Priya PatelTLDR:
- NASA has not issued mandatory security guidance for its spacecraft acquisition policies and standards.
- The agency uses optional best practices guides for cybersecurity requirements.
In a recent report, the Government Accountability Office (GAO) warned that while NASA has taken steps to enhance cyber requirements, it lacks enforceable cybersecurity rules for its spacecraft acquisition policies. While the agency released cybersecurity standards in 2019, it has not implemented mandatory security guidance for outside spacecraft purchases. Instead, NASA relies on optional best practices guides, such as a 2023 guide that outlines cybersecurity principles and controls. The GAO recommended that NASA develop an implementation plan with time frames to update its spacecraft acquisition policies to ensure essential cybersecurity controls are in place. NASA agreed with the recommendation but expressed concerns about the impact of transitioning traditional cybersecurity capabilities into space environments.
