The Census Bureau is on track to meet deadlines to modernize and upgrade the agency’s IT in time for the 2020 enumeration, despite only having made half of the decisions needed, the House Oversight and Government Reform Committee heard Thursday.
Census Bureau Director John Thompson told the hearing the $1.14 billion project to allow online form-filling and provide surveyors phone apps to collect data will be ready to test by 2018 and launch by 2020, but other witnesses were skeptical.
Government Accountability Office’s IT Acquisition Management Issues Director, Carol Harris, said there was no way the agency could meet its deadline or budget.
The Census has neither bought nor addressed any of the 17 key IT solutions needed for the Census Enterprise Data Collection and Processing program, or CEDCaP, which plans to overhaul most of the Census’ IT. Harris said she doubts the agency could finish the program with the planned year and a half of testing, especially because it currently depends on 4 inefficient, unimplemented schedules.
“So you have a schedule to develop the schedule, but you say you’re on schedule,” Committee Chairman, Sen. Jason Chaffetz, R-Utah, said. “That doesn’t engender a lot of confidence.”
But the Census officials stuck to their guns. Thompson said the bureau had not yet addressed many IT issues because it had recently decided to simply buy the necessary tech from contractors, rather than build it. As a result, the agency needed to draft up new schedules and new cost analyses based on those decisions.
If successful, Census’ 2020 goals would save the agency $5.2 billion and allow 55 percent of citizens to respond via the internet, but the scheduling problems could prevent this, Harris said. While the Census estimates the CEDCaP project should cost $548 million, this is too low, and the real costs could end up nearly double that, said Harris, who released a GAO report on the topic the same day.
Many of the problems are a result of the Census going 11 months without an official CIO or a chief security engineer. Earlier this week, the Census announced Kevin Smith would step in as a permanent CIO, which the GAO and the bureau agreed will help get closer to their goals.
“If we cannot make a decision on key personnel in 11 months, do you not think we’re going to have a problem with end-to-end testing in a year and a half?” Rep. Mark Meadows, R-NC, said.
The Census also missed the January deadline to submit a data security procedures report, as required by the Quarterly Financial Support Reauthorization Act, the Commerce Department CIO Steve Cooper said. The CIO did not become aware of it until last month, and said it will be submitted by the end of the month.
To prepare for the greater attack surface that mobile devices and online form-submission will create, the bureau also plans to deploy encryption and multi-factor ID authentication for the surveyors’ devices, witnesses said. The Census will also use the Homeland Security-developed program, Einstein – even though it only creates alerts, and does not prevent attacks.
“I think what we might say is that Einstein is necessary but not sufficient. Einstein alone, as you have stated, won’t protect us from everything. That’s the reason for additional measures we are taking in our cyber approach,” Cooper said.
But according to Harris, it is too early to tell if cybersecurity will be a problem since the security programs have yet to be finalized or even fully planned. On a scale of one to 10 for how confident she is in the bureau’s security, Harris said she was at a five, thanks to the agency addressing GAO’s recommendations.
The Census has already suffered two breaches, one in July 2015 and one in February 2016, and has since addressed the vulnerabilities, Acting Census CIO Harry Lee said. Lee said he did not know the number of people affected, but did have to send a “handful of notices” to people about having their email and names leaked.
To solve these issues, Harris recommended scaling back the scope and complexity of CEDCaP in order to prevent delays and budget increases. She recommended removing a program to identify possible fraudulent responses, which would be too costly and ambitious to complete in time.
Contact the reporter on this story via email: Jeremy.Snow@FedScoop.com. Follow him on Twitter @JeremyM_Snow.