UTC
01
FUNCTION 05 FUNCTION 04 FUNCTION 03 FUNCTION 02 CONCEPT OF OPERATIONS FUNCTION 01
Function One
CONCEPT OF
OPERATIONS

Master Decomposition.

“The adversary suffers when you know your platform better than they ever can.”

You lead SCOR, Kestrel Orbital’s new Space Cybersecurity Operations and Resilience department, and today you drive the organization to understand its platform more deeply than the adversaries targeting it. Decomposition is the instrument you wield to make that understanding operational: every part of the platform named, placed inside one of four layers, anchored to its parent, and annotated so Security Operations, Satellite Operations, and Satellite Design & Engineering read the same platform the same way. The tree you build today feeds the asset management NIS2 requires, names the on-orbit and link segments Executive Order 14144’s command-and-control protections apply to, and produces elements the Space ISAC channel can share machine to machine.

MODULE ONE
01/56
00
DAY 1 · METEORSTORM and satellite control

DAY 1 START

Day one at Kestrel Orbital. SCOR’s first delivery starts with one task: decompose the telecommand path that keeps the satellite under control into shared enumerated elements, so Security Operations, Satellite Operations, and Satellite Design and Engineering can describe it the same way. Command and control is where Executive Order 14144 and the NIS2 Directive focus, so that is where your decomposition starts.

MODULE ONE
00/00
UTC
03

DAY 1

  • You will build Kestrel Orbital's new Space Cybersecurity Operations and Resilience (SCOR) department. Its mission is one unified view of the platform, context and enrichment together, shared by Security Operations, Satellite Operations, and Satellite Design & Engineering. You will give them one shared way to describe the command path of the platform, the scope Executive Order 14144 and the NIS2 Directive hold Kestrel Orbital to. You do not need to be the expert in each; your job is to build the team and give it a common language.
  • Today you decompose the telecommand path, the path that keeps the satellite under control, across the four layers from start to finish. That path is where the mandates focus, so it is where you start. You will leave able to name every part of it the same way, so all three departments can act on what you write. The model you use today already covers the environments Kestrel Orbital's business plan drives toward, maritime, aerial, and deep space, so nothing you name now needs renaming when those markets arrive.
  • Day 2 adds the threats to the command path you map today. Day 3 traces how an attacker would move against it, and what data you need to catch them. Day 4 turns that into the detections and response procedures the NIS2 reporting clocks assume. Day 5 builds the defenses that take options away from the attacker.
Day 1 Onboarding · Full Context

Day 1: METEORSTORM and Satellite Control

Welcome to your first week. Five days from now, you’re the person here who ties the Security Operations Center, the Satellite Operations Center, and Satellite Development & Engineering functions together. Right now those three departments don’t describe the platform the same way, and that’s the gap you are being trained to close. METEORSTORM is what makes the shared language work.

You are not the expert in everything, and you don’t need to be. No one person masters satellite RF engineering, flight dynamics, ground-segment networking, and detection engineering all at once. The Full Spectrum Space Cybersecurity Professional’s job is not to be the subject-matter expert for every topic. It is to convene the right people, build the cross-functional team, and give that team one shared language so each expert’s work connects to everyone else’s. You lead the transformation; the specialists supply the depth.

The five functions are your points of insertion. Decomposition, contextualized threat modeling, converged detection engineering, incident-response preparedness, and adversary management: at each one you bring the Security Operations Center, the Satellite Operations Center, and Satellite Development & Engineering to the same table and drive a concrete transformation no single department could deliver alone.

This is now policy, not just good practice. Recent U.S. and EU rules require coordinated cyber defense across the teams that build and operate space systems. Coordinating that defense across the three departments is precisely the Full Spectrum professional’s job.

Today is Day 1: METEORSTORM and satellite control. You work the data model: how to name any element on the platform so Security Operations, Satellite Operations, and Satellite Design & Engineering can all act on what you write. We’re focusing on the parts that keep the spacecraft listening to us. Get this wrong and we lose the bird; get this right and the rest of the week builds on solid ground.

The week ahead. Day 2 (Mod 02 · Contextualized Threat Modeling): you attach threats to the elements you decompose today. Day 3 (Mod 03 · Converged Detection Engineering): you enumerate the attack paths those threats enable and inventory the data and signals needed to detect each step. Day 4 (Mod 04 · Incident Response Preparedness): you turn yesterday’s paths and data sources into the signatures Security Operations will run, so IR knows exactly which playbook fires. Day 5 (Mod 05 · Adversary Management): you build the resilience measures that take options away from the adversary across Security Operations, Satellite Operations, and Satellite Design & Engineering.

Day-1 scope, plainly. METEORSTORM is tailored, so you decompose only what’s in scope and you can import an existing CONOPS rather than start from scratch. We’ll cover the four element types (PCE, SEG, SVC, AST) and walk a telecommand decomposition end-to-end. You’re not expected to memorize every element definition today. You’re expected to use the data model to maintain satellite control.

PCE-TE
Terrestrial
Terrestrial operational regime: ground-station facility with parabolic and phased-array antennas at dusk
PCE-AQ
Aquatic
Aquatic operational regime: downrange telemetry tracking vessel at sea with radar dome and satellite tracking antennas
PCE-AE
Aerial
Aerial operational regime: high-altitude long-endurance aircraft in the upper atmosphere with stratospheric horizon below
PCE-OR
Orbital
Orbital operational regime: LEO communications satellite over Earth at orbital sunset, solar arrays deployed
PCE-DS
Deep Space
Deep-space operational regime: cislunar or interplanetary probe with high-gain dish pointed back toward distant Earth
FULL SPECTRUM SPACE CYBERSECURITY PROFESSIONAL
Works across all five operational environments
Full Spectrum Space Cybersecurity Professional at a security-operations workstation with multiple screens showing live operational views of all five environments: terrestrial ground station, aquatic tracking vessel, aerial high-altitude platform, orbital satellite, and deep-space probe
MODULE ONE
03/56
00
L1 · Knowledge

Data Model

One standard data model for the whole of Kestrel Orbital's platform. Every part resolves to a single element in one of four layers (PCE, SEG, SVC, AST), so Security Operations, Satellite Operations, and Satellite Design & Engineering describe the same platform the same way. This is the context half of SCOR's mission, the structure everything else attaches to.

MODULE ONE
00/00
UTC
04
L1 · one vocabulary for Security Operations, Satellite Operations, and Satellite Design & Engineering

ONE VOCABULARY FOR THREE DEPARTMENTS

  • The three departments are not aligned. Security Operations, Satellite Operations, and Satellite Design & Engineering each name the same element on the spacecraft differently, so what one department knows does not carry cleanly to the other two.
  • METEORSTORM gives all three departments one controlled vocabulary. Every part of the platform is named by exactly one element, sorted into four layers: PCE, SEG, SVC, AST.
  • Today you start explaining the vocabulary to each department in terms of what it gets back: Security Operations writes detections that target an exact element, Satellite Operations uses the same names on console to know what’s degraded, and Satellite Design & Engineering routes patches against the same vocabulary. Three departments, one description, no translation loss.
L1 · Data Model Overview · Full Context

One Vocabulary for All Three Departments

Why this matters here. Right now if you ask Security Operations, Satellite Operations, and Satellite Design & Engineering to describe a single element on our spacecraft, you’ll get three different answers. That’s how enrichment gets lost between departments and how the bird ends up at risk because nobody’s holding the same picture. METEORSTORM fixes that by publishing one controlled vocabulary for naming elements on space platforms.

What you’ll do with it today. You put the four decomposition layers (PCE, SEG, SVC, AST) to work. Every part of our platform resolves to exactly one element in this vocabulary.

How the three departments use it. Security Operations uses the vocabulary to write detections that target an exact element. Satellite Operations uses it on console to know what’s degraded. Satellite Design & Engineering uses it to know what subsystem the patch goes against. Three departments, one description, no translation loss.

▷ THE FOUR DECOMPOSITION LAYERS
PCE PRIMARY CAPABILITY ENVIRONMENT LAYER

Operational zone in which a capability primarily exists or is exercised.

SEG SEGMENT LAYER

Service and asset enclaves that compose the system across environments.

SVC SERVICE LAYER

Functional planes that organize control and data responsibilities.

AST ASSET LAYER

Asset classes composing the system and its interfaces.

MODULE ONE
04/56
UTC
05
L1 · the two halves of the data model

TAXONOMY AND ONTOLOGY

  • Pick names from the published list (Taxonomic Element Nomenclature, TEN). It’s the controlled list of compliant names. Invent your own and you break the deal with Security Operations, Satellite Operations, and Satellite Design & Engineering.
  • Every element links up to its parent. Each element says “this lives inside that.” The chain ends at the environment the platform operates in (PCE).
  • These two rules are what you teach each department first, because together they let any enrichment element inherit all the context above it for free. You show Security Operations how to pivot from indicator to element to service to segment to environment in one query, and you show Satellite Operations and Satellite Design & Engineering how to read the same chain from their own ends of it.
L1 · The Two Halves of the Data Model

Two Rules Make the Vocabulary Usable

Rule one (taxonomy): pick names from the published list. The framework calls this the Taxonomic Element Nomenclature (TEN). Plain English: it’s the controlled list of compliant names. If you invent your own, you’ve broken the deal with Security Operations, Satellite Operations, and Satellite Design & Engineering.

Rule two (ontology): every element links up to its parent. The framework calls these Ontology Elements. Plain English: each element says “this lives inside that.” The chain ends at the environment the platform operates in.

