Aerospace TechBlog

The official technical blog of The Aerospace Corporation. Visit us at aerospace.org.

SPARTA v3.0 — What’s New?

Apr 15, 2025

Authors: Brandon Bailey, Brad Roeher, and Randi Tinney

The SPARTA framework continues to evolve, and with the release of SPARTA v3.0, we’re introducing a suite of powerful new features designed to further support our users’ missions. Thanks to feedback from our engaged user base, we’re able to identify the most commonly requested features and improvements for SPARTA and act on those. This update marks the completion of the single most requested feature since we launched SPARTA, as well as a handful of other noteworthy additions, including:

  • Created new Indicators of Behavior (IOBs), specifically designed to address the unique challenges of monitoring onboard activity, providing a proactive approach to detecting suspicious behaviors and emerging threats. These IOBs are something the community has been seeking for years, so we are thrilled to launch this initial set. All of the indicators are mapped to SPARTA techniques to further support tracking/reporting across the space enterprise.
  • Added a new Space System Cybersecurity Questionnaire to help organizations evaluate their cybersecurity practices.
  • Integrated Common Weakness Enumeration (CWE) class mappings to SPARTA techniques.
  • Aligned the spacecraft decomposition with NIST SP 800-160 Vol. 1 and 2 principles.
  • Made improvements to technique and countermeasure names to streamline automation and avoid collisions within certain tools/workflows.
  • General bug fixes and aesthetic updates to the graphical user interface (GUI) to enhance usability.

Continue reading for a closer look at each of these new features and explore how they can help you enhance threat detection, resilience, and overall security for your space system.

Onboard Indicators of Behavior (IOBs)

SPARTA v3.0 introduces Indicators of Behavior (IOBs), the first-ever comprehensive documentation of behavioral patterns that may indicate malicious activity on spacecraft. Funded by the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, this effort delivers a proactive approach to threat detection by identifying deviations from expected spacecraft behavior, rather than relying solely on known signatures.

Each IOB was created and then mapped to SPARTA techniques and documented using the Structured Threat Information Expression (STIX) format to support detection development, particularly for onboard intrusion detection systems (IDSs). To enhance usability, IOBs are organized into 10 mission-relevant categories, such as unauthorized command execution, encryption misuse, sensor manipulation, and more. These IOBs serve as a foundational baseline, and future releases will continue to expand and refine this work as threats evolve. This is a major development that required extensive work that cannot be articulated here for the sake of brevity. A more comprehensive deep dive into the IOBs is available in a dedicated article.

Space System Cybersecurity Questionnaire

To further support threat-informed risk assessments, SPARTA v3.0 introduces a new resource: the Space System Cybersecurity Questionnaire. This tool is designed to help organizations evaluate how well they are addressing cybersecurity across the entire space system (i.e., space, ground, and user segments). Rather than using rigid checklists or numeric scoring, this questionnaire presents open-ended, narrative-driven questions that encourage thoughtful reflection on current cybersecurity practices. The responses should capture nuanced implementation details and design considerations that may not surface through traditional compliance-based audits.

The questionnaire was developed using industry best practices and threat-informed insights from The Aerospace Corporation’s TOR-2021-01333 REV A and the SPARTA framework. Each question was carefully crafted to address specific threats and high-risk techniques, particularly those identified through SPARTA’s Notional Risk Scores (NRS). Informative references accompany each question to tie responses back to concrete threat vectors, SPARTA techniques, or example countermeasures. These references give evaluators context for why a question is being asked and help link the organization’s answers to known cybersecurity risks and defenses.

Because responses are narrative and not bound to a rigid scoring model, it is recommended that experienced cybersecurity subject matter experts (SMEs) compose or interpret the responses. Responses may vary significantly depending on the SME’s expertise, system-specific context, and familiarity with the threat landscape. However, this flexibility is also a strength because it allows evaluators to uncover gaps, strengths, and inconsistencies that rigid frameworks might overlook.

The questionnaire addresses a wide range of topics, including:

  • Command link protection and replay resilience
  • Insider threat strategies and telemetry anomaly logging
  • Key management and secure software update validation
  • Ground-system segmentation and space-segment subsystem isolation
  • Secure-by-design principles, such as least privilege, defense in depth, and supply chain assurance

This questionnaire empowers organizations to self-assess their posture in a structured yet flexible manner, providing a baseline for internal evaluations or external reviews. It serves as both a conversation starter and a roadmap for developing a more resilient, mission-aware cybersecurity strategy. As with all components of SPARTA, this tool is grounded in real-world threats and practical engineering guidance, helping to bridge the gap between policy intent and implementation reality.

CWE Mapping: Bridging Weaknesses and Threats

The addition of CWE classes mapped to SPARTA techniques reflects our understanding that techniques fundamentally target weaknesses within spacecraft. CWE classes represent broad categories of software or hardware flaws that can be exploited. Mapping techniques to CWE classes allows us to establish a clear link between specific attack methods and the underlying weaknesses they exploit.

Those familiar with the CWE structure may notice the mapping was done at the CWE class level, as opposed to base weaknesses. This level of mapping was done to provide the right level of abstraction for understanding how adversarial methods operate. By aligning techniques with CWE classes, we capture the concept that techniques attack the absence or insufficiency of security practices, rather than a specific flaw that is essentially a manifestation of the CWE. This approach helps space system developers and engineers see how each technique could leverage general weaknesses within their systems, making it easier to implement countermeasures and/or secure-by-design principles and not rely solely on vulnerability patching.

In practice, this means that when a technique is identified, users can trace it back to the associated CWE class and understand which types of weaknesses are at risk of being targeted and exploited. This relationship guides both defensive planning and vulnerability assessment, helping teams prioritize mitigations that address the root causes of exploitation rather than just the symptoms. By integrating CWE classes into SPARTA techniques, we enable a more systematic and comprehensive approach to securing space systems against cyber threats.

As part of this work, we leveraged a prioritization approach using the Common Weakness Scoring System (CWSS). This process allowed us to evaluate and rank CWEs based on their relevance and impact within the context of a spacecraft. We used a customized CWSS model to emphasize the factors most critical to mission assurance: technical and mission impact, likelihood of exploitation, and confidence in the findings. The methodology considered whether the weakness could realistically be exploited, how severe the impact might be (leveraging CVSS metrics), and how often these weaknesses have been linked to known vulnerabilities (based on CVE associations). In general, CWSS should be applied to a specific system, but this prioritization was based on a generic exemplary spacecraft model.

Performing this analysis not only informed our CWE-to-technique mappings, but also created a risk-based lens through which secure-by-design principles could be derived via NIST SP 800-160 Volume 1 and Volume 2.

NIST SP 800-160 Integration

SPARTA v3.0 features the integration of NIST SP 800-160 Volume 1 and Volume 2 into our spacecraft threat modeling approach. Volume 1 focuses on systems security engineering, while Volume 2 emphasizes cyber resiliency. We applied these principles directly to our spacecraft decomposition for the spacecraft bus, mapping SPARTA techniques to each subsystem and identifying the relevant threats that could affect the spacecraft bus components.

Further, we extended this effort by leveraging the CWE-to-technique mappings described previously. For each spacecraft component (command and data handling system, thermal control, propulsion, communications, etc.), we prioritized the most applicable CWE classes. This prioritized list of weaknesses was then used to guide which security and resiliency principles from NIST SP 800-160 should be applied during design for the spacecraft bus component. For instance, a component (e.g., flight software) with high-risk race condition weaknesses (CWE-362) might call for the following resilience techniques per Volume 2: Attribute-based Usage Restriction, Predefined Segmentation, Dynamic Resource Awareness, or Integrity Checks.

SPARTA now contains this system-by-system decomposition of the spacecraft that not only highlights applicable SPARTA techniques but also brings forward a prioritized set of weaknesses to defend against. These are directly tied to secure-by-design and resilient-by-design principles, giving engineers guidance to architect each spacecraft component with built-in protections. This integration of threat information via techniques, known weaknesses, and trusted design practices offers a first-of-its-kind blueprint for designing components of a spacecraft that are secure and resilient from the ground up. While not a one-size-fits-all solution, this framework provides an invaluable starting point that streamlines design efforts by aligning threat-informed engineering with proven design principles. Engineers are still expected to down-select and tailor the appropriate security and resiliency techniques based on mission-specific constraints, but much of the foundational threat modeling work has already been done by the SPARTA community to accelerate secure system development.

Final Enhancements in SPARTA v3.0

Several updates were made to further improve usability, automation, and technical relevance:

  • Added new techniques focused on Space Domain Awareness (SDA), a growing area of concern as space becomes more congested and contested. These techniques highlight how adversaries might exploit gaps in orbital monitoring, proximity operations, or constellation visibility to gain an operational advantage, bringing cybersecurity and SDA into tighter alignment.
  • Refined the naming of several techniques and countermeasures to support more seamless integration with automated tooling and reduce friction in data pipelines. These updates were made specifically to eliminate name collisions, improve pattern clarity, and enhance STIX-compatible automation workflows used for threat sharing, detection logic, and analysis platforms. Previously, techniques from different parent tactics that had the same title were creating difficulties in some tooling across the user base.
  • SPARTA’s GUI received a series of improvements to enhance clarity, usability, and navigation for both first-time users and seasoned analysts. These changes reflect feedback from the community and align with our goal of making SPARTA not just technically robust but also user-friendly and accessible.
  • Released the latest STIX v3.0 bundle, which reflects all updated techniques, mappings, and indicators to include the newly introduced IOBs. This ensures that users integrating SPARTA into their cyber-tooling ecosystems have access to the most current, machine-readable threat data.
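Added example, not code from SPARTA or the original post: one way tooling that consumes a STIX bundle can index techniques by STIX id rather than by title, so two techniques that share a title under different tactics stay distinct, and then resolve which technique an indicator points at. It assumes STIX 2.1 `attack-pattern`, `indicator` and `relationship` (`indicates`) objects; the bundle contents, names and `TECH-*` ids are constructed placeholders, and the layout of the actual SPARTA bundle may differ.

```python
from collections import defaultdict

def stix_id(kind, n):  # deterministic placeholder STIX ids (constructed)
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

def technique(n, name, ext_id, tactic):
    return {"type": "attack-pattern", "id": stix_id("attack-pattern", n), "name": name,
            "external_references": [{"source_name": "example", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "example", "phase_name": tactic}]}

# Constructed sample: every id, name and external_id is a placeholder, not SPARTA data.
SAMPLE = {"type": "bundle", "id": stix_id("bundle", 1), "objects": [
    technique(1, "Example Technique", "TECH-A", "tactic-one"),
    technique(2, "Example Technique", "TECH-B", "tactic-two"),  # same title, other tactic
    technique(3, "Other Technique", "TECH-C", "tactic-one"),
    {"type": "indicator", "id": stix_id("indicator", 1), "name": "Example IOB",
     "pattern_type": "stix", "pattern": "[x-example:field = 'value']"},
    {"type": "relationship", "id": stix_id("relationship", 1), "relationship_type": "indicates",
     "source_ref": stix_id("indicator", 1), "target_ref": stix_id("attack-pattern", 2)},
]}

def index_bundle(bundle):
    """Return (objects keyed by STIX id, {title: [ids]} for titles used by >1 technique)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    names = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "attack-pattern":
            names[o["name"]].append(o["id"])
    return by_id, {n: ids for n, ids in names.items() if len(ids) > 1}

def external_id(obj):
    refs = obj.get("external_references", [])
    return next((r["external_id"] for r in refs if "external_id" in r), None)

def indicator_techniques(bundle):
    """Map each indicator name to the external ids of the techniques it 'indicates'."""
    by_id, _ = index_bundle(bundle)
    out = defaultdict(list)
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        # Dangling or mistyped references are skipped rather than guessed.
        if src and dst and src["type"] == "indicator" and dst["type"] == "attack-pattern":
            out[src["name"]].append(external_id(dst))
    return dict(out)

if __name__ == "__main__":
    print(index_bundle(SAMPLE)[1], indicator_techniques(SAMPLE))
```

A title-keyed dictionary over the same sample would hold two entries for three techniques, which is the collision case the naming changes address.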

These updates round out SPARTA v3.0 as the most complete and operationally aligned release to date, bringing together threat intelligence, vulnerability mapping, secure-by-design principles, and actionable artifacts to help defend today’s space missions. As always, we’ll continue to evolve SPARTA as the threat landscape shifts and community needs grow.
