GAO-19-471, INFORMATION TECHNOLOGY: Agencies Need to Develop Modernization Plans for Critical Legacy Systems

INFORMATION

TECHNOLOGY

Agencies Need to

Develop

Modernization Plans

for Critical Legacy

Systems

Report to Congressional Requesters

June 2019

GAO-19-471

United States Government Accountability Office

Highlights of GAO-19-471, a report to

congressional

requesters

June 2019

INFORMATION TECHNOLOGY

Agencies Need to Develop

Modernization Plans for

Critical Legacy Systems

What GAO Found

Among the 10 most critical legacy systems that GAO identified as in need of

modernization (see table 1), several use outdated languages, have unsupported

hardware and software, and are operating with known security vulnerabilities. For

example, the selected legacy system at the Department of Education runs on

Common Business Oriented Language (COBOL)—a programming language that

has a dwindling number of people available with the skills needed to support it. In

addition, the Department of the Interior’s system contains obsolete hardware that

is not supported by the manufacturers. Regarding cybersecurity, the Department

of Homeland Security’s system had a large number of reported vulnerabilities, of

which 168 were considered high or critical risk to the network as of September

2018.

Table 1: The 10 Most Critical Federal Legacy Systems in Need of Modernization

Agency

System name

Age of

system,

years

Age of

oldest

hardware,

in years

System

criticality

(according

to agency)

Security

risk

(according

to agency)

Department of Defense

System 1

Moderately

high

Moderate

Department of Education

System 2

High

Department of Health and

Human Services

System 3

Unknown

High

Department of Homeland

Security

System 4

8 – 11

High

Department of the Interior

System 5

High

Moderately

high

Department of the Treasury

System 6

High

Moderately

low

Department of Transportation

System 7

High

Moderately

high

Office of Personnel

Management

System 8

High

Moderately

low

Small Business Administration

System 9

High

Moderately

high

Social Security Administration

System 10

High

Moderate

Source: GAO analysis of agency data. | GAO-19-471

Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.

The agency stated that the system’s hardware had various refresh dates and was not able to identify

the oldest hardware.

The agency stated that the majority of the network’s hardware was purchased between 2008 and

2011.

Of the 10 agencies responsible for these legacy systems, seven agencies (the

Departments of Defense, Homeland Security, the Interior, the Treasury; as well

as the Office of Personnel Management; Small Business Administration; and

Social Security Administration) had documented plans for modernizing the

systems (see table 2). The Departments of Education, Health and Human

Services, and Transportation did not have documented modernization plans. Of

the seven agencies with plans, only the Departments of the Interior and

Defense’s modernization plans included the key elements identified in best

practices (milestones, a description of the work necessary to complete the

modernization, and a plan for the disposition of the legacy system). Until the

Why GAO Did This Study

The federal government plans to spend

over $90 billion in fiscal year 2019 on

IT. About 80 percent of this amount is

used to operate and maintain existing

IT investments, including aging (also

called legacy) systems. As they age,

legacy systems can be more costly to

maintain, more exposed to

cybersecurity risks, and less effective

in meeting their intended purpose.

GAO was asked to review federal

agencies’ legacy systems. This report

(1) identifies the most critical federal

legacy systems in need of

modernization and evaluates agency

plans for modernizing them, and (2)

identifies examples of legacy system

modernization initiatives that agencies

considered successful.

To do so, GAO analyzed a total of 65

legacy systems in need of

modernization that 24 agencies had

identified. Of these 65, GAO identified

the 10 most in need of modernization

based on attributes such as age,

criticality, and risk. GAO then analyzed

agencies’ modernization plans for the

10 selected legacy systems against

key IT modernization best practices.

The 24 agencies also provided 94

examples of successful IT

modernizations from the last 5 years.

In addition, GAO identified other

examples of modernization successes

at these agencies. GAO then selected

a total of five examples to highlight a

mix of system modernization types and

a range of benefits realized.

This is a public version of a sensitive

report that is being issued

concurrently. Information that agencies

deemed sensitive has been omitted.

View GAO-19-471. For more information,

contact Carol C. Harris at (202) 512-4456 or

[email protected].

Agencies Need to Develop Modernization Plans for Critical Legacy Systems

Page ii Highlights

other eight agencies establish complete modernization plans, they will have an

increased risk of cost overruns, schedule delays, and project failure.

Table 2: Extent to Which Agencies’ Legacy System Documented Modernization Plans Included

Key Elements

Agency

System

name

Includes

milestones to

complete the

modernization

Describes

work

necessary to

modernize

system

Summarizes

planned

disposition

of legacy

system

Department of Defense

System 1

Yes

Department of Education

System 2

No modernization plan

Department of Health and Human

Services

System 3

No modernization plan

Department of Homeland Security

System 4

Yes

Department of the Interior

System 5

Yes

Department of the Treasury

System 6

Partial

Yes

Department of Transportation

System 7

No modernization plan

Office of Personnel Management

System 8

Partial

Small Business Administration

System 9

Yes

Social Security Administration

System 10

Partial

Source: GAO analysis of agency data. | GAO-19-471

Agencies received a “partial” if the element was completed for a portion of the modernization.

Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.

The five examples that GAO selected of successful information technology (IT)

modernization initiatives included transforming legacy code into a more modern

programming language and moving legacy software to the cloud. Doing so

allowed the agencies to reportedly leverage IT to successfully address their

missions and achieve a wide range of benefits, including cost savings.

What GAO Recommends

In the sensitive report, GAO is making

a total of eight recommendations—one

to each of eight agencies—to ensure

that they document modernization

plans for the selected legacy systems.

The eight agencies agreed with GAO’s

findings and recommendations, and

seven of the agencies described plans

to address the recommendations.

Page i GAO-19-471 Legacy IT

Letter 1

Background 4

GAO Identified 10 Critical Federal Legacy Systems; Agencies

Often Lack Complete Plans for Their Modernization 13

Agencies Reported a Variety of IT Modernization Successes 20

Conclusions 23

Recommendations for Executive Action 23

Agency Comments and Our Evaluation 23

Appendix I Objectives, Scope, and Methodology 28

Appendix II The 24 Chief Financial Officers Act Agencies’ Most Critical Legacy

Systems in Need of Modernization 36

Appendix III Profiles of the 10 Most Critical Legacy Systems in Need of

Modernization 39

Appendix IV Comments from the Department of Education 59

Appendix V Comments from the Department of Health and Human Services 60

Appendix VI Comments from the Department of Homeland Security 62

Appendix VII Comments from the Internal Revenue Service 64

Appendix VIII Comments from the Office of Personnel Management 67

Contents

Page ii GAO-19-471 Legacy IT

Appendix IX Comments from the Small Business Administration 68

Appendix X Comments from the Social Security Administration 69

Appendix XI Comments from the Department of Housing and Urban

Development 70

Appendix XII Comments from the U.S. Agency for International Development 71

Appendix XIII GAO Contact and Staff Acknowledgments 72

Tables

Table 1: The 10 Most Critical Federal Legacy Systems in Need of

Modernization 15

Table 2: Extent to Which Agencies’ Legacy System Documented

Modernization Plans Included Key Elements 18

Table 3: Agency-Reported Examples of Successful Information

Technology (IT) Modernization Initiatives in the Last 5

Years and Associated Benefits 20

Table 4: Attributes and Associated Point Values Used to Rank

Legacy Systems 31

Table 5: Attributes and Associated Point Values Used to Rank

Legacy Systems in the Subsequent Round of Analysis 32

Table 6: The 10 Selected Most Critical Legacy Systems in Need of

Modernization 33

Table 7: Combined List of Agencies’ Most Critical Legacy Systems

in Need of Modernization 36

Figures

Figure 1: Airmen Maintaining an Air Force Aircraft 40

Figure 2: Photograph of a Dam 48

Page iii GAO-19-471 Legacy IT

Abbreviations

CIO Chief Information Officer

COBOL Common Business Oriented Language

DHS Department of Homeland Security

DOD Department of Defense

Education Department of Education

Energy Department of Energy

FAA Federal Aviation Administration

GSA General Services Administration

HHS Department of Health and Human Services

HUD Department of Housing and Urban Development

ICS Industrial Control System

IRS Internal Revenue Service

IT information technology

Interior Department of the Interior

Justice Department of Justice

LOUO limited official use only

MGT Modernizing Government Technology

NRC Nuclear Regulatory Commission

OIG Office of Inspector General

OMB Office of Management and Budget

OPM Office of Personnel Management

SCADA Supervisory Control and Data Acquisition

SBA Small Business Administration

SSA Social Security Administration

State Department of State

Transportation Department of Transportation

Treasury Department of the Treasury

VA Department of Veterans Affairs

This is a work of the U.S. government and is not subject to copyright protection in the

