Department of Agriculture: Analysis of Selected Data Centers Did Not Follow Federal Guidance and Leading Practices
Highlights
What GAO Found
USDA's Assessment of the National Finance Center Data Center did not comprehensively address the cost-effectiveness, security, and demonstrated history of maintaining continuity of operations functions, as part of its cost-benefit assessment of selected data centers, as directed by the Consolidated Appropriations Act, 2018.
Specifically, USDA's assessment did not address three of five elements for evaluating the cost-benefit and cost-effectiveness of the data centers selected for its review. For example, while identifying potential cost savings to the National Finance Center (NFC), the assessment did not determine the net present value of the life-cycle costs of operating the data centers, as recommended by the Office of Management and Budget (OMB). In addition, the assessment's security review included a limited evaluation of physical security for only two of the four data centers, and lacked an analysis of the information security controls for any of the selected data centers. Further, the continuity of operations review did not evaluate each data center's demonstrated ability to maintain continuity of operations functions, as required by the act. The assessment did, however, accurately report the Federal Risk and Authorization Management Program (FedRAMP) certification status of the four selected data centers.
In discussing their approach to developing the assessment, General Services Administration (GSA) officials stated that they did not follow any policies or guidance for the development of this assessment. They also stated that their review of physical security was limited due to time limitations established by the mandate. Further, the officials stated that they did not evaluate the information security capabilities of the data centers because information on the information security posture for each data center was already available as part of the agencies' required reporting on Federal Information Security Modernization Act of 2014 (FISMA) metrics. As a result of the limited information provided, the assessment does not effectively inform stakeholders and congressional decision makers.
Why GAO Did This Study
The Consolidated Appropriations Act, 2018 required the Secretary of Agriculture to conduct and submit to the Committees on Appropriations, a detailed cost-benefit analysis that includes a complete analysis of the department's National Finance Center (NFC) data center and two other data centers of comparable size and complexity. The act required the analysis to also include an assessment of each data center's (1) cost-effectiveness; (2) security; (3) Federal Risk and Authorization Management Program (FedRAMP) certification status; and (4) demonstrated record of maintaining continuity of operations plan (COOP) functions without the disruption of critical operations.
The act also included a provision for GAO to conduct a sufficiency review of USDA's assessment. This report identifies the extent to which the assessment addressed the cost-effectiveness, security, and continuity of operations of each data center in accordance with federal guidance and leading practices.
To do so, GAO compared the assessment's analysis of each data center's cost-effectiveness, security, and continuity of operations with relevant federal guidelines and leading practices established by the Office of Management and Budget (OMB), GAO, and others. GAO also interviewed GSA officials who conducted the assessment, as well as officials representing the data centers included in the assessment.
Recommendations
GAO recommends that the Secretary of Agriculture take four actions:
The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1)
When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2)
When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3)
When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4)
USDA, GSA, DOT, and NASA received drafts of this report for comment. USDA generally disagreed with the findings and recommendations in the report. The department stated that conducting another assessment in accordance with OMB guidance would yield the same results as its original assessment. Nevertheless, GAO continues to believe our recommendations are warranted. An official in the Office of the Executive Secretariat at GSA concurred with the draft via email. DOT and NASA provided technical comments, which we incorporated into the report, as appropriate.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Agriculture | The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1) | The Department of Agriculture did not concur with the recommendation. In August 2021, the Department reported that it does not plan to address the recommendation because it has only two official enterprise data centers remaining and it would not be cost effective to do so. |
Department of Agriculture | When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2) | The Department of Agriculture did not concur with the recommendation. In August 2021, the Department reported that it does not plan to address the recommendation because it has only two official enterprise data centers remaining and it would not be cost effective to do so. |
Department of Agriculture | When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3) | The Department of Agriculture did not concur with the recommendation. In August 2021, the Department reported that it does not plan to address the recommendation because it has only two official enterprise data centers remaining and it would not be cost effective to do so. |
Department of Agriculture | When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4) | The Department of Agriculture did not concur with the recommendation. In August 2021, the Department reported that it does not plan to address the recommendation because it has only two official enterprise data centers remaining and it would not be cost effective to do so. |