Title page

Contents

Highlights 2

Letter 5

Background 7

System Requirements 8

Federal Cybersecurity Policy 8

Government-wide Cybersecurity Standards and Guidance 9

NASA Enterprise Protection Program 11

NASA Management of Space Flight and Information Technology Projects 11

Overview of Selected Spacecraft Projects 13

Prior GAO Work 16

Selected NASA Spacecraft Contracts Require Contractors to Address NASA's 2019 Cybersecurity-Related Requirements 17

NASA Has Considered but Not Implemented Further Cybersecurity Updates to Its Spacecraft Acquisition Policies and Standards 20

Conclusions 22

Recommendation for Executive Action 22

Agency Comments and Our Evaluation 22

Appendix I: Objectives, Scope, and Methodology 27

Appendix II: Comments from the National Aeronautics and Space Administration 30

Appendix III: GAO Contacts and Staff Acknowledgments 33

Table 1. Selected Projects GAO Reviewed Included Protection Requirements from Space System Protection Standard (NASA-STD-1006) 18

Table 2. NASA Projects Selected for Review 27

Figure 1. Steps of National Institute of Standards and Technology's (NIST) Risk Management Framework 10

Figure 2. Gateway Power and Propulsion Element 14

Figure 3. Orion Multi-Purpose Crew Vehicle 15

Figure 4. Spectro-Photometer for the History of the Universe, Epoch of Reionization and Ices Explorer 16