What GAO Found
The $11.3 billion Joint Polar Satellite System (JPSS) program has continued to make progress in developing the JPSS-1 satellite for a March 2017 launch. However, the program has experienced recent delays in meeting interim milestones, including a key instrument on the spacecraft that was delivered almost 2 years later than planned. In addition, the program has experienced cost growth ranging from 1 to 16 percent on selected components, and it is working to address selected risks that have the potential to delay the launch date.
Although the National Oceanic and Atmospheric Administration (NOAA) established information security policies in key areas recommended by the National Institute of Standards and Technology, the JPSS program has not yet fully implemented them. Specifically, the program categorized the JPSS ground system as a high-impact system, and selected and implemented multiple relevant security controls. However, the program has not yet fully implemented almost half of the recommended security controls, did not have all of the information it needed when assessing security controls, and has not addressed key vulnerabilities in a timely manner (see figure). Until NOAA addresses these weaknesses, the JPSS ground system remains at high risk of compromise.
Figure: Open Vulnerabilities Identified on the Current Joint Polar Satellite System's Ground System
Note: The National Oceanic and Atmospheric Administration identifies vulnerabilities as critical, high, medium, and low risk; critical and high risk vulnerabilities pose an increased risk of compromise.
NOAA has made progress in assessing and mitigating a near-term satellite data gap. GAO previously reported on weaknesses in NOAA's analysis of the health of its existing satellites and its gap mitigation plan. The agency improved both its assessment and its plan; however, key weaknesses remain. For example, the agency anticipates that it will be able to have selected instruments on the next satellite ready for use in operations 3 months after launch, which may be optimistic given past experience. GAO is continuing to monitor NOAA's progress in addressing prior recommendations.
Looking ahead, NOAA has begun planning for new satellites to ensure data continuity. This program would include two new JPSS satellites and a smaller interim satellite. However, uncertainties remain on the expected useful lives of the current satellites, and NOAA has not evaluated the costs and benefits of different launch scenarios based on up-to-date estimates. Until it does so, NOAA may not be making the most efficient use of the nation's sizable investment in the polar satellite program.
Why GAO Did This Study
NOAA established the JPSS program in 2010 to replace aging polar satellites and provide critical environmental data used in forecasting the weather. However, the potential exists for a gap in satellite data if the current satellite fails before the next one is operational. Because of this risk and the potential impact of a gap on the health and safety of the U.S. population and economy, GAO added this issue to its High Risk list in 2013, and it remained on the list in 2015.
GAO was asked to review the JPSS program. GAO's objectives were to (1) evaluate progress on the program, (2) assess efforts to implement appropriate information security protections for polar satellite data, (3) evaluate efforts to assess and mitigate a potential near-term gap in polar satellite data, and (4) assess agency plans for a follow-on polar satellite program. To do so, GAO analyzed program status reports, milestone reviews, and risk data; assessed security policies and procedures against agency policy and best practices; examined contingency plans and actions, as well as planning documents for future satellites; and interviewed experts as well as agency and contractor officials.
GAO recommends that NOAA take steps to address deficiencies in its information security program and complete key program planning actions needed to justify and move forward on a follow-on polar satellite program. NOAA concurred with GAO's recommendations and identified steps it is taking to address them.
Recommendations for Executive Action
| Department of Commerce | 1. Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to establish a plan to address the limitations in the program's efforts to test security controls, including ensuring that any changes in the system's inventory do not materially affect test results. |
| Department of Commerce | 2. Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to, when establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy. |
| Department of Commerce | 3. Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to ensure that the agency and program are tracking and closing a consistent set of incident response activities. |
| Department of Commerce | 4. Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to evaluate the costs and benefits of different launch scenarios for the Polar Follow-on program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs. |