Federal Data Center Consolidation Initiative Amendments

(a)

Findings

Congress finds the following:(1)The statutory authorization for the Federal Data Center Optimization Initiative under section 834 of the Carl Levin and Howard P. Buck McKeon National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) expires at the end of fiscal year 2022.(2)The expiration of the authorization described in paragraph (1) presents Congress with an opportunity to review the objectives of the Federal Data Center Optimization Initiative to ensure that the initiative is meeting the current needs of the Federal Government.(3)The initial focus of the Federal Data Center Optimization Initiative, which was to consolidate data centers and create new efficiencies, has resulted in, since 2010—(A)the consolidation of more than 6,000 Federal data centers; and(B)cost savings and avoidance of $5,800,000,000.(4)The need of the Federal Government for access to data and data processing systems has evolved since the date of enactment in 2014 of subtitle D of title VIII of the Carl Levin and Howard P. Buck McKeon National Defense Authorization Act for Fiscal Year 2015.(5)Federal agencies and employees involved in mission critical functions increasingly need reliable access to secure, reliable, sustainable, and protected facilities to house mission critical data and data operations to meet the immediate needs of the people of the United States.(6)As of the date of enactment of this Act, there is a growing need for Federal agencies to use data centers and cloud applications that meet high standards for cybersecurity, resiliency, availability, and sustainability.(b)

Minimum requirements for new data centers

Section 834 of the Carl Levin and Howard P. Buck McKeon National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) is amended—(1)in subsection (a), by striking paragraphs (3) and (4) and inserting the following:

(3)

New data center

The term new data center means—(A)(i)a data center or a portion thereof that is owned, operated, or maintained by a covered agency; or (ii)to the extent practicable, a data center or portion thereof—(I)that is owned, operated, or maintained by a contractor on behalf of a covered agency on the date on which the contract between the covered agency and the contractor expires; and(II)with respect to which the covered agency extends the contract, or enters into a new contract, with the contractor; and(B)on or after the date that is 180 days after the date of enactment of the Federal Data Center Enhancement Act of 2023, a data center or portion thereof that is—(i)established; or(ii)substantially upgraded or expanded.

;

(2)by striking subsection (b) and inserting the following:

(b)

Minimum requirements for new data centers

(1)

In general

Not later than 180 days after the date of enactment of the Federal Data Center Enhancement Act of 2023, the Administrator shall establish minimum requirements for new data centers in consultation with the Administrator of General Services and the Federal Chief Information Officers Council.(2)

Contents

(A)

In general

The minimum requirements established under paragraph (1) shall include requirements relating to—(i)the availability of new data centers;(ii)the use of new data centers;(iii)the use of sustainable energy sources;(iv)uptime percentage;(v)protections against power failures, including on-site energy generation and access to multiple transmission paths;(vi)protections against physical intrusions and natural disasters;(vii)information security protections required by subchapter II of chapter 35 of title 44, United States Code, and other applicable law and policy; and(viii)any other requirements the Administrator determines appropriate.(B)

Consultation

In establishing the requirements described in subparagraph (A)(vii), the Administrator shall consult with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director.(3)

Incorporation of minimum requirements into current data centers

As soon as practicable, and in any case not later than 90 days after the Administrator establishes the minimum requirements pursuant to paragraph (1), the Administrator shall issue guidance to ensure, as appropriate, that covered agencies incorporate the minimum requirements established under that paragraph into the operations of any data center of a covered agency existing as of the date of enactment of the Federal Data Center Enhancement Act of 2023.(4)

Review of requirements

The Administrator, in consultation with the Administrator of General Services and the Federal Chief Information Officers Council, shall review, update, and modify the minimum requirements established under paragraph (1), as necessary.(5)

Report on new data centers

During the development and planning lifecycle of a new data center, if the head of a covered agency determines that the covered agency is likely to make a management or financial decision relating to any data center, the head of the covered agency shall—(A)notify—(i)the Administrator;(ii)Committee on Homeland Security and Governmental Affairs of the Senate; and(iii)Committee on Oversight and Accountability of the House of Representatives; and(B)describe in the notification with sufficient detail how the covered agency intends to comply with the minimum requirements established under paragraph (1).(6)

Use of technology

In determining whether to establish or continue to operate an existing data center, the head of a covered agency shall—(A)regularly assess the application portfolio of the covered agency and ensure that each at-risk legacy application is updated, replaced, or modernized, as appropriate, to take advantage of modern technologies; and(B)prioritize and, to the greatest extent possible, leverage commercial cloud environments rather than acquiring, overseeing, or managing custom data center infrastructure.(7)

Public website

(A)

In general

The Administrator shall maintain a public-facing website that includes information, data, and explanatory statements relating to the compliance of covered agencies with the requirements of this section.(B)

Processes and procedures

In maintaining the website described in subparagraph (A), the Administrator shall—(i)ensure covered agencies regularly, and not less frequently than biannually, update the information, data, and explanatory statements posed on the website, pursuant to guidance issued by the Administrator, relating to any new data centers and, as appropriate, each existing data center of the covered agency; and(ii)ensure that all information, data, and explanatory statements on the website are maintained as open Government data assets.

; and

(3)in subsection (c), by striking paragraph (1) and inserting the following:

(1)

In general

The head of a covered agency shall oversee and manage the data center portfolio and the information technology strategy of the covered agency in accordance with Federal cybersecurity guidelines and directives, including—(A)information security standards and guidelines promulgated by the Director of the National Institute of Standards and Technology;(B)applicable requirements and guidance issued by the Director of the Office of Management and Budget pursuant to section 3614 of title 44, United States Code; and(C)directives issued by the Secretary of Homeland Security under section 3553 of title 44, United States Code.

(c)

Extension of sunset

Section 834(e) of the Carl Levin and Howard P. Buck McKeon National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) is amended by striking 2022 and inserting 2026.(d)

GAO review

Not later than 1 year after the date of the enactment of this Act, and annually thereafter, the Comptroller General of the United States shall review, verify, and audit the compliance of covered agencies with the minimum requirements established pursuant to section 834(b)(1) of the Carl Levin and Howard P. Buck McKeon National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) for new data centers and subsection (b)(3) of that Act for existing data centers, as appropriate.