United States. The published product may be reproduced and distributed in its entirety

without further permission from GAO. However, because this work may contain

copyrighted images or other material, permission from the copyright holder may be

necessary if you wish to reproduce this material separately.

Page 1 GAO-19-471 Legacy IT

441 G St. N.W.

Washington, DC 20548

June 11, 2019

Congressional Requesters

According to the President’s Budget, the federal government plans to

spend over $90 billion in fiscal year 2019 on information technology (IT).

Of this amount, the government plans to spend about 80 percent on the

operations and maintenance of existing IT investments, including aging

(also called legacy) systems.

However, federal legacy systems are becoming increasingly obsolete. In

May 2016, we reported that many of the government’s IT investments

used outdated software languages and hardware parts that were

unsupported.

We also reported instances where agencies were using

systems that had components that were at least 50 years old or the

vendors were no longer providing support for hardware or software. As

they age, legacy systems can become more expensive to maintain, more

exposed to cybersecurity risks, and less effective in accomplishing their

intended purpose.

Accordingly, you asked us to review federal agencies’ legacy systems.

Our specific objectives were to (1) identify the most critical federal legacy

systems in need of modernization and evaluate plans for modernizing

them, and (2) identify examples of legacy system modernization initiatives

in the last 5 years that agencies considered successful.

This report presents a public version of a “limited official use only”

(LOUO) report that we are also issuing today.

The Department of

Homeland Security (DHS) and the Department of the Interior (Interior)

Office of Management and Budget, Analytical Perspectives, Budget of the United States

Government, Fiscal Year 2019 (Washington, D.C.: 2018) and Department of Defense,

Information Technology and Cyberspace Activities Budget Overview, Fiscal Year 2019

President’s Budget Request, (March 2018).

The Modernizing Government Technology (MGT) Act defines a legacy IT system as a

system that is outdated or obsolete. National Defense Authorization Act for Fiscal Year

2018, Pub. L. No. 115-91, Div. A, Title X, Subtitle G (2017).

GAO, Information Technology: Federal Agencies Need to Address Aging Legacy

Systems, GAO-16-468 (Washington, D.C.: May 25, 2016).

GAO, Information Technology: Agencies Need to Develop Modernization Plans for

Critical Legacy Systems, GAO-19-351SU (Washington, D.C.: June 11, 2019).

Letter

Page 2 GAO-19-471 Legacy IT

determined that certain information in our original report should be

protected from public disclosure. Therefore, we will not release the LOUO

report to the general public because of the sensitive information it

contains.

The LOUO report includes eight recommendations that we made to eight

agencies to identify and document modernization plans for particular

legacy systems, including milestones, a description of the work

necessary, and details on the disposition of the legacy system.

In this

public version of the report, we have omitted sensitive information

regarding particular legacy systems, including the systems’ names and

other information that would identify the systems.

Although the information provided in this report is more limited, this report

addresses the same objectives as the LOUO report and is based on the

same audit methodology. We provided a draft of this report to agency

officials to obtain their review and comments on the sensitivity of the

information contained herein. We confirmed with the agency officials that

this report can be made available to the public without jeopardizing the

security of federal agencies’ legacy systems.

To identify the most critical legacy systems in need of modernization, we

followed up with each of the 24 federal agencies’ covered by the Chief

Financial Officers Act of 1990 regarding their legacy systems that they

had identified in 2017 as most in need of modernization.

All 24 agencies

either confirmed or updated their lists of these systems most in need of

modernization. This resulted in a collective list of 65 systems.

We made recommendations to the Departments of Education, Health and Human

Services, Homeland Security, Transportation, the Treasury; the Office of Personnel

Management; Small Business Administration; and Social Security Administration.

The 24 major federal agencies covered by the Chief Financial Officers Act of 1990 are

the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and

Human Services, Homeland Security, Housing and Urban Development, the Interior,

Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; Environmental

Protection Agency; General Services Administration; National Aeronautics and Space

Administration; National Science Foundation; Nuclear Regulatory Commission; Office of

Personnel Management; Small Business Administration; Social Security Administration;

and U.S. Agency for International Development. 31 U.S.C. §90l(b).

Page 3 GAO-19-471 Legacy IT

We then reviewed available technical literature

and consulted with

system development experts within GAO to develop a set of attributes for

determining system obsolescence and their need for modernization.

These attributes included a system’s age, hardware age, operating and

labor costs, vendor warranty and support status, and security risk.

assigned point values to each system based on the systems’ agency-

reported attributes. We totaled each system’s assigned point values and

used the results to rank the 65 legacy systems. We then designated the

10 systems with the highest scores as those legacy systems most in need

of modernization.

However, due to sensitivity concerns, in this report we

substituted a numeric identifier for the system names and are not

providing detailed descriptions.

To evaluate agencies’ plans for modernizing the 10 federal legacy

systems most in need of modernization, we requested that the relevant

agencies provide us with their documented plans for modernizing the

selected systems. We reviewed government and industry best practices

related to the modernization of legacy systems.

Based on our reviews of

these documents, we determined that agencies’ documented plans for

system modernization should include, at a minimum, (1) milestones to

Our review of literature included General Services Administration, Unified Shared

Services Management, Modernization and Migration Management (M3) Playbook (Aug. 3,

2016); M3 Playbook Guidance (Aug. 3, 2016); American Technology Council, Report to

the President on Federal IT Modernization (Dec. 13, 2017); Office of Management and

Budget, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9,

2016); American Council for Technology-Industry Advisory Council, Legacy System

Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016);

and Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of

Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).

A legacy system may run on updated hardware, and thus, the system’s age and

hardware age may not be the same.

The 10 agencies with the most critical legacy systems in need of modernization are the

Departments of Defense, Education, Health and Human Services, Homeland Security, the

Interior, the Treasury, and Transportation; the Office of Personnel Management; the Small

Business Administration; and the Social Security Administration.

General Services Administration, Unified Shared Services Management, Modernization

and Migration Management (M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug.

3, 2016); American Technology Council, Report to the President on Federal IT

Modernization (Dec. 13, 2017); Office of Management and Budget, Management of

Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9, 2016); American Council

for Technology-Industry Advisory Council, Legacy System Modernization: Addressing

Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016); and Dr. Gregory S.

Dawson, Arizona State University, IBM Center for The Business of Government, A

Roadmap for IT Modernization in Government (Washington, D.C.: 2018).

Page 4 GAO-19-471 Legacy IT

complete the modernization, (2) a description of the work necessary to

modernize the system, and (3) details regarding the disposition of the

legacy system. We then analyzed agencies’ documented modernization

plans for the selected legacy systems to determine whether the plans

included these elements. We supplemented our work with interviews of

officials in the agencies’ offices of the Chief Information Officer (CIO) and

program offices for the selected legacy systems.

