The Census Bureau found nearly 3,100 security weaknesses after testing 33 of its 44 systems, leaving a large amount of work to be done before the 2020 Census, according to a Government Accountability Office (GAO) report on the agency’s IT systems released Thursday.
The report describes how the Bureau’s security assessments place vulnerabilities in a plan of action and milestones (POA&M). “Of these nearly 3,100 POA&Ms, 43 were considered ‘very high risk’ or ‘high risk’ weaknesses. Further, over 2,700 of the POA&Ms were related to the infrastructure components being developed by the technical integration contractor,” the report stated.
“Further, because several of the systems that will be a part of the 2018 End-to-End Test and the 2020 Census are not yet fully developed, the Bureau has not finalized all of the security controls to be implemented,” the report noted.
Among the Bureau’s systems being used in the end-to-end test this year, 33 have received authorization to operate and will be continuously monitored, eight received initial authorization but will need to be analyzed again after changes to their infrastructure, and three systems do not yet have an authorization to operate.
GAO noted that the Bureau’s CIO developed a risk management framework that requires developers to “remediate critical deficiencies” in Census systems and reach an acceptable level of risk. GAO also cited growing costs, condensed testing and development schedules, and a lack of oversight due to 33 vacancies out of 58 Federal Census positions as challenges for the Bureau’s IT systems.
“The Census Bureau has continued to make progress in developing and testing IT systems for the 2020 Census,” the report noted. “Nevertheless, the Bureau continues to face significant challenges and risks in its efforts to manage the schedules, contracts, costs, and cybersecurity of its 2020 Census systems,” the report stated. “With the 2020 Census less than 2 years away, it is critical that the Bureau address these challenges and risks to ensure that its IT systems are developed, tested, and secured in time to support the count of the nation’s population.”