Agencies Lack Sound Modernization Plans for Critical Legacy Systems

Published: June 13, 2019

Information Technology

GAO examined legacy systems across the federal government and identified the top ten systems highest in operation and security risk. The government watchdog discovered that agencies do not have thorough IT modernization plans in place for many of the selected systems.


It is a well-known fact that the federal government struggles with managing, acquiring and modernizing IT investments. As a result, a plethora of legacy systems exists across federal agencies, contributing to mounting security risks, increased costs and unmet mission needs.

In response, the GAO recently issued a report identifying the legacy systems with the highest risk and offering a few agency success stories of modernization as models for future upgrades. The GAO reviewed 65 legacy systems and selected the 10 that proved the most critical in security risk and operations, weighing hardware age, operating and labor costs and vendor warranty, among other criteria. The modernization plans for the selected systems were then evaluated.

The GAO determined that each system’s modernization plans should at least contain milestones to complete modernization, a description of the work necessary and a plan for the disposal of the legacy system.


The report states that the ten systems cost approximately $337M annually to operate and maintain. Moreover, several of the observed legacy systems were found to be operating with well-known security vulnerabilities. The following chart summarizes the GAO’s findings on the top ten high-risk IT legacy systems. Note that the GAO report did not provide the names of the systems due to sensitivity concerns.


| Agency | System Purpose | Age of System (Yrs) | Reason for Modernization | Current Maintenance Costs | Complete Modernization Plan? |
|---|---|---|---|---|---|
| DOD/Air Force | Control and management for wartime readiness and aircraft operational support | | Legacy COBOL code and aging infrastructure | | |
| | Process and store student information in relation to federal aid applications | | Legacy COBOL code | | |
| | Clinical and patient administrative information system | | Outdated technical architecture, C++ and MUMPS legacy language, various software configurations | | |
| | Routers, switches, firewalls, and other network appliances to support connectivity of FEMA sites | | Majority of hardware is 8 to 11 yrs old | | |
| | Industrial Control System (ICS) Supervisory Control and Data Acquisition (SCADA) System supporting the general operation of particular dams and power plants | | Obsolete hardware not supported by the manufacturers and lack of long-term vendor support | | |
| | Taxpayer Data | | COBOL legacy code | | |
| | Contains data on aircraft and pilots and provides information in investigations of aviation accidents | | System is DOS-based and running on unsupported software | | |
| | Supports business functions and provides investigative products and services | | Infrastructure is beyond end of life with unsupported patches and security fixes | | |
| | Identification, authentication, and authorization services for several SBA applications | | Obsolete hardware and software not supported by the manufacturers and system platform scheduled to be decommissioned | | |
| | Collects information, makes payments, and communicates with SSA’s clients | | Complications with core system functionalities due to age and original system design | | |



Source: GAO Report # GAO-19-471

Note: Further details regarding each system’s modernization plans/needs can be found in Appendix II of the report.

The GAO discovered that Interior and DOD’s modernization plans included elements from the identified best practices. Meanwhile, Education, HHS and DOT did not have any documented modernization plans for their identified systems! DHS lacked milestones and a planned disposition within its modernization plan, while Treasury, OPM and SSA lacked disposition plans but fully or partially met the other two criteria. SBA lacked a description of the work necessary to modernize but did have milestones and a plan of disposition in place.

Successful Modernization

The report proceeds to illustrate five successful modernization initiatives that have taken place in the government:

  • DOD: Standard Base Supply System and Enterprise Solution Supply
  • Education: Direct Loan Consolidation System
  • DHS: Employing Shared Services/Cloud
  • Treasury: Treasury Offset Program
  • SSA: Representative Payee System

Based on these examples, the report collects the key attributes for modernization success, suggesting solutions (as applicable) for those systems that remain legacy and high risk:

  • Enlist automated technologies to examine programming code and perform testing
  • Thorough system testing
  • Engage both end users and stakeholders in the modernization process
  • Promote a strong partnership between government and industry
  • Follow management practices on change and lifecycle management
  • Implement an enterprise-wide cost collection and data analysis process for commodity IT to measure progress in optimization and cost
  • Create an interface consistent across all systems
  • Strong executive leadership support
  • Use agile principles to facilitate the team’s ownership of the project