UTC
01
FUNCTION 01 FUNCTION 02 FUNCTION 03 FUNCTION 04 ADVERSARY MANAGEMENT FUNCTION 05
Function Five
ADVERSARY
MANAGEMENT

Master Adversary Management.

“The adversary suffers when their plans are known, broken, and turned against them.”

Four days ago the Space Cybersecurity Operations and Resilience department existed on paper. Today it holds Kestrel Orbital’s platform model, its threat catalogue, its attack paths, and the signatures and playbooks that watch them, and all three departments work from those artifacts, not around them. To close the week, you bring Satellite Operations and Satellite Design & Engineering to one table to take options away from the adversary. You drive the organization to align decomposition, contextualized threat modeling, converged detection engineering, and exposure management with real-world adversary profiles, to detect, disrupt, and deter adversaries targeting its platform. The measures you build feed NIS2’s continuity, backup, and supply-chain duties and Executive Order 14144’s backup-and-failover requirement for command and control.

MODULE FIVE
01/12
00
DAY 5 · Adversary Management

DAY 5 START

Today you find the exposure that recurs across the week’s command-path work and build resilience measures that shrink, harden, or remove it before launch. Each department has taken its turn this week; now Satellite Operations and Satellite Design & Engineering sit at one table, with the Security Operations Center’s detections standing watch, to decide what changes. These are the continuity, backup, and supply-chain measures NIS2 requires, and the backup and failover Executive Order 14144 expects for command and control.

MODULE FIVE
00/00
UTC
03
L1 · day 5 opens with both operating departments in the room

BUILD THE RESILIENCE MEASURES

Six artifacts on the table. Resilience needs both: operating procedures the crew can run when something goes wrong, and architectural changes that make the failure mode hard or impossible in the first place. So today, for the first time this week, both operating departments are in the room together, each bringing what only it can. The six artifacts below are what you walk together for every measure you enumerate.

OPERATING PROCEDURES
▷ ARTIFACT · 01
OPERATING PROCEDURES

Satellite Operations’ playbook for failover, abort, retry, and safe-mode. New measures must fit what the crew can run during a pass.

ARCHITECTURE REFERENCE
▷ ARTIFACT · 02
ARCHITECTURE REFERENCE

Satellite Design & Engineering’s current architecture map: what’s hardened, what isn’t, what can be rebuilt this cycle.

REDUNDANCY MAP
▷ ARTIFACT · 03
REDUNDANCY MAP

What subsystems already have backup paths, and which paths quietly share a single failure point.

DEGRADED MODES
▷ ARTIFACT · 04
DEGRADED MODES

Platform behavior when individual subsystems are taken off-line: what the mission can still do, what it can’t.

ENG ROADMAP
▷ ARTIFACT · 05
ENG ROADMAP

What architectural changes are already queued vs. proposed; what’s in scope this week vs. next.

PAST LESSONS
▷ ARTIFACT · 06
PAST LESSONS

Resilience patterns from prior incidents on this platform and peer platforms that worked , or didn’t.

MODULE FIVE
03/12
UTC
04
A2 · enumerating resilience-measure elements

ADVERSARY MANAGEMENT PROCESS

Inputs. The week’s attack-path and threat sets against the telecommand path, and a working session with Satellite Operations and Satellite Design & Engineering, building the continuity, backup, and supply-chain measures NIS2 requires and the failover EO 14144 expects for command and control. Output. One AN-RES element per measure, each anchored via TRE to the structural elements it protects. Six steps, fixed order. Set LAYER (always AN). Identify the resiliency objective (Anticipate / Withstand / Recover / Adapt). Set TAG (RES). Set ORDINAL. Enumerate the TRE. Write the Description. Constraint. Every element must carry a TRE and name its resiliency objective; a measure with no target and no objective is decoration, not resilience.

