United States Government Accountability Office
Report to the Committee on Science, Space, and Technology, House of Representatives
May 2016

POLAR WEATHER SATELLITES
NOAA Is Working to Ensure Continuity but Needs to Quickly Address Information Security Weaknesses and Future Program Uncertainties

GAO-16-359

Highlights of GAO-16-359, a report to the Committee on Science, Space, and Technology, House of Representatives

Why GAO Did This Study

NOAA established the JPSS program in 2010 to replace aging polar satellites and provide critical environmental data used in forecasting the weather. However, the potential exists for a gap in satellite data if the current satellite fails before the next one is operational. Because of this risk, and the potential impact of a gap on the health and safety of the U.S. population and economy, GAO added this issue to its High Risk list in 2013, and it remained on the list in 2015.

GAO was asked to review the JPSS program. GAO’s objectives were to (1) evaluate progress on the program, (2) assess efforts to implement appropriate information security protections for polar satellite data, (3) evaluate efforts to assess and mitigate a potential near-term gap in polar satellite data, and (4) assess agency plans for a follow-on polar satellite program. To do so, GAO analyzed program status reports, milestone reviews, and risk data; assessed security policies and procedures against agency policy and best practices; examined contingency plans and actions, as well as planning documents for future satellites; and interviewed experts as well as agency and contractor officials.

What GAO Recommends

GAO recommends that NOAA take steps to address deficiencies in its information security program and complete key program planning actions needed to justify and move forward on a follow-on polar satellite program. NOAA concurred with GAO’s recommendations and identified steps it is taking to address them.

View GAO-16-359. For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov.

What GAO Found

The $11.3 billion Joint Polar Satellite System (JPSS) program has continued to make progress in developing the JPSS-1 satellite for a March 2017 launch. However, the program has experienced recent delays in meeting interim milestones, including a key instrument on the spacecraft that was delivered almost 2 years later than planned. In addition, the program has experienced cost growth ranging from 1 to 16 percent on selected components, and it is working to address selected risks that have the potential to delay the launch date.

Although the National Oceanic and Atmospheric Administration (NOAA) established information security policies in key areas recommended by the National Institute of Standards and Technology, the JPSS program has not yet fully implemented them. Specifically, the program categorized the JPSS ground system as a high-impact system, and selected and implemented multiple relevant security controls. However, the program has not yet fully implemented almost half of the recommended security controls, did not have all of the information it needed when assessing security controls, and has not addressed key vulnerabilities in a timely manner (see figure). Until NOAA addresses these weaknesses, the JPSS ground system remains at high risk of compromise.

Figure: Open Vulnerabilities Identified on the Current Joint Polar Satellite System’s Ground System
Note: The National Oceanic and Atmospheric Administration identifies vulnerabilities as critical, high, medium, and low risk; critical and high risk vulnerabilities pose an increased risk of compromise.

NOAA has made progress in assessing and mitigating a near-term satellite data gap. GAO previously reported on weaknesses in NOAA’s analysis of the health of its existing satellites and its gap mitigation plan. The agency improved both its assessment and its plan;
however, key weaknesses remain. For example, the agency anticipates that it will be able to have selected instruments on the next satellite ready for use in operations 3 months after launch, which may be optimistic given past experience. GAO is continuing to monitor NOAA’s progress in addressing prior recommendations.

Looking ahead, NOAA has begun planning for new satellites to ensure data continuity. This program would include two new JPSS satellites and a smaller interim satellite. However, uncertainties remain on the expected useful lives of the current satellites, and NOAA has not evaluated the costs and benefits of different launch scenarios based on up-to-date estimates. Until it does so, NOAA may not be making the most efficient use of the nation’s sizable investment in the polar satellite program.

Contents

Letter
    Background
    NOAA Continues to Develop JPSS, but Selected Components Have Experienced Milestone Delays, Cost Growth, and Risks
    JPSS Information Security Program Has Deficiencies
    NOAA Made Progress in Assessing the Potential for a Satellite Data Gap and Has Improved Efforts to Plan and Implement Gap Mitigation Activities
    NOAA Is Planning to Develop More Polar Satellites, but Uncertainties Remain on Timing and Requirements
    Conclusions
    Recommendations for Executive Action
    Agency Comments and Our Evaluation
Appendix I: Objectives, Scope, and Methodology
Appendix II: Key Publications Supporting the National Institute of Standards and Technology’s Information Security Risk Management Framework
Appendix III: NOAA’s Assessment of the Near-Term Health of the Polar Satellite Constellation
Appendix IV: Comments from the Department of Commerce
Appendix V: GAO Contact and Staff Acknowledgments

Tables
    Table 1: Joint Polar Satellite System (JPSS) Instruments
    Table 2: Comparison of the Joint Polar Satellite System (JPSS) Program at Different Points in Time
    Table 3: Elements of the National Institute of Standards and Technology’s Risk Management Framework
    Table 4: Changes in Key Milestone Dates for Joint Polar Satellite System (JPSS) Components between July 2013 and December 2015
    Table 5: Changes in Cost Estimates for Joint Polar Satellite System Components between July 2013 and December 2015
    Table 6: Guidelines for Developing Elements a Sound Contingency Plan
    Table 7: National Oceanic and Atmospheric Administration’s (NOAA) Progress in Developing a Sound Contingency Plan for Its Joint Polar Satellite System (JPSS)
    Table 8: Status of Gap Mitigation Options for National Oceanic and Atmospheric Administration (NOAA) Polar Satellites

Figures
    Figure 1: Configuration of Operational Polar Satellites
    Figure 2: Stages of Satellite Data Processing
    Figure 3: Simplified Visualization of Polar Satellite Program Components
    Figure 4: Overview of the National Institute of Standards and Technology’s Risk Management Framework for an Information Security Program
    Figure 5: Open Vulnerabilities Identified on the Current Joint Polar Satellite System Ground System
    Figure 6: Expected Life Span of Current Satellites in Joint Polar Satellite System (JPSS) Program, as of December 2015
    Figure 7: Expected Lives of Joint Polar Satellite System (JPSS) and Polar Follow-On Satellites
    Figure 8: Expected Lives of Joint Polar Satellite System (JPSS) Series Satellites with Extended Useful Life Estimate
    Figure 9: Suomi-National Polar-Orbiting Partnership (S-NPP) Availability over Time

Abbreviations

    ATMS: Advanced Technology Microwave Sounder
    ATO: authorization to operate
    COSMIC: Constellation Observing System for Meteorology, Ionosphere, and Climate
    CrIS: Cross-Track Infrared Sounder
    DMSP: Defense Meteorological Satellite Program
    DOD: Department of Defense
    EON-MW: Earth Observing Nanosatellite-Microwave
    FISMA: Federal Information Security Modernization Act of 2014
    JPSS: Joint Polar Satellite System
    Metop: Meteorological Operational (satellite)
    NASA: National Aeronautics and Space Administration
    NESDIS: National Environmental Satellite, Data, and Information Service
    NIST: National Institute of Standards and Technology
    NOAA: National Oceanic and Atmospheric Administration
    NPOESS: National Polar-orbiting Operational Environmental Satellite System
    OMB: Office of Management and Budget
    OMPS: Ozone Mapping and Profiler Suite
    PFO: Polar Follow-on
    POA&M: plan of action and milestones
    POES: Polar-orbiting Operational Environmental Satellites
    S-NPP: Suomi National Polar-orbiting Partnership
    VIIRS: Visible Infrared Imaging Radiometer Suite

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

441 G St. N.W.
Washington, DC 20548

May 17, 2016

The Honorable Lamar Smith
Chairman
The Honorable Eddie Bernice Johnson
Ranking Member
Committee on Science, Space, and Technology
House of Representatives

Polar-orbiting satellites provide critical environmental data that are used in weather forecasting. In 2010, the National Oceanic and Atmospheric Administration (NOAA) initiated the Joint Polar Satellite System (JPSS) program, with assistance from the National Aeronautics and Space Administration (NASA). The JPSS program is to provide the next generation of polar-orbiting satellites, replacing existing satellites as they reach the end of their useful lives.

The JPSS program includes three satellites, the first of which was successfully launched in October 2011. NOAA plans to use the next satellite in the program as a replacement for that first satellite. However, the potential remains for a near-term satellite data gap. Because of the criticality of satellite data
to weather forecasting, the possibility of a satellite data gap, and the potential impact of a gap on the health and safety of the U.S. population and economy, we added this issue to GAO’s High Risk List in 2013, and it remained on the list in 2015.[1]

[1] GAO, High Risk Series: An Update, GAO-15-290 (Washington, D.C.: Feb. 11, 2015).

Given your continuing concerns about the potential impact of a gap in polar satellite data, you asked us to review the JPSS program and the potential for future gaps in polar satellite coverage. Our objectives were to (1) evaluate NOAA’s progress on the JPSS satellite program with respect to schedule, cost, and key risks; (2) assess NOAA’s efforts to plan and implement appropriate information security protections for polar satellite data; (3) evaluate NOAA’s efforts to assess the probability of a near-term gap in polar satellite data, as well as its progress in implementing key activities for mitigating a gap; and (4) assess NOAA’s efforts to plan and implement a follow-on polar satellite program.

To evaluate NOAA’s progress on the JPSS satellite program with respect to schedule, cost, and key risks, we compared project schedule and cost data to baseline targets between July 2013 and December 2015, reviewed key program risk areas and planned actions to mitigate risks, and examined the effect of any schedule delays and risks on a potential gap in satellite data. In addition, we interviewed JPSS program office staff for details on schedule, cost, and risk information. We assessed the reliability of cost, schedule, and risk data for the JPSS program by comparing information in program source reports at different points in time, by comparing risk data to source documents such as risk registers, and by following up on specific cost and schedule information in meetings with agency officials. We found that these data were sufficiently reliable for our purposes.

To assess NOAA’s efforts to plan and implement appropriate information security protections
for polar satellite data, we compared information security policies and practices for the current and future state of the JPSS program against the Federal Information Security Modernization Act of 2014 and supporting guidance.[2] We assessed the JPSS program’s efforts to categorize the security level of the system; select, implement, and test security controls; authorize the system for operations; and monitor controls. We also analyzed information on recent security incidents and NOAA’s response to them, and interviewed key managers and staff.

[2] The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073 (Dec. 18, 2014), largely supersedes the very similar Federal Information Security Management Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). The 2002 act’s requirements that the National Institute of Standards and Technology establish standards and guidance for implementation of the act were not superseded and continue to apply.

To evaluate NOAA’s efforts to assess the probability of a near-term gap in polar satellite data, as well as its progress in implementing key activities for mitigating a gap, we analyzed NOAA’s analysis of polar satellite availability and gap mitigation plan against best practices in contingency planning, examined progress and reporting on NOAA’s key gap mitigation activities, and interviewed key officials. In order to assess NOAA’s efforts to plan and implement a follow-on polar satellite program, we determined the scope, expected cost, timelines, and key risks of the JPSS Polar Follow-On program; analyzed documentation for key program milestones with respect to program criteria and charts of expected satellite life; and interviewed JPSS program staff.

We conducted this performance audit from May 2015 to May 2016 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Additional details on our objectives, scope, and methodology are provided in appendix I.

Background

Since the 1960s, the United States has operated two separate polar-orbiting meteorological satellite systems: the Polar-orbiting Operational Environmental Satellite (POES) series, which is managed by NOAA, and the Defense Meteorological Satellite Program (DMSP), which is managed by the Air Force. These satellites obtain environmental data that are processed to provide graphical weather images and specialized weather products. These satellite data are also the predominant input to numerical weather prediction models, which are a primary tool for forecasting weather days in advance—including forecasting the path and intensity of hurricanes.[3] The weather products and models are used to predict the potential impact of severe weather so that communities and emergency managers can help prevent and mitigate its effects. Polar satellites also provide data used to monitor environmental phenomena, such as ozone depletion and drought conditions, as well as data sets that are used by researchers for a variety of studies, such as climate monitoring.

[3] According to NOAA, 80 percent of the data assimilated into its National Weather Service numerical weather prediction models that are used to produce weather forecasts 3 days and beyond comes from polar-orbiting satellites.

Unlike geostationary satellites, which maintain a fixed position relative to the earth, polar-orbiting satellites constantly circle the earth in an almost north-south orbit, providing global coverage of conditions that affect the weather and climate. Each satellite makes about 14 orbits a day. As the earth rotates beneath it, each satellite views the entire earth’s surface twice a day.
Currently, a NOAA/NASA satellite, called the Suomi National Polar-orbiting Partnership, or S-NPP, and two operational DMSP satellites are positioned so that they cross the equator in the early morning, mid-morning, and early afternoon. In addition, the government relies on a series of European satellites, called the Meteorological Operational (Metop) satellites, for satellite observations in the midmorning orbit.[4] These polar-orbiting satellites are considered primary satellites for providing input to weather forecasting models. In addition to these primary satellites, NOAA, the Air Force, and a European weather satellite organization maintain older satellites that still collect some data and are available to provide limited backup to the operational satellites should they degrade or fail. Figure 1 illustrates the current operational polar satellite constellation.

[4] The European Organisation for the Exploitation of Meteorological Satellites’ Metop program is a series of three polar-orbiting satellites dedicated to operational meteorology. Metop satellites are planned to be flown sequentially over 14 years. The first of these satellites was launched in 2006, the second was launched in 2012, and the final satellite in the series is expected to launch in 2018.

