[Senate Report 118-15]
[From the U.S. Government Publishing Office]
Calendar No. 39
118th Congress } { Report
1st Session } SENATE { 118-15
_______________________________________________________________________
FEDERAL DATA CENTER ENHANCEMENT ACT OF 2023
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 933
TO AMEND THE CARL LEVIN AND
HOWARD P. ``BUCK'' MCKEON NATIONAL DEFENSE
AUTHORIZATION ACT FOR FISCAL YEAR 2015 TO
MODIFY REQUIREMENTS RELATING TO DATA CENTERS
OF CERTAIN FEDERAL AGENCIES, AND FOR OTHER PURPOSES
April 27, 2023.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
39-010 WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada MITT ROMNEY, Utah
ALEX PADILLA, California RICK SCOTT, Florida
JON OSSOFF, Georgia JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Lena C. Chang, Director of Governmental Affairs
Matthew T. Cornelius, Senior Professional Staff Member
William E. Henderson III, Minority Staff Director
Christina N. Salazar, Minority Chief Counsel
Andrew J. Hopkins, Minority Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 39
118th Congress } { Report
SENATE
1st Session } { 118-15
======================================================================
FEDERAL DATA CENTER ENHANCEMENT ACT OF 2023
_______
April 27, 2023.--Ordered to be printed
_______
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 933]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 933) to amend the
Carl Levin and Howard P. ``Buck'' McKeon National Defense
Authorization Act for Fiscal Year 2015 to modify requirements
relating to data centers of certain Federal agencies, and for
other purposes, having considered the same, reports favorably
thereon without amendment and recommends that the bill do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
IV. Section-by-Section Analysis of the Bill, as Reported.............3
V. Evaluation of Regulatory Impact..................................4
VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6
I. Purpose and Summary
S. 933, the Federal Data Center Enhancement Act of 2023,
updates and amends the Federal Data Center Consolidation
Initiative (FDCCI) authorized under the Fiscal Year 2015
National Defense Authorization Act.\1\ S. 933 amends the
requirements of FDCCI, shifting the policy focus from
consolidation to optimization, security, and resilience.\2\ The
bill requires the Office of Management and Budget (OMB) to
coordinate a government-wide effort to develop minimum
requirements for federal data centers related to cyber
intrusions, data center availability, mission-critical uptime,
and resilience against physical attacks, and natural disasters.
It also strikes language from the Federal Information
Technology Acquisition Reform Act (FITARA) referring to data
center consolidation to ensure that federal agencies focus on
the cost savings and avoidances that can be achieved through
optimization, given the success of past data center
consolidation efforts.\3\
---------------------------------------------------------------------------
\1\On August 3, 2022, the Committee approved S. 4629, the Federal
Data Center Enhancement Act of 2022. That bill is substantially similar
to S. 933. Accordingly, this committee report is, in many respects,
similar to the committee report for S. 4629. See S. Rept. 117-210.
\2\National Defense Authorization Act of 2015, Public Law 113-291,
Sec. 834 (2014).
\3\The stricken language was enacted in H.R. 1232, Sec. 202(b),
113th Cong. (2013), which was incorporated into the National Defense
Authorization Act of 2015, Pub. L. No. 113-291, Sec. 834 (2014).
---------------------------------------------------------------------------
II. Background and Need for the Legislation
Federal data centers are the physical facilities where
federal agencies store and process data, and host key
information technology (IT) and cybersecurity infrastructure.
Following the passage of the FITARA, OMB launched the Federal
Data Center Optimization Initiative (DCOI) to advance data
center consolidation and improve federal data centers'
performance.\4\ Since 2010, more than 6,000 federal data
centers have been consolidated with a resulting cost savings
and cost avoidance of $5.8 billion.\5\
---------------------------------------------------------------------------
\4\Memorandum from Tony Scott, Federal Chief Information Officer,
to Heads of Executive Departments and Agencies, Data Center
Optimization Initiative (DCOI) (available at https://
datacenters.cio.gov/policy/) (Aug.1, 2016).
\5\Government Accountability Office, Data Center Optimization:
Agencies Report Progress and Billions Saved, but OMN Needs to Improve
Its Utilization Guidance (GAO-21-212) (March 4, 2021).
