Census tech transition leaves security weaknesses, GAO says
An incomplete transition to a new IT security framework has left weaknesses in some systems holding sensitive census information, according to a GAO report.
The Census Bureau, as it has for decades, is upgrading the technology it uses for its decennial census, but an incomplete transition to a new risk management framework has left weaknesses in some IT systems that could put sensitive census data at risk, according to a recent report from the Government Accountability Office.
As part of its ongoing IT upgrade in preparation for the next census, the bureau is transitioning to a new risk management framework to improve system visibility and management of security risks. But GAO found the risks have not been fully documented and that plans and policies were not complete.
The 2012 security audit found that the bureau had not effectively implemented appropriate security controls on all of its systems, including access controls, configuration management and contingency planning.
Specifically, the GAO audit found that Census was not adequately:
- Controlling connectivity to key network devices and servers.
- Identifying and authenticating users.
- Appropriately limiting user access rights and permissions.
- Encrypting data in transmission and at rest.
- Monitoring its systems and network.
- Ensuring appropriate physical security.
Use of Personal Identification Verification cards for both physical and logical access also was not complete.
Auditors found that although the bureau had policies for securely configuring systems, some communication systems were not securely configured and were not using strong encryption. Monitoring for intrusion detection was not always used, and disaster response and continuity of operations plans for its data center also were not complete.
“While the bureau’s new program for risk management may produce potential benefits to the bureau, the effectiveness of its remediation efforts cannot be known unless the bureau ensures that its actions have been documented,” the GAO report said.
The weaknesses are a concern not only because of the possible exposure of personally identifiable information, but also because they could impair the agency’s ability to do its job.
“A data breach could result in the public’s loss of confidence in the bureau and could affect its ability to collect census data,” the report said.
GAO’s public report gave 13 recommendations for improving security, dealing primarily with documentation and training rather than technology, and made another 102 recommendations in a separate report with limited distribution. The bureau largely agreed with the findings and is putting together a formal plan of actions and milestones to address issues identified in the audit.
The Census Bureau is required to do a national headcount every 10 years, and the challenge of gathering and analyzing information on a rapidly growing population has made it a pioneer in the use of information technology.
Tabulating machines first used in the 1880 census doubled the speed of data processing. In 1951 the bureau used the UNIVAC I, a purpose-built computer that again doubled the number of items the bureau could tabulate per minute, from 2,000 to 4,000. Technology has been updated regularly since and its use expanded to include data collection as well as analysis.
“The 2000 census demonstrated probably the biggest leap forward in the use of technology for collecting and disseminating data,” GAO said. This was further expanded in 2010 with the use of handheld devices for some field operations and the integration of Global Positioning System data for maps. Performance problems with some of the equipment resulted in the use of more paper than expected, however, and at a cost of $13 billion, the 2010 census was the most expensive ever. The 2020 census is projected to cost as much as $25 billion.
Census Bureau IT operations are centered in bureau headquarters in Suitland, Md., the Bowie Computing Center in Bowie, Md., and the National Processing Center in Jeffersonville, Ind., and sensitive data held in the systems must be protected.