[Senate Report 118-15]
[From the U.S. Government Publishing Office]


                                                          Calendar No. 39
                                                          


118th Congress }                                               {  Report
 1st Session   }                 SENATE                        {  118-15
                                                                 
_______________________________________________________________________

                                     

                                                        

 
              FEDERAL DATA CENTER ENHANCEMENT ACT OF 2023

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                 S. 933

                      TO AMEND THE CARL LEVIN AND
               HOWARD P. ``BUCK'' MCKEON NATIONAL DEFENSE
               AUTHORIZATION ACT FOR FISCAL YEAR 2015 TO
              MODIFY REQUIREMENTS RELATING TO DATA CENTERS
          OF CERTAIN FEDERAL AGENCIES, AND FOR OTHER PURPOSES




                 April 27, 2023.--Ordered to be printed
                 
 
                       ______

             U.S. GOVERNMENT PUBLISHING OFFICE 
 39-010             WASHINGTON : 2023                
                 
                 
                 
                 
                 
                 
                 
                 
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
            Lena C. Chang, Director of Governmental Affairs
         Matthew T. Cornelius, Senior Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
                  Andrew J. Hopkins, Minority Counsel
                     Laura W. Kilbride, Chief Clerk
                     
                     
                     
                     
                     
                     
                     
                     
                                                        Calendar No. 39
                                                        
118th Congress }                                               {   Report
                                 SENATE
 1st Session   }                                               {  118-15

======================================================================




              FEDERAL DATA CENTER ENHANCEMENT ACT OF 2023

                                _______
                                

                 April 27, 2023.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 933]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 933) to amend the 
Carl Levin and Howard P. ``Buck'' McKeon National Defense 
Authorization Act for Fiscal Year 2015 to modify requirements 
relating to data centers of certain Federal agencies, and for 
other purposes, having considered the same, reports favorably 
thereon without amendment and recommends that the bill do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................3
 IV. Section-by-Section Analysis of the Bill, as Reported.............3
  V. Evaluation of Regulatory Impact..................................4
 VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6

                         I. Purpose and Summary

    S. 933, the Federal Data Center Enhancement Act of 2023, 
updates and amends the Federal Data Center Consolidation 
Initiative (FDCCI) authorized under the Fiscal Year 2015 
National Defense Authorization Act.\1\ S. 933 amends the 
requirements of FDCCI, shifting the policy focus from 
consolidation to optimization, security, and resilience.\2\ The 
bill requires the Office of Management and Budget (OMB) to 
coordinate a government-wide effort to develop minimum 
requirements for federal data centers related to cyber 
intrusions, data center availability, mission-critical uptime, 
and resilience against physical attacks, and natural disasters. 
It also strikes language from the Federal Information 
Technology Acquisition Reform Act (FITARA) referring to data 
center consolidation to ensure that federal agencies focus on 
the cost savings and avoidances that can be achieved through 
optimization, given the success of past data center 
consolidation efforts.\3\
---------------------------------------------------------------------------
    \1\On August 3, 2022, the Committee approved S. 4629, the Federal 
Data Center Enhancement Act of 2022. That bill is substantially similar 
to S. 933. Accordingly, this committee report is, in many respects, 
similar to the committee report for S. 4629. See S. Rept. 117-210.
    \2\National Defense Authorization Act of 2015, Public Law 113-291, 
Sec. 834 (2014).
    \3\The stricken language was enacted in H.R. 1232, Sec. 202(b), 
113th Cong. (2013), which was incorporated into the National Defense 
Authorization Act of 2015, Pub. L. No. 113-291, Sec. 834 (2014).
---------------------------------------------------------------------------

