United States Government Accountability Office Testimony Before the Subcommittee on Commerce Justice Science and Related Agencies Committee on Appropriations House of Representatives For Release on Delivery Expected at 10 00 a m ET Tuesday April 30 2019 2020 CENSUS Further Actions Needed to Reduce Key Risks to a Successful Enumeration Statement of Robert Goldenkoff Director Strategic Issues and Nick Marinos Director Information Technology and Cybersecurity GAO-19-431T April 30 2019 2020 CENSUS Further Actions Needed to Reduce Key Risks to a Successful Enumeration Highlights of GAO-19-431T a testimony before the Subcommittee on Commerce Justice Science and Related Agencies Committee on Appropriations House of Representatives Why GAO Did This Study What GAO Found The Bureau a component of the Department of Commerce Commerce is responsible for conducting a complete and accurate decennial census of the U S population The decennial census is mandated by the Constitution and provides vital data for the nation A complete count of the nation’s population is an enormous undertaking as the Bureau seeks to control the cost of the census implement operational innovations and use new and modified IT systems In recent years GAO has identified challenges that raise serious concerns about the Bureau’s ability to conduct a cost-effective count For these reasons GAO added the 2020 Census to its High-Risk list in February 2017 The 2020 Decennial Census is on GAO’s list of high-risk programs primarily because the Census Bureau Bureau 1 is using innovations that are not expected to be fully tested 2 continues to face challenges in implementing information technology IT systems and 3 faces significant cybersecurity risks to its systems and data Although the Bureau has taken initial steps to address risk additional actions are needed as these risks could adversely impact the cost quality schedule and security of the enumeration GAO was asked to testify about the reasons the 2020 Census remains on the High-Risk List and the steps the Bureau needs to take to mitigate risks to a successful census To do so GAO summarized its prior work regarding the Bureau’s planning efforts for the 2020 Census GAO also included preliminary observations from its ongoing work examining the IT systems readiness and cybersecurity for the 2020 Census This information is related to among other things the Bureau’s progress in developing and testing key systems and the status of cybersecurity risks • Innovations The Bureau is planning several innovations for the 2020 Census including allowing the public to respond using the internet These innovations show promise for controlling costs but they also introduce new risks in part because they have not been used extensively if at all in earlier enumerations As a result testing is essential to ensure that key IT systems and operations will function as planned However citing budgetary uncertainties the Bureau scaled back operational tests in 2017 and 2018 missing an opportunity to fully demonstrate that the innovations and IT systems will function as intended during the 2020 Census To manage risk to the census the Bureau has developed hundreds of mitigation and contingency plans To maximize readiness for the 2020 Census it will also be important for the Bureau to prioritize among its mitigation and contingency strategies those that will deliver the most cost-effective outcomes for the census • Implementing IT systems The Bureau plans to rely heavily on IT for the 2020 Census including a total of 52 new and legacy IT systems and the infrastructure supporting them To help improve its implementation of IT in October 2018 the Bureau revised its systems development and testing schedule to reflect among other things lessons learned during its 2018 operational test However GAO’s ongoing work has determined that the Bureau is at risk of not meeting near-term IT system development and testing schedule milestones for two upcoming 2020 Census operational deliveries including address canvassing i e verification of the location of selected housing units These schedule management challenges may compress the time available for the remaining system development and testing and increase the risk that systems will not function as intended It will be important that the Bureau effectively manages IT implementation risk to ensure that it meets near-term milestones for system development and testing and that it is ready for the major operations of the 2020 Census • Cybersecurity The Bureau has established a risk management framework that requires it to conduct a full security assessment for each system expected to be used for the 2020 Census and if deficiencies are identified to determine the corrective actions needed to remediate those deficiencies As of March 2019 the Bureau had over 500 corrective actions from its security assessments that needed to be addressed including nearly 250 that were considered “high-risk” or “very high-risk ” However of these 250 corrective actions the Bureau identified 115 as being delayed Further 70 of the 115 were delayed by 60 or more days According to the Bureau these corrective What GAO Recommends GAO is making two recommendations to the Bureau to 1 better ensure that cybersecurity weaknesses are addressed within prescribed time frames and 2 improve its process for addressing cybersecurity weaknesses identified by DHS View GAO-19-431T For more information contact Robert Goldenkoff at 202 512-2757 or by email at goldenkoffr@gao gov and Nick Marinos at 202 512-9342 or by email at marinosn@gao gov United States Government Accountability Office Further Actions Needed to Reduce Key Risks to a Successful Enumeration actions were delayed due to technical challenges or resource constraints Resolving identified vulnerabilities within the Bureau’s established time frames can help reduce the risk that unauthorized individuals may exploit weaknesses to gain access to sensitive information and systems To its credit the Bureau is also working with the Department of Homeland Security DHS to support its 2020 Census cybersecurity efforts For example DHS is helping the Bureau ensure a scalable and secure network connection for the 2020 Census respondents and to strengthen its response to potential cyber threats During the last 2 years as a result of these activities the Bureau has received 17 recommendations from DHS to improve its cybersecurity posture However the Bureau lacks a formal process for tracking and completing corrective actions for these recommendations which would help to ensure that DHS’s efforts result in improvements to the Bureau’s cybersecurity posture In addition to addressing risks which could affect innovations and the security of the enumeration the Bureau has the opportunity to improve its cost estimating process for the 2020 Census and ultimately the reliability of the estimate itself by reflecting best practices In October 2017 the 2020 Census life-cycle cost estimate was updated and is now projected to be $15 6 billion a more than $3 billion 27 percent increase over its earlier estimate GAO reported in August 2018 that although the Bureau had taken steps to improve its cost estimation process for 2020 it needed to implement a system to track and report variances between actual and estimated cost elements According to Bureau officials they plan to release an updated version of the 2020 Census life-cycle estimate in the spring of 2019 To ensure that future updates to the life-cycle cost estimate reflect best practices it will be important for the Bureau to implement GAO’s recommendation related to the cost estimate Over the past decade GAO has made 97 recommendations specific to the 2020 Census to help address these risks and other concerns Commerce has generally agreed with these recommendations and has taken action to address many of them However as of April 2019 24 of the recommendations had not been fully implemented Of the 24 open recommendations 11 were directed at improving the implementation of the innovations for the 2020 Census To ensure a cost-effective enumeration it will be important for the Bureau to address these recommendations Page ii GAO-19-431T Highlights Letter Letter Chairman Serrano Ranking Member Aderholt and Members of the Subcommittee We are pleased to be here today to discuss the U S Census Bureau’s Bureau progress in preparing for the 2020 Decennial Census Conducting the decennial census of the U S population is mandated by the Constitution and provides vital data for the nation The information that the census collects is used to apportion the seats of the House of Representatives redraw congressional districts allocate billions of dollars each year in federal financial assistance and provide a social demographic and economic profile of the nation’s people to guide policy decisions at each level of government Further businesses use census data to market new services and products and to tailor existing ones to demographic changes A complete count of the nation’s population is an enormous undertaking The Bureau a component of the Department of Commerce Commerce is seeking to control the cost of the 2020 Census while it implements several innovations and manages the processes of acquiring and developing information technology IT systems In recent years we have identified challenges that raise serious concerns about the Bureau’s ability to conduct a cost-effective count of the nation including issues with the agency’s research testing planning scheduling cost estimation systems development and cybersecurity risk management practices Over the past decade we have made 97 recommendations specific to the 2020 Census to help address these and other concerns Commerce has generally agreed with our recommendations and has made progress in implementing them However 24 of the recommendations had not been fully implemented as of April 2019 although the Bureau had taken initial steps to address many of them and one recommendation has been closed but not implemented We also added the 2020 Decennial Census to our high-risk list in February 2017 and it remains on our high-risk list today 1 As preparations 1 GAO High-Risk Series Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas GAO-19-157SP Washington D C Mar 6 2019 and High-Risk Series Progress on Many High-Risk Areas While Substantial Efforts Needed on Others GAO-17-317 Washington D C Feb 15 2017 GAO maintains a high-risk program to focus attention on government operations that it identifies as high-risk due to their greater vulnerabilities to fraud waste abuse and mismanagement or the need for transformation to address economy efficiency or effectiveness challenges Page 1 GAO-19-431T for the next census continue to