[House Hearing, 105 Congress]
[From the U.S. Government Publishing Office]



 
                       YEAR 2000 COMPUTER PROBLEM

=======================================================================

                                HEARING

                               before the

                       SUBCOMMITTEE ON OVERSIGHT

                                 of the

                      COMMITTEE ON WAYS AND MEANS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED FIFTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 7, 1998

                               __________

                             Serial 105-56

                               __________

         Printed for the use of the Committee on Ways and Means

                               ----------

                    U.S. GOVERNMENT PRINTING OFFICE
53-365 cc                   WASHINGTON : 1999




                      COMMITTEE ON WAYS AND MEANS

                      BILL ARCHER, Texas, Chairman

PHILIP M. CRANE, Illinois            CHARLES B. RANGEL, New York
BILL THOMAS, California              FORTNEY PETE STARK, California
E. CLAY SHAW, Jr., Florida           ROBERT T. MATSUI, California
NANCY L. JOHNSON, Connecticut        BARBARA B. KENNELLY, Connecticut
JIM BUNNING, Kentucky                WILLIAM J. COYNE, Pennsylvania
AMO HOUGHTON, New York               SANDER M. LEVIN, Michigan
WALLY HERGER, California             BENJAMIN L. CARDIN, Maryland
JIM McCRERY, Louisiana               JIM McDERMOTT, Washington
DAVE CAMP, Michigan                  GERALD D. KLECZKA, Wisconsin
JIM RAMSTAD, Minnesota               JOHN LEWIS, Georgia
JIM NUSSLE, Iowa                     RICHARD E. NEAL, Massachusetts
SAM JOHNSON, Texas                   MICHAEL R. McNULTY, New York
JENNIFER DUNN, Washington            WILLIAM J. JEFFERSON, Louisiana
MAC COLLINS, Georgia                 JOHN S. TANNER, Tennessee
ROB PORTMAN, Ohio                    XAVIER BECERRA, California
PHILIP S. ENGLISH, Pennsylvania      KAREN L. THURMAN, Florida
JOHN ENSIGN, Nevada
JON CHRISTENSEN, Nebraska
WES WATKINS, Oklahoma
J.D. HAYWORTH, Arizona
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri

                     A.L. Singleton, Chief of Staff

                  Janice Mays, Minority Chief Counsel

                                 ______

                       Subcommittee on Oversight

                NANCY L. JOHNSON, Connecticut, Chairman

ROB PORTMAN, Ohio                    WILLIAM J. COYNE, Pennsylvania
JIM RAMSTAD, Minnesota               GERALD D. KLECZKA, Wisconsin
JENNIFER DUNN, Washington            MICHAEL R. McNULTY, New York
PHILIP S. ENGLISH, Pennsylvania      JOHN S. TANNER, Tennessee
WES WATKINS, Oklahoma                KAREN L. THURMAN, Florida
JERRY WELLER, Illinois
KENNY HULSHOF, Missouri


Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Ways and Means are also published 
in electronic form. The printed hearing record remains the official 
version. Because electronic submissions are used to prepare both 
printed and electronic versions of the hearing record, the process of 
converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                                                                   Page

Advisory of April 30, 1998, announcing the hearing...............     2

                               WITNESSES

Internal Revenue Service, Hon. Charles O. Rossotti, Commissioner.     8
U.S. Department of Health and Human Services, Hon. John Callahan, 
  Assistant Secretary, Management and Budget; and Chief 
  Information Officer; accompanied by Gary Christoph, Chief 
  Information Officer, Health Care Financing Administration; 
  Elizabeth James, Chief Information Officer, Administration for 
  Children and Families; and Norm Thompson, Associate 
  Commissioner for Automation and Special Projects, 
  Administration for Children and Families.......................    30
Social Security Administration, John Dyer, Principal Deputy 
  Commissioner...................................................    36
U.S. Department of the Treasury, James J. Flyzik, Deputy 
  Assistant Secretary for Information Systems; and Chief 
  Information Officer............................................    40
U.S. Department of the Treasury, Financial Management Service, 
  Constance E. Craig, Assistant Commissioner, Information 
  Resources......................................................    46
U.S. Customs Service, Vincette L. Goerl, Assistant Commissioner, 
  Office of Finance; and Chief Financial Officer.................    50
U.S. General Accounting Office:
    Lynda D. Willis, Director, Tax Policy and Administration 
      Issues, General Government Division........................   103
    Joel C. Willemssen, Director, Civil Agencies Information 
      Systems, Accounting and Information Management Division; 
      accompanied by Randy Hite, Senior Assistant Director, 
      Defense and Governmentwide Information Systems, Accounting 
      and Information Management Division........................   108

                                 ______

American Hospital Association, Jennifer Jackson..................    84
BankBoston, N.A., Steven P. McManus..............................    71
Blue Cross and Blue Shield Association, Mary Nell Lehnhard.......    88
Connecticut Hospital Association, Jennifer Jackson...............    84
Gartner Group, Inc., John Bace...................................    58
Information Technology Association of America (ITAA), Harris N. 
  Miller.........................................................    66
Prudential Insurance Company of America, Irene Dec...............    76


                       YEAR 2000 COMPUTER PROBLEM

                              ----------                              


                         THURSDAY, MAY 7, 1998

                  House of Representatives,
                       Committee on Ways and Means,
                                 Subcommittee on Oversight,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10 a.m., in 
room B-318, Rayburn House Office Building, Hon. Nancy L. 
Johnson (Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]

ADVISORY

FROM THE 
COMMITTEE
 ON WAYS 
AND 
MEANS

                       SUBCOMMITTEE ON OVERSIGHT

                                                CONTACT: (202) 225-7601
FOR IMMEDIATE RELEASE

April 30, 1998

No. OV-17

                    Johnson Announces Hearing on the

                       Year 2000 Computer Problem

     Congresswoman Nancy L. Johnson (R-CT), Chairman, Subcommittee on 
Oversight of the Committee on Ways and Means, today announced that the 
Subcommittee will hold a hearing on the potential effects of the year 
2000 (Y2K) computer problem on the Federal programs within the 
jurisdiction of the Committee on Ways and Means. The hearing will take 
place on Thursday, May 7, 1998, in room B-318 Rayburn House Office 
Building, beginning at 10:00 a.m.
      
     In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. 
Witnesses will include individuals testifying on behalf of the U.S. 
Departments of the Treasury and Health and Human Services, the Social 
Security Administration, the Office of Management and Budget and the 
U.S. General Accounting Office, as well as the private sector. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Committee and for 
inclusion in the printed record of the hearing.
      

BACKGROUND:

      
     Most computers and computer systems in use in the Federal 
Government today will not be able to function beyond the year 2000 
unless they are modified. In particular, this applies with respect to 
the Federal programs within the jurisdiction of the Committee on Ways 
and Means, including those administered by the U.S. Department of the 
Treasury, U.S. Department of Health and Human Services, and the Social 
Security Administration.
      
     Some computers cannot be modified and must be replaced. In 
addition, there are many items, like elevators or security systems, 
that are not directly related to computer systems which have embedded 
computer chips. Many of these chips are date dependent and require 
replacement in order to function beyond the year 2000.
      
     Currently most computers only store a two-digit number for the 
year, which makes the year 2000 indistinguishable from the year 1900. 
Computer operating systems and applications software that are dependent 
upon this two-digit year format will likely malfunction. Incorrect 
notices, penalty assessments, refund or beneficiary checks could 
result. Without proper renovation, computer malfunctions will cause 
many costly problems for both commerce and government.
      
     While fixing the two-digit year field is technically simple, the 
process of analyzing, renovating, and testing software and hardware for 
all computer systems that must interact is a very complex management 
task. For most of the Federal Government's computer systems, it is too 
impractical and expensive to purchase a completely new system. Most 
software must be modified to accommodate four-digit years or to 
incorporate some other interim solution. To determine whether a 
computer system needs to be modified, all of its software code must be 
reviewed, which can entail reading hundreds, or millions, of lines of 
computer code. The process of reading and interpreting the code is made 
more difficult by the many computer languages in use today and the 
shortage of programmers with skills in older languages. Most older 
programs which have been modified thousands of times over the years, no 
longer have the accompanying documentation.
      
     A further complication is that there is no single solution to be 
used to renovate computer systems for the year 2000. Rather, there are 
dozens of standards, public and proprietary, for storing and processing 
dates in computers.
      
     Although some may have doubted the seriousness of this problem a 
few years ago or had not focused on the potential risks to the success 
of their programs and systems, most business managers and government 
officials are now convinced that this will be a difficult and time-
consuming management challenge. Federal agencies have established Y2K 
program offices, and an interagency committee has overseen government-
wide actions. The century date change is a worldwide problem affecting 
every industry, locally, nationally, and internationally.
      
     The information gained in this hearing will be helpful to Congress 
in evaluating the progress made by each agency in renovating its 
computer systems and in determining whether legislation or other 
congressional action is necessary to help ensure that renovation is 
successful and timely.
      
     In announcing the hearing, Chairman Johnson stated: ``We have a 
very real problem with a very real deadline. The programs within our 
Committee's jurisdiction affect more than 260 million Americans. Our 
revenue programs affect every taxpayer and every business. Millions 
rely on our benefit programs for their health and well being. These 
people need assurance that the services that they rely on will not be 
disrupted by a computer failure. Today we are assessing the adequacy of 
the planning and management of the bureaus within the Committee's 
jurisdiction to avert a potential disaster.''
      

FOCUS OF THE HEARING:

      
     The hearing will explore the Y2K issues for the major program 
areas within the jurisdiction of the Committee on Ways and Means. In 
particular the Subcommittee will examine the implications of the Y2K 
computer problem for the various program beneficiaries, the potential 
risks to program missions, and major remaining program vulnerabilities.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
     Any person or organization wishing to submit a written statement 
for the printed record of the hearing should submit six (6) single-
spaced copies of their statement, along with an IBM compatible 3.5-inch 
diskette in WordPerfect 5.1 format, with their name, address, and 
hearing date noted on a label, by the close of business, Thursday, May 
21, 1998, to A.L. Singleton, Chief of Staff, Committee on Ways and 
Means, U.S. House of Representatives, 1102 Longworth House Office 
Building, Washington, D.C. 20515. If those filing written statements 
wish to have their statements distributed to the press and interested 
public at the hearing, they may deliver 200 additional copies for this 
purpose to the Subcommittee on Oversight office, room 1136 Longworth 
House Office Building, at least one hour before the hearing begins.
      

FORMATTING REQUIREMENTS:

      
     Each statement presented for printing to the Committee by a 
witness, any written statement or exhibit submitted for the printed 
record or any written comments in response to a request for written 
comments must conform to the guidelines listed below. Any statement or 
exhibit not in compliance with these guidelines will not be printed, 
but will be maintained in the Committee files for review and use by the 
Committee.
      
     1. All statements and any accompanying exhibits for printing must 
be submitted on an IBM compatible 3.5-inch diskette in WordPerfect 5.1 
format, typed in single space and may not exceed a total of 10 pages 
including attachments. Witnesses are advised that the Committee will 
rely on electronic submissions for printing the official hearing 
record.
      
     2. Copies of whole documents submitted as exhibit material will 
not be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
     3. A witness appearing at a public hearing, or submitting a 
statement for the record of a public hearing, or submitting written 
comments in response to a published request for comments by the 
Committee, must include on his statement or submission a list of all 
clients, persons, or organizations on whose behalf the witness appears.
      
     4. A supplemental sheet must accompany each statement listing the 
name, company, address, telephone and fax numbers where the witness or 
the designated representative may be reached. This supplemental sheet 
will not be included in the printed record.
      
     The above restrictions and limitations apply only to material 
being submitted for printing. Statements and exhibits or supplementary 
material submitted solely for distribution to the Members, the press, 
and the public during the course of a public hearing may be submitted 
in other forms.
      

    Note: All Committee advisories and news releases are available on 
the World Wide Web at `HTTP://WWW.HOUSE.GOV/WAYS__MEANS/'.
      

    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.
      

                                

    Chairman Johnson of Connecticut [presiding]. Good morning, 
and welcome to all of you this morning. I am sorry that there 
are not chairs enough for everyone, but if experience is a 
guide, there will be.
    Hardly a day goes by when we don't read a newspaper article 
or see a story on television about the year 2000. A problem 
with its own catchy acronym, Y2K, that is quickly becoming a 
household word. Some have suggested that we are headed toward a 
millennium meltdown with a high probability of a nationwide 
recession. Others have suggested it will merely be annoying.
    Changing the date field to distinguish between January 1, 
2000 and 1900 is not technically difficult. What is 
challenging, however, is finding the data fields in old 
undocumented computer programs and searching for date-dependent 
computer chips embedded in noncomputer systems, such as 
elevators and security systems. Each must be modified in order 
to function in the year 2000. The enormity of the problem 
becomes evident when you consider that these modifications must 
be made by every organization, public and private, on every 
computer system that considers dates in any manner. Then, all 
those modified systems must be integrated and tested to make 
certain they produce consistent and accurate results.
    Just in the Federal agencies alone, we have more than 7,850 
mission-critical systems which must be able to function 
correctly by the year 2000. Of these mission-critical systems, 
1,126 are within this Committee's jurisdiction, and nearly all 
must be able to exchange information with each other, State and 
local systems, and private sector systems to be able to make 
proper calculations for millions of Social Security recipients, 
Medicare beneficiaries, and taxpayers. These systems must be 
able to keep accurate beneficiary records and taxpayer 
accounts.
    What has become evident to me is that this is a major 
management problem with a technical component. The Federal 
Government is not known for its ability to manage well, 
particularly its computer system modernization efforts. Yet, 
millions of beneficiaries and taxpayers find themselves relying 
on these managers to rise to the year 2000 challenge. While it 
is hard to have complete confidence in agencies that 
historically have been unable to successfully deliver computer 
systems that function properly and on schedule, January 1, 
2000, is a finite date that cannot be missed without affecting 
millions and millions of Americans. It is our job in Congress 
to see that beneficiaries and taxpayers are protected against 
risks that may result in computer error systems from government 
systems that are not year 2000 compliant.
    We're here today to hear from the major agencies within the 
Ways and Means Committee's jurisdiction how they are 
progressing toward the Y2K challenge and what confidence we 
should have that the affected taxpayers and beneficiaries will 
be properly served in the next century. We are interested in 
the risks that the agencies have identified and the actions 
that they are taking to manage those risks as well as their 
plans for contingencies.
    We will also be hearing from private sector representatives 
about their efforts to manage their risks inherent in the Y2K 
effort. Many of these organizations are data trading partners 
with our agencies and will be affected in a major way by the 
success or failure of the Federal effort. Finally, we will hear 
from representatives of the U.S. General Accounting Office 
about the Y2K vulnerabilities that remain in our agencies' 
programs and what actions are being taken to fix these systems 
in time to avoid catastrophic consequences.
    This is not solely a U.S. problem, it is a global one. 
Edward Yardeni, a noted economist from Deutsche Morgan 
Grenfell, has studied the problem--who as studied the problem, 
rates the odds that it will trigger a deep worldwide recession 
at 60 percent. While some consider this to be a pessimistic 
view, and I consider it to be a pessimistic view, the current 
focus on Asian financial instability and Eurodollar conversion 
may divert resources from being committed to properly preparing 
for the year 2000 and this could have serious economic 
consequences. There will always be pockets of those in the 
private sector who did not take the actions needed to look out 
for their business and economic interests. However, at the very 
least, it is our job to see that the public sector systems are 
ready with sufficient capacity to the economic needs of the 
private sector. We cannot afford to fail the millions of 
Americans who are relying on the public sector effort to be 
successful.
    And, so, today, we bring our more comprehensive oversight 
effort at reviewing those systems under our jurisdiction, and I 
welcome all the witnesses here today. I know this is going to 
take a good deal of time, but I think the interrelationship of 
the different panels is important to our understanding where we 
are in meeting the challenge of this problem.
    [The opening statement follows:]

Statement of Hon. Nancy L. Johnson, a Representative in Congress from 
the State of Connecticut

    Good morning. Hardly a day goes by when we don't read a 
news paper article or see a story on TV about the year 2000 
computer problem. A problem with its own catchy acronym--
``Y2K''--that is quickly becoming a household term. Some have 
suggested that we are headed towards a ``millennium meltdown'' 
with a high probability of a nationwide recession. Others have 
suggested it merely will be annoying.
    Changing the date field to distinguish between January 1, 
2000 and 1900 is not technically difficult. What is 
challenging, however, is finding the date fields in old 
undocumented computer programs and searching for date-dependent 
computer chips embedded in non-computer system items such as 
elevators and security systems. Each must be modified in order 
to function in the year 2000. The enormity of the problem 
becomes evident when you consider that these modifications must 
be made by every organization, public and private, on every 
computer system that considers dates in some manner. Then, all 
those modified systems must be integrated and tested to make 
certain they produce consistently accurate results.
    Just in the Federal agencies alone, we have more than 7,850 
mission critical systems which must be able to function in the 
year 2000. Of these mission critical systems, 1,126 are within 
this Committee's jurisdiction--and nearly all must be able to 
exchange information with each other, state and local systems, 
and private sector systems--to be able to make proper 
calculations for millions of Social Security recipients, 
Medicare beneficiaries and taxpayers. These systems must be 
able to keep accurate beneficiary records and taxpayer 
accounts.
    What has become evident to me is that this is a major 
management problem with a technical component. The Federal 
government is not known for its ability to manage well, 
particularly its computer system modernization efforts. Yet 
millions of beneficiaries and taxpayers find themselves relying 
on these managers to rise to the year 2000 challenge. While it 
is hard to have complete confidence in agencies that 
historically have been unable to successfully deliver computer 
systems that function properly on schedule, January 1, 2000 is 
a finite date that cannot be missed--without effecting millions 
of Americans. It is our job, in Congress, to see that 
beneficiaries and taxpayers are protected against risks that 
may result in computer system errors from government systems 
that are not year 2000 compliant.
    We are here to learn today from the major agencies within 
the Ways and Means Committee jurisdiction how they are 
progressing towards meeting the Y2K challenge and what 
confidence we should have that the effected taxpayers and 
beneficiaries will be properly served into the next century. We 
are interested in the risks that the agencies have identified 
and the actions that they are taking to manage those risks as 
well as their plans for contingencies.
    We also will be hearing from private sector representatives 
about their efforts to manage risks inherent in the Y2K effort. 
Many of these organizations are data trading partners with our 
agencies, and will be affected in a major way by the success or 
failure of the Federal effort. Finally, we will hear from 
representatives from the U.S. General Accounting Office about 
the Y2K vulnerabilities that remain in our agencies' programs 
and what actions need to be taken to fix these systems in time 
to avoid catastrophic consequences.
    This is not solely a U.S. problem; it is a global one. 
Edward Yardeni, a noted economist from Deutsche Morgan 
Grenfell, who has studied the problem, rates the odds that it 
will trigger a deep world-wide recession at 60 percent. While 
some may consider this to be a pessimistic view, the current 
focus on Asian financial instability and Eurodollar conversion 
may prevent others from committing the necessary resources to 
properly prepare for the year 2000 and could have serious 
economic consequences. There will always be pockets of those in 
the private sector who do not take the actions needed to look 
out for their business or economic interests. However, at the 
very least, it is our job to see that the public sector systems 
are ready with sufficient capacity to the economic needs of the 
private sector. We cannot afford to fail the millions of 
Americans win are relying on the public sector effort being 
successful.
      

