Legacy IT Systems Put the Energy Department at Risk

The Energy Department must rapidly develop a comprehensive plan to identify and replace legacy information technology systems and components, according to a report from the agency’s inspector general.

Between February 2018 and March 2019, the IG conducted an audit to determine whether Energy is effectively managing the lifecycle of its legacy IT systems at the department’s headquarters and at national laboratory sites including the Pacific Northwest National Lab and SLAC National Accelerator Lab. The review primarily focused on unclassified information systems and excluded industrial control and national security systems.

The IG could not accurately quantify the exact amount of legacy IT at all of the sites because most did not track the legacy status of their inventory systems.

While some sites had taken necessary actions to reduce their reliance on legacy systems, “improvements are necessary related to the identification of legacy IT infrastructure, and development and implementation of plans to modernize IT systems and components,” Assistant Inspector General for Technology, Financial and Analytics Office Sarah Nelson wrote in the review.  

Energy and its contractors operate many different IT systems and infrastructure to support missions related to nuclear security, environmental management, and scientific research and development. The IG’s review found that the department lacks an overarching definition that can be used to identify legacy IT, which prohibits it from adequately accounting for all of its legacy systems.

Site officials interviewed in the process also indicated that some of the legacy IT included hardware and software that’s no longer supported by manufacturers and also noted they had to rely on system owners and system scans to even identify the unsupported or outdated technology. Further, not one of the locations reviewed by the IG has yet to develop a comprehensive modernization plan.  

All sites indicated that funding was a barrier impacting their ability to modernize. The Richland Operations Office’s Infrastructure and site services contractor at the Hanford Site reported almost $10.2 million of unfunded priorities and Lawrence Livermore National Laboratory in California had four projects planned for fiscal year 2018 placed on hold citing restrictions around funding.

“Although sites reported funding as an issue, the department may not have taken full advantage of the Modernizing Government Technology Act,” the report said, referring to the revolving fund Congress authorized for such projects in 2017.

However, the review did highlight a few “positive steps toward modernization.”

Pacific Northwest National Laboratory indicated it’s working on a data center migration to reduce legacy IT and that it decreased its use of end-of-life servers from 67 to 20 percent between March 2017 and July 2018.

The Livermore site reported 58 applications, 35 operating systems and 118 unclassified network devices that were all legacy IT. Yet the lab has six ongoing modernization projects and plans to replace 45 of the 118 legacy network devices by the second quarter of this fiscal year. At the time of the audit, Livermore had already replaced 37 of the 45 devices.

Still, the IG report said that the department may find itself unable to meet mission requirements if it continues to operate legacy systems and system components.

“In addition, there is an increased level of security risks, including the inability to use current cybersecurity best practices, such as data encryption and multi-factor authentication, making these systems particularly vulnerable to malicious cyber activity,” the report said.

It also called the department’s continued use of unsupported IT “especially concerning” in light of the cybersecurity breach it faced in 2013, which was “caused, in part, by a failure to assign the appropriate level of urgency to replacing end-of-life systems.”

The department’s management accepted the IG’s recommendations and responded that corrective actions are ongoing to address the issues raised in the report.

In a written response, Energy’s Chief Information Officer Max Everett said “[t]he department, including the National Nuclear Security Administration, understands the importance of phasing out unsupported IT systems and system components as rapidly as possible.”

He added that the deputy chief information officer for architecture, engineering and technology and innovation has initiated a memorandum documenting the department’s “current state, future state, and a three year technology roadmap.” The memorandum is estimated to be completed by September 30 and is pending departmental review and approval.