GAO Finds Critical Security Risks in ‘Decades Old’ Federal IT Systems

The U.S. government plans to spend over $90 billion this fiscal year on information technology (IT). Most of that will be used to operate and maintain existing systems, including legacy systems which can be more costly to maintain and vulnerable to hackers.

A Government Accountability Office (GAO) report analyzed 65 federal legacy systems and identified the 10 most critical at 10 agencies. The systems were 8 to 51 years old.

Among the 10 most critical legacy systems that GAO identified as in need of modernization, several use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities. For example, the selected legacy system at the Department of Education runs on Common Business Oriented Language (COBOL)—a programming language that has a dwindling number of people available with the skills needed to support it. In addition, the Department of the Interior’s system contains obsolete hardware that is not supported by the manufacturers. Regarding cybersecurity, the Department of Homeland Security’s system had a large number of reported vulnerabilities, of which 168 were considered high or critical risk to the network as of September 2018.

Of the 10 agencies responsible for these legacy systems, seven (the Departments of Defense, Homeland Security, the Interior, and the Treasury, as well as the Office of Personnel Management, the Small Business Administration, and the Social Security Administration) had documented plans for modernizing the systems. The Departments of Education, Health and Human Services, and Transportation did not have documented modernization plans. Of the seven agencies with plans, only the Department of the Interior's and the Department of Defense's plans included the key elements identified in best practices: milestones, a description of the work necessary to complete the modernization, and a plan for the disposition of the legacy system. Until the other eight agencies establish complete modernization plans, GAO says, they face an increased risk of cost overruns, schedule delays, and project failure.

GAO therefore recommends the eight agencies identify and document modernization plans for their respective legacy systems, including milestones, a description of the work necessary, and details on the disposition of the legacy system. All agencies agreed with GAO’s findings and are making plans to address the recommendation.

FEMA’s System 4 vulnerabilities

The Department of Homeland Security (DHS)—Federal Emergency Management Agency's (FEMA) System 4 consists of routers, switches, firewalls, and other network appliances (all referred to as devices) that support the connectivity of FEMA sites. According to FEMA, System 4 needs to be modernized because there are significant cyber and network vulnerability risks associated with its end-of-life devices (i.e., devices no longer supported or manufactured by the vendor). Such devices typically require replacement every 3 to 5 years from the date of purchase. Despite this, the majority of the hardware was purchased between 8 and 11 years ago.

As of December 2018, about 545 of these devices were at the end of life. In a security assessment report performed in September 2018, System 4 received 249 security findings, of which 168 were high or critical risk to the system. Further compounding this issue, the agency is not certain exactly how many devices make up the system. In particular, FEMA officials stated that the vendor completed an inventory of devices in May 2018, but that inventory did not align with other inventory counts. As a result, the agency plans to develop an inventory reconciliation strategy and process to address this issue.
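The two problems in this paragraph, devices running past their replacement window and inventory counts from different sources that do not agree, are exactly what an inventory reconciliation process has to handle before any replacement phase can be scoped. The following is an added example (not code from the GAO report, FEMA, or DHS) of how such a check can be implemented: two constructed inventories keyed by serial number are diffed for devices that appear in only one source or whose attributes conflict, and the merged view is checked against the 5-year upper bound of the 3-to-5-year replacement cycle quoted above. The field names, serials, sites, and dates are all invented sample data.

```python
"""Reconcile two network-device inventories and flag hardware past its
replacement window.  Added example with constructed data; field names and
the 5-year cutoff (upper bound of the quoted 3-5 year cycle) are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    serial: str
    model: str
    site: str
    purchased: date


# Constructed sample data: the vendor's count and the agency's own records.
VENDOR_INVENTORY = [
    Device("SN-0001", "rtr-a", "site-small-1", date(2009, 3, 1)),
    Device("SN-0002", "sw-b", "site-small-1", date(2010, 6, 15)),
    Device("SN-0003", "fw-c", "site-large-1", date(2016, 1, 20)),
    Device("SN-0004", "sw-b", "site-large-1", date(2008, 11, 2)),  # unknown to agency
]
AGENCY_INVENTORY = [
    Device("SN-0001", "rtr-a", "site-small-1", date(2009, 3, 1)),
    Device("SN-0002", "sw-b", "site-small-2", date(2010, 6, 15)),  # site disagrees
    Device("SN-0003", "fw-c", "site-large-1", date(2016, 1, 20)),
    Device("SN-0005", "rtr-a", "site-large-2", date(2012, 9, 9)),  # unknown to vendor
]


def index_by_serial(devices: List[Device]) -> Dict[str, Device]:
    """Key devices by serial; a duplicate serial means the source itself is bad."""
    by_serial: Dict[str, Device] = {}
    for d in devices:
        if d.serial in by_serial:
            raise ValueError(f"duplicate serial {d.serial} in inventory")
        by_serial[d.serial] = d
    return by_serial


def reconcile(vendor: List[Device], agency: List[Device]) -> Tuple[List[str], List[str], List[Tuple[str, dict]]]:
    """Return (serials only the vendor knows, serials only the agency knows,
    serials both know but with differing model/site/purchase attributes)."""
    v, a = index_by_serial(vendor), index_by_serial(agency)
    only_vendor = sorted(set(v) - set(a))
    only_agency = sorted(set(a) - set(v))
    conflicts = []
    for serial in sorted(set(v) & set(a)):
        dv, da = v[serial], a[serial]
        diffs = {f: (getattr(dv, f), getattr(da, f))
                 for f in ("model", "site", "purchased")
                 if getattr(dv, f) != getattr(da, f)}
        if diffs:
            conflicts.append((serial, diffs))
    return only_vendor, only_agency, conflicts


def union_inventory(vendor: List[Device], agency: List[Device]) -> List[Device]:
    """Merged view so the age check covers devices that one source omitted."""
    merged = dict(index_by_serial(vendor))
    for d in agency:
        merged.setdefault(d.serial, d)
    return list(merged.values())


def past_replacement_window(devices: List[Device], as_of: date, max_years: int = 5) -> List[str]:
    """Serials purchased more than max_years before as_of (sorted)."""
    flagged = [d.serial for d in devices
               if (as_of - d.purchased).days / 365.25 > max_years]
    return sorted(flagged)


if __name__ == "__main__":
    only_v, only_a, conf = reconcile(VENDOR_INVENTORY, AGENCY_INVENTORY)
    print("only in vendor inventory:", only_v)
    print("only in agency inventory:", only_a)
    print("attribute conflicts:", conf)
    merged = union_inventory(VENDOR_INVENTORY, AGENCY_INVENTORY)
    overdue = past_replacement_window(merged, as_of=date(2018, 12, 1))
    print(f"{len(overdue)} of {len(merged)} devices past 5-year window:", overdue)
```

The point of running the age check over the union rather than either list alone is the one the paragraph makes: a device missing from one inventory still sits on the network, so a count based on a single source understates how much end-of-life hardware there is.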

FEMA intends to replace System 4’s devices in two phases. The first phase will target the agency’s smaller facilities, while the second phase will address the larger facilities, which may require more complex installations. FEMA’s Office of the Chief Information Officer is conducting site surveys to better define requirements and cost estimates. While the agency has yet to develop finalized modernization plans for this initiative with milestones, DHS officials and contract information technology staff developed a list of future recommended activities that would help modernize the system as part of their November 2018 quarterly business review.

Despite the lack of finalized plans, FEMA intends, if funds are available, to replace 240 of the 545 devices that are at the end of support and to upgrade the remaining 305 devices at a later date.

Once the system is completely updated and a lifecycle replacement operations and maintenance support plan is in place and funded, FEMA and DHS expect to realize cost savings based on new technology and increased throughput. Further, the agency stated that with new equipment, it would be able to meet mission requirements and take advantage of new technologies. In addition, replacing these unsupported devices would significantly reduce downtime and increase network availability.

Read the full report at GAO

Kylie Bielby has 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. She is an editor and contributor for Jane's by IHS Markit, a columnist for security and counter-terror publications, and a former managing editor for Homeland Security Today.
