2020 Census: Further Actions Needed to Reduce Key Risks to a Successful Enumeration
In an effort to control rising costs, the Census Bureau plans to implement several innovations for the 2020 Census, including new IT systems.
This testimony describes why the 2020 Census, which we added to our High Risk List in February 2017, remains there today. It also covers the steps the Commerce Department and Census Bureau need to take to reduce risk. These include completing IT system development and testing and addressing cybersecurity issues.
We have made 97 recommendations on the 2020 Census. As of April 2019, 72 had been implemented. This testimony also makes 2 new recommendations to improve Bureau cybersecurity efforts.
Figure: A Census Worker Visits a Household to Collect Information (photo of a Census worker approaching a house)
What GAO Found
The 2020 Decennial Census is on GAO's list of high-risk programs primarily because the Census Bureau (Bureau) (1) is using innovations that are not expected to be fully tested, (2) continues to face challenges in implementing information technology (IT) systems, and (3) faces significant cybersecurity risks to its systems and data. Although the Bureau has taken initial steps to address risk, additional actions are needed as these risks could adversely impact the cost, quality, schedule, and security of the enumeration.
Innovations: The Bureau is planning several innovations for the 2020 Census, including allowing the public to respond using the internet. These innovations show promise for controlling costs, but they also introduce new risks, in part, because they have not been used extensively, if at all, in earlier enumerations. As a result, testing is essential to ensure that key IT systems and operations will function as planned. However, citing budgetary uncertainties, the Bureau scaled back operational tests in 2017 and 2018, missing an opportunity to fully demonstrate that the innovations and IT systems will function as intended during the 2020 Census. To manage risk to the census, the Bureau has developed hundreds of mitigation and contingency plans. To maximize readiness for the 2020 Census, it will also be important for the Bureau to prioritize among its mitigation and contingency strategies those that will deliver the most cost-effective outcomes for the census.
Implementing IT systems: The Bureau plans to rely heavily on IT for the 2020 Census, including a total of 52 new and legacy IT systems and the infrastructure supporting them. To help improve its implementation of IT, in October 2018, the Bureau revised its systems development and testing schedule to reflect, among other things, lessons learned during its 2018 operational test. However, GAO's ongoing work has determined that the Bureau is at risk of not meeting near-term IT system development and testing schedule milestones for two upcoming 2020 Census operational deliveries, including address canvassing (i.e., verification of the location of selected housing units). These schedule management challenges may compress the time available for the remaining system development and testing, and increase the risk that systems will not function as intended. It will be important that the Bureau effectively manages IT implementation risk to ensure that it meets near-term milestones for system development and testing, and that it is ready for the major operations of the 2020 Census.
Cybersecurity: The Bureau has established a risk management framework that requires it to conduct a full security assessment for each system expected to be used for the 2020 Census and, if deficiencies are identified, to determine the corrective actions needed to remediate those deficiencies. As of March 2019, the Bureau had over 500 corrective actions from its security assessments that needed to be addressed, including nearly 250 that were considered “high-risk” or “very high-risk.” However, of these 250 corrective actions, the Bureau identified 115 as being delayed. Further, 70 of the 115 were delayed by 60 or more days. According to the Bureau, these corrective actions were delayed due to technical challenges or resource constraints. Resolving identified vulnerabilities within the Bureau's established time frames can help reduce the risk that unauthorized individuals may exploit weaknesses to gain access to sensitive information and systems.
To its credit, the Bureau is also working with the Department of Homeland Security (DHS) to support its 2020 Census cybersecurity efforts. For example, DHS is helping the Bureau ensure a scalable and secure network connection for the 2020 Census respondents and to strengthen its response to potential cyber threats. During the last 2 years, as a result of these activities, the Bureau has received 17 recommendations from DHS to improve its cybersecurity posture. However, the Bureau lacks a formal process for tracking and completing corrective actions for these recommendations, which would help to ensure that DHS's efforts result in improvements to the Bureau's cybersecurity posture.
