Information Technology:

Federal Agencies Need to Address Aging Legacy Systems

GAO-16-468: Published: May 25, 2016. Publicly Released: May 25, 2016.

Multimedia:

Additional Materials:

Contact:

David A. Powner
(202) 512-9286
pownerd@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The federal government spent about 75 percent of the total amount budgeted for information technology (IT) for fiscal year 2015 on operations and maintenance (O&M) investments. Such spending has increased over the past 7 fiscal years, which has resulted in a $7.3 billion decline from fiscal years 2010 to 2017 in development, modernization, and enhancement activities.

Total Federal IT Spending by Type (in billions)

Total Federal IT Spending by Type (in billions)

Specifically, 5,233 of the government's approximately 7,000 IT investments are spending all of their funds on O&M activities. Moreover, the Office of Management and Budget (OMB) has directed agencies to identify IT O&M expenditures known as non-provisioned services that do not use solutions often viewed as more efficient, such as cloud computing and shared services. Agencies reported planned spending of nearly $55 billion on such non-provisioned IT in fiscal year 2015. OMB has developed a metric for agencies to measure their spending on services such as cloud computing and shared services, but has not identified an associated goal. Thus, agencies may be limited in their ability to evaluate progress.

Many O&M investments in GAO's review were identified as moderate to high risk by agency CIOs, and agencies did not consistently perform required analysis of these at-risk investments. Further, several of the at-risk investments did not have plans to be retired or modernized. Until agencies fully review their at-risk investments, the government's oversight of such investments will be limited and its spending could be wasteful.

Federal legacy IT investments are becoming increasingly obsolete: many use outdated software languages and hardware parts that are unsupported. Agencies reported using several systems that have components that are, in some cases, at least 50 years old. For example, Department of Defense uses 8-inch floppy disks in a legacy system that coordinates the operational functions of the nation's nuclear forces. In addition, Department of the Treasury uses assembly language code—a computer language initially used in the 1950s and typically tied to the hardware for which it was developed. OMB recently began an initiative to modernize, retire, and replace the federal government's legacy IT systems. As part of this, OMB drafted guidance requiring agencies to identify, prioritize, and plan to modernize legacy systems. However, until this policy is finalized and fully executed, the government runs the risk of maintaining systems that have outlived their effectiveness. The following table provides examples of legacy systems across the federal government that agencies report are 30 years or older and use obsolete software or hardware, and identifies those that do not have specific plans with time frames to modernize or replace these investments.

Examples of Legacy Investments and Systems

Agency

Investment or system

Description

Agency-reported age

Specific, defined plans for modernization or replacement

Department of the Treasury

Individual Master File

The authoritative data source for individual taxpayers where accounts are updated, taxes are assessed, and refunds are generated. This investment is written in assembly language code—a low-level computer code that is difficult to write and maintain—and operates on an IBM mainframe.

~56

No - The agency has general plans to replace this investment, but there is no firm date associated with the transition.

Department of the Treasury

Business Master File

Retains all tax data pertaining to individual business income taxpayers and reflects a continuously updated and current record of each taxpayer's account. This investment is also written in assembly language code and operates on an IBM mainframe.

~56

No - The agency has general plans to update this system, but there is no time frame established for this transition.

Department of Defense

Strategic Automated Command and Control System

Coordinates the operational functions of the United States' nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 Computer—a 1970s computing system—and uses 8-inch floppy disks.

53

Yes - The agency plans to update its data storage solutions, port expansion processors, portable terminals, and desktop terminals by the end of fiscal year 2017.

Department of Veterans Affairs

Personnel and Accounting Integrated Data

Automates time and attendance for employees, timekeepers, payroll, and supervisors. It is written in Common Business Oriented Language (COBOL)—a programming language developed in the 1950s and 1960s—and runs on IBM mainframes.

53

Yes - The agency plans to replace it with a project called Human Resources Information System Shared Service Center in 2017.

Department of Veterans Affairs

Benefits Delivery Network

Tracks claims filed by veterans for benefits, eligibility, and dates of death. This system is a suite of COBOL mainframe applications.

51

No - The agency has general plans to roll capabilities into another system, but there is no firm time frame associated with this transition.

Department of Justice

Sentry

Provides information regarding security and custody levels, inmate program and work assignments, and other pertinent information about the inmate population. The system uses COBOL and Java programming languages.

35

Yes - The agency plans to update the system through September 2016.

