Master Adversary Management.
“The adversary suffers when their plans are known, broken, and turned against them.”
Four days ago the Space Cybersecurity Operations and Resilience department existed on paper. Today it holds Kestrel Orbital’s platform model, its threat catalogue, its attack paths, and the signatures and playbooks that watch them, and all three departments work from those artifacts, not around them. To close the week, you bring Satellite Operations and Satellite Design & Engineering to one table to take options away from the adversary. You drive the organization to align decomposition, contextualized threat modeling, converged detection engineering, and exposure management with real-world adversary profiles, to detect, disrupt, and deter adversaries targeting its platform. The measures you build feed NIS2’s continuity, backup, and supply-chain duties and Executive Order 14144’s backup-and-failover requirement for command and control.
DAY 5 START
Today you find the exposure that recurs across the week’s command-path work and build resilience measures that shrink, harden, or remove it before launch. Each department has taken its turn this week; now Satellite Operations and Satellite Design & Engineering sit at one table, with the Security Operations Center’s detections standing watch, to decide what changes. These are the continuity, backup, and supply-chain measures NIS2 requires, and the backup and failover Executive Order 14144 expects for command and control.
BUILD THE RESILIENCE MEASURES
Six artifacts on the table. Resilience needs both: operating procedures the crew can run when something goes wrong, and architectural changes that make the failure mode hard or impossible in the first place. So today, for the first time this week, both operating departments are in the room together, each bringing what only it can. The six artifacts below are what you walk together for every measure you enumerate.
Satellite Operations’ playbook for failover, abort, retry, and safe-mode. New measures must fit what the crew can run during a pass.
Satellite Design & Engineering’s current architecture map: what’s hardened, what isn’t, what can be rebuilt this cycle.
What subsystems already have backup paths, and which paths quietly share a single failure point.
Platform behavior when individual subsystems are taken off-line: what the mission can still do, what it can’t.
What architectural changes are already queued vs. proposed; what’s in scope this week vs. next.
Resilience patterns from prior incidents on this platform and peer platforms that worked , or didn’t.
ADVERSARY MANAGEMENT PROCESS
Inputs. The week’s attack-path and threat sets against the telecommand path, and a working session with Satellite Operations and Satellite Design & Engineering, building the continuity, backup, and supply-chain measures NIS2 requires and the failover EO 14144 expects for command and control. Output. One AN-RES element per measure, each anchored via TRE to the structural elements it protects. Six steps, fixed order. Set LAYER (always AN). Identify the resiliency objective (Anticipate / Withstand / Recover / Adapt). Set TAG (RES). Set ORDINAL. Enumerate the TRE. Write the Description. Constraint. Every element must carry a TRE and name its resiliency objective; a measure with no target and no objective is decoration, not resilience.
AN-RES).00 (AN:RES:Resilience Measure:00, AN:RES:Resilience Measure:01, and so on); one ordinal per distinct resilience measure.DIGITAL TWIN, THE TEST BENCH FOR RESILIENCE MEASURES
A digital twin is a high-fidelity virtual replica of the operational system, mirroring its hardware, software, environment, command behavior, and telemetry in near-real time. For a satellite, the twin pairs flight software, simulated subsystems (ADCS, EPS, comms, payload), and a model of the RF environment so a candidate change can be exercised end-to-end before it is uplinked. Day 5 leans on the twin because every AN-RES measure changes how the platform behaves under stress; some of those changes have second-order effects (loss of duty cycle, downlink margin, power budget, command latency) that you do not want to discover from a live mission. The twin is where resilience measures are validated, adversary scenarios are rehearsed, and trade-offs are quantified before anything ships to flight.
Apply a candidate resilience measure (new safe-mode trigger, fault-tolerance limit, recovery routine) to the twin first. Observe second-order effects on mission-capability, duty cycle, downlink margin, and power budget before the production platform ever sees the change.
Replay a Day-3 AN-ATT chain against the twin with the resilience measure in place, then without. Measure the delta. A measure that does not actually withstand or recover under the scenario it was designed for is rejected before flight.
