Information Technology: Agencies Need to Plan for Modernizing Critical Decades-Old Legacy Systems
Fast Facts
The government spends over $100 billion on IT each year. Most of that is used to operate and maintain existing systems, including aging "legacy" systems that are costly to maintain and vulnerable to hackers.
We identified 11 of the most critical federal legacy systems at agencies like Health and Human Services and Treasury. Three agencies had documented modernization plans for their systems that included all key practices for success. But agencies responsible for the 8 remaining systems didn’t fully document their plans.
We recommended that Congress consider requiring major agencies to make modernization plans for their critical legacy systems.
Highlights
What GAO Found
As determined by GAO's review of 69 federal legacy IT systems, the 11 legacy systems most in need of modernization are maintained by 10 federal agencies. These agencies' missions are essential to government operations such as health care, critical infrastructure, tax processing, and national security, and these legacy systems provide vital support to the agencies' missions.
GAO identified 11 legacy IT systems as most in need of modernization (see table 1). Eight of the 11 systems use outdated languages, four have unsupported hardware or software, and seven are operating with known cybersecurity vulnerabilities. For example, both of the Department of the Treasury's selected systems run on Common Business Oriented Language (COBOL) and Assembly Language Code—programming languages that have a dwindling number of people available with the skills needed to support them. In addition, the Environmental Protection Agency's system contains obsolete hardware that is not supported by manufacturers and has known cybersecurity vulnerabilities that cannot be remediated without modernization.
Table 1: The 11 Most Critical Federal Legacy IT Systems in Need of Modernization
Agency | System name [a] | Age of system | Hardware/software/operating system(s) supported | Legacy programming language(s) used |
---|---|---|---|---|
Department of Agriculture | System 1 | 41 | Yes | Yes |
Department of Commerce | System 2 [b] | 30 | Unknown [c] | No |
Department of Defense | System 3 [b] | 60 | Yes | Yes |
Department of Energy | System 4 | 25 | Yes | Yes |
Department of Health and Human Services | System 5 [b] | 55 | Yes | Yes |
Department of Homeland Security | System 6 | 30 | No | No |
Department of the Interior | System 7 [b] | 23 | No | Yes |
Department of Transportation | System 8 | 31 | No | Yes |
Department of the Treasury | System 9 | 59 | Yes | Yes |
Department of the Treasury | System 10 | 51 | Yes | Yes |
Environmental Protection Agency | System 11 | 51 | No | No |
Legend: green shade = favorable characteristic, red shade = unfavorable characteristic, and grey shade = unknown characteristic.
Source: GAO analysis of agency data. | GAO-25-107795
[a] Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.
[b] This system was previously identified in GAO's 2019 review as one of the federal government's legacy systems in need of modernization (see GAO-19-471 and concurrent limited official use only report GAO-19-351SU).
[c] Commerce officials stated that the Census Bureau, National Institute of Standards and Technology, and National Oceanic and Atmospheric Administration manage their own hardware for System 2, and that hardware information was unknown for the Census Bureau.
As shown in table 2, agencies had developed modernization plans for nine of the 11 systems. Of the nine systems with plans, three included all three elements of a plan (at Homeland Security, the Interior, and the Environmental Protection Agency), and six did not include all elements of a plan (at Agriculture, Commerce, Health and Human Services, Transportation, and the Treasury). The two systems without plans belonged to Defense and Energy.
