GAO warns federal IT and cybersecurity remain high risk; legacy systems, FAA and VA cited

2390605 · February 25, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

GAO testified that legacy information technology and federal cybersecurity continue to be major high-risk areas, with the government spending more to sustain old systems than to adopt new technology and exposing agencies to cybersecurity vulnerabilities.

Comptroller General Gene Dodaro told the House Oversight Committee that the federal government's IT portfolio and cybersecurity posture remain on GAO's high-risk list and called for accelerated, deliberate modernization.

Dodaro said the government spends about $100 billion a year on information technology and that approximately 80% of that amount goes to maintaining legacy systems rather than investing in new capabilities. "Most of that goes to maintain existing legacy systems and not to new technology," he said. He and GAO IT staff cited multiple examples of aging technology: some systems identified for retirement are decades old and coded in languages such as COBOL, and FAA air-traffic-control components include systems that GAO says are not sustainable.

GAO argued that sustaining decades-old systems increases costs and cyber risks. Committee members pressed GAO for practical steps agencies should take now: portfolio management to avoid duplicate software buys, stronger investment review processes, and accelerated retirement plans for unsustainable systems.

Dodaro also pointed to the Department of Veterans Affairs' electronic health records program, which GAO said has cost more than $12 billion to date and is only partially deployed. GAO staff reminded lawmakers that sustaining legacy platforms creates staffing pressures because fewer workers have expertise in older languages, a problem that complicates cybersecurity and operations.

GAO recommended improved IT portfolio reviews, better metrics to judge cloud and legacy investments, and stronger agency-level governance to stop duplication and ensure security. Members of the committee asked GAO for agency-specific follow-up and asked that GAO share lessons learned from successful modernization efforts.

Lawmakers said they would use GAO recommendations to press agencies to produce timetabled modernization plans and more transparent IT spending metrics.