In the recently passed National Defense Authorization Act (NDAA) for Fiscal Year 2024, Congress directs agencies to prioritize the use of commercial cloud and data center solutions through the updated Federal Data Center Enhancement Act of 2023. In addition to reaffirming the long-standing goal of data center consolidation, the act requires the establishment of security standards for commercial providers that aim to host critical U.S. federal IT.
The level of security required when selecting a data center should be a risk-based decision that considers the criticality of the information and the operational capability the facility supports. That assessment should weigh the threat to the information and operations, the impact of information loss or degraded operational readiness, and the countermeasures implemented to reduce the overall risk. Before choosing a data center provider, conduct a thorough review of the security posture of each facility to ensure it aligns with those requirements.
With the recent explosive growth of data centers, some providers looking to be part of that growth may not fully understand the security requirements appropriate for safeguarding federal data. Consequently, inexperienced data center providers may not implement sufficient security measures to prevent a determined adversary from stealing information, infiltrating networks, or causing physical harm to equipment or critical infrastructure. This threat extends beyond typical state actors to include activists, environmentalists, and groups promoting civil unrest or damage to facilities, especially as data centers continue to proliferate. One such example is Seth Aaron Pendley, whom the FBI arrested in 2021 after he attempted to obtain explosives to blow up a data center [1]. These concerns become even more critical when the facility will protect sensitive federal government information and classified national security assets.
While traditional commercial colocation data center facilities may meet basic security and technical data center requirements, they often house multiple companies, and those tenants may include foreign entities considered adversarial to U.S. interests. Because of the competing interests of the various tenants in these facilities, federal security countermeasures may be costly, seen as inconvenient, and deployed ineffectively, if at all. Many colocation providers also do not restrict which companies, visitors, or staff may enter the facility. This creates an opportunity for a determined adversary to access information or inflict harm on the equipment housed within.
Conversely, in a data center with a dedicated federal focus and facilities restricted to “federal-only” tenants, these security considerations are built into the solution from the ground up, and the provider is prepared to support federal compliance and security best practices. There are numerous documented instances of foreign adversaries intent on obtaining sensitive or classified data from federal networks [2, 3, 4, 5, 6, 7]. “Since 2014, the US government has suffered 1,283 breaches affecting more than 200 million records” [8]. The closer an adversary can get to information, the easier access becomes. Physical access to a data center could allow an adversary to inject malware or spyware more easily, or simply to exfiltrate data. An adversary with physical access can also damage servers, racks, or network cabling, or sabotage the facility’s critical infrastructure. Federal-only data centers restrict access and greatly reduce such threats.
A purpose-built federal-only data center can fulfill all the enhanced security requirements necessary to safeguard sensitive and classified information. Such a facility, designed specifically for federal tenants and for third-party providers supporting federal workloads, can be constructed with the same rigor and countermeasures as any federal facility.
Some key security considerations when selecting a data center to house federal government data or equipment are:
- Is the data center compliant with all appropriate Department of Homeland Security Interagency Security Committee (ISC) [9] standards and best practices for the protection of federal leased facilities?
- Is the facility constructed to meet GSA or DoD progressive collapse requirements (where applicable)?
- Does the provider implement both physical and technical security countermeasures that satisfy not only ISC requirements, but also Intelligence Community Directives, DoD Unified Facilities Criteria, and other government information technology policies?
- Does the provider have the experience and a comprehensive understanding of government policies and requirements needed to implement them appropriately and consistently?
- Does the facility provide these additional physical and technical security measures:
  - Anti-ram and anti-climb defended perimeter
  - Increased standoff distance
  - Remote mail screening facility
  - Enhanced CCTV coverage
  - Multi-factor and multi-layered access controls
  - Enhanced supply chain risk management review, including compliance with NDAA Section 889 (the prohibition on covered telecommunications and video surveillance equipment)
  - Enhanced IT infrastructure and building management system security controls
  - Employee vetting and background checks
  - Robust and mature insider threat program
  - Critical infrastructure physical protection
  - Enhanced construction security
Many considerations must be taken into account when signing a lease for federal data center needs. As agencies look to comply with the Federal Data Center Enhancement Act through the use of cloud providers or direct leasing of commercial data center space, they must not overlook the importance of overall security.
ABOUT BRIAN DOTO
Brian Doto, Vice President, Federal Assurance, joined QTS in December 2020. Mr. Doto completed a 23-year law enforcement career, serving as a Special Agent with the FBI. During his distinguished career with the FBI, Mr. Doto conducted criminal investigations and supported many national security cases. He also served in multiple roles within the FBI’s Security Division overseeing Physical Security, Supply Chain Risk Management, Continuity of Operations, Continuity of Government, FBI Police, and the Executive Protection programs. Mr. Doto also served in two Joint Duty Assignments with the Office of the Director of National Intelligence, National Counterintelligence and Security Center, Center for Security Evaluation. In his current role, Mr. Doto ensures that QTS purpose-built federal data centers meet all federal security standards from design concept through finished project.
1. Texas Man Charged With Intent to Attack Data Centers
2. China remains the biggest threat, according to the defense security community
3. The OPM hack explained: Bad security practices meet China’s Captain America
4. Targeting U.S. Technologies: A Report of Threats to Cleared Industry
5. US State Department suffers cyberattack
6. Major government hack a wake-up call for agencies
7. Significant Cyber Incidents
8. Can you trust the US Government with your data?
9. Federal Register: Interagency Security Committee
Visit QTS Federal, LLC at www.qtsdatacenters.com/federal