The twin produces measurable outcomes for all four TRE objectives: Anticipate, Withstand (mission stays capable under attack), Recover (time-to-return-to-nominal), Adapt (posture updates after the run). Decisions move from opinion to data.
Satellite Operations and Satellite Design & Engineering staff rehearse incident response on the twin. Because the twin is identical to flight in every operator-visible way, the muscle memory and decisions trained on the twin transfer directly to a real incident when one happens.
Every resilience measure has a cost. The twin lets the departments run dozens of scenarios cheaply and produce the trade-off curve (resilience gain vs. duty-cycle loss, vs. downlink margin, vs. power budget) so the platform-owner decision is anchored in numbers, not gut-feel.
A twin run produces a reproducible, vendor-neutral artifact: input scenario, applied AN-RES measure, measured outcomes per TRE objective. The result could port across Space-ISAC members and form the empirical basis of #SpaceCollectiveDefense for resilience.
RULE · No resilience measure ships to flight without at least one twin run that shows what it does, what it costs, and how it changes the four NIST 800-160 v2 objectives. Measures without twin evidence go back to the engineering backlog.
USER SEGMENT RESILIENCE MEASURES
Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).
| ID | AN-RES ETEN |
|---|---|
AN:RES:Resilience Measure:00 |
Mandate phishing-resistant MFA on operator-console authentication and just-in-time access elevation: removes the value of stolen static credentials and constrains the window of any compromise.
PROTECTS (TRE)
AST:HW:Hardware:04 (console workstation), SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:15 (user-side ACA)COUNTERS
AN:ATT:Attack Path:00 (Console credential theft); AN:THR:Threat:01OBJECTIVE Anticipate , raises the cost and reduces the value of a credential-theft attempt.
OWNER Both , Satellite Operations owns the operational rollout and access-elevation procedure; Satellite Design & Engineering owns the identity-provider integration.
SOURCE NIST SP 800-63B (Phishing-Resistant MFA); NIST SP 800-160 v2 anticipate-objective guidance.
|
AN:RES:Resilience Measure:01 |
End-user application hash verification at the workstation, plus signed mission-product manifests: a tampered binary or modified mission product fails verification before it reaches the operator’s eyes.
PROTECTS (TRE)
AST:SW:Software:08 (end-user app SW), AST:DA:Data:04 (mission product data), SVC:DP:Data Plane:02 (mission product display)COUNTERS
AN:ATT:Attack Path:01 (End-user app tampering); AN:THR:Threat:00OBJECTIVE Withstand , the platform stays trustworthy even if upstream is compromised.
OWNER Satellite Design & Engineering , owns the signing pipeline and verification integration in the end-user app.
SOURCE NIST SP 800-193 (Platform Firmware Resilience) integrity guidance; NIST SP 800-160 v2 withstand-objective guidance.
|
GROUND SEGMENT RESILIENCE MEASURES
Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).
| ID | AN-RES ETEN |
|---|---|
AN:RES:Resilience Measure:02 |
Air-gap or strict zero-trust segmentation of the device management plane from external networks; require hardware-rooted attestation on any management-plane access; gate firmware pushes behind dual-approval workflow with a maintenance-window enforcement.
PROTECTS (TRE)
SVC:CP:Control Plane:08 (ground crypto), SVC:CP:Control Plane:09 (ground ACA), AST:SW:Software:03 (patch deployment SW), AST:DA:Data:02 (patch binaries)COUNTERS
AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style); AN:THR:Threat:02OBJECTIVE Anticipate , removes the high-impact path entirely by raising the barrier to management-plane access.
OWNER Both , Satellite Design & Engineering owns the segmentation and dual-approval rebuild; Satellite Operations owns the maintenance-window discipline.
SOURCE Viasat / CISA / SentinelLabs post-incident guidance from KA-SAT (2022); NIST SP 800-207 (Zero Trust Architecture).
|
AN:RES:Resilience Measure:03 |
Phishing-resistant MFA + short-lived session tokens + per-operator behavior baselines on ground-station service accounts: a stolen credential alone cannot authenticate, and an anomalous session is short-lived.