---------------------------------------------------------------------------
The Government Accountability Office (GAO) has tracked and
reported on agencies' progress in consolidating data centers
regularly since 2011.\6\ In 2017, GAO issued three substantial
reports identifying opportunities for agency data center
optimization.\7\ It also included identification of
improvements for IT management on its ``high risk'' list.\8\
---------------------------------------------------------------------------
\6\Government Accountability Office, Data Center Consolidation:
Agencies Need to Complete Inventories and Plans to Achieve Expected
Savings (GAO-11-565) (Jul. 19, 2011); Government Accountability Office,
Data Center Consolidation: Agencies Making Progress on Efforts, but
Inventories and Plans Need to be Completed (GAO-12-742) (Jul. 19,
2012); Government Accountability Office, Data Center Consolidation:
Strengthened Oversight Needed to Achieve Cost Savings Goal (GAO-13-378)
(Apr. 23, 2013); Government Accountability Office, Data Center
Consolidation: Reporting Can Be Improved to Reflect Substantial Planned
Savings (GAO-14-713); Government Accountability Office, Data Center
Consolidation: Agencies Making Progress, but Planned Savings Goals Need
to Be Established (GAO-16-323) (Mar. 3, 2016).
\7\Government Accountability Office, Government Efficiency and
Effectiveness: Opportunities to Address Pervasive Management Risks and
Challenges while Reducing Federal Costs (GAO-17-631T) (May 17, 2017);
Government Accountability Office, Agencies Need to Complete Plans to
Address Inconsistencies in Reported Savings (GAO-17-388); Government
Accountability Office, Data Center Optimization: Agencies Need to
Address Challenges and Improve Progress to Achieve Cost Savings Goal
(GAO-17-488) (Aug. 15, 2017); Government Accountability Office,
Improving the Management of IT Acquisitions and Operations
(www.gao.gov/highrisk/improving-
management-it-acquisitions-and-operations) (accessed Aug. 30, 2022).
\8\Government Accountability Office, High-Risk Series: Efforts Made
to Achieve Progress Need to Be Maintained and Expanded to Fully Address
All Areas (GAO-23-106203) (accessed April 10, 2023).
---------------------------------------------------------------------------
Building upon DCOI, OMB issued Memorandum M-19-19 Update to
the Data Center Optimization Initiative (DCOI), which included
new performance metrics for federal data centers, required
agencies to prioritize their focus on key mission facilities,
and aligned agency IT infrastructure investments to the Cloud
Smart Strategy.\9\ Recently, Congress has provided additional
direction to federal agencies on how to prioritize the metrics
and requirements of federal IT infrastructure, most notably
through the passage of the Energy Act of 2020.\10\ S. 933
builds upon these requirements to ensure any new federal data
center complies with additional requirements, to be set by OMB,
for cybersecurity and resilience, while also urging agencies to
update their current data centers to meet the OMB requirements
when those facilities, or the contracts that manage them, come
up for review or contract renewal.
---------------------------------------------------------------------------
\9\Memorandum from Suzette Kent, Federal Chief Information Officer,
to Chief Information Officers of Executive Departments and Agencies,
Update to Data Center Optimization Initiative (DCOI) (available at
https://datacenters.cio.gov/policy/) (June 25, 2019); Office of
Management and Budget, Office of the Federal Chief Information Officer,
Federal Cloud Computing Strategy, From Cloud First to Cloud Smart
(https://cloud.cio.gov/strategy/) (accessed on Aug. 30, 2022).
\10\Consolidated Appropriations Act of 2021, Pub. L. No 116-260,
Div. Z, Sec. 1003 (2020).
---------------------------------------------------------------------------
III. Legislative History
Senator Jacky Rosen (D-NV) introduced S. 933 on March 22,
2023, with Senator John Cornyn (R-TX) and Chairman Gary Peters
(D-MI) as cosponsors. The bill was referred to the Committee on
Homeland Security and Governmental Affairs.
The Committee considered S. 933 at a business meeting on
March 29, 2023. During the business meeting. S. 933 was ordered
reported favorably by a roll call vote of 12 yeas and 0 nays
with Senators Peters, Hassan, Sinema, Rosen, Padilla, Ossoff,
Blumenthal, Paul, Lankford, Romney, Scott, and Hawley voting in
the affirmative, and with Senators Carper, Johnson, and
Marshall voting yea by proxy, for the record only.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1. Short title
This section designates the name of the bill as the
``Federal Data Center Enhancement Act of 2023.''
