government is aware and informed about the steps that industry is taking to make their solutions reliable, robust, and secure.

This will lead government to require more security assurance systems in place for commercial satellite solutions, and more auditing. What I expect to see is much more focus on formalizing processes, taking a quality management approach, documenting things and making security part of the daily activities of managing these systems.

GSR: Will the CNSSP-12 refresh have any impact on the developing Wideband AoA and the USG’s ability to better harmonize commercial and military space architectures?

Andrew D’Uva: This is really an important question due to what is currently happening across the military in regard to satellite architectures. Up until now – in terms of SATCOM – the U.S. military has first relied on purpose-built satellites that they own and operate and looked to commercial meet excess demand. I’m talking about AEHF, WGS, and MUOS, which are used for different missions, including strategic nuclear command and control, tactical protected SATCOM, wideband SATCOM, and narrow-band, tactical SATCOM. All of those have performed well, and have their benefits and drawbacks.

Commercial wideband systems have been, until the recent introduction of managed services, largely transponded capacity where the Government’s focus was ensuring positive control of the commercial satellite bus, not necessarily the underlying communications services.

Looking forward, the government is trying to figure out if it makes sense to continue to use these siloes of purpose-built constellations and use commercial to fill in the rest, or, to what extent should commercial infrastructure solutions be part of meeting the baseline demand and integrated into an enduring architecture that spans both government and commercial capabilities.

Despite there being a two-decade track record of success in using commercial solutions securely, for the government to be really comfortable in advocating for an integrated architecture – which is supported by industry – they need to be confident in the level of security and mission assurance.

The security requirements like those in CNSSP-12, NIST cybersecurity framework and other cybersecurity guidance and policies will ensure that the SATCOM industry can continue to participate in an environment that is increasingly non-benign. The environment that we’re in and are moving into in the future is one in which our adversaries are seeking to do us harm through cyber effects. In this environment, the government needs to know that the security posture of wideband COMSATCOM systems is on par with purpose-built MILSATCOM systems.

I believe that many commercial systems are on par, but that’s not the perception of some military decision makers. I’ve had senior level defense decision makers tell me that MILSATCOM is held to a higher cybersecurity standard than COMSATCOM. However, COMSATCOM satellites are held to the same requirements contractually by DOD. A lot of government personnel don’t realize that – they think commercial is lesser than and not as secure as MILSATCOM. They don’t realize that COMSATCOM typically has secured locations, cleared personnel and high security standards. I’ve seen cases where once that’s understood, military leaders are willing to consider commercial solutions, including their unique benefits.

Since CNSSP-12 applies to both military and commercial satellites it should help military decision makers to adopt an enduring role in an integrated wideband SATCOM enterprise architecture for qualified COMSATCOM solutions.

Now, there are certain military SATCOM missions – such as nuclear command and control that are designed to work in a nuclear war environment – that requires a higher level of mission assurance than will ever be offered by commercial providers. Those special missions will always require costly, custom-built government satellites. But for most missions, COMSATCOM can fill that need if operators have implemented these security requirements. If some commercial offerors haven’t implemented them, those solutions may be fine for other commercial or government uses, but not for national security missions.

GSR: What does the COMSATCOM industry need from the military to make this a reality? How can the military incentivize the industry to incorporate CNSSP-12 requirements into their systems and service offerings?

Andrew D’Uva: The government needs to match its acquisition policy and practice to the policies that are levied. The government needs to move away from simply looking at the lowest priced solution as being the best solution. They first need to look at effectiveness and cyber security before looking at price. If there are participants in the acquisition process that don’t meet these security requirements, they need to be ruled out as not technically acceptable. Then the military can focus on competition among the multiple compliant suppliers.

That has not yet happened. There are many reasons, but they primarily have to do with the way that COMSATCOM typically has been funded. COMSATCOM is typically funded from Overseas Contingency Operations money, which is short-term money that is available to a Combatant Command and it’s not in the baseline DoD budget. Military purpose-built SATCOM programs, which are programs of record, don’t charge fees to the user when they’re utilized. This makes it seem that – from a user perspective – MILSATCOM is free while COMSATCOM costs money. The truth is that everything costs the taxpayer money.

So, it’s a function of how these budgeting processes work, and we need to fix that.

If you look at the FY18 NDAA, there is a section in there – Section 1601 – that assigns the Commander of Air Force Space Command as the DoD acquisition authority for COMSATCOM leases, in consultation with the DoD CIO. That is a major change and will be a very important one to watch in 2018.

For the very first time – when that change is done – the organization that builds the wideband SATCOM programs of record will be the same as the organization that has authority to lease COMSATCOM capacity.

In the past, DISA handled commercial leases and Space Command handled programs of record. The two sides never needed to make a budget or resource decision about how to best spend taxpayer dollars between those two acquisition approaches for SATCOM capabilities. But, a year from now, there will be one acquisition authority.

This will be the first time the DoD will be organizationally structured to make those decisions and spend the taxpayer’s money more effectively while still getting the resources and capabilities it needs. That also means that 2018 will be the first time that the government will be able to drive industry into participating in an integrated architecture. It’s a great opportunity for all of us to ensure the nation has the SATCOM capabilities it needs.

If you missed part one of our two-part conversation with Andrew D’Uva, click HERE to read it in its entirety.

The post Analyzing the Impact of the CNSSP-12 Refresh with Andrew D’Uva of Providence Access Company appeared first on SES Space and Defense.

One of the military’s largest concerns today involves the space domain. Space is increasingly congested and our adversaries are becoming increasingly capable of compromising and attacking our satellites. With many military IT capabilities, applications and services traveling over satellites, cybersecurity is becoming increasingly essential.