PROTECTS (TRE)
AST:DA:Data:01 (ACA credentials), SVC:CP:Control Plane:09 (ground ACA), SVC:CP:Control Plane:13 (console ops)COUNTERS
AN:ATT:Attack Path:03 (Operator credential theft); AN:THR:Threat:03OBJECTIVE Anticipate , raises cost of credential theft and constrains the window.
OWNER Both , Satellite Design & Engineering owns identity-provider integration; Satellite Operations owns operational rollout and behavior-baseline maintenance.
SOURCE NIST SP 800-63B; NIST SP 800-207.
|
AN:RES:Resilience Measure:04 |
Dual-control commanding for high-impact actions (a second operator must approve before transmission); per-operator behavior baselines and pre-pass briefings make out-of-pattern actions stand out.
PROTECTS (TRE)
AST:HW:Hardware:04 (console workstation), AST:SW:Software:04 (console SW), SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:09 (ground ACA)COUNTERS
AN:ATT:Attack Path:04 (Privileged insider misuse); AN:THR:Threat:04OBJECTIVE Withstand , a single insider cannot act alone on high-impact sequences.
OWNER Both , Satellite Design & Engineering owns the dual-control workflow in the commanding software; Satellite Operations owns the operational discipline of peer review.
SOURCE NIST SP 800-53 SC-3 / AC-6 (separation of duties / least privilege); NIST SP 800-160 v2 withstand-objective guidance.
|
AN:RES:Resilience Measure:05 |
Microsegmentation of the operator network from mission-control hosts with explicit allow-list of east-west flows; logging and alerting on any flow outside the list.
PROTECTS (TRE)
AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW), SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:09 (ground ACA)COUNTERS
AN:ATT:Attack Path:05 (Lateral movement to mission control); AN:THR:Threat:05OBJECTIVE Anticipate , lateral movement becomes structurally hard or impossible.
OWNER Satellite Design & Engineering , owns the segmentation rebuild and allow-list maintenance.
SOURCE NIST SP 800-207 (Zero Trust); MITRE ATT&CK TA0008 mitigation guidance.
|
AN:RES:Resilience Measure:06 |
Immutable, isolated backups of launch-control state and patch binaries with quarterly tested restore drills; ensures restoration is faster than negotiation.
PROTECTS (TRE)
SVC:CP:Control Plane:10 (launch control), SVC:CP:Control Plane:12 (patch pipeline), AST:DA:Data:02 (patch binaries), AST:SW:Software:03 (patch deployment SW)COUNTERS
AN:ATT:Attack Path:06 (Ransomware against launch infrastructure); AN:THR:Threat:06OBJECTIVE Recover , restoration is fast enough to keep the launch cadence.
OWNER Both , Satellite Design & Engineering owns the backup architecture; Satellite Operations owns the quarterly restore drill cadence.
SOURCE CISA Stop Ransomware (Backup Guidance); NIST SP 800-160 v2 recover-objective guidance.
|
LINK SEGMENT RESILIENCE MEASURES
Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).
| ID | AN-RES ETEN |
|---|---|
AN:RES:Resilience Measure:07 |
Frequency-agile / spread-spectrum link operation with pre-arranged backup band; Satellite Operations switches bands automatically when noise floor exceeds threshold; Satellite Design & Engineering owns the agility waveform.
PROTECTS (TRE)
SVC:CP:Control Plane:05 (link ACA), SVC:HY:Hybrid:01 (FEC/ECC), SVC:HY:Hybrid:02 (T2 tracking), AST:SI:Signal:00 (uplink/downlink waveforms)COUNTERS
AN:ATT:Attack Path:07 (Jamming campaign); AN:THR:Threat:07OBJECTIVE Withstand , communications continue under sustained interference.
OWNER Both , Satellite Design & Engineering owns the frequency-agile waveform implementation; Satellite Operations owns the band-switching procedure.
SOURCE ITU interference-mitigation guidance; SPARTA SPACE-T1429 mitigation patterns.
|
AN:RES:Resilience Measure:08 |
Forward-secret session keys with short rotation intervals; replay-protection sequence numbering on the command waveform; out-of-band acknowledgement for command acceptance.