Section 2. Federal Data Center Consolidation Initiative amendments
Subsection (a) finds that the upcoming expiration of the
Federal Data Center Optimization Initiative authorized under
the Fiscal Year 2015 National Defense Authorization Act
presents an opportunity to review the objectives of the Federal
Data Center Optimization Initiative to ensure that the
initiative is meeting the current needs of the federal
government. This section also notes the growing need for
federal agencies to use data centers and cloud applications
that meet high standards for cybersecurity, resiliency,
availability, and sustainability.
Subsection (b) establishes minimum requirements for new
data centers. Subsection (b)(1) defines a new data center as a
data center (or a portion thereof) that is established or
substantially upgraded within 180 days of enactment and that is
owned, operated, or maintained by a covered federal agency and,
to the extent practicable, a data center owned, operated, or
maintained by a federal contractor.
Subsection (b)(2) requires the Administrator of the Office
of Electronic Government to establish minimum requirements for
new data centers in consultation with the Administrator of
General Services and the Federal Chief Information Officers
Council. These requirements relate to availability and use of
new data centers, the use of sustainable energy sources, uptime
percentage, protection against power failures, protections
against physical intrusions and natural disasters, and
information security requirements of the Federal Information
Security Modernization Act of 2014 (Pub. L. 113-283). This
subsection requires OMB to consult with the Director of the
Cybersecurity and Infrastructure Security Agency and the
National Cyber Director in establishing the requirements.
Subsection (b)(3) allows the Administrator to incorporate
the minimum requirements established under (b)(1) into the
requirements for any agency data center existing at the date of
enactment.
Subsection (b)(4) provides for periodic review of the
requirements in consultation with the Administrator of General
Services and the Federal Chief Information Officers Council.
Subsection (b)(5) requires, if, during the development and
planning lifecycle of a new data center, an agency head
determines that the agency is likely to make a management or
financial decision relating to the new data center, the head of
the covered agency shall report it to the Administrator of the
Office of Electronic Government, the Senate Committee on
Homeland Security and Governmental Affairs and the House
Committee on Oversight and Accountability with a sufficiently
detailed description of how the agency intends to comply with
the minimum requirements.
Subsection (b)(6) requires agency heads, in determining
whether to establish or continue to operate a data center, to
regularly assess the agency's application portfolio to ensure
that each legacy application is updated, replaced, or
modernized, as appropriate, to take advantage of modern
technologies. The subsection also requires agency heads to
prioritize and, to the greatest extent possible, leverage
commercial cloud environments rather than acquiring,
overseeing, or managing custom data center infrastructure.
Subsection (b)(7) requires agencies to post certain data
and information on a public website regarding their compliance
with the requirements in the Federal Data Center Enhancement
Act of 2023. Finally, the subsection requires agencies to
oversee and manage their data centers to comply with
information security standards promulgated by the National
Institute of Standards and Technology, additional requirements
of the Federal Risk Authorization and Management Program
(FedRAMP), and binding operational directives issues by the
Department of Homeland Security.
Subsection (c) extends the sunset of the Federal Data
Center Consolidation Initiative from October 1, 2022 to October
1, 2026.
Subsection (d) requires the Comptroller General to issue a
report within 1 year of enactment that will shall review,
verify, and audit the compliance of covered agencies with the
minimum requirements of the Act.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. Congressional Budget Office Cost Estimate
S. 933 would modify and reauthorize the Federal Data Center
Consolidation Initiative through the end of fiscal year 2026;
that authority expired at the end of 2022.
The bill would require the Office of E-Government and
Information Technology to establish minimum requirements for
the availability and use of new data centers and set standards
for protection against power failures, intrusions, and natural
disasters. Under the bill, the General Services Administration
(GSA) would provide guidance for developing and incorporating
those requirements into the operations of existing data centers
and would post information about agencies' compliance with the
new requirements.
Based on information from GSA and the Government
Accountability Office (GAO), CBO expects that federal agencies
will continue their efforts to optimize the performance and
improve the security of data centers, regardless of the
initiative's expired authority. Thus, CBO estimates that
implementing those requirements would not significantly
increase federal costs over the 2023-2028 period.
S. 933 also would require GAO to report annually to the
Congress on implementation of the bill's requirements and CBO
expects the cost of the reports would not be significant.
S. 933 could affect direct spending by some agencies that
are allowed to use fees, receipts from the sale of goods, and
other collections to cover operating costs. CBO estimates that
any net changes in direct spending by those agencies would be
negligible because most of them can adjust amounts collected to
reflect changes in operating costs.
The CBO staff contact for this estimate is Matthew
Pickford. The estimate was reviewed by H. Samuel Papenfuss,
Deputy Director of Budget Analysis.