In addition to addressing risks which could affect innovations and the security of the enumeration, the Bureau has the opportunity to improve its cost estimating process for the 2020 Census, and ultimately the reliability of the estimate itself, by reflecting best practices. In October 2017, the 2020 Census life-cycle cost estimate was updated and is now projected to be $15.6 billion, a more than $3 billion (27 percent) increase over its earlier estimate. GAO reported in August 2018 that although the Bureau had taken steps to improve its cost estimation process for 2020, it needed to implement a system to track and report variances between actual and estimated cost elements. According to Bureau officials, they plan to release an updated version of the 2020 Census life-cycle estimate in the spring of 2019. To ensure that future updates to the life-cycle cost estimate reflect best practices, it will be important for the Bureau to implement GAO's recommendation related to the cost estimate.
Over the past decade, GAO has made 97 recommendations specific to the 2020 Census to help address these risks and other concerns. Commerce has generally agreed with these recommendations and has taken action to address many of them. However, as of April 2019, 24 of the recommendations had not been fully implemented. Of the 24 open recommendations, 11 were directed at improving the implementation of the innovations for the 2020 Census. To ensure a cost-effective enumeration, it will be important for the Bureau to address these recommendations.
Why GAO Did This Study
The Bureau, a component of the Department of Commerce (Commerce), is responsible for conducting a complete and accurate decennial census of the U.S. population. The decennial census is mandated by the Constitution and provides vital data for the nation. A complete count of the nation's population is an enormous undertaking as the Bureau seeks to control the cost of the census, implement operational innovations, and use new and modified IT systems. In recent years, GAO has identified challenges that raise serious concerns about the Bureau's ability to conduct a cost-effective count. For these reasons, GAO added the 2020 Census to its High-Risk list in February 2017.
GAO was asked to testify about the reasons the 2020 Census remains on the High-Risk List and the steps the Bureau needs to take to mitigate risks to a successful census. To do so, GAO summarized its prior work regarding the Bureau's planning efforts for the 2020 Census. GAO also included preliminary observations from its ongoing work examining the IT systems readiness and cybersecurity for the 2020 Census. This information is related to, among other things, the Bureau's progress in developing and testing key systems and the status of cybersecurity risks.
GAO is making two recommendations to the Bureau to (1) better ensure that cybersecurity weaknesses are addressed within prescribed time frames, and (2) improve its process for addressing cybersecurity weaknesses identified by DHS.
Recommendations for Executive Action
Department of Commerce
Priority Rec. The Secretary of Commerce should direct the Director of the Census Bureau to direct the Census Bureau's Chief Information Officer (CIO) to take steps to ensure that identified corrective actions for cybersecurity weaknesses are implemented within prescribed time frames. (Recommendation 1)
The Secretary of Commerce agreed to this recommendation and the Bureau has implemented it. For example, the Bureau has implemented a dashboard to track their progress in implementing corrective actions for cybersecurity weaknesses, changed the way they resolve corrective actions, and held briefings to discuss open corrective actions that have been delayed. Further, the Bureau's Chief Information Officer prioritized the implementation of corrective actions for cybersecurity weaknesses. As a result of the Bureau's actions, the Bureau has successfully implemented corrective actions for cybersecurity weaknesses within prescribed timeframes, and as of January 2022 had zero delayed open corrective actions, including for those considered to be "high" or "very high" risk.
Department of Commerce
Priority Rec. The Secretary of Commerce should direct the Director of the Census Bureau to direct the Bureau's CIO to implement a formal process for tracking and executing appropriate corrective actions to remediate cybersecurity weaknesses identified by DHS, and expeditiously address the identified deficiencies. (Recommendation 2)
The Secretary of Commerce agreed with our recommendation and has taken steps to implement it. Specifically, beginning in November 2019, the U.S. Census Bureau (Bureau) established a formal recommendation tracking mechanism to monitor the status of their activities to remediate cybersecurity findings identified by the Department of Homeland Security (DHS). As of October 2020, this tracking mechanism included key information for all of the Bureau's remediation activities, such as the source of each recommendation, a description of the remediation activities needed to complete each recommendation, the completion status of each recommendation, and estimated completion dates for all remediation activities. As a result of the Bureau's efforts to implement a formal recommendation tracking mechanism, the Bureau is better positioned to expeditiously address cybersecurity findings identified by DHS, and as of December 2020, has completed a majority of the remediation activities to close DHS recommendations.