The National Reconnaissance Office is attempting to lower barriers to entry for commercial satellite firms competing for NRO business, including through tiered cybersecurity requirements that don’t ask as much from companies, at least at first.
The tiered cybersecurity requirements are a feature of new contracts the NRO awarded last month to five companies under a Broad Agency Announcement the agency has just begun using to test out commercial capabilities, according to Pete Muend, the director of the NRO’s commercial systems program office.
“Cybersecurity is critically important to everything that the NRO does,” Muend said on Inside the IC.
“We did go out of our way to start at a fairly approachable level that the commercial providers would not be hard pressed to meet, but actually put those hooks in place to be able to accelerate and enhance their cybersecurity posture to better meet our needs in the future,” Muend said.
The cybersecurity of defense and intelligence contractors is a perpetual concern for agencies. The Defense Department initiated the Cybersecurity Maturity Model Certification program to address the problem, but the effort has been plagued by concerns about its costs driving businesses out of the defense industrial base.
Muend said the NRO uses “a number of tiers of cybersecurity trust.”
“It extends from a very low barrier to entry, something that we would call an ‘unverified provider’ that really is the bare minimum that a company would have to accomplish to really hold the federal government contract,” he said.
The tiered approach then moves to what NRO terms an “industrial standard provider,” Muend continued, “that more leverages a lot of the best of breed of U.S. government standards, from [National Institute of Standards and Technology] standards to the DoD CMMC posture.”
The higher levels are “what we would consider a secure provider that does leverage some formal authorization and accreditation for parts of their architecture,” Muend said.
The tiered framework is also featured in the NRO’s Electro-Optical Commercial Layer contract, which is currently under source selection. Muend said the tiers were developed in conjunction with the National Geospatial-Intelligence Agency.
Muend’s office is leading the NRO’s efforts to forge a closer relationship with the commercial satellite sector. The secretive spy satellite agency is looking to tap into a fast-growing commercial space market. The number of satellites circling the Earth grew by 37% to 3,371 in 2020, according to the Satellite Industry Association.
The first five awards under the NRO’s new BAA framework went to five synthetic aperture radar satellite companies: Airbus, U.S.; Capella Space; ICEYE, U.S.; PredaSAR; and Umbra.
While the NRO declined to confirm the next area of interest under the BAA, officials previously said the agency is also interested in hyper-spectral imaging, radio-frequency sensing and other remote sensing “phenomenologies” that come out of the commercial sector.
The five satellite radar firms are each on an initial six-month contract, with options to extend out to 30 months. The NRO will initially work with the companies on modeling and simulation data, before validating those performance assessments with actual on-orbit data, according to Muend.
If it’s found to be useful, the contracts also include the option for the NRO to begin purchasing imagery and other data, he said.
To start things off, the NRO also asked the companies to provide a concept-of-operations for how they would strengthen their cybersecurity approach over time.
“Because for us to take more and more advantage of these companies and the capabilities that they can bring to bear, the more trust we can have in their architecture, I think the more opportunities we’ll all have in the future,” Muend said.