INFORMATION TECHNOLOGY:

Report to Congressional Requesters

June 2026

GAO-26-107629

United States Government Accountability Office

A report to congressional requesters

For more information, contact: Kevin Walsh at walshk@gao.gov.

What GAO Found

The Census Bureau fully implemented leading practices for risk management for its enterprise-wide data storage and processing modernization program (known as the Enterprise Data Lake). It also substantially implemented leading practices for managing requirements and cost estimating. However, the Bureau partially implemented leading practices for developing and maintaining the schedule for the program, as shown in the table.

Management Area

Overall Assessment

Assessment by Leading Practice

Risk Management

● Fully implemented

●     ●     ●     ●     ●

Requirements Management

◕ Substantially implemented

●     ●     ●     ◐

Cost Estimation

◕ Substantially implemented

◕     ●     ●     ◕

Schedule

◐ Partially implemented

◐     ◔     ◔     ◐

  Source: GAO analysis of Census Bureau data.  |  GAO-26-107629

The program’s management of risk and requirements improves its ability to mitigate risks and deliver on the program. However, the program’s requirements management plan was not in alignment with its process for managing low-level requirements. Thus, the program may have difficulty ensuring that low-level requirements are documented consistently. Documenting requirements can ensure that there is consistency between the requirements and the solution, which increases the likelihood that the solution will meet user needs. 

Additionally, the program fully met two of the four characteristics of a high-quality, reliable cost estimate (well documented and accurate), and substantially met the remaining two characteristics (comprehensive and credible). As a result, GAO found that the program’s cost estimate was reliable. However, the program’s schedule estimate was unreliable. The program did not substantially meet any of the four characteristics of a reliable schedule: comprehensive, well-constructed, credible, and controlled. Without fully implementing leading practices for a reliable schedule, the Bureau faces schedule uncertainty that may result in unreliable completion dates, time extension requests, and delays in the program.

The Bureau partially implemented leading practices for managing selected interdependencies among its four IT modernization programs. For example, to manage stakeholder interdependencies among the programs, it is holding regular meetings with stakeholders to discuss program status, risks, and issues. However, the Bureau does not have a process to ensure that changes to survey onboarding dates are incorporated, if applicable, into the schedules for the related IT modernization programs. Without a documented process for managing interdependent schedule changes, the Bureau may not identify schedule disconnects early enough to allow program management sufficient time to make decisions. Potential schedule disconnects may also hinder the ability to predict the consequences of managerial action or inaction on events and increase the risk that the Bureau is unable to deliver a set of integrated systems for future surveys, such as the 2030 Census.

Why GAO Did This Study

The U.S. Census Bureau’s IT systems are essential to collecting and providing data about the nation’s people and economy. Prior to the 2020 Census, the Bureau, a component of the Department of Commerce, faced challenges in modernizing and consolidating its IT systems. For future surveys, including the 2030 Census, the Bureau has embarked on four modernization programs to collect, store, process, and disseminate data.

GAO was asked to review the Bureau’s implementation of key modernization programs. This report (1) evaluates the extent to which the Bureau is implementing leading practices in managing risks, requirements, cost estimates, and schedule for a selected enterprise-wide IT program; and (2) determines the extent to which the Bureau is managing selected interdependencies among the enterprise-wide IT programs.

GAO selected the data storage and processing program due to its critical role to the agency’s mission, and the maturity of its cost and schedule documentation. GAO assessed the program’s management of risks, requirements, cost, and schedule against leading practices. In addition, GAO reviewed prior GAO reports and Bureau documentation related to interdependencies among the four IT modernization programs and interviewed Bureau officials.

What GAO Recommends

GAO is making three recommendations to the Department of Commerce related to the Bureau managing requirements, developing a reliable schedule, and managing schedule interdependencies between the enterprise-wide IT programs. Commerce concurred with the recommendations and stated it would prepare a formal action plan.

 

 

 

 

Abbreviations
Bureau	U.S. Census Bureau
CEDCaP	Census Enterprise Data Collection and Processing
EDL	Enterprise Data Lake
CMMI	Capability Maturity Model® Integration
CEDSCI	Center for Enterprise Dissemination Services and Consumer Innovation
DICE	Data Ingest and Collection for the Enterprise
ISACA	Information Systems Audit and Control Association

June 4, 2026

Congressional Requesters

Modern, efficient IT systems are vital to the U.S. Census Bureau’s mission to collect and provide comprehensive data about the nation’s people and economy by conducting censuses and surveys. Prior to the 2020 Census, the Bureau, a component of the Department of Commerce, attempted to modernize and consolidate its data collection and processing systems, but had trouble monitoring risks, controlling IT costs, and managing the schedule. The effort also did not deliver enterprise-wide data collection and processing capabilities.

The Bureau has begun planning and implementing major enterprise-wide IT programs for the next decade’s surveys, including the 2030 Census. These plans include another attempt to integrate and manage the development of an enterprise-wide program for data collection, as well as enterprise data processing and data dissemination. In 2024, we reported that the Bureau had mixed results modernizing its data dissemination systems.[1] Specifically, the Bureau did not fully implement best practices for managing the program’s cost and schedule estimates.

You asked us to evaluate the Bureau’s implementation of the enterprise-wide programs for the 2030 Census and other Bureau surveys. This report (1) evaluates the extent to which the Bureau is implementing leading practices in managing risks, requirements, cost estimates, and schedule for a selected enterprise-wide IT program, and (2) determines the extent to which the Bureau is managing selected interdependencies among the enterprise-wide IT programs.

For our first objective, we selected the Enterprise Data Lake (EDL) program due to its central role in storing and processing Bureau data, which is critical to the agency’s mission, as well as the maturity of EDL’s cost and schedule documentation. We also selected EDL because we had not previously reported on it.[2] We collected documentation on the EDL program’s management of risks, requirements, cost estimate, and schedule. We analyzed this documentation against leading practices from the Information Systems Audit and Control Association’s (ISACA) Capability Maturity Model® Integration (CMMI),[3] the GAO Cost Estimating and Assessment Guide,[4] and the GAO Schedule Assessment Guide.[5]

We also interviewed Bureau officials to determine the extent to which they have implemented the leading practices. We corroborated our analyses by interviewing agency officials in the EDL program, especially in cases where the program does not appear to have followed leading practices.

For our second objective we reviewed prior GAO reports related to program interdependencies.[6] We also reviewed Bureau documentation describing the interdependencies among the Bureau’s four IT modernization programs. We selected the two most relevant interdependencies, stakeholder commitment and scheduling, because the four programs have overlapping stakeholders and interrelated schedules. We gathered information and conducted analyses on managing the selected interdependencies based on criteria from CMMI and the GAO Schedule Assessment Guide. We also interviewed Bureau officials to discuss their perspectives on the identified interdependencies and understand how the Bureau manages them. Additional details on our objectives, scope, and methodology are provided in appendix I.

The Census Bureau conducts many different censuses and surveys including: ·       Decennial Census—used to apportion the seats of the House of Representatives and allocate billions of dollars each year in federal financial assistance; ·       Economic Census—which serves as the benchmark for current economic activity, such as the Gross Domestic Product; and ·       American Community Survey—which is a source of social, demographic, economic, and housing information for the nation, states, counties, cities, and towns. Source: GAO summary of Census Bureau information.  | GAO‑26‑107629

We conducted this performance audit from June 2024 to June 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

The Census Bureau’s mission is to collect and provide comprehensive data about the nation’s people and economy. The data that the Bureau collects are essential to government functions, including apportioning seats in the House of Representatives and determining federal and state funding needs. To collect these data, the Bureau conducts various censuses and surveys, including the decennial census, the Economic Census, and the American Community Survey.

