A Lack of Program Management Controls and Attention to IT Security Threatens the Success of NOAA’s Effort to Implement a Cloud-Based Common Ground System

The National Oceanic and Atmospheric Administration’s (NOAA’s) National Environmental Satellite, Data, and Information Service (NESDIS) provides access to global environmental data from satellites and other sources. Current NESDIS ground systems process data from NOAA and non-NOAA satellites and other observing systems. The computing architecture for many of NESDIS’ ground systems is currently located “on premises” rather than in the cloud and was developed with unique designs specific to each mission.NESDIS is transitioning some functionality from its current satellite ground systems to its cloud-based NESDIS Common Cloud Framework (NCCF). The NCCF is intended to provide greater flexibility, efficiency, cybersecurity, and cost effectiveness for the next generation of NESDIS missions.Our audit objective was to assess NESDIS’ progress implementing the NCCF. We found that (1) NESDIS’ effort to implement the NCCF lacks fundamental project management practices set forth in Department of Commerce policy, (2) NOAA is not reporting the NCCF’s financial, project, and performance data to the federal IT dashboard, (3) NESDIS’ penetration testing of the NCCF has been inadequate, and (4) the NCCF is built on a cloud platform that cannot support its security requirements.We made 11 recommendations to help NOAA ensure that the NCCF has appropriate management controls, complies with policy requirements, and meets security requirements.