GAO Fears Cyber Weaknesses in 2020 Census Systems

Published: May 01, 2019

CENSUSCybersecurityGovernment PerformanceInformation Technology

In its latest audit of the 2020 Census, GAO adds two more recommendations to improve the Bureau’s cybersecurity efforts.

With less than a year to go from the start of the 2020 Census, the GAO is keeping a close watch on what promises to be the most innovative decennial count yet. Dubbed as one of its “high risk” programs, the GAO recently issued a report on the progress made in the risks related to the execution of the 2020 Census.  

Conduction of the upcoming census will be vastly different, partly due to an online response option for households and mobile device use by enumerators during non-response follow-up visits. Among other things, these changes call for a new set of IT applications and systems. In total, the bureau plans to use 52 IT systems and supporting infrastructure to conduct the 2020 Census.

The Census Bureau is heavily relying on contractor support to help develop a number of these systems, including the IT platform to be used in collecting data from households responding by phone or internet. Contractors are also responsible for the IT and telecommunications hardware in field offices and providing device-as-a-service capabilities in non-response follow-ups. Moreover, the Census Bureau is relying on a systems integration contractor to merge all key systems and infrastructure for the count.

In connection with preparations for the survey, the GAO reviewed the readiness of the agency’s IT systems for the 2020 Census by sorting through documentation on the planning and status of system development and testing. Moreover, GAO conducted reviews on security assessments and reports prepared by the Census Bureau and its federal partners.

Findings – IT Systems

Further IT development and testing must be done before the 2020 Census. Specifically, added functionalities absent from the End-to-End test, scaling system performance to support the number of respondents during the survey and addressing system defects identified during the 2018 test, make further testing and development even more critical. As a result, in October 2018, the Census Bureau organized a new development and testing schedule for its 52 systems and under 16 operational deliveries. Each of the operational deliveries have milestone dates for development, performance and scalability testing, and system deployment.

As of April 2019, the GAO found that six systems anticipated for use in two operational deliveries were at risk of not meeting milestone dates. The six systems would be needed in areas such as field assignment management and worker performance tracking during address canvassing, data collection during operations, business and support automation, and customer support for self-responses. The compressed time frame that these six system face pose even further risk as bureau officials will need to quickly finalize plans and decisions for the infrastructure related to the systems.

Findings - Cybersecurity Risks

In preparations leading up to the 2020 Census, the bureau has faced repeated cyber challenges related to completing security assessments, addressing security weaknesses, and resolving cybersecurity recommendations from DHS, among various other cyber concerns.

In its report, the GAO found that the bureau still faces reauthorization hurdles for various systems:

  • 14 of the 52 systems have authorization to operate and will not need to be reauthorized before they are used in the 2020 Census
  • 32 of the 52 systems have authorization to operate and may need to be reauthorized before they are used in the 2020 Census
  • Six of the 52 systems do not have authorization to operate and will need to be authorized before they are used in the 2020 Census

Moreover, as of March 2019, the GAO found that the Census Bureau still had 500 open plan of actions and milestones (POA&Ms) identified in security assessment activities, 247 of which are considered “high risk” or “very high risk.” Out of the 247, 115 POA&Ms are delayed, with 70 missing their scheduled completion dates by 60 or more days.

In terms of its coordination with DHS to ensure scalable and secure network connections for 2020 Census respondents and to improve its cybersecurity posture, the Census Bureau has only addressed a small handful of recommendations from DHS, with 13 out of 17 recommendations remaining to help strengthen cyber efforts.  

Other cyber challenges the GAO directs the agency to mitigate include, potential instances of phishing and disinformation on social media, protection of personal identifiable information, ensuring control within a cloud environment, and emphasis on contingency planning and incident response for all IT system used to support the 2020 Census.

Recommendations

All in all, the GAO has made 97 recommendations related to the 2020 Census, with 24 that remain open. Additionally, due to the GAO’s latest findings in cyber risks, the watchdog adds two more recommendations for the Census Bureau to further cybersecurity efforts related to the count:

  • Take steps to ensure that identified corrective actions for cybersecurity weaknesses are implemented within prescribed time frames.
  • Implement a formal process for tracking and executing appropriate corrective actions to remediate cybersecurity weaknesses identified by DHS, and expeditiously address the identified deficiencies