Federal agencies participating in the Office of Management and Budget’s (OMB) Data Center Optimization Initiative (DCOI) report that they are on track with previously announced plans to close hundreds of outdated data centers, but many of the facilities that will continue to operate are at increased risk of being hacked, the U.S. Government Accountability Office (GAO) warned last week.
As of August 2019, 23 of the 24 agencies participating in the initiative said they had met or were on track to meet their fiscal year 2019 closure goals. Thus, out of more than 2,700 government-wide facilities, 286 were planned for closure, with 37 more expected to close within the next couple of years.
A total of 102 facilities had been closed by August 2019, with 184 more planned to be closed by the end of fiscal year 2019. Additionally, 31 data centers are planned for closure in fiscal year 2020, five in 2021, and one in 2022.
“Based on our past work reviewing agencies’ DCOI strategic plans, this total number of planned closures is likely to increase when agencies submit their annual DCOI strategic plans in the spring of 2020,” GAO notes in a newly published report (PDF).
However, over 2,000 facilities that will continue to operate face increasing security risks as the agencies that use them are no longer required to report about cyber-threats and vulnerabilities, meaning that the OMB’s visibility into them is significantly diminished.
This is due to the fact that, in June 2019, OMB issued revised guidance that narrowed the scope of the type of facilities considered data centers, thus eliminating reporting requirements for over 2,000 facilities. However, this increases the chances of agencies losing track of the vulnerabilities affecting these facilities, making them an easier target for malicious hackers.
The new GAO study reveals that due to the lack of reporting requirements for key facilities and lack of proper documentation of decisions on which facilities are exempt from DCOI, agencies might remain exposed to vulnerabilities and oversight of consolidation, and optimization efforts may be impaired.
“While OMB previously acknowledged that these types of facilities inefficiently consume resources and pose security risks, agencies are no longer required to report these locations in their inventories. Further, there is currently no documentation of OMB’s decisions on agency requests to remove data centers from reporting, or to exempt mission critical data centers from closure targets,” GAO says.
The OMB, however, contested GAO’s claims that the removal of some facilities from DCOI oversight increased cybersecurity risks, and OMB even advised GAO to remove cybersecurity references from its report.
“In raising these objections, OMB’s comments stated that DCOI is focused on consolidating and optimizing the federal data center portfolio and that cybersecurity is not a primary driver of the initiative. OMB added that DCOI was never designed to track or directly address cybersecurity risks,” GAO said in its report. “Specifically, OMB’s comments took issue with our finding that data centers not tracked within DCOI are at a greater risk for a cybersecurity incident. These comments noted that many other laws, policies, and procedures directly deal with the cybersecurity posture of all federal IT systems, and that OMB’s DCOI guidance does not affect the applicability of those requirements.”
Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed
Related: GAO Makes Recommendations to Improve Security of Taxpayer Data