It’s a lot of data — and by law, all of it must be kept confidential and protected. That keeps Beau Houser, the bureau’s chief information security officer, and his team of roughly 100 security specialists and developers focused not only on daily security threats but also on many projects to modernize the security of the bureau’s complex IT infrastructure.

When Houser joined the Census Bureau in the fall of 2019, following security stints at the Department of Homeland Security, the Centers for Medicare & Medicaid Services, and the U.S. Small Business Administration, he recognized several challenges faced by many federal agencies that needed immediate attention.

Among other concerns, improving and enhancing visibility into the bureau’s IT environment was needed to strengthen the ability to detect and respond to cybersecurity threats. The bureau also faces burdens with managing a large number of servers supporting enterprise log management, which requires extensive maintenance and resources. Additionally, the bureau’s security practices were centered primarily around compliance, which had become increasingly ineffective at protecting against new and rapidly evolving cyber threats.

Focusing on the challenge

While the Census Bureau had been actively migrating many IT operations to the cloud, Houser determined that one critical area to address was the need to “implement a different approach to enterprise audit and log management.”

Part of that was driven by new agency mandates issued in an August 2021 White House memo (M-21-31) outlining steps to establish a more mature log management system to detect, investigate and remediate cyber threats on-premises and across increasingly distributed third-party services. Prompted partly by the SolarWinds malware incident, the memo also required agencies to prepare to share incident information with other federal agencies to help the government respond to incidents more quickly.

Another factor was what Houser described in a recent interview as “a big data problem” involving multiple terabytes of data per day. Storing and analyzing that data required maintaining and patching roughly 50 aging servers dedicated to the enterprise logging service. “You’ve got logs coming from tens of thousands of devices — simultaneously feeding logs into a centralized repository. And we saw how critical it is for us to get that right to quickly recognize and respond when something bad happens.”  

Transformative solution

Houser knew the bureau needed a cloud-native enterprise logging solution aligned with its ongoing cloud migration strategy. Specifically, he sought a solution that met several critical criteria: It had to be flexible and scalable to manage and aggregate the massive amounts of log data generated by the Census Bureau’s operations during peak periods. It had to provide comprehensive visibility across the bureau’s entire IT environment. It needed to lower operating costs and complexity. Lastly, Houser wanted a software-as-a-service solution that reduced his team’s maintenance activities to allow more time to hunt potential threats proactively.

After a careful evaluation, the Census Bureau transitioned from an on-prem logging service to a cloud-native enterprise logging analytics solution, delivered and maintained as a service by one of the leading federal cloud and enterprise providers.

Improved outcomes

The transition, once complete, started paying dividends almost immediately, according to Houser, by providing:

• Full integration – “From a log source standpoint, we’ve been able to aggregate all logs from the entire enterprise,” said Houser. That includes logs from on-prem devices, the bureau’s data center, and other cloud services. “So you’re talking about a cloud-to-cloud communication from that standpoint.”

• Wider visibility – The transition provided a broader window on security data not just for security operations staff but also for operations and maintenance personnel who need this information for troubleshooting errors and communication bottlenecks. The security problems captured in the log files “are expansive,” he said, so it’s important that “there’s a lot of experts dealing with those problems and reviewing the logs to figure out exactly what’s going on. We’ve been able to improve our collaboration pretty significantly.”

• Greater granularity – Adopting advanced cloud-native solutions increases zero-trust capabilities that “allow you to be very granular with [user] access. It’s helping tremendously,” said Houser.  “Before, if you could read something, you could copy it. Now what we’re seeing is broken down even further, where you can give someone read access and deny them access to copy it.”

Zero-trust implementation

That added granularity also helps the Census Bureau apply conditional or attribute-based access policies versus role-based ones. “More and more cloud service providers are beginning to build those capabilities into their cloud natively,” Houser explained.

“Once you’ve got your authentication and policy engine in the cloud, you can configure those policies to say, ‘You’ve got to have this login with multi-factor. You have to be on this specific device. And you have to be coming from this geographic location.’ So, you open up a whole new set of attributes that you can use for that login process. We’ve seen so many attacks where someone takes over an account, and then they run through a system. If you have the conditional access set up, the account alone won’t let you in.”

