Government agencies keep sacrificing cash to zombie IT systems, GAO finds

50-year-old Cobol code, 8-inch floppies, and PowerBuilder live on in government IT.

For those of you who don't remember, this is what an 8-inch floppy disk looks like.
Government Accountability Office

Some of the most critical business systems run by US government agencies are older than many of the IT people who support them, written in mainframe assembler code or COBOL. That might not shock or surprise anyone who works in mainframe-centric industries like insurance and finance, where the time-tested reliability of some systems has granted them lives that reach back to the Johnson administration. But a new Government Accountability Office report has called out some of these systems as being so archaic that they're consuming increasingly larger portions of agencies' IT budgets just for operation and maintenance. As the breach at the Office of Personnel Management demonstrated, old systems are also a security risk—particularly when they've been "updated" with now-unsupported versions of Windows Server and Internet and database components that were end-of-life'd by their creators years ago.

To drive those points home, the report—written by David A. Powner, GAO's director for information technology management issues—called out specific legacy systems from multiple agencies that are particularly obsolete, reliant on older programming languages and older computing technologies that are no longer supported. To help members of Congress too young to remember them, the report also included an infographic (as shown above) to explain what an 8-inch floppy disk was.

Of the top ten oldest systems cited by GAO, six are over 50 years old—and five of the ten oldest systems, all dating from before the 1980s, are not slated to be replaced any time soon. And it should come as no surprise that the two oldest systems in government are at the Internal Revenue Service, and both will remain in place for some time.

To be fair, the "ages" of these systems represent how long the agencies have been investing in them and not necessarily their technology base. Many of them have had major updates to their components, if not their core code. But for the most part, those that have been updated are still based on more recent—but still obsolete and unsupported—operating systems and software.

The Old 10 are:

  1. Individual Master File, Department of the Treasury—about 56 years old. Written in IBM mainframe assembly language code, this system is "the authoritative data source for individual taxpayer accounts where accounts are updated, taxes are assessed, and refunds are generated during the tax filing period." There are no firm plans to replace it.
  2. Business Master File, Department of the Treasury—also about 56 years old and also written in IBM mainframe assembler code, this is the business income tax equivalent of the Individual Master File. An update is planned, but there's no timeframe set.
  3. Strategic Automated Command and Control System, Department of Defense—53 years old. Thankfully, this system—which was highlighted in a 60 Minutes report two years ago—will be replaced in fiscal year 2017. SACCS "coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts," the GAO report notes. And it does that running on IBM Series/1 computers that boot off 8-inch floppy disks. For the members of Congress who are too young to know what an 8-inch floppy disk is, GAO thankfully provided a photo.
  4. Personnel and Accounting Integrated Data, Department of Veterans Affairs—53 years old. Human Resources systems are one of the most common sinkholes for legacy technology. This system is VA's time and attendance system, and it was written in COBOL. Veterans Affairs is planning to replace it with a shared service in 2017 as part of the ongoing consolidation of like systems across the government.
  5. Computerized Optimization Model For Predicting and Analyzing Support Structure (COMPASS), Department of Defense—52 years old, but not really. This decision support, command, and control system is used across DOD to plan how to move all the stuff required to support military operations in a crisis. The system has had several updates over the years, and in its current PC-based version it runs on Windows 2008 Server, an Oracle 11g database (circa 2009), and its core code is written in Java. DOD "plans to migrate it [to] a 2012 [Microsoft] SQL Server by the end of the year," GAO reported.
  6. Benefits Delivery Network, Department of Veterans Affairs—51 years old. This cluster of COBOL mainframe applications is what VA uses to track veterans' benefits, eligibility for access to benefits, and their dates of death, among other things. The VA is planning to roll it into another system someday, but there's no timeframe set.
  7. Hazardous Materials Information System, Department of Transportation's Pipeline and Hazardous Materials Safety Administration—about 46 years old, though in its current incarnation the system runs on Microsoft Classic Active Server Pages, Microsoft .NET, and other legacy Windows code that is no longer supported—"which can cause security risks, among other issues," GAO noted. DOT is planning on replacing the "legacy components" by 2018.
  8. National Oceanic and Atmospheric Administration/National Weather Service Dissemination Systems, Department of Commerce—46 years old. These three "information dissemination systems" are what push out severe weather warnings and other alerts to both the public and to emergency management organizations. They run across a hodgepodge of platforms, including Windows Server 2003, and are partially written in FORTRAN. "The agency has general plans to continuously update system components," GAO noted, but there are no plans for a rewrite in a more modern programming language.
  9. National Data Buoy Center Ocean Observing System of Systems, Department of Commerce—46 years old. This is the system that collects weather, sea state, and tsunami warning data from a network of ocean buoys. The back end runs on a patchwork of operating systems, like the NOAA/National Weather Service systems, including Windows Server 2003 (and, surprisingly, Linux). It also uses an Oracle database that is no longer supported and "a variety of programming languages, including FORTRAN." Incremental updates to hardware and component software are planned, but with no firm dates.
  10. Hiring Tracking Systems, Department of Homeland Security Immigration and Customs Enforcement—39 years old, with some updates. This HR system runs on a relatively recent 2008 IBM z10 mainframe and is written in COBOL. It has a Web front end that runs on Windows Server 2012, based on Java. DHS plans on replacing the mainframe with a service-oriented architecture starting this year—if it gets the funding.

While not in the top ten, the State Department's 26-year-old Diversity Visa Information System is worth noting as well. The case management system, used to handle applications under the Diversity Visa Program—a program intended to promote entry of immigrants from countries with "historically low rates of immigration"—is based on code written in PowerBuilder, the client-server development environment introduced by PowerSoft in the 1990s before being acquired by Sybase. While PowerBuilder is now supported by Appeon (and owned by SAP), the "classic" PowerBuilder environment used to write the front end for the system hasn't been supported for years.

In some cases, the government has had to turn to another source of expertise to keep some of these systems running. GAO reports that the Social Security Administration had to hire retired IT workers as consultants to come back in to perform maintenance on the COBOL code its 32-year-old Title II retirement benefits systems depend on.