Figure 1: Configuration of Operational Polar Satellites
Note: DMSP—Defense Meteorological Satellite Program, Metop—Meteorological Operational (satellite), and S-NPP—Suomi National Polar-orbiting Partnership.

According to NOAA, 80 percent of the data assimilated into its National Weather Service numerical weather prediction models that are used to produce weather forecasts 3 days and beyond comes from polar-orbiting satellites. Specifically, a single afternoon polar satellite provides NOAA 45 percent of the global coverage it needs for its numerical weather models. NOAA obtains the rest of the polar satellite data it needs from other satellite programs, including the Department of Defense’s (DOD) early
morning satellites and the European mid-morning satellite.

Polar Satellite Data and Products

Polar satellites gather a broad range of data that are transformed into a variety of products. Satellite sensors observe different bands of radiation wavelengths, called channels, which are used for remotely determining information about the earth’s atmosphere, land surface, oceans, and the space environment. When first received, satellite data are considered raw data. To make them usable, processing centers format the data so that they are time-sequenced and include earth-location and calibration information. After formatting, these data are called raw data records. The centers further process these raw data records into channel-specific data sets, called sensor data records and temperature data records. These data records are then used to derive weather and climate products called environmental data records. These environmental data records include a wide range of atmospheric products detailing cloud coverage, temperature, humidity, and ozone distribution; land surface products showing snow cover, vegetation, and land use; ocean products depicting sea surface temperatures, sea ice, and wave height; and characterizations of the space environment. Combinations of these data records (raw, sensor, temperature, and environmental data records) are also used to derive more sophisticated products, including outputs from numerical weather models and assessments of climate trends. Figure 2 is a simplified depiction of the various stages of satellite data processing.

Figure 2: Stages of Satellite Data Processing

Brief History of the NPOESS Satellite Program

With the expectation that combining the POES and DMSP programs would reduce duplication and result in sizable cost savings, a May 1994 Presidential Decision Directive required NOAA and DOD to converge the two satellite programs into a single one capable of satisfying both civilian and military requirements: the National
Polar-orbiting Operational Environmental Satellite System (NPOESS).[5] NPOESS satellites were expected to replace the POES and DMSP satellites in the morning, midmorning, and afternoon orbits when they neared the end of their expected life spans. To reduce the risk involved in developing new technologies and to maintain climate data continuity, the program planned to launch a demonstration satellite in May 2006.[6] The first NPOESS satellite was to be available for launch in March 2008.

[5] Presidential Decision Directive NSTC-2, “Convergence of U.S. Polar-orbiting Operational Environmental Satellite Systems,” May 5, 1994.
[6] Originally called the NPOESS Preparatory Project, in January 2012, the satellite’s name was changed to the Suomi National Polar-orbiting Partnership (S-NPP) satellite.

However, in the years after the program was initiated, NPOESS encountered significant technical challenges in sensor development, program cost growth, and schedule delays. By March 2009, agency executives decided to use the planned demonstration satellite as an operational satellite because the schedule delays could have led to a gap in satellite data. Eventually, cost and schedule concerns led the White House’s Office of Science and Technology Policy to announce in February 2010 that NOAA and DOD would no longer jointly procure the NPOESS satellite system; instead, each agency would plan and acquire its own satellite system. Specifically, NOAA—with support from NASA—would be responsible for the afternoon orbit, and DOD would be responsible for the early morning orbit. The agencies would rely on European satellites for the mid-morning orbit.

Overview of the JPSS Program

When the decision to disband NPOESS was announced, NOAA and NASA immediately began planning for a new satellite program in the afternoon orbit, called JPSS. Key plans included relying on NASA for system acquisition, engineering, and integration; completing, launching, and supporting S-NPP; acquiring and launching two satellites for the afternoon orbit, called JPSS-1 and JPSS-2; developing and integrating five instruments on the two satellites; finding alternative host satellites for selected instruments[7] that would not be accommodated on the JPSS satellites; and providing ground system support for JPSS, including S-NPP, and data communications for other missions, including the Metop satellite.

[7] NPOESS was to have included the Total and Spectral Solar Irradiance Sensor, an environmental instrument used to monitor and capture total and spectral solar irradiance data; the Search and Rescue Satellite-aided Tracking system, which detects and locates aviators, mariners, and land-based users in distress; and the Data Collection System, which collects environmental data from platforms around the world and delivers them to users.

NOAA organized the JPSS program into flight and ground projects that have separate areas of responsibility. Figure 3 depicts program components.

Figure 3: Simplified Visualization of Polar Satellite Program Components

The flight project includes a set of five instruments, the spacecraft, and launch services. Table 1 lists and describes the instruments.

Table 1: Joint Polar Satellite System (JPSS) Instruments

Instrument: Advanced Technology Microwave Sounder (ATMS)
Description: Provides atmospheric temperature and moisture data for operational weather and climate applications; collects microwave radiation from earth’s atmosphere and surface.

Instrument: Clouds and the Earth’s Radiant Energy System [a]
Description: Measures reflected sunlight and thermal radiation emitted by the earth; helps provide measurements of the spatial and temporal distribution of the earth’s radiation.

Instrument: Cross-Track Infrared Sounder (CrIS)
Description: Collects measurements of the infrared radiation emitted and scattered by the earth and atmosphere to determine the vertical distribution of temperature, moisture, and pressure in the atmosphere.

Instrument: Ozone Mapping and Profiler Suite (OMPS)
Description: Collects data needed to measure the amount and distribution of ozone in the earth’s atmosphere, including information on how ozone concentration varies with altitude. Consists of two components (nadir and limb) that can be provided separately.

Instrument: Visible Infrared Imaging Radiometer Suite (VIIRS)
Description: Collects images and radiometric data used to provide information on the earth’s clouds, atmosphere, ocean, and land surfaces. Provides imagery during the day as well as under extremely low light conditions at night. Provides cloud imagery under sunlit conditions, as well as infrared coverage for night and day cloud imaging.

Source: GAO analysis of NOAA data.
[a] The Clouds and the Earth’s Radiant Energy System instrument is on S-NPP and is planned to fly on JPSS-1. NASA plans to provide a similar instrument, called the Radiation Budget Instrument, for JPSS-2.

The ground project consists of ground-based systems that handle satellite communications and data processing. The JPSS program is working to implement a critical upgrade to the JPSS ground system that will allow it to support both the S-NPP and all planned JPSS satellites. The ground system’s versions are numbered; the version that is currently in use is called Block 1.2, and the new version that is under development is called Block 2.0. While Block 2.0 is planned to replace Block 1.2, a JPSS program official stated that there will be a period of overlap of about 60 days during which both versions are operational, and noted that Block 1.2 may stay online longer, if warranted, to address unanticipated problems on Block 2.0.

In addition to multi-mission support, program officials stated that the new iteration of the ground system will also have a different set of security requirements that are designed specifically for the JPSS system, as opposed to the old requirements, which were based on legacy needs. Officials also stated that the upgrade will include an enhanced architecture that is more
scalable to future changes and will allow NOAA to replace obsolete hardware and software.

Program Costs Have Varied over Time

Since its inception, the composition and cost of the JPSS program have varied. In 2010, NOAA estimated that the life-cycle costs of the JPSS program would be approximately $11.9 billion for a program lasting through fiscal year 2024, which included $2.9 billion in NOAA funds spent on NPOESS through fiscal year 2010.[8] Following this, the agency undertook a cost estimating exercise where it validated that the cost of the full set of JPSS functions from fiscal year 2012 through fiscal year 2028 would be $11.3 billion. After adding the agency’s sunk costs, which had increased to $3.3 billion through fiscal year 2011, the program’s life-cycle cost estimate totaled $14.6 billion.

Subsequently, NOAA took steps to lower this estimate, since it was $2.7 billion higher than the original estimate for JPSS at the time that NPOESS was disbanded. In fiscal year 2013, NOAA officials agreed to cap the JPSS life-cycle cost at $12.9 billion and to merge funding for two climate sensors into the JPSS budget. By October 2012, NOAA also decided to remove selected elements from the satellite program, such as the number of ground-based receptor stations, thus affecting the time it takes for products to reach end users, and the number of interface data processing segments.

The administration then directed NOAA to begin implementing additional changes in the program’s scope and objectives in order to meet the agency’s highest-priority needs for weather forecasting and reduce estimated life-cycle costs from $12.9 billion to $11.3 billion. By April 2013, NOAA had decided to, among other things, cancel one of two planned free-flyer[9] missions and transfer the remaining free-flyer mission to a new program within NOAA called the Solar Irradiance Data and Rescue mission.[10] In addition, requirements for certain climate sensors were moved to NASA. As we
reported previously, NOAA also reduced the estimated life-cycle cost of the program by eliminating the operational costs for the 3 years at the end of the JPSS mission; the current life-cycle cost estimate includes operational costs through 2025, even though the JPSS-2 satellite is expected to be operational until 2028.[11] Table 2 compares the planned cost, schedule, and scope of the JPSS program at different points in time.

[8] This figure does not include approximately $2.9 billion in sunk costs that DOD spent on NPOESS through fiscal year 2010.
[9] A free flyer is an alternative host satellite for the selected instruments that are not accommodated on the JPSS satellites.
[10] The Solar Irradiance Data and Rescue mission is to accommodate the Total and Spectral Solar Irradiance Sensor, the Advanced Data Collection System, and the Search and Rescue Satellite-Aided Tracking system.
[11] See GAO, Polar Weather Satellites: NOAA Needs to Prepare for Near-term Data Gaps, GAO-15-47 (Washington, D.C.: Dec. 16, 2014) and GAO, Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, GAO-09-3SP (Washington, D.C.: March 2009). A life-cycle cost estimate should include operational costs through the entire estimated life of the program. We also note that a statute governing NOAA’s development of major programs, 33 U.S.C. § 878a(a)(6), defines “life-cycle cost” as “the total of the direct, indirect, recurring, and nonrecurring costs, including the construction of facilities and civil servant costs, and other related expenses incurred or estimated to be incurred in the design, development, verification, production, operation, maintenance, support, and retirement of a program over its planned lifespan, without regard to funding source or management control.”

Table 2: Comparison of the Joint Polar Satellite System (JPSS) Program at Different Points in Time

Key area: Life cycle
    As of May 2010: 2010-2024
    As of June 2012: 2010-2028
    As of December 2014: 2010-2025

Key area: Estimated life-cycle cost
    As of May 2010: $11.9 billion (which includes about $2.9 billion spent through fiscal year 2010 on the National Polar-orbiting Operational Environmental Satellite System (NPOESS))
    As of June 2012: $12.9 billion (which includes about $2.9 billion spent through fiscal year 2010 on NPOESS)
    As of December 2014: $11.3 billion (which includes about $2.9 billion spent through fiscal year 2010 on NPOESS)

Key area: Number of satellites
    As of May 2010: 2 (in addition to Suomi National Polar-orbiting Partnership (S-NPP))
    As of June 2012: 2 JPSS satellites (in addition to S-NPP); 2 free flyer satellites
    As of December 2014: 2 (in addition to S-NPP)

Key area: Number of orbits
    As of May 2010: 1 (afternoon orbit)
    As of June 2012: 1 (afternoon orbit)
    As of December 2014: 1 (afternoon orbit)

Key area: Launch schedule
    As of May 2010: S-NPP—no earlier than Sept. 2011; JPSS-1 available in 2015; JPSS-2 available in 2018
    As of June 2012: S-NPP—successfully launched in Oct. 2011; JPSS-1 by March 2017; JPSS-2 by Dec. 2022; Free flyer-1 and -2 not determined
    As of December 2014: S-NPP—successfully launched in Oct. 2011; JPSS-1 by March 2017; JPSS-2 by Dec. 2021

Key area: Number of instruments
    As of May 2010: S-NPP: 5 [a]; JPSS-1: 5; JPSS-2: 5
    As of June 2012: S-NPP: 5; JPSS-1: 5; JPSS-2: 5; Free flyer-1 and -2: 1 sensor and 2 user services systems [b]
    As of December 2014: S-NPP: 5; JPSS-1: 5; JPSS-2: 5 [c]; No free flyers [d]

Source: GAO analysis of NOAA, DOD, and task force data.
[a] The five instruments are the Advanced Technology Microwave Sounder, Clouds and the Earth’s Radiant Energy System, Cross-Track Infrared Sounder, Ozone Mapping and Profiler Suite, and Visible Infrared Imaging Radiometer Suite. The National Oceanic and Atmospheric Administration (NOAA) committed to finding an alternative spacecraft and launch accommodation for the Total and Spectral Solar Irradiance Sensor, the Advanced Data Collection System, and the Search and Rescue Satellite-Aided Tracking system.
[b] NOAA planned to launch two stand-alone satellites, called free-flyer satellites, to accommodate instruments removed from the JPSS program: the Total and Spectral Solar Irradiance Sensor, the Advanced Data Collection System, and the Search and Rescue Satellite-Aided Tracking system.
[c] In a fiscal year 2014 budget
document, responsibility for two instruments was moved from NOAA to NASA: the Radiation Budget Instrument (formerly known as the Clouds and the Earth’s Radiant Energy System) and Ozone Mapping and Profiler Suite–Limb. NOAA plans to accommodate these instruments on the JPSS-2 satellite as long as they do not impact the likelihood of mission success.
[d] NOAA canceled Free flyer-1 and established Free flyer-2 as a new program outside the JPSS program. This new program, called the Solar Irradiance Data and Rescue mission, is to accommodate the Total and Spectral Solar Irradiance Sensor, the Advanced Data Collection System, and the Search and Rescue Satellite-Aided Tracking system.