To identify legacy system modernization initiatives that agencies indicated

were successful, we asked each of the 24 agencies to provide us with

examples of those modernization initiatives that they completed between

2014 and 2018 and deemed to be successful. In addition, we identified

other examples of modernization successes at these agencies. We also

coordinated with the selected agencies’ Offices of Inspector General

(OIG) to determine whether those offices had any past or current audit

work that would contradict the agencies’ determination that the initiatives

were successful. We then selected initiatives that reflected a mix of

different agencies, types of system modernizations undertaken, and types

of benefits realized from the initiatives. A full description of our objectives,

scope, and methodology can be found in appendix I.

We conducted this performance audit from January 2018 to June 2019 in

accordance with generally accepted government auditing standards.

Those standards require that we plan and perform the audit to obtain

sufficient, appropriate evidence to provide a reasonable basis for our

findings and conclusions based on our audit objectives. We believe that

the evidence obtained provides a reasonable basis for our findings and

conclusions based on our audit objectives.

Historically, the federal government has had difficulties acquiring,

developing, and managing IT investments.

Further, federal agencies

have struggled with appropriately planning and budgeting for modernizing

legacy systems; upgrading underlying infrastructure; and investing in high

quality, lower cost service delivery technology. The consequences of not

updating legacy systems has contributed to, among other things, security

risks, unmet mission needs, staffing issues, and increased costs.

As a result of the many issues the federal government has experienced, we identified

“Improving the Management of IT Acquisitions and Operations” as a high-risk area in

February 2015. GAO, High-Risk Series: An Update, GAO-15-290 (Washington, D.C.: Feb.

11, 2015).

Background

Page 5 GAO-19-471 Legacy IT

• Security risks. Legacy systems may operate with known security

vulnerabilities that are either technically difficult or prohibitively

expensive to address. In some cases, vendors no longer provide

support for hardware or software, creating security vulnerabilities and

additional costs. For example, in November 2017, the Department of

Education’s (Education) Inspector General identified security

weaknesses that included the department’s use of unsupported

operating systems, databases, and applications.

By using

unsupported software, the department put its sensitive information at

risk, including the personal records and financial information of

millions of federal student aid applicants.

• Unmet mission needs. Legacy systems may not be able to reliably

meet mission needs because they are outdated or obsolete. For

instance, in 2016, the Department of State’s (State) Inspector General

reported on the unreliability of the Bureau of Consular Affairs’ legacy

systems.

Specifically, during the summers of 2014 and 2015,

outages in the legacy systems slowed and, at times, stopped the

processing of routine consular services such as visa processing. For

example, in June 2015, system outages caused by a hardware failure

halted visa processing for 13 days, creating a backlog of 650,000

visas.

• Staffing issues. In order to operate and maintain legacy systems,

staff may need experience with older technology and programming

languages, such as the Common Business Oriented Language

(COBOL).

Agencies have had difficulty finding employees with such

knowledge and may have to pay a premium to hire specialized staff or

contractors. For example, we reported in May 2016 that the Social

Security Administration (SSA) had to rehire retired employees to

Department of Education, Office of Inspector General, FY 2018 Management

Challenges, (Washington, D.C.: November 2017).

According to Education’s Office of General Counsel, Education has developed

corrective action plans to address the Inspector General’s recommendation.

U.S. Department of State, Office of Inspector General, Inspection of the Bureau of

Consular Affairs, Office of Consular Systems and Technology, ISP-I-17-04, (Arlington, VA:

December 2016).

COBOL, which was introduced in 1959, became the first widely used, high-level

programming language for business applications. The Gartner Group, a leading IT

research and advisory company, has reported that organizations using COBOL should

consider replacing the language, as procurement and operating costs are expected to

steadily rise, and because there is a decrease in people available with the proper skill sets

to support the language.

Page 6 GAO-19-471 Legacy IT

maintain its COBOL systems.

Further, having a shortage of expert

personnel available to maintain a critical system creates significant

risk to an agency’s mission. For instance, we reported in June 2018

that the Internal Revenue Service (IRS) was experiencing shortages

of staff with the skills to support key tax processing systems that used

legacy programming languages.

These staff shortages not only

posed risks to the operation of the key tax processing systems, but

they also hindered the agency’s efforts to modernize its core tax

processing system.

• Increased costs. The cost of operating and maintaining legacy

systems increases over time. The issue of cost is linked to the three

previously described consequences—either because the other issues

directly raise costs or, as in the case of not meeting mission needs,

the agency is not receiving a favorable return on investment. Further,

in an era of constrained budgets, the high costs of maintaining legacy

systems could limit agencies’ ability to modernize and develop new or

replacement systems.

During the course of our review, agencies reported that they consider

several factors prior to deciding whether to modernize a legacy system. In

particular, agencies evaluate factors, such as the inherent risks, the

criticality of the system, the associated costs, and the system’s

operational performance.

• Risks. Agencies consider the risks associated with maintaining the

legacy system as well as modernizing the legacy system. For

instance, agencies may prioritize the modernization of legacy systems

that have security vulnerabilities or software that is unsupported by

the vendor.

However, limited system accessibility may also reduce

the need to modernize a legacy system. For example, air-gapped

systems, which are systems that are isolated from the internet, may

GAO-16-468.

GAO, Information Technology: IRS Needs to Take Additional Actions to Address

Significant Risks to Tax Processing, GAO-18-298 (Washington, D.C.: June 28, 2018).

When computer systems or software are no longer supported, the vendor of the product

ceases to provide patches, security fixes, or updates, leaving system vulnerabilities open

to exploitation.

Page 7 GAO-19-471 Legacy IT

mitigate a legacy system’s cybersecurity risk by preventing remote

hackers from having system access.

Conversely, we have also reported that air-gapped systems are not

necessarily secure: they could potentially be accessed by other

means than the internet, such as through Universal Serial Bus

devices.

Even so, removing the threat of remote access is a

mitigation technique used by agencies such as the Nuclear

Regulatory Commission (NRC). According to NRC, the agency

reduced the riskiness of using computers with unsupported operating

systems by putting these computers on isolated networks or by

disconnecting them from networks entirely.

• Criticality. Agencies consider how critical the system is to the

agency’s mission. Several agencies stated that they would consider

how essential a legacy system is to their agencies’ missions before

deciding to modernize it. For example, the Department of Health and

Human Services (HHS) stated that, when deciding to modernize a

legacy system, it considers the degree to which core mission

functions of the agency or other agencies are dependent on the

system. Similarly, Department of Energy (Energy) officials noted that

the department is required to maintain several legacy systems

associated with the storage of its nuclear waste.

• Costs. Agencies consider the costs of maintaining a legacy system

and modernizing the system. For example, according to the

Department of Veterans Affairs (VA), there are systems for which a

life-cycle cost analysis of the legacy system may show that the cost to

modernize exceeds the projected costs to maintain the system.

Similarly, the Department of Defense (DOD) noted that, before

deciding on a modernization solution, it is important to assess the

costs of the transition to a new or replacement solution.

An agency also may decide to modernize a system when there is

potential for cost savings to be realized with a modernization effort.

For example, HHS stated that it may pursue the modernization of a

legacy system if the department anticipates reductions in operations

Michael DePhillips and Susan Pepper, “Computer Security – Indirect Vulnerabilities and

Threat Vectors (Air-Gap In-depth)” (paper presented at the International Conference on

Physical Protection of Nuclear Material and Nuclear Facilities, Vienna, Austria: November

2017).