01
Enumerate the LAYER
LAYER = AN (fixed; identifies this as an Analytic Layer element).
02
Identify the resiliency goal
One of Anticipate, Withstand, Recover, or Adapt per NIST SP 800-160 Volume 2. The goal is captured in the description and informs how the element will be reviewed for coverage and effectiveness.
03
Set the TAG to RES
The element identifies this as a Resilience-Measure element within the Analytic Layer (AN-RES).
04
Assign an ORDINAL
Two-digit ordinal starting at 00 (AN:RES:Resilience Measure:00, AN:RES:Resilience Measure:01, and so on); one ordinal per distinct resilience measure.
05
Enumerate the TRE
Target of Resilience: enumerate the structural elements the measure is intended to protect. AN-RES uses TRE, not TOE or TDM; TRE names the structural elements the measure makes more resilient.
06
Write the DESCRIPTION
Describe the measure, the resiliency goal it addresses (Anticipate / Withstand / Recover / Adapt), and the AN-ATT or AN-THR elements it counters. Cite the source: internal engineering, control-framework guidance, peer-shared pattern, or post-incident lesson.
Repeat for the next resilience measure. When every enumerated attack path and threat has at least one AN-RES enumerated across the four resiliency goals, the AN-RES coverage matrix is current.
MODULE FIVE
04/12
UTC
05
K1 · what a digital twin is and why we use it before touching the real platform

DIGITAL TWIN, THE TEST BENCH FOR RESILIENCE MEASURES

A digital twin is a high-fidelity virtual replica of the operational system, mirroring its hardware, software, environment, command behavior, and telemetry in near-real time. For a satellite, the twin pairs flight software, simulated subsystems (ADCS, EPS, comms, payload), and a model of the RF environment so a candidate change can be exercised end-to-end before it is uplinked. Day 5 leans on the twin because every AN-RES measure changes how the platform behaves under stress; some of those changes have second-order effects (loss of duty cycle, downlink margin, power budget, command latency) that you do not want to discover from a live mission. The twin is where resilience measures are validated, adversary scenarios are rehearsed, and trade-offs are quantified before anything ships to flight.

▷ VALUE · 01
TEST AN-RES BEFORE FLIGHT

Apply a candidate resilience measure (new safe-mode trigger, fault-tolerance limit, recovery routine) to the twin first. Observe second-order effects on mission-capability, duty cycle, downlink margin, and power budget before the production platform ever sees the change.

▷ VALUE · 02
REHEARSE ADVERSARY SCENARIOS

Replay a Day-3 AN-ATT chain against the twin with the resilience measure in place, then without. Measure the delta. A measure that does not actually withstand or recover under the scenario it was designed for is rejected before flight.

▷ VALUE · 03
MEASURE NIST 800-160 v2 OBJECTIVES

The twin produces measurable outcomes for all four TRE objectives: Anticipate, Withstand (mission stays capable under attack), Recover (time-to-return-to-nominal), Adapt (posture updates after the run). Decisions move from opinion to data.

▷ VALUE · 04
TRAIN OPERATORS SAFELY

Satellite Operations and Satellite Design & Engineering staff rehearse incident response on the twin. Because the twin is identical to flight in every operator-visible way, the muscle memory and decisions trained on the twin transfer directly to a real incident when one happens.

▷ VALUE · 05
QUANTIFY TRADE-OFFS

Every resilience measure has a cost. The twin lets the departments run dozens of scenarios cheaply and produce the trade-off curve (resilience gain vs. duty-cycle loss, vs. downlink margin, vs. power budget) so the platform-owner decision is anchored in numbers, not gut-feel.

▷ VALUE · 06
SHARE WITH PEER ORGANIZATIONS

A twin run produces a reproducible, vendor-neutral artifact: input scenario, applied AN-RES measure, measured outcomes per TRE objective. The result could port across Space-ISAC members and form the empirical basis of #SpaceCollectiveDefense for resilience.

RULE · No resilience measure ships to flight without at least one twin run that shows what it does, what it costs, and how it changes the four NIST 800-160 v2 objectives. Measures without twin evidence go back to the engineering backlog.

DTTWIN
MODULE FIVE
05/12
UTC
06
B1 · resilience measures protecting user-segment elements

USER SEGMENT RESILIENCE MEASURES

Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).

