See edit history of this section
Post feedback on this section
- 1. The Requirement
- 2. Rationale
- 3. Guidance
- 4. Small Projects
- 5. Resources
- 6. Lessons Learned
- 7. Software Assurance
1. Requirements
3.11.3 The project manager shall identify cybersecurity risks, along with their mitigations, in flight and ground software systems and plan the mitigations for these systems.
1.1 Notes
Project Protection Plans describe the program’s approach for planning and implementing the requirements for information, physical, personnel, industrial, and counterintelligence/counterterrorism security, and for security awareness/education requirements in accordance with NPR 1600.1, NASA Security Program Procedural Requirements, NPD 1600.2, the NASA Security Policy, NPD 2810.1, and NPR 2810.1. Include provisions in the plan to protect personnel, facilities, mission-essential infrastructure, and critical program information from potential threats and vulnerabilities that may be identified during the threat and vulnerability assessment process.
1.2 History
1.3 Applicability Across Classes
Class A B C D E F Applicable?
Key: - Applicable | - Not Applicable
2. Rationale
Software systems have the potential to provide an entry point for actors to abuse or exploit the asset in an unexpected manner. Identifying the threats and risks as well as the planned mitigations for them early in the project life cycle helps to increase the overall security and enhance the reliability of the system. See also Topic 8.10 - Facility Software Safety Considerations.
3. Guidance
3.1 Threat Assessment
For flight and ground software, the project manager should assist the program manager by providing program and project information needed by the Agency team and the Information System Security Officer (ISSO) who are performing a threat assessment and/or threat summary to ensure that software defects (design, code, implementation, operations, development process, ...) with security ramifications are included in the assessment/summary and mitigations are captured in the Project Protection Plan. 362 Threat summaries and protection plans are drafted as early in the formulation as possible to minimize the impact of any protection-related design requirements. The project manager reviews the Project Protection Plan to ensure that mitigations for software defects with security ramifications are included in the Project Protection Plan created per NPR 7120.5. This assistance may be in the form of providing a list of software elements (operating systems, software tools, libraries, …) and software security process/strategies (static analysis tools, vulnerability testing, …) that are being used. The Project Protection Plan (and other security related documents) may require security clearances to view.
Security requirements for the acquisition, development, integration, and modification of software systems are found in NPR 2810.1. Security of Information and Information Systems (see IT System Security Plan sections) Sources of potential software security risks include the output of a NIST FIPS-199 (Standards for Security Categorization of Federal Information and Information Systems) assessment for the program, the system security plan (see below), and the program’s risk assessment report available from the ISSO. For NASA users, the Software Security website accessible to NASA users via the NEN is another source for guidance. Documents from the Consultative Committee for Space Data Systems (CCSDS) include potential security threats and may also be useful sources for guidance. CCSDS documents regarding security threats against space missions note that software threats applicable to space and ground segments include mistakes made by “users, system operators, and programmers [that] could result in loss of data, loss of spacecraft control, unauthorized spacecraft control, or loss of mission” 472:
- “Users or administrators can install unauthorized or un-vetted software, which might contain bugs, viruses, spyware, or which might simply result in system instability.” 472
- “System operators might configure a system incorrectly resulting in security weaknesses.” 472
- “Programmers may introduce logic or implementation errors which could result in system vulnerabilities or instability.”
- “External threat agents might attempt to exploit a vulnerability to inject software or configuration changes.” 472
This SWE requirement is to be implemented as early as possible in the project life cycle so that mitigations (secure coding standards and development processes, static code analysis, penetration tests, encryption schemes…) can be built-in or established upfront. Per the schedule in Appendix I of NPR 7120.5 082, a preliminary version of the Project Protection Plan is due at System Definition Review (SDR)/Mission Definition Review (MDR), a baseline is due at Preliminary Design Review (PDR), and appropriate updates are due at Critical Design Review (CDR), System Integration Review (SIR), Operational Readiness Review (ORR), and Mission Readiness Review (MRR)/Flight Readiness Review (FRR). Annual updates to the Project Protection Plan are expected once the system is in operation to accommodate changes in the threat environment. Documents like the PPP and SSP may levy requirements on the software systems that have to be addressed by the software engineering.
