Codify — Article

Satellite Cybersecurity Act of 2025: federal report and clearinghouse

Requires a Comptroller General study and creates a public clearinghouse to bolster cybersecurity for US commercial satellite systems.

The Brief

The Satellite Cybersecurity Act of 2025 directs the Comptroller General to study the federal actions that support the cybersecurity of commercial satellite systems, including links to critical infrastructure protection. It also requires the creation of a Commercial Satellite System Cybersecurity Clearinghouse, a publicly accessible online resource hosting voluntary guidance and reference materials for industry.

At a Glance

What It Does

The bill directs the Comptroller General to study federal actions to support satellite cybersecurity and to prepare a report within 2 years. It also requires the Secretary of Commerce to establish a Commercial Satellite System Cybersecurity Clearinghouse within 180 days and consolidate voluntary recommendations for industry use.

Who It Affects

US-licensed commercial satellite operators, ground-support providers, and federal agencies that rely on satellite services, plus private sector cybersecurity researchers and standards bodies.

Why It Matters

It creates a formal, centralized mechanism for sharing best practices and coordinating federal action to reduce cybersecurity risk across a critical, globally connected asset class.

What This Bill Actually Does

Definitions set the terms for what counts as a commercial satellite system, critical infrastructure, and the key players. The core of the bill is a two-pronged approach: a governmental study and a structured private-sector information-sharing framework.

First, the Comptroller General must assess what the government has done to support satellite cybersecurity and report back within two years, outlining effectiveness and gaps, including how these efforts interact with broader critical infrastructure work. Second, the Department of Commerce must stand up a Commercial Satellite System Cybersecurity Clearinghouse within 180 days.

This clearinghouse will host publicly available resources, voluntary recommendations, and materials to assist operators and small businesses in secure development, operation, and maintenance of satellite systems. The bill also directs consolidation of voluntary cybersecurity recommendations in coordination with Homeland Security and other agencies, and requires a strategy within 120 days laying out roles, responsibilities, and how cybersecurity threats are incorporated into federal and non-federal risk analyses.

The report authorized by the bill can include a classified annex, but the primary material is unclassified.

The Five Things You Need to Know

1. The Comptroller General must conduct a study on federal actions to support satellite cybersecurity and report within 2 years.
2. A Commercial Satellite System Cybersecurity Clearinghouse must be established within 180 days and be publicly accessible online.
3. The clearinghouse will host voluntary cybersecurity recommendations and reference materials for industry use.
4. The Secretary must coordinate with DHS, the National Cyber Director, Space Council, and FCC to consolidate recommendations.
5. A strategy identifying agency roles and integration with risk analyses must be delivered within 120 days.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2

Definitions

This section defines the key terms used in the act: what constitutes a commercial satellite system, the meaning of critical infrastructure for purposes of the bill, cybersecurity risk and threat definitions, the scope of the clearinghouse, and who is the Secretary (the Secretary of Commerce). It also identifies the “appropriate congressional committees” for reporting and oversight.

Section 3

Report on Commercial Satellite Cybersecurity

This section tasks the Comptroller General with conducting a study on federal steps to support satellite cybersecurity, including alignment with critical infrastructure actions. It requires a substantive report to the appropriate congressional committees within two years, detailing government efforts, resource allocations, reliance on foreign or foreign-owned systems, and integration into risk analyses and protection plans. The report may include a classified annex as needed.

Section 4

Responsibilities of the Department of Commerce

This section requires the Secretary to establish a commercial satellite system cybersecurity clearinghouse within 180 days, publicly available online, containing voluntary recommendations and reference materials for industry. It also directs ongoing maintenance of up-to-date resources, including materials tailored to small businesses, with possible controlled unclassified information distributed through appropriate channels.

Section 5

Strategy

This section obligates the Secretary, in coordination with the National Space Council and other agencies, to submit a strategy within 120 days outlining roles, responsibilities, and how cybersecurity threats are accounted for in federal and non-federal risk analyses related to satellite systems.

Section 6

Rules of Construction

This section clarifies that nothing in the act designates satellite systems as a standalone critical infrastructure sector and that authorities of the agencies described in Section 3(c) remain unchanged.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Licensed US-registered commercial satellite system operators and service providers, who gain clearer guidance and risk-mitigated operating environments.
  • Ground-support infrastructure entities that enable satellite operations and could benefit from standardized cybersecurity resources.
  • Federal agencies that rely on commercial satellites (e.g., Commerce, Homeland Security, DoD, NASA, FCC) through better risk awareness and coordinated strategies.
  • Private-sector cybersecurity firms and industry standards bodies that contribute to and benefit from consolidated best-practice materials.
  • Non-federal entities developing or operating satellites that can access shared resources to improve cybersecurity.

Who Bears the Cost

  • Federal agencies will incur costs to establish, run, and coordinate the clearinghouse and related reporting.
  • Commercial operators and service providers may bear costs to implement recommended practices or align with the clearinghouse resources, even though recommendations are voluntary.
  • Small business concerns could incur resource burdens to adopt and implement cybersecurity measures and participate in the clearinghouse ecosystem.
  • Private sector entities contributing to the clearinghouse’s materials may face participation and information-sharing costs for collaborative standards work.

Key Issues

The Core Tension

The central dilemma is balancing robust cybersecurity improvements with the private sector’s regulatory burden and the risks associated with foreign ownership or foreign-controlled infrastructure, all while preserving innovation and timely action. The bill’s reliance on voluntary recommendations and interagency coordination aims to minimize mandates but may slow or dilute impact unless the clearinghouse becomes widely used and trusted.

The act relies on a voluntary consolidation of cybersecurity recommendations and creates a public clearinghouse rather than imposing mandatory standards. This reduces regulatory burden but may limit enforceability or uniform adoption across the industry.

The bill requires significant interagency coordination and private-sector participation, which could be challenging to harmonize across agencies with overlapping authorities. There is deliberate flexibility around handling foreign ownership and foreign-based infrastructure, but that flexibility also raises questions about how risk is managed when critical components originate abroad.

Classification provisions allow a potentially sensitive annex, which could complicate information sharing and transparency.
