Africa Flying

What President Biden’s second cybersecurity executive order means for the space economy


In the waning hours of the Biden administration, the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity was released. The order is a sweeping opus that covers a variety of topics from space cybersecurity to post-quantum cryptography. The use of artificial intelligence (AI) for cybersecurity applications featured heavily and signals continued federal government interest in AI implementation. Outside of some of the other significant issues raised in the new EO, there was one section that will grab the attention of a small but growing community, the section on space cybersecurity. That space cybersecurity was mentioned in this EO is significant on its own, not having had a major policy update since Space Policy Directive-5 and the 2020 National Space Policy. Executive orders published with just days left in any presidential administration look more symbolic than concrete because they are so easily repealed and have no time to be implemented. The possible tragedy of this EO for the space community is that space cybersecurity was lumped in with other piecemeal cybersecurity policy directives at a time of extreme political division. While space has traditionally been a nonpartisan issue, repealing the executive orders of one’s predecessor makes for good political sport. 

The space-specific items in this EO should have come out as a directive from the National Space Council to ensure their survival. Time will tell whether the EO survives President Trump’s first 100 days in office, but space leaders and incoming government officials alike should take a close look at the body of space cybersecurity policy relative to the threat and seize this opportunity to build resilience into the space economy. Regardless of how long the EO is federal policy, space cybersecurity is in need of attention in the areas outlined by the EO: communications, ground stations and, by extension, a space cybersecurity workforce.

What does the EO say about space?

A clear theme throughout the EO is the use of the Federal Acquisition Regulation (FAR) to drive adoption of cybersecurity standards through federal contract requirements. The section on space cybersecurity is no exception, as it gives a six-month deadline for a variety of federal agencies to recommend changes in cybersecurity requirements for space contracts to the FAR Council. While this requirement does not impose cybersecurity regulations directly on any private sector space company, it does put de facto requirements for cybersecurity on any company that contracts with the federal government. The bulk of the requirements surround the confidentiality of space communications. A malicious cyberattack against a spacecraft or habitation in the future would likely seek to disrupt communications in some way, which makes communications an enticing target. The specific communications requirements are:

encrypting commands to protect the confidentiality of communications;

ensuring commands are not modified in transit;

ensuring an authorized party is the source of commands; and

rejecting unauthorized command and control attempts.

The EO also mandates a study of ground stations that are owned, managed or operated by the Federal Civilian Executive Branch agencies. This study is to focus on whether each station is considered a major information system as defined by 44 U.S.C. 3505(c) — “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” The law goes on to stipulate that the heads of federal agencies must maintain an inventory of major information systems, which the new cybersecurity EO explicitly applies to space ground systems. 

While the EO and 44 U.S.C. 3505(c) apply to the federal government only, commercial space operators should expect to see the evolution of improved cybersecurity standards for ground stations. Federal agencies are directed under the EO to provide recommendations on improving security of ground stations within 120 days of the EO’s issuance. 

If the EO stays in place or if these provisions are retained, space operators and leaders should expect these items to turn into hard contract requirements. It is possible that the incoming administration may view these requirements as tantamount to regulation, putting their survival as official federal policy in doubt. However, few would argue with the need to secure communications and to detect unauthorized commands to orbiting craft or craft transiting cislunar space. With the Artemis 2 mission scheduled for 2026, having humans aboard spacecraft in cislunar space for the first time in 53 years will require infrastructure and the means to protect it. These provisions have the potential to cause a significant shift in the space cybersecurity landscape, one that has been building since Russia’s 2021 hack of satellite communications as it began its invasion of Ukraine.

While there are more systems to consider in cybersecurity measures beyond communications and ground stations, the community needs a place to start. SPD-5 provided foundational principles but not specific guidance. While this guidance needs to be further refined, it adds much-needed direction on where the industry can focus its cybersecurity efforts. Leaders in the space community should work to create a set of cybersecurity standards around the systems that support critical functions in space, and communications and ground stations are an excellent place to start. As cybersecurity efforts and requirements expand, operators should think about those systems most critical to sustained flight in low Earth orbit (LEO) and beyond for craft that include humans.

Building on Space Policy Directive-5

At the time of its release, SPD-5, which introduced a set of principles to guide the U.S. approach to the cybersecurity of space systems, incurred some criticism from observers pointing out that it was only a set of principles and had no enforcement mechanism. The updated 2020 National Space Policy also included cybersecurity as a major policy issue and that throughline carried into the Biden Administration with the 2021 publication of the Space Priorities Framework. Major space cybersecurity policy actions from the White House stalled after the Space Priorities Framework with the torch being passed to cabinet agencies concerned with space activities. The Department of Homeland Security published its space policy in 2022 while the Cybersecurity and Infrastructure Security Agency (CISA) published a list of cybersecurity recommendations for space operators in 2024. The DHS, CISA, and other space policies published in the intervening years all call out cybersecurity as a core component of their view of space and security and those policies are based on the principles of SPD-5. 

SPD-5 was a starting point, and the space provisions in the new cybersecurity EO are clearly operationalizing what began as a principles-based approach. Using the FAR to put specific contractual recommendations around the security of communications and ground stations gives more specificity to space operators as they continue to build and innovate. Much more granular guidance is required, but look for that guidance to come in the form of the recommendations to the FAR Council mandated 180 days from the issue of the order. 

Implications for the space critical infrastructure debate

Many in the commercial space community were disheartened by the omission of space from National Security Memorandum-22: Critical Infrastructure Security and Resilience. Some hoped that space would be designated as terrestrial critical infrastructure under the memorandum but were dismayed to find it left out entirely. The new cybersecurity EO makes a clear case that space systems play an important role in global critical infrastructure and communications resilience while the White House fact sheet makes explicit reference to Russia’s hack of satellite communications systems as it invaded Ukraine in 2021. This should be taken as a recognition of the importance of space functions to terrestrial activities, but also as a sign that the U.S. federal government is not ready to take action as strong or as permanent as a formal designation as critical infrastructure. It also highlights that federal government space policy is recognizing space activities and missions outside of LEO and taking steps to secure those activities the same as those in LEO. The launch of Artemis 2 is getting closer, and some kind of space-based infrastructure is going to be required to support this and future missions that carry human lives onboard. The EO takes the first step of mandating cybersecurity measures in communications and ground stations, but significantly more work is required to create an all-encompassing space infrastructure that supports space flight in cislunar and interplanetary space with humans onboard. 

What’s next

The first 100 days of the Trump administration will tell the tale of how the newest pieces of cybersecurity guidance will impact the space economy. The EO could well be repealed quickly, but several aspects of the EO outside of space make that decision less simple. The EO also calls for more action on the preparation for post-quantum cryptography and for better security around third party software vendors. Along with space, those issues are largely nonpartisan and have a chance of survival. If the space provisions at least survive the administration change, expect to see new cybersecurity provisions hit the FAR within 12 to 18 months. These requirements will impact those space companies doing business with the federal government but, given the federal government’s buying power in this area, there’s also significant potential to transform the industry standard for cybersecurity across the board. 

The National Space Council under the first Trump presidency was extremely active, publishing seven Space Policy Directives and a new National Space Policy. Space operators and leaders should expect the Trump National Space Council to produce more policy work than Biden and potentially look to include specific space cybersecurity guidance in a standalone space policy document rather than lumping it in with other cybersecurity policy directives in an EO. A broad cybersecurity EO was not the place for space cybersecurity guidance, but that doesn’t mean the guidance is bad. The federal government signaled what specific cybersecurity measures and systems it prioritizes for space systems and those priorities will not be limited to Biden Administration officials. Entities such as NASA, FAA, DOD, and DHS were at the table when this order was drafted and had input. These institutions will not completely turn over during the transition, so these requirements remain good guidelines for the space industry and are likely to be tweaked or built upon by a Trump National Space Council. 

A broader theme for the space economy in this EO is the need to adopt strong cybersecurity policies and develop a technical and non-technical cybersecurity workforce. The cybersecurity for space issue has been ongoing since 2021 and the growth in LEO launches and the restart of cislunar missions in 2026 demand a strong supporting infrastructure that must be secured. Cybersecurity is a key component of keeping secure the equipment, people, and missions that leave our world for orbit or for other worlds.

Actions for space leaders

The final cybersecurity EO of the Biden administration may have a short life, but it can still be a productive one. For leaders in the space economy, it gives more specificity to ongoing space cybersecurity requirements that advance the issue in an era where space systems are recognized as globally critical, and missions are expanding beyond our orbit. The critical infrastructure debate must be left for another day, but securing the infrastructure that will safeguard the humans on future spacecraft and enable bolder missions is a need that we can all agree on. In that pursuit, space leaders should take the following actions: 

Review existing federal government contracts for cybersecurity requirements. 

Review internal cybersecurity policies and compliance requirements.

Create a plan to build encryption and cybersecurity measures into communications capabilities.

Determine whether product offerings constitute essential infrastructure to enable space missions to and beyond LEO. 

Create a plan to bring more technical and non-technical cybersecurity talent into their workforce.

The Biden administration chose to provide space cybersecurity guidance in its final days, which is not how lasting policy is made. However, a more active National Space Council should be expected in the next four years, and space cybersecurity guidance is likely to become more specific whether in the form of this EO or a future Space Policy Directive. If we focus on the infrastructure that space missions will require and the security they will need, the space economy has the opportunity to build more resilience and enable more demand for space services and products. 

Nick Reese is the co-founder and COO of Frontier Foundry and an adjunct professor at the NYU Center for Global Affairs. He is the former Director of Emerging Technology Policy at the U.S. Department of Homeland Security where he led space policy efforts for the department and advised the White House on space policy issues.

SpaceNews is committed to publishing our community’s diverse perspectives. Whether you’re an academic, executive, engineer or even just a concerned citizen of the cosmos, send your arguments and viewpoints to opinion@spacenews.com to be considered for publication online or in our next magazine. The perspectives shared in these op-eds are solely those of the authors.


