[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 933 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  1st Session
                                 S. 933

To amend the Carl Levin and Howard P. ``Buck'' McKeon National Defense 
Authorization Act for Fiscal Year 2015 to modify requirements relating 
  to data centers of certain Federal agencies, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 22, 2023

  Ms. Rosen (for herself, Mr. Cornyn, and Mr. Peters) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
To amend the Carl Levin and Howard P. ``Buck'' McKeon National Defense 
Authorization Act for Fiscal Year 2015 to modify requirements relating 
  to data centers of certain Federal agencies, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Federal Data Center Enhancement Act 
of 2023''.

SEC. 2. FEDERAL DATA CENTER CONSOLIDATION INITIATIVE AMENDMENTS.

    (a) Findings.--Congress finds the following:
            (1) The statutory authorization for the Federal Data Center 
        Optimization Initiative under section 834 of the Carl Levin and 
        Howard P. ``Buck'' McKeon National Defense Authorization Act 
        for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113-291) 
        expires at the end of fiscal year 2022.
            (2) The expiration of the authorization described in 
        paragraph (1) presents Congress with an opportunity to review 
        the objectives of the Federal Data Center Optimization 
        Initiative to ensure that the initiative is meeting the current 
        needs of the Federal Government.
            (3) The initial focus of the Federal Data Center 
        Optimization Initiative, which was to consolidate data centers 
        and create new efficiencies, has resulted in, since 2010--
                    (A) the consolidation of more than 6,000 Federal 
                data centers; and
                    (B) cost savings and avoidance of $5,800,000,000.
            (4) The need of the Federal Government for access to data 
        and data processing systems has evolved since the date of 
        enactment in 2014 of subtitle D of title VIII of the Carl Levin 
        and Howard P. ``Buck'' McKeon National Defense Authorization 
        Act for Fiscal Year 2015.
            (5) Federal agencies and employees involved in mission 
        critical functions increasingly need reliable access to secure, 
        reliable, sustainable, and protected facilities to house 
        mission critical data and data operations to meet the immediate 
        needs of the people of the United States.
            (6) As of the date of enactment of this Act, there is a 
        growing need for Federal agencies to use data centers and cloud 
        applications that meet high standards for cybersecurity, 
        resiliency, availability, and sustainability.
    (b) Minimum Requirements for New Data Centers.--Section 834 of the 
Carl Levin and Howard P. ``Buck'' McKeon National Defense Authorization 
Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113-291) is 
amended--
            (1) in subsection (a), by striking paragraphs (3) and (4) 
        and inserting the following:
            ``(3) New data center.--The term `new data center' means--
                    ``(A)(i) a data center or a portion thereof that is 
                owned, operated, or maintained by a covered agency; or
                    ``(ii) to the extent practicable, a data center or 
                portion thereof--
                            ``(I) that is owned, operated, or 
                        maintained by a contractor on behalf of a 
                        covered agency on the date on which the 
                        contract between the covered agency and the 
                        contractor expires; and
                            ``(II) with respect to which the covered 
                        agency extends the contract, or enters into a 
                        new contract, with the contractor; and
                    ``(B) on or after the date that is 180 days after 
                the date of enactment of the Federal Data Center 
                Enhancement Act of 2023, a data center or portion 
                thereof that is--
                            ``(i) established; or
                            ``(ii) substantially upgraded or 
                        expanded.'';
            (2) by striking subsection (b) and inserting the following:
    ``(b) Minimum Requirements for New Data Centers.--
            ``(1) In general.--Not later than 180 days after the date 
        of enactment of the Federal Data Center Enhancement Act of 
        2023, the Administrator shall establish minimum requirements 
        for new data centers in consultation with the Administrator of 
        General Services and the Federal Chief Information Officers 
        Council.
            ``(2) Contents.--
                    ``(A) In general.--The minimum requirements 
                established under paragraph (1) shall include 
                requirements relating to--
                            ``(i) the availability of new data centers;
                            ``(ii) the use of new data centers;
                            ``(iii) the use of sustainable energy 
                        sources;
                            ``(iv) uptime percentage;
                            ``(v) protections against power failures, 
                        including on-site energy generation and access 
                        to multiple transmission paths;
                            ``(vi) protections against physical 
                        intrusions and natural disasters;
                            ``(vii) information security protections 
                        required by subchapter II of chapter 35 of 
                        title 44, United States Code, and other 
                        applicable law and policy; and
                            ``(viii) any other requirements the 
