Some agencies are still lagging in modernizing their legacy systems, which are expensive to operate and maintain and are susceptible to cybersecurity vulnerabilities, according to a Government Accountability Office report released Wednesday.
In 2019, GAO analyzed 65 federal legacy systems and identified the 10 most critical systems at 10 agencies. As of May 2023, while most agencies have made “significant progress,” two agencies—the Transportation Department and the Office of Personnel Management—have not fully implemented prior recommendations. According to the watchdog, the 10 legacy systems ranged from eight to 51 years old and cost approximately $337 million per year to operate and maintain.
GAO noted that its 2019 report found eight of the 10 agencies either did not have documented modernization plans or had incomplete plans—meaning they were missing milestones to complete modernization; had no description of necessary work to modernize the legacy system; and/or lacked details about the disposition of the legacy system.
Of those eight agencies, six have since implemented GAO’s previous recommendations to identify and document their modernization plans, but two agencies have not, as of May 2023. Specifically, the Transportation Department and Office of Personnel Management have not created complete modernization plans, which are important to address mission needs, tackle security risks and reduce operating costs.
When the initial recommendation was made in June 2019, Transportation did not have a documented modernization plan. The agency told GAO in April 2022 that it anticipated going live with its modernized system in fall of that year, but as of May 2023, GAO has yet to receive documentation for this modernization effort. Meanwhile, in 2019 OPM had a partial modernization plan, which did not completely include milestones or necessary work and did not include disposition of its legacy system. However, GAO noted that it still has not received evidence that OPM has created a complete modernization plan for its legacy system.
“Until the remaining agencies establish complete plans that include milestones, describe the work necessary to modernize the system and detail the disposition of the legacy system, the agencies’ efforts will have an increased likelihood of cost overruns, schedule delays and overall project failure,” the report said.
GAO added that, based on its 2016 recommendations, the Office of Management and Budget also needs to finalize its guidance to help agencies identify which systems need to be modernized and to address this issue governmentwide.
The report noted that modernizing legacy systems is important because vendors were no longer providing support for some old systems or components. Specifically, the prior June 2019 report found that “several of the federal government’s most critical legacy systems used outdated languages, had unsupported hardware and software, and were operating with known security vulnerabilities.”
GAO stated that Transportation, OPM and OMB previously agreed to its recommendations, but have not implemented them despite this agreement. GAO urged the agencies to follow through on the agreed actions.