              II. Background and Need for the Legislation

    Federal data centers are the physical facilities where 
federal agencies store and process data, and host key 
information technology (IT) and cybersecurity infrastructure. 
Following the passage of the FITARA, OMB launched the Federal 
Data Center Optimization Initiative (DCOI) to advance data 
center consolidation and improve federal data centers' 
performance.\4\ Since 2010, more than 6,000 federal data 
centers have been consolidated with a resulting cost savings 
and cost avoidance of $5.8 billion.\5\
---------------------------------------------------------------------------
    \4\Memorandum from Tony Scott, Federal Chief Information Officer, 
to Heads of Executive Departments and Agencies, Data Center 
Optimization Initiative (DCOI) (available at https://
datacenters.cio.gov/policy/) (Aug.1, 2016).
    \5\Government Accountability Office, Data Center Optimization: 
Agencies Report Progress and Billions Saved, but OMN Needs to Improve 
Its Utilization Guidance (GAO-21-212) (March 4, 2021).
---------------------------------------------------------------------------
    The Government Accountability Office (GAO) has tracked and 
reported on agencies' progress in consolidating data centers 
regularly since 2011.\6\ In 2017, GAO issued three substantial 
reports identifying opportunities for agency data center 
optimization.\7\ It also included identification of 
improvements for IT management on its ``high risk'' list.\8\
---------------------------------------------------------------------------
    \6\Government Accountability Office, Data Center Consolidation: 
Agencies Need to Complete Inventories and Plans to Achieve Expected 
Savings (GAO-11-565) (Jul. 19, 2011); Government Accountability Office, 
Data Center Consolidation: Agencies Making Progress on Efforts, but 
Inventories and Plans Need to be Completed (GAO-12-742) (Jul. 19, 
2012); Government Accountability Office, Data Center Consolidation: 
Strengthened Oversight Needed to Achieve Cost Savings Goal (GAO-13-378) 
(Apr. 23, 2013); Government Accountability Office, Data Center 
Consolidation: Reporting Can Be Improved to Reflect Substantial Planned 
Savings (GAO-14-713); Government Accountability Office, Data Center 
Consolidation: Agencies Making Progress, but Planned Savings Goals Need 
to Be Established (GAO-16-323) (Mar. 3, 2016).
    \7\Government Accountability Office, Government Efficiency and 
Effectiveness: Opportunities to Address Pervasive Management Risks and 
Challenges while Reducing Federal Costs (GAO-17-631T) (May 17, 2017); 
Government Accountability Office, Agencies Need to Complete Plans to 
Address Inconsistencies in Reported Savings (GAO-17-388); Government 
Accountability Office, Data Center Optimization: Agencies Need to 
Address Challenges and Improve Progress to Achieve Cost Savings Goal 
(GAO-17-488) (Aug. 15, 2017); Government Accountability Office, 
Improving the Management of IT Acquisitions and Operations 
(www.gao.gov/highrisk/improving-
management-it-acquisitions-and-operations) (accessed Aug. 30, 2022).
    \8\Government Accountability Office, High-Risk Series: Efforts Made 
to Achieve Progress Need to Be Maintained and Expanded to Fully Address 
All Areas (GAO-23-106203) (accessed April 10, 2023).
---------------------------------------------------------------------------
    Building upon DCOI, OMB issued Memorandum M-19-19 Update to 
the Data Center Optimization Initiative (DCOI), which included 
new performance metrics for federal data centers, required 
agencies to prioritize their focus on key mission facilities, 
and aligned agency IT infrastructure investments to the Cloud 
Smart Strategy.\9\ Recently, Congress has provided additional 
direction to federal agencies on how to prioritize the metrics 
and requirements of federal IT infrastructure, most notably 
through the passage of the Energy Act of 2020.\10\ S. 933 
builds upon these requirements to ensure any new federal data 
center complies with additional requirements, to be set by OMB, 
for cybersecurity and resilience, while also urging agencies to 
update their current data centers to meet the OMB requirements 
when those facilities, or the contracts that manage them, come 
up for review or contract renewal.
---------------------------------------------------------------------------
    \9\Memorandum from Suzette Kent, Federal Chief Information Officer, 
to Chief Information Officers of Executive Departments and Agencies, 
Update to Data Center Optimization Initiative (DCOI) (available at 
https://datacenters.cio.gov/policy/) (June 25, 2019); Office of 
Management and Budget, Office of the Federal Chief Information Officer, 
Federal Cloud Computing Strategy, From Cloud First to Cloud Smart 
(https://cloud.cio.gov/strategy/) (accessed on Aug. 30, 2022).
    \10\Consolidated Appropriations Act of 2021, Pub. L. No 116-260, 
Div. Z, Sec. 1003 (2020).
---------------------------------------------------------------------------

