Agencies Lack Sound Modernization Plans for Critical Legacy Systems
Published: June 13, 2019
GAO examined legacy systems across the federal government and identified the top ten systems highest in operation and security risk. The government watchdog discovered that agencies do not have thorough IT modernization plans in place for many of the selected systems.
Background:
It is a well-known fact that the federal government struggles with managing, acquiring and modernizing IT investments. As a result, a plethora of legacy systems exists across federal agencies, contributing to mounting security risks, increased costs and unmet mission needs.
In response, the GAO recently issued a report identifying the legacy systems with the highest risk and offering a few agency success stories of modernization as models for future upgrades. The GAO reviewed 65 legacy systems and selected the 10 most critical in terms of security risk and operations, weighing hardware age, operating and labor costs, and vendor warranty, among other criteria. The GAO then evaluated the modernization plans for the selected systems.
The GAO determined that each system’s modernization plans should at least contain milestones to complete modernization, a description of the work necessary and a plan for the disposal of the legacy system.
Results:
The report states that the ten systems cost approximately $337M annually to operate and maintain. Moreover, several of the observed legacy systems were found to be operating with well-known security vulnerabilities. The following chart summarizes the GAO’s findings on the top ten high-risk legacy IT systems. Note: the GAO report did not provide the titles of the systems due to sensitivity concerns.
| Department/Bureau | System Purpose | Age of System (Yrs) | Reason for Modernization | Current Maintenance Costs | Complete Modernization Plan? |
|---|---|---|---|---|---|
| DOD/Air Force | Control and management for wartime readiness and aircraft operational support | 14 | Legacy COBOL code and aging infrastructure | $21.8M | Yes |
| Education/FSA | Process and store student information in relation to federal aid applications | 46 | Legacy COBOL code | $43.9M | No |
| HHS/IHS | Clinical and patient administrative information system | 50 | Outdated technical architecture, C++ and MUMPS legacy language, various software configurations | $79.1M | No |
| DHS/FEMA | Routers, switches, firewalls, and other network appliances to support connectivity of FEMA sites | 11 | Majority of hardware is 8 to 11 yrs old | $1.9M | No |
| Interior | Industrial Control System (ICS) Supervisory Control and Data Acquisition (SCADA) System supporting the general operation of particular dams and power plants | 18 | Obsolete hardware not supported by the manufacturers and lack of long-term vendor support | $427K | Yes |
| Treasury/IRS | Taxpayer Data | 51 | COBOL legacy code | $5.5M | No |
| DOT/FAA | Contains data on aircraft and pilots and provides information in investigations of aviation accidents | 35 | System is DOS-based and running on unsupported software | $3.8M | No |
| OPM | Supports business functions and provides investigative products and services | 34 | Infrastructure is beyond end of life with unsupported patches and security fixes | $45M | No |
| SBA | Identification, authentication, and authorization services for several SBA applications | 17 | Obsolete hardware and software not supported by the manufacturers and system platform scheduled to be decommissioned | $62K | No |
| SSA | Collects information, makes payments, and communicates with SSA’s clients | 45 | Complications with core system functionalities due to age and original system design | $6.7M | No |
Source: GAO Report # GAO-19-471
Note: Further details regarding each system’s modernization plans/needs can be found in Appendix II of the report.
The GAO discovered that Interior and DOD’s modernization plans included elements from the identified best practices. Meanwhile, Education, HHS and DOT did not have any documented modernization plans for their identified systems! DHS’s modernization plan lacked milestones and a planned disposition, while Treasury, OPM and SSA lacked disposition plans but completely or partially fulfilled the other two criteria. SBA lacked a description of the work necessary to modernize but did have milestones and a plan of disposition in place.
Successful Modernization
The report proceeds to illustrate five successful modernization initiatives that have taken place in the government:
- DOD: Standard Base Supply System and Enterprise Solution Supply
- Education: Direct Loan Consolidation System
- DHS: Employing Shared Services/Cloud
- Treasury: Treasury Offset Program
- SSA: Representative Payee System
Based on these examples, the report collects the key attributes for modernization success, suggesting solutions (as applicable) for those systems that remain legacy and high risk:
- Enlist automated technologies to examine programming code and perform testing
- Thorough system testing
- Engage both end users and stakeholders in the modernization process
- Promote a strong partnership between government and industry
- Follow management practices on change and lifecycle management
- Implement an enterprise-wide cost collection and data analysis process for commodity IT to measure progress in optimization and cost
- Create an interface consistent across all systems
- Strong executive leadership support
- Use agile principles to facilitate the team’s ownership of the project