Social Security Administration

Title II Systems

Determines retirement benefits eligibility and amounts. The investment is comprised of 162 subsystems written in COBOL.

31

Yes - The agency has ongoing modernization efforts, including one that is experiencing cost and schedule challenges due to the complexities of the legacy software.

Source: GAO analysis of IT Dashboard data, agency documentation, and interviews. | GAO-16-468

Note: Age was reported by agencies. Systems and investments may have individual components newer than the reported age.

Why GAO Did This Study

The federal government invests more than $80 billion on IT annually, with much of this amount reportedly spent on operating and maintaining existing (legacy) IT systems. Given the magnitude of these investments, it is important that agencies effectively manage their O&M.

GAO's objectives were to (1) assess federal agencies' IT O&M spending, (2) evaluate the oversight of at-risk legacy investments, and (3) assess the age and obsolescence of federal IT.

To do so, GAO reviewed OMB and 26 agencies' IT O&M spending for fiscal years 2010 through 2017. GAO further reviewed the 12 agencies that reported the highest planned IT spending for fiscal year 2015 to provide specifics on agency spending and individual investments.

What GAO Recommends

GAO is making 16 recommendations, one of which is for OMB to develop a goal for its spending measure and finalize draft guidance to identify and prioritize legacy IT needing to be modernized or replaced. GAO is also recommending that selected agencies address at-risk and obsolete legacy O&M investments. Nine agencies agreed with GAO's recommendations, two agencies partially agreed, and two agencies stated they had no comment. The two agencies that partially agreed, Defense and Energy, outlined plans that were consistent with the intent of our recommendations.

For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The agency agreed with the recommendation. However, in July 2020, OMB stated that the implementation of this recommendation would be counter to the Administration's focus of prioritizing modernization activities specifically for High Value Assets and, as a result, it does not intend on implementing this recommendation. We disagree and believe that identifying and publishing a specific goal aimed at reducing non-provisioned spending (i.e., spending associated with systems that are not cloud or shared service-based) aligns with the Administration's Cloud Smart strategy to accelerate agency adoption of cloud-based solutions. We will continue to monitor the implementation of this recommendation.

    Recommendation: The Director of OMB should identify and publish a specific goal associated with its non-provisioned O&M spending measure.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Open

    Comments: The agency agreed with the recommendation. In July 2020, OMB stated that agencies were directed to manage the risk to High Value Assets associated with legacy systems in OMB's December 2018 guidance. While OMB's guidance does direct agencies to identify, report, assess, and remediate issues associated with High Value Assets, it does not require agencies to do so for all legacy systems. We will continue to monitor the implementation of this recommendation.

    Recommendation: The Director of OMB should commit to a firm date by which its draft guidance on legacy systems will be issued, and subsequently direct agencies to identify legacy systems and/or investments needing to be modernized or replaced.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: The agency agreed with the recommendation. In May 2016, the agency updated its Capital Planning and Investment Control handbook with instructions on conducting operational analyses. In April 2019, the agency provided evidence that it was conducting these analyses on an annual basis as required. Doing so will allow Commerce to ensure that its investments in the operations and maintenance phase are fully reviewed and provide the agency opportunity to better oversee its older IT investments.

    Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

    Agency Affected: Department of Commerce

  4. Status: Open

    Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to ensure that operational analyses are performed on investments in the operations and maintenance phase. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

    Recommendation: To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase.

    Agency Affected: Department of the Treasury

  5. Status: Closed - Implemented

    Comments: The agency agreed with the recommendation. Subsequently, DHS identified several legacy systems in need of modernization and provided evidence of modernization plans for each of those modernization initiatives to include time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position DHS to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: The agency agreed with the recommendation. In May 2019, the agency stated that it had conducted an assessment of its legacy system environment and identified 106 legacy IT assets across 18 components. In a March 2020 update, the agency stated that it is in the process of developing a policy to govern all legacy systems, to include modernization and decommissioning plans. The agency plans to publish this policy by March 2021. We will continue to monitor the implementation of this recommendation.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Agriculture

