Report File
Date Issued
Submitting OIG
Department of Commerce OIG
Other Participating OIGs
Department of Commerce OIG
Agencies Reviewed/Investigated
Department of Commerce
Components
National Oceanic and Atmospheric Administration
Report Number
OIG-24-034-A
Report Description

The National Oceanic and Atmospheric Administration’s (NOAA’s) National Environmental Satellite, Data, and Information Service (NESDIS) provides access to global environmental data from satellites and other sources. Current NESDIS ground systems process data from NOAA and non-NOAA satellites and other observing systems. The computing architecture for many of NESDIS’ ground systems is currently located “on premises” rather than in the cloud and was developed with unique designs specific to each mission.

NESDIS is transitioning some functionality from its current satellite ground systems to its cloud-based NESDIS Common Cloud Framework (NCCF). The NCCF is intended to provide greater flexibility, efficiency, cybersecurity, and cost effectiveness for the next generation of NESDIS missions.

Our audit objective was to assess NESDIS’ progress implementing the NCCF. We found that (1) NESDIS’ effort to implement the NCCF lacks fundamental project management practices set forth in Department of Commerce policy, (2) NOAA is not reporting the NCCF’s financial, project, and performance data to the federal IT dashboard, (3) NESDIS’ penetration testing of the NCCF has been inadequate, and (4) the NCCF is built on a cloud platform that cannot support its security requirements.

We made 11 recommendations to help NOAA ensure that the NCCF has appropriate management controls, complies with policy requirements, and meets security requirements.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
11
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 11 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
1 Yes $0 $0

1. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS identifies the NCCF effort as a program or project in accordance with DAO 208-16.

2 Yes $0 $0

2. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS implements appropriate, formal management controls for the NCCF.

3 Yes $0 $0

3. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS delivers official requirements to OCS for development of the NCCF.

4 Yes $0 $0

4. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS directs OCS to comply with all aspects of NESDIS requirements management policy.

5 Yes $0 $0

5. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NCCF financial, project, and performance data is reported to OMB via the Federal IT Dashboard, in accordance with federal budget guidance.

6 Yes $0 $0

6. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS updates the NESDIS penetration testing process to ensure: (a) penetration testers have adequate access to examine all system components, (b) penetration test findings are documented in Plans of Action and Milestones (POA&Ms) in the security system of record, (c) penetration tests are conducted prior to the creation of the Security Assessment Report (SAR) that supports the annual authorization process, and (d) the SAR includes penetration test results and any testing limitations that testers encountered.

7 Yes $0 $0

7. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS includes root cause analysis and closure as part of the POA&M process.

8 Yes $0 $0

8. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS conducts an after-action review to determine the root cause(s) of the security weaknesses detailed in the OIG penetration test report and creates POA&M(s) to resolve the root cause(s).

9 Yes $0 $0

9. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS migrates the NCCF cloud system to a FedRAMP approved high-impact cloud platform or provides the equivalent protection.

10 Yes $0 $0

10. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS revises NCCF security documents to ensure security controls align with the high-impact security requirements.

11 Yes $0 $0

11. We recommend that the NOAA Administrator direct the NOAA Deputy Undersecretary of Operations to ensure NESDIS updates the NCCF's analysis of alternatives to include moving to a multi-region architecture and documents a risk and cost-based decision on how NESDIS will meet the NCCF's availability requirements.

Department of Commerce OIG

United States