GAO, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of

Vulnerabilities, GAO-19-128 (Washington, D.C.: Oct. 9, 2018).

Page 8 GAO-19-471 Legacy IT

and maintenance costs due to efficiencies gained through the

modernization.

• Performance. Before making the decision to modernize, agencies

consider the legacy system’s operational performance. Specifically, if

the legacy system is performing poorly, the agency may decide to

modernize it. For example, the Department of Transportation

(Transportation) stated that, if a legacy system is no longer

functioning properly, it should be modernized. In addition, HHS noted

that the ability to improve the functionality of the legacy system could

be a reason to modernize it.

As previously mentioned, in May 2016, we reported that federal legacy IT

investments were becoming increasingly obsolete.

In this regard,

agencies had reported operating systems that used outdated languages

and old parts, which were difficult to replace. Further, we noted that each

of the 12 selected agencies had reported using unsupported operating

systems and components, which could create security vulnerabilities and

additional costs.

At the time, five of the selected agencies reported

using 1980s and 1990s Microsoft operating systems that stopped being

supported by the vendor more than a decade ago. We concluded that

agencies were, in part, maintaining obsolete investments because they

were not required to identify, evaluate, and prioritize investments to

determine whether the investments should be kept as-is, modernized,

replaced, or retired. We pointed out that the Office of Management and

Budget (OMB) had created draft guidance that would require agencies to

do so, but OMB had not committed to a firm time frame for when the

guidance would be issued.

As such, we made 16 recommendations to OMB and the selected federal

agencies to better manage legacy systems and investments. Most

agencies agreed with the recommendations or had no comment.

However, as of May 2019, 13 recommendations had not been

implemented. In particular, OMB has not finalized and issued its draft

guidance on legacy systems. Until this guidance is finalized and issued,

GAO-16-468.

The agencies in our 2016 review were the 12 that reported the highest planned IT

spending for fiscal year 2015. These agencies were the Departments of Agriculture,

Commerce, Defense, Energy, Health and Human Services, Homeland Security, Justice,

State, Transportation, the Treasury, and Veterans Affairs; and the Social Security

Administration.

GAO Has Reported on the

Need to Improve

Oversight of Legacy IT

Page 9 GAO-19-471 Legacy IT

the federal government will continue to run the risk of maintaining

investments that have outlived their effectiveness and are increasingly

difficult to protect from cybersecurity vulnerabilities.

Congress and the executive branch have initiated several efforts to

modernize federal IT, including:

• Identification of High Value Assets. In a December 2016

memorandum, OMB observed that continued increases in computing

power combined with declining computing and storage costs and

increased network connectivity had expanded the government’s

capacity to store and process data.

However, OMB noted that this

rise in technology and interconnectivity also meant that the federal

government’s critical networks, systems, and data were more

exposed to cyber risks. As a result, OMB issued guidance to assist

federal agencies covered by the Chief Financial Officers Act in

managing the risks to these assets, which it designated as High Value

Assets.

Subsequently, in December 2018, OMB issued a memorandum that

provided further guidance regarding the establishment and

enhancement of the High Value Asset program.

It stated that the

program is to be operated by DHS in coordination with OMB. Further,

the new guidance expanded the program to apply to all agencies (i.e.,

agencies covered by the Chief Financial Officers Act, as well as those

not covered by the act) and expanded the definition of High Value

OMB, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9,

2016).

OMB’s December 2016 memorandum defined High Value Assets as those assets,

federal information systems, information, and data for which an unauthorized access, use,

disclosure, disruption, modification, or destruction could cause significant impact to the

United States’ national security interests, foreign relations, economy, or to the public

confidence, civil liberties, or public health and safety of the American people. This

definition replaced a previous definition from OMB Memorandum M-16-04.

OMB, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High

Value Asset Program, M-19-03 (Washington, D.C.: Dec. 10, 2018). This memorandum

rescinded the previous guidance on High Value Assets, M-16-04 and M-17-09.

Congress and the

Executive Branch Have

Made Efforts to Modernize

Federal IT

Page 10 GAO-19-471 Legacy IT

Assets.

The guidance required agencies to identify and report these

assets (which may include legacy systems), assess them for security

risks, and remediate any weaknesses identified, including those

associated with obsolete or unsupported technology.

• Assessment of federal IT modernization. On May 11, 2017, the

President signed Executive Order 13800, Strengthening the

Cybersecurity of Federal Networks and Critical Infrastructure.

This

executive order outlined actions to enhance cybersecurity across

federal agencies and critical infrastructure to improve the nation’s

cyber posture and capabilities against cybersecurity threats. Among

other things, the order tasked the Director of the American

Technology Council to coordinate a report to the President from the

Secretary of DHS, the Director of OMB, and the Administrator of the

General Services Administration (GSA), in consultation with the

Secretary of Commerce, regarding modernizing federal IT.

As a result, the Report to the President on Federal IT Modernization

was issued on December 13, 2017, and outlined the current and

envisioned state of federal IT.

The report focused on modernization

efforts to improve the security posture of federal IT and recognized

that agencies have attempted to modernize systems but have been

stymied by a variety of factors, including resource prioritization, ability

to procure services quickly, and technical issues. The report provided

multiple recommendations intended to address these issues through

the modernization and consolidation of networks and the use of

shared services. In particular, the report recommended that the

According to OMB’s December 2018 guidance, an agency may designate federal

information or an information system as a High Value Asset when one or more of these

categories apply to it: (1) the information or information system that processes, stores, or

transmits the information is of high value to the federal government or its adversaries; (2)

the agency that owns the information or information system cannot accomplish its primary

mission essential functions within expected timelines without the information or

information system; and (3) the information or information system serves a critical function

in maintaining the security and resilience of the federal civilian enterprise.

Exec. Order No. 13800, 82 Fed Reg. 22391 (2017).

The American Technology Council was established in May 2017, and has the goal of

helping to transform and modernize federal agency IT and how the federal government

uses and delivers digital services. The President is the chairman of this council, and the

Federal CIO and the United States Digital Service Administrator are among the members.

American Technology Council, Report to the President on Federal IT Modernization,

(Washington, D.C.: Dec. 13, 2017).

Page 11 GAO-19-471 Legacy IT

federal government prioritize the modernization of legacy IT by

focusing on enhancing security and privacy controls for those assets

that are essential for agencies to serve the American people and

whose security posture is most vulnerable (i.e., High Value Assets).

• Enactment of the Modernizing Government Technology (MGT)

Act. To help further agencies’ efforts to modernize IT, in December

2017, Congress and the President enacted a law to authorize the

availability of funding mechanisms to improve, retire, or replace

existing IT systems to enhance cybersecurity and to improve

efficiency and effectiveness. The law, known as the MGT Act,

authorizes agencies to establish working capital funds for use in

transitioning from legacy systems, as well as for addressing evolving

threats to information security.

The law also created the Technology

Modernization Fund, within the Department of the Treasury

(Treasury), from which agencies can “borrow” money to retire and

replace legacy systems, as well as acquire or develop systems.

Subsequently, in February 2018, OMB issued guidance for agencies

to implement the MGT Act.

The guidance was intended to provide

agencies additional information regarding the Technology

Modernization Fund, and the administration and funding of the related

IT working capital funds.

Specifically, the guidance allowed agencies

to begin submitting initial project proposals for modernization on

February 27, 2018.

In addition, in accordance with the MGT Act, the guidance provides

details regarding a Technology Modernization Board, which is to

consist of (1) the Federal CIO; (2) a senior official with IT technical

expertise from GSA; (3) a member of DHS’s National Protection and

National Defense Authorization Act for Fiscal Year 2018, Pub. L. No. 115-91, Div. A,

Title X, Subtitle G (2017).