Another advantage of a cloud-based software-as-a-service that Houser’s team is now working to capitalize on is the ability to configure endpoint products centrally. “So if malware hits a laptop, we can configure the automation to say, ‘Automatically download the forensics package, automatically quarantine the box, automatically do this step, and that step.’  So, you can create logic related to the workflow that the analyst would typically do.”

Lessons learned

In addition to achieving greater security practices and lowering operating costs, Houser believes working with cloud-native solutions to support zero-trust will yield additional benefits.

“As we continue moving down this path, we’re going to be able to really improve the user experience,” on par with the experience consumers routinely encounter engaging with their bank. There’s a lot of flexibility with zero trust. It sounds rigid when you say zero trust, but it’s very flexible.”

Additionally, Houser sees a longer-term benefit in picking up the tempo of technology deployment.

“The vendors in this space are all very, very capable. But at the end of the day, our IT folks have to maintain whatever we set up.” The challenge organizations increasingly face is “there’s not enough IT expertise — and certainly not enough cyber expertise” to keep up with the pace of change.

Leveraging cloud-native software-as-a-service solutions helps address that and allows new capabilities to be implemented quickly. “We’re always seeing new functions and capabilities creep into the portals we use to access the data. Queries get more optimized, intelligence gets more streamlined and integrated, and you’re able to do more AI and machine learning type activities that allow your analysts to focus on higher-level analysis.”

This report was produced by Scoop News Group for FedScoop as part of a series on technology innovation in government, underwritten by Microsoft Federal.

The post How the U.S. Census Bureau leveraged cloud services to modernize security appeared first on FedScoop.

In a heavily redacted report published Nov. 22, the watchdog recommended the agency’s chief information officer implement the periodic review of active directory permissions, implement advanced authentication security controls and develop alerts that align with common detection methods for known cyberattacks.

The detailed report set out a total of 11 recommendations for the director and CIO of Census after the Commerce OIG engaged a red team to simulate a cyberattack on the Census Bureau.

While the penetration testing team was unable to breach the agency’s external defenses, once Census allowed them into its networks to simulate a successful breach, they were able to move around with ease.

“Once the Bureau provided the red team with an internal foothold under an assumed breach scenario, we determined that the Bureau did not have an effective cybersecurity posture in place to prevent against a simulated real-world attack,” the IG said in its report.

“Specifically, we found that the red team was able to gain unauthorized and undetected access to a Bureau domain administrator account as well as personally identifiable information (PII) of Bureau employees,” it added.

Commerce’s OIG also outlined in its findings that the red team had succeeded in reducing the bureau’s defensive options and sending fake emails.

Census is in the process of rolling out a zero-trust architecture, which is intended to prevent bad actors from moving laterally within an agency’s networks, even after they have breached the perimeter, as was the case in this simulated attack.

Commenting on the findings, a Census spokesperson said: “The Census Bureau believes the best way to ensure a robust system is to thoroughly test it using real-world attack techniques. In that spirit, we agreed to go a step further [with the penetration testing] and grant the red team special internal access to assess any potential areas of improvement. The members of the red team were vetted in advance.”

“During this exercise, the security firm identified areas of improvement and we are already taking action to make our robust cyber network even stronger. Cybersecurity has long been a core priority for the Census Bureau given our role as the nation’s leading provider of quality data. Our deep commitment to protecting data will continue,” the spokesperson added. “The bottom line: the contracted security firm was unable to access our system until we gave the red team the necessary access to complete the assessment. We value OIG’s role and appreciate the audit which allowed for a strong cyber exercise and will help us further improve our already robust cyber framework.”

The post Watchdog calls on Census Bureau to improve cyber incident detection and alerting appeared first on FedScoop.

As part of an ongoing pilot, Treasury had the IRS provide the bureau with data it used to build a model of race and ethnicity at the micro and person level. The bureau’s model was then matched with other IRS data to uncover biases.

The Census Bureau didn’t want to share publicly provided survey data with the IRS, lest it be used to collect taxes, but recognized tax data lacks race and ethnicity codes the bureau uses.

“We’re not sharing the data,” said Ron Jarmin, deputy director of the Census Bureau, at the ACT-IAC Imagine Nation ELC 2022 on Monday. “But we’re sharing insights from the model that’s based on our data, that makes their data model much more powerful.”