  7. Status: Closed - Implemented

    Comments: The agency agreed with the recommendation. In May 2017, the agency stated that it was continuously assessing its current IT portfolio for opportunities to retire or modernize its mission critical legacy systems. Specifically, Commerce stated that it had identified two candidate systems for modernization--the National Weather Service Telecommunications Gateway and the USPTO Examiner Automated Search Tool. In May 2019, the agency stated that it has since retired the National Weather Service Telecommunications Gateway. In addition, the agency provided plans for the modernization of the USPTO Examiner Automated Search Tool that included time frames, activities to be performed, and functions to be replaced or enhanced. As a result, Commerce will be in a better position to identify investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Commerce

  8. Status: Closed - Implemented

    Comments: The department subsequently agreed with the recommendation, and in July 2019, DOD issued its Digital Modernization Strategy that detailed the department's approach for IT modernization, including eliminating or upgrading legacy IT. DOD's plans include time frames, activities to be performed, and functions to be replaced or enhanced. This will position DOD to better identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Defense

  9. Status: Closed - Implemented

    Priority recommendation

    Comments: The department partially agreed with the recommendation and agreed to take steps to modernize its legacy IT systems, as needed and as was available. In 2019, Energy began an effort to modernize its enterprise architecture, to include documenting the current and future states of its technology. As a result of this effort, in 2019 and 2020, Energy issued policies and a memorandum that required the identification of obsolete software for modernization or disposal. In addition, in late 2019, Energy completed a three-year technical roadmap for its IT modernization, as well as a detailed one-year roadmap. Energy's plans include time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position Energy to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Energy

  10. Status: Closed - Implemented

    Comments: The agency agreed with the recommendation. In a May 2019 update, the agency stated that beginning in 2017, its Office of the CIO had led a legacy IT and unsupported technology initiative to identify and plan for the migration of unsupported technology for HHS's most critical IT systems. The output of this effort was a prioritized list of HHS's legacy system modernization initiatives. HHS also demonstrated that its modernization plans of key legacy systems included time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position HHS to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Health and Human Services

  11. Status: Closed - Implemented

    Comments: The agency agreed with the recommendation and in October 2017, SSA issued its IT Modernization Plan. SSA's IT Modernization plan details the agency's vision to rebuild its systems using modern design techniques and includes time frames, activities to be performed, and functions to be replaced or enhanced. As a result, SSA will be in a better position to identify investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Social Security Administration

  12. Status: Closed - Implemented

    Comments: The agency had no comment on the recommendation. In October 2018, Justice identified the legacy systems it intended to modernize, and included evidence of planned time frames, activities to be performed, and functions to be replaced or enhanced. As a result, Justice will be be able to better IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Justice

  13. Status: Closed - Implemented

    Comments: The agency agreed with the recommendation and in fiscal year 2017, Transportation completed an initiative that 1) identified the components of the current state of its systems and created a visualized end-to-end diagram of it; 2) identified the legacy systems that need to be replaced and created a visualized model of what the ideal future state would look like, and 3) created a roadmap detailing the time frames, and activities that need to take place to achieve the ideal future state. Implementing this recommendation will position Transportation to better identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Transportation

  14. Status: Open

    Comments: The agency had no comment on the recommendation. In June 2017, Treasury provided an update on the IRS's efforts to modernize the IRS's legacy systems. However, the recommendation is intended to address issues at the department level and not just at the IRS. In 2017, Treasury declined to provide an update at the department level. As of April 2020, Treasury has not responded to requests for updates. We will continue to monitor the implementation of this recommendation.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of the Treasury

  15. Status: Closed - Implemented

    Priority recommendation

    Comments: The agency agreed with the recommendation. In a May 2018, the agency provided its Comprehensive Information Technology Plan that shows a detailed roadmap for the key programs and systems required for modernization and includes time frames, activities to be performed, and functions to be replaced or enhanced. As a result, VA will be able to better identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of Veterans Affairs

  16. Status: Closed - Implemented

    Priority recommendation

    Comments: The agency agreed with the recommendation. In December 2019, State issued an IT Modernization Plan to guide the transformation of IT at State. The plan identifies legacy functions/systems that need to be modernized and states that the Department is continuing to work with the bureaus to identify additional legacy functionality/systems for modernization. In addition, the plans includes time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position State to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.

    Recommendation: To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.

    Agency Affected: Department of State

 

Explore the full database of GAO's Open Recommendations »

Sep 30, 2020

Sep 29, 2020

Sep 28, 2020

Sep 14, 2020

Sep 9, 2020

Sep 8, 2020

Aug 31, 2020

Aug 3, 2020

Jun 1, 2020

Mar 5, 2020

Looking for more? Browse all our products here