ID AN-RES ETEN
AN:RES:Resilience Measure:00
Mandate phishing-resistant MFA on operator-console authentication and just-in-time access elevation: removes the value of stolen static credentials and constrains the window of any compromise.
PROTECTS (TRE)
AST:HW:Hardware:04 (console workstation), SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:15 (user-side ACA)
COUNTERS
AN:ATT:Attack Path:00 (Console credential theft); AN:THR:Threat:01
OBJECTIVE Anticipate , raises the cost and reduces the value of a credential-theft attempt.
OWNER Both , Satellite Operations owns the operational rollout and access-elevation procedure; Satellite Design & Engineering owns the identity-provider integration.
SOURCE NIST SP 800-63B (Phishing-Resistant MFA); NIST SP 800-160 v2 anticipate-objective guidance.
AN:RES:Resilience Measure:01
End-user application hash verification at the workstation, plus signed mission-product manifests: a tampered binary or modified mission product fails verification before it reaches the operator’s eyes.
PROTECTS (TRE)
AST:SW:Software:08 (end-user app SW), AST:DA:Data:04 (mission product data), SVC:DP:Data Plane:02 (mission product display)
COUNTERS
AN:ATT:Attack Path:01 (End-user app tampering); AN:THR:Threat:00
OBJECTIVE Withstand , the platform stays trustworthy even if upstream is compromised.
OWNER Satellite Design & Engineering , owns the signing pipeline and verification integration in the end-user app.
SOURCE NIST SP 800-193 (Platform Firmware Resilience) integrity guidance; NIST SP 800-160 v2 withstand-objective guidance.
2MEASURES
MODULE FIVE
06/12
UTC
07
B1 · resilience measures protecting ground-segment elements

GROUND SEGMENT RESILIENCE MEASURES

Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).

ID AN-RES ETEN
AN:RES:Resilience Measure:02
Air-gap or strict zero-trust segmentation of the device management plane from external networks; require hardware-rooted attestation on any management-plane access; gate firmware pushes behind dual-approval workflow with a maintenance-window enforcement.
PROTECTS (TRE)
SVC:CP:Control Plane:08 (ground crypto), SVC:CP:Control Plane:09 (ground ACA), AST:SW:Software:03 (patch deployment SW), AST:DA:Data:02 (patch binaries)
COUNTERS
AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style); AN:THR:Threat:02
OBJECTIVE Anticipate , removes the high-impact path entirely by raising the barrier to management-plane access.
OWNER Both , Satellite Design & Engineering owns the segmentation and dual-approval rebuild; Satellite Operations owns the maintenance-window discipline.
SOURCE Viasat / CISA / SentinelLabs post-incident guidance from KA-SAT (2022); NIST SP 800-207 (Zero Trust Architecture).
AN:RES:Resilience Measure:03
Phishing-resistant MFA + short-lived session tokens + per-operator behavior baselines on ground-station service accounts: a stolen credential alone cannot authenticate, and an anomalous session is short-lived.
PROTECTS (TRE)
AST:DA:Data:01 (ACA credentials), SVC:CP:Control Plane:09 (ground ACA), SVC:CP:Control Plane:13 (console ops)
COUNTERS
AN:ATT:Attack Path:03 (Operator credential theft); AN:THR:Threat:03
OBJECTIVE Anticipate , raises cost of credential theft and constrains the window.
OWNER Both , Satellite Design & Engineering owns identity-provider integration; Satellite Operations owns operational rollout and behavior-baseline maintenance.
SOURCE NIST SP 800-63B; NIST SP 800-207.
AN:RES:Resilience Measure:04
Dual-control commanding for high-impact actions (a second operator must approve before transmission); per-operator behavior baselines and pre-pass briefings make out-of-pattern actions stand out.
PROTECTS (TRE)
AST:HW:Hardware:04 (console workstation), AST:SW:Software:04 (console SW), SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:09 (ground ACA)
COUNTERS
AN:ATT:Attack Path:04 (Privileged insider misuse); AN:THR:Threat:04
OBJECTIVE Withstand , a single insider cannot act alone on high-impact sequences.
OWNER Both , Satellite Design & Engineering owns the dual-control workflow in the commanding software; Satellite Operations owns the operational discipline of peer review.
SOURCE NIST SP 800-53 SC-3 / AC-6 (separation of duties / least privilege); NIST SP 800-160 v2 withstand-objective guidance.
AN:RES:Resilience Measure:05
Microsegmentation of the operator network from mission-control hosts with explicit allow-list of east-west flows; logging and alerting on any flow outside the list.
PROTECTS (TRE)
AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW), SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:09 (ground ACA)
COUNTERS
AN:ATT:Attack Path:05 (Lateral movement to mission control); AN:THR:Threat:05
OBJECTIVE Anticipate , lateral movement becomes structurally hard or impossible.
OWNER Satellite Design & Engineering , owns the segmentation rebuild and allow-list maintenance.
SOURCE NIST SP 800-207 (Zero Trust); MITRE ATT&CK TA0008 mitigation guidance.
AN:RES:Resilience Measure:06
Immutable, isolated backups of launch-control state and patch binaries with quarterly tested restore drills; ensures restoration is faster than negotiation.
PROTECTS (TRE)
SVC:CP:Control Plane:10 (launch control), SVC:CP:Control Plane:12 (patch pipeline), AST:DA:Data:02 (patch binaries), AST:SW:Software:03 (patch deployment SW)
COUNTERS
AN:ATT:Attack Path:06 (Ransomware against launch infrastructure); AN:THR:Threat:06
OBJECTIVE Recover , restoration is fast enough to keep the launch cadence.
OWNER Both , Satellite Design & Engineering owns the backup architecture; Satellite Operations owns the quarterly restore drill cadence.
SOURCE CISA Stop Ransomware (Backup Guidance); NIST SP 800-160 v2 recover-objective guidance.
5MEASURES
MODULE FIVE
07/12
UTC
08
B1 · resilience measures protecting link-segment elements

