Saturday, May 4, 2024

HHS among IT Agencies GAO says Need to Develop Modernization Plans for Critical Legacy Systems

Why GAO Did This Study

“The federal government plans to spend over $90 billion in fiscal year 2019 on IT. About 80 percent of this amount is used to operate and maintain existing IT investments, including aging (also called legacy) systems. As they age, legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose.”

“GAO was asked to review federal agencies’ legacy systems. This report (1) identifies the most critical federal legacy systems in need of modernization and evaluates agency plans for modernizing them, and (2) identifies examples of legacy system modernization initiatives that agencies considered successful.”

“To do so, GAO analyzed a total of 65 legacy systems in need of modernization that 24 agencies had identified. Of these 65, GAO identified the 10 most in need of modernization based on attributes such as age, criticality, and risk. GAO then analyzed agencies’ modernization plans for the 10 selected legacy systems against key IT modernization best practices.”

“The 24 agencies also provided 94 examples of successful IT modernizations from the last 5 years. In addition, GAO identified other examples of modernization successes at these agencies. GAO then selected a total of five examples to highlight a mix of system modernization types and a range of benefits realized.”

What GAO Found

“Among the 10 most critical legacy systems that GAO identified as in need of modernization (see table 1), several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities. For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language (COBOL)—a programming language that has a dwindling number of people available with the skills needed to support it. In addition, the Department of the Interior’s system contains obsolete hardware that is not supported by the manufacturers. Regarding cybersecurity, the Department of Homeland Security’s system had a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018.”

“Of the 10 agencies responsible for these legacy systems, seven agencies (the Departments of Defense, Homeland Security, the Interior, the Treasury; as well as the Office of Personnel Management; Small Business Administration; and Social Security Administration) had documented plans for modernizing the systems (see table 2). The Departments of Education, Health and Human Services, and Transportation did not have documented modernization plans. Of the seven agencies with plans, only the Departments of the Interior and Defense’s modernization plans included the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure.”

“The five examples that GAO selected of successful information technology (IT) modernization initiatives included transforming legacy code into a more modern programming language and moving legacy software to the cloud. Doing so allowed the agencies to reportedly leverage IT to successfully address their missions and achieve a wide range of benefits, including cost savings.”

What GAO Recommends

“In the sensitive report, GAO is making a total of eight recommendations—one to each of eight agencies—to ensure that they document modernization plans for the selected legacy systems.”

“The eight agencies agreed with GAO’s findings and recommendations, and seven of the agencies described plans to address the recommendations.”

Read the full 79-page report here.

Source: Information Technology Agencies Need to Develop Modernization Plans for Critical Legacy Systems – June 2019. GAO.


Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.
