The Census Bureau did not implement security baselines and basic security practices for its cloud implementation, leading to “severe risks to 2020 Census cloud environments,” according to an audit from the Department of Commerce Inspector General released June 19.
The Census will rely on commercial cloud services to store data “for its primary means,” making the need for a strong cloud security posture crucial to the success of the 2020 Census. The Bureau is relying on contractors to manage the cloud environments related to the 2020 Census, while Federal personnel in the agency’s Office of Information Security (OIS) manage enterprise cloud environments.
The Inspector General did not hold back in its criticism of the Bureau’s security posture.
“We found that the Bureau’s cloud-based IT systems – which will support the 2020 Census – contained fundamental security deficiencies that violated federal standards and U.S. Department of Commerce policies. Many of these deficiencies indicate that the Bureau was behind schedule and rushed to deploy its systems to support the 2018 [End-to-End] Test and the 2020 Census,” the report found.
The audit found unsecured root user keys for environments that held data protected by Title 13 of the United States Code, leading to “severe risks” to the data. Root user keys were not disabled for the assessed environments and were lost in both 2020 Census and enterprise environments, requiring technical intervention from the cloud service provider and taking an extended period of time to fix. While no malicious activity was detected, the report finds that the Bureau “exposed the 2020 Census preparations to potentially catastrophic risk by not securing the root user accounts.”
The Inspector General also found that the Census Bureau did not securely configure its cloud environments before putting them into production. While the Census Bureau set baselines rooted in industry best practices, it did not follow them. Unused credentials were not disabled, multi-factor authentication was not implemented on some accounts, and the majority of alarms were not utilized.
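The findings in the two preceding paragraphs (root user keys left enabled, unused credentials not disabled, accounts without multi-factor authentication) are the kind of baseline violations a defender checks for mechanically. The following is an added example, not code from the audit or the Bureau: it evaluates a constructed credential report whose CSV columns are assumed to resemble a cloud provider's IAM credential export, and flags each gap.

```python
"""Added example: a baseline check for the account-hygiene gaps the audit names
(active root access keys, missing MFA, credentials left enabled but unused).
Input is a CSV modelled on a cloud IAM credential report; columns are assumed."""
import csv, io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not data from the audit): the root row plus two users.
SAMPLE_REPORT = """\
user,mfa_active,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date
<root_account>,false,true,2018-06-01T12:00:00+00:00,true,2018-02-10T09:30:00+00:00
cloud-admin,true,true,2018-07-10T08:00:00+00:00,true,2018-07-11T08:00:00+00:00
old-contractor,false,true,2017-11-01T00:00:00+00:00,false,N/A
"""

def _parse_ts(value):
    """Aware datetime, or None when the report has no usage timestamp."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_credential_report(report_text, now, unused_days=90):
    """Return sorted (principal, finding) tuples for each baseline violation."""
    findings = []
    cutoff = now - timedelta(days=unused_days)
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        pw_on = row["password_enabled"] == "true"
        key_on = row["access_key_1_active"] == "true"
        if user == "<root_account>":
            # Root should hold no access keys and must require MFA to sign in.
            if key_on:
                findings.append((user, "root access key active"))
            if not mfa:
                findings.append((user, "root MFA disabled"))
            continue
        if pw_on and not mfa:
            findings.append((user, "console user without MFA"))
        # Enabled credentials never used, or not used since the cutoff, are stale.
        for label, col, enabled in (("password", "password_last_used", pw_on),
                                    ("access key", "access_key_1_last_used_date", key_on)):
            last = _parse_ts(row[col])
            if enabled and (last is None or last < cutoff):
                findings.append((user, f"{label} unused for more than {unused_days} days"))
    return sorted(findings)

def run_sample():
    """Evaluate the constructed report as of 1 Aug 2018 (cutoff 3 May 2018)."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2018, 8, 1, tzinfo=timezone.utc))
```

Running `run_sample()` flags the root account twice and the stale contractor account twice, while the actively used, MFA-protected administrator passes.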
“We found no indication that the assessors took actions to verify whether the … cloud environments actually adhered to the security baselines,” the audit found. “OIS’ inattention to the fundamental security requirements for critical 2020 Census systems caused security vulnerabilities to persist with no awareness of the weaknesses.”
Finally, the audit found that basic security controls – like disaster recovery planning, data backup, and a cloud exit strategy – had not been completed before the 2018 End-to-End Test, putting sensitive data at risk. Cloud administrators were uncertain of which databases and virtual servers held which data, and did not keep a record of sensitive data.
The rushed nature of 2020 Census preparations factored into the inadequate posture, according to the Inspector General’s report.
“We found that although the backup solution was available in January 2018, cloud administrators did not begin to implement the backup solution until July 2018 because the Bureau had not granted the backup solution an authorization to operate. This lack of implementation illustrates our overall conclusion that the Bureau was behind schedule to have fundamental security functions in place before collecting Title 13 data,” the report notes.
The audit includes eight recommendations, all of which the Bureau concurred with.