This post first appeared on GAO Reports. Read the original article.
What GAO Found
GAO reported in June 2019 that, of the 65 critical legacy IT systems identified by federal agencies as needing modernization, the Department of Homeland Security (DHS) had three such systems (see table). Further, GAO identified DHS’s System 4 as one of the 10 most critical legacy systems across the federal government in need of modernization.
Table: Critical Legacy Systems in Need of Modernization According to DHS, as of June 2019
System namea
Age of system, in years
Age of oldest hardware, in years
System criticality (according to DHS)
Security risk (according to DHS)
System 4
8-11
11
High
High
System L
9
2
High
Moderately low
System M
6
1
High
Low
Source: GAO analysis of Department of Homeland Security (DHS) data. | GAO-23-106853
aDue to sensitivity concerns, GAO substituted alphanumeric identifiers for the names of the agencies’ systems. GAO assigned a number to identify each of the 10 most critical legacy systems in need of modernization and assigned a letter to identify the remaining 55 systems. The identifiers in the table reflect how DHS’s system names appeared in the 2019 report (GAO-19-471).
In evaluating agencies’ modernization plans for the 10 most critical legacy systems, GAO determined that DHS lacked a complete plan for modernizing System 4. Specifically, DHS’s plan did not include milestones to complete the modernization and did not describe the planned disposition of the existing legacy system. In February 2022, DHS provided an updated modernization plan that included milestones for replacing the system and removing legacy hardware, which addressed our recommendation. By documenting its plan in sufficient detail, DHS increased the likelihood that the modernization will succeed.
GAO has also previously reported on DHS’s efforts to modernize and replace other legacy systems that support financial management, biometric identity management, and grants management. Specifically,
In February 2023, GAO noted that, after attempting to modernize its financial management systems for decades, DHS implemented a governance structure to oversee component-level financial systems modernizations. However, the Coast Guard was unable to declare full operational capability as expected because it had not remediated issues from operational testing.
In June 2021, GAO reported that DHS’s Homeland Advanced Recognition Technology program (intended to replace an outdated system for biometric identity management) was significantly behind schedule and had exceeded its estimated costs. GAO also found that DHS had not fully addressed key risk management and IT acquisition practices.
In April 2019, GAO reported that the Federal Emergency Management Agency’s Grants Management Modernization program (intended to replace 10 legacy systems) had not fully addressed leading practices for business process reengineering, requirements, and cybersecurity risk management. The program also did not meet leading practices for a reliable schedule.
DHS has now implemented 11 of the 19 recommendations GAO made in these reports. Implementing the remaining eight will help the department ensure these critical legacy systems are successfully replaced.
Why GAO Did This Study
Each year, the federal government spends more than $100 billion on IT and cyber-related investments. Of this amount, agencies have typically reported spending about 80 percent on operations and maintenance of existing IT, including legacy systems. DHS’s expected IT spending for fiscal year 2023 is about $10.1 billion; operations and maintenance is expected to consume about $8.8 billion of that total.
Maintaining legacy systems (i.e., systems that are outdated or obsolete) can pose significant challenges. GAO reported in 2016 that agencies had system components that were at least 50 years old and vendors that were no longer providing support for hardware or software. In 2019, GAO reported that several critical federal legacy systems used outdated languages, had unsupported hardware and software, and were operating with known security vulnerabilities.
GAO was asked to testify on its past legacy system reports and DHS’s efforts to modernize. Specifically, GAO summarized (1) DHS’s critical legacy IT systems and plan for modernizing and (2) progress and challenges with selected DHS IT modernizations. This statement is based on issued GAO reports and updated information on the department’s implementation of GAO’s recommendations.