Title: Which Critical Government IT Systems Are Most In Need of Modernization?

Description: Each year, the federal government spends more than $100 billion on IT systems and cyber-related investments. About 80% of this funding goes to operating and maintaining existing IT, including old systems known as legacy IT. GAO identified several legacy systems that are both critical to federal operations and most in need of modernization. What are these systems? And what's the status of efforts to modernize them? We learn more from GAO's Kevin Walsh.

Related work: GAO-25-107795, Information Technology: Agencies Need to Plan for Modernizing Critical Decades-Old Legacy Systems

Released: July 2025

[ START ]

{Music}

[ Kevin Walsh: ] We've been kicking this can down the road. So at this point, we need to start devoting serious resources to IT modernization across the government.

[ Holly Hobbs: ] Hi, and welcome to GAO's Watchdog Report, your source for fact-based, nonpartisan news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Each year, the federal government spends more than $100 billion on IT systems and cyber-related investments. About 80% of this funding goes to operating and maintaining existing IT, including old systems known as legacy IT, that can cost more to maintain and are more vulnerable to cybersecurity risks. About 6 years ago, GAO identified several legacy systems that are both critical to federal operations and most in need of modernization. What are these systems? And what's the status of efforts to modernize them? We'll learn more from GAO's Kevin Walsh, who has a new report out today on this issue. Thanks for joining us.

[ Kevin Walsh: ] Thank you. It's good to be here.

[ Holly Hobbs: ] Kevin, we looked at IT systems that are critical to the government operations and in dire need of updates. What can you tell us about these systems?

[ Kevin Walsh: ] So this is actually our second look at these systems.
The first time was in 2019. We identified the ten most critical legacy systems in need of modernization. This time around, we identified 11. These are systems that deal with things like tax processing, finance, biometrics, and controlling dams and power plants out West. And I'm being a little squirrely here on not naming the systems just because we don't want to create a target list.

[ Holly Hobbs: ] Can you give us an idea of how old these systems are and why their age matters?

[ Kevin Walsh: ] Sure. I've got great examples from FAA. So, some of the FAA's air traffic control systems were around when JFK was alive. For the top list, the earliest of the top 11 this time, was 20 years old. That's when Facebook was just being written. George W. Bush was president. For the prior list of the 2019 systems, those systems actually also range from about 14 to 50 years old. Of the new 11, eight use legacy programming languages like COBOL or assembly language, which again, it's getting harder and harder to find people able to even code in those languages. Why it matters? As these systems age, we see a number of consequences. It's just like, you know, your cell phone, right? As it gets older, the battery doesn't last as long. It's not quite doing everything you want. Maybe it's not got all the new these bells and whistles. Well, that's true if your cell phone is a few years old. These systems are decades old. So a lot of times they aren't meeting mission needs. They're more expensive to maintain, because a lot of times the staff who know how to maintain them have retired or are no longer working with the government. In some instances, we've even seen the manufacturers of certain things go out of business, so you can't even get spare parts. And they're harder to protect as well. Seven of the 11 had known cyber vulnerabilities, and eight of the 11 can't implement our newest cybersecurity techniques, such as Zero Trust. They are required to do that by 2033.
So that sounds like a long way off. But many of these modernization does take years to complete.

[ Holly Hobbs: ] Modernization is a term that's used a lot when it comes to IT. Does that mean replacing it? Does it mean just updating it?

[ Kevin Walsh: ] So I'm going to go back to the cell phone analogy here. A full rip and replace would just be 'I have a new cell phone.' The problem with that in in these terms is, again, these systems are tens of years old. So, it's not really going from an Apple to an Apple. You're going from an old flip phone to a modern smartphone. So that transition isn't easy. So, yes, you're going to you're going to do the main core functionality. If you're doing tax processing on the old one, you're doing tax processing on the new one. But you're also going to get more capabilities. It's going to be easier for the government employees to do their jobs. Hopefully you get some efficiencies along the way and hopefully better cybersecurity as well.

[ Holly Hobbs: ] But wouldn't older systems that--say don't use the cloud or can't interface with other systems--wouldn't those be harder to hack than newer ones?

[ Kevin Walsh: ] Yes and no. And in one of our earlier, legacy reports, we found that DOD was using floppy disks for a tertiary backup for its nuclear systems. So, yeah, it's going to be hard to hack. But if you're facing a dedicated nation-state actor, who has resources, the older systems doesn't necessarily mean that they are bulletproof, right? They all have vulnerabilities. They're no longer being patched, though. Now, for some of these really old systems that nobody uses anymore, it's not worth a hacker's time to try and train themselves up or figure out how to get into this 1980s-era technology. But if you're facing off against China or Russia, Iran, North Korea, they will absolutely do that.

