The GAO flagged 10 ‘critical’ legacy IT systems. Years later, most haven’t been modernized

Six years after identifying the 10 most critical federal legacy systems in need of modernization, the Government Accountability Office said Thursday that just three of those projects have made it across the finish line.
In an audit conducted from January 2024 to this month, the GAO found that IT modernization projects at the Small Business Administration, Office of Personnel Management and Department of Defense have been completed since the watchdog issued its 2019 report, which analyzed 65 federal legacy systems before selecting the 10 most critical.
The remaining seven systems range from 23 to 59 years old and cost hundreds of millions of dollars a year to operate. Some of the hardware used in these IT systems — the backbones of essential government services, including health care support and tax processing — is more than two decades old.
“Until agencies fully document modernization plans for critical legacy IT systems, their modernization initiatives will have an increased likelihood of cost overruns, schedule delays, and overall project failure,” the GAO wrote. “Project failure would be particularly detrimental not only because of wasted resources, but also because it would prolong the lifespan of increasingly vulnerable and obsolete systems.”
The GAO’s report, which didn’t name the specific systems “due to sensitivity concerns,” found that most of the legacy IT examined in its audit “used outdated languages, had unsupported hardware and software, and operated with known cybersecurity vulnerabilities.”
Eight systems used legacy programming languages. Selected Treasury Department systems, for example, use Common Business Oriented Language, or COBOL, and Assembly Language Code — “programming languages that have a dwindling number of people available with the skills needed to support them,” the GAO noted.
Other systems reported “known cybersecurity vulnerabilities that cannot be remediated without modernization,” underscoring the urgency with which these agencies need to move. “This can lead to increased risks of loss of data and compromised systems,” the watchdog noted.
Most of the agencies with outstanding modernization projects told the GAO that they’d be finished with their work within the next few years, with the departments of Education (September 2025) and Transportation (2026) up first. The Department of Health and Human Services, meanwhile, set a completion date for a decade from now, while the Department of Homeland Security hasn’t yet established a timeline.
And though most of the agencies provided GAO with an estimated completion date, many of them have only partially documented their plans to do so, with some missing key milestones and others lacking details on necessary work and how they aim to approach disposition of the legacy system in question.
Until those plans are fully fleshed out, agencies’ legacy systems are increasingly exposed “to security threats and potentially significant performance issues,” the watchdog wrote.
The GAO partially lays the blame for poor modernization planning at the feet of the Office of Management and Budget, which the watchdog said has ignored its 2016 recommendation to direct agencies in these efforts.
At this point, GAO concluded, “it is appropriate to ask Congress to take such action. Doing so can reduce agencies’ growing reliance on outdated, insufficient, and vulnerable legacy systems to carry out their missions.”