The Department of Homeland Security (DHS) seems kind of new at a mere 20 years of age. But it has a lot of really old information technology, politely called,...
The Department of Homeland Security seems kind of new at a mere 20 years of age. But it has a lot of really old information technology, politely called, “legacy systems.” The Government Accountability Office gave DHS a list of recommendations for modernizing. But, as you might have guessed, there’s still a lot of work to do. For more, Federal Drive with Tom Temin spoke with Kevin Walsh, GAO’s Director of Information Technology and Cybersecurity.
Tom Temin Now, of course, DHS is new as a department, but it is a conglomeration of agencies that were mostly preexisting. So they do have this legacy. Let’s define the term here, legacy system. How well does something have to be to be legacy or is it a matter of functionality and cyber security more than physical age?
Kevin Walsh So fantastic question. There’s a lot of debate or discussion of what exactly should constitute a legacy system. Some people would say it’s anything older than X amount of years. Other agencies define it as when you stop trying to improve it. But I think probably the best definition comes from our federal CIO, who has said that legacy systems are those that are outdated or obsolete. So they may have heightened security risks or aren’t meeting mission needs. Basically, their time has come. They’re no longer doing the job, but we’re still having a limp along trying to do the job that they once did.
Join us Mar. 26 and 27 at 1 p.m. EST for Federal News Network's DoD Cloud Exchange where we'll be hosting leaders from across Defense along with industry tech experts to get in the weeds on the latest policy initiatives, real-world implementations and latest technology developments. | Register today!
Tom Temin So they’re like a car with a carburetor. It still runs, but you can’t get parts for the carburetor anymore.
Kevin Walsh Right. And some of this is because the government has different fiscal motivations and different capabilities than what you might see in the private sector. In the private sector, the dollar is king. And if that new system or if that modernization or improvement is going to bring in more money, then yeah, let’s do it. But in the federal government, where we are trying to be responsible stewards of taxpayer dollars and frankly, our current budget situation is somewhat challenging at times. That’s not always the case. So we wind up with these systems that are limping along, doing part of the job that they were intended to do. And we’re having to use manual workarounds to get the rest of the job done.
Tom Temin And you also found that DHS is well aware of what they are. There’s a chart here, system 4, system L and system M, although so designated because of cybersecurity issues, you don’t want to say what it is they actually do?
Kevin Walsh Spot on. So those are systems, we went through a list and flagged 63 across the government, in part thanks to agency’s own identification. And then we flagged the top ten in no particular order. So there’s no significance to DHS having system 4, but those are what we thought at the time. The most critical legacy systems in the government in need of modernization.
Tom Temin All right. And the recommendations that you issued to GAO a couple of years ago, just briefly review what those were and which ones have they embarked on, and then we’ll get into which ones you feel they still need to get on the stick for.
Kevin Walsh Sure. So we made some overarching recommendations to OMB. We wanted OMB to require all agencies to identify where their legacy systems are, flag which ones may have performance issues and plan to make modernization. So there’s that big picture kind of recommendation. And then in addition to that, we made some specific recommendations to DHS in that report. Most importantly was to make sure that their modernization plan for a system 4, the one we looked at in depth was complete. They have since closed that recommendation. Kudos to them. But in the most recent testimony and discussion, we also highlighted three additional systems that DHS has really been trying to modernize in some cases for the past few decades. For example, they’ve been trying to modernize their financial systems. They’re on their third attempt in the past 15 years. Similarly, they are working on their grants, management, modernization at FEMA. And the final and third system that we highlighted was DHS’s Homeland Advanced Recognition Technology system, shortened to HART, which handles biometrics and fingerprinting. And in each of those three cases, they have issues. For example, their financial systems modernization, I mentioned that this is their third swing at that. That one recently breached schedule and performance goals and so that’s a problem. DHS HART, they have problems with their management of risks, mitigation and monitoring and their grants modernization initiative recently breached their cost. They have a new estimate that’s almost two and a half times the original. So in total to those three additional systems, we made 19 recommendations. DHS has closed 11 of them. So again, kudos to them, but there’s still a lot of work remaining here.
