What GAO Found
The 2020 Decennial Census is on GAO’s list of high-risk programs primarily because the Department of Commerce’s Census Bureau (Bureau) (1) is using innovations that are not expected to be fully tested, (2) continues to face challenges in implementing information technology (IT) systems, and (3) faces significant cybersecurity risks to its systems and data. Although the Bureau has taken initial steps to address risk, additional actions are needed as these risks could adversely impact the cost, quality, schedule, and security of the enumeration.
Innovations. The Bureau is planning several innovations for the 2020 Census, including allowing the public to respond using the internet. These innovations show promise for controlling costs, but they also introduce new risks, in part, because they have not been used extensively, if at all, in earlier enumerations. As a result, testing is essential to ensure that key IT systems and operations will function as planned. However, citing budgetary uncertainties, the Bureau scaled back operational tests in 2017 and 2018, missing an opportunity to fully demonstrate that the innovations and IT systems will function as intended during the 2020 Census. To manage risk to the census, the Bureau has developed hundreds of mitigation and contingency plans. To maximize readiness for the 2020 Census, it will also be important for the Bureau to prioritize among its mitigation and contingency strategies those that will deliver the most cost-effective outcomes for the census.
Implementing IT systems. The Bureau plans to rely heavily on IT for the 2020 Census, including a total of 52 new and legacy IT systems and the infrastructure supporting them. To help improve its implementation of IT, in October 2018, the Bureau revised its systems development and testing schedule to reflect, among other things, lessons learned during its 2018 operational test. However, GAO’s ongoing work has determined that the Bureau is at risk of not meeting near-term IT system development and testing schedule milestones for five upcoming 2020 Census operational deliveries, including self-response (e.g., the ability to respond to the 2020 Census through the internet). These schedule management challenges may compress the time available for the remaining system development and testing, and increase the risk that systems will not function as intended. It will be important that the Bureau effectively manages IT implementation risk to ensure that it meets near-term milestones for system development and testing, and that it is ready for the major operations of the 2020 Census.
Cybersecurity. The Bureau has established a risk management framework that requires it to conduct a full security assessment for nearly all the systems expected to be used for the 2020 Census and, if deficiencies are identified to determine the corrective actions needed to remediate those deficiencies. As of the end of May 2019, the Bureau had over 330 corrective actions from its security assessments that needed to be addressed, including 217 that were considered “high-risk” or “very high-risk.” However, of these 217 corrective actions, the Bureau identified 104 as being delayed. Further, 74 of the 104 were delayed by 60 or more days. According to the Bureau, these corrective actions were delayed due to technical challenges or resource constraints. GAO recently recommended that the Bureau take steps to ensure that identified corrective actions for cybersecurity weaknesses are implemented within prescribed time frames. Resolving identified vulnerabilities more timely can help reduce the risk that unauthorized individuals may exploit weaknesses to gain access to sensitive information and systems.
To its credit, the Bureau is also working with the Department of Homeland Security (DHS) to support its 2020 Census cybersecurity efforts. For example, DHS is helping the Bureau ensure a scalable and secure network connection for the 2020 Census respondents and to strengthen its response to potential cyber threats. During the last 2 years, as a result of these activities, the Bureau has received 42 recommendations from DHS to improve its cybersecurity posture. GAO recently recommended that the Bureau implement a formal process for tracking and executing appropriate corrective actions to remediate cybersecurity findings identified by DHS. Implementing the recommendation would help better ensure that DHS’s efforts result in improvements to the Bureau’s cybersecurity posture.
In addition to addressing risks which could affect innovations and the security of the enumeration, the Bureau has the opportunity to improve its cost estimating process for the 2020 Census, and ultimately the reliability of the estimate itself, by reflecting best practices. In October 2017, the 2020 Census life-cycle cost estimate was updated and is now projected to be $15.6 billion, a more than $3 billion (27 percent) increase over its earlier estimate. GAO reported in August 2018 that although the Bureau had taken steps to improve its cost estimation process for 2020, it needed to implement a system to track and report variances between actual and estimated cost elements. According to Bureau officials, they planned to release an updated version of the 2020 Census life-cycle estimate in the spring of 2019; however, they released the update on July 15, 2019. GAO will review the released documentation to see whether the revised estimate will address the recommendations. To ensure that future updates to the life-cycle cost estimate reflect best practices, it will be important for the Bureau to implement GAO’s recommendation related to the cost estimate.
Over the past decade, GAO has made 107 recommendations specific to the 2020 Census to help address these risks and other concerns. The Department of Commerce has generally agreed with these recommendations and has taken action to address many of them. However, as of July 2019, 32 of the recommendations had not been fully implemented. While all 32 open recommendations are important for a high-quality and cost-effective enumeration, 10 are directed at managing the risks introduced by the Bureau’s planned innovations for the 2020 Census. To ensure a high-quality and cost-effective enumeration, it will be important for the Bureau to address these recommendations.
Why GAO Did This Study
The Bureau is responsible for conducting a complete and accurate decennial census of the U.S. population. The decennial census is mandated by the Constitution and provides vital data for the nation. A complete count of the nation’s population is an enormous undertaking as the Bureau seeks to control the cost of the census, implement operational innovations, and use new and modified IT systems. In recent years, GAO has identified challenges that raise serious concerns about the Bureau’s ability to conduct a cost-effective count. For these reasons, GAO added the 2020 Census to its High-Risk list in February 2017.
GAO was asked to testify about the reasons the 2020 Census remains on the High-Risk List and the steps the Bureau needs to take to mitigate risks to a successful census. To do so, GAO summarized its prior work regarding the Bureau’s planning efforts for the 2020 Census. GAO also included preliminary observations from its ongoing work examining the IT systems readiness and cybersecurity for the 2020 Census. This information is related to, among other things, the Bureau’s progress in developing and testing key systems and the status of cybersecurity risks.
What GAO Recommends
Over the past decade, GAO has made 107 recommendations specific to the 2020 Census to help address issues raised in this and other products. The Department of Commerce has generally agreed with the recommendations. As of July 2019, 32 of the recommendations had not been fully implemented.
For more information, contact Robert Goldenkoff at (202) 512-2757 or email@example.com and Nick Marinos at (202) 512-9342 or by email at firstname.lastname@example.org.