                        III. Legislative History

    Senator Jacky Rosen (D-NV) introduced S. 933 on March 22, 
2023, with Senator John Cornyn (R-TX) and Chairman Gary Peters 
(D-MI) as cosponsors. The bill was referred to the Committee on 
Homeland Security and Governmental Affairs.
    The Committee considered S. 933 at a business meeting on 
March 29, 2023. During the business meeting. S. 933 was ordered 
reported favorably by a roll call vote of 12 yeas and 0 nays 
with Senators Peters, Hassan, Sinema, Rosen, Padilla, Ossoff, 
Blumenthal, Paul, Lankford, Romney, Scott, and Hawley voting in 
the affirmative, and with Senators Carper, Johnson, and 
Marshall voting yea by proxy, for the record only.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section designates the name of the bill as the 
``Federal Data Center Enhancement Act of 2023.''

Section 2. Federal Data Center Consolidation Initiative amendments

    Subsection (a) finds that the upcoming expiration of the 
Federal Data Center Optimization Initiative authorized under 
the Fiscal Year 2015 National Defense Authorization Act 
presents an opportunity to review the objectives of the Federal 
Data Center Optimization Initiative to ensure that the 
initiative is meeting the current needs of the federal 
government. This section also notes the growing need for 
federal agencies to use data centers and cloud applications 
that meet high standards for cybersecurity, resiliency, 
availability, and sustainability.
    Subsection (b) establishes minimum requirements for new 
data centers. Subsection (b)(1) defines a new data center as a 
data center (or a portion thereof) that is established or 
substantially upgraded within 180 days of enactment and that is 
owned, operated, or maintained by a covered federal agency and, 
to the extent practicable, a data center owned, operated, or 
maintained by a federal contractor.
    Subsection (b)(2) requires the Administrator of the Office 
of Electronic Government to establish minimum requirements for 
new data centers in consultation with the Administrator of 
General Services and the Federal Chief Information Officers 
Council. These requirements relate to availability and use of 
new data centers, the use of sustainable energy sources, uptime 
percentage, protection against power failures, protections 
against physical intrusions and natural disasters, and 
information security requirements of the Federal Information 
Security Modernization Act of 2014 (Pub. L. 113-283). This 
subsection requires OMB to consult with the Director of the 
Cybersecurity and Infrastructure Security Agency and the 
National Cyber Director in establishing the requirements.
    Subsection (b)(3) allows the Administrator to incorporate 
the minimum requirements established under (b)(1) into the 
requirements for any agency data center existing at the date of 
enactment.
    Subsection (b)(4) provides for periodic review of the 
requirements in consultation with the Administrator of General 
Services and the Federal Chief Information Officers Council.
    Subsection (b)(5) requires, if, during the development and 
planning lifecycle of a new data center, an agency head 
determines that the agency is likely to make a management or 
financial decision relating to the new data center, the head of 
the covered agency shall report it to the Administrator of the 
Office of Electronic Government, the Senate Committee on 
Homeland Security and Governmental Affairs and the House 
Committee on Oversight and Accountability with a sufficiently 
detailed description of how the agency intends to comply with 
the minimum requirements.
    Subsection (b)(6) requires agency heads, in determining 
whether to establish or continue to operate a data center, to 
regularly assess the agency's application portfolio to ensure 
that each legacy application is updated, replaced, or 
modernized, as appropriate, to take advantage of modern 
technologies. The subsection also requires agency heads to 
prioritize and, to the greatest extent possible, leverage 
commercial cloud environments rather than acquiring, 
overseeing, or managing custom data center infrastructure.
    Subsection (b)(7) requires agencies to post certain data 
and information on a public website regarding their compliance 
with the requirements in the Federal Data Center Enhancement 
Act of 2023. Finally, the subsection requires agencies to 
oversee and manage their data centers to comply with 
information security standards promulgated by the National 
Institute of Standards and Technology, additional requirements 
of the Federal Risk Authorization and Management Program 
(FedRAMP), and binding operational directives issues by the 
Department of Homeland Security.
    Subsection (c) extends the sunset of the Federal Data 
Center Consolidation Initiative from October 1, 2022 to October 
1, 2026.
    Subsection (d) requires the Comptroller General to issue a 
report within 1 year of enactment that will shall review, 
verify, and audit the compliance of covered agencies with the 
minimum requirements of the Act.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate




    S. 933 would modify and reauthorize the Federal Data Center 
Consolidation Initiative through the end of fiscal year 2026; 
that authority expired at the end of 2022.
    The bill would require the Office of E-Government and 
Information Technology to establish minimum requirements for 
the availability and use of new data centers and set standards 
for protection against power failures, intrusions, and natural 
disasters. Under the bill, the General Services Administration 
(GSA) would provide guidance for developing and incorporating 
those requirements into the operations of existing data centers 
and would post information about agencies' compliance with the 
new requirements.
    Based on information from GSA and the Government 
Accountability Office (GAO), CBO expects that federal agencies 
will continue their efforts to optimize the performance and 
improve the security of data centers, regardless of the 
initiative's expired authority. Thus, CBO estimates that 
implementing those requirements would not significantly 
increase federal costs over the 2023-2028 period.
    S. 933 also would require GAO to report annually to the 
Congress on implementation of the bill's requirements and CBO 
expects the cost of the reports would not be significant.
    S. 933 could affect direct spending by some agencies that 
are allowed to use fees, receipts from the sale of goods, and 
other collections to cover operating costs. CBO estimates that 
any net changes in direct spending by those agencies would be 
negligible because most of them can adjust amounts collected to 
reflect changes in operating costs.
    The CBO staff contact for this estimate is Matthew 
Pickford. The estimate was reviewed by H. Samuel Papenfuss, 
Deputy Director of Budget Analysis.
                                         Phillip L. Swagel,
                             Director, Congressional Budget Office.

       VII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 44--PUBLIC PRINTING AND DOCUMENTS