ramp up fully implementing our recommendations to address the risks jeopardizing the 2020 Census is more critical than ever At your request our testimony today will describe 1 why the 2020 Decennial Census remains a high-risk area and 2 the steps that Commerce and the Bureau need to take going forward to mitigate the risks jeopardizing a secure and cost-effective census The information in this statement is based primarily on our prior work regarding the Bureau’s planning efforts for 2020 2 For that body of work we reviewed among other things relevant Bureau documentation including the 2020 Census Operational Plan recent decisions on preparations for the 2020 Census and outcomes of key IT milestone reviews In the summer of 2018 we visited the Bureau’s 2018 End-to-End test site in Providence County Rhode Island to observe door-to-door field enumeration during the non-response follow-up an operation where enumerators personally visit to count the household We also discussed the status of our recommendations with Commerce and Bureau staff Other details on the scope and methodology for our prior work are provided in each published report on which this testimony is based In addition we included information in this statement from our ongoing work on the readiness of the Bureau’s IT systems for the 2020 Census Specifically we collected and reviewed documentation on the status and plans for system development and testing and for addressing cybersecurity risk for the 2020 Census This includes the Bureau’s integration and implementation plan memorandums documenting outcomes of security assessments and reports prepared by the Department of Homeland Security DHS for the Bureau on cybersecurity risks We also interviewed relevant agency officials 2 For example GAO 2020 Census Additional Steps Needed to Finalize Readiness for Peak Field Operations GAO-19-140 Washington D C Dec 10 2018 2020 Census Continued Management Attention Needed to Address Challenges and Risks with Developing Testing and Securing IT Systems GAO-18-655 Washington D C Aug 30 2018 2020 Census Bureau Has Made Progress with Its Scheduling but Further Improvement Will Help Inform Management Decisions GAO-18-589 Washington D C July 26 2018 and 2020 Census Actions Needed to Address Challenges to Enumerating Hard-to-Count Groups GAO-18-599 Washington D C July 26 2018 Page 2 GAO-19-431T We provided a copy of the applicable new information that we are reporting in this testimony to the Bureau and DHS for comment on April 12 2019 The Bureau provided technical comments which we addressed as appropriate We conducted the work on which this statement is based in accordance with generally accepted government auditing standards Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives Background As shown in table 1 the cost of counting the nation’s population has been escalating with each decade The 2010 Census was the most expensive in U S history at about $12 3 billion and was about 31 percent more costly than the $9 4 billion 2000 Census in 2020 dollars 3 According to the Bureau the total cost of the 2020 Census in October 2015 was estimated at $12 3 billion and in October 2017 that cost estimate grew to approximately $15 6 billion approximately a $3 billion increase 4 Additionally Bureau officials told us that while the estimated cost of the census had increased to $15 6 billion it was nevertheless managing the 2020 Census to a lower cost of $14 1 billion Bureau officials explained that the $14 1 billion includes all program costs and contingency funds to cover risks and general estimating uncertainty The remaining $1 5 billion estimated cost is additional contingency for “unknown unknowns”—that is low probability events that could cause massive disruptions—and 3 According to the Bureau these figures rely on fiscal year 2020 constant dollar factors derived from the Chained Price Index from “Gross Domestic Product and Deflators Used in the Historical Tables 1940–2020” table from the Fiscal Year 2016 Budget of the United States Government 4 The historical life-cycle cost figures for prior decennials as well as the initial estimate for 2020 provided by Commerce in October 2017 differ slightly from those reported by the Bureau previously According to Commerce documents the more recently reported figures are “inflated to the current 2020 Census time frame fiscal years 2012 to 2023 ” rather than to 2020 constant dollars as the earlier figures had been Specifically since October 2017 Commerce and the Bureau have reported the October 2015 estimate for the 2020 Census as $12 3 billion this is slightly different than the $12 5 billion the Bureau had initially reported Page 3 GAO-19-431T several what-if scenarios such as an increase in the wage rate or additional supervisors needed to manage field operations 5 Table 1 The Cost of Previous Decennial Censuses and the Estimated Cost of the 2020 Census Benchmark Cost Explanation 2000 Census $9 4 billion Final cost of the 2000 Census 2010 Census $12 3 billion Final cost of the 2010 Census 2020 Census estimated cost in October 2015 $12 3 billion Initial cost estimate of the 2020 Census 2020 Census estimated cost in October 2017 $15 6 billion Revised cost estimate of the 2020 Census 2020 Census cost estimate less a portion of contingency funds $14 1 billion Cost estimate the Bureau is managing operations to for the 2020 Census Source GAO analysis of Census Bureau data GAO-19-431T Moreover as shown in figure 1 the average cost for counting a housing unit increased from about $16 in 1970 to around $92 in 2010 in 2020 constant dollars At the same time the return of census questionnaires by mail the primary mode of data collection declined over this period from 78 percent in 1970 to 63 percent in 2010 Declining mail response rates has led to higher costs because the Bureau sends temporary workers to each non-responding household to obtain census data Achieving a complete and accurate census has become an increasingly daunting task in part because the population is growing larger more diverse and more reluctant to participate in the enumeration In many ways the Bureau has had to invest substantially more resources each decade to conduct the enumeration 5 The $15 6 billion cost estimate for the 2020 Census includes a total of $2 6 billion in contingency funds Page 4 GAO-19-431T Figure 1 The Average Cost of Counting Each Housing Unit in 2020 Dollars Has Escalated Each Decade While the Percentage of Mail Response Rates Has Declined In addition to these external societal challenges that make achieving a complete count a daunting task the Bureau also faces a number of internal management challenges that affect its capacity and readiness to conduct a cost-effective enumeration Some of these issues—such as acquiring and developing IT systems and preparing reliable cost estimates—are long-standing in nature At the same time as the Bureau looks toward 2020 it also faces newly emerging and evolving uncertainties For example on March 26 2018 the Secretary of Commerce announced his decision to add a question to the decennial census on citizenship status On January 15 2019 the U S District Court for the Southern District of New York ruled on one of a number of legal challenges to the Secretary’s decision That ruling is being appealed thus leaving the use of the question uncertain The U S Supreme Court is scheduled to begin hearing arguments in April 2019 regarding the addition of the citizenship question to the census form In our prior work we have noted the risks associated with late Page 5 GAO-19-431T changes of any nature to the design of the census if the Bureau is unable to fully test those changes under operational conditions 6 The Bureau also faced budgetary uncertainties that according to the Bureau led to the curtailment of testing in 2017 and 2018 However the Consolidated Appropriations Act 2018 appropriated for the Periodic Censuses and Programs account $2 544 billion which more than doubles the Bureau’s request in the President’s Fiscal Year 2018 Budget of $1 251 billion 7 According to the explanatory statement accompanying the act the appropriation which is available through fiscal year 2020 is provided to ensure the Bureau has the necessary resources to immediately address any issues discovered during operational testing and to provide a smoother transition between fiscal year 2018 and fiscal year 2019 8 The availability of those resources enabled the Bureau to continue preparations for the 2020 Census during the 35 days when appropriations lapsed for the Bureau Moreover the Consolidated Appropriations Act 2019 appropriated for the Periodic Censuses and Programs account $3 551 billion 9 According to Bureau officials this level of funding for fiscal year 2019 is sufficient to carry out 2020 Census activities as planned Importantly the census is conducted against a backdrop of immutable deadlines In order to meet legally mandated reporting requirements census activities need to take place at specific times and in the proper sequence Thus it is absolutely critical for the Bureau to stay on schedule Figure 2 shows some dates for selected decennial events 6 GAO 2010 Census Little Time Remains to Address Operational Challenges GAO-09-408T Washington D C Mar 5 2009 7 Consolidated Appropriations Act 2018 Pub L No 115-141 Division B Title I Mar 23 2018 8 Joint explanatory statement of conference 164 Cong Rec H2045 H2084 daily ed Mar 22 2018 statement of Chairman Frelinghuysen specifically referenced in section 4 of the Consolidated Appropriations Act 2018 Pub L No 115-141 § 4 Mar 23 2018 9 Consolidated Appropriations Act 2019 Pub L No 116-6 Division C Title I Feb 15 2019 Page 6 GAO-19-431T Figure 2 Timeline of Selected Decennial Events a Indicates dates that are mandated by law Page 7 GAO-19-431T The Bureau Has Begun Opening Offices and Hiring Temporary Staff The Bureau has begun to open its area census offices ACO for the 2020 Census It has signed leases for all 248 ACOs of which 39 of the offices will be open for the address canvassing operation set to begin in August 2019 where staff verifies the location of selected housing units The remaining 209 offices will begin opening this fall In 2010 the Bureau opened 494 census offices The Bureau has been able to reduce its infrastructure because it is relying on automation to assign work and to record payroll Therefore there is less paper—field assignments maps and daily payroll forms—to manually process For the 2020 Census the Bureau is refining its recruiting and hiring goals but tentatively plans to recruit approximately 2 24 million applicants and hire nearly 500 000 temporary field staff from that applicant pool for two key operations address canvassing and nonresponse follow-up