Information Technology: Federal Agencies Need to Address Aging Legacy Systems
Highlights
What GAO Found
The federal government spent about 75 percent of the total amount budgeted for information technology (IT) for fiscal year 2015 on operations and maintenance (O&M) investments. Such spending has increased over the past 7 fiscal years, which has resulted in a $7.3 billion decline from fiscal years 2010 to 2017 in development, modernization, and enhancement activities.
Total Federal IT Spending by Type (in billions)
Specifically, 5,233 of the government's approximately 7,000 IT investments are spending all of their funds on O&M activities. Moreover, the Office of Management and Budget (OMB) has directed agencies to identify IT O&M expenditures known as non-provisioned services that do not use solutions often viewed as more efficient, such as cloud computing and shared services. Agencies reported planned spending of nearly $55 billion on such non-provisioned IT in fiscal year 2015. OMB has developed a metric for agencies to measure their spending on services such as cloud computing and shared services, but has not identified an associated goal. Thus, agencies may be limited in their ability to evaluate progress.
Many O&M investments in GAO's review were identified as moderate to high risk by agency CIOs, and agencies did not consistently perform required analysis of these at-risk investments. Further, several of the at-risk investments did not have plans to be retired or modernized. Until agencies fully review their at-risk investments, the government's oversight of such investments will be limited and its spending could be wasteful.
Federal legacy IT investments are becoming increasingly obsolete: many use outdated software languages and hardware parts that are unsupported. Agencies reported using several systems that have components that are, in some cases, at least 50 years old. For example, Department of Defense uses 8-inch floppy disks in a legacy system that coordinates the operational functions of the nation's nuclear forces. In addition, Department of the Treasury uses assembly language code—a computer language initially used in the 1950s and typically tied to the hardware for which it was developed. OMB recently began an initiative to modernize, retire, and replace the federal government's legacy IT systems. As part of this, OMB drafted guidance requiring agencies to identify, prioritize, and plan to modernize legacy systems. However, until this policy is finalized and fully executed, the government runs the risk of maintaining systems that have outlived their effectiveness. The following table provides examples of legacy systems across the federal government that agencies report are 30 years or older and use obsolete software or hardware, and identifies those that do not have specific plans with time frames to modernize or replace these investments.
Examples of Legacy Investments and Systems
Agency |
Investment or system |
Description |
Agency-reported age |
Specific, defined plans for modernization or replacement |
Department of the Treasury |
Individual Master File |
The authoritative data source for individual taxpayers where accounts are updated, taxes are assessed, and refunds are generated. This investment is written in assembly language code—a low-level computer code that is difficult to write and maintain—and operates on an IBM mainframe. |
~56 |
No - The agency has general plans to replace this investment, but there is no firm date associated with the transition. |
Department of the Treasury |
Business Master File |
Retains all tax data pertaining to individual business income taxpayers and reflects a continuously updated and current record of each taxpayer's account. This investment is also written in assembly language code and operates on an IBM mainframe. |
~56 |
No - The agency has general plans to update this system, but there is no time frame established for this transition. |
Department of Defense |
Strategic Automated Command and Control System |
Coordinates the operational functions of the United States' nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 Computer—a 1970s computing system—and uses 8-inch floppy disks. |
53 |
Yes - The agency plans to update its data storage solutions, port expansion processors, portable terminals, and desktop terminals by the end of fiscal year 2017. |
Department of Veterans Affairs |
Personnel and Accounting Integrated Data |
Automates time and attendance for employees, timekeepers, payroll, and supervisors. It is written in Common Business Oriented Language (COBOL)—a programming language developed in the 1950s and 1960s—and runs on IBM mainframes. |
53 |
Yes - The agency plans to replace it with a project called Human Resources Information System Shared Service Center in 2017. |
Department of Veterans Affairs |
Benefits Delivery Network |
Tracks claims filed by veterans for benefits, eligibility, and dates of death. This system is a suite of COBOL mainframe applications. |
51 |
No - The agency has general plans to roll capabilities into another system, but there is no firm time frame associated with this transition. |
Department of Justice |
Sentry |
Provides information regarding security and custody levels, inmate program and work assignments, and other pertinent information about the inmate population. The system uses COBOL and Java programming languages. |
35 |
Yes - The agency plans to update the system through September 2016. |
Social Security Administration |
Title II Systems |
Determines retirement benefits eligibility and amounts. The investment is comprised of 162 subsystems written in COBOL. |
31 |
Yes - The agency has ongoing modernization efforts, including one that is experiencing cost and schedule challenges due to the complexities of the legacy software. |
Source: GAO analysis of IT Dashboard data, agency documentation, and interviews. | GAO-16-468
Note: Age was reported by agencies. Systems and investments may have individual components newer than the reported age.
