Fundamental Security Safeguards Were Not In Place to Adequately Protect the IT Systems Supporting the 2020 Census

The objective of this audit was to determine the effectiveness of security measures for select IT systems that support the 2020 Census. Our audit scope included the Bureau’s risk management program, security operations center (SOC) capabilities, security of Active Directory, and implementation of multi-factor authentication. We found the following: (1) The Bureau’s inadequate risk management program left significant risks present in decennial IT systems. (2) The Bureau’s Decennial security operations center lacked fundamental capabilities during periods of decennial census data collection. (3) The Bureau inadequately managed its Active Directory that supports decennial census operations. (4) The Bureau had not fully enforced personal identity verification in accordance with federal and Department requirements.