This is the accessible text file for GAO report number GAO-14-389 entitled '2020 Census: Prioritized Information Technology Research and Testing Is Needed for Census Design Decisions' which was released on April 3, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate: April 2014: 2020 Census: Prioritized Information Technology Research and Testing Is Needed for Census Design Decisions: GAO-14-389: GAO Highlights: Highlights of GAO-14-389, a report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: One of the most important functions of the U.S. Census Bureau is conducting the decennial census, which is mandated by the Constitution and provides vital data for the nation. This is a major undertaking, and the Bureau increasingly relies on IT to support the operational design and execution of the census. For the 2020 Decennial Census, the Bureau is planning significant changes to the methods and technologies it uses to conduct the census. However, it has not previously used many of these methods at the scale being considered for 2020, which adds a large degree of risk. GAO was asked to review the Bureau's IT-related efforts for the 2020 census. GAO's objectives were to determine (1) progress in researching and testing IT options to support design decisions for the census, (2) key IT risks facing the census and evaluate the Bureau's efforts to mitigate them, and (3) progress in implementing prior GAO recommendations related to IT management and information security. To do this, GAO reviewed Bureau plans, schedules, risk data, and other documentation and interviewed relevant officials. What GAO Found: The Census Bureau (Bureau) has made progress in researching and testing information technology (IT) options for the 2020 Decennial Census, but several of the supporting projects lack schedules and plans, and it is uncertain whether they will be completed in time to inform the decision on the operational design for the 2020 census, planned for September 2015. Specifically, it has begun research on six IT-related projects, such as using the Internet for survey response and using employees' personal smartphones to collect census data. However, four of the projects lacked finalized schedules, and three lacked plans for gauging progress. Moreover, the two projects with completed schedules are not estimated to be completed until after the September 2015 design decision date (see figure). Figure: Original and Tentative Revised Schedules for 2020 Decennial Census Design Decision: [Refer to PDF for image: illustration] Original schedule (as of August 2012): Research and testing: FY2012-FY2014; Design decision by September 2014; Operational development and system testing: FY 2015-FY2018; Readiness testing and execution: FY2019-FY2023; Census day: April 1, 2020. Tentative revised schedule (as of December 2013): Research and testing: FY2012-FY2017; Design decision by September 2015; Operational development and system testing: FY 2016-FY2018; Readiness testing, execution and close out: FY2019-FY2023; Census day: April 1, 2020. Source: GAO analysis of Census Bureau data. [End of figure] Further, contrary to industry best practices, the Bureau has not prioritized its projects to determine which are the most important to complete before the decision. Officials stated that they are working with project teams to determine what needs to be completed and by when to support the design decision, but as of December 2013 they had not specified when this would be completed. Without prioritizing its projects and establishing schedules and plans, the Bureau risks not making a timely and well-informed design decision for the 2020 census. The Bureau has identified key IT-related risks facing the 2020 Decennial Census program but has not consistently developed mitigation plans for all of them. As of October 2013, officials identified 77 program and project risks, with 7 of these identified as critical. However, 6 of these risks, including 1 critical risk, did not have mitigation plans, as called for by industry best practices and previously recommended by GAO. Officials acknowledged that they had not been disciplined about documenting mitigation plans for all risks. Until the Bureau ensures that all risks have mitigation plans, the program will be vulnerable to risks being realized. Of 21 outstanding GAO recommendations related to IT management and information security, the Bureau has implemented the majority. Specifically, 15 have been fully implemented, 5 have been partially implemented, and 1 has not been implemented. Continued efforts to implement these recommendations will help ensure that the Bureau is able to deliver secure IT solutions on time and within budget. What GAO Recommends: GAO is recommending that the Department of Commerce's Census Bureau prioritize its IT-related research and testing projects that it needs to complete to support the design decision and develop project schedules and plans to reflect the new prioritized approach. The Department of Commerce concurred with GAO's recommendations and noted that it had actions under way to address them. View [hyperlink, http://www.gao.gov/products/GAO-14-389]. For more information, contact Carol R. Cha at (202) 512-4456 or chac@gao.gov. [End of section] Contents: Letter: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Briefing for Staff Members of the Senate Committee on Homeland Security and Governmental Affairs: Appendix II: Comments from the Department of Commerce: Appendix III: GAO Contact and Staff Acknowledgments: Abbreviations: ACS: American Community Survey: Bureau: U.S. Census Bureau: BYOD: bring your own device: CMMI: Capability Maturity Model® Integration: EIMP: Enterprise Investment Management Plan: ESDLC: Enterprise System Development Life-Cycle: IT: information technology: IVR: Interactive Voice Response: LCO: Local Census Office: PMBOK®: Project Management Body of Knowledge: PMI: Project Management Institute: SEI: Software Engineering Institute: US-CERT: United States Computer Emergency Readiness Team: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: April 3, 2014: The Honorable Thomas R. Carper: Chairman: The Honorable Tom Coburn, M.D. Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: One of the U.S. Census Bureau's (Bureau) most important functions is conducting the decennial census, which is mandated by the Constitution and provides data that are vital to the nation.[Footnote 1] The information collected is used to apportion seats in the House of Representatives, realign the boundaries of legislative districts, and allocate billions of dollars in federal financial assistance. Conducting the decennial census is a major undertaking, and the Bureau increasingly relies on information technology (IT) to support the operational design and execution of the enumeration. For the 2020 Decennial Census, the Bureau plans to significantly change the methods and technology it uses to count the population. However, it has not previously used many of these methods at the scale being considered for 2020, which adds a large degree of risk. In addition, we have previously identified weaknesses in the Bureau's IT management, which have contributed to challenges in its acquisition and implementation of technology solutions to support the census. In light of the new technologies being considered for the 2020 Decennial Census, you asked us to review the Bureau's IT-related efforts. The specific objectives of our review were to determine the Bureau's (1) progress in researching and testing IT options to support the design decisions for the 2020 Decennial Census, (2) key IT risks facing the 2020 Decennial Census and evaluate the adequacy of the Bureau's efforts to mitigate them, and (3) progress in implementing prior GAO recommendations aimed at improving IT management and information security. On January 30, 2014, we provided your staff with briefing materials that presented the results of our study. The purpose of this report is to publish the briefing slides and to officially transmit our results and recommendations to the Department of Commerce. The slides, which are included as appendix I of this report, also provide details on our scope and methodology. We conducted this performance audit from May 2013 to April 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. In summary, the results of our review were as follows. The Bureau has made progress in researching and testing IT options for the 2020 Decennial Census, but several of the supporting projects lack schedules and plans, and it is uncertain whether they will be completed in time to inform the decision on the operational design for the census, planned for September 2015. Specifically, the Bureau has begun research related to using the Internet for survey response and using Census employees' personal smartphones to collect data. However, of the six IT-related research and testing projects under way, only two have finalized schedules, and neither of these projects plans to complete research in time to support the 2015 decision. Developing such schedules is a fundamental management tool for the effective use of public funds. Census program officials could not specify when the remaining schedules would be finalized. In addition, only three of the six projects have project plans as called for by Bureau guidance to serve as the basis for monitoring performance. We had previously found that selected project plans were incomplete and recommended that the Bureau ensure they were completed. However, although the Bureau agreed to address these weaknesses, incomplete project plans remain. Officials stated they have begun to develop the missing plans but could not specify when they would be completed. Given the uncertainty around plans and schedules for the research and testing projects, it is less likely they will be completed in time to inform the design decision. Moreover, the Bureau has not prioritized these projects to determine which are the most important to complete before the decision. This is inconsistent with industry practices, which call for prioritizing projects based on risk and funding. In December 2013, 2020 Decennial Census program officials began meeting with project teams to determine what they need to complete and by when to support the design decision. However, they did not specify when this effort would be completed. Without prioritizing its IT-related research and testing projects and establishing schedules and project plans that are consistent with a prioritized approach, the Bureau risks not making a timely and well-informed design decision for the 2020 Decennial Census. The Bureau has identified key IT-related risks facing the 2020 Decennial Census program but has not consistently developed mitigation plans for all of them. As of October 2013, officials had identified a total of 77 IT-related program and project risks, with 7 of these identified as being most critical to the program. Industry practices recommend that organizations develop risk mitigation plans, and we recommended over a year ago that the Bureau develop risk mitigation and contingency plans for all projects. However, 6 of the 77 identified risks did not have mitigation plans, including 1 of the 7 most critical risks. Program officials stated that they have not been disciplined about ensuring that projects consistently document risk mitigation plans. Until the Bureau ensures that all risks have mitigation plans, as we have previously recommended, the program will continue to be vulnerable to risks being realized. Finally, the Bureau has implemented the majority of our 2012 and 2013 recommendations aimed at improving IT management and information security. Specifically, of 21 outstanding recommendations--8 related to IT management and 13 public recommendations related to security--15 have been fully implemented, 5 have been partially implemented, and 1 has not been implemented. Continued momentum to fully implement these recommendations will better position the Bureau to deliver secure IT solutions on time and within budget. Conclusions: The technology options the Bureau is exploring for 2020 have the potential to significantly reduce decennial costs. The results of the research and testing work on these options are expected to inform the 2020 design decision. While certain activities for each of the six IT- related research and testing projects have been completed, much more work remains. Because the Bureau has either not developed or finalized most of its project schedules, the projects with defined schedules are not estimated to complete key activities in time to support the target design decision, and project plans to guide work and measure progress have not been completed for half of the projects, it is unlikely the remaining planned work will be completed in time to support the design decision in fiscal year 2015. A delayed design decision would cut into an already slim margin of error to develop, acquire, and test the operational systems that will be used for the 2020 Decennial Census. In light of this, prioritizing activities and ensuring that schedules and project plans are completed in a way that is consistent with the prioritized approach could help ensure that the most essential information