                                

    Chairman Johnson of Connecticut. And at this point, I'd 
like to yield to my colleague, Mr. Coyne.
    Mr. Coyne. Thank you, Madam Chairman.
    Today, we will continue our review of the progress being 
made by departments and agencies within this Committee's 
jurisdiction to ensure a smooth computer system conversion 
process at the turn of the century. The year 2000 conversion 
process arises because many computer systems store dates using 
only the last two digits for the year. For such computers, the 
year 2000 will be indistinguishable from the year 1900.
    Correcting a year field is technically simple. However, the 
process of analyzing, correcting, testing, and integrating 
computer systems is a very complex and time-consuming task. The 
challenges facing the Federal Government are very similar to 
those facing the State and local governments, the private 
sector, foreign countries, and international organizations. 
While each entity needs to be prepared for the year 2000 
internally, it is also critical that its data exchanges be year 
2000 compliant in order to avoid systems breakdowns. The 
magnitude of the situation is daunting. Recent estimates 
indicate U.S. business are likely to spend between $30 and $50 
billion addressing year 2000 changes, and that worldwide 
conversion costs could be between $300 and $600 billion.
    It is timely that we review the overall year 2000 
activities of the Department of Treasury, and Health and Human 
Services, as well as the progress being made in the Internal 
Revenue Service, U.S. Customs Service, the Health Care 
Financing Administration, and the Social Security 
Administration.
    By and large, it appears that these Federal agencies are on 
track and are taking the year 2000 conversion process 
seriously. Nonetheless, as the General Accounting Office 
reported last week, and I quote: ``The public continues to face 
a high risk that critical services provided by the Federal 
Government and the private sector could be severely disrupted 
by the year 2000 computing crisis.''
    In my opinion, the Subcommittee needs to ask the witnesses 
before us today the same fundamental questions being asked by 
the President's Council on the Year 2000 Conversion, and that 
is, what are your major risks? What are the most significant 
obstacles to removing those risks? And what contingency plans 
are appropriate in light of that analysis? From an Oversight 
Subcommittee standpoint, I would add two questions relating 
particularly to the Department of Treasury and the IRS, do you 
have the resources needed to get the job done? And, at the end 
of the day, is the conversion process going to be a success?
    I look forward to exploring these issues with each of the 
witnesses, and I thank the Subcommittee Chairman, Mrs. Johnson, 
for scheduling today's hearing.
    Thank you.
    [The opening statements follow:]

Statement of Hon. William J. Coyne, a Representative in Congress from 
the State of Pennsylvania

    Today, the Ways and Means Oversight Subcommittee will 
continue its review of progress being made, by departments and 
agencies in the Committee's jurisdiction, to insure a smooth 
computer system conversion process at the turn of the Century.
    The year 2000 conversion process arises because computer 
systems store dates using only the last two digits for the 
year. For such computers, the year 2000 will be 
indistinguishable from the year 1900. Correcting a year field 
is technically simple. However, the process of analyzing, 
correcting, testing, and integrating computer systems is a very 
complex and time-consuming task.
    The challenges facing the Federal Government are very 
similar to those facing state and local governments, the 
private sector, foreign countries, and international 
organizations. While each entity needs to be prepared for year 
2000 internally, it also is critical that its data exchanges be 
year-2000-compliant in order to avoid systems breakdowns.
    The magnitude of the situation is daunting. Recent 
estimates indicate that U.S. business are likely to spend 
between $30 and $50 billion addressing year 2000 changes, and 
that worldwide conversion costs could be between $300 and $600 
billion.
    It is timely that we review the overall year 2000 
activities at the Departments of the Treasury and Health and 
Human Services, as well as progress being made at the Internal 
Revenue Service, the U.S. Customs Service, the Health Care 
Financing Administration, and the Social Security 
Administration. By in large, it appears that these Federal 
departments and agencies are on track and taking the year 2000 
conversion process seriously.
    Nonetheless, as the U.S. General Accounting Office reported 
last week, ``the public continues to face a high risk that 
critical services provided by the Federal Government and the 
private sector could be severely disrupted by the year 2000 
computing crisis.''
    In my opinion, the Subcommittee needs to ask the witnesses 
before us today, the same fundamental questions being asked by 
the ``President's Council on the Year 2000 Conversion.'' They 
are:
     What are your major risks?
     What are the most significant obstacles to 
removing those risks? and,
     What contingency plans are appropriate in light of 
that analysis?
    From an Oversight Subcommittee standpoint, I would add two 
questions relating particularly to the Department of the 
Treasury and the IRS:
     Do you have the resources needed to get the job 
done? and,
     At the end of the day, is the conversion process 
going to be a success?
    I look forward to exploring these issues with each of the 
witnesses. I also want to thank Subcommittee Chairwoman Johnson 
for scheduling this important hearing.
      

                                

Statement of Hon. Jim Ramstad, a Representative in Congress from the 
State of Minnesota

    Madam Chairman, thank you for convening this important 
hearing on the Year 2000 (Y2K) Problem.
    The possible malfunction of the government's computer 
systems is a critical issue for all Americans. The magnitude of 
this potential problem is illustrated by the number of 
representatives we have here today. All of our constituents 
have a vested interest in how the different aspects of their 
government are working to avoid a potential disaster.
    Some progress on solving the Year 2000 problem has been 
made. But as January 1, 2000 rapidly approaches it is up to 
Congress to enure that we are doing our part to help solve this 
problem. We need to ensure that the people we represent are not 
left without the health care and financial services upon which 
they depend.
    I am pleased that this hearing will allow us to examine 
what the different agencies under our jurisdiction are doing to 
be prepare for the year 2000 and how they are coordinating 
their efforts with the organizations in the private sector with 
which they work.
    Again, Madam Chairman, thank you for your own leadership in 
looking into the Year 2000 computer problem by holding this 
critical hearing.
      

                                

    Chairman Johnson of Connecticut. Thank you very much. Our 
first witness is going to be Mr. Rossotti, who has to leave, so 
after his--after your statement, Commissioner, then I'll ask 
the members of the panel if they have any questions, if there's 
time enough for you. And, then you'll leave and we'll hear from 
the rest of the panel. Thank you.
    Mr. Rossotti.

 STATEMENT OF HON. CHARLES O. ROSSOTTI, COMMISSIONER, INTERNAL 
                        REVENUE SERVICE

     Mr. Rossotti. Thank you, and I appreciate that very much, 
Madam Chairman. And thank you for the opportunity to discuss 
the IRS' century date change program. I have just a brief oral 
statement and I'd ask that my full testimony be included in the 
record.
    Chairman Johnson of Connecticut. So ordered.
    Mr. Rossotti. Madam Chairman, the Y2K conversion, in 
conjunction with our preparations for the next filing season, 
are, without a doubt, our highest technology priorities. And I 
stress that we are very aggressively managing this almost $1 
billion program. We are trying to identify risks and take 
timely action to ensure that the overriding goal of continuous 
service is fulfilled. I also want to mention, however, that on 
a program of this kind we have to often adjust deadlines and 
timetables as we identify new risks and new issues. So Y2K 
remains, not only a high priority, but a high risk that will 
require a continued intense focus by all of us to succeed.
    I think that a big part of our challenge at the IRS is not 
only our computer programs, our applications programs which is 
what most people think of in terms of fixing the date field, 
but the enormous inventory of other kinds of technology, 
hardware, and software, and telecommunications that we have in 
the IRS. This includes about 80 mainframe computers, 1,400 
minicomputers, over 100,000 personal computers, and a massive 
set of telecommunications networks that have over 100,000 
components in them.
    Because of the size of this inventory, as well as its age, 
fragmentation, and a wide variety of different vendor products 
associated with the infrastructure, the success of the overall 
Y2K program requires a strong central management and oversight 
of this whole combined program. In addition, we have to work 
with other outside parties such as the General Services 
Administration, who ensure that our buildings and facilities, 
including leased facilities, have operational elevators, 
physical security, equipment, and so forth after the century 
date change.
    I have personally placed an extremely high priority on this 
Y2K project from literally the first week that I took office. 
One of the first things that I did was to organize an executive 
steering committee, which I chair myself, and it has 
representatives of all the key decisionmakers within the IRS, 
as well as the Treasury Department and even our National 
Treasury Employees Union. Recently, a representative from the 
GAO has been sitting in these meetings with us. In between 
these meetings, which are very important because they tend to 
``tee-up'' exactly the decisions that we need to make, I also 
meet quite regularly with the Acting Chief Information Officer, 
and other executives to deal with specific issues and to 
monitor risks. We also have a variety of independent 
assessments going on from outside organizations, such as, 
consulting firms Booz-Allen and Hamilton, and Andersen 
Consulting, as well as active use of our internal audit staff 
which has actually very good technology auditing capabilities 
within the IRS. And, of course, the GAO assessments.
    Madam Chairman, in my testimony, I want to give a balanced 
assessment of the situation that we're in but I don't want to 
minimize what is obviously a dangerous and risky situation. Let 
me describe some of the risk areas, and some of the things that 
we're trying to do about it. In addition to the conversion 
probe of the century date change and all the infrastructure, we 
have the unique situation--maybe it's not unique--but we have 
the situation at the IRS that at this very time, this calendar 
year, we also have to implement about 750 to 800 tax law 
changes that stem from the 1997 Taxpayer Relief Act. Most of 
them are effective this tax year. These changes are being made 
to the same computer programs, by the same programmers and are 
being managed by the same people working on the century date 
change. So we are managing that as an integrated program with 
our century date change.
    In order to try to mitigate that risk, one of the things 
that we did, that I did, actually, toward the end of last year 
was to try to accelerate, by at least several months, the 
normal schedule for doing these annual tax law changes so we 
would buy some elapsed time to make these changes. 
Nevertheless, even with that accelerated schedule, as we speak 
today in early May, none of these 750 to 800 changes has 
actually been implemented yet. In fact, some of them we met on 
this week and are not yet completely defined. So we have a 
significant job to complete that along with the century date 
change application programming this year.
    Another important thing that we are attempting to turn our 
attention to right now, it has been underway for some time, but 
we're starting to focus more attention on it, is the planning 
for 1999 for our integrated end-to-end integration test. We 
will have to do a complete test of all these different pieces 
fitting together, the applications programs, the different 
kinds of computers, the software, and the telecommunications 
network. We will have to do a large-scale, integrated end-to-
end for this next year.
    In reflecting on this, I realize that this is probably 
going to be the largest single test of a business-type computer 
system ever, anywhere. There is no precedent that I'm aware of 
for this kind of a test. Planning for this is something that we 
have already underway and is going to be quite challenging.
    Of course, we also have not only ourselves to worry about, 
but external trading partners as, I believe, you and Mr. Coyne 
mentioned in your opening statements. We have been also working 
on that. We have had an independent assessment with the aid of 
an outside firm looking at our 13 major trading partners, 
including the Social Security Administration, the Financial 
Management Service, and, of course, the key providers of our 
electronic payments, and our third-party information returns. 
And we have a program in place to work together and to identify 
what risks we have with those external trading partners.
    Finally, I want to mention, as GAO has pointed out, that we 
need to also spend some of our time trying to work on 
contingency plans where we can, in those cases where there 
might not be full success in converting some of our technology. 
We're spending some of our effort on doing this kind of 
contingency planning. We're trying to focus our efforts, 
because we have limited management resources, on those areas 
where there would obviously be a high business impact, where 
there's a higher risk than other places where the schedule 
might slip. And also, of course, where there is a practical 
contingency plan that we can develop which doesn't apply in all 
cases. There are some places where there really is no 
contingency plan of any practical kind for the IRS. So we are 
working on that as well.
    I guess I would just conclude by saying that this is a 
massive challenge. It requires a great deal of time and effort, 
which displaces other things that we would like to do. We will 
gain some benefit from this because I think the learning 
experience of conducting and managing this kind of a project in 
a place like the IRS will have some residual benefit in helping 
us to improve, certainly our inventory of technology, but also 
our management practices and our system life cycle. I think if 
you want to conclude where we are, I think that we are making 
progress. We are managing it aggressively, but clearly there 
are substantial risks remaining in specific technical areas, 
such as our tier 2 hardware and software, which is a complex 
area for us; our telecommunications network; and this large 
end-to-end integration test that we're going to have to do next 
year.
    The final point is that I would just want to point out to 
the Committee, as we're discussing with members of the staff 
and Members over on the Senate side, that some of the 
provisions in the IRS restructuring bill that came out of the 
Senate Finance Committee, we believe need to have later 
effective dates than were in their draft in order for us to 
make this whole thing workable. This is not a matter of policy 
or desirability, it is just a feasibility question of how we 
will be able to accommodate some of these changes in light of 
all the other demands that we have on us. And, obviously, we 
have to give priority to maintaining uninterrupted service with 
the technology that we have.
    So, let me just conclude there, Madam Chairman, and I would 
be happy to answer questions.
    [The prepared statement follows:]

Statement of Hon. Charles O. Rossotti, Commissioner, Internal Revenue 
Service

    Madame Chairman and Distinguished Members of the 
Subcommittee:
    Thank you for the opportunity to discuss the Internal 
Revenue Service's (IRS') progress concerning the Century Date 
Conversion project.

                        Program Scope and Status

    The IRS is a huge enterprise, employing more than 100,000 
individuals in service centers, regional offices, district 
offices and posts of duty across the United States and around 
the world. A $1.7 trillion financial services organization, the 
IRS depends on its automated systems to process tax returns, 
issue refunds, deposit payments, and provide employee access to 
timely and accurate taxpayer account data.
    The IRS information technology organization faces major 
challenges associated with new tax law changes that require 
extensive reprogramming of legacy systems each filing season. 
For example, the Taxpayer Relief Act of 1997 requires the IRS 
to make more than 750 legacy systems changes for the 1999 
filing season.
    In addition, the scope and short time frames associated 
with our massive century date conversion project present 
tremendous challenges to our technical management of IRS 
systems. If not corrected, most existing application systems 
are programmed to display 00 in the year fields, and after 
January 1, 2000, would incorrectly use 1900 for the year in 
date-based calculations. Failure to identify, renovate and test 
each of these system calculations could result in catastrophic 
disruption to taxpayers and the government. For example, 
millions of erroneous tax notices, refunds, bills, taxpayer 
account adjustments, accounting transactions and financial 
reporting errors could be generated. Clearly, the IRS' role in 
collecting revenue supporting 95 percent of the federal 
government's operations could be jeopardized if the Century 
Date program is not completed in a timely fashion.
    Adding to the challenge is our largely non-Year 2000 
compliant technical infrastructure which includes more than 80 
mainframes, 1,400 minicomputers, 130,000 personal computers and 
massive telecommunications networks comprised of more than 
100,000 components. Because of the number, age, fragmentation, 
and variety of products associated with this infrastructure, 
successful implementation of these aspects of our Year 2000 
program require strong central management and oversight. Plans 
for upgrading and/or replacing these components must be 
integrated into the overall program management plan, schedule, 
and budget. Lastly, to ensure century date compliance, it is 
essential that the IRS continues to work with its landlord, the 
General Services Administration, to ensure that IRS buildings 
and leased facilities and equipment, including elevators and 
physical security systems, are upgraded or replaced.

Major elements of the IRS Year 2000 program are as follows:

     Application Systems Conversion
    The IRS currently supports 127 mission-critical application 
systems comprising 85,000 modules and approximately 50 million 
lines of code. IRS has five phases for code conversion, each 
six months long, and has completed three phases to date. As of 
April 24, 1998, the IRS has renovated 83 of its 127 mission-
critical systems and tested 62. Fifty-nine of these systems 
were placed back into production. These systems are working 
effectively and contributed to a successful filing season. We 
are on schedule to complete the systems conversion by January 
1999.
     Tier II (minicomputer) and Tier III (personal 
computer) Platforms
    Tier II and Tier III computers and their associated systems 
software (operating systems, data bases, etc.) require 
replacement or upgrades. Century date compliance for more than 
1,400 minicomputers and 130,000 personal computers largely 
depends on obtaining vendor upgrades; many are only now being 
made available in the market place. We are currently evaluating 
and testing these components to ensure they are compliant. This 
year we will replace/upgrade over 35,000 personal computers; 
over 100 minicomputers will be replaced and several hundred 
more will be upgraded.
     Telecommunications
    The critical IRS network backbone is supported through the 
Treasury Communications System (TCS) contract. A network 
component inventory was received from the contractor. We are 
reviewing and validating these data as well as the contractor's 
site specific plans to convert the network. Given the need to 
upgrade or replace thousands of components within the TCS 
network, as well as additional IRS proprietary networks which 
themselves comprise nearly 30,000 components, the network 
conversion represents a significant challenge. Integrated 
project management teams were formed with the TCS contractor, 
and we have engaged the services of other contractors to assist 
us in completing this critical effort.
     External Trading Partners
    The IRS is but one of many data dependent public (e.g., 
Financial Management Service and Social Security 
Administration) and private sector organizations (e.g., banks 
and financial institutions) which both send and receive data 
from one another. At this time, IRS efforts are on schedule to 
validate the accuracy of both incoming century date compliant 
data from a variety of sources and outgoing IRS century date 
compliant data to its trading partners. Over 60 percent of our 
trading partner files have been made compliant, and the 
remainder are scheduled for conversion by January 1999.
     Non-Information Technology
    A critical component of the non-information technology 
(non-IT) aspect of the program depends on the General Services 
Administration which is performing an inventory of its 
facilities. In addition, we are working with a contractor to 
complete an assessment of IRS-owned facilities and personal 
property. These inventories will be completed shortly, and cost 
and schedule information will be available in early summer.
     Testing
    Even prior to identifying the Century Date Conversion 
testing requirements, the Information Systems Product Assurance 
Division, responsible for Systems Acceptance Testing, lacked 
sufficient resources to fulfill its mission. In 1996, the 
Division was able to test only 20 percent of the systems placed 
into production. While some progress has been made, the 
Division's current testing operation covers only 30 percent of 
the agency's production systems.
    Given the critical need to undertake a comprehensive end-
to-end Century Date systems test, we will dedicate 
significantly more IRS and contractor resources to these 
testing efforts. Internal IRS hiring is underway, and detailed 
integration test plans are currently being developed in 
conjunction with contractors who will support this effort.
     Mainframe Consolidation
    Instead of investing more than $250 million to upgrade the 
agency's computer mainframes to ensure century date compliance, 
the IRS proposed and received Congressional approval for a 
mainframe consolidation program that consolidates 67 mainframes 
currently located at 10 service centers into 12 mainframes 
located at two computing centers. These mainframes support IRS 
returns processing, customer service and compliance operations. 
The consolidation program will provide for both century date 
compliance and savings of more than $250 million over 10 years. 
In addition, this initiative will position the IRS to take 
significant steps forward in its long-term information 
technology modernization efforts. The rollout of a century date 
compliant network of approximately 16,000 personal computers 
and related equipment will standardize a major component of the 
IRS telecommunications infrastructure, thus improving the 
ability to communicate among systems. In an effort to mitigate 
risks and incorporate additional business requirements for 
disaster recovery and increased systems capacity based on new 
customer service needs, we are extending the time frame for 
completing the mainframe consolidation effort; however, the 
components of the project required to achieve Year 2000 
compliance are currently on schedule and will be completed by 
December 1998.
     Integrated Submissions and Remittance Processing 
System
    Integrated Submissions and Remittance Processing (ISRP) 
replaces the antiquated Distributed Input System (DIS) and 
Remittance Processing System (RPS) which form the core of the 
tax processing input pipeline that processes more than 200 
million tax returns and accounts for tax revenues of over $1.5 
trillion. ISRP is currently in pilot status at the Austin 
Service Center and is on schedule to be fully implemented in 
all 10 service centers for the 1999 filing season. As of April 
18, 1998, ISRP has processed approximately two million tax 
returns and $1.3 billion in payments.

