February 2020

A Report to Congressional Requesters

2020 Census
Highlights of GAO-20-368R.

In the coming months, the 2020
Decennial Census will begin its
operations to count the population of
the United States. The success of
these operations relies on the
Bureau’s preparations, including
recruiting and hiring a sufficient work
force, developing and testing IT
systems, and maintaining public
trust to ensure participation by
developing community partnerships,
combating disinformation, and
protecting the privacy of respondent
data. The Bureau is actively
managing these preparations, but
faces significant risks that could
adversely impact the cost, quality,
schedule, and security of the count.
Over the past decade, GAO has
made 112 recommendations specific
to the 2020 Census to help address
issues such as cost estimation, key
innovations, and acquisition and
development of IT systems. The
Department of Commerce has
generally agreed with the
recommendations. As of February
2020, 28 of the recommendations
had not been fully implemented.
GAO was asked to provide regular
updates on the 2020 Census. This
report examines the cost and
progress of key 2020 census
operations critical to a cost-effective
enumeration, and early warnings, if
any, that may require Census
Bureau or congressional attention.

Initial Enumeration Underway but Readiness for
Upcoming Operations Is Mixed

This correspondence is the second in a series of updates meant to provide timely
reporting on the Census Bureau’s (Bureau) 2020 Census activities and
operations. This update includes information from GAO’s ongoing work on
preparing for operations including recruiting and hiring, information technology
(IT) systems development and testing, and cybersecurity.
In recent years, GAO has identified challenges that raise serious concerns about
the Bureau’s ability to conduct a cost-effective count of the nation, including new
innovations, acquisition and development of IT systems, and other challenges. In
2017, these challenges led us to place the 2020 Census on GAO’s High Risk list.
The Bureau Has Generally Executed Early Operations on Schedule, but
Faces Challenges Going Forward
Preparation for Data Collection Operations
The Bureau continues to prepare for upcoming operations for the 2020 Census.
These activities included launching media materials and opening area census
offices and call centers. The Bureau’s first self-response mailing is expected to
arrive at households beginning March 12, 2020. Further, the Bureau has begun
or is preparing to begin four operations that reach populations that do not receive
mail at their residence, including (1) remote areas; (2) areas in which many
housing units do not have mail delivered to their homes; (3) individuals living in
transitory locations, such as hotels and campgrounds; and (4) individuals in
group quarters, such as college resident halls and correctional facilities, as well
those experiencing homelessness. The Bureau has also begun work on its
Mobile Questionnaire Assistance Operation, which will provide staff to help
people complete the questionnaire in locations with low self-response.
Recruiting
The Bureau is behind in its recruiting of applicants for upcoming operations. If the
Bureau does not recruit sufficient individuals, it may have difficulty hiring enough
staff to complete its upcoming operations within scheduled time frames. As
shown by the graphic, despite efforts to increase recruiting through
advertisements and increased recruiting staff, the Bureau continues to miss its
interim recruiting goals as of February 3, 2020.
Census Bureau Progress on Recruiting as of February 2020

The Bureau provided technical
comments that were incorporated as
appropriate.

View GAO-20-368R. For more information,
contact J. Christopher Mihm at (202) 512-6806
or by email at mihmj@gao.gov and Nick
Marinos at (202) 512-9342 or by email at
marinosn@gao.gov.

United States Government Accountability Office

 Partnerships
The Bureau continues to form both national and community partners, which are
crucial in educating the public and maximizing survey response rates, particularly
among hard-to-count populations. As of early February 2020, the Bureau had
almost 240,000 community partners, such as businesses and nonprofits, in
place. However, the Bureau has missed interim goals building towards its overall
goal of 300,000 community partners by March 2020.
IT Systems Implementation
The Bureau has made progress in executing work against its development and
testing schedule for the 52 IT systems expected to be used during the 2020
Census, but continues to face risks in implementing the systems in time for key
operations. For example, as of January 2020, the Bureau was at risk of not
meeting key near-term IT system testing schedule milestones for five upcoming
2020 Census operational deliveries, such as self-response and non-response
follow-up (i.e., when the Bureau follows up with households that do not initially
respond to the Census).
The Bureau also needs to quickly address concerns related to the readiness of
its internet response system. In January 2020, the Bureau identified a scalability
issue that was preventing it from meeting its goal of enabling up to 600,000 users
to access the primary internet response system at the same time without
experiencing performance problems. As a result, in February 2020, the Bureau
decided to use its backup system to manage internet responses for the 2020
Census. Late design changes, such as the shift from one system to another, can
introduce new risks, in part, because the backup system was not used
extensively in earlier operational testing. The internet response system is
scheduled to be available in March 2020 and will enable the public to respond to
the 2020 Census online. Therefore, it is critical that the Bureau quickly ensures
the readiness of the system it has decided to use, including fully testing the
system before it is deployed.
Cybersecurity
The Bureau also continues to face significant cybersecurity challenges, including
those related to addressing cybersecurity weaknesses in a timely manner,
resolving cybersecurity recommendations from the Department of Homeland
Security (DHS), and addressing numerous other cybersecurity concerns (such as
protecting the privacy of respondent data). For example, in April 2019, GAO
recommended that the Bureau (1) take steps to ensure that identified corrective
actions for cybersecurity weaknesses were implemented within prescribed time
frames, and (2) implement a process for tracking and executing appropriate
corrective actions to remediate cybersecurity findings identified by DHS for the
2020 Census.
The Bureau has made progress toward addressing these recommendations, but
more work remains. For example, the Bureau has not always addressed
cybersecurity weaknesses in accordance with established deadlines. Because
the 2020 Census involves collecting personal information from more than 300
hundred million people across the country, it will be important that the Bureau
continue to address these challenges. GAO has ongoing work monitoring the
Bureau’s progress in addressing these and other cybersecurity challenges.