Requirements for Ensuring Information Security for the Nation’s Weather Forecasting Infrastructure Are Established in Law and Guidance

Safeguarding federal computer systems and the systems supporting the nation’s infrastructures, including the nation’s weather observation and forecasting infrastructure, is essential to protecting national and economic security, and public health and safety. For government organizations, information security is also a key element in maintaining the public trust. Inadequately protected systems may be vulnerable to insider threats, as well as the risk of intrusion by individuals or groups with malicious intent who could unlawfully access the systems to obtain sensitive information, disrupt operations, or launch attacks against other computer systems and networks. Moreover, cyber-based threats to federal information systems are evolving and growing. Accordingly, we designated information security as a government-wide high risk area in 1997, and it has remained on our high-risk list since then.[12]

Federal law and guidance specify requirements for protecting federal information and information systems. The Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014 (FISMA), which largely supersedes
the 2002 act, require executive branch agencies to develop, document, and implement an agency-wide information security program to provide security for the information and information systems that support operations and assets of the agency.[13] The 2002 act also assigns certain responsibilities to the National Institute of Standards and Technology (NIST), which is tasked with developing, for systems other than national security systems, standards and guidelines that must include, at a minimum, (1) standards to be used by all agencies to categorize all of their information and information systems based on the objectives of providing appropriate levels of information security, according to a range of risk levels; (2) guidelines recommending the types of information and information systems to be included in each category; and (3) minimum information security requirements for information and information systems in each category.

[12] GAO, High-Risk Series: Information Management and Technology, GAO/HR-97-9 (Washington, D.C.: Feb. 1, 1997).

[13] The Federal Information Security Modernization Act of 2014 (Pub. L. No. 113-283, 128 Stat. 3073, Dec. 18, 2014) largely superseded the Federal Information Security Management Act of 2002, enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this report, FISMA refers to the requirements in the 2014 law. Many of the requirements of the 2002 law were unchanged by or incorporated into the 2014 law and continue in full force and effect.

Accordingly, NIST developed a risk management framework of standards and guidelines for agencies to follow in developing information security programs. The framework addresses broad information-security and risk-management activities, including categorizing the system’s impact level; selecting, implementing, and assessing security controls; authorizing the system to operate (based on progress in remediating control weaknesses and an assessment of residual risk); and
monitoring the efficacy of controls on an ongoing basis. Figure 4 shows an overview of this framework, and table 3 describes the framework’s key activities and artifacts. In addition, appendix II describes relevant NIST publications.

Figure 4: Overview of the National Institute of Standards and Technology’s Risk Management Framework for an Information Security Program

Table 3: Elements of the National Institute of Standards and Technology’s Risk Management Framework

Element: Categorize the system
Description: Categorize the information system and the information processed, stored, and transmitted by that system as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability based on an impact analysis.
Key artifacts: Risk Assessment Report–used to document risks and help make decisions on the impact level of the system. Federal Information Processing Standard 199 system categorization decision—used to document the impact level of the system.

Element: Select security controls
Description: Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on an organizational assessment of risk and local conditions.
Key artifacts: Federal Information Processing Standard 200 baseline controls—identifies the baseline security controls that have been selected.

Element: Implement security controls
Description: Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Key artifacts: System Security Plan—documents how the agencies plan to implement security controls.

Element: Assess security controls
Description: Test and evaluate the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.
Key artifacts: Security Controls Assessment—tests security controls to determine if they are implemented correctly, operating as intended, and producing desired outcomes.

Element: Authorize the system
Description: A designated agency official provides the Authorization to Operate, which certifies the system for operation based on security controls, completion of remedial actions, and acceptance of residual risks to organizational operations.
Key artifacts: Plans of Action and Milestones—describe actions and timelines for addressing control weaknesses. Authorization to Operate—documents approval to operate a system by the agency authorizing official.

Element: Monitor controls
Description: Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting impact analyses on changes, and reporting the security state of the system to designated officials.
Key artifacts: Continuous Monitoring policies—used to document strategies for monitoring the effectiveness of controls.

Source: GAO analysis of National Institute of Standards and Technology guidance. | GAO-16-359

Federal agencies face an evolving array of information security-based threats which put federal systems and information at an increased risk of compromise. In September 2015, we reported that federal agencies showed weaknesses in several major categories of information system controls, including access controls, which limit or detect access to computer resources, and configuration management controls, which are intended to prevent unauthorized changes to information system resources.[14] Further, in November 2015, we reported that over the past 6 years we had made about 2,000 recommendations to improve information security programs and associated security controls. We noted that agencies had implemented about 58 percent of these recommendations.[15]

Recent GAO Reports Recommended Actions to Improve JPSS Management and Address the Risk of a Near-Term Satellite Gap
Since 2012, we issued three reports on the JPSS program that highlighted technical issues, component cost growth, management challenges, and key risks.[16] In these reports, we made a total of 11 recommendations to NOAA to improve the management of the JPSS program. These recommendations included addressing key risks and establishing a comprehensive contingency plan consistent with best practices. The agency agreed with these 11 recommendations. As of December 2015, the agency had implemented 2 recommendations and was working to address the remaining 9.

More specifically, in September 2013 and December 2014, we reported that, while NOAA had taken steps to mitigate an anticipated gap in polar satellite data, it had not yet established a comprehensive contingency plan. For example, its plan did not fully identify risks to its contingency plans, such as including recovery time objectives for key products, identifying opportunities for accelerating calibration and validation of products, and providing an assessment of available alternatives based on their costs and potential impacts. In addition, we found that NOAA had not prioritized these alternatives. We recommended that NOAA revise its plan to, among other things, identify recovery time objectives for key products, provide an assessment of alternatives based on costs and potential impacts, and establish a schedule with meaningful timelines and linkages among mitigation activities. We also recommended that NOAA investigate ways to prioritize mitigation projects with the greatest potential benefit in the event of a gap. NOAA agreed with these recommendations and stated it was taking steps to implement them.

[14] GAO, Federal Information Security: Agencies Need to Correct Weaknesses and Fully Implement Security Programs, GAO-15-714 (Washington, D.C.: Sept. 29, 2015).

[15] GAO, Information Security: Federal Agencies Need to Better Protect Sensitive Data, GAO-16-194T (Washington, D.C.: Nov. 17, 2015).

[16] GAO, Polar Weather Satellites: NOAA Needs To Prepare for Near-term Data Gaps, GAO-15-47 (Washington, D.C.: Dec. 16, 2014); Polar Weather Satellites: NOAA Identified Ways to Mitigate Data Gaps, but Contingency Plans and Schedules Require Further Attention, GAO-13-676 (Washington, D.C.: Sept. 11, 2013); and Polar-orbiting Environmental Satellites: Changing Requirements, Technical Issues, and Looming Data Gaps Require Focused Attention, GAO-12-604 (Washington, D.C.: June 15, 2012).

In December 2014, we also found that, while NOAA was providing oversight of its many gap mitigation projects and activities, the agency’s oversight efforts were not consistent or comprehensive. Specifically, only one of three responsible entities obtained monthly progress reports, and the three responsible agencies reported only on selected activities on a quarterly basis. We recommended that NOAA ensure that relevant entities provide monthly and quarterly updates of progress on all gap mitigation projects during existing meetings. NOAA agreed with this recommendation and stated it was taking steps to implement it.

At that time, we also reported that NOAA had previously revised its estimate of how long a gap could last down to 3 months, but that this estimate was based on inconsistent and unproven assumptions and did not account for the risk that space debris poses to the S-NPP satellite’s life expectancy. We recommended that NOAA update the JPSS program’s assessment of potential polar satellite data gaps to include more accurate assumptions about launch dates and the length of the data calibration period, as well as key risks such as the potential effect of space debris. NOAA agreed with this recommendation and stated it was taking steps to implement it.

NOAA Continues to Develop JPSS, but Selected Components Have Experienced Milestone Delays, Cost Growth, and Risks

Over the last year, the JPSS program has continued to make progress in developing the JPSS-1 satellite. In early 2015, the program completed two key instruments
for the JPSS-1 satellite: the CrIS and VIIRS instruments. The program also completed its Systems Integration Review for the JPSS-1 satellite in February 2015. More recently, the program completed the ATMS instrument and integrated the instruments on the spacecraft. As of December 2015, the JPSS program reported that it remained on track to meet its planned launch date of March 2017 for the JPSS-1 satellite and still expected the JPSS-2 satellite to launch no later than November 2021.

However, the program has continued to experience delays in meeting interim milestones. In 2014, we reported that key components of the JPSS-1 satellite had experienced delays.[17] Since that time, the program has continued to experience delays on key components, ranging from 3 to 10 months. In particular, one component experienced almost 2 years of delay since July 2013. Table 4 provides details on specific key milestones.

Table 4: Changes in Key Milestone Dates for Joint Polar Satellite System (JPSS) Components between July 2013 and December 2015

Key milestone | Planned date as of July 2013 | Planned date as of July 2014 | Planned/actual date as of December 2015 | Previously reported delay from July 2013 to July 2014 | Additional delay from July 2014 to December 2015 | Total delay from July 2013 to December 2015
Component completion
CrIS instrument completion | July 2014 | October 2014 | February 2015 | 3 months | 4 months | 7 months
VIIRS instrument completion | October 2014 | November 2014 | February 2015 | 1 month | 3 months | 4 months
ATMS instrument completion | March 2014 | March 2015 | January 2016 | 12 months | 10 months | 22 months
Spacecraft completion | April 2016 | May 2016 | September 2016 | 1 month | 4 months | 5 months
Program-wide reviews
Spacecraft Pre-Environmental Review | August 2015 | August 2015 | March 2016 | No delay | 7 months | 7 months
Ground System Block 2.0 Site Acceptance Test | August 2015 | August 2015 | March 2016 | No delay | 7 months | 7 months
JPSS-1 Flight Operations Review | December 2015 | December 2015 | April 2016 | No delay | 4 months | 4 months

Source: GAO analysis of NOAA data. | GAO-16-359

Note: CrIS = Cross-Track Infrared Sounder; VIIRS = Visible Infrared Imaging Radiometer Suite; ATMS = Advanced Technology Microwave Sounder.

[17] GAO-15-47.

As of January 2016, the program continued to experience technical challenges that could cause additional schedule delays and potentially affect the scheduled launch of the JPSS-1 satellite. A delay in completing a key component on the spacecraft, called a gimbal,[18] has in turn delayed the beginning of environmental testing. Since November 2014, program officials moved the component’s planned completion date from April 2015 to February 2016.

The JPSS ground system also has experienced recent delays. The program experienced an unexpectedly high number of program trouble reports in completing an upgrade on the ground system. A key milestone related to this upgrade was recently delayed from January to August 2016.

Program officials stated that delays such as these are normal and anticipated on complex and technical space system development efforts like JPSS, and that the program includes schedule reserves to address such challenges as they arise. As of January 2016, the program reported it had 24 days of margin remaining to its launch readiness date of December 2016 and another 3 months of margin between that date and the launch commitment date of March 2017. However, the margin of 24 days prior to the launch readiness date is less than the 1.9 months recommended by NASA’s development standards. This margin is also a decrease from the 6 months of margin the program had in July 2014. Given this narrowing of available schedule reserves, resolving the remaining technical issues discussed later in this report will be critical to achieving the planned launch date.

[18] A gimbal provides articulation for selected antennas responsible for transmitting stored data to communication satellites and ground systems.

Costs Have Grown for Selected Components

The JPSS program’s baseline life-cycle cost estimate remains at $11.3 billion, but the cost of the flight segment has grown and the amount of reserve funds has decreased. Specifically, the cost of the flight segment grew by 8 percent from July 2013 to July 2014, and by another 2 percent in the period from July 2014 to December 2015. During those time frames, the cost of the ground system remained relatively steady; it dropped by 3 percent between 2013 and 2014 and then rose by 1.4 percent between 2014 and 2015. Over this 2-year period, NOAA’s estimate for the program’s development, maintenance, and operations has grown from almost $10.4 billion to just under $10.7 billion, meaning that the corresponding amount of reserve funds has decreased. The program currently has about $648 million in reserve funding for unanticipated issues over the life of the program. This is a 12.7-percent reduction in the amount of reserves between July 2014 and December 2015. Table 5 shows changes in cost estimates for JPSS program components between July 2014 and December 2015, as well as the overall percentage of change between July 2013 and December 2015.

