[Senate Report 118-172]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 383
118th Congress     }                                     {      Report
                                 SENATE
 2d Session        }                                     {     118-172
_______________________________________________________________________

                                     



                    LEGACY IT REDUCTION ACT OF 2023

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2032

              TO REQUIRE THE REDUCTION OF THE RELIANCE AND
            EXPENDITURES OF THE FEDERAL GOVERNMENT ON LEGACY
         INFORMATION TECHNOLOGY SYSTEMS, AND FOR OTHER PURPOSES









    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]








                  May 9, 2024.--Ordered to be printed   
                  
                  
                  
                                   _______
                                   
                                   
                 U.S. GOVERNMENT PUBLISHING OFFICE 
                 
49-010                       WASHINGTON : 2024 
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
                  
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut      JOSH HAWLEY, Missouri
LAPHONZA R. BUTLER, California       ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
                      Alan S. Kahn, Chief Counsel
                  Michelle M. Benecke, Senior Counsel
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
                  Andrew J. Hopkins, Minority Counsel
                     Laura W. Kilbride, Chief Clerk






































                                                      Calendar No. 383
118th Congress     }                                     {      Report
                                 SENATE
 2d Session        }                                     {     118-172

======================================================================



 
                    LEGACY IT REDUCTION ACT OF 2023

                                _______
                                

                  May 9, 2024.--Ordered to be printed

                                _______
                                

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2032]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2032) to require 
the reduction of the reliance and expenditures of the Federal 
Government on legacy information technology systems, and for 
other purposes, having considered the same, reports favorably 
thereon with an amendment in the nature of a substitute and 
recommends that the bill, as amended, do pass.

                                CONTENTS

                                                                     Page
  I. Purpose and Summary..............................................  1
 II. Background and Need for the Legislation..........................  2
III. Legislative History..............................................  3
 IV. Section-by-Section Analysis of the Bill, as Reported.............  3
  V. Evaluation of Regulatory Impact..................................  5
 VI. Congressional Budget Office Cost Estimate........................  6
VII. Changes in Existing Law Made by the Bill, as Reported............  6

                         I. PURPOSE AND SUMMARY

    The purpose of S. 2032, the Legacy IT Reduction Act of 
2023, is to reduce the federal government's reliance on legacy 
information technology (IT) systems in order to reduce costs, 
increase cybersecurity, and improve user experience. The bill 
requires agencies to develop an inventory of their legacy IT 
systems and write modernization plans to update or dispose of 
those systems. The inventories are intended to be 
comprehensive, and should include hardware, software, data 
centers, and other digital or physical infrastructure that are 
legacy IT or support legacy IT. It also requires the Office of 
Management and Budget (OMB) to issue guidance to assist 
agencies with identifying legacy IT systems and modernizing 
them. To further improve agency coordination and outcomes, the 
bill also requires a Government Accountability Office (GAO) 
report examining the bill's implementation and how it functions 
alongside existing IT modernization policies and programs.\1\
---------------------------------------------------------------------------
    \1\On March 30, 2022, the Committee approved S. 3897, the Legacy IT 
Reduction Act of 2022, with an amendment. That bill, as reported, is 
substantially similar to S. 2032, except that S. 3897 included a 
section to codify the Computers for Learning Program. Accordingly, this 
committee report is, in many respects, similar to the committee report 
for S. 3897. See S. Rept. 117-262.
---------------------------------------------------------------------------

