[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3404 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 3404
To require a report on Federal support to the cybersecurity of
commercial satellite systems, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 9, 2025
Mr. Peters (for himself and Mr. Cornyn) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To require a report on Federal support to the cybersecurity of
commercial satellite systems, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Satellite Cybersecurity Act of
2025''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Appropriate congressional committees.--The term
``appropriate congressional committees'' means--
(A) the Committee on Commerce, Science, and
Transportation and the Committee on Homeland Security
and Governmental Affairs of the Senate; and
(B) the Committee on Energy and Commerce, the
Committee on Space, Science, and Technology, and the
Committee on Homeland Security of the House of
Representatives.
(2) Clearinghouse.--The term ``clearinghouse'' means the
commercial satellite system cybersecurity clearinghouse
required to be developed and maintained under section 4(b)(1).
(3) Commercial satellite system.--The term ``commercial
satellite system''--
(A) means a system that--
(i) is owned or operated by a non-Federal
entity that holds a license issued by the
United States for business operations; and
(ii) is composed of not less than 1 earth
satellite; and
(B) includes--
(i) any ground support infrastructure for
each satellite in the system; and
(ii) any transmission link among and
between any satellite in the system and any
ground support infrastructure in the system.
(4) Critical infrastructure.--The term ``critical
infrastructure'' has the meaning given the term in subsection
(e) of the Critical Infrastructure Protection Act of 2001 (42
U.S.C. 5195c(e)).
(5) Cybersecurity risk.--The term ``cybersecurity risk''
has the meaning given the term in section 2200 of the Homeland
Security Act of 2002 (6 U.S.C. 650).
(6) Cybersecurity threat.--The term ``cybersecurity
threat'' has the meaning given the term in section 2200 of the
Homeland Security Act of 2002 (6 U.S.C. 650).
(7) Secretary.--The term ``Secretary'' means the Secretary
of Commerce.
SEC. 3. REPORT ON COMMERCIAL SATELLITE CYBERSECURITY.
(a) Study.--The Comptroller General of the United States shall
conduct a study on the actions the Federal Government has taken to
support the cybersecurity of commercial satellite systems, including as
part of any action to address the cybersecurity of critical
infrastructure sectors.
(b) Report.--Not later than 2 years after the date of enactment of
this Act, the Comptroller General of the United States shall report to
the appropriate congressional committees on the study conducted under
subsection (a), which shall include information--
(1) on efforts of the Federal Government, and the
effectiveness of those efforts, to--
(A) address or improve the cybersecurity of
commercial satellite systems; and
(B) support related efforts with international
entities or the private sector;
(2) on the resources made available to the public by
Federal agencies to address cybersecurity risks and threats to
commercial satellite systems, including resources made
available through the clearinghouse;
(3) on the extent to which commercial satellite systems are
reliant on, or relied on by, critical infrastructure;
(4) that includes an analysis of how commercial satellite
systems and the threats to those systems are integrated into
Federal and non-Federal critical infrastructure risk analyses
and protection plans;
(5) on the extent to which Federal agencies are reliant on
commercial satellite systems and how Federal agencies mitigate
cybersecurity risks associated with those systems;
(6) on the extent to which Federal agencies are reliant on
commercial satellite systems that are owned wholly or in part
or controlled by foreign entities, or that have infrastructure
in foreign countries, and how Federal agencies mitigate
associated cybersecurity risks;
(7) on the extent to which Federal agencies coordinate or
duplicate authorities and take other actions focused on the
cybersecurity of commercial satellite systems; and
(8) as determined appropriate by the Comptroller General of
the United States, that includes recommendations for further
Federal action to support the cybersecurity of commercial
satellite systems, including recommendations on information
that should be shared through the clearinghouse.
(c) Consultation.--In carrying out subsections (a) and (b), the
Comptroller General of the United States shall coordinate with
appropriate Federal agencies and organizations, including--
(1) the Department of Commerce;
(2) the Office of the National Cyber Director;
(3) the Department of Homeland Security;
(4) the Department of Defense;
(5) the Department of Transportation;
(6) the Federal Communications Commission;
(7) the National Aeronautics and Space Administration;
(8) the National Executive Committee for Space-Based
Positioning, Navigation, and Timing;
(9) the National Space Council;
(10) the Department of Justice; and
(11) the Committee for the Assessment of Foreign
Participation in the United States Telecommunications Services
Sector.
(d) Briefing.--Not later than 2 years after the date of enactment
of this Act, the Comptroller General of the United States shall provide
a briefing to the appropriate congressional committees on the study
conducted under subsection (a).
(e) Classification.--The report made under subsection (b) shall be
unclassified but may include a classified annex.
SEC. 4. RESPONSIBILITIES OF THE DEPARTMENT OF COMMERCE.
(a) Small Business Concern Defined.--In this section, the term
``small business concern'' has the meaning given the term in section 3
of the Small Business Act (15 U.S.C. 632).
(b) Establishment of Commercial Satellite System Cybersecurity
Clearinghouse.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Secretary, in coordination with the
Chair of the Federal Communications Commission and the Director
of the Cybersecurity and Infrastructure Security Agency, shall
develop and maintain a commercial satellite system
cybersecurity clearinghouse.