Not only can Treasury verify equitable distribution in the timing of tax refunds, but it can compare the timing of check mail deliveries with that of direct deposits.

Meanwhile the IRS and other agencies can be confident the Census Bureau won’t release the findings, Jarmin said.

“We’re hoping that this is something that we’ll be able to do with other state, federal and local government agencies to help them,” he added.

The Census Bureau has used administrative data from other agencies for decades, but now it’s looking to use unstructured data. For instance, the bureau is trying to use transaction-level data from retailers for more timely, granular sales statistics to improve its own price analyses, Jarmin said.

“If we can do more accurate statistics using the sort of unstructured, transaction-level data that gets generated every time you purchase something, we should be able to produce far better statistics,” Jarmin said. “And maybe stop doing surveys every month of retailers across the country.”

The post Census Bureau shares analytics insights, not data, in pilot with IRS appeared first on FedScoop.

Dubbed the Census Acceleration to Secure Cloud (CASC), the IT modernization approach is in the early stages of understanding the state of the industry and its offerings and planning procurements for small businesses and full and open competition.

Demand for data at the pandemic’s outset prompted the bureau to create the Household Pulse Survey to fill gaps in the government’s understanding of the social and economic impacts, but now it wants an ecosystem for collection, storage and processing.

“The USCB’s focus as an agency must no longer be simply to field surveys and censuses, and to publish the results, but rather to shift to combining data science with traditional survey methods, elevating and diversifying data products, and placing data at the center of the approach by accelerating to secure native cloud services,” reads the request for information (RFI). “The objective of this initiative is to address challenges and propose new ways in which the USCB will take advantage of native secure cloud services.”

The CASC approach consists of three pillars: technical support reducing the bureau’s on-premise data center footprint over time through cloud migration, secure cloud technical capabilities and services, and technical services assisting the migration of applications and development of new ones in the cloud.

Four initiatives form the foundation of CASC, the first being an enterprise data lake (EDL). 

Next is the Frames Program, involving the collocation and linking of datasets within the EDL to do everything from tailoring a survey to answering new questions about jobs and COVID-19 vaccination rates.

“Centralization and ‘linkability’ will increase efficiency, reduce duplicative efforts to maintain and manage data, and greatly expand our capacity to answer critical questions about the population and economy at multiple geographic scales,” reads the RFI. “These linked, augmented and continuously updated datasets will provide a more comprehensive means for maintaining and updating the inventory of our nation’s addresses, jobs, businesses, people and other linked data.”

The third initiative is Data Ingest and Collection for the Enterprise (DICE), a modern platform serving as the entry point for all of the bureau’s data. A foundation for DICE was deployed during 2020 census work, but more needs to be done to enable adaptive survey design and reduce the need for costly updates and system rebuilds.

Last is the Center for Enterprise Dissemination Services and Consumer Innovation (CEDSCI), the primary platform for public data dissemination. The bureau envisions CEDSCI as a means to provide data products quickly and improve the user experience to allow for discovery and new visualizations.

Together the four initiatives will form an integrated system of systems called the Census Operations and Data Ecosystem (CODE).

“CODE will provide myriad data linking capabilities, using secure and confidential data sources, for evidence-building questions like: “Did a government business incentive program reduce poverty in selected neighborhoods?” reads the RFI.

Market research will continue beyond the initial CASC RFI to keep pace with the evolving IT environment. Respondents have until 9 a.m. EST on Oct. 11 to submit comments on the RFI.

The post Census Bureau moving beyond surveys and censuses with cloud-based data ecosystem appeared first on FedScoop.

Most significantly, the website has been improved through a redesign of its main navigation bar at the top of the page and new navigation options for high-frequency users like researchers, educators and survey respondents have been introduced.

“The Census Bureau conducted extensive customer research and usability testing to identify ways to improve the digital experience and enhance how users find statistics for research, projects and business needs,” Census said in a press release Monday.

“The Census Bureau has boosted overall site performance and mobile functionality along with updating the visual design,” the agency added. The refreshed Census.gov website debuted on September 17.

