GAO study: US nuclear forces are still controlled by floppy disks

May 27, 2016

More than $80 billion is invested in government IT annually, a large share of it reportedly for maintaining existing systems, so efficiency studies are required from time to time. The United States Government Accountability Office (GAO) assessed federal agencies’ IT O&M spending, evaluated the oversight of at-risk legacy investments, and assessed the age and obsolescence of federal IT. In its review of government agencies’ spending, GAO found some fascinating facts, including that the Department of Defense still uses floppy disks for emergency messages to nuclear forces.

IT spending through the years

According to the report, the federal government spent about 75 percent of the total amount budgeted for information technology (IT) for fiscal year 2015 on operations and maintenance (O&M) investments. Such spending has increased over the past 7 fiscal years, which has resulted in a $7.3 billion decline from fiscal years 2010 to 2017 in development, modernization, and enhancement activities.

Specifically, 5,233 of the government’s approximately 7,000 IT investments are spending all of their funds on O&M activities. Moreover, the Office of Management and Budget (OMB) has directed agencies to identify IT O&M expenditures known as non-provisioned services that do not use solutions often viewed as more efficient, such as cloud computing and shared services.

Agencies reported planned spending of nearly $55 billion on such non-provisioned IT in fiscal year 2015. OMB has developed a metric for agencies to measure their spending on services such as cloud computing and shared services, but has not identified an associated goal. Thus, agencies may be limited in their ability to evaluate progress. Many O&M investments in GAO’s review were identified as moderate to high risk by agency CIOs, and agencies did not consistently perform required analysis of these at-risk investments. Further, several of the at-risk investments did not have plans to be retired or modernized. Until agencies fully review their at-risk investments, the government’s oversight of such investments will be limited and its spending could be wasteful.

Time to upgrade

Federal legacy IT investments are becoming increasingly obsolete: many use outdated software languages and hardware parts that are unsupported. Agencies reported using several systems that have components that are, in some cases, at least 50 years old. For example, the Department of Defense uses 8-inch floppy disks in a legacy system that coordinates the operational functions of the nation’s nuclear forces. In addition, the Department of the Treasury uses assembly language code, a computer language initially used in the 1950s and typically tied to the hardware for which it was developed. OMB recently began an initiative to modernize, retire, and replace the federal government’s legacy IT systems. As part of this, OMB drafted guidance requiring agencies to identify, prioritize, and plan to modernize legacy systems. However, until this policy is finalized and fully executed, the government runs the risk of maintaining systems that have outlived their effectiveness. The following table provides examples of legacy systems across the federal government that agencies report are 30 years or older and use obsolete software or hardware, and identifies those that do not have specific plans with time frames to modernize or replace these investments.

According to the report, DoD started to replace the system in March 2016. Secure digital cards should replace floppy disks by 2017.

The Department of Defense, probably where upgrades are most needed, received a recommendation from GAO to identify and plan to modernize or replace legacy systems as needed and consistent with OMB’s draft guidance, including time frames, activities to be performed, and functions to be replaced or enhanced, all under the direction of the Secretary of Defense, of course.

DoD responded: “DoD partially concurs with the GAO recommendation. DoD has modernized, upgraded or retired hundreds of systems in the last several years through an investment review process under the oversight of the Defense Business Council (DBC). The DBC, co-chaired by the Deputy Chief Management Officer and the Department of Defense Chief Information Officer, continues to move forward with key infrastructure, security, and business systems initiatives that will enable further steps towards a more agile, interoperable, and secure environment. The Department will continue to identify, prioritize, and manage legacy systems that should be modernized or replaced, based on existing DoD policies, using existing Department processes, consistent to the extent practicable with OMB’s draft guidance.”

In all fairness to some of the reviewed agencies, the replacement process can be difficult and costly, and not all the systems can be replaced at once. Furthermore, the outdated ones that remain will probably have high maintenance costs as well, because the expertise needed to operate them becomes increasingly hard to find as the years go by. That still does not excuse the fact that the Office of Management and Budget did not set targets for spending on new technologies. We’re talking about national security here, and in a day and age when almost anyone can afford advanced and (somewhat) secure pieces of technology, it can’t be acceptable for government agencies to keep using software and hardware almost half a century old.