where they visit households that do not return census forms to collect data in person In 2010 the Bureau recruited 3 8 million applicants and hired 628 000 temporary workers to conduct the address canvassing and nonresponse follow-up field operations According to Bureau officials it has reduced the number of temporary staff it needs to hire because automation has made field operations more efficient and there is less paper As of April 15 2019 for its early operations efforts which includes hiring listers for address canvassing the Bureau has processed approximately 264 000 applicants which represent 128 4 percent of its 205 000 recruiting goal The Bureau is also in the process of hiring approximately 1 500 partnership specialists needed by June 2019 to help increase awareness and participation in the 2020 Census in minority communities and hard-to-reach populations As of April 17 2019 the Bureau has hired 467 partnership specialists and another 329 applicants are waiting to have their background checks completed Moreover Bureau officials also stated that the current economic environment i e the low unemployment rate compared to the economic environment of the 2010 Census has not yet impacted their ability to recruit staff The Bureau will continue to monitor the impact of low unemployment on its ability to recruit and hire at the local and regional levels Page 8 GAO-19-431T The Bureau Plans to Rely Heavily on IT for the 2020 Census For the 2020 Census the Bureau is significantly changing how it intends to conduct the census in part by re-engineering key census-taking methods and infrastructure and making use of new IT applications and systems For example the Bureau plans to offer an option for households to respond to the survey via the internet and enable field-based enumerators 10 to use applications on mobile devices to collect survey data from households To do this the Bureau plans to utilize 52 new and legacy IT systems and the infrastructure supporting them to conduct the 2020 Census A majority of these 52 systems have been tested during operational tests in 2017 and 2018 For example the Bureau conducted its 2018 End-toEnd test which included 44 of the 52 systems and was intended to test all key systems and operations in a census-like environment to ensure readiness for the 2020 Census Nevertheless additional IT development and testing work needs to take place before the 2020 Census Specifically officials from the Bureau’s Decennial Directorate said they expect that the systems will need to undergo further development and testing due to among other things the need to add functionality that was not part of the End-to-End test scale system performance to support the number of respondents expected during the 2020 Census and address system defects identified during the 2018 End-to-End test To prepare the systems and technology for the 2020 Census the Bureau is also relying on significant contractor support For example it is relying on contractors to develop a number of systems and components of the IT infrastructure including the IT platform that is intended to be used to collect data from households responding via the internet and telephone and for non-response follow-up activities Contractors are also deploying the IT and telecommunications hardware in the field offices and providing device-as-a-service capabilities by procuring the mobile devices and cellular service to be used for non-response follow-up 11 10 Enumerators are Census Bureau employees who travel from door-to-door throughout the country to try to obtain census data from individuals who do not respond through other means including the internet on paper or by phone 11 In non-response follow-up if a household does not respond to the census by a certain date the Bureau will send out employees to visit the home The Bureau’s plan is for these enumerators to use a census application on a mobile device provided by the Bureau to capture the information given to them by the in-person interviews Page 9 GAO-19-431T In addition to the development of technology the Bureau is relying on a technical integration contractor to integrate all of the key systems and infrastructure The contractor’s work is expected to include among other things evaluating the systems and infrastructure and acquiring the infrastructure e g cloud or data center to meet the Bureau’s scalability and performance needs integrating all of the systems and assisting with technical performance and scalability and operational testing activities 2020 Census Identified by GAO as a High-Risk Area In February 2017 we added the 2020 Decennial Census as a high-risk area needing attention from Congress and the executive branch 12 This was due to significant risks related to among other things innovations never before used in prior enumerations 13 the acquisition and development of IT systems and expected escalating costs Among other things we reported that the commitment of top leadership was needed to ensure the Bureau’s management culture and business practices align with a cost-effective enumeration We also stressed that the Bureau needed to rigorously test census-taking activities ensure that scheduling adheres to best practices improve its ability to manage develop and secure its IT systems and have better oversight and control over its cost estimation process Our experience has shown that the key elements needed to make progress toward being removed from the High-Risk List are top-level attention by the administration and agency leaders grounded in the five criteria for removal as well as any needed congressional action The five criteria for removal that we identified in November 2000 are as follows 14 Leadership Commitment The agency has demonstrated strong commitment and top leadership support • 12 GAO-17-317 13 The Bureau has fundamentally re-examined its approach for conducting the 2020 Census to help reduce costs To do this the agency plans to use innovations in four broad areas described later in this statement re-engineering field operations using administrative records verifying addresses in-office and developing an Internet selfresponse option 14 GAO Determining Performance and Accountability Challenges and High Risks GAO-01-159SP Washington D C Nov 1 2000 Page 10 GAO-19-431T • Capacity The agency has the capacity i e people and resources to resolve the risk s • Action Plan A corrective action plan exists that defines the root causes and solutions and that provides for substantially completing corrective measures including steps necessary to implement solutions we recommended • Monitoring A program has been instituted to monitor and independently validate the effectiveness and sustainability of corrective measures • Demonstrated Progress The agency has demonstrated progress in implementing corrective measures and in resolving the high-risk area These five criteria form a road map for efforts to improve and ultimately address high-risk issues Addressing some of the criteria leads to progress while satisfying all of the criteria is central to removal from the list As we reported in the March 2019 high-risk report 15 the Bureau’s efforts to address the risks and challenges for the 2020 Census had fully met one of the five criteria for removal from the High-Risk List—leadership commitment—and partially met the other four as shown in figure 3 Additional details about the status of the Bureau’s efforts to address this high-risk area are discussed later in this statement 15 GAO-19-157SP Page 11 GAO-19-431T Figure 3 Status of High-Risk Area for the 2020 Decennial Census as of March 2019 Note Each point of the star represents one of the five criteria for removal from the High-Risk List and each ring represents one of the three designations not met partially met or met An unshaded point at the innermost ring means that the criterion has not been met a partially shaded point at the middle ring means that the criterion has been partially met and a fully shaded point at the outermost ring means that the criterion has been met The 2020 Census Remains High Risk Due to Challenges Facing the Enumeration The 2020 Census is on our list of high-risk programs because among other things 1 innovations never before used in prior enumerations are not expected to be fully tested 2 the Bureau continues to face challenges in implementing IT systems 3 the Bureau faces significant cybersecurity risks to its systems and data and 4 the Bureau’s cost estimate for the 2020 Census was unreliable 16 If not sufficiently addressed these risks could adversely impact the cost and quality of the enumeration Moreover the risks are compounded by other factors that contribute to the challenge of conducting a successful census such as the nation’s increasingly diverse population and concerns over personal privacy 16 GAO-17-317 Page 12 GAO-19-431T Key Risk #1 The Bureau Has Redesigned the Census with the Intent to Control Costs but Has Scaled Back Critical Tests The basic design of the enumeration—mail out and mail back of the census questionnaire with in-person follow-up for non-respondents—has been in use since 1970 However a lesson learned from the 2010 Census and earlier enumerations is that this traditional design is no longer capable of cost-effectively counting the population In response to its own assessments our recommendations and studies by other organizations the Bureau has fundamentally re-examined its approach for conducting the 2020 Census Specifically its plan for 2020 includes four broad innovation areas re-engineering field operations using administrative records verifying addresses in-office and developing an internet self-response option see table 2 If they function as planned the Bureau initially estimated that these innovations could result in savings of over $5 billion in 2020 constant dollars when compared to its estimates of the cost for conducting the census with traditional methods However in June 2016 we reported that the Bureau’s initial life-cycle cost estimate developed in October 2015 was not reliable and did not adequately account for risk 17 As discussed earlier in this statement the Bureau has updated its estimate from $12 3 billion and now estimates a life-cycle cost of $15 6 billion which would result in a smaller potential savings from the innovative design than the Bureau originally estimated According to the Bureau the goal of the cost estimate increase was to ensure quality was fully addressed Table 2 The Census Bureau Bureau Is Introducing Four Innovation Areas for the 2020 Census Innovation area Description Re-engineered field operations The Bureau intends to automate data collection methods including its case management system Administrative records In certain instances