OMB, Implementation of the Modernizing Government Technology Act, M-18-12

(Washington, D.C.: Feb. 27, 2018).

OMB staff stated that, while the MGT Act authorizes agencies to establish working

capital funds, the Act does not confer the transfer authority necessary to operate an IT

working capital fund.

Page 12 GAO-19-471 Legacy IT

Program Directorate;

and (4) four federal employees with technical

expertise in IT development, financial management, cybersecurity and

privacy, and acquisition, appointed by the Director of OMB.

As of February 2019, the Technology Management Fund Board had

approved funds for seven IT modernization projects across five

agencies: the Department of Agriculture, Energy, the Department of

Housing and Urban Development (HUD), the Department of Labor,

and GSA. For example, the board approved $20 million for HUD to

modernize a mainframe and five COBOL-based applications that are

expensive to maintain. According to the board’s website, without

these funds, HUD would not have been able to pursue this project for

several years.

• Issuance of the President’s Management Agenda. In March 2018,

the Administration issued the President’s Management Agenda, which

lays out a long-term vision for modernizing the federal government.

The agenda identifies three related drivers of transformation—IT

modernization; data, accountability, and transparency; and the

workforce of the future—that are intended to push change across the

federal government.

The President’s Management Agenda identifies 14 related Cross-

Agency Priority goals, many of which have elements that involve IT.

In particular, the Cross-Agency Priority goal on IT modernization

states that modern technology must function as the backbone of how

government serves the public in the digital age. Further, the goal on IT

modernization provides three priorities that are to guide the

Administration’s efforts to modernize federal IT: (1) enhancing mission

effectiveness by improving the quality and efficiency of critical

The National Protection and Program Directorate was the DHS component responsible

for addressing physical and cyber infrastructure protection. The Cybersecurity and

Infrastructure Security Agency Act of 2018 renamed the National Protection and Program

Directorate to be the Cybersecurity and Infrastructure Security Agency and established a

director and responsibilities for the agency.

As of February 2019, these four employees were the Acting Administrator of OMB’s U.S.

Digital Service, the Small Business Administration’s CIO, SSA’s CIO, and VA’s Chief

Technology Officer.

President’s Management Council and Executive Office of the President, President’s

Management Agenda (Washington, D.C.: Mar. 20, 2018).

Cross-Agency Priority goals were established in response to the GPRA Modernization

Act of 2010, Pub. L. No. 111-352, Sec. 5 (Jan. 4, 2011); 124 Stat. 3866, 3873; 31 U.S.C. §

1120(a)(1)(B).

Page 13 GAO-19-471 Legacy IT

services, including the increased utilization of cloud-based solutions;

(2) reducing cybersecurity risks to the federal mission by leveraging

current commercial capabilities and implementing cutting edge

cybersecurity capabilities; and (3) building a modern IT workforce by

recruiting, reskilling, and retaining professionals able to help drive

modernization with up-to-date technology.

As determined by our review of 65 critical federal legacy systems (see

appendix II), the 10 most critical legacy systems in need of modernization

are maintained by 10 different federal agencies whose missions are

essential to government operations, such as emergency management,

health care, and wartime readiness.

These legacy systems provide vital

support to the agencies’ missions.

According to the agencies, these legacy systems range from about 8 to

51 years old and, collectively, cost approximately $337 million annually to

operate and maintain.

Several of the systems use older languages,

such as COBOL and assembly language code.

However, as we

reported in June 2018, reliance on assembly language code and COBOL

has risks, such as a rise in procurement and operating costs, and a

decrease in the availability of individuals with the proper skill sets.

Cloud computing is a means for delivering computing services via IT networks. When

executed effectively, cloud-based solutions can allow agencies to pay for only the IT

services used, thus paying less for more services.

To identify the 10 most critical legacy systems in need of modernization, we collected

information on 65 of the most critical federal legacy systems and assigned point values

based on system attributes, including a system’s age, hardware’s age, system criticality,

and security risk (see appendix II for the full list of 65 systems). We then selected the 10

systems with the highest scores as the most critical legacy systems in need of

modernization.

SSA was unable to isolate the costs for just System 10 and, as a result, this number

includes the cost of operating some of SSA’s other mainframe systems.

As we reported in May 2016, assembly language code is a low-level computer language

initially used in the 1950s. Programs written in assembly language are conservative of

machine resources and quite fast; however, they are much more difficult to write and

maintain than other languages. Programs written in assembly language may only run on

the type of computer for which they were originally developed.

GAO, Information Technology: IRS Needs to Take Additional Actions to Address

Significant Risks to Tax Processing, GAO-18-298 (Washington, D.C.: June 28, 2018).

GAO Identified 10

Critical Federal

Legacy Systems;

Agencies Often Lack

Complete Plans for

Their Modernization

Page 14 GAO-19-471 Legacy IT

Further, several of these legacy systems are also operating with known

security vulnerabilities and unsupported hardware and software. For

example, DHS’s Federal Emergency Management Agency performed a

security assessment on its selected legacy system in September 2018.

This review found 249 reported vulnerabilities, of which 168 were

considered high or critical risk to the network.

With regard to unsupported hardware and software, Interior’s system

contains obsolete hardware that is not supported by the manufacturers.

Moreover, the system’s original hardware and software installation did not

include any long-term vendor support. Thus, any original components that

remain operational may have had long-term exposure to security and

performance weaknesses.

Table 1 provides a generalized list of each of the 10 most critical legacy

systems that we identified, as well as agency-reported system attributes,

including the system’s age, hardware’s age, system criticality, and

security risk. (Due to sensitivity concerns, we substituted a numeric

identifier for the system names and are not providing detailed

descriptions). Appendix III provides additional generalized agency-

reported details on each of these 10 legacy systems.

Page 15 GAO-19-471 Legacy IT

Table 1: The 10 Most Critical Federal Legacy Systems in Need of Modernization

Agency

System

name

System description

Age of

system,

in years

Age of

oldest

hardware,

in years

System

criticality

(according to

agency)

Security

risk

(according

to agency)

Department of

Defense

System 1

A maintenance system that supports

wartime readiness, among other things

Moderately

high

Moderate

Department of

Education

System 2

A system that contains student

information

High

Department of

Health and Human

Services

System 3

An information system that supports

clinical and patient administrative

activities

Unknown

High

Department of

Homeland Security

System 4

A network that consists of routers,

switches, and other network appliances

Between 8

and 11

High

Department of the

Interior

System 5

A system that supports the operation of

certain dams and power plants

High

Moderately

high

Department of the

Treasury

System 6

A system that contains taxpayer

information

High

Moderately

low

Department of

Transportation

System 7

A system that contains information on

aircraft

High

Moderately

high

Office of Personnel

Management

System 8

Hardware, software, and service

components that support information

technology applications and services

High

Moderately

low

Small Business

Administration

System 9

A system that controls access to

applications

High

Moderately

high

Social Security

Administration

System 10

A group of systems that contain

information on Social Security

beneficiaries

High

Moderate

Key:

Agencies reported the system criticality and security risk on a scale of 1 to 5 (with 5 being the most critical and the highest risk).

Low-1: According to the agency, system has low security risk or criticality.

Moderately low-2: According to the agency, system has moderately low security risk or criticality.

Moderate-3: According to the agency, system has moderate security risk or criticality.

Moderately high-4: According to the agency, system has moderately high security risk or criticality.

High-5: According to the agency, system has high security risk or criticality.

Source: GAO analysis of agency data. | GAO-19-471

Due to sensitivity concerns, we substituted a numeric identifier for the system names and only

provided general details.

The agency stated that the system’s hardware had various refresh dates and that it was not able to

identify the oldest hardware.

