I
118THCONGRESS
1
STSESSION H. R. 5218
To amend the Carl Levin and Howard P. ‘‘Buck’’ McKeon National Defense
Authorization Act for Fiscal Year 2015 to modify requirements relating
to data centers of certain Federal agencies, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
AUGUST15, 2023
Mr. N
EGUSE(for himself and Mr. LALOTA) introduced the following bill;
which was referred to the Committee on Oversight and Accountability
A BILL
To amend the Carl Levin and Howard P. ‘‘Buck’’ McKeon
National Defense Authorization Act for Fiscal Year 2015
to modify requirements relating to data centers of certain
Federal agencies, and for other purposes.
Be it enacted by the Senate and House of Representa-1
tives of the United States of America in Congress assembled, 2
SECTION 1. SHORT TITLE. 3
This Act may be cited as the ‘‘Federal Data Center 4
Enhancement Act of 2023’’. 5
SEC. 2. FEDERAL DATA CENTER CONSOLIDATION INITIA-6
TIVE AMENDMENTS. 7
(a) F
INDINGS.—Congress finds the following: 8
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 2
•HR 5218 IH
(1) The statutory authorization for the Federal 1
Data Center Optimization Initiative under section 2
834 of the Carl Levin and Howard P. ‘‘Buck’’ 3
McKeon National Defense Authorization Act for 4
Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 5
113–291) expires at the end of fiscal year 2022. 6
(2) The expiration of the authorization de-7
scribed in paragraph (1) presents Congress with an 8
opportunity to review the objectives of the Federal 9
Data Center Optimization Initiative to ensure that 10
the initiative is meeting the current needs of the 11
Federal Government. 12
(3) The initial focus of the Federal Data Center 13
Optimization Initiative, which was to consolidate 14
data centers and create new efficiencies, has resulted 15
in, since 2010— 16
(A) the consolidation of more than 6,000 17
Federal data centers; and 18
(B) cost savings and avoidance of 19
$5,800,000,000. 20
(4) The need of the Federal Government for ac-21
cess to data and data processing systems has evolved 22
since the date of enactment in 2014 of subtitle D of 23
title VIII of the Carl Levin and Howard P. ‘‘Buck’’ 24
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 3
•HR 5218 IH
McKeon National Defense Authorization Act for 1
Fiscal Year 2015. 2
(5) Federal agencies and employees involved in 3
mission critical functions increasingly need reliable 4
access to secure, reliable, sustainable, and protected 5
facilities to house mission critical data and data op-6
erations to meet the immediate needs of the people 7
of the United States. 8
(6) As of the date of enactment of this Act, 9
there is a growing need for Federal agencies to use 10
data centers and cloud applications that meet high 11
standards for cybersecurity, resiliency, availability, 12
and sustainability. 13
(b) M
INIMUMREQUIREMENTS FOR NEWDATACEN-14
TERS.—Section 834 of the Carl Levin and Howard P. 15
‘‘Buck’’ McKeon National Defense Authorization Act for 16
Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113– 17
291) is amended— 18
(1) in subsection (a), by striking paragraphs 19
(3) and (4) and inserting the following: 20
‘‘(3) N
EW DATA CENTER.—The term ‘new data 21
center’ means— 22
‘‘(A)(i) a data center or a portion thereof 23
that is owned, operated, or maintained by a 24
covered agency; or 25
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 4
•HR 5218 IH
‘‘(ii) to the extent practicable, a data cen-1
ter or portion thereof— 2
‘‘(I) that is owned, operated, or main-3
tained by a contractor on behalf of a cov-4
ered agency on the date on which the con-5
tract between the covered agency and the 6
contractor expires; and 7
‘‘(II) with respect to which the cov-8
ered agency extends the contract, or enters 9
into a new contract, with the contractor; 10
and 11
‘‘(B) on or after the date that is 180 days 12
after the date of enactment of the Federal Data 13
Center Enhancement Act of 2023, a data cen-14
ter or portion thereof that is— 15
‘‘(i) established; or 16
‘‘(ii) substantially upgraded or ex-17
panded.’’; 18
(2) by striking subsection (b) and inserting the 19
following: 20
‘‘(b) M
INIMUMREQUIREMENTS FOR NEWDATA 21
C
ENTERS.— 22
‘‘(1) I
N GENERAL.—Not later than 180 days 23
after the date of enactment of the Federal Data 24
Center Enhancement Act of 2023, the Administrator 25
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 5
•HR 5218 IH
shall establish minimum requirements for new data 1
centers in consultation with the Administrator of 2
General Services and the Federal Chief Information 3
Officers Council. 4
‘‘(2) C
ONTENTS.— 5
‘‘(A) I
N GENERAL.—The minimum re-6
quirements established under paragraph (1) 7
shall include requirements relating to— 8
‘‘(i) the availability of new data cen-9
ters; 10
‘‘(ii) the use of new data centers; 11
‘‘(iii) the use of sustainable energy 12
sources; 13
‘‘(iv) uptime percentage; 14
‘‘(v) protections against power fail-15
ures, including on-site energy generation 16
and access to multiple transmission paths; 17
‘‘(vi) protections against physical in-18
trusions and natural disasters; 19
‘‘(vii) information security protections 20
required by subchapter II of chapter 35 of 21
title 44, United States Code, and other ap-22
plicable law and policy; and 23
‘‘(viii) any other requirements the Ad-24
ministrator determines appropriate. 25
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 6
