Sometimes agencies lack the time or resources to fully phase out legacy IT systems. According to a March 27 audit from the Energy Department (DoE) Office of Inspector General (OIG), DoE was one of those agencies.
OIG initiated the audit because prior reports pointed to weaknesses regarding outdated software and hardware that the department uses, and OIG wanted to determine whether DoE had acted efficiently to update legacy IT systems and components. They determined that “opportunities for improvement exist.”
Specifically, efforts at the Pacific Northwest National Laboratory, Lawrence Livermore National Library, SLAC National Accelerator Laboratory, and the Hanford Site were acknowledged, but further improvements were deemed necessary related to identifying, developing, and implementing plans to modernize.
DoE lacks internal requirements to eliminate legacy IT or set deadlines by which legacy IT must go. The department also lacks a set definition for what qualifies as legacy IT. “We found that a formal definition for legacy IT resources had not been developed nor had a comprehensive plan to reduce or eliminate legacy IT across the Department been developed and implemented,” the audit reads.
At the reviewed sites, DoE officials defined legacy IT as hardware and software no longer sold or maintained by the manufacturer. Legacy IT was identified as such through system owners and scans. However, OIG was concerned because there was no documented definition of legacy IT. Thus, there was no official way to regulate the consistency of the legacy IT identified and accounted for.
At the Pacific Northwest National Laboratory, officials were in the process of implementing IT modernization projects, but they still had to manually review an inventory report to identify legacy IT systems. The laboratory did reduce end-of-life servers from 67 percent to 20 percent between March 2017 and July 2018.
The Livermore Library had specified devices, applications, and systems that fell under legacy IT, and had six modernization projects underway to replace 45 of 118 legacy network devices by Q2 FY2019. By the time of the audit, Livermore officials had replaced 37 of the 45 devices. If legacy IT is not updated, officials will be using technology that is not supported by the original manufacturer; this poses security concerns.
Those were two examples of legacy IT considerations in modernization efforts at two sites. However, there were some barriers to overall legacy IT modernization that department officials identified.
First was the availability of funding, and second was a lack of documented processes and requirements to quickly phase out legacy IT. Without set requirements, funding that might have been allocated for this purpose may have instead been used for projects with deadlines.
On the funding issue, the Modernizing Government Technology Act, signed into law in 2017, required agencies to bring funding requests to the table that included solid business cases, technical input, program management, and procurement strategy, to make use of the up to $500 million set aside for modernization purposes. “Although sites reported funding as an issue, the Department may not have taken full advantage of the Modernizing Government Technology Act,” the report points out. In FY2018, DoE received $15 million to increase the pace of an enterprise e-mail migration.