is available to inform this decision. Additionally, while the Bureau has taken several steps to ensure that most risks are identified and mitigated, six identified risks lacked mitigation plans, including one critical risk. Until program officials implement our prior recommendation by ensuring that all risks are mitigated, the program is in danger of risks potentially being realized. The bureau has implemented a majority of our most recent recommendations for improving institutional IT management and security controls. Continued momentum in fully implementing remaining recommendations would enhance the Bureau's capabilities to reliably acquire the IT solutions selected for 2020 and ensure its information and systems are protected from intrusion. Recommendations for Executive Action: To ensure that the Bureau is better positioned to make a well-informed design decision for the 2020 Decennial Census, we are recommending that the Secretary of Commerce direct the Under Secretary of Economic Affairs to direct the Director of the Census Bureau to take the following three actions: * prioritize the research and testing that the Bureau needs to complete in order to support the operational design decision by the end of fiscal year 2015; * develop the research and testing project schedules consistent with the new prioritized approach; and: * ensure project plans are consistent with the new prioritized approach. Agency Comments and Our Evaluation: We received written comments on a draft of this report from the Department of Commerce. The comments are reprinted in appendix II. In its comments, the department stated that it concurred with our three recommendations and that the Census Bureau had actions under way to address them. For example, regarding our recommendation to prioritize the research and testing needed to support the operational design decision by the end of fiscal year 2015, the Bureau stated that it was continuing to meet with the research and testing project teams to determine and prioritize what is most critical to support the 2015 operational design decision. In addition, the Bureau stated that it agreed with our conclusion that the current trajectory demonstrated a level of risk, but did not agree, based on the work it had already completed, that it was unlikely that the remaining planned work would be completed in time to support the design decisions by the end of fiscal year 2015. However, as we state in the report, the Bureau has either not developed or not finalized most of its IT-related project schedules, and the projects with defined schedules are not estimated to complete key activities until approximately 9 to 12 months after the September 2015 design decision deadline. We therefore maintain that if the Bureau continues on its current course, the remaining research and testing activities are unlikely to be completed before September 2015. Further, the Bureau commented on our finding that three projects lacked project plans, which are to be used to identify the activities to be accomplished and serve as the baseline for monitoring project performance and managing changes to the projects. Specifically, the Bureau stated that its IT Directorate had developed a charter for the Systems Development Lifecycle, which it believed included this information. However, this document--which is intended to serve as a template for project managers to use in the development of their project charters--states that project management plans, in addition to project charters, should be developed for each project. It also states that in instances where it is determined that certain project planning artifacts are not necessary, this decision should be documented in the charter. The charters for each of the three projects we identified clearly indicated that project plans were to be developed. Accordingly, we maintain that our third recommendation is still needed. We are sending copies of this report to the Secretary of Commerce, the Under Secretary of Economic Affairs, the Director of the U.S. Census Bureau, and interested congressional committees. In addition, the report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-4456 or chac@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix II. Signed by: Carol R. Cha: Director: Information Technology Acquisition Management Issues: Footnote: [1] The Census Bureau is part of the Department of Commerce, and its mission is to collect and provide comprehensive data about the nation's people and economy. [End of section] Appendix I: Briefing for Staff Members of the Senate Committee on Homeland Security and Governmental Affairs: Information Technology: Prioritized Research and Testing Needs to Be Completed to Support Approaching 2020 Decennial Census Design Decisions: Briefing for Staff Members of the Committee on Homeland Security and Governmental Affairs, U.S. Senate: January 30, 2014: Overview: Introduction: Objectives: Scope and Methodology: Results in Brief: Background: Results--Objective 1: Results--Objective 2: Results--Objective 3: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Appendix II: [End of section] Introduction: U.S. Census Bureau's (Bureau) preparations for enumerating the U.S. population for the 2020 Decennial Census are under way. At $13 billion, 2010's head count was the costliest in U.S. history. The basic design of the enumeration--mail out and mail back of the census questionnaire with in-person follow-up for non-respondents--has been in use since 1970. A key lesson learned from 2010 and earlier enumerations is that this design is no longer capable of cost-effectively counting a population that is growing steadily larger, more diverse, increasingly difficult to find, and reluctant to participate in the census. The Bureau is well aware that reforms are needed, and plans to significantly change the methods and information technologies (IT) it uses to count the population. However, the Bureau has not previously employed many of these methods at the scale being considered for 2020, which adds a large degree of risk. Moreover, the Bureau's past efforts to implement new approaches and IT systems have not always gone well. For example, prior to the 2010 census, the Bureau experienced significant challenges in acquiring and implementing custom-developed handheld mobile devices to support field data collection, leading to cost overruns of almost $3 billion. We identified numerous IT management weaknesses that contributed to these overruns and made recommendations to the Bureau to address these weaknesses. The Bureau agreed and described steps it would take to address them. We discuss the status of the associated recommendations later in this briefing. [End of section] Objectives: Given the new technologies being considered for the 2020 Decennial Census, we were asked to review the Bureau's IT-related efforts. Our specific objectives were to determine the Bureau's: (1) progress in researching and testing IT options to support the design decisions for the 2020 census, (2) key IT risks facing the 2020 census and evaluate the adequacy of its efforts to mitigate these risks, and: (3) progress in implementing prior GAO recommendations aimed at improving IT management and information security. [End of section] Scope and Methodology: For our first objective, we obtained and reviewed documentation on the Bureau's IT-related researching and testing projects to determine the complete inventory of IT-related research projects supporting the 2020 Decennial Census, as well as Bureau policies and guidance related to IT project planning and management. We analyzed project charters, project plans, and key milestones for each IT-related project; compared project plans to relevant Bureau guidance, such as the Bureau's 2020 Program- Level Research and Testing Management Plan; compared project status reports and schedules to baseline schedules for each project; and compared project schedules to the overarching schedule for the 2020 census program, as well as to GAO's Schedule Assessment Guide.[Footnote 1] We also interviewed officials from the 2020 census program and the IT directorate to obtain information on implementation progress. In addition, we observed quarterly program management review meetings. Further, we reported project cost data as of December 2013 that were provided and verified by IT and 2020 program officials. We reviewed the data to identify obvious problems with completeness or accuracy and interviewed officials about the data. For the purposes of this briefing, we determined that the cost data were sufficiently reliable. We did not test the adequacy of the Bureau's cost accounting systems. For our second objective, we identified widely recognized industry standards for risk management practices, including processes defined in the Software Engineering Institute's (SEI) Capability Maturity Model® Integration for Development (CMMI)[Footnote 2] and the Project Management Institute's (PMI) Project Management Body of Knowledge® standards (PMBOK).[Footnote 3] We compared Census documentation, such as risk management plans, project and program risk registers, and associated policies, to SEI's and PMI's guidance on sound risk management practices. We assessed logs of IT-related risks to determine whether the Bureau identified key risks. We also evaluated mitigation plans for identified risks and compared mitigation efforts against various process improvement and project management best practices to determine if risks were being documented and addressed consistent with those practices. Additionally, we interviewed Bureau officials to obtain additional information on the Bureau's risk management practices. For our third objective, we focused on the recommendations made in our most recently issued reports on the Bureau's IT management and information security posture, respectively. Specifically, we determined the Bureau's progress in implementing our 2012 IT management recommendations[Footnote 4] by examining its investment review board guidelines, requirements management documentation, new system development methodology, and implementation plans for its Enterprise Investment Management Plan. We also reviewed documentation regarding the Bureau's implementation of our 2013 public IT security recommendations,[Footnote 5] such as the IT Security Program Policy, guidelines and procedures for incident response plan tests and exercises, and certificates for required security training. Based on our analysis, we assessed whether the Bureau fully, partially, or had not implemented our recommendations. "Fully implemented" means the Bureau provided complete evidence that satisfied the recommendation. "Partially implemented" means the Bureau implemented a portion of the recommendation. "Not implemented" means the Bureau provided no evidence that satisfied any part of the recommendation. We conducted this performance audit from May 2013 to January 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Results in Brief: The Census Bureau has made progress in researching and testing IT options for the 2020 Decennial Census, but several of the supporting projects lack schedules and plans, and it is uncertain whether these projects will be completed in time to inform the Bureau's planned September 2015 decision on the operational design of the census. Specifically, the Bureau has begun research related to, among other things, using the Internet to respond to surveys and using Census employees' personal smartphones to collect data. However, of the six IT-related research and testing projects under way, two have finalized schedules, and neither is planning to complete research in time to support the 2015 decision. According to our scheduling best practices work, developing such schedules is a fundamental management tool for the effective use of public funds. Program officials from the 2020 census program and IT directorate could not specify when the remaining schedules would be finalized. In addition, three of the six projects have project plans as called for by Bureau guidance and which are to serve as the basis for monitoring project performance. In our prior work, we found that selected research and testing project plans were incomplete, and recommended that the Bureau ensure project plans are completed. The Bureau agreed to address this weakness, but incomplete project plans remain. In December 2013, officials stated that they have begun working to develop the missing project plans, but could not specify when such plans would be completed. Given the uncertainty around the research and testing projects' schedules and plans, it is less likely that they will be completed in time to inform the design decision. Further, the Bureau has not yet prioritized its IT-related research projects to determine which are the most important to complete before the decision. This is inconsistent with industry practices, which recommend prioritizing projects based on risk and funding. In December 2013, 2020 census program officials began meeting with individual project teams to determine what they need to complete and by when in order to support the operational design decision; however, they did not specify when this effort would be completed. Without prioritizing its IT-related