              II. BACKGROUND AND NEED FOR THE LEGISLATION

    In June 2019, GAO issued a report entitled Information 
Technology: Agencies Need to Develop Modernization Plans for 
Critical Legacy Systems. In this report, GAO analyzed 65 legacy 
systems and identified ten critical systems most in need of 
modernization. GAO found that, of the ten departments and 
agencies responsible for these legacy systems, three 
departments--the Department of Education, Department of Health 
and Human Services, and Department of Transportation--did not 
have documented modernization plans. Of the seven agencies with 
documented plans for modernizing their legacy systems, only the 
Departments of the Interior and Defense had plans that included 
key elements identified by GAO as best practices: milestones, a 
description of the work necessary to complete the 
modernization, and a plan for the disposition of the legacy 
system. The report concluded that, without complete 
modernization plans, all ten departments and agencies will be 
at increased risk of cost overruns, schedule delays, and 
project failures.\2\
---------------------------------------------------------------------------
    \2\Government Accountability Office, Information Technology: 
Agencies Need to Develop Modernization Plans for Critical Legacy 
Systems (GAO-19-471) (June 11, 2019).
---------------------------------------------------------------------------
    In June 2020, Senator Margaret Wood Hassan (D-NH) sent an 
oversight letter to these departments and agencies to ask how 
officials planned to modernize the systems GAO identified.\3\ 
In April 2021, the Homeland Security and Governmental Affairs 
Committee's Subcommittee on Emerging Threats and Spending 
Oversight held a hearing with the GAO report author and three 
former federal Chief Information Officers on the challenges 
presented by outdated technology and the barriers to 
modernization.\4\ In September 2021, the Subcommittee held a 
second hearing on the issue with witnesses from the Biden 
Administration.\5\
---------------------------------------------------------------------------
    \3\Letters from Senator Hassan to Agency Chief Financial and Chief 
Information Officers (June 3, 2020) (www.hassan.senate.gov/imo/media/
doc/Sen%20Hassan%20IT%20letters.pdf).
    \4\Senate Subcommittee on Emerging Threats and Spending Oversight, 
Hearing on Controlling Federal Legacy IT Costs and Crafting 21st 
Century IT Management Solutions, 117th Cong. (Apr. 27, 2021) (S. Hrg. 
117-38).
    \5\Senate Subcommittee on Emerging Threats and Spending Oversight, 
Hearing on Existing Resources and Innovations Needed to Replace Legacy 
IT and Save Taxpayer Dollars, 117th Cong. (Sept. 28, 2021) (S. Hrg. 
117-167).
---------------------------------------------------------------------------
    The Legacy IT Reduction Act of 2023 reflects the feedback 
and information gathered from the oversight letters and 
hearings. Specifically, the legislation adopts a single 
definition of ``legacy information technology,'' which does not 
currently exist in statute. In addition, the legislation 
requires agencies to write IT modernization plans, given that 
the 2019 GAO report and agency responses to Senator Hassan's 
2020 oversight letters revealed inconsistent or nonexistent 
technology infrastructure improvement plans across the federal 
government.\6\ While more agencies have adopted IT 
modernization plans since the 2019 report, at the April 2021 
hearing, GAO observed that these plans still failed to describe 
the work necessary to implement the plans, milestones to 
complete modernization, and plans to dispose of legacy 
systems.\7\ Finally, the legislation calls for leadership from 
OMB to help address these legacy IT challenges.
---------------------------------------------------------------------------
    \6\Id.; Hearing on Controlling Federal Legacy IT Costs, supra note 
4.
    \7\Senate Subcommittee on Emerging Threats and Spending Oversight, 
Testimony Submitted for the Record of Kevin Walsh, Director, 
Information Technology and Cybersecurity, Government Accountability 
Office, Hearing on Controlling Federal Legacy IT Costs and Crafting 
21st Century IT Management Solutions, 117th Cong. (Apr. 27, 2021) (S. 
Hrg. 117-38).
---------------------------------------------------------------------------

                        III. LEGISLATIVE HISTORY

    Senator Hassan introduced S. 2032, the Legacy IT Reduction 
Act of 2023, on June 15, 2023, with original cosponsor Senator 
John Cornyn (R-TX). The bill was referred to the Committee on 
Homeland Security and Governmental Affairs.
    The Committee considered S. 2032 at a business meeting on 
July 26, 2023. At the business meeting, Senator Hassan offered 
a substitute amendment as well as a modification to the 
substitute amendment. The amendment clarified that the 
inventories and modernization plans should also consider a 
legacy IT system's connection with non-legacy IT systems. The 
modification added a rule of construction, six-year sunset, and 
restriction on new appropriations. The Committee adopted the 
modification to the substitute amendment, and the substitute 
amendment as modified, by unanimous consent, with Senators 
Peters, Hassan, Sinema, Rosen, Blumenthal, Paul, Lankford, and 
Scott present. The bill, as amended by the Hassan amendment as 
modified, was ordered reported favorably by roll call vote of 8 
yeas to 1 nay, with Senators Peters, Hassan, Sinema, Rosen, 
Ossoff, Blumenthal, Lankford, and Scott voting in the 
affirmative and Senator Paul voting in the negative. Senators 
Carper, Padilla, Johnson, Romney, Hawley, and Marshall voted 
yea by proxy, for the record only.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section establishes the short title of the bill as the 
``Legacy IT Reduction Act of 2023.''

Section 2. Definitions

    For most key terms, this section draws definitions from 
other areas of the U.S. Code and Code of Federal Regulations.
    Paragraph (1) defines ``Administrator'' as the head of the 
General Services Administration (GSA).
    Paragraph (2) defines ``Agency'' as the 24 CFO Act agencies 
listed in 31 U.S.C. 901(b)(1)-(2).
    Paragraph (3) defines ``Chief Information Officer'' (CIO) 
as the person designated under 44 U.S.C. 3506(a)(2) to carry 
out an agency's information resources management to improve 
productivity, efficiency, and effectiveness.
    Paragraph (4) defines ``Comptroller General'' as the head 
of the Government Accountability Office (GAO).
    Paragraph (5) defines ``Congressional Oversight Committee'' 
as the Senate and House committees or subcommittees that 
provide oversight of a particular agency.
    Paragraph (6) defines ``Director'' as the head of the 
Office of Management and Budget (OMB).
    Paragraph (7) defines ``Information technology'' (IT) with 
the meaning given in 40 U.S.C. 11101(6).
    Paragraph (8) defines ``IT working capital fund'' as the 
funds established by the Modernizing Government Technology Act 
(codified at 40 U.S.C. 11301 note).
    Paragraph (9) defines ``National Security System'' with the 
meaning given the term in 40 U.S.C. 11301.
    Paragraph (10) defines ``Technology Modernization Fund'' as 
the Fund established under the Modernizing Government 
Technology Act (NDAA FY18, Sec. 1078(b)(1); codified at 40 
U.S.C. 11301 note).

