Some Energy Department facilities have made progress in identifying outdated IT and in making plans to replace it, but the department is not doing that comprehensively, an IG report has said.
Problems with outdated IT, much of which is no longer supported by its makers, are common across agencies, and as a result new laws and OMB guidance in recent years have sought to address the costs of maintaining it and the risks of keeping it running.
The IG said that two sites it reviewed “had taken actions to identify and reduce legacy systems and components” but that its work overall “did not reveal any requirements within the department to identify and eliminate legacy IT.” Not having a documented definition of what is obsolete “may result in the sites not always including systems incapable of meeting the organizational requirements or those using outdated program languages,” it said.
The auditors said they were unable to identify the exact amount of legacy IT at each of the four sites visited because three of them did not track legacy status in their inventory systems. “We did find that each of the locations had identified various legacy IT and developed projects to modernize several of those items. However, these projects did not culminate into an overarching plan to reduce or eliminate legacy IT department-wide,” the report said.
Said the IG, “If the department continues to operate legacy IT systems and system components, there is an increased level of operational risk, including maintenance costs, and may lead to an inability to meet mission requirements. In addition, there is an increased level of security risks, including the inability to use current cybersecurity best practices, such as data encryption and multi-factor authentication, making these systems particularly vulnerable to malicious cyber activity.”