Congress is still shortchanging agency IT modernization

The Government Accountability Office has released its annual report to Congress on the federal government’s Technology Modernization Fund, established by law six years ago. While much of the audit focused on the identifiable dollar savings from projects that received awards from the TMF, a more careful look shows that Congress has continually failed to provide adequate, consistent funding for meaningful technology modernization.

Year after year, various analyses outline the need to modernize legacy systems, yet the problem remains. That’s because modernization of federal IT must be a long-term, continuous process, as government systems require regular and repeated modernization to meet new threats and incorporate new technologies.

TMF impact diminished without proper funding

When Congress established the TMF in 2017, it was hoped that action signaled the beginning of a long-term financial commitment to help federal agencies transition “from antiquated legacy IT systems to modern IT platforms” by providing upfront funding for modernization investments.

Unfortunately, in the years since, Congress has woefully underfunded the program. The one exception was the American Rescue Plan Act of 2021, which included a $1 billion infusion into the TMF that could be allocated beyond that year. In every other year, it has been difficult to get the House and Senate to agree to invest even a small fraction of that amount in the TMF.

For context, a May 2023 GAO report noted, “Each year, the U.S. government spends over $100 billion on information technology. Most of that will be used to operate and maintain existing systems, including aging – or ‘legacy’ – systems.” But in the TMF’s six years of existence, it has received only $1.23 billion in appropriations – from which the Technology Modernization Fund Board has awarded just $636 million, spread across 37 projects. As the White House recently pointed out, “To date, the TMF Board has received more than 200 proposals from agencies totaling over $3.7 billion in requested funds, far exceeding the amount of resources available.”

2024 outlook doesn’t show promise

In 2024, we may hit a new low for the TMF. After Congress only approved $50 million last year, the President’s proposed FY 2024 budget called for $200 million for the TMF. But the House, in its appropriations bill, has proposed nothing – no new money at all in FY 2024 for the fund. The Senate even went a (backward) step further by not only zeroing out the program in FY 2024, but also proposing to rescind $290 million that hasn’t been spent yet out of the multi-year appropriation Congress approved in 2021.

Appropriators in both chambers, noting that there is still nearly $300 million in money left unspent from the $1 billion approved in 2021, are demanding more information from the General Services Administration and the board that makes TMF award decisions about how agencies are repaying their grants. The Senate committee is also pushing for full reimbursement over time from funded agencies, a requirement the Biden Administration relaxed in 2021.

To provide no new funding and rescind previously appropriated money would inhibit the government’s ability to make necessary investments. According to the Alliance for Digital Innovation and other forward-looking organizations, such actions could actually “cost taxpayers due to the high costs of maintaining legacy systems while allowing for additional cyber vulnerability due to antiquated software.”

What about true cost avoidance?

When Congress funds a modernization project, the true return-on-investment is in the added security and mission effectiveness provided by these technological advancements. While there are stipulations about pay-back periods, the push for full repayment is unrealistic as it doesn’t consider the true savings of “cost avoidance.” Here’s why.

The latest annual GAO report on the TMF notes, “[The Office of Management and Budget] defines cost avoidance as an action taken in the immediate time frame that will decrease costs in the future.” But what about savings from preventing unforeseen future breaches? We can unfortunately expect potentially massive public and private sector financial losses from future attacks against critical networks and systems – only they can’t be quantified until they happen. Think back to the 2021 Colonial Pipeline attack and its downstream impacts. A breach of key federal systems and networks, with possibly a significant loss of data, could have similar fiscal and overall economic repercussions.

I think of technology modernization as comparable to the United States’ philosophy since World War II: Maintain a strong military capability to deter aggression against the U.S., even if we never use our full capabilities. We prevent attacks by maintaining a solid defense against them. That’s the real ROI.

How to break the underfunded cycle

While Congress has a legitimate oversight responsibility, it also has a responsibility to consistently appropriate money for the TMF for agencies to replace outdated and often unsafe legacy IT. Cutting funding for technology modernization is short-sighted and would cost the government in the long run, especially if bad actors exploit vulnerable federal legacy IT.

In the final FY 2024 appropriations bill that must still be negotiated, Congress should back away from the proposed reduction in already appropriated funding and also provide the TMF with the administration’s requested level of appropriations for its vital mission.

Moreover, addressing the problems of legacy IT requires a continued commitment by Congress in the future, not this annual ritual of providing what is, in comparison to the potential damage of a breach, a relatively minuscule amount of funding.

John Wood is CEO and chairman of the board at Telos.

Copyright © 2024 Federal News Network. All rights reserved.