[ Holly Hobbs: ] So some of these modernization efforts are looking to have one system rather than multiple that do the same thing, right?
But it seems like it would be easier to hack one system rather than several systems.

[ Kevin Walsh: ] So the challenge with hacking is not to get into an individual system. It's to get inside the network. The network has layers of defenses and that's, you know, it's kind of like an old time fortress or castle, right? Once you're in the castle, it's very easy to go from one system to another to another. So there is an ongoing initiative called Zero Trust. The old way was once you were in the castle, nobody checked your ID. You know, once you were in the federal building, you're good. You checked your ID at the door? Fine. Zero Trust is every time you pass anybody in the corridor, your badge is getting checked. So, at every gate along the way, at every door, you need to be verified and validated. That's zero trust. And so that is the newer paradigm in cybersecurity. It hasn't been fully implemented. It's one of the things that we studied in this work. We looked at whether all these systems were capable of implementing zero trust.

[ Holly Hobbs: ] And what's the status of efforts to modernize these systems?

[ Kevin Walsh: ] Of the 2019 list, three of the ten have now been modernized and the other seven are in flight. Of the 11 on the current list, we have three that have complete modernization plans. Kudos to them. We also have two that don't have plans, so we made recommendations to them. And the remaining six have a mix. They have they have some plans. Now, these are all at different stages of the process. So, some are in the process of modernizing. Some are not going to be done for several years. And so they're just getting started. But this list is basically the systems that need to be modernized. So, if they were already done, they wouldn't be on the list.

[ Holly Hobbs: ] So did you just say that some of these systems are currently being modernized without a plan?

[ Kevin Walsh: ] If they're very, very early on, they could still be setting up their milestones or figuring out the exact work that needs to be done, or importantly, how to turn off the old legacy system. Because the last thing we want is a new system and an old system, and now we have to maintain both of them. But to the core of your question, yes, some of these modernization efforts do not have all the rudimentary plans that we'd be hoping for.

[ Holly Hobbs: ] Wouldn't that potentially impact the outcome of what they're trying to do?

[ Kevin Walsh: ] Absolutely. Getting started on the right foot, having some sense of your time frames, a description of the work needed, and, again, that plan to shut off the old system, we think would be key to success.

{Music}

[ Holly Hobbs: ] So, Kevin just told us that despite the age and condition of some of these critical IT systems, the government's efforts to modernize them may still be in the early stages. Kevin, why is it taking so long to modernize these systems?

[ Kevin Walsh: ] Each of these systems is large and critical. This isn't just a flick of the switch. I want to I want to make it clear that this isn't an easy thing. And it also takes a lot of money and a lot of people to do. In terms of why it takes so long. That's just a facet of how these government modernizations work. A lot of times we see funding isn't quite where these agencies would want it. And we see that as a common issue in some of these, a lot of times, expertise as well.

[ Holly Hobbs: ] Given that, what do we think agencies should be doing to their efforts?

[ Kevin Walsh: ] For these 11 systems that we highlighted, we think that, if they don't have the full plan that we identified that they should be working on that plan. They should also be prioritizing and making sure that these critical legacy systems receive the resources--and that could be people or funding--that they need to be successful and get off the ground.

[ Holly Hobbs: ] Since we've been looking at this for a while and agencies are not where they need to be, are we asking Congress to take any action?

[ Kevin Walsh: ] Yes, actually, we have a matter for congressional consideration, which echoes one of our even earlier reports. In 2016, we made another report on legacy systems, which found that, at that time, the systems were getting older and not being modernized fast enough. So, at that time, OMB had some draft guidance on how agencies should manage their legacy systems. But crucially, they never finalized the guidance. And we've been waiting a decade now. And so we've, we've said, okay, now's the time. Let's go to Congress and say, 'hey, for agencies that have these legacy systems that are desperately in need of modernization, agency should establish a modernization plan.'

[ Holly Hobbs: ] And last question, what's the bottom line of this report?

[ Kevin Walsh: ] The bottom line is the government has a lot of old technology. We're not doing enough to modernize and replace it. And some part of me is okay with that. I don't want the government to have the newest, flashiest tech. We don't need to splash out on the most amazing systems. But we've been kicking this can down the road so long that the can no longer resembles a can. It's probably more duct tape and Band-Aids. So at this point, we need to start devoting serious resources to IT modernization across the government.

[ Holly Hobbs: ] That was Kevin Walsh talking about our new report on IT modernization. Thanks for your time, Kevin.

[ Kevin Walsh: ] Glad to be here.

[ Holly Hobbs: ] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify, or wherever you listen. And make sure to leave a rating and review to let others know about the work we're doing. For more from the Congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.

[ END ]