Original broadcast 7/27/25
Presented by ServiceNow
The federal government faces a $100 billion legacy IT challenge—but a new report from the Government Accountability Office (GAO) shows that many agencies still haven’t made the first move. Kevin Walsh, Director of Information Technology and Cybersecurity at GAO, joined Fed Gov Today with Francis Rose to share the findings of the latest review into aging systems that federal agencies continue to rely on.
The results are alarming: of 11 critical systems GAO identified as urgently needing modernization, eight still lack a complete plan. “This is a follow-on to our work from 2019,” Walsh explained. “Back then we flagged the 10 most critical legacy systems. Since then, only three have successfully modernized.”
The bar for success isn’t high. GAO isn’t judging the quality of modernization plans—only their basic presence. According to Walsh, a sufficient plan includes four simple components: a description of work to be done, a timeline or milestones, and—most importantly—a strategy to shut off the old system. “Without that, you end up running both systems in parallel, and the legacy one never truly dies,” he said.
Walsh noted this is not a new issue. “At the FAA, 105 of 138 air traffic control systems are considered unsustainable. Some use hardware that’s no longer supported because the manufacturers have gone out of business,” he said. The VA, meanwhile, is on its fourth attempt to modernize its EHR system.
The IRS remains one of the biggest laggards. “They operate hundreds of legacy systems and still don’t have plans in place to modernize many of them,” Walsh said.
Compounding the problem is that aging systems are not only inefficient—they’re increasingly vulnerable. “Many use outdated programming languages like COBOL. Seven of the eleven systems we reviewed had known security vulnerabilities,” Walsh warned. Even more troubling, many of the experts who know how to maintain those systems are retired—or deceased.
When asked why so many agencies continue to delay action, Walsh pointed to funding and uncertainty. “Plans are changing, leadership changes, and agencies tend to focus on urgent rather than important tasks.”
GAO has now escalated its recommendations to Congress, suggesting lawmakers require agencies to develop and maintain basic modernization plans for systems deemed critical. “We actually made a similar recommendation to OMB back in 2012,” Walsh noted. “Thirteen years later, there’s been no action. So now we’re going to the bosses.”
Walsh emphasized this is not about flashy tech or innovation for innovation’s sake. “We’re not asking agencies to chase the latest gadget,” he said. “We’re asking them to plan for long-term sustainability so these systems can last another 40 or 50 years.”
The report—and the segment—ends with a clear warning: modernization is no longer optional. Agencies must take basic steps now to avoid a future filled with avoidable risk, security gaps, and escalating costs.