                            Mitigating Risk

    Without exception, the Century Date Conversion is the 
Service's highest technology priority. While the IRS assigned 
its most senior and qualified management to this program prior 
to my appointment as Commissioner, I reinforced the priority of 
this project by organizing and chairing a monthly Executive 
Steering Committee with representatives from Treasury, IRS, the 
General Accounting Office and the National Treasury Employees 
Union. As part of this process, I am personally monitoring the 
status of all Year 2000 activities and critical components. 
(See attached project overview for current status assessment.) 
I also meet on a regular basis with IRS' Acting Chief 
Information Officer and other top executives to obtain 
individual project status updates, monitor key risks, and make 
sure that necessary actions are being taken. In addition, 
recognizing the need to validate that we are doing everything 
we can to ensure that IRS is Year 2000 compliant, we initiated 
continuous independent assessments by organizations such as 
Booz-Allen & Hamilton, Inc. and Andersen Consulting, and 
continued Internal Audit and GAO assessments of our Year 2000 
program.
    I can assure you that this effort has top-level management 
commitment; however, I don't want to minimize the risks 
associated with this effort and the need to develop the 
following strategies:
     Planning and Implementing an Integrated Century 
Date Conversion and 1999 Filing Season Strategy
    Considering the extent of the Taxpayer Relief Act systems 
changes that require reprogramming of the same legacy systems 
that must be made century date compliant by January 1999, it is 
essential to develop and implement an integrated Century Date/
1999 Filing Season Plan. To mitigate risk, the IRS accelerated 
by several months the process for identifying the filing season 
related systems changes that would be incorporated into the 
integrated plan.
     Contingency Planning
    Given the scope of the IRS program and its critical 
importance to both the nation's economy and its taxpayers, it 
is imperative that the Service's mission-critical systems 
continue to function properly in the new millennium. While the 
IRS has made substantial progress, the risks are still 
significant. Accordingly, the IRS must develop contingency 
plans to manage any adverse impacts of a less-than-fully 
successful century date program. These plans must address the 
needs of the IRS, as well as those of our data exchange 
partners. We intend to concentrate on those areas that have 
high business impact, significant Year 2000 complexity, and may 
not be completed on time or successfully. This will allow us to 
work on aspects that have the greatest risk, while leveraging 
the majority of limited resources on Year 2000 conversion and 
testing.
                                 Budget

    Projected FY 1998 cost estimates are $454 million, which 
includes:
     $ 234.3 million for Year 2000 work under the 
Century Date Change Project Office ($170 million appropriated; 
remaining covered through reprogramming);
     $ 52.4 million for the Integrated Submission and 
Remittance Processing System; and
     $ 167.3 million for the Service Center Mainframe 
Consolidation (SCMC) which also includes funding for 
relocation/retraining and project staff.
    The IRS Century Date Change Project Office currently has 
specific budget requests totaling well over $170 million for 
fiscal year 1998. The $170 million only includes a small amount 
for non-IT conversion (the initial study) and additional funds 
are needed in this area as well as for Telecommunications, Tier 
II and Tier III hardware and commercial-off-the-shelf software, 
and Applications Conversion/Testing for non-CIO owned systems. 
In addition, funding for a Human Resources Retention Allowance 
Strategy for key IS resources is essential to successful 
completion of Year 2000 activities. Both House and Senate 
Appropriations Subcommittees have approved the use of prior 
year inter-appropriation transfer authority to move unobligated 
balances from IRS' non-Information Systems accounts for fiscal 
years 1993, 1994, 1996, and 1997 to cover approximately $50 
million of these additional Year 2000 requirements. The IRS is 
reviewing its current year resources to identify funds to cover 
the balance of these additional needs.
    IRS' FY 1999 cost estimate for Century Date Change Project 
Office Year 2000 Project expenditures was $140 million, of 
which $50 million was held as a contingency until the IRS was 
able to complete its analysis of specific requirements. Since 
the budget was submitted, specific uses for $38.6 million of 
the $50 million contingency have been identified. The needs 
consist of: Non-Information Technology conversion, Tier III 
Hardware, Program Management, and the Human Resource Retention 
Allowance. The contingency is thus reduced from $50 million to 
$11.4 million. Total FY 1999 costs for Year 2000 Project 
Expenditures may increase as additional needs are identified.
    Attached is a chart of estimated Y2K costs for FY 1997 
through 2001.

                             Opportunities

    While the primary goal is to timely complete the century 
date conversion, the IRS plans to leverage a variety of 
opportunities stemming from the project:
     Eliminate Duplicate Applications
    From an inventory of an estimated 20,000 computer 
applications, we asked business owners to eliminate duplicate 
applications and establish the ``best in breed'' as a national 
standard application. The IRS has already retired 3,000 
business-supported applications, and expects to retire 
approximately 3,500 additional program components. Looking 
ahead, IRS will limit the growth of future applications to 
better manage its Information Technology investments.
     Create, within IS, a project planning and 
management environment.
    Century Date conversion is a massive project management 
challenge which requires the thoughtful development and 
faithful execution of a rigorous plan. We do not intend to walk 
away from the lessons learned and project management experience 
gained from this effort. We will use these tools and expertise 
in adopting systems life cycle best practices, policies and 
procedures for future information technology investments.

                               Conclusion

    In conclusion, the Year 2000 effort at the IRS, a $1 
billion project, is one of the federal government's most 
formidable challenges. Although we are making sustained 
progress and are on schedule, risks remain in specific 
technical areas such as Tiers II and III hardware, 
Telecommunications, End-to-End Integration Testing and non-
Information Technology equipment. Because of its many 
stakeholders and interfaces, the IRS' Year 2000 program is 
highly complex. The IRS is working with its vendors to obtain 
Year 2000 compliant versions of their products. In addition, an 
independent risk assessment was conducted of IRS' major trading 
partners' Year 2000 conversion efforts (e.g., Social Security 
Administration, Financial Management Service, as well as key 
providers of electronic payments, returns and third party 
documents) to identify problems and work through solutions. 
Because the risks are so significant, the IRS is developing 
contingency plans to manage any adverse impacts of a less than 
successful Century Date Program.
    Finally, the Administration has serious concerns with 
provisions of the IRS restructuring legislation that require 
changes to IRS computer systems in 1998 and 1999. Mandating 
these changes according to the schedule currently in the bill 
would make it virtually impossible for the IRS to ensure that 
its computer systems are Year 2000 compliant by January 1, 
2000, and would create a genuine risk of a catastrophic failure 
of the Nation's tax collection system in the year 2000. Both 
Secretary Rubin and I have written the Senate Finance Committee 
warning them of this risk and recommending that the effective 
dates be modified in accordance with the schedule set forth in 
my April 23, 1998 letter.


[GRAPHIC] [TIFF OMITTED] T3365.002

      

                                

    Chairman Johnson of Connecticut. Thank you, Commissioner. 
You mentioned a couple of different times in your testimony 
that your, that dates were being adjusted.
    Mr. Rossotti. Yes.
    Chairman Johnson of Connecticut. At one point you had hoped 
to complete most of the work by January 1999 in order to be in 
a better position to test and to do the kind of end-to-end 
integration testing that is necessary. What has happened to 
that January date?
    Mr. Rossotti. Well, the January date is still the target 
date for all the critical, mission-critical things that we have 
to be able to complete in time to have this end-to-end test. 
But, there are some things that we can delay. For example, our 
mainframe consolidation project has also the objective of cost 
savings and bringing all the computers into two computing 
centers, there are some parts of that where we don't have to 
absolutely have to do the consolidation effort in 1998 because 
we do have the ability to upgrade some of the computers that 
are out in the service centers. So we're going to do that, 
we're going to upgrade, as one of the contingency plans I 
mentioned, the mainframes that are out in the service centers 
that will allow us to have more time to do the consolidation 
without impacting on our ability to do the filing season in 
1999 and the integration test later on. That's an example of 
one of the kinds of dates. And that's a pretty big one because 
that's a very major part of the project and it's also a large 
consumer of management time.
    In addition, there are other things that we adjust. For 
example, as a result of an internal audit project which I 
requested, which did a sample testing--did a test of a sample 
of some of the programs that have been converted. We found that 
there were some procedures that needed to be adjusted but there 
were also some certain kinds of errors that were detected that 
we had not been, I think, finding and fixing adequately enough. 
So we've added another step in there that we're going to do 
this summer to do a complete additional kind of test at the 
component level of the inventory of application programs. Those 
are the kinds of things I'm talking about where we're adjusting 
dates and adjusting programs as we get new information.
    Chairman Johnson of Connecticut. In your earlier 
discussions, you were very high on at least succeeding and 
completing one of the consolidation centers----
    Mr. Rossotti. Yes.
    Chairman Johnson of Connecticut. It sounds to me like 
you're probably deferring that effort now?
    Mr. Rossotti. No, we're not deferring the whole effort. 
We're working very hard on it. That whole mainframe 
consolidation has a number of different pieces to it. The two 
pieces that are absolutely critical for Y2K, because there's no 
alternative, are what's called the Communications Replacement 
System, and the replacement of some of the desktop top 
terminals. Those are, within a small margin, reasonably on 
schedule. The piece that involves actually taking all the 
mainframes out of the 10 service centers and bringing them in 
is the part where we have more flexibility with respect to Y2K. 
What we've done is we have one of those service centers that's 
in Memphis, converted and running on a test basis.
    The second one is Kansas City, that's targeted for, I 
think, early summer. And what we're going to do in the Kansas 
City one is really the critical one in terms of testing how 
well the process is going to work. We're going to see how well 
that works and do some additional testing before we finalize 
the other schedule. Right now, we think the best estimate is 
that we can do Memphis and Kansas City plus two additional ones 
this year which would leave six for next year. But those other 
six, or even eight if we had to, can be upgraded in place and 
we are planning as contingency plan to do that. So, I think, 
we've got the bases covered on that particular program in terms 
of Y2K.
    Chairman Johnson of Connecticut. Thank you, Commissioner.
    Mr. Coyne.
    Mr. Coyne. Thank you, Madam Chairman. Commissioner, you 
indicated that you and Secretary Rubin had written a letter to 
the Senate Finance Committee. I wonder if we could have a copy 
of that letter?
    Mr. Rossotti. Sure.
    Mr. Coyne. For the record.
    Mr. Rossotti. We'll get that for you.
    [The following was subsequently received:]

                             Department of the Treasury    
                                   Internal Revenue Service
                                                     March 31, 1998

Honorable William V. Roth, Jr.
Chairman
Committee on Finance
United States Senate
Washington, D.C. 20510

    Dear Mr. Chairman:

    I am writing to provide the Senate Finance Committee information 
about provisions under consideration as pail of the IRS restructuring 
bill which, in order to implement, will require charges in IRS computer 
information systems.
    As is noted in one of the provisions of the restructuring bill, it 
is essential that the work needed to make the IRS computer systems 
comply with the Century Date Change be given priority. If these changes 
are not made and tested successfully, computer systems on which the IRS 
directly depends for accepting and processing tax returns and tax 
payments will cease to function after December 31, 1999. in order to 
accomplish this change, a massive effort is underway now and will 
continue through January 2000. This project, one of the largest 
information systems challenges in the country today, is estimated to 
cost approximately $850 million through FY 1999 and requires updating 
and testing of about 75,000 computer applications programs, 1400 
minicomputers, over 100,000 desktop computers, over 80 mainframe 
computers and data communications networks comprising more than 50,000 
individual product components. In addition, the data entry system that 
processes most of the tax returns must be replaced.
    Most of the work to repair or replace these Individual components 
must be done prior to the tax season that begins in January 1999, and 
thus is at its peak during calendar 1998. During this peak period, the 
IRS must also make the changes necessary to implement the provisions of 
the Taxpayer Relief Act of 1997 which are effective in tax year 1998. 
These changes are still being defined in detail but are currently 
estimated to require about 800 discrete computer systems changes.
    The most critical systems to which these changes must be made are 
systems that were originally developed in the 1960's, 1970's and 
1980's, and many are written in old computer languages. A limited 
number of technical staff have sufficient familiarity with these 
programs to make changes to them. Furthermore, the IRS suffered 
attrition of 8% of this staff during FY 97, which attrition has 
continued at the same or higher rate until recently. In part, this 
attrition reflected the very tight market for technical professionals 
as well as a perceived lack of future opportunities at the IRS.
    This extraordinary situation has required the IRS to commit every 
available technical and technical management resource to these critical 
priorities and to defer most other requests for systems changes at 
least during calendar year 1998.
    For these reasons, it will not be feasible to make any significant 
additional changes to the IRS systems prior to the 1999 ailing season, 
pushing the start of all additional work to about the second quarter of 
calendar 1999. Furthermore during 1999. a major amount of additional 
work will be required to perform the testing to ensure that all the 
repaired or replaced components work as expected prior to January 1, 
2000. Given the magnitude of the changes, it is likely that additional 
work will be required to repair defects and problems that will be 
uncovered during the testing in the second half of 1999. Thus, while 
some capacity to make systems changes is projected to exist in 1999, 
there is considerable uncertainty about how much capacity will in fact 
be available even during calendar 1999.
    With this context in mind, we have attempted to identify the 
provisions in the restructuring bill that require significant changes 
to computer systems and estimate how much staff time would be needed to 
implement these changes. Based on this very preliminary analysis, we 
have prepared a list of recommended effective dates if these provisions 
are adopted. In all cases, we would strive to implement the provisions 
sooner if possible. In addition, two provisions entail both significant 
systems and policy issues. For these items, which are discussed first, 
we suggest an alternative approach.

                          Alternative approach

    1. Require that all IRS notices and correspondence contain 
a name and a telephone number of an IRS employee who the 
taxpayer may call. Also, to the extent practicable and where it 
is advantageous to the taxpayer, the IRS should assign one 
employee to handle a matter with respect to a taxpayer until 
that matter is resolved.
    Concern: We agree with the objectives of this proposal, but 
are concerned because it would entail a total redesign of 
customer service systems, and would actually move the IRS away 
from the best practices found in the private sector. We do 
support the proposal that the IRS should assign one employee to 
handle a matter with respect to the taxpayer where it is both 
practicable and where it is advantageous to the taxpayer.
    The proposal would affect the Masterfile, Integrated Data 
Retrieval System (IDRS), and any system supported by IDRS 
(including AIMS and ACS). In addition, the proposal is likely 
to decrease the customer service we are trying to improve 
through our expansion of access by telephone to 7 days a week, 
24 hours a day. The assignment of a particular employee for a 
taxpayer contact could actually increase the level of taxpayer 
frustration as the named employee may be on another phone call, 
working a different shift, or handling some other taxpayer 
matter when taxpayers call. In addition, consistent with 
private sector practices, we are currently installing a 
national call router designed to ensure that when a taxpayer 
calls with a question, the call can be routed to the next 
available customer service representative for the fastest 
response possible.
    Proposal: Require that the IRS adopt best practices for 
customer service with regard to notices and correspondence, as 
exemplified by the private sector. Require that the IRS report 
to Congress on an annual basis on these private sector best 
practices, the comparable state of IRS activities, and the 
specific steps the IRS is taking to close any gap between its 
level and quality of service and that of the private sector. 
Furthermore, the IRS could be required to put employee names on 
individual correspondence it could require all employees to 
provide taxpayers with their names and employee ID numbers; 
and, finally, it could record, in the computer system, the ID 
number of the employee who takes any action on a taxpayer 
account.
    2. The proposal would suspend the accrual of penalties and 
interest after one year, if the IRS has not sent the taxpayer a 
notice of deficiency within the year following the date which 
is the later of the original date of the return or the date on 
which the individual taxpayer timely filed the return.
    Concern: We agree with the objective of the proposal to 
encourage the IRS to proceed expeditiously in any contact with 
taxpayers, however, our systems are currently unable to 
accommodate some of the data requirements with the speed 
necessary to make this proposal workable, In addition. we are 
concerned that the proposal could have the perverse incentive 
of encouraging taxpayers to actually drag out their audit 
proceedings rather than work with the IRS to bring them to a 
speedy conclusion. Our administrative appeals process, which is 
designed to resolve cases without the taxpayer and the 
government incurring the cost and burden of a trial, could also 
become a vehicle for taxpayers to delay issuance of a 
deficiency notice.
    Proposal: Require the IRS to set as a goal the issuance of 
a notice of deficiency within one year of a timely filed 
return. Mandate that the IRS provide a report to the Congress 
on an annual basis that specifies: progress the IRS has made 
toward meeting this goal, measures the IRS has implemented to 
meet this goal, additional measures it proposes toward the same 
end, and any impediments or problems that hinder the IRS' 
ability to meet the goal. In addition, the proposal could 
reemphasize the requirement that the IRS abate interest during 
periods when there is a lapse in contact with the taxpayer 
because the IRS employee handling the case is unable to proceed 
in a timely manner. The IRS could be required to provide 
information on the number of cases in which there is interest 
abatement each year in the report.

