What GAO Found
The 2020 Census program is heavily dependent upon the Census Enterprise Data Collection and Processing (CEDCAP) program to deliver the key systems needed to support the 2020 Census redesign. However, GAO's preliminary findings showed that while the two programs have taken steps to coordinate their schedules, risks, and requirements, they lacked effective processes for managing their interdependencies. Specifically:
- Among tens of thousands of schedule activities, the two programs are expected to manually identify activities that are dependent on each other, and rather than establishing one integrated dependency schedule, the programs maintain two separate dependency schedules. This has contributed to misalignment in milestones between the programs.
- The programs do not have an integrated list of interdependent program risks, and thus they do not always recognize the same risks that impact both programs.
- Among other things, key requirements have not been defined for validating responses from individuals who respond to the census using an address instead of a Bureau-assigned identification number, because of the Bureau's limited knowledge and experience in this area. The lack of knowledge and specific requirements related to this critical function is concerning, given that there is less than a year and a half remaining before the Census end-to-end test begins in August 2017 (which is intended to test all key systems and operations to ensure readiness for the 2020 Census).
Officials have acknowledged these weaknesses and reported that they are taking, or plan to take, steps to address the issues. However, until these interdependencies are managed more effectively, the Bureau will be limited in understanding the work needed by both programs to meet milestones, mitigate major risks, and ensure that requirements are appropriately identified.
While the large-scale technological changes for the 2020 Decennial Census introduce great potential for efficiency and effectiveness gains, they also introduce many information security challenges. For example, the introduction of an option for households to respond using the Internet puts respondents more at risk for phishing attacks (requests for information from authentic-looking, but fake, e-mails and websites). In addition, because the Bureau plans to allow its enumerators to use mobile devices to collect information from households who did not self-respond to the survey, it is important that the Bureau ensures that these devices are adequately protected. The Bureau has begun efforts to address many of these challenges; as it begins implementing the 2020 Census design, continued focus on these considerable security challenges will be critical.
Why GAO Did This Study
The U.S. Census Bureau (which is part of the Department of Commerce) plans to significantly change the methods and technology it uses to count the population with the 2020 Decennial Census. The Bureau's redesign of the census relies on the acquisition and development of many new and modified systems. Several of the key systems are to be provided by an enterprise-wide initiative called CEDCAP, which is a large and complex modernization program intended to deliver a system-of-systems for all the Bureau's survey data collection and processing functions.
This statement summarizes preliminary findings from GAO's draft report on, among other things, the Bureau's management of the interdependencies between the CEDCAP and 2020 Census programs, and key information security challenges the Bureau faces in implementing the 2020 Census design. To develop that draft report, GAO reviewed Bureau documentation such as project plans and schedules and compared them against relevant guidance; and analyzed information security reports and documents.
GAO's draft report includes several recommendations to help the Bureau better manage CEDCAP and 2020 Census program interdependencies related to schedule, risk, and requirements. The draft report is currently with the Department of Commerce and the Bureau for comment.