Page ii

GAO-20-368R

 441 G St. N.W.
Washington, DC 20548

February 12, 2020
Congressional Requestors
2020 Census: Initial Enumeration Underway but Readiness for Upcoming Operations Is
Mixed
In the coming months, the U.S. Census Bureau (Bureau) will begin the major operations to
count the population of the United States. Census Day for the 2020 Census, the reference date
for where and if a person should be counted, is April 1. The success of these operations, in part,
relies on the Bureau’s preparations, including recruiting and hiring a sufficient workforce; the
development and testing of information technology (IT) systems; and maintaining public trust to
ensure participation by developing community partnerships, combating disinformation, and
protecting the privacy of respondent data. The Bureau is actively managing these preparations,
but continues to face significant risks that could adversely impact the cost, quality, schedule,
and security of the count.
You asked us to provide regular updates on the implementation of the 2020 Census. For these
updates, we will review the cost and progress of key 2020 Census operations critical to a costeffective enumeration and early warnings, if any, that may require Census Bureau or
congressional attention. For this correspondence—the second in a series of products meant to
provide timely reporting on activities and operations while they are being implemented—we
focused on recruiting, preparations for upcoming operations, IT systems development and
testing, and cybersecurity. 1
To describe the status of the Bureau's execution of key operations for the 2020 Census, we
reviewed Bureau-provided data on cost and progress of key operations and compared those
data with Bureau-determined target dates and metrics. We determined those data were
sufficiently reliable for the purposes of our reporting objectives by interviewing Bureau staff
about the IT systems used. We interviewed Bureau officials to gather additional information on
the status and progress of these key operations.
To describe major trends and early warning signs, we compared Bureau-provided data against
goals outlined in Bureau plans. We assessed Bureau-provided performance data on individual
operations and efforts to make determinations of Bureau performance and progress. We also
included information from our ongoing work on the readiness of the Bureau’s IT systems for the
2020 Census. We collected and reviewed documentation on the status of systems development
and testing and for addressing cybersecurity risks, such as executive-level system status
reports and dashboards. We also interviewed relevant agency officials.
We conducted this performance audit from November 2019 to February 2020 in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objectives. We believe that the evidence

1For

the first report in this series, see GAO, 2020 Census: Status Update on Early Operations, GAO-20-111R
(Washington, D.C.: Oct. 31, 2019).

Page 1

GAO-20-368R

 obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.
Background
In 2017, we designated the 2020 Census as a high-risk area and added it to our High-Risk list.
The 2020 Census remains high risk, as new innovations, and acquisition and development of IT
systems for the 2020 Census, along with other challenges we have identified in recent years,
such as the reliability of the cost estimate, raise serious concerns about the Bureau’s ability to
conduct a cost-effective enumeration. Over the past decade, we have made 112
recommendations specific to the 2020 Census to help address these risks and other concerns.
The Department of Commerce has generally agreed with these recommendations and has
taken action and made progress to address them. To date, the Bureau has implemented 83 and
GAO has closed 1 recommendation as not implemented. However, as of February 2020, 28 of
the recommendations have not been fully implemented, of which six are designated priority
recommendations. 2
The Bureau has Generally Executed Early Operations on Schedule, but Faces Challenges
Going Forward
The Bureau Is Preparing for Its Data Collection Operations
In October 2019 the Bureau completed its In-Field Address Canvassing Operation, where
temporary field staff known as listers verify and update selected addresses across the country in
its address list. The Bureau also met its target dates for opening its Questionnaire Assistance
Contact Centers, where respondents can call to ask questions or provide their census data by
phone and it has launched its advertising campaign, that is designed to use print, social media,
and television to, among other initiatives, spread the word about the 2020 Census. Further,
despite initial delays, it has opened all 248 Area Census Offices that will be used to manage the
decennial at the local level.
In January 2020, enumeration activities began in certain areas of Alaska. The Bureau’s first selfresponse mailing is expected to arrive in mailboxes beginning on March 12, 2020. (see figure 1)
This is the first of five self-response mailings, which will cover 95 percent of households. These
mailings will consist of a letter inviting recipients to complete the census online, or via several
other response options. Households in areas with low internet connectivity will also receive a
paper questionnaire they can mail back.

2Priority

recommendations are those that GAO believes warrant priority attention from heads of key departments or
agencies. They are highlighted because, upon implementation, they may significantly improve government
operations, for example, by realizing large dollar savings; eliminating mismanagement, fraud, and abuse; or making
progress toward addressing a high-risk or fragmentation, overlap, or duplication issue.

