A 2019 tweak by the Office of Management and Budget (OMB) to the definition of a data center – and thus how the Federal government proceeds with its Data Center Optimization Initiative (DCOI) aimed at sharply cutting the number of data centers that Federal agencies operate – is having the effect of leaving the government more vulnerable to cyberattacks, a Government Accountability Office (GAO) official concurred today.
Kevin Walsh, director of IT and Cybersecurity Issues at GAO, delivered that message to members of the House Government Operations Subcommittee at a hearing to examine the 11th version of the FITARA Scorecard issued by the Oversight and Reform Committee last December.
The scorecard grades the largest 24 Federal agencies on a number of categories to gauge their success in improving IT operations. One of those categories tracks agency progress on reducing the number of data centers as required by DCOI.
During today’s hearing, subcommittee members asked Walsh about the impact of a 2019 OMB change to its definition of a data center which had the effect of dropping about 2,000 Federal agency data centers from the government’s total data center count and thus altered the scope of the DCOI effort. The OMB change mostly dropped out smaller, or “single-tier” data centers, from the overall count.
Walsh said some of the data centers that were dropped out of the larger count included those related to Federal Aviation Administration (FAA) air traffic control centers, and medical equipment with supercomputers built-in.
Rep. Katie Porter, D-Calif., raised the issue of the competing data center definitions, and Walsh concurred with the congresswoman when asked whether dropping those data centers could open agencies to cyberattack, as well as potentially missing out on taxpayer savings.
When pressed by subcommittee members on the issue, Walsh declined to say whether OMB’s change to the data center definition was contrary to compliance with the FITARA (Federal Information Technology Acquisition Reform Act) law, and noted that that current administration is still settling in. But he did describe past efforts to deal with OMB on the issue as a “push-pull” process.
“We work as collaboratively as we can but sometimes it does feel like it’s more or less talking and [OMB] not listening,” Walsh said. “There are times that we have worked very collaboratively, and I do not want to disrespect, OMB or the good work they do, but on certain issues, we don’t always see eye to eye.”
Subcommittee Chairman Gerry Connolly, D-Va., said that OMB’s 2019 change in definition does not relieve Federal agencies from the obligation of coming into compliance with FITARA’s definition.
“You don’t get to come into compliance with FITARA by redefining what a data center is,” Rep. Connolly said.
“And you don’t get to come into compliance by actually substituting a word in the law, with another one that suits your purposes better and gets you off the hook. And we are going to insist on compliance [with the] the law. … And we certainly will back up your efforts, Mr. Walsh” to drive towards compliance, the congressman said.
Rep. Porter noted that government-wide, data center consolidation has racked up an estimated $7.1 billion in cost savings or cost avoidance.
Walsh said that even with the OMB definition change, GAO has recommended agencies keep track of both their tiered and non-tiered data centers – the latter of which is excluded by OMB’s definition change.
One agency doing remarkably well with data center consolidation is the Department of Labor (DoL), which has been able to save over $70 million through consolidation while reducing office space and cutting down on duplicative services.
“I think this is one of the bright spots of our portfolio and how we have been able to realize savings over the last few years,” said DoL CIO Gundeep Ahluwalia, who testified as a witness at today’s hearing. “We have been able to close down 73 of these data centers, and despite what the regulations are and the current initiative status is, we are tracking every tiered and non-tiered data center,” he said.