The ability to answer the 2020 decennial count online has the Government Accountability Office taking a hard look at how the Census Bureau plans to safeguard the personally identifiable information (PII) of hundreds of millions of households from cyber attacks.
In its latest review, GAO found that Census, as of June, had reported 3,100 security weaknesses “that need to be addressed in the coming months.”
“Because the 2020 Census involves collecting personal information from over a hundred million households across the country, it will be important that the Bureau addresses system security weaknesses in a timely manner and ensures that risks are at an acceptable level before systems are deployed,” GAO wrote in the report it released Thursday.
Census considers 43 of those weaknesses “very high risk” or “high risk.” In addition, the agency told GAO that 2,700 of those weaknesses were linked to IT infrastructure components being developed by its technical integration contractor, T-Rex Solutions.
“While the large-scale technological changes (such as Internet self-response) increase the likelihood of efficiency and effectiveness gains, they also introduce many cybersecurity challenges,” GAO wrote.
The agency also faces challenges staffing the program management office that oversees the contractor’s integration efforts. In June, Census told GAO that 33 of the office’s 58 positions were vacant, and that it had made only two new hires since October 2017.
“These vacancies increase the risk that the program management office may not be sufficiently staffed to provide adequate oversight of contractor cost, schedule, and performance,” GAO wrote.
Shrinking security tests from weeks to days
GAO reports that system development and testing delays have forced Census to shrink the window of time it has scheduled for security reviews and final approval.
The Office of Information Security originally planned to allow at least six to eight weeks to perform security assessments for each system. However, given the compressed time frames, GAO found that in some cases, Census officials have had only five to eight days to complete assessments.
“This resulted in systems being deployed before the security of all system components were assessed,” GAO wrote. “We concluded that, going forward, it would be important for these security assessments to be completed in a timely manner and that risks be at an acceptable level before the systems are deployed.”
Census has completed security assessments on 33 of the 44 IT systems needed to support the 2018 End-to-End Test in Providence County, Rhode Island. Another eight systems have gotten authorization from the agency but will need re-authorization due to “significant planned development or changes to the infrastructure environment,” like moving a system from a data center to the cloud.
Earlier this month, Census Chief Information Officer Kevin Smith gave an in-depth look at how the agency plans to defend against internal and external cyber threats during a quarterly program management review.
While Census expects to handle 95 percent of its cybersecurity concerns through commercially available industry solutions, Smith said the agency is working with the Department of Homeland Security and members of the intelligence community to guard against new threats.
GAO raises questions over Census IT costs
GAO added the 2020 count to its list of high-risk government programs in 2017. Since then, the oversight agency has raised “serious concerns about the Bureau’s ability to conduct a cost-effective count of the nation.”
Between October 2015 and December 2017, the agency’s cost estimate for IT grew from $3.41 billion to nearly $5 billion. Census and GAO said the need for more technical integration services and updated costs for its mobile devices contract played a significant role in the rising cost of IT.
“The amount of cost growth since the October 2015 estimate raises questions as to whether the Bureau has a complete understanding of the IT costs associated with the 2020 Census,” GAO wrote.
In the 2018 field test and the 2020 count, agency enumerators will use iPhones to record information when they go door-to-door to follow up with households. But those employees have encountered some touchscreen trouble with the devices.
“More specifically, in certain cases, the mobile device application did not identify that the enumerator had made a selection on the touch screen until after the enumerator attempted to select it multiple times,” GAO wrote.
In a statement to GAO, Commerce Secretary Wilbur Ross said the agency “has no substantive disagreements” with the report’s findings.
“While we agree that much work remains to prepare and implement our information technology (IT) systems for the 2020 census, we appreciate GAO’s recognition of the substantial progress we have made over the past year as a result of increased management focus in the areas of cost estimation, scheduling, IT security, contract management, and governance,” Ross said.