                        Administrator determines appropriate.
                    ``(B) Consultation.--In establishing the 
                requirements described in subparagraph (A)(vii), the 
                Administrator shall consult with the Director of the 
                Cybersecurity and Infrastructure Security Agency and 
                the National Cyber Director.
            ``(3) Incorporation of minimum requirements into current 
        data centers.--As soon as practicable, and in any case not 
        later than 90 days after the Administrator establishes the 
        minimum requirements pursuant to paragraph (1), the 
        Administrator shall issue guidance to ensure, as appropriate, 
        that covered agencies incorporate the minimum requirements 
        established under that paragraph into the operations of any 
        data center of a covered agency existing as of the date of 
        enactment of the Federal Data Center Enhancement Act of 2023.
            ``(4) Review of requirements.--The Administrator, in 
        consultation with the Administrator of General Services and the 
        Federal Chief Information Officers Council, shall review, 
        update, and modify the minimum requirements established under 
        paragraph (1), as necessary.
            ``(5) Report on new data centers.--During the development 
        and planning lifecycle of a new data center, if the head of a 
        covered agency determines that the covered agency is likely to 
        make a management or financial decision relating to any data 
        center, the head of the covered agency shall--
                    ``(A) notify--
                            ``(i) the Administrator;
                            ``(ii) Committee on Homeland Security and 
                        Governmental Affairs of the Senate; and
                            ``(iii) Committee on Oversight and 
                        Accountability of the House of Representatives; 
                        and
                    ``(B) describe in the notification with sufficient 
                detail how the covered agency intends to comply with 
                the minimum requirements established under paragraph 
                (1).
            ``(6) Use of technology.--In determining whether to 
        establish or continue to operate an existing data center, the 
        head of a covered agency shall--
                    ``(A) regularly assess the application portfolio of 
                the covered agency and ensure that each at-risk legacy 
                application is updated, replaced, or modernized, as 
                appropriate, to take advantage of modern technologies; 
                and
                    ``(B) prioritize and, to the greatest extent 
                possible, leverage commercial cloud environments rather 
                than acquiring, overseeing, or managing custom data 
                center infrastructure.
            ``(7) Public website.--
                    ``(A) In general.--The Administrator shall maintain 
                a public-facing website that includes information, 
                data, and explanatory statements relating to the 
                compliance of covered agencies with the requirements of 
                this section.
                    ``(B) Processes and procedures.--In maintaining the 
                website described in subparagraph (A), the 
                Administrator shall--
                            ``(i) ensure covered agencies regularly, 
                        and not less frequently than biannually, update 
                        the information, data, and explanatory 
                        statements posed on the website, pursuant to 
                        guidance issued by the Administrator, relating 
                        to any new data centers and, as appropriate, 
                        each existing data center of the covered 
                        agency; and
                            ``(ii) ensure that all information, data, 
                        and explanatory statements on the website are 
                        maintained as open Government data assets.''; 
                        and
            (3) in subsection (c), by striking paragraph (1) and 
        inserting the following:
            ``(1) In general.--The head of a covered agency shall 
        oversee and manage the data center portfolio and the 
        information technology strategy of the covered agency in 
        accordance with Federal cybersecurity guidelines and 
        directives, including--
                    ``(A) information security standards and guidelines 
                promulgated by the Director of the National Institute 
                of Standards and Technology;
                    ``(B) applicable requirements and guidance issued 
                by the Director of the Office of Management and Budget 
                pursuant to section 3614 of title 44, United States 
                Code; and
                    ``(C) directives issued by the Secretary of 
                Homeland Security under section 3553 of title 44, 
                United States Code.''.
    (c) Extension of Sunset.--Section 834(e) of the Carl Levin and 
Howard P. ``Buck'' McKeon National Defense Authorization Act for Fiscal 
Year 2015 (44 U.S.C. 3601 note; Public Law 113-291) is amended by 
striking ``2022'' and inserting ``2026''.
    (d) GAO Review.--Not later than 1 year after the date of the 
enactment of this Act, and annually thereafter, the Comptroller General 
of the United States shall review, verify, and audit the compliance of 
covered agencies with the minimum requirements established pursuant to 
section 834(b)(1) of the Carl Levin and Howard P. ``Buck'' McKeon 
National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 
note; Public Law 113-291) for new data centers and subsection (b)(3) of 
that Act for existing data centers, as appropriate.
                                 <all>