From: Government Accountability Office
Posted: Tuesday, May 17, 2016
NOAA Is Working to Ensure Continuity but Needs to Quickly Address Information Security Weaknesses and Future Program Uncertainties
What GAO Found
The $11.3 billion Joint Polar Satellite System (JPSS) program has continued to make progress in developing the JPSS-1 satellite for a March 2017 launch. However, the program has experienced recent delays in meeting interim milestones, including a key instrument on the spacecraft that was delivered almost 2 years later than planned. In addition, the program has experienced cost growth ranging from 1 to 16 percent on selected components, and it is working to address selected risks that have the potential to delay the launch date.
Although the National Oceanic and Atmospheric Administration (NOAA) established information security policies in key areas recommended by the National Institute of Standards and Technology, the JPSS program has not yet fully implemented them. Specifically, the program categorized the JPSS ground system as a high-impact system, and selected and implemented multiple relevant security controls. However, the program has not yet fully implemented almost half of the recommended security controls, did not have all of the information it needed when assessing security controls, and has not addressed key vulnerabilities in a timely manner (see figure). Until NOAA addresses these weaknesses, the JPSS ground system remains at high risk of compromise.
NOAA has made progress in assessing and mitigating a near-term satellite data gap. GAO previously reported on weaknesses in NOAA's analysis of the health of its existing satellites and its gap mitigation plan. The agency improved both its assessment and its plan; however, key weaknesses remain. For example, the agency anticipates that it will be able to have selected instruments on the next satellite ready for use in operations 3 months after launch, which may be optimistic given past experience. GAO is continuing to monitor NOAA's progress in addressing prior recommendations.
Looking ahead, NOAA has begun planning for new satellites to ensure data continuity. This program would include two new JPSS satellites and a smaller interim satellite. However, uncertainties remain on the expected useful lives of the current satellites, and NOAA has not evaluated the costs and benefits of different launch scenarios based on up-to-date estimates. Until it does so, NOAA may not be making the most efficient use of the nation's sizable investment in the polar satellite program.
Why GAO Did This Study
NOAA established the JPSS program in 2010 to replace aging polar satellites and provide critical environmental data used in forecasting the weather. However, the potential exists for a gap in satellite data if the current satellite fails before the next one is operational. Because of this risk and the potential impact of a gap on the health and safety of the U.S. population and economy, GAO added this issue to its High Risk list in 2013, and it remained on the list in 2015.
GAO was asked to review the JPSS program. GAO's objectives were to (1) evaluate progress on the program, (2) assess efforts to implement appropriate information security protections for polar satellite data, (3) evaluate efforts to assess and mitigate a potential near-term gap in polar satellite data, and (4) assess agency plans for a follow-on polar satellite program. To do so, GAO analyzed program status reports, milestone reviews, and risk data; assessed security policies and procedures against agency policy and best practices; examined contingency plans and actions, as well as planning documents for future satellites; and interviewed experts as well as agency and contractor officials.
What GAO Recommends
GAO recommends that NOAA take steps to address deficiencies in its information security program and complete key program planning actions needed to justify and move forward on a follow-on polar satellite program. NOAA concurred with GAO's recommendations and identified steps it is taking to address them.
For more information, contact David A. Powner at (202) 512-9286 or firstname.lastname@example.org.
// end //