Table 5: Changes in Cost Estimates for Joint Polar Satellite System Components between July 2013 and December 2015

JPSS program components | Program estimate ($M) as of July 2013 | Program estimate ($M) as of July 2014 | Program estimate ($M) as of Dec. 2015 | Percentage change July 2013–July 2014 | Percentage change July 2014–Dec. 2015 | Total percentage change July 2013–Dec. 2015
Flight segment | $2,758 | $2,983 | $3,037 | 8.2% | 1.8% | 10.1%
Ground segment | 1,318 | 1,274 | 1,292 | -3.3% | 1.4% | -2.0%
Program office (includes satellite operations and sustainment) | 3,460 | 3,501 | 3,504 | 1.2% | 0.1% | 1.3%
Legacy (enacted) | 2,848 | 2,848 | 2,841 | 0% | -0.3% | -0.3%
Totals
Life-cycle cost estimate | 10,385 | 10,607 | 10,674 | 2.1% | 0.6% | 2.8%
Life-cycle cost baseline | 11,349 (a) | 11,349 (a) | 11,322 (b) | 0% | -0.2% | -0.2%
Amount of reserves | 964 | 742 | 648 | -23% | -12.7% | -32.8%

Source: GAO analysis of NOAA data. | GAO-16-359

(a) Baseline cost as of July 2013.
(b) Baseline cost as of January 2015.

Within the flight segment, selected components have continued to experience higher cost growth. Since July 2014, the ATMS instrument’s cost increased by nearly 16 percent, while the OMPS instrument’s cost has grown nearly 10.4 percent, with a 7 percent increase between July and August 2015. In contrast, during the same time period, the VIIRS instrument’s cost decreased by 1.5 percent and the CrIS instrument’s cost decreased by 3.8 percent. NOAA officials stated that they are using information gained from the development of JPSS-1 instruments to aid in developing instruments for JPSS-2. Leveraging this information will be important in controlling costs on future satellites.

Program officials stated that component cost increases such as these are normal and anticipated on complex and technical space system development efforts like JPSS. The program director explained that reserves were included in the life cycle cost estimate to address these cost increases and that the program is continuing to work within its approved life-cycle cost estimate.

NOAA Has Identified Program Risks That Could Affect the Launch Schedule and Is Working to Address Them

The JPSS program’s risk management guidance calls for identifying risks, developing action plans for addressing the risks, and reporting to management on key risks. These action plans are to include a list of steps to mitigate the risks and when those steps are to be completed.

Since its inception in 2010, JPSS has identified and tracked key program risks. Moreover, the program office presents key risks during NOAA monthly program management council reviews. Over the last 2 years, NOAA has
successfully closed four key risks. These risks include components that directly impact cost, schedule, and technical aspects of the program. More specifically, NOAA resolved risks involving a delay in the use of legacy polar data, a delay in completing problem change reports related to the current ground system, and issues stemming from the sale of a supplier of high-performance computing technology.

However, as of November 2015, risks remained on both the flight and ground segment for JPSS that could potentially impact the planned completion of the spacecraft and ground system.

- JPSS-1 spacecraft component delivery: The program has experienced issues with development of the gimbal component which, as stated above, facilitates the transmission of data to the ground system and other satellites. The delivery date of the gimbal component continues to slip and has begun to impact remaining integration and test activities. The JPSS program office has taken steps to mitigate this risk by asking the prime spacecraft contractor to create a contingency plan on this issue and delaying environmental testing until production is completed. However, the significant delays and rework involved have already caused critical milestone dates to slip up to five times. If this issue continues to consume program reserves, it may further delay NOAA’s ability to begin environmental testing on other areas of the spacecraft, thus delaying launch readiness.

- Ground segment issues: The program is facing several issues in developing and testing the next version of the ground system, Block 2.0, which could delay it from being operational when needed to support the JPSS-1 satellite. Specifically, a recent site acceptance test resulted in a higher-than-expected number of problem change requests in a new version of the ground system. These have not yet been resolved. The program is also experiencing challenges in testing the ground system’s requirements that may cause a delay in
verifying some requirements until closer to launch. Program officials reported that they are developing a contingency plan to deal with the open change requests and are re-planning the activities leading up to the completion of Block 2.0 in order to remove potential schedule conflicts between the ground and satellite testing schedules.

Similar to its efforts to manage the program’s cost and schedule, the JPSS program office is actively monitoring these risks. Close management and monitoring of costs, schedules, and risks will be essential to ensuring a successful and timely launch.

JPSS Information Security Program Has Deficiencies

In accordance with FISMA and the NIST risk management framework, NOAA has established security policies and procedures governing its organizations and programs in each of the framework areas. The JPSS program implemented information security practices in the area of system categorization and made progress in implementing information security practices in each of the other risk management areas. However, the program has yet to fully implement the best practices and policies established by the organization, and shortfalls exist in each of the remaining areas. For example, while the program has established plans of action to address control weaknesses, it has not addressed systemic critical issues in a timely manner. While required to remediate critical and high risk vulnerabilities within 30 days, as of August 2015 the program had over 1,400 critical and high risk vulnerabilities that were over 4 months old.

Federal Guidance and NOAA Policies Require Information Security Activities in Key Areas

As described earlier, FISMA requires federal agencies to develop, document, and implement an agency-wide information security program. It also calls for agencies to perform key activities to protect critical assets in accordance with NIST’s risk management framework. This framework provides broad information security and risk
management activities, which guide the life-cycle processes to be followed in developing information systems.

- System Categorization: Programs are to categorize systems by identifying the types of information used, selecting a provisional impact level, modifying the rating based on mission-based factors, and assigning a category based on the highest level of impact to confidentiality, integrity, and availability. Programs select the initial impact levels using an assessment of threat events and their impact to operations.

- Selection and Implementation of Security Controls: Programs are to determine protective measures, or security controls, to be implemented based on the system categorization results. These security controls are documented in a System Security Plan. Key controls include access controls, incident response, security assessment and authorization, identification and authentication, and configuration management. Once controls are identified, programs are to determine implementation actions for each of the designated controls. These implementation actions are also specified in the System Security Plan.

- Assessment of Security Controls: Programs are to develop a test plan that will determine which controls to test (called a Security Controls Assessment), prioritize and schedule assessments, select and customize techniques, and develop risk mitigation techniques to address weaknesses. In addition to testing controls, test plans may also include penetration testing, which involves simulating attacks to identify methods for circumventing the security features of an application, system, or network, and using tools or techniques commonly used by attackers.

- Authorization to Operate (ATO): Programs are to obtain security authorization approval in order to operate. Resolving weaknesses and vulnerabilities identified during testing is an important step leading up to achieving ATO. Programs are to establish plans of action and milestones (POA&M) to plan, implement, and
document remedial actions to address any deficiencies in information security policies, procedures, and practices using POA&Ms.

- Monitoring of Security Controls: Agencies are to monitor their security controls on an ongoing basis after deployment, including assessing controls’ effectiveness and reporting on the security state of the system. A key part of ongoing monitoring is handling incidents. NIST guidance specifies procedures for implementing FISMA incident-handling requirements, and includes guidelines on establishing an effective incident response program and detecting, analyzing, prioritizing, and handling an incident.

System Categorization: The JPSS Program Categorized the Ground System as a High-Impact System

In accordance with NOAA policy, the JPSS program implemented key elements of the NIST framework regarding system categorization and identified the ground system as a high-impact system. A high-impact system is one where the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Steps leading to this categorization included the following:

- The JPSS program identified several information types relevant to the JPSS mission, including space operations, environmental monitoring and forecasting, contingency planning, and continuity of operations.

- For each information type, JPSS program officials identified security levels in the areas of confidentiality, availability, and integrity based on the nature of its mission. Program officials chose these levels based on a detailed risk assessment, which allowed them to determine the extent to which threats could adversely impact the organization and the extent to which agency systems are vulnerable to these circumstances or events.

- The program assigned an overall high-impact security level for its ground system based on the highest impact level for each of the component information types.

Selection and Implementation of Security Controls: The JPSS Program Established a System Security Plan but Has Not Fully Implemented a Significant Number of Key Controls

In accordance with NOAA policy and NIST guidance, the JPSS program established a System Security Plan for its ground system that identifies the key security controls it plans to implement based on its system security categorization and impact analyses. Key control areas include access controls, risk assessment, incident response, identification and authentication, and configuration management.

However, the program determined that the JPSS ground system is at a high risk of compromise to its confidentiality, integrity, and availability due to the significant number of controls that were not fully implemented. According to program documentation, as of June 2015, the JPSS program had fully implemented 53 percent of the baseline system security controls and partially implemented the remaining controls. Moreover, out of 17 control areas, the JPSS program had fully implemented all of the controls for only one area: incident response. The program has not fully implemented security controls for the remaining 16 control areas. The areas with the most partially implemented controls were physical protection, access control, audit and accountability, and configuration management.

Program officials explained that there are so many partially implemented controls because the current ground system, Block 1.2, was built under the predecessor NPOESS program to DOD moderate security standards. When NPOESS was disbanded and NOAA initiated the JPSS program in 2010, the program took over development of the S-NPP satellite and ground system. Program officials noted that NOAA’s early priorities were to transition the DOD contracts to NOAA and to establish the JPSS program office, and that they were not able to begin planning to upgrade the ground system until 2012. NOAA acknowledged that they need to increase the security of the
ground system, and noted that they have been working to do that. Program officials stated that they implemented compensating controls to mitigate the risks inherent in the Block 1.2 system. These compensating controls include increased logging and monitoring of traffic to identify anomalies, segmentation of the environment, and increased staffing on remediating and patching weaknesses. In addition, program officials stated that they plan to implement the remaining controls when the program upgrades the ground system from Block 1.2 to Block 2.0 in August 2016.

Assessment of Security Controls: The JPSS Program Assessed the Implementation of its Security Controls and Identified Security Weaknesses, but the Assessment Had Significant Limitations

In accordance with NOAA policy and the NIST framework, the JPSS program developed a plan for assessing its security controls, customized its testing approach to the ground system, and implemented the assessment. Specifically, in 2015, a contractor working for NOAA’s National Environmental Satellite, Data, and Information Service (NESDIS) tested how the program implemented the controls identified in the System Security Plan and identified weaknesses in the required controls established by the program. The results of this test, called a Security Controls Assessment, were documented in a subsequent report. The Security Controls Assessment also included results of an annual penetration test that was conducted by a private sector company in May 2015 to verify the effectiveness of security controls.

The June 2015 Security Controls Assessment identified a large number of critical and high risk vulnerabilities, and these numbers have been growing over time.[19] Specifically, the assessment identified 146 critical and 951 high risk vulnerabilities on Block 1.2 of the ground system, as well as 102 critical and 295 high risk vulnerabilities on Block 2.0 of the ground system. Figure 5 shows the number of open vulnerabilities
on the Block 1.2 system by severity from the third quarter of 2014 to the second quarter of 2015. The program is currently working to address the vulnerabilities through the creation of plans of action to remediate them, as discussed in the following section.

[19] NOAA assigns a risk level to each vulnerability. Risk levels include low, medium, high, and critical. Vulnerabilities ranked as high and critical risks pose increased risk of compromise.

Figure 5: Open Vulnerabilities Identified on the Current Joint Polar Satellite System Ground System

Note: NOAA identifies vulnerabilities as critical, high, medium, and low risk. Critical and high risk vulnerabilities pose an increased risk of compromise.

However, the program’s assessment of its security controls had significant limitations. Specifically, the assessment team reported that it did not have all of the information it needed to plan or test the entire system and its artifacts. In establishing procedures for the assessment, the assessment team noted concerns regarding uncertainty about the physical locations for JPSS components, inconsistencies in system inventory management, and communication and information availability between different groups within JPSS, including contractors. Also, in implementing the assessment, the team encountered a discrepancy between the security scans and the asset inventory being assessed. These shortcomings were noted again in a later security scan which, according to the program office, showed a struggle with understanding the rules of security scans, using the assessment tool, and maintaining a valid inventory.

According to NESDIS officials, while the assessment team had the information it needed when it initiated its review, the program continued to develop and revise the system. Thus, the inventory of system components that was assessed did not match the evolving system. Moreover, NOAA officials stated that the assessment attempted to account for the limitations by
factoring a high likelihood and high impact of an unknown risk into the system’s overall risk score.

These limitations increase the risk that devices in place on the current JPSS network have not been identified or tested. As a result of these testing limitations, the Security Controls Assessment may not have identified all of the system’s specific control weaknesses.

Authorization to Operate (ATO): The JPSS Program Implemented an ATO Process but Has Delayed Fixing Critical Weaknesses

Consistent with FISMA requirements and NIST guidance, NOAA has a process for authorizing its systems to operate. In order to achieve ATO, NOAA requires its programs to establish plans of actions and milestones (POA&M) to address control weaknesses, make satisfactory progress in completing POA&Ms, and resolve at least 80 percent of the POA&Ms on or before their due dates. NOAA also follows a Department of Commerce policy, which requires it to remediate all vulnerabilities deemed critical or high risk within 30 days of discovery.[20] The Commerce policy notes that vulnerabilities that are not remediated within 30 days must be managed through the POA&M process or accepted with written justification by the authorizing official. NOAA’s POA&M policy requires mitigation of critical and high risk vulnerabilities within 30 days, which NOAA officials explained that they interpreted as requiring mitigation within 30 days of establishment of a POA&M. In addition, the Commerce policy calls for the authorizing official to officially accept the risk if the vulnerability cannot be remediated within the required timeframe.

The JPSS program has implemented the ATO process on both its current system (Block 1.2) and planned system upgrade (Block 2.0) in July 2015, and plans to obtain another ATO for both blocks by July 2016. The authorizing officials for the JPSS ground system are the Deputy Assistant Administrator at NESDIS and the NOAA Chief Information Officer.

