MITRE Recommends Comprehensive Approach to Modernize Legacy Systems


The recommendations focus on executable actions for the Office of Management and Budget, agencies, Congress and industry .

MITRE made 10 recommendations this week to help the federal government modernize legacy systems, citing that “significant numbers of critical federal information technology systems that provide vital support to agencies’ missions are operating with known security vulnerabilities and unsupported hardware and software.”

According to the March 29 recommendations, the government must move away from legacy systems to fully leverage technology and fulfill critical missions. The recommendations focus on execution and were directed at the Office of Management and Budget, agencies, Congress and industry.

For example, MITRE suggests OMB provide guidance on legacy systems inventories and IT modernization plans in addition to progress transparency mechanisms. Congress should introduce legislation to reduce legacy IT and should make adjustments to the Federal Information Technology Acquisition Reform Act—or FITARA—scorecard by adding an IT Modernization Planning and Delivering category.

Meanwhile, agencies should develop inventories, modernization plans and budgets to support this, in addition to progress reports that detail acquisition and legacy system retirement. Lastly, industry should partner with the government to further facilitate these processes. 

“If you look at our recommendations, there’s a premise here that it starts with putting in place some really good policies both in the executive branch and on the legislative side of the house,” said Dave Powner, executive director of MITRE’s Center for Data-Driven Policy and one of the authors of the recommendations. “So you can think of it as starting with OMB really requiring comprehensive modernization plans that focus on decommissioning some of these old systems and [then] that is backed with sound legislation. I think if you start with those policies in place from both sides—executive and legislative branches—that would be a good start to ensure that we’re all on the same page and marching to the same beat here.”

However, co-author Dr. Nitin Naik, a technical fellow at MITRE, noted that while policies and funding are necessary, there are other critical components to this process.

“You want to make sure that you have good implementation plans, and you need to have industry partnership because we don’t want the industry to continue to profess that the old technology can continue to meet the needs,” Naik said. “We want them to be an active participant to say, ‘Okay, let’s try to see how we can take this and bring it to the new industry standard.’”

Noting there have been several other efforts to modernize legacy systems—from previous bills to cyber budgets and the National Cybersecurity Strategy—Powner explained, “our recommendations really get at the execution of those plans.”

“And how do we execute those plans—having transparency mechanisms that you report progress, having industry as a key partner, thinking differently about the digital services team. And could agencies operate within their organizations, but also go to OMB or [a] central organization out of the White House for help?” Powner said. “And this is a collective game here—it’s the policymakers, the agencies and industry, all kind of collectively working together.”

For example, one recommendation suggests that agencies partner with industry, labs and federally-funded research and development centers to help with innovation and take advantage of new technologies, according to Naik.

Another recommendation for agencies focuses on using technology like artificial intelligence and automation to improve the modernization process.  

And while many agencies have modernization plans in place, there can be several challenges.

“The question is, are [agencies’] IT modernization plans really getting at these mission critical legacy applications?” Powner said. 

“All the systems we are talking about are delivering services 24/7, 365, so, you cannot have a stoppage of work in any way that will bring tremendous problems,” Naik said. “The question is—what is a good strategy to sort of start reengineering this, testing it out on the side, and then slowly one-by-one, migrating things over while it is an interconnected system.”