Why both rules. Together they mean that any enrichment element you write inherits all the context above it for free. Security Operations pivots from an indicator to the element, to the service that element implements, to the segment that hosts it, to the environment the segment operates in, in one query. Satellite Operations and Satellite Design & Engineering read the same chain from different ends.

MODULE ONE
05/56
00
Layer 1 of 4 · the next group of elements

ENVIRONMENT LAYER

Where a space system operates: Terrestrial, Aquatic, Aerial, Orbital, and Deep Space. When a symptom appears, operations often cannot tell an environmental effect (space weather, atmospheric drag, radiation) from a cyber-physical adversary action. This layer is the enrichment that deconflicts the two, so a natural anomaly is not chased as an attack and an attack is not written off as weather.

MODULE ONE
00/00
UTC
11
L1 · the PCE decomposition layer

WHERE THE PLATFORM OPERATES

First layer, top of the chain. The Primary Capability Environment (PCE) records the environment our platform operates in. Every other layer points up to a PCE element, so getting this right matters because every downstream enrichment element inherits the context. The values you’ll see in the published taxonomy. Terrestrial, Aquatic, Aerial, Orbital, and Deep Space. For our satellite-control work today, two of these are in scope: Terrestrial (where the ground complex sits) and Orbital (where the bird flies). The others are reference for when you encounter the platforms that operate there. How the three departments use PCE. Security Operations inherits PCE context on every alert without re-deriving it. Satellite Operations reads PCE to know which regulatory regime and response posture applies. Satellite Design & Engineering reads it because the same hardware behaves differently on the ground than on orbit. With one shared PCE context, every alert, console call, and patch reads the same environment the same way, instead of three departments re-deriving it three different ways.

MODULE ONE
11/56
UTC
12
L1 · the PCE-TE taxonomic element

TERRESTRIAL

Definition. Surface-based operational zones on planetary bodies. This layer names the surface itself, the where. The ground stations, control centers, and other equipment that sit on it are named later, at the segment, service, and asset layers, not here.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
12/56
UTC
13
L1 · PCE-AQ taxonomic element

AQUATIC

Definition. Water-based operational zones, including but not limited to Earth’s maritime domains. This layer names the water itself, the where. The tracking ships, sea-launch platforms, and other equipment that operate on it are named later, at the segment, service, and asset layers, not here.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
13/56
UTC
14
L1 · PCE-AE taxonomic element

AERIAL

Definition. Atmospheric operational zones spanning lower, upper, and near-space regions. This layer names the air itself, the where. The balloons, drones, and high-altitude aircraft that fly in it are named later, at the segment, service, and asset layers, not here.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
14/56
UTC
15
L1 · the PCE-OR taxonomic element

ORBITAL

Definition. Operational zones within planetary or satellite orbits. This layer names the orbit itself, the where. The spacecraft and other equipment that operate there are named later, at the segment, service, and asset layers, not here.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
15/56
UTC
16
L1 · PCE-DS taxonomic element

DEEP SPACE

Definition. Operational zones beyond planetary orbital regimes. This layer names that region itself, the where. The deep-space probes, distant observatories, and other equipment that operate there are named later, at the segment, service, and asset layers, not here. A simple test: when no single planet or moon controls the path, you are in deep space.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
16/56
UTC
16
L1 · checkpoint · the environment layer

CHECKPOINT

Five questions on what the Primary Capability Environment layer adds: naming the environment the platform operates in, the context every other element inherits. Answer to confirm the section landed before you move on to the Segment layer.

MODULE ONE
16/56
00
Layer 2 of 4 · the next group of elements

SEGMENT LAYER

The platform's segments: Launch, Link, Ground, User, Aquatic, Low Altitude, High Altitude, Near Space, Space, and Deep Space.

MODULE ONE
00/00
UTC
17
L1 · the SEG decomposition layer

HOW THE PLATFORM IS DISTRIBUTED

Second layer, down from PCE. Adversaries don’t attack “the satellite”; they pick an enclave to operate against, like the link, the ground complex, the spacecraft bus, or the operator console. SEG records those enclaves so you can describe what you’re actually defending. For our satellite-control work today. Four SEG elements: Space (the bird), Link (the uplink/downlink), Ground (the command authority), User (the operator edge). Each one is a service-and-asset enclave bound to one or more PCE elements above. How the three departments use SEG. Security Operations scopes threat hunts to a SEG (“anything on the Link”). Satellite Operations holds the segmentation boundary. Satellite Design & Engineering owns the architecture decisions that put each asset inside the right enclave. The SEG boundary is the line your defenders hold.

MODULE ONE
17/56
UTC
18
L1 · SEG-LA taxonomic element

LAUNCH

Definition. Surface-based services and assets for primary launch operations. SEG-LA is the launch enclave: vehicle integration, propellant handling, range safety, launch control, and the surface-based procedures that take a payload from the ground to orbital insertion.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
18/56
UTC
19
L1 · the SEG-LI taxonomic element

LINK

Definition. Services and assets enabling platform communications across signal paths. SEG-LI names the link enclave, the service-and-asset package that carries telemetry, command, and mission product between the space, ground, and user segments. The link spans both the orbital (PCE-OR) and terrestrial (PCE-TE) regimes.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
19/56
UTC
20
L1 · the SEG-GR taxonomic element

GROUND

Definition. Surface-based services and assets for primary platform operations, serving as the primary locus of control plane activity. SEG-GR is the ground enclave that commands and configures the platform during operations, including the mission operations center, the network operations center, and the primary ground-station infrastructure.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
20/56
UTC
21
L1 · the SEG-US taxonomic element

USER

Definition. Services and assets for primary end-user operations. SEG-US is the end-user enclave: the customer-facing terminals, receivers, and applications that consume the mission product the platform delivers. Examples are direct-to-device terminals, GPS/GNSS receivers in vehicles and handsets, customer ground terminals for satellite broadband, and end-user applications that read the downlinked product. Per the framework, the user segment may also issue requests or commands back to other segments (for example, a user requesting an on-demand capture or a tasking change), but the enclave’s primary identity is end-user consumption, not platform operation.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
21/56
UTC
22
L1 · SEG-AQ taxonomic element

AQUATIC

Definition. Water-based services and assets for primary platform operations, not limited to Earth's maritime domains. SEG-AQ is the aquatic enclave that occupies a PCE-AQ regime: telemetry vessels, sea-launch platforms, undersea cables, and other water-based infrastructure the platform depends on.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
22/56
UTC
23
L1 · SEG-LO taxonomic element

LOW ALTITUDE

Definition. Aerial services and assets in the lower atmosphere. SEG-LO is the lower-atmosphere aerial enclave: drones, low-altitude relay aircraft, chase aircraft, and tethered platforms operating in the lower-atmosphere band. The framework defines the band relationally, not by absolute altitude.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
23/56
UTC
24
L1 · SEG-HI taxonomic element

HIGH ALTITUDE

Definition. Aerial services and assets above the lower atmosphere but below near space. SEG-HI is the upper-atmosphere aerial enclave: high-altitude balloons, long-endurance solar UAVs, and stratospheric observation aircraft operating above the lower atmosphere and below near space. The framework defines the band relationally, not by absolute altitude.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
24/56
UTC
25
L1 · SEG-NE taxonomic element

NEAR SPACE

Definition. Aerial services and assets above high altitude and below orbital regions. SEG-NE is the near-space aerial enclave: HAPS (high-altitude pseudo-satellites), persistent stratospheric relays, and suborbital sensor platforms operating above the upper atmosphere and below orbital regions. The framework defines the band relationally; above this band is PCE-OR territory.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
25/56
UTC
26
L1 · the SEG-SP taxonomic element

SPACE

Definition. Services and assets operating in planetary or satellite orbits. SEG-SP is the space enclave: spacecraft and on-orbit platforms executing the mission within the orbital regime. Per the framework, the space segment coincides with the Space Vehicle (SV).

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
26/56
UTC
27
L1 · SEG-DE taxonomic element

DEEP SPACE

Definition. Services and assets operating beyond planetary orbital regimes. Captures mission elements that live in interplanetary space, at Lagrange points, or beyond lunar orbit, where long communication latency and onboard autonomy dominate operations.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
27/56
UTC
00
L1 · checkpoint · the segment layer

CHECKPOINT

Five questions on the Segment layer: the enclaves the platform is distributed into and how each links up to its environment. Answer to confirm the section landed before you move on to the Service layer.

MODULE ONE
00/00
00
Layer 3 of 4 · the next group of elements

SERVICE LAYER

What runs on the platform: Control Plane, Data Plane, and Hybrid.

MODULE ONE
00/00
UTC
28
L1 · the SVC decomposition layer

WHAT THE PLATFORM DELIVERS

Third layer, down from SEG. Two enclaves tagged identically can still do completely different jobs. SVC records the function an enclave delivers, so you can say what’s actually at risk when something happens. Three values in the published taxonomy. Control Plane (the part that commands the platform). Data Plane (the part that moves mission product). Hybrid (services that do both, like Command and Data Handling). Services that span more than one segment set DISTRIBUTED to Y and list every participating SEG in PARENT, which is exactly the case for our cross-segment telecommand service. How the three departments use SVC. Security Operations writes detection rules at the SVC layer so the rule fires against the function, not the specific box (survives hardware refreshes). Satellite Operations writes the continuity plan at SVC (“telecommand authentication is offline, fall back to…”). Satellite Design & Engineering owns the SVC interface contract that every AST must implement.

