IG: DHS data centers at risk
Centers have multiple vulnerabilities
The Homeland Security Department set up a huge data center on the Mississippi Gulf Coast in 2006 without considering protections against hurricanes, power outages and perimeter security threats, according to a new report from DHS Inspector General Richard Skinner.
Also, DHS did not consider possible risks to its Data Center 1 from rocket testing vibrations two miles away and from possible environmental contamination at the former weapons plant, the report said.
A second DHS data center in Clarksville, Va., did not fare much better. The department failed to consider the possible risks of locating Data Center 2 within several feet of two 25,000-gallon diesel fuel storage tanks, the report said.
The data centers were created to consolidate information technology systems from more than a dozen data centers. The two new centers are to serve as backups for each other to maintain operation of critical departmental IT systems, especially after a disaster.
However, due to shortcomings in risk assessments, the data centers may be vulnerable to breakdown, according to the report, which was posted May 7 on the Web.
“The DHS risk assessments for Data Center 1 and Data Center 2 are out of date and incomplete," the IG wrote. "Additionally, there are unmitigated threats and vulnerabilities at Data center 1 and Data Center 2 that may impact their ability to conduct normal operations."
Also, the new data centers do not have interconnecting circuits and redundant hardware to establish a capability of actively backing up each other. In addition, DHS has not provided alternative processing sites for all critical departmental information systems, and disaster recovery guidance does not conform fully to government standards, the report said.
In May 2005, the IG identified deficiencies in DHS’ ability to restore its mission-critical IT systems after a service disruption from a disaster. In response, the department established the two new data centers,.
In 2008, DHS awarded a multiyear contract with a maximum value of $391 million to Computer Sciences Corp. to manage Data Center 1 at the John C. Stennis Space Center.
DHS also awarded a multiyear contract not to exceed $820 million to Electronic Data Systems to operate the second data center at a contractor-owned and -operated facility in Clarksville, Va.
DHS officials agreed with the inspector general’s recommendation to perform additional risk assessments for both data centers, and they said those assessments would be performed by the end of 2009, according to a management response attached to the report. Departmental officials generally agreed with the other recommendations as well.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.