First-ever online census lags on tech issues

Plans for a first-ever online census are lagging on IT readiness, a government watchdog says, and there's still work to do securing systems and data.

The Government Accountability Office pointed to schedule management, contract oversight, growing IT costs and cybersecurity as risk areas facing the bureau as it transitions from dress rehearsal to the main event.

"Given the schedule delays and cost increases previously mentioned, and the vast amount of development, testing, and security assessments left to be completed, we remain concerned about executive-level oversight of systems and security," auditors wrote.

Around the beginning of the 2018 end-to-end test, the bureau delayed some scheduled IT delivery dates, which led to systems that "subsequently experienced problems during the end-to-end test," GAO noted.

The bureau is relying on contractor support to deliver many of its tech capabilities for the 2020 count. As of June 2018, 33 of the bureau's 58 positions in its government program management office were vacant. In October 2017, GAO reported this office had 35 vacancies.

On IT costs, the bureau currently estimates it will spend $4.97 billion over the lifecycle of the census. In the past, GAO has knocked Census for unreliable cost estimates, and stated it is reviewing the reliability of this estimate.

And while the bureau has recently made public efforts to quell concerns over data security and possible cyber threats, GAO highlighted outstanding work needed to shore up cybersecurity.

The large-scale technology changes and the vast collection of personal information "introduce many cybersecurity challenges," auditors noted.

GAO identified about 3,100 "security weaknesses" Census needs to address — 43 of which "were considered 'very high risk' or 'high risk' weaknesses." Around 2,700, "were related to the infrastructure components being developed by the technical integration contractor," which, along with the bureau, are "currently working to address these" weaknesses.

Auditors also noted that, as of June 2018, because systems used in the end-to-end test and the decennial count "are not yet fully developed, the bureau has not finalized all of the security controls to be implemented; assessed those controls; developed plans to remediate control weakness; and determined whether there is time to fully remediate any deficiencies before the systems are needed for the test."

GAO did not make new recommendations in the report, but noted the bureau has yet to fully implement 32 of a total 93 recommendations made over the past decade.

Commerce Secretary Wilbur Ross responded to the findings, saying the department has "no substantive disagreements with the findings in the report."

He did, however, note updates that have taken place since GAO conducted its review in June. He said that now, all but one of the 44 systems used in the 2018 test have passed security authorizations, and the final one is expected to be completed before October.

Additionally, he pointed out Census is working with the intelligence community and the private sector on cybersecurity and that the bureau now holds "a weekly meeting where decennial senior leadership meets to review contract performance status."

Steven Dillingham, the White House's pick to take over as permanent Census director, still awaits Senate confirmation.