Washington’s governments use information technology (IT) applications every day to perform many critical functions. These applications help agencies provide everything from social services to collecting taxes and managing public transportation. Each application has a lifespan, moving through purchase, installation and maintenance, including evaluating end of its working life. IT specialists often refer to those used beyond the point where they might be retired as “legacy applications.”
Legacy applications use outdated technology, making them incompatible with more modern IT systems. Consequently, they can be more vulnerable to security threats. Such software can be challenging and expensive to maintain because fewer people have the necessary expertise to do so.
Washington Technology Solutions (WaTech), the state’s centralized provider and procurer of IT services, estimates that between 40 percent and 60 percent of the state’s government applications could be considered legacy. This audit looked at three state agencies to see if they have procedures to identify legacy applications and address risks associated with them.
Read a two-page summary of the report.
Local governments may also find the guidance issued to state agencies in the report useful. View our new resource around identifying legacy computer applications. You can also read our blog post about this topic.
Legacy applications are more vulnerable to security threats, decreased performance and expensive maintenance. The audit found the three audited agencies had gaps in their practices that, if closed, could help them better manage IT risks:
- Defining what constitutes a legacy application
- Keeping accurate and complete application inventory records
- Monitoring maintenance costs
We also found that they were inconsistent in conducting period risk and security assessments on IT applications. These two types of assessments are required by Washington’s Office of the Chief Information Officer (OCIO). Performing these assessments would help each one identify the possible risks and costs involved in maintaining the software instead of replacing it. Similarly, using qualitative and quantitative analyses could help guide agency leadership make decisions about software modernization options.
After reviewing the efforts of three state agencies, this audit made several recommendations. They included developing a more uniform approach to identifying and tracking legacy applications and assessing risks associated with those applications. We also recommended agencies perform sufficient analyses of modernization options. In this effort, the OCIO also has a role to play, in implementing a statewide standard and policy for legacy applications.
Note that confidentiality is key to preventing cyberattacks on state IT systems by those seeking to do harm. For this reason, the report does not name audited agencies. In addition, state law protects detailed information about the cybersecurity protocols of state agencies. Our report provides general examples of issues, consequences and remedies drawn from our research.
IT applications have purposes that are more specific than the operating system software that makes computer hardware run. Typical applications include word processors, media players and accounting software. Governments large and small, state and local, use applications to perform a variety of critical functions, supporting public safety, social services, tax collection and transportation.
Whatever software they use, agency IT staff must continuously monitor and manage the application’s performance. They resolve any issues while also evaluating its security. In addition, they must assess it regularly for planned retirement. An important element of the maintenance stage is deciding when maintenance activity should stop and the organization upgrade to a newer version of the product or migrate to a different one. Older applications, known as “legacy applications” are the stopgap of maintaining a product past the point where it might be retired.
State agencies that use legacy applications face many risks, which could include greater security threats, decreased performance and expensive maintenance. For example, legacy applications are more vulnerable to cyberattacks when they are incompatible with modern security features. They are also slow, inefficient and more likely to fail, which can affect a government’s ability to achieve its objectives. In addition, the long-term costs of maintaining legacy systems can outweigh the trouble and expense of transitioning to new software.
Define the problem
For a government agency to effectively manage the risks legacy applications pose to security, efficiency and costs, it must first recognize which applications are possible problems. A reasonable first step in identifying such applications consistently is to develop clear criteria to describe “legacy.” The agency should document the criteria in a policy or procedure so all IT staff evaluate applications to the same standard.
We found the audited agencies lacked policies or guidelines that established criteria for a legacy application. We interviewed IT staff and found each held a different view of what constituted a legacy application. These views were inconsistent even within the same agency.
The OCIO has set out certain characteristics of outdated applications in its biennial report on the state's IT landscape. However, these characteristics have not yet been formalized. Issuing statewide policy or guidance could help agencies define and identify legacy applications.
Inventory and monitor costs
Once they identify outdated applications, agencies should maintain accurate and complete IT application inventories. Doing so can help management make informed decisions about benefits and risks of maintaining them versus the expense of doing so.
We found agencies’ IT application inventory records were incomplete and contained inaccurate information. The reasons for this varied, but largely due to insufficient staffing, competing priorities and a lack of oversight. Incomplete and inaccurate inventories limit management’s ability to make informed decisions. In addition, faulty inventories affect the accuracy of statewide inventory records.
Another essential aspect of ensuring a complete record for each application is to examine maintenance costs. We also found agencies did not periodically identify, calculate or monitor the maintenance cost for each IT application accurately and completely. Agencies said because they did not prioritize resources for monitoring maintenance costs due to competing demands for limited resources.
Conduct period assessments
The OCIO requires state agencies to conduct two types of application assessments – risk and security. The evaluations help them identify potential problems relating to application security and business objectives.
We found two agencies did not perform formal risk assessments on applications. While the third agency does conduct some formal risk assessments, it could improve its process by following state requirements.
We also found all three agencies periodically conducted state-required security assessments on IT devices and infrastructure, but not on applications. They also did not routinely document how they manage vulnerabilities.
These gaps between OCIO standards and agency assessments were due to a misunderstanding of the full requirements, insufficient staffing and competing priorities. Ultimately, our review of agencies’ own vulnerability scanning of servers identified potential security issues for their applications.
Leading practices established for federal agencies advise them to consider the range of options available to mitigate the risks associated with their legacy applications. There are effectively four strategies to deal with the risks an organization has already identified:
- Accept the risks and do not act. Deciding to accept the risks associated with the legacy application and do nothing is still making an active choice.
- Update the legacy system. Update the application to improve its ability to handle the risks. This option does not provide new functionality but simply eliminates or reduces the risks associated with the existing functionality.
- Enhance the legacy system. In this option, the enhancements replace some elements of the application or add new functionality to address risks. Doing so retains the basic technology underpinning the application.
- Replace the legacy system. Plan to retire and replace the legacy application with new, more advanced technology.
Agencies should not make the final decision about which strategy to pursue without sufficient analysis. Typically, analyses should examine the risks, costs, and ultimate best value or return-on-investment that each choice offers.
As part of the audit, we reviewed six IT modernization projects – two for each of the audited agencies – to see how each agency had arrived at its decisions. We found only one project where an agency had sufficiently analyzed all available options for modernization. Washington agencies could improve their decision-making process for choosing modernization options by conducting sufficient analyses and recording them.
We made a series of recommendations to the three audited state agencies to better identify legacy applications and address risks associated with them. For example, we recommended that agencies develop a way to identify and track these applications. They should also perform both application risk and security assessments that align with state requirements.
We also made a recommendation to the Office of Chief Information Officer. We noted it could help agencies better identify and track legacy applications by implementing a statewide standard and policy.
Finally, we issued guidance that all state agencies consider the recommendations as they develop and implement their controls to manage legacy applications. The controls could also help local governments improve their own management of older IT applications. Read more in a new resource published through our Center for Government Innovation.