Page 2

GAO-20-368R

 Figure 1: Key Dates for 2020 Census Operations

Further, the Bureau has four upcoming operations that enumerate populations unlikely to be
reached with mailed self-response enumeration.
•

The Update Enumerate (UE) operation counts populations in remote areas that have
challenges associated with accessibility including remote Alaska, parts of northern Maine
and certain tribal areas. (January – April 2020)

•

The Update Leave (UL) operation hand delivers questionnaires in areas where the majority
of housing units do not have mail delivered to the location of the housing unit or do not have
verified mail delivery information. (March – April 2020)

•

The Enumeration at Transitory Locations (ETL) operation enumerates respondents living in
transitory locations such as recreational vehicle (RV) parks, campgrounds, hotels, motels,
marinas, racetracks, circuses and carnivals, and who do not have a usual home elsewhere.
(April – May 2020)

•

The Group Quarters (GQ) operation enumerates individuals living or staying in group
quarters, such as college residence halls, residential treatment centers, skilled nursing
facilities, group homes, correctional facilities, and workers’ dormitories, as well as those

Page 3

GAO-20-368R

 experiencing homelessness or receiving services at service-based locations such as soup
kitchens and shelters. This service based enumeration occurs over the course of 3 days.
We previously reported that the Bureau experienced issues managing staffing levels during
the 2018 Census Test. Facilities were either overstaffed or understaffed during enumeration
due to GQ facilities changing their preferred enumeration method from the preferences they
identified when Bureau officials initially reached out to facilities, such as changing from a
paper submission of census data for residents to an in-person enumeration. 3 (February –
June 2020)
The Bureau has also begun work on its Mobile Questionnaire Assistance (MQA) initiative as
directed in the Further Continuing Appropriations Act, 2020 in November 2019. 4 According to its
December 2019 MQA Operation Project Plan, the Bureau plans to provide staff at community
events to help people complete the questionnaire and answer questions in locations with low
self-response. Respondents are to directly access the questionnaire on mobile devices in
English, or one of the 12 non-English languages, or call for assistance. Staff will also have
language assistance guides available for 59 non-English languages.
MQAs will be in prominent locations to include grocery stores, houses of worship, community
festivals, public transit hubs and other locations. 5 The Bureau plans to convert up to 4,500
Recruiting Assistants to Census Response Representatives after recruiting efforts end. Further,
the Bureau plans to hire a small number of new staff starting in March 2020 to continue
throughout the nonresponse follow-up period.
According to the Bureau, the MQA plan improves on the model of the 2010 Questionnaire
Assistance Centers (QACs) that were static locations. We previously found that the QACs
experienced problems, including low visibility of the sites, trouble locating sites among the
public, and difficulty in monitoring them. 6 Instead of being tied solely to static locations, MQAs
can deploy to low response locations where they are likely to have a greater impact.
The Bureau Is Behind in Meeting Recruiting Goals for Upcoming Operations
The Bureau is behind in its goal to recruit more than 2.6 million applicants nationwide for
upcoming operations and 202 of 248 Area Census Offices fell short of their individual recruiting
targets as of early February 2020. As depicted in figure 2, the Bureau fell behind its recruiting
targets in late September 2019 and while it experienced an uptick in January and February
2020, has not yet been able to close the gap. As of February 3, 2020, the Bureau has recruited
more than 2.1 million applicants. This falls short of its interim target to reach more than 2.5
million applicants by the same date.

3GAO,

2020 Census: Additional Steps Needed to Finalize Readiness for Peak Operations, GAO-19-140
(Washington, D.C.: Dec. 10. 2018). The Bureau faced similar challenges in managing staffing levels while
enumerating service-based locations during the 2010 Census. See 2010 Census: Key Efforts to Include Hard-toCount Populations Went Generally as Planned; Improvements Could Make the Efforts More Effective for Next
Census, GAO-11-45 (Washington, D.C.: Dec. 14, 2010). We recommended that the Bureau determine the factors
that led to the staffing issues we observed during service-based enumeration and take corrective actions to ensure
more efficient staffing levels in 2020. As of December 2019, the Bureau had not taken action on this
recommendation.

4Pub.

L. No. 116-69, div. A, § 101, 133 Stat. 1134 (Nov. 21, 2019).

5In

November 2019, the Bureau estimated that this effort will reach over 23 million housing units if they target the
20% of tracts with the lowest projected self-response.

6GAO-11-45.

Page 4

GAO-20-368R

 Figure 2: Census Bureau Progress on Recruiting as of February 2020

Notes: In September 2019, the Census Bureau increased its total recruiting goal from approximately 2.2 million to
more than 2.6 million and increased its interim goals accordingly.
The Census Bureau began tracking recruiting progress in June 2019.

To increase recruiting, in early October 2019 Bureau officials told us that they were increasing
advertising for census jobs, hiring more staff that focus on recruiting, and holding a National
Recruiting Event later in the month. Bureau officials also told us they can focus recruiting
advertising in geographic locations where they are falling behind. Additionally, in late December
2019 Bureau officials told us they had completed a review of pay rates for upcoming operations
and planned to increase hourly rates in 73 percent of counties nationwide by an average of
$1.50 per hour for enumerators to address recruiting shortfalls. 7 In December 2019, Bureau
officials told us that the recruiting numbers had plateaued but that they expected the number of
applicants to increase in response to recruitment activities in January 2020. If the Bureau does
not recruit sufficient applicants, it may have difficulty hiring enough staff to complete its
upcoming operations within its scheduled time frames, which could delay subsequent
operations, add to costs, and adversely impact data quality. We will continue to monitor the
Bureau’s recruiting efforts.
The Bureau has met its hiring goals for some area census office positions, but not all. The
Bureau has exceeded its goal for hiring recruiting assistants and office operations supervisors,
but has not yet met its goals for hiring clerks as shown in Table 1. Hiring sufficient clerks is
7Enumerators

are Census Bureau employees who travel from door-to-door throughout the country to try to obtain
census data from individuals who do not respond through other means, including the internet, on paper, or by phone.