Phillip L. Swagel,
Director, Congressional Budget Office.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in brackets, new matter is
printed in italic, and existing law in which no change is
proposed is shown in roman):
UNITED STATES CODE
* * * * * * *
TITLE 44--PUBLIC PRINTING AND DOCUMENTS
* * * * * * *
CHAPTER 36--MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES
* * * * * * *
SEC. 3601. DEFINITIONS
* * * * * * *
STATUTORY NOTES AND RELATED SUBSIDIARIES
* * * * * * *
FEDERAL DATA CENTER CONSOLIDATION INITIATIVE
* * * * * * *
(a) * * *
(1) * * *
(2) * * *
[(3) FDCCI.--The term `FDCCI' means the Federal Data
Center Consolidation Initiative described in the Office
of Management and Budget Memorandum on the Federal Data
Center Consolidation Initiative, dated February 26,
2010, or any successor thereto.
[(4) Government-Wide Data Center Consolidation and
Optimization Metrics.--The term `Government-wide data
center consolidation and optimization metrics' means
the metrics established by the Administrator under
subsection (b)(2)(G).]
(3) New data center.--The term `new data center'
means--
(A)(i) a data center or a portion thereof
that is owned, operated, or maintained by a
covered agency; or
(ii) to the extent practicable, a data center
or portion thereof--
(I) that is owned, operated, or
maintained by a contractor on behalf of
a covered agency on the date on which
the contract between the covered agency
and the contractor expires; and
(II) with respect to which the
covered agency extends the contract, or
enters into a new contract, with the
contractor; and
(B) on or after the date that is 180 days
after the date of enactment of the Federal Data
Center Enhancement Act of 2023, a data center
or portion thereof that is--
(i) established; or
(ii) substantially upgraded or
expanded.
[(b) Federal Data Center Consolidation Inventories and
Strategies.--
[(1) In general.--
[(A) Annual reporting.--Except as provided in
subparagraph (C), each year, beginning in the
first fiscal year after the date of the
enactment of this Act [Dec. 19, 2014] and each
fiscal year thereafter, the head of each
covered agency, assisted by the Chief
Information Officer of the agency, shall submit
to the Administrator--
[(i) a comprehensive inventory of the
data centers owned, operated, or
maintained by or on behalf of the
agency; and
[(ii) a multi-year strategy to
achieve the consolidation and
optimization of the data centers
inventoried under clause (i), that
includes--
[(I) performance metrics--
[(aa) that are
consistent with the
Government-wide data
center consolidation
and optimization
metrics; and
[(bb) by which the
quantitative and
qualitative progress of
the agency toward the
goals of the FDCCI can
be measured;
[(II) a timeline for agency
activities to be completed
under the FDCCI, with an
emphasis on benchmarks the
agency can achieve by specific
dates;
[(III) year-by-year
calculations of investment and
cost savings for the period
beginning on the date of the
enactment of this Act and
ending on the date set forth in
subsection (e), broken down by
each year, including a
description of any initial
costs for data center
consolidation and optimization
and life cycle cost savings and
other improvements, with an
emphasis on--
[(aa) meeting the
Government-wide data
center consolidation
and optimization
metrics; and
[(bb) demonstrating
the amount of agency-
specific cost savings
each fiscal year
achieved through the
FDCCI; and
[(IV) any additional
information required by the
Administrator.
[(B) Use of other reporting structures.--The
Administrator may require a covered agency to
include the information required to be
submitted under this subsection through
reporting structures determined by the
Administrator to be appropriate.
[(C) Department of defense reporting.--For
any year that the Department of Defense is
required to submit a performance plan for
reduction of resources required for data
servers and centers, as required under section
2867(b) of the National Defense Authorization
Act for Fiscal Year 2012 [Pub. L. 112-81] (10
U.S.C. 2223a note), the Department of Defense--
[(i) may submit to the Administrator,
in lieu of the multi-year strategy
required under subparagraph (A)(ii)--
[(I) the defense-wide plan
required under section
2867(b)(2) of the National
Defense Authorization Act for
Fiscal Year 2012 (10 U.S.C.
2223a note); and
[(II) the report on cost
savings required under section
2867(d) of the National Defense
Authorization Act for Fiscal
Year 2012 (10 U.S.C. 2223a
note); and
[(ii) shall submit the comprehensive
inventory required under subparagraph
(A)(i), unless the defense-wide plan
required under section 2867(b)(2) of
the National Defense Authorization Act
for Fiscal Year 2012 (10 U.S.C. 2223a
note)--
[(I) contains a comparable
comprehensive inventory; and
[(II) is submitted under
clause (i).