MODULE ONE
28/56
UTC
29
L1 · the SVC-CP taxonomic element

CONTROL

Definition. Services for managing and orchestrating platform control functions. SVC-CP is the functional plane that moves command and platform state, distinct from SVC-DP which moves mission product. A control-plane service has PARENT = one or more segments and a DISTRIBUTED flag indicating whether it spans segments.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
29/56
UTC
30
L1 · the SVC-DP taxonomic element

DATA

Definition. Services for managing and orchestrating mission product functions. SVC-DP services move mission product, imagery, ephemeris, sensor outputs, and downstream data deliveries, distinct from SVC-CP services that manage command and platform state.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
30/56
UTC
31
L1 · the SVC-HY taxonomic element

HYBRID

Definition. Services integrating both control and data plane functionalities. SVC-HY services combine command (control plane) and mission product (data plane) functions in a single operational stack, such as the spacecraft Command and Data Handling subsystem (C&DH).

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
31/56
UTC
00
L1 · checkpoint · the service layer

CHECKPOINT

Five questions on the Service layer: the function each enclave delivers and how services link up to segments. Answer to confirm the section landed before you move on to the Asset layer.

MODULE ONE
00/00
00
Layer 4 of 4 · the next group of elements

ASSET LAYER

The individual parts: Hardware, Firmware, Software, Data, Signal, and Hybrid.

MODULE ONE
00/00
UTC
32
L1 · the AST decomposition layer

PLATFORM ASSETS

Fourth layer, bottom of the chain. Enrichment that names a service or a segment can’t be acted on by the people who actually patch, monitor, replace, or quarantine. Satellite Design & Engineering doesn’t patch “the control plane,” they patch a specific firmware image on a specific box at a specific site. AST is where the work happens. Six values in the published taxonomy. Hardware, Firmware, Software, Data, Signal, and Hybrid. Each AST element takes one or more SVC parents and an optional SUBSYSTEM tag (one physical asset often serves several services on space platforms). How the three departments use AST. Security Operations targets its work at specific AST instances rather than at abstract services. Satellite Operations logs incidents at AST resolution (“HSM #3 in the user segment is offline”). Satellite Design & Engineering owns the asset inventory, the patch pipeline, and the vulnerability management work at this layer. AST is where your three departments converge.

MODULE ONE
32/56
UTC
33
L1 · the AST-HW taxonomic element

HARDWARE

Definition. Physical hardware assets supporting platform operations. AST-HW assets are tangible parts of the platform that can be inventoried, photographed, and physically touched: antennas, consoles, on-board computers, sensors, actuators, power chains.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
33/56
UTC
34
L1 · the AST-FW taxonomic element

FIRMWARE

Definition. Embedded control code governing hardware functions. AST-FW assets are low-level code that ships with hardware, runs at boot, and lives below the operating system: bootloaders, microcontroller firmware, FPGA bitstreams, signed boot ROMs.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
34/56
UTC
35
L1 · the AST-SW taxonomic element

SOFTWARE

Definition. Applications and logic executing operational tasks. AST-SW assets are higher-level code that runs above firmware: applications, services, operating system software, container images, microservices, and other logic the platform depends on.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
35/56
UTC
36
L1 · the AST-DA taxonomic element

DATA

Definition. Information generated, processed, or consumed by the platform. Data is an AST element type in its own right. Mission product, configuration, key material, and ephemeris all enumerate alongside hardware and software.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
36/56
UTC
37
L1 · the AST-SI taxonomic element

SIGNAL

Definition. Communication channels and transmission frequencies. AST-SI assets are the carrier signals, waveforms, and frequency allocations the platform uses to move command and data, including telecommand uplinks, telemetry downlinks, mission-data carriers, and inter-satellite links.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
37/56
UTC
38
L1 · AST-HY taxonomic element

HYBRID

Definition. Composite elements combining multiple asset types. AST-HY assets are sealed appliances or integrated subsystems where hardware, firmware, and software are delivered as one unit and cannot be cleanly separated for inventory: programmable cryptographic appliances, integrated avionics packages, vendor-delivered turnkey subsystems.

Recorded the standard way. This element is named from the published taxonomy and slotted into the layer chain as a machine-readable identifier, so tools can query, correlate, and automate across all three departments instead of anyone re-translating by hand.

MODULE ONE
38/56
UTC
00
L1 · checkpoint · the asset layer

CHECKPOINT

Five questions on the Asset layer: the concrete elements that implement each service and how they link up. Answer to confirm the section landed before you move on to naming and enumeration.

MODULE ONE
00/00
00
L2 · Knowledge

Read and apply the data model

One standard taxonomy (how every element is named) and ontology (how each element links to the layer above), so the same element reads the same way to every department.

At Kestrel Orbital this is now working practice, not a proposal. Satellite Operations and Satellite Design & Engineering enumerated the platform together, and all three departments now name every element and link it upward by the same rules: the five fields every element carries, the two written forms it is cited in, and the parent chain that connects each asset to its service, segment, and environment.

MODULE ONE
00/00
UTC
07
L2 · the TEN form you read from the published taxonomy

READ THE DATA MODEL

Reading the data model means reading an element’s published type name, its Taxonomic Element Nomenclature (TEN). The framework writes it; you look it up and never invent it.

  • A TEN is written LAYER-TAG-LABEL-Definition. Example: PCE-OR-Orbital-Operational zones within planetary or satellite orbits.
  • A TEN names a category of element, not one specific thing, and carries the framework’s canonical Definition for that category. That Definition reads the same on every platform.
  • Every TEN is published in the controlled vocabulary. Class-level talk (“every SVC-CP is in scope”) uses the TEN. To name one real instance on your platform, you move to the ETEN on the next slide.
L2 · Read the Data Model · The TEN Form

The Taxonomic Element Nomenclature (TEN)

TEN is the published type name. Four hyphen-delimited fields: LAYER-TAG-LABEL-Definition. Example: PCE-OR-Orbital-Operational zones within planetary or satellite orbits. It names the orbital regime as a category, and the Definition is the framework’s canonical text, identical on every platform.

You read it, you do not invent it. Every TEN comes from the framework’s controlled vocabulary. When the three departments talk at the class level (“every SVC-CP service is in scope for command-link integrity”), they cite the TEN.

Next: applying it. To name one specific instance on the platform you operate, you produce its ETEN, the enumerated form, on the next slide.

MODULE ONE
07/56
UTC
08
A2 · the ETEN you produce when you enumerate

APPLY THE DATA MODEL

Applying the data model means producing an element’s Enumerated Taxonomic Element Nomenclature (ETEN): the five-field form that names one specific instance on the platform you operate. Your department writes it by walking the enumeration procedure once per in-scope element.

  • An ETEN is written LAYER:TAG:LABEL:ORDINAL:Description. Example: PCE:OR:Orbital:00:The orbital regime in which the Space Vehicle operates.
  • LAYER, TAG, and LABEL come straight from the published TEN. You add the two-digit ORDINAL (00, 01, 02) that tells instances apart and the per-instance Description that scopes this exact item.
  • TEN is what the framework gives you; ETEN is what you output. Anything that names a specific instance on the platform you operate is cited as an ETEN, on tickets, diagrams, and detections alike.
A2 · Apply the Data Model · The ETEN Form

The Enumerated Taxonomic Element Nomenclature (ETEN)

ETEN is the output of the enumeration you run on your platform. Five colon-delimited fields: LAYER:TAG:LABEL:ORDINAL:Description. Example: PCE:OR:Orbital:00:The orbital regime in which the Space Vehicle operates.

You produce it field by field. Take LAYER, TAG, and LABEL from the published TEN; add the two-digit ORDINAL for the specific instance and write the per-instance Description during the enumeration procedure.

The rule of thumb. TEN is what the framework gives you. ETEN is what you produce. Class-level references use the TEN; anything that names a specific instance on the platform you operate uses the ETEN.

MODULE ONE
08/56
00
A2 / S1 · Skill / Task

CONOPS Review

The mandates set your scope: Executive Order 14144’s protections attach to command and control of the space system, and the NIS2 Directive binds the ground infrastructure that carries it. The telecommand path is now decomposed end to end, from the operator console to the spacecraft, every element enumerated across the four layers. Review the CONOPS below before Day 2.

MODULE ONE
00/00
UTC
39
A1 · A2 · S1 · the telecommand CONOPS is enumerated, now review it for presentation

CONOPS TELECOMMAND

The decomposition is complete. Across Day 1, Kestrel Orbital’s three departments, the Security Operations Center, the Satellite Operations Center, and Satellite Development and Engineering, enumerated the telecommand path together: the command-and-control scope Executive Order 14144 and the NIS2 Directive hold the organization to. What you review now. For each layer (PCE → SEG → SVC → AST), the procedure the departments followed and the in-scope elements they produced, so you can confirm the work and prepare it for presentation. The deliverable. Two PCE elements, four SEG elements, twenty-three SVC elements, and twenty-five AST elements: fifty-four ETENs in canonical form, every parent link populated, one shared vocabulary all three departments can act on, ready to present and carry into Day 2.