Page 5

GAO-20-368R

 particularly important since clerks assist with on-boarding the 320,000 to 500,000 enumerators
needed for upcoming data collection operations. 8
The Bureau’s total goal for hiring clerks is 9,874 by March 1, 2020. According to Bureau
officials, it has hired 6,537 clerks and the interim hiring goal for early February was
approximately 7,500 clerks. In November 2019, the Census received approval from the
Department of Commerce and notified the Office of Personnel Management (OPM) that to more
efficiently onboard staff, it would conduct a more limited background investigation for Area
Census Office clerks, recruiting assistants, and office operation supervisors. According to
Bureau officials this has sped up the hiring process for office staff.
Table 1: Hiring Goals for Select Area Census Office Positions
Position

Goal

Hired (as of Feb. 4, 2020)

Recruiting Assistant

4,741

4,758

Office Operations Supervisor

2,601

2,641

9,874a

6,537

Clerk

Source: Census Bureau hiring data   GAO-20-368R
Note: “Hired” refers to the number of individuals who are sworn-in to the position and could charge time.
aThe Census Bureau plans to hire by March 1, 2020

The Bureau Has Missed Interim Milestones for Establishing Community Partners
The Bureau is forming partnerships through its Community and National Partnerships to reach
hard-to-count populations. According to the 2020 Census Partnership Plan, partnerships are
crucial in educating the public and maximizing survey response rates, particularly for hard-tocount populations, such as persons with disabilities and persons experiencing homelessness.
Bureau management reports provide the number of community partners and participating
organizations by sector and audiences served, as well as the number of events the partners
have sponsored. The Bureau’s goal for 2020 is to have 300,000 community partners by March
2020. As of February 4, 2020, the Bureau had established relationships with 642 national
participating organizations and 238,982 community partners such as media outlets, nonprofits,
and healthcare organizations (see figure 3). Bureau officials told us that their interim goal was to
have approximately 200,000 community partnerships in place by January 1, 2020 and 250,000
in place by February 1, 2020.

8To

conduct data operations on schedule, the Bureau’s conservative estimate for the optimal number of enumerators
is 500,000. The Bureau’s estimate for the most likely number of enumerators needed is 320,000.

Page 6

GAO-20-368R

 Figure 3: Number of Active Community Partners

By the end of the 2010 cycle, the Bureau had worked with nearly 256,000 partners. We have
previously reported that hiring for Partnership Specialists, who often help establish Community
Partner relationships, was delayed in 2019 due to delays in processing background checks and
greater than expected attrition. 9 Bureau officials told us that these delays had not affected the
number of participating organizations and community partners and that they were pleased with
the quality of those relationships. The Bureau’s website has webinars and materials available to
partners on common barriers to census response and mapping tools that show locations of
specific hard-to-count populations.
The Bureau Is at Risk of Missing Near-Term Schedule Milestones for IT Systems Testing and
Needs to Quickly Address Concerns Related to the Readiness of Its Internet Response System
The Bureau is significantly changing how it intends to conduct the census during this decennial,
in part by re-engineering key census-taking methods and infrastructure, and making use of new
IT applications and systems. 10 Most notably, the Bureau plans to offer an option for households
to respond to the survey via the internet and enable field-based enumerators to use applications
on mobile devices to collect survey data from households.
To conduct the 2020 Census, the Bureau plans to utilize 52 new and legacy IT systems and the
infrastructure supporting them. In October 2018, to help improve its implementation of IT, the
Bureau revised its systems development and testing schedule. Specifically, the Bureau
organized the development and testing schedule for its 52 systems into 16 operational

9GAO,

2020 Census: Status Update on Early Operations, GAO-20-111R (Washington, D.C.: Oct. 31, 2019).

10GAO,

2020 Census: Bureau Needs to Take Additional Actions to Address Risks to a Successful Enumeration,
GAO-19-685T (Washington, D.C.: Jul. 24, 2019).

Page 7

GAO-20-368R

 deliveries. 11 Each of the 16 operational deliveries was assigned milestone dates for, among
other things, development, performance and scalability testing, 12 and system deployment.
As of January 2020, the Bureau had made progress in executing work against its revised
schedule by deploying the systems for five of the 16 operational deliveries. For example, the
Bureau deployed the systems for the integrated partnership and communications 13 operational
delivery in January 2020. Further, the Bureau was continuing system development,
performance and scalability testing, and/or integration testing for the remaining 11 operational
deliveries, including self-response and non-response follow-up. For example, the Bureau was
working to complete integration testing and performance and scalability testing for the systems
needed to support self-response (including the internet response option), in preparation for
deploying the final systems in March 2020.
However, as of January 2020, five of the remaining 11 operational deliveries were at risk of not
meeting key near-term milestones planned for completing performance and scalability testing
and/or integration testing by April 2020. These five operational deliveries are the post
enumeration survey, 14 self-response, group quarters enumeration, update enumerate/update
leave, and non-response follow-up. For example:
•