To obtain its ATO, the JPSS
program made progress in addressing many of its security weaknesses through POA&Ms. Specifically, the program assigned a level of criticality to each POA&M and tracks and reports the status of all POA&Ms at the monthly Program Management Council meetings. The JPSS program office drafted POA&Ms for deficiencies in both the existing ground system (Block 1.2) and its planned ground system upgrade (Block 2.0). Also, the program office plans to remediate all critical and high risk vulnerabilities before going live with Block 2.0 in August 2016.

20 High risk and critical are the two highest of the four categories for rating vulnerabilities.

However, the program has not complied with the Department of Commerce policy for remediating critical and high risk vulnerabilities within 30 days, or with NOAA’s policy for remediating such POA&Ms within 30 days. After a security scan conducted in March 2015 identified over 1,000 critical and high risk vulnerabilities on Block 1.2 and almost 400 critical and high risk vulnerabilities on Block 2.0, the program established POA&Ms to address these vulnerabilities. These vulnerabilities included use of outdated software, an obsolete web server, and older virus definitions. At the time the POA&Ms were established in August 2015, the 1,400 vulnerabilities were already over 4 months old. The JPSS program set completion dates for the POA&Ms of August 2016 for Block 2.0 and January 2017 for Block 1.2. These anticipated completion dates are 17 and 22 months later than required by Commerce and NOAA policies.

In addition to the POA&Ms resulting from the Security Controls Assessment, the JPSS program does not plan to address other POA&Ms in a timely manner. The program consistently establishes due dates for its POA&Ms that are 1 to 3 years in the future. This is illustrated by the following examples:

NOAA created a POA&M for upgrading its operating systems to supportable platforms and applying all recommended patches to the
system to improve security posture and reduce its risk. The issues associated with the unsupportable platforms are scheduled for completion in 2016, 3 years after the POA&M was opened.

NOAA created a POA&M in 2013 to improve configuration settings for its antivirus software. This fix is also estimated to occur in late 2016, 3 years after the issue was identified.

In 2013, NOAA created a POA&M to protect the integrity of data transmissions.21 This POA&M would ensure that the system monitors for unauthorized access to the system and enforces authorization requirements. NOAA plans to fully mitigate this weakness in late 2016.

21 Remote access is any access to an organizational information system by a user (or process acting on behalf of a user) communicating through an external network (for example, the Internet).

The extended time it takes the JPSS program to resolve vulnerabilities is a longstanding issue. In August 2014, the Department’s Inspector General reported that it took the program 11 to 14 months to remediate high risk vulnerabilities identified between 2011 and 2013.22 The Inspector General noted that this slow rate of remediation was not sufficient to keep up with the rapid growth in the number of vulnerabilities.

Program officials also noted that it is often not possible to remediate critical and high risk vulnerabilities within 30 days because patches may not be available for selected components, testing may take longer than 30 days, and certain changes need to be coordinated with mission partners. Program officials also stated that they plan to modify their internal procedures associated with the Federal Information Processing Standard 200 security control baseline analysis document to allow longer timelines when 30 days is not feasible. Further, in commenting on a draft of this report, NOAA officials stated that the program decided to delay the due date for certain POA&Ms on Block 1.2 that would require significant changes in
architecture to coincide with the delivery of Block 2.0.

While the 30 days called for in Commerce and NOAA policies may be challenging, NOAA’s ground system has been operating for years with known vulnerabilities due to the backlog of unresolved POA&Ms. These vulnerabilities threaten the confidentiality, integrity, and availability of the ground system that supports S-NPP operations. Until the program remediates these vulnerabilities and addresses POA&Ms in a timely manner, the JPSS program remains at increased risk of potential exploits.

22 U.S. Department of Commerce, Office of Inspector General, Expedited Efforts Needed to Remediate High-Risk Vulnerabilities in the Joint Polar Satellite System’s Ground System—Final Memorandum (Washington, D.C.: Aug. 21, 2014).

Monitoring of Security Controls
The JPSS Program Planned and Implemented Monitoring Activities and NOAA Has Handled Multiple Incidents Affecting the JPSS Program, but NOAA and JPSS Do Not Consistently Track Security Incidents

In accordance with NOAA policy, the JPSS program established a continuous monitoring plan to ensure information security controls are working. Consistent with the plan, the program conducts regular security control and vulnerability assessments, monitors the status of remedial actions, and briefs management on a monthly basis on security status. The JPSS program also monitors potential security control weaknesses by tracking incidents and intrusions, on which it reports to a NOAA-wide incident response team.

Like other federal agencies, NOAA has experienced several recent information security incidents regarding unauthorized access to web servers and computers. Specifically, NOAA officials reported 10 medium and high severity incidents related to the JPSS ground system between August 2014 and August 2015. Of these, NOAA has closed 6 of the 10 incidents. The incidents that were closed involved hostile probes, improper usage, unauthorized access, password sharing, and other
IT-related security concerns.

According to NOAA officials, the JPSS program office and the NOAA incident response team track all information security incidents. However, inconsistencies exist in the status of incidents being tracked. Specifically, there are differences between what is being tracked by the JPSS program office and what is closed by NOAA’s incident response team. Two of the four incidents that were recommended for closure by the JPSS program office are currently still open, according to the incident report. JPSS program officials explained that they can only recommend the closure of an incident, and the NOAA incident response team is ultimately responsible for closing an incident based on the information that was provided. Thus, the inconsistency in the status of incidents should be resolved when NOAA updates its tracking tool. Until NOAA and the JPSS program have a consistent understanding of the status of incidents, there is an increased risk that key vulnerabilities will not be identified or properly addressed.

NOAA Made Progress in Assessing the Potential for a Satellite Data Gap and Has Improved Efforts to Plan and Implement Gap Mitigation Activities

Over the last year, NOAA made progress in assessing the potential for a satellite gap, improved its satellite gap mitigation plan, and completed multiple mitigation activities; however, key shortfalls remain on these efforts. To ensure that satellites are available when needed, satellite experts consider performing annual assessments of a satellite’s health and future availability to be a best practice. The JPSS satellite program completed such assessments in 2013, 2014, and 2015, and determined that a near-term gap in satellite data is unlikely, but there are weaknesses in NOAA’s analysis. Further, government and industry best practices call for the development of contingency plans to maintain an organization’s essential functions in the case of an adverse event, such as a gap in
critical satellite-based data. NOAA has developed such plans and has improved them over the last few years; however, shortcomings remain in its current plan. In addition, NOAA is in the process of implementing the activities it identified in the plan. At the conclusion of our review, program officials provided an update on the status of key mitigation activities and noted that they plan to continue to work to improve its gap mitigation plan in 2016.

NOAA Data Show That a Near-Term Gap Is Unlikely, but Weaknesses Remain in Underlying Analysis; the Program Plans to Perform an Additional Assessment

We previously reported that NOAA was facing a potential near-term gap in polar data between the expected end of useful life of the S-NPP satellite and the beginning of operation of the JPSS-1 satellite. As of October 2013, NOAA officials stated that a 3-month gap was likely based on an analysis of the availability and robustness of the polar constellation. In April 2015, NOAA revised its assumption of how long S-NPP will last by adding up to 4 years to its expected useful life. Under this new scenario, NOAA would not anticipate experiencing a near-term gap in satellite data because S-NPP would last longer than the expected start of operations for JPSS-1. Currently, JPSS-1 is expected to be launched in March 2017, with a 3-month on-orbit check out period through June 2017, and JPSS-2 is expected to launch in November 2021. Figure 6 shows the latest estimate of the expected lives of NOAA’s polar satellites.

Figure 6: Expected Life Span of Current Satellites in Joint Polar Satellite System (JPSS) Program, as of December 2015
Note: S-NPP—Suomi National Polar-orbiting Partnership

While the outlook regarding the length of a potential gap has improved, there are several reasons why a potential gap could still occur and last longer than NOAA anticipates. For instance, the S-NPP satellite could fail sooner than expected, or the JPSS-1 satellite could either encounter
delays during its remaining development and testing, or fail upon launch or in early operations. Under these scenarios, a gap is still possible and could last for up to 5 years in the event of a launch failure. If the JPSS-2 satellite were to be delayed or encounter problems as well, a gap could be even longer.

JPSS Improved Its Analysis of Polar Satellite Availability, but Weaknesses Remain; the Program Plans to Perform an Additional Assessment

Space and satellite experts consider performing annual assessments of a satellite’s health and future availability to be a best practice. For example, the Department of Defense (DOD) requires annual assessments of the health of its satellite assets as part of its budget preparations.23 The assessments show, among other things, the probability that a specific satellite or instrument will be available for use at a given time in the future.

While this assessment is not required under NOAA policy, in 2013 the JPSS program began performing an annual analysis of the expected availability of satellites in the polar constellation. The program did this to get regular updates on the health of individual satellites and to help plan future satellite programs and launch dates. According to program officials, NOAA uses these analyses to support their strategies on gap mitigation. Among other things, the analyses show the likely availability of each satellite and instrument over time; scenarios showing the effects on availability given impact from space debris and a life limiting factor on the ATMS instrument; and scenarios for overall polar constellation availability. See appendix III for more information on what the availability analysis shows for the current polar satellite constellation.

In December 2014, we reported that NOAA’s 2013 assessment of satellite availability had several limitations, including inconsistent launch date plans, unproven assumptions about on-orbit checkout and validation, and exclusion of the
risk of a potential failure due to space debris.24 Agency officials acknowledged the assessment’s limitations and completed updated assessments in December 2014 and November 2015.

NOAA made specific improvements in its 2014 assessment. Specifically, NOAA

improved the underlying analysis of S-NPP quality through additional analysis of the existing life and health of the S-NPP satellite bus, using data through mid-2014;

showed both individual instrument and overall satellite availability over time for the S-NPP and JPSS satellites;

showed overall availability over time of all key performance parameter instruments regardless of satellite, and for the constellation’s robustness criteria; and

showed several availability scenarios depicting what would happen in the event of a loss of the JPSS-1 satellite.

23 U.S. Air Force, Air Force Space Command Instruction 10-140, Satellite Functional Availability Planning, Incorporating Change 1 (Aug. 21, 2013).

24 GAO-15-47.

In addition, the November 2015 assessment made further improvements by including key factors that could have an effect on S-NPP’s useful life in its analysis. Specifically, the newer assessment includes actual instrument performance through mid-2015, assumptions about the risk of space debris, and information on the health of S-NPP’s batteries. These enhancements help to better conceptualize decisions NOAA will need to make in planning and launching future satellites.

However, weaknesses remain in the latest assessment, which decrease NOAA’s assurance that its satellite life estimates are reliable. Specifically:

NOAA assumes that JPSS-1 data from key instruments will be available to satellite data users for operational use 3 months after launch, which is far less time than it took to calibrate and validate these instruments for operational use on S-NPP. While initial satellites in a series are more difficult to calibrate and validate than subsequent ones, and some unvalidated data may be available
earlier, this estimate, which is 2 to 3 times faster than was experienced on S-NPP, appears to be overly optimistic. This may mean that the JPSS-1 satellite takes longer to become operational than NOAA is planning.

NOAA’s analysis of the degrading health of the S-NPP satellite is not consistent with the estimated life dates from its April 2015 flyout chart, as shown in figure 6. Specifically, the flyout chart shows S-NPP with an extended useful life through late 2020, while the assessment shows that there is only a 50 percent likelihood that S-NPP will be fully functioning in 2020.

JPSS program officials stated that they plan to perform another assessment in 2016. Until it has a strong assurance of how long the JPSS satellites are likely to last, using an assessment that includes assumptions that are more consistent with past experiences, NOAA risks not adequately planning for mitigating a potential loss or not communicating to its various stakeholders when its satellites are likely to fail.

NOAA Improved Its Contingency Plan in Key Areas, but Selected Shortfalls Remain; the Program Plans to Update its Contingency Plan

Government and industry best practices call for the development of contingency plans to maintain an organization’s essential functions in the case of an adverse event. A summary of guidelines for developing a sound contingency plan is identified in table 6 below.

Table 6: Guidelines for Developing Elements of a Sound Contingency Plan

Category | Description of key activities
Identifying failure scenarios and impacts | Includes defining failure scenarios; conducting impact analyses that show the impact of failure scenarios; defining minimum acceptable levels of outputs and recovery time objectives; and establishing resumption priorities.
Developing contingency plans | Includes identifying alternative solutions to address failure scenarios; selecting contingency strategies from among alternatives based on costs, benefits, and impacts; defining actions, roles and responsibilities, triggers, and timelines for implementing contingency plans; developing “zero-day” procedures; ensuring that steps reflect priorities for resumption of products and recovery objectives; and obtaining review and approval of the contingency plan from designated officials.
Validating and implementing contingency plans | Includes identifying steps for testing contingency plans and conducting training exercises; preparing for and executing tests; validating test results for consistency against minimum performance levels; executing applicable actions for implementation of contingency strategies; communicating and coordinating with stakeholders to ensure that the strategies remain optimal for reducing potential impacts; and updating and maintaining contingency plans as warranted.