[(D) Statement. --Each year, beginning in the
first fiscal year after the date of the
enactment of this Act and each fiscal year
thereafter, the head of each covered agency,
acting through the Chief Information Officer of
the agency, shall--
[(i)
[(I) submit a statement to
the Administrator stating
whether the agency has complied
with the requirements of this
section; and
[(II) make the statement
submitted under subclause (I)
publicly available; and
[(ii) if the agency has not complied
with the requirements of this section,
submit a statement to the Administrator
explaining the reasons for not
complying with such requirements.
[(E) Agency implementation of strategies.--
[(i) In general.--Each covered
agency, under the direction of the
Chief Information Officer of the
agency, shall--
[(I) implement the strategy
required under subparagraph
(A)(ii); and
[(II) provide updates to the
Administrator, on a quarterly
basis, of--
[(aa) the completion
of activities by the
agency under the FDCCI;
[(bb) any progress of
the agency towards
meeting the Government-
wide data center
consolidation and
optimization metrics;
and
[(cc) the actual cost
savings and other
improvements realized
through the
implementation of the
strategy of the agency.
[(ii) Department of defense.--For
purposes of clause (i)(I),
implementation of the defense-wide plan
required under section 2867(b)(2) of
the National Defense Authorization Act
for Fiscal Year 2012 [Pub. L. 112-81]
(10 U.S.C. 2223a note) by the
Department of Defense shall be
considered implementation of the
strategy required under subparagraph
(A)(ii).
[(F) Rule of construction.--Nothing in this
section shall be construed to limit the
reporting of information by a covered agency to
the Administrator, the Director of the Office
of Management and Budget, or Congress.
[(2) Administrator responsibilities.--The
Administrator shall--
[(A) establish the deadline, on an annual
basis, for covered agencies to submit
information under this section;
[(B) establish a list of requirements that
the covered agencies must meet to be considered
in compliance with paragraph (1);
[(C) ensure that information relating to
agency progress towards meeting the Government-
wide data center consolidation and optimization
metrics is made available in a timely manner to
the general public;
[(D) review the inventories and strategies
submitted under paragraph (1) to determine
whether they are comprehensive and complete;
[(E) monitor the implementation of the data
center strategy of each covered agency that is
required under paragraph (1)(A)(ii);
[(F) update, on an annual basis, the
cumulative cost savings realized through the
implementation of the FDCCI; and
[(G) establish metrics applicable to the
consolidation and optimization of data centers
Government-wide, including metrics with respect
to--
[(i) costs;
[(ii) efficiencies, including, at a
minimum, server efficiency; and
[(iii) any other factors the
Administrator considers appropriate.
[(3) Cost saving goal and updates for congress.--
[(A) In general.--Not later than one year
after the date of the enactment of this Act,
the Administrator shall develop, and make
publicly available, a goal, broken down by
year, for the amount of planned cost savings
and optimization improvements achieved through
the FDCCI during the period beginning on the
date of the enactment of this Act and ending on
the date set forth in subsection (e).
[(B) Annual update.--
[(i) In general.--Not later than one
year after the date on which the goal
described in subparagraph (A) is made
publicly available, and each year
thereafter, the Administrator shall
aggregate the reported cost savings of
each covered agency and optimization
improvements achieved to date through
the FDCCI and compare the savings to
the projected cost savings and
optimization improvements developed
under subparagraph (A).
[(ii) Update for congress.--The goal
required to be developed under
subparagraph (A) shall be submitted to
Congress and shall be accompanied by a
statement describing--
[(I) the extent to which each
covered agency has developed
and submitted a comprehensive
inventory under paragraph
(1)(A)(i), including an
analysis of the inventory that
details specific numbers, use,
and efficiency level of data
centers in each inventory; and
[(II) the extent to which
each covered agency has
submitted a comprehensive
strategy that addresses the
items listed in paragraph
(1)(A)(ii).
[(4) GAO review.--
[(A) In general.--Not later than one year
after the date of the enactment of this Act,
and each year thereafter, the Comptroller
General of the United States shall review and
verify the quality and completeness of the
inventory and strategy of each covered agency
required under paragraph (1)(A).
[(B) Report.--The Comptroller General of the
United States shall, on an annual basis,
publish a report on each review conducted under
subparagraph (A).]
