The US federal government has faced numerous challenges over the years in its efforts to consolidate a huge number of data centers across the country. Now it faces yet another hurdle.
It is uncertain what the future holds for the Data Center Optimization Initiative, which is already behind schedule, with a new administration that has yet to provide clarity on some of its most pressing questions.
The 2010 Federal Data Center Consolidation Initiative (FDCCI) and the 2014 Federal Information Technology Acquisition Reform Act (FITARA) led to the closure of thousands of data centers - with ‘data center’ being redefined last year to include smaller sites - bringing over $1 billion in savings, but not going far enough, or fast enough.
In August 2016, the government finalized its Data Center Optimization Initiative, which laid out further plans for greater efficiency and a shift to the cloud, with FITARA remaining in force.
Hitting the target closure timeline has proved tricky, however, particularly for the US Army, which is meant to shut down 60 percent of its nearly 1,200 data centers by fiscal 2018, but is not expected to reach that goal. Neither are numerous other agencies.
“2018 probably isn’t enough time to get this done,” Dave Powner, director of IT issues at the Government Accountability Office, said at MeriTalk’s Data Center Brainstorm (via MeriTalk).
He added that FITARA and the accompanying initiatives had led to 4,400 data center closures, but that they were still behind schedule, with some 5,600 data centers currently active.
“A key recommendation moving forward is extending the sunset provision in FITARA. The question is how long to extend it. If an agency really can’t optimize by 2020, should they be in the business of managing a data center? They need to ask themselves that. If agencies can’t operate these things, they need to think long and hard about getting out of the business.”
Some agencies have performed better than others, Powner said. Of the active data centers, only 120 have embraced server utilization tools, including those at NASA and the Social Security Administration.
While the overall goal is to close 25 percent of large data centers and 65 percent of small data centers, Veterans Affairs aims to close just 8 percent, and the Department of Transportation plans to close 4 percent of its large data centers over the next two years.
“VA’s done very little on data center consolidation,” Powner said. “It’s sad what our veterans have.”
FITARA requires agencies to submit transparency plans detailing cost-cutting measures, but that has also not gone as expected.
Powner said that 12 agencies outlined plans with potential savings of $600 million, while ten agencies submitted plans that involved no savings, and the Department of Defense and the Office of Personnel Management submitted nothing.
He added: “We need to have agencies commit more to these savings. This is where we need leadership from [The Office of Management and Budget].”
Data centers and cyber security
But leadership on this issue from the OMB and Trump administration as a whole may take time, with the office dealing with a new budget that focuses more on military spending and cuts to agencies like the Environmental Protection Agency and the National Institutes of Health. The new administration is still nominating staff and pushing forward with campaign agendas such as healthcare reform and The Wall.
Powner, however, had an idea on how to make data center consolidation a more pressing issue in the eyes of the state - a rebrand.
He said, via Federal News Radio: “I talked a lot with the transition teams, and IT is kind of a tough subject to get people to pay attention to, but cyber isn’t, and I think if you start with cyber and lead with cyber, it opens a conversation with key executives at the departments and agencies. Because to go in there and talk about data centers, IT spend or inefficient systems, it doesn’t get the attention it deserves.”
A focus on cyber security - which is both a genuinely valid reason for closing outdated, poorly protected data centers and a hot-button issue for the current administration - could also see the consolidation initiative find its way into Trump’s upcoming cyber security executive order.
Various drafts of the order have circulated, but it was originally expected to be signed by Trump at the end of January. After the troubled roll-out of his travel ban order, however, the pace of executive orders has slowed as the White House is seeking greater input from different departments in their formulation.
On January 31, Trump met with NSA director Admiral Mike Rogers, senior adviser Jared Kushner, and chief strategist Steve Bannon to discuss the cyber security order, and it is believed that more cyber security and technology industry experts have been consulted.
A leaked February version of the order, titled Strengthening the cybersecurity of federal networks and critical infrastructure, states: “The executive branch has for too long accepted antiquated and difficult to defend IT and information systems.”
