Agencies “may lose track of the security vulnerabilities” in smaller data centers that are no longer accounted for in the data center consolidation initiative due to an OMB policy change that placed more focus in that initiative on larger centers, GAO has said.
A report said that under the 2019 change, agencies no longer are required to report on some 2,000 facilities previously being tracked, leaving about 2,700. That policy did note the need to address security small facilities such as server rooms and closets and encouraged agencies to continue working to consolidate and optimize them, it said, but there is no longer a requirement for agencies to continue to track and report on their progress toward closing them.
GAO said that “since each physical location represents a potential access point to an agency’s interconnection with other internal and external systems and networks, each location also poses a risk as a point of potential attack.”
For centers still falling under the reporting requirements, it added, almost all of the affected 24 Cabinet departments and large agencies have met, or are on track to meet, cost savings targets through closings and consolidations. However, it said OMB does not document decisions on agency requests to exempt centers from closure targets.
GAO said that OMB took no position on its recommendations to reinstate reporting on the centers previously covered and to have OMB document its decisions to exempt others from the initiative.
Pilot Program on Cyber Training Being Developed (12/9/2019)