Aside perhaps from the continued focus on cybersecurity, there is no bigger trend in federal technology in 2018 than the push for legacy system modernization.
All of the pieces are in place for agencies to start. However, they’re left with some simple questions without easy answers: When should agencies upgrade legacy IT systems? How should they prioritize their modernization efforts? And when should older technologies be left in place?
These are crucial questions that agency IT leaders need to ponder and answer to in the months ahead. President Donald Trump’s Management Agenda has IT modernization at its core, so it seems clear that agencies will be held accountable for making progress on the issue this year and beyond.
Luckily, agencies have some guidance on how to proceed. In late February, the Office of Management and Budget issued detailed guidance for the implementation of the Modernizing Government Technology Act (also known as the MGT Act). Federal IT experts also say that the Management Agenda is also a helpful place to start.
The agenda emphasizes three key priorities that it will follow as it directs agencies to upgrade their technology:
- Enhancing mission effectiveness “by improving the quality and efficiency of critical citizen-facing services, including through the increased utilization of cloud-based solutions such as email and collaboration tools.”
- Reducing cybersecurity risks to the federal mission using modern commercial capabilities and implementing cutting-edge IT security capabilities.
- Building a modern IT workforce by recruiting, reskilling, retaining professionals “able to help drive modernization with up-to-date technology.”
Beyond those, agencies should focus their modernization efforts on systems whose continued operation would present a cybersecurity risk, as well as and those that can be replaced by shared services, experts and analysts say. Above all, IT leaders should take a holistic approach to legacy system migration and modernization.
Here is a guide to the key questions facing government IT leaders as they modernize legacy systems:
What Is the Modernizing Government Technology Act (MGT Act)?
Under the MGT Act, the head of each agency can establish working capital funds for IT modernization (some agencies already do so). Agencies can transfer and reprogram funds, including for the operation and maintenance of their legacy IT systems, and then use the money for a variety of projects.
The funds can be used to improve, retire or replace existing IT systems to enhance cybersecurity and to improve efficiency and effectiveness; transition legacy IT systems to cloud or shared services; adopt risk-based cybersecurity solutions; or reimburse a central modernization fund the law sets up.
Under the law, the General Services Administration will manage a centralized Technology Modernization Fund. The law authorizes $250 million for the fund for fiscal year 2018 and the same amount for fiscal year 2019. However, in the $1.3 trillion omnibus spending bill Trump signed into law on March 23, Congress appropriated $100 million for the TMF. Agencies can apply to get money from the fund to modernize their IT and make it more efficient and secure.
On March 1, the Office of Management and Budget announced the board that will advise on fund distribution. The relatively new Federal CIO Suzette Kent chairs the board.
Agencies will compete for funding, and the board will evaluate and recommend funding the proposals that show the strongest cases for delivering on agency mission objectives and achieving success, according to OMB. Agencies must reimburse the fund for any transfer of TMF money in accordance with the terms of a written agreement, which will document how the funds will be used and the terms of repayment. It may not exceed five years unless approved by OMB.
“Successful projects will demonstrate a strong execution strategy, technical approach and have a strong team with a demonstrated history of successful modernization efforts,” OMB’s memo states. “Agencies should, to the extent practicable, consider the adoption of commercial technology solutions in their proposals and provide a strong technical approach and acquisition strategy to implement those solutions.”
Agencies are encouraged to submit proposals for common platforms and shared solutions or other modernization projects that will serve multiple components within a single agency or multiple agencies, according to OMB. The agency “anticipates that the TMF will be a test-bed for projects and procedures that agencies can operationalize through their IT planning processes and in their execution of their existing appropriations,” the memo says.
How Should Agencies Prioritize the Modernization of Legacy Systems?
OMB’s memo and the Management Agenda provide a solid foundation for helping agencies prioritize legacy IT upgrades. Agencies should think holistically.
“Agencies need to take a portfolio management approach for these types of decisions,” says Shawn McCarthy, research director of IDC Government Insights. “This isn’t easy because it often means both setting priorities and doing a detailed [return on investment] analysis for system replacement and modernization.”
