With less than a year left until Census Day, the Government Accountability Office (GAO) said that the Census Bureau’s critical census IT systems and its cybersecurity mitigation and contingency plans are high-concern areas among the 360 active risks for the 2020 Census that GAO identified in a report today.
As of December 2018, the Bureau reported having 360 active risks related to the 2020 Census, and a significant majority of those risks were in the areas of systems engineering and integration – which “manages the Bureau’s delivery of an IT ‘System of Systems’ to meet 2020 Census business and capability requirement” – as well as IT infrastructure.
GAO said these risks require mitigation plans to reduce the likelihood of an incident occurring, as well as contingency plans to reduce or recover from the impact of an attack. Although 96 percent of risks had a mitigation plan and 70 percent had a contingency plan, six areas – including cybersecurity and operations and systems integration – had insufficient mitigation and contingency plans that “if not properly managed, could adversely affect the cost and quality of the 2020 Census.”
On the operations and systems front, the Bureau plans to use 52 different IT systems to run 35 operations to support next year’s census. As of February, 39 of the 52 systems still required development work, and 43 required performance and scalability testing. To integrate key systems and infrastructure for the 2020 Census, a technical integration contractor is assisting, but the contractor – who plays a significant role in IT preparations – is not included in mitigation and contingency plans.
Furthermore, the operations and systems integration plans did not include all key activities, as the 2020 Census risk management plan requires; GAO also noted that the risk management plan itself does not describe how the Bureau will monitor risk responses.
“When key activities are not included in risk mitigation and contingency plans, Bureau officials are hampered in their ability to make well-informed decisions regarding the activities employed to manage risks to the 2020 Census, including whether those activities are appropriate or should be changed to better ensure a cost-effective and complete enumeration,” GAO said.
The 2020 Census IT systems – including the internet self-response application, the mobile device applications used for fieldwork, and the data processing and storage systems – are also vulnerable to cybersecurity incidents such as data breaches or denial of service attacks.
Although GAO has flagged 2020 Census cybersecurity as a risk area before, the GAO report added that the Bureau has not included all of its key activities in its cybersecurity mitigation plan to address the 17 cybersecurity recommendations the Department of Homeland Security has issued to the Bureau over the last two years.
For instance, the Bureau updated its mitigation plan in September 2018 to include a new activity that leveraged cyber threat intelligence from other Federal agencies. However, GAO said this is not enough.
“Cyber threat intelligence is just one of several services being performed by outside agencies,” GAO said. “If the Bureau’s plan for mitigating cybersecurity risks to the census omits such key activities, then the Bureau is limited in its ability to track and assess those activities, and to hold individuals accountable for completing activities that could help manage cybersecurity risks.”
GAO issued seven recommendations for the Bureau. These include that the Bureau Director obtain approval of mitigation and contingency plans for all risks, set timeframes for developing the plans and managing their approval, track progress on risk management plan updates, hold risk owners accountable for carrying out their risk management responsibilities, and update the Bureau’s antifraud strategy.
The Commerce Department, the Bureau’s parent agency, agreed with GAO’s findings and recommendations and said it will address them.