Table 2: Extent to Which Agencies' Legacy IT Systems Documented Modernization Plans Included Key Elements
Agency | System name [a] | Includes milestones to complete the modernization | Describes the work necessary to modernize the system | Summarizes planned disposition of legacy system |
---|---|---|---|---|
Department of Agriculture | System 1 | Yes – planned completion 2031 | No | Partial |
Department of Commerce | System 2 | Partial | Partial | Partial |
Department of Defense | System 3 | No modernization plan | | |
Department of Energy | System 4 | No modernization plan | | |
Department of Health and Human Services | System 5 | Partial | Partial | Partial |
Department of Homeland Security | System 6 | Yes – planned completion September 2026 | Yes | Yes |
Department of the Interior | System 7 | Yes – planned completion August 2027 | Yes | Yes |
Department of Transportation | System 8 | Yes – planned completion 2030 | No | Partial |
Department of the Treasury | System 9 | Partial | Partial | No |
Department of the Treasury | System 10 | Partial | Yes | Partial |
Environmental Protection Agency | System 11 | Yes – planned completion December 2028 | Yes | Yes |
Source: GAO analysis of agency modernization plans. | GAO-25-107795
Note: Agencies received a “partial” if the element was completed for a portion of the modernization.
[a] Due to sensitivity concerns, GAO substituted a numeric identifier for the system names.
The incomplete modernization plans are especially concerning for seven of the systems because they reportedly have modernizations already underway. These seven systems belonged to six agencies: Agriculture, Commerce, Defense, Health and Human Services, Transportation, and the Treasury.
Until agencies fully document modernization plans for critical legacy IT systems, their modernization initiatives will have an increased likelihood of cost overruns, schedule delays, and overall project failure. Project failure would be particularly detrimental not only because of wasted resources, but also because it would prolong the lifespan of increasingly vulnerable and obsolete systems. This could expose agencies and system clients to security threats and potentially significant performance issues. Further, there are likely more legacy systems needing attention beyond what is highlighted in this report.
GAO recommended nearly a decade ago, and has since made it a priority recommendation, that OMB direct agencies to identify legacy systems and/or investments needing to be modernized. OMB has not yet taken action. Given OMB's lack of action, Congress requiring federal agencies to develop modernization plans for critical legacy systems can expedite agencies' efforts.
Why GAO Did This Study
Each year, the federal government spends more than $100 billion on IT and cyber-related investments. Of this amount, agencies have typically reported spending about 80 percent on operations and maintenance of existing IT. This includes maintaining legacy systems that can pose significant challenges, such as increased costs and cybersecurity vulnerabilities.
In June 2019, GAO identified 10 critical federal legacy IT systems that were most in need of modernization. As of February 2025, agencies have completed three of the 10 modernizations. Of the seven remaining modernizations, agencies planned to complete four in the next few years, two in 5 or more years, and one does not yet have a planned completion date established.
GAO was asked to conduct an updated review of federal agencies' current legacy systems. GAO's specific objective for this report was to identify the federal legacy systems most in need of modernization and evaluate plans for modernizing them.
To do so, GAO asked the 24 Chief Financial Officers Act agencies to provide their three legacy IT systems most in need of modernization and obtained a total of 69 systems. GAO scored these systems based on 16 system attributes and associated point values, such as age, vendor support, use of legacy programming languages, degree of cybersecurity risk, and operating costs. GAO ranked the systems based on their scores and selected those with the highest scores.
For the resulting 11 systems, GAO compared the agencies' modernization plans against leading practices. According to government and industry best practices, agencies' documented plans for system modernization should include, at a minimum, (1) milestones, (2) a description of the work, and (3) details regarding disposition of the legacy system. GAO then analyzed agencies' documented modernization plans for the selected systems to determine whether the plans included these elements.
This is a public version of a sensitive report that is being issued concurrently. Sensitive information, such as system names and identifiers, has been omitted.
Recommendations
GAO is making one matter for congressional consideration: Congress should consider requiring major federal agencies to develop modernization plans for their legacy systems that have been identified as most in need of modernization.
In the sensitive report, GAO is also making a total of eight recommendations to seven agencies to ensure that they fully document modernization plans for the selected legacy systems.
Three agencies agreed with GAO's recommendations and three agencies neither agreed nor disagreed. In addition, one agency disagreed with its recommendation and GAO revised it to reflect updated information.
Matter for Congressional Consideration
Matter | Status | Comments |
---|---|---|
Congress should consider requiring major federal agencies to develop modernization plans for their legacy systems that have been identified as most in need of modernization. | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |