Energy Unable to Identify Legacy IT Infrastructure for Modernization

Last week, Energy’s OIG released findings of an audit used to determine the success of the department’s ability to manage the lifecycle of its legacy IT systems and components. The report focused on DOE’s unclassified information systems and did not include industrial control and national security systems.

Outcome

The results of the audit indicated that DOE, including contractor-managed labs, did not have an enterprise-wide developed plan to identify and replace legacy IT infrastructure. In fact, the OIG found that no formal definition of legacy IT had been created at DOE in order to help identify antiquated systems. A lack of definition created difficulties for inspectors to quantify the exact amount of legacy IT at each of the sites audited. For example, three of the four sites visited during the audit did not track legacy status metrics within their inventory systems. In another instance, the auditors found that officials at Pacific Northwest National Laboratory had to manually review an inventory report in order to respond to the audit. Meanwhile, the SLAC National Accelerator Laboratory’s inventory system did not recognize several applications and operating systems as legacy IT, including an enterprise resource planning system, despite contrary reports from SLAC officials.

Impact

A lack of recognized legacy IT typically leads to grave impacts at a federal agency. Increased level of security risks, particularly on systems that contain hardware and software no longer supported by the manufacturer, leaves them susceptible to malicious cyber-attacks.  Moreover, operation of legacy IT systems leads to increased levels of maintenance costs and an inability to meet mission requirements. In fact, according to OMB metrics, operation and maintenance (O&M) costs at DOE increased from $1.71B in FY 2017 to $1.88B in FY 2019, representing anywhere between 88-90% of the agency’s total IT budget in that time frame.

Barriers to Modernization

Other than a lack of system to identify legacy IT in the first place, auditors found three main reasons preventing modernization at DOE, based on numerous interviews with officials:

1. Officials consistently cited lack of funding. For example,
   1. The Hanford Site reported almost $10.2M in unfunded modernization priorities.
   2. Despite ongoing modernization projects, four projects at the Lawrence Livermore Laboratory were placed on hold in FY 2018 due to funding restrictions.
2. The department CIO did not develop processes to phase out, as quickly as possible, all unsupported information system and components. Without such requirements, potential funding is prioritized to other projects with more set deadlines.  
3. Despite Energy receiving $15M from the Modernizing Government Technology (MGT) Act for enterprise electronic mail migration, the OIG suggests DOE may not have taken full advantage of MGT Act benefits to accelerate modernization of systems due to lack of lifecycle management for legacy systems.

Some Modernization Found

Nonetheless, auditors did come to find some ongoing modernization projects at the sites visited for the report. Specifically, actions of modernization to reduce legacy systems were found at the Pacific Northwest National Laboratory, Lawrence Livermore National Laboratory (Livermore) and SLAC National Accelerator Laboratory (SLAC).

• Pacific Northwest Laboratory is in the midst of a data center migration. Between March 2017 and July 2018, auditors found that the lab had a reduction in end-of-life servers from 67% to 20%.
• Livermore reported 58 applications, 35 operating systems and 118 unclassified network devices as legacy IT. During the audit, Livermore had six ongoing modernization projects to replace some of this legacy IT infrastructure.
• At the time of the audit, SLAC was in the middle of retiring its legacy enterprise resource planning system. The system is planned for decommission in 2019 once migration to the already-operational new system is complete. In addition, auditors found that the number of legacy workstations at SLAC had been reduced. Lab officials stated that almost $850k had been spent annually to modernize hardware with mostly leased hardware. Furthermore, SLAC planned to replace 45 of 118 legacy IT network devices by Q2 of FY 2019 and had already replaced 37 of the 45 during the time of the audit.