Software Engineering should be aware that per NPR 7150.2 083, “Software defects with security ramifications include implementation bugs such as buffer overflows and design flaws such as inconsistent error handling.” Security-related defects fall into several categories such as memory safety (e.g., dangling pointers), race conditions, secure input and output handling (e.g., validating an input message length), improper exception handling, etc. Compromises to user authentication, access rights and privileges, data confidentiality, and data integrity also contribute to software systems that are not secure. When identifying security risks in software, be sure to account for all types of information and assets in the system that require protection as well as all the ways the identified information and assets can be accessed.
See also SWE-156 - Evaluate Systems for Security Risks, Topic 7.22 - Space Security: Best Practices Guide, SWE-159 - Verify and Validate Risk Mitigations, and Topic 8.04 - Additional Requirements Considerations for Use with Safety-Critical Software. SWE-191 - Software Regression Testing,
3.2 Project Protection Plan
Project Protection Plans 362 are classified as documents (Secret). NASA has developed a process to incrementally lower classification levels of relevant threat information to Secret and worked with project management teams to obtain clearances for their personnel at that level. Program/Project managers can also be read in at the Secret level for short periods to review Project Protection Plans.
The first step in developing a PPP is to extract the viable threats (which are commonly referred to as protection threats) from a civil space system's threat summary and categorize them according to the NASA Risk Matrix Standard Scale. Protection threats are defined as any natural or manmade event, accident, or system with the ability to exploit a susceptibility of any part of a space system resulting in the potential damage, degradation, destruction, or denial of service to the mission. The next step is to determine the vulnerabilities in a space system by fusing space system susceptibilities with protection threats, where Threat X Susceptibility = Vulnerability, and then recommend protection measures to alleviate the risks posed by the unmitigated vulnerabilities. This process is iterated between the SPWG and a mission's project management team between issuance of the baseline PPP and before each succeeding [key decision point (KDP)] until launch. After launch, the PPPs are updated annually to accommodate changes in the threat environment. The desired result is an enhanced space system survivability.” See also SWE-157 - Protect Against Unauthorized Access, SWE-210 - Detection of Adversarial Actions,
For more information on the contents of a PPP, a PPP outline 060 is available on the section of the Community of Practice for Mission Resilience and Protection accessible to NASA users from the NEN.
Consult threat and risk models and examples such as those provided on the software security page of the NEN.
(4) System Security Plans are not owned by engineering, but engineering has input into the SSP. The SSP definition is documented in NPR 2810.1, they address the threats and risks associated with the system.
3.3 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook:
3.4 Center Process Asset Libraries
SPAN - Software Processes Across NASA
SPAN contains links to Center managed Process Asset Libraries. Consult these Process Asset Libraries (PALs) for Center-specific guidance including processes, forms, checklists, training, and templates related to Software Development. See SPAN in the Software Engineering Community of NEN. Available to NASA only. https://nen.nasa.gov/web/software/wiki 197
See the following link(s) in SPAN for process assets from contributing Centers (NASA Only).
SPAN Links |
---|
4. Small Projects
No additional guidance is available for small projects.
5. Resources
5.1 References
- (SWEREF-060) NASA Engineering Network. Accessed September, 2016. Formerly Space Asset Protection, The NASA Engineering Network (NEN) is accessible only to NASA users.
- (SWEREF-064) NIST SP 800-27, Revision A.
- (SWEREF-065) NIST SP 800-64 Revision 2.
- (SWEREF-081) NPR 1600.1A, Office of Protective Services, Effective Date: August 12, 2013, Expiration Date: December 12, 2021
- (SWEREF-082) NPR 7120.5F, Office of the Chief Engineer, Effective Date: August 03, 2021, Expiration Date: August 03, 2026,
- (SWEREF-083) NPR 7150.2D, Effective Date: March 08, 2022, Expiration Date: March 08, 2027 https://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=7150&s=2D Contains link to full text copy in PDF format. Search for "SWEREF-083" for links to old NPR7150.2 copies.
- (SWEREF-087) NPD 1600.2E, Office of Protective Services, Effective Date: April 28, 2004, Expiration Date: May 28, 2022
- (SWEREF-197) Software Processes Across NASA (SPAN) web site in NEN SPAN is a compendium of Processes, Procedures, Job Aids, Examples and other recommended best practices.
