Satellite Cybersecurity Act of 2025

The term appropriate congressional committees means—

(A) the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(B) the Committee on Energy and Commerce, the Committee on Space, Science, and Technology, and the Committee on Homeland Security of the House of Representatives.

The term clearinghouse means the commercial satellite system cybersecurity clearinghouse required to be developed and maintained under section 4(b)(1).

The term commercial satellite system —

(A) means a system that—

(i) is owned or operated by a non-Federal entity that holds a license issued by the United States for business operations; and

(ii) is composed of not less than 1 earth satellite; and

(B) includes—

(i) any ground support infrastructure for each satellite in the system; and

(ii) any transmission link among and between any satellite in the system and any ground support infrastructure in the system.

The term critical infrastructure has the meaning given the term in subsection (e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c(e)).

The term cybersecurity risk has the meaning given the term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

The term cybersecurity threat has the meaning given the term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

The term Secretary means the Secretary of Commerce.

The Comptroller General of the United States shall conduct a study on the actions the Federal Government has taken to support the cybersecurity of commercial satellite systems, including as part of any action to address the cybersecurity of critical infrastructure sectors.

Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall report to the appropriate congressional committees on the study conducted under subsection (a), which shall include information—

(1) on efforts of the Federal Government, and the effectiveness of those efforts, to—

(A) address or improve the cybersecurity of commercial satellite systems; and

(B) support related efforts with international entities or the private sector;

(2) on the resources made available to the public by Federal agencies to address cybersecurity risks and threats to commercial satellite systems, including resources made available through the clearinghouse;

(3) on the extent to which commercial satellite systems are reliant on, or relied on by, critical infrastructure;

(4) that includes an analysis of how commercial satellite systems and the threats to those systems are integrated into Federal and non-Federal critical infrastructure risk analyses and protection plans;

(5) on the extent to which Federal agencies are reliant on commercial satellite systems and how Federal agencies mitigate cybersecurity risks associated with those systems;

(6) on the extent to which Federal agencies are reliant on commercial satellite systems that are owned wholly or in part or controlled by foreign entities, or that have infrastructure in foreign countries, and how Federal agencies mitigate associated cybersecurity risks;

(7) on the extent to which Federal agencies coordinate or duplicate authorities and take other actions focused on the cybersecurity of commercial satellite systems; and

(8) as determined appropriate by the Comptroller General of the United States, that includes recommendations for further Federal action to support the cybersecurity of commercial satellite systems, including recommendations on information that should be shared through the clearinghouse.

In carrying out subsections (a) and (b), the Comptroller General of the United States shall coordinate with appropriate Federal agencies and organizations, including—

(1) the Department of Commerce;

(2) the Office of the National Cyber Director;

(3) the Department of Homeland Security;

(4) the Department of Defense;

(5) the Department of Transportation;

(6) the Federal Communications Commission;

(7) the National Aeronautics and Space Administration;

(8) the National Executive Committee for Space-Based Positioning, Navigation, and Timing;

(9) the National Space Council;

(10) the Department of Justice; and

(11) the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.

Not later than 2 years after the date of enactment of this Act, the Comptroller General of the United States shall provide a briefing to the appropriate congressional committees on the study conducted under subsection (a).

The report made under subsection (b) shall be unclassified but may include a classified annex.

In this section, the term small business concern has the meaning given the term in section 3 of the Small Business Act (15 U.S.C. 632).

Not later than 180 days after the date of enactment of this Act, the Secretary, in coordination with the Chair of the Federal Communications Commission and the Director of the Cybersecurity and Infrastructure Security Agency, shall develop and maintain a commercial satellite system cybersecurity clearinghouse.

The clearinghouse—

(A) shall be publicly available online;

(B) shall contain publicly available commercial satellite system cybersecurity resources, including the voluntary recommendations consolidated under subsection (c)(1);

(C) shall contain appropriate materials for reference by entities that develop, operate, or maintain commercial satellite systems;

(D) shall contain materials specifically aimed at assisting small business concerns with the secure development, operation, and maintenance of commercial satellite systems; and

(E) may contain controlled unclassified information distributed to commercial entities through a process determined appropriate by the Secretary.

The Secretary shall maintain current and relevant cybersecurity information on the clearinghouse.

To the extent practicable, the Secretary shall establish and maintain the clearinghouse using an online platform, a website, or a capability in existence as of the date of enactment of this Act.

The Secretary, in coordination with the Secretary of Homeland Security, shall consolidate voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems.

The recommendations consolidated under paragraph (1) shall include materials appropriate for a public resource addressing, to the greatest extent practicable, the following:

(A) Risk-based, cybersecurity-informed engineering, including continuous monitoring and resiliency.

(B) Planning for retention or recovery of positive control of commercial satellite systems in the event of a cybersecurity incident.

(C) Protection against unauthorized access to vital commercial satellite system functions.

(D) Physical protection measures designed to reduce the vulnerabilities of a commercial satellite system’s command, control, and telemetry receiver systems.

(E) Protection against jamming, eavesdropping, hijacking, computer network exploitation, spoofing, threats to optical satellite communications, and electromagnetic pulse.

(F) Security against threats throughout a commercial satellite system’s mission lifetime.

(G) Management of supply chain risks that affect the cybersecurity of commercial satellite systems.

(H) Protection against vulnerabilities posed by ownership of commercial satellite systems or commercial satellite system companies by foreign entities.

(I) Protection against vulnerabilities posed by locating physical infrastructure, such as satellite ground control systems, in foreign countries.

(J) As appropriate, and as applicable pursuant to the maintenance requirement under subsection (b)(3), relevant findings and recommendations from the study conducted by the Comptroller General of the United States under section 3(a).

(K) Any other recommendations to ensure the confidentiality, availability, and integrity of data residing on or in transit through commercial satellite systems.

In implementing this section, the Secretary shall—

(1) to the extent practicable, carry out the implementation in partnership with the private sector;

(2) coordinate with—

(A) the Secretary of Homeland Security, the Office of the National Cyber Director, the National Space Council, the Chair of the Federal Communications Commission, and the head of any other agency determined appropriate by the Office of the National Cyber Director or the National Space Council; and

(B) the heads of appropriate Federal agencies with expertise and experience in satellite operations, including the entities described in section 3(c) to enable the alignment of Federal efforts on commercial satellite system cybersecurity and, to the extent practicable, consistency in Federal recommendations relating to commercial satellite system cybersecurity; and

(3) consult with non-Federal entities developing commercial satellite systems or otherwise supporting the cybersecurity of commercial satellite systems, including private, consensus organizations that develop relevant standards.

Not later than 1 year after the date of enactment of this Act, and every 2 years thereafter until the date that is 9 years after the date of enactment of this Act, the Secretary shall submit to the appropriate congressional committees a report summarizing—

(1) any partnership with the private sector described in subsection (d)(1);

(2) any consultation with a non-Federal entity described in subsection (d)(3);

(3) the coordination carried out pursuant to subsection (d)(2);

(4) the establishment and maintenance of the clearinghouse pursuant to subsection (b);

(5) the recommendations consolidated pursuant to subsection (c)(1); and

(6) any feedback received by the Secretary on the clearinghouse from non-Federal entities.

(1) proposed roles and responsibilities for relevant agencies; and

(2) as applicable, the extent to which cybersecurity threats to such systems are addressed in Federal and non-Federal critical infrastructure risk analyses and protection plans.

(1) designate commercial satellite systems or other space assets as a critical infrastructure sector; or

(2) infringe upon or alter the authorities of the agencies described in section 3(c).