The agency stated that the majority of the network’s hardware was purchased between 2008 and

2011.

Page 16 GAO-19-471 Legacy IT

Given the age of the hardware and software in legacy systems, the

systems’ criticality to agency missions, and the security risks posed by

operating aging systems, it is imperative that agencies carefully plan for

their successful modernization. Documenting modernization plans in

sufficient detail increases the likelihood that modernization initiatives will

succeed. According to our review of government and industry best

practices for the modernization of federal IT,

agencies should have

documented modernization plans for legacy systems that, at a minimum,

include three key elements: (1) milestones to complete the modernization,

(2) a description of the work necessary to modernize the legacy system,

and (3) details regarding the disposition of the legacy system.

Of the 10 identified agencies with critical systems most in need of

modernization, seven (DOD, DHS, Interior, Treasury, the Office of

Personnel Management (OPM), the Small Business Administration

(SBA), and SSA) had documented modernization plans for their

respective critical legacy systems and three did not have documented

plans. The three agencies that did not have documented modernization

plans for their critical legacy systems were: (1) Education, (2) HHS, and

(3) Transportation.

Of the seven agencies with documented plans, DOD and Interior had

modernization plans that addressed each of the three key elements. For

example, Interior submitted documentation of both completed and

forthcoming milestones leading to the deployment of the modernized

system. The department also provided a list of the mandatory

requirements for the updated system, as well as the work that needed to

be performed at each stage of the project, including the disposition of the

legacy system.

Likewise, DOD provided documentation of the milestones and the work

needed to complete the modernization of its legacy system. In addition,

the documentation discussed the department’s plans for the disposition of

the legacy system.

GSA, Unified Shared Services Management, Modernization and Migration Management

(M3) Playbook (Aug. 3, 2016); M3 Playbook Guidance (Aug. 3, 2016); American

Technology Council, Report to the President on Federal IT Modernization (Dec. 13, 2017);

OMB, Management of Federal High Value Assets, M-17-09 (Washington, D.C.: Dec. 9,

2016); American Council for Technology-Industry Advisory Council, Legacy System

Modernization: Addressing Challenges on the Path to Success (Fairfax, VA: Oct. 7, 2016);

and Dr. Gregory S. Dawson, Arizona State University, IBM Center for The Business of

Government, A Roadmap for IT Modernization in Government (Washington, D.C.: 2018).

The Majority of Agencies

Lack Complete Plans for

Modernizing the Most

Critical Legacy Systems

Page 17 GAO-19-471 Legacy IT

While the other five agencies—Treasury, DHS, OPM, SBA, and SSA—

had developed modernization plans for their respective legacy systems,

their plans did not fully address one or more of the three key elements.

For instance, DHS’s Federal Emergency Management Agency’s

modernization plan for its selected legacy system described the work that

the department needed to accomplish, but did not include the associated

milestones or the disposition of the legacy system. Similarly, SBA

included milestones and a plan for the disposition of the legacy system,

but did not include a description of the work necessary to accomplish the

modernization.

Treasury, OPM, and SSA partially included one or more of the key

elements in their modernization plans. For instance, OPM’s and SSA’s

plans included upcoming milestones for one part of the initiative, but not

the entire effort. Similarly, OPM’s modernization plans only described a

portion of the work necessary to complete each modernization initiative.

Further, none of these four agencies’ modernization plans included

considerations for the disposition of legacy system components following

the completion of the modernization initiatives. While agencies may be

using development practices that minimize initial planning, such as

agile,

agencies should have high-level information on cost, scope, and

timing.

Table 2 identifies the seven agencies with documented modernization

plans for their critical systems, as well as the extent to which the plans

were sufficiently detailed to include the three key elements. (Due to

sensitivity concerns, we substituted a numeric identifier for the system

names.)

Agile development is a type of incremental development, which calls for the rapid

delivery of software in small, short increments. Many organizations, especially in the

federal government, are accustomed to using a waterfall software development model,

which consists of long, sequential phases.

GAO, FEMA Grants Modernization: Improvements Needed to Strengthen Program

Management and Cybersecurity, GAO-19-164 (Washington, D.C.: Apr. 9, 2019).

Page 18 GAO-19-471 Legacy IT

Table 2: Extent to Which Agencies’ Legacy System Documented Modernization Plans Included Key Elements

Agency System name

Includes milestones

to complete the

modernization

Describes work

necessary to

modernize system

Summarizes

planned disposition

of legacy system

Department of Defense

System 1

Yes

Department of Homeland Security

System 4

Yes

Department of the Interior

System 5

Yes

Department of the Treasury

System 6

Partial

Yes

Office of Personnel Management

System 8

Partial

Small Business Administration

System 9

Yes

Social Security Administration

System 10

Partial

Legend:

Yes – Agency included element in modernization plan.

Partial – Agency partially included the element in the modernization plan (e.g., the element was completed for only a portion of the modernization, rather

than the entire modernization).

No – Agency did not include element in modernization plan.

Source: GAO analysis of agency modernization plans. | GAO-19-471

Due to sensitivity concerns, we have substituted the systems’ names with a numeric identifier.

The agencies provided a variety of explanations for the missing

modernization plans. For example, according to the three agencies

without documented modernization plans:

• Education’s modernization plans were pending the results of a

comprehensive IT visualization and engineering project that would

determine which IT systems and services could be feasibly

modernized, consolidated, or eliminated;

• HHS had entered into a contract to begin a modernization initiative but

had not yet completed its plans; and

• Transportation had solicited information from industry to determine

whether the agency’s ideas for modernization were feasible.

Of the five agencies which had plans that lacked key elements, officials

within SSA’s office of the CIO stated that the agency has yet to complete

its modernization planning, even though modernization efforts are

currently underway. The officials said that they will update the planning

documentation and make further decisions as the modernization effort

progresses.

Officials within DHS’s Federal Emergency Management Agency’s Office

of the CIO stated that its plans for modernizing the system we reviewed

Page 19 GAO-19-471 Legacy IT

(System 4) are contingent on receiving funding and being able to allocate

staffing resources to planning activities. According to the officials, the

agency is also integrating its plans for modernizing System 4 with the

management of the rest of the agency’s systems.

Similarly, Treasury officials stated that IRS’s efforts to complete planning

for the remaining modernization activities have been delayed due to

budget constraints. In addition, officials within OPM’s Office of the CIO

stated that its modernization plan did not extend to fiscal year 2019

because there were changes in leadership during the creation of the plan,

and because of uncertainty in funding amounts.

While we recognize that system modernizations are dependent on

funding, it is important for agencies to prioritize funding for the

modernization of these critical legacy systems. In addition, Congress

provided increased authority for agencies to fund such modernization

efforts through the MGT Act’s Technology Modernization Fund and the

related IT working capital funds.

Until the agencies establish complete legacy system modernization plans

that include milestones, describe the work necessary to modernize the

system, and detail the disposition of the legacy system, the agencies’

modernization initiatives will have an increased likelihood of cost

overruns, schedule delays, and overall project failure. Project failure

would be particularly detrimental in these 10 cases, not only because of

wasted resources, but also because it would prolong the lifespan of

increasingly vulnerable and obsolete systems, exposing the agency and

system clients to security threats and potentially significant performance

issues.

Further, agencies may not be effectively planning for the modernization of

legacy systems, in part, because they are not required to. As we reported

in May 2016, agencies are not required to identify, evaluate, and prioritize

existing IT investments to determine whether they should be kept as-is,

modernized, replaced, or retired.

We recommended that OMB direct

agencies to identify legacy systems needing to be replaced or

modernized. As of April 2019, OMB had not implemented this

recommendation. OMB staff stated that agencies were directed to

manage the risk to High Value Assets associated with legacy systems in

GAO-16-468.

