Kevin Walsh, Director of IT and Cybersecurity, Government Accountability Office 

Aug 01 2022
Management

Agencies Work Diligently to Upgrade Legacy Systems

As agencies upgrade legacy systems, they’re always on the lookout for the next job.

No matter how many legacy systems a federal agency tries to upgrade, another will age into antique status right behind them.

“It’s almost like a game of whack-a-mole,” says Kevin Walsh, director of IT and cybersecurity at the Government Accountability Office. “As soon as you modernize one of these really old systems, you move on to the next one.”

In April 2021, Walsh provided testimony to Congress on agencies’ efforts to modernize critical legacy systems, some of which have been in operation since the 1960s.

“They’ve made progress,” he says now, “but there’s still work to be done.”

For instance, the Federal Emergency Management Agency stamped out one of the peskiest modernization nuisances in its backyard. Working across agencies to identify the 10 most critical systems in need of modernization, the GAO cited FEMA’s legacy network infrastructure, used by 30,000 workers, as one of them.

In short, FEMA’s network had become a security liability. It also underperformed.

“The legacy data network system consisted of components and switches that were 8 years old on average,” explains Scott Bowman, FEMA’s acting deputy CIO for disaster operations. “Many of the switches provided only 100 megabits per second to the desktop and did not have Power over Ethernet capabilities to support modern Voice over IP phones and other network devices.”

The GAO also determined that a September 2018 security assessment of FEMA’s network found 249 security vulnerabilities, including 168 that were deemed high-risk or critical.

Plan for the Future of Government

FEMA began planning to upgrade its routers, switches, firewalls and other network appliances in 2019 and completed the modernization effort at the end of 2021. 

The network now features one gigabit per second to the desktop and a 10 Gbps backbone. It’s IPv6 compliant and ready to support software-defined networking, which is key to delivering services quickly to field offices when disasters happen.

As part of the process, Bowman explains, the agency implemented a multiyear lifecycle plan to ensure all its network equipment will be replaced again before it reaches end of life.

 “With the previous end-of-life equipment on the network, parts and support were not always available in the event of a failure, leading to extended downtime,” he says. 

“This project increased redundancy by eliminating single points of failure in several places. We currently exceed 99.97 percent availability across the enterprise, with over 100 active locations.”

Equally important, Bowman says, the network’s Federal Information Security Modernization Act scorecard has improved.

“This modernization effort has automated cybersecurity vulnerability management for the network devices,” he explains. “We are now pushing out security patches and configuration changes automatically, across network switches, without logging into each device manually.”

Paying Down Technical Debt Effectively

For every modernization victory, there’s a new or still unaddressed challenge. The 10 most critical legacy systems identified by GAO were selected from a list of 65 that agencies themselves recognized as needing modernization. Walsh suspects that there are hundreds of government IT systems in need of an upgrade.

“Not everything is a complete code rewrite,” he says. “In some cases, it’s a hardware refresh. In other cases, it’s software that’s no longer supported.” 

Whether agencies take on older systems one at a time or put off modernization plans due to a lack of funding, the bill eventually comes due.

“Not modernizing critical government legacy systems creates technical debt, which is the residual cost of completing technology tasks left undone,” says Adelaide O’Brien, research director for IDC Government Insights.

“Every change or enhancement made without fixing the debt compounds itself and adds workarounds, inefficiencies, complexities, fragility and costs. Every minute spent on workarounds, bugs, lack of interoperability and more is an indirect cost of technical debt.”

As the debt mounts, change becomes harder, slower, riskier and costlier. 

According to O’Brien, part of the interest on that debt is the challenge agencies face attracting and retaining IT workers to operate legacy systems. “Agency leadership needs to understand the technical debt issue and create strategies for quantifying, reporting and remediating it,” she says. “Plans should include cloud migration as the foundation for innovation and security, self-service, automation, 360-degree views of constituents, data-driven insights and analysis, and attracting skilled talent.”

 

Modernization at the Social Security Administration  

The Social Security Administration intends to reduce its technical debt by offering new digital services.

