Golden Dome for America (GDA) Cybersecurity Requirements
On May 20, 2025, the US Secretary of Defense (SECDEF) announced support for the Golden Dome for America (GDA), a next-generation missile defense shield formalized in Executive Order (EO) 14186. The proposed “Golden Dome” will include space-based interceptors and sensors.
Per the US Department of Defense’s (DoD’s) memorandum, “The GDA's success will rely upon bold vision, innovation, and cutting-edge technology provided by the Defense Industrial Base (DIB). DIB companies, both large and small, are the targets of malicious cyber actors intent on theft of intellectual property, disruption of operations, or espionage. GDA is a system of systems, reliant on numerous technologies integrated into a holistic system. To that end, the DoD must ensure the security of the GDA program through the application of supply chain requirements for the entirety of the GDA DIB ecosystem.”
Golden Dome For America (GDA) Cybersecurity Requirements
Based on this recent DoD memorandum, GDA vendors must address the following cybersecurity requirements:
- From a cybersecurity controls perspective, GDA vendors must:
  - Implement NIST SP 800-53 R5 controls in accordance with DoDI 8510.01 (Risk Management Framework for DoD Systems);
  - Harden systems, applications and services according to the DoD’s Security Technical Implementation Guides (STIGs); and
  - Implement a tamper protection program for the system, its components and/or its services that addresses both logical and physical tampering.
- From a data protection perspective, GDA implementations that handle Controlled Unclassified Information (CUI) must conform to NIST SP 800-171 and, depending on the type of CUI in the contract, to selected NIST SP 800-172 controls:
  - At a minimum, CMMC Level 2 certification is required; and
  - Components considered a target for Advanced Persistent Threats (APTs) require the “enhanced protections” of NIST SP 800-172 and CMMC Level 3 certification.
- From a Supply Chain Risk Management (SCRM) perspective, GDA vendors must:
  - Adhere to NIST SP 800-161 R1 to implement a Cybersecurity Supply Chain Risk Management (C-SCRM, formerly ICT-SCRM) capability;
  - Maintain a Supply Chain Risk Management Plan (SCRM Plan); and
  - Perform supplier assessments and reviews.
- GDA vendors must subscribe to the National Security Agency Cybersecurity Collaboration Center (NSA CCC) threat intelligence sharing service.
- GDA vendors that develop or utilize custom software must:
  - Utilize secure development practices that conform to:
    - EO 14028; and
    - NIST SP 800-218, the Secure Software Development Framework (SSDF); and
  - Provide attestation of those practices using the Cybersecurity and Infrastructure Security Agency (CISA) Secure Software Development Attestation Form (SSDAF).
- GDA vendors that handle classified information for US government agencies or foreign governments must have an Insider Threat Program (ITP) that:
  - Gathers, integrates and reports relevant and available information indicative of a potential or actual insider threat; and
  - Conforms with:
    - EO 13587; and
    - the Presidential Memorandum “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs”.
- GDA vendors must assess supply chain risks in accordance with:
  - DFARS 252.239-7018 (Supply Chain Risk); and
  - Chapter 3 of the DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs (referred to as the Risk Management Guide (RMG)).
- GDA vendors must provide the Bills of Materials (BOMs) applicable to their product or service:
  - Hardware BOM (HBOM);
  - Software BOM (SBOM);
  - Firmware BOM (FBOM);
  - Microelectronics BOM (MBOM);
  - Chemical BOM (CBOM); and
  - Raw Materials BOM (RBOM).
- GDA vendors must comply with FAR clause 52.204-24 (the representation implementing Section 889 of the FY 2019 NDAA; the prohibition itself is in FAR 52.204-25), which bars covered telecommunications and video surveillance services or equipment from Huawei, ZTE, Hytera, Hikvision and Dahua and their subsidiaries or affiliates.
- For GDA vendors supplying National Security Systems (NSS), the DoD will verify in the Supplier Performance Risk System (SPRS) that none of the proposed products appear on the NSS restricted list maintained under 10 U.S.C. 3252.
- For Commercial Off-the-Shelf (COTS) products that are National Information Assurance Partnership (NIAP) certified, the GDA vendor must:
  - Deploy and configure the product in accordance with its Protection Profile (PP); and
  - Address newly identified vulnerabilities.
- GDA vendors must generate and maintain the following evidence of due diligence and due care:
  - Hardware and software inventory list;
  - Hardware and device certifications and approvals;
  - Incident Response Plan (IRP);
  - Software certification test results or attestations/memorandums;
  - SCRM Policy; and
  - List of all implemented Security Technical Implementation Guides (STIGs).