research and testing projects and establishing schedules and project plans that are consistent with a prioritized approach, the Bureau risks not making a timely and well-informed design decision for the 2020 Decennial Census. The Bureau has identified key IT-related risks facing the 2020 Decennial Census, but it has not consistently identified mitigation plans for all risks. Specifically, as of October 2013, officials from the 2020 census program and the IT directorate had identified a total of 77 IT-related program and project risks facing the 2020 census program. Seven of these risks were identified by the Bureau as being the most critical to the program. As recommended by industry best practices, organizations should develop mitigation plans to address risks. However, although we recommended over a year ago that the Census Bureau develop risk mitigation and contingency plans for all projects to ensure that risks are adequately managed to minimize their effect on the project, 6 of the 77 risks identified by the Bureau did not have mitigation plans. This included 1 of the 7 most critical risks--that the Census may not be able to proceed with text and cell phone contracts if privacy, policy, security, and confidentiality issues are not resolved. According to 2020 census program officials, the lack of mitigation plans continues to be a problem because they have not been disciplined about ensuring projects consistently document such plans. Until the Bureau fully implements our prior recommendation to ensure that all risks have associated mitigation plans, the program will continue to be vulnerable to risks possibly being realized. The Census Bureau has implemented a majority of our 2012 and 2013 recommendations aimed at improving IT management and information security. Specifically, of the 21 outstanding recommendations (8 recommendations related to IT management and 13 public recommendations related to information security), 15 have been fully implemented, 5 have been partially implemented, and 1 has not been implemented. For example, the Bureau has made progress in institutionalizing key IT management controls, including updating its enterprise investment management plan and adopting a new system development life-cycle methodology. However, although we recommended that the Bureau clearly document its assessment of common controls for information systems before granting an authorization to operate, as of December 2013, Bureau officials reported that implementation of this recommendation had been delayed due to the October 2013 government shutdown and other resource issues. Continued momentum to fully implement our recommendations will better position the Bureau to deliver secure IT solutions on time and within budget goals. To ensure that the Bureau is better positioned to make a well-informed design decision for the 2020 Decennial Census and to help address risks, we are recommending that the Secretary of Commerce direct the Director of the Census Bureau to: * prioritize the research and testing the Bureau needs to complete in order to support the design decision by the end of fiscal year 2015; * develop research and testing project schedules consistent with the new prioritized approach; and: * ensure project plans are consistent with the new prioritized approach. We received oral comments from Census Bureau officials, including the Associate Director of the 2020 Census, on a draft of these briefing slides. In their comments, officials stated that they agreed with our three recommendations and have actions under way to address them. [End of section] Background: The Census Bureau's mission is to collect and provide comprehensive data about the nation's people and economy. Its core activities include conducting decennial, economic, and government censuses; conducting demographic and economic surveys; managing international demographic and socioeconomic databases; providing technical advisory services to foreign governments; and performing other activities such as producing official population estimates and projections. The Census Bureau is part of the Department of Commerce and is in the department's Economics and Statistics Administration, led by the Under Secretary for Economic Affairs. The Census Bureau is headed by a Director and is organized into directorates corresponding to key programmatic and administrative functions, as depicted in figure 1. Figure 1: Simplified Census Bureau Organizational Chart: [Refer to PDF for image: organizational chart] Top level: Director: Deputy Director; * Policy Coordination Office; * Office of Risk Management and Program Evaluation. Second level, reporting to Director: * Associate Director for Communications; * Associate Director for Information Technology and Chief Information Officer; * Associate Director for Economic Programs; * Associate Director for 2020 Census: - American Community Survey Office; - 2020 Research and Planning Office; * Associate Director for Research and Methodology; * Associate Director for Administration and Chief Financial Officer; * Associate Director for Field Operations; * Associate Director for Demographic Programs; * Associate Director for Decennial Census: - Decennial Management Division; - Geography Division; - Decennial Systems and Contracts Management Office; - Decennial Statistical Studies Division. Source: GAO analysis of Census Bureau information. [End of figure] The Role of the Decennial Census: One of the Census Bureau's most important functions is conducting the decennial census. The decennial census is mandated by the U.S. Constitution and provides data that are vital to the nation. The information collected is used to apportion seats in the House of Representatives; realign the boundaries of the legislative districts of each state; allocate billions of dollars in federal financial assistance; and provide social, demographic, and economic profiles of the nation's people to guide policy decisions at each level of government. Conducting the decennial census is a major undertaking, and for the last decennial, it included the following major activities: Establishing where to count. This included identifying and correcting addresses for all known living quarters in the United States (address canvassing) and validating addresses identified as potential group quarters, such as college residence halls and group homes (group quarters validation). Collecting and integrating respondent information. This included delivering questionnaires to housing units by mail and other methods, processing the returned questionnaires, and following up with non- respondents through personal interviews (non-respondent follow up). It also included enumerating residents of group quarters (group quarters enumeration) and occupied transitional living quarters (enumeration of transitory locations), such as recreational vehicle parks, campgrounds, and hotels. It also included a final check of housing unit status (field verification) where Bureau workers verified potential duplicate housing units identified during response processing. Providing census results. This included processes to tabulate and summarize census data and disseminate the results to the public. For the 2010 census, home addresses and other information were verified by enumerators using custom-developed handheld computers, and the collection and integration of respondent information were completed on paper questionnaires. Figure 2 summarizes key activities, processes, and technologies used in the 2010 Decennial Census. Figure 2: Key Decennial Census Activities and Processes Used in the 2010 Census: [Refer to PDF for image: process illustration] Establish where to count: Lists of addresses for living quarters in the United States are compiled from multiple sources, such as the Postal Service and state and local governments. The addresses and other information are verified by enumerators using handheld computers (address canvassing). Group quarters, such as college residence halls and group homes, are validated using paper (group quarters validation). The data are used to establish a universe of addresses from which to count. Collect and integrate respondent information: Questionnaires are delivered to housing units by mail and other methods, such as enumerators (update/leave). Returned questionnaires are processed. Enumerators contact nonrespondents through personal interviews to complete paper questionnaires. Enumerators also collect information from other living quarters, such as group quarters (group quarters enumeration) and occupied transitory locations, such as hotels (enumeration of transitory locations), using paper. A final check of housing unit status, known as field verification, is conducted by census workers to verify potential duplicate housing units (field verification). Provide census results: Census data are tabulated, summarized, and disseminated to the public. Apportionment data used to redistribute seats in the House of Representatives are delivered to the President, and redistricting data are delivered to state legislatures. Source: GAO analysis of Bureau data. [End of figure] Plans for the 2020 Decennial Census: The Census Bureau is aiming to design and conduct a 2020 Decennial Census that costs less per housing unit than the 2010 census, while maintaining high-quality results. Officials have determined that in order to achieve its cost and quality targets, the Census Bureau must make fundamental changes to the design, implementation, and management of the decennial census. According to the Bureau's 2013 business plan, substantial innovations and improvements are necessary to prevent another large increase in costs, while still maintaining high quality. In fiscal year 2012, the Bureau began the research and testing phase of the 2020 census program. The objective of this phase was to develop a preliminary design based on solid research aimed at achieving the goal of conducting the 2020 census at a lower cost than the 2010 census, while still maintaining high quality. According to the 2013 business plan, the Bureau planned to pursue 41 research and testing projects during this phase. Role of Information Technology at the Census Bureau: Several of these projects include researching and testing IT options to support the decisions the Bureau will need to make on how it plans to design the operations for the 2020 Decennial Census (referred to as the operational design decision). The technology options the Bureau is exploring for 2020 census operations collectively represent a dramatic leap from 2010. Specifically, the Census Bureau has six key IT-related research and testing projects under way that are intended to inform the operational design decisions for the 2020 census: * Automating Field Activities: Researching (1) the feasibility of commercially available hardware-independent solutions technologies that will be available to support the operational field infrastructure, (2) the ability to effectively automate and streamline field operations to take advantage of design changes and non-response follow-up data collection modes to improve data quality, and (3) the costs and benefits of alternative field automation designs. The 2020 census directorate is responsible for this project. * Workload Management Systems/System Reuse: Researching (1) the options for and feasibility of a successful, real-time, centralized headquarters workload management system and (2) the least-risky low- cost development and acquisition strategies for acquiring a real-time headquarters workload management system. This project also includes reusing existing systems (e.g., American Community Survey systems) within the Bureau to, among other things, conduct field operational and design tests supporting enumeration and infrastructure activities. The 2020 census directorate is responsible for this project. * Optimizing Self Response: Researching, among other things, (1) the technologies that will be feasible for self-enumeration by 2020 and how will they differ by demographics and geography (e.g., access to the Internet); (2) the best mix of modes and strategies by demographic/ geography to increase self-response; (3) the best notify-contact-remind strategies and timing by mode and demographic/geography; (4) the costs and benefits of different self-response modes by demographic/geography (including impact on data quality); (5) the Internet's (e.g., social networking sites, e-mail, text messages, communities of interest, automated phone) use for encouraging and collecting responses; and (6) the language support services and technologies across contact and enumeration methods that are most effective in increasing response and maintaining quality. The 2020 census directorate is responsible for this project. * Commercial Mobile Device: Researching (1) legal and privacy issues related to enabling enumerators to use their personal mobile devices (referred to as "bring your own device," or "BYOD") to collect field data, such as survey responses from households who did not self-report; (2) current and future willingness to adopt BYOD; (3) the government- furnished equipment approach to support 2020 deployment; (4) total cost of ownership; and (5) whether the Bureau's enterprise architecture