Source: GAO analysis of guidance documents from the National Institute of Standards and Technology, Software Engineering Institute, and GAO. | GAO-16-359

In October 2012, NOAA developed a contingency plan, which it refers to as its gap mitigation plan, which was subsequently updated in 2014 and in April 2015. In 2013, we reviewed NOAA’s original contingency plan and reported that it had shortcomings in nine areas, including that the agency had not selected strategies from its plan to be implemented or developed procedures and actions to implement the selected strategies.25 We made a recommendation to establish a more comprehensive contingency plan for potential satellite data gaps, which included these and other elements. NOAA agreed with our recommendation and worked to implement it.

25 GAO-13-676.

In 2014, we reviewed a revised plan and evaluated NOAA’s progress against the weaknesses we had previously identified.26 We reported that it had completed two of the nine areas, made partial progress in five areas, and made no progress in two areas. In its most recent contingency plan, NOAA fully addressed two of the remaining seven issues, conducted
work in four areas, and had not addressed the remaining issue. See table 7 for details on the seven areas that were not fully addressed during our prior reviews.

26 GAO-15-47.

Table 7: National Oceanic and Atmospheric Administration’s (NOAA) Progress in Developing a Sound Contingency Plan for Its Joint Polar Satellite System (JPSS)

February 2014 contingency plan weaknesses | Status as of Feb. 2014 plan | Status as of April 2015 plan | Description of progress

Category: Identifying failure scenarios and impacts
The plan did not address certain scenarios, such as the possibility of a loss of data from the Department of Defense (DOD) and European partner satellites in morning orbits, or a Japanese partner mission. | Partially addressed | Partially addressed | NOAA determined that there were no options that could address the loss of data from DOD and the European satellites in the early and mid-morning orbits, and that the other mitigation options listed in NOAA’s contingency plan would have to serve as mitigation for the potential loss of the DOD or European satellites’ data. However, the loss of data from DOD remains a significant risk. Specifically, the Air Force has not finalized its plans for launching the Defense Meteorological Satellite Program or beginning a new weather follow-on mission. NOAA’s gap mitigation plan states that DMSP data contributes to numerical weather prediction forecast skill and that loss of data from any of the three orbits significantly raises the need for sound mitigation options.
The plan did not include recovery time objectives for key data products. | Not addressed | Not addressed | NOAA’s April 2015 plan did not include specific objectives for the recovery of key data products on which the development and implementation of mitigation options could be based. For example, it does not include information on how quickly NOAA needs to launch a replacement satellite, such as those under development and listed in the plan, should a primary satellite fail.

Category: Developing contingency plans
The plan did not identify the contingency strategies NOAA selected to be implemented or establish procedures and actions to implement the selected strategies. | Partially addressed | Fully addressed | NOAA’s revised plan identifies approximately 35 contingency strategies in three general areas: (1) understanding the probability and the impact of a gap, (2) reducing the likelihood of a gap, and (3) reducing the impact of a gap. The plan also includes procedures and actions to implement selected strategies in each area. See table 8 for more information on the gap mitigation activities.
NOAA had not yet assessed its alternative strategies based on costs, benefits, and potential impacts. | Not addressed | Partially addressed | In commenting on a draft of this report, NOAA officials reported that the agency had completed several steps related to assessing the costs, benefits, and potential impacts of various mitigation options, which resulted in the options included in the plan. However, NOAA’s plan does not include information on the cost, benefit, and potential impacts of its mitigation projects.
The plan did not identify opportunities for accelerating the calibration and validation phase—the time between launch and availability of operational products—for JPSS-1. | Partially addressed | Fully addressed | NOAA has added language related to the acceleration of calibration and validation. The April 2015 plan notes that certain key data records that are input to National Weather Service weather prediction models will be made available for operational use the day after the JPSS-1 satellite’s commissioning, which is planned for approximately three months after launch. Visible Infrared Imaging Radiometer Suite data records will also be made available at that time. NOAA also reported that while these data products will not be fully validated and calibrated by that time, they will be capable of gap mitigation in the event of loss of those products from the Suomi National Polar-orbiting Partnership (S-NPP). Further, the National Weather Service is to begin to evaluate the Advanced Technology Microwave Sounder and Cross-Track Infrared Sounder instruments immediately after launch as a part of the JPSS calibration/validation.
The plan did not always identify specific actions with defined roles and responsibilities, timelines, and triggers. | Partially addressed | Partially addressed | While the plan identifies roles, responsibilities, and timelines for selected actions, it does not consistently provide this information. NOAA noted that it plans to provide more meaningful timelines and linkages among mitigation activities in a future plan update.

Category: Validating and implementing contingency plans
NOAA had not yet initiated efforts to validate or implement its gap mitigation plan. | Partially addressed | Partially addressed | NOAA implemented several gap mitigation activities. For example, it completed selected observing system experiments. However, the agency intends to further define completion dates for testing and validating actions at some point in the future. See table 8 for more information on the status of NOAA’s gap mitigation activities.

Source: GAO analysis of NOAA documents. | GAO-16-359

In summary, NOAA made progress by listing the contingency strategies it selected to be implemented and has integrated strategies identified after the 2014 plan was developed. It also detailed plans to make JPSS-1 data available as soon as possible after launch. However, NOAA has not yet documented the JPSS program’s required recovery time and has not developed an integrated master schedule for gap mitigation activities. The program updated the status of ongoing and planned mitigation activities
in early 2016 and plans to issue an updated contingency plan later in 2016 NOAA Is Making Progress on Gap Mitigation Activities but None Can Fully Mitigate a Near-Term Gap in Satellite Data NOAA identified 35 gap mitigation activities and is making progress in implementing them These activities fall into three general categories 1 understanding the probability and the impact of a gap 2 reducing the likelihood of a gap and 3 reducing the impact of a gap As of January 2016 16 activities had been completed including transitioning the S-NPP satellite from a research satellite to a fully operational satellite Another 18 activities are ongoing including assimilating more observations from commercial aircraft observations and unmanned aerial systems into weather models and leveraging data and models from the European Center for Medium-range Weather Forecasts into National Weather Service weather models One other activity is planned for the future See table 8 below for details on these activities While these gap mitigation activities are important to help mitigate the impact of a satellite data gap NOAA acknowledges that no mitigation activities can fully replace polar-orbiting satellite observations Page 40 GAO-16-359 Polar Weather Satellites Table 8 Status of Gap Mitigation Options for National Oceanic and Atmospheric Administration NOAA Polar Satellites Mitigation action Status Understanding the probability and the impact of a gap 1 Create capacity to conduct routine Observing System Experiments and Observing System Simulation Experiments Completed NOAA procured hardware and software to conduct the experiments 2 Upgrade Observing System Simulation Experiments capability to assess the impact of a data gap and the performance of various mitigation options Completed NOAA performed a one-time upgrade of its two relevant supercomputers Reduce the likelihood of a gap 3 Provide continuous monitoring of spacecraft to preserve and maximize their lifetimes Completed NOAA provides 
continuous monitoring of the Suomi National Polar-orbiting Partnership S-NPP spacecraft 4 Perform avoidance maneuvers away from space debris Completed NOAA performs avoidance maneuvers as needed on an ongoing basis Two such maneuvers were performed in calendar year 2014 In addition during 2015 NOAA reported that it conducted one maneuver to avoid an approaching object and actively monitored three high-interest events that posed a potential risk to the spacecraft 5 Apply lessons learned from long-life NOAA and NASA missions Completed Results of a May 2013 meeting on this issue have been incorporated into JPSS program actions 6 Work to extend the life of S-NPP as much as possible Completed NOAA developed a plan to extend S-NPP’s life and implemented it The agency also reported that it implemented a procedure to extend the life of a key component on ATMS and that to date it has been successful 7 Keep JPSS-1 on schedule Ongoing As of January 2016 the Joint Polar Satellite System JPSS program is taking corrective actions to ensure that ongoing technical challenges are addressed so as to not impact the launch schedule 8 Keep JPSS-2 on schedule and continue to seek acceleration opportunities Ongoing NOAA plans call for a JPSS-2 accelerated launch readiness date in the fourth quarter of calendar year 2021 9 Make the JPSS program more robust and maintain continuity Ongoing The fiscal year 2016 budget includes funding for of critical weather data in the afternoon orbit beyond JPSS-2 by Polar Follow-On PFO activities accelerating procurements and developing gap mitigation efforts 10 Make the JPSS program more robust and maintain continuity of critical weather data in the afternoon orbit beyond JPSS-2 through funding options and planning Page 41 Ongoing NOAA is planning a PFO extension to the JPSS program including a robust architecture that is single-fault tolerant and requires two failures in the afternoon orbit to create a gap in Advanced Technology Microwave Sounder ATMS 
and Cross-Track Infrared Sounder CrIS instrument data The PFO extension to the JPSS program also includes the development of near-term gap mitigation options GAO-16-359 Polar Weather Satellites 11 Transition S-NPP into an operational system S-NPP data processing and distribution Completed NOAA obligated funds to enable full time 24 hours a day 7 days a week processing of all S-NPP data products This was completed in the second quarter of fiscal year 2014 Reduce the impact of a gap 12 Ensure continued data availability from Polar-orbiting Operational Environmental Satellites POES and Meteorological Operational Metop satellites including upgrading processing system to ensure data continuity Completed NOAA upgraded the processing system and continues to monitor data availability 13 Complete environmental testing for Metop-C U S instruments Completed As of January 2016 NOAA completed environmental testing on the instruments 14 Maintain Aqua data processing Completed NOAA is processing Aqua data 15 Assimilate Defense Meteorological Satellite Program DMSP Special Sensor Microwave Imager Sounder data Completed NOAA began assimilating data from the two newest DMSP satellites in January 2015 16 Improve assimilation of cloud-impacted radiances into NOAA Ongoing As of January 2016 NOAA is working to develop advanced techniques for assimilation of cloud-impacted microwave and infrared radiances in the operational global data assimilation system While it was supposed to be implemented by the first quarter of fiscal year 2016 it is currently scheduled for completion in the third quarter of fiscal year 2016 17 Improve atmospheric motion vectors Ongoing As of January 2016 NOAA is working to transfer atmospheric motion vector algorithms developed by the U S Navy and University of Wisconsin into NOAA operations While it was supposed to be implemented by the first quarter of fiscal year 2016 it is currently scheduled for completion in the third quarter of fiscal year 2016 18 
Assimilate more commercial aircraft observations and targeted Ongoing As of January 2016 NOAA procured new aircraft observations from unmanned aerial systems data and had begun testing it The agency was also working to quantify the significance of observations from unmanned aircraft to high-impact weather predictions 19 Expand use of the Global Navigation Satellite System’s radio occultation data through the Constellation Observing System for Meteorology Ionosphere and Climate COSMIC-2 mission Ongoing As of December 2015 NOAA was working with its partners to support the development of the Constellation Observing System for Meteorology Ionosphere and Climate COSMIC-2 constellation which consists of two sets of six satellites and is currently on schedule The first set of COSMIC-2 satellites is planned to launch in 2017 and the second set in 2020 20 Develop the capability to assimilate soundings from advanced geostationary imagers Ongoing As of January 2016 NOAA had procured a ground system to process Japan’s Himawari-8 data using money from the Disaster Relief Appropriations Act 2013 It is now developing and testing geostationary imager radiance products which it plans to complete by the third quarter of fiscal year 2016 21 Develop improvements in data assimilation ensembling physical parameterizations and global modeling particularly for 4D hybrid data assimilation Ongoing As of January 2016 NOAA had an advanced 4Densemble-variational data assimilation system in preoperational testing Efforts to improve physical parameterizations and ensembles are progressing but a recent NOAA briefing noted that there are risks associated with its completion It is currently scheduled for completion in the third quarter of fiscal year 2016 Page 42 GAO-16-359 Polar Weather Satellites 22 Leverage European Center for Medium-range Weather Forecast products for global models Ongoing As of January 2016 NOAA was in the process of developing products with data from the European center’s 
synthetic soundings to replace lost polar satellite data The project also provides improved verification product sets for future use improves consistency in the official National Weather Service forecasts and minimizes edits at the local weather office level It is currently scheduled for completion in the fourth quarter of fiscal year 2016 23 Strengthen Direct Readout for Alaska and reduce data latency by improving expanding X-band data downlinks Completed NOAA installed X-band direct readout ground stations and processing hardware in Fairbanks AK Monterey CA Miami FL and Puerto Rico 24 Leverage Joint Center for Satellite Data Assimilation and the Center for Satellite Applications and Research capabilities for assimilation studies calibration and validation and product development Ongoing As of July 2015 the two centers were continually working to make the numerical weather prediction system increasingly resilient to partial data losses by assessing the impacts of various gap mitigation measures 25 Acquire operational and research high performance computing Completed A new research high performance computing system was delivered to the Office of Atmospheric Research in January 2015 and was fully available to users in March 2015 The National Weather Service operational system upgrade was completed in November 2015 26 Begin procurement of the Earth Observing NanosatelliteMicrowave satellite for gap mitigation of microwave atmospheric sounding data Planned NOAA planned to begin working on this procurement in fiscal year 2016 but the explanatory statement accompanying the Consolidated Appropriations Act 2016 explicitly states that it does not include funding for the Earth Observing Nanosatellite-Microwave satellite EON-MW The Department of Commerce has included funding for EON-MW in its budget submission to OMB for fiscal year 2017 27 Conduct polar system trades and analyses Ongoing To identify more efficient methods to provide data continuity while advancing 
capabilities to meet future requirements, the National Environmental Satellite, Data, and Information Service is identifying future requirements for overall polar architecture development. A recent study concluded that the most efficient way to provide continuity of key performance data is the extension of the JPSS series and the procurement of JPSS-3 and -4. NOAA has also conducted studies to recommend technology investment priorities and improvements in instrument technology.