Self-response: The Bureau recently identified a scalability issue that was preventing it
from meeting a critical testing goal for its primary internet response system (known as
the Enterprise Censuses and Surveys Enabling Platform–Internet Self-Response, or
ECaSE–ISR). 15 Specifically, in early January 2020, the Bureau stated that an issue with
the design of its recently revised Trusted Internet Connection 16 was preventing it from
meeting its goal of enabling up to 600,000 users to access the internet response system
at the same time without experiencing performance issues. 17 According to the Bureau,
ECaSE–ISR was able to reach up to 400,000 concurrent users during testing before
encountering performance issues.

11The

Bureau plans to deploy the 52 systems being used in the 2020 Census multiple times in a series of operational
deliveries, which includes operations such as address canvassing or self-response (e.g., the ability to respond to the
2020 Census through the internet). That is, the Bureau may deploy a system for one operation in the 2020 Census
(such as address canvassing), and again for a subsequent operation (such as self-response). As such, additional
development and testing may occur each time a system is deployed.
12According

to the Bureau’s 2020 Census Operational Plan, the purpose of performance and scalability testing is to
ensure that systems will scale to meet the workloads, or volumes, of the 2020 Census.
13The

purpose of the Bureau’s integrated partnership and communications operation is to communicate the
importance of 2020 Census participation to the entire population of the 50 states, the District of Columbia, and U.S.
territories.
14The post enumeration survey is intended to provide estimates of 2020 Census net coverage and components of
coverage for housing units and people in the United States and Puerto Rico, excluding remote Alaska.
15ECASE–ISR

is a modified commercial-off-the-shelf product developed by a third-party contractor.

16External network traffic (traffic that is routed through agency’s external connections) must be routed through a
Trusted Internet Connection. External connections include those connections between an agency’s information
system or network and the globally-addressable internet or a remote information system or network and networks
located on foreign territory.
17The

Bureau stated that it was at testing at 5 times the expected internet self-response user load of 120,000
concurrent users, for a total of 600,000 concurrent users, to minimize risk.

Page 8

GAO-20-368R

 In mid-January 2020, due to concerns with resolving this scalability issue in a timely
manner, the Associate Director for Decennial Census Programs and other Bureau
leadership officials stated that the Bureau was reviewing its options for using another
system called Primus to provide the internet response capability for the 2020 Census.
According to Bureau documentation, Primus is a Bureau-developed backup system that
was intended to provide internet data collection capabilities in the event that normal
operations of ECaSE–ISR are disrupted. The officials stated that recent testing of
Primus indicated that it could meet the scalability goal of 600,000 concurrent users;
however, additional integration and performance and scalability testing remained to be
completed.
On February 7, 2020, the Bureau made a decision to use Primus as the primary internet
response system for the 2020 Census. The Bureau added that it is planning to use
ECaSE-ISR to support its Questionnaire Assistance Contact Centers, as well as provide
a backup for Primus.
Given that the Bureau expects the internet response system will be available to the
public in March 2020, it is important that the Bureau quickly ensures the readiness of the
system it has decided to use. Late design changes, such as the shift from one system to
another, can introduce new risks, in part, because the backup system was not used
extensively in earlier operational testing. Notably, Primus was not used as the internet
response system during the Bureau’s 2018 End-to-End Test. 18 As a result, this
increases the risk that operational problems may go undiscovered before the system is
deployed, in part because the 2018 End-to-End Test was the last opportunity to test the
system under Census-like conditions.
•

Non-response follow-up: The Bureau has identified several issues during the testing of
two systems expected to be used to conduct non-response follow-up—the enumeration
application 19 and the Sampling, Matching, Reviewing, and Coding system. 20 Specifically,
as of January 2020, the Bureau reported that it needed to identify the root causes of,
and implement resolutions for, issues identified when using the enumeration application
(e.g., in certain cases, needing to restart or reinstall the application for it to work
correctly).
Further, regarding the Sampling, Matching, Reviewing, and Coding system, the Bureau
reported that it needed to, among other things, resolve outstanding system defects and
implement new requirements to improve system performance and scalability. Given that
these two systems are expected to be deployed into production in April 2020, it is
important that the Bureau quickly resolve these issues.

Figure 4 presents an overview of the status for all 16 operational deliveries, as of January 2020.
18According to the Bureau, the 2018 End-to-End Test was conducted to confirm key technologies, data collection
methods, outreach and promotional strategies, and management and response processes that are intended to be
deployed in support of the 2020 Census.
19The enumeration application, also known as the Enterprise Censuses and Surveys Enabling Platform–
Enumeration, is intended to support Bureau employees who travel from door-to-door throughout the country to try to
obtain census data from individuals who do not respond through other means, including the internet, on paper, or by
phone. The application is also expected to be used by these employees to, among other things, provide their
availability for performing work and for reporting expenses.
20The

Sampling, Matching, Reviewing, and Coding system is expected to, among other things, apply quality control
algorithms to determine whether enumerators are using validated procedures and collecting accurate data.