the Bureau plans to reduce enumerator collection of data by using administrative records information already provided to federal and state governments as they administer other programs such as Medicare and Medicaid records Verifying addresses inoffice To ensure the accuracy of its address list the Bureau intends to use “in-office” procedures and on-screen imagery to verify addresses and reduce street-by-street field canvassing 17 GAO 2020 Census Census Bureau Needs to Improve Its Life-Cycle Cost Estimating Process GAO-16-628 Washington D C June 30 2016 Page 13 GAO-19-431T Innovation area Description Internet self-response option The Bureau plans to offer households the option of responding to the survey through the internet The Bureau has not previously offered such an option on a large scale Source GAO analysis of Census Bureau data GAO-19-431T While the planned innovations could help control costs they also introduce new risks in part because they include new procedures and technology that have not been used extensively in earlier decennials if at all Our prior work has shown the importance of the Bureau conducting a robust testing program including the 2018 End-to-End test 18 Rigorous testing is a critical risk mitigation strategy because it provides information on the feasibility and performance of individual census-taking activities their potential for achieving desired results and the extent to which they are able to function together under full operational conditions To address some of these challenges we have made numerous recommendations aimed at improving reengineered field operations using administrative records verifying the accuracy of the address list and securing census responses via the internet The Bureau has held a series of operational tests since 2012 but according to the Bureau it scaled back its most recent field tests because of funding uncertainties For example the Bureau canceled the field components of the 2017 Census Test including non-response follow-up a key census operation 19 In November 2016 we reported that the cancelation of the 2017 Census Test was a lost opportunity to test refine and integrate operations and systems and that it put more pressure on the 2018 End-to-End test to demonstrate that enumeration activities will function under census-like conditions as needed for 2020 However in May 2017 the Bureau scaled back the operational scope of the 2018 End-to-End test and of the three planned test sites only the Rhode Island site would fully implement the 2018 End-to-End test The Washington and West Virginia sites would test just one field operation In addition due to budgetary concerns the Bureau decided to remove three coverage measurement operations and the technology that supports 18 GAO 2020 Census Bureau Needs to Better Leverage Information to Achieve Goals of Reengineered Address Canvassing GAO-17-622 Washington D C July 20 2017 19 In non-response follow-up if a household does not respond to the census by a certain date the Bureau will conduct an in-person visit by an enumerator to collect census data using a mobile device provided by the Bureau Page 14 GAO-19-431T them from the scope of the test 20 However removal of the coverage measurement operations did not affect testing of the delivery of apportionment or redistricting data Without sufficient testing operational problems can go undiscovered and the opportunity to improve operations will be lost in part because the 2018 End-to-End test was the last opportunity to demonstrate census technology and procedures across a range of geographic locations housing types and demographic groups under decennial-like conditions prior to the 2020 Census To manage risk to the census the Bureau has developed hundreds of mitigation and contingency plans To maximize readiness for the 2020 Census it will also be important for the Bureau to prioritize among its mitigation and contingency strategies those that will deliver the most cost-effective outcomes for the census We reported on the 2018 End-to-End test in December 2018 and noted that the Bureau had made progress addressing prior test implementation issues but still faced challenges 21 As the Bureau studies the results of its testing to inform the 2020 Census it will be important that it addresses key program management issues that arose during implementation of the test Namely by not aligning the skills responsibilities and information flows for the first-line supervisors during field data collection the Bureau limited its role in support of enumerators within the re-engineered field operation The Bureau also lacked mid-operation training or guidance which if implemented in a targeted localized manner could have further helped enumerators navigate procedural modifications and any commonly encountered problems when enumerating It will be important for the Bureau to prioritize its mitigation strategies for these implementation issues so that it can maximize readiness for the 2020 Census Key Risk #2 The Bureau Faces Challenges in Implementing IT Systems We have previously reported that the Bureau faces challenges in managing and overseeing IT programs systems and contractors supporting the 2020 Census 22 Specifically we have noted challenges in the Bureau’s efforts to manage among other things the schedules and 20 Coverage measurement evaluates the quality of the census data by estimating the census coverage based on a post-enumeration survey 21 GAO-19-140 22 GAO-18-655 Page 15 GAO-19-431T contracts for its systems As a result of these challenges the Bureau is at risk of being unable to fully implement the systems necessary to support the 2020 Census and conduct a cost-effective enumeration The Bureau Has Made Initial Progress against Its Revised Development and Testing Schedule but Risks Missing Near-term Milestones To help improve its implementation of IT for the 2020 Census the Bureau recently revised its systems development and testing schedule Specifically in October 2018 the Bureau organized the development and testing schedule for its 52 systems into 16 operational deliveries 23 Each of the 16 operational deliveries has milestone dates for among other things development performance and scalability testing and system deployment According to Bureau officials in the Decennial Directorate the schedule was revised in part due to schedule management challenges experienced and lessons learned while completing development and testing during the 2018 End-to-End test The Bureau has made initial progress in executing work against its revised schedule For example the Bureau completed development for the systems in the first operational delivery—for 2020 Census early operations preparations—in July 2018 and deployed these systems into production in October 2018 However our current work has determined that the Bureau is at risk of not meeting several near-term systems testing milestones As of April 2019 six systems 24 that are expected to be used in a total of two operational deliveries are at risk of not meeting milestone dates which would signal that the systems have completed development and are ready for testing These six systems are needed for among other things field assignment management and worker performance tracking during address canvassing data collection for operations business and support automation and customer support during self-response According to Bureau documentation these systems were at risk due in part to the 23 The 52 systems being used in the 2020 Census are to be deployed multiple times in a series of operational deliveries which include operations such as address canvassing or self-response That is a system may be deployed for one operation in the 2020 Census such as address canvassing and be deployed again for a subsequent operation in the test such as self-response As such additional development and testing may occur each time a system is deployed 24 As of April 2019 the six systems were Enterprise Census and Survey Enabling Platform–Operational Control System Enterprise Census and Survey Enabling platform– Field Operation Control System Control and Response Data System Decennial Response Processing System Census Questionnaire Assistance and Automated Tracking and Control Page 16 GAO-19-431T lack of finalized system requirements and specifications Figure 4 presents an overview of the status for all 16 operational deliveries as of April 2019 Figure 4 Status of 16 Operational Deliveries for the 2020 Census as of April 2019 Note The 52 systems being used in the 2020 Census are to be deployed multiple times in a series of operational deliveries which include operations such as address canvassing or self-response That is a system may be deployed for one operation in the 2020 Census such as address canvassing and be deployed again for a subsequent operation in the test such as self-response As such additional development and testing may occur each time a system is deployed Page 17 GAO-19-431T The Bureau Faces Additional Risks Due to Compressed IT Development and Testing Time Frames The at-risk systems previously discussed add uncertainty to a highly compressed time frame over the next 4 months Importantly between April and August 2019 the Bureau is expected to begin integration testing for the systems in seven operational deliveries including internet selfresponse and non-response follow-up Officials from the Bureau’s integration contractor noted concern that the current schedule leaves little room for any delays in completing the remaining development and testing activities In addition to managing the compressed testing time frames the Bureau also has to quickly finalize plans related to its IT infrastructure For example in March 2019 the Bureau’s technical integration contractor stated that it needed the Bureau to obtain approval from federal partners for its Trusted Internet Connection or finalize alternative plans in order to complete performance and scalability testing in a timely manner 25 As of mid-April 2019 the Bureau stated that it was still awaiting final approval Given that these plans may impact systems being tested this summer or deployed into production for the address canvassing operation in August 2019 it is important that the Bureau quickly addresses this matter Our past reporting noted that the Bureau faced significant challenges in managing its schedule for system development and testing that occurred in 2017 and 2018 26 We reported that while the Bureau had continued to make progress in developing and testing IT systems for the 2020 Census it had experienced delays in developing systems to support the 2018 End-to-End test These delays compressed the time available for system and integration testing and for security assessments In