Last month, the Senate Homeland Security and Governmental Affairs Committee published their Report for S 3511, Satellite Cybersecurity Act. The Committee met on March 30th, 2022 and adopted substitute language and one additional amendment before ordering the bill reported favorably. The new version of the bill modifies some of the reporting requirements and makes changes to the satellite cybersecurity recommendations process. Subsequent technical changes were made to the bill “by mutual agreement of the Chairman and Ranking Member” (Committee Report, pg 4).
GAO Report Changes
Changes were made to §3(b) of the bill regarding the GAO reporting requirements. First, the 1-year report mandate was changed to 2 years. The changes also add two areas of coverage:
The extent to which Federal agencies are reliant on commercial satellite systems owned wholly or in part or controlled by foreign entities, and how Federal agencies mitigate associated cybersecurity risks, and
The extent to which Federal agencies are reliant on commercial satellite systems with physical structures, such as satellite ground control systems, in foreign countries, and how Federal agencies mitigate associated cybersecurity risks.
Section 3(c) of the bill makes changes to the list of agencies with which the GAO is required to consult in the preparation of their report. While the earlier version of the bill required them to consult with NIST and the FAA, the list was changed to reflect the Department of Commerce and the Department of Transportation instead. The new version also adds the National Executive Committee for Space-Based Positioning, Navigation, and Timing to the list of agencies.
Cybersecurity Recommendations
In §4(c), the Committee changed the basic concept behind the requirement of listing cybersecurity recommendations for commercial satellite systems. Where the original bill required CISA to ‘develop voluntary cybersecurity recommendations’, the new version changes the verb from ‘develop’ to ‘consolidate’, changing the focus of CISA’s actions.
The Committee also added two additional requirements to be addressed in the recommendations consolidated by CISA:
Protection against vulnerabilities posed by ownership of commercial satellite systems or commercial satellite system companies by foreign entities, and
Protection against vulnerabilities posed by locating physical infrastructure, such as satellite ground control systems, in foreign countries.
Section 4(d) was completely rewritten, expanding the earlier ‘consultation’ requirements to a broader set of implementation instructions. The new requirements include instructions to “carry out the implementation as a public-private partnership”. The ‘consultation’ requirements for federal agencies were changed to reflect coordination with those agencies. Finally, in consulting with non-Federal agencies, language was added to specifically include “private, consensus organizations that develop relevant standards.”
Moving Forward
While there was (not unexpectedly) strong bipartisan support for this bill in Committee, the Senate leadership is not likely to consider it important enough to take up under regular order on the floor of the Senate. The time and effort to go through the debate and amendment process would interfere with the agenda of the Senate as we go into the last four months of the session. There is a remote chance that the bill could be considered under the unanimous consent process, but that has a high potential for being blocked for political reasons having nothing to do with the bill. This bill is much more likely to be added to a major bill (such as the upcoming NDAA) as part of the substitute language or as a floor amendment.