Improving researchers’ access to datasets held by federal agencies remains a key priority for data and IT leaders across government. In an interview with FedScoop earlier this month, Federal Chief Data Officer Denice Ross highlighted the use of disaggregated data as a core priority and its importance for identifying policy inequalities.

The website refresh comes as reshaping digital service delivery remains high on the Biden administration’s agenda, following the customer experience executive order signed by President Biden last year.

The order mandates that federal agencies commit to placing citizens’ user experience at the center of everything they do and that departments take actions including piloting new online tools and technologies to provide a “simple, seamless and secure customer experience.”

It came after the Biden-Harris administration last year announced that improving the design of digital services and the customer experience management of high-impact government service providers were among top priorities in the president’s management agenda.

The post Census bureau redesigns website to make it more accessible for high-frequency users appeared first on FedScoop.

A beta version of the Census Survey Explorer launched in April to help researchers, who previously had to open every survey’s webpage for descriptions to know they weren’t overlooking data they needed.

Bureau surveys cover more than 100 topics, and subtopics overlap across large program areas — economic surveys collecting data on business owner characteristics and demographic surveys like the American Community Survey or Current Population Survey gathering data on employment status and income. Adding layers like geographic area complicates matters further.

“For each survey we had to convey the geographic availability, how frequently data are released, how far back the survey went, what topics were available, and we also needed to visualize this information,” said Eric Coyle, intergovernmental affairs specialist at the Census Bureau, during the 2022 Government UX Summit on Wednesday.

The Census Survey Explorer helps researchers narrow down what surveys to reference using dropdown menus to filter by data topics and geographies.

An unidentified commercial off-the-shelf product ingests the relevant data and serves it through an application programming interface to a JavaScript application. All told the tool took two months to stand up with survey owners providing input throughout the process.

“Even with our very simple prototype, we had a great deal of feedback,” said Logan Powell, developer experience lead. “And we integrated that feedback as we went through the process.”

A week-long soft launch helped ensure there were no bugs with the tool and gave the project team, which resided in the Communications Directorate at the time, time to do internal marketing.

Potential users needed to know the tool existed and where to find it, so a banner announcing its launch was displayed across many of the bureau’s webpages and a tutorial video released.

A Topics page helps users identify the search term they’re looking for, such as race if they’re seeking demographic data on Black people, and a Help page addresses frequently asked questions about the tool.

“Instead of having to crawl through lots of webpages, you now have narrowed down your choices to just a few surveys to go and click into and do some further investigation,” said Mary Leisenring, program analyst.

The post Census Survey Explorer helping users find the data they need appeared first on FedScoop.

Whichever contractor the Decennial IT Division chooses would establish strategies, roadmaps, engineering management processes and technology research initiatives to create a solution architecture for the 2030 census.

The first “online census” in 2020 undercounted the Black, American Indian reservation and Hispanic populations, after the COVID-19 pandemic and the Trump administration’s shortening of the response deadline delayed integration testing of 12 IT systems. This time the bureau seeks a “skillfully integrated, efficient, scalable and secure system of systems.”

“Given the criticality of the early work performed under this contract to the success of the decennial program, the DITD is interested in forming a partnership that builds upon the innovations of the past decade, applies the lessons learned from the 2020 census, enhances the quality of the decennial census, reduces overall cost, and meets required timelines,” reads the notice posted to SAM.gov on April 8. “The DITD seeks a partner who demonstrates an understanding of and dedication to the decennial mission and/or major field data collection operation across the United States and U.S. territories [and] has a history of excellence and leadership in systems engineering and integration for large-scale government programs.”

The bureau wants this early decade contract to ensure “maximum flexibility” to accommodate later 2030 census design decisions and finalization, according to the request for information (RFI). The 2030 census is currently in the operational design selection phase slated to run until fiscal 2024, when the IT solution development and integration phase begins and runs through fiscal 2029.

An IT strategy and roadmap must include a program timeline with milestones; identify technology gaps; and address systems, technologies and their integration, according to the statement of work.

The awardee will further be responsible for IT organization and the framework outlining all participating service providers’ roles and responsibilities, as well as establishing governance entities.

Other contractor responsibilities include integrating and documenting the 2030 census IT architecture; overseeing evaluation of innovative, alternative technologies; and project management.

