IT Modernization: Census Bureau Needs Reliable Cost and Schedule Estimates

What GAO Found

The Census Bureau fully implemented selected leading practices for risk management, but it did not fully implement selected leading practices for managing requirements, cost, and schedule for the Center for Enterprise Dissemination Services and Consumer Innovation (an enterprise-wide data dissemination modernization program), as shown in the table.

Extent to Which the Census Bureau Implemented Selected Areas for Managing the Center for Enterprise Dissemination Services and Consumer Innovation Program

Source: GAO analysis of Census Bureau data. | GAO-24-105979

The Bureau substantially implemented leading practices for requirements management. However, it did not consistently trace requirements forward and backward from their source to the end product. As a result, the program faces challenges in ensuring it adheres to project requirements. Additionally, the program's cost and schedule estimates were unreliable because the Bureau did not substantially or fully implement leading practices. Specifically:

• Although the program substantially met two of the four characteristics of a high-quality, reliable cost estimate (well documented and accurate), it only partially met the remaining two characteristics (credible and comprehensive).
• The program did not substantially meet any of the four characteristics of a reliable schedule: comprehensive, well constructed, credible, and controlled.

Without reliable cost and schedule estimates, the Bureau increases the risk of cost overruns and unmet performance targets.

GAO's prior work identified several cybersecurity and privacy challenges the Bureau faces implementing its IT modernization programs, including

• addressing cybersecurity workforce challenges,
• improving information security initiatives and programs,
• enhancing its detection and response to cyber incidents, and
• ensuring respondent privacy while maintaining the usability of public Census data.

The Bureau has taken steps to address these challenges but lacks detailed plans and strategies. For example, the Bureau drafted a strategy in 2023 to improve the cybersecurity of software development and operations. However, the strategy has not been finalized and does not include specific information (e.g., time frames) for accomplishing its objectives. In addition, the Bureau was unable to provide detailed information about the steps it plans to take to balance the privacy of respondents to the 2025 American Community Survey against the usability of public data. Until the Bureau develops detailed plans and time frames for these activities, it risks not meeting its objectives of effectively securing and protecting its IT systems and data.

Why GAO Did This Study

The Census Bureau's IT systems are essential to collecting and providing data about the nation's people and economy. During the run up to the 2020 Census, the Bureau faced challenges in modernizing and consolidating its IT systems. For future surveys, including the 2030 Census, the Bureau has embarked on four modernization programs to collect, process, and disseminate data.

GAO was asked to review the Bureau's implementation of key modernization programs. This report (1) examines the extent to which the Bureau is implementing leading practices related to managing risks, requirements, cost, and schedule for a selected enterprise-wide IT program; and (2) describes the key cybersecurity and privacy challenges the Bureau faces in implementing its IT modernization programs and the extent to which the Bureau has plans to address them.

GAO selected the data dissemination program due to the maturity of its cost and schedule documentation. GAO assessed the program's management of risks, requirements, cost, and schedule against leading practices. In addition, GAO reviewed prior GAO reports and Bureau plans related to cybersecurity and privacy challenges, and interviewed Bureau officials.