The U.S. government is approaching a critical juncture in infrastructure oversight as the Federal Data Center Enhancement Act—a key legislative framework governing the physical security and operational baselines of government-linked data facilities—nears its expiration. As the demand for hyperscale computing surges due to the rapid integration of artificial intelligence, the sunsetting of these specific security mandates presents a potential gap in how the nation protects its most vital digital assets.
Understanding the Federal Data Center Enhancement Act
The Federal Data Center Enhancement Act was designed to standardize the physical security, energy efficiency, and operational resilience of data centers managed or utilized by federal agencies. According to the General Services Administration (GSA), these mandates were established to ensure that as agencies migrated toward cloud-based environments and modernized their IT footprints, the physical security of the hardware remained consistent with national security requirements. The legislation functions as a baseline, ensuring that facilities housing government data adhere to specific perimeter security, access control, and environmental monitoring standards.

As the expiration date looms, industry observers are concerned about the “regulatory cliff” this creates. The current infrastructure environment is defined by the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which emphasizes the need for robust security in the computing clusters that power modern AI models. Without a clear successor or an extension of the Act, agencies may find themselves operating in a vacuum where previous security baselines are no longer legally required, potentially inviting inconsistencies in how sensitive information is protected against physical breaches.
The Impact of AI Infrastructure Scaling
The timing of this regulatory expiration is particularly sensitive given the unprecedented expansion of global data center capacity. According to data from the International Energy Agency (IEA), global electricity consumption from data centers is projected to double by 2026, driven largely by the energy-intensive nature of generative AI training and inference. This growth has forced providers to scramble for space, often repurposing older facilities or accelerating the construction of new ones.

Security experts argue that as these facilities become more densely packed with high-value AI hardware—such as specialized GPUs—the physical security of these buildings becomes a matter of national economic interest. The lapse of the Federal Data Center Enhancement Act could lead to a scenario where the “standardized” security once required for federal data is compromised by the speed of commercial expansion. When federal agencies lease space in commercial multi-tenant data centers, the absence of codified federal security baselines makes it difficult for agencies to verify that the private sector is maintaining the necessary protections for sensitive workloads.
Current Regulatory Landscape and Agency Oversight
While the Act itself may be approaching its expiration, other federal entities retain broad oversight powers. The Cybersecurity and Infrastructure Security Agency (CISA) continues to provide voluntary Cross-Sector Cybersecurity Performance Goals, which include physical security components. However, these are largely advisory rather than mandatory, creating a stark difference in enforcement compared to the expiring legislation.
For facility managers and federal IT procurement officers, the uncertainty poses a logistical challenge. According to the Government Accountability Office (GAO), previous attempts to consolidate federal data centers have faced significant hurdles regarding cost-efficiency and security compliance. The expiration of the Act threatens to undo years of progress in ensuring that data center physical security is not treated as an afterthought in the broader effort to modernize federal IT.
What Happens Next for Data Center Security
The next major checkpoint for this policy area will be the upcoming congressional budget and reauthorization cycles, where lawmakers will determine if the provisions of the Act are integrated into broader federal infrastructure bills. There has been no formal announcement from the Department of Commerce or the Office of Management and Budget regarding a direct extension of the current security baselines, leaving stakeholders to rely on existing, albeit potentially outdated, procurement language.

Agencies are currently evaluating their internal risk management frameworks to determine how to maintain security standards if the legislative support is removed. For organizations operating within the federal space, the coming months will require heightened vigilance regarding contract renewals and the specific physical security requirements embedded in service-level agreements. Readers interested in tracking the legislative status of these mandates should monitor the Congress.gov database for new bills or amendments related to data center security and federal IT procurement. We will continue to update this page as new directives are issued by federal oversight bodies.
What are your thoughts on the intersection of AI growth and infrastructure security? Join the conversation in the comments section below.