The RFI asks interested vendors about their experience with such planning, strategies they’d employ for managing service providers over a decade, how they’d deploy a field mobile data collection solution, and research needed to modernize census data collection and analysis for speed and accuracy.

Interested vendors must respond by 5 p.m. ET Wednesday.

The post Census Bureau seeks small business to develop 2030 census IT strategy appeared first on FedScoop.

Differential privacy — systems that withhold information on people in datasets while publicly sharing data on group patterns — will be used with forthcoming census products like the demographic and housing characteristics file.

The bureau already employed differential privacy to mitigate the risk of census respondents being re-identified when it released redistricting data, used to redraw legislative boundaries every decade, in August. But GAO found there’s no way of knowing if that’s currently “realistic and achievable” with forthcoming data products.

“The success of a program depends in part on having a reliable schedule that defines when work will occur,” reads GAO’s report. “Without a specific and complete schedule, the bureau may be unable to accurately plan for and track progress on disclosure avoidance steps for future data products.”

The Decennial Directorate cited the fact its schedule is being updated in phases for not yet setting deadlines for additional disclosure avoidance activities, but it expected to make “key decisions in the winter and spring.

GAO recommended the bureau update its schedule of activities with specific timeframes because of their potential to impact “key features” of the 2030 census being decided over the next three years, and the agency agreed.

“The Census Bureau will prepare a formal action plan addressing this recommendation upon GAO’s issuance of the final report,” wrote the Department of Commerce, within which the bureau resides, in its response.

Previously the bureau mitigated indirect disclosure of personally identifiable information through data suppression, swapping an rounding, but advances in technology saw it identify a vulnerability in published 2010 census data in 2018. The bureau reconstructed the sex, age, race and ethnicity information of some people using that data, so it turned to differential privacy in 2020.

Since then the Data Stewardship Executive Policy Committee has held several meetings to discuss user outreach and make decisions around differential privacy, and the bureau has published several demonstration data products.

The bureau continues to assess 2020 census data quality with tools like the independent Post-Enumeration Survey (PES), a sampling of the population used to estimate the number of people and houses missed or counted more than once, as well as undercounts and overcounts of the population by demographic — with national estimates released March 10 and state estimates expected June 30, 2022.

Tool releases are delayed because the COVID-19 pandemic delayed census operations beginning with field data collection, but GAO raised concerns about 2020 census planning — including the development of new IT systems — back in 2017 when it was placed on the High-Risk List.

“[C]ontinued attention and oversight is warranted, as multiple data products have yet to be produced and key activities related to data privacy and quality remain to be completed,” GAO’s report reads.

The post Report: Census Bureau should set timeframes for protecting respondents’ data privacy appeared first on FedScoop.

The census “undercounted the Black or African American population, the American Indian or Alaska Native population living on a reservation, the Hispanic or Latino population, and people who reported being of Some Other Race,” the Census Bureau said Thursday. “On the other hand, the 2020 Census overcounted the Non-Hispanic White population and the Asian population.”

The 2020 count — labeled by officials as the first “online census” — faced numerous stresses on its IT infrastructure, in addition to the challenges that came with a global pandemic, natural disasters and hangups within the Trump administration, including efforts to add a citizenship question and stop the count earlier than planned. Among the new technology was an iPhone app that enumerators used when trying to count the homeless population.

The count of Black or African American population had an undercount of about 3.3%; the shortfall for the Hispanic or Latino population was nearly 5%, and the American Indian or Alaska Native population living on reservations had an undercount of about 5.6%, the bureau said.

Meanwhile, there was an overcount of the non-Hispanic White population of more than 1.6% and an overcount of the Asian population of about 2.6%. “The Native Hawaiian or Other Pacific Islander population was neither overcounted nor undercounted according to the findings,” the bureau said.

The reviews were the Post-Enumeration Survey, which “estimates the population using a sample survey,” and the Demographic Analysis, which “estimates the population using vital records and other data.”

The census counted “323.2 million people who were living in housing units on April 1, 2020,” the bureau said.

The bureau will release more detailed information about the 2020 count later this year, including detailed breakdowns by state.

The post Reviews of 2020 census data show undercounts of some demographic groups, overcounts of others appeared first on FedScoop.

