[MUSIC] Today is Monday, April 7th, 2025. I'm Maria Varmazis. Hi from Space Symposium, and this is T-minus. [MUSIC] The first pressurized module and one of two foundational elements for NASA's Gateway has arrived in Arizona. >> Four. >> Amazon's project Kuiper is due to launch the first batch of operational satellites on April 9th. >> Three. >> A US Senate committee will hold a hearing on Jared Isakman's nomination to be NASA administrator on April 9th. >> Two. >> EtherFlux has raised $50 million in a Series A funding round. >> One. >> US Space Systems Command has awarded three national security space launch contracts, the SpaceX, ULA, and Blue Origin. [MUSIC] And AGIS Space Law will be bringing you their latest segment on Space Law 101. And today they're tackling cybersecurity regulations required for US federal contracts. It's a very informative chat, so we hope you'll stick around for that after today's headlines. [MUSIC] >> Happy Monday everybody from a sunny Colorado Springs. And N2K is at the space symposium this week to cover the event and to record AWS in orbit episodes. And if you're here, we hope you'll come by the AWS booth tomorrow morning from 9 a.m. local time to see us in action. We are in the North Hall at booth 1036. Let's get onto today's headlines then, shall we? Late last week, Reuters broke the news that SpaceX, United Launch Alliance, and Blue Origin were selected to receive contracts worth billions of dollars from the US Space Force's Space Systems Command for National Security Space launches. SpaceX has been awarded $5.92 billion, ULA $5.37 billion, and Blue Origin $2.39 billion. Whoa. The firm fixed price and definite delivery contracts cover the procurement of critical space support aimed at meeting national security objectives. This includes launch services, specialized mission services, accelerated mission support, rapid response and anomaly mitigation, special studies, launch service support, fleet monitoring, early integration studies, and mission assessment. Just about soup to nuts on that. Under SpaceX's contract, the company will serve as the requirement one provider and will receive 28 missions. ULA will be the requirement two provider and is expected to secure 19 missions. Both companies will conduct phase three lane two missions from fiscal year 2025 to 2029. Blue Origin, meanwhile, is expected to get seven missions starting in order year two as the requirement three provider. Who said there's no money in space, huh? Speaking of which, renewable energy company, Ether Flux has raised $50 million in a series A funding round. The company is working towards making space solar power a reality. In the past few months, they've been awarded government funding, grew the team and demonstrated power transmission in their lab. The company has now raised a total of $60 million. They say the new capital will be used to focus the mission, supporting the United States Department of Defense's complex energy challenges. We've got lots of big events happening this week and not just at Space Symposium. Firstly, the Senate Commerce, Science and Transportation Committee will hold a hearing on Jared Isakman's nomination to be NASA Administrator on April 9th. If confirmed, he will be the agency's 15th administrator. U.S. President Trump announced his intention to nominate the SpaceX astronaut in December. Reminder that Jared Isakman is a billionaire entrepreneur who has made two trips to orbit on Elon Musk's Crew Dragon spacecraft with more planned. In April, a group of 28 former NASA astronauts announced their support for Isakman in an open letter to the Senate. The letter stated that, "Jarrod has a genuine passion for space exploration and will bring a renewed energy and sense of purpose to NASA. And we will bring you more on that story later this week." Also expected this week, Amazon's Project Kuiper is due to launch the first batch of operational satellites on Wednesday. The mission named KA-01 for Kuiper Atlas I will see United Launch Alliance send 27 Kuiper satellites into low-Earth orbit from Cape Canaveral. Project Kuiper is expected to rival SpaceX's Starlink. The constellation will include more than 3,200 advanced low-Earth orbit satellites, and Amazon has secured more than 80 launches to deploy that initial constellation, with each one adding dozens of satellites to the network. The first pressurized module and one of two foundational elements for NASA's Gateway has arrived in Arizona last week. The Halo, which stands for Habitation and Logistics Outpost, is in the United States fresh off a transatlantic journey from Telus Alenia Space in Turin, Italy. The structure will undergo final outfitting at North of Grumman's Integration and Test Facility in Gilbert, before being integrated with Gateway's Power and Propulsion Element at NASA's Kennedy Space Center in Florida. Pair of modules will eventually launch together on a SpaceX Falcon Heavy rocket. And that's it for today's headlines. If you'd like to read more about any of the stories that I've mentioned, be