McCarthy adds that agencies may choose to tackle the project that will give them the greatest return on investment, or they might decide to simply replace a legacy system that is reaching the end of its lifecycle (such as requiring a server or an operating system upgrade and associated system improvements). Or, they may need to focus on something that is legally required, such as the federal Data Center Optimization Initiative.
A key element of any such calculus is whether the systems present cybersecurity risks.
Kevin Cummins, vice president of technology at the Professional Services Council, says agencies must take a risk-management approach. “If there is an operating system that doesn’t have a patch that is needed to prevent something like WannaCry, you might want to attack that in a hurry,” he says.
Mallory Barg Bulman, vice president of research and evaluation at the Partnership for Public Service, says the most significant cybersecurity risks should be eliminated first through modernization. “Recognizing that agencies are not going to be able to address everything at risk, you have to focus on what is the greatest point of risk,” she says. That will require leaders, and many agencies still lack permanent CIOs, which makes it “very challenging” to make difficult decisions on which systems to upgrade.
Ultimately, Bulman say, agencies must focus on the mission they need to accomplish and how they can do it better. “We tend to digitize existing bad practices for the agency,” she says. “You want to make sure that you’re finding a way to do things better and more efficiently and effectively.”
Which Legacy Systems Are Ripe for Modernization?
Some legacy systems are more primed for modernization than others. McCarthy says IT leaders should focus on upgrading legacy systems that still exist on single servers (as opposed to virtualized systems), those that run on older outdated code that can make the systems increasingly expensive to upgrade, and any system that is facing an upgrade that will cost more than just starting over.
OMB definitely has a preference for upgrading IT that can be converted into a shared service across multiple agencies. Former Federal CIO Tony Scott recently talked about how agencies should look to modernize their case management systems via a common, cloud-based shared service, since 80 percent of federal case management systems are the same.
Similarly, Cummins says agencies should look to commercial solutions that can serve as the basis for shared services for common functions (human resources, payroll, etc.), “so that government doesn’t need a unique, purpose-built solution.” He expects to see TMF and working capital funds be put toward those efforts.
More difficult modernization challenges will be older systems that were purposely built for government use and which cannot be easily replaced by commercial technologies, Cummins says. Those include IT like supervisory control and data acquisition systems that run hydroelectric power plants under the jurisdiction of agencies like the Bureau of Reclamation in the Interior Department.
To hold agencies’ feet to the fire on long overdue upgrades, Congress has tasked the Government Accountability Office with, among other things, identifying and evaluating the top 15 to 25 mission-critical IT acquisitions for the nation and reporting on the status of each of these IT acquisitions. GAO has also been told to identify and evaluate the top 10 legacy system modernization initiatives for the nation and top 10 modernization successes in the last five years.
When Should Legacy Systems Be Left in Place?
As Cummins indicated, some legacy systems are going to be easier to modernize than others. And sometimes, older systems should be left in place.
In PSC’s 2017 Federal CIO Survey, one unnamed agency CIO stated: “Legacy doesn’t mean it’s a bad system. If it is working and meeting the business requirements, it’s fine [and] lets you sleep at night. Many legacy systems are more secure than those running on modern platforms. You don’t hear about mainframes getting viruses.”
If there is a special government certification needed, and it is challenging to attain, McCarthy recommends that “the old system should remain until the time is right to migrate.”
Cummins says that when it comes to modernization, he gets the sense many federal officials are “conducting triage.” It takes money to modernize, and the $100 million allocated for the TMF is a tiny fraction of the roughly $80 billion federal IT budget.
“The hopeful end state is a modern, cheaper solution than maintaining legacy IT,” he says. “Agencies do need an injection of funds to be able to make those modernizations happen. It’s a target-rich environment.”
Agencies have a “mountain of legacy IT” they can upgrade, Cummins says, since nearly three-quarters of the budget is spent on operations and maintenance of old systems. “Even incrementally, it’s a challenge, because you have to keep the old system running if it runs a mission-critical function,” he says. “You might have to have both running before you can turn the old system off.”