Facilities remain vulnerable to cyberattacks even without OMB’s ‘data center’ label

The Office of Management and Budget narrowed its definition to focus closure efforts but ended important oversight in the process, according to the Government Accountability Office.

Many of the 2,180 federal facilities the Office of Management and Budget stopped classifying as data centers remain potential targets for cyberattacks, according to a Government Accountability Office report released Thursday.

OMB narrowed its definition of a data center in June, excluding most “non-tiered” facilities — places like server rooms and closets — to help focus other agencies’ closure and optimization efforts.

In the process, OMB removed from federal oversight many facilities “which are considerable in size and will continue to operate,” according to GAO.

“Because of OMB’s decision to remove these types of data centers from [Data Center Optimization Initiative] reporting, agencies may lose track of the security vulnerabilities that these facilities present due to the consequent reduction in overall visibility and oversight into all data centers,” reads the report.


Vulnerabilities like unsecured access points could allow hackers to disrupt critical operations or leak, change or destroy sensitive information.

GAO identified 20 data centers larger than 1,000 square feet that were planned for closure and went unreported in fiscal 2019, along with 260 more that are expected to continue operating. For instance, the Social Security Administration operated five unreported data centers larger than 8,000 square feet, while the State Department ran two larger than 10,000 square feet.

The congressional watchdog recommended OMB require agencies to continue quarterly reporting of all such facilities, as well as document its decisions to delay certain data center closures.

The Data Center Optimization Initiative (DCOI) saw the 24 Chief Financial Officers Act agencies close 102 unneeded data centers with plans for 184 more in fiscal 2019. A total of 2,441 data centers remained.

Only the Office of Personnel Management failed to complete a DCOI strategic plan for fiscal 2019, though it planned to in the future, and GAO recommended OMB require progress be tracked on agencies’ IT dashboards.


GAO estimated DCOI saved $241.5 million in fiscal 2019 and $4.7 billion since 2012. The agency recommended the departments of Agriculture and Commerce and NASA achieve their cost savings targets for fiscal 2019, which hadn’t happened by the report’s publication.

The savings goal for fiscal 2020 is $264 million with plans for 37 data center closures already in the works.

DCOI requires agencies to count their numbers of virtualized servers, data centers with advanced energy monitoring, underutilized servers, and available data centers to determine if they meet annual targets.

Data on the new availability metric varied too much between agencies to be reliable, but in fiscal 2019 eight agencies met the other three targets, five met two and six met one.

OPM failed to establish targets, while four agencies — the Department of Education, Department of Housing and Urban Development, General Services Administration, and U.S. Agency for International Development — no longer have any data centers.


Only the Department of Commerce was urged to improve, as it was the only agency that wasn’t previously in GAO’s April report on DCOI.

GAO recommended OMB begin tracking agencies’ progress on all metrics, not simply the meeting of targets, by having them count all their servers and data centers to calculate percent improvement.
