The federal government runs on code older than most of its employees. According to the GAO's July 2025 report (GAO-25-107795), 11 critical legacy systems across 10 federal agencies are in desperate need of modernization—with the oldest dating back 60 years.
This isn't a technology curiosity. It's a national security risk hiding in plain sight.
The Staggering Cost of Standing Still
The federal government spends over $100 billion on IT and cyber-related investments each year. But here's the problem: agencies typically report spending approximately 80 percent on operations and maintenance of existing IT systems.
That means roughly $80 billion annually just to keep aging systems running—leaving only 20% for innovation, security improvements, and citizen-facing services.
"Each year, the federal government spends more than $100 billion on IT and cyber-related investments. Of this amount, agencies have typically reported spending about 80 percent on operations and maintenance of existing IT." — GAO-25-107795
[Figure: Federal IT Budget Allocation]
The math is brutal. Every dollar spent patching a 50-year-old system is a dollar not spent on:
- Modernizing citizen services
- Strengthening cybersecurity defenses
- Improving data analytics capabilities
- Building interoperability between agencies
The 11 Most Critical Legacy Systems
The GAO reviewed 69 federal legacy IT systems and identified the 11 most in need of modernization. These systems support essential government operations including health care, critical infrastructure, tax processing, and national security.
The findings are stark:
- 8 of 11 systems use outdated programming languages like COBOL and Assembly
- 4 systems have unsupported hardware or software
- 7 systems are operating with known cybersecurity vulnerabilities that cannot be fixed without modernization
Systems by Age and Agency
| Agency | System Age | Unsupported Hardware/Software | Legacy Languages |
|---|---|---|---|
| Department of Defense | 60 years | Yes | Yes |
| Department of the Treasury | 59 years | Yes | Yes |
| Department of Health and Human Services | 55 years | Yes | Yes |
| Department of the Treasury | 51 years | Yes | Yes |
| Environmental Protection Agency | 51 years | No | No |
| Department of Agriculture | 41 years | Yes | Yes |
| Department of Transportation | 31 years | No | Yes |
| Department of Commerce | 30 years | Unknown | No |
| Department of Homeland Security | 30 years | No | No |
| Department of Energy | 25 years | Yes | Yes |
| Department of the Interior | 23 years | No | Yes |
Source: GAO-25-107795, Table 1
The Department of Defense operates the oldest system at 60 years old. The Treasury Department maintains two legacy systems—59 and 51 years old—both running on COBOL and Assembly Language Code.
[Figure: Federal Legacy System Ages by Agency]
The COBOL Crisis
At the heart of many federal legacy systems sits COBOL—Common Business-Oriented Language. Developed in 1959, COBOL still powers systems that process trillions of dollars in transactions.
Both of the Department of the Treasury's flagged systems run on COBOL and Assembly Language Code, languages for which the pool of people with the skills to support them is dwindling.
The Workforce Problem
The talent pool for these legacy languages is disappearing:
- Average age of COBOL programmers: 55-58 years old
- Retirement rate: 10% annually
- Time to hire a qualified developer: 90-180 days
- Universities still teaching COBOL: Less than 30%
"The community of COBOL programmers is shrinking faster than the open positions they create can be filled." — AFCEA International
When these experts retire, they take decades of institutional knowledge with them—knowledge that's rarely documented. The Environmental Protection Agency's system, for example, contains obsolete hardware that is not supported by manufacturers and has known cybersecurity vulnerabilities that cannot be remediated without modernization.
Why Modernization Plans Keep Failing
The GAO evaluated modernization plans for all 11 critical systems against three key elements:
- Milestones to complete the modernization
- Description of the work necessary to modernize
- Planned disposition of the legacy system
The results were troubling:
Only 3 Agencies Have Complete Plans
| Agency | Planned Completion | Has Milestones | Describes Work | Legacy Disposition |
|---|---|---|---|---|
| Homeland Security | September 2026 | Yes | Yes | Yes |
| Interior | August 2027 | Yes | Yes | Yes |
| EPA | December 2028 | Yes | Yes | Yes |
6 Agencies Have Incomplete Plans
| Agency | Status | Key Gaps |
|---|---|---|
| Agriculture | Planned 2031 | No work description |
| Commerce | Partial | All elements incomplete |
| Health and Human Services | Partial | All elements incomplete |
| Transportation | Planned 2030 | No work description |
| Treasury (2 systems) | Partial | No legacy disposition plan |
2 Agencies Have No Modernization Plan At All
- Department of Defense (60-year-old system)
- Department of Energy (25-year-old system)
Source: GAO-25-107795, Table 2
"Until agencies fully document modernization plans for critical legacy IT systems, their modernization initiatives will have an increased likelihood of cost overruns, schedule delays, and overall project failure." — GAO
[Figure: Agency Modernization Plan Status]
The Security Imperative
Legacy systems aren't just expensive—they're vulnerable. Seven of the 11 most critical legacy systems are operating with known cybersecurity vulnerabilities that cannot be remediated without modernization.
These aren't theoretical risks:
- Outdated encryption - Many legacy systems predate modern security standards
- No patch support - Vendors may no longer provide security updates
- Limited monitoring - Old systems often lack modern logging and detection capabilities
- Authentication gaps - Multi-factor authentication may be impossible to implement
The GAO has recommended for nearly a decade that OMB direct agencies to identify legacy systems needing modernization. OMB has not yet taken action. Given this inaction, the GAO is now recommending Congress consider requiring federal agencies to develop modernization plans.
A Practical Path Forward
Successful modernization doesn't require replacing everything overnight. The three agencies with complete plans (Homeland Security, Interior, and EPA) share common approaches.
Phase 1: Assessment and Documentation (Weeks 1-8)
Before writing a single line of new code:
- Inventory all systems - Document what exists, who uses it, and what it does
- Map dependencies - Understand how systems connect and share data
- Extract business rules - Capture the logic embedded in legacy code
- Identify quick wins - Find components that can be modernized independently
This phase prevents the most common modernization failure: not understanding what you're replacing.
Phase 2: Strangler Pattern Implementation (Months 3-12)
Rather than big-bang replacement, use the strangler pattern:
- Build modern services alongside legacy - New functionality runs in parallel
- Gradually redirect traffic - Move users to modern systems incrementally
- Maintain fallback capability - Legacy systems remain available during transition
- Decommission piece by piece - Only retire components when replacements are proven
This approach reduces risk dramatically. If something fails, you roll back one component—not the entire system.
Phase 3: API-First Integration (Ongoing)
Create API layers that abstract legacy complexity:
- Modern applications communicate through clean APIs
- Legacy systems are wrapped, not exposed directly
- New integrations don't require understanding decades-old code
- Gradual replacement becomes possible without disruption
At PEW Consulting, we've used this approach to achieve 99.97% uptime during critical migrations. For systems processing millions of transactions monthly, gradual migration isn't just safer—it's the only responsible approach.
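A sketch of Phases 2 and 3 together, added here as an illustration and not code from PEW Consulting or any agency: a facade wraps one capability, moves a stable percentage of callers to the modern service, falls back to legacy on failure, and logs every backend call so decommissioning is gated on evidence. The backend functions, caller IDs and thresholds are hypothetical, and the fallback assumes requests are idempotent reads.

```python
import hashlib

class StranglerFacade:
    """Fronts one capability and decides, per caller, which backend serves it."""

    def __init__(self, legacy, modern, rollout_percent=0):
        self.legacy, self.modern = legacy, modern
        self.rollout_percent = rollout_percent  # 0 = all legacy, 100 = all modern
        self.audit = []  # one structured event per backend call

    def _bucket(self, caller_id):
        # Stable 0-99 bucket, so a caller stays on the same side between requests.
        digest = hashlib.sha256(caller_id.encode()).digest()
        return int.from_bytes(digest[:4], "big") % 100

    def _log(self, caller_id, backend, ok, error=None):
        self.audit.append({"caller": caller_id, "backend": backend, "ok": ok, "error": error})

    def handle(self, caller_id, request):
        if self._bucket(caller_id) < self.rollout_percent:
            try:
                result = self.modern(request)
                self._log(caller_id, "modern", True)
                return result
            except Exception as exc:
                # Fallback path: record the failure, then serve from legacy.
                self._log(caller_id, "modern", False, type(exc).__name__)
        result = self.legacy(request)
        self._log(caller_id, "legacy", True)
        return result

    def ready_to_decommission(self, min_requests=100):
        # Retire legacy only at full rollout, with enough modern traffic and no failures.
        modern = [e for e in self.audit if e["backend"] == "modern"]
        return (self.rollout_percent == 100
                and len(modern) >= min_requests
                and all(e["ok"] for e in modern))

# Constructed stand-ins for the two backends (hypothetical, not real systems).
def legacy_lookup(request):
    return {"account": request["account"], "source": "legacy"}

def modern_lookup(request):
    return {"account": request["account"], "source": "modern"}

def broken_modern_lookup(request):
    raise TimeoutError("modern service unavailable")

if __name__ == "__main__":
    facade = StranglerFacade(legacy_lookup, broken_modern_lookup, rollout_percent=100)
    print(facade.handle("user-17", {"account": "A-1"}), facade.audit)
```

Because every call passes through the facade, its audit log also gives the wrapped legacy component the request-level logging it may lack on its own.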
The Washington State Example
State governments face similar challenges. Washington State's One Washington program is modernizing systems built in the 1960s—including AFRS (Agency Financial Reporting System), which processes $4.3 billion in monthly payments affecting 60,000+ employees.
The risks mirror federal challenges:
- A single disruption could delay payments to thousands of state workers
- A shrinking pool of resources to support aging COBOL systems
- Fragmented procurement systems that can't integrate with modern tools
Washington chose Workday as its cloud ERP platform, with a phased go-live between October 2027 and October 2028. This multi-year, incremental approach reflects lessons learned from failed big-bang modernizations elsewhere.
For agencies watching One Washington's progress, it offers a template for state-level modernization done right.
Key Takeaways
- 11 critical systems need modernization - Ages range from 23 to 60 years old
- Only 3 agencies have complete plans - Defense and Energy have no plans at all
- 7 systems have known security vulnerabilities - That cannot be fixed without modernization
- COBOL expertise is disappearing - 10% of developers retire annually
- Phased approaches work - DHS, Interior, and EPA show the way forward
Ready to Assess Your Legacy Systems?
Whether you're a federal agency facing GAO scrutiny or a state government planning your own modernization journey, the first step is understanding what you have.
PEW Consulting specializes in legacy system assessment and cloud migration for government agencies. Our team has delivered solutions achieving 99.97% uptime while processing millions of monthly transactions.
Schedule a free modernization assessment to identify your highest-priority systems and build a practical path forward.
Sources
- GAO-25-107795: Information Technology: Agencies Need to Plan for Modernizing Critical Decades-Old Legacy Systems (July 17, 2025)
- AFCEA International: Aging Workforce Brings On COBOL Crisis
- One Washington Program