- (SWEREF-273) NASA SP-2016-6105 Rev2,
- (SWEREF-361) NASA-STD-1006A, Approved 7/15/2022, PUBLIC: Upload Publicly Available Standard https://standards.nasa.gov/sites/default/files/standards/NASA/A/0/2022-07-15-NASA-STD-1006A-Approved.pdf
- (SWEREF-362) Mission Resilience and Protection key document, Available in NEN, Mission Resilience and Protection Community of Practice. Formerly "Space Asset Protection", Updated Jan 23, 2023
- (SWEREF-403) NPR 2810.1F, Office of the Chief Information Officer, Effective Date: January 03, 2022, Expiration Date: January 03, 2027,
- (SWEREF-470) NASA/SP-2014-3705, NASA, September, 2014.
- (SWEREF-472) Green Book, Issue 2, CCSDS 350.1-G-2, Consultative Committee for Space Data Systems (CCSDS), December 2015. From site: https://public.ccsds.org/publications/greenbooks.aspx.
- (SWEREF-473) Wilson, Tom, Space Commission Staff Member. Prepared for the Commission to Assess United States National Security Space Management and Organization.Retrieved 12:15 PM August 5, 2015 from http://fas.org/spp/eprint/article05.html.
- (SWEREF-589) Public Lessons Learned Entry: 8501.
- (SWEREF-590) Public Lessons Learned Entry: 1148.
- (SWEREF-591) Public Lessons Learned Entry: 1133.
5.2 Tools
NASA users find this in the Tools Library in the Software Processes Across NASA (SPAN) site of the Software Engineering Community in NEN.
The list is informational only and does not represent an “approved tool list”, nor does it represent an endorsement of any particular tool. The purpose is to provide examples of tools being used across the Agency and to help projects and centers decide what tools to consider.
6. Lessons Learned
6.1 NASA Lessons Learned
The NASA Lessons Learned database contains the following lessons learned related to software security:
- Verify That Test Equipment Cannot be Interrupted by Extraneous Computer Processes. Lesson Number 8501 589: ”Many computers used for specialized purposes in test facilities are general-purpose computers that may also be configured to perform office functions. Processes extraneous to flight system testing (e.g., code updates, scheduled file backups, e-mail downloads, and security scans) may occur intermittently on these units without user interaction or knowledge, particularly when they are connected to institutional networks. Should an extraneous process interrupt an active test, significant test time may be lost and the test article or support equipment may be damaged.”
- International Space Station (ISS) Program/Computer Hardware-Software/Downlink Encryption. Lesson Learned Number 1148 590: “NASA has taken positive steps for upgrading the security on the ISS uplink by adopting a more robust encryption scheme.”
- Computer Hardware-Software/International Space Station/Uplink Encryption. Lesson Learned Number 1133 591: “The recent compromising of the Data Encryption Standard (DES) suggests that the ISS command uplink may not be sufficiently protected.”
6.2 Other Lessons Learned
No other Lessons Learned have currently been identified for this requirement.
7. Software Assurance
7.1 Tasking for Software Assurance
1. Confirm that cybersecurity risks, along with their mitigations, are identified and managed.
Also, Software Assurance may need to review the PPP, SSP, and other products that affect the software system.
7.2 Software Assurance Products
None identified at this time.
Objective Evidence
- The project's risks list.
7.3 Metrics
- # of Risks identified in each life cycle phase (Open, Closed).
- # of Risks by Severity (e.g., red, yellow, green) over time.
- # of Risks with mitigation plans vs. total # of Risks.
- # of Risks trending up over time.
- # of Risks trending down over time.
- # of Cybersecurity Risks identified (Open, Closed, Severity).
- # of Cybersecurity Risks with Mitigations vs. # of Cybersecurity Risks identified.
- # of Cybersecurity mitigation implementations identified from the security vulnerabilities and security weaknesses
- # of Cybersecurity mitigation implementations identified with associated test procedures vs. # of Cybersecurity mitigation implementations identified
See also Topic 8.18 - SA Suggested Metrics.
7.4 Guidance
Assure that cybersecurity risks, along with their mitigations, are identified and managed. See the SA guidance on SWE-156 - Evaluate Systems for Security Risks.
See the guidance from section 3.0.
See also Topic 7.22 - Space Security: Best Practices Guide, and 8.04 - Additional Requirements Considerations for Use with Safety-Critical Software
7.5 Additional Guidance
Additional guidance related to this requirement may be found in the following materials in this Handbook: