US Space Force Starting Tests for Cybersecurity Initiative IA-Pre
In the coming months, the U.S. Space Force’s Space Systems Command (SSC) is to begin testing cybersecurity qualification of commercial satellite communication offerings (COMSATCOM) under the service’s Infrastructure Asset Pre-Approval Program (IA-Pre), SSC said last week.
“Our office will begin accepting IA-Pre applications for a limited number of assets to perform assessments,” Jared Reece, a program analyst in CSCO’s solutions branch, said in a May 26 statement. “IA-Pre’s roll-out signifies reaching another vital milestone for COMSATCOM mission assurance, and to counter near-peer adversaries’ cyberattacks that can negatively impact commercial satellites, which the U.S. military increasingly relies on for communications.”
While CSCO plans to give cybersecurity feedback over the summer to that small number of companies on their commercial satcom products, CSCO will begin the cybersecurity assessments in earnest this September. By September, 2025, CSCO wants to transition fully to IA-Pre.
The IA-Pre cybersecurity initiative “replaces a self-assessment process where commercial companies wanting to do business with DoD had previously submitted their required system information via a questionnaire,” SSC said. “The CSCO will then use this questionnaire for evaluation during the acquisition process. IA-Pre will supplant the CSCO Information Assurance Questionnaire (CIAQ) with newer requirements. It will ensure effective safeguards are applied and validated; and weaknesses are mitigated to reduce the cybersecurity risks which could impact DoD missions who use CSCO for services.”
IA-Pre may accelerate the acquisition process.
“If you’re a pre-approved [Space Force] supplier, you don’t require any additional evaluations when you’re making new submissions,” said Michael Wier, technical marketing engineer for cybersecurity at California-based Ingram Micro. “Your security posture score rides with each new submission. This means you have a much easier path to getting your submissions accepted than does a supplier who does not have that score.”
“A pre-authorized supplier has a much easier path to a contract,” he said. “That’s going to be really key, if you want to stay in this COMSATCOM business, and you’re a supplier, to get this done so you have a fast track in there. Those that still have to do project-by-project authorizations are probably going to be quite slow.”
The Pentagon Chief Information Officer and the National Security Agency (NSA) were to launch IA-Pre in January this year.
IA-Pre is to use third-party auditors certified by the Space Force Security Controls Assessor for the evaluation and cybersecurity scoring of satellites and end-to-end architectures.
“As industry progresses through the IA-Pre Program, the U.S. Space Force Authorizing Official (AO) will review their cybersecurity assessment results for approval,” SSC said on May 26. “CSCO will then place the industry partner and the assessed assets into an approved platform list. The industry partner will no longer require a cybersecurity evaluation prior to award of a contract for covered assets.”
CSCO said that it expects the first AO approvals next January and that “proposals for contracts will continue to be accepted using the CIAQ until that approach sunsets on/about September 2023.”
“At that time a rapid IA-Pre transition program will be put in its place for industry partners who have yet to achieve IA-Pre approval,” per CSCO. “Industry partners are encouraged to begin contacting CSCO for more information and to coordinate the next steps for transitioning to IA-Pre.”