GAO: Federal Data Centers Remain Vulnerable to CyberthreatsOMB Changed Definition of What Qualifies As a Federal Data Center
Over the last eight years, the U.S. Office of Management and Budget has been reducing and consolidating data centers used by various federal agencies in an effort to save resources and reduce costs. A drawback to these plans, however, is that many of these facilities no longer classified as data centers remain vulnerable to cyberthreats, according to a Government Accountability Office audit released Thursday.
As part of this ongoing consolidation process, OMB recently changed the definition of what a federal "data center" is and asked its staff to focus their attention on these much larger facilities, according to the GAO report. This includes producing reports about security vulnerabilities and other cyberthreat issues.
This change, however, means that OMB staff no longer collects reports from federal agencies concerning smaller IT facilities, which are now defined as "non-tier" facilities. Despite the change in definition, about 2,000 of these non-tier facilities still host large and significant IT infrastructures, even though they are no longer classified as federal data centers. And many of these are still vulnerable to hacking and other cyberthreats, the GAO report finds.
"As noted previously, OMB directed agencies to stop reporting on spaces not designed to be data centers as part of their inventory," the report notes. "As a result, agencies are no longer required to report on about 2,000 facilities, some of which are considerable in size and will continue to operate."
The major concern that the GAO audit found is that these smaller facilities remain significant access points to federal IT infrastructures and without proper reporting and cybersecurity oversite, could provide vulnerable to a data breach or a larger-scale attack.
"OMB had previously cited cybersecurity risks for these types of facilities. Without a requirement to report on these, important visibility is diminished, including oversight of security risks," according to the report.
The GAO report makes several recommendations to improve security around the OMB consolidation plan, including requiring federal agencies to issues quarterly and annual reports about what data centers have been closed and why these were shuttered. This will allow for better tracking and reporting, especially when it comes to cybersecurity, the audit notes.
While the GAO audit made several recommendation, the report notes that OMB "did not state whether it agreed or disagreed" with the recommendations.
Currently, 24 federal agencies are involved in the OMB's data center consolidation program, which is officially called the Data Center Optimization Initiative (DCOI), according to the GAO.
Between 2012 and 2019, the 24 federal agencies involved in DCOI have saved $4.7 billion through various data center consolidation initiatives and closures, and GAO expects another $264 million in savings this year. In total, those federal agencies have closed 102 data centers since 2012, and there are plans to close another 184, according to the audit.
This still leaves over 2,400 federal data centers in service, according to the GAO audit.
And while DCOI has shown significant costs savings, the GAO audit finds that many significant IT facilities are still operating but are no longer defined as data centers, which leaves them open to gaps when it comes to cybersecurity. The report finds that some 260 data centers that measure over 1,000 square feet will continue operating, but longer send reports to the OMB.
An example of this is Social Security Administration, which is now operating five data centers larger than 8,000 square feet, but which are no longer classified as data centers under the updated OMB definition, according to the audit. The GAO also found two, 10,000 square foot facilities run by the State Department that no longer meet the definition of a data center.
This leaves these facilities open to cyberthreats, the audit notes.
"Because of OMB's decision to remove these types of data centers from DCOI reporting, agencies may lose track of the security vulnerabilities that these facilities present due to the consequent reduction in overall visibility and oversight into all data centers," the report states.
In addition, the GAO report finds that there was a lack of transparency in the OMB's approval process for removing certain facilities from the data center list.
Other Security Issues
Over the last several months, the GAO has taken several other federal agencies to takes over various cybersecurity practices.
In August, 2019, for example, the federal watchdog released a report that found some 23 federal agencies came up short in their cybersecurity efforts even as attacks on their IT infrastructures continue to grow and concerns about foreign interference in the upcoming 2020 elections persist (see: GAO Blasts Cybersecurity Efforts of Federal Agencies).
More recently, the GAO found that the U.S. Census Bureau, part of the Department of Commerce, needs to make improvements in some of its cybersecurity plans before the 2020 Census starts in April (see: GAO: Census Bureau Comes Up Short on Cybersecurity).