▷ ENUMERATION · COMPLETE
L1 ✓
The four decomposition layers, the controlled vocabulary, and how each element links to the layer above, now shared across all three departments.
L2 ✓
The canonical five-field form LAYER:TAG:LABEL:ORDINAL:Description that every enumerated element carries.
Knowledge work complete: closed notebooks and a finished cup of coffee on a dark workspace desk at dusk, faded whiteboard diagrams of nested layer rings in the background, dimmed monitors, sense of focused study concluded before the hands-on phase begins
▷ REVIEW & PRESENT · NOW
A1 →
Confirm the telecommand path decomposes cleanly, PCE through AST, so each child names its parent.
A2 →
Confirm each in-scope element carries both forms: TEN (hyphenated) and ETEN (colon-delimited with description).
S1 →
Present one shared CONOPS: 54 ETENs, every parent link populated, that all three departments can act on.
Hands-on work starting now: an analyst's hands hover above a mechanical keyboard at a workstation, two curved monitors show empty structured-form templates ready to be filled, cyan task lighting on the desk, amber ambient lighting from the room, sense of focused energy at the moment enumeration work begins
MODULE ONE
39/56
UTC
40
A1 · reviewing the enumerated PCE layer

CONCEPT OF OPERATIONS · ENVIRONMENT

Whose input. Satellite Operations and Satellite Design and Engineering set the scope with the Security Operations Center: the command-and-control mission Executive Order 14144 and the NIS2 Directive hold Kestrel Orbital to, which on the telecommand path spans two environments, Terrestrial and Orbital. Output. One ETEN of the form PCE:TAG:LABEL:ORDINAL:Description per environment in scope. Five steps, fixed order. Set LAYER (always PCE). Set TAG (published two-letter code). Set LABEL (published English name). Set ORDINAL (00 for the first instance). Write the per-instance Description. Constraints. PCE elements have no PARENT; only what is in scope was enumerated. Review. Confirm each field follows the procedure before presenting the environments; because every department reads the same five-field form, no one has to re-translate it.

01
Enumerate the LAYER
LAYER = PCE (fixed; identifies this as a Primary Capability Environment element).
02
Select the TAG
One of TE, AQ, AE, OR, DS, matching the operating environment in which this instance of the platform exists or is exercised.
03
Enumerate the LABEL
The label from the taxonomy for the selected element: Terrestrial (TE), Aquatic (AQ), Aerial (AE), Orbital (OR), or Deep Space (DS).
04
Assign an ORDINAL NUMBER
Two-digit number starting at 00; increment for each additional instance of the same element. Two terrestrial sites become PCE:TE:Terrestrial:00 and PCE:TE:Terrestrial:01.
05
Write the DESCRIPTION
Human-readable name and scoping detail for this instance. Include geographic location, operational role, regulatory jurisdiction, redundancy posture, or any context downstream segments, services, assets, and analytic elements will need to reason about this environment.
Repeat for the next primary capability environment instance. When no more remain, the PCE layer is fully enumerated.
MODULE ONE
40/56
41
A1 · PCE elements enumerated for the telecommand example

ENVIRONMENTS

  • Telecommand starts at a ground operator and ends at a spacecraft. Two physical regimes are in play. Aquatic, aerial, and deep-space are out of scope for this example. We’d enumerate them only if the platform actually operated there.
  • Five PCE tags exist in the framework (TE, AQ, AE, OR, DS). We don’t invent. TE applies because the operator and ground systems are terrestrial. OR applies because the spacecraft is in orbit. That gives us two PCE elements to enumerate.
  • One Continental US ground footprint → PCE:TE:Terrestrial:00. One orbiting spacecraft → PCE:OR:Orbital:00. ORDINAL = 00 because each is the first (and only) of its kind in this scope. A second ground site would have been 01. Descriptions anchor the generic vocabulary to this specific platform.
A1 · PCE Enumeration Walkthrough for Telecommand

How the Two PCE Elements Were Decided

Scope first. The PCE layer answers “where does the platform physically operate?” For the telecommand example, we look at what telecommand actually touches: a ground operator pushing commands from a console in the continental US, and a spacecraft in orbit receiving and executing them. Two physical regimes, not five.

Why aquatic, aerial, and deep-space drop out. The published PCE vocabulary lists five regimes so the same framework can describe any space platform. For this specific platform’s telecommand path, the tracking vessel, aerial platform, and deep-space probe regimes aren’t in play. The tailoring rule says we enumerate only what’s in scope.

Pick from the published list. The two-letter TAG values are framework-published (TE, AQ, AE, OR, DS). We select TE for the terrestrial ground footprint and OR for the orbital regime. The TAG is never invented; if a regime doesn’t map to a published value, the framework hasn’t covered it yet and the gap is a framework-level discussion, not a per-department decision.

Ordinal 00 for the first (and only) instance. ORDINAL is a per-instance counter starting at 00. One ground footprint and one spacecraft means each PCE element is the first of its kind in this scope, so both take 00. If we later added a second ground site, it would become PCE:TE:Terrestrial:01 with its own description.

Description anchors the generic to the specific. The LABEL stays generic (“Terrestrial”) so the element remains comparable across platforms. The DESCRIPTION is per-instance, “Continental US surface operational regime where the platform ground stations, mission operations centers, and launch facilities are located”, and is what later defenders read when they need to know what this specific PCE actually is.

These two ETENs are the root of the decomposition. Every SEG you enumerate next will name one (or both, for the cross-environment link) as its PARENT. Every SVC under those SEGs and every AST under those SVCs ultimately traces back to one of these two PCEs. PCE is the only layer with no PARENT, these elements are the anchors.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
PCE-TE PCE:TE:Terrestrial:00:Continental US surface operational regime where the platform ground stations, mission operations centers, and launch facilities are located.
PCE-OR PCE:OR:Orbital:00:The orbital regime in which the Space Vehicle operates and executes uplinked commands.
In scope2 PCE elements
MODULE ONE
41/56
UTC
42
A1 · reviewing the enumerated SEG layer

CONCEPT OF OPERATIONS · SEGMENTS

Whose input. The environments are already enumerated. With the Security Operations Center, the two build-and-operate departments scoped the enclaves on the telecommand path: four segments, Space and Link (the segments EO 14144 covers at minimum) and Ground and User (the ground-based infrastructure NIS2 binds). Output. One ETEN of the form SEG:TAG:LABEL:ORDINAL:Description per enclave. Six steps, fixed order. Set LAYER (always SEG). Set TAG. Set LABEL. Set ORDINAL. Write Description. Set PARENT to one or more PCE ETENs. Constraints. Every SEG element names at least one PCE in PARENT; existing segment diagrams were imported and tagged rather than redrawn. Review. Confirm each segment links up to its environment before presenting; the shared vocabulary is what lets all three departments read the same enclave the same way.

01
Enumerate the LAYER
LAYER = SEG (fixed; identifies this as a Segment element).
02
Select the TAG
One of LA, LI, GR, US, AQ, LO, HI, NE, SP, DE, matching the segment role this instance plays in the mission architecture.
03
Enumerate the LABEL
The label from the taxonomy for the selected element: Launch (LA), Link (LI), Ground (GR), User (US), Aquatic (AQ), Low Altitude (LO), High Altitude (HI), Near Space (NE), Space (SP), or Deep Space (DE).
04
Assign an ORDINAL NUMBER
Two-digit number starting at 00; increment for each additional instance of the same element. Primary and backup ground segments become SEG:GR:Ground:00 and SEG:GR:Ground:01.
05
Enumerate the PARENT
The PCE instance(s) this segment operates within, drawn from PCE elements already enumerated (for example, PCE:TE:Terrestrial:00). Multiple parents are enumerated as a comma-separated list when the segment spans environments.
06
Write the DESCRIPTION
Human-readable name for the segment's role, the site or region it is housed at, redundancy posture, interfaces it exposes to other segments, and any operational context downstream services and assets will need.
Repeat for the next segment instance. When no more remain, the SEG layer is fully enumerated.
MODULE ONE
42/56
43
A1 · SEG elements enumerated for the telecommand example

SEGMENTS

  • Telecommand crosses four operational enclaves: an operator console (User), the ground mission-ops authority (Ground), the RF/optical uplink (Link), and the spacecraft executing the command (Space). Four enclaves on the path; four SEG elements to enumerate.
  • Ten SEG tags exist in the framework (LA, LI, GR, US, AQ, LO, HI, NE, SP, DE). We don’t invent. Four apply: SP, LI, GR, US. Launch, aquatic, low/high altitude, near-space, and deep-space don’t touch this telecommand path.
  • Each SEG element takes ORDINAL = 00 and names its PCE parent. SEG:SP:Space:00PCE:OR. SEG:GR:Ground:00 and SEG:US:User:00PCE:TE. SEG:LI:Link:00 spans both physical regimes, so it lists two parents, PCE:OR + PCE:TE, the first cross-environment link in the decomposition.
A1 · SEG Enumeration Walkthrough for Telecommand

How the Four SEG Elements Were Decided

Trace the command path first. The SEG layer answers “what operational enclave is doing the work?” For telecommand we follow the actual flow: an operator originates a command at a console (User), it’s authorized and prepared by mission operations on the Ground, transmitted over the Link as an RF or optical signal, and executed by the spacecraft in Space. Four enclaves on the path; four SEG elements.

Why the other six SEG tags drop out. The published vocabulary lists ten enclave types so the same framework covers any space platform. LA (Launch) doesn’t apply once the platform is operational. AQ, LO, HI, NE, DE are physical regimes the telecommand path doesn’t cross. Tailoring rule: enumerate only what’s in scope.

Pick from the published list. The two-letter TAG values are framework-published. SP for the space-segment enclave on orbit. GR for the ground-segment enclave hosting mission operations. US for the user-segment enclave at the operator console. LI for the link-segment enclave that carries the signal. Never invented.