LINK SEGMENT RESILIENCE MEASURES

Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).

ID AN-RES ETEN
AN:RES:Resilience Measure:07
Frequency-agile / spread-spectrum link operation with pre-arranged backup band; Satellite Operations switches bands automatically when noise floor exceeds threshold; Satellite Design & Engineering owns the agility waveform.
PROTECTS (TRE)
SVC:CP:Control Plane:05 (link ACA), SVC:HY:Hybrid:01 (FEC/ECC), SVC:HY:Hybrid:02 (T2 tracking), AST:SI:Signal:00 (uplink/downlink waveforms)
COUNTERS
AN:ATT:Attack Path:07 (Jamming campaign); AN:THR:Threat:07
OBJECTIVE Withstand , communications continue under sustained interference.
OWNER Both , Satellite Design & Engineering owns the frequency-agile waveform implementation; Satellite Operations owns the band-switching procedure.
SOURCE ITU interference-mitigation guidance; SPARTA SPACE-T1429 mitigation patterns.
AN:RES:Resilience Measure:08
Forward-secret session keys with short rotation intervals; replay-protection sequence numbering on the command waveform; out-of-band acknowledgement for command acceptance.
PROTECTS (TRE)
SVC:CP:Control Plane:05 (link ACA), SVC:CP:Control Plane:09 (ground ACA), AST:SI:Signal:00 (uplink waveform), AST:DA:Data:00 (link ACA credentials)
COUNTERS
AN:ATT:Attack Path:08 (Replay-and-spoof on uplink); AN:THR:Threat:08
OBJECTIVE Anticipate , a captured waveform cannot be successfully replayed even if intercepted.
OWNER Satellite Design & Engineering , owns the crypto and protocol implementation.
SOURCE SPARTA SPACE-T1428 mitigation guidance; NIST SP 800-77 (Guide to IPsec) forward-secrecy guidance.
AN:RES:Resilience Measure:09
End-to-end downlink encryption from on-board encryptor to authorized ground receiver, with key-rotation cadence shorter than the time-to-break assumption; eliminates the value of passive interception.
PROTECTS (TRE)
SVC:HY:Hybrid:02 (T2 tracking), AST:SI:Signal:00 (downlink waveform), AST:SW:Software:01 (payload command encoder)
COUNTERS
AN:ATT:Attack Path:09 (Downlink interception); AN:THR:Threat:09
OBJECTIVE Anticipate , intercepted bits are unintelligible without the key.
OWNER Satellite Design & Engineering , owns the encryption architecture and key-management integration.
SOURCE SPARTA SPACE-T1427 mitigation guidance; NIST SP 800-57 key-management guidance.
3MEASURES
MODULE FIVE
08/12
UTC
09
B1 · resilience measures protecting space-segment elements

SPACE SEGMENT RESILIENCE MEASURES

Each row is one AN-RES element written with Satellite Operations and Satellite Design & Engineering. The TRE field names the structural element the measure protects; Counters names the attack path or threat it removes the adversary’s option from; the Resiliency Objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2) names the kind of resilience; the Owner names which department carries it (a Satellite Operations procedure, a Satellite Design & Engineering change, or both).