                            Effective dates

    We propose the following effective dates for specific 
provisions. These dates are driven by the capacity of our 
information technology systems, not the impact of the policy. 
Some of these provisions would be fairly easy to implement, but 
in total and in conjunction with all the other demands on our 
information technology resources it is simply not feasible to 
implement them until the dates proposed. If the situation 
changes, we will strive to implement the provisions sooner.
    The effective date for many of these charges is January 31, 
2000. Given that all of these changes must be made compatible 
with the Century Date Change, we believe we will need the month 
of January 2000 to ensure all the Century Date Charges are 
successful before implementing the provisions listed below.
     Allow the taxpayers to designate deposits for each 
payroll period rather than using the first-in-first-out (FIFO) 
method that results in cascading penalties.
    --Effective immediately for taxpayers making the 
designation at time of deposit.
    --Effective July 31, 2000 for taxpayers making the 
designation after deposit.
     Overhaul the innocent spouse relief requirements 
and replace with Proportionate liability, etc.
    --Effective date: July 31, 2000. The IRS has no way of 
administering proportionate liability with our current systems. 
This provision would require significant complex changes to cur 
systems and is likely to be cumbersome and error-prone for both 
taxpayers and the IRS,
     Require each notice of penalty to include a 
computation of penalty.
    --Effective date: Notices issued more than 180 days after 
date of enactment
     Develop procedures for alternative to written 
signature for electronic filing.
    --The IRS is already preparing a pilot project for filing 
season 1999. Subsequent roil out of alternatives to written 
signatures for electronic filing will depend an the success of 
the pilot.
     Develop procedures for a return-free tax system 
for appropriate individuals.
    --This provision should be interpreted as a study of the 
requirements of a return-free tax system and the target segment 
of taxpayers. Actual implementation will be based on the 
findings and conclusions of the study.
     Increase the interest rate on overpayments for 
non-corporate taxpayers from the federal short-term interest 
+2% to +3%.
    --Effective date: July 31, 1999.
     Do not impose the failure to pay penalty while the 
taxpayer is in an installment agreement.
    --Effective date January 31, 2000.
     Require the IRS to provide notice of the 
taxpayer's rights (if the IRS requests an extension of the 
statute of limitations). Require Treasury IG to track.
    --Effective date: January 31, 2000.
     Require IRS to provide on each deficiency notice 
the date the IRS determines is the last day for the taxpayer to 
file a tax court opinion. A petition filed by the specified 
date would be deemed timely filed.
    --Effective date: notices mailed after December 31, 1998.
     Require the Treasury IG to certify that the IRS 
notifies taxpayers of amount collected from a former spouse.
    --Effective date: January 31, 2000,
     Require the IRS to provide notice to the taxpayer 
30 days (90 days in the case of life insurance) before the IRS 
liens, levies, or seizes a taxpayer's property.
    --Effective date: 30 days after date of enactment for 
seizures; January 31, 2000 for liens and levies.
     Require the IRS to immediately release a)levy upon 
agreement that the amount is ``currently not collectible.''
    --Effective date: January 31, 2000.
     Waive the 10% addition to tax for early withdrawal 
from an IRA or other qualified plan if the IRS levies.
    --Effective date: January 31, 2000,
     The taxpayer would have 30 days to request a 
hearing with IRS Appeals. No collection activity (other than 
jeopardy situations) would be allowed until after the hearing. 
The taxpayer could raise any issue as to why collection should 
not be continued,
    --Effective date: January 31, 2000.
     IRS to implement approval process for liens, 
levies. and seizures.
    --Effective date: implement procedure manually 60 days 
after date of enactment; implement system for IG tracking and 
reporting January 31, 2000.
    The following items were proposed in the Administration's 
FY 1999 Budget. In conjunction with the other proposals in this 
bill, they will also require significant systems changes:
     Eliminate the interest rate differential on 
overlapping periods of interest on income tax overpayments and 
underpayments.
     Prohibit the IRS from collecting a tax liability 
by levy if: (1) an offer-compromise is being processed; (2) 
within 30 days following rejection of an offer; and (3) during 
appeal of a rejection of an offer.
     Suspend collection of a levy during refund suit.
     Allow equitable tolling of the statute of 
limitations on filing a refund claim for the period of time a 
taxpayer is unable to manage his affairs due to a physical or 
mental disability that is expected to result in death or last 
more than 12 months. Tolling would not apply if someone was 
authorized to act on these taxpayers' behalf on financial 
affairs.
     Ensure availability of installment agreements if 
the liability is $10,000 or less.
    Finally, we would attempt to immediately implement the 
cataloging of taxpayer complaints of employee misconduct and 
would stop any further designation of ``illegal tax 
protesters.'' However, there may be some systems issues with 
regard to these proposals that could delay certain changes 
until some time in early 1999.
    I look forward to working with you, the Finance Committee, and the 
Congress as we strive to restructure the Internal Revenue Service.

            Sincerely,
                                        Charles O. Rossotti
                                                       Commissioner

cc: Senator Daniel Patrick Moynihan, Ranking Minority Member
      

                                

    Mr. Coyne. And also if you could discuss the major two or 
three taxpayer rights provisions that you say need a delayed 
effective date?
    Mr. Rossotti. I'll mention a few. I don't have the letter 
with me. I'll mention a few that are at the top of my mind, but 
there's actually more than a few that I'm afraid need some 
delayed dates, or actually some alternative ways of handling 
them. I mean, one example that I think is well intentioned in 
its objective is a provision that would require us to put the 
name of an individual employee on all notices that are sent to 
taxpayers. This is a really major problem because most of the 
time a notice is like a phone bill or something. It isn't 
associated with an individual employee and our whole strategy 
for improving customer service is to take advantage of all our 
resources across the country so that we can get a phone call 
through to the first available assister, first available 
customer representative. So that approach would be really a 
major problem in a number of ways. One is related to century 
date. The other is it really has to be rethought as to how we 
would do that one. I think that one is very problematical 
except for a small number of notices that are individually 
generated correspondence by individual, for example, revenue 
agents. That part is fine. Within a reasonable timeframe we can 
do that, but on the larger volume of notices, it isn't going to 
work. Another one has to do with the penalties on installment 
agreements. This was one that clearly, you know, everybody 
seems to agree to make sense. But it requires some significant 
reprogramming to deal with the way the penalty revision is in 
the taxpayer rights provision, and, you know, this gets right 
at the heart of the kind of resource requirements that we have 
for the year 2000.
    So, for example, on that one we requested, I believe, to 
put the effective date off. In most cases, what we've asked for 
is to put the effective dates off so that we can fold them into 
the work we're going to do in 1999 that would go into effect 
after the turn of the century in the year 2000 filing season. 
And that is an example of that one. There are a fairly long 
list of others. There are some others that the Joint Committee 
staff has come up with. Some are, I think, practical ways to 
deal with them in the short term that we agree with.
    So we're trying to work this issue and accommodate as many 
things as fast as we can. And I actually feel it's very 
unfortunate that we're in a situation where there are 
provisions that we all think, you know, are desirable and we're 
asking to put them off because of this reason. But that is, in 
fact, the reality that we're in.
    Mr. Coyne. What are the departments, the IRS high-risk 
areas likely that are going to require a backup plan. For 
instance, would you issue refund checks annually?
    Mr. Rossotti. Well, the high-risk areas, I think, right 
now, the highest risk areas are the telecommunications network, 
what we call the tier 2, the middle-size minicomputers because 
they are in the IRS not very standardized and we have quite a 
bit of work to do on them. And I think more than anything is 
just the integration of all this into a comprehensive test 
plan. Those are the three most important.
    Now, we also have risks on the mainframe consolidation but 
I think that one we do have a contingency plan for the parts 
that are higher risk if we were implementing that contingency 
plan. I mean, if you look at what would be a contingency plan 
for issuing refunds, if you don't have your computer systems, 
frankly, I don't think you can issue 90 million refunds in any 
way without the computer systems working. So for at least the 
main key systems we really have to get them to work which is 
why we're trying to get all those key things done by January 
1999 so we have all of next year to test it.
    I don't want to make this whole thing bleak. I want--
because we are talking about risks but there also are things, 
some very positive things here, because I can see that I'm 
falling into the trap here of just talking only about the 
risks. I mean, we have implemented on the application programs 
a substantial number of change programs and put them into 
production for the filing season. It was very successful. It 
was last year. And that's very important because we actually 
got the majority, more than half, of our applications inventory 
back into production and already ran through a filing season. 
That doesn't completely test it but it's a pretty good sign. We 
only had a few examples of noticeable failures that affected 
taxpayers in the 1998 filing season. So, that is a very 
positive point to keep in mind.
    Mr. Coyne. Thank you.
    Chairman Johnson of Connecticut. That's very impressive.
    Mr. Portman.
    Mr. Portman. Thank you, Madam Chair. Commissioner, you kind 
of jumped into a difficult situation here, haven't you?
    Mr. Rossotti. I knew it was here.
    Mr. Portman. Yes, I think I speak for all members of this 
panel; we're glad you have the experience and expertise to be 
able to try to run this marathon at a sprinter's pace which is 
what your former CIO, Chief Information Officer, told the IRS 
Commission about a year ago. And I assume from what you're 
telling us today that, in fact, you are sprinting?
    Mr. Rossotti. The date is not going to move. I mean, we 
have to get it done. And really, I think, as Madam Chairman 
said, we really have to get it done, most of it by January 
1999. I mean, that is a very important observation for the IRS. 
We have to get it through so we can use it for the filing 
season.
    Mr. Portman. There's no extension?
    Mr. Rossotti. Pardon me?
    Mr. Portman. There's no way to file an extension on this 
deadline? [Laughter.]
    Mr. Rossotti. There's no way to file an extension, yes, 
exactly. It would be good. [Laughter.]
    Mr. Portman. OK, I've got three quick questions and I hope 
we can get through them, and I appreciate your working through 
the answers quickly also. In that March 31 letter that Bill 
Coyne just referenced, he talked about human resources. And my 
question to you, I guess, goes to some of the disturbing things 
you mentioned in the letter. One, you said you suffered an 8-
percent attrition rate of your technical staff during fiscal 
year 1997. That continued, I think, until recently. And even 
though this 10-percent retention allowance that you give to, I 
think, about 1,000 programmers has helped, it seems to me that 
you're still not going to be able to do this internally. You're 
going to be relying more and more on the contractors, 
particularly, the TIPSS people, is that correct?
    Mr. Rossotti. Well, yes, but, unfortunately--we are where 
we can but, unfortunately, the contractors are in short supply 
but more importantly for some portions of this, it really is 
not practical to use contractors. I mean, we have to have 
people that are experienced. Some of these people in the very 
short term really can't be replaced with contractors.
    Mr. Portman. How are you going to keep these people? I 
guess my question is do you have the depth of resources, do you 
have the ability to keep the good people you have already, 
retain contractors?
    Mr. Rossotti. Well, we did the six-point program to try to 
retain the people and I don't have up-to-date figures yet. I 
can get them for you, Mr. Portman.
    [The following was subsequently received:]

    Since March 15, 1998, we have been paying a 10% retention 
allowance to over 800 eligible technical staff (Programmers 
within Information Systems and other areas of the agency). Our 
purpose in paying this allowance was to stabilize and ideally, 
reduce our attrition rate, which stood at 7.9% for fiscal year 
1997. At this time, it is too soon to tell what impact the 10% 
retention allowance is having on our attrition rate.
    We have begun measuring our attrition rate on a quarterly 
basis. In addition, we will simultaneously gather information 
as to why people are leaving. We expect this data to provide us 
with additional insight into those workplace factors (in 
addition to pay) that contribute to retaining qualified 
technical staff, which will benefit our future recruitment and 
retention efforts.
    To further address the attrition issue we have recently 
undertaken a series of recruitment actions combined with 
additional hiring incentives as noted below.
     We have utilized a variety of recruitment vehicles 
in an attempt to attract a diverse and highly qualified group 
of candidates for our technical vacancies including; OPM's 
website, paid and unpaid ads in the Washington Post, various 
military publications and websites, technical career job fairs, 
and local colleges. In response the Service has received over 
1000 telephone inquiries and numerous electronic mail contacts. 
In addition we have participated in three technical job fairs 
sponsored by private sector and minority organizations. In the 
first week following a Mike Causey column in the Washington 
Post, publicizing our recruitment efforts, over 500 calls were 
received from potential applicants.
     Since March 1998, the Service has posted multiple 
vacancy announcements for experienced technical professionals 
(programmers, systems developers, etc.). We have received over 
800 applications (combination of external and internal 
candidates) for these positions. We are screening the 
applications to determine those with the required technical 
skills and will make selections accordingly. Those vacancy 
announcements have in some cases included additional hiring 
incentives such as:
    --Potential recruitment bonuses of up to 25 percent of 
basic salary for new recruits and potential eligibility for 
retention allowances for qualified employees who remain with 
the Service for a minimum of 6 months of continuous service.
    --In addition, we are planning to give temporary 
appointments to qualified retired annuitants using OPM's 
recently delegated authority (to IRS) for ``waiver of dual 
compensation offset.'' This waiver will be offered to 
individuals, on a case by case basis, who will be working 
solely on Year 2000 conversion efforts.
      

                                

    Mr. Rossotti. But I've heard reports that we seemed to have 
turned it around to some degree. I mean, some of the attrition 
seems to have slowed down but we need to get a couple more 
months' data to see if that's going to be the case. I mean, 
it's really essential to retain the people we have. Part of 
this was not just the money. It was conveying a message to the 
people that there's really a future for these people at the IRS 
because they've been getting a lot of mixed messages about 
whether there was going to be any programmers left at the IRS.
    You know, we're going to need these people, no matter how 
many contractors, we're going to need these people even as we 
go through the modernization blueprint. So, I think we've tried 
to do a little bit in terms of more than just the dollars but 
getting across the message that these people do have a future 
at the IRS, and that's very important.
    Mr. Portman. Well, I think you need to tell us when that 
becomes a problem or there needs to be something done because 
we are all familiar with the escalating salaries in the private 
sector for these kind of technicians.
    My next question has to do with the telecommunications. You 
mentioned in your testimony you have a massive set of 
telecommunications networks that are also creating a major 
challenge for you. In response to Mr. Coyne's question, you 
said it's a high-risk area. I just looked over Mr. Flyzik's 
testimony for later, and I know Treasury, through its 
communications system, believes it can meet your needs. You 
testified before the House Appropriations Committee saying that 
you thought it was a big problem. And my question to you is, 
given the degree to which we transmit data through 
telecommunications and to the degree to which that's really 
important for the IRS' viability and ability to make it through 
the filing season, the next two filing seasons, are you 
satisfied with the progress we've made, and having, again, 
looked at Mr. Flyzik's testimony, do you agree with him that 
the Treasury system is able to, which is a pretty optimistic 
view, I think, support all of your needs?
    Mr. Rossotti. Well, I think that the question is will we be 
able to make it compliant in time, which is by 1999? And this 
has been a high-risk area and we identified it as a high-risk 
area. Within the last, I would say, month or 6 weeks working 
with Jim and Nancy Killefer who is the Assistant Secretary for 
Management, as well as internally, this is not just the 
Treasury, there are a lot of networks inside the IRS.
    In fact, there's more inside of the IRS than there are 
ones--so what we've done is we've set up something that will, I 
think, make this thing work. That is a combined, integrated 
program management structure that is combined, meaning it 
includes all the different pieces of the puzzle in one roof 
which is really what we needed. I mean, we were not ever going 
to get there, I think, treating them as separate pieces.
    Mr. Portman. Do you have contingency plans for the 
telecommunications side? You didn't talk about that in your 
testimony.
    Mr. Rossotti. I don't have, we don't have the contingency 
plans for the telecommunications side at this point.
    Mr. Portman. I think that's one we all need more focus on 
because we talk a lot about the computers and less about that 
critical part.
    Mr. Rossotti. I think this combined management program that 
we put together in the last month, I think is really the key to 
making this whole thing work.
    Mr. Portman. But without a backup.
    The final question, quickly, with regard to electronic 
filing, as you know, in our House-passed legislation, we came 
up with a solution that a signature was not required to be 
submitted to the IRS, that taxpayers could keep that signature 
on file. As you know, I have a bias here. That's the approach 
that I think makes the most sense. It's simple. It doesn't 
involve some of the Y2K issues that some other approaches 
might.
    You mentioned in that same letter, March 31, that I'm 
looking at that you're developing a pilot project to test 
alternatives to the written signatures, and I just wonder if 
you believe that approach has merit? Again, it seems to me that 
the simplicity and the low taxpayer burden and then the Y2K 
problems----
    Mr. Rossotti. Yes.
    Mr. Portman [continuing]. Would all suggest moving toward 
doing something that's more in the lines of what we recommended 
in the House side.
    Mr. Rossotti. Yes, I think it does. I think it does. What 
we're trying to do in 1999 is to take advantage of what we've 
got that requires the least change to be able to allow more 
taxpayers to be able to file electronically without having to 
do this separate transaction. I've got Mr. Barr, who has come 
with us, who is actually focusing on that and we're going to be 
having some meetings. In fact, we were supposed to have them 
this week but they got postponed until next week to look at 
what he's going to propose, as to how exactly we're going to do 
this pilot for next year. So maybe what I should do is get that 
and get back to you with a report on that particular question.
    Mr. Portman. I guess my one comment would be that to the 
extent that we have all these other Y2K problems, why load it 
up with yet another issue----
    Mr. Rossotti. Right.
    Mr. Portman [continuing]. When there may be a simpler 
approach, not just because it's our approach but it's one that 
I think would result----
    Mr. Rossotti. OK. We're going to have this, literally 
within the next week we're having meetings on this, I'll get 
back to you on that question.
    [The following was subsequently received:]

    For 1999, the IRS is working toward an authentication pilot 
as a means of increasing electronically-filed returns. The 
pilot will use an alternative method of signature to replace 
the paper signature jurat, Form 8453. Based on the responses to 
Electronic Tax Administration's Request for Proposals, the IRS 
is currently considering a number of options for testing 
alternative methods next filing season.
      

                                

