How can regulators tackle the urgent challenge of legacy IT modernization?
The burden of outdated IT systems can create serious problems for regulators as workload demands increase and new security vulnerabilities develop over time. In this Insight piece, we explore how government agencies may go about upgrading their legacy systems to current-day requirements and why it is imperative to do so.

Thentia is a highly configurable, end-to-end regulatory and licensing solution designed exclusively for regulators, by regulators.


Thentia is a highly configurable, end-to-end regulatory and licensing solution designed exclusively for regulators, by regulators.



Share on linkedin
Share on twitter
Share on email
Share on facebook

For years, the U.S.’s Government Accountability Office (GAO) and Office of Management and Budget (OMB) have been pushing public sector organizations to evaluate and update their IT systems. Outdated or “legacy” software and hardware systems can hamstring an agency’s productivity and open organizations up to an increased risk of cyberattacks. All the available evidence points toward one basic fact: legacy systems are costly.

In a 2016 report, the OMB estimated government agencies could face $7 billion in technical debt over the next five years – a number that has surely only risen with the passage of time. Technical debt can be defined as the financial burden of legacy hardware and software systems. In other words, it’s the amount it would cost to update or “modernize” this technology to meet current-day performance requirements. 

The necessity of eliminating technical debt has become apparent at every level of government. Some U.S. lawmakers, for example, are calling on agencies at the federal level to make changes with their endorsement of the Legacy IT Reduction Act of 2022, which would require federal government organizations to identify their hardware and software burdens and make plans to modernize them.

The bill, introduced by Sen. Maggie Hassan, would mandate that agencies create lists of the top 10 IT systems most in need of updates and create detailed outlines of their plans to modernize. These plans would include details on which systems would be disposed of or retired as well as details regarding where the funding to execute the plans would come from.

Legacy software systems don’t just pose a burden in terms of their limitations in meeting current-day work requirements – they also open agencies up to cybersecurity vulnerabilities, as evidenced in the case of the Federal Emergency Management Agency (FEMA), which in 2018 was subjected to a security audit finding that the agency’s network contained 249 security vulnerabilities, 168 of which were deemed critical or high-risk.

When addressing the legacy systems issue, officials must first decide whether to take a revolutionary or evolutionary approach. In the former case, the totality of an agency’s systems would be replaced, discarded, or updated, and in the other, the organization would take the project in smaller pieces, slowly transitioning toward a state of total modernization. But how exactly can these strategies play out?

Approaches to modernization

When we think about bringing an agency’s IT systems up to current-day standards, perhaps the most obvious approach is to replace them entirely, disposing of old technology and building or buying new tech to take its place. Though it may not necessarily involve retooling or upgrading any existing hardware or software systems, replacement is a modernization option worth considering for many agencies.

On the software side of things, “lean modernization” offers a solution that involves a “build new” approach, in which the old system is replaced piece by piece. Development teams are broken down into small groups that each work to build a new process or capability for the system’s next generation, with all these discrete pieces of the new system being tied together at the end of the process.

Other approaches to modernization include rebuilding, which involves completely restructuring the legacy system into a cloud-native environment. This is the most comprehensive approach that doesn’t involve actual replacement, and ultimately, many organizations may see a rebuild as the goal in any legacy system modernization project, with other approaches (like those listed below) to be deployed in service of the rebuild objective.

The replatform approach involves keeping an application’s code structure mostly intact and simply porting it over to a new runtime platform. Rehosting involves a “lift and shift” approach in which full legacy systems are moved, for example, from onsite data centers to the cloud. Both methodologies may be appealing for agencies who want to continue getting mileage out of their legacy investments.

The refactoring and rearchitecting approach involves a systematic overview of which parts of an agency’s legacy system would benefit from code updates or a switch to the cloud and a case-by-case upgrade of system components deemed to be in need of them. Though refactoring and rearchitecting stands to pose less of a disruption to day-to-day operations, it can also take much more time and reap fewer performance benefits in the long run.

Case studies and the importance of planning

Regardless of which path an agency chooses on its road toward modernized IT systems, organizational culture will almost inevitably play a role in the process. There are no two ways around the fact that change, whether it’s revolutionary or incremental, stands to disrupt existing work operations. There may very well be inconveniences, learning curves, and workflow delays that arise from the shift.

Therefore, it is important that agency staff members are educated on the modernization process and the user functionality of the new hardware and software systems that are to come. Knowing why one’s organization is changing its IT systems, understanding the technology that is to come, and seeing how modernization will benefit the agency can go a long way in ensuring a smooth transition.

The importance of planning the modernization process cannot be overstated. Without a clear outline of an agency’s goals and strategies, these projects can crash and burn all too easily, as seen in California’s attempt to transform IT infrastructure in the California Court Case Management System (CCMS). The project started in the early aughts but was deemed a failure within about 10 years, due in part to poor planning and management.

An audit of the initiative, which would have replaced 70 different legacy systems, found its failures related largely to cost analysis. In 2004, the estimated cost of the project was $260 million, but by 2010, this number had ballooned to approximately $1.9 billion. The state’s contract with the development vendor did not contain adequate controls for cost and scope, and this allowed the project to spiral out of control until court officials decided to terminate it in 2012.

But when modernization is done right, it delivers. One senior project manager for a state U.S. government agency said modernization saved their organization around $20-25 million in costs, touting automation and cloud-based technology as catalysts for productivity. They also said modernization improved customer service for the agency, thanks in part to on-demand report generation and data-driven insights that enabled more efficient project planning and assessment.

It is important for leaders within the public sector to remember that maintaining a legacy system for an extended period will always cost an agency much more than switching to a modern, cloud-based environment. Though the short-term costs in terms of time and resources may seem daunting, the long-term benefits usually outweigh these burdens.

Not only will agencies likely see a significant boost in terms of their productivity and ability to serve the public, but they will also be able to update their security standards to better protect against the pervasive threat of cyberattacks. It therefore remains imperative that legacy system modernization remains at the forefront of strategic priorities for government agencies in the years to come.



Do chatbots understand you? Exploring bias and discrimination in AI

To what extent does AI have the potential to exhibit bias and discrimination? And how might humans implement the technology in a way that curbs these tendencies? In his latest piece for Ascend, Rick Borges discusses the ethical implications of widespread AI implementation and explores what could be done to address them.

Read More »
Harry Cayton AI regulation

AI requires people-centric regulation to succeed: Cayton

Artificial Intelligence has much to offer for good as well as for harm, and the need to regulate emerging AI technologies in some way has become apparent. In this article, Harry Cayton argues that instead of trying to regulate an entire international industry, AI regulation requires a precise approach that focuses on the people who create it and use it.

Read More »
operational resilience

Regulators tackle operational resilience in the UK

To mitigate the risk of major operational failures affecting the day-to-day lives of millions of financial services customers, U.K. regulators issued new rules on operational resilience that came into force in March 2022. In this article, Rick Borges looks at the requirements and the impact they will have on firms’ cyber resilience and use of third-party providers.

Read More »

Stay informed.

Get the latest news and views on regulation and digital government.


Share on linkedin
Share on twitter
Share on email
Share on facebook
Jordan Milian
Written byJordan Milian
Jordan Milian is a writer covering government regulation and occupational licensing for Ascend, with a professional background in journalism and marketing.


Review commission identifies barriers to entry for Virginia teachers: Weekly regulatory news

The Week in Brief is your weekly snapshot of regulatory news and what's happening in the world of professional licensing, government technology, and public policy.
This week in regulatory news, a review commission identifies barriers to licensure amidst Virginia’s statewide teacher shortage, a U.K. architecture board recommends reforming educational requirements, and more.