Why GAO Did This Study
The federal government invests more than $80 billion on IT annually, with much of this amount reportedly spent on operating and maintaining existing (legacy) IT systems. Given the magnitude of these investments, it is important that agencies effectively manage their O&M.
GAO's objectives were to (1) assess federal agencies' IT O&M spending, (2) evaluate the oversight of at-risk legacy investments, and (3) assess the age and obsolescence of federal IT.
To do so, GAO reviewed OMB and 26 agencies' IT O&M spending for fiscal years 2010 through 2017. GAO further reviewed the 12 agencies that reported the highest planned IT spending for fiscal year 2015 to provide specifics on agency spending and individual investments.
Recommendations
GAO is making 16 recommendations, one of which is for OMB to develop a goal for its spending measure and finalize draft guidance to identify and prioritize legacy IT needing to be modernized or replaced. GAO is also recommending that selected agencies address at-risk and obsolete legacy O&M investments. Nine agencies agreed with GAO's recommendations, two agencies partially agreed, and two agencies stated they had no comment. The two agencies that partially agreed, Defense and Energy, outlined plans that were consistent with the intent of our recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | The Director of OMB should identify and publish a specific goal associated with its non-provisioned O&M spending measure. |
The agency agreed with the recommendation. In a December 2022 update, OMB stated that it plans to compare the recommendation with recent actions, guidance and policy memoranda issued since the recommendation was made, to determine if an update to the OMB response is appropriate. In March 2024, OMB stated that it believes it has met the intent of the recommendation and considers it closed. We disagree and believe that identifying and publishing a specific goal aimed at reducing non-provisioned spending (i.e., spending associated with systems that are not cloud or shared service-based) aligns with the Administration's goal to identify and prioritize the development of federal shared products, services, and standards. We will continue to monitor the implementation of this recommendation.
|
Office of Management and Budget |
Priority Rec.
The Director of OMB should commit to a firm date by which its draft guidance on legacy systems will be issued, and subsequently direct agencies to identify legacy systems and/or investments needing to be modernized or replaced.
|
The agency agreed with the recommendation. In April 2021, OMB stated that agencies were directed to manage the risk to High Value Assets associated with legacy systems in OMB's December 2018 guidance. While OMB's guidance does direct agencies to identify, report, assess, and remediate issues associated with High Value Assets, it does not require agencies to do so for all legacy systems. In a September 2021 update, OMB stated that OMB would work closely with agencies to better understand their plans and any obstacles. In a December 2022 update, OMB stated that it planned to compare the recommendation with recent actions, guidance and policy memoranda issued since the recommendation was made, to determine if an update to the OMB response is appropriate. In February 2024, OMB stated that it did not currently plan to issue any additional guidance on legacy systems. In March 2024, OMB stated that it believes it has met the intent of the recommendation and considers it closed. We disagree and believe that until OMB issues guidance on identifying and modernizing legacy systems, the federal government runs the risk of continuing to maintain investments that have outlived their effectiveness and are consuming resources that outweigh their benefits. We will continue to monitor the implementation of this recommendation.
|
Department of Commerce | To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase. |
The agency agreed with the recommendation. In May 2016, the agency updated its Capital Planning and Investment Control handbook with instructions on conducting operational analyses. In April 2019, the agency provided evidence that it was conducting these analyses on an annual basis as required. Doing so will allow Commerce to ensure that its investments in the operations and maintenance phase are fully reviewed and provide the agency opportunity to better oversee its older IT investments.
|
Department of the Treasury | To monitor whether existing investments are meeting the needs of their agencies, the Secretaries of Commerce and the Treasury should direct the respective agency CIO to ensure that required analyses are performed on investments in the operations and maintenance phase. |
The agency had no comment on the recommendation. In February 2021 update, Treasury provided evidence that its Capital Planning and Investment Control guidance requires the department's bureaus to conduct and maintain an Operational Analyses annually for IT investments. Treasury also provided evidence that it was conducting these analyses on an annual basis, as required. Doing so will allowe Treasury to ensure that its investments in the operations and maintenance phase are fully reviewed and provide the agency opportunity to better oversee its older IT investments.