ID AN-RES ETEN
AN:RES:Resilience Measure:10
Safe-mode triggers in flight software that reject command sequences violating defined operational envelopes (attitude, power, FTS); require dual-signoff on the ground for any command that would push the envelope; on-board veto on FTS commands outside arming windows.
PROTECTS (TRE)
SVC:CP:Control Plane:00 (ADCS), SVC:CP:Control Plane:02 (EPS), SVC:CP:Control Plane:03 (FTS), AST:HW:Hardware:00/01/02, AST:SW:Software:00, AST:FW:Firmware:00
COUNTERS
AN:ATT:Attack Path:10 (Destructive bus attack); AN:THR:Threat:10
OBJECTIVE Withstand , the platform refuses destructive sequences even if commanded.
OWNER Both , Satellite Design & Engineering owns the on-board safe-mode logic; Satellite Operations owns the dual-signoff procedure for envelope-pushing commands.
SOURCE SPARTA SPACE-T1029 mitigation guidance; NIST SP 800-160 v2 withstand-objective guidance.
AN:RES:Resilience Measure:11
On-board FSW attestation: cryptographically signed configuration with write-once enforcement; runtime hash verification of running images; on-ground correlation of every accepted command against attestation state.
PROTECTS (TRE)
SVC:HY:Hybrid:00 (C&DH), SVC:CP:Control Plane:01 (space-side crypto), AST:HW:Hardware:06 (OBC/OBDH), AST:FW:Firmware:01 (OBC firmware), AST:SW:Software:06 (C&DH FSW)
COUNTERS
AN:ATT:Attack Path:11 (Command-path integrity attack); AN:THR:Threat:11
OBJECTIVE Withstand , tampered FSW cannot run without detection at next boot or hash check.
OWNER Satellite Design & Engineering , owns the attestation architecture and write-once enforcement.
SOURCE NIST SP 800-193 (Platform Firmware Resilience); SPARTA SPACE-T1014 mitigation guidance.
AN:RES:Resilience Measure:12
Measured-boot firmware attestation with signed-vendor manifest; supply-chain provenance verification at integration; quarantine of any component whose hash does not match the signed expected value.
PROTECTS (TRE)
SVC:CP:Control Plane:03 (FTS), SVC:CP:Control Plane:04 (TCS), SVC:CP:Control Plane:02 (EPS), AST:FW:Firmware:00 (FTS), AST:FW:Firmware:01 (OBC), AST:FW:Firmware:02 (payload)
COUNTERS
AN:ATT:Attack Path:12 (Supply-chain firmware compromise); AN:THR:Threat:12
OBJECTIVE Anticipate , tampered firmware never reaches operational role.
OWNER Satellite Design & Engineering , owns the measured-boot architecture, signing pipeline, and supply-chain verification process.
SOURCE NIST SP 800-193 (Platform Firmware Resilience); SLSA framework supply-chain guidance.
AN:RES:Resilience Measure:13
End-to-end mission-product signing from the science instrument through to the ground consumer: payload data is signed on-board immediately after acquisition; downstream verification rejects any product whose signature is invalid.
PROTECTS (TRE)
SVC:DP:Data Plane:00 (mission data plane), SVC:DP:Data Plane:01 (payload data plane), AST:HW:Hardware:07 (payload electronics), AST:FW:Firmware:02 (payload firmware)
COUNTERS
AN:ATT:Attack Path:13 (Payload-data tampering); AN:THR:Threat:13
OBJECTIVE Withstand , tampered payload data is detected before it reaches mission consumers.
OWNER Satellite Design & Engineering , owns the on-board signing infrastructure and ground-side verification.
SOURCE SPARTA SPACE-T1059 mitigation guidance; NIST SP 800-160 v2 withstand-objective guidance.
4MEASURES
MODULE FIVE
09/12
UTC
10
S1 · the week’s full enumerated resilience-measure set

WEEK COMPLETE · FOURTEEN RESILIENCE MEASURES

One measure per attack path, written with Satellite Operations and Satellite Design & Engineering. Every element names the structural element it protects via TRE, the attack path or threat it counters, the resiliency objective (Anticipate / Withstand / Recover / Adapt per NIST SP 800-160 v2), and the department(s) who own it. The Owner field is the week’s quiet proof of change: one artifact now assigns work across two departments in a language both sign.