28. Continue to process Metop imagery and prepare for data from the European Organisation for the Exploitation of Meteorological Satellites’ Polar System-Second Generation. Status: Ongoing. NOAA currently receives Metop data through an agreement with the European Organisation for the Exploitation of Meteorological Satellites and recently signed a subsequent agreement to receive data from that organization’s second generation of satellites once they are available.

29. Explore options to leverage data from the Japanese Global Change Observation Mission. Status: Ongoing. As of October 2015, NOAA was continuing discussions with the Japanese agency to explore use of data from the anticipated follow-on to its first global change observation mission on water, as well as its first mission on climate.

30. To mitigate the potential loss of data from Ozone Mapping and Profiler Suite-Nadir (OMPS-N), NOAA will be prepared to use and leverage the less capable Global Ozone Monitoring Experiment-2 data from the Metop series of satellites through 2024. Status: Ongoing. As of October 2015, NOAA routinely ingests ozone data from Metop-A/B. To begin using data from Metop-C, calibration and validation of replacement products will be required after the satellite is launched in 2017. In addition, NOAA scientists plan to evaluate Sentinel-5 and Sentinel-SP data for potential mitigation for Ozone Mapping and Profiler Suite-Nadir (OMPS-N). Sentinel-SP is scheduled for launch in 2016.

31. NOAA will explore future options to use
data from the European Polar System-Second Generation and Sentinel-SP. Status: Completed. NOAA recently signed agreements with its European partners for use of data from the European Polar System-Second Generation and Sentinel-SP.

32. Transition OMPS-L and the Radiation Budget Instrument requirements to NASA. Status: Completed. As a result of fiscal year 2014 direction from Congress, OMPS-L and Radiation Budget Instrument requirements were transitioned to NASA. In addition, NASA and NOAA agreed that NOAA would host the Radiation Budget Instrument on the JPSS-2 satellite, provided it arrived in time to not impact JPSS-2’s schedule, and NOAA is in the process of negotiating an agreement to host the OMPS-L instrument on JPSS-2. This agreement is expected to be completed by March 2016. In addition, these sensors are tentatively planned for JPSS-3 and -4; however, funding from NASA is currently uncertain.

33. Prepare to collect targeted observations of high-impact events. Status: Ongoing. In January 2016, NOAA officials reported that the agency had established a science team to help decide what types of data to collect. In addition, NOAA and NASA completed an interagency agreement to share data between the agencies. The agencies also completed a preliminary Hurricane Unmanned Aerial System impact study in December 2014. Prototype missions were initiated in fiscal year 2014 and continued through the first quarter of fiscal year 2016. Further Pacific and Arctic storm and comprehensive oceanic storm impact studies were completed in the second quarter of fiscal year 2016. NOAA officials note that final project results will be provided to NOAA leadership by the second quarter of 2017.

34. Provide X-band direct broadcast for sites over U.S. Status: Completed. NOAA installed X-band direct readout ground stations and processing hardware in Fairbanks, AK; Monterey, CA; Miami, FL; and Puerto Rico. NOAA has also transmitted reformatted direct broadcast data to its National Centers for Environmental Prediction.

35. Accelerate global model advances. Status: Ongoing. NOAA is working to improve current and next-generation global numerical weather prediction models and data assimilation. The agency reported that it completed efforts to test a core model of its next generation global prediction system. NOAA is on track to complete evaluation of test results by the second quarter of 2017. In addition, an advanced 4D ensemble-variational data assimilation system entered preoperational testing in April 2015. This system will make more complete usage of available satellite data and is expected to become operational by the second quarter of fiscal year 2016. Additionally, work is progressing on improving physical parameterizations and multi-model ensembles.

Source: GAO analysis of NOAA data. | GAO-16-359

NOAA Is Planning to Develop More Polar Satellites, but Uncertainties Remain on Timing and Requirements

NOAA has begun planning for new satellites to ensure the future continuity of polar satellite data. This program is called the Polar Follow-On (PFO). According to NOAA officials, PFO will allow for polar satellite coverage in the afternoon orbit into the 2030s. NOAA plans to eventually manage PFO as an integrated program with the current JPSS program. The PFO budget includes operational costs for both it and the current JPSS program after fiscal year 2025.

NOAA officials have stated that part of its goal for the future satellite program is to provide “robustness” in order to minimize the chance of a data gap like the near-term one the agency is facing. According to NOAA documentation, the main objectives of the PFO program are to (1) have the earliest possible launch readiness for the JPSS-3 and JPSS-4 satellites in order to achieve robustness and (2) to minimize costs. As recommended by a 2013 Independent Review Team, NOAA would achieve robustness on its polar satellite program when (1) it would take two failures to create a gap in data for key instruments and (2) the agency would be able to restore the system to a
two-failure condition within 1 year of a failure. This means that NOAA would need a backup satellite in orbit to provide data in the event of one failure, and that the agency would have the ability to launch another satellite within a year to replace an on-orbit need. Achieving robustness would greatly minimize the chances of a single point of failure—that is, a problem with one satellite causing an immediate loss of data.

NOAA has identified the satellites it plans to build as a part of PFO. The PFO program is planned to include two more satellites in the JPSS series, called JPSS-3 and JPSS-4. NOAA plans for these satellites to be nearly identical to the JPSS-2 satellite. Each satellite will include the three instruments that are considered to be key performance parameters: the Advanced Technology Microwave Sounder (ATMS), the Cross-Track Infrared Sounder (CrIS), and the Visible Infrared Imaging Radiometer Suite (VIIRS). The satellites will also include the Ozone Mapping and Profiler Suite-Nadir (OMPS-N). These four instruments are environmental sensors that provide critical data used in numerical weather prediction and imagery. NOAA also is planning for two climate instruments that are on JPSS-2—the Ozone Mapping and Profiler Suite-Limb (OMPS-L) and the Radiation Budget Instrument—to be hosted on JPSS-3 and JPSS-4 as well. However, according to NOAA, these instruments are not essential and their funding from JPSS-2 onward is uncertain.

In addition to the JPSS-3 and JPSS-4 satellites, PFO is planned to include a Cubesat satellite.[27] Specifically, NOAA plans to fly a satellite called the Earth Observing Nanosatellite–Microwave. This satellite, due to launch in 2020, would be able to replace some, but not all, ATMS data in the event of a gap between JPSS-1 and JPSS-2. Program officials have stated that because of its low cost and the experience the agency will gain from the mission, NOAA will launch the Earth Observing Nanosatellite–Microwave regardless of
the status of the remainder of the constellation. Figure 7 shows the planned expected lives for all of the JPSS and PFO satellites.

[27] Cubesats are a class of smaller satellites made up of combined units of similar cubic shape.

Figure 7: Expected Lives of Joint Polar Satellite System (JPSS) and Polar Follow-On Satellites

Note: S-NPP—Suomi National Polar-orbiting Partnership; EON-MW—Earth-Orbiting Nanosatellite–Microwave.

NOAA has taken several steps in planning the PFO program. Specifically, it established goal launch dates, high-level annual budget estimates, and roles and responsibilities for NOAA offices that will play a role on the new program. However, NOAA is in the process of updating key formulation documents for PFO, such as high-level requirements, an updated concept of operations and project plan, and budget information for key components. Program officials stated that they expect to complete key documents by mid-2016.

Uncertainties Remain on Key Development Dates for PFO

NOAA plans to develop the PFO satellites well before they are needed. In general, the agency makes a distinction between the date it wants to have a satellite available for launch, called a launch readiness date, and the actual planned launch date. NOAA set the launch readiness dates for the JPSS-3 and JPSS-4 satellites as January 2024 and April 2026, respectively. NOAA also has a contingency plan to launch the JPSS-3 satellite with only the two most important instruments, ATMS and CrIS, as early as 2023 if it is needed to mitigate a near-term satellite data gap due to unanticipated problems with JPSS-1 or JPSS-2.

In contrast, NOAA’s planned launch dates for JPSS-3 and JPSS-4 are 2 and 5 years later, respectively. NOAA currently plans, beginning with JPSS-2, to launch a new satellite every 5 years in order to achieve a robust constellation of satellites. Specifically, planned launch dates for the JPSS-3 and JPSS-4 satellites are July
2026 and July 2031, respectively (see figure 7).

NOAA has given several reasons for planning to achieve launch readiness several years ahead of launch. According to NOAA officials, this difference between planned launch readiness and actual launch dates, called the “build-ahead” strategy, is part of an effort to achieve the two robustness criteria as quickly as possible. NOAA officials also stated that early readiness would allow a “robust sparing strategy” for ATMS and CrIS. According to NOAA, this would allow for completed components from the JPSS-3 and JPSS-4 satellites to be substituted as needed if parts failed during integration and test of an earlier satellite. Additionally, according to NOAA, experienced contractor staff needed to complete development efficiently for the PFO satellites are in place now. Such staff may not be available if there is an extended break in development time.

However, uncertainties remain on whether it is necessary to develop both JPSS-3 and JPSS-4 early in order to achieve robustness. For example, while NOAA flyout charts for the polar constellation list the JPSS satellites, starting with JPSS-1, as lasting only 7 years, program officials have stated that they could last as long as 10 or 11 years. In addition, NOAA recently updated the flyout chart to show that S-NPP could last as long as 9 years, based on past performance. If the satellites last longer than expected, then there could be unnecessary redundancy. For example, at the extended useful life estimate of 10 to 11 years, JPSS-1, JPSS-2, and JPSS-3 would still be available in 2027 when JPSS-4 completes development. If NOAA were to delay launching JPSS-4 until it is needed, the satellite could be in storage for 4 years. Figure 8 shows anticipated satellite lifetimes with extended useful lives.

Figure 8: Expected Lives of Joint Polar Satellite System (JPSS) Series Satellites with Extended Useful Life Estimate

Note: S-NPP—Suomi National Polar-orbiting Partnership;
EON-MW—Earth-Orbiting Nanosatellite–Microwave.

Alternatively, if the early satellites do not last longer than expected, then there is an increased potential for future gaps in polar satellite coverage, as there will be several periods in which only one satellite is on orbit. Due to this uncertainty, NOAA faces important decisions on timing the development and launch of the remaining satellites in the JPSS program.

NOAA requires cost-benefit studies for major programs to assist in making major decisions. However, the program did not evaluate the costs and benefits of launch scenarios based on the latest estimates of how long the satellites would last. Such an analysis is needed to ensure robust coverage while minimizing program costs, and could help determine the most cost-effective launch schedule. For example, if JPSS-4 development could be deferred, the annual cost of PFO might be decreased. A potential cost decrease is important because, according to NOAA documentation, the overall funding need for PFO is expected to be about $8.2 billion, compared to about $11.3 billion for the full JPSS program through 2025. Until NOAA ensures that its plans for future polar satellite development are based on the full range of estimated lives of potential satellites, the agency may not be making the most efficient use of the nation’s sizable investment in the polar satellite program.

Conclusions

Facing a potential gap in weather satellite data, NOAA has made progress in developing the JPSS-1 satellite and is on track to launch it in March 2017. However, the agency continues to experience cost growth, schedule delays, and technical risks on key components. In particular, a component on the spacecraft has fallen more than 6 months behind schedule, putting the spacecraft on the critical path leading up to the planned launch date. Continued close management of costs, schedules, and risks will be essential to ensuring a successful and timely launch.

Given the increasing
information security risks across the federal government, building information security into ground systems is a critical component of the JPSS system development. Although the JPSS program has assessed key risks, established and evaluated security controls, and remediated selected control weaknesses, key deficiencies remain. Specifically, the team responsible for testing security controls did not have all the information it needed to test the entire system. Also, while the assessment found numerous vulnerabilities, the program has not addressed them in a timely manner. These security shortfalls put the program at risk of being compromised, and there have been a number of security incidents affecting the ground system in recent years. While NOAA’s incident response group has effectively addressed security incidents, there are discrepancies between NOAA and the JPSS program on the status of incidents. Such discrepancies make it more difficult to ensure that all incidents are identified, addressed, and tracked to closure. Until these deficiencies are addressed, the polar satellite infrastructure will continue to be at increased risk of compromise.

To address the risk of a near-term satellite gap and to move to a more robust constellation of polar satellites, NOAA has assessed the health of its operational satellites annually, established and improved its gap mitigation plans, and is beginning to plan a new satellite program to ensure coverage through 2038. While the JPSS program improved its satellite assessment and gap mitigation plans, shortfalls remain, including identifying recovery time objectives for key data products. In prior reports, we have made recommendations to NOAA to improve its satellite availability assessment and its gap mitigation plans. We continue to believe that these recommendations are valid and, if fully implemented, would improve NOAA’s ability to assess and manage the risk of a gap in satellite data. We will continue to monitor
NOAA’s ongoing efforts to address our prior recommendations.

