Information Technology:

Agencies Need to Develop Modernization Plans for Critical Legacy Systems

GAO-19-471: Published: Jun 11, 2019. Publicly Released: Jun 11, 2019.

Additional Materials:

Contact:

Carol C. Harris
(202) 512-4456
harriscc@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The U.S. government plans to spend over $90 billion this fiscal year on information technology. Most of that will be used to operate and maintain existing systems, including aging (also called legacy) systems. These systems can be more costly to maintain and vulnerable to hackers.

We analyzed 65 federal legacy systems and identified the 10 most critical at 10 agencies ranging from Defense to Treasury. The systems were 8 to 51 years old. Three agencies had no documented plans to modernize. Two had plans that included key practices for success.

What GAO Found

Among the 10 most critical legacy systems that GAO identified as in need of modernization (see table 1), several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities. For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language (COBOL)—a programming language that has a dwindling number of people available with the skills needed to support it. In addition, the Department of the Interior's system contains obsolete hardware that is not supported by the manufacturers. Regarding cybersecurity, the Department of Homeland Security's system had a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018.

Table 1: The 10 Most Critical Federal Legacy Systems in Need of Modernization

| Agency | System name [a] | Age of system, in years | Age of oldest hardware, in years | System criticality (according to agency) | Security risk (according to agency) |
|---|---|---|---|---|---|
| Department of Defense | System 1 | 14 | 3 | Moderately high | Moderate |
| Department of Education | System 2 | 46 | 3 | High | High |
| Department of Health and Human Services | System 3 | 50 | Unknown [b] | High | High |
| Department of Homeland Security | System 4 | 8 – 11 [c] | 11 | High | High |
| Department of the Interior | System 5 | 18 | 18 | High | Moderately high |
| Department of the Treasury | System 6 | 51 | 4 | High | Moderately low |
| Department of Transportation | System 7 | 35 | 7 | High | Moderately high |
| Office of Personnel Management | System 8 | 34 | 14 | High | Moderately low |
| Small Business Administration | System 9 | 17 | 10 | High | Moderately high |
| Social Security Administration | System 10 | 45 | 5 | High | Moderate |

Source: GAO analysis of agency data. | GAO-19-471

[a] Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.

[b] The agency stated that the system's hardware had various refresh dates and was not able to identify the oldest hardware.

[c] The agency stated that the majority of the network's hardware was purchased between 2008 and 2011.

Of the 10 agencies responsible for these legacy systems, seven agencies (the Departments of Defense, Homeland Security, the Interior, the Treasury; as well as the Office of Personnel Management; Small Business Administration; and Social Security Administration) had documented plans for modernizing the systems (see table 2). The Departments of Education, Health and Human Services, and Transportation did not have documented modernization plans. Of the seven agencies with plans, only the Departments of the Interior and Defense's modernization plans included the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure.

Table 2: Extent to Which Agencies' Legacy System Documented Modernization Plans Included Key Elements

| Agency | System name [a] | Includes milestones to complete the modernization | Describes work necessary to modernize system | Summarizes planned disposition of legacy system |
|---|---|---|---|---|
| Department of Defense | System 1 | Yes | Yes | Yes |
| Department of Education | System 2 | No modernization plan | No modernization plan | No modernization plan |
| Department of Health and Human Services | System 3 | No modernization plan | No modernization plan | No modernization plan |
| Department of Homeland Security | System 4 | No | Yes | No |
| Department of the Interior | System 5 | Yes | Yes | Yes |
| Department of the Treasury | System 6 | Partial | Yes | No |
| Department of Transportation | System 7 | No modernization plan | No modernization plan | No modernization plan |
| Office of Personnel Management | System 8 | Partial | Partial | No |
| Small Business Administration | System 9 | Yes | No | Yes |
| Social Security Administration | System 10 | Partial | Partial | No |

Source: GAO analysis of agency data. | GAO-19-471

Agencies received a “partial” if the element was completed for a portion of the modernization.

[a] Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.

The five examples that GAO selected of successful information technology (IT) modernization initiatives included transforming legacy code into a more modern programming language and moving legacy software to the cloud. Doing so allowed the agencies to reportedly leverage IT to successfully address their missions and achieve a wide range of benefits, including cost savings.

Why GAO Did This Study

The federal government plans to spend over $90 billion in fiscal year 2019 on IT. About 80 percent of this amount is used to operate and maintain existing IT investments, including aging (also called legacy) systems. As they age, legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose.

GAO was asked to review federal agencies' legacy systems. This report (1) identifies the most critical federal legacy systems in need of modernization and evaluates agency plans for modernizing them, and (2) identifies examples of legacy system modernization initiatives that agencies considered successful.

To do so, GAO analyzed a total of 65 legacy systems in need of modernization that 24 agencies had identified. Of these 65, GAO identified the 10 most in need of modernization based on attributes such as age, criticality, and risk. GAO then analyzed agencies' modernization plans for the 10 selected legacy systems against key IT modernization best practices.

The 24 agencies also provided 94 examples of successful IT modernizations from the last 5 years. In addition, GAO identified other examples of modernization successes at these agencies. GAO then selected a total of five examples to highlight a mix of system modernization types and a range of benefits realized.

This is a public version of a sensitive report that is being issued concurrently. Information that agencies deemed sensitive has been omitted.

What GAO Recommends

In the sensitive report, GAO is making a total of eight recommendations—one to each of eight agencies—to ensure that they document modernization plans for the selected legacy systems.

The eight agencies agreed with GAO's findings and recommendations, and seven of the agencies described plans to address the recommendations.

For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.