Page 9

GAO-20-368R

 Figure 4: Status of 16 Operational Deliveries for the 2020 Census, as of January 2020

Note: The 52 systems being used in the 2020 Census are to be deployed multiple times in a series of operational deliveries (which
include operations such as address canvassing or self-response). That is, a system may be deployed for one operation in the 2020
Census (such as address canvassing), and be deployed again for a subsequent operation such as self-response). As such,
additional development and testing may occur each time a system is deployed.

These five at-risk operational deliveries add uncertainty to a highly compressed time frame over
the next 2 months. Going forward, the Bureau must effectively manage the at-risk operational
deliveries to better ensure that it meets near-term milestones for completing IT systems testing,
and is ready for the major operations of the 2020 Census. Further, it will be critical that the
Bureau expeditiously completes remaining integration and performance and scalability testing
for its internet response system to better ensure that the system functions as intended.
The Bureau Faces Significant Cybersecurity Challenges in Securing Its Systems and Data
Our prior and ongoing work has identified significant challenges that the Bureau faces in
securing systems and data for the 2020 Census. 21 Specifically, the Bureau continues to face
challenges related to addressing cybersecurity weaknesses, tracking and resolving
cybersecurity recommendations from the Department of Homeland Security (DHS), and

21See,

for example, GAO, GAO-19-431T and GAO-18-655.

Page 10

GAO-20-368R

 addressing numerous other cybersecurity concerns (such as protecting the privacy of
respondent data). For example:
•

Addressing cybersecurity weaknesses within prescribed time frames. The
Bureau’s risk management framework requires it to conduct a full security assessment
for nearly all the systems expected to be used for the 2020 Census. If deficiencies are
identified, the Bureau is to determine the corrective actions—known as plans of actions
and milestones (POA&Ms)—needed to remediate those deficiencies.
The Bureau had made progress in addressing open POA&Ms as of the end of
December 2019, but more work remains. Specifically, the Bureau reduced the number of
open “high” and “very high-risk” POA&Ms from 264 in January 2019 to 191 as of the end
of December 2019.
However, we reported in April 2019 that the Bureau did not always address POA&Ms in
accordance with its established deadlines. 22 Thus, we recommended that the Bureau
take steps to ensure that identified corrective actions for cybersecurity weaknesses are
implemented within prescribed time frames. As of December 2019, this recommendation
remained open. Specifically, as of December 2019, 81 of the 191 (about 42 percent)
total open “high” and “very high-risk” POA&Ms were delayed past their scheduled
completion dates. Additionally, 50 of the 191 (about 26 percent) total open “high” and
“very high-risk” POA&Ms were delayed 60 or more days.
In February 2020, the Bureau told us that it is taking steps to more actively manage
overdue POA&Ms. According to the Bureau’s Chief Information Security Officer, the
delay in addressing these POA&Ms was due to technical challenges such as
interdependencies among multiple system components.
We have ongoing work that will continue to evaluate the Bureau’s progress in ensuring
that corrective actions are implemented within prescribed time frames. Fully
implementing our recommendation will help to ensure that the Bureau is in a better
position to manage and mitigate cybersecurity risks in a timely manner.

•

Tracking and resolving cybersecurity recommendations from DHS. DHS is working
with the Bureau to support its 2020 Census cybersecurity efforts. For example, since
2017, DHS has provided various assessments to support the Department of Commerce
and the Bureau’s risk management of the 2020 Census and help to enhance the
cybersecurity posture. In addition, DHS has developed plans with the Department of
Commerce and the Bureau on the type of assistance that DHS expects to provide during
2020 Census operations.
DHS has provided numerous recommendations to assist the Bureau in strengthening its
cybersecurity efforts in the last 2 years. Among other things, the recommendations
pertained to strengthening cyber incident management capabilities, penetration testing 23

22GAO,

2020 Census: Further Actions Needed to Reduce Key Risks to a Successful Enumeration, GAO-19-431T
(Washington, D.C.: Apr. 30, 2019).

23The

National Institute of Standards and Technology defined penetration testing as security testing in which the
evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an
application, system, or network. Penetration testing often involves issuing real attacks on real systems and data,
using the same tools and techniques used by actual attackers.

Page 11

GAO-20-368R

 and web application assessments of select systems, and phishing assessments 24 to
gain access to sensitive personally identifiable information (PII). 25 In April 2019, we
recommended that the Bureau implement a process for documenting, tracking, and
executing appropriate corrective actions to remediate the cybersecurity findings
identified by DHS. 26 Such a plan would help ensure that DHS’s efforts result in
improvements to the Bureau’s cybersecurity posture.
In the fall of 2019, the Bureau had developed a process for tracking IT-related
recommendations from agencies such as DHS, the Commerce Inspector General, and
GAO. More recently, the Bureau had begun implementing that process, and provided us
with a spreadsheet that it is using to track the status of these recommendations. This
spreadsheet included key information, such as corrective actions that the Bureau plans
to take to address the recommendations, a point of contact responsible for actions taken
to address each recommendation, and a time frame for implementation or for key
activities to be completed. We have ongoing work intended to monitor the Bureau’s
continued progress in implementing this process of tracking the status of the
recommendations.
•