Because of the importance of these data, IT systems and infrastructure are foundational to the Bureau’s censuses and surveys. For example, for the 2020 Census, the Bureau developed and deployed 52 IT systems to support operations. These operations included internet self-response data collection, nonresponse follow-up, and data processing.

Historically, the Bureau’s censuses and surveys have largely relied on survey-specific IT systems, which has resulted in duplicative activities. Before the 2020 Census, the Bureau attempted to modernize and consolidate its survey data collection and processing systems through an enterprise-wide modernization program, known as Census Enterprise Data Collection and Processing (CEDCaP). The Bureau intended this program to support all of the Bureau’s survey data collection and processing functions, rather than continuing to develop survey-specific systems.

However, as we reported over the last decade, the Bureau struggled to implement CEDCaP.[7] For example, the Bureau faced significant challenges in managing the schedule for developing and testing IT systems for the 2020 Census due to issues experienced during systems development. Additionally, the agency struggled to control IT costs for the 2020 Census, which grew from $3.41 billion in its October 2015 estimate to $4.97 billion as of December 2017. This growth stemmed, in part, from late decisions on IT capabilities and contractors. The Bureau reduced the scope of CEDCaP in 2017 due to these challenges.

We also reported that the Bureau had trouble managing interdependencies between CEDCaP and the 2020 Census program.[8] For example, the Bureau did not have an effective process for integrating schedule dependencies between the two programs. This contributed to misalignment in milestones between the programs and limited the Bureau’s understanding of the work needed by both programs to meet milestones. Ultimately, although CEDCaP delivered several systems for the 2020 Census, the Bureau formally closed it in March 2020 without delivering enterprise-wide data collection and processing capabilities.

The Bureau’s Current Efforts to Modernize and Consolidate IT Systems

After the 2020 Census, the Bureau embarked on a large-scale effort to modernize its data collection, storage, and dissemination systems. This effort, called the Business Ecosystem, consists of four integrated, enterprise-wide IT modernization programs:

1.    Center for Enterprise Dissemination Services and Consumer Innovation (CEDSCI), aimed at modernizing data dissemination systems;

2.    Data Ingest and Collection for the Enterprise (DICE), focused on data collection systems;

3.    Enterprise Data Lake (EDL), intended to modernize data storage and data analysis capabilities; and

4.    Frames, a research program expected to identify ways to link data sets.

The aim of these programs is to create an integrated and data-centric ecosystem for Bureau activities. Figure 1 provides additional information about the four programs within the Business Ecosystem, and how they interface with each other.

Table 1 provides more information about each of the four programs within the Bureau’s Business Ecosystem.

Modernization Program	Description	Initiation Datea	Life cycle Cost Estimateb (dollars in millions)
Center for Enterprise Dissemination Services and Consumer Innovation (CEDSCI)	This program is intended to be the Bureau’s primary platform for data dissemination and the public gateway to Bureau information. According to officials, the Bureau designed the program to improve users’ experience by providing tools and data visualizations to allow users to better find, access, connect, and use data. CEDSCI systems were used during the 2020 Census.	2017	753
Data Ingest and Collection for the Enterprise (DICE)	This program is expected to develop, integrate, and manage an enterprise “system of systems” that facilitates collecting data from respondents as well as gathering data from third party/administrative sources (such as the Internal Revenue Service, Social Security Administration, and local governments). This is expected to reduce the Bureau’s IT footprint by consolidating redundant systems and retiring legacy solutions.	2021	1,080
Enterprise Data Lake (EDL)	This program is intended to modernize data storage and data analysis capabilities across the Bureau’s directorates with appropriate role-based access control. The EDL is expected to be the Census Bureau’s primary location for collected and ingested data, and to be used to analyze and store data.	2021	337
Frames	This program is expected to allow disparate census datasets to be linked, which is intended to improve research, reduce administrative burden, and increase productivity. In other words, instead of having the datasets serve as standalone entities, such as the master address file and business register, Frames is intended to gather datasets and provide an easy and efficient way to link them for purposes that are useful to the Bureau. These datasets will be linked within the EDL.	2021	Not applicablec

Source: GAO analysis of U.S. Census Bureau data.  |  GAO‑26‑107629

^aInitiation date is the year the program was funded.

^bThe life cycle cost estimate is based on data reported in the most recent program office estimate of the programs’ life cycle duration for the following fiscal years: CEDSCI—2020–2030; DICE—2021–2033.

^cAccording to the Bureau, the Frames program is an ongoing research project that has a fixed annual budget of about $12 million, as part of the appropriated Geographic Support Program.

The Bureau’s four modernization programs (CEDSCI, DICE, EDL, and Frames) are expected to be used for the same surveys, have the same executive stakeholders, and be interdependent with one another. For example, when incorporating new surveys, the schedules that the DICE program negotiates may be used to determine development activities with the other programs.

In April 2024, we reported on the Bureau’s progress in implementing leading IT management practices for CEDSCI.[9] We found that the Bureau fully implemented selected leading practices for risk management and substantially met leading practices for requirements management. However, it did not have a reliable cost estimate or schedule. Thus, we made recommendations aimed at improving the Bureau’s IT management practices. The Bureau agreed with our recommendations and has taken steps to implement them. For example, as of January 2026, CEDSCI officials provided documentation of its business process model and a draft of its updated requirements management plan. However, as of January 2026, they had not yet finalized the drafts.[10]

Leading Practices to Guide Organizations’ IT Modernizations

We and ISACA have identified practices to assist in ensuring the proper management of IT modernization programs. The following guides and model outline these practices.

ISACA’s CMMI. The CMMI provides an organized collection of best practices for business and performance improvement.[11] CMMI Model 3.0 includes a set of practice areas that can provide improved performance in the skills and activities of an organization or project. Each practice area is organized into levels that build on the previous level to increase the capability of the organization to implement that practice. For example, at level 3, the CMMI includes five practices related to risk and opportunity management that are used to identify and mitigate potential negative impacts that may make it difficult to meet objectives (see table 2).[12]

Selected practices	Example activities
Identify and use risk categories	Identify risk categories.
	Organize risks according to defined categories.
Define and use parameters for risk analysis handling	Identify a relative priority for each risk based on assigned parameters.
	Define thresholds to trigger actions for selected risks.
	Prepare and perform assessments for selected risks.
Develop and keep updated a risk management strategy	Develop, record, and keep updated a risk management strategy.
	Review the risk management strategy with affected stakeholders.
Develop and keep updated risk management plans	Develop mitigation plans for selected risks and contingency plans in the event their impacts are realized.
	Review plans with affected stakeholders.
Manage risks by implementing planned risk or opportunity management activities	Manage risks or opportunities using the risk management plans.

Source: GAO analysis of ISACA, Capability Maturity Model Integration, Model V3.0.  |  GAO‑26‑107629

Similarly, at level 2, CMMI includes four practices within the requirements development and management practice area.[13] These practices and their associated activities, as described in table 3, are used to address the needs of stakeholders.

