Latest data center guidance may have increased security risk, watchdog says
While federal agencies are making progress closing data centers, the Office of Management and Budget’s changes to the definition of a data center may dilute some of the gains.
In a recent report, the Government Accountability Office said that the 24 agencies participating in the Data Center Optimization Initiative (DCOI) are on the way to meeting their goals to shut down unneeded data centers, closing 102 facilities in FY 2019 with plans to close 184 more and realizing sayings of over $200 million. As of last August, 2,441 centers are still to be closed.
However, GAO said, in June 2019 OMB updated DCOI guidance that is helping data centers is helping agencies meet their goals. For purposes of consolidation or closing data centers, OMB narrowed the program’s scope to cover to "general compute" facilities. The guidance said focusing on closing the smaller facilities that were previously considered data centers -- such as small server closets, telecom closets, individual print and file servers and single computers acting as servers -- had shown little impact on efficiencies or savings. Closing those kinds of small facilities may cost more than it's worth, OMB said.
According to GAO, the narrower definition eliminated reporting on cybersecurity risks at over 2,000 smaller facilities governmentwide, limiting agencies’ visibility and oversight and increasing risk.
The updated DCOI guidance also included metrics for virtualization, advanced energy monitoring and server utilization and availability; GAO said agencies are making mixed progress toward those goals. Yet because the metrics call for actual numbers of virtual servers, energy meters and underutilized servers – without providing a count of the universe servers and meters – progress against goals is difficult to measure.
GAO recommended specific agencies take actions to meet their saving targets and optimization metrics, and the agencies agreed with those recommendations. It also called for OMB to spell out and track data center closure goals, require agencies to report on the smaller data centers previously considered under DCOI and address performance measurement issues.
OMB neither agreed nor disagreed with the recommendations, but it did dispute findings “that the removal of facilities from DCOI oversight posed cybersecurity-related risks represented by those facilities,” the GAO report said. OMB also recommended that GAO remove references to cybersecurity from the report’s title and text, primarily because cybersecurity “was never a driver” of DCOI and that many other laws and regulations government data center security.
GAO reiterated its position, saying that allowing agencies to discontinue reporting on over 2,000 data centers could cause agencies to lose track of security vulnerabilities of those sites and risk potential attacks.
Connect with the GCN staff on Twitter @GCNtech.