Ordinal 00 for each first instance. One ground site, one space vehicle, one link, one console, each takes 00. A second ground station would have been SEG:GR:Ground:01 with its own description.

PARENT links to PCE. SEG elements name their PCE parent. SP sits in orbit, parent is PCE:OR:Orbital:00. GR and US sit on the surface, parent is PCE:TE:Terrestrial:00. LI is the special case, the signal physically crosses both regimes, so its PARENT is the comma-separated pair PCE:OR:Orbital:00, PCE:TE:Terrestrial:00. This is the framework’s mechanism for cross-environment elements.

Output: four SEG ETENs that anchor the next layer. Every SVC you enumerate next will name one or more of these four SEGs as its PARENT. The four-enclave shape is the ontology every later service and asset links up to for this telecommand example.

ElementLinks toFull ETEN
SEG-SP → PCE:OR:Orbital:00 SEG:SP:Space:00:Space-segment enclave: platform and payload subsystems on orbit.
SEG-LI → PCE:OR + PCE:TE SEG:LI:Link:00:Link-segment enclave: the RF/optical signal path between Space and Ground.
SEG-GR → PCE:TE:Terrestrial:00 SEG:GR:Ground:00:Ground-segment enclave: mission operations, command authority, cryptography, launch control.
SEG-US → PCE:TE:Terrestrial:00 SEG:US:User:00:User-segment enclave: operator consoles and end-user applications that consume mission product and originate commands.
In scope4 SEG elements
MODULE ONE
43/56
UTC
44
A1 · reviewing the enumerated SVC layer

CONCEPT OF OPERATIONS · SERVICES

Whose input. The segments are already enumerated. Satellite Operations named the services it runs and Satellite Design and Engineering the services it built: on the telecommand path, the twenty-three services that authorize, encrypt, carry, and execute commands, including the cryptography and command-acceptance (ACA) services the mandates’ duties land on. Output. One ETEN of the form SVC:TAG:LABEL:ORDINAL:Description per service. Seven steps, fixed order. Set LAYER (always SVC). Set TAG. Set LABEL. Set ORDINAL. Write Description. Set PARENT to one or more SEG ETENs. Set DISTRIBUTED to Y if cross-segment, otherwise N. Constraints. Cross-segment services list every participating SEG in PARENT and stay one service element, not duplicates. Review. Confirm the function each service delivers before presenting; naming the function, not the box, is what lets the Security Operations Center write detections that survive a hardware refresh.

01
Enumerate the LAYER
LAYER = SVC (fixed; identifies this as a Service element).
02
Select the TAG
One of CP (Control Plane), DP (Data Plane), or HY (Hybrid), matching the functional capability this service delivers.
03
Enumerate the LABEL
The label from the taxonomy for the selected element: Control Plane (CP), Data Plane (DP), or Hybrid (HY).
04
Assign an ORDINAL NUMBER
Two-digit number starting at 00; increment for each additional instance of the same element.
05
Enumerate the PARENT
The SEG instance(s) that host this service. A service spanning multiple segments lists every participating segment as a comma-separated PARENT (for example, SEG:GR:Ground:00, SEG:SP:Space:00).
06
Select DISTRIBUTED (Y or N)
Y if the service runs across more than one segment (PARENT lists two or more SEG elements); N if it runs on a single segment.
07
Write the DESCRIPTION
Human-readable name for the service, the capability it provides, and any protocol, model class, or cloud service model where relevant.
Repeat for the next service instance. When no more remain, the SVC layer is fully enumerated.
MODULE ONE
44/56
45
A1 · SVC elements enumerated for the Space segment

SERVICES SPACE SEGMENT

  • The space segment must control the platform (attitude, crypto, power, flight termination, thermal), move data (mission downlink/uplink, payload), and handle commands that cross both worlds (C&DH receives every uplinked command and routes mission data). Three kinds of capability mean we will need all three SVC tags.
  • Three SVC tags exist (CP, DP, HY). We use 5× CP for ADCS, space-side crypto, EPS, FTS, and TCS. 2× DP for mission and payload data planes. 1× HY for C&DH because it both commands the bus and routes mission data, that mix is what HY exists for.
  • Each instance gets its own ORDINAL within its tag: CP:00…04, DP:00…01, HY:00. PARENT = SEG:SP:Space:00 for all eight. DISTRIBUTED = N because each lives in this single segment. C&DH is HY for its capability mix, not for spanning segments.
A1 · SVC Enumeration Walkthrough · Space Segment

How the Eight Space-Segment Services Were Decided

Start from the segment’s job. The space segment for telecommand has to keep the platform alive on orbit, receive every uplinked command, execute or route those commands, and move payload data home. That capability mix decides which SVC tags get used.

Why all three SVC tags appear here. The framework publishes exactly three SVC values. CP is for control-plane work, managing the platform’s state. DP is for data-plane work, moving mission or payload data. HY is the deliberate exception for services that genuinely do both, where splitting them into separate CP and DP elements would misrepresent the operational reality.

Five Control-Plane services. ADCS (attitude), space-side cryptography, EPS (electrical power), FTS (flight termination), TCS (thermal). Each is a distinct platform-control capability that operates independently. Each gets its own ORDINAL inside the CP tag: SVC:CP:Control Plane:00 through :04.

Two Data-Plane services. One for the mission downlink/uplink data plane on the spacecraft (SVC:DP:Data Plane:00), one for the payload data plane (SVC:DP:Data Plane:01). Distinct because mission and payload data have different routing, prioritization, and crypto profiles.

One Hybrid: C&DH. Command and Data Handling is the canonical example of a service that’s both. It accepts every uplinked telecommand (control work) and routes mission/payload data through the bus (data work). Splitting it into a CP element and a DP element would hide the coupling that matters operationally. SVC:HY:Hybrid:00 with a description that names both responsibilities.

PARENT and DISTRIBUTED. All eight services name SEG:SP:Space:00 as PARENT. None spans multiple segments, each lives entirely on the spacecraft, so DISTRIBUTED = N for every one. C&DH being HY refers to its capability mix, not to multi-segment scope. Output: eight SVC ETENs under the Space segment, ready for AST elements to attach.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
SVC-CP SVC:CP:Control Plane:00:Attitude determination and control service (ADCS) orchestrating platform attitude.
SVC-CP SVC:CP:Control Plane:01:Cryptographic service, space-side.
SVC-CP SVC:CP:Control Plane:02:Electrical power management service (EPS) on the spacecraft.
SVC-CP SVC:CP:Control Plane:03:Flight termination service (FTS) on the spacecraft.
SVC-CP SVC:CP:Control Plane:04:Thermal control service (TCS) on the spacecraft.
SVC-DP SVC:DP:Data Plane:00:Mission downlink and uplink data plane on the SV.
SVC-DP SVC:DP:Data Plane:01:Payload data plane.
SVC-HY SVC:HY:Hybrid:00:Command and Data Handling service (C&DH) combining bus commanding and mission-data routing; receives every uplinked telecommand.
In scope8 SVC elements in SP
MODULE ONE
45/56
46
A1 · SVC elements enumerated for the Link segment

SERVICES LINK SEGMENT

  • The link must authenticate every uplinked command (ACA), detect and recover from attack on the channel, and route payload commands. It also has to keep the channel itself working: error correction (FEC/ECC) and tracking/telemetry (T2), both of which mix control signaling with data integrity.
  • 3× CP for the three command-control services (ACA, attack det/recovery, payload command). 2× HY for FEC/ECC and T2 because each genuinely fuses control and data. FEC corrects data bits using control logic; T2 tracks position while telemetering platform state. No DP: the link doesn’t host a standalone data plane separate from these hybrids here.
  • Ordinals continue the global counter inside each tag: CP:05, CP:06, CP:07; HY:01, HY:02 (HY:00 was C&DH on the space side). PARENT = SEG:LI:Link:00 for all five. DISTRIBUTED = N, these services live entirely on the link enclave, not across segments.
A1 · SVC Enumeration Walkthrough · Link Segment

How the Five Link-Segment Services Were Decided

What the link actually does. The link segment is where the signal lives. For telecommand it has to authenticate inbound commands so unauthorized traffic never reaches the spacecraft, detect attack patterns on the channel itself, route payload-bound commands cleanly, correct bit errors caused by the physical channel, and run the tracking and telemetry exchange that keeps both ends synchronized.

Three Control-Plane services. SVC:CP:Control Plane:05 is ACA on the link, the authentication gate every uplinked command crosses. :06 is attack detection and recovery on the link itself. :07 is the payload command service that handles payload-bound traffic separately from bus commands. Each is pure control work.

Two Hybrid services. SVC:HY:Hybrid:01 is FEC/ECC error handling, it operates on the actual data bits (data work) using control logic to compute parity and correct errors (control work). SVC:HY:Hybrid:02 is T2 (tracking and telemetry), it generates control-side ranging tones AND carries telemetry data downward. Both genuinely mix the two planes; splitting them would misrepresent the service.

Why no DP elements on the link. Mission and payload data on the link are carried by the HY services above. There’s no separate data-only plane to enumerate here; the data work is intrinsically coupled to the control logic of FEC/T2. On the spacecraft side, DP appears because the bus has dedicated data routing.