Page 20 GAO-19-471 Legacy IT

OMB’s December 2018 guidance.

While OMB’s guidance does direct

agencies to identify, report, assess, and remediate issues associated with

High Value Assets, it does not require agencies to do so for all legacy

systems. Until OMB requires agencies to do so, the federal government

will continue to run the risk of continuing to maintain investments that

have outlived their effectiveness.

The 24 Chief Financial Officers Act agencies in our review identified a

total of 94 examples of successful modernizations of legacy systems

undertaken in the last 5 years. The initiatives were of several types,

including those aimed at transforming legacy code into a more modern

programming language, migrating legacy services (e.g., email) to the

cloud, and re-designing a legacy mainframe to a cloud-based application.

Among these examples, the five that we selected reflect a mix of different

agencies, types of system modernization initiatives, and types of benefits

realized from the initiatives.

Table 3 provides details on the five examples of successful IT

modernization initiatives, as reported by their respective agencies, as well

as the reported benefits related to those initiatives.

Table 3: Agency-Reported Examples of Successful Information Technology (IT) Modernization Initiatives in the Last 5 Years

and Associated Benefits

Agency

Initiative description

Benefits reported by agencies

Department of

Defense

(DOD)

Standard Base Supply System and Enterprise Solution-

Supply. In April 2015, the Air Force, a component of DOD,

began an initiative to modernize its Standard Base Supply

System and Enterprise Solution-Supply (legacy systems

responsible for the management of supplies and equipment for

warfighting missions). To do so, among other things, the

component transformed millions of lines of Common Business

Oriented Language (COBOL) code to Java code. In February

2018, the Air Force completed the migration to the modernized

version of the Integrated Logistics Systems-Supply system.

•

Avoided spending $11 million on costs

associated with hosting the system due to

decommissioning the legacy system earlier than

anticipated

• Avoided spending $25 million annually on

hosting costs

• Minimized the use of legacy code, which can be

costly and difficult to maintain

OMB, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High

Value Asset Program, M-19-03 (Washington, D.C.: Dec. 10, 2018).

Agencies Reported a

Variety of IT

Modernization

Successes

Page 21 GAO-19-471 Legacy IT

Agency

Initiative description

Benefits reported by agencies

Department of

Education

(Education)

Direct Loan Consolidation System. In 2012, Education

began its initiative to modernize the Direct Loan Consolidation

System, its system that allows students to apply for, receive,

and consolidate federal education loans. Among other things,

this modernization allowed loans to be assigned to multiple

servicers, corrected information security findings, and provided

better customer service. In June 2016, Education

decommissioned the legacy system. Functions that were

performed by the legacy system are now performed by

another existing system, which has an application process in

place for borrowers and a real-time interface to help

prepopulate the application.

•

Improved customer experience through website

consolidation

• Consolidated customer call centers

• Reduced applicant data entry errors by

prepopulating data from another system

• Reduced the amount of oversight required by

lowering the number of contractors and systems

• Closed multiple critical security vulnerabilities

• Improved customer service

Department of

Homeland

Security

(DHS)

Employing Shared Services/ Cloud. In August 2012, DHS

initiated the modernization of multiple IT infrastructure

systems. This included an agency-wide transition to a DHS

private cloud email system and migrating legacy services to 13

DHS private cloud offerings.

In particular, all eight of DHS’s

operational components migrated applicable legacy services

to 13 DHS private cloud offerings by the end of fiscal year

2016. As a result, DHS components were able to retire legacy

systems and replace legacy software application procurement

requirements. For example, U.S. Citizenship and Immigration

Services migrated several legacy services to the cloud,

including email, which ultimately saved the agency $42,000.

•

Realized cumulative $1.6 billion in cost savings

• Streamlined the supply chain for IT services

• Reduced the amount of labor needed to maintain

legacy systems and software

• Enhanced security

Department of

the Treasury

(Treasury)

Treasury Offset Program. Treasury began the modernization

initiative for this system in July 2011 using Agile development

principles.

In November 2014, Treasury migrated its legacy

COBOL- and Java-based Treasury Offset Program system to

its new Java-based Treasury Offset Program Next Generation.

The new system easily supported adding new debt collections

from federal and state agencies, along with new payment

streams.

•

Enhanced revenue by $759 million by collecting

delinquent debts

• Increased efficiency of the system

• Reduced time spent on manual interventions to

keep the system from failing

• Automated testing and deployment pipeline,

reducing risk and cost

Social

Security

Administration

(SSA)

Representative Payee System. SSA began the

modernization initiative in December 2011. The agency

needed to have the ability to continually add new

representative payee records and expand the number of

records stored in the database. In April 2016, SSA completed

its redesign of the system, changing it from a mainframe-

based system that used Assembler Language Code and

COBOL to a web-based application, and decommissioned the

legacy system.

•

Improved users’ ability to find data related to

criminal history and fraud

• Increased security by becoming compliant with

current agency standards and federal guidelines

• Improved business processes, such as search

capability

• Improved ability to identify criminal and

fraudulent data

• Improved system performance and incorporated

user requested features

Source: GAO analysis of agency data. | GAO-19-471

A private cloud is set up specifically for one organization, although there may be multiple customers

within that organization and the cloud may exist on or off the customer’s premises.

Agile development is an incremental approach that delivers software functionality in short increments

before the system is fully deployed.

Page 22 GAO-19-471 Legacy IT

The five agencies attributed the success of their modernization initiatives

to various factors, including:

• using automated technologies to examine programming code and

perform testing (DOD and Treasury);

• testing the system thoroughly (SSA and Treasury);

• actively engaging the end users and stakeholders throughout the

modernization process (SSA and Treasury);

• cultivating a partnership between industry and government (DOD);

• following management practices on change and life cycle

management (Education);

• developing and implementing an enterprise-wide cost collection and

data analysis process for commodity IT to track and measure

progress against consolidation, optimization, and savings targets

(DHS);

• creating an interface that was consistent across systems (SSA);

• having strong executive leadership and support (Treasury); and

• using agile principles to facilitate the team’s ownership of the project

(Treasury).

These factors are largely consistent with government and industry best

practices. For example, we reported in 2011 on critical success factors

associated with major acquisitions, including engaging stakeholders and

having the support of senior executives.

Similarly, OMB’s guidance on

High Value Assets calls for agencies’ plans to address change

management and life cycle management.

Likewise, the Software

Engineering Institute’s Capability Maturity Model® Integration for

Development recommends that organizations engage stakeholders,

practice effective change and life cycle management, and thoroughly test

systems, among other practices.

Further, our Information Technology

Investment Management framework recommends involving end users,

GAO, Information Technology: Critical Factors Underlying Successful Major

Acquisitions, GAO-12-7 (Washington, D.C.: Oct. 21, 2011).

OMB, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High

Value Asset Program, M-19-03 (Washington, D.C.: Dec. 10, 2018).

Carnegie Mellon University’s Software Engineering Institute, Capability Maturity Model®

Integration for Development, Version 1.3 (CMMI-Dev V1.3) (Pittsburgh, PA: Nov. 2010).

Page 23 GAO-19-471 Legacy IT

implementing change and life cycle management processes, and

obtaining the support of executive leadership.

Agencies that follow such practices are better positioned to modernize

their legacy systems. Doing so will also allow the agencies to leverage IT

to successfully address their missions.

The 10 most critical federal legacy systems in need of modernization are

becoming increasingly obsolete. Several agencies are using outdated

computer languages, which can be difficult to maintain and increase

costs. Further, several of these legacy systems are also operating with

unsupported hardware and software and known security vulnerabilities.

