USDA’s Assessment of the National Finance Center Data Center did not comprehensively address the cost-effectiveness, security, and demonstrated history of maintaining continuity of operations functions, as part of its cost-benefit assessment of selected data centers, as directed by the Consolidated Appropriations Act, 2018.
Specifically, USDA’s assessment did not address three of five elements for evaluating the cost-benefit and cost-effectiveness of the data centers selected for its review. For example, while identifying potential cost savings to the National Finance Center (NFC), the assessment did not determine the net present value of the life-cycle costs of operating the data centers, as recommended by the Office of Management and Budget (OMB). In addition, the assessment’s security review included a limited evaluation of physical security for only two of the four data centers, and lacked an analysis of the information security controls for any of the selected data centers. Further, the continuity of operations review did not evaluate each data center’s demonstrated ability to maintain continuity of operations functions, as required by the act. The assessment did, however, accurately report the Federal Risk and Authorization Management Program (FedRAMP) certification status of the four selected data centers.
In discussing their approach to developing the assessment, General Services Administration (GSA) officials stated that they did not follow any policies or guidance for the development of this assessment. They also stated that their review of physical security was limited because of time constraints established by the mandate. Further, the officials stated that they did not evaluate the information security capabilities of the data centers because information on the information security posture for each data center was already available as part of the agencies’ required reporting on Federal Information Security Modernization Act of 2014 (FISMA) metrics. As a result of the limited information provided, the assessment does not effectively inform stakeholders and congressional decision makers.