ID Description Counters
AN:RES:Resilience Measure:00 Mandate phishing-resistant MFA on operator-console authentication and just-in-time access elevation: removes the value of stolen static credentials and constrains the window of any compromise. AN:ATT:Attack Path:00 (Console credential theft); AN:THR:Threat:01
AN:RES:Resilience Measure:01 End-user application hash verification at the workstation, plus signed mission-product manifests: a tampered binary or modified mission product fails verification before it reaches the operator’s eyes. AN:ATT:Attack Path:01 (End-user app tampering); AN:THR:Threat:00
AN:RES:Resilience Measure:02 Air-gap or strict zero-trust segmentation of the device management plane from external networks; require hardware-rooted attestation on any management-plane access; gate firmware pushes behind dual-approval workflow with a maintenance-window enforcement. AN:ATT:Attack Path:02 (Long-dwell ground-network intrusion , KA-SAT-style); AN:THR:Threat:02
AN:RES:Resilience Measure:03 Phishing-resistant MFA + short-lived session tokens + per-operator behavior baselines on ground-station service accounts: a stolen credential alone cannot authenticate, and an anomalous session is short-lived. AN:ATT:Attack Path:03 (Operator credential theft); AN:THR:Threat:03
AN:RES:Resilience Measure:04 Dual-control commanding for high-impact actions (a second operator must approve before transmission); per-operator behavior baselines and pre-pass briefings make out-of-pattern actions stand out. AN:ATT:Attack Path:04 (Privileged insider misuse); AN:THR:Threat:04
AN:RES:Resilience Measure:05 Microsegmentation of the operator network from mission-control hosts with explicit allow-list of east-west flows; logging and alerting on any flow outside the list. AN:ATT:Attack Path:05 (Lateral movement to mission control); AN:THR:Threat:05
AN:RES:Resilience Measure:06 Immutable, isolated backups of launch-control state and patch binaries with quarterly tested restore drills; ensures restoration is faster than negotiation. AN:ATT:Attack Path:06 (Ransomware against launch infrastructure); AN:THR:Threat:06
AN:RES:Resilience Measure:07 Frequency-agile / spread-spectrum link operation with pre-arranged backup band; Satellite Operations switches bands automatically when noise floor exceeds threshold; Satellite Design & Engineering owns the agility waveform. AN:ATT:Attack Path:07 (Jamming campaign); AN:THR:Threat:07
AN:RES:Resilience Measure:08 Forward-secret session keys with short rotation intervals; replay-protection sequence numbering on the command waveform; out-of-band acknowledgement for command acceptance. AN:ATT:Attack Path:08 (Replay-and-spoof on uplink); AN:THR:Threat:08
AN:RES:Resilience Measure:09 End-to-end downlink encryption from on-board encryptor to authorized ground receiver, with key-rotation cadence shorter than the time-to-break assumption; eliminates the value of passive interception. AN:ATT:Attack Path:09 (Downlink interception); AN:THR:Threat:09
AN:RES:Resilience Measure:10 Safe-mode triggers in flight software that reject command sequences violating defined operational envelopes (attitude, power, FTS); require dual-signoff on the ground for any command that would push the envelope; on-board veto on FTS commands outside arming windows. AN:ATT:Attack Path:10 (Destructive bus attack); AN:THR:Threat:10
AN:RES:Resilience Measure:11 On-board FSW attestation: cryptographically signed configuration with write-once enforcement; runtime hash verification of running images; on-ground correlation of every accepted command against attestation state. AN:ATT:Attack Path:11 (Command-path integrity attack); AN:THR:Threat:11
AN:RES:Resilience Measure:12 Measured-boot firmware attestation with signed-vendor manifest; supply-chain provenance verification at integration; quarantine of any component whose hash does not match the signed expected value. AN:ATT:Attack Path:12 (Supply-chain firmware compromise); AN:THR:Threat:12
AN:RES:Resilience Measure:13 End-to-end mission-product signing from the science instrument through to the ground consumer: payload data is signed on-board immediately after acquisition; downstream verification rejects any product whose signature is invalid. AN:ATT:Attack Path:13 (Payload-data tampering); AN:THR:Threat:13
14MEASURES
MODULE FIVE
10/12
UTC
11
Work role ability confirmation · what you are now able to perform at your work center