(b) Minimum Requirements for New Data Centers.--
(1) In general.--Not later than 180 days after the
date of enactment of the Federal Data Center
Enhancement Act of 2023, the Administrator shall
establish minimum requirements for new data centers in
consultation with the Administrator of General Services
and the Federal Chief Information Officers Council.
(2) Contents.--
(A) In general.--The minimum requirements
established under paragraph (1) shall include
requirements relating to--
(i) the availability of new data
centers;
(ii) the use of new data centers;
(iii) the use of sustainable energy
sources;
(iv) uptime percentage;
(v) protections against power
failures, including on-site energy
generation and access to multiple
transmission paths;
(vi) protections against physical
intrusions and natural disasters;
(vii) information security
protections required by subchapter II
of chapter 35 of title 44, United
States Code, and other applicable law
and policy; and
(viii) any other requirements the
Administrator determines appropriate.
(B) Consultation.--In establishing the
requirements described in subparagraph
(A)(vii), the Administrator shall consult with
the Director of the Cybersecurity and
Infrastructure Security Agency and the National
Cyber Director.
(3) Incorporation of minimum requirements into
current data centers.--As soon as practicable, and in
any case not later than 90 days after the Administrator
establishes the minimum requirements pursuant to
paragraph (1), the Administrator shall issue guidance
to ensure, as appropriate, that covered agencies
incorporate the minimum requirements established under
that paragraph into the operations of any data center
of a covered agency existing as of the date of
enactment of the Federal Data Center Enhancement Act of
2023.
(4) Review of requirements.--The Administrator, in
consultation with the Administrator of General Services
and the Federal Chief Information Officers Council,
shall review, update, and modify the minimum
requirements established under paragraph (1), as
necessary.
(5) Report on new data centers.--During the
development and planning lifecycle of a new data
center, if the head of a covered agency determines that
the covered agency is likely to make a management or
financial decision relating to any data center, the
head of the covered agency shall--
(A) notify--
(i) the Administrator;
(ii) Committee on Homeland Security
and Governmental Affairs of the Senate;
and
(iii) Committee on Oversight and
Accountability of the House of
Representatives; and
(B) describe in the notification with
sufficient detail how the covered agency
intends to comply with the minimum requirements
established under paragraph (1).
(6) Use of technology.--In determining whether to
establish or continue to operate an existing data
center, the head of a covered agency shall--
(A) regularly assess the application
portfolio of the covered agency and ensure that
each at risk legacy application is updated,
replaced, or modernized, as appropriate, to
take advantage of modern technologies; and
(B) prioritize and, to the greatest extent
possible, leverage commercial cloud
environments rather than acquiring, overseeing,
or managing custom data center infrastructure.
(7) Public website.--
(A) In general.--The Administrator shall
maintain a public-facing website that includes
information, data, and explanatory statements
relating to the compliance of covered agencies
with the requirements of this section.
(B) Processes and procedures.--In maintaining
the website described in subparagraph (A), the
Administrator shall--
(i) ensure covered agencies
regularly, and not less frequently than
biannually, update the information,
data, and explanatory statements posed
on the website, pursuant to guidance
issued by the Administrator, relating
to any new data centers and, as
appropriate, each existing data center
of the covered agency; and
(ii) ensure that all information,
data, and explanatory statements on the
website are maintained as open
Government data assets.
(c) Ensuring Cybersecurity Standards for Data Center
Consolidation and Cloud Computing.--
[(1) In general.--In implementing a data center
consolidation and optimization strategy under this
section, a covered agency shall do so in a manner that
is consistent with Federal guidelines on cloud
computing security, including--
[(A) applicable provisions found within the
Federal Risk and Authorization Management
Program (FedRAMP); and
[(B) guidance published by the National
Institute of Standards and Technology.]
(1) In general.--The head of a covered agency shall
oversee and manage the data center portfolio and the
information technology strategy of the covered agency
in accordance with Federal cybersecurity guidelines and
directives, including--
(A) information security standards and
guidelines promulgated by the Director of the
National Institute of Standards and Technology;
(B) applicable requirements and guidance
issued by the Director of the Office of
Management and Budget pursuant to section 3614
of title 44, United States Code; and
(C) directives issued by the Secretary of
Homeland Security under section 3553 of title
44, United States Code.
(2) * * *
(d) * * *
(e) Sunset.--This section is repealed effective on October
1, [2022] 2026.