Disinformation from social media. We previously reported that one of the Bureau’s
key innovations for the 2020 Census is the large-scale implementation of an internet
self-response option. The public perception of the Bureau’s ability to adequately
safeguard the privacy and confidentiality of the 2020 Census internet self-responses
could be influenced by disinformation spread through social media.
According to the Bureau, if a substantial segment of the public is not convinced that the
Bureau can safeguard public response data against data breaches and unauthorized
use, then self-response rates may be lower than projected, leading to an increase in
cases for follow-up and in subsequent costs. For example, Bureau officials stated that,
during the address canvassing operation, rumors were shared across social media
platforms about the address canvassing operation or the staff performing it. The Bureau
determined that the rumors created safety concerns for staff who were legitimately
working to confirm addresses. To contain the rumors, officials explained that the Bureau
worked with local partners, fact-checkers, and law enforcement to share correct
information. The Bureau also posted information on its website 27 explaining the rumors
and also explaining how to determine whether someone is a Bureau employee and how
to contact the Bureau.
To help address this challenge, Bureau officials stated that they plan to inform the public
of the risks associated with disinformation from social media through the Bureau’s
education and communication campaigns. In addition, these officials stated that they
plan to use specialized tools to monitor traditional media (e.g., newspapers) and social
media, and then track, categorize, and respond to disinformation that may be shared.
Additionally, Bureau officials stated that they are coordinating with several technology

24Phishing

is a digital form of social engineering that uses authentic-looking, but fake emails to request information
from users or direct them to a fake website that requests information.

25Due

to the sensitive nature of the recommendations, we are not identifying the specific recommendations or
specific findings associated with them in this product.
26GAO-19-431T.
27https://2020census.gov/en/news-events/rumors.html

Page 12

GAO-20-368R

 companies and social media platforms that have agreed to support the Bureau’s efforts
in various ways, which may include sharing information and modifying relevant Terms of
Service to include support for the 2020 Census. Bureau officials have also stated that
DHS is providing direct support primarily through information sharing.
•

Ensuring contingency and incident response plans are in place to encompass all
of the IT systems to be used to support the 2020 Census. Because of the brief time
frame for collecting data during the 2020 Census, it is especially important that systems
are available for respondents, in order to better ensure a high response rate.
Contingency planning 28 and incident response help ensure that, if normal operations are
interrupted, network managers will be able to detect, mitigate, and recover from a
service disruption while preserving access to vital information.
In June 2019, Commerce’s Inspector General identified several weaknesses in the
Bureau’s 2020 Census contingency planning efforts. 29 For example, the Inspector
General identified, among other things, incomplete disaster recovery planning efforts
during the Bureau’s 2018 End-to-End Test that could have resulted in the Bureau being
unable to execute mission critical 2020 Census operations in the event of a major
disruption or outage. The Inspector General made eight recommendations to the Bureau
including to, among other things, improve the documentation and implementation of
disaster recovery planning activities. Bureau officials agreed with all eight of the
Inspector General’s recommendations and identified actions taken and planned to
address them.
Further, the Bureau needs to finalize its contingency planning efforts for its internet
response capability. For example, although the Bureau developed a contingency plan for
its internet response system in August 2019, this plan is not finalized. In addition, as
noted earlier, the Bureau recently made a decision to change the system that it intends
to use as the primary system to provide the internet response capability. Given that
internet response for the 2020 Census starts in March 2020—approximately 1 month
away—it is important that the Bureau expeditiously finalize and test the contingency plan
for its internet response capability and ensure that the plan reflects the approach the
Bureau has recently decided to implement.
Regarding incident response, as mentioned previously, DHS provided the Bureau with
findings and recommendations related to improving the Bureau’s capabilities in this area
in November 2017. 30 As of January 2020, the Bureau was still working to complete
activities for several of these incident response recommendations. As part of our
ongoing work, we are evaluating the Bureau’s progress in tracking and implementing
these and other recommendations provided by DHS.

28According to NIST, contingency planning is part of overall information system continuity of operations planning,
which fits into a much broader security and emergency management effort that includes, among other things,
organizational and business process continuity and disaster recovery planning.
29U.S.

Department of Commerce, Office of Inspector General, The Census Bureau Must Correct Fundamental Cloud
Security Deficiencies in Order to Better Safeguard the 2020 Decennial Census, OIG-19-015-A (Washington, D.C.:
June 19, 2019).
30Because

of the sensitive nature of the findings and recommendations in the DHS report, we are not identifying
them publicly.