can accommodate BYOD. In addition, the project intends to (1) prototype solutions, (2) develop supporting data to enable executive management to decide to what extent BYOD should be implemented in the 2020 census, and (3) document the operational impacts of BYOD on field data collection. The IT directorate is responsible for this project. * Privacy and Confidentiality Study: Researching (1) current public perceptions about the decennial census, Internet response, and administrative records; (2) how the Bureau uses the Internet, web-based applications, and administrative records while protecting the public's privacy and confidentiality; (3) perceptions or concerns about new contact methods and modes; and (4) how the Bureau will address emerging issues that reflect changing public perceptions throughout the decade. The 2020 census directorate is responsible for this project. * Virtual Local Census Office and Test Bed: This project is intended to develop a virtual Local Census Office to conduct research for the Census 2020 Research and Testing Program. It is also intended to deploy the virtual local census office to a physical local office test bed to conduct all field operational tests for the 2020 Research and Testing Program. The 2020 census directorate is responsible for this project. Following the completion of the preliminary research and testing to support the operational design decision, the Bureau plans to conduct supplemental research. To support IT operations for all of its activities, including those related to the decennial census, the Bureau reported that it plans to spend approximately $101.98 million on major IT investments from fiscal years 2012 through 2014. Prior GAO Reports Highlighting IT Management Challenges: Our prior work has identified the importance of having sound management processes in place to help the Bureau as it manages the multimillion dollar investments needed for its decennial census. For the last decennial, we issued multiple reports and testimonies from 2005 through 2011 on weaknesses in the Census Bureau's management and testing of key 2010 census IT systems. For example, * In 2005 we concluded that the Bureau had not fully and consistently implemented key IT management practices. For example, the Bureau had established executive-level investment boards, but it lacked written procedures outlining how the investment boards should operate and ensure a consistent and repeatable approach to investment management and decision making. Accordingly, we recommended that it address weaknesses we found in areas such as IT investment management and IT human capital.[Footnote 6] The Bureau has taken actions to address these weaknesses. For example, beginning in 2007, the Bureau developed and began using defined evaluation criteria and documented procedures to monitor IT projects. * In March 2008, in part because of longstanding concerns about the Bureau's IT management capabilities, we added the 2010 Decennial Census to our list of high-risk programs.[Footnote 7] We also testified in March 2008 on significant problems with the Field Data Collection Automation program, including schedule delays and cost increases. [Footnote 8] * In March 2009, we reported that the Bureau continued to face a number of problems related to the testing of key IT systems, including weaknesses in test plans and schedules and a lack of executive-level oversight and guidance.[Footnote 9] Accordingly, we recommended that, among other things, the Bureau complete key system testing activities, develop and maintain plans for integration testing, and improve the oversight of and guidance for systems testing. The Bureau has since implemented our recommendations, which has helped to improve its system testing. * In November 2009, we reported that the Bureau had not finalized detailed requirements for its Paper-Based Operations Control System, putting the system at risk for cost increases, schedule delays, or performance shortfalls.[Footnote 10] Accordingly, we recommended that the Bureau finalize and prioritize detailed requirements and implement reliable progress reporting on the development of this system. In response, the Bureau created a dashboard to monitor requirements and had program management reviews that were audited by an independent assessment team to monitor development. The aggressive monitoring of IT systems allowed the Bureau to anticipate risk and implement a contingency plan once it was clear that the system would not be ready on time. * In December 2010, we concluded that, although efforts had been taken to improve the Paper-Based Operations Control System through workarounds, it had experienced significant issues when put into operation.[Footnote 11] We reported that the challenges experienced by the Bureau in acquiring and developing this system further demonstrated the importance of establishing and enforcing rigorous IT acquisition management practices Bureau-wide. We recommended that the Bureau establish and enforce a system-acquisition management policy that incorporates best practices in system- and software-acquisition management. In response, the Bureau has developed this policy. While the 2010 Decennial Census was removed from our high-risk list in February 2011, we testified in April 2011 that the Bureau needed to continue to improve key practices for managing IT and strengthen its ability to develop reliable life-cycle cost estimates.[Footnote 12] * In September 2012, we reported that the Bureau had drafted a new investment management plan, system development methodology, and requirements development and management processes to improve its ability to manage IT investments and systems development.[Footnote 13] However, additional work was needed to ensure that these processes are effective and successfully implemented across the Bureau. Specifically, the Bureau's investment management plan had gaps in its guidance for escalating troubled investments for executive-level attention and updating investment information in a planned Bureau-wide tracking tool. Its system development methodology guide did not explain how to adapt processes and work products to newer, more iterative development approaches. Moreover, the Census Bureau had not finalized plans for implementing its new investment management and systems development processes across the Bureau. In addition, the Bureau had not fully put in place key practices for effective IT workforce planning, including conducting an IT skills assessment and gap analysis and establishing a process for directorates to coordinate on IT workforce planning. To address these weaknesses, we made a number of recommendations to the Bureau. The Department of Commerce concurred and described steps it would take to address them. We discuss the status of the associated recommendations later in this briefing. * Additionally, in November 2012, we reported on the Bureau's initial research efforts to improve the cost-effectiveness of the 2020 census enumeration. Among other things, certain research and testing project plans for the 2020 Decennial Census were incomplete and we recommended that the Bureau ensure documentation for projects are complete. We also concluded at that time that the Bureau had not developed mitigation and contingency plans for any of its project-level risks and recommended that the Bureau develop such plans for all project risks to ensure they are adequately managed to minimize their effect on the projects.[Footnote 14] As of December 2013, these recommendations had not been fully implemented. * In addition, we reported in January 2013 on the Census Bureau's implementation of information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission.[Footnote 15] We concluded that the Bureau had a number of weaknesses in controls intended to limit access to its systems and information, as well as those related to managing system configurations and unplanned events. We attributed these weaknesses to the fact that the Bureau had not fully implemented a comprehensive information security program, and made 13 public recommendations and over 100 other recommendations that were for limited distribution to address these deficiencies. The Department of Commerce expressed broad agreement with the report and said it would work to find the best way to address our recommendations. The status of our public recommendations is discussed later in this briefing. * In September 2013 we testified on progress the Bureau had made in its efforts to contain enumeration costs, including its efforts to strengthen IT management and security practices.[Footnote 16] We noted that the Bureau was exploring technology options for 2020 census operations that collectively represent a dramatic leap from 2010, including the "bring your own device" model for field data collection. We stressed the importance of the Bureau strengthening its ability to manage its IT investments, as well as its practices for securing the information it collects and disseminates. * Most recently, we reported in November 2013 that the Bureau's scheduling practices needed to improve.[Footnote 17] Among other things, we concluded the schedule for the 2020 census research and testing phase did not include all activities and also that the Bureau was not in a position to carry out a quantitative risk analysis on that schedule. Accordingly, we recommended that the Bureau take a number of actions to improve the reliability of its schedule, including steps to ensure that all relevant activities are included in the schedule, and to conduct a quantitative risk assessment. The Department of Commerce agreed with our recommendations. [End of section] Results--Objective 1: The Bureau Has Begun Researching and Testing IT Options, but the Supporting Projects Lack Schedules and Plans That Align with Design Decision Deadline: The Bureau has made progress in researching and testing IT options to support the decisions for designing the operations for the 2020 census (referred to as the operational design decision); however, much more work remains, and it is unlikely to be completed in time to support this decision, which is planned for the end of fiscal year 2015. As part of its initial high-level schedule, the Bureau had planned to complete all research and testing activities by September 2014 in order to provide input into the decision on how it was to design the 2020 census. Additionally, the Bureau had intended to begin critical planning for the 2020 census in October 2014, conduct operational development and systems testing between fiscal years 2015 and 2018, and perform readiness testing and execution from fiscal years 2019 through 2023. In the spring 2013, however, the Bureau reassessed its researching and testing efforts and time frames in response to the 2013 budget. As a result of this reassessment, it delayed and canceled certain projects, canceled several planned tests, and extended the design decision date to the end of fiscal year 2015. In September 2013, the Bureau Director testified that development of the operational system for the 2020 Decennial Census must begin in 2016--especially given the extent of design changes from 2010 that it is considering. According to our work on acquisition management, the procurement process alone can potentially require a significant amount of time. For example, in preparation for the 2010 Decennial Census, the Bureau was issuing solicitations and awarding contracts in 2005. To the Bureau's credit, numerous IT-related research activities for each of six projects have been completed. For example, on the Optimizing Self Response project, officials have, among other things, developed the design to test the optimizing self-response strategy as part of a site test that is planned for 2014. They have also researched options to enable early registration for those who plan to respond to the survey through the Internet, prior to the beginning of the 2020 census. On the Commercial Mobile Device project, as of December 2013, officials had deployed 68 new smartphone devices to selected Census employees to assess their adaptability to a different device from what they were previously issued; designed, developed, and tested a mobile application that can be used on different government-issued mobile devices to collect relevant census data; and conducted a survey to understand acceptance levels for using personal phones to conduct business. See appendix I for more details on recent accomplishments and upcoming steps that program officials had identified for each of the projects. However, while the Bureau has determined that it needs to make the operational design decision by September 2015, it has not developed schedules or plans that support this time frame. Specifically, while best practices for project schedules state that a well-planned schedule is a fundamental management tool that can help government programs use public funds effectively by specifying when work will be performed in the future and measuring program performance against an approved plan,[Footnote 18] the schedules for four of the six IT-related research projects that are to inform the 2020 census operational design decision are either not yet developed or not finalized. Two of these projects