“Effective risk management involves more than just protecting networks and data currently in place. It also requires planning so that future maintenance, improvements, and modernization occur in a coordinated fashion and with appropriate regularity.”
The argument for consolidating data centers as a cyber security endeavor has merit. In its 2013 paper on its Strategy for Implementing the Joint Information Environment, the Department of Defense said: “The current array of DoD data centers, networks, and systems introduces unnecessary costs, constrains interoperability, and introduces cyber security risks.
“To address these areas of concern, DoD is executing consolidation efforts that will ultimately reduce the number of data centers, shrink the size of the attack surface, and ensure survivability by consolidating and eliminating all data centers that are not part of the target architecture. Data center consolidation will help improve the DoD’s ability to streamline security, locate information, and incorporate new technologies and innovative approaches.”
Should Trump’s executive order take this into account, it could give chief information officers more influence in government agencies to push forward with data center closure initiatives, Powner argued. “A lot of CIOs don’t have the authority they need. I think there’s an opportunity to leverage cyber for CIO authority,” he said.
“IT is a tough subject to get people into, but cyber isn’t. If you lead with cyber, it’s helpful.”
A question of regulation
Joe Paiva, chief information officer of the Department of Commerce’s International Trade Administration, had another view on how to speed up the data center consolidation drive - cutting regulations.
Also at MeriTalk’s Data Center Brainstorm, he said: “We’re digging up mushrooms without getting to the problem at the forest floor.
“A bunch of civil servants created a bunch of regulations that they fed up through the chain of command to intentionally make their business so complex that you can’t go out and just buy a system. The culprit is needless regulations that civil servants created themselves. My piece of advice is get rid of that crap.”
This strategy may prove inviting to Trump, who has long spoken against regulations and signed an executive order with the goal of revoking two regulations for every new one put forward.
It could, however, lead to problems if the wrong regulations are cut. If data center consolidation is undertaken with the aim of improving cyber security, it is regulations that decide whether private companies are sufficiently secure and therefore deemed safe to work with.
Currently, federal agencies can only partner with contractors who are certified through the Federal Risk and Authorization Management Program (FedRAMP), managed by the OMB and Trump administration-appointee Mick Mulvaney. Amazon Web Services, Microsoft Azure, Autonomic Resources, and IBM’s SmartCloud are among those certified.
“First and foremost, FedRAMP is a defined set of security controls and parameters carved out of the National Institute of Standards and Technology (NIST) Special Publication 800.53 that defines a cybersecurity framework,” John Keese, director of government cloud services at CSRA, said in a blog post.
“Without FedRAMP, security and risk management has no consistency and is done on a case-by-case basis.”
It’s a divisive issue - with Yemi Oshinnaiye, division chief of US Citizenship and Immigration Services’ Enterprise Infrastructure Division, saying at Data Center Brainstorm that his agency had “been walled off from many good solutions because they’re not FedRAMP certified.”
But instead of cutting FedRAMP, Oshinnaiye said that private corporations could benefit from a better education on FedRAMP.
There is one other way that Oshinnaiye believes the government could get behind a consolidation drive and move to the cloud - it can simply be better.
“People see the gains. As you go ahead and experiment and put things in the cloud… from an IT perspective, we forget the program is the end-user. So we say ‘Hold on, we’re going to the cloud,’ but we need to show the benefit of the program. Once they see it, they’ll support it,” he said.
Whether the Trump administration sees that benefit, and how it will pursue it, is a matter that may take some time to be revealed.
In his first detailed comments since becoming the President’s assistant for homeland security and counterterrorism, Tom Bossert said: “Federal networks at this point can no longer sustain themselves. We cannot tolerate indefensible technology, antiquated technology, hardware and software.
“Modernization is absolutely critical. We will pursue that. You will see details in the coming weeks and months on how we will pursue that. It is not easy, but we cannot any longer defend indefensible networks.”