addition several systems experienced problems during the test We noted then and reaffirm now that continued schedule management challenges may compress the time available for the remaining system and integration testing and increase the risk that systems may not function or be as secure as intended The Bureau has acknowledged that it faces risks to the implementation of its systems and technology As of March 2019 the Bureau had identified 25 External network traffic traffic that is routed through agency’s external connections must be routed through a Trusted Internet Connection External connections include those connections between an agency’s information system or network and the globallyaddressable internet or a remote information system or network and networks located on foreign territory 26 GAO-18-655 Page 18 GAO-19-431T about 330 active risks for the 2020 Census program through its risk management process including 20 high risks that may have substantial technical and schedule impacts if realized Taken together these risks represent a cross-section of issues such as the effects of late changes to technical requirements the need to ensure adequate time for system development and performance and scalability testing contracting issues privacy risks and skilled staffing shortages Going forward it will be important that the Bureau effectively manages these risks to better ensure that it meets near-term milestones for system development and testing and is ready for the major operations of the 2020 Census Key Risk #3 The Bureau Faces Significant Cybersecurity Risks to Its Systems and Data The risks to IT systems supporting the federal government and its functions including conducting the 2020 Census are increasing as security threats continue to evolve and become more sophisticated These risks include insider threats from witting or unwitting employees escalating and emerging threats from around the globe and the emergence of new and more destructive attacks Underscoring the importance of this issue we have designated information security as a government-wide high-risk area since 1997 and in our most recent biennial report to Congress ensuring the cybersecurity of the nation was one of nine high-risk areas that we reported needing especially focused executive and congressional attention 27 Our prior and ongoing work has identified significant challenges that the Bureau faces in securing systems and data for the 2020 Census 28 Specifically the Bureau has faced challenges related to completing security assessments addressing security weaknesses resolving cybersecurity recommendations from DHS and addressing numerous other cybersecurity concerns such as phishing 29 The Bureau Has Made Progress in Completing Security Assessment but Critical Work Remains Federal law specifies requirements for protecting federal information and information systems such as those systems to be used in the 2020 Census Specifically the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014 27 GAO-19-157SP 28 GAO-18-655 29 Phishing is a digital form of social engineering that uses authentic-looking but fake emails to request information from users or direct them to a fake website that requests information Page 19 GAO-19-431T FISMA require executive branch agencies to develop document and implement an agency-wide program to provide security for the information and information systems that support operations and assets of the agency 30 In accordance with FISMA National Institute of Standards and Technology NIST guidance and Office of Management and Budget OMB guidance the Bureau’s Office of the Chief Information Officer CIO established a risk management framework This framework requires system developers to ensure that each of the Bureau’s systems undergoes a full security assessment and that system developers remediate critical deficiencies According to the Bureau’s risk management framework the systems expected to be used to conduct the 2020 Census will need to have complete security documentation such as system security plans and an approved authorization to operate prior to their use Currently according to the Bureau’s Office of the CIO • Fourteen of the 52 systems have authorization to operate and will not need to be reauthorized before they are used in the 2020 Census 31 • Thirty-two of the 52 systems have authorization to operate and may need to be reauthorized before they are used in the 2020 Census • Six of the 52 systems do not have authorization to operate and will need to be authorized before they are used in the 2020 Census Figure 5 summarizes the authorization to operate status for the systems being used in the 2020 Census as reported by the Bureau in April 2019 30 The Federal Information Security Modernization Act of 2014 Pub L No 113-283 128 Stat 3073 Dec 18 2014 largely superseded the Federal Information Security Management Act of 2002 enacted as Title III E-Government Act of 2002 Pub L No 107-347 116 Stat 2899 2946 Dec 17 2002 31 According to the Bureau’s risk management framework once a system obtains an authorization it is transitioned to the continuous monitoring process where the authorizing official can provide ongoing authorization for system operation as long as the risk level remains acceptable Further according to the framework authorized systems do not need a formal reauthorization unless the system’s authorizing official determines that the risk posture of the system needs to change This could occur for example if the system undergoes significant new development Page 20 GAO-19-431T Figure 5 Authorization to Operate Status for the 52 Systems Being Used by the Census Bureau in the 2020 Census as of April 2019 As we have previously reported while large-scale technological changes such as internet self-response increase the likelihood of efficiency and effectiveness gains they also introduce many cybersecurity challenges The 2020 Census also involves collecting personally identifiable information PII on over a hundred million households across the country which further increases the need to properly secure these systems Thus it will be important that the Bureau provides adequate time to perform these security assessments completes them in a timely manner and ensures that risks are at an acceptable level before the systems are deployed We have ongoing work examining how the Bureau plans to address both internal and external cyber threats including its efforts to complete system security assessments and resolve identified weaknesses Page 21 GAO-19-431T The Bureau Has Identified a Significant Number of Corrective Actions to Address Security Weaknesses but Has Not Always Been Timely in Completing Them FISMA requires that agency-wide information security programs include a process for planning implementing evaluating and documenting remedial actions i e corrective actions to address any deficiencies in the information security policies procedures and practices of the agency Agencies must establish procedures to reasonably ensure that all information security control weaknesses regardless of how or by whom they are identified are addressed through the agency’s remediation processes For each identified control weakness the agency is required to develop and implement a plan of actions and milestones POA M based on findings from security control assessments security impact analyses continuous monitoring of activities audit reports and other sources Additionally the Bureau’s framework requires that security assessment findings that need to be remediated are to be tracked as POA Ms These POA Ms are expected to provide a description of the vulnerabilities identified during the security assessment that resulted from a control weakness As of March 2019 the Bureau had over 500 open POA Ms to remediate for issues identified during security assessment activities including ongoing continuous monitoring Of these open POA Ms 247 or about 48 percent were considered “high-risk” or “very high-risk ” While the Bureau established POA Ms for addressing these identified security control weaknesses it did not always complete remedial actions in accordance with its established deadlines For example of the 247 open “high-risk” or “very high-risk” POA Ms we reviewed through March 2019 the Bureau identified 115 as being delayed Further 70 of the 115 had missed their scheduled completion dates by 60 or more days In addition the number of open “high-risk” or “very high-risk” POA Ms that the Bureau identified as delayed has substantially increased since June 2018 as shown in figure 6 Page 22 GAO-19-431T Figure 6 Open and Delayed High-Risk and Very High-Risk Plans of Action and Milestones POA Ms for Census Bureau Systems June 2018 – March 2019 According to the Bureau these POA Ms were identified as delayed due to technical challenges or resource constraints to remediate and close them However without resolving identified vulnerabilities in a timely manner the Bureau faces an increased risk as continuing opportunities exist for unauthorized individuals to exploit these weaknesses and gain access to sensitive information and systems The Bureau Has Begun Implementing DHS’s Cybersecurity Recommendations but Has Not Established a Formal Process to Address Them The Bureau is working with federal and industry partners including the Department of Homeland Security to support the 2020 Census cybersecurity efforts Specifically the Bureau is working with DHS to ensure a scalable and secure network connection for the 2020 Census respondents e g virtual Trusted Internet Connection with the cloud improve its cybersecurity posture e g improve risk management processes and procedures and to strengthen its response to potential cyber threats e g federal cyber incident coordination Federal law describes practices for strengthening cybersecurity by documenting or tracking corrective actions As previously mentioned FISMA requires executive branch agencies to establish a process for Page 23 GAO-19-431T planning implementing evaluating and documenting remedial actions to address any deficiencies in their information security policies procedures and practices GAO’s internal control standards also state that agencies should establish effective internal control monitoring that includes a process to promptly resolve the findings of audits and other reviews 32 Specifically agencies should document and complete corrective actions to remediate identified deficiencies on a timely basis This would include correcting identified deficiencies or demonstrating that the findings and recommendations do not warrant agency action Since January 2017 DHS has been providing cybersecurity assistance including issuing recommendations to the Bureau in preparation for the 2020 