    Mr. Portman. Thank you. Thank you, Madam Chair.
    Chairman Johnson of Connecticut. Mr. Kleczka.
    Mr. Kleczka. Thank you, Madam Chair. Mr. Commissioner, 
thank you for appearing today. I also admire your courage in 
accepting this responsibility to run the Service. Now, as I 
understand some of the future tasks ahead for you, you have 
about 700 to 800 tax changes that have to be put online as per 
the 1997 tax bill, you have a major IRS reform bill that the 
IRS will have to implement in a short period of time. There's 
talk here in Congress of another major tax bill for 1998 which 
naturally will have to be up and running by 1999. And then you 
have the year 2000 problem.
    Now, I know if you don't get all this accomplished, there 
will be folks around the Capitol here that are going to be 
after your hide. And I think that's something you probably 
already have accepted. But my question is, and I think it's 
something that you have to put in the record, do you have the 
resources to complete all of these tasks? I know full well that 
you're on the Hill every day responding to congressional 
hearings. You're here again today. The Service is not held in 
the highest regard nationwide. What can we provide to you so 
that all these tasks can be accomplished?
    Mr. Rossotti. I think what we need most is to work with you 
on the timing of new requirements. I mean, and, of course, the 
budget is also important. Although, I will say for fiscal 1998, 
for this moment, we've gotten the budget that we need. We 
really have the dollar resources for this fiscal year, and as 
we go forward, the 1999 appropriations, we'll have to look at 
that. But for this fiscal year we've got it. But you're quite 
right. I mean, we have an extraordinarily thin management 
structure at the IRS. We've got quite a few vacant positions in 
key management positions, especially in information technology 
and we have a lot going on and I think this is exactly why, I 
mean, this is the fundamental reason why I've asked so strongly 
that the effective dates on some of the new provisions in the 
new bill be postponed. It's not the substance of them, it's 
just the practical issue of how to get them done. I really ask 
that those be put out.
    In most cases, there are a few exceptions, but in most 
cases, out beyond year 2000, which I know is a long time and 
it's not something that people like, but it's the honest 
statement of what I think we have to do to try to have a chance 
to succeed with this. I think, you know, obviously that would 
be equally true of any new, any additional tax bills that might 
be passed. It would be a matter of when these dates are made 
effective, you know, depending on the provisions.
    Some of them may not affect computer systems that much but 
any that affect computer systems, and most of them do, really 
for the rest of this calendar year we really cannot cram 
anything more into the situation. It's already high risk, and 
to put more in is really not reasonable. Even in 1999, in 
theory, we will have additional capacity in 1999 in order to 
implement in the year 2000, after the date change. And from a 
purely numerical standpoint, in terms of staff capacity, we do 
have some, but we also have all these risks of integrating all 
these things and so there's a great deal of uncertainty as to 
how much even we'll be able to do in 1999.
    Mr. Kleczka. OK, well, I respect you coming forward and 
saying that when it comes to the IRS reform bill, there are 
some things you just can't accomplish immediately. Know full 
well, we want it done yesterday not tomorrow. But as we go 
through this session and, as the Ways and Means Committee looks 
at the Tax Code again, I would hope that you would not be 
bashful of coming forward again and saying, ``This is overload 
for the agency, my friends. We just can't do it. We ask that 
you consider a different track.'' So I, when you come before 
the Full Committee later in the year, I'll be again broaching 
this same subject matter to make sure that we're not setting 
you and the agency up for failure, which I think would be very 
unfair.
    Thank you very much.
    Chairman Johnson of Connecticut. Thank you.
    Mr. Hulshof.
    Mr. Hulshof. Mr. Commissioner, I certainly don't want to be 
seen as piling on and appreciate the very forthright nature in 
which you've presented yourself these past weeks. Because we've 
got some excellent witnesses and I'm sort of reading ahead, I 
wanted to present to you some of the concerns that GAO has 
suggested. I know in your written testimony you mention that 
you did, in fact, consult GAO, particularly as it relates to 
mitigating risks and there's a concern that's been expressed by 
GAO regarding the contingency plan, and I just wanted to 
mention this and then ask for your comment.
    One of the concerns that GAO has raised is that your 
contingency management plan doesn't address a likelihood that 
information systems that are converted on schedule may 
experience some systems failures. Would you care to comment on 
that particular concern?
    Mr. Rossotti. First of all, let me say that I think that 
one of the resources that I'm trying to make use of to identify 
risks such as, I mean, the whole point of managing a project 
like this is to identify risks, get them out there, and take 
action as early as possible. And I've been using every resource 
I can, including GAO, very helpfully. In fact, now, I've got 
GAO, you know, attending our own steering committee meeting so 
we're welcoming this kind of input.
    I think with respect to contingency plans we do need to do 
more on contingency plans. In some cases, we've already taken 
some action like in mainframe consolidations. The difficulty we 
have, frankly, is that in some cases it may not be practical 
really to develop really very viable contingency plans for some 
aspects of what we're doing.
    But, second, the other problem we have is that the very 
people who are managing the program, in many cases, are the 
people who would have to divert time to developing contingency 
plans. I mean, given that our limited resource is management, 
which it really is even more a limiting of factor, as much of a 
limiting factor as staff, we even have to be careful to 
allocate our management resources to even doing things like 
contingency plans. We are going to do more in that area, and 
there are some that we've already done. We certainly are going 
to continue a very intense dialog with GAO on trying to get 
their help in identifying these risks and responding to them. 
But, in the end, we do have to sort of allocate our critical 
resources in the best way we can. And we really don't have 
enough to do everything that we'd like to do in some areas.
    Mr. Hulshof. Do you see as a problem, and Mrs. Johnson 
asked a question about, that the time tables are somewhat 
fluid. I think initially the hope was that 10 service centers 
would be up and ready to go by January 1999, now somewhat of a 
fudge factor that maybe we'll get five online, I mean, do you 
see this as potentially exacerbating the problem regarding 
contingency plans?
    Mr. Rossotti. Well, in the mainframe project, with the 
consolidation project, which is a very large project, that is 
one where because of its size and because there are practical 
options we are implementing a contingency plan which is 
practical. In fact, we're already doing it. We're going to 
upgrade the operating software for the mainframes that are in 
the service centers so that even if we don't convert them, we 
will still be able to operate them. It won't be as efficient. 
It will cost more money but we'll still be able to do it. There 
is another piece, this broad project called ``mainframe'' 
actually has about five pieces to it.
    There is another piece, a very important piece, which is a 
communications computer which really has no contingency plan, 
practically speaking, because we really have to replace that. 
It's sort of in the middle of everything. But we have put a lot 
of emphasis on that piece, obviously, and that one we are, more 
or less, on schedule and we will be able to get that one 
through. So this is what we're--when I said, adjusting, this is 
the kind of thing we're doing. We keep drilling down deeper and 
deeper and say, well, this is the piece that's absolutely 
critical; we don't have a backup; we've got to get it done, and 
you put the emphasis on it. The other part you find a way, you 
know, allocate your resources that it can at least, you know, 
be sure to get you through even if you don't do it exactly the 
way you want it to. And that's the kind of thing that consumes 
an immense amount of management time, our scarce resource.
    Mr. Hulshof. Thank you, Commissioner. And Madam Chairman, I 
yield back.
    Chairman Johnson of Connecticut. Thank you, Mr. Hulshof.
    Ms. Dunn.
    Ms. Dunn. Thank you, Madam Chairman. This is fascinating to 
hear you. We're very glad you're there, Mr. Rossotti, because 
we know that you understand the problems we've had with the IRS 
in the past, and that you're a management expert and you're 
going to do the best you can. And we all hope that working 
together we can make it turn out to be a really good job.
    I was pleased in your testimony that you talked about some 
of the opportunities you have and I think that will be useful 
information to put at the beginning of any speech you give on 
this because we all realize how complicated this Y2K problem is 
going to be. I speak, having the background of a former systems 
analyst for IBM and, because I recall spending many nights and 
weekends at businesses to whom the equipment was oversold 
trying to bail people out and trying to find the bugs in the 
system. I guess I focus mostly on the complicated aspect of 
testing the changes that are going to be made. And I wonder if 
you could spend a minute or two just telling us what your 
experts have told you on how you're going to do this testing, 
and whether you're going to run parallel systems, or how are we 
going to know by the year 2000 that we're not going to have a 
problem collecting taxes from the people who are out there 
trying to pay them?
    Mr. Rossotti. First of all, let me say that your focus on 
testing data is on target. I mean, that's the hardest part of 
this whole program, I mean other than just managing the whole 
thing together, but without a doubt, testing. And the reason is 
because obviously even though each little change is fairly 
simple, as some of the other Members had noticed, when you have 
this many thousands and thousands of changes in many different 
kinds of components, finding the place where there's an error 
when it all fits together is the hard part. And I think that, 
therefore, what, I think, we're trying to do is we're trying to 
have testing at many levels. We're testing each, you know, at 
the component level. For example, in the programs there's 
testing, there's testing of the systems, the individual 
application systems before we put them, for example, back into 
the filing season.
    On the telecommunications network, with Mr. Flyzik's help 
with the contractor that's working with us there, they have 
test lab set up where they're testing in the case of these 
different vendor components that they all fit together at the 
lab level. And then we've got another contractor, I mean, I 
hope I'm not being too long. We've got another contractor which 
is from the original Bell companies that's a telecommunications 
expert company that's doing a special test of some of the end-
to-end pieces in the telecommunications network. We have 
another lab that's testing our minicomputers. So we've got all 
these levels of testing. Then the next and last piece, or the 
last piece is really the big integrated end-to-end test that we 
have to do in 1999 and that's really an unprecedented test. I 
mean, I was in the business for 28 years, I never heard of 
anything this big anywhere. So we are working now, OK, with a 
contractor to develop that end-to-end test and we're just 
turning our attention in a serious way now to figuring out how 
to do that. OK, that is really breaking some new ground as far 
as I'm aware.
    Chairman Johnson of Connecticut. Mr. Ramstad.
    Mr. Ramstad. Thank you, Madam Chair, and thank you, 
Commissioner. I know there are five witnesses waiting behind 
you. I know you have another commitment, so I'll be brief. 
First of all, I wouldn't trade jobs with you. Second, 
concerning the 2000 problem, I just finished a series of town 
meetings and, like most of my colleagues, this is becoming a 
dominant concern among the people. There's more concern, 
especially among older Americans about Social Security checks. 
In fact, it's pretty unanimous that if you're not ready there's 
not a big concern out there--[Laughter.] But if you aren't 
there's a major worry. Let me just follow up, if I may 
Commissioner, on your exchange with Mr. Hulshof about replacing 
the communications replacement system. Is that going to be done 
in all 10 service centers or just those that will be 
consolidated?
    Mr. Rossotti. No, that will be in all 10 service centers. 
That piece is essential in order to make the whole framework. 
And that's on a much more accelerated schedule. We're in the 
testing phase of that right now and we would be, I don't 
remember exactly, we can get you that, what the rollout is for 
that. But that one we are definitely planning to roll out this 
year to all 10 service centers.
    Mr. Ramstad. And that's essentially on schedule?
    Mr. Rossotti. Yes, as of now. I always qualify those things 
because tomorrow we could get a test and find out we've got a 
new problem but I believe that that one is getting intense 
focus because it's so critical to making the whole rest of the 
thing work.
    Mr. Ramstad. Thank you, again, Commissioner. Thank you, 
Madam Chair. I yield back.
    Chairman Johnson of Connecticut. Thank you very much, 
Commissioner. We certainly do appreciate your knowledge, 
experience, your personal energy, and your leadership 
abilities. But I think we appreciate more seriously your 
honesty and straightforwardness with us, you are so cognizant 
of the enormity of this challenge and we'll work with you to 
make sure that the Congress backs you in every way we can to 
assure your success in what you so, I think, honestly describe 
as a dangerous and risky situation but not one that you are not 
aggressively working to manage and solve. Thank you for being 
with us this morning.
    Mr. Rossotti. Thank you, Madam Chair.
    Chairman Johnson of Connecticut. Mr. Callahan.

     STATEMENT OF HON. JOHN CALLAHAN, ASSISTANT SECRETARY, 
  MANAGEMENT AND BUDGET; AND CHIEF INFORMATION OFFICER, U.S. 
 DEPARTMENT OF HEALTH AND HUMAN SERVICES; ACCOMPANIED BY GARY 
  CHRISTOPH, CHIEF INFORMATION OFFICER, HEALTH CARE FINANCING 
  ADMINISTRATION; ELIZABETH JAMES, CHIEF INFORMATION OFFICER, 
 ADMINISTRATION FOR CHILDREN AND FAMILIES; AND NORM THOMPSON, 
  ASSOCIATE COMMISSIONER FOR AUTOMATION AND SPECIAL PROJECTS, 
            ADMINISTRATION FOR CHILDREN AND FAMILIES

     Mr. Callahan. Thank you very much, Madam Chairman Johnson, 
Congressman Coyne, and other Members of the Subcommittee. I 
want to thank you for the opportunity to testify here today for 
the Department of Health and Human Services. I am the CIO, 
Chief Information Officer, for the Department and today I'm 
accompanied by Dr. Gary Christoph, for CIO for HCFA; Dr. 
Elizabeth James, the CIO for the Administration for Children 
and Families; and Norm Thompson is the Associate Commissioner 
for Automation at ACF. All of these individuals plus myself 
will make ourselves available to the Subcommittee at any time 
that they have questions now or in the future.
    I submit to the record my written testimony, as well as our 
report to OMB in February 1998 which gives the full scope of 
what the Department is doing to correct its year 2000 computer 
problems.
    [The report is being retained in the Committee files.]
    I'd like to comment on three areas. One, the Y2K effort at 
HHS as a whole, just in general, then HCFA, then ACF. With 
regard to the Department as a whole, the Secretary, the Deputy 
Secretary, and myself have all indicated that year 2000 
compliance is job number one for the Department. It is the top 
and only information technology that we intend to pursue with 
all the resources at our disposal.
    What have we done this year? First of all, we've ensured 
that we have a December 31, 1998, deadline for year 2K 
compliance for all our mission-critical systems. We have 491 in 
the Department as a whole. We have a clear structure of 
administrative accountability. Every agency has a CIO. That CIO 
reports directly to its agency head, and they're responsible 
also to me, the Deputy Secretary, and the Secretary. We have 
required and are requiring independent validation and 
verification testing for all our mission-critical systems. We 
were the first agency to seek and to receive from the Office of 
Personnel Management authority to hire Federal retirees who 
have the skills to help us fix the year 2000 problem. We sought 
this at the end of last month, and we have received authority 
to hire up to 45 Federal retirees.
    We are, as you requested, and others have requested, 
developing contingency plans for all our major agencies. We've 
shared our data interfaces, we've identified our data 
interfaces with all our State partners. We've shared these with 
the National Association of State Information Resource 
officials as of April 22. And, then, finally, as is indicated 
in our testimony, we have up and running a biomedical Web site, 
which is maintained by FDA, wherein individuals can determine 
the Y2K compliance of all biomedical manufacturers which are so 
important to direct our health facilities and things of that 
nature. So that is up and running at the moment.
    Obviously, the biggest problem that we face in the 
Department is dealing with the year 2000 and HCFA. We have 25 
internal mission-critical systems, and 75 external contractor 
mission-critical systems. Forty-nine million lines of code are 
in these systems, 19 million lines of code in our internal 
systems, 30 in our external systems. These need to be examined 
in order to be made Y2K compliant. This software, which is 
basically the engine, if you will, that allows 900 million fee-
for-service claims to be paid annually by Medicare to more than 
33 million beneficiaries and countless number of Medicare 
providers.
    What are we doing in this regard? We have created and we 
have hired Dr. Gary Christoph from Los Alamos Laboratory as our 
CIO after a nationwide search. He and NancyAnn Min-DeParle have 
created ``tiger teams,'' for all our internal systems in order 
to make them year 2K compliant and they are using the personnel 
authorities that I described earlier to get additional 
personnel.
    On the fiscal front, we have, as a result of the 
supplemental that was recently passed here and the President 
signed, we have channeled $20 million from ongoing transition 
work to single part A to part B systems to our year 2000 
effort. We estimate that we may need $103 million more in 1998 
and 1999 for our year 2K work. We have authorities at our 
disposal including the Secretary's 1-percent transfer authority 
which is in our annual appropriations act and we will be 
prepared to use that in order to channel additional moneys to 
the Y2K effort.
    And NancyAnn Min-DeParle, who's the Administrator of HCFA, 
has said on numerous occasions that year 2000 is her top 
priority. She's been very proactive with her contractors, and 
we have finished, just about finished all our site visits with 
our 75 contractors to, again, talk to them about the urgency of 
the year 2K problem and to determine what they can and should 
be doing in that regard.
    One element I would draw your attention to is that we have 
sent up to the Congress on January 1998 contractor reform 
legislation. This allows HCFA to have increased discretion in 
contracting for Medicare claims processing and payment. It 
would allow the administrator to contract for these functions 
on a best-value basis as permitted by the Federal acquisition 
regulations. We believe this legislation is important so that 
we can exercise contingency plans and long-term planning in 
order to permit business continuity in light of any contractor 
failure. This legislation would eliminate the rigidities that 
we believe are now inherent in current contracting law, under 
Medicare, which requires us to contract with only selected 
claims processors, provides for automatic contract renewal, and 
reimbursement for all allowable costs. Our feeling is that the 
Federal acquisition regulation law, if that were applied to 
Medicare contractors, the contractor system, would be a 
positive benefit. We do not feel that competent contractors 
would have anything to fear from this legislation, and would 
not be harmed by the legislation if it were passed.
    Let me now just focus quickly on the Administration for 
Children and Families. We have 55 mission-critical systems in 
ACF. Twelve are now year 2000 compliant. We think as many as 33 
will be more compliant by the end of this quarter. Forty-one 
are being repaired or replaced and two are being retired. There 
are two main areas in the Administration for Children and 
Families: One is grants administration, the other is child 
support enforcement. We believe that all the grant systems, 
grant information systems will be made compliant and that our 
grants processing system under ACF will be made compliant 
through a new system called Gates by the end of this year.
    State data interfaces, that I mentioned earlier, we are 
handling that through what we call an electronic bridging 
system, which we're also using in CDC. All States that have to 
send information to us in the ACF systems, we will be able to 
accept that data whether it's year 2000 compliant or not, and 
bridge it into our system so that the data in fact is 
compliant. As I say, we used the system, or are using the 
system also for CDC for very important epidemiological data.
    With regard to child support, we expect the Federal Parent 
Locator System to be compliant by October 1, 1998, and the new 
higher data system which was required by recent welfare reform 
legislation is now being developed as a year 2000 compliant 
system. Five of our legacy systems in child support are moving 
to the SSA mainframe later this year.
    One issue that I know Mr. Rossotti touched on which we had 
made progress in the Department is data center consolidation. 
We now have only three mainframe centers, really working 
mainframes in the Department, one at HCFA, one at NIH, and one 
at CDC. We have completed our data center consolidation system 
some time ago at a savings of about $127 million over a number 
of years.
    State child support systems, as we all know here, are in 
effect the responsibilities of individual States. We had a 
meeting with a number of State CIOs recently, including the 
State CIO from Washington. I think they feel they're making 
good progress at the State level to make sure that their child 
support systems are compliant. We are able to help them out 
because they can support their Y2K compliance spending at the 
State level through the matching of child support grants which 
are 66\2/3\ percent. But we do think the States are working 
hard, and that they will succeed but obviously they have 
complex systems as well.
    I would just say, in conclusion, Madam Chairman, we 
certainly regard year 2000 as our job number one. We will be 
accountable to the President. We will be accountable to the 
Congress and we will work with you continuously on this problem 
throughout the remaining time here before the year 2000. We do 
think that our basic job, certainly from headquarters is to do 
three things. We have to focus the resources, the money, we 
have to focus the personnel, and whatever authorities those 
people need to get the job done. We will deploy frontline 
people to get the job done and we intend to do that and will 
keep this Subcommittee fully informed of our efforts.
    Thank you and I would be happy to answer any questions.
    [The prepared statement follows:]

Statement of Hon. John Callahan, Assistant Secretary, Management and 
Budget; and Chief Information Officer, U.S. Department of Health and 
Human Services

    Good morning. I am John Callahan, Assistant Secretary of 
the Department of Health and Human Services for Management and 
Budget (ASMB) and Chief Information Officer (CIO). I am pleased 
to appear before this Subcommittee to provide you with a report 
on the accomplishments of the Department and the challenges 
faced by the Department in assuring that our systems are 
Millennium compliant. We will especially emphasize the Year 
2000 progress made by HCFA and ACF. I am accompanied today by 
Gary Christoph, CIO of the Health Care Financing Administration 
(HCFA), and by Elizabeth James, CIO of the Administration for 
Children and Families (ACF), and Norm Thompson, Associate 
Commissioner for Automation and Special Projects in ACF's 
Office of Child Support Enforcement.

