The Constitutionally-mandated U.S. Census provides vital information, but a Government Accountability Office (GAO) report published May 31, finds that the 2020 Census also involves some risks.
The Census Bureau (Bureau) has identified hundreds of risks to the 2020 Census. For example, the Bureau’s information systems face potential cyberattacks. The Bureau has mitigation and contingency plans for most of those risks, but the GAO found these plans did not consistently include key information needed to manage the six key risks:
Administrative records and third-party data—external factors
The Bureau plans to use administrative records and third-party data for various purposes, such as reducing the need to follow up with nonrespondents through identification of vacant housing units. However, external factors or policies—such as congressional action—could prevent the Bureau from using the records and data as planned, in which case the Bureau may be unable to meet its cost goals for the census, among other impacts.
The Bureau plans to put in place information technology (IT) security controls to protect the confidentiality, integrity, and availability of its IT systems and data for the 2020 Census. However, if a cybersecurity incident occurs, additional technological efforts may be required to repair or replace the systems affected to maintain secure services and data.
Insufficient levels of staff with subject-matter skillsets
Due to factors including hiring freezes, budgetary constraints, and staff eligible for retirement before 2020, the Bureau may be unable to hire and retain staff with the appropriate skillsets at sufficient levels. As a result, it may be difficult to achieve the goals and objectives of the 2020 Census.
Late operational design changes
After key planning and development milestones for the 2020 Census are completed, stakeholders may disagree with the planned innovations behind the 2020 Census and decide to modify the design, resulting in late operational design changes. In this event, costly design changes may have to be implemented, increasing the risk for a timely and complete 2020 Census.
Operations and systems integration
The Bureau plans to use 52 different IT systems to carry out 35 operations supporting the 2020 Census. If the various operations and systems are not properly integrated prior to implementation, then the strategic goals and objectives of the 2020 Census may not be met.
Public perception of ability to safeguard response data
If a substantial segment of the public is not convinced that the Bureau can safeguard its data against data breaches and unauthorized use, then response rates may be lower than projected, leading to increased cases for follow-up and greater cost.
The Bureau has faced challenges developing critical information technology systems, and new innovations—such as the ability to respond via the internet—have raised questions about potential security and fraud risks. As of December 2018, the Bureau had identified 360 active risks to the 2020 Census. Of these, 242 required a mitigation plan and 232 had one; 146 required a contingency plan and 102 had one. Mitigation plans detail how an agency will reduce the likelihood of a risk event and its impacts, if it occurs. Contingency plans identify how an agency will reduce or recover from the impact of a risk after it has been realized. Bureau guidance states that these plans should be developed as soon as possible after a risk is added to the risk register, but it does not establish clear time frames for doing so. Consequently, some risks may go without required plans for extended periods.
GAO reviewed the mitigation and contingency plans in detail for the six risks (detailed above) which the Bureau identified as among the major concerns that could affect the 2020 Census. GAO found that the plans did not consistently include key information needed to manage the risk. Among these was the Bureau’s cybersecurity mitigation plan. During an August 2018 public meeting, the Bureau’s Chief Information Officer discussed key strategies for mitigating cybersecurity risks to the census—such as reliance on other federal agencies to help resolve threats—not all of which were included in the mitigation plan.
GAO found that gaps stemmed from either requirements missing from the Bureau’s decennial risk management plan, or that risk owners were not fulfilling all of their risk management responsibilities. Bureau officials said that risk owners are aware of these responsibilities but do not always fulfill them given competing demands. Bureau officials also said that they are managing risks to the census, even if not always reflected in their mitigation and contingency plans. However, GAO says if such actions are reflected in disparate documents or are not documented at all, then decision makers are left without an integrated and comprehensive picture of how the Bureau is managing risks to the census.
The Bureau has designed an approach for managing fraud risk to the 2020 Census that generally aligns with leading practices in the commit, assess, and design and implement components of GAO’s Fraud Risk Framework. However, the Bureau has not yet determined the program’s fraud risk tolerance or outlined plans for referring potential fraud to the Department of Commerce Office of Inspector General (OIG) to investigate. Bureau officials described plans to take these actions later this year, but not for updating the antifraud strategy. Updating this strategy to include the Bureau’s fraud risk tolerance and OIG referral plan will help ensure the strategy is current, complete, and conforms to leading practices.
As a result of its investigations, GAO is making seven recommendations to the Secretary of Commerce:
- Develop and obtain management approval of mitigation and contingency plans for all risks that require them.
- Update the Bureau’s decennial risk management plan to include clear time frames for developing and obtaining management approval of mitigation and contingency plans.
- Update the Bureau’s decennial risk management plan to require that portfolio and program risk registers include a clear indication of the status of mitigation plans.
- Update the Bureau’s decennial risk management plan to require that risk mitigation and contingency plans, including the risk register descriptions and separate plans, have the seven key attributes for helping to ensure they contain the information needed to manage risk.
- Hold risk owners accountable for carrying out their risk management responsibilities.
- Update the Bureau’s antifraud strategy to include a fraud risk tolerance prior to beginning the 2020 Census and adjust as needed.
- Update the Bureau’s antifraud strategy to include the Bureau’s plans for referring instances of potential fraud to the Department of Commerce Office of Inspector General for further investigation.
the Department of Commerce agrees with GAOs findings and recommendations and says it will develop an action plan to address them.