The Government Accountability Office’s third report on legacy technology didn’t just highlight the lack of progress on 10 of the most critical systems across government since 2016. The report also shows Congress’ continued failure to recognize how urgently agencies need funding and leadership to deal with these systems and billions of dollars in technical debt.
“There is an unmet need for Congress to get this, particularly the authorizers and the appropriators,” said Tony Scott, the former federal CIO during the Obama administration. “They do not have a full appreciation of the size and the nature of the problem. They really need to make this a priority.”
This lack of prioritization comes through loud and clear in the House Appropriations Committee’s fiscal 2020 Financial Services and General Government bill that allocates $35 million to the Technology Modernization Fund, which is well off the Trump administration’s $150 million request, and only $15 million for the IT Reform and Oversight Fund, which is down from $28.5 million in 2019 and $3 million less than the Trump administration requested.
Scott, who is now CEO of the Tony Scott Group, said that while there are a handful of members who do get the need to modernize technology, such as Reps. Gerry Connolly (D-Va.), Will Hurd (R-Texas) and Robin Kelly (D-Ill.), the TMF funding for 2020 shows that most lack the understanding of the role they need to play.
“There is a lack of urgency. The question about how agencies are spending money and how do you know it is working are not hard questions to answer and ones that need to be answered,” Scott said. “But Congress can’t sit on their hands because then nothing will happen. Too many folks in Congress are sitting on their hands and not recognizing the severity of the issue.”
Connolly and the rest of the Oversight and Reform Subcommittee on Government Operations will get their chance to show how much they care on June 26 when they release the latest Federal IT Acquisition Reform Act (FITARA) scorecard and hold a hearing on agency progress.
It’s unclear which agency will testify, but Connolly is working through agencies that have struggled and started to make real progress over the last year.
And it’s those struggles and that lack of progress that GAO, once again, highlighted in its legacy IT report.
Carol Harris, a director in GAO’s Information Technology and Cybersecurity team, said GAO asked the 24 CFO Act agencies to update the 2017 and 2016 list of 65 legacy IT systems to see the status of those systems.
Harris said GAO identified and assigned point values to certain attributes such as age of the system, the operating and labor costs, security risks and vendor warranty and support status to come up with the list of 10 systems based on those with the highest point values.
“From last year to this year, things remained the same, generally,” Harris said in an interview with Federal News Network. “We did take a look at the investments more holistically. We weren’t just focused on what are the most costly legacy systems to maintain or the ones that are at the highest risks. There is a good mix in the top 10. There were some that didn’t necessarily have the highest security risks, but did have some very old hardware or software that either the manufacturers weren’t able to maintain or the agency had a major challenge in identifying technical staff that were able to support COBOL and other aging programming languages.”
The top 10 range from 8 to 51 years old and cost about $337 million annually to maintain.
Harris said agencies will continue to face a rise in procurement and operating costs, meaning the technical debt is going up faster than the average system.
The Social Security Administration, for instance, is struggling with a 45-year-old system that GAO deemed critical to its mission and has a moderate security risk.
Harris said for SSA to maintain this system, which provides benefits to eligible people and collects detailed information from the recipients, the agency must pay a premium to get contractors to maintain the system.
Other systems like those at FEMA and the Interior Department have significant cyber vulnerabilities. For example, FEMA found about 249 reported cyber vulnerabilities, of which 168 were considered high or critical risks to the network.
“What really surprised me about the top 10, a majority of the agencies lack complete plans for modernizing their systems. Of the 10, there were three that didn’t have plans in place: the departments of Education, Health and Human Services, and Transportation,” she said. “The other seven had modernization plans, but only DoD and Interior’s were considered complete.”
Cultural and internal dynamics need to be addressed
The fact that 8 of 10 agencies didn’t have completed modernization plans in place, nearly two years after GAO’s first report and three years after the data breach at the Office of Personnel Management, is sad and shows how deep the problem goes.
Scott said GAO’s findings show that to make this type of major change agencies need to address culture and internal dynamics, which takes a lot of attention from auditors and Congress alike.
“The first thing is to create an awareness of the problem. Every CIO role I’ve ever had, had some element of legacy IT where the company had a set of systems that haven’t been looked at for some time, and now are critical for us to address and change,” said Scott, who also was CIO for General Motors and Disney. “The first thing a CIO needed to do was make sure there was great visibility of the opportunity as well as the risk and challenge that legacy systems present. The second step, now that you have visibility, is what do you want to do about it? So you must figure out who will do the work and what the new strategy will be to move off those legacy systems. It seems obvious, but it takes leadership to do that. It’s the proper role of OMB and CIOs in each agency who need to take this one on as a leadership issue. Without these things, getting out of this technical debt will not happen any time soon.”
OMB guidance needed
Harris said the lack of direction from OMB also continues to hamper this effort. She said GAO recommended last year that the administration issue guidance to require agencies to identify legacy systems that need to be modernized.
“We found that, in part, the reason why agencies weren’t doing so is because they weren’t being required to modernize systems by OMB,” she said. “Until OMB requires agencies to modernize all legacy systems, the government will continue to run into the risk of having to maintain these aging investments that have outlived their effectiveness. From the agency standpoint, some of the things that they told us is their modernization planning for the top 10 have been delayed due to budget restraints. While we can appreciate that they are operating in a resource-constrained environment, we also maintain that it will be vitally important for them to prioritize funding for the modernization of these very critical systems.”
Harris said GAO made eight recommendations to eight agencies to make sure they document their modernization plans, and seven described plans to address those recommendations.
“For the top 10, I think the agencies do recognize the criticality and risk they are facing in maintaining these legacy systems. I think the challenges they are running into is that some believe they have budget constraints and have continually pushed off modernization plans. We continue to maintain they will have to prioritize funding to modernize these very critical legacy systems.”