Census Needs to Prioritize IT-Related Decisions Sooner for 2030 Says GAO

Though it feels like the 2020 Census count just ended, the Census Bureau is already focused on the next decadal survey. The federal government’s oversight agency is also paying attention to the 2030 count. In a report issued last week, the GAO names several lessons learned from the 2020 count, urging the Census Bureau to take immediate action to avoid the same hiccups for 2030.

Among the lessons identified from the 2020 Census, the GAO found that the Census Bureau must improve research and testing activities to reduce risk to the 2030 Census. Additionally, the GAO found that the federal agency must progress in matters of IT development, privacy and cybersecurity.

Timing of IT-Related Decisions Directly Impacts Schedule, Scope and Cost

For the 2020 Census, the agency implemented an IT modernization initiative called CEDCaP, an enterprise-wide system delivery of all the agency’s survey data collection and processing functions. Nonetheless, schedule and cost issues arose surrounding CEDCaP as the agency delayed key decisions for the program prior to the 2020 Census. Specifically, decisions around building or buying CEDCaP capabilities were not made until May 2016, which affected the timeline to develop, test and integrate the system before 2018 testing. Moreover, delays caused the Census Bureau to limit the scope of the CEDCaP program, applying it only to the systems needed for the 2020 Census, and lacking delivery of enterprise-wide capabilities.

Furthermore, delayed IT decisions caused challenges in controlling IT costs for the 2020 Census program. For example, the bureau made the decision to award a technical integration contract for $866M, after the agency’s October 2015 original cost estimate. In 2017, the Bureau also changed its mind on mobile device capabilities for enumerators. Ultimately, IT cost estimates grew 45% from what was originally anticipated, from $3.4B in October 2015 to almost $5B in December 2017.  

Lessons learned? The GAO urges the Census Bureau to prioritize and make key IT-related decisions early on in the 2030 Census process to avoid schedule, scope and cost risks.

Communication and Schedule is Key in Differential Privacy         

The 2020 Census was the first time the agency used differential privacy to protect survey respondent data in publicly released statistical products. However, the agency ran into some challenges in implementing the new methodology for personally identifiable information. With the change in privacy processes, the Census Bureau was responsible for providing information on its use of differential privacy to the public. However, while the agency held webinars and used its website as a communication platform, it did not explain how it would apply differential privacy to data sets and the effects of differential privacy, making it difficult for data users to understand the change. Additionally, differential privacy implementation was delayed by the COVID-19 pandemic, with decisions on the matter coming six months later than anticipated. The delay also caused challenges in developing firm time frames for disclosure avoidance-related activities in future 2020 Census data products.

Lessons learned? The Census Bureau must demonstrate improved communication with data users about differential privacy, as well as consider publishing 2020 Census demonstration data products in more useful formats for data users to improve understanding.

Attention to Cybersecurity Risk Mitigation is Critical

The increased use of technology in the 2020 Census led to increased cybersecurity risk in the last decadal count. Due to the compressed time in developing and testing systems for the 2020 Census, (see above on delayed IT decisions) the Census Bureau faced challenges in mitigating cybersecurity risks with compressed security assessments. Moreover, the agency faced challenges in keeping up with, and meeting deadlines for, corrective actions for each weakness identified during security assessments. Given the magnitude of any decennial count, risks in cyber mitigation must be addressed.

Lessons learned? The agency must incorporate lessons learned into cybersecurity plans for the 2030 Census, including methodologies to address identified system weaknesses in a timely and effective manner.

Contractor Implications

Though it seems like there is still some time left before the 2030 Census, contractors should pay attention to the lessons learned identified by the GAO and other oversight bodies as the Census Bureau enters its decision phase for the next count. As the GAO report points out, FY 2022 through FY 2024 is the agency’s “Design Selection Phase,” where activities such as risk management plans, testing and research projects, and major design innovations will be decided on and selected. (Note: FY 2025 through FY 2028 is the agency’s “Development and Integration Phase” for operational plans release, life cycle cost estimates and initial tests of major field operations.) As a member of industry with a potential solution, process or concept for the upcoming decadal count, and given the GAO’s reproach on delayed IT-related decisions, there is no better time than now to approach the Census Bureau for the best chances in contributing to the 2030 Census survey.