Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 The Honorable James Comer Chairman, Committee on Oversight and Government Reform August 25, 2025 United States House of Representatives Washington, DC 20515

Dear Chairman Comer:

On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am writing to inform you of the NRC's recent decision concerning the implementation of the Federal Data Center Enhancement Act of 2023 (FDCEA), as outlined in Office of Management and Budget (0MB) memorandum M-25-03, "Implementation Guidance for the Federal Data Center Enhancement Act," dated January 14, 2025.

On or about April 24, 2025, the NRC reached a significant decision related to its data center infrastructure. In alignment with the FDCEA, the NRC has decided to migrate its headquarters and Region IV data center services off premises to Equinix colocation facilities in Ashburn, Virginia and Dallas, Texas, respectively. This strategic move will facilitate the closure of the NRC's federally operated data centers located at its headquarters (Three White Flint) and Region IV facilities. The anticipated cost avoidance for renovating existing data centers to meet the mission-essential systems availability requirements is estimated at $1.12 million.

Furthermore, this initiative is projected to yield an annual reduction in lease, connectivity, and maintenance costs amounting to approximately $1. 75 million.

The NRC is in compliance with 0MB M-25-03, section Ill, as outlined below.

Chief Information Officer Oversight: The NRC's Chief Information Officer has designated subject matter experts to oversee the colocation contractors in designing and equipping the planned colocation spaces. The final configuration will undergo a thorough review before approval.

Data Center Infrastructure Management (DCIM): The statement of work provided in the colocation contract includes provisions for monitoring power and temperature within the colocation space. This information is readily available to the NRC upon request. Additionally, the NRC will use its existing DCIM software, Nlyte Asset Optimizer, to monitor rack utilization.

Energy and Water Efficiency: The NRC's team of subject matter experts includes a certified data center energy practitioner who collaborates closely with the colocation contractor throughout the design phase to understand the data center's resource usage and recommend considerations to improve efficiencies. The Ashburn facility boasts a Leadership in Energy and Environmental Design Silver certification; a reflective roof to mitigate extraneous heat loads; and the use of wind power for sustainability. The Dallas facility is powered entirely by renewable energy, sourced from U.S. wind virtual power purchase agreements and Green-e wind renewable energy certificates.

Mission Availability: The NRC is relocating all critical information technology assets and mission-essential functions to two privately owned colocation facilities, which offer 99.999 percent availability. This transition aims to reduce the capital expenditure associated with meeting uptime requirements. The NRC's existing federally managed data centers at headquarters and Region IV will be downsized to support edge services, telephony, and network functions, thereby excluding them from the FDCEA's scope of defined data centers.

Information and Physical Security: The NRC adheres to the lnteragency Security Committee Risk Management Process standards for physical security. Trained physical security specialists, in collaboration with the Federal Protective Service, conduct annual and ongoing independent inspections. The NRC's Office of the Inspector General regularly audits for compliance with the Federal Information Security Modernization Act (FISMA) physical security standards, including those in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, Revision 5, "Assessing Security and Privacy Controls in Information Systems and Organizations," issued January 2002, and identifies areas for improvement. For information security, the new data centers will comply with NIST SP 800-53, Revision 5, and meet the continuous diagnostics and mitigation requirements in accordance with 0MB memorandum M-21-31, "Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents," dated August 21, 2021, and Cybersecurity and Infrastructure Security Agency Binding Operational Directive 23-01, "Improving Asset Visibility and Vulnerability Detection on Federal Networks," dated October 3, 2022. Both colocation facilities hold FISMA High certification under NIST SP 800-53 and System and Organizational Control 1 and 2 Type II certifications.

The NRC remains committed to ensuring the security, efficiency, and reliability of the agency's data center operations. Should you require any further information or have any questions regarding this decision, please contact Eugene Dacus, Director of the Office of Congressional Affairs, at (301) 415-1776.

XY David A. Wright cc: Representative Stephen F. Lynch

Identical letter sent to:

The Honorable James Comer Chairman, Committee on Oversight and Government Reform United States House of Representatives Washington, DC 20515 cc: Representative Stephen F. Lynch The Honorable Rand Paul Chairman, Committee on Homeland Security and Governmental Affairs United States Senate Washington, DC 20510 cc: Senator Gary C. Peters