Selected practices	Description and example activities
Elicit stakeholder needs, expectations, constraints, and interfaces or connections, and confirm understanding of the requirements	Additional requirements that are not explicitly provided by stakeholders should be identified. These requirements could be collected from sources such as questionnaires, interviews, use cases, and observation of existing solutions. An organization and the requirements provider should analyze requirements to reach a shared understanding of their meaning.
Transform stakeholder needs, expectations, constraints, and interfaces or connections into prioritized customer requirements	An organization should consolidate and prioritize inputs from customers and stakeholders, obtain missing information, and resolve conflicts. Sources for requirements include customer and stakeholder provided input, previous efforts, existing solution systems, laws and regulations, standards, and business policies.
Obtain commitment from project participants that they can implement the requirements	As requirements are developed, an organization should ensure that project participants commit to requirements and any resulting changes in plans, activities, and work products. This may include assessing the impact of requirements on existing commitments, negotiating and recording commitments, developing impact assessments, and recording commitments that requirements can be met.
Develop, record, and keep updated bidirectional traceability among requirements and activities or work products	Bidirectional traceability involves tracing requirements from their source through work products to the final deliverable to ensure that all requirements are implemented. For projects using agile development methodology (like the Enterprise Data Lake program), this can be implemented by tracing requirements from user stories to final work products.

Source: GAO analysis of ISACA CMMI Model V3.0.  |  GAO‑26‑107629

GAO’s Cost Estimating and Assessment Guide. Reliable cost estimates are critical for successfully delivering IT programs. Such estimates provide the basis for informed decision making, realistic budget formulation, meaningful progress measurement, and accountability for results. GAO’s Cost Estimating and Assessment Guide outlines best practices for developing reliable cost estimates that management can use to make informed decisions.[14] These practices can be organized into four characteristics—comprehensive, well-documented, accurate, and credible. For an estimate to be considered reliable, an organization must meet or substantially meet each characteristic. Table 4 summarizes the four characteristics and corresponding best practices of a reliable cost estimate.

Characteristic	Corresponding best practices
Comprehensive	·          The cost estimate includes all life cycle costs. ·          The technical baseline description completely defines the program, reflects the current schedule, and is technically reasonable. ·          The cost estimate is based on a work breakdown structure that is product-oriented, traceable to the statement of work, and at an appropriate level of detail to ensure that cost elements are neither omitted nor double-counted. ·          The cost estimate documents all cost-influencing ground rules and assumptions.
Well-documented	·          The documentation shows the source data used, the reliability of the data, and the estimating methodology used to derive each element’s cost. ·          The documentation describes how the estimate was developed so that a cost analyst unfamiliar with the program could understand what was done and replicate it. ·          The documentation discusses the technical baseline description and the data in the technical baseline are consistent with the cost estimate. ·          The documentation provides evidence that the cost estimate is reviewed and accepted by management.
Accurate	·          The cost estimate is regularly updated to ensure it reflects program changes and actual costs. ·          The cost model is developed by estimating each work breakdown structure element using the best methodology from the data collected. ·          The cost estimate is adjusted properly for inflation. ·          The cost estimate contains few, if any, minor mistakes. ·          Variances between planned and actual costs are documented, explained, and reviewed. ·          The estimate is based on a historical record of cost estimating and actual experiences from other comparable programs.
Credible	·          The cost estimate includes a sensitivity analysis that identifies a range of possible costs based on varying major assumptions, parameters, and data inputs. ·          A risk and uncertainty analysis is conducted that quantifies the imperfectly understood risks and identified the effects of changing key cost driver assumptions and factors. ·          Major cost elements are cross-checked to see if results were similar. ·          An independent cost estimate is conducted by a group outside the acquiring organization to determine whether other estimating methods produce similar results.

Source: GAO analysis.  |  GAO‑26‑107629

GAO’s Schedule Assessment Guide. The success of a project depends, in part, on having an integrated and reliable master schedule that defines when and how long work will occur, and how each activity is related to the others. A project’s schedule provides not only a road map for systematic project execution, but also the means by which to gauge progress, identify and resolve potential problems, and promote accountability at all levels of the project. GAO’s Schedule Assessment Guide identifies best practices for developing and maintaining reliable project schedules.[15] The best practices are grouped into four characteristics of a reliable schedule: comprehensive, well-constructed, credible, and controlled. For a schedule to be considered reliable, an organization must meet or substantially meet each characteristic. Table 5 summarizes the four characteristics and corresponding best practices of a reliable schedule estimate.

Characteristic	Corresponding best practices
Comprehensive	·          Capturing all activities. The schedule reflects all activities as defined in the program’s work breakdown structure, which describes in detail the work necessary to accomplish a project’s objectives, including activities both the owner and the contractors are to perform. ·          Assigning resources to all activities. The schedule reflects the resources (labor, materials, travel, facilities, equipment, etc.) needed to do the work, whether they will be available when needed, and any constraints on funding or time. ·          Establishing the duration of all activities. The schedule realistically reflects how long each activity will take. When the duration of each activity is determined, the same rationale, historical data, and assumptions used for cost estimating should be used. Durations should be reasonably short and meaningful and should allow for discrete progress measurement. Schedules that contain planning and summary planning packages as activities will normally reflect longer durations until broken into work packages or specific activities.
Well-constructed	·          Sequencing all activities. The schedule is planned so that critical program dates can be met. To do this, activities must be logically sequenced and linked—that is, listed in the order in which they are to be carried out and joined with logic. In particular, a predecessor activity must start or finish before its successor. Date constraints and lags should be minimized and justified. This helps ensure that the interdependence of activities that collectively lead to the completion of activities or milestones can be established and used to guide work and measure progress. ·          Confirming that the critical path is valid. The schedule identifies the program’s critical path—the path of longest duration through the sequence of activities. Establishing a valid critical path is necessary for examining the effects of any activity’s slipping along this path. The program’s critical path determines the program’s earliest completion date and focuses the team’s energy and management’s attention on the activities that will lead to the project’s success. ·          Ensuring reasonable total float. The schedule identifies reasonable total float (or slack)—the amount of time a predecessor activity can slip before the delay affects the program’s estimated finish date—so that the schedule’s flexibility can be determined. The length of delay that can be accommodated without the finish date’s slipping depends on the number of date constraints within the schedule and the degree of uncertainty in the duration estimates, among other factors, but the activity’s total float provides a reasonable estimate of this value. As a general rule, activities along the critical path have the least total float. Unreasonably high total float on an activity or path indicates that schedule logic might be missing or invalid.
Credible	·          Verifying that the schedule can be traced horizontally and vertically. The schedule is horizontally traceable, meaning that it links products and outcomes associated with other sequenced activities. Such links are commonly referred to as “hand-offs” and serve to verify that activities are arranged in the right order for achieving aggregated products or outcomes. The schedule is also vertically traceable—that is, data are consistent between different levels of a schedule. When schedules are vertically traceable, lower-level schedules are clearly consistent with upper-level schedule milestones, allowing for total schedule integrity and enabling different teams to work to the same schedule expectations. ·          Conducting a schedule risk analysis. A schedule risk analysis starts with a good critical path method schedule. Data about program schedule risks are incorporated into a statistical simulation to predict the level of confidence in meeting a program’s completion date; to determine the contingency, or reserve of time, needed for a level of confidence; and to identify high-priority risks. Programs include the results of the schedule risk analysis in constructing an executable baseline schedule.
Controlled	·          Updating the schedule using actual progress and logic. Progress updates and logic provide a realistic forecast of start and completion dates for program activities. Maintaining the integrity of the schedule logic is necessary to reflect the true status of the program. To ensure that the schedule is properly updated, people responsible for the updating should be trained in critical path method scheduling. ·          Maintaining a baseline schedule. A baseline schedule is the basis for managing the program scope, the time period for accomplishing it, and the required resources. The baseline schedule is designated the target schedule and is subjected to a configuration management control process. Program performance is measured, monitored, and reported against the baseline schedule. The schedule is continually monitored so as to reveal when forecasted completion dates differ from baseline dates and whether schedule variances affect downstream work. A corresponding basis document explains the overall approach to the program, defines custom fields in the schedule file, details ground rules and assumptions used in developing the schedule, and justifies constraints, lags, long activity durations, and any other unique features of the schedule.

