Space Force: AI shifts compliance measurement

The Space Force says artificial intelligence is changing cyber compliance from periodic paperwork to a live readout of system health. (cyberscoop.com) Seth Whitworth, the acting chief information security officer and acting Associate Deputy Chief of Space Operations for Cyber and Data, said April 14 that artificial intelligence tools are helping defenders review risk across individual systems and across the broader enterprise. He spoke at AI Talks, an event presented by Scoop News Group. (cyberscoop.com) (aitalks.upgather.com) Whitworth said the service’s process for Authorities to Operate and related security certifications used to take three to 18 months and now “can now be done in weeks and days.” He said program managers can pull in large volumes of data and use artificial intelligence to spot patterns that inform real-time cybersecurity changes. (cyberscoop.com) An Authority to Operate is the formal approval that lets a system run after a risk review. The Defense Department’s 2022 continuous authorization memo said the old model focused too heavily on getting that approval once and not enough on monitoring risk after the approval was granted. (media.defense.gov) That memo called for “real-time or near real-time” security analytics, continuous monitoring of controls, and a dashboard that lets authorizing officials make real-time risk decisions. A March 21, 2024 implementation guide added a section on continuous authorization metrics, putting measurement at the center of the process. (media.defense.gov) (dodcio.defense.gov) The Space Force has been building toward that model in parallel with a broader push on data and artificial intelligence. In May 2024, the service published a Data and Artificial Intelligence Strategic Action Plan that called for “modern, adaptive, and agile” data and analytics across the enterprise. (spaceforce.mil) Its acquisition arm, Space Systems Command, also said in March 2024 that it was developing zero trust architecture from ground systems to satellites. That approach relies on continuous verification using real-time information from multiple sources rather than assuming any user or device is already trusted. (ssc.spaceforce.mil) The Pentagon’s October 2022 Zero Trust Strategy set the department-wide backdrop for that work and targeted fiscal year 2027 for implementation activities across the department. The strategy said perimeter defenses alone were no longer enough and described zero trust as a “never trust, always verify” model. (dodcio.defense.gov) (war.gov) Whitworth said he still gives artificial intelligence output “extra scrutiny” because he has not yet seen trusted validation, and he cited concerns including hallucinations and data poisoning. But he also said the tools give him a more useful picture of enterprise-wide cyber risk than narrow control assessments of single systems. (cyberscoop.com) The immediate change is not that compliance disappears. It is that the Space Force is trying to measure whether controls are actually working, with telemetry and dashboards feeding decisions in weeks, days, or near real time instead of waiting for the next certification cycle. (cyberscoop.com) (media.defense.gov)