                         HHS' Year 2000 Effort

    The Secretary, the Deputy Secretary, and I have declared 
the Year 2000 (Y2K) date issue to be our highest information 
technology priority. We have already taken several steps, and 
we will continue to take action, to ensure that all HHS 
information systems are Year 2000 compliant. We have involved 
all parts of our organization, including staff with expertise 
in information systems, budget, human resources, and 
acquisition management in solving the Year 2000 problem. No 
matter what else we do and what other initiatives we undertake, 
we must ensure that our ability to accomplish the Department's 
mission is not impaired.
    For this reason, we have established December 31, 1998 as 
our internal deadline for Year 2000 compliance of mission 
critical systems. This was done in order to provide a full year 
of operations in which to detect and remedy any adverse 
interactions among HHS systems and those of our many service 
partners, including other Federal agencies, state and local 
governments, tribes, and contractors.
    To meet our Year 2000 responsibilities, we have taken a 
series of strong administrative actions. We have established 
direct reporting lines between staff working on Year 2000 
activities and all Operating Division (OPDIV) Chief Information 
Officers; and each OPDIV CIO is responsible for regular 
reporting on Y2K efforts directly to the OPDIV head and to me, 
until Year 2000 date compliance is accomplished.
    In our February 1998 quarterly report to the Congress, HHS 
reported 491 mission critical systems. About 40 percent of 
these systems are now Year 2000 compliant. We closely monitor 
progress and maintain a monthly reporting system to track 
progress on all of our data systems. Our monitoring system 
prompts remedial action where and when necessary and encourages 
examination of systems that may be able to be retired, thereby 
making better use of limited Year 2000 resources. In addition, 
our OPDIVs have compiled inventories of their system 
interfaces, and have contacted their interface partners. On 
April 22, I provided a listing of state interfaces to the 
National Association of State Information Resources Executives 
(NASIRE). Because testing, including independent verification 
and validation (IV&V), is critical to our Year 2000 effort, we 
are requiring our OPDIVs to subject their systems to stringent 
testing and IV&V. We also know there is a possibility that, try 
as we might, some systems may not be fully compliant in time. 
Therefore, we are requiring the OPDIVs to develop contingency 
plans that permit business continuity in the event of system 
failure. These contingency plans will be noted in our next Year 
2000 quarterly report.
    We are taking action to retain, re-employ, and attract 
qualified information technology professionals, using both 
employment and contracting authorities. On March 31, we 
received Department-wide personnel authorities from the Office 
of Personnel Management (OPM) to waive the pay and retirement 
reduction for re-employed military and civilian retirees who 
return to work on Y2K remediation.
    Late last week, the President signed a 1998 supplemental 
appropriations bill directing $20 million of HCFA contractor 
funds to be redirected toward HCFA's Year 2000 remediation 
efforts. While these funds will certainly help, HCFA still must 
find ways to address the shortfall. We estimate that HCFA will 
require additional Year 2000 funding in FY 1998 and FY 1999. In 
FY 1998, HCFA estimates it needs an additional $43 million, and 
in FY 1999, HCFA may require an additional $60 million for HCFA 
contractor remediation efforts. For FY 1998, we will soon be 
sending to Congress a letter notifying you of our intent to use 
the Secretary's one-percent transfer authority to shift funds 
from other HHS activities to make the additional $43 million 
available for HCFA's Y2K efforts. While cutting funding for 
other activities is never easy, and all may not be happy with 
our choices for offsets, we would appreciate Congress' support 
for our effort to give HCFA the resources necessary to address 
this problem.

            Health Care Financing Administration Challenges

    Our greatest Year 2000 concern is for HCFA's Medicare 
program. This program is run by over seventy external 
contractors, including several shared systems maintainers, who 
operate and maintain a base of software programs that process 
900 million fee-for-service claims payments annually for nearly 
33 million Medicare beneficiaries. Nearly one quarter of the 
external Medicare contractors have not yet completed 
assessments of their systems. However, under the current law 
(Title XVIII of the Social Security Act) HCFA has limited 
authority for addressing the Year 2000 threat to Medicare 
systems. This situation illustrates why Medicare contracting 
reform has been and continues to be an Administration priority.
    There are a number of facets to HCFA's current contracting 
authority that hinder HCFA's ability to aggressively 
orchestrate Year 2000 compliance.
    Medicare claims processing contract terms are unique and 
differ in several important respects from typical Federal 
contracts awarded under Federal Acquisition Regulation. 
Medicare statutes require HCFA to contract for services with 
insurance companies only--not computer or transaction 
processing firms--and only on a cost reimbursement basis
    Intermediary and carrier contracts provide for automatic 
renewal on an annual basis. Furthermore, HCFA may terminate a 
contract only for cause and not for convenience, while 
contractors may leave the Medicare program with 180 days 
notice. It generally takes HCFA six to nine months to transfer 
a contractor's workload to another contractor organization.
    Most importantly, because HCFA is required to reimburse its 
Medicare contractors for all allowable costs, the agency's 
ability to exert financial leverage over its contractors to 
direct funds toward such activities as Year 2000 compliance is 
limited.
    HCFA has been proactive in exerting what pressure is 
possible on the Medicare contractors with regard to Year 2000 
compliance. HCFA has proposed amendments to Medicare contracts 
requiring millennium compliance, and has released guidance that 
would provide more restrictive definitions of compliance and 
testing requirements. Nonetheless, we remain greatly concerned 
about the need for a faster pace of progress by Medicare 
contractors in meeting our Year 2000 goal.
    As I stated earlier, problems surrounding Year 2000 
compliance are an illustration of why the Administration has 
proposed contracting reform legislation. On February 27, 1998, 
HHS sent a proposal for Medicare contractor reform to Congress. 
This proposal would amend the Medicare statute regarding HCFA-
contractor relations. Our proposal would provide the Secretary 
with greater flexibility for managing the Medicare program, and 
allow increased discretion in contracting for claims processing 
and payment functions. Under this authority, the Secretary 
could award contracts from a larger pool of qualified 
contractors. We believe that this change would promote 
competition and potentially allow the Medicare program to 
obtain better value for its dollar. The new authority would 
also be especially helpful in allowing the Secretary to enforce 
contingency plans that permit business continuity in the event 
of system failure. This proposal has received the endorsement 
of John Koskinen, Special Assistant to the President for Year 
2000, in testimony before the Senate Governmental Affairs 
Committee.
    The proposal would allow the Secretary to contract for 
Medicare functions on a best value basis as permitted by the 
Federal Acquisition Regulations (FAR). It would change Medicare 
law to permit the Secretary to follow the FAR in administrative 
contracting. We would then be able to determine on a case-by-
case basis the most appropriate contractual arrangements, with 
fixed price and incentive provisions, for example.
    We have requested Medicare contracting reform from Congress 
for a number of years and recently submitted a proposal with 
our FY 1999 Budget request. While we understand that, due to 
uncontrollable variables, no organization can provide an 
absolute guarantee of end-to-end processing throughout the 
Millennium change, swift passage of this legislation now will 
provide HCFA with greater leverage to proactively manage 
Medicare contractors. We therefore, respectfully request, and 
encourage, your assistance in securing enactment of this very 
important proposal.
    We recognize that HCFA will continue to face a daunting and 
exhausting effort that contractor reform alone cannot address. 
As noted earlier, this will require additional resources to be 
used for contractor Year 2000 remediation or testing and 
independent verification and validation. We will especially 
depend on HCFA's IV&V contractor, who will review both internal 
and contractor remediation efforts. HCFA's testing contractor 
will provide independent assurance that Medicare claims 
processing systems will operate properly in the next 
Millennium.

          Administration for Children and Families Challenges

    ACF has 55 mission critical systems. Of these systems, 12 
are compliant, three are being repaired, 38 are being replaced, 
and two are being retired. ACF processes nearly 7,000 grants 
per year.
    ACF's mission critical systems fall into two major 
categories. These categories are grants and child support 
enforcement. Approximately 40 ACF systems award grant funds and 
track the grants ranking and approval process, as well as 
tracking financial and program information, for example, how 
many children are enrolled in a local Head Start program.
    Child support enforcement systems include the Federal 
Parent Locator Service (FPLS), which helps States to find non-
custodial parents for purposes of establishing or enforcing 
child support orders. The FPLS allows the States to search 
Federal Government data bases for information such as Social 
Security records and Internal Revenue Service tax information. 
The FPLS will be compliant by October 1, 1998.
    A new system mandated by the Personal Responsibility, and 
Work Opportunity Reconciliation Act, the New Hires data base, 
receives and processes information from all employers about 
newly hired employees. Knowing when an employee is newly hired 
or changes jobs can provide information that allows States to 
provide more timely location of absent parents. The New Hires 
Data Base was developed as a Year 2000 compliant system.
    ACF has completed the identification of its data exchanges 
and has established contact with its data trading partners. 
Many of ACF's data exchanges are incoming only. Much like the 
Centers for Disease Control, ACF is relying heavily on 
electronic bridging to convert non-compliant information, 
thereby avoiding difficult-to-detect ``soft failure'' caused by 
bad data.
    In fact, ACF's contingency plans to ensure the continuity 
of operations, should the need arise, will rely on electronic 
bridging to exchange information. For example, the Office of 
Child Support Enforcement systems will use electronic bridges 
developed as part of the renovation process to allow ACF to 
successfully exchange and process both compliant and non-
compliant data. In addition, ACF's systems for processing 
grants are being replaced by a Year 2000 compliant client-
server system called GATES.
    ACF is working closely with its state partners to ensure 
that the states continue to devote sufficient attention to Year 
2000 issues. As noted above, many state systems, including most 
of the child support enforcement systems, have been developed 
over the last five years and are Year 2000 compliant. Yet, some 
older systems, for example in the welfare programs, may need 
work. ACF will maintain a dialogue with the states, and will 
provide assistance where necessary

                Biomedical Equipment Outreach Activities

    Our Year 2000 related activities are not limited solely to 
HHS programs alone. On January 21, 1998, Deputy Secretary Kevin 
Thurm signed a letter, sent to over 16,000 biomedical equipment 
manufacturers, strongly urging them to identify noncompliant 
products, and the actions they are taking to ensure compliance. 
The manufacturers are now responding to this survey developed 
by my office and the Food and Drug Administration (FDA). The 
FDA now operates and maintains a public Internet web site 
listing all biomedical equipment information received from the 
manufacturers relating to Year 2000 compliance. The web site is 
operational and FDA is currently posting the manufacturer 
responses on the Internet ``http:/www.fda.gov/cdrh/yr2000/
year2000.html.''.
    We are planning additional outreach activities, beyond the 
biomedical equipment issues, to inform the health and human 
services community in general about Year 2000 issues. These 
issues include the potential for Year 2000 problems with 
facilities equipment, telecommunication products, and 
commercial off-the-shelf software that runs automated 
information systems.

                               Conclusion

    HHS still faces substantial challenges in our Year 2000 
efforts. However, let me assure you, on behalf of Secretary 
Shalala and Deputy Secretary Kevin Thurm, that we will continue 
to vigorously pursue Year 2000 remediation as our most 
important information technology initiative. We recognize our 
obligation to the American people to assure that HHS's programs 
function properly now and in the next millennium.
    I thank the Committee for its interest and oversight on 
this issue, and would be happy to answer any questions you may 
have.
      

                                

    Chairman Johnson of Connecticut. Thank you, Mr. Callahan.
     Mr. Dyer.

 STATEMENT OF JOHN DYER, PRINCIPAL DEPUTY COMMISSIONER, SOCIAL 
                    SECURITY ADMINISTRATION

     Mr. Dyer. Chairman Johnson, Members of the Subcommittee, 
I'm pleased to be here to testify today concerning the Social 
Security Administration's efforts to prepare for year 2000. SSA 
became aware of the year 2000 problem and began planning for it 
in 1989 to make sure that the payments that we make to more 
than 48 million beneficiaries will not be in jeopardy. Let me 
assure you that Commissioner Apfel and the senior staff at SSA 
are well aware of the great importance of all the issues 
surrounding year 2000 computer problems. As Commissioner Apfel 
testified before the Subcommittees on Social Security and Human 
Resources this year, ``preparing for year 2000 is 
unquestionably the biggest challenge the information technology 
industry has ever faced.''
    How are we progressing at SSA to resolve the year 2000 
problems? As of April 30, 1998, SSA has renovated more than 90 
percent of the agency mission-critical systems that support our 
core business processes: Enumeration, earnings, claims, 
postentitlement, and informing the public. We are scheduled to 
complete all testing of all systems by December 31, 1998, and 
have all systems implemented into production in January 1999 
providing a full year for postimplementation review. Beyond 
computer software, we have developed plans to address the year 
2000 problem in the areas of telecommunications, hardware 
infrastructure, and facilities infrastructure. We have plans in 
place to upgrade or replace all noncompliant equipment and are 
working with the vendor community, General Services 
Administration, and the CIO Council Committee on Year 2000 to 
test vendor fixes.
    What obstacles do we have yet ahead of us? In October 1997, 
the General Accounting Office issued a report entitled ``Social 
Security Administration: Significant Progress in Year 2000 
Effort, But Key Risks Remain.'' The report was generally 
complimentary of our year 2000 program. However, it identified 
three concerns: The States' Disability Determination Services 
systems compliance, data exchanges, and contingency planning 
which we are addressing at this time, and will continue to 
address.
    Now, let me talk about them individually. In terms of the 
State disability compliance, we have focused our attention on 
ensuring that the State's Disability Determination Services, or 
DDSs, as we call them, systems which are used to determine 
medical eligibility of disability applicants are made year 2000 
compliant by the end of December 1998. Each State has developed 
a plan for year 2000 conversion and SSA, working closely with 
each State, monitors the progress of each State against its 
project milestones. As of today, 21 of the 55 DDS systems have 
been renovated, tested, and implemented.
    Data exchanges: We have been actively addressing the issue 
of data exchanges which occur between SSA, other Federal 
agencies, States, and third parties. Thus far, 65 percent of 
our data exchanges are year 2000 compliant and implemented. Our 
target is to have all data exchanges implemented by December 
1998. We are focusing particular attention on our exchanges 
with affected benefit payments. We are working very closely 
with the Treasury Department to ensure that Social Security and 
Supplemental Security Income checks and direct deposit payments 
for January 2000 will be on time. In addition to testing with 
Treasury, which we started March 4 of this year, we have 
agreements to test from SSA through Treasury and the Federal 
Reserve's automated clearinghouse for our direct deposit 
payments.
    Contingency planning: On March 31, 1998, we issued the SSA 
Business Continuity and Contingency Plan. The plan addresses 
the core business functions, including disability claims 
processing functions supported by the DDSs which must be 
supported if year 2000 conversion activities experience 
unforeseen disruptions. The plan identifies potential risks to 
business processes, ways to mitigate each risk, and strategies 
for ensuring continuity of operations if planned corrections 
are not completed or if systems fail to operate as intended. We 
certainly hope there will be no need to activate our 
contingency plan. However, if there are unforeseen problems or 
year 2000 disruptions, the contingency plan will be implemented 
to ensure continuation of SSA's vital service to the public.
    Because of our early attention to this challenge, we are 
confident that our systems will function on and after year 2000 
to ensure that our core business processes proceed smoothly and 
without disruption as we move into the 21st century. When we 
open our offices for business on January 3, 2000, we expect to 
be prepared to provide the full complement of services to the 
American public with the accuracy and reliability they have 
come to expect from us. And if there are unforeseen problems, 
we have contingency plans in place to assure continuation of 
our operations.
    I'd be happy to answer any questions you may have. Thank 
you.
    [The prepared statement follows:]

Statement of John Dyer, Principal Deputy Commissioner, Social Security 
Administration

    Chairman Johnson and Members of the Subcommittee:
    I am pleased to be here to testify today concerning the 
Social Security Administration's (SSA) efforts to prepare for 
the Year 2000. SSA became aware of the Year 2000 problem and 
began planning for it in 1989 to make sure that the payments we 
make to more than 48 million beneficiaries will not be in 
jeopardy.
    Let me first assure you that Commissioner Apfel and all the 
Senior Staff at SSA are well aware of the great importance of 
all the issues surrounding the Year 2000 computer problem. As 
Commissioner Apfel testified before the Subcommittees on Social 
Security and Human Resources on March 12, 1998, ``Preparing for 
the year 2000 is unquestionably the biggest challenge the 
information technology industry has ever faced.''
    Because we were on the forefront of Year 2000 preparation, 
our Assistant Deputy Commissioner for Systems, Kathleen Adams, 
was asked to Chair the Chief Information Officers (CIO) Council 
Committee on Year 2000. The purpose of this committee is to 
share lessons learned and best practices in addressing the Year 
2000 challenge, address cross-cutting issues affecting all 
government agencies and identify ways to manage resources in 
solving the Year 2000 problem.
    At SSA, we have used a systematic approach to making sure 
systems are Year 2000 compliant. This approach consists of five 
phases:
    The Awareness phase, in which we defined the Year 2000 
problem and ensured that everyone in SSA was aware of it;
    The Assessment phase, in which we identified our core 
business processes, analyzed the systems supporting these 
processes, identified resources, and developed a detailed 
schedule for making corrections;
    The Renovation phase, in which we converted databases and 
are renovating software and modifying interfaces;
    The Validation phase, in which we are testing converted or 
replaced software; and
    The Implementation phase, in which we will implement 
converted or replacement systems.
    SSA has completed the first two phases as well as more than 
90 percent of the renovation phase of its Year 2000 program. We 
are in the process of testing all of our renovated systems in 
our Year 2000 Test Facility. We are on schedule to complete 
testing of all systems by December 31, 1998, and to have all 
systems implemented into production in January 1999, providing 
a full year for post-implementation review.

      How is SSA Progressing in Resolving its Year 2000 Problems?

    As of April 30, 1998, SSA has renovated more than 90 
percent of the Agency's mission-critical systems. These 
mission-critical systems support our core business processes--
enumeration, earnings, claims, postentitlement, and informing 
the public--through which we maintain the accuracy of 
beneficiary records and process and adjudicate claims. SSA has 
also renovated 67 percent of its non-mission-critical systems. 
All of SSA's systems are scheduled to be Year 2000 compliant by 
December of this year.
    In addition, we have taken an active role in addressing the 
issue of Year 2000 compliance in case processing systems used 
by the State Disability Determination Services (DDSs) and data 
exchanges between SSA and other entities.
    Furthermore, SSA has developed plans to address the Year 
2000 problem in the areas of our telecommunications and 
hardware infrastructure and facilities infrastructure. We have 
inventoried all components of these infrastructures and have 
plans in place to upgrade or replace all non-compliant 
equipment. We are working with the vendor community, the 
General Services Administration, and the CIO Council Committee 
on Year 2000 to test vendor fixes.

 What Obstacles Stand in the Way of the Completion of Preparations for 
                               Year 2000?

    In October, 1997, the General Accounting Office issued a 
report entitled, ``Social Security Administration: Significant 
Progress Made in Year 2000 Effort, But Key Risks Remain.'' The 
report was generally very complimentary of SSA's Year 2000 
program; however, it identified three concerns--DDS systems 
compliance, data exchanges, and contingency planning. At the 
time the report was issued we were addressing all three areas 
and we continue to do so.

                        DDS Software Compliance

    SSA has focused increased attention on ensuring that State 
DDS systems, which are used in determining the medical 
eligibility of disability applicants, are made Year 2000 
compliant by December 1998. There are 55 DDSs: one in each of 
the States and the District of Columbia, Puerto Rico, Guam, and 
the Virgin Islands, as well as the Federal DDS at SSA Central 
Office in Baltimore. Since DDSs are fully funded by SSA, Year 
2000 compliance activity costs in the DDSs were not borne by 
the States.
    We requested and received Year 2000 plans from each of the 
DDSs that identify specific milestones, resources, and 
schedules for completing Year 2000 conversion activities. All 
DDS systems are scheduled to be Year 2000 compliant by SSA's 
target of December 1998. As of today, twenty-one DDS systems 
have been renovated, tested and implemented. These DDSs are: 
Alabama, Arizona, Arkansas, Connecticut, Florida, Idaho, 
Indiana, Kentucky, Maine, Massachusetts, Michigan, Minnesota, 
New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Vermont, 
Washington DC, Wisconsin, and the Federal DDS.
    We are working closely with each DDS on monitoring and 
oversight of DDS Year 2000 activities. SSA has a DDS Year 2000 
Project Team working full time on DDS Year 2000 activities. 
Each DDS has named a Year 2000 Project Coordinator. In 
addition, each SSA regional office has named a DDS Year 2000 
Coordinator for the DDSs in that region. The SSA DDS Year 2000 
Project Team and SSA's Year 2000 Program Manager are in 
constant communication with the DDS Year 2000 Project 
Coordinators, Regional Office Coordinators, and State systems 
contractor representatives. The progress in each State 
continues to be monitored and tracked against project 
milestones in the State's Year 2000 plan.
    Since the majority of the DDSs (43) contract with one of 
two vendors for their systems, SSA decided to enter into a 
contract with each vendor to cover all of the Year 2000 
conversion work for these 43 systems. This was done to enable 
Year 2000 conversion work to begin more rapidly and to allow 
SSA to exercise a greater degree of control to ensure the Year 
2000 conversions are done timely. The DDSs which do not use 
these vendors' systems use either in-house systems, other 
vendor systems, or are not automated. The States using other 
systems have all entered into contracts with their vendors, or 
planned for in-house changes to their systems, respectively. 
There are five DDSs that do not have automated claims 
processing systems.
    We believe these actions and oversight activities, together 
with a close working relationship with the DDSs, will enable us 
to meet our schedule of making the DDS systems Year 2000 
compliant by December 1998.