PARENT and DISTRIBUTED. All five name SEG:LI:Link:00 as PARENT. The link segment itself spans two PCEs (orbital + terrestrial) but the services here are scoped to the link enclave, not multi-segment, so DISTRIBUTED = N for each. Output: five SVC ETENs ready for AST elements (waveform signals, ACA software, link credentials).

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
SVC-CP SVC:CP:Control Plane:05:Authentication and command-acceptance service (ACA) on the link; gates every uplinked command.
SVC-CP SVC:CP:Control Plane:06:Attack detection and recovery service on the link.
SVC-CP SVC:CP:Control Plane:07:Payload command service on the link.
SVC-HY SVC:HY:Hybrid:01:Error handling (FEC/ECC) on the uplink and downlink.
SVC-HY SVC:HY:Hybrid:02:Tracking and telemetry (T2) service on the link.
In scope5 SVC elements in LI
MODULE ONE
46/56
47
A1 · SVC elements enumerated for the Ground segment

SERVICES GROUND SEGMENT

  • The ground is where command authority lives. Five capabilities for telecommand: cryptography (ground-side), authentication and command-acceptance (ground ACA), launch control, autonomous flight safety (AFSS), and the patch update pipeline. All of these are governance-and-control work.
  • All five services here are pure Control Plane: they authorize, gate, schedule, and supervise. No DP because mission product is consumed at the User segment, not produced here. No HY because none of these services mixes control work with data routing.
  • Ordinals continue the global CP counter: CP:08, CP:09, CP:10, CP:11, CP:12. PARENT = SEG:GR:Ground:00 for all five. DISTRIBUTED = N, each ground service is bounded to this segment, not coordinated across multiple SEGs.
A1 · SVC Enumeration Walkthrough · Ground Segment

How the Five Ground-Segment Services Were Decided

What the ground does. The ground segment owns command authority. For telecommand it has to encrypt outbound commands and decrypt inbound telemetry (cryptography), gate commands before they leave (ACA), run launch operations when in scope (launch control), maintain autonomous flight-safety supervision (AFSS), and deliver patches to the spacecraft and ground systems (patch update pipeline).

Why all five are Control Plane. The CP tag covers services that manage and orchestrate platform behavior. Authentication, encryption, launch authorization, flight-safety supervision, and patch delivery are all governance, gating, and orchestration activities. None of them moves mission product as their primary purpose; the product flows are handled elsewhere.

Why no DP elements here. Mission product is consumed at the User segment (the end-user application), not generated or terminated at Ground. Ground sees command streams (control work) and telemetry summaries (also control work, for situational awareness). No standalone data plane to enumerate.

Why no HY elements here. Hybrid is reserved for services that genuinely mix CP and DP work in one operational unit (C&DH on space, FEC and T2 on the link). None of the ground services here has that mix, each is either authorization or supervision, never both data-and-control.

PARENT and DISTRIBUTED. All five name SEG:GR:Ground:00 as PARENT. None spans into another segment, the patch pipeline crosses into Space only as an outcome, not as a service boundary, and ACA on the ground is a separate element from ACA on the link (CP:05) and ACA on the user side (CP:15). DISTRIBUTED = N for each. Output: five CP ETENs under the Ground segment.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
SVC-CP SVC:CP:Control Plane:08:Cryptographic service, ground-side.
SVC-CP SVC:CP:Control Plane:09:Authentication and command-acceptance service (ACA) on the ground.
SVC-CP SVC:CP:Control Plane:10:Launch control service.
SVC-CP SVC:CP:Control Plane:11:Autonomous flight safety service (AFSS).
SVC-CP SVC:CP:Control Plane:12:Patch update pipeline service.
In scope5 SVC elements in GR
MODULE ONE
47/56
48
A1 · SVC elements enumerated for the User segment

SERVICES USER SEGMENT

  • The user segment is where commands originate and where mission product is consumed. Five capabilities for telecommand: satellite console operations, cryptography and key management (user-side), authentication and command-acceptance (user ACA), satellite-ground command transport, and the end-user application that consumes mission product.
  • 4× CP for console, key management, user ACA, and command transport, all control-side work. 1× DP for the end-user application that consumes mission product (pure data plane). No HY: each service has a clean control-or-data role here, no mixed cases.
  • Ordinals continue the global counters: CP:13, CP:14, CP:15, CP:16; DP:02 (DP:00 and DP:01 were on the space side). PARENT = SEG:US:User:00 for all five. DISTRIBUTED = N, each service is bounded to the user segment.
A1 · SVC Enumeration Walkthrough · User Segment

How the Five User-Segment Services Were Decided

What the user segment does. The user segment is the operational endpoint for telecommand. Commands originate here at an operator console, are encrypted and authenticated with user-side keys, transported up through the link to the spacecraft, and the resulting mission product comes back to the end-user application. Five distinct services cover that flow.

Four Control-Plane services. CP:13 is the satellite console, the operator interface itself. CP:14 is cryptography and key management on the user side, distinct from ground crypto (CP:08) and space crypto (CP:01) because the user holds its own keys and authority. CP:15 is user ACA, authentication before commands leave the console. CP:16 is the satellite-ground command transport service that hands commands off into the ground/link path.

One Data-Plane service. DP:02 is the end-user application data plane, the software that consumes mission product (imagery, telemetry summaries, downlinked data) and presents it to the operator. Pure data-plane work; no control authority over the spacecraft.

Why no Hybrid. Each user-segment service has a clean role. Console, keys, ACA, and transport are all control work. The end-user app is all data work. None genuinely fuses both at this segment, so HY isn’t needed here.

PARENT and DISTRIBUTED. All five name SEG:US:User:00 as PARENT. None spans into another segment. DISTRIBUTED = N for each. Output: five SVC ETENs under the User segment, completing the cross-segment service map for telecommand (8 SP + 5 LI + 5 GR + 5 US = 23 services total).

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
SVC-CP SVC:CP:Control Plane:13:Satellite console operations service.
SVC-CP SVC:CP:Control Plane:14:Cryptographic and key-management service, user-side.
SVC-CP SVC:CP:Control Plane:15:Authentication and command-acceptance service (ACA) on the user side.
SVC-CP SVC:CP:Control Plane:16:Satellite-ground command transport service.
SVC-DP SVC:DP:Data Plane:02:End-user application data plane consuming mission product.
In scope5 SVC elements in US
MODULE ONE
48/56
UTC
49
A1 · reviewing the enumerated AST layer

CONCEPT OF OPERATIONS · ASSETS

Whose input. The services are already enumerated. Satellite Design and Engineering supplied the concrete assets from its inventory lists, BOMs, and CMDB exports: on the telecommand path, the twenty-five hardware, software, firmware, data, and signal assets that implement the command-path services, ACA software and credentials among them. Output. One ETEN of the form AST:TAG:LABEL:ORDINAL:Description per element. Seven steps, fixed order. Set LAYER (always AST). Set TAG. Set LABEL. Set ORDINAL. Write Description. Set PARENT to one or more SVC ETENs (comma-separated when the asset serves several services). Set optional SUBSYSTEM tag. Constraints. Ordinals were used aggressively so unit-level detections resolve to the exact instance. Review. Confirm each asset traces up to its service before presenting; this is the resolution at which a detection fires and a patch lands, and where all three departments converge.

01
Enumerate the LAYER
LAYER = AST (fixed; identifies this as an Asset element).
02
Select the TAG
One of HW, FW, SW, DA, SI, HY, matching the category of the concrete element this instance represents.
03
Enumerate the LABEL
The label from the taxonomy for the selected element: Hardware (HW), Firmware (FW), Software (SW), Data (DA), Signal (SI), or Hybrid (HY).
04
Assign an ORDINAL NUMBER
Two-digit number starting at 00. Use a distinct ordinal for every physical or logical unit so unit-level detections resolve to the right instance.
05
Enumerate the PARENT
The SVC instance(s) this asset implements, drawn from SVC elements already enumerated. Comma-separate multiple parents when one physical asset serves several services (for example, SVC:CP:Control Plane:00, SVC:DP:Data Plane:00 for an antenna that carries both telecommand and payload data).
06
Consider the SUBSYSTEM (optional)
If this asset is part of a coherent group of assets that together deliver one service (for example, an antenna plus its controller plus its tracking software form an antenna subsystem), enumerate a short free-text SUBSYSTEM name that you reuse verbatim on every asset in the same group. Otherwise leave blank.
07
Write the DESCRIPTION
Human-readable name for the asset, make and model or software version where applicable, the site or segment it lives in, interfaces it exposes, and any operational context a detection signature or incident-response playbook will need.
Repeat for the next asset instance. When no more remain, the AST layer is fully enumerated.
MODULE ONE
49/56
50
A1 · AST elements enumerated for the Space segment

ASSETS SPACE SEGMENT

  • Eight space services need concrete elements behind them: ADCS sensors and flight software, EPS power chain, FTS hardware and firmware, thermal hardware, OBC and OBDH bus with boot firmware, C&DH flight software, payload electronics and payload repeater firmware. Eleven physical or coded things to enumerate.
  • Six AST tags exist (HW, FW, SW, DA, SI, HY). We use 6× HW for the physical hardware (sensors, power chain, FTS receiver, thermal, OBC, payload electronics), 2× SW for flight software (ADCS, C&DH), 3× FW for firmware in microcontrollers (FTS, OBC boot, payload repeater). No DA, SI, or HY at this segment.
  • Each AST tag carries its own ordinal counter. Each element names one or more SVC parents, the OBC hardware, for example, hosts the C&DH hybrid AND every CP service running on the bus, so its PARENT is a comma-separated list. SUBSYSTEM tag groups related assets that form a coherent unit (Bus, Payload).
A1 · AST Enumeration Walkthrough · Space Segment

How the Eleven Space-Segment Assets Were Decided

Start from the services. AST elements exist to give every SVC something concrete to attach to. The space segment has eight services, but the count of AST elements isn’t one-to-one, some services share hardware (the OBC hosts several control-plane services), some have multiple distinct assets (the EPS power chain spans solar arrays, batteries, and the PCDU). Walk each service and ask: what physical or coded element actually implements this?