(2) Requirements.--The clearinghouse--
(A) shall be publicly available online;
(B) shall contain publicly available commercial
satellite system cybersecurity resources, including the
voluntary recommendations consolidated under subsection
(c)(1);
(C) shall contain appropriate materials for
reference by entities that develop, operate, or
maintain commercial satellite systems;
(D) shall contain materials specifically aimed at
assisting small business concerns with the secure
development, operation, and maintenance of commercial
satellite systems; and
(E) may contain controlled unclassified information
distributed to commercial entities through a process
determined appropriate by the Secretary.
(3) Content maintenance.--The Secretary shall maintain
current and relevant cybersecurity information on the
clearinghouse.
(4) Existing platform or website.--To the extent
practicable, the Secretary shall establish and maintain the
clearinghouse using an online platform, a website, or a
capability in existence as of the date of enactment of this
Act.
(c) Consolidation of Commercial Satellite System Cybersecurity
Recommendations.--
(1) In general.--The Secretary, in coordination with the
Secretary of Homeland Security, shall consolidate voluntary
cybersecurity recommendations designed to assist in the
development, maintenance, and operation of commercial satellite
systems.
(2) Requirements.--The recommendations consolidated under
paragraph (1) shall include materials appropriate for a public
resource addressing, to the greatest extent practicable, the
following:
(A) Risk-based, cybersecurity-informed engineering,
including continuous monitoring and resiliency.
(B) Planning for retention or recovery of positive
control of commercial satellite systems in the event of
a cybersecurity incident.
(C) Protection against unauthorized access to vital
commercial satellite system functions.
(D) Physical protection measures designed to reduce
the vulnerabilities of a commercial satellite system's
command, control, and telemetry receiver systems.
(E) Protection against jamming, eavesdropping,
hijacking, computer network exploitation, spoofing,
threats to optical satellite communications, and
electromagnetic pulse.
(F) Security against threats throughout a
commercial satellite system's mission lifetime.
(G) Management of supply chain risks that affect
the cybersecurity of commercial satellite systems.
(H) Protection against vulnerabilities posed by
ownership of commercial satellite systems or commercial
satellite system companies by foreign entities.
(I) Protection against vulnerabilities posed by
locating physical infrastructure, such as satellite
ground control systems, in foreign countries.
(J) As appropriate, and as applicable pursuant to
the maintenance requirement under subsection (b)(3),
relevant findings and recommendations from the study
conducted by the Comptroller General of the United
States under section 3(a).
(K) Any other recommendations to ensure the
confidentiality, availability, and integrity of data
residing on or in transit through commercial satellite
systems.
(d) Implementation.--In implementing this section, the Secretary
shall--
(1) to the extent practicable, carry out the implementation
in partnership with the private sector;
(2) coordinate with--
(A) the Secretary of Homeland Security, the Office
of the National Cyber Director, the National Space
Council, the Chair of the Federal Communications
Commission, and the head of any other agency determined
appropriate by the Office of the National Cyber
Director or the National Space Council; and
(B) the heads of appropriate Federal agencies with
expertise and experience in satellite operations,
including the entities described in section 3(c) to
enable the alignment of Federal efforts on commercial
satellite system cybersecurity and, to the extent
practicable, consistency in Federal recommendations
relating to commercial satellite system cybersecurity;
and
(3) consult with non-Federal entities developing commercial
satellite systems or otherwise supporting the cybersecurity of
commercial satellite systems, including private, consensus
organizations that develop relevant standards.
(e) Report.--Not later than 1 year after the date of enactment of
this Act, and every 2 years thereafter until the date that is 9 years
after the date of enactment of this Act, the Secretary shall submit to
the appropriate congressional committees a report summarizing--
(1) any partnership with the private sector described in
subsection (d)(1);
(2) any consultation with a non-Federal entity described in
subsection (d)(3);
(3) the coordination carried out pursuant to subsection
(d)(2);
(4) the establishment and maintenance of the clearinghouse
pursuant to subsection (b);
(5) the recommendations consolidated pursuant to subsection
(c)(1); and
(6) any feedback received by the Secretary on the
clearinghouse from non-Federal entities.
SEC. 5. STRATEGY.
Not later than 120 days after the date of the enactment of this
Act, the Secretary, jointly with the National Space Council and the
Office of the National Cyber Director, in coordination with the
Secretary of Homeland Security, the Director of the Office of Space
Commerce, the Chair of the Federal Communications Commission, and the
heads of other relevant agencies, shall submit to the appropriate
congressional committees a strategy for the activities of Federal
agencies to address and improve the cybersecurity of commercial
satellite systems, which shall include an identification of--
(1) proposed roles and responsibilities for relevant
agencies; and
(2) as applicable, the extent to which cybersecurity
threats to such systems are addressed in Federal and non-
Federal critical infrastructure risk analyses and protection
plans.
SEC. 6. RULES OF CONSTRUCTION.
Nothing in this Act shall be construed to--
(1) designate commercial satellite systems or other space
assets as a critical infrastructure sector; or
(2) infringe upon or alter the authorities of the agencies
described in section 3(c).
<all>