Census and the Bureau has reported making progress in addressing those recommendations Specifically DHS has been providing cybersecurity assistance to the Bureau in five areas • management coordination and executive support including a CyberStat Review 33 • cybersecurity threat intelligence and information sharing enhancement through among other things a DHS cyber threat briefing to the Bureau’s leadership • network and infrastructure security and resilience including National Cybersecurity Protection System also called EINSTEIN support 34 • incident response and management readiness through a Federal Incident Response Evaluation assessment 35 and 32 GAO Standards for Internal Control in the Federal Government GAO-14-704G Washington D C Sept 10 2014 33 According to OMB CyberStat Reviews are face-to-face evidence-based meetings intended to ensure agencies are accountable for their cybersecurity posture OMB DHS and Commerce participated in the Fiscal Year 2017 CyberStat Review related to the Bureau 34 The National Cybersecurity Protection System operationally known as the EINSTEIN program is an integrated system-of-systems that is intended to deliver a range of capabilities including intrusion detection intrusion prevention analytics and information sharing This program was developed to be one of the tools to aid federal agencies in mitigating information security threats 35 As part of the CyberStat Review DHS conducted a Federal Incident Response Evaluation assessment in October 2017 The purpose of the assessment was in part to review the Bureau’s incident management practices and provide recommendations that if addressed would strengthen the Bureau’s cybersecurity efforts Page 24 GAO-19-431T • risk management and vulnerability assessments on specific targets provided by the Bureau In the last 2 years as a result of these activities DHS has provided 17 recommendations for the Bureau to strengthen its cybersecurity efforts Among other things the recommendations pertained to strengthening incident management capabilities penetration testing 36 and web application assessments of select systems and phishing assessments to gain access to sensitive PII Due to the sensitive nature of the recommendations we are not identifying the specific recommendations or specific findings associated with them in this statement As of February 2019 the Bureau had fully completed actions to address three recommendations needed to further improve on actions taken for one recommendation it indicated had been completed and needed to complete actions in progress for the remaining 13 recommendations as summarized in table 3 Table 3 GAO Assessment of the Status of 17 Recommendations to the Census Bureau by the Department of Homeland Security as of February 2019 Status Number of recommendations Completed actions 3 Further improvements needed for actions the Census Bureau considered complete 1 Actions In progress 13 Source GAO analysis of Census Bureau data GAO-19-431T However the Bureau had not established a formal process for documenting tracking and completing corrective actions for all the recommendations provided by DHS To the Bureau’s credit it had incorporated the corrective actions associated with the three completed recommendations into its formal process used for tracking POA Ms which includes identifying remediation activities resources required milestones and completion dates However the Bureau had not incorporated the remaining 14 recommendations into the POA M process Instead in November 2018 the Bureau created an informal 36 The National Institute of Standards and Technology defined penetration testing as security testing in which the evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application system or network Penetration testing often involves issuing real attacks on real systems and data using the same tools and techniques used by actual attackers Page 25 GAO-19-431T document to track the 17 DHS recommendations but this document does not consistently include details such as the resources required expected completion date or whether the recommendations do not warrant agency action Until the Bureau implements a formal process for tracking and implementing appropriate corrective actions to remediate identified cybersecurity weaknesses from DHS and addresses the identified deficiencies it faces an increased likelihood that these weaknesses will go uncorrected and may be exploited to cause harm to agency’s 2020 Census IT systems and gain access to sensitive respondent data Implementing a formal process would also help to ensure that DHS’s efforts result in improvements to the Bureau’s cybersecurity posture The Bureau Faces Several Other Cybersecurity Challenges in Implementing the 2020 Census The Bureau faces other significant cybersecurity challenges in addition to those previously discussed More specifically we previously reported 37 that the extensive use of IT systems to support the 2020 Census redesign may help increase efficiency but that this redesign introduces critical cybersecurity challenges These challenges include those related to the following • Phishing We have previously reported that advanced persistent threats may be targeted against social media web sites used by the federal government In addition attackers may use social media to collect information and launch attacks against federal information systems through social engineering such as phishing 38 Phishing is a digital form of social engineering that uses authentic-looking but fake emails websites or instant messages to get users to download malware open malicious attachments or open links that direct them to a website that requests information or executes malicious code Phishing attacks could target respondents as well as Bureau employees and contractors The 2020 Census will be the first one in which respondents will be heavily encouraged to respond via the internet This will likely increase the risk that cyber criminals will use phishing in an attempt to steal personal information 37 GAO Information Technology Better Management of Interdependencies between Programs Supporting 2020 Census Is Needed GAO-16-623 Washington D C Aug 9 2016 and Information Technology Uncertainty Remains about the Bureau’s Readiness for a Key Decennial Census Test GAO-17-221T Washington D C Nov 16 2016 38 GAO Social Media Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate GAO-11-605 Washington D C June 28 2011 Page 26 GAO-19-431T • Disinformation from social media We previously reported that one of the Bureau’s key innovations for the 2020 Census is the large-scale implementation of an internet self-response option The Bureau is encouraging the public to use the internet self-response option through expanded use of social media However the public perception of the Bureau’s ability to adequately safeguard the privacy and confidentiality of the 2020 Census internet self-responses could be influenced by disinformation spread through social media According to the Bureau if a substantial segment of the public is not convinced that the Bureau can safeguard public response data against data breaches and unauthorized use then response rates may be lower than projected leading to an increase in cases for follow-up and subsequent cost increases • Ensuring that individuals gain only limited and appropriate access to 2020 Census data The Bureau plans to enable a publicfacing website and Bureau-issued mobile devices to collect PII e g name address and date of birth from the nation’s entire population— estimated to be over 300 million In addition the Bureau is planning to obtain and store administrative records containing PII from other government agencies to help augment information that enumerators did not collect The number of reported security incidents involving PII at federal agencies has increased dramatically in recent years Because of these challenges we have recommended among other things that federal agencies improve their response to information security incidents and data breaches involving PII and consistently develop and implement privacy policies and procedures Accordingly it will be important for the Bureau to ensure that only respondents and Bureau officials are able to gain access to this information and enumerators and other employees only have access to the information needed to perform their jobs • Ensuring adequate control in a cloud environment The Bureau has decided to use cloud solutions as a key component of the 2020 Census IT infrastructure We have previously reported that cloud computing has both positive and negative information security implications and thus federal agencies should develop service-level agreements with cloud providers These agreements should specify among other things the security performance requirements— including data reliability preservation privacy and access rights— Page 27 GAO-19-431T that the service provider is to meet 39 Without these safeguards computer systems and networks as well as the critical operations and key infrastructures they support may be lost information—including sensitive personal information—may be compromised and the agency’s operations could be disrupted • Ensuring contingency and incident response plans are in place to encompass all of the IT systems to be used to support the 2020 Census Because of the brief time frame for collecting data during the 2020 Census it is especially important that systems are available for respondents to ensure a high response rate Contingency planning and incident response help ensure that if normal operations are interrupted network managers will be able to detect mitigate and recover from a service disruption while preserving access to vital information Implementing important security controls including policies procedures and techniques for contingency planning and incident response helps to ensure the confidentiality integrity and availability of information and systems even during disruptions of service Without contingency and incident response plans system availability might be impacted and result in a lower response rate The Bureau’s CIO has acknowledged these cybersecurity challenges and is working to address them according to Bureau documentation In addition we have ongoing work looking at many of these challenges including the Bureau’s plans to protect PII use a cloud-based infrastructure and recover from security incidents and other disasters Key Risk #4 The Bureau Will Need to Control Any Further Cost Growth and Develop Cost Estimates That Reflect Best Practices Since 2015 the Bureau has made progress in improving its ability to develop a reliable cost estimate We have reported on the reliability of the $12 3 billion life-cycle cost estimate released