GAO has identified the 10 IT systems in government most in need of modernization—finding two systems more than 50 years old, two others more than 40 years old and two others more than 30 years old—saying that “legacy systems can be more costly to maintain, more exposed to cybersecurity risks, and less effective in meeting their intended purpose.”
GAO selected the 10 from 65 legacy systems in need of modernization that 24 agencies had identified, based on attributes such as age, criticality and risk. Citing security concerns, the report did not identify the systems specifically, although it noted that those agencies deemed nine of them highly critical and three at high security risk. “Several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities,” it said.
It said that one identified system at Education runs on COBOL, “a programming language that has a dwindling number of people available with the skills needed to support it”; one at Interior “contains obsolete hardware that is not supported by the manufacturers”; and one at DHS has “a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018.”
Further, HHS, Transportation and Education lacked documented modernization plans, and of the other seven, only two included the key elements identified in best practices, such as milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system.