Six Hardware elements. ADCS sensors (star trackers, gyros, magnetometers). The electrical power chain (solar arrays + battery + PCDU). FTS receiver and ordnance. Thermal control hardware (heaters, radiators, MLI). The on-board computer with its OBDH bus. Payload electronics. Each is a distinct physical thing that can be patched, replaced, or quarantined.

Two Software elements. ADCS flight software (controls attitude) and C&DH flight software (handles command processing and data routing). Each is a distinct code base with its own update cadence.

Three Firmware elements. FTS firmware (the autonomous flight-termination logic). OBC boot firmware (brings the bus up). Payload repeater firmware (signal repeating in the payload chain). Firmware is separate from software because it sits in non-volatile hardware and changes through a different signing/uplink path.

Why no DA, SI, or HY on Space. Data assets (mission product, cryptographic keys) live where they’re generated or held, mission product flows to the User segment, keys live in the User HSM and Ground credential store. Signal assets live on the Link. Hybrid AST elements would be appropriate when one physical asset genuinely fuses two categories (a software-defined radio that’s simultaneously hardware and firmware, for instance); none of the space-segment assets here are HY by that test.

PARENT can name multiple SVCs. The framework allows AST PARENT to be a comma-separated list of SVCs when one physical asset serves several services. The OBC hardware here is the canonical case, it hosts C&DH (HY:00) and several CP services (ADCS, EPS, FTS) all running on the same processor. Modelling it as a single AST with multiple SVC parents preserves the physical reality; modelling it as N duplicate AST elements would hide the shared-resource attack surface.

SUBSYSTEM groups the bus. The optional SUBSYSTEM field can tag related elements (Bus = OBC + OBDH + C&DH FSW + boot FW + power chain) so Satellite Design & Engineering can query the asset inventory by physical subsystem regardless of which service each individual AST anchors to.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
AST-HW AST:HW:Hardware:00:ADCS sensors (star trackers, gyros, magnetometers).
AST-SW AST:SW:Software:00:ADCS flight software.
AST-HW AST:HW:Hardware:01:Electrical power chain hardware (solar arrays, battery, PCDU).
AST-HW AST:HW:Hardware:02:FTS receiver and ordnance hardware.
AST-FW AST:FW:Firmware:00:FTS firmware governing flight-termination logic.
AST-HW AST:HW:Hardware:03:Thermal control hardware (heaters, radiators, MLI).
AST-HW AST:HW:Hardware:06:On-board computer (OBC) and OBDH bus hardware.
AST-FW AST:FW:Firmware:01:OBC boot firmware and bus-controller firmware.
AST-SW AST:SW:Software:06:C&DH flight software handling command processing and data routing.
AST-HW AST:HW:Hardware:07:Payload electronics hardware.
AST-FW AST:FW:Firmware:02:Payload repeater firmware.
In scope11 AST elements in SP
MODULE ONE
50/56
51
A1 · AST elements enumerated for the Link segment

ASSETS LINK SEGMENT

  • Five link services need elements behind them. The uplink waveform itself, a physical signal that carries every command. The authentication credentials the ACA service consumes, a stored data object. The payload command encoder software. Three concrete things.
  • 1× SI for the uplink waveform. Signal is the only tag that fits a transmitted RF/optical waveform as a first-class element. 1× DA for the ACA credentials (session keys and certificates stored at the link). 1× SW for the payload command encoder. No HW or FW: the link is the channel itself; the physical transmitters/receivers belong to the Space and Ground segments at the endpoints.
  • SI:00 (first signal element), DA:00 (first data element), SW:01 (continuing the global SW counter). PARENT names the link SVCs each asset implements, the credentials are read by ACA (CP:05) and may also be referenced by error handling (HY:01), a legitimate multi-parent case. No SUBSYSTEM grouping needed at this segment.
A1 · AST Enumeration Walkthrough · Link Segment

How the Three Link-Segment Assets Were Decided

The link is a channel, not a host. Unlike Space, Ground, and User, the link segment doesn’t hold its own physical hardware boxes. The link is what passes between the two endpoints. The assets that live AT the link are the signal itself, what travels on it, and the cryptographic material the channel needs to authenticate that traffic.

The waveform is a Signal asset. AST:SI:Signal:00 is the uplink waveform, the RF or optical modulation that carries telecommand frames from Ground to Space. Signal is a first-class AST tag precisely so we can attribute attacks to the carrier itself (jamming, spoofing, replay) rather than to whatever transmitter happens to be generating it.

The credentials are a Data asset. AST:DA:Data:00 is the link ACA credential store, session keys, certificates, and any anti-replay state the link authentication needs. DA is the right tag because the credentials are stored data, distinct from the SW that uses them and the HW that physically holds them.

The encoder is Software. AST:SW:Software:01 is the payload command encoder that formats payload-bound telecommands before they hit the waveform. Distinct code base from the C&DH FSW on the spacecraft because it runs in the link path and has its own update cadence.

Why no HW or FW here. Physical transmitters and antennas live in the Ground and Space segments at the endpoints, that’s where they’re mounted, patched, and replaced. Firmware-level modem logic is similarly an endpoint asset. The link itself, conceptually, is just the medium.

PARENT may be multi-valued. The credentials (DA:00) are read by ACA (CP:05) and can also be referenced by error handling (HY:01) when integrity checks need them. The new framework cardinality means a single DA element with a comma-separated PARENT preserves that shared use; we don’t need duplicate DA elements for each service that reads the keys.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
AST-SI AST:SI:Signal:00:TC uplink waveform on the link.
AST-DA AST:DA:Data:00:Link ACA credentials including session keys and certificates.
AST-SW AST:SW:Software:01:Payload command encoder software.
In scope3 AST elements in LI
MODULE ONE
51/56
52
A1 · AST elements enumerated for the Ground segment

ASSETS GROUND SEGMENT

  • Five ground services need elements behind them. Ground ACA software performing authentication. The credential store the ACA reads. Patch binaries staged for uplink. The patch deployment pipeline software that builds, signs, and pushes them. Four concrete things.
  • 2× SW for ground ACA and the patch pipeline (two distinct code bases). 2× DA for the credential store and the patch binaries (two stored data artifacts with different sensitivity profiles). No HW at this scope, server hardware is consolidated with the services hosted on it rather than enumerated separately. No FW, SI, or HY.
  • SW:02, SW:03 (continuing the global SW counter). DA:01, DA:02 (continuing past link DA:00). PARENT links each AST to the ground SVC it implements, the credential store may serve both ground ACA (CP:09) and ground cryptography (CP:08), a legitimate multi-parent case under the new framework cardinality.
A1 · AST Enumeration Walkthrough · Ground Segment

How the Four Ground-Segment Assets Were Decided

Ground assets are mostly code and data. The ground segment’s job for telecommand is to authorize and prepare commands. That work shows up at the AST layer as software (the services running it) and data (the credentials and binaries those services consume or produce).

Two Software elements. AST:SW:Software:02 is the ground ACA software, the authentication and command-acceptance code path. AST:SW:Software:03 is the patch deployment pipeline, the build/sign/uplink toolchain. Each is a distinct code base with its own change-control process.

Two Data elements. AST:DA:Data:01 is the ACA credential store (master keys, CA data, anti-replay state). AST:DA:Data:02 is the patch binaries themselves, the actual firmware and software images staged for uplink. Different sensitivity profiles: keys must never leave the HSM-backed store; binaries must be signed and integrity-verified before transit.

Why no HW. The physical servers hosting ground services aren’t enumerated at this scope. They could be, if your platform’s threat model puts physical server compromise in scope, you’d add AST:HW elements for them, but for the telecommand example the abstraction stops at the code and data the services run on.

PARENT may be multi-valued. The credential store (DA:01) is read by ground ACA (CP:09) AND ground cryptography (CP:08). Under the new cardinality rule we list both as a comma-separated PARENT on the one DA element rather than duplicating it. The patch pipeline (SW:03) consumes the binaries (DA:02) and may also be invoked by AFSS (CP:11) when emergency patches are needed.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
AST-SW AST:SW:Software:02:Ground ACA software performing command authentication on the ground.
AST-DA AST:DA:Data:01:ACA credential store (master keys, certificate authority data).
AST-DA AST:DA:Data:02:Patch binaries for firmware and software updates.
AST-SW AST:SW:Software:03:Patch deployment pipeline software.
In scope4 AST elements in GR
MODULE ONE
52/56
53
A1 · AST elements enumerated for the User segment

ASSETS USER SEGMENT

  • Five user services need elements behind them. The operator console (hardware and the software running on it). The user HSM hardware and the cryptographic keys held inside it. The user-side ACA software. The end-user application and the mission product data it consumes. Seven concrete things.
  • 2× HW for operator console hardware and the HSM. 3× SW for console operator software, user ACA software, and the end-user app. 2× DA for the cryptographic keys (held in the HSM) and the mission product data (consumed by the app). No FW, SI, or HY at this segment.
  • HW:04, HW:05 (continuing past space HW:00–03). SW:04, SW:05, SW:08 (skipping space-side SW:06–07). DA:03, DA:04. PARENT links each AST to the user SVC(s) it implements, the HSM hardware serves both crypto/key-management (CP:14) and user ACA (CP:15), one of several legitimate multi-parent cases on this segment.
A1 · AST Enumeration Walkthrough · User Segment

How the Seven User-Segment Assets Were Decided

User-segment assets span the full mix. Unlike Ground (mostly code and data), the User segment has physical hardware (the console the operator actually touches, the HSM), code (console software, ACA, end-user app), and data (keys, mission product). All three categories show up here because the user is where command origination and product consumption physically happen.

