Watchdog finds 10 ‘critical’ IT security risks in the government

The federal government spends approximately 80 percent of its $90 billion information technology funding maintaining legacy IT systems, which have contributed to “security risks, unmet mission needs, staffing issues and increased costs,” according to a June 11 Government Accountability Office report.

Of those systems, GAO identified 10, one at each of 10 agencies, as in critical need of modernization, based on each system's age, its criticality to the agency's mission and the security risk it poses.

The report does not name the systems, citing the security risk that such a disclosure would pose, and instead gives a generic description and the owning agency for each:

  1. Department of Defense — a maintenance system supporting wartime readiness
  2. Department of Education — a system housing student information
  3. Department of Health and Human Services — an information system supporting clinical and administrative activities
  4. Department of Homeland Security — a network of routers, systems and appliances
  5. Department of the Interior — a system supporting the operation of dams and power plants
  6. Department of the Treasury — a system containing taxpayer information
  7. Department of Transportation — an aircraft information system
  8. Office of Personnel Management — hardware, software and service components supporting IT applications and services
  9. Small Business Administration — a system controlling access to applications
  10. Social Security Administration — a group of systems housing information on Social Security beneficiaries

Those 10 systems cost their agencies approximately $337 million to operate and maintain, and, left unmodernized, can be expected to grow more expensive and more exposed while becoming less able to meet mission needs.

“Among the 10 most critical legacy systems that GAO identified as in need of modernization, several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities. For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language — a programming language that has a dwindling number of people available with the skills needed to support it,” the report said.

“Further, several of these legacy systems are also operating with known security vulnerabilities and unsupported hardware and software. For example, DHS’s Federal Emergency Management Agency performed a security assessment on its selected legacy system in September 2018. This review found 249 reported vulnerabilities, of which 168 were considered high or critical risk to the network.”

The Treasury system, at 51 years, is the oldest; the Department of Education and HHS systems are each more than 45 years old, and both were rated high criticality and high risk.

Neither of those two agencies, nor the Department of Transportation, has established a modernization plan for its system.

Only DoD and DOI have established complete modernization plans, meaning plans that include all three elements GAO considers essential.

“According to our review of government and industry best practices for the modernization of federal IT, agencies should have documented modernization plans for legacy systems that, at a minimum, include three key elements: (1) milestones to complete the modernization, (2) a description of the work necessary to modernize the legacy system, and (3) details regarding the disposition of the legacy system,” the report said.

GAO made one recommendation to each of the eight agencies that did not already have a complete IT modernization plan in place, and all eight agreed with the recommendation.