Tom Temin We were speaking with Kevin Walsh. He’s director of information technology and cybersecurity at the Government Accountability Office. Now, you mentioned the FEMA grants program, that was the subject of the hearing, and they’re aware of that. The financial systems, is that a DHS-wide program that covers all of the components, or is it specific to one of the agencies like FEMA grants?
Kevin Walsh So their initial attempt, this is the one where they’re on their third attempt. One of the earlier attempts did try that DHS-wide, “hey, let’s get everybody on the same financial system,” that didn’t work. Instead, now they are trying to have individual components move and modernize their financial systems. At some point in the future, perhaps they will move to that singular, overarching financial plan. But for right now, they are working on the financial systems at Coast Guard, FEMA and ICE. And apologies for all these acronyms. In June of 2022, the Coast Guard declared initial operating capability. Right. And they still haven’t declared final operating capability. So despite almost declaring success a year ago now, they still haven’t been able to, land the plane and finish the system.
Tom Temin Or launch the cutter, let’s say, and get out of harbor. Let’s put it that way –
Kevin Walsh Using the sailing metaphor. Yep.
Tom Temin Okay. I guess with all of those financial systems component by component, I kind of smell a future platform for application programing interfaces coming up.
Kevin Walsh One would hope that they’re incorporating those kinds of plans and lessons learned right now.
Tom Temin And on the biometrics, that’s another type of functionality that crosses a number of DHS components, for, say, fingerprinting or imaging. People coming across the border to the TSAs well known systems. When it comes to the HART system, the biometrics that cuts across numerous agencies. And so is that also a cross-cutting department wide functionality or is that also component specific?
Kevin Walsh So, yeah, DHS HART is a DHS initiative. As you correctly note, it involves a lot of law enforcement. The problem is their current system. IDENT originally was operational in 1994. So this is pre-DHS’s formation. However, the problems with that system are that it cannot handle well multiple biometrics. So it can’t have, fingerprints and facial scans at the same time. It also has issues with performance, cost, security requirements. So not all that surprising in a system that’s built in 1994, but most recently in 2020, they had a cost and schedule breach due to what they called an overly complex, high risk design. So this is one of those instances where they’re trying to build this massive, massive system and it’s just very, very complex and hard to do when you’re talking about all these different players and meeting all of the needs. So yeah, DHS-wide on that one.
Tom Temin I guess they could test it on people who are coming through Ash Wednesday and you could get facial recognition and a thumbprint at the same time, but maybe that would really confuse it.
Kevin Walsh Maybe, yeah.
Tom Temin DHS agrees with the remainder of the eight recommendations that are still open, fair to say?
Kevin Walsh Yeah, and to their credit, DHS is addressing our recommendations at a better clip than average in the government. So these recommendations are also related to our high risk area on I.T acquisitions and operations. So GAO has its high risk list and I.T acquisitions and operations have been on there since I believe 2015 and that includes recommendations to many agents. So again, DHS is doing a good job here and they’re working diligently. But this legacy and I.T. modernization issue, Tom, is not something that is going to go away soon or quickly, and it’s going to require years and years of work.
Tom Temin And just by point of comparison, even though DHS does have a good load of legacy, they are not alone. And some of their legacy doesn’t begin to compare with the age and obsolescence of legacy systems and some of the other agencies.
Kevin Walsh That is correct. And I would also add that the full scope of this legacy issue is not yet known. The recommendation I mentioned earlier to OMB about making sure that agencies know where their legacy systems are, so identify them and then prioritize what they want to replace and then actually start doing the work. That first step, identify where the legacy systems are, the implication there is that agencies need to figure out what they have before they can start prioritizing what needs to be done. And so, yeah, you are spot on. There’s a lot of really, really old systems out there. I mentioned IDENT was built in 94. That’s a spring chicken compared to some of the systems at other agencies.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.