The Census Bureau has taken steps to safeguard the information and systems that support its mission, but it has not effectively implemented appropriate information security controls to protect those systems, the Government Accountability Office said in a new report.
GAO made 13 recommendations to the Census Bureau to enhance its information security program and, in a separate report with limited distribution, made an additional 102 recommendations.
According to GAO, an underlying reason for the weaknesses is that Census has not fully implemented a comprehensive information security program to ensure controls are effectively established and maintained.
Also, the bureau had not updated certain security management program policies, adequately enforced user requirements for security and awareness training, or implemented policies and procedures for incident response.
GAO argues that until the bureau implements a complete and comprehensive security program, it will have limited assurance that its information and systems are being adequately protected against unauthorized access.
The Department of Commerce expressed broad agreement with the overall theme of the report and said it would work to identify the best way to address GAO's recommendations, but did not directly comment on the recommendations.