sure to check them out in your show notes or over at space.ntuk.com. Hi, T-Minus Crew. If you would like daily updates from us directly in your LinkedIn feed, be sure to follow the official N2K T-Minus page over on LinkedIn. And if you're more interested in the lighter side of what we do here, we are @tminusdaily on Instagram. And that's where we're going to be posting a lot of behind-the-scenes videos from our time here at Space Symposium this week. So be sure to join us there. Links are in the show notes for you. Our partners at Aegis Space Law are tackling cyber security and space law in today's segment. We're back to talk about more space law. I'm Bailey Reichelt. I'm a partner and co-founder at Aegis Space Law. I'm here with my co-founder Jack Shelton. And we actually have a special guest, Ryan Bonner, CEO of DevCert, and friend of the firm, because we often find ourselves calling him to ask cyber security questions. Because as it turns out, if you're going to work in a highly regulated industry, cyber security is going to be part of those many regulations you're talking about. Ryan, do you want to give a bit of an introduction of yourself and what DevCert does? Sure. As you mentioned, we're doing a lot of work with organizations in the defense industrial base. And obviously, there's a big overlap there with the space industry. And so a lot of our efforts with different startups and existing defense contractors is really just applying a lot of the regulations that have to do with data safeguarding, data confidentiality that are buried somewhere down in contract clauses or in other places and bringing those up to the surface and helping implement them so that as industry moves towards more of a certification or third party assessment style of verification for these requirements, that no one's really caught in a spot where they can't participate or can't get an award. So the way that this normally comes up for us is we will get a new client in and they'll either want to be a US government contractor, whether it's defense or otherwise, maybe even NASA, or they will already be working with the government, either a prime or they're a subcontractor. And this gets flowed down to them. Cyber security provisions get flowed down to them. And federal acquisition regulations or the defense federal acquisition regulation supplements, FAR or DFARS. And sometimes companies don't always read all those flowdowns and they certainly don't look them all up to know what they mean when they sign up more than when they register in SAM. I don't know if you've ever seen that, but it turns out some people don't read all of those. And so one of the questions we often ask, especially if we're setting someone up, is, hey, did you know about these cybersecurity requirements, depending on your contract type, is kind of how onerous they are, and what it really takes to meet them. And we'll talk about that often alongside export controls, because that's going to be a flowdown as well. And we're going to explain to them, hey, you're a US company, you're subject to US export controls, but now you're looking to register to work with the government or accept a government contract, you are also going to have this thing you now have to deal with called controlled unclassified information. And there can be a link between export controls and CUI. Ryan, what do you normally tell people when you hit that moment? How do you explain the CUI export conundrum? - Yeah, I think that it's important to help organizations understand that not all export controlled information is controlled unclassified information, but there's a really significant overlap in some key areas that are going to affect most contractors moving into this particular part of the defense industrial base. And so when we think about that overlap, your contract clauses under DFARS will talk about something called controlled technical information. And when you visit the DoD's registry for CUI, that's kind of their compendium of all of the things that act as a CUI authority, you'll find in that category, controlled technical information, things like the USML and 22 CFR for the ITAR, and then also EAR and things of that nature, the supplements and the commerce control lists, listed as authorities for controlled technical information. So it's sort of that moment in time where you're like, okay, these in the guise of a DoD contractor, the same thing. So probably the easiest way to help organizations who are first learning that, understand the interrelationship is, I can create export controlled information all the time in a normal course of business. That doesn't mean it's necessarily CUI, but when I start to generate that information as deliverables on a DoD contract, or I get that kind of information to inform contract performance, I'm handling CUI in that context. - Yeah, that's really good information to have. And I think maybe for some of our listeners who might be hearing this for the first time, there even might be some value in explaining kind of