Controls to Manage Outdated Computer Applications

IT applications have purposes that are more specific than the operating system software that makes computer hardware run. Typical applications include word processors, media players and accounting software. Governments large and small, state and local, use applications to perform a variety of critical functions, supporting public safety, social services, tax collection and transportation.

Whatever software they use, agency IT staff must continuously monitor and manage the application’s performance. They resolve any issues while also evaluating its security. In addition, they must assess it regularly for planned retirement. An important element of the maintenance stage is deciding when maintenance activity should stop and the organization upgrade to a newer version of the product or migrate to a different one. Older applications, known as “legacy applications” are the stopgap of maintaining a product past the point where it might be retired.

State agencies that use legacy applications face many risks, which could include greater security threats, decreased performance and expensive maintenance. For example, legacy applications are more vulnerable to cyberattacks when they are incompatible with modern security features. They are also slow, inefficient and more likely to fail, which can affect a government’s ability to achieve its objectives. In addition, the long-term costs of maintaining legacy systems can outweigh the trouble and expense of transitioning to new software.

For a government agency to effectively manage the risks legacy applications pose to security, efficiency and costs, it must first recognize which applications are possible problems. A reasonable first step in identifying such applications consistently is to develop clear criteria to describe “legacy.” The agency should document the criteria in a policy or procedure so all IT staff evaluate applications to the same standard.

We found the audited agencies lacked policies or guidelines that established criteria for a legacy application. We interviewed IT staff and found each held a different view of what constituted a legacy application. These views were inconsistent even within the same agency.

The OCIO has set out certain characteristics of outdated applications in its biennial report on the state's IT landscape. However, these characteristics have not yet been formalized. Issuing statewide policy or guidance could help agencies define and identify legacy applications.

Once they identify outdated applications, agencies should maintain accurate and complete IT application inventories. Doing so can help management make informed decisions about benefits and risks of maintaining them versus the expense of doing so.

We found agencies’ IT application inventory records were incomplete and contained inaccurate information. The reasons for this varied, but largely due to insufficient staffing, competing priorities and a lack of oversight. Incomplete and inaccurate inventories limit management’s ability to make informed decisions. In addition, faulty inventories affect the accuracy of statewide inventory records.

Another essential aspect of ensuring a complete record for each application is to examine maintenance costs. We also found agencies did not periodically identify, calculate or monitor the maintenance cost for each IT application accurately and completely. Agencies said because they did not prioritize resources for monitoring maintenance costs due to competing demands for limited resources.

The OCIO requires state agencies to conduct two types of application assessments – risk and security. The evaluations help them identify potential problems relating to application security and business objectives.

We found two agencies did not perform formal risk assessments on applications. While the third agency does conduct some formal risk assessments, it could improve its process by following state requirements.

We also found all three agencies periodically conducted state-required security assessments on IT devices and infrastructure, but not on applications. They also did not routinely document how they manage vulnerabilities.

These gaps between OCIO standards and agency assessments were due to a misunderstanding of the full requirements, insufficient staffing and competing priorities. Ultimately, our review of agencies’ own vulnerability scanning of servers identified potential security issues for their applications. 

Leading practices established for federal agencies advise them to consider the range of options available to mitigate the risks associated with their legacy applications. There are effectively four strategies to deal with the risks an organization has already identified:

• Accept the risks and do not act. Deciding to accept the risks associated with the legacy application and do nothing is still making an active choice.
• Update the legacy system. Update the application to improve its ability to handle the risks. This option does not provide new functionality but simply eliminates or reduces the risks associated with the existing functionality.
• Enhance the legacy system. In this option, the enhancements replace some elements of the application or add new functionality to address risks. Doing so retains the basic technology underpinning the application.
• Replace the legacy system. Plan to retire and replace the legacy application with new, more advanced technology.

Agencies should not make the final decision about which strategy to pursue without sufficient analysis. Typically, analyses should examine the risks, costs, and ultimate best value or return-on-investment that each choice offers.

As part of the audit, we reviewed six IT modernization projects – two for each of the audited agencies – to see how each agency had arrived at its decisions. We found only one project where an agency had sufficiently analyzed all available options for modernization. Washington agencies could improve their decision-making process for choosing modernization options by conducting sufficient analyses and recording them.

We made a series of recommendations to the three audited state agencies to better identify legacy applications and address risks associated with them. For example, we recommended that agencies develop a way to identify and track these applications. They should also perform both application risk and security assessments that align with state requirements.

We also made a recommendation to the Office of Chief Information Officer. We noted it could help agencies better identify and track legacy applications by implementing a statewide standard and policy.

Finally, we issued guidance that all state agencies consider the recommendations as they develop and implement their controls to manage legacy applications. The controls could also help local governments improve their own management of older IT applications. Read more in a new resource  published through our Center for Government Innovation.