The Department of Energy (DoE) could do more to improve its identification of legacy information technology (IT) infrastructure and develop and implement plans to modernize IT systems and components, according to a March 27 DoE Office of Inspector General (OIG) audit.
Although OIG acknowledged that DoE took actions to manage the lifecycle of unsupported IT systems and components at the sites the office reviewed, OIG also said the agency should develop policies and procedures to ensure that the respective legacy systems and components are phased out as soon as possible.
“Improvements are necessary related to the identification of legacy IT infrastructure, and development and implementation of plans to modernize IT systems and components,” OIG said.
OIG also found that several of the sites it reviewed did not have required plans to fully eliminate legacy IT.
In dismantling legacy IT, DoE should define replacement resources and establish a comprehensive plan to replace legacy systems and infrastructure throughout the Department and among its contractors, OIG recommended.
The audit is grounded in the 2017 Modernizing Government Technology (MGT) Act, a law designed to improve, phase out, and replace existing IT and, eventually, to move agencies from legacy systems to commercial cloud computing services. The act helps fund these initiatives within various Federal agencies.
DoE officials said that one of the obstacles they face in modernizing legacy IT infrastructure is a lack of funding. DoE received $15 million in FY2018 under the MGT Act to help modernize the department’s IT infrastructure, but OIG found the agency did not take full advantage of the law.
OIG highlighted the potential operational risks that DoE faces if it continues to operate legacy IT, including maintenance costs and an inability to meet mission requirements.
“There is an increased level of security risks, including the inability to use current cybersecurity best practices, such as data encryption and multi-factor authentication, making these systems particularly vulnerable to malicious cyber activity,” OIG added. “In addition, the Department had not taken appropriate action to remediate known vulnerabilities through patching, system enhancements, or upgrades.”
DoE management agreed with the audit and its recommendations, OIG said.