Board Report: 2015-IT-B-001 January 30, 2015
The Board of Governors of the Federal Reserve System (Board) has undertaken a project to relocate its data center from the Board’s Martin Building in Washington, DC, to the Baltimore Branch of the Federal Reserve Bank of Richmond. Given the magnitude and significance of the project, we plan to monitor it as the project continues through 2015. We issued our initial report on the data center relocation in February 2014. The objective of this second audit was to review the planned physical and environmental controls for the data center. We also reviewed the change order and procurement processes and followed up on the budget and project schedule recommendations from the initial audit. We plan to issue subsequent reports at key future dates.
The Board’s data center relocation is a major element of the third theme in the Board’s Strategic Framework 2012–15. The Board plans to completely renovate the Martin Building, where the data center currently resides. The multiyear data center project is composed of four overlapping phases, with completion scheduled for December 2015. Construction of the new data center was underway as of the end of our fieldwork. The Board approved an overall budget of $201.5 million for the project and established a high-level timeline for it.
Overall, we observed that the Board is continuing to follow a structured approach to planning and executing the relocation of the data center, and Board staff are actively engaged in the planning and decisionmaking for the project. Specifically, we found that the tracking and monitoring of the budget has improved since our previous audit, and the budget has been updated to reflect the information currently available regarding actual costs. The Division of Information Technology has taken steps to monitor the timeline closely and to update the Chief Operating Officer about the project and delays that have occurred.
We found that the Board still needs to ensure that all physical and environmental controls will be implemented in accordance with Board requirements. Prior to the relocation, the Board’s data center must be authorized to operate based on a security package that includes a system security plan and risk assessment, in accordance with the Board Information Security Program.
Our February 2014 audit report included two recommendations, one regarding the data center relocation project budget and the other regarding the project schedule. As part of this second audit, we followed up on these recommendations and determined that the budget recommendation can be closed but that the schedule recommendation remains open.
We recommend that the Director of the Division of Information Technology compare the Board’s control baselines and planned controls for the data center with the Federal Reserve System’s requirements and baselines, document the planned controls in a security plan, and conduct a risk assessment to formally accept or facilitate the mitigation of any identified risks or deviations from Board requirements.
The Director of the Division of Information Technology agreed with the recommendation and outlined the actions that the division is taking to address the recommendation. We plan to follow up on the division’s actions to ensure that the recommendation is fully addressed.