GAO: Some agencies with decades-old IT systems still have no plans for upgrades

Three agencies still don't have plans to update critical legacy systems, even though they self-reported security risks to be high in several cases.

A Government Accountability Office checkup of legacy IT systems found that in some cases, agencies don’t have modernization plans for aging technology that performs critical functions.

The departments of Education, Transportation and Health and Human Services were among the agencies with the most glaring examples. The GAO found that none of the three has yet drawn up plans to upgrade specific IT systems that have been around for decades and rely on outdated hardware and software. Other departments didn’t fare much better — in many cases, they met only some of GAO’s “key elements” for documenting their modernization plans.

The GAO targeted its survey at specific systems — “the 10 most critical at 10 agencies” — but didn’t name them in the public version of the report. The agencies themselves were responsible for reporting each system’s “criticality” and “security risk” — and many were listed as “moderately high” or “high.”

The other seven agencies included in the report were the departments of Defense, the Interior, Treasury and Homeland Security; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration. The bipartisan leadership of the House Oversight and Reform Committee requested the report, GAO said.


The report serves as a reminder that the government still has critical IT systems running on aging hardware and outdated coding languages, even as modernization efforts are under way elsewhere. A dwindling number of people know how to make the older hardware and software work, and there are broad potential repercussions for security and efficiency. The Education Department, the GAO said, uses a 46-year-old system with the outdated COBOL coding language. Legacy IT at DHS caused 168 high or critical cybersecurity vulnerabilities as of September 2018, the report said.

The DOD and Interior Department fared best on GAO’s scorecard, with plans that include specific milestones, a description of the work necessary to complete the modernization and a plan for the disposition of the legacy system.

“Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure,” the GAO said.

Eight of the agencies agreed with GAO’s findings and recommendations, with seven describing plans to address the recommendations made in a sensitive report.
