Skip to content
Business Efficiency

The US Government Spends $100 Billion a Year Maintaining Legacy Systems

More than 80% of the federal IT budget goes to keeping old systems alive. That's not modernization — that's life support paid by taxpayers.

· 6 min read
Share on X LinkedIn
The US Government Spends $100 Billion a Year Maintaining Legacy Systems

The Number

$100B+ annually
Federal IT legacy spending
Source: GAO-23-106821. Government Accountability Office report on federal IT spending.

The US federal government spends over $100 billion per year on information technology. More than 80% of that — over $80 billion — goes to operating and maintaining existing systems. Not building new capabilities. Not modernizing. Keeping old systems running.

What This Looks Like

The Social Security Administration processes benefits on COBOL systems written in the 1970s. The IRS runs tax processing on mainframes from the 1960s. The VA manages veteran health records on systems that predate the internet. These aren't edge cases — they're the norm.

~240 million
COBOL lines in US federal systems
Source: GAO reports. Social Security, IRS, VA, DoD — critical services.

whitehouse.gov Runs WordPress

The symbolic dimension: the White House — the most prominent digital address in American government — runs WordPress. Our scanner confirmed it. The nation's digital front door sits on a framework with 18,005 known vulnerabilities.

WordPress
whitehouse.gov framework
Source: WebPulse scanner detection. Confirmed via HTML signatures and meta tags.

The Modernization Gap

Congress has passed multiple modernization mandates — FITARA, MGT Act, TMF. Billions have been allocated. But the structural incentives favor maintenance over modernization: maintaining a working system is lower risk than replacing it. Nobody gets fired for keeping the lights on.

The result: America's digital infrastructure ages another year, every year. The maintenance cost rises. The security risk compounds. And the gap between what government services could be and what they are widens.

The CISA Dimension

Mandatory patch timelines
CISA BOD 22-01
Source: CISA Binding Operational Directive 22-01. Federal agencies must remediate KEV entries within defined timelines.

CISA's Known Exploited Vulnerabilities catalog creates a direct connection between framework choice and compliance obligation. Federal agencies running WordPress or Drupal inherit the CVE patching burden of those platforms — a burden that grows with each new vulnerability disclosure.

Share this insight