           *       *       *       *       *       *       *


CHAPTER 36--MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES

           *       *       *       *       *       *       *



SEC. 3601. DEFINITIONS

           *       *       *       *       *       *       *


STATUTORY NOTES AND RELATED SUBSIDIARIES

           *       *       *       *       *       *       *


FEDERAL DATA CENTER CONSOLIDATION INITIATIVE

           *       *       *       *       *       *       *


    (a) * * *
          (1) * * *
          (2) * * *
          [(3) FDCCI.--The term `FDCCI' means the Federal Data 
        Center Consolidation Initiative described in the Office 
        of Management and Budget Memorandum on the Federal Data 
        Center Consolidation Initiative, dated February 26, 
        2010, or any successor thereto.
          [(4) Government-Wide Data Center Consolidation and 
        Optimization Metrics.--The term `Government-wide data 
        center consolidation and optimization metrics' means 
        the metrics established by the Administrator under 
        subsection (b)(2)(G).]
          (3) New data center.--The term `new data center' 
        means--
                  (A)(i) a data center or a portion thereof 
                that is owned, operated, or maintained by a 
                covered agency; or
                  (ii) to the extent practicable, a data center 
                or portion thereof--
                          (I) that is owned, operated, or 
                        maintained by a contractor on behalf of 
                        a covered agency on the date on which 
                        the contract between the covered agency 
                        and the contractor expires; and
                          (II) with respect to which the 
                        covered agency extends the contract, or 
                        enters into a new contract, with the 
                        contractor; and
                  (B) on or after the date that is 180 days 
                after the date of enactment of the Federal Data 
                Center Enhancement Act of 2023, a data center 
                or portion thereof that is--
                          (i) established; or
                          (ii) substantially upgraded or 
                        expanded.
    [(b) Federal Data Center Consolidation Inventories and 
Strategies.--
                          [(1) In general.--
                  [(A) Annual reporting.--Except as provided in 
                subparagraph (C), each year, beginning in the 
                first fiscal year after the date of the 
                enactment of this Act [Dec. 19, 2014] and each 
                fiscal year thereafter, the head of each 
                covered agency, assisted by the Chief 
                Information Officer of the agency, shall submit 
                to the Administrator--
                          [(i) a comprehensive inventory of the 
                        data centers owned, operated, or 
                        maintained by or on behalf of the 
                        agency; and
                          [(ii) a multi-year strategy to 
                        achieve the consolidation and 
                        optimization of the data centers 
                        inventoried under clause (i), that 
                        includes--
                                  [(I) performance metrics--
                                          [(aa) that are 
                                        consistent with the 
                                        Government-wide data 
                                        center consolidation 
                                        and optimization 
                                        metrics; and
                                          [(bb) by which the 
                                        quantitative and 
                                        qualitative progress of 
                                        the agency toward the 
                                        goals of the FDCCI can 
                                        be measured;
                                  [(II) a timeline for agency 
                                activities to be completed 
                                under the FDCCI, with an 
                                emphasis on benchmarks the 
                                agency can achieve by specific 
                                dates;
                                  [(III) year-by-year 
                                calculations of investment and 
                                cost savings for the period 
                                beginning on the date of the 
                                enactment of this Act and 
                                ending on the date set forth in 
                                subsection (e), broken down by 
                                each year, including a 
                                description of any initial 
                                costs for data center 
                                consolidation and optimization 
                                and life cycle cost savings and 
                                other improvements, with an 
                                emphasis on--
                                          [(aa) meeting the 
                                        Government-wide data 
                                        center consolidation 
                                        and optimization 
                                        metrics; and
                                          [(bb) demonstrating 
                                        the amount of agency-
                                        specific cost savings 
                                        each fiscal year 
                                        achieved through the 
                                        FDCCI; and
                                  [(IV) any additional 
                                information required by the 
                                Administrator.
                  [(B) Use of other reporting structures.--The 
                Administrator may require a covered agency to 
                include the information required to be 
                submitted under this subsection through 
                reporting structures determined by the 
                Administrator to be appropriate.
                  [(C) Department of defense reporting.--For 
                any year that the Department of Defense is 
                required to submit a performance plan for 
                reduction of resources required for data 
                servers and centers, as required under section 
                2867(b) of the National Defense Authorization 
                Act for Fiscal Year 2012 [Pub. L. 112-81] (10 
                U.S.C. 2223a note), the Department of Defense--
                          [(i) may submit to the Administrator, 
                        in lieu of the multi-year strategy 
                        required under subparagraph (A)(ii)--
                                  [(I) the defense-wide plan 
                                required under section 
                                2867(b)(2) of the National 
                                Defense Authorization Act for 
                                Fiscal Year 2012 (10 U.S.C. 
                                2223a note); and
                                  [(II) the report on cost 
                                savings required under section 
                                2867(d) of the National Defense 
                                Authorization Act for Fiscal 
                                Year 2012 (10 U.S.C. 2223a 
                                note); and
                          [(ii) shall submit the comprehensive 
                        inventory required under subparagraph 
                        (A)(i), unless the defense-wide plan 
                        required under section 2867(b)(2) of 
                        the National Defense Authorization Act 
