US aims to step up security for federal datacenters: Both physical and cyber
Bit barns threatened by malware flingers, but fire, storms, or bad guys arriving at the sites are also bad news
Proposed legislation in the US will seek to ensure greater protection for government datacenters from the threat of cyberattacks, but also physical dangers such as natural disasters and terrorism.
The Federal Datacenter Enhancement Act of 2022 would require the White House Office of Management and Budget (OMB) to coordinate a government-wide effort to develop greater security requirements for federal data facilities.
These relate to cyber intrusions, datacenter availability, mission-critical uptime, and resilience against physical attacks, wildfires, and other natural disasters, according to a statement from Senator Jacky Rosen, one of the three introducing the bipartisan bill.
Rosen is a member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC), while Senator Gary Peters is its chair and the third backer of the legislation is Senator John Cornyn.
"With the increasing threat of cyberattacks and natural disasters, we must ensure the integrity of our nation's critical information by protecting datacenters like Switch in Las Vegas," said Senator Rosen, claiming the bill will enact new security and resiliency standards to keep data safe.
Meanwhile, Senator Cornyn said the legislation would not only secure federal data but encourage optimization, which would save taxes as well as protect Americans who entrust their information to the federal government.
But the Act does not specify these measures, and appears to leave it up to the Administrator of General Services to consult with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director in order to determine the requirements that must be met.
The Act itself is an amendment to the earlier National Defense Authorization Act for Fiscal Year 2015, modifying requirements relating to datacenters. The text notes that the authorization within this for the Federal Data Center Optimization Initiative (DCOI) expires at the end of 2022, giving Congress an opportunity to review the objectives of the DCOI to meet the current needs of the Federal Government.
The DCOI actually started in 2010 with a focus on delivering greater efficiency in government IT infrastructure, such as through the consolidation of datacenters used by federal agencies.
According to the three senators, this has already resulted in the consolidation of more than 6,000 federal datacenters and delivered cost savings estimated to be $5.8 billion.
Senator Rosen noted that the new Act "builds on this success, shifting the policy focus from consolidation to optimization, security, and resiliency."
However, in March of this year, the US Government Accountability Office reported there had been "mixed progress" against the OMB's datacenter optimization targets in recent years.
It said that for fiscal year 2020, federal agencies had closed a total of 96 datacenters, and as of August last year, closures had amounted to 51, with another 29 planned closures expected by the end of that fiscal year.
The GAO reported that as of August 2021, the agencies expected to realize a cumulative total of $6.6 billion in cost savings from fiscal years 2012 through 2021, although it warned at the time that closures and savings were expected to slow in the future according to the DCOI strategic plans. For example, seven agencies reported that they planned to close 83 datacenters during fiscal years 2022 through 2025, with an estimated total saving of $46.32 million.