in October 2015 and the $15 6 billion revised cost estimate released in October 2017 40 In 2016 we reported that the October 2015 version of the Bureau’s life-cycle cost estimate for the 2020 Census was not reliable Specifically we found that the 2020 Census life-cycle cost estimate partially met two of the characteristics of a reliable cost estimate comprehensive and accurate 39 GAO Information Security Agencies Need to Improve Cyber Incident Response Practices GAO-14-354 Washington D C Apr 30 2014 40 GAO-16-628 and GAO 2020 Census Census Bureau Improved the Quality of Its Cost Estimation but Additional Steps Are Needed to Ensure Reliability GAO-18-635 Washington D C Aug 17 2018 Page 28 GAO-19-431T and minimally met the other two well-documented and credible We recommended that the Bureau take specific steps to ensure its cost estimate meets the characteristics of a high-quality estimate The Bureau agreed and has taken action to improve the reliability of the cost estimate In August 2018 we reported that while improvements had been made the Bureau’s October 2017 cost estimate for the 2020 Census did not fully reflect all the characteristics of a reliable estimate See figure 7 Figure 7 Overview of the Census Bureau’s 2015 and 2017 Cost Estimates Compared to Characteristics of a Reliable Cost Estimate In order for a cost estimate to be deemed reliable as described in GAO’s Cost Estimating and Assessment Guide 41 and thus to effectively inform 2020 Census annual budgetary figures the cost estimate must meet or substantially meet the following four characteristics • Well-Documented Cost estimates are considered valid if they are well-documented to the point they can be easily repeated or updated 41 GAO GAO Cost Estimating and Assessment Guide Best Practices for Developing and Managing Capital Program Costs Supersedes GAO-07-1134SP GAO-09-3SP Washington D C Mar 2 2009 Page 29 GAO-19-431T and can be traced to original sources through auditing according to best practices • Accurate Accurate estimates are unbiased and contain few mathematical mistakes • Credible Credible cost estimates must clearly identify limitations due to uncertainty or bias surrounding the data or assumptions according to best practices • Comprehensive To be comprehensive an estimate should have enough detail to ensure that cost elements are neither omitted nor double-counted and all cost-influencing assumptions are detailed in the estimate’s documentation among other things according to best practices The 2017 cost estimate only partially met the characteristic of being welldocumented In general some documentation was missing inconsistent or difficult to understand Specifically we found that source data did not always support the information described in the basis of estimate document or could not be found in the files provided for two of the Bureau’s largest field operations Address Canvassing and NonResponse Follow-Up We also found that some of the cost elements did not trace clearly to supporting spreadsheets and assumption documents Failure to document an estimate in enough detail makes it more difficult to replicate calculations or to detect possible errors in the estimate reduces transparency of the estimation process and can undermine the ability to use the information to improve future cost estimates or even to reconcile the estimate with another independent cost estimate The Bureau told us it would continue to make improvements to ensure the estimate is welldocumented Increased Costs Are Driven by an Assumed Decrease in SelfResponse Rates and Increases in Contingency Funds and IT Cost Categories The 2017 life-cycle cost estimate includes significantly higher costs than those included in the 2015 estimate The largest increases occurred in the Response Managerial Contingency and Census Survey Engineering categories For example increased costs of $1 3 billion in the response category costs related to collecting maintaining and processing survey response data were in part due to reduced assumptions for selfresponse rates leading to increases in the amount of data collected in the field which is more costly to the Bureau Contingency allocations increased overall from $1 35 billion in 2015 to $2 6 billion in 2017 as the Bureau gained a greater understanding of risks facing the 2020 Census Increases of $838 million in the Page 30 GAO-19-431T Census Survey Engineering category were due mainly to the cost of an IT contract for integrating decennial survey systems that was not included in the 2015 cost estimate Bureau officials attribute a decrease of $551 million in estimated costs for Program Management to changes in the categorization of costs associated with risks Specifically in the 2017 version of the estimate estimated costs related to program risks were allocated to their corresponding work breakdown structure WBS element Figure 8 shows the change in cost by WBS category for 2015 and 2017 Figure 8 Change in 2020 Census Cost Estimate by Work Breakdown Structure Category 2015 vs 2017 a The 2015 cost estimate also included managerial contingency amounts totaling $829 million however these were not presented as a separate work breakdown structure category More generally factors that contributed to cost fluctuations between the 2015 and 2017 cost estimates include • Changes in assumptions Among other changes a decrease in the assumed rate for self-response from 63 5 percent in 2015 to 60 5 percent in 2017 increased the cost of collecting responses from nonresponding housing units Page 31 GAO-19-431T • Improved ability to anticipate and quantify risk In general contingency allocations designed to address the effects of potential risks increased overall from $1 3 billion in 2015 to $2 6 billion in 2017 • An overall increase in IT costs IT cost increases totaling $1 59 billion represented almost 50 percent of the total cost increase from 2015 to 2017 • More defined contract requirements Bureau documents described an overall improvement in the Bureau’s ability to define and specify contract requirements This resulted in updated estimates for several contracts including for the Census Questionnaire Assistance contract 42 However while the Bureau has been able to better quantify risk in August 2018 we also reported that the Secretary of Commerce included a contingency amount of about $1 2 billion in the 2017 cost estimate to account for what the Bureau refers to as “unknown unknowns ” According to Bureau documentation these include such risks as natural disasters or cyber attacks The Bureau provides a description of how the risk contingency for “unknown unknowns” is calculated however this description does not clearly link calculated amounts to the risks themselves Thus only $14 4 billion of the Bureau’s $15 6 billion cost estimate has justification According to Bureau officials the cost estimate remains at $15 6 billion but they are managing the 2020 Census at a lower level of funding—$14 1 billion and at this time do not plan to request funding for the $1 2 billion contingency fund for unknown unknowns or $369 million in funding for selected discrete program risks for what-if scenarios such as an increase in the wage rate or additional supervisors needed to manage field operations Instead of requesting funding for these contingencies upfront the Bureau plans to work with OMB and Commerce to request additional funds if the need arises According to Bureau officials they anticipate that the remaining $1 1 billion in contingency funding included in the $14 1 billion will be sufficient to carry out the 2020 Census In June 2016 we recommended the Bureau improve control over how risk and uncertainty are accounted for This prior recommendation remains valid given the life-cycle cost estimate still 42 This contract has two primary functions to provide 1 questionnaire assistance by telephone and email for respondents by answering questions about the census in general and regarding specific items on the census form and 2 an option for respondents to complete a census interview over the telephone Page 32 GAO-19-431T includes the $1 2 billion unjustified contingency fund for “unknown unknowns” Moreover given the cost growth between 2015 and 2017 it will be important for the Bureau to monitor cost in real-time as well as document explain and review variances between planned and actual cost In August 2018 we reported that the Bureau had not been tracking variances between estimated life-cycle costs and actual expenses Tools to track variance enable management to measure progress against planned outcomes and will help inform the 2030 Census cost estimate Bureau officials stated that they already have systems in place that can be adapted for tracking estimated and actual costs We will continue to monitor the status of the tracking system According to Bureau officials it plans to release an updated version of the 2020 Census life-cycle estimate in the spring of 2019 To ensure that future updates to the life-cycle cost estimate reflect best practices it will be important for the Bureau to implement our recommendation related to the cost estimate Continued Management Attention Needed to Keep Preparations on Track and Help Ensure a CostEffective Enumeration 2020 Challenges Are Symptomatic of Deeper Long-Term Organizational Issues The difficulties facing the Bureau’s preparation for the decennial census in such areas as planning and testing managing and overseeing IT programs systems and contractors supporting the enumeration developing reliable cost estimates prioritizing decisions managing schedules and other challenges are symptomatic of deeper organizational issues Following the 2010 Census a key lesson learned for 2020 that we identified was ensuring that the Bureau’s organizational culture and Page 33 GAO-19-431T structure as well as its approach to strategic planning human capital management internal collaboration knowledge sharing capital decisionmaking risk and change management and other internal functions are aligned toward delivering more cost-effective outcomes 43 The Bureau has made improvements over the last decade and continued progress will depend in part on sustaining efforts to strengthen risk management activities enhancing systems testing bringing in experienced personnel to key positions implementing our recommendations and meeting regularly with officials from its parent agency Commerce Going forward we have reported that the key elements needed to make progress in high-risk areas are top-level attention by the administration and agency officials to 1 leadership commitment 2 ensuring capacity 3 developing a corrective action plan 4 regular monitoring and 5 demonstrated progress Although important steps have been taken in at least