Page 13

GAO-20-368R

 •

Protecting the privacy of respondent data. According to the Bureau’s Chief Scientist,
a challenge of the 2020 Census is to collect the data needed to meet mission needs
while protecting the privacy of individual respondent data. This is important because the
Bureau plans to enable a public-facing website and mobile devices to collect PII (e.g.,
name, address, and date of birth) from the nation’s entire population—estimated to be
over 300 million. Accordingly, it will be important for the Bureau to ensure that only
responsible Bureau officials are able to gain access to respondent data, and that
enumerators and other employees only have access to the data needed to perform their
jobs.
We have reported on challenges to the federal government and the private sector in
ensuring the privacy of personal information posed by advances in technology. For
example, in 2015, we expanded one of our high-risk areas—ensuring the security of
federal information systems and cyber critical infrastructure—to include protecting the
privacy of PII. 31 In addition, we noted that the number of reported security incidents
involving PII at federal agencies had increased dramatically. To help mitigate this highrisk area, we reported that federal agencies need to, among other things, consistently
develop and implement privacy policies and procedures.
To assist in protecting the privacy of respondent information as required by statute, 32 the
Bureau plans to apply a disclosure avoidance technique, known as differential privacy, to
its publicly-released statistical products to protect the confidentiality of its respondents
and their data. 33 As of November 2019, Bureau officials reported that they had tested
this technique by creating sample data products using data collected during the 2010
Census and 2018 End-to-End Test. According to these officials, the sample data
products included redistricting data and demographic and housing data. However, these
officials noted that, for the 2020 Census, they may not be able to publish all of the data
products that were published in prior decennials, in order to protect respondent privacy.
As of November 2019, the Bureau was collecting feedback from data users on the
sample data products, and had not yet finalized the list of data products that would be
produced after the 2020 Census. We have ongoing work monitoring the Bureau’s
progress as it works to implement differential privacy for the 2020 Census.

Agency Comments
We provided a copy of this draft report to the Department of Commerce. The Census Bureau
provided technical comments that were incorporated as appropriate.

31GAO,

High- Risk Series: An Update. GAO-15-290 (Washington, D.C.: Feb. 11, 2015). We designated the security
of our federal cyber assets as a high-risk area in 1997. In 2003, we expanded this high-risk area to include the
protection of critical cyber infrastructure, and in 2015 we expanded it again, to include risks to PII.

3213

U.S.C. § 9.

33Differential

privacy is a disclosure avoidance technique aimed at limiting statistical disclosure and controlling
privacy risk. According to the Bureau, differential privacy provides a way for the Bureau to quantify the level of
acceptable privacy risk and mitigate the risk that individuals can be reidentified using the Bureau’s data.
Reidentification can occur when public data is linked to other external data sources. According to the Bureau, using
differential privacy means that publicly available data will include some statistical noise, or data inaccuracies, in order
to protect the privacy of individuals. Differential privacy provides algorithms that allow policy makers to decide the
trade-off between data accuracy and privacy.

Page 14

GAO-20-368R

 We are sending copies of this report to the Secretary of the Department of Commerce, the
Under Secretary of Economic Affairs, the Director of the U.S. Census Bureau, and interested
congressional committees. In addition, the report is available at no charge on the GAO website
at http://www.gao.gov.
If you or your staff have any questions about this report, please contact J. Christopher Mihm at
202-512-6806 or by email at mihmj@gao.gov or Nick Marinos at (202) 512-9342 or by email at
marinosn@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. GAO staff who made key contributions to this
report are listed in enclosure I.

J. Christopher Mihm
Managing Director, Strategic Issues

Nick Marinos
Director, Information Technology and Cybersecurity

Page 15

GAO-20-368R

 List of Requesters
The Honorable Ron Johnson
Chairman
The Honorable Gary C. Peters
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate
The Honorable Carolyn B. Maloney
Chairwoman
The Honorable Jim Jordan
Ranking Member
Committee on Oversight and Reform
House of Representatives
The Honorable Jamie Raskin
Chairman
The Honorable Chip Roy
Ranking Member
Subcommittee on Civil Rights and Civil Liberties
Committee on Oversight and Reform
House of Representatives
The Honorable Gerald E. Connolly
Chairman
The Honorable Mark Meadows
Ranking Member
Subcommittee on Government Operations
Committee on Oversight and Reform
House of Representatives

Page 16

GAO-20-368R

 Enclosure I: GAO Contacts and Staff Acknowledgments
GAO Contacts: J. Christopher Mihm, (202) 512-6806 or mihmj@gao.gov
Nick Marinos, (202) 512-9342 or marinosn@gao.gov
Staff Acknowledgments: In addition to the contacts named above, Lisa Pearson, Jon
Ticehurst, Kate Sharkey, (Assistant Directors), Andrea Starosciak, Alexandra Edwards
(Analysts-in-Charge), Kerstin Meyer, David Matcham, Stephen Duraiswamy, Sejal Sheth, Keith
Kim, Alan Daigle, Rebecca Eyler, Christopher Businsky, Peter Verchinski, Franklin Jackson,
Michael Bechetti, Amalia Konstas, Jarenda Williams-Jones, Cynthia Saunders and Andrew
Stavisky made significant contributions to this report.

(103960)

Page 17

GAO-20-368R

 This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.

 GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative
arm of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of the
federal government for the American people. GAO examines the use of public
funds; evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make informed
oversight, policy, and funding decisions. GAO’s commitment to good government
is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of
GAO Reports and
Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is
through our website. Each weekday afternoon, GAO posts on its website newly
released reports, testimony, and correspondence. You can also subscribe to
GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and
distribution and depends on the number of pages in the publication and whether
the publication is printed in color or black and white. Pricing and ordering
information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard,
Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.

To Report Fraud,
Waste, and Abuse in
Federal Programs

Contact FraudNet:

Congressional
Relations

Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400,
U.S. Government Accountability Office, 441 G Street NW, Room 7125,
Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548

Strategic Planning and
External Liaison

James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814,
Washington, DC 20548

Website: https://www.gao.gov/fraudnet/fraudnet.htm
Automated answering system: (800) 424-5454 or (202) 512-7700

Please Print on Recycled Paper.