Source: GAO analysis.  |  GAO‑26‑107629

The Bureau Implemented Selected Leading IT Management Practices for EDL, But Work Remains

For the EDL program, the Bureau fully implemented leading practices in the risk management area, substantially implemented practices in the requirements and cost estimating management areas, and partially implemented leading practices in the schedule management area. The program’s schedule estimate was unreliable because the Bureau did not substantially or fully implement any of the four characteristics of a reliable schedule: comprehensive, well-constructed, credible, and controlled.

The Bureau Fully Implemented Leading Practices for Risk Management

Leading practices for risk management, as outlined in CMMI, emphasize establishing a risk management plan with activities that include helping organizations identify potential problems and plan risk-handling activities across the life of the program.[16]

The Bureau established a risk management plan for EDL in accordance with these leading practices. This plan describes activities that the program is expected to take to identify, analyze, plan responses for, and control or monitor risks and issues. This risk management plan describes the steps the program takes to manage risks, including:

·         documenting risks and issues through risk and issue registers and escalating enterprise-wide risks and issues to the relevant Bureau risk and issue logs,

·         updating the status of its risks and issues on a regular basis,

·         documenting risk mitigation plans that describe strategies in place and actionable steps, and

·         documenting the risk owner, risk response, mitigation plan, date identified, probability, impact, and a risk category for each risk.

EDL’s implementation of its risk management plan fully met all five selected practices for analyzing and monitoring risks, as shown in table 6 below.

Selected practice	Assessment	Example Activities	Summary of assessment
Identify and use risk or opportunity categories	⚫	Identify risk or opportunity categories.	The EDL risk management plan describes its program risk register as a key outcome of risk identification. As part of the risk identification process, EDL listed risk management categories (e.g., cyber and information security, financial, or governance and oversight) in its risk management plan to group risks by common effects.
		Organize risks or opportunities according to defined categories.	EDL’s program risk register organizes risks into the risk management categories defined in the EDL risk management plan.
Define and use parameters for risk or opportunity analysis and handling	⚫	Identify a relative priority for each risk or opportunity based on assigned parameters.	The EDL risk management plan outlines a process for creating risk assessment ratings. EDL risk administrators first assigned each risk a value indicating the probability the risk could occur, and a value indicating the expected impact of the risk should it occur. EDL then computed risk assessment ratings by multiplying the risk’s assessed probability by the risk’s assessed impact, with higher ratings indicating higher priority risks.
		Define thresholds to trigger actions for selected risks or opportunities.	The EDL risk management plan identifies thresholds that require risk mitigation activities and contingency plans. Risks with risk assessment ratings exceeding a certain threshold are required to have a mitigation strategy or contingency plan. Risk owners are responsible for proposing risk mitigation strategies, contingency plans, and trigger events for risks exceeding the assessment rating threshold.
		Prepare and perform assessments for selected risks.	EDL officials performed risk assessments of each risk and documented the results of those assessments in the program’s risk register. Specifically, EDL’s risk register contains probability and impact values, as well as risk assessment ratings for all listed risks.
Develop and keep updated a risk or opportunity management strategy	⚫	Develop, record, and keep updated a risk or opportunity management strategy.	EDL officials developed, recorded, and updated a risk management plan for the program. This risk management plan includes a description of how risk management is performed, including its scope, methodology, risk categories, risk parameters, mitigation techniques, and the frequency of risk monitoring or reassessment.
		Review the risk or opportunity management strategy with affected stakeholders.	EDL officials reviewed and revised the program’s risk management plan and documented approvals from key stakeholders to the project.
Develop and keep updated risk or opportunity management plans	⚫	Develop mitigation plans for selected risks and contingency plans in the event their impacts are realized.	EDL officials created mitigation plans for identified risks and contingency plans for identified issues. Specifically, these officials developed mitigation plans for each mitigated risk and included those plans in the EDL risk register. Similarly, EDL officials developed contingency plans, or issue treatment strategies, for realized risks and included the contingency plans in the program’s issue register.
		Review plans with affected stakeholders.	EDL officials reviewed plans with affected stakeholders through monthly risk review board meetings to update and maintain the program risk register. These officials also held regular meetings to review EDL risks and issues with stakeholders. Additionally, officials updated program risk and issue registers on a monthly basis; this included changes to risk or issue statuses and mitigation and issue treatment plan descriptions.
Manage risks or opportunities by implementing planned risk or opportunity management activities	⚫	Manage risks or opportunities using the risk or opportunity management plans	Program officials managed risks according to the risk management process outlined in the EDL risk management plan. These officials identified risks on a regular basis, analyzed the exposure to risks, created mitigation plans, and closed several risks as a result of monitoring and control. EDL officials updated the status of their risks in the program risk register.

⚫—Met; ◕—Substantially Met; ◐—Partially Met; ◔—Minimally Met; O—Not Met

Source: GAO analysis of Enterprise Data Lake (EDL) information.  |  GAO‑26‑107629

EDL program officials noted that they hold regular meetings with Bureau areas to align with enterprise risk management and ensure strong communication between stakeholders in the Bureau. By continuing to use leading practices for risk management, the Bureau is better able to mitigate and address uncertainties that could have a negative impact on meeting objectives.

The Bureau Substantially Implemented Leading Practices Related to Requirements Management

Leading practices for managing requirements, as outlined in CMMI, note that project requirements are the basis for developing the right solutions to support mission needs.[17]

The Bureau established a requirements management plan for EDL in accordance with these leading practices. EDL utilizes a requirements structure consisting of epics (high-level functionalities needed to support the Census Bureau’s mission), features (functionalities that fulfill a stakeholder need), and stories (short descriptions of a small piece of desired functionality), with epics being the highest-level requirements, and stories being the most detailed requirements. The program’s implementation of its requirements management plan fully met three of the selected leading practices described in CMMI, and partially met one practice, as shown in table 7.

Selected practices	Assessment	Summary of assessment
Elicit stakeholder needs, expectations, constraints, and interfaces or connections, and confirm understanding of the requirements	●	EDL officials elicited new requirements from stakeholders through various means, including during the survey onboarding process and discussions during planning meetings. For example, surveys fill out a checklist prior to being onboarded to EDL. This checklist requests that onboarding surveys provide specifications and requirements for their usage of EDL, such as the survey’s data needs, number of workspaces needed, and tools required for each workspace. New surveys are also expected to prioritize the services and tools requested from EDL and list any additional technical information for the project, such as the local storage needs or interfaces with other Bureau systems. EDL officials also developed acceptance criteria for requirements validation and verification, which helps to confirm understanding of the requirements.
Transform stakeholder needs, expectations, constraints, and interfaces or connections into prioritized customer requirements	●	After gathering customer and stakeholder needs from the onboarding checklist, program officials transformed them into specific technical requirements. In addition, these officials identified other requirements by reviewing existing solutions, program documentation, new mandates from internal and external authorities, and discussions of business needs with the EDL program team. After writing these requirements, EDL officials prioritized the requirements by assigning them to 10-week intervals for development. These officials considered the business impact, return on investment, risks, and other factors when prioritizing the requirements.
Obtain commitment from project participants that they can implement the requirements	●	EDL officials obtained commitment from participants on the implementation of requirements during the program planning and development process. Specifically, after identifying the requirements, program officials assigned them to 10-week development intervals. These officials prepared for the intervals by conducting pre-planning meetings, allocating resources, and reviewing the work completed during prior intervals. Prior to beginning development during a given interval, EDL development teams reviewed the program’s list of prioritized requirements and committed to delivering the requirements that could be reasonably completed during the interval. Program officials tracked the work commitments for each interval in a requirements management tool, which they updated before each development interval.
Develop, record, and keep updated bidirectional traceability among requirements and activities or work products	◐	The requirements management plan requires EDL officials to trace requirements to activities and work products by using a requirements traceability matrix. This matrix is expected to trace high-level requirements (called epics and features) to corresponding low-level requirements (called stories). EDL’s requirements management plan also explains that test plans, a key component of ensuring traceability from source requirements to the solution, should provide linkages between requirements and the solution. EDL’s traceability matrix contains high-level requirements such as epics and features. However, it does not include lower-level requirements, known as stories, as required in the program’s requirements management plan. Instead, EDL officials stated that low-level requirements are assigned during planning for development intervals and are not included in the requirements traceability matrix. Additionally, program officials did not develop test plans as required by the requirements management plan and instead used a verification process to confirm system correctness.

