The National Oceanic and Atmospheric Administration is still trying to eliminate more than 1,000 information security vulnerabilities on its satellite ground system, a congressional watchdog said Thursday.
NOAA reported to the Government Accountability Office Wednesday evening that it had made some recent progress chipping away at that number, reducing the 1,500 open critical and high-risk vulnerabilities it had outstanding since 2015 to about 1,200, said David Powner, director of IT Management Issues at the Government Accountability Office.
Open vulnerabilities to the Joint Polar Satellite System program’s ground system or its upgrade include: outdated software, an obsolete web server, and more than 200 instances of use of outdated definitions used to scan and identify viruses, according to Powner’s prepared testimony.
“NOAA has determined that the JPSS ground system is at a high risk of compromise due to the significant number of controls that are not fully implemented,” Powner said at a House Committee on Science, Space and Technology hearing Thursday.
The ground system handles satellite communications and data processing.
“NOAA needs to close these vulnerabilities much quicker,” Powner said.
Powner noted that NOAA has a system security plan and is working to close vulnerabilities.
But from August 2014 to August 2015, NOAA had 10 incidents of medium and high severity related to the system, Powner’s prepared testimony said, including “incidents involving unauthorized access to web servers and computers.”
Powner’s remarks were based in part on a May GAO report and a draft of another report expected to be released in September.
NOAA agreed with the GAO’s recommendations in the May report, but it noted that it would follow agency policy that lets it accept risk when “remediation cannot be performed as anticipated.”
The other report is focused on the way NOAA updates the timeline information for its polar satellites.
Officials said Thursday they were concerned about a potential eight-month satellite gap between using the current satellite, the Suomi National Polar-orbiting Partnership, and JPSS-1.
NOAA projects it would launch the JPSS-1 satellite in March 2017.
“There has been improvement in the JPSS program over the past few years, but there are still potential causes of concern,” Rep. Jim Bridenstine, R.-Okla., said in prepared remarks at the hearing.
The GAO has reported issues on the JPSS program since 2012, including technical problems, cost, management and risks.
The Commerce Department’s inspector general has also noted problems with the program in past years, including security issues.