March 27, 2019

Department of Energy’s Management of Legacy Information Technology Infrastructure

The Federal Government spends close to $90 billion annually on information technology (IT) resources.  Approximately 80 percent of funds budgeted for IT are dedicated to maintaining legacy IT that is outdated or obsolete and, therefore, particularly vulnerable to malicious cyber activity.  To address concerns over aging technologies, the Modernizing Government Technology Act was signed into law in 2017.  The law is designed to improve, retire, or replace existing IT; transition legacy systems to commercial cloud computing services; and support efforts to provide adequate risk-based solutions to address evolving threats to information security.

The Department of Energy and its contractors operate many types of IT systems and infrastructure to support the Department’s diverse missions related to nuclear security, scientific research and development, and environmental management.  Prior reviews conducted by the Office of Inspector General have identified weaknesses related to outdated software and hardware.  We initiated this audit to determine whether the Department effectively managed the lifecycle of legacy IT systems and components.  Our review focused on the Department’s unclassified information systems and did not include industrial control systems or national security systems.

We determined that while actions to manage the lifecycle of unsupported IT systems and components had been taken at the sites we reviewed, opportunities for improvement exist.  To continue to improve the Department’s management of legacy IT, we recommended developing policies and procedures to ensure that unsupported IT systems and system components are phased out as rapidly as possible, defining which resources should be considered legacy IT, and establishing a comprehensive plan to replace legacy IT across the Department and its contractors.

Topic: Management & Administration