Updated: This story was updated with comment from a NOAA spokesman.
The nation's weather satellite program over the course of a year suffered 10 data security incidents, including unauthorized access and probes by adversaries, according to a congressional auditor.
The $11.3 billion Joint Polar Satellite System is set to launch the program’s first next-gen spacecraft, the JPSS-1, in March 2017.
But the ground stations that handle satellite communications and data processing "remain at high risk of compromise," David Powner, the Government Accountability Office's director of IT management issues, said in a new report.
The satellite program, which is run by the National Oceanic and Atmospheric Administration, feeds prediction models and aids weather forecasters on the ground.
"NOAA has experienced several recent information security incidents regarding unauthorized access to Web servers and computers," Powner said in the audit, released Tuesday. The six episodes now considered closed matters "involved hostile probes, improper usage, unauthorized access, password sharing, and other IT-related security concerns."
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
On Wednesday, NOAA declined to provide more information due to national security.
"While NOAA cannot publicly comment on these specific incidents, due to reasons related to national security, all cyber security threats are taken seriously and addressed quickly. NOAA remains committed to maintaining the highest possible level of information security," agency spokesman John Leslie said in an emailed statement to Nextgov.
The Government Accountability Office had directed Nextgov to the agency for specifics, because of the sensitivity of the issue.
According to the audit, there is a discrepancy between the program office and agency incident response team over how many of the 10 cases have been handled fully.
Two of the four incidents the JPSS program office recommended be closed remain open. The NOAA incident response team ultimately is responsible for acting on the recommendation, according to the program office.
"Until NOAA and the JPSS program have a consistent understanding of the status of incidents, there is an increased risk that key vulnerabilities will not be identified or properly addressed," as well as "tracked to closure,” Powner said.
Agency officials told Powner work is underway on a new tool to improve the uniformity and timeliness of incident tracking.
The ground system is highly susceptible to compromise because, among other things, the agency has not executed nearly half of the recommended standard security controls and has not patched key vulnerabilities, the audit states.
As of August 2015, there were 1,400 critical and high-risk vulnerabilities that included outdated software, an obsolete Web server and old antivirus definitions. NOAA, which is part of the Commerce Department, is not scheduled to finish fixing the security holes until August of this year and January 2017.
By that time, the vulnerabilities will have been open to potential attack for between 17 and 22 months longer than required by the government, according to the audit.
Commerce Deputy Secretary Bruce Andrews, in a written response to the auditors, agreed with the findings but said “resource constraints and shifting priorities” have hampered efforts to keep pace with changing cybersecurity requirements and to avoid schedule slippages.
“We are responding to these challenges by working to establish repeatable processes and resilient information architecture that together enable mission achievement," he added.
NOAA is no stranger to network intrusions, like much of the federal government. Four agency websites were breached in fall 2014 by an Internet-based attack.
Then, Rep. Frank Wolf, R-Va., said NOAA told him the incident was tied to the Chinese government. In 2013, a hacker stole national environmental satellite data from a contractor's PC.
JPSS-1’s timely launch is critical to ensuring the agency's weather forecasts are accurate. NOAA’s current crop of joint polar-orbiting satellites are aging and have been running on borrowed time for years.