                        for Fiscal Year 2012 (10 U.S.C. 2223a 
                        note)--
                                  [(I) contains a comparable 
                                comprehensive inventory; and
                                  [(II) is submitted under 
                                clause (i).
                  [(D) Statement. --Each year, beginning in the 
                first fiscal year after the date of the 
                enactment of this Act and each fiscal year 
                thereafter, the head of each covered agency, 
                acting through the Chief Information Officer of 
                the agency, shall--
                          [(i)
                                  [(I) submit a statement to 
                                the Administrator stating 
                                whether the agency has complied 
                                with the requirements of this 
                                section; and
                                  [(II) make the statement 
                                submitted under subclause (I) 
                                publicly available; and
                          [(ii) if the agency has not complied 
                        with the requirements of this section, 
                        submit a statement to the Administrator 
                        explaining the reasons for not 
                        complying with such requirements.
                  [(E) Agency implementation of strategies.--
                          [(i) In general.--Each covered 
                        agency, under the direction of the 
                        Chief Information Officer of the 
                        agency, shall--
                                  [(I) implement the strategy 
                                required under subparagraph 
                                (A)(ii); and
                                  [(II) provide updates to the 
                                Administrator, on a quarterly 
                                basis, of--
                                          [(aa) the completion 
                                        of activities by the 
                                        agency under the FDCCI;
                                          [(bb) any progress of 
                                        the agency towards 
                                        meeting the Government-
                                        wide data center 
                                        consolidation and 
                                        optimization metrics; 
                                        and
                                          [(cc) the actual cost 
                                        savings and other 
                                        improvements realized 
                                        through the 
                                        implementation of the 
                                        strategy of the agency.
                          [(ii) Department of defense.--For 
                        purposes of clause (i)(I), 
                        implementation of the defense-wide plan 
                        required under section 2867(b)(2) of 
                        the National Defense Authorization Act 
                        for Fiscal Year 2012 [Pub. L. 112-81] 
                        (10 U.S.C. 2223a note) by the 
                        Department of Defense shall be 
                        considered implementation of the 
                        strategy required under subparagraph 
                        (A)(ii).
                  [(F) Rule of construction.--Nothing in this 
                section shall be construed to limit the 
                reporting of information by a covered agency to 
                the Administrator, the Director of the Office 
                of Management and Budget, or Congress.
          [(2) Administrator responsibilities.--The 
        Administrator shall--
                  [(A) establish the deadline, on an annual 
                basis, for covered agencies to submit 
                information under this section;
                  [(B) establish a list of requirements that 
                the covered agencies must meet to be considered 
                in compliance with paragraph (1);
                  [(C) ensure that information relating to 
                agency progress towards meeting the Government-
                wide data center consolidation and optimization 
                metrics is made available in a timely manner to 
                the general public;
                  [(D) review the inventories and strategies 
                submitted under paragraph (1) to determine 
                whether they are comprehensive and complete;
                  [(E) monitor the implementation of the data 
                center strategy of each covered agency that is 
                required under paragraph (1)(A)(ii);
                  [(F) update, on an annual basis, the 
                cumulative cost savings realized through the 
                implementation of the FDCCI; and
                  [(G) establish metrics applicable to the 
                consolidation and optimization of data centers 
                Government-wide, including metrics with respect 
                to--
                          [(i) costs;
                          [(ii) efficiencies, including, at a 
                        minimum, server efficiency; and
                          [(iii) any other factors the 
                        Administrator considers appropriate.
          [(3) Cost saving goal and updates for congress.--
                  [(A) In general.--Not later than one year 
                after the date of the enactment of this Act, 
                the Administrator shall develop, and make 
                publicly available, a goal, broken down by 
                year, for the amount of planned cost savings 
                and optimization improvements achieved through 
                the FDCCI during the period beginning on the 
                date of the enactment of this Act and ending on 
                the date set forth in subsection (e).
                  [(B) Annual update.--
                          [(i) In general.--Not later than one 
                        year after the date on which the goal 
                        described in subparagraph (A) is made 
                        publicly available, and each year 
                        thereafter, the Administrator shall 
                        aggregate the reported cost savings of 
                        each covered agency and optimization 
                        improvements achieved to date through 
                        the FDCCI and compare the savings to 
                        the projected cost savings and 
                        optimization improvements developed 
                        under subparagraph (A).
                          [(ii) Update for congress.--The goal 
                        required to be developed under 
                        subparagraph (A) shall be submitted to 
                        Congress and shall be accompanied by a 
                        statement describing--
                                  [(I) the extent to which each 
                                covered agency has developed 
                                and submitted a comprehensive 
                                inventory under paragraph 
                                (1)(A)(i), including an 
                                analysis of the inventory that 
                                details specific numbers, use, 
                                and efficiency level of data 
                                centers in each inventory; and
                                  [(II) the extent to which 
                                each covered agency has 
                                submitted a comprehensive 
                                strategy that addresses the 
                                items listed in paragraph 