Most agencies did not have complete plans to modernize these legacy

systems. Due to the criticality and possible cybersecurity risks posed by

operating aging systems, having a plan that includes how and when the

agency plans to modernize is vital. In the absence of such plans, the

agencies increase the likelihood of cost overruns, schedule delays, and

overall project failure. Such outcomes would be particularly detrimental

because of the importance of these systems to agency missions.

Successfully modernizing legacy systems is possible, as demonstrated by

the five highlighted examples. Agencies attributed the success of their

modernization initiatives to a variety of management and technical factors

that were consistent with best practices.

In the LOUO report that we are issuing concurrently with this report, we

are making a total of eight recommendations to eight federal agencies to

identify and document modernization plans for their respective legacy

systems, including milestones, a description of the work necessary, and

details on the disposition of the legacy system.

We requested comments on a draft of this report from OMB and the 24

agencies included in our review. The eight agencies to which we made

recommendations in the LOUO report agreed with our findings and

GAO, Information Technology Investment Management: A Framework for Assessing

and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March 2004).

Conclusions

Recommendations for

Executive Action

Agency Comments

and Our Evaluation

Page 24 GAO-19-471 Legacy IT

recommendations. In addition, OMB and the 16 agencies to which we did

not make recommendations either agreed with our findings, did not agree

or disagree with the findings, or stated that they had no comments.

Further, multiple agencies provided technical comments, which we have

incorporated, as appropriate.

The following eight agencies agreed with our recommendations:

• In written comments from Education, the agency stated that it

concurred with the recommendation and indicated its intent to address

it. Education’s comments are reprinted in appendix IV.

• In written comments from HHS on the LOUO version of this report, the

agency stated that it concurred with the recommendation and intends

to evaluate ways to provide its modernization plan, including

milestones and a description of the work necessary to modernize the

system. HHS also provided technical comments that we incorporated,

as appropriate.

HHS deemed some of the information in its original agency comment

letter pertaining to particular legacy systems to be sensitive, which

must be protected from public disclosure. Therefore, we have omitted

the sensitive information from the version of the agency comment

letter that is reprinted in appendix V of this report.

• In written comments, DHS stated that it concurred with our

recommendation. DHS’s comments are reprinted in appendix VI.

• In comments received via email from Transportation’s Director of

Audit Relations and Program Improvement on May 9, 2019, the

agency stated that it agreed with our recommendation.

• In comments from Treasury’s Supervisory IT Specialist/Performance

and Governance Analyst, received via email on May 17, 2019, the

department stated that it agreed with our recommendation. In

addition, Treasury’s component agency, IRS, provided written

comments which stated that it agreed with the recommendation. The

agency said it intends to develop a multiyear retirement strategy for its

system to address the recommendation.

In its written comments, IRS also stated that our draft report did not

accurately convey that the legacy system replacement project is

intended to only replace core components of its selected legacy

system. The agency said that, even when the entire replacement

project is completed, it will only address a portion of the work required

to retire the legacy system. In response, we modified our discussion

Page 25 GAO-19-471 Legacy IT

of this project in the report. IRS’s comments are reprinted in appendix

VII.

• In written comments from OPM on the LOUO version of this report,

the agency stated that it concurred with the recommendation and

indicated its plans to address the recommendation. OPM also

provided technical comments that we incorporated, as appropriate.

OPM deemed some of the information in its original agency comment

letter pertaining to particular legacy systems to be sensitive, which

must be protected from public disclosure. Therefore, we have omitted

the sensitive information in the version of the agency comment letter

that is reprinted in appendix VIII.

• In written comments, SBA concurred with our recommendation and

stated that it intends to include a description of the work necessary to

modernize the legacy system in the initiative’s project plan. The

agency estimated that it will address the recommendation by July 31,

2019.

SBA deemed some of the information in its original agency comment

letter pertaining to particular legacy systems to be sensitive, which

must be protected from public disclosure. Therefore, we have omitted

the sensitive information from the version of the agency comment

letter that is reprinted in appendix IX.

• In written comments from SSA, the agency stated that it agreed with

our recommendation. The agency added that it is modernizing its

legacy system using agile software methods and a multiyear roadmap

of development activities. The agency further stated that, as it

completes its modernization work, it expects to retire most of the

legacy software associated with System 10. SSA also provided

technical comments that we incorporated, as appropriate. SSA’s

comments are reprinted in appendix X.

In addition, we received responses via email from 14 agencies to which

we did not make recommendations. Of these agencies, three agreed with

our findings and 11 stated that they did not have comments on the report.

Two other agencies—HUD and the U.S. Agency for International

Development—provided written comments in which they expressed

appreciation for the opportunity to review the report, but did not state

whether they agreed or disagreed with our findings. These agencies’

comments are reprinted in appendixes XI and XII, respectively.

Further, in an email from OMB staff on May 22, 2019, the agency did not

state whether it agreed or disagreed with our findings, but provided

technical comments that we incorporated, as appropriate.

Page 26 GAO-19-471 Legacy IT

We are sending copies of this report to the appropriate congressional

committees; the Secretaries of the Departments of Agriculture,

Commerce, Defense, Education, Energy, Health and Human Services,

Homeland Security, Housing and Urban Development, Labor, State, the

Interior, the Treasury, Transportation, and Veterans Affairs; the U.S.

Attorney General (Department of Justice); the Administrators of the

Environmental Protection Agency, General Services Administration,

National Aeronautics and Space Administration, Small Business

Administration, and the U.S. Agency for International Development; the

Commissioner of the Social Security Administration; the Directors of the

National Science Foundation and the Office of Personnel Management;

and the Chairman of the Nuclear Regulatory Commission; and other

interested parties. This report is also available at no charge on the GAO

website at http://www.gao.gov.

Should you or your staffs have any questions on information discussed in

this report, please contact me at (202) 512-4456 or [email protected].

Contact points for our Offices of Congressional Relations and Public

Affairs may be found on the last page of this report. GAO staff who made

major contributions to this report are listed in appendix XIII.

Carol C. Harris

Director

Information Technology Management Issues

Page 27 GAO-19-471 Legacy IT

List of Requesters

The Honorable Elijah E. Cummings

Chairman

The Honorable Jim Jordan

Ranking Member

Committee on Oversight and Reform

House of Representatives

The Honorable Gerald E. Connolly

Chairman

The Honorable Mark Meadows

Ranking Member

Subcommittee on Government Operations

Committee on Oversight and Reform

House of Representatives

The Honorable Will Hurd

House of Representatives

The Honorable Robin L. Kelly

House of Representatives

Appendix I: Objectives, Scope, and

Methodology

Page 28 GAO-19-471 Legacy IT

Our objectives were to (1) identify the most critical federal legacy systems

in need of modernization and evaluate plans for modernizing them, and

(2) identify examples of information technology (IT) legacy system

modernization initiatives in the last 5 years that agencies considered

successful. The scope of our review included the 24 agencies covered by

the Chief Financial Officers Act of 1990.

This report presents a public version of a “limited official use only”

(LOUO) report that we are also issuing today.

The Department of

Homeland Security and the Department of the Interior determined that

certain information in our original report should be protected from public

disclosure. Therefore, we will not release the LOUO report to the general

public because of the sensitive information it contains.

The LOUO report includes eight recommendations that we made to eight

agencies to document modernization plans for particular legacy systems,

including milestones, a description of the work necessary, and details on

the disposition of the legacy system.

In this public version of the report,

we have omitted sensitive information regarding particular legacy

systems. Specifically, we have deleted systems’ names and other

information that would identify the particular system, such as specific

descriptions of the systems’ purposes and vulnerabilities.

Although the information provided in this report is more limited, the report