                             Data Exchanges

    SSA has been actively addressing the issue of data 
exchanges which occur between SSA and other Federal agencies, 
States, and third parties. We have inventoried all of our 
external exchanges. In order to formally track the progress of 
each external data exchange, SSA developed the Data Exchange 
Tracking System (DETS). SSA has just over 2,000 data exchanges 
with Federal agencies, States, or third parties. For example, 
SSA exchanges data with the Treasury Department to make benefit 
payments and with the States to verify death records.
    We have been in contact with all of our trading partners 
regarding the format and schedule for making these data 
exchanges compliant. Thus far, 65 percent of our data exchanges 
have been made Year 2000 compliant and implemented. We are in 
the process of negotiating, scheduling, and implementing 
remaining changes. Our target is to have all data exchanges 
implemented by December 1998.
    We are focusing particular attention on our exchanges which 
affect benefit payments. We are working very closely with the 
Treasury Department to ensure Social Security and Supplemental 
Security Income (SSI) checks and direct deposit payments for 
January 2000 will be on time. The testing plans for Social 
Security and SSI payments have been approved by SSA and 
Treasury. Joint testing of files began on March 4, 1998, and 
testing is going as planned. In addition to testing with 
Treasury, we have agreements to test from SSA, through Treasury 
and the Federal Reserve's automated clearinghouse, for direct 
deposit payments.

                          Contingency Planning

    On March 31, 1998, we issued the SSA Business Continuity 
and Contingency Plan. The plan addresses the core business 
functions, including disability claims processing functions 
supported by the DDSs, which must be supported if Year 2000 
conversion activities experience unforeseen disruptions. The 
plan identifies potential risks to business processes, ways to 
mitigate each risk, and strategies for ensuring continuity of 
operations if planned corrections are not completed or if 
systems fail to operate as intended. The plan, which also 
identifies milestones, target dates, and responsible components 
for developing local contingency plans and procedures 
throughout all of SSA's operating components, will be updated 
quarterly and used to track development and testing of local 
contingencies planned throughout the agency.
    We certainly hope that there will be no need to activate 
the SSA Business Continuity and Contingency Plan. However, if 
there are unforeseen, Year 2000-induced disruptions, this 
contingency plan will be implemented to ensure continuation of 
SSA's vital services to the public.

    Will SSA's Data Systems Be Ready for the Transition to the New 
                              Millennium?

    There is no question that the Year 2000 problem is the 
biggest challenge ever facing the information technology 
industry. Since SSA is so dependent on computers to do its 
business and serve the public, we have taken this problem very 
seriously and dedicated the resources to address it in a timely 
manner.
    Because of our early attention to this challenge, we are 
confident that our systems will function on and after the Year 
2000 to ensure that our core business processes proceed 
smoothly and without disruption as we move into the 21st 
century. When we open our offices for business on January 3, 
2000, we expect to be prepared to provide our full complement 
of services to the American public with the accuracy and 
reliability they have come to expect from SSA. And, if there 
are unforeseen problems, we will have contingency plans in 
place to assure continuity of SSA's business operations.
    I would be happy to answer any questions you may have.
      

                                

    Chairman Johnson of Connecticut. Thank you very much.
     Mr. Flyzik.

 STATEMENT OF JAMES J. FLYZIK, DEPUTY ASSISTANT SECRETARY FOR 
   INFORMATION SYSTEMS; AND CHIEF INFORMATION OFFICER, U.S. 
                   DEPARTMENT OF THE TREASURY

    Mr. Flyzik. Madam Chairman, Representative Coyne, and 
Members of the Subcommittee, thank you very much for the 
opportunity to appear today to discuss the Department of 
Treasury's progress on year 2000. I request that my complete 
written testimony be submitted for the record. I'll summarize 
here for the sake of time.
    The Department has indicated that the year 2000 computer 
problem is our highest priority information technology 
challenge, and I am confident that Treasury has a strong 
program in place to address this challenge. While there is much 
work ahead of us, we have made significant progress to date. 
The Assistant Secretary for Management and Chief Financial 
Officer has the overall responsibility for year 2000. As the 
Deputy Assistant Secretary of Information Systems and Chief 
Information Officer, I am the overall program manager for this 
effort. Day-to-day responsibilities reside in my office. We 
have contracted with several firms with specialized skills to 
assist us with our effort. Attached to my submitted written 
statement is a chart that shows how we're organized to address 
this problem.
    The Secretary of the Treasury himself is briefed 
periodically by me on the status of our program, and the 
Assistant Secretary for Management and Chief Financial Officer, 
and myself meet every week with the bureaus to review their 
progress. We have working groups that meet regularly for 
information technology, noninformation technology, and 
telecommunications components and, our bureaus submit monthly 
reports to me.
    We've identified 323 mission-critical IT systems and 269 
mission-critical non-IT systems. At present, we have renovated 
133, or 55 percent, of the mission-critical systems that need 
to be converted. We can now report 125 out of 323 of the total 
mission-critical IT systems are year 2000 compliant.
    The TCS, Treasury Communications System, as mentioned by 
Commissioner Rossotti, is a nationwide data network serving all 
Treasury bureaus and many other Federal agencies. The TCS as we 
call it, provides multiple services and is the largest secure, 
private wide-area network in the U.S. civilian government. We 
have established a test laboratory where each component of this 
network can be tested both as an independent system and from an 
interoperability perspective as each component is 
interconnected with the other components. As Mr. Rossotti 
testified, we formed a combined program management team which 
brings all the individuals associated with this program 
together to work with our contractors in one location. We are 
coordinating issues with the manufacturer of each piece of 
equipment and software incorporated in our network, and we 
expect to be in a position by September 30, 1998, to be year 
2000 compliant.
    In order to address these challenges, we also have 
established a command center to serve as our central location 
for telecommunications activities, including our executive body 
and working group meetings. Charts and graphs that depict the 
current status of hardware and software for each corporate 
program, the independent verification and validation testing 
process, and progress tracking are displayed prominently for 
use by program managers and executives.
    To further promote communications among my offices, 
executive body, program areas, working groups, and our bureaus, 
we have established a telecommunication site on our year 2000 
Internet Web site. We have engaged a telecommunications company 
to perform independent verification and validation of all of 
our infrastructure components with respect to year 2000 
compliance.
    As of March 6, 1998, we have identified 6,898 external data 
exchanges of which 3,169 are incoming, and 3,729 are outgoing. 
The Department has assessed 99.7 percent of these external data 
exchanges and found that 87 percent are year 2000 compliant or 
have been granted a waiver. Of the 2,551 interfaces with the 
U.S. private sector, Treasury bureaus and offices thus far have 
contacted 2,446 and reached agreements with 2,391. In our 
regulatory and oversight roles, the Office of Thrift 
Supervision and the Office of the Comptroller of the Currency 
are participating with the Federal Financial Institutions 
Examination Council in aggressive programs to audit the 
financial institutions compliance on year 2000.
    In early 1996, we established September 1998 as a program 
milestone for completion of contingency plans. During a series 
of meetings with bureau and office heads in June 1997, the 
Department emphasized the need for contingency planning.
    In spite of our best efforts to date, and our aggressive 
plans for the future, the year 2000 is far from solved. Indeed, 
several key significant issues pose special challenges for us 
and possibly for other agencies as well. One issue that 
concerns us is vendor schedules for year 2000 compliant 
versions of their commercial off-the-shelf hardware and 
software products. As Mr. Rossotti indicated, we have a large 
number of products in our networks. Some vendors have yet to 
release year 2000 compliant upgrades.
    While we are continuing to work on our renovation efforts, 
our testing cannot be completed until we have obtained and 
integrated the year 2000 compliant third-party versions of 
these products. In addition to funding challenges, we must also 
contend with the increasing rate of attrition within our 
information systems work force. Skilled programmers, especially 
those with experience in legacy system platforms, are in strong 
demand within the private sector which can pay significantly 
higher salaries than the government.
    I believe that Treasury has an aggressive overall year 2000 
program in place and we are on target to complete the 
conversion, testing, validation, and implementation of all 
mission-critical systems in time to avoid disruptions to any of 
these critical systems. Nothing less than 100 percent 
compliance will be acceptable to the American public and to me 
personally.
    Thank you for the opportunity to meet with you today to 
discuss the actions being taken by the Department of the 
Treasury. I will be happy to answer questions you may have on 
this important matter.
    [The prepared statement follows:]

Statement of James J. Flyzik, Deputy Assistant Secretary for 
Information Systems; and Chief Information Officer, U.S. Department of 
the Treasury

    Chairwoman Johnson, Representative Coyne, and members of 
the Subcommittee, thank you for the opportunity to appear today 
to discuss the Department of the Treasury's progress on the 
Year 2000 computer problem. The Department of the Treasury has 
stated that the Year 2000 computer problem is our highest 
priority information technology challenge. I am confident that 
Treasury has a strong program in place to address this 
challenge, and while there is much work ahead of us, we have 
made significant progress to date.
    The Assistant Secretary for Management and CFO has overall 
responsibility for the Year 2000 date transition. As Deputy 
Assistant Secretary (Information Systems) and CIO, I am the 
overall program manager for the Year 2000 effort. The day-to-
day responsibilities of the Year 2000 program reside within my 
office. In addition, Treasury has contracted with several firms 
with specialized skills in the Year 2000 problem, and these 
firms are assisting the Department in its oversight role. 
Attached to this statement are copies of the Year 2000 Program 
Organization at the Department of the Treasury.
    Secretary of the Treasury Rubin is briefed periodically on 
the status of our Year 2000 program, and the Assistant 
Secretary for Management and CFO and myself meet weekly with 
bureau heads to review their Year 2000 progress. Working groups 
meet regularly for the IT, Non-IT, and Telecommunications 
components of our program. The Department requires each bureau 
and office to submit detailed monthly status reports. 
Additionally, the Secretary of the Treasury has mandated that 
each bureau and office head select an executive official to be 
in charge of their Year 2000 program. This individual, 
typically at the CIO or CFO level or higher, is responsible for 
ensuring that the Year 2000 program at their bureau or office 
is completed in a timely manner. I would now like to describe 
the overall status of Treasury's Year 2000 program, some 
successes we have experienced, and some remaining challenges we 
must address.
    Treasury has identified 323 mission critical IT systems and 
269 mission critical Non-IT systems. At present, we have 
renovated 133, or 54.7% of the mission critical IT systems that 
need to be converted. We can now report 125 out of 323 (38.7%) 
of the total mission critical IT systems are now Year 2000 
compliant.
    I believe that, as a Department, we have made significantly 
more progress than has been indicated by the above figures. We 
are conservatively not reporting progress until entire systems 
have been renovated and tested. For example, the Customs 
Service, like the IRS, manages its renovation efforts by 
components. Customs has three mission critical systems, all of 
which require repair, which included 186 components. Although 
we report none of these three Customs mission critical IT 
systems as completed renovation, testing, or implementation, 
the fact is that 68.5% of the components within these systems 
have been renovated, 35.3% have been tested, and 25% have been 
implemented.
    Treasury operates one of the largest enterprise 
telecommunications networks in the Government. This Treasury 
Enterprise System includes both local and nationwide 
telecommunications systems. My office is directly responsible 
for the Year 2000 compliance of these telecommunications 
systems.
    The Digital Telecommunications System (DTS) is an 
integrated voice/data local telephone system in over 30 
Treasury locations that serves over 30,000 Treasury employees. 
Treasury has established a phased implementation schedule so 
that DTS will be Year 2000 compliant by September 1998.
    The Treasury Communications System (TCS) is a nationwide 
data network serving all Treasury bureaus and some Federal 
agencies (such as Justice). The TCS provides multiple services 
and is the largest secure, private wide-area network in the 
U.S. civilian Government. We have established a test laboratory 
where each component of the TCS network can be tested, both as 
an independent system, and from an interoperability perspective 
as each component is interconnected with other components. 
Treasury is coordinating the Year 2000 issues with the 
manufacturer of each piece of equipment and software 
incorporated in the TCS network and expects to be operationally 
Year 2000 compliant on or before 30 September 1998.
    In order to address these challenges, a Year 2000 
Telecommunications ``Command Center'' has been established to 
serve as a central location for telecommunications activities, 
including the Telecommunications Executive Body and Working 
Group meetings. Charts and graphs depicting current hardware 
and software status of each corporate telecommunications 
program, the independent verification and validation (IV&V) 
testing process, and overall progress tracking are displayed 
prominently for use by program managers and executives. To 
further promote communications among the CIO, Executive Body, 
program areas, working groups and bureaus, the Department has 
established a telecommunications site on the Treasury Year 2000 
Intranet web site. In addition, Treasury has engaged a 
telecommunications company to perform independent verification 
and validation (IV&V) of the telecommunications infrastructure 
with respect to Year 2000 compliance.
    Since the kickoff of the Treasury Non-IT Working Group on 
August 28, 1997, Non-IT efforts have been continuing. The 
management planning and the definition of bureau and office 
specific Treasury Year 2000 Non-IT management plans began on 
October 16, 1997. These plans are based on the standard plan 
format, overall process, and content requirements as defined in 
the Treasury Year 2000 Non-IT Baseline Management Plan, dated 
October 16, 1997. This Treasury plan has been used as a model 
by the General Services Administration (GSA) for addressing 
Non-IT systems.
    The Non-IT effort is supported by a central Non-IT 
database, on the Treasury Intranet Year 2000 site, which 
provides a tracking tool to determine the compliance status of 
vendor products.
    As of March 6, 1998, Treasury bureaus and offices had 
identified 6,898 external data exchanges, of which 3,169 were 
incoming and 3,729 were outgoing. The Department has assessed 
6,878 out of 6,898 (99.7%) of these external data exchanges, 
and found that 87.3% are Year 2000 compliant or have been 
granted a waiver. Of the 2,551 interfaces with the US private 
sector, Treasury bureaus and offices thus far have contacted 
2,446 and reached agreements with 2,391.
    In our regulatory and oversight roles, the Office of Thrift 
Supervision (OTS) and the Office of the Comptroller of the 
Currency (OCC) are participating on the Federal Financial 
Institutions Examinations Council (FFIEC) with aggressive 
programs to audit financial institutions' compliance on Year 
2000.
    At the Department level, coordination on Year 2000 data 
exchanges has been ongoing with other government agencies. 
Treasury has held a series of meetings with executives and 
staffs from the Department of Defense and the Department of 
Agriculture's National Finance Center to address and resolve 
data exchange issues and readiness for Year 2000 testing.
    In early 1996, Treasury established September 1998 as a 
program milestone date for the completion of contingency plans. 
During a series of meetings with bureau and offices heads in 
June 1997, the Department emphasized the need for contingency 
planning and asked the bureaus and offices to accelerate their 
schedules for the development of these plans. Since then, Year 
2000 Contingency Management Plans have been developed at 
several bureaus and offices for mission critical IT systems and 
components. Factors such as failure date, time to implement, 
dependencies, interfaces, resources, responsible office, 
impact, and criteria for invoking the plans are included. The 
bureaus' and offices' contingency planning efforts will be 
expanded to address Non-IT mission critical systems and 
telecommunications items.
    In spite of our best efforts to date and our aggressive 
plans for the future, the Year 2000 problem is far from solved. 
Indeed, several significant key issues pose special challenges 
for us, and possibly for other Government agencies as well.
    One issue that concerns us is vendor schedules for Year 
2000 compliant versions of their commercial off-the-shelf 
hardware and software products. Some vendors have yet to 
release Year 2000 compliant upgrades of their products. While 
we are continuing to work on our renovation efforts, our 
testing cannot be completed until we have obtained and 
integrated the Year 2000 compliant third-party versions of 
these products.
    Treasury's cost estimates for fixing the Year 2000 computer 
problem have continued to rise. In our submission to OMB for 
the February 15, 1998, report, we estimated a total cost of 
$1.43 billion, with the bulk of that cost being incurred in 
this fiscal year. Our cost estimates were initially based in 
large part on a Year 2000 cost model that focused on costs 
associated with mainframe lines of code. In the period since 
those initial estimates were provided, Treasury bureaus and 
offices have made significant progress in their inventory and 
cost estimate efforts for repairing and testing IT items, 
telecommunications items, and Non-IT items. In the February 15, 
1998, quarterly report, we estimated Non-IT program costs of 
$68.6 million, and $295 million for telecommunications costs.
    In addition to funding challenges, we must also contend 
with the increasing rate of attrition within our information 
systems workforce. Skilled programmers--especially those with 
skills in legacy system platforms--are in strong demand within 
the private sector, which can pay significantly higher salaries 
than the Government.
    I believe that Treasury has an aggressive overall Year 2000 
program in place, and we are on target to complete the 
conversion, testing, validation, and implementation of all 
mission critical systems in time to avoid disruption to any 
critical systems. Nothing less than 100% compliance will be 
acceptable to the American public, or to me personally.
    Thank you for the opportunity to meet with you today to 
discuss the actions being taken by the Department of the 
Treasury in addressing the Year 2000 computer problem. I will 
be happy to answer any questions you may have regarding this 
important matter.

[GRAPHIC] [TIFF OMITTED] T3365.003


[GRAPHIC] [TIFF OMITTED] T3365.004

    Chairman Johnson of Connecticut. Thank you very much.
    Ms. Craig.

