Twice now the Government Accountability Office has reviewed agency systems and found they are old.
Maybe old isn’t the best description. Maybe it’s better to say ancient. Or maybe it’s better to say decades since they were installed.
Auditors say it’s not the age these systems that’s the biggest concern as many have been upgraded with new hardware or expanded with more modern software. GAO says these older systems that are no longer supported by vendors creating critical cybersecurity problems.
GAO states in its report “Legacy systems may operate with known security vulnerabilities that are either technically difficult or prohibitively expensive to address. In some cases, vendors no longer provide support for hardware or software, creating security vulnerabilities and additional costs.” Additionally, 6 out of 10 legacy systems the report identified as ‘critical’ were also identified as having ‘moderately high’ to ‘high’ security risk associated with them.
The GAO report provides only a snapshot of the challenge.
OMB estimates agencies face more than $7 billion in technical debt that includes both hardware and software.
It’s not all bad news. Both the Obama and Trump administrations as well as Congress have recognized the challenges of legacy systems.
Laws like the Modernizing Government Technology Act, strategies like the IT Modernization and contracts like the Enterprise Infrastructure Solutions (EIS) give agencies plenty of tools.
Agencies have to figure out how to take a pragmatic approach to modernizing these legacy systems, to closing these security gaps and dramatically reduce risk while improving services to citizens.
"We started with a thorough assessment. As a result of the assessment, we focused on three real key areas. One of the areas was cloud consolidation. We are 100% cloud, but we had a lot of cloud and the thought was reducing the cost of cloud. We also recognized that reducing the footprint of the number of systems we had from a security standpoint would reduce the surface area that is susceptible to attack. The third area we focused on was about automation."
- Jason Gray Chief Information Officer, Department of Education
There is a pragmatic approach usually tied to risks and costs that prioritize that shift [off mainframes]. I think you take an assessment of your environment, you have a profile of where the risk is and your high value assets and then you can start accelerating the reduction of risk. Some of that will involve moving older applications off the mainframe or maybe some older dev/ops processes or some infrastructure.
-Kevin Hansen Chief Technology Officer, Micro Focus Government Solutions
I think we live in an era of low code or no code where many things have already been written. The last thing I want to do is continue to write more custom code. I want to be able to find a way to leverage the experience of other agencies, leverage the applications they have already built to bear on the needs of Transportation.
-Ryan Cote Chief Information Officer, Department of Transportation
Link to the full episode and original post: https://federalnewsnetwork.com/federal-insights/2019/10/mitigating-mainframe-cyber-blind-spots-through-it-modernization/