Department of Agriculture:

Analysis of Selected Data Centers Did Not Follow Federal Guidance and Leading Practices

GAO-19-146R: Published: Dec 19, 2018. Publicly Released: Dec 19, 2018.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Oliver M. Richard
(202) 512-8424
richardo@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

USDA's Assessment of the National Finance Center Data Center did not comprehensively address the cost-effectiveness, security, and demonstrated history of maintaining continuity of operations functions, as part of its cost-benefit assessment of selected data centers, as directed by the Consolidated Appropriations Act, 2018.

Specifically, USDA's assessment did not address three of five elements for evaluating the cost-benefit and cost-effectiveness of the data centers selected for its review. For example, while identifying potential cost savings to the National Finance Center (NFC), the assessment did not determine the net present value of the life-cycle costs of operating the data centers, as recommended by the Office of Management and Budget (OMB). In addition, the assessment's security review included a limited evaluation of physical security for only two of the four data centers, and lacked an analysis of the information security controls for any of the selected data centers. Further, the continuity of operations review did not evaluate each data center's demonstrated ability to maintain continuity of operations functions, as required by the act. The assessment did, however, accurately report the Federal Risk and Authorization Management Program (FedRAMP) certification status of the four selected data centers.

In discussing their approach to developing the assessment, General Services Administration (GSA) officials stated that they did not follow any policies or guidance for the development of this assessment. They also stated that their review of physical security was limited due to time limitations established by the mandate. Further, the officials stated that they did not evaluate the information security capabilities of the data centers because information on the information security posture for each data center was already available as part of the agencies' required reporting on Federal Information Security Modernization Act of 2014 (FISMA) metrics. As a result of the limited information provided, the assessment does not effectively inform stakeholders and congressional decision makers.

Why GAO Did This Study

The Consolidated Appropriations Act, 2018 required the Secretary of Agriculture to conduct and submit to the Committees on Appropriations, a detailed cost-benefit analysis that includes a complete analysis of the department's National Finance Center (NFC) data center and two other data centers of comparable size and complexity. The act required the analysis to also include an assessment of each data center's (1) cost-effectiveness; (2) security; (3) Federal Risk and Authorization Management Program (FedRAMP) certification status; and (4) demonstrated record of maintaining continuity of operations plan (COOP) functions without the disruption of critical operations.

The act also included a provision for GAO to conduct a sufficiency review of USDA's assessment. This report identifies the extent to which the assessment addressed the cost-effectiveness, security, and continuity of operations of each data center in accordance with federal guidance and leading practices.

To do so, GAO compared the assessment's analysis of each data center's cost-effectiveness, security, and continuity of operations with relevant federal guidelines and leading practices established by the Office of Management and Budget (OMB), GAO, and others. GAO also interviewed GSA officials who conducted the assessment, as well as officials representing the data centers included in the assessment.

What GAO Recommends

GAO recommends that the Secretary of Agriculture take four actions:

The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1)

When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2)

When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3)

When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4)

USDA, GSA, DOT, and NASA received drafts of this report for comment. USDA generally disagreed with the findings and recommendations in the report. The department stated that conducting another assessment in accordance with OMB guidance would yield the same results as its original assessment. Nevertheless, GAO continues to believe our recommendations are warranted. An official in the Office of the Executive Secretariat at GSA concurred with the draft via email. DOT and NASA provided technical comments, which we incorporated into the report, as appropriate.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or WilshusenG@gao.gov or Oliver Richard at (202) 512-8424 or RichardO@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: As of March 2019, Department of Agriculture has not provided sufficient evidence to close the recommendation.

    Recommendation: The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1)

    Agency Affected: Department of Agriculture

  2. Status: Open

    Comments: As of March 2019, Department of Agriculture has not provided sufficient evidence to close the recommendation.

    Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2)

    Agency Affected: Department of Agriculture

  3. Status: Open

    Comments: As of March 2019, Department of Agriculture has not provided sufficient evidence to close the recommendation.

    Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3)

    Agency Affected: Department of Agriculture

  4. Status: Open

    Comments: As of March 2019, Department of Agriculture has not provided sufficient evidence to close the recommendation.

    Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4)

    Agency Affected: Department of Agriculture

 