While NOAA is planning a follow-on polar satellite program to better ensure polar satellite coverage in the future, the agency has not evaluated the costs and benefits of different launch scenarios based on its updated understanding of how long its satellites might last, and uncertainties remain in determining appropriate dates for the development and launch of the satellites. Unless NOAA makes launch decisions based on the most current estimates of useful life of its satellites, the agency may not make the most effective and economical use of the nation’s sizable investment in polar satellites.

Recommendations for Executive Action

Given the importance of addressing risks on the JPSS satellite program, we are making the following four recommendations to the Secretary of Commerce. Specifically, we recommend that the Secretary direct the Administrator of NOAA to take the following actions:

• Establish a plan to address the limitations in the program’s efforts to test security controls, including ensuring that any changes in the system’s inventory do not materially affect test results.
• When establishing plans of action and milestones to address critical and high risk vulnerabilities, schedule the completion dates within 30 days, as required by agency policy.
• Ensure that the agency and program are tracking and closing a consistent set of incident response activities.
• Evaluate the costs and benefits of different launch scenarios for the PFO program based on updated satellite life expectancies to ensure satellite continuity while minimizing program costs.

Agency Comments and Our Evaluation

We sought comments on a draft of our report from the Department of Commerce and NASA. We received written comments from the Department of Commerce transmitting NOAA’s comments, which are reprinted in appendix IV. NOAA concurred with all four of our recommendations and identified steps it is taking to
implement them. In its comments, NOAA wrote that it recognizes the need to close polar data gaps and to keep pace with changes in information security requirements; however, it noted that resource constraints and shifting priorities have presented challenges in meeting these objectives.

In response to our second recommendation, to schedule completion dates for plans of actions and milestones (POA&M) to address critical and high-risk vulnerabilities within 30 days as required by agency policy, NOAA concurred and noted that JPSS would continue to follow agency policy. NOAA explained that agency policy allows the authorizing official to accept and document risks when remediation of vulnerabilities cannot be performed as anticipated. It further noted that there are two situations which may result in remediation taking longer than the policy requires: (1) when applying patches to a system that must remain static while in development and testing, and (2) when applying patches to a complex operational system that requires analysis and testing prior to deployment in order to protect the availability of the system. While we acknowledge that there are valid reasons that remediating a POA&M might take longer than the 30 days required by agency policy, the JPSS program did not follow agency policy in that it did not schedule completion of key POA&Ms within 30 days and did not have documentation from the authorizing official accepting the risk of a delayed remediation schedule for critical and high-risk vulnerabilities, as we note in this report. Moving forward, NOAA noted that it plans to update its FIPS 200 compliance document to include steps to obtain and document risk acceptance from the authorizing official. We agree that updating this plan and implementing it will help ensure that the program is better aligned with agency policy and in a better position to remediate or accept vulnerabilities.

In response to our fourth recommendation, to evaluate the costs and benefits of different launch
scenarios for the PFO program based on updated satellite life expectancies, NOAA concurred and noted in its letter that it had evaluated the costs and benefits of different launch scenarios using the latest estimates of satellite lives as part of its budget submission. We discussed this with program officials in April 2016. Program officials explained that the program determined it would minimize costs by building the satellites as soon as possible, and it would minimize risks by planning to launch the satellites at a cadence that would meet the program’s goals for a robust polar constellation. However, the agency did not provide sufficient supporting evidence or artifacts. Without documentation showing specific comparisons of options with respect to cost totals and overall risk, the assumptions NOAA used, and the processes and time frames in which NOAA’s decisions were reached, we were not able to validate the agency’s results. NOAA also stated in its letter that it will continue to update its analysis based on, among other things, updated satellite life expectancies and information gained from award of future spacecraft and instrument contracts. Doing so would help ensure that the agency is making the most efficient use of investments in the polar satellite program.

NOAA also provided technical comments, which we have incorporated into our report as appropriate. In its technical comments, NOAA officials referred to our finding that the satellite availability assessment is not consistent with the estimated life dates in its flyout chart, noting that (1) its flyout charts are not intended to depict a satellite’s estimated life and (2) our focus on S-NPP’s 50 percent likelihood of functioning in 2020 is inappropriate because JPSS-1 will be the primary operational satellite in 2020. However, the flyout charts show “planned mission life” according to NOAA requirements. It is misleading to show a mission life extending through late 2020 if the
agency’s estimate of the satellite’s health puts it at only a 50 percent likelihood of full functionality. Furthermore, while JPSS-1 should be the primary satellite and S-NPP should be a secondary satellite in 2020, the status of S-NPP’s health would become paramount if JPSS-1 experienced a failure on launch or on orbit.

On March 16, 2016, an audit liaison for NASA provided an e-mail stating that the agency would provide any input it might have to NOAA for inclusion in NOAA’s comments.

We are sending copies of this report to the appropriate congressional committees, the Secretary of Commerce, the Administrator of NASA, the Director of the Office of Management and Budget, and other interested parties. In addition, the report will be available at no charge on the GAO website at http://www.gao.gov.

If you or your staff have any questions on the matters discussed in this report, please contact me at (202) 512-9286 or at pownerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix V.

David A. Powner
Director, Information Technology Management Issues

Appendix I: Objectives, Scope, and Methodology

Our objectives were to (1) evaluate the National Oceanic and Atmospheric Administration’s (NOAA) progress on the Joint Polar Satellite System (JPSS) program with respect to schedule, cost, and key risks; (2) assess NOAA’s efforts to plan and implement appropriate information security protections for polar satellite data; (3) evaluate NOAA’s efforts to assess the probability of a near-term gap in polar satellite data, as well as its progress in implementing key activities for mitigating a gap; and (4) assess NOAA’s efforts to plan and implement a follow-on polar satellite program.

To evaluate NOAA’s progress on the JPSS satellite program with respect to schedule, cost, and key risks, we
compared actual or anticipated completion dates for important flight and ground project milestones against previously anticipated completion dates between July 2013 and December 2015, and explored the root causes of recent delays. We also compared cost data for program instruments and other components to previous data for those same components to determine differences over time. We compared monthly management reports on key program risks to determine the status of major remaining program risks and to determine which risks had been closed. We also compared risk data to source documents such as risk registers. In addition, we interviewed JPSS program office staff for details on schedule, cost, and risk information. We assessed the reliability of monthly reports on the JPSS program’s schedule, cost, and risk information by comparing these data to other program artifacts and through interviews with knowledgeable officials. We found these data to be sufficiently reliable for our purposes.

In order to assess NOAA’s efforts to plan and implement appropriate information security protections for polar satellite data, we compared Commerce and NOAA information security policies and JPSS program information security practices to selected Federal Information Security Modernization Act of 2014 (FISMA) requirements, as well as implementing guidance from the Office of Management and Budget and the National Institute of Standards and Technology (NIST).[1] Specifically, we assessed policies and practices in the areas outlined in NIST’s Risk Management Framework: system categorization; selection, implementation, and assessment of security controls; authorization to operate; and ongoing monitoring. We obtained and analyzed key artifacts supporting the JPSS program’s efforts to address these risk management areas, including the program’s system categorization results, the System Security Plan, the System Controls Assessment report,
Authorization to Operate documentation, incident reports, and the program’s continuous monitoring plan. We interviewed key managers and staff from the JPSS program office and the NOAA Office of the Chief Information Officer to better understand their information security policies and practices. We assessed the reliability of the agency’s information on controls and vulnerabilities by comparing it to supporting documentation and artifacts, and found that the data were sufficiently reliable for our purpose of reporting on shortfalls in agency practices.

To evaluate NOAA’s efforts to assess the probability of a near-term gap in polar satellite data, as well as its progress in implementing key activities for mitigating a gap, we analyzed NOAA’s methodology for determining the expected length of a potential gap and compared it against other gap estimates and availability requirements. We reviewed NOAA’s April 2015 polar satellite gap mitigation contingency plan and compared it to best practices in contingency planning developed by leading government and industry sources,[2] as well as shortfalls we previously identified in NOAA’s October 2012 and February 2014 contingency plans. We evaluated the status of NOAA’s gap mitigation activities. We interviewed officials from the JPSS program, as well as NOAA’s Office of Atmospheric Research, National Weather Service, and NOAA Satellite, Data, and Information Service staff for further information on satellite availability details and gap mitigation activities. We assessed the reliability of NOAA’s assessment of satellite availability by comparing it to underlying analyses, prior assessments, and shortfalls we identified on prior assessments. We found the data to be sufficiently reliable for our purpose of reporting on strengths and weaknesses of the agency’s assessment.

[1] The Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073 (Dec. 18, 2014), largely superseded the Federal Information Security Management Act of 2002, enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this report, FISMA refers to the requirements in the 2014 law. Many of the requirements of the 2002 law were unchanged by or incorporated into the 2014 law and continue in full force and effect. See also NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199 (Gaithersburg, Md.: February 2004); Minimum Security Requirements for Federal Information and Information Systems, FIPS Publication 200 (Gaithersburg, Md.: March 2006); Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, SP 800-37, Revision 1 (Gaithersburg, Md.: February 2010); and Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53, Revision 4 (Gaithersburg, Md.: April 2013).

[2] Sources include the National Institute of Standards and Technology and the Software Engineering Institute’s Capability Maturity Model Integration.

In order to assess NOAA’s efforts to plan and implement the JPSS Polar Follow-On (PFO) program, we analyzed program documentation to determine the scope, expected cost, timelines, and key risks affecting the program. We compared this information against other NOAA and JPSS program documentation and identified key information that has yet to be completed for the PFO program. We also met with JPSS program staff for further insights on their plans for the PFO program.

We conducted our work at NOAA and its component offices—including the offices of the JPSS program—and the facilities of a program contractor. We conducted this performance audit from May 2015 to May 2016 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix II: Key Publications Supporting the National Institute of Standards and Technology’s Information Security Risk Management Framework

The National Institute of Standards and Technology (NIST) developed a risk management framework of standards and guidelines for agencies to follow in developing information security programs. Relevant publications include the following:

• Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems, requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.[1] The potential impact values assigned to the respective security objectives are the highest values from among the security categories that the agency identifies for each type of information resident on those information systems.

• Federal Information Processing Standard 200, Minimum Security Requirements for Federal Information and Information Systems, specifies minimum security requirements for federal agency information and information systems and a risk-based process for selecting the security controls necessary to satisfy these minimum security requirements.[2]

• NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, explains how to apply a risk management framework to federal information systems, including security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.[3]

• NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, provides a catalog
of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations, assets, individuals, other organizations, and the nation from a diverse set of threats, including hostile cyber-attacks, natural disasters, structural failures, and human errors. The guidance includes privacy controls to be used in conjunction with the specified security controls to achieve comprehensive security and privacy protection.[4]

[1] NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199 (Gaithersburg, Md.: February 2004).

[2] NIST, Minimum Security Requirements for Federal Information and Information Systems, FIPS Publication 200 (Gaithersburg, Md.: March 2006).

[3] NIST, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, SP 800-37, Revision 1 (Gaithersburg, Md.: February 2010).

[4] NIST, Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53, Revision 4 (Gaithersburg, Md.: April 2013).

Appendix III: NOAA’s Assessment of the Near-Term Health of the Polar Satellite Constellation

In November 2015, the National Oceanic and Atmospheric Administration (NOAA) updated its assessment of the availability of the existing Suomi National Polar-orbiting Partnership (S-NPP) satellite over time. The agency determined that there is an 80 percent likelihood that S-NPP will be able to provide key measurements until data from the next Joint Polar Satellite System satellite, called JPSS-1, are available, if JPSS-1 is launched in March 2017 and available to begin operation in September 2017 (see figure 9).

Figure 9: Suomi National Polar-orbiting Partnership (S-NPP) Availability over Time
Weather Satellites Appendix IV Comments from the Department of Commerce Appendix IV Comments from the Department of Commerce Page 61 GAO-16-359 Polar Weather Satellites Appendix IV Comments from the Department of Commerce Page 62 GAO-16-359 Polar Weather Satellites Appendix IV Comments from the Department of Commerce Page 63 GAO-16-359 Polar Weather Satellites Appendix V GAO Contact and Staff Acknowledgments Appendix V GAO Contact and Staff Acknowledgments GAO Contact David A Powner 202 512-9286 or pownerd@gao gov Staff Acknowledgments In addition to the contact named above Colleen Phillips Assistant Director Shaun Byrnes Analyst-in-Charge Chris Businsky Kara Lovett Epperson Torrey Hardee Franklin Jackson and Lee McCracken made key contributions to this report 100102 Page 64 GAO-16-359 Polar Weather Satellites GAO’s Mission The Government Accountability Office the audit evaluation and investigative arm of Congress exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people GAO examines the use of public funds evaluates federal programs and policies and provides analyses recommendations and other assistance to help Congress make informed oversight policy and funding decisions GAO’s commitment to good government is reflected in its core values of accountability integrity and reliability Obtaining Copies of GAO Reports and Testimony The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website http www gao gov Each weekday afternoon GAO posts on its website newly released reports testimony and correspondence To have GAO e-mail you a list of newly posted products go to http www gao gov and select “E-mail Updates ” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in 
color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts and read The Watchblog. Visit GAO on the web at www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Website: http://www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, DC 20548

Please Print on Recycled Paper