Agencies Lack Sound Modernization Plans for Critical Legacy Systems

Background:

It is a well-known fact that the federal government struggles with managing, acquiring and modernizing IT investments. As a result, a plethora of legacy systems exists across federal agencies, contributing to mounting security risks, increased costs and unmet mission needs.

In response, the GAO recently issued a report identifying the legacy systems with the highest risk and offering a few agency success stories of modernization as models for future upgrades.  The GAO reviewed 65 legacy systems and selected 10 that proved the most critical in security risk and operations by weighing areas of hardware age, operating and labor costs, vendor warranty, among other criteria. Thereafter, selected systems underwent evaluation of their plans for modernization.

The GAO determined that each system’s modernization plans should at least contain milestones to complete modernization, a description of the work necessary and a plan for the disposal of the legacy system.

Results:

The report states that the ten systems cost approximately $337M annually to operation and maintain. Moreover, several of the observed legacy systems were found to be operating on well-known security vulnerabilities. The following chart summarizes the GAO’s findings of the top ten high risk IT legacy systems. Note, titles of the system were not provided by the GAO report due to sensitivity concerns.

Department/Bureau	System Purpose	Age of System (Yrs)	Reason for Modernization	Current Maintenance Costs	Complete Modernization Plan?
DOD/Air Force	Control and management for wartime readiness and aircraft operational support	14	Legacy COBOL code and aging infrastructure	$21.8M	Yes
Education/FSA	Process and store student information in relation to federal aid applications	46	Legacy COBOL code	$43.9M	No
HHS/IHS	Clinical and patient administrative information system	50	Outdated technical architecture, C++ and MUMPS legacy language, various software configurations	$79.1M	No
DHS/FEMA	Routers, switches, firewalls, and other network appliances to support connectivity of FEMA sites	11	Majority of hardware is 8 to 11 yrs old	$1.9M	No
Interior	Industrial Control System (ICS) Supervisory Control and Data Acquisition (SCADA) System supporting the general operation of particular dams and power plants.	18	Obsolete hardware not supported by the manufacturers and lack of long-term vendor support	$427K	Yes
Treasury/IRS	Taxpayer Data	51	COBOL legacy code	$5.5M	No
DOT/FAA	Contains data on aircraft and pilots and provides information in investigations of aviation accidents	35	System is DOS-based and running on unsupported software	$3.8M	No
OPM	Supports business functions and provides investigative products and services	34	Infrastructure is beyond end of life with unsupported patches and security fixes	$45M	No
SBA	Identification, authentication, and authorization services for several SBA applications	17	Obsolete hardware and software not supported by the manufacturers and system platform scheduled to be decommissioned.	$62K	No
SSA	Collects information, makes payments, and communicates with SSA’s clients.	45	Complications with core system functionalities due to age and original system design	$6.7M	No

Source: GAO Report # GAO-19-471

Note: Further details regarding each system’s modernization plans/needs can be found in Appendix II of the report.

The GAO discovered that Interior and DOD’s modernization plans included elements from the identified best practices. Meanwhile, Education, HHS and DOT did not have any documented modernization plans for their identified systems! DHS lacked milestones and planned disposition within its modernization plan while Treasury, OPM and SSA lacked disposition plans while completing or partially filling the other two criteria. For SBA, the agency lacked a description of the work necessary to modernize but did have milestones and a plan of disposition in place.

Successful Modernization

The report proceeds to illustrate five successful modernization initiatives that have taken place in the government:

• DOD : Standard Base Supply System and Enterprise Solution Supply
• Education: Direct Loan Consolidation System
• DHS: Employing Shared Services/ Cloud
• Treasury: Treasury Offset Program
• SSA: Representative Payee System

Based on these examples, the report collects the key attributes for modernization success, suggesting solutions (as applicable) to those systems that remain in legacy and high risk:

• Enlist automated technologies to examine programming code and perform testing
• Thorough system testing
• Engage both end users and stakeholders in the modernization process
• Promote a strong partnership between government and industry
• Follow management practices on change and lifecycle management
• Implement an enterprise-wide cost collection and data analysis process for commodity IT to measure progress in optimization and cost.
• Create an interface consistent across all systems
• Strong executive leadership support
• Use agile principles to facilitate the team’s ownership of the project