The National Weather Service Should Further Strengthen Its Protection of Essential Operational Technology

View Report

Date Issued

Thursday, February 27, 2025

Submitting OIG

Department of Commerce OIG

Agencies Reviewed/Investigated

Department of Commerce

Components

National Oceanic and Atmospheric Administration

Report Number

OIG-25-012-I

Report Description

For our evaluation of the National Weather Service's (NWS's) protection of operational technology (OT), our objective was to determine whether NWS has implemented effective security controls for its critical OT. We found that I. NWS did not implement strong credential management for some OT systems, and II. NWS lacked complete vulnerability scanning coverage for some OT systems.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Link

https://www.oig.doc.gov/reports/?entry=25335

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1.	Yes	$0	$0
1. We recommend that the Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator ensure the NWS Director implements review NWS OT systems to ensure that they (a) securely store credentials, including hashes; (b) have debugging disabled where appropriate; and (c) do not use default passwords.
2.	Yes	$0	$0
2. We recommend that the Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator ensure the NWS Director implements remove insecure protocols such as HTTP and Telnet and follow OMB requirements to encrypt internal traffic.
4.	Yes	$0	$0
4. We recommend that the Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator ensure the NWS Director implements conduct vulnerability scanning on all devices within an OT system in accordance with NOAA policy.