Legend: ⚫—Met; ◕—Substantially Met; ◐—Partially Met; ◔—Minimally Met; O—Not Met

Source: GAO analysis of Enterprise Data Lake (EDL) information.  |  GAO‑26‑107629

While EDL program officials developed, recorded, and updated bidirectional traceability among requirements, it did not document low-level requirements in alignment with the program’s requirements management plan. Bureau officials acknowledged that EDL’s requirements management plan does not accurately reflect the process they use to ensure that requirements are fully traceable to the developed solutions. As a result, the program may have difficulty ensuring that low-level requirements are documented consistently. Adequately documenting requirements can ensure that there is consistency between the requirements and the solution, which increases the likelihood that the solution will meet user needs.

The Bureau Substantially Implemented Leading Practices Related to Cost Estimating

GAO’s Cost Estimating and Assessment Guide outlines best practices associated with developing a reliable, high-quality cost estimate to enable government programs to better estimate and manage their costs to improve program management and execution.[18] According to this guide, the four characteristics of a high-quality, reliable cost estimate are that it is comprehensive, well-documented, accurate, and credible.[19]

The Bureau’s cost estimate for EDL fully met two of the four characteristics of a high-quality, reliable cost estimate (well-documented and accurate), and substantially met the remaining two characteristics (comprehensive and credible). As a result, we found that the estimate EDL was reliable. Table 8 summarizes our assessment of EDL’s cost estimate compared to best practices.

Characteristic	Assessment	Leading practices	Summary of assessment
Comprehensive	◕	Includes all life-cycle costs	The life-cycle estimate included both government and contractor costs and the Bureau provided explanations for costs that were excluded. However, the Bureau used a fixed 10- year estimate window that could result in cost and schedule growth beyond the estimated timeframe. As a result, cost comparisons over time may be invalid if estimates reflect different scope as the program evolves.
		Completely defines the program and reflects the current schedule and technical baseline	The estimate provided a list of major supporting program documentation that was used to understand system capabilities, technical and program inputs, along with acquisition aspects. However, the estimate lacked a cost analysis requirements description, which can help ensure the technical baseline is maintained and updated in preparation for program reviews, milestone decisions, and major program changes.
		Incorporates a work breakdown structure with sufficient detail to ensure that cost elements are neither omitted nor double-counted	The EDL work breakdown structure was a product-oriented structure that aligns with other program documents. In addition, the work breakdown structure contained common elements, such as program management and systems engineering, which helps to ensure that all work is covered. However, the work breakdown structure was not standard, which would help to ensure that cost data can be collected and used for estimating future programs.
		Ensures that cost-influencing assumptions and ground rules on which the estimate is based are identified and documented	The basis of estimate document contained many, but not all, ground rules and assumptions. The ground rules and assumptions were generated using the source documentation outlined in the basis of estimate. All ground rules and assumptions were ultimately briefed to the program management office and leadership, then approved by the Cost Review Board. Many of the leadership members were original authors of the source documents.
Well documented	●	Shows the source data used, the reliability of the data, and the estimating methodology used to derive each element’s cost	The Bureau documented the source data used to develop the estimate in the basis of estimate document. Among other things, this document provided a description of the data and an assessment of the reliability of the data. The basis of estimate document also described each major cost element, and the methodology used to implement the estimate.
		Describes how the estimate was developed so that a cost analyst unfamiliar with the program could understand what was done and replicate it	The basis of estimate document provided a narrative description and cost tables to accompany the estimate model. This description included key information describing the estimate, such as a discussion of ground rules, assumptions, and limitations; a summary of data sources; a summary of the overall model design; and a description of the sensitivity analysis and risk and uncertainty analysis.
		Discusses the technical baseline description; the data in the technical baseline are consistent with the cost estimate	The EDL technical baseline was summarized in the basis of estimate document and included descriptions of each of the program’s development cycles. The basis of estimate document also outlined connections between program technical documentation and the cost estimate methodologies. This summary of the technical baseline was consistent with other program documentation.
		Provides evidence that the cost estimate was reviewed and accepted by management	The Department of Commerce IT Review Board reviewed portions of the cost estimate in April 2023 and requested that the Census Bureau report back on the completion of a baselined program office estimate by the end of December 2023. In response, EDL presented the cost estimate at a Bureau Cost Review Board briefing in December 2023.
Accurate	●	Developed by estimating each work breakdown structure element using the best methodology from the data collected	Most of the estimate was based on methodologies that used program or historical data as a basis. EDL did rely on input from subject matter experts for several key elements, such as onboarding and cloud costs. In the case of onboarding, EDL accounted for the potential for bias in this input; however, EDL did not fully make adjustments for potential bias in estimated cloud costs.
		Adjusted properly for inflation	The estimate was appropriately adjusted for inflation using historical inflation factors for previous years and estimates for future years.
		Contains few, if any, minor mistakes	The estimate was largely error-free.
		Regularly updated to reflect program changes and actual costs	EDL provided documentation that demonstrated that the estimate was updated to reflect program changes and actual costs. Also, the basis of estimate document addressed continuous cost analysis and stated that the EDL program office estimate will be continually updated with actual cost data.
		Based on a historical record of cost estimating and actual experiences from other comparable programs	The cost estimate was largely based on the historical performance of EDL. For example, the program office estimate was regularly updated with available data and demonstrates reconciliation with planned versus actuals hours/costs.
Credible	◕	Includes a sensitivity analysis that identifies a range of possible costs based on varying major assumptions, parameters, and data inputs	The basis of estimate document included a high-level summary of a sensitivity analysis that was conducted as part of the EDL program office estimate. The analysis was performed on each key input, which were assigned risk distributions. However, there were several elements that were not covered by the risk and uncertainty and sensitivity analyses, including labor rates and other important areas.
		Includes a risk and uncertainty analysis to quantify the imperfectly understood risks and identify the effects of changing key cost driver assumptions and factors	The EDL program office estimate incorporated cost risk and uncertainty analysis (when appropriate with the data available) into the estimate and provided the program office and Census Bureau decision-makers with these results. However, the 10-year estimate window combined with an annual budget constraint means that risk associated with schedule delays are not captured by the risk and uncertainty modeling.
		Cross-checked major costs to see if results were similar	The Bureau provided numerous examples of analysis performed to support cross-checks; however, they did not provide details related to how these checks compared with the baseline estimates or how they ultimately influenced the cost estimate. The Bureau stated that they cross-checked cloud costs by comparing financial data from the Commerce Business System and a cloud-tracking tool. According to the Bureau, this led to an updated cloud estimation methodology in the program office estimate.
		Included an independent cost estimate by a group outside the acquiring organization to determine whether other estimating methods produce similar results	The Bureau began, but did not complete, an independent cost estimate to reconcile with the program office estimate. Census Bureau officials determined that the program did not have sufficient in-house expertise to develop a comprehensive program office estimate. As a result, despite the program office estimate being prepared by an independent office, decision-makers may not have the full range of insights into the program’s potential costs that an independent cost estimate would typically provide. For example, an independent estimate using alternative methodology could have provided an objective measure of whether the point estimate is reasonable.

