The Government Accountability Office (GAO) is recommending that Congress consider requiring major Federal government agencies to develop modernization plans for legacy IT systems that have been identified as among those most in need of overhauling.

In making that recommendation, GAO chided the Office of Management and Budget (OMB), which it said has thus far “not taken action” on GAO recommendations offered nearly a decade ago for OMB to identify legacy systems and/or investments needed to modernize them.

“Given OMB’s lack of action, Congress requiring federal agencies to develop modernization plans for critical legacy systems can expedite agencies’ efforts,” the watchdog agency said.

Those are some of the bigger takeaways from the public version of a GAO report issued today in which the agency flags what it sees as “11 of the most critical federal legacy systems” at 10 of the larger Federal government agencies.

A “sensitive” version of the report is being delivered to seven Federal agencies.

11 Systems Reviewed

The report identifies those agencies by name but does not identify the specific worrisome systems at those agencies “due to sensitivity concerns.”

The watchdog’s report covers 11 legacy systems at a total of 10 agencies, including two at the Department of the Treasury, and one each at the Environmental Protection Agency (EPA) and the departments of Interior, Transportation, Homeland Security (DHS), Health and Human Services (HHS), Defense, Commerce, and Agriculture.

The 11 legacy systems range in age from 23 years (at the Interior Department) to 60 years (at the Defense Department).

“These agencies’ missions are essential to government operations such as health care, critical infrastructure, tax processing, and national security, and these legacy systems provide vital support to the agencies’ missions,” GAO said.

Glaring Problems Found

Of the 11 legacy systems, GAO said that eight of them use outdated coding languages, four of them have unsupported hardware or software, and seven “are operating with known cybersecurity vulnerabilities.”

“For example, both of the Department of the Treasury’s selected systems run on Common Business Oriented Language (COBOL) and Assembly Language Code – programming languages that have a dwindling number of people available with the skills needed to support them,” GAO said.

“In addition, the Environmental Protection Agency’s system contains obsolete hardware that is not supported by manufacturers and has known cybersecurity vulnerabilities that cannot be remediated without modernization,” the agency reported.

The HHS legacy system on the GAO’s list was previously flagged by the watchdog in a 2019 review of systems most in need of updating.

Mixed Modernization Planning Status

In somewhat more hopeful news, GAO said that agencies have already developed modernization plans for nine of the 11 legacy systems.

But in reviewing those plans, GAO said that only three of the nine, for systems maintained by DHS, Interior, and EPA, included all necessary planning elements.

The other six did not include all of the necessary planning elements, GAO said. The two systems without modernization plans are operated by the Defense and Energy departments.

“Until agencies fully document modernization plans for critical legacy IT systems, their modernization initiatives will have an increased likelihood of cost overruns, schedule delays, and overall project failure,” GAO warned.

“Project failure would be particularly detrimental not only because of wasted resources, but also because it would prolong the lifespan of increasingly vulnerable and obsolete systems,” the agency continued. “This could expose agencies and system clients to security threats and potentially significant performance issues.”

Further, GAO said, “There are likely more legacy systems needing attention beyond what is highlighted in this report.”

GAO recalled that in June 2019 it identified 10 critical Federal legacy IT systems that were most in need of modernization, but that as of February 2025, agencies had completed only three of the 10 modernizations.

“Of the seven remaining modernizations, agencies planned to complete four in the next few years, two in 5 or more years, and one does not yet have a planned completion date established,” GAO said.

GAO said it is delivering another eight recommendations to Federal agencies in its sensitive version of today’s public report.

In the case of those recommendations, the watchdog said that “three agencies agreed with GAO’s recommendations and three agencies neither agreed nor disagreed. In addition, one agency disagreed with its recommendation and GAO revised it to reflect updated information.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.