Section 3. Legacy information technology system inventory

    Subsection (a) requires agency CIOs to develop an inventory 
of each legacy IT system in use at the agency within one year 
of enactment, and then update the inventory every five years 
thereafter. These inventories will identify legacy IT and will 
inform the modernization plans required under Section 4. OMB is 
required to issue guidance on what should be included in the 
inventory. OMB should consider including the name or 
identification of the legacy IT system, the office or mission 
of the agency that the system supports and how it is used, 
whether the system is connected to a non-legacy IT system, and 
the date of the system's next expected update, retirement, or 
disposal. To the extent that information is available, OMB 
should also consider including the date the legacy IT system 
was last updated; the system's annual price (including 
recurring costs and costs of contracts for labor and 
maintenance); the name and contact information of the system's 
vendor.
    Subsection (b) requires agencies to make the inventory 
available upon request to a House of Congress, an agency's 
congressional oversight committee, GAO, or an agency's Office 
of Inspector General upon request. OMB may also require an 
agency to include the inventory in other reporting structures.

Section 4. Agency legacy information technology systems modernization 
        plans and report

    Subsection (a) requires agencies to develop a plan to 
modernize their legacy IT systems following the development of 
the legacy IT system inventory. The plan must be published 
within two years of enactment, and then updated every five 
years thereafter and included as part of the agency's 
information resource management strategic plan under 44 U.S.C. 
3506(b)(2).
    Subsection (b) requires the modernization plans include the 
following information: (1) an inventory of the agency's legacy 
IT system; (2) an identification of legacy IT systems that the 
agency has prioritized for updates, modernization, retirement, 
or disposal; (3) steps the agency intends to make to update, 
modernize, cease use of, or dispose of each legacy IT system 
within five years of the submission of the plan; and (4) any 
additional information OMB determines necessary or useful for 
an agency to consider or include to effectively and efficiently 
execute the plan, including (A) the capacity of the agency to 
operate and maintain the modern system; (B) the cost and 
sources of funding required for the modernization; (C) the 
agency's ability to adapt the modernized system to changes in 
technology and policy; and (D) the effect of modernization on 
non-legacy IT systems.
    Subsection (c) requires agencies to submit copies of the 
plans to the Senate Committee on Homeland Security and 
Governmental Affairs, the House Committee on Oversight and 
Accountability, and the agency's committee of jurisdiction.

Section 5. Role of the Office of Management and Budget

    This section requires OMB to issue guidance on the 
implementation of this Act and the amendments it makes within 
180 days. The guidance must include criteria to determine what 
constitutes an ``outdated and obsolete'' IT system for the 
purposes of compiling the inventory under Section 3; 
instructions and templates for completing the legacy IT system 
inventory and modernization plans (and subsequent updates to 
the plans); and any additional guidance necessary to implement 
this Act.

Section 6. Comptroller general review

    This section requires GAO to issue a report within three 
years of enactment on the implementation of the Act, and how 
this Act functions alongside other existing IT modernization 
offices, programs, and policies.

Section 7. Protection of sensitive information; exemption of national 
        security systems

    This section states that this legislation does not require 
disclosure of sensitive information that is otherwise protected 
from disclosure by law or that would compromise security of 
federal IT systems. In addition, this section exempts national 
security systems from the requirements of this legislation. 
This section also includes a Rule of Construction stating that 
nothing in the Act shall be construed to authorize transfers of 
IT systems to the People's Republic of China or organizations 
controlled by the People's Republic of China.

Section 8. No new funds; sunset

    This section prohibits the appropriation of additional 
funds to carry out the Act. It also sunsets the bill six years 
after the date of enactment.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE







    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





    S. 2032 would require federal agencies to inventory legacy 
information technology (IT) systems and develop plans to update 
or dispose of those that are outdated or obsolete. The bill 
also would require the Office of Management and Budget to issue 
guidance for managing that process and direct the Government 
Accountability Office (GAO) to report on agency efforts.
    The federal government spends about $100 billion annually 
on IT systems and several laws and directives require agencies 
to assess, evaluate, and manage their IT resources. Because the 
bill would not appreciably expand the duties of executive 
branch agencies, CBO estimates that implementing S. 2032 would 
not have a significant effect on the federal budget.
    Enacting S. 2032 could affect direct spending by some 
agencies that are allowed to use fees, receipts from the sale 
of goods, and other collections to cover operating costs. CBO 
estimates that any net changes in direct spending by those 
agencies would be negligible because most of them can adjust 
amounts collected to reflect changes in operating costs.
    The CBO staff contact for this estimate is Matthew 
Pickford. The estimate was reviewed by H. Samuel Papenfuss, 
Deputy Director of Budget Analysis.
                                         Phillip L. Swagel,
                             Director, Congressional Budget Office.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    This legislation would make no change in existing law, 
within the meaning of clauses (a) and (b) of subparagraph 12 of 
rule XXVI of the Standing Rules of the Senate, because this 
legislation would not repeal or amend any provision of current 
law.

                                  [all]