Legend: ⚫—Met; ◕—Substantially Met; ◐—Partially Met; ◔—Minimally Met; O—Not Met

Source: GAO analysis of EDL information.  |  GAO‑26‑107629

Overall, adhering to the cost estimating best practices identified in GAO’s Cost Estimating and Assessment Guide can help the Bureau effectively plan, manage, and oversee its modernization efforts.

The Bureau Partially Implemented Leading Practices for a Reliable Schedule

GAO’s Schedule Assessment Guide identifies best practices for developing and maintaining reliable project schedules.[20] According to this guide, a reliable schedule estimate is comprehensive, well-constructed, credible, and controlled.

Among other scheduling tools, Bureau officials have developed an integrated master schedule to manage EDL activities, and a work breakdown structure that details those activities. However, the Bureau’s schedule for EDL was not reliable because it did not substantially meet any of the four characteristics of a reliable schedule. Table 9 summarizes our assessment of EDL’s schedule compared to leading practices for reliable schedules.

Characteristic	Assessment	Best practices	Summary of assessment
Comprehensive	◐	Captures all activities	The schedule is planned from fiscal years 2023 to 2030. However, the basis of estimate document extends to fiscal year 2033 to account for a 10-year lifecycle period. Without capturing all activities, it does not appear that the schedule contains all required activities to accomplish EDL’s planned goals through 2033.
		Assigns resources to all activities	The schedule included labor resources by name and labor category. However, the schedule was missing resources for 72 percent of the detailed activities. Information on resource needs and availability in each work period assists the program office in forecasting the likelihood that activities will be completed as scheduled. If the current schedule does not allow insight into the current or projected allocation of resources, then the risk of the program slipping, or missing a deadline, is significantly increased.
		Establishes durations of all activities	The durations of activities are generally not short enough to be consistent with the needs of effective planning and program execution. In general, estimated detail activity durations for near-term effort should be no longer than the reporting period established by the program. If activities are longer than the reporting period, activities should have at least one quantitative measurable event within the reporting period.
Well- constructed	◔	Sequences all activities	The majority of the relationships within the detailed schedule are finish-to-start, representing straightforward, serial effort. However, we found a significant number of activities missing logic: over 26 percent of the remaining activities are missing predecessors or successors. It is necessary that all interdependencies between activities are identified for the schedule to properly calculate dates and predict changes in the future. We also found that 37 percent of the remaining activities have unjustified date constraints that prevent activities from taking advantage of time savings. This includes hard constraints that prevent activities from moving either forward or back in the plan in response to the status of predecessor activities. These constraints force activities to specific dates without much regard for the realism of the assumptions necessary to achieve them.
		Confirms that the critical path is valid	The scheduling software could not produce a valid critical path (the path of longest duration through the sequence of activities) due to the aforementioned sequencing issues. In addition, the Bureau noted that within the schedule, it may not be clear what the critical path is. Without a valid critical path, management cannot focus on activities that will detrimentally affect the key program milestones and deliveries if they slip. Unless the schedule can produce a true critical path, the program office will not be able to provide reliable timeline estimates or identify when problems or changes may occur and their effects on downstream work.
		Ensures reasonable total float	The float (i.e., the amount of time a predecessor activity can slip before the delay affects the program’s estimated finish date) did not reflect accurate flexibility due to sequencing issues and date anomalies. Without accurate values of total float, the schedule cannot be used to identify activities that could be permitted to slip and thus release and reallocate resources to activities that require more resources to be completed on time. In addition, inaccurate values of total float falsely depict true program status, which could lead to decisions that may jeopardize the program.
Credible	◔	Can be horizontally and vertically traced	The schedule was not completely horizontally traceable due to sequencing issues. Without horizontal traceability, the Bureau may be unable to verify that activities are arranged in the right order for achieving outcomes. In addition, the schedule was not completely vertically traceable due to the lack of corroboration between the schedule and other management documents. Without vertical traceability, there may be little confidence that all consumers of the schedule are getting the same correct schedule information.
		Conducted a robust schedule risk analysis	The program minimally met the best practice of conducting a schedule risk analysis. There is no evidence that the schedule used for the risk analysis was checked to ensure that it meets best practices before the simulation was conducted. If the schedule risk analysis is to be valid, the program’s schedule must reflect reli­able logic and clearly identify the critical path. If the schedule does not follow best practices, confidence in the risk analysis results will be lacking.
Controlled	◐	Updated regularly, using actual progress and logic	While progress is recorded regularly, the current schedule contains date anomalies. Specifically, there are activities with start and finish dates in the past with no actual dates input into the schedule. Officials reported that the schedule is examined regularly and there is a resource that updates this consistently. However, there was no evidence of schedule health metrics performed after a schedule update. Unless the schedule is kept updated, trend reports and analyses that highlight problems will not be useful in mitigating future delays.
		Maintains a baseline schedule	The baseline was last saved in October 2024, but there are several remaining activities that do not have baseline dates. Without a formally established baseline schedule to measure performance against, management cannot identify or mitigate the effect of unfavorable performance. EDL provided their schedule management plan, which describes some elements contained in a schedule basis document, such as the general approach to the program and the overall structure of the schedule. However, the plan did not include other elements, such as the status delivery dates for each project, the relationship between projects, and a list of key hand-off products and their estimated. Thorough documentation helps with analyzing changes in the program schedule and identifying the reasons for variances between estimates and actual results. In this respect, basis documentation contributes to the collection of cost, schedule, and technical data that can be used to support future estimates.

Legend: ⚫—Met; ◕—Substantially Met; ◐—Partially Met; ◔—Minimally Met; O—Not Met

Source: GAO analysis of U.S. Census Bureau.  |  GAO‑26‑107629

EDL officials acknowledged the shortcomings in the schedule and provided several reasons for the deficiencies. For example, related to the schedule capturing all activities for the entirety of the program, officials acknowledged that the program may extend well beyond the current 10-year schedule until they run out of usable features. Further, with regard to having a valid critical path, the Bureau stated that it may not be clear what the critical path is for the program because management relies more on the program’s survey release roadmap to determine critical activities. Without a valid critical path, management cannot focus on activities that will detrimentally affect the key program milestones and deliveries if they slip.

By implementing a program schedule that does not reflect the four characteristics of a high-quality, reliable estimate, the Bureau faces schedule uncertainty that may result in unreliable completion dates, time extension requests, and delays in the program.

The Bureau Partially Managed Selected Interdependencies Among its IT Modernizations

The Bureau partially managed selected interdependencies among the four IT modernization programs (CEDSCI, DICE, EDL, and Frames). Specifically, the agency fully implemented leading practices found in the CMMI for managing stakeholder interdependencies to ensure stakeholder commitment among these programs. However, the agency partially implemented leading practices found in the GAO Schedule Assessment Guide and the CMMI related to integrating schedule interdependencies.

The Bureau Fully Implemented Leading Practices For Managing Stakeholder Interdependencies

The Bureau fully implemented leading practices related to managing stakeholder interdependencies for the four programs. According to leading practices from CMMI, ensuring stakeholder commitment can ensure accountability, identify and sustain leadership, clarify roles and responsibilities, and enhance collaboration. Examples of this practice include periodically reviewing and recording the status of stakeholder involvement through events such as team and cross-functional coordination meetings, and identifying and recording significant stakeholder issues.

