Skip to main content

IT Modernization: Census Bureau Needs Reliable Cost and Schedule Estimates

GAO-24-105979 Published: Apr 29, 2024. Publicly Released: Apr 29, 2024.
Jump To:

Fast Facts

While the 2030 Decennial Census is still years away, keeping the Census Bureau's IT systems modernized is critical to its mission.

The Bureau has begun 4 modernization programs for systems that collect, process, and disseminate data, but hasn't fully implemented leading practices for managing requirements, cost, and schedule. Without reliable estimates, the Bureau increases its risk of cost overruns and unmet performance targets.

The Bureau has also begun creating plans to address many of the cybersecurity and privacy challenges it faced during the prior Census but hasn't set timeframes for all of these efforts.

Our recommendations address this.

Illustrated people lined up in the shape of a U.S. map

Skip to Highlights

Highlights

What GAO Found

The Census Bureau fully implemented selected leading practices for risk management, but it did not fully implement selected leading practices for managing requirements, cost, and schedule for the Center for Enterprise Dissemination Services and Consumer Innovation (an enterprise-wide data dissemination modernization program), as shown in the table.

Extent to Which the Census Bureau Implemented Selected Areas for Managing the Center for Enterprise Dissemination Services and Consumer Innovation Program

Management area

Overall assessment

Risk Management

● Fully implemented

Requirements Management

◕ Substantially implemented

Cost

◐ Partially implemented

Schedule

◔ Minimally implemented

Source: GAO analysis of Census Bureau data. | GAO-24-105979

The Bureau substantially implemented leading practices for requirements management. However, it did not consistently trace requirements forward and backward from their source to the end product. As a result, the program faces challenges in ensuring it adheres to project requirements. Additionally, the program's cost and schedule estimates were unreliable because the Bureau did not substantially or fully implement leading practices. Specifically:

  • Although the program substantially met two of the four characteristics of a high-quality, reliable cost estimate (well documented and accurate), it only partially met the remaining two characteristics (credible and comprehensive).
  • The program did not substantially meet any of the four characteristics of a reliable schedule: comprehensive, well constructed, credible, and controlled.

Without reliable cost and schedule estimates, the Bureau increases the risk of cost overruns and unmet performance targets.

GAO's prior work identified several cybersecurity and privacy challenges the Bureau faces implementing its IT modernization programs, including

  • addressing cybersecurity workforce challenges,
  • improving information security initiatives and programs,
  • enhancing its detection and response to cyber incidents, and
  • ensuring respondent privacy while maintaining the usability of public Census data.

The Bureau has taken steps to address these challenges but lacks detailed plans and strategies. For example, the Bureau drafted a strategy in 2023 to improve the cybersecurity of software development and operations. However, the strategy has not been finalized and does not include specific information (e.g., time frames) for accomplishing its objectives. In addition, the Bureau was unable to provide detailed information about the steps it plans to take to balance the privacy of respondents to the 2025 American Community Survey against the usability of public data. Until the Bureau develops detailed plans and time frames for these activities, it risks not meeting its objectives of effectively securing and protecting its IT systems and data.

Why GAO Did This Study

The Census Bureau's IT systems are essential to collecting and providing data about the nation's people and economy. During the run up to the 2020 Census, the Bureau faced challenges in modernizing and consolidating its IT systems. For future surveys, including the 2030 Census, the Bureau has embarked on four modernization programs to collect, process, and disseminate data.

GAO was asked to review the Bureau's implementation of key modernization programs. This report (1) examines the extent to which the Bureau is implementing leading practices related to managing risks, requirements, cost, and schedule for a selected enterprise-wide IT program; and (2) describes the key cybersecurity and privacy challenges the Bureau faces in implementing its IT modernization programs and the extent to which the Bureau has plans to address them.

GAO selected the data dissemination program due to the maturity of its cost and schedule documentation. GAO assessed the program's management of risks, requirements, cost, and schedule against leading practices. In addition, GAO reviewed prior GAO reports and Bureau plans related to cybersecurity and privacy challenges, and interviewed Bureau officials.

Recommendations

GAO is making five recommendations to the Department of Commerce related to managing requirements, estimating cost and schedule, and developing plans and time frames on cybersecurity and privacy challenges. Commerce concurred with the recommendations and stated it would take steps to improve in these areas.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Commerce The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the CEDSCI program consistently documents user stories to ensure bidirectional traceability with requirements. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the CEDSCI program develops reliable cost estimates using best practices described in GAO's Cost Estimating and Assessment Guide, in particular those practices related to the comprehensive and credible characteristics. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the CEDSCI program develops its schedule using the best practices described in GAO's Schedule Assessment Guide. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the OCIO incorporates key elements, such as time frames, into its DevSecOps strategy and finalizes it in a timely manner. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the American Community Survey program develops a plan, including time frames, for the steps they intend to take to determine the most appropriate methods to protect respondent privacy in the publicly available data releases. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

GAO Contacts

Kevin Walsh
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Best practicesBusiness systems modernizationCensusCost and scheduleCost estimatesCybersecurityInformation systemsPrivacyProject critical pathRisk management