some of these areas overall far more work is needed 44 We discuss three of five areas below The Secretary of Commerce has successfully demonstrated leadership commitment For example the Bureau and Commerce have strengthened this area with executive-level oversight of the 2020 Census by holding regular meetings on the status of IT systems and other risk areas In addition in 2017 Commerce designated a team to assist senior Bureau management with cost estimation challenges Moreover on January 2 2019 a new Director of the Census Bureau took office a position that had been vacant since June 2017 With regard to capacity the Bureau has improved the cost estimation process of the decennial when it established guidance including • roles and responsibilities for oversight and approval of cost estimation processes • procedures requiring a detailed description of the steps taken to produce a high-quality cost estimate and 43 GAO 2010 Census Preliminary Lessons Learned Highlight the Need for Fundamental Reforms GAO-11-496T Washington D C Apr 6 2011 44 GAO-17-317 Page 34 GAO-19-431T • a process for updating the cost estimate and associated documents over the life of a project However the Bureau continues to experience skills gaps in the government program management office overseeing the $886 million contract for integrating the IT systems needed to conduct the 2020 Census Specifically as of February 2019 15 of 44 positions in this office were vacant For the monitoring element we found to track performance of decennial census operations the Bureau relied on reports to track progress against pre-set goals for a test conducted in 2018 According to the Bureau these same reports will be used in 2020 to track progress However the Bureau’s schedule for developing IT systems during the 2018 End-to-End test experienced delays that compressed the time available for system testing integration testing and security assessments These schedule delays contributed to systems experiencing problems after deployment as well as cybersecurity challenges In the months ahead we will continue to monitor the Bureau’s progress in addressing each of the five elements essential for reducing the risk to a cost-effective enumeration Further Actions Needed on Our Recommendations Over the past several years we have issued numerous reports that underscored the fact that if the Bureau was to successfully meet its cost savings goal for the 2020 Census the agency needed to take significant actions to improve its research testing planning scheduling cost estimation system development and IT security practices As of April 2019 we have made 97 recommendations related to the 2020 Census The Bureau has implemented 72 of these recommendations 24 remain open and one recommendation was closed as not implemented Of the 24 open recommendations 11 were directed at improving the implementation of the innovations for the 2020 Census Commerce generally agreed with our recommendations and is taking steps to implement them Moreover in April 2018 we designated 15 recommendations as “priority ” Priority recommendations are those recommendations that we believe warrant priority attention from heads of key departments and agencies Eight of these 15 priority recommendations have been closed as implemented over the past year 45 45 The 15 priority recommendations for the 2020 Census cover the period from November 2009 to July 2017 Page 35 GAO-19-431T On July 19 2018 in response to our April 2018 letter calling his attention to our priority recommendations the Commerce Secretary concurred that there was still much work to be done and that the number of our priority recommendations concerning the 2020 Census was reflective of Commerce’s focus on ensuring a successful census in 2020 On April 23 2019 we sent an updated priority recommendation letter to the Commerce Secretary that included five new recommendations from our recent work and also reflected the department’s progress on implementing past recommendations We believe that attention to these recommendations is essential for a cost-effective enumeration The recommendations included implementing reliable cost estimation and scheduling practices in order to establish better control over program costs as well as taking steps to better position the Bureau to develop an internet response option for the 2020 Census In addition to our recommendations to better position the Bureau for a more cost-effective enumeration on March 18 2019 we met with OMB Commerce and Bureau officials to discuss the Bureau’s progress in reducing the risks facing the census We also meet regularly with Bureau officials and managers to discuss the progress and status of open recommendations related to the 2020 Census which has resulted in Bureau actions in recent months leading to closure of some recommendations We are encouraged by this commitment by Commerce and the Bureau in addressing our recommendations Implementing our recommendations in a complete and timely manner is important because it could improve the management of the 2020 Census and help to mitigate continued risks Conclusions In conclusion while the Bureau has made progress in revamping its approach to the census it faces considerable challenges and uncertainties in implementing key cost-saving innovations and ensuring they function under operational conditions managing the development and testing of its IT systems ensuring the cybersecurity of its systems and data and developing a quality cost estimate for the 2020 Census and preventing further cost increases For these reasons the 2020 Census is a GAO high-risk area Regarding cybersecurity the Bureau’s involvement of DHS to improve its cybersecurity posture including cyber threat briefings and vulnerability assessments is a positive step forward However the Bureau’s corrective Page 36 GAO-19-431T actions to address its high-risk and very high-risk security weaknesses are frequently delayed—often for months—which increases the risk that these weaknesses could be exploited to cause harm to the agency’s systems In addition the Bureau’s process for addressing DHS’s cybersecurity recommendations has shortcomings which increases the risk that the underlying deficiencies identified by DHS may be exploited to gain access to the Bureau’s systems and sensitive data Going forward continued management attention and oversight will be vital for ensuring that risks are managed preparations stay on track and the Bureau is held accountable for implementing the enumeration as planned Without timely and appropriate actions the challenges previously discussed could adversely affect the cost accuracy schedule and security of the enumeration We will continue to assess the Bureau’s efforts and look forward to keeping Congress informed of the Bureau’s progress Recommendations for Executive Action We are making the following two recommendations to Commerce The Secretary of Commerce should direct the Director of the Census Bureau to direct the Census Bureau’s CIO to take steps to ensure that identified corrective actions for cybersecurity weaknesses are implemented within prescribed time frames Recommendation 1 The Secretary of Commerce should direct the Director of the Census Bureau to direct the Bureau’s CIO to implement a formal process for tracking and executing appropriate corrective actions to remediate cybersecurity weaknesses identified by DHS and expeditiously address the identified deficiencies Recommendation 2 Chairman Serrano Ranking Member Aderholt and Members of the Subcommittee this completes our prepared statement We would be pleased to respond to any questions that you may have GAO Contacts and Staff Acknowledgments If you have any questions about this statement please contact Robert Goldenkoff at 202 512-2757 or by email at goldenkoffr@gao gov or Nick Marinos at 202 512-9342 or by email at marinosn@gao gov Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement Other key contributors to this testimony include Jon Ticehurst Assistant Director Ty Mitchell Page 37 GAO-19-431T Assistant Director Lisa Pearson Assistant Director Andrea Starosciak Analyst in Charge Christopher Businsky Rebecca Eyler Scott Pettis Lindsey Pilver Kate Sharkey Kevin R Smith Umesh Thakkar and Tim Wexler 103290 Page 38 GAO-19-431T This is a work of the U S government and is not subject to copyright protection in the United States The published product may be reproduced and distributed in its entirety without further permission from GAO However because this work may contain copyrighted images or other material permission from the copyright holder may be necessary if you wish to reproduce this material separately GAO’s Mission The Government Accountability Office the audit evaluation and investigative arm of Congress exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people GAO examines the use of public funds evaluates federal programs and policies and provides analyses recommendations and other assistance to help Congress make informed oversight policy and funding decisions GAO’s commitment to good government is reflected in its core values of accountability integrity and reliability Obtaining Copies of GAO Reports and Testimony The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website https www gao gov Each weekday afternoon GAO posts on its website newly released reports testimony and correspondence To have GAO e-mail you a list of newly posted products go to https www gao gov and select “E-mail Updates ” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white Pricing and ordering information is posted on GAO’s website https www gao gov ordering htm Place orders by calling 202 512-6000 toll free 866 801-7077 or TDD 202 512-2537 Orders may be paid for using American Express Discover Card MasterCard Visa check or money order Call for additional information Connect with GAO Connect with GAO on Facebook Flickr Twitter and YouTube Subscribe to our RSS Feeds or E-mail Updates Listen to our Podcasts Visit GAO on the web at https www gao gov To Report Fraud Waste and Abuse in Federal Programs Contact FraudNet Website https www gao gov fraudnet fraudnet htm Automated answering system 800 424-5454 or 202 512-7700 Congressional Relations Orice Williams Brown Managing Director WilliamsO@gao gov 202 512-4400 U S Government Accountability Office 441 G Street NW Room 7125 Washington DC 20548 Public Affairs Chuck Young Managing Director youngc1@gao gov 202 512-4800 U S Government Accountability Office 441 G Street NW Room 7149 Washington DC 20548 Strategic Planning and External Liaison James-Christian Blockwood Managing Director spel@gao gov 202 512-4707 U S Government Accountability Office 441 G Street NW Room 7814 Washington DC 20548 Please Print on Recycled Paper