   STATEMENT OF CONSTANCE E. CRAIG, ASSISTANT COMMISSIONER, 
   INFORMATION RESOURCES, FINANCIAL MANAGEMENT SERVICE, U.S. 
                   DEPARTMENT OF THE TREASURY

     Ms. Craig. Good morning. Thank you for the opportunity to 
appear today. The highest priority of the Financial Management 
Service is to adapt our mission-critical computer systems to 
the century date change. FMS is devoting all possible resources 
to ensure that the day-to-day services we provide to the 
American people will not be disrupted after January 1 of the 
year 2000.
    FMS plays a central and critical role within the 
government. Virtually every Federal agency depends on FMS to 
facilitate the issuance of payments, collection of revenue and 
delinquent debt, and account for the government's receipts and 
outlays. Each fiscal year we issue over 850 million payments 
with a dollar value of more than $1 trillion. We issue these 
payments on behalf of civilian agencies, such as the Social 
Security Administration, the Department of Veterans Affairs, 
and IRS. FMS also provides debt collection services and manages 
the processing of roughly $1.4 trillion in Federal revenue. FMS 
also maintains the central accounting and reporting systems 
that track the government's monetary assets and liabilities.
    In terms of current status, we have turned a corner and 
gained momentum since the beginning of this year. We are now 
well underway with making the necessary changes to our software 
code and all but 3 of our 62 mission-critical systems are 
scheduled for completion by the end of 1998. The remaining 
three systems will be implemented in early to mid 1999. We are 
confident that we will complete all of the necessary work to 
ensure compliance before the beginning of the year 2000.
    As an example, we have made critical progress with the 
Social Security Administration to ensure that monthly direct 
deposits and check payments will continue to go out accurately 
and on time after January 1 of the year 2000. Our Philadelphia 
office and the Social Security Administration have been working 
closely together to coordinate the required program and format 
changes needed for Y2K compliance. As Mr. Dyer indicated, 
testing between Social Security and FMS began in March. We will 
complete that testing in July, and implement Y2K compliance 
systems for both Social Security and Supplemental Security 
Income payments in August. Based on the fact that our testing 
will be completed at least 15 months before the year 2000 
deadline, we believe we can be confident that all Social 
Security payments will be issued correctly and on time by FMS 
when the century begins.
    In addition to renovating and testing our critical systems, 
we are taking steps to mitigate risks by focusing extra 
attention on data exchange, certification, and contingency 
planning. FMS interfaces with almost every Federal program 
agency. We believe we can reduce risks by minimizing the 
interface changes needed for successful data exchange. For many 
of our systems we are not requiring agencies to change file 
formats or adopt a four-digit year. Our assessment indicated 
that these systems would continue to function beyond the year 
2000 without using a four-digit date. Our analysis also 
indicated that it would require less time and effort to ensure 
compliance if date and file formats remained the same. As a 
result, we are not changing those formats, rather, these 
systems are being internally modified to distinguish between 
the years 1900 and 2000.
    With regard to certification, we have developed procedures 
which include baseline testing, simulated forward date testing, 
and some actual forward date testing. We are also employing a 
contractor to provide independent review and validation of test 
results for each internal mission-critical system prior to 
certification.
    To further address the challenges and risks of Y2K, we are 
developing contingency plans to ensure that a basic level of 
service can be provided as disruptions occur. This includes 
identification of specific risks and associated mitigation 
strategies. As an example, if there are local power outages, we 
will move the work to one of our centers that has continuous 
backup power capability. We are putting a significant amount of 
effort into this planning because we do touch the lives of so 
many Americans, and we expect to complete the contingency 
planning process before the end of the summer.
    FMS views systems preparation for the year 2000 as our 
absolute highest priority and we will assign whatever resources 
are needed to ensure we do not fail.
    Thank you for allowing me the opportunity to discuss our 
plans to meet the year 2000 challenge. I would be happy to 
answer any questions you may have regarding this issue.
    [The prepared statement follows:]

Statement of Constance E. Craig, Assistant Commissioner, Information 
Resources, Financial Management Service, U.S. Department of the 
Treasury

    Chairwoman Johnson, and members of the Subcommittee, thank 
you for the opportunity to appear today to discuss the 
Financial Management Service's (FMS) progress in meeting the 
challenges posed by the year 2000 (Y2K) computer problem. In my 
capacity as Assistant Commissioner of Information Resources, I 
have the responsibility for making the program decisions to 
ensure that FMS computer systems are Y2K compliant.
    The highest priority of the Financial Management Service is 
to adapt its mission critical computer systems to the century 
date change. FMS is devoting all possible resources to ensure 
that the day-to-day services we provide to the American people, 
on behalf of other Federal agencies, will not be disrupted on 
January 1, 2000 or thereafter.
    FMS plays a central and critical role within the 
government. Virtually every Federal agency depends on us to 
facilitate the issuance of payments, collection of revenue and 
delinquent debt, and accounting for the government's receipts 
and outlays. Each fiscal year, FMS issues over 850 million 
payments, with a dollar value of more than $1 trillion. We 
issue these payments on behalf of civilian agencies such as the 
Social Security Administration, the Department of Veterans 
Affairs, and the Internal Revenue Service. Our payment services 
touch the lives of over 100 million people, and literally tens 
of millions of Americans depend on FMS systems to meet lifeline 
needs every month. FMS also provides debt collection services 
and manages the processing of roughly $1.4 trillion in Federal 
revenues, which include corporate and individual income taxes, 
customs duties, and Federal fines. And, FMS maintains the 
central accounting and reporting systems that track the 
government's monetary assets and liabilities, 7,500 separate 
Congressionally enacted accounts in all. Making sure our 
systems are year 2000 compliant is absolutely essential to our 
operations and the integrity of our systems for paying, 
collecting and accounting for money government wide.
    To make the necessary modifications to our automated 
systems for the century date change requires a massive, all out 
effort that touches every part of FMS. It is our number one 
priority effort and we are well underway with making the 
changes to our software code to have our systems in compliance. 
I have attached several charts to my testimony that show the 
status of FMS's 62 mission critical systems. Since January, we 
have implemented three replacement systems and completed repair 
on two systems requiring renovation, bringing to 15 the number 
of Y2K compliant mission critical systems. In addition, of the 
38 systems still in need of repair, we have completed 
assessment on 33, 22 of which are now in the renovation phase, 
and 11 of which are in validation testing. Implementation of 
Y2K compliant systems for all but three of our mission critical 
systems is planned, and on schedule, for completion by the end 
of 1998. The remaining three will be implemented in early to 
mid-1999. We are confident that we will complete all necessary 
work to ensure compliance well before January of the year 2000.
    For example, we have made critical progress with the Social 
Security Administration (SSA) to ensure that monthly direct 
deposit and check payments will continue to go out accurately 
and on time after January 1, 2000. Social Security 
disbursements comprise almost two-thirds of our overall payment 
volume. Each month, FMS issues 33 million electronic funds 
transfer/direct deposit payments and 17 million check payments 
to Social Security recipients. The majority of these payments 
are issued by our Philadelphia Regional Financial Center.
    The FMS Philadelphia office and the Social Security 
Administration have been working closely together to coordinate 
the required program and format changes needed for Y2K 
compliance. All of the programming changes necessary to begin 
Y2K validation have been completed, and testing between SSA and 
FMS began in March. Testing will be accomplished through all 
Social Security and FMS processes, including the transmission 
of input from the Social Security Administration to FMS, 
processing of that information in FMS's payment system, end to 
end testing from the payment system to FMS claims and 
accounting systems and the Federal Reserve, and transmission of 
output back to SSA. Validation will also be accomplished using 
both current and forward date testing. We will complete all of 
our testing by July, and implement Y2K compliant systems for 
both Title II (old age and survivors benefits) and Title XVI 
(supplemental security income) payments in August. Based on the 
fact that our testing will be completed at least 15 months 
before the year 2000 deadline, we can be confident that all 
Social Security payments will be issued correctly and on time 
by FMS when the next century begins.
    In addition to renovating and testing our critical systems, 
we are taking steps to mitigate the risks to our mission and 
the American people by focusing extra attention on data 
exchange, certification and contingency planning. Because 
almost every Federal program agency exchanges data with us, we 
are minimizing the amount of change needed to interface with 
our systems wherever possible. For the majority of the FMS 
payment, accounting and claims systems, we are not requiring 
agencies to change file formats or to adopt a four digit year. 
Our Analysis indicated that these systems could continue to 
function beyond the year 2000 without using a four digit date, 
and that it would require less time and effort to make the 
changes needed to ensure compliance if formats did not change. 
The majority of the agencies interfacing with these systems 
have also indicated that it would facilitate their conversion 
efforts if date and file format requirements do not change. 
Consequently, we are not changing these file formats, rather 
our systems are being internally modified to distinguish 
between the year 1900 and the year 2000. FMS has established a 
Web page and issued a number of Treasury Financial Manual 
bulletins, to provide guidance on these issues. We are also 
meeting regularly, and working closely, with our major data 
exchange partners to ensure we have a common understanding on 
date standards, file formats and testing schedules.
    With regard to certification, procedures have been 
developed which include baseline testing, simulated forward 
date testing and actual forward date testing. A contractor will 
be employed to provide independent review and validation of 
test results for each internal mission critical system, and 
make recommendations for re-testing or certification based on 
that review. If re-testing is necessary, they will provide 
specific guidance on necessary steps to fix identified problems 
and achieve successful validation testing. Certification is 
scheduled for completion on all but one of our systems, by 
March of 1999; the remaining system will be certified by June 
of 1999. Post implementation reviews will be conducted during 
the rest of 1999.
    Although these efforts will greatly reduce the chance of a 
systems failure, there will still be areas of risk as FMS 
depends on vendors for telecommunications and software 
services, and public infrastructure services for power and 
transportation. To address these challenges, we are also 
developing contingency plans so that, in the event there are 
Y2K related disruptions, a basic level of service can be 
provided to FMS customers and the Public until normal service 
can be restored. This includes identification of specific risks 
and associated mitigation strategies. As examples, if we 
experience data communications problems in one area, we could 
route the workload to another center; or if there are local 
power outages, we could move the workload to a center with 
backup power capabilities. Because FMS touches the lives of so 
many Americans, we are doing everything we can to ensure that 
our critical business services will not be interrupted. 
Completion of contingency plans is targeted for this summer.
    We view systems preparation for the year 2000 as our 
absolute highest priority, enabling us to successfully maintain 
payment and collection operations in the next century. FMS will 
assign whatever resources are needed to ensure we do not fail 
to accomplish these changes to our computer systems.
    Thank you for allowing me the opportunity to discuss FMS's 
plans to complete the work necessary to enable us to meet the 
year 2000 computer challenge. We recognize the importance and 
enormity of the challenge and are working to ensure that 
important government services are not disrupted on January 1, 
2000. I would be happy to answer any questions you may have 
regarding this issue.




[GRAPHIC] [TIFF OMITTED] T3365.006

    Chairman Johnson of Connecticut. Thank you very much, Ms. 
Craig.
    Ms. Goerl.

STATEMENT OF VINCETTE L. GOERL, ASSISTANT COMMISSIONER, OFFICE 
 OF FINANCE; AND CHIEF FINANCIAL OFFICER, U.S. CUSTOMS SERVICE

     Ms. Goerl. Good morning, Madam Chairman, and Members of 
the Subcommittee. It is a pleasure to appear before you to 
present Customs' approach to managing the year 2000 renovation 
effort and how the year 2000 will affect Customs' major program 
areas in fulfilling our commitment to deliver safe borders for 
the American people. With your permission, I would like to 
submit my formal statement for the record and briefly address 
some of the issues of interest to the Subcommittee.
    Everything I will discuss with you today revolves around 
Customs' commitment to ensuring that the transition to the next 
millennium will move smoothly with minimal disruption to trade 
and law enforcement activities. Customs interfaces with 
millions of people, commercial organizations, and national and 
international organizations through, or in conjunction with 
other computer and other systems.
    Three mission-critical systems support Customs' efforts, 
the Automated Commercial System processes over $850 billion in 
imported merchandise and accounts for the collection of $21 
billion in revenue. The Treasury Enforcement and Communications 
System assists in the processing of over 450 million passengers 
annually through the U.S. borders. The Administrative and 
Management System provides for Customs accounting functions, 
human resource management activities, payroll activities, and 
various other administrative functions. The failure of these 
mission-critical systems to be in compliance with the year 2000 
change could have a substantial impact on Customs programs. 
Customs compliance laws would have to be manually ensured which 
would cost the U.S. Treasury millions of dollars in fines, 
fees, and penalties. For our trading partners, the release of 
cargo would be delayed as millions of entries would have to be 
manually processed. This would cause a fundamental slowdown in 
trade and hinder the ability of businesses to provide their 
goods to their customers.
    Customs law enforcement activities rely on accurate and up-
to-date data. Inspectors rely on this data to make informed 
decisions as to which shipment to review resulting in possible 
loss of revenue. The Customs Treasury Enforcement and 
Communications System, or TECS, provides a large database of 
law enforcement data which interfaces with other Federal and 
State law enforcement systems and provides integral information 
for border operations. Without TECS, intelligence, alerts, and 
lookouts could be lost and we could see an increase in the 
smuggling of narcotics and other prohibited merchandise, money 
laundering, and commercial fraud.
    Our traveling public could also be adversely affected if 
the systems should fail due to year 2000 related problems, as 
advanced passenger information used for targeting high-risk 
passengers may be unavailable. This could result in more 
passengers being interviewed and more luggage searched causing 
congestion and backups at international processing facilities. 
With systems conversion problems, Customs could also be looking 
at manually processing checks, the majority of such payments 
now being made electronically.
    In order to ensure that these program nightmares do not 
occur, Customs developed a comprehensive year 2000 program in 
1997 in conformance with the General Accounting Office 
guidelines to address the efforts required to bring information 
technology systems and non-IT systems activities in conformance 
with year 2000 requirements. An executive council, composed of 
senior Customs managers, was formed to provide oversight to the 
program. A systematic approach was developed to address the 
year 2000 challenges. Detailed plans were developed to guide 
the year 2000 efforts through each step of the process in 
conformance with the GAO requirements and OMB mandates. 
Contingency plans also have been developed to address mission-
critical computer systems in the event of major systems 
failures. Contingency plans are in process to address non-
mission-critical computer systems, computer operating systems, 
and telecommunications.
    I'm happy to report that Customs is on schedule to meet 
target dates established by the year 2000 program plan. To 
date, of the 21 million lines of code associated with mission-
critical systems, 88 percent have been renovated, 60 percent 
have been tested, and 37 percent are back in production.
    For the non-IT items, we are continuing our assessment of 
building systems by reviewing the H-back systems, elevators, 
and security. Our plans call for the LAN and personal computers 
to be assessed, tested, and brought into year 2000 conformance 
by either making modifications or replacement of the equipment. 
Of the over 4,300 other non-IT products we have assessed in our 
inventory, 67 percent do not have a date functionality. Of the 
products with date function, 93 percent are year 2000 
compliant. Our next steps in the non-IT area will be to 
validate the products, oversee the renovations, and develop 
product-specific test plans and execution strategies. By 
October 1, 1998, all mission-critical and non-mission-critical 
systems are to be in production to allow for the full fiscal 
year of operations for the year 2000. By March 31, 1999, all 
non-IT systems are to be in production.
    The cost to complete the year 2000 renovation is estimated 
at $122 million. These costs represent the estimated 
expenditures from project conception to completion, that is, 
for fiscal 1997 through the year 2000. Of this amount, $34 
million relates to the three mission-critical systems, and 
$50.5 million relate to nonapplications such as personal 
computers, mainframe upgrades and infrastructure.
    In closing, I would like to say that although we have made 
much progress in year 2000 efforts, Customs' year 2000 program 
approach has provided long-term benefits beyond the year 2000 
conversion. This approach has allowed us to take positive steps 
toward guiding application inventory, central repository, 
standard metrics for measuring performance, and contingency 
planning. We realize that there's not much left to be done. 
However, we will continue to follow our Y2K project approach 
and move toward our implementation goals. We look forward to 
working with the Subcommittee to accomplish year 2000 
conversion efforts.
    Thank you, Madam Chairman. I would be pleased to answer any 
questions.
    [The prepared statement follows:]

Statement of Vincette L. Goerl, Assistant Commissioner, Office of 
Finance; and Chief Financial Officer, U.S. Customs Service

    Good morning, Madam Chairman and Members of the 
Subcommittee. I am pleased to be here today and present Customs 
approach to managing the Year 2000 renovation efforts, the 
status of our efforts and how our efforts will affect Customs 
major program areas. Although the original mission of Customs 
was to collect revenue, its role includes guarding and 
protecting the nations's borders. Customs inspectors at the 
borders are the nation's first line of defense against illegal 
drugs, tainted or deseased food and plant products, unsafe or 
counterfeit goods, illegal weapons, other types of contraband, 
child pornography, financial crimes and money laundering. It is 
important for Customs to process passengers and cargo quickly 
and efficiently but also to ensure that sufficient vigilance 
and care are exercised to detect and intercept noncomplying 
persons and substances.
    To ensure that Customs pursues its mission effectively and 
efficiently, three mission critical systems are used. The 
Automated Commercial System processes over $850 billion in 
imported merchandise and accounts for the collection of $21 
billion in revenue. The Treasury Enforcement and Communications 
System assists in the processing of over 450 million passengers 
annually through the U.S. borders. The third system, the 
Adminstrative/Management System provides for Customs accounting 
functions, human resource management activities, payroll 
activities and various other administrative functions. Within 
Customs, nearly 21 million lines of code must be reviewed as a 
part of the Y2K efforts for these mission critical systems. 
Without renovation to these systems, collections after December 
31, 1999, cannot be deposited for any previous dates; alerts, 
lookouts and intelligence would be lost; and payments to 
creditors and employees would be delayed or incorrect. Y2K non-
IT efforts require among many things that 340 LANs and 19,000 
personal computers be brought into compliance, and for 
laboratory equipment to be tested and upgraded as necessary.

                             Program Impact

    Customs interfaces with millions of people, commerical 
organizations and national and international governmental 
organizations. Much of this interface is through or in 
conjunction with computer and other systems. As a result, the 
failure of these systems to be in compliance with the century 
change, would critically impact commerce and law enforcement in 
the United States.

United States Citizenry

    The United States Customs compliance laws would have to be 
manually enforced which could cost the United States Treasury 
millions of dollars in fines, fees and penalties. In addition, 
collections could be further impacted should post Year 2000 
dates result in incorrect interest and aging calculations.

Trading Partners

    Our goal for our Trading Partners is to ensure the release 
of cargo will not be delayed. The nearly 1.5 million entries, 
most of which are automatically released, would have to be 
manually processed. Delays up to a week or more could occur. 
This could cause a fundamental slow down in trade and hinder 
the ability of businesses to provide their goods to their 
customers. For instance, businesses with ``just-in-time'' 
inventories will have tremendous problems conducting normal 
activities. Additionally, shipments with perishable goods could 
see spoilage causing potentially tremendous losses before the 
entries are processed and the goods are releasable into the 
economy.
    Brokers, importers, port authorities and others currently 
have direct access to certain public Customs computer files--
primarily entry summary type of data. Qualified users can now 
monitor and track product entries by use of such tools as 
information queries, paper less electronic updates and 
messaging. Tariff, quota status and cargo release data are just 
some types of data available to qualified system users which 
would no longer be available, in the event of system failures. 
The impact of not being able to provide this access would not 
only mean delays in processing import information but also 
would burden Customs staffing and may result in less compliance 
enforcement, as well as less accurate revenue information.
    The trade community would suffer further should there be a 
failure to the systems that the air, sea, rail and truck 
carriers use to assist them in reconciling their cargo 
inventories. The reconciliations are necessary as they lead to 
better management of carriers billing, accounting and traffic 
control functions.

U.S. Law Enforcement Organizations

    For most U.S. Law Enforcement Organizations, enforcement or 
compliance laws would be in jeopardy if the automated processes 
used to assist Customs Inspectors in determining which 
shipments to review is not functioning properly. As a result, 
the review process would be based solely on the Inspectors' 
intuitive analyses. This could lead to loss of revenue in the 
form of fines, fees, penalties and seizures.
    The Customs Treasury Enforcement and Communications System 
provides a large database of law enforcement data which 
interfaces with other Federal and State law enforcement 
systems. The system supports other agency border operations, 
for example, the Immigration and Naturalization Service. 
Without this system, intelligence, alerts, and lookouts would 
be lost or not available on a timely basis. Law Enforcement 
agencies may not be able to detect criminal elements not only 
on the border but at numerous other locations throughout the 
country. Increases in smuggling or narcotics and other 
prohibited merchandise, money laundering, and commercial fraud 
would be a real possibility.

Traveling Public

    The Traveling Public would be adversely affected as 