the different levels of cybersecurity and how this has evolved. It feels like it's been very much a moving target for a few years now. Can you summarize kind of how these obligations for cybersecurity have evolved for both DoD and non-DoD contracts? - Absolutely, I think we have to peer a little bit into the future and try to help, prospective contractors understand what is culminating now and what the future might look like a year or two from now. So if you weren't already a defense contractor, you might not be aware that these requirements to apply safeguards to CUI when receiving it or generating it on a contract, have been in place for quite a few years now, since 2017, sometimes even earlier than that. And so as a result, you have this established set of requirements, there's 110 security requirements you need to meet that, you know, the DoD already expects you've made significant progress on or are finished implementing. And so new contract clauses are being added. The nomenclature for the clause we're focused on is DFARS 252.204-7021 or the 7021 clause. That's a clause that now requires these contractors to be certified in some way in regards to how well they've implemented these requirements. So that program is called CMMC, the Cybersecurity Maturity Model Certification. It has three levels. If we're really having a focused conversation for the space industry, ignore the first level for now, because that is not really the focus for the kinds of information you might be dealing with early on in a contract. You wanna be focused on CMMC level two or three. Level two perfectly matches the existing contractual obligations you've had for CUI for years. That's just making sure that you've met the 110 requirements that are already in place and that you've already agreed to implement. And then level three is sort of an upgrade, additional requirements that are stipulated for organizations who might be handling more sensitive data or participating on a program that has high value assets. What that is remains to be seen and that's a decision made at a program level. So really we encourage a lot of organizations to focus down on level two in the near term future because that's always going to be relevant for organizations handling export control data on these contracts. And I think that there's some really simple ways to try and understand how quickly that becomes relevant for contractors. The clause itself, which is sort of what opens the floodgates here for space contractors is going to go into effect sometime this year. We don't know exactly when, but when that kicks in, there will be kind of like a one year interlude period, phase one of a phased rollout, where you don't absolutely need to have an on paper certification yet. But I'll tell you right now, 12 months is not a lot of time to get all of these requirements in place if you're moving into this industry for the first time. It'll be a concerted effort to get that knocked out before the second phase hits, which is a requirement to have a formal paper certification to even be eligible for awards. So we've got this window of opportunity we have to squeeze ourselves inside of if you're trying to move into this area or simply maintain your status as a space contractor within defense contracts. - Many people listening to this might be thinking, okay, Bailey mentioned the FAR and the DFARS and they're maybe thinking this only applies to like traditional federal government contracting. I work with a lot of companies that are applying for SBIR and STTR contracts, which are these set asides for small businesses to do research and development. And most of the application process associated with SBIRs and STTRs is streamlined. It's relatively simple process compared to traditional FAR contracting. Do companies applying for SBIRs and STTRs also have to abide by all of these regulations because they seem kind of onerous? - Yeah, the DOD has been very clear that there's no step down or reduction in difficulty if you are a small business. There's no real breaks they're gonna cut you for that. And so there's no way to easily reduce these requirements to make them easier or less owners for small organizations, they're just isn't. And so in light of that, organizations who are pursuing SBIRs or even participating on OTAs, other transactional authorities, they need to be aware of the fact that in some way, these requirements will apply to you. And so whether you can navigate this early on and not necessarily have the DFARS clauses that govern, CUI safeguarding applied directly to something like an SBIR is gonna be a case by case determination. But I'll tell you right now, we've seen the DFARS 7012 clause for CUI safeguarding written in or added onto agreements and contracts that wouldn't normally have it. And we also see just the same requirements just being written in as special instructions in an award as well. So there's really not any easy outs. And I would say that over time, you're not gonna see any carve outs or exemptions unless you