DAY 5 COMPLETE · FULL WEEK IN HAND

What you built today. Fourteen AN-RES elements written with Satellite Operations and Satellite Design & Engineering, feeding the continuity, backup, and supply-chain duties NIS2 assigns and the command-and-control failover EO 14144 expects. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Every measure names the structural element it protects, the threat or attack path it counters, the resiliency objective (Anticipate / Withstand / Recover / Adapt), and the department(s) who own it , a Satellite Operations procedure, a Satellite Design & Engineering change, or both. End of week. You now hold a working decomposition, an anchored threat set, an attack-path set, a signature + playbook set, and a resilience-measure set against the same reference platform. Every set is written in the same five-field language: the evidence base the two regulators expect, and the substance the organization’s Space ISAC channel carries.

Your role here. Adversary management is the fifth and final function where a Full Spectrum professional drives change, and you don’t have to be the resilience engineer or the operator to lead it. Resilience needs both operating procedures and architectural change, and Satellite Operations and Satellite Design & Engineering can sometimes be provided by separate organizations from each other and from Security Operations. Your job is to build the cross-functional team and get them to commit measures together. Across the week, these five functions have been your deliberate points of insertion: each one is where you reach across organizational lines and transform how those departments defend the platform together.

From the field · policy evidence

The 2025 CNSS update also requires a hardware root-of-trust for secure reboot, and the DHS model lets operators share Indicators of Behavior to warn their peers. Compliance is not one-and-done: under FISMA and the NIST Risk Management Framework (SP 800-37 Rev. 2), a subset of security controls must be assessed at least annually, which is why resilience is a repeatable, cross-organizational process rather than a one-time fix. Sources: Air & Space Forces Magazine, Nov. 19, 2025; NIST SP 800-37 Rev. 2; FISMA.

DAY 5 COMPLETE · RESILIENCE WRITTEN WITH SATOPS + SATDEV/ENG
Both operating departments in the room because resilience needs operating procedures and architectural change
Full Spectrum Space Cybersecurity Professional briefing the same three departments with the same platform vocabulary on the wall, threat markers, attack-path lines, and detection badges all visible from prior days, with new purple resilience-measure shields overlaid on specific elements showing where the platform has been hardened. A four-quadrant resilience-objectives map (Anticipate, Withstand, Recover, Adapt) sits as a small inset on the lower-right of the board. Dark operations center setting.
MODULE FIVE
11/12
00
DAY 5 COMPLETE · Adversary Management

DAY 5 COMPLETE

You built resilience measures across the platform. The week is complete: you carried one platform from decomposition all the way to resilience, with each department taking its turn at the table, and the five deliverables together support the organization’s response to Executive Order 14144 and the NIS2 Directive.

MODULE FIVE
00/00
UTC
END
COURSE COMPLETE COURSE COMPLETE
Function FIVE complete

COURSE
COMPLETE.

Five days, five disciplines, one artifact set. You’re the person at your work-center who ties Security Operations, Satellite Operations, and Satellite Design & Engineering together.

STARTING POINT
the outputs of Concept of Operations through Incident Response Preparation in place. No resilience measures yet; the structural elements where the adversary keeps finding leverage remain exposed.
FINISH LINE
An enumerated resilience-measure set (AN-RES) that systematically removes adversary attack surface, each measure shrinks, hardens, or eliminates the structural elements that recurred across the threat set and the attack-path set. Each AN-RES attaches via TRE to the structural element it removes from play, mapped to one of the four TRE objectives (per NIST SP 800-160 v2): Anticipate, Withstand, Recover, Adapt. Course complete.
▷ MODULE 05 ASSESSMENT

A multiple-choice exam aligned with Module 05 KSAT areas. Drawn at random from a question bank covering Function FIVE's taxonomy element (AN-RES), its TARGET attachment (TRE), and the production flow into the next function. Exam scaffolding wired in next iteration.

END
MODULE FIVE
12/12
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each element links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).