Skip to main content

Information Technology: Agencies Need to Continue Addressing Critical Legacy Systems

GAO-23-106821 Published: May 10, 2023. Publicly Released: May 10, 2023.
Jump To:

Fast Facts

Each year, the U.S. government spends over $100 billion on information technology. Most of that will be used to operate and maintain existing systems, including aging—or "legacy"—systems. These systems can be costly to maintain and vulnerable to hackers.

This testimony updates our work in this area. In 2019, we analyzed 65 federal legacy systems and identified the 10 most critical at 10 agencies. The agencies have since made significant progress developing plans to modernize their systems. But as of May 2023, two of them—the Department of Transportation and the Office of Personnel Management—haven't fully implemented our prior recommendations.

image of computer code on a monitor

Skip to Highlights


What GAO Found

In June 2019, GAO identified 10 critical federal IT legacy systems (i.e., systems that are outdated or obsolete) that were most in need of modernization. These legacy systems provided vital support to agencies' missions. According to the agencies, these legacy systems ranged from about 8 to 51 years old and collectively cost about $337 million annually to operate and maintain. Several of the systems used older languages, such as Common Business Oriented Language (COBOL). GAO has previously reported that reliance on such languages has risks, such as a rise in procurement and operating costs, and a decrease in the availability of individuals with the proper skill sets. Further, several of the legacy systems were operating with known security vulnerabilities and unsupported hardware and software.

Of the 10 agencies responsible for these legacy systems, GAO reported in June 2019 that eight agencies either did not have documented plans for modernizing their systems or had incomplete plans. Agency plans were incomplete if they were missing any of the key elements: (1) milestones to complete the modernization, (2) a description of the work necessary to modernize the legacy system, and (3) details regarding the disposition of the legacy system.

Six of those eight agencies have implemented GAO's recommendations to identify and document modernization plans for their respective legacy systems. However, as of May 2023, two agencies (the Department of Transportation and the Office of Personnel Management) have not developed complete modernization plans (see table). Developing such plans is essential to addressing mission needs, dealing with security risks, and reducing operating costs.

Table: Extent to Which Selected Agencies Had Documented Modernization Plans for Legacy Systems


Had modernization plan with key elements, as of June 2019?

Has addressed incomplete elements of modernization plan, as of May 2023?

Department of Transportation

No. Agency did not have a documented modernization plan.

No. In April 2022, agency officials informed GAO that they expected to go live with the modernized system in the fall of 2022; however, as of May 2023, GAO has not received documented plans for this modernization effort.

Office of Personnel Management

Partial. Agency had a modernization plan but it did not fully include milestones or work necessary, and it did not include the disposition of the legacy system.

No. As of May 2023, GAO has not received evidence that the agency has developed a comprehensive modernization plan for this system.

Source: GAO analysis of agency modernization plans. | GAO-23-106821

Implementing GAO's prior recommendation to the Office of Management and Budget (OMB) on finalizing guidance directing agencies to identify systems needing modernization is essential. While OMB had drafted such guidance, it has not yet been issued. Doing so would provide greater assurance that the risks of continuing to operate legacy systems are being addressed government-wide.

Why GAO Did This Study

Each year, the federal government spends more than $100 billion on IT and cyber-related investments. Of this amount, agencies have typically reported spending about 80 percent on operations and maintenance of existing IT, including legacy systems.

Maintaining federal legacy systems can pose significant challenges. In May 2016, GAO reported instances where agencies had systems with components that were at least 50 years old or vendors that were no longer providing support for hardware or software. Similarly, in June 2019, GAO reported that several of the federal government's most critical legacy systems used outdated languages, had unsupported hardware and software, and were operating with known security vulnerabilities.

This statement is based primarily on GAO's 2019 report on federal agencies' legacy systems. GAO summarized the (1) critical federal legacy systems identified as most in need of modernization and (2) status of agencies' plans for modernizing them. It also analyzed updated information on agencies' implementation of GAO's recommendations, and summarized other relevant legacy systems reports.


In a 2019 report, GAO recommended that eight agencies have modernization plans for legacy systems. The agencies agreed but two have not yet implemented the recommendations. GAO also had a 2016 recommendation to OMB on agency identification of systems needing modernization, and OMB agreed with it. The recommendation has not yet been implemented.

Full Report

GAO Contacts

Office of Public Affairs


Business systems modernizationLegacy systemsSoftwareCybersecurityInformation technologyInformation systemsProject milestonesFederal agenciesSecurity risksSecurity vulnerabilities