The Office of Management and Budget has been working with federal agencies to reduce the number of outdated or duplicative federal data centers. In fiscal year 2019, agencies closed 102 centers, and planned to close 184 more.
OMB also narrowed the definition of a data center, recategorizing about 2,000 facilities and excluding them from federal reporting requirements. But many of these facilities—access points into federal IT systems—will continue operating. Each one is a potential target for cyberattacks.
The Government Accountability Office recommended that OMB require agencies to continue to report on these facilities to ensure effective cybersecurity oversight.
The 24 agencies participating in the Office of Management and Budget’s (OMB) Data Center Optimization Initiative (DCOI) reported progress toward achieving OMB’s fiscal year 2019 goals for closing unneeded data centers. As of August 2019, 23 of the 24 reported that they had met, or planned to meet, their fiscal year closure goals, and would close 286 facilities in doing so (see figure). Agencies also reported plans to close at least 37 of the remaining data centers.
OMB issued revised guidance in June 2019 that narrowed the scope of the type of facilities that would be defined as a data center. This revision eliminated the reporting of over 2,000 facilities government-wide. OMB had previously cited cybersecurity risks for these types of facilities. Without a requirement to report on these, important visibility is diminished, including oversight of security risks.
The 24 DCOI agencies have reported a total of $4.7 billion in cost savings from fiscal years 2012 through 2019. Of the 24 agencies, 23 reported in August 2019 they had met, or planned to meet, OMB’s fiscal year 2019 savings goal of $241.5 million. One agency did not complete a plan, but planned to do so in the future. Agencies also reported plans to save about $264 million in fiscal year 2020.
The 24 agencies reported progress against OMB’s three revised data center optimization metrics for virtualization, advanced energy monitoring, and server utilization. For a new fourth metric (availability), the data were not sufficiently reliable to report on because of unexpected variances in the information reported by the agencies. As of August 2019, eight agencies reported that they met all three targets for the metrics GAO reviewed, five met two targets, and six met one target. In addition, one agency had not established any targets, and four agencies reported that they no longer owned any data centers.
While the three revised metrics’ definitions included the key characteristics of being clearly defined and objective, none included statistical universe parameters that enable determinations of progress. Specifically, these metrics call for counts of the actual numbers of (1) virtualized servers, (2) data centers with advanced energy metering, and (3) underutilized servers; but the metrics did not include a count of the universe of all servers and all data centers. Accordingly, percentages cannot be calculated to determine progress–for example, the number of virtualized servers may increase, but if the universe of servers increases at a higher rate, then progress would actually be negative.
To improve DCOI reporting and performance, GAO is making four recommendations to OMB, and four to three selected agencies. The three agencies agreed with the recommendations while OMB did not state whether it agreed or disagreed. GAO continues to maintain that the four recommendations to OMB are warranted.