Polar Weather Satellites:

NOAA Is Working to Ensure Continuity but Needs to Quickly Address Information Security Weaknesses and Future Program Uncertainties

GAO-16-359: Published: May 17, 2016. Publicly Released: May 17, 2016.

Additional Materials:

Contact:

David A. Powner
(202) 512-9286
pownerd@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The $11.3 billion Joint Polar Satellite System (JPSS) program has continued to make progress in developing the JPSS-1 satellite for a March 2017 launch. However, the program has experienced recent delays in meeting interim milestones, including a key instrument on the spacecraft that was delivered almost 2 years later than planned. In addition, the program has experienced cost growth ranging from 1 to 16 percent on selected components, and it is working to address selected risks that have the potential to delay the launch date.

Although the National Oceanic and Atmospheric Administration (NOAA) established information security policies in key areas recommended by the National Institute of Standards and Technology, the JPSS program has not yet fully implemented them. Specifically, the program categorized the JPSS ground system as a high-impact system, and selected and implemented multiple relevant security controls. However, the program has not yet fully implemented almost half of the recommended security controls, did not have all of the information it needed when assessing security controls, and has not addressed key vulnerabilities in a timely manner (see figure). Until NOAA addresses these weaknesses, the JPSS ground system remains at high risk of compromise.

Open Vulnerabilities Identified on the Current Joint Polar Satellite System's Ground System

Open Vulnerabilities Identified on the Current Joint Polar Satellite System's Ground System

Note: The National Oceanic and Atmospheric Administration identifies vulnerabilities as critical, high, medium, and low risk; critical and high risk vulnerabilities pose an increased risk of compromise.

NOAA has made progress in assessing and mitigating a near-term satellite data gap. GAO previously reported on weaknesses in NOAA's analysis of the health of its existing satellites and its gap mitigation plan. The agency improved both its assessment and its plan; however, key weaknesses remain. For example, the agency anticipates that it will be able to have selected instruments on the next satellite ready for use in operations 3 months after launch, which may be optimistic given past experience. GAO is continuing to monitor NOAA's progress in addressing prior recommendations.

Looking ahead, NOAA has begun planning for new satellites to ensure data continuity. This program would include two new JPSS satellites and a smaller interim satellite. However, uncertainties remain on the expected useful lives of the current satellites, and NOAA has not evaluated the costs and benefits of different launch scenarios based on up-to-date estimates. Until it does so, NOAA may not be making the most efficient use of the nation's sizable investment in the polar satellite program.

Why GAO Did This Study

NOAA established the JPSS program in 2010 to replace aging polar satellites and provide critical environmental data used in forecasting the weather. However, the potential exists for a gap in satellite data if the current satellite fails before the next one is operational. Because of this risk and the potential impact of a gap on the health and safety of the U.S. population and economy, GAO added this issue to its High Risk list in 2013, and it remained on the list in 2015.

GAO was asked to review the JPSS program. GAO's objectives were to (1) evaluate progress on the program, (2) assess efforts to implement appropriate information security protections for polar satellite data, (3) evaluate efforts to assess and mitigate a potential near-term gap in polar satellite data, and (4) assess agency plans for a follow-on polar satellite program. To do so, GAO analyzed program status reports, milestone reviews, and risk data; assessed security policies and procedures against agency policy and best practices; examined contingency plans and actions, as well as planning documents for future satellites; and interviewed experts as well as agency and contractor officials.

What GAO Recommends

GAO recommends that NOAA take steps to address deficiencies in its information security program and complete key program planning actions needed to justify and move forward on a follow-on polar satellite program. NOAA concurred with GAO's recommendations and identified steps it is taking to address them.

For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address the limitations we identified in the program's efforts to test security controls. NOAA's plan outlines several actions, and the agency plans to complete these actions by Summer 2017. We will continue to evaluate NOAA's progress in implementing its planned actions.

    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to establish a plan to address the limitations in the program's efforts to test security controls, including ensuring that any changes in the system's inventory do not materially affect test results.

    Agency Affected: Department of Commerce

  2. Status: Open

    Comments: NOAA agreed with our recommendation and has established a plan to address it. This plan includes multiple actions that are to be completed by the end of July 2017. We will continue to evaluate NOAA's progress.

    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to, when establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy.

    Agency Affected: Department of Commerce

  3. Status: Open

    Comments: NOAA agreed with our recommendation and has made progress in addressing it. Specifically, NOAA developed a pilot of a new incident tracking and reporting system to manage its response activities. NOAA plans to complete additional steps to implement this recommendation. We will continue to evaluate NOAA's progress in addressing this recommendation.

    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to ensure that the agency and program are tracking and closing a consistent set of incident response activities.

    Agency Affected: Department of Commerce

  4. Status: Open

    Comments: NOAA agreed with this recommendation and provided some documentation on its efforts to evaluate different launch scenarios. However, the agency has not yet provided all of the documentation needed to confirm that this recommendation has been addressed. We continue to work with NOAA to obtain and review the documentation needed to address this recommendation.

    Recommendation: Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to evaluate the costs and benefits of different launch scenarios for the Polar Follow-on program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs.

    Agency Affected: Department of Commerce

 

Explore the full database of GAO's Open Recommendations »

Oct 4, 2017

Sep 18, 2017

Sep 6, 2017

Jul 13, 2017

Jun 21, 2017

Jun 13, 2017

May 18, 2017

May 15, 2017

Apr 11, 2017

Looking for more? Browse all our products here