The Bureau developed an integration plan to ensure that risks and challenges among the four interconnected modernization programs are mitigated through collaboration and stakeholder commitment. Among other things, this plan notes that the Bureau is expected to hold governance meetings weekly, monthly, and quarterly to ensure that the Bureau has management commitment to the four programs.

As described in the plan, the Bureau has held meetings on a regular basis to ensure accountability and collaboration between the IT modernization programs. The CIO holds weekly meetings with the four modernization programs to discuss interrelated risks, challenges, and schedule updates. In addition, the Bureau holds monthly executive-level meetings with directorate leadership to discuss program status; risks, issues, and potential mitigations; and key enterprise-level decisions. These meetings include, among other things, discussions of program budgets and staffing; the status of onboarding surveys onto the modernization programs; plans for systems development, testing, and production; updates on plans for data migration; and the status of cloud infrastructure security and continuous monitoring activities. The programs also hold meetings as needed with survey stakeholders when surveys are about to onboard onto the programs.

These efforts provide stakeholders access to information needed to make long-term planning, funding, and investment decisions.

The Bureau Partially Implemented Leading Practices For Managing Schedule Interdependencies

The Bureau partially implemented leading practices for managing schedule interdependencies. According to GAO’s Schedule Assessment Guide, agencies should ensure that major handoffs between programs are discussed and agreed upon. In addition, agencies should ensure that all interdependencies in the programs’ schedules are clearly identified and logically and dynamically linked so that dates can be properly calculated. Attempting to manually resolve incompatible schedules in different software can become time-consuming and expensive and thus should be avoided. If it is not possible to avoid manual updates, agencies should have a defined and documented process for ensuring that schedules are updated when changes occur. Further, according to the CMMI, agencies should also track and monitor progress against the schedule by taking corrective actions when actual results differ significantly from planned results.

While each of the Census Bureau’s four modernization programs have a separate schedule, the schedules are interrelated. For example, the Bureau’s Business Ecosystem planning documentation notes that the DICE program’s survey onboarding schedule is one of the inputs for decision-making that helps drive the implementation activities of the other three modernization programs (e.g., EDL, Frames, and CEDSCI). Once onboarding dates are determined, they are manually added to each program’s integrated master schedule.

However, the Bureau has not documented a process for when and how the other programs update their schedules to align with changes to the DICE onboarding schedule. Bureau officials reported that potential schedule issues between the programs are discussed between program team leads and the management team. These officials noted that changes to programs’ schedules are done manually, not dynamically, to align with the DICE onboarding schedule. Bureau officials also reported that it was more effective to hold regular integration meetings to ensure that the four programs onboarding schedules were aligned, rather than to try to dynamically link all of the schedules. In January 2026, Bureau officials also reported that a representative for the EDL program serves as a member of the DICE Change Control Board. This is to ensure visibility and assess impacts of any schedule changes that may impact EDL’s onboarding schedule. However, the most recent DICE change management plan from 2022 does not document EDL as a member of its Change Control Board, nor does it document a process for any schedule changes among the programs.

Without a documented process for managing interdependent schedule changes across the programs, the Bureau may not identify schedule disconnects early enough to allow program management sufficient time to make decisions regarding possible sequences of activities. Potential schedule disconnects may also hinder the ability to predict the consequences of managerial action or inaction on events and increase the risk that the Bureau is unable to deliver a set of integrated systems for future surveys, such as the 2030 Census.

Conclusions

The Bureau’s current modernization programs will be essential for collecting and providing comprehensive data about the nation’s people and economy. These modernization efforts are especially critical given their role in the forthcoming 2030 Census, the results of which form the basis for the apportionment of seats in the U.S. House of Representatives.

To its credit, the Bureau has largely implemented leading practices related to managing risks, requirements, and cost estimating for its data processing and storage modernization program known as EDL. However, it has not updated the program’s requirements management plan to ensure that low-level requirements are fully traceable to solutions, nor has it developed a reliable schedule for the program. Accordingly, the agency lacks assurance that it can effectively deliver EDL on time, or that decision-makers have the information needed to monitor the program.

The Bureau has fully implemented practices for coordinating with stakeholders and ensuring stakeholder commitment among its modernization programs. However, it has not documented a process for managing schedule changes across its four interdependent modernization programs. Until the Bureau addresses key practices for managing interdependent schedules, the success of these modernization efforts and the surveys that rely on them, including the 2030 Census, will remain at risk.

Recommendations for Executive Action

We are making the following three recommendations to the Department of Commerce:

The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the requirements management plan for the EDL program is updated to ensure that it accurately reflects the process used to ensure that requirements are fully traceable to the developed solutions. (Recommendation 1)

The Secretary of Commerce should direct the Director of the Census Bureau to ensure that the EDL program develops a reliable schedule using the best practices described in GAO’s Schedule Assessment Guide. (Recommendation 2)

The Secretary of Commerce should direct the Director of the Census Bureau to define and document a process to ensure that the modernization programs regularly communicate about changes to the survey onboarding schedule and update relevant schedules for those changes. (Recommendation 3)

Agency Comments

We provided a draft of this report to the Department of Commerce and the Census Bureau for review and comment. A program analyst from the Bureau’s Policy Coordination Office provided comments via email, stating that Commerce concurred with all three of our recommendations and that the Bureau will prepare a formal action plan.

We are sending copies of this report to the appropriate congressional committees, the Director of the Census Bureau, and other interested parties. In addition, the report is available at no charge on the GAO website at http://www.gao.gov.

If you have any questions about this report, please contact me at (202) 512-6151 or walshk@gao.gov. Contact points for our Offices of Congressional Relations and Media Relations may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix II.

Kevin Walsh
Director, Information Technology and Cybersecurity

List of Requesters

The Honorable Gary C. Peters
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Andy Kim
Ranking Member
Subcommittee on Disaster Management, District of Columbia, and Census
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable James Comer
Chairman
The Honorable Robert Garcia
Ranking Member
Committee on Oversight and Government Reform
House of Representatives

Objectives

Our objectives were to:

1.    evaluate the extent to which the Census Bureau is implementing leading practices in managing risk, requirements, cost estimates, and schedule for a selected enterprise-wide IT program, and

2.    determine to what extent the Bureau is managing selected interdependencies among the enterprise-wide IT programs.

Scope and Methodology

Evaluating Leading IT Practices

For the first objective, we reviewed documentation describing the Bureau’s four IT modernization programs. We analyzed Bureau program management documentation, including program management plans, operational plans, strategic plans, risk management plans, requirements management plans, budget plans, and schedule management plans. Of the four modernization programs, we selected the Enterprise Data Lake (EDL) program due to its maturity and development. We did not select the other three for the following reasons:

·         We had recently audited the Center for Enterprise Dissemination Services and Consumer Innovation (CEDSCI) program.[21]

·         The Frames program was not relevant to our scope after discussions with Bureau officials indicating that it is a research project to modernize how data sets are linked and has a fixed annual budget.

·         The Data Ingest and Collection for the Enterprise (DICE) did not yet have baselined cost and schedule estimates, and thus could not be assessed against leading practices.[22]

We evaluated EDL’s implementation of four leading IT modernization areas, as described in more detail below: risk management, requirements management, cost estimation, and schedule estimation. For each of the four areas, we assessed the evidence against the best and leading practices to determine whether each program fully, substantially, partially, minimally, or did not meet the best practices. Specifically, “met” means that the Bureau provided complete evidence that satisfies the entire criterion, “substantially met” means the Bureau provided evidence that satisfies most but not all of the criterion, “partially met” means the Bureau provided evidence that satisfies some but not all of the criterion, “minimally met” means the Bureau provided evidence that satisfies less than some portion of the criterion, and “not met” means the Bureau provided no evidence that satisfies any of the criterion. For example, if an area had five criteria, satisfying three of the five criteria would be “substantially met,” satisfying two of the five criteria would be “partially met” and satisfying one of the five criteria would be “minimally met.”

