Board Report: 2015-IT-B-001 January 30, 2015
The Board of Governors of the Federal Reserve System's (Board) project to relocate its data center is a major element of the third theme in the Board's Strategic Framework 2012-15. This multiyear project is composed of four overlapping phases, with completion scheduled for December 2015. Given the project's magnitude and significance, the Office of Inspector General (OIG) plans to monitor the Board's data center relocation as the project continues through 2015. We issued our initial report on the data center relocation in February 2014.
The objective of this second audit was to review the planned physical and environmental (PE) controls identified in National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53), for the data center as well as the change order and procurement processes. We also followed up on the budget and project schedule recommendations from the initial report. We plan to issue subsequent reports at key future dates.
The Board's data center provides the infrastructure that makes data and information technology available to the Board and to the Federal Reserve System to support monetary policy, financial supervision, consumer protection, and economic research. The data center currently resides in the Board's Martin Building, which the Board plans to completely renovate. After considering its options, the Board decided to relocate the data center to the Baltimore Branch of the Federal Reserve Bank of Richmond (FRB Richmond). The Board approved the scope and funding for this option in June 2012 as part of the Board's strategic plan.
The approved funding for the project, which is intended to cover all costs associated with building, migrating, and operating the data center for 10 years, is $201.5 million. This amount was allocated into three high-level categories:
According to the January 2013 memorandum of understanding between the Board and FRB Richmond, FRB Richmond is responsible for the build-out of the data center. The Board also subsequently delegated to FRB Richmond responsibility for designing and implementing PE controls. The Board's PE control requirements are documented in the Board Information Security Program (BISP), and PE control requirements for the Federal Reserve Banks, including FRB Richmond, are outlined in the Federal Reserve System's Security Assurance for the Federal Reserve (SAFR) program. Construction of the data center was underway as of the end of our fieldwork.
PE controls are measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. FRB Richmond is responsible for providing all the low and moderate controls identified in the NIST SP 800-53 PE control family. Such controls include the following:
The planned PE controls for the data center were designed by the architectural and engineering (A/E) vendor and FRB Richmond, with oversight by the Board.