have very specific waivers signed off on for particular contracts. And I just, I don't see a lot of that happening in the SIVIR space. - Well, let me give you a fact pattern. So imagine you've got, let's say, three young people who've just graduated university, they're starting up a company, they're all engineers. You know, it's just them and their laptops and their cell phones right now. Let's say that they, you know, rent a little office space and they're gonna get going and they see an opportunity for a SIVIR or SDTR grant or contract and they wanna go ahead and apply for it. But they don't have any cybersecurity in place right now other than maybe, you know, VPNs and some anti-virus on their computers. What do they need to do? And what is the timeline before they can actually start going after these kinds of contracts or grants? - Sure, so for a startup like that, I would advise them to mostly look into what we would call cloud native technologies that can be sold to you for like individual seat licenses that don't have big minimums so that you can get some of the security tools you might not normally be buying as a brand new startup. And so, you know, things like logging capabilities and like you said, endpoint protection, vulnerability management tools, these are things that you can acquire for not as much money. If you can look at something that's more cloud native, as far as the overall timelines and things like that, most organizations will need 12 to 18 months in order to implement all these requirements. And so we're actually encouraged by the fact that very, very small startups might be able to do this faster than existing more structured organizations because they have, you know, fewer computers to secure, fewer services to manage and maintain and a much smaller data footprint that they can hopefully shape early. Really helpful, Ryan. I kind of want to bring us full circle a little bit. We've been talking about Sibbers, specifically Sibbers coming out under DoD, but there are also Sibber programs that could come out like under NASA. I think NASA tipping point is a, that was a Sibber program as well. My understanding is the cybersecurity requirements, they're there under the FAR, but they're not as complicated or onerous as the ones under the DFARS. Is that accurate? It was, if we're continuing to peer into our crystal ball in the future, what we're seeing is a new proposed federal acquisition clause, a FAR clause that will be in all contracts, all federal contracts, including things like NASA or, you know, other major agencies. And it's going to require these same security requirements implemented across the board. So I think that the days of more lax requirements on the NASA side are starting to shrink and compress. And we're going to start to see third party verification kick in there as well. Thank you for coming on. And I just want to let everyone listening know cybersecurity is part of the space industry. And we hope that you just go ahead and embrace it because the stuff you're making is really cool and we have to protect it. (upbeat music) We'll be right back. Welcome back. They say old is gold. It's certainly true of music and fashion. So why not in space? Let's go back to 1958, shall we? And the often forgotten second satellites that the United States sent to space, Vanguard One. Where is it now? And would you be surprised? Maybe not, maybe. To find out that the Vanguard One micro satellite is indeed still up there. Actually, it just celebrated 67 years of circling our planet. Now it's no longer transmitting, of course, but it is still there like a time capsule in orbit. And a team that includes aerospace engineers, historians and writers have proposed some how-to options for an up-close look and possible retrieval of Vanguard One. It was the first satellite to generate power using solar cells. And now there is some interest in studying them. A flyby or even a possible retrieval could allow researchers to review the condition of the solar cells, batteries and metals, along with the record of micrometeorite or debris strikes over such a long time. The team have proposed the option of Vanguard One being placed into a lower orbit for retrieval or taken to the International Space Station to be repackaged for a ride to Earth. That's a really cool idea. We hope that whatever they do, they don't destroy what was obviously made to last. (upbeat music) That is it for T-Minus for April 7th, 2025, brought to you by N2K CyberWire. For additional resources from today's report, check out our show notes at space.n2k.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in this rapidly changing space industry. If you like the show, please share our rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to space@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Peltzman and Tre Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I am your host, Maria Varmazis. Thanks for listening. We'll see you tomorrow. (upbeat music) - T minus. - I'm done. (thunder rumbling) [MUSIC]
