The 2020 Census Faces Challenges: Information Security

Published: November 15, 2017

CENSUSCybersecurityInformation Technology

The Census Bureau needs to complete critical steps in information security for the 2018 dress rehearsal before the decennial census.

The Census Bureau under the Department of Commerce recently came under fire once again for the 2020 Census, this time for issues ranging from procurement to information security. The upcoming count is being defined by numerous changes including automated collection methods, an internet-self response option, and use of third party and geographic tools in address lists. However, these changes introduce various information security challenges. Concerns are growing that the bureau may run out of time in developing and testing all of the systems needed for the decennial census. In a GAO report the watchdog found that as of August 2017, only 9%, or 4 out of the 43 systems in the 2018 End-to-End Test, had completed development and testing.

Specifically, the report highlights two security challenges facing the bureau: ensuring personally identifiable information (PII) is appropriately accessed and completing security assessments in time with acceptable risk levels.

The first challenge is particularly significant since 77% of the 43 systems for the census contain PII. The Census Bureau’s risk management framework calls for complete security documentation and an approved authorization to operate for each system prior to use in the 2018 End-to-End test. At the time the report was conducted, none of the 43 systems were fully authorized. Although 37 systems had an authorization to operate, all needed to be reauthorized for varying reasons. Meanwhile, two systems had not obtained authorization to operate and the remaining four did not provide the GAO with proper documentation concerning an authorization status.

The bureau to must finalize all of the security controls for the census systems, which entails assessing controls, developing plans to remediate control weaknesses and determining if remediation can be fully implemented before systems are needed for the test. Given this, it is important that enough time is given for complete and sound security tests, however, the GAO fears that shortened time frames will lead to reduced testing for security. According to a statement by GAO Comptroller, Gene Dodaro, “Bureau officials are evaluating options to decrease the impact of these delays on integration testing and security review activities by, for example, utilizing additional staff.”

Commerce’s Secretary, Wilbur Ross, testified at a Senate committee hearing that the bureau is working with other agencies including the intelligence community to secure census systems. In fact, Ross stated that 39 cybersecurity tools have been put in place through contracts with 24 considered upgrades from the last census. In his opening testimony, Ross stated that as of the end of October 2017, 24 systems had been developed and tested and fully integrated into 2020 operations with an Authority to Operate. The remaining systems are currently scheduled for deployment in the spring.