One of the policies that the government has put in place to ensure the security of the satellites the military is utilizing in-theater is Committee on National Security Systems Policy 12 (CNSSP-12). That policy is currently being reevaluated and refreshed, and new standards and requirements are scheduled to be released shortly.

To learn more about CNSSP-12, its history and its impact on the satellite industry, we sat down with Andrew D’Uva, the President of Providence Access Co. and the U.S. Industry Liaison on the Commercial Space Infosec Working Group (CSIWG), which is giving the satellite industry a voice in the CNSSP-12 refresh process.

During the first part of a two-part interview with Andrew, we define CNSSP-12, explore how it’s evolved over time, and how it helps the Commercial Satellite Communication or COMSATCOM industry serve the federal government. Here is what Andrew had to say:

Government Satellite Report (GSR): What is the CNSSP-12? Why is a review and update currently being done? What is the status of the CNSSP-12 review/update right now?

Andrew D’Uva: The CNSSP-12 is effectively the CNSS policy number twelve. It’s a formal policy of the CNSS, which is the Committee on National Security Systems – a U.S. government interagency committee comprised of the DOD, National Security Agency (NSA), Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), FBI, the branches of the military, and other national security-focused government agencies and entities.

The CNSS puts out policies and implementation guidance on a variety of information security issues by developing operating policies, procedures, guidelines, directives, instructions and standards. Issues can range from the use of cryptography, secure modes of communications and other security challenges facing the nation.

CNSS Policy 12 is the evolution of an earlier set of policies designed to apply to the cybersecurity of space systems used to support national security missions.

This policy isn’t new, although it periodically gets updated. In the past, it applied to the U.S. government at large. However, about ten years ago, it was updated to clarify that its requirements would apply to foreign and commercial systems used to support national security missions. That was the first time that the government said, “Here is a set of government requirements that apply to COMSATCOM operators and solution providers serving national security missions.”

In the past, COMSATCOM providers wouldn’t have to worry about a policy like this – they would just provide a commercial solution to the government. But the new, updated policy implied a number of cyber security requirements needed to be added to these systems due to their critical role in national security missions.

The policy was updated as part of a normal review process that is supposed to occur every few years. That review process is occurring again right now, with a new update anticipated to be released in early 2018. These updates and reviews are necessary because threats change, and the government’s approach to vulnerabilities has to change and evolve with them.

GSR: You mentioned that CNSSP-12 has been updated and changed over time. What has changed and what new requirements have been added?

Andrew D’Uva: CNSSP-12 levied a requirement in the past stating COMSATCOM systems that served national security missions would have to use what is called NSA-approved cryptography and cryptosystems to protect the satellite command uplink between the ground and satellite. That meant that satellite operators had to design, equip, and operate their satellites using a system that had been reviewed and approved by the NSA on their spacecraft that would apply an approved cryptographic system implementation to secure the commands between the ground and the satellites.

NSA-approved solutions protect the confidentiality and integrity of the commands, preventing third parties from seeing or altering commands in transit to the satellite. This was a requirement that applied to government systems in the past, but the CNSSP-12 policy effectively extended it to commercial systems.

As a result, almost all communications satellite companies that want to do business with the military have worked this into their satellites. It costs them more money and there’s more security involved, but it’s been largely accepted by industry. It has largely been a policy success for the government.

The policy change and update in 2012 involved a new requirement for securing the telemetry – the information traveling from the satellite to the ground regarding its health, safety and monitoring.

The update called for similar NSA-approved systems to be used to protect that information in the downlink direction. That has been slower to be adopted by industry because of a lack of available systems. However, we’re starting to see that get worked into COMSATCOM systems that are used for national security missions.

GSR: How does the CNSSP-12 enable commercial operators to better serve government needs?

Andrew D’Uva: Ultimately, all of these policies and policy changes are all about reliability and robustness. The government wants to use COMSATCOM and commercial imagery, but they want to be sure that those solutions are of high quality and available when needed. CNSSP-12 improved that resilience posture and made them more robust.

A satellite with these solutions – in contrast to one without them – is less vulnerable to being impacted by adversaries. With space becoming an increasingly contested environment, and with our adversaries recognizing the advantage that the U.S. military gains from its satellite infrastructure, this is an increasingly realistic concern for today and into the future.

GSR: How are the commercial operators participating in the CNSSP-12 refresh effort? How has this matured over time?

Andrew D’Uva: Up until this last refresh cycle, the government was the sole driver of the refresh activities. However, in the last refresh cycle, the government – specifically the NSA and DISA – established a working group called the Commercial Space Infosec Working Group (CSIWG), which was open to U.S. industry and designed to look at information security issues, including policy issues.

I serve as the U.S. Industry Liaison, and I lead the CSIWG with two other leaders from the NSA and DISA, respectively, along with a steering committee of industry executives. The CSIWG meets a couple of times a year at various sites, and – through the efforts of the NSA – they work to inform industry about the policy review process and get industry comments.

Through the CSIWG, industry leaders have authored a series of inputs and comments for the government. These comments specifically addressed the current policy, the role of commercial providers, the applicability of CNSSP-12 to commercial systems, as well as some technical issues with downlink telemetry and transmission security and how it is applied. The NSA then took these comments and inputs into the process for consideration.

The government hasn’t shared this revised CNSSP-12 yet with industry, but there are indications that some of that input was taken into account and worked into this guidance.

In part two of our two-part Q&A interview with Andrew D’Uva, he shares his predictions for what will change in the refreshed CNSSP-12, discusses how it will impact space policy for the military, and talks about the impact of CNSSP-12 on the SATCOM industry.

The post Demystifying the CNSSP-12 with Andrew D’Uva of Providence Access Company appeared first on SES Space and Defense.