                                (1)(A)(ii).
          [(4) GAO review.--
                  [(A) In general.--Not later than one year 
                after the date of the enactment of this Act, 
                and each year thereafter, the Comptroller 
                General of the United States shall review and 
                verify the quality and completeness of the 
                inventory and strategy of each covered agency 
                required under paragraph (1)(A).
                  [(B) Report.--The Comptroller General of the 
                United States shall, on an annual basis, 
                publish a report on each review conducted under 
                subparagraph (A).]
    (b) Minimum Requirements for New Data Centers.--
          (1) In general.--Not later than 180 days after the 
        date of enactment of the Federal Data Center 
        Enhancement Act of 2023, the Administrator shall 
        establish minimum requirements for new data centers in 
        consultation with the Administrator of General Services 
        and the Federal Chief Information Officers Council.
          (2) Contents.--
                  (A) In general.--The minimum requirements 
                established under paragraph (1) shall include 
                requirements relating to--
                          (i) the availability of new data 
                        centers;
                          (ii) the use of new data centers;
                          (iii) the use of sustainable energy 
                        sources;
                          (iv) uptime percentage;
                          (v) protections against power 
                        failures, including on-site energy 
                        generation and access to multiple 
                        transmission paths;
                          (vi) protections against physical 
                        intrusions and natural disasters;
                          (vii) information security 
                        protections required by subchapter II 
                        of chapter 35 of title 44, United 
                        States Code, and other applicable law 
                        and policy; and
                          (viii) any other requirements the 
                        Administrator determines appropriate.
                  (B) Consultation.--In establishing the 
                requirements described in subparagraph 
                (A)(vii), the Administrator shall consult with 
                the Director of the Cybersecurity and 
                Infrastructure Security Agency and the National 
                Cyber Director.
          (3) Incorporation of minimum requirements into 
        current data centers.--As soon as practicable, and in 
        any case not later than 90 days after the Administrator 
        establishes the minimum requirements pursuant to 
        paragraph (1), the Administrator shall issue guidance 
        to ensure, as appropriate, that covered agencies 
        incorporate the minimum requirements established under 
        that paragraph into the operations of any data center 
        of a covered agency existing as of the date of 
        enactment of the Federal Data Center Enhancement Act of 
        2023.
          (4) Review of requirements.--The Administrator, in 
        consultation with the Administrator of General Services 
        and the Federal Chief Information Officers Council, 
        shall review, update, and modify the minimum 
        requirements established under paragraph (1), as 
        necessary.
          (5) Report on new data centers.--During the 
        development and planning lifecycle of a new data 
        center, if the head of a covered agency determines that 
        the covered agency is likely to make a management or 
        financial decision relating to any data center, the 
        head of the covered agency shall--
                  (A) notify--
                          (i) the Administrator;
                          (ii) Committee on Homeland Security 
                        and Governmental Affairs of the Senate; 
                        and
                          (iii) Committee on Oversight and 
                        Accountability of the House of 
                        Representatives; and
                  (B) describe in the notification with 
                sufficient detail how the covered agency 
                intends to comply with the minimum requirements 
                established under paragraph (1).
          (6) Use of technology.--In determining whether to 
        establish or continue to operate an existing data 
        center, the head of a covered agency shall--
                  (A) regularly assess the application 
                portfolio of the covered agency and ensure that 
                each at risk legacy application is updated, 
                replaced, or modernized, as appropriate, to 
                take advantage of modern technologies; and
                  (B) prioritize and, to the greatest extent 
                possible, leverage commercial cloud 
                environments rather than acquiring, overseeing, 
                or managing custom data center infrastructure.
          (7) Public website.--
                  (A) In general.--The Administrator shall 
                maintain a public-facing website that includes 
                information, data, and explanatory statements 
                relating to the compliance of covered agencies 
                with the requirements of this section.
                  (B) Processes and procedures.--In maintaining 
                the website described in subparagraph (A), the 
                Administrator shall--
                          (i) ensure covered agencies 
                        regularly, and not less frequently than 
                        biannually, update the information, 
                        data, and explanatory statements posed 
                        on the website, pursuant to guidance 
                        issued by the Administrator, relating 
                        to any new data centers and, as 
                        appropriate, each existing data center 
                        of the covered agency; and
                          (ii) ensure that all information, 
                        data, and explanatory statements on the 
                        website are maintained as open 
                        Government data assets.
    (c) Ensuring Cybersecurity Standards for Data Center 
Consolidation and Cloud Computing.--
          [(1) In general.--In implementing a data center 
        consolidation and optimization strategy under this 
        section, a covered agency shall do so in a manner that 
        is consistent with Federal guidelines on cloud 
        computing security, including--
                  [(A) applicable provisions found within the 
                Federal Risk and Authorization Management 
                Program (FedRAMP); and
                  [(B) guidance published by the National 
                Institute of Standards and Technology.]
          (1) In general.--The head of a covered agency shall 
        oversee and manage the data center portfolio and the 
        information technology strategy of the covered agency 
        in accordance with Federal cybersecurity guidelines and 
        directives, including--
                  (A) information security standards and 
                guidelines promulgated by the Director of the 
                National Institute of Standards and Technology;
                  (B) applicable requirements and guidance 
                issued by the Director of the Office of 
                Management and Budget pursuant to section 3614 
                of title 44, United States Code; and
                  (C) directives issued by the Secretary of 
                Homeland Security under section 3553 of title 
                44, United States Code.
          (2) * * *
    (d) * * *
    (e) Sunset.--This section is repealed effective on October 
1, [2022] 2026.