Information Technology: Agencies Need to Develop Modernization Plans for Critical Legacy Systems
Fast Facts
The U.S. government plans to spend over $90 billion this fiscal year on information technology. Most of that will be used to operate and maintain existing systems, including aging (also called legacy) systems. These systems can be more costly to maintain and vulnerable to hackers.
We analyzed 65 federal legacy systems and identified the 10 most critical at 10 agencies ranging from Defense to Treasury. The systems were 8 to 51 years old. Three agencies had no documented plans to modernize. Two had plans that included key practices for success.
Highlights
What GAO Found
Among the 10 most critical legacy systems that GAO identified as in need of modernization (see table 1), several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities. For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language (COBOL)—a programming language that has a dwindling number of people available with the skills needed to support it. In addition, the Department of the Interior's system contains obsolete hardware that is not supported by the manufacturers. Regarding cybersecurity, the Department of Homeland Security's system had a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018.
Table 1: The 10 Most Critical Federal Legacy Systems in Need of Modernization
Agency | System name (a) | Age of system, in years | Age of oldest hardware, in years | System criticality (according to agency) | Security risk (according to agency)
Department of Defense | System 1 | 14 | 3 | Moderately high | Moderate
Department of Education | System 2 | 46 | 3 | High | High
Department of Health and Human Services | System 3 | 50 | Unknown (b) | High | High
Department of Homeland Security | System 4 | 8 – 11 (c) | 11 | High | High
Department of the Interior | System 5 | 18 | 18 | High | Moderately high
Department of the Treasury | System 6 | 51 | 4 | High | Moderately low
Department of Transportation | System 7 | 35 | 7 | High | Moderately high
Office of Personnel Management | System 8 | 34 | 14 | High | Moderately low
Small Business Administration | System 9 | 17 | 10 | High | Moderately high
Social Security Administration | System 10 | 45 | 5 | High | Moderate
Source: GAO analysis of agency data. | GAO-19-471 (http://www.gao.gov/products/GAO-19-471)
(a) Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.
(b) The agency stated that the system's hardware had various refresh dates and was not able to identify the oldest hardware.
(c) The agency stated that the majority of the network's hardware was purchased between 2008 and 2011.
Of the 10 agencies responsible for these legacy systems, seven agencies (the Departments of Defense, Homeland Security, the Interior, and the Treasury, as well as the Office of Personnel Management, Small Business Administration, and Social Security Administration) had documented plans for modernizing the systems (see table 2). The Departments of Education, Health and Human Services, and Transportation did not have documented modernization plans. Of the seven agencies with plans, only the Departments of the Interior and Defense's modernization plans included the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure.
Table 2: Extent to Which Agencies' Legacy System Documented Modernization Plans Included Key Elements
Agency | System name (a) | Includes milestones to complete the modernization | Describes work necessary to modernize system | Summarizes planned disposition of legacy system
Department of Defense | System 1 | Yes | Yes | Yes
Department of Education | System 2 | No modernization plan | |
Department of Health and Human Services | System 3 | No modernization plan | |
Department of Homeland Security | System 4 | No | Yes | No
Department of the Interior | System 5 | Yes | Yes | Yes
Department of the Treasury | System 6 | Partial | Yes | No
Department of Transportation | System 7 | No modernization plan | |
Office of Personnel Management | System 8 | Partial | Partial | No
Small Business Administration | System 9 | Yes | No | Yes
Social Security Administration | System 10 | Partial | Partial | No
Source: GAO analysis of agency data. | GAO-19-471 (http://www.gao.gov/products/GAO-19-471)
Agencies received a “partial” if the element was completed for a portion of the modernization.
(a) Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.
The five examples that GAO selected of successful information technology (IT) modernization initiatives included transforming legacy code into a more modern programming language and moving legacy software to the cloud. Doing so allowed the agencies to reportedly leverage IT to successfully address their missions and achieve a wide range of benefits, including cost savings.
Why GAO Did This Study
The federal government plans to spend over $90 billion in fiscal year 2019 on IT. About 80 percent of this amount is used to operate and maintain existing IT investments, including aging (also called legacy) systems. As they age, legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose.
GAO was asked to review federal agencies' legacy systems. This report (1) identifies the most critical federal legacy systems in need of modernization and evaluates agency plans for modernizing them, and (2) identifies examples of legacy system modernization initiatives that agencies considered successful.
To do so, GAO analyzed a total of 65 legacy systems in need of modernization that 24 agencies had identified. Of these 65, GAO identified the 10 most in need of modernization based on attributes such as age, criticality, and risk. GAO then analyzed agencies' modernization plans for the 10 selected legacy systems against key IT modernization best practices.
The 24 agencies also provided 94 examples of successful IT modernizations from the last 5 years. In addition, GAO identified other examples of modernization successes at these agencies. GAO then selected a total of five examples to highlight a mix of system modernization types and a range of benefits realized.
This is a public version of a sensitive report that is being issued concurrently. Information that agencies deemed sensitive has been omitted.
Recommendations
In the sensitive report, GAO is making a total of eight recommendations—one to each of eight agencies—to ensure that they document modernization plans for the selected legacy systems.
The eight agencies agreed with GAO's findings and recommendations, and seven of the agencies described plans to address the recommendations.