In rolling out the agency’s updated IT modernization plan in June 2020, former SSA Commissioner Andrew Saul stated, “Some of the changes we need to make involve updating our infrastructure to take advantage of modern technology...Currently, it is too hard for many of you to securely access our online services.”

The system that SSA uses to collect information, deliver benefits and communicate with the public has been around since 1974. As laws have changed, it’s been modified regularly and new capabilities added, but the process of altering the core system has become too expensive.

“We have known for years that we must modernize our IT—including phasing out legacy systems and aligning our IT infrastructure with FITARA [Federal IT Acquisition Reform Act] requirements—to bring it into the 21st century and meet the evolving needs of the public,” SSA spokesperson Darren Lutz told FedTech.

Among the many facets of its modernization plan, SSA is adopting a hybrid cloud infrastructure to support modern applications; implementing a new customer relationship management platform for its public-facing apps; and rolling out a new SocialSecurity.gov website later this year, offering streamlined content and a better user experience based on human-centered design practices.

“The challenges we face today are different than those we identified five years ago at the start of our IT modernization program,” says Lutz. “We are using lessons learned from the pandemic to enhance our ability to provide in-person service to people who need to see us in our local offices and to enhance our online services for our many customers who prefer doing business online or through our automated services.” 

However, the agency acknowledges it will need sustained IT investment to modernize its legacy systems before losing its institutional knowledge as IT staff members reach retirement.

$4 million

Estimated savings per year through fiscal year 2027 from modernizing the Social Security Administration’s legacy benefits platform

Source: Government Accountability Office, “Agencies Need to Develop and Implement Modernization Plans for Critical Legacy Systems,” April 2021

Using Shared Services Will Move Agencies To The Future

According to the GAO, 80 to 90 percent of agencies’ IT budgets cover operations and maintenance, “just keeping the lights on,” says Walsh. “But there will always be a need for modernization.”

One solution is to share. The GAO identified the Small Business Administration’s public-facing identification, authentication and authorization platform as a critical system in need of modernization.

By next year, SBA expects to have completed migration to Login.gov, offered by the General Services Administration as a single sign-on solution that multiple agencies can use.

“As with most technology, newer, more advanced products offer better solutions, causing the older ones to become less efficient,” says Charles Abell, an SBA spokesman. “As our general login system aged, it posed multiple challenges, including security vulnerabilities, rising operational costs and a lack of people with the skills to support the system.”

When completed, the move to Login.gov will increase security to protect users’ privacy and improve the overall customer experience by eliminating the need to remember multiple passwords. As with all modernization efforts, the goal is better service to the citizen, now and in the future.

“When agencies modernize, there’s this perception that the old systems simply cost more and newer systems are going to save money,” says Walsh. “But that’s not necessarily what we’re after. We also want better performance, better security, better citizen services. And we can’t just check a box. Modernization is like cybersecurity. It’s never done.”

Show Agencies the Money for Modernization

In 2017, Congress and the President established the Technology Modernization Fund, which provides money to improve, retire or replace aging federal IT systems. Eventually, the TMF would grow to more than $1 billion, including money made available through the American Rescue Plan.

As of mid-June, the TMF had funded 26 projects across 15 agencies and disbursed more than $400 million, including $187 million to continue work on the General Services Administration’s Login.gov single sign-on solution.

“The money allocated to the TMF was a huge, huge help,” says Kevin Walsh, director of IT and cybersecurity at the Government Accountability Office. “However, we've been chronically neglecting investment in technology for years.”

The pool of TMF-funded modernization projects may have been limited at the start because agencies needed to demonstrate cost savings, but Walsh says not all necessary modernization projects yield cost savings, leading to a loosening of the fund’s reins.

“The TMF is great, not only as an additional funding mechanism but also because it empowers our federal CIOs to help identify the best investment of taxpayer dollars,” Walsh says.

While the agency is not yet dealing with the larger goals, he says, “through smaller projects, we can spread the love across many agencies, get some small wins, prove that this works and build up some momentum.”

Ryan Donnell