Census Bureau Isn’t Properly Managing Its Risk Management Review System
A lack of continuous assessment and oversight led to bad reporting, which in turn led to bad decision-making and a weak cybersecurity posture.
The Census Bureau has shown it understands the best practices around cybersecurity risk management and has an automated reporting system but didn’t follow its own advice, leading to poor, uninformed management decisions, according to a new watchdog report.
As the amount of data and interconnected systems and devices grow exponentially, it is impractical to apply top-level cybersecurity to every aspect of an agency network. Instead, experts—including cybersecurity leaders from the Homeland Security Department and National Institute of Standards and Technology—recommend using a risk management framework to focus resources on the areas that need the most attention.
The bureau has an established risk management framework, yet it failed to monitor security controls, properly document risk and keep authorizing officials in the loop, according to an inspector general report released Tuesday.
In order to implement a risk management framework, officials created an automated application called the Risk Management Program System to regularly assess its IT systems and deliver reports “that quantify cybersecurity risk.” But the IT and cybersecurity worlds change rapidly and Census officials failed to keep up.
“After security controls are selected and implemented, a plan to conduct periodic reassessments of security controls—referred to as a continuous monitoring strategy—is developed to determine whether the set of deployed security controls continue to be effective over time,” the IG wrote.
Under Census’ policy, no system or security control should go longer than two years without being reassessed. A March 2017 review showed a “large portion of security control requirements had either never been assessed or had not been assessed within the last two years.”
At that time, the bureau’s chief information officer and chief information security officer told IG investigators they “were unaware that the periodic assessments were not occurring,” according to the report.
“OIG found that continuous monitoring has been deficient at the bureau for potentially much longer than management believed,” auditors wrote, which led to Census leaders approving the use of systems that had never gone through a proper risk assessment. “The lack of ongoing assessments indicate that the risk-based decisions made by bureau management—to authorize these systems to operate while continuous monitoring was not occurring—were based on inaccurate information about what assessment activities had been, and would be, performed to assure their secure operation.”
The bureau has gotten better since that initial assessment but there is still work to be done. After a meeting in June 2017, Census leadership established a plan for continuous assessment. However, the plan calls for individual units to self-report when they fall behind schedule in these reviews—a process the IG says should be automated.
The IG audit found that approximately half of the security controls outlined in the NIST framework had been included in Census’ risk management system but in name only. Instead of including a proper description of the control and how it should be applied to Census systems, they were left blank.
“While the bureau had identified in RMPS which new security control requirements applied to these systems, it failed to describe how it would meet the requirements. Thus, there was no basis to assess the effectiveness of the controls—or even to understand how or if they were implemented,” the report states.
Auditors also found about one-third of control assessments that did take place “lacked documentation to support their validity … giving little or no assurance that the results were valid.”
All of these issues combined to produce incomplete reports that senior officials then used to make uninformed risk management decisions, according to the report.
Overall, the IG made seven recommendations to improve Census’ risk management posture. Bureau officials agreed with all of the IG’s recommendations and, as of late September, had already taken steps to address them.
The latest IG report comes just a few months after a Government Accountability Office report showed the bureau was far behind on testing the security of the new systems being developed for the 2020 count. As of August, Census had only tested 36 of 44 IT systems and had cut the scope of its end-to-end tests by two-thirds due to lack of budget.
A Census spokesperson told Nextgov that as of November the agency had 42 of those 44 systems ready for the test and is on schedule to have the last two ready by January.
Editor’s Note: This story has been updated to include additional comments from Census and the number of systems tested.