Cross-Pollination: IoT Cybersecurity Labeling Rules and the US DoD CMMC for Space Components

The introduction of the Cybersecurity Maturity Model Certification (CMMC) in 2020 has undeniably engendered change in the cybersecurity risk posture of defense contractors and suppliers. Steve Summers of NI notes in his Military Embedded Systems article that previous justifications for lax cybersecurity practices such as “I’ve already secured this device. You don’t need to check this; you can’t access this device remotely” will no longer be valid in a world where more traditional, attributable attack vectors are no longer viable.

Summers goes on to cite landmark attacks such as Colonial Pipeline and Stuxnet, which showed that unauthorized access to computing hardware such as PLCs has catastrophic consequences. In the past few days, the Biden administration announced the U.S. Cyber Trust Mark Program, focused on “enhancing transparency and protection against cyber threats in the growing Internet of Things (“IoT”) device space.” This program is currently voluntary for manufacturers but poses an excellent opportunity to unify the supply chain around a common set of cybersecurity guidelines for manufacturing, testing, and integration.

The space and IoT industries are relatively stratified; most cross-pollination occurs among low-cost satellite manufacturers, such as universities and startups focused on lowering the cost of access to space. COTS components are prevalent in the ground segment, where computing hardware and antennas are shared with other manufacturers and operators. Many of these components, such as general-use processors, FPGAs, and SDRs, will continue to migrate into the space segment in the coming years. Ensuring that this hardware adheres to the guidelines of the US Cyber Trust Mark Program and the US DoD CMMC will reduce the headache for monitoring agencies such as the Cybersecurity and Infrastructure Security Agency, FCC, and NIST.