were suspended in response to the continuing resolution in fiscal year 2014. As a result, it is uncertain if the projects will be completed in time to support the 2015 design decision. Moreover, of the two IT-related research and testing projects with completed schedules, neither is planning to finish its necessary research in time to support the 2015 decision. Specifically, Automating Field Activities is not estimated to be completed until approximately 9 months after the design decision date, and the Commercial Mobile Device project is not expected to complete the necessary research to support the decision on whether the Bureau needs to purchase commercial mobile devices until the first quarter of fiscal year 2017. Table 1 describes the estimated completion dates for each project, and figure 3 shows the changes from the 2020 census program's original schedule to the tentative revised schedule and the projected overlap between the research and testing and the design decision. Table 1: Estimated Completion Dates for IT-Related Research and Testing Projects: Project: Automating Field Activities; Estimated completion date: The most recent schedule, as of December 2013, estimated the project would be completed in June 2016. Project: Workload Management Systems/System Reuse; Estimated completion date: This schedule is being reevaluated because of planned modifications to the purpose and scope of this project, and program officials did not specify when this reevaluation would be complete. Project: Optimizing Self Response; Estimated completion date: As of December 2013, the schedule was being reevaluated as a result of the spring 2013 reassessment, and program officials did not specify when this reevaluation would be complete. Project: Commercial Mobile Device; Estimated completion date: The schedule was finalized in December 2013, and stated that key research to support the decision on whether to purchase commercial mobile devices is scheduled to be completed by the first quarter of fiscal year 2017. Project: Privacy and Confidentiality Study; Estimated completion date: The schedule is uncertain. The project was suspended in response to the continuing resolution in fiscal year 2014. Project: Virtual Local Census Office and Test Bed; Estimated completion date: The schedule is uncertain. The project was suspended in response to the continuing resolution in fiscal year 2014. Source: GAO analysis of Census Bureau data. [End of table] Figure 3: Original and Tentative Revised Schedules for 2020 Decennial Census Design Decision: [Refer to PDF for image: illustration] Original schedule (as of August 2012): Research and testing: FY2012-FY2014; Design decision by September 2014; Operational development and system testing: FY 2015-FY2018; Readiness testing and execution: FY2019-FY2023; Census day: April 1, 2020. Tentative revised schedule (as of December 2013): Research and testing: FY2012-FY2017; Design decision by September 2015; Operational development and system testing: FY 2016-FY2018; Readiness testing, execution and close out: FY2019-FY2023; Census day: April 1, 2020. Source: GAO analysis of Census Bureau data. [End of figure] Nevertheless, officials could not specify when the schedules for the four projects would be completed. When asked why these schedules had not been completed, 2020 census program officials stated that management had not devoted the time and resources to agreeing on schedule dates, and that instead they had been focused on preparing for a 2014 site test.[Footnote 19] In mid-December, the officials stated that in the next several weeks they planned to focus on working through their schedule issues. Specifically, on December 17, officials from the 2020 census and IT directorates attended a workshop to brainstorm the deliverables and key decision points needed for the researching and testing projects, and the actions needed to meet the 2015 design decision date. While this is a step in the right direction, officials did not specify when the schedules would be completed. Additionally, Bureau guidance states that research and testing projects must develop project plans to identify the activities to be accomplished and which are to serve as the baseline for monitoring project performance and managing changes to the project.[Footnote 20] Consistent with this guidance, three of the six projects--Automating Field Activities, Workload Management Systems, and Privacy and Confidentiality Study--had project plans. However, the remaining three projects--the Commercial Mobile Device, Optimizing Self Response, and Virtual Local Census Office and Test Bed projects--did not.[Footnote 21] Similar to the gaps in the schedules, 2020 census program officials reported that they have also not been disciplined in ensuring project plans are completed and have recently begun working with the project teams to develop such plans. However, without finalized project plans, it is unclear whether the key activities and objectives for these projects will be achieved. For example, as previously mentioned, one of the objectives of the Commercial Mobile Device project is to address legal and privacy issues related to enabling enumerators to use their personal mobile devices, but the Department of Commerce currently has a policy that states that personal devices should not be used to store or process sensitive department information. This policy also states that personal devices cannot be used in any official capacity other than to access business e-mail without prior written approval. While the project's schedule specified that it plans to obtain authorization to install personally identifiable data on personally owned devices for the 2020 census by second quarter of fiscal year 2017, without a project plan that clearly lays out the actions that the Bureau needs to take, it is unclear how the project will meet its target. As previously mentioned, during the early stages of the research and testing phase--in 2012--we determined that key research and testing project plans were incomplete and recommended that the Bureau ensure that documentation for projects is complete. However, the research and testing phase has now been under way for over 2 years, and certain project plans still do not exist. Until these plans are completed, the Bureau risks not finishing key projects needed to support the operational design decisions. Given the current trajectory and the lack of supporting schedules and plans, it is unlikely that all of the planned IT-related research and testing activities will be completed in time to support the 2015 design decision. In light of this, it is important for the Bureau to consider which projects are the highest priorities for informing the design decision. According to industry best practices, projects should be prioritized based on risk and funding.[Footnote 22] Further, while it is critically important to meet the already-delayed design decision date in order to have sufficient time to implement the operational systems for the 2020 Census, the Bureau has not prioritized its IT-related research to align with the 2015 decision date. As previously mentioned, in December 2013, 2020 census program officials began meeting with individual project teams to determine what they need to complete and by when in order to support the operational design decision; however, they did not specify when this effort would be completed. In the absence of prioritized IT-related research and testing projects with established schedules and project plans that align to the 2015 decision date, the Bureau risks not making a timely and well-informed design decision for the 2020 Decennial Census. [End of section] Results--Objective 2: The Bureau Has Identified Key Risks but Has Not Consistently Developed Risk Mitigation Plans: The Bureau has identified key risks facing the 2020 Decennial Census; however, its efforts to mitigate risks varied. According to industry best practices, an effective risk management process identifies potential problems before they occur, so that risk-handling activities may be planned and invoked as needed across the life of the product and project in order to mitigate adverse impacts on achieving objectives. Additionally, best practices indicate that risks should be prioritized based on clear criteria. Risk prioritization helps to determine the most effective areas to which resources for risk mitigation can be applied with the greatest positive impact on the project.[Footnote 23] In accordance with these practices, the 2020 census and IT directorates have taken several steps to identify risks. For example, the 2020 census directorate holds biweekly 2020 forums to discuss risks with risk owners and answer process questions to improve project-level risk management. In addition, officials from the 2020 census and IT directorates participate in biweekly risk review board meetings to facilitate the identification, management, and monitoring of risks and issues for the program; and both directorates use an enterprise risk management logging tool through which users are required to identify, track, and manage the mitigation of program and project-level risks. As a result of these activities, as of October 2013, a total of 77 IT- related program and project risks[Footnote 24] facing the 2020 census were identified by the 2020 census and IT directorates. Further, the Bureau identified 7 of these risks as being the most critical IT- related risk to the 2020 census. However, although the Bureau requires and industry best practices recommend[Footnote 25] that risk mitigation plans be developed for risks, 6 of the 77 risks did not have associated mitigation plans--including 1 of the 7 critical risks. Table 2 describes the 7 most critical program-and project-level risks and their associated mitigation plans, where available. Table 2: Most Critical IT-Related Program and Project Risks Facing the 2020 Census and Mitigation Plans (as of October 2013): Most critical program risks: If the 2020 census program does not establish a well-structured and properly managed requirements engineering approach, then decennial census operations and systems may fail to integrate or operate efficiently, thereby failing to produce the quality required by the 2020 census program; Mitigation plans: The Bureau planned to develop a requirements engineering strategy and plan for the 2020 census research and testing phase, develop and deploy tools to support requirements engineering processes, and facilitate and capture requirements for all levels of the requirements documented in the Requirements Engineering Management Plan. Most critical program risks: If enterprise IT solutions cannot meet decennial census requirements, the existing systems may require substantial modifications or entirely new systems may have to be developed, adding complexity and reducing the opportunity for program cost efficiencies; Mitigation plans: The Bureau planned to, among other things, conduct weekly system engineering meetings; take part in IT directorate and other technical initiatives early to ensure that the 2020 perspective is communicated and considered in key enterprise decisions; and consider system modification and reuse to support requirements for the 2020 census research and testing phase and beyond. Most critical program risks: If required staffing levels for the site test planned for 2014 are not maintained, then the test requirements may not be met; Mitigation plans: The Bureau planned to ensure that required staffing levels are maintained. Most critical program risks: If a decision for an Interactive Voice Response (IVR) development for data collection for the large integration field test is not made, there will not be enough time for system procurement and development; Mitigation plans: The Bureau decided that IVR would not be used for Census data collection. Instead it planned to use IVR for the limited purpose of allowing people to get basic information or requested materials. The Bureau planned to explore the potential of using the in- house IVR solution currently used for the American Community Survey operations to see if it could be modified to use for the large integration test. Most critical program risks: If policy decisions for new methodologies such as e-mail contact are not defined as needed or when needed, the ability to do new testing for enumeration and contact options will be limited; Mitigation plans: The Bureau escalated this project-level risk to a program-level risk, and program officials are working to define this risk at the program-level. Most critical project risks: If privacy, policy, security, and confidentiality issues related to use of new methods are not resolved, Census may not be able to proceed with text and cell phone contacts; Mitigation plans: The Bureau does not have a documented mitigation plan for this risk. Most critical project risks: If early decade testing is not spaced out, then the census program may not be able to apply lessons learned to following tests; Mitigation plans: The Bureau intends to review research objectives and determine if they can be met by delaying or consolidating the tests. Source: GAO analysis of Census Bureau data. [End of table] As previously mentioned, over a year ago we reported that the Bureau had not developed mitigation and contingency plans for its project- level risks.[Footnote 26] Accordingly, we recommended that the Census Bureau develop mitigation and contingency plans for all project risks to ensure they are adequately managed to minimize their effect on the project. According to 2020 census program officials, gaps in certain mitigation plans still exist because they have not been disciplined about ensuring that projects consistently document mitigation plans. Until the Bureau ensures that all risks have mitigation plans, the program will continue to be in danger of risks potentially being realized. [End of section] Results--Objective 3: A Majority of GAO's Public Recommendations for Improving IT Management and Information Security Have Been Fully Implemented: In September 2012, we reported on the Census Bureau's IT management practices, and made 8 recommendations aimed at addressing weaknesses in its practices.[Footnote 27] In January 2013, we reported that the Census Bureau's IT systems contained deficiencies in its access controls.[Footnote 28] Accordingly, we publicly recommended that the Bureau take 13 actions, such as clearly documenting its assessment of common controls for information systems before granting an authorization to operate and fully developing an incident response plan. Of these 21 recommendations to improve the Bureau's IT management and security practices, 15 have been fully implemented, 5 have been partially implemented, and 1 has not been implemented. For example, progress has been made to institutionalize key IT management controls, including updating the Bureau's Enterprise Investment Management plan to specify investment board membership, frequency of meetings, and guidelines for project managers. The Bureau also adopted a new system development life-cycle methodology, which addresses multiple development methodologies. However, although we recommended that the Bureau clearly document its assessment of common controls for information systems before granting authorizations to operate, as of December 2013, Bureau officials reported that implementation of this recommendation had been delayed due to the October 2013 government shutdown and other resource issues. Appendix II provides additional details on the 8 IT management and 13 information security recommendations and the Bureau's status in addressing them. Continued momentum to fully implement our recommendations will better position the Bureau to deliver secure IT solutions on time and within budget goals. [End of section] Conclusions: The technology options the Bureau is exploring for 2020 have the potential to significantly reduce decennial costs. The results of the research and testing work on these options are expected to inform the 2020 design decision. While certain activities for each of the six IT- related research and testing projects have been completed, much more work remains. Because the Bureau has either not developed or finalized most of its project schedules, the projects with defined schedules are not estimated to complete key activities in time to support the target design decision, and project plans to guide work and measure progress have not been completed for half of the projects, it is unlikely the remaining planned work will be completed in time to support the design decision in fiscal year 2015. A delayed design decision would cut into an already slim margin of error to develop, acquire, and test the operational systems that will be used for the 2020 census. In light of this, prioritizing activities and ensuring that schedules and project plans are completed in a way that is consistent with the prioritized approach could help ensure that the most essential information is available to inform this decision. Additionally, while the Bureau has taken several steps to ensure that most risks are identified and mitigated, six identified risks lacked mitigation plans, including one critical risk. Until program officials implement our prior recommendation by ensuring all risks are mitigated, the program is in danger of risks potentially being realized. The bureau has implemented a majority of our most recent recommendations for improving institutional IT management and security controls. Continued momentum in fully implementing remaining recommendations would enhance the Bureau's capabilities to reliably acquire the IT solutions selected for 2020 and ensure its information and systems are protected from intrusion. [End of section] Recommendations for Executive Action: To ensure that the Bureau is better positioned to make a well-informed design decision for the 2020 Decennial Census, we are recommending that the Secretary of Commerce direct the Director of the Census Bureau to take the following three actions: * prioritize the research and testing that the Bureau needs to complete in order to support the operational design decision by the end of fiscal year 2015; * develop the research and testing project schedules consistent with the new prioritized approach; and: * ensure project plans are consistent with the new prioritized approach. [End of section] Agency Comments and Our Evaluation: We received oral comments from Census Bureau officials, including the Associate Director of the 2020 Census, on a draft of these briefing slides. In their comments, officials stated that they agreed with our three recommendations and have actions under way to address them. Specifically, officials stated they are continuing to meet with the research and testing project teams to determine and prioritize what research and testing needs to be done in order to support the operational design decision by the end of fiscal year 2015. They stated that they plan to complete this effort by the end of February 2014. Additionally, officials stated that the federal budget process has forced the Bureau to take certain steps to prioritize its 2020 research and testing efforts, such as conducting the spring 2013 reassessment and suspending the Privacy and Confidentially Study and the Virtual Local Census Office and Test Bed projects in response to the continuing resolution in fiscal year 2014. We acknowledge these actions in our briefing slides, but, while these are steps in the right direction, the actions have not yet resulted in a prioritized researching and testing approach that supports the 2015 decision date. In addition, the Associate Director of the 2020 Census stated that their current trajectory demonstrated significant risk, but he does not agree with our statement that it is unlikely that the remaining planned work will be completed in time to support the design decision by the end of fiscal year 2015. However, we continue to believe that the volume of remaining research and testing activities that the program currently plans to conduct in order to make its operational design decision is unlikely to be completed before: September 2015--thus suggesting that less-important research and testing activities may need to be removed from the scope or postponed. Regarding our finding related to the six missing risk mitigation plans, officials stated that while they believe they have made progress in their risk mitigation efforts from prior years, they agree that they need to develop those missing plans. Officials reported that they will do so after they complete their research and testing prioritization work. Given the importance of prioritizing the remaining research and testing, we agree with this approach. Officials also provided technical comments, which we have incorporated, as appropriate. [End of section] Appendix I: Status of IT-Related Research and Testing Projects: Automating Field Activities: Researching (1) the feasibility of commercially-available hardware-independent solutions technologies that will be available to support the operational field infrastructure, (2) how the Bureau can effectively automate and streamline field operations to take advantage of design changes and non-response follow- up data collection modes to improve data quality, and (3) the costs and benefits of alternative field automation designs. Completed activities: * Tested the ability to use mobile devices to enumerate households who do not respond to the census survey; * Developed high-level capability requirements for operational control system software; * Completed approximately 75 percent of screening needed for enumerators to conduct interviews for the planned 2014 site testing; * Began documentation and development of communication processes between the hand-held enumerator system and the operational control system; * Began development of geospatial tools within the control system to show visual indication of casework and field staff duty station; * Completed development of the geospatial tools within the operational (field) control system to show a visual indication of casework and the duty station of the field staff; * Developed a case management menu within a field enumeration application; * Completed key development work in preparation for the planned 2014 site test. Planned activities: * Complete development of the process for loading the non-response follow-up universe for the planned 2014 site test into the operation control system. Project start date: November 2011. Original completion date: No later than September 2014. Estimated completion date as of December 2013: June 2016. Estimated life-cycle cost estimate as of December 2013: $30,588,371. Amount spent as of December 2013: $9,503,617. Source: Data reported by Bureau officials. [End of table] Optimizing Self Response: Researching among other things (1) the technologies that will be feasible for self-enumeration by 2020 and how will they differ by demographics and geography (e.g., access to the Internet); (2) the best mix of modes and strategies by demographic/ geography to increase self-response; (3) the best notify-contact-remind strategies and timing by mode and demographic/geography; (4) the costs and benefits of different self-response modes by demographic/geography (including impact on data quality); (5) how the Internet (e.g., social networking sites, e-mail, text messages, communities of interest, automated phone) can be used for encouraging and collecting responses; and (6) the language support services and technologies across contact and enumeration methods that are most effective in increasing response and maintaining quality. Completed activities: * Developed the Internet data collection browser used in the 2010 Census Quality Survey and 2012 National Census Test; * Defined scope for testing and deploying contacts with respondents with and without user IDs or access codes; * Developed panel design for planned 2014 site test and a proposed five-prong strategy to facilitate project; * Discussed authentication of e-mails and paper mail with e-postmarks with the U.S. Postal Service and National Institute of Standards and Technology; * Conveyed the scope of requirements for 2020 Telephone Questionnaire Assistance based on proposed five-prong strategy. Planned activities: * Develop requirements for systems which encourage individuals to pre- register, indicate how they prefer to be contacted, and a system to push e-mails to individuals to respond; * Roll out of an online identification pilot and solution for the pre- registration portal for planned 2014 site test. Project start date: Fiscal year 2012. Original completion date: No later than September 2014. Estimated life-cycle cost estimate as of December 2013: The Bureau did not provide any cost information. Amount spent as of December 2013: The Bureau did not provide any cost information. Source: Data reported by Bureau officials. [End of table] Workload Management Systems/System Reuse: Researching (1) the options for and feasibility of a successful, real-time, centralized headquarters workload management system and (2) the least-risky low- cost development and acquisition strategies for acquiring a real-time headquarters workload management system. This project also includes reusing existing systems (e.g., American Community Survey (ACS) systems) within the Bureau to, among other things, conduct field operational and design tests supporting enumeration and infrastructure activities. Completed activities: * Completed a cost-benefit analysis of Interactive Voice Response data collection solutions which concluded that it was not cost effective; * Completed the functional diagram for planned 2014 site test, defining all the systems, the interfaces between the systems with the data to be exchanged, and the transfer protocol; * Worked with other government agencies to research their telephone operations. Recently worked with the Veterans Administration regarding their Benefits Program Telephony services; * Provided support in designing and developing the business process model and delivery of system overviews for the planned 2014 site test. Planned activities: * As of December 2013, project officials were significantly modifying the purpose and scope of the project. This includes developing a new project charter, plan, and schedule. Project start date: November 2011. Original completion date: No later than September 2014. Estimated life-cycle cost estimate as of December 