The Government Accountability Office warned the Office of Management and Budget in a March 5 report that its data center policy has created cybersecurity and oversight risks.
The problems stem from OMB's June 2019 decision to revise, in its Data Center Optimization Initiative (DCOI), the definition of a data center. Under that guidance, agencies are no longer required to report on 2,000 facilities. Because these smaller facilities no longer have to report metrics, the new definition creates a cybersecurity risk that OMB officials specifically identified in 2016.
“Since each physical location represents a potential access point to an agency’s interconnection with other internal and external systems and networks, each location also poses a risk as a point of potential attack,” GAO officials wrote.
The GAO added, “Because of OMB’s decision to remove these types of data centers from DCOI reporting, agencies may lose track of the security vulnerabilities that these facilities present due to the consequent reduction in overall visibility and oversight into all data centers.”
To mitigate the risk, the GAO recommended that OMB require agencies to submit reporting data on those facilities no longer classified as data centers. According to the GAO report, OMB didn’t agree or disagree with the recommendations and argued that the smaller facilities don’t pose a higher cybersecurity risk, even adding that the GAO should not reference cybersecurity in its report. Cybersecurity, OMB argued, wasn’t the aim of the DCOI policy, and several other policies and laws govern cybersecurity issues.
“OMB took issue with the report’s findings that the removal of facilities from DCOI oversight posed cybersecurity-related risks represented by those facilities,” the GAO report said. “OMB’s comments further recommended that we remove references to cybersecurity from our report’s title and from the body of the report.”
This is just the latest development in the debate over the DCOI policy’s revision of what a data center is. Reps. Gerry Connolly, D-Va., and Mark Meadows, R-N.C., have expressed concerns about the vagueness of the policy, while the GAO’s Director of IT Management Carol Harris has continuously warned about the cybersecurity risks associated with the policy.
In a hearing in December on agency progress on the Federal Information Technology Acquisition Reform Act, Harris said the OMB policy was “taking significant steps backwards from where we were just four years ago.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.