By March 22, 2020, Ohio became the sixth state to declare a coronavirus lockdown. It had only been two weeks since a state of emergency had been declared. And in that time, the state’s Chief Information Officer (CIO), Ervan Rodgers, needed to shift tens of thousands of employees to remote work.

“In two weeks, we got roughly anywhere from 30,000 to 55,000 people in a work-from-home status. That’s lightning speed,” Rodgers said, speaking at the 2021 Public Sector Innovation Summit sponsored by VMware. Rodgers left his CIO post in June to take a role in the private sector, but shared the lessons he learned through that period. (Watch the full panel discussion here.) 

While the pandemic would prove to be disruptive for millions of Americans, there was a silver lining in how it forced many public sector agencies to rethink how to accomplish their missions. Telework, as it was once known, no longer accurately described what was happening to the nature of work — or conveys an accurate picture of the technology landscape that is revolutionizing what it means to work in the public sector.

“State government has not necessarily been an environment where we’ve worked from home. It’s kind of frowned upon,” Rodgers said. “However, I think the pandemic not only ignited innovation, but it’s also given us an ability to prove that we’re, in some cases, much more productive.”

Government workers in Ohio weren’t alone. At the U.S. Census Bureau in Washington, D.C., — an agency perhaps best-known for its paper forms and army of pencil-toting census takers — Deputy CIO Dr. Gregg Bailey sent more than 15,000 employees home in the middle of the decennial population count.

In a weird sort of way, the changes brought about by the pandemic were “really good timing for us from a technology standpoint,” Bailey said. The bureau had been racing against the clock to overhaul its IT operations to make the 2020 census the first to be conducted primarily online.

“Because we were beginning the census, we had expanded our bandwidth dramatically. And ironically, the day we went to 15,000 teleworkers was the highest day for the self-report, internet census. “We had a huge number, over 100,000 concurrent respondents filling out the census, at the same time we had 15,000 new employees teleworking.”

Cultural implications: It’s different this time

For Bailey, it’s important for agencies to make a distinction between teleworking of the past and what is taking place post-pandemic. It goes “beyond telework” to “work from anywhere,” he said, and the new normal has significant implications for culture and security. 

“We have the ability to go anywhere from a technical standpoint, and now it becomes an issue of policy,” Bailey said. “We’re working with the union and we’re working with the employees and the leadership to see what that is going to look like.”

Cameron Chehreh, Chief Technology Officer and Vice President of Pre-Sales, Engineering at Dell Technologies Federal, said whatever the anywhere workforce looks like will entail a “rethinking of work” for the public sector.

“There’s no water cooler to gather around anymore,” he said. “So how do I actually take teams of people that were used to working in an office and make them productive, in that work from anywhere situation, and make sure that we’re getting work completed, and that the mission of government and continuity is continuing to occur?”

Part of the answer is leveraging new technologies, like Virtual Desktop Infrastructure (VDI) and cloud computing, Chehreh said.

The other part of the answer, and perhaps the most important part, is culture — and ensuring employees feel connected. It’s not always as easy as it sounds, but sometimes the solutions are right in front of us.

“We found things as simple as turning the [web] camera on has been a really important solution,” said Bailey. “We were finding there were people being hired during the pandemic who wouldn’t turn their camera on. And so they literally had never met their boss visually,” he said. “Although we’re not demanding the use of cameras, we’re trying to encourage their use.”

Rodgers acknowledged that tools like Microsoft Teams and VMware have enabled public sector agencies to reshape the workplace. “It’s the future of the workplace, where you’re going to have some folks that are working from home, some folks that are in the office, and they might switch schedules,” he said. “There are folks who are reimagining the workplace, things are only going to get more exciting from a cultural perspective.”

For Chehreh, the cultural shift looks more profound this time around. 

“Never forget or underestimate the power of culture,” he said. “And you have to make sure people continue to connect. If you don’t have that team environment, then you don’t have people that will run through walls for you to be able to get things done. But we can safely and securely innovate. And there’s a level of excellence in this country I haven’t seen in a long time. And it’s the pandemic that brought out the best of us.”

Learn more about “Enabling an Anywhere Workforce” and how VMware is helping to accelerate public sector innovation.  

The post Enabling an anywhere workforce in government appeared first on FedScoop.