GAO Reconfirms Federal IT Must Be Modernized

The federal government annually spends more than $100 billion for information technology (IT), 80 percent of which is used to operate and maintain existing systems, some of which are more than 50 years old. The Government Accountability Office (GAO) first placed IT modernization on its High Risk List in 2015, and Citizens Against Government Waste has long been critical of the failure to update these systems.
In its July 17, 2025, report to the House Committee on Oversight and Government Reform on the need for agencies to modernize “critical decades-old legacy systems,” GAO updated the committee on progress in modernizing the 10 most critical systems it had identified in 2019. By February 2025, three had been completed, four are expected to be modernized in the next few years, two will be done in five or more years, and there are no plans in place for one of the systems.
For the updated report, GAO asked all federal agencies to identify their three most critical legacy IT systems in need of modernization and were provided with a list of 69 such systems. After ranking these systems based on “16 system attributes and associate point values, including age, cybersecurity risk, and operating costs,” GAO found that the 11 highest scoring systems in the most critical need of modernization are maintained by 10 federal agencies, whose missions involve “health care, critical infrastructure, tax processing, and national security and these legacy systems provide vital support to the agencies’ missions.”
GAO made eight recommendations to seven agencies and provided Congress an additional matter for its consideration. While the systems are not named due to their sensitivity, GAO reported that “Eight of the 11 systems use outdated languages, four have unsupported hardware or software, and seven are operating with known cybersecurity vulnerabilities. For example, both of the Department of the Treasury’s selected systems run on Common Business Oriented Language (COBOL) and Assembly Language Code—programming languages that have a dwindling number of people available with the skills needed to support them. In addition, the Environmental Protection Agency’s system contains obsolete hardware that is not supported by manufacturers and has known cybersecurity vulnerabilities that cannot be remediated without modernization.”
Congress has long been aware of the need provide the resources necessary for the agencies modernize their IT systems, especially, as GAO noted, for “legacy systems that have been identified as most in need of modernization.”