We also interviewed Bureau officials to determine the extent to which they have implemented the selected leading practices. We corroborated our analyses by interviewing agency officials in the EDL program, especially in cases where they do not appear to have followed leading practices. Specifically, we interviewed Bureau officials from the EDL program and the Decennial Census directorate, including the EDL program manager, Associate Director of Decennial Census Programs, and the Bureau’s Chief Information Security Officer, on their approach to managing cost, schedule, requirements, and risk for the program.

Risk Management

To determine the extent to which the Bureau and EDL implemented leading practices for risk management, we selected five risk management leading practices identified by the Information Systems Audit and Control Association (ISACA) Capability Maturity Model® Integration (CMMI).[23] These leading practices map to CMMI’s Level 3 risk management practices, which are to use organizational standards and tailoring to address project and work characteristics. These selected practices were:

1.    identifying and using risk or opportunity categories,

2.    defining and using parameters for risk or opportunity analysis and handling,

3.    developing and updating a risk or opportunity strategy,

4.    developing and updating risk management plans, and

5.    managing risks or opportunities by implementing planned risk or opportunity management activities.

We then evaluated EDL program documentation against the selected practices. Specifically, we reviewed the program’s risk management plan, risk registers from April 2024 through December 2025, risk mitigation plans, and contingency plans.

To assess the reliability of data from EDL’s risk documentation, we interviewed knowledgeable Bureau officials, such as the EDL program manager, about the accuracy and completeness of the data. We also compared the data to other relevant program documentation on risk management, such as the department’s risk management plan. We determined that the data used were sufficiently reliable for the purpose of evaluating the program’s practices for managing risk.

Requirements Management

To determine the extent to which the Bureau had implemented leading practices for requirements management, we selected four requirements management leading practices identified in the ISACA’s CMMI.[24] These leading practices map to CMMI’s Level 2 practices of requirements development and management, which are to identify and monitor progress towards project performance objectives. These selected practices were:

1.    eliciting stakeholder needs, expectations, constraints, and interfaces or connections, and confirming understanding of the requirements;

2.    transforming stakeholder needs, expectations, constraints, and interfaces or connections into prioritized customer requirements;

3.    obtaining commitment from project participants that they can implement the requirements and activities or work products; and

4.    developing, recording, and keeping updated bidirectional traceability among requirements and activities or work products.

We then evaluated EDL program documentation against the selected practices. Specifically, we reviewed the program’s requirements management plan, documentation of stakeholder needs, user stories, requirements traceability matrix, and prioritized features in its requirement management tools, and reviewed how the EDL program demonstrated bidirectional traceability for its requirements and ensured that work products remained consistent with requirements.

To assess the reliability of data from the program’s IT requirements management tools, we interviewed Bureau officials about the procedures used by the program to assure accuracy and completeness of the data. We also compared the data to other relevant requirements documentation, such as user stories and planning intervals. We determined that the data used were sufficiently reliable for the purpose of evaluating the program’s practices for managing IT requirements.

Cost Estimation

To analyze the Bureau’s progress in monitoring and controlling cost for the EDL program, we compared cost documentation against cost best practices identified by our Cost Estimating and Assessment Guide.[25] These best practices map to the four characteristics of a high-quality, reliable cost estimate—comprehensive, well-documented, accurate, and credible. Specifically, we analyzed cost documentation supporting the EDL lifecycle cost estimate from December 2023. This documentation included the cost model, basis of estimate and other program office estimate documentation, independent cost estimate documentation, work breakdown structures, and documentation such as updates from meetings held by the EDL cost review board. To assess the reliability of the EDL cost estimate data that we used to support findings in this report, we evaluated relevant program documentation, such as cost estimating models, as available, to substantiate evidence obtained from interviews with knowledgeable agency officials. We found the data we used to be sufficiently reliable for the purposes of our report.

Schedule Estimation

To determine the extent to which the Bureau implemented schedule estimation best practices, we compared schedule documentation for the EDL program against schedule best practices identified by our Schedule Assessment Guide.[26] These best practices map to the four characteristics of a high-quality, reliable schedule estimate—comprehensive, well-constructed, credible, and controlled. Specifically, we analyzed documentation from the EDL program’s schedule from November 2024, including the integrated master schedule, backlogs, trend analysis documentation, and program board documents for the budget year. To assess the reliability of the EDL schedule, we evaluated documentation supporting the schedule, such as the integrated master schedule. We found the data we used to be sufficiently reliable for the purposes of our report.

Evaluating Management of Interdependencies Among the Programs

For the second objective, we identified interdependencies among the Bureau’s four modernization programs by reviewing prior GAO reports that describe interdependencies among programs in federal agencies. We then reviewed Bureau documentation, such as Business Ecosystem integration plans and risk registers, to determine which interdependencies the Bureau had identified as relevant for the Bureau’s four modernization programs. We discussed the interdependencies with staff within the Bureau’s Business Ecosystem business team, each of the four modernization programs, and the Office of the Chief Information Officer, to determine and validate which were relevant for the four modernization programs. We determined that stakeholders and schedule were the most relevant because the programs have overlapping stakeholders and interrelated schedules.

Related to managing stakeholder interdependencies, we reviewed and selected relevant criteria related to ensuring stakeholder commitment from the CMMI’s Monitoring and Control practice area. We then reviewed and evaluated Bureau documentation to determine the extent to which the agency had implemented the relevant practices from those criteria. For example, we analyzed the integration plan for the Bureau’s four enterprise-wide modernization programs; and agendas, slides, and meeting minutes from executive-level meetings where the modernization programs are discussed. We also interviewed staff within the Bureau’s Business Ecosystem Program Office, each of the four modernization programs, and the Office of the Chief Information Officer.

Related to managing schedule interdependencies, we reviewed and selected relevant criteria from the CMMI’s Monitoring and Control practice area and the GAO Schedule Assessment Guide. We then reviewed and evaluated Bureau documentation to determine the extent to which the agency had implemented the relevant practices in those criteria. For example, we analyzed the integration plan for the Bureau’s four enterprise-wide modernization programs; agendas, slides, and meeting minutes from executive-level meetings where the modernization programs are discussed; change management plans; and schedule management plans. We also interviewed staff within the Bureau’s Business Ecosystem Program Office, each of the four modernization programs, and the Office of the Chief Information Officer.

We conducted this performance audit from June 2024 to June 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

GAO Contact

Kevin Walsh, walshk@gao.gov

Staff Acknowledgments

In addition to the contact named above, Kate Sharkey (Assistant Director), Lisa Hardman (Analyst-in-Charge), Amanda Andrade, Chris Businsky, Juaná Collymore, Matthew Gray, Elizabeth Harris, William Laing IV, Carlton Maynard, Ty Mitchell, Teresa Smith, Walter Vance, and Adam Vodraska made key contributions to this report.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on X, LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact FraudNet:

Website: https://www.gao.gov/about/what-gao-does/fraudnet

Automated answering system: (800) 424-5454

Media Relations

Sarah Kaczmarek, Managing Director, Media@gao.gov

Congressional Relations

David A. Powner, Acting Managing Director, CongRel@gao.gov

General Inquiries

https://www.gao.gov/about/contact-us