The Framework incentivises legacy technologies and imperfect solutions

“So right now, the ATO process basically provides no incentive to move off of legacy systems because the mainframe has an ATO so we’re just gonna keep it running forever. There’s not really a prompt to reevaluate whether moving to a more modern system would actually improve the security of the system.”

Programmatic decisions are often made for practical reasons, such as simplicity or speed, as opposed to technical capability. Because the Risk Management Framework process is lengthy and complicated, agencies sometimes choose to expedite problem solving by other means, rather than fulfill all of the requirements of the program. In multiple interviews, we were told that a program had chosen to work with a previously approved technology or legacy system even though it only met a fraction of their technical needs. These decisions were made explicitly to avoid having to go through a new ATO approval process.

“Usually the government offering is like two to three steps at a minimum behind commercial [offerings].”

“You can’t really use the new features. So the code that’s there doesn’t benefit from the improvements we’ve made over the past 20 years.”

The technology industry moves quickly. New features and capabilities are added to products over the course of weeks or months. The ATO process takes months to years. Over time, this disparity puts program managers in a difficult position. They must choose between using outdated tools or failing to deliver services.

This incentive to continue using existing systems has played a role in the continued use of critical Federal technology systems that are more than 40 years old. Reliance on such legacy systems is both unwise and expensive. Approximately 80% of the Federal government’s $100 billion IT budget is spent on maintenance for existing systems.

“Unfortunately compliance has become so burdensome that sometimes it prevents updates to security.”

More importantly, the reliance on certain legacy systems, such as those at the Center for Medicare and Medicaid Services and the Social Security Administration, can lead to more than just inconvenience, increased cost, and poor service delivery. These systems create nationwide programmatic, financial, and social vulnerabilities. Were they to fail, agencies would be hard-pressed to deliver any service at all, and the failure would actively harm individuals, the economy at large, and the public’s faith in government.



This site was last updated on 9 OCT 2023.