|
Department of Homeland Security | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency agreed with the recommendation. Subsequently, DHS identified several legacy systems in need of modernization and provided evidence of modernization plans for each of those modernization initiatives to include time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position DHS to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Agriculture | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency agreed with the recommendation. In June 2021, at the request of the Secretary and Deputy Secretary, USDA began identifying, monitoring, and tracking legacy systems needing modernization. Data regarding the systems included the system's relative age , expected decommission date, reason for decommission, number of users, and "Authority to Operate" expiration date, and was captured within USDA's enterprise architecture (EA) system. As of July 2021, USDA had identified 275 legacy systems in need of modernization. Further, in April 2022, USDA issued guidance that requires the agency to identify legacy systems with an expected decommission date of less than 5 years; maintain this information in the EA system for all applicable IT assets; and develop and maintain a roadmap or strategy to support strategic goals and technology modernization efforts. Completing these activities will better position USDA to identify investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Commerce | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency agreed with the recommendation. In May 2017, the agency stated that it was continuously assessing its current IT portfolio for opportunities to retire or modernize its mission critical legacy systems. Specifically, Commerce stated that it had identified two candidate systems for modernization--the National Weather Service Telecommunications Gateway and the USPTO Examiner Automated Search Tool. In May 2019, the agency stated that it has since retired the National Weather Service Telecommunications Gateway. In addition, the agency provided plans for the modernization of the USPTO Examiner Automated Search Tool that included time frames, activities to be performed, and functions to be replaced or enhanced. As a result, Commerce will be in a better position to identify investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Defense | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The department subsequently agreed with the recommendation, and in July 2019, DOD issued its Digital Modernization Strategy that detailed the department's approach for IT modernization, including eliminating or upgrading legacy IT. DOD's plans include time frames, activities to be performed, and functions to be replaced or enhanced. This will position DOD to better identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Energy |
Priority Rec.
To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.
|
The department partially agreed with the recommendation and agreed to take steps to modernize its legacy IT systems, as needed and as was available. In 2019, Energy began an effort to modernize its enterprise architecture, to include documenting the current and future states of its technology. As a result of this effort, in 2019 and 2020, Energy issued policies and a memorandum that required the identification of obsolete software for modernization or disposal. In addition, in late 2019, Energy completed a three-year technical roadmap for its IT modernization, as well as a detailed one-year roadmap. Energy's plans include time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position Energy to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Health and Human Services | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency agreed with the recommendation. In a May 2019 update, the agency stated that beginning in 2017, its Office of the CIO had led a legacy IT and unsupported technology initiative to identify and plan for the migration of unsupported technology for HHS's most critical IT systems. The output of this effort was a prioritized list of HHS's legacy system modernization initiatives. HHS also demonstrated that its modernization plans of key legacy systems included time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position HHS to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Social Security Administration | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency agreed with the recommendation and in October 2017, SSA issued its IT Modernization Plan. SSA's IT Modernization plan details the agency's vision to rebuild its systems using modern design techniques and includes time frames, activities to be performed, and functions to be replaced or enhanced. As a result, SSA will be in a better position to identify investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Justice | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency had no comment on the recommendation. In October 2018, Justice identified the legacy systems it intended to modernize, and included evidence of planned time frames, activities to be performed, and functions to be replaced or enhanced. As a result, Justice will be be able to better IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of Transportation | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency agreed with the recommendation and in fiscal year 2017, Transportation completed an initiative that 1) identified the components of the current state of its systems and created a visualized end-to-end diagram of it; 2) identified the legacy systems that need to be replaced and created a visualized model of what the ideal future state would look like, and 3) created a roadmap detailing the time frames, and activities that need to take place to achieve the ideal future state. Implementing this recommendation will position Transportation to better identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of the Treasury | To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced. |
The agency had no comment on the recommendation. In a February 2021 update, Treasury noted that in order to allow its bureaus to satisfy their unique mission objectives, Treasury has chosen to manage its IT (including IT modernization) in a federated manner. The department noted that while there is no single plan for modernizing all of Treasury's IT, some bureaus do have a modernization plan. Treasury also stated that it does maintain an inventory of legacy systems as part of its CPIC process. Treasury noted that those systems that are flagged as being a legacy system are discussed as part of the annual strategic planning discussion with the CIO. As of February 2024, the department had not provide an update. Until Treasury documents its plans for modernizing its legacy systems, the department will continue to run the risk of maintaining investments that have outlived their effectiveness. We will continue to monitor the implementation of this recommendation.
|
Department of Veterans Affairs |
Priority Rec.
To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.
|
The agency agreed with the recommendation. In a May 2018, the agency provided its Comprehensive Information Technology Plan that shows a detailed roadmap for the key programs and systems required for modernization and includes time frames, activities to be performed, and functions to be replaced or enhanced. As a result, VA will be able to better identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|
Department of State |
Priority Rec.
To address obsolete IT investments in need of modernization or replacement, the Secretaries of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, the Treasury, Transportation, and Veterans Affairs; the Attorney General; and the Commissioner of Social Security should direct their respective agency CIOs to identify and plan to modernize or replace legacy systems as needed and consistent with OMB's draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced.
|
The agency agreed with the recommendation. In December 2019, State issued an IT Modernization Plan to guide the transformation of IT at State. The plan identifies legacy functions/systems that need to be modernized and states that the Department is continuing to work with the bureaus to identify additional legacy functionality/systems for modernization. In addition, the plans includes time frames, activities to be performed, and functions to be replaced or enhanced. These actions will better position State to identify IT investments that have outlived their effectiveness and effectively plan for the modernization or replacement of these investments.
|