2013: $8,205,567. Amount spent as of December 2013: $3,472,270. Source: Data reported by Bureau officials. [End of table] Commercial Mobile Device: Researching (1) legal and privacy issues related to enabling enumerators to use their personal mobile devices (referred to as "bring your own device," or "BYOD") to collect field data, such as survey responses from households who did not self-report; (2) current and future willingness to adopt BYOD; (3) the government- furnished equipment approach to support 2020 deployment; (4) total cost of ownership; and (5) whether the Bureau's enterprise architecture can accommodate BYOD. In addition, the project intends to (1) prototype solutions, (2) develop supporting data to enable executive management to decide to what extent BYOD should be implemented in the 2020 census, and (3) document the operational impacts of BYOD on field data collection. Completed activities: * Procured 100 new smartphone devices to roll out to selected employees to determine employees' adaptability to a smartphone that was different from what the Bureau has previously issued them. As of December 2013, 68 had been deployed; * Researched the ability to create a separate container on personal devices to house applications for business-use only; * Conducted a survey to understand the level of acceptance among employees of using their personal phones to conduct business; * Designed, developed, and tested a mobile application that can be used on different government-issued mobile devices to collect relevant census data. Planned activities: * Simulate technical implementation of BYOD, using government-issued devices in the 2014 site test; * Test technical and legal/policy implementation of BYOD in a follow- up to the 2014 site test; * Conduct survey on consumer attitudes toward BYOD. Project start date: First quarter of fiscal year 2013. Original completion date: N/A. Estimated life-cycle cost estimate as of December 2013: $3,417,090. Amount spent as of December 2013: $192,560. Source: Data reported by Bureau officials. [End of table] Privacy and Confidentiality Study: Researching (1) current public perceptions about the decennial census, Internet response, and administrative records; (2) how the Bureau uses the Internet, web-based applications, and administrative records while protecting the public's privacy and confidentiality; (3) perceptions or concerns about new contact methods and modes; and (4) how the Bureau will address emerging issues that reflect changing public perceptions throughout the decade. Completed activities: * Conducted a study to begin presenting questions for "bring your own device," and began fielding alternative contact questions; * Acquired social media software and conducted literature review; * Submitted first set of questions for split-ballot testing for programming. Split-ballot testing is when a sample is randomly divided to test two or more versions of a questionnaire; * Identified an alternative solution for data collection; * Performed Gallup study by developing and pretesting questions about Bring Your Own Device; fielded another set of alternative contact questions, and completed collection of third major series of administrative records questions; * Presented most recent findings on Gallup study at American Association for Public Opinion Research and to Interagency Council on Statistical Policy. Planned activities: * In October 2013, this project was suspended in response to the fiscal year 2014 continuing resolution. Project start date: December 2011. Original completion date: Unknown. Estimated life-cycle cost estimate as of December 2013: The Bureau did not provide any cost information. Amount spent as of December 2013: The Bureau did not provide any cost information. Source: Data reported by Bureau officials. [End of table] Virtual Local Census Office (LCO) and Test Bed: This project is intended to develop a Virtual Local Census Office (LCO) to conduct research for the Census 2020 Research and Testing Program. It is also intended to deploy the Virtual Local Census Office to a physical local office test bed to conduct all field operational tests for the 2020 Research and Testing Program. Completed activities: * Redefined the project scope to include providing the IT Infrastructure systems for the field offices; * Revised project research questions on network printing, cost efficient technology, and conferencing technology; * Conducted market research related to a mobile solution as a type of local census office to support field staff operations; * Developed a cost estimate for the Virtual LCO infrastructure and the LCO IT support equipment; * Submitted requirements and identified technology approaches for research and development for the planned 2014 site test; * Finalized the Virtual LCO IT Infrastructure high-level requirements to support; research and testing activities; * Conducted research on various mobile units in use by other government agencies for solutions that could best suit local needs; * Researched options and costs between the application delivery method and the desk delivery method for virtual desktop infrastructure to be used in Local Census Offices during follow up operations. Planned activities: * In October 2013, this project was suspended in response to the fiscal year 2014 continuing resolution. Project start date: November 2012. Original completion date: No later than September 2014. Estimated life-cycle cost estimate as of December 2013: $1,819,441. Amount spent as of December 2013: The Bureau did not provide any cost information. Source: Data reported by Bureau officials. [End of table] [End of section] Appendix II: Implementation Status of Prior GAO Recommendations: IT management: Recommendation: Establish guidelines for the frequency and membership of Bureau investment review boards and thresholds for these boards to escalate cost or schedule variances to higher-level boards; Status: Fully implemented; In June 2013, the Bureau updated its Enterprise Investment Management Plan (EIMP) to include guidelines for frequency of investment review board meetings, which are to occur at least monthly. In addition, Bureau officials indicated that while the threshold for escalation for cost, risk, or impact is 10 percent, variance analysis must be performed to determine if the variance warrants escalation, due to metrics being based on a snapshot in time. Recommendation: Establish time frames for project managers to provide periodic updates of investment information in the enterprise investment management tool; Status: Fully implemented; In June 2013, the EIMP was updated to specify that project managers are responsible for updating performance and investment information at least once a month in the Enterprise Performance Management Tool. Recommendation: Adapt the Bureau's new system development life-cycle methodology, including the mandatory work products, activities, and phases of the project, to the additional software development models beyond the waterfall model that are specified in the methodology; Status: Fully implemented; Bureau officials adapted a new system development life-cycle methodology, referred to as the Enterprise System Development Life- Cycle (ESDLC), which was finalized in September 2013 and includes the short incremental development model referred to as Agile. The ESDLC includes mandatory work products, artifacts, activities, and phases to be followed during the implementation of systems development projects. Recommendation: Establish and implement a consistent requirements development and management process across the Bureau that is integrated with its new system development life-cycle methodology and includes guidance for developing requirements at the strategic mission, business, and project levels; Status: Fully implemented; In September 2013, the Bureau established and implemented a consistent requirements development tool that includes guidance for developing requirements at strategic mission, business, and project levels, as part of the ESDLC. The ESDLC provides guidance in developing and discovering requirements with the waterfall and Agile models. Recommendation: Finalize a plan for implementing the Enterprise Investment Management Plan, including time frames for implementation by fiscal year 2015, pilot testing of the new process, and a documented evaluation process; Status: Fully implemented; The Bureau developed an investment management process implementation plan to cover fiscal years 2013 through 2015. The plan states that the investment management processes have been piloted. The Office of Risk Management and Program Evaluation is implementing investment management incrementally across the Bureau. For example, one of the Bureau's directorates established a Portfolio Management Governance Board and a Program Management Review process based on principles laid out in the Bureau's EIMP. Recommendation: Establish a plan for implementing the new system development life-cycle methodology, including requirements development and management processes, across the Bureau, to include time frames for implementation by fiscal year 2015, additional pilots of the methodology prior to full implementation, and a documented evaluation process; Status: Partially implemented; The ESDLC User Guide indicated that all new information technology projects at the Bureau must use the ESDLC as of October 1, 2013. However, there was no indication of a documented evaluation process. Recommendation: Establish a repeatable process for performing IT skills assessments and gap analyses that can be implemented in a timely manner; Status: Partially implemented; Bureau officials stated that the skills and needs assessment for the IT workforce was expanded to include headquarters staff in professional job series. This skills assessment was completed in mid- September 2013, and the Bureau is currently in the process of conducting a headquarters-wide review to validate the competency data. Officials plan to release the action plans for the IT skills needs by March 2014. Recommendation: Establish a process for directorates to coordinate on IT workforce planning, including (1) aligning IT workforce planning with strategic planning and budget formulation; (2) involving appropriate stakeholders and staff from each directorate; (3) identifying critical occupations, skills, and competencies, and analyzing workforce gaps; (4) developing strategies to address IT workforce gaps; (5) building capacity to address workforce gaps; and (6) monitoring and evaluating IT workforce planning efforts across the Bureau, and ensure this process is implemented across the Bureau; Status: Partially implemented; The Bureau developed a strategic workforce planning team which is implementing a human capital and strategic workforce plan that includes high priority domains, such as IT. Bureau officials stated that the skills and needs assessment for the IT workforce was expanded to include headquarters staff in professional job series. This skills assessment was completed in mid-September 2013 and the Bureau is currently in the process of conducting a headquarters-wide review to validate the competency data. Officials plan to release the action plans for the IT skills needs by March 2014. Information security: Recommendation: Clearly document the Bureau's assessment of common controls for information systems before granting an authorization to operate; Status: Not implemented; In December 2013, Bureau officials reported that implementation of this recommendation has been delayed until January 31, 2014, due to the October 2013 government shutdown and other resource issues. Recommendation: Clearly document acceptance of risks and remedial actions for management review and approval before closing them; Status: Fully implemented; In December 2013, the Bureau provided its policy on risk acceptance, which stated that rationale for risk acceptance needs to be documented. In addition, Bureau officials demonstrated that it is implementing its policy by documenting its acceptance of risks and remedial actions in its Risk Management Framework. Recommendation: Establish a deadline for updating and finalizing the Bureau's IT Security Program Policies document; Status: Fully implemented; In August 2013, the Bureau provided an updated and finalized IT Security Program Policy. Recommendation: Fully implement the Bureau's new process for tracking employee completion of security awareness training in the database of record; Status: Fully implemented; Bureau officials fully implemented a process for tracking employee completion of its Data Stewardship Awareness Training in its training management database. Recommendation: Enforce the requirement for annual security awareness training for all users and ensure all users complete the training; Status: Fully implemented; In March 2013, the Bureau established a Data Stewardship Executive Policy which detailed the requirement for annual security awareness training for all users. Bureau officials e-mailed policy reminder notices in April and June 2013 which stated that all employees must be in compliance with their annual Data Stewardship and IT Security Awareness training by June 28, 2013, or network access will be disabled