Skip to main content

Polar Weather Satellites: NOAA Is Working to Ensure Continuity but Needs to Quickly Address Information Security Weaknesses and Future Program Uncertainties

GAO-16-359 Published: May 17, 2016. Publicly Released: May 17, 2016.
Jump To:
Skip to Highlights

Highlights

What GAO Found

The $11.3 billion Joint Polar Satellite System (JPSS) program has continued to make progress in developing the JPSS-1 satellite for a March 2017 launch. However, the program has experienced recent delays in meeting interim milestones, including a key instrument on the spacecraft that was delivered almost 2 years later than planned. In addition, the program has experienced cost growth ranging from 1 to 16 percent on selected components, and it is working to address selected risks that have the potential to delay the launch date.

Although the National Oceanic and Atmospheric Administration (NOAA) established information security policies in key areas recommended by the National Institute of Standards and Technology, the JPSS program has not yet fully implemented them. Specifically, the program categorized the JPSS ground system as a high-impact system, and selected and implemented multiple relevant security controls. However, the program has not yet fully implemented almost half of the recommended security controls, did not have all of the information it needed when assessing security controls, and has not addressed key vulnerabilities in a timely manner (see figure). Until NOAA addresses these weaknesses, the JPSS ground system remains at high risk of compromise.

Open Vulnerabilities Identified on the Current Joint Polar Satellite System's Ground System

Open Vulnerabilities Identified on the Current Joint Polar Satellite System's Ground System

Note: The National Oceanic and Atmospheric Administration identifies vulnerabilities as critical, high, medium, and low risk; critical and high risk vulnerabilities pose an increased risk of compromise.

NOAA has made progress in assessing and mitigating a near-term satellite data gap. GAO previously reported on weaknesses in NOAA's analysis of the health of its existing satellites and its gap mitigation plan. The agency improved both its assessment and its plan; however, key weaknesses remain. For example, the agency anticipates that it will be able to have selected instruments on the next satellite ready for use in operations 3 months after launch, which may be optimistic given past experience. GAO is continuing to monitor NOAA's progress in addressing prior recommendations.

Looking ahead, NOAA has begun planning for new satellites to ensure data continuity. This program would include two new JPSS satellites and a smaller interim satellite. However, uncertainties remain on the expected useful lives of the current satellites, and NOAA has not evaluated the costs and benefits of different launch scenarios based on up-to-date estimates. Until it does so, NOAA may not be making the most efficient use of the nation's sizable investment in the polar satellite program.

Why GAO Did This Study

NOAA established the JPSS program in 2010 to replace aging polar satellites and provide critical environmental data used in forecasting the weather. However, the potential exists for a gap in satellite data if the current satellite fails before the next one is operational. Because of this risk and the potential impact of a gap on the health and safety of the U.S. population and economy, GAO added this issue to its High Risk list in 2013, and it remained on the list in 2015.

GAO was asked to review the JPSS program. GAO's objectives were to (1) evaluate progress on the program, (2) assess efforts to implement appropriate information security protections for polar satellite data, (3) evaluate efforts to assess and mitigate a potential near-term gap in polar satellite data, and (4) assess agency plans for a follow-on polar satellite program. To do so, GAO analyzed program status reports, milestone reviews, and risk data; assessed security policies and procedures against agency policy and best practices; examined contingency plans and actions, as well as planning documents for future satellites; and interviewed experts as well as agency and contractor officials.

Recommendations

GAO recommends that NOAA take steps to address deficiencies in its information security program and complete key program planning actions needed to justify and move forward on a follow-on polar satellite program. NOAA concurred with GAO's recommendations and identified steps it is taking to address them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Commerce Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to establish a plan to address the limitations in the program's efforts to test security controls, including ensuring that any changes in the system's inventory do not materially affect test results.
Closed – Implemented
NOAA agreed with our recommendation and established a plan to address limitations in the program's efforts to test security controls. Specifically, NOAA developed and executed a plan that outlined several actions and milestones, including validating a baseline inventory for JPSS with its system contactor. NOAA also leveraged its governance policies to better manage system changes impacting the JPSS program. As of June 2018, NOAA executed its plan and demonstrated that its system inventory was validated to support its ongoing assessment and monitoring efforts.
Department of Commerce Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to, when establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy.
Closed – Implemented
NOAA agreed with our recommendation and took steps to address it. Specifically, NOAA approved and implemented a remediation policy that tailors the Department's requirements to prioritize categories of affect devices based on the level of exposure and risk. Among the requirements, the updated policy requires that all critical and high vulnerabilities be remediated within 30 days for certain categories of devices.
Department of Commerce Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to ensure that the agency and program are tracking and closing a consistent set of incident response activities.
Closed – Implemented
NOAA agreed with our recommendation and has implemented the necessary actions to track and close a consistent set of incident response activities. More specifically, NOAA developed a new incident tracking and reporting system to manage its response activities between its response group and NOAA's line offices. Additionally, NOAA demonstrated that the system was used to track and close a subset of low, moderate, and high severity incidents across NOAA and within JPSS.
Department of Commerce Given the importance of addressing risks on the JPSS satellite program, the Secretary of Commerce should direct the Administrator of NOAA to evaluate the costs and benefits of different launch scenarios for the Polar Follow-on program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs.
Closed – Implemented
NOAA agreed with this recommendation and took steps to address it. In July 2016, the agency provided documentation summarizing its evaluation of three different launch scenarios for the Polar Follow-on program based on cost and mission risks. In November 2016, the agency provided a study on the life expectancy of the polar satellites, which had been used to inform the planning assumptions for the three launch scenarios. In August 2018, agency officials described how the information on anticipated funding levels and satellite life expectancy were used to inform decision-makers in selecting the optimal launch cadence.

Full Report

GAO Contacts

Topics

Cost analysisCost overrunsData collectionEnvironmental dataEnvironmental monitoringInformation securityInformation technologyInternal controlsPolar satellitesProgram evaluationProgram managementWeather forecasting