Federal financial regulators stay off list of ‘need to develop modernization plans’ for legacy information systems

Under the category of “things could be worse,” the congressional watchdog Tuesday issued a report listing the top 10 federal agencies in dire need of modernization plans for their “critical legacy” information systems – but none of those listed was one of the five federal financial institution regulators.

The Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corp. (FDIC), Federal Reserve, National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) were not specifically named in the report (titled “Agencies Need to Develop Modernization Plans for Critical Legacy Systems”) issued Tuesday by the Government Accountability Office (GAO). (However, the Treasury Department – which houses the OCC – is included in the report.)

Instead, the report said the Department of Health and Human Services (HHS) led the field of 10 that need updates with a 50-year-old system that the agency deems to have “high” criticality to its overall mission – but has a listing of “unknown” when it comes to the age of the oldest hardware in the system. Not surprisingly, the agency also described to the GAO the security risk of its system as “high.”

Of the other agencies listed in the GAO report, only the Treasury Department has an older system (51 years) than that of HHS. No other agency reported “unknown” when it comes to the age of the oldest hardware (although a footnote explains that there have been some updates to the HHS system over the years – but nobody really knows what the oldest processing equipment is in the agency).

Other agencies making the top 10 included the Department of Education (with a 46-year-old system), the Social Security Administration (45 years old), and the Transportation Department (35 years old).

Among the top 10 agencies in need of modernization, GAO said in the report, several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities.

“For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language (COBOL)—a programming language that has a dwindling number of people available with the skills needed to support it,” the report states.

“In addition, the Department of the Interior’s system contains obsolete hardware that is not supported by the manufacturers. Regarding cybersecurity, the Department of Homeland Security’s system had a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018,” the report noted.

GAO reported that of the 10 agencies responsible for the legacy systems, seven (the Departments of Defense, Homeland Security, the Interior, and the Treasury, as well as the Office of Personnel Management, Small Business Administration, and Social Security Administration) had documented plans for modernizing the systems.

However, the Departments of Education, Health and Human Services, and Transportation did not have documented modernization plans.

Of the seven agencies with plans, GAO said, only the Departments of the Interior and Defense’s modernization plans included the key elements identified in best practices (milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system). “Until the other eight agencies establish complete modernization plans, they will have an increased risk of cost overruns, schedule delays, and project failure,” the report states.

Agencies Need to Develop Modernization Plans for Critical Legacy Systems