•HR 5218 IH
‘‘(B) CONSULTATION.—In establishing the 1
requirements described in subparagraph 2
(A)(vii), the Administrator shall consult with 3
the Director of the Cybersecurity and Infra-4
structure Security Agency and the National 5
Cyber Director. 6
‘‘(3) I
NCORPORATION OF MINIMUM REQUIRE -7
MENTS INTO CURRENT DATA CENTERS .—As soon as 8
practicable, and in any case not later than 90 days 9
after the Administrator establishes the minimum re-10
quirements pursuant to paragraph (1), the Adminis-11
trator shall issue guidance to ensure, as appropriate, 12
that covered agencies incorporate the minimum re-13
quirements established under that paragraph into 14
the operations of any data center of a covered agen-15
cy existing as of the date of enactment of the Fed-16
eral Data Center Enhancement Act of 2023. 17
‘‘(4) R
EVIEW OF REQUIREMENTS .—The Admin-18
istrator, in consultation with the Administrator of 19
General Services and the Federal Chief Information 20
Officers Council, shall review, update, and modify 21
the minimum requirements established under para-22
graph (1), as necessary. 23
‘‘(5) R
EPORT ON NEW DATA CENTERS .—During 24
the development and planning lifecycle of a new data 25
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 7
•HR 5218 IH
center, if the head of a covered agency determines 1
that the covered agency is likely to make a manage-2
ment or financial decision relating to any data cen-3
ter, the head of the covered agency shall— 4
‘‘(A) notify— 5
‘‘(i) the Administrator; 6
‘‘(ii) Committee on Homeland Secu-7
rity and Governmental Affairs of the Sen-8
ate; and 9
‘‘(iii) Committee on Oversight and Ac-10
countability of the House of Representa-11
tives; and 12
‘‘(B) describe in the notification with suffi-13
cient detail how the covered agency intends to 14
comply with the minimum requirements estab-15
lished under paragraph (1). 16
‘‘(6) U
SE OF TECHNOLOGY .—In determining 17
whether to establish or continue to operate an exist-18
ing data center, the head of a covered agency shall— 19
‘‘(A) regularly assess the application port-20
folio of the covered agency and ensure that each 21
at-risk legacy application is updated, replaced, 22
or modernized, as appropriate, to take advan-23
tage of modern technologies; and 24
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 8
•HR 5218 IH
‘‘(B) prioritize and, to the greatest extent 1
possible, leverage commercial cloud environ-2
ments rather than acquiring, overseeing, or 3
managing custom data center infrastructure. 4
‘‘(7) P
UBLIC WEBSITE.— 5
‘‘(A) I
N GENERAL.—The Administrator 6
shall maintain a public-facing website that in-7
cludes information, data, and explanatory state-8
ments relating to the compliance of covered 9
agencies with the requirements of this section. 10
‘‘(B) P
ROCESSES AND PROCEDURES .—In 11
maintaining the website described in subpara-12
graph (A), the Administrator shall— 13
‘‘(i) ensure covered agencies regularly, 14
and not less frequently than biannually, 15
update the information, data, and explana-16
tory statements posed on the website, pur-17
suant to guidance issued by the Adminis-18
trator, relating to any new data centers 19
and, as appropriate, each existing data 20
center of the covered agency; and 21
‘‘(ii) ensure that all information, data, 22
and explanatory statements on the website 23
are maintained as open Government data 24
assets.’’; and 25
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 9
•HR 5218 IH
(3) in subsection (c), by striking paragraph (1) 1
and inserting the following: 2
‘‘(1) I
N GENERAL.—The head of a covered 3
agency shall oversee and manage the data center 4
portfolio and the information technology strategy of 5
the covered agency in accordance with Federal cy-6
bersecurity guidelines and directives, including— 7
‘‘(A) information security standards and 8
guidelines promulgated by the Director of the 9
National Institute of Standards and Tech-10
nology; 11
‘‘(B) applicable requirements and guidance 12
issued by the Director of the Office of Manage-13
ment and Budget pursuant to section 3614 of 14
title 44, United States Code; and 15
‘‘(C) directives issued by the Secretary of 16
Homeland Security under section 3553 of title 17
44, United States Code.’’. 18
(c) E
XTENSION OFSUNSET.—Section 834(e) of the 19
Carl Levin and Howard P. ‘‘Buck’’ McKeon National De-20
fense Authorization Act for Fiscal Year 2015 (44 U.S.C. 21
3601 note; Public Law 113–291) is amended by striking 22
‘‘2022’’ and inserting ‘‘2026’’. 23
(d) GAO R
EVIEW.—Not later than 1 year after the 24
date of the enactment of this Act, and annually thereafter, 25
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00009 Fmt 6652 Sfmt 6201 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS 10
•HR 5218 IH
the Comptroller General of the United States shall review, 1
verify, and audit the compliance of covered agencies with 2
the minimum requirements established pursuant to section 3
834(b)(1) of the Carl Levin and Howard P. ‘‘Buck’’ 4
McKeon National Defense Authorization Act for Fiscal 5
Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) 6
for new data centers and subsection (b)(3) of that Act for 7
existing data centers, as appropriate. 8
Æ
VerDate Sep 11 2014 00:14 Aug 23, 2023 Jkt 039200 PO 00000 Frm 00010 Fmt 6652 Sfmt 6301 E:\BILLS\H5218.IH H5218
kjohnson on DSK79L0C42PROD with BILLS