until proof of completed training is submitted. Bureau officials also documented the list of users that were in compliance for fiscal year 2013. Recommendation: Enforce the requirement that all individuals with significant security responsibilities complete both initial and refresher role-based training; Status: Fully implemented; In August 2013, the Bureau provided documentation showing that individuals with significant security responsibilities were in compliance with training requirements, or if they were not, they were removed from related duties and replaced. Recommendation: Provide sufficient opportunities for incident response personnel to complete required training and certifications and verify compliance; Status: Fully implemented; In August 2013, the Bureau provided certificates of completion for the required incident response training for the two officials responsible for incident response. Recommendation: Develop plans and criteria or metrics for incident response plan tests and exercises, and evaluate the effectiveness of the incident response capability; Status: Partially implemented; In August 2013, the Bureau provided guidelines and procedures it had developed for incident response plan tests and exercises. However, it is unclear from the guidelines and procedures what criteria or metrics are being used for the incident response plan tests and exercises. Further, in December 2013, Bureau officials stated that they have not yet evaluated the effectiveness of the incident response exercises to determine if there has been improvement in how live incidents are handled. Recommendation: Verify that incident response personnel document in the incident log the actions taken to contain, eradicate, and recover from incidents; Status: Fully implemented; In January 2014, Bureau officials provided samples of incident logs demonstrating that actions taken to eradicate and recover from incidents were documented. Officials stated there has not been a widespread incident that has required containment. Recommendation: Fully develop an incident response plan by documenting metrics used for measuring the Bureau's incident response effectiveness and defining the resources and management support necessary to develop an incident response capability that meets the Census Bureau's unique needs; Status: Fully implemented; In December 2013, Bureau officials provided the Bureau's handbook on standard operating procedures for incident handling, which defines resources and management support to maintain an incident response capability, and identified requirements needed to meet that capability. The handbook also detailed metrics needed in incident reports, and Bureau officials provided examples of these security incident metrics. Recommendation: Ensure that all reportable incidents are reported to the United States Computer Emergency Readiness Team (US-CERT); Status: Fully implemented; In December 2013, the Bureau provided documentation demonstrating that reportable incidents with the proper classification were reported to US-CERT. Recommendation: Complete development of a mature digital forensics capability to better detect and validate malware incidents; Status: Fully implemented; The Bureau developed a Combined Forensics Lab Procedures document on January 23, 2013, that details the process for performing forensics on malware incidents. Recommendation: Develop a process to formally review incidents, gather lessons learned from ongoing incident handling activities, and incorporate identified improvements into training, testing, and procedures; Status: Partially implemented; In August 2013, the Bureau provided a document that listed dates and high-level details of incidents that were reviewed at daily review meetings, which detailed, at a very high-level, how the incidents were handled. The Bureau also provided an after-action report and a participant guide that discussed a tabletop exercise to simulate communication among relevant personnel in cases of a security breach involving personally identifiable information. In December 2013, Bureau officials stated that they have incorporated identified improvements in the data stewardship training course. However, officials have not yet provided documentation demonstrating the outcome of processes improvements in their testing and procedures. [End of table] [End of section] Footnotes: [1] GAO, GAO Schedule Assessment Guide: Best Practices for Project Schedules, [hyperlink, http://www.gao.gov/products/GAO-12-120G] (Washington, D.C.: May, 2012). [2] Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Development (CMMI-DEV), Version 1.3 (November 2010). [3] IEEE Guide-Adoption of the Project Management Institute (PMI) Standard, A Guide to the Project Management Body of Knowledge (PMBOK® Guide), Fourth Edition (November 21, 2011). [4] GAO, Information Technology: Census Bureau Needs to Implement Key Management Practices, [hyperlink, http://www.gao.gov/products/GAO-12-915] (Washington, D.C.: Sept. 18, 2012). [5] GAO, Information Security: Actions Needed by Census Bureau to Address Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-13-63] (Washington, D.C.: Jan. 22, 2013). Another version of this report was issued for limited distribution, which contained over 100 additional recommendations. We do not provide information in this briefing on actions taken to address the recommendations contained in that version of the report. [6] See GAO, Information Technology Management: Census Bureau Has Implemented Many Key Practices, but Additional Actions Are Needed, [hyperlink, http://www.gao.gov/products/GAO-05-661] (Washington, D.C.: June 16, 2005) and Information Technology: Census Bureau Needs to Improve Its Risk Management of Decennial Systems, [hyperlink, http://www.gao.gov/products/GAO-08-79] (Washington, D.C.: Oct. 5, 2007). [7] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: Jan. 22, 2009). The 2010 Census was removed from our high-risk list in February 2011. [8] GAO, Information Technology: Significant Problems of Critical Automation Program Contribute to Risks Facing 2010 Census, [hyperlink, http://www.gao.gov/products/GAO-08-550T] (Washington, D.C.: Mar. 5, 2008). [9] GAO, Information Technology: Census Bureau Testing of 2010 Decennial Systems Can Be Strengthened, [hyperlink, http://www.gao.gov/products/GAO-09-262] (Washington, D.C.: Mar. 5, 2009). [10] GAO, 2010 Census: Census Bureau Has Made Progress on Schedule and Operational Control Tools, but Needs to Prioritize Remaining System Requirements, [hyperlink, http://www.gao.gov/products/GAO-10-59] (Washington, D.C.: Nov. 13, 2009). [11] GAO, 2010 Census: Data Collection Operations Were Generally Completed as Planned, but Long-standing Challenges Suggest Need for Fundamental Reforms, [hyperlink, http://www.gao.gov/products/GAO-11-193] (Washington, D.C.: Dec. 14, 2010). [12] GAO, 2010 Census: Preliminary Lessons Learned Highlight the Need for Fundamental Reforms, [hyperlink, http://www.gao.gov/products/GAO-11-496T] (Washington, D.C.: Apr. 6, 2011). [13] [hyperlink, http://www.gao.gov/products/GAO-12-915]. [14] GAO, 2020 Census: Initial Research Milestones Generally Met but Plans Needed to Mitigate Highest Risks, [hyperlink, http://www.gao.gov/products/GAO-13-53] (Washington, D.C.: Nov. 7, 2012). [15] [hyperlink, http://www.gao.gov/products/GAO-13-63]. Another version of this report was issued for limited distribution. [16] GAO, 2020 Census: Progress Report on the Census Bureau's Efforts to Contain Enumeration Costs, [hyperlink, http://www.gao.gov/products/GAO-13-857T] (Washington, D.C.: Sept. 11, 2013). [17] GAO, 2020 Census: Bureau Needs to Improve Scheduling Practices to Enhance Ability to Meet Address List Development Deadlines, [hyperlink, http://www.gao.gov/products/GAO-14-59] (Washington, D.C.: Nov. 21, 2013). [18] [hyperlink, http://www.gao.gov/products/GAO-12-120G]. [19] The 2014 Site Test is the first opportunity by the Bureau to employ and test new methods that may increase self-response rates and reduce the cost of the non-response enumeration. This test is designed to: (1) answer research questions on how respondents react to strategies aimed at encouraging Internet self-response, and (2) improve the non-response enumeration while maintaining cost and quality. The test is planned to take place from July to September 2014 in Washington D.C., and Montgomery County, Maryland. [20] United States Census Bureau, 2020 Census Program-Level Research and Testing Management Plan WBS 1.105, Version 1.0 (Aug. 7, 2012). [21] The project plan for Optimizing Self-Response from March 2012 that we assessed as part of [hyperlink, http://www.gao.gov/products/GAO-13-53] was no longer valid, as it was under development during the time of this review. [22] PMBOK® Guide, Fourth Edition (November 21, 2011). [23] CMMI-DEV, Version 1.3 (November 2010). [24] According to the Bureau, program-level risks span the entire 2020 research and testing phase and if not managed properly could jeopardize the phase's goals and objectives. In contrast, project-level risks pertain to the successful completion of projects. [25] CMMI-DEV, Version 1.3 (November 2010), and PMBOK® Guide, Fourth Edition (November 21, 2011). United States Census Bureau, 2020 Census Risk Management Plan WBS 1.111, Version 2.0 (August 2012), and United States Census Bureau: IT Directorate, Risk Management Policy (September 2011). [26] [hyperlink, http://www.gao.gov/products/GAO-13-53]. [27] [hyperlink, http://www.gao.gov/products/GAO-12-915]. [28] [hyperlink, http://www.gao.gov/products/GAO-13-63]. Another version of this report was issued for limited distribution, which contained over 100 additional recommendations. We do not provide information in this briefing on actions taken to address the recommendations contained in that version of the report. [End of briefing slides] Appendix II: Comments from the Department of Commerce: United States Department of Commerce: Office of the Secretary: Washington, D.C. 20230: March 25, 2014: Ms. Carol Cha: Director: Information Technology Acquisition Management Issues: U.S. Government Accountability Office: Washington, DC 20548: Dear Ms. Cha: The U.S. Department of Commerce appreciates the opportunity to comment on the U.S. Government Accountability Office's draft report titled 2020 Census: Prioritized Information and Technology Research and Testing Is Needed for Census Design Decision (GAO-14-389). The Department's comments on this report are enclosed. Sincerely, Signed by: NIST Director performing the duties of the Deputy Secretary: Enclosure: U.S. Department of Commerce: Comments on the United States Government Accountability Office Draft Report Titled 2020 Census: Prioritized Information and Technology Research and Testing is Needed for Census Design Decision (GAO-14-389): March 2014: The U.S. Census Bureau agrees with the three recommendations of the Government Accountability Office (GAO) and has actions under way to address them, as stated in the draft GAO report. In May 2013, we conducted a rigorous reprioritization of our program to ensure we could continue to work on key cost-savings innovations, even if faced with funding challenges. This effort, which has been guiding us since, is why we were well positioned when faced with a series of such challenges in early fiscal year (FY) 2014. For example, when we were operating under a Continuing Resolution in early FY 2014, we placed some of our research on hiatus in order to proceed with priority testing activities in 2013 and systems development for the 2014 Census Test. We continue this prioritization effort as we meet with the research and testing project teams to determine and prioritize what research and testing are most critical to the operational design decisions we need to make by the end of FY 2015 for the 2020 Census design. Now that we have received a strong budget for FY 2014, we are well positioned to complete the research we planned for the program. While we agree that our current trajectory demonstrates a level of risk, based on the work we have already completed, we do not agree with GAO's conclusion that it is unlikely that the remaining planned work will be completed in time to support the design decisions by the end of FY 2015. The Census Bureau has one additional comment to those provided in December. On page 39, the draft GAO reports that three projects, including the Commercial Mobile Device, lack project plans, which are used to identify activities to be accomplished and serve as the baseline for monitoring project performance and managing changes to the project. The IT Directorate has developed a charter for the Systems Development Lifecycle that we believe includes this information. We provided this document to the GAO and can provide further clarification, if necessary, to ensure we have an appropriate and sufficient project plan in place. [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Carol R. Cha at (202) 512-4456 or chac@gao.gov. Staff Acknowledgments: In addition to the contact named above, the following staff made key contributions to this report: Shannin G. O'Neill (Assistant Director), Lisa J. Hardman, Vernetta Y. Marquis, Lee McCracken, Scott Pettis, and Jeanne H. Sung. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]