Two Hardware elements. AST:HW:Hardware:04 is the operator console, the workstation, monitors, keyboard, and any peripherals. AST:HW:Hardware:05 is the hardware security module (HSM) that physically holds and protects user-side cryptographic keys.

Three Software elements. SW:04 is the console operator software (the application the operator drives the platform through). SW:05 is the user-side ACA software that signs outbound commands. SW:08 is the end-user application that consumes mission product. Each is a distinct code base with its own update cadence and trust boundary.

Two Data elements. DA:03 is the cryptographic keys held inside the HSM, never extracted, but enumerated as a DA asset so they appear in inventory and dependency analysis. DA:04 is the mission product data, downlinked imagery, telemetry summaries, or whatever the end-user app actually consumes.

PARENT genuinely needs multi-valued lists here. The HSM hardware (HW:05) serves both user cryptography/key-management (CP:14) and user ACA (CP:15), one physical box, two services. The keys themselves (DA:03) similarly serve both. The console hardware (HW:04) hosts the console software (CP:13) and any operator workflow within the satellite-ground transport service (CP:16). Under the new cardinality rule each of these becomes a single AST with a comma-separated PARENT list, preserving the actual physical reality.

Output: the full 54-element decomposition is complete. 2 PCE + 4 SEG + 23 SVC + 25 AST = 54 ETENs, every parent link populated. This is the Day-1 deliverable that hands off to Module 02 for threat attachment.

ElementFull ETEN (LAYER:TAG:LABEL:ORDINAL:Description)
AST-HW AST:HW:Hardware:04:Operator console hardware (workstation, peripherals).
AST-SW AST:SW:Software:04:Console operator software.
AST-HW AST:HW:Hardware:05:User-side hardware security module (HSM).
AST-DA AST:DA:Data:03:Cryptographic keys held by user-side HSM.
AST-SW AST:SW:Software:05:User-side ACA software for outbound command signing.
AST-SW AST:SW:Software:08:End-user application software.
AST-DA AST:DA:Data:04:Mission product data consumed by end-user application.
In scope7 AST elements in US
MODULE ONE
53/56
00
B1 · Build · Ability

CONOPS Presentation

You present the validated telecommand decomposition to the three departments: every asset traces to a service, a segment, and an environment, with no orphans. An unbroken parent chain is what makes the decomposition usable as evidence, enrichment on any element carries its full structural context, and the elements EO 14144 and NIS2 concern can be produced on demand.

MODULE ONE
00/00
UTC
54
B1 · the Day-1 deliverable · what you hand off to your three departments

ONE SHARED CONOPS

  • Fifty-four ETENs across four decomposition layers, every parent link populated, scoped to satellite command and control, the scope Executive Order 14144 and the NIS2 Directive set. Formalized and downloadable behind the CONOPS button. This is the work product you walk into the next meeting carrying.
  • Each department already knew its own pieces in depth. What changes today is that Security Operations, Satellite Operations, and Satellite Design & Engineering all now refer to those pieces with the same names. The CONOPS is the shared dialog, not a new inventory for any one department. The translation tax between rooms is gone.
  • With the taxonomy and ontology in place, Module 02 (Contextualized Threat Modeling) attaches threats to these named elements. The CONOPS is the shared taxonomy and ontology every later function writes against, and the same procedure transfers to the platform you operate at your work center.
B1 · Day-1 Deliverable · Full Context

Your CONOPS Is the Canvas Every Later Function Paints On

Your Day-1 work product, complete. Fifty-four ETENs across four decomposition layers (PCE, SEG, SVC, AST), every parent link populated, scoped to the satellite-control mission. This is what you walk into the next meeting carrying. The full inventory is formalized in the downloadable CONOPS workbook.

What changes for the three departments. None of these departments is new to the platform. Security Operations, Satellite Operations, and Satellite Design & Engineering each already understand the parts they own in depth, often more deeply than anyone outside that department. What the CONOPS adds is a single naming scheme they all use. When Security Operations refers to an element by its ETEN, Satellite Operations recognizes it, and Satellite Design & Engineering can point at the same concrete asset, without re-mapping between local vocabularies. The CONOPS is the shared dialog that lets three deep-domain departments act as one cyber-defense unit.

The reference build. Two PCE elements, four SEG enclaves along the command path, twenty-three services, and twenty-five assets. Every line is an enumerated element your department produced by walking the procedure. The same procedure transfers to the platform you operate at your work center.

Handoff to Function Two. The CONOPS is the taxonomy and ontology every later function writes against. Module 02 (Contextualized Threat Modeling) attaches threats to these elements next. Module 03 enumerates attack paths against them. Module 04 builds the detection signatures. Module 05 builds the resilience measures. None of those functions has anywhere to attach if this CONOPS is missing or incomplete, which is why Day 1 ends here, with the structural decomposition locked.

▷ WHAT GETS BUILT
SCOPE: SATELLITE COMMAND AND CONTROL · EO 14144 / NIS2
2
PCE · ENVIRONMENTS
Orbital and Terrestrial
4
SEG · SEGMENTS
Space, Link, Ground, User
23
SVC · SERVICES
Control plane, data plane, and hybrid
25
AST · ASSETS
Hardware, firmware, software, data, and signal
Total: 54 enumerated taxonomic elements (PCE + SEG + SVC + AST).
CONOPS · THE DAY-1 WORK PRODUCT
MODULE ONE
54/56
UTC
55
Work role ability confirmation · what you are now able to perform at your work center

DAY 1 COMPLETE

You built the thing the whole program hangs on. Not notes, not a diagram: a working CONOPS of the telecommand path that three departments can act on together, the foundation every later function attaches to.

  • A 54-element CONOPS of the telecommand path, run end to end: 2 PCE, 4 SEG, 23 SVC, 25 AST, every PARENT link populated, no orphans. Signed and downloadable, scoped to the command-and-control mission Executive Order 14144 and the NIS2 Directive hold Kestrel Orbital to.
  • Yesterday the three departments described the same platform three different ways. Today Security Operations, Satellite Operations, and Satellite Design & Engineering share one. The translation tax between rooms is gone, and enrichment on any element now carries its full chain of context.
  • Pass the end-of-module exam (10 questions, 90% to qualify). Then Day 2 puts the CONOPS to work: Module 02 attaches real, contextualized threats to the exact elements you named today. Every element you enumerated becomes something an adversary has to get through.
DAY 1 COMPLETE · ONE SHARED CONOPS
You, briefing all three departments from one shared description of the platform
Full Spectrum Space Cybersecurity Professional standing in front of a board displaying the METEORSTORM common vocabulary, briefing three small audiences representing Security Operations, Satellite Operations, and Satellite Design and Engineering. The board shows the four nested decomposition layers (PCE, SEG, SVC, AST) and the canonical five-field ETEN form. Dark operations center setting with cyan task lighting on the board and amber ambient lighting on the room.
Day 1 Complete · Full Context

Handing Off to Day 2 (Threat Modeling)

What you built today. A 54-ETEN decomposition of the telecommand path, run end to end on the reference satellite: 2 PCE, 4 SEG, 23 SVC, 25 AST, every PARENT link populated, no orphans, every chain reaching back to a PCE root. Your CONOPS is signed and downloadable.

The common dialog is live. Each department already understood its own pieces in depth. What changes now is that Security Operations, Satellite Operations, and Satellite Design & Engineering all refer to those pieces with the same names. The CONOPS is the shared dialog that lets three deep-domain departments act as one cyber-defense unit.

Day 2 and the exam. You now have your first CONOPS completed. Take the end-of-module exam (10 questions, 90% to pass) to qualify. Tomorrow: Day 2 / Module 02 attaches contextualized threats to the elements you decomposed today.

MODULE ONE
55/56
00
DAY 1 COMPLETE · METEORSTORM and satellite control

DAY 1 COMPLETE

You decomposed the telecommand path, the command-and-control scope Executive Order 14144 and the NIS2 Directive set, into shared enumerated elements the whole organization reads the same way. Tomorrow, Day 2 anchors real adversary threats to the elements you enumerated.

MODULE ONE
00/00
UTC
56
FUNCTION 05 FUNCTION 04 FUNCTION 03 FUNCTION 02 CONTEXTUALIZED THREAT MODELING FUNCTION 02
Function 01 complete · Function 02 next

CONTEXTUALIZED
THREAT MODELING.

Decomposition done. Contextualized Threat Modeling attaches threats to the elements you just built.

▷ MODULE 01 ASSESSMENT

End-of-module exam: 10 multiple-choice questions aligned with the decomposition discipline’s KSAT areas (Knowledge, Skills, Abilities, Tasks). Score 90% to qualify. Save your results as a PDF when you finish.

MODULE ONE
56/56
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each instrument links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).