Continued Challenges in Implementing and Securing IT Systems for the 2020 Census

The government’s watchdog agency was recently asked to testify on the Census Bureau’s progress in preparing for the 2020 Census. In response, a report was released with analysis from the ongoing 2018 End-to-End test as well as insight into the Bureau’s planning for the decennial survey. The GAO found risks in both the agency’s control costs as well as decisions to scale back originally planned testing. However, the GAO also found that there remains challenges in implementing and securing key IT systems to be used for the 2020 Census. In particular, difficulties exist in the Census Bureau’s efforts to manage testing and development schedules, governance over contracts and costs. Lastly, the GAO found that the Bureau has not addressed key security risks in order to protect its systems and data.

Scheduling Management

In review of the systems used for the 2018 tests, the GAO discovered that as of April 2018, 30 of the 44 systems had completed all development activities and only 8 of the 44 systems had completed all testing (system and integration) activities. Moreover, many of the systems are designated to perform under several operations for the End-to-End Test. As such, the GAO found that the Bureau completed the development and testing for all systems in 9 of the 14 operations. Due to challenges the agency has come across during systems development, many IT milestone dates have been pushed, causing the Bureau to have reduced time available to conduct final security reviews and approvals for the systems being used. The Office of Information Security at the Census Bureau originally anticipated 6 to 8 weeks to perform security assessments for each system. However, with a more compressed schedule to date, the office will only have 5 to 8 days to complete certain assessments. The below table provided by the GAO reveals the development and testing status for systems involved in End-to-End Test operations as of April 2018:

Contract Management

The GAO also found issues in the agency’s abilities to manage contractor support for the Census. Contractor support is being used in a variety of functions for the 2020 Census, from providing the IT platform to collect data from internet and phone responses to providing the devices used by enumerators in non-response follow-ups. Notably, the bureau is depending on a technical integration contractor to integrate key systems and infrastructure for the decennial event. Unfortunately, the GAO found that a lack of staffing and resources is unavailable to oversee the integration contractor. Specifically, 34 of the 58 employee positions within the governing office were vacant as of February 2018, resulting in concern over the cost, schedule and performance of the contractor.

IT Cost Growth

In an October 2015 cost estimate, the Census Bureau estimated that total IT costs for the 2020 Census from FY 2012 through FY 2023 would be $3.41B. In an updated cost estimate from December 2017, the Bureau revealed that IT costs had grown to $4.97B. The $1.56B increase is largely due to costs associated with the CEDCaP program as well as cost overruns in certain IT contracts such as technical integration and mobile devices. GAO provides the breakdown by category of the IT costs within the bureau’s latest cost estimate:

Governance and Internal Coordination

In one of few instances of praise by the GAO, oversight and governance over the 2020 Census has improved. The GAO found that Bureau officials have begun meeting with the Secretary of Commerce on a monthly basis and with the Under Secretary of Commerce for Economic Affairs on a weekly basis to provide status updates on the 2020 Census. Furthermore, the Commerce Acting CIO has been keeping watch over the Census Bureau’s IT system readiness. Two new assistant directors within the Decennial Directorate were also recently installed to oversee different aspects of the 2020 Census program. Lastly, the GAO found that the Census Bureau CIO will be part of a governance board to oversee all of the operations and technology for the 2020 Census to ensure continued monitoring and control of IT costs, schedules and performance.

Information Security

As previously discussed, the Census Bureau needed to complete critical steps to secure its information systems and data for the 2018 tests. According to the bureau’s risk management framework, each of the 44 systems for the 2018 test must have complete security documentation and approved authorization to operate. However, the GAO found that:

• 6 of the 44 systems are fully authorized to operate through the completion of the End-to-End Test
• 32 systems have current authorization to operate but will need to be reauthorized before completion of the 2018 test due to additional development work planned for those systems
• 6 systems have not yet obtained any authorization to operate

In addition to the compressed time frame for development and testing of systems, the GAO found that the Census Bureau has “not finalized all of the security controls to be implemented; assessed those controls; developed plans to remediate control weaknesses; and determined whether there is time to fully remediate any deficiencies before the systems are needed for the test.”