PROTECTS (TRE)
SVC:CP:Control Plane:05 (link ACA), SVC:CP:Control Plane:09 (ground ACA), AST:SI:Signal:00 (uplink waveform), AST:DA:Data:00 (link ACA credentials)COUNTERS
AN:ATT:Attack Path:08 (Replay-and-spoof on uplink); AN:THR:Threat:08OBJECTIVE Anticipate , a captured waveform cannot be successfully replayed even if intercepted.
OWNER Satellite Design & Engineering , owns the crypto and protocol implementation.
SOURCE SPARTA SPACE-T1428 mitigation guidance; NIST SP 800-77 (Guide to IPsec) forward-secrecy guidance.
|
AN:RES:Resilience Measure:09 |
End-to-end downlink encryption from on-board encryptor to authorized ground receiver, with key-rotation cadence shorter than the time-to-break assumption; eliminates the value of passive interception.
PROTECTS (TRE)
SVC:HY:Hybrid:02 (T2 tracking), AST:SI:Signal:00 (downlink waveform), AST:SW:Software:01 (payload command encoder)COUNTERS
AN:ATT:Attack Path:09 (Downlink interception); AN:THR:Threat:09OBJECTIVE Anticipate , intercepted bits are unintelligible without the key.
OWNER Satellite Design & Engineering , owns the encryption architecture and key-management integration.
SOURCE SPARTA SPACE-T1427 mitigation guidance; NIST SP 800-57 key-management guidance.
|
SPACE SEGMENT RESILIENCE MEASURES
Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).
| ID | AN-RES ETEN |
|---|---|
AN:RES:Resilience Measure:10 |
Safe-mode triggers in flight software that reject command sequences violating defined operational envelopes (attitude, power, FTS); require dual-signoff on the ground for any command that would push the envelope; on-board veto on FTS commands outside arming windows.
PROTECTS (TRE)
SVC:CP:Control Plane:00 (ADCS), SVC:CP:Control Plane:02 (EPS), SVC:CP:Control Plane:03 (FTS), AST:HW:Hardware:00/01/02, AST:SW:Software:00, AST:FW:Firmware:00COUNTERS
AN:ATT:Attack Path:10 (Destructive bus attack); AN:THR:Threat:10OBJECTIVE Withstand , the platform refuses destructive sequences even if commanded.
OWNER Both , Satellite Design & Engineering owns the on-board safe-mode logic; Satellite Operations owns the dual-signoff procedure for envelope-pushing commands.
SOURCE SPARTA SPACE-T1029 mitigation guidance; NIST SP 800-160 v2 withstand-objective guidance.
|
AN:RES:Resilience Measure:11 |
On-board FSW attestation: cryptographically signed configuration with write-once enforcement; runtime hash verification of running images; on-ground correlation of every accepted command against attestation state.
PROTECTS (TRE)
SVC:HY:Hybrid:00 (C&DH), SVC:CP:Control Plane:01 (space-side crypto), AST:HW:Hardware:06 (OBC/OBDH), AST:FW:Firmware:01 (OBC firmware), AST:SW:Software:06 (C&DH FSW)COUNTERS
AN:ATT:Attack Path:11 (Command-path integrity attack); AN:THR:Threat:11OBJECTIVE Withstand , tampered FSW cannot run without detection at next boot or hash check.
OWNER Satellite Design & Engineering , owns the attestation architecture and write-once enforcement.
SOURCE NIST SP 800-193 (Platform Firmware Resilience); SPARTA SPACE-T1014 mitigation guidance.
|
AN:RES:Resilience Measure:12 |
Measured-boot firmware attestation with signed-vendor manifest; supply-chain provenance verification at integration; quarantine of any component whose hash does not match the signed expected value.
PROTECTS (TRE)
SVC:CP:Control Plane:03 (FTS), SVC:CP:Control Plane:04 (TCS), SVC:CP:Control Plane:02 (EPS), AST:FW:Firmware:00 (FTS), AST:FW:Firmware:01 (OBC), AST:FW:Firmware:02 (payload)COUNTERS
AN:ATT:Attack Path:12 (Supply-chain firmware compromise); AN:THR:Threat:12OBJECTIVE Anticipate , tampered firmware never reaches operational role.
OWNER Satellite Design & Engineering , owns the measured-boot architecture, signing pipeline, and supply-chain verification process.
SOURCE NIST SP 800-193 (Platform Firmware Resilience); SLSA framework supply-chain guidance.
|
AN:RES:Resilience Measure:13 |
End-to-end mission-product signing from the science instrument through to the ground consumer: payload data is signed on-board immediately after acquisition; downstream verification rejects any product whose signature is invalid.
PROTECTS (TRE)
SVC:DP:Data Plane:00 (mission data plane), SVC:DP:Data Plane:01 (payload data plane), AST:HW:Hardware:07 (payload electronics), AST:FW:Firmware:02 (payload firmware)COUNTERS
AN:ATT:Attack Path:13 (Payload-data tampering); AN:THR:Threat:13OBJECTIVE Withstand , tampered payload data is detected before it reaches mission consumers.
OWNER Satellite Design & Engineering , owns the on-board signing infrastructure and ground-side verification.
SOURCE SPARTA SPACE-T1059 mitigation guidance; NIST SP 800-160 v2 withstand-objective guidance.
|
WEEK COMPLETE · FOURTEEN RESILIENCE MEASURES
One measure per attack path, written with Satellite Operations and Satellite Design & Engineering. Every element names the structural element it protects via TRE, the attack path or threat it counters, the resiliency objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2), and the department(s) who own it. The Owner field is the week’s quiet proof of change: one artifact now assigns work across two departments in a language both sign.
| ID | Description | Counters |
|---|---|---|
AN:RES:Resilience Measure:00 |
Mandate phishing-resistant MFA on operator-console authentication and just-in-time access elevation: removes the value of stolen static credentials and constrains the window of any compromise. | AN:ATT:Attack Path:00 (Console credential theft); AN:THR:Threat:01 |
AN:RES:Resilience Measure:01 |
End-user application hash verification at the workstation, plus signed mission-product manifests: a tampered binary or modified mission product fails verification before it reaches the operator’s eyes. | AN:ATT:Attack Path:01 (End-user app tampering); AN:THR:Threat:00 |
AN:RES:Resilience Measure:02 |
Air-gap or strict zero-trust segmentation of the device management plane from external networks; require hardware-rooted attestation on any management-plane access; gate firmware pushes behind dual-approval workflow with a maintenance-window enforcement. | AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style); AN:THR:Threat:02 |
AN:RES:Resilience Measure:03 |
Phishing-resistant MFA + short-lived session tokens + per-operator behavior baselines on ground-station service accounts: a stolen credential alone cannot authenticate, and an anomalous session is short-lived. | AN:ATT:Attack Path:03 (Operator credential theft); AN:THR:Threat:03 |
AN:RES:Resilience Measure:04 |
Dual-control commanding for high-impact actions (a second operator must approve before transmission); per-operator behavior baselines and pre-pass briefings make out-of-pattern actions stand out. | AN:ATT:Attack Path:04 (Privileged insider misuse); AN:THR:Threat:04 |
AN:RES:Resilience Measure:05 |
Microsegmentation of the operator network from mission-control hosts with explicit allow-list of east-west flows; logging and alerting on any flow outside the list. | AN:ATT:Attack Path:05 (Lateral movement to mission control); AN:THR:Threat:05 |
AN:RES:Resilience Measure:06 |
Immutable, isolated backups of launch-control state and patch binaries with quarterly tested restore drills; ensures restoration is faster than negotiation. | AN:ATT:Attack Path:06 (Ransomware against launch infrastructure); AN:THR:Threat:06 |
AN:RES:Resilience Measure:07 |
Frequency-agile / spread-spectrum link operation with pre-arranged backup band; Satellite Operations switches bands automatically when noise floor exceeds threshold; Satellite Design & Engineering owns the agility waveform. | AN:ATT:Attack Path:07 (Jamming campaign); AN:THR:Threat:07 |
AN:RES:Resilience Measure:08 |
Forward-secret session keys with short rotation intervals; replay-protection sequence numbering on the command waveform; out-of-band acknowledgement for command acceptance. | AN:ATT:Attack Path:08 (Replay-and-spoof on uplink); AN:THR:Threat:08 |
AN:RES:Resilience Measure:09 |
End-to-end downlink encryption from on-board encryptor to authorized ground receiver, with key-rotation cadence shorter than the time-to-break assumption; eliminates the value of passive interception. | AN:ATT:Attack Path:09 (Downlink interception); AN:THR:Threat:09 |
AN:RES:Resilience Measure:10 |
Safe-mode triggers in flight software that reject command sequences violating defined operational envelopes (attitude, power, FTS); require dual-signoff on the ground for any command that would push the envelope; on-board veto on FTS commands outside arming windows. | AN:ATT:Attack Path:10 (Destructive bus attack); AN:THR:Threat:10 |
AN:RES:Resilience Measure:11 |
On-board FSW attestation: cryptographically signed configuration with write-once enforcement; runtime hash verification of running images; on-ground correlation of every accepted command against attestation state. | AN:ATT:Attack Path:11 (Command-path integrity attack); AN:THR:Threat:11 |
AN:RES:Resilience Measure:12 |
Measured-boot firmware attestation with signed-vendor manifest; supply-chain provenance verification at integration; quarantine of any component whose hash does not match the signed expected value. | AN:ATT:Attack Path:12 (Supply-chain firmware compromise); AN:THR:Threat:12 |
AN:RES:Resilience Measure:13 |
End-to-end mission-product signing from the science instrument through to the ground consumer: payload data is signed on-board immediately after acquisition; downstream verification rejects any product whose signature is invalid. | AN:ATT:Attack Path:13 (Payload-data tampering); AN:THR:Threat:13 |
DAY 5 COMPLETE · FULL WEEK IN HAND
What you built today. Fourteen AN-RES elements written with Satellite Operations and Satellite Design & Engineering, feeding the continuity, backup, and supply-chain duties NIS2 assigns and the command-and-control failover EO 14144 expects. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Every measure names the structural element it protects, the threat or attack path it counters, the resiliency objective (Anticipate / Withstand / Recover / Adapt), and the department(s) who own it , a Satellite Operations procedure, a Satellite Design & Engineering change, or both. End of week. You now hold a working decomposition, an anchored threat set, an attack-path set, a signature + playbook set, and a resilience-measure set against the same reference platform. Every set is written in the same five-field language: the evidence base the two regulators expect, and the substance the organization’s Space ISAC channel carries.
Your role here. Adversary management is the fifth and final function where a Full Spectrum professional drives change, and you don’t have to be the resilience engineer or the operator to lead it. Resilience needs both operating procedures and architectural change, and Satellite Operations and Satellite Design & Engineering can sometimes be provided by separate organizations from each other and from Security Operations. Your job is to build the cross-functional team and get them to commit measures together. Across the week, these five functions have been your deliberate points of insertion: each one is where you reach across organizational lines and transform how those departments defend the platform together.
The 2025 CNSS update also requires a hardware root-of-trust for secure reboot, and the DHS model lets operators share Indicators of Behavior to warn their peers. Compliance is not one-and-done: under FISMA and the NIST Risk Management Framework (SP 800-37 Rev. 2), a subset of security controls must be assessed at least annually, which is why resilience is a repeatable, cross-organizational process rather than a one-time fix. Sources: Air & Space Forces Magazine, Nov. 19, 2025; NIST SP 800-37 Rev. 2; FISMA.

DAY 5 COMPLETE
You built resilience measures across the platform. The week is complete: you carried one platform from decomposition all the way to resilience, with each department taking its turn at the table, and the five deliverables together support the organization’s response to Executive Order 14144 and the NIS2 Directive.
COURSE
COMPLETE.
Five days, five disciplines, one artifact set. You’re the person at your work-center who ties Security Operations, Satellite Operations, and Satellite Design & Engineering together.
A multiple-choice exam aligned with Module 05 KSAT areas. Drawn at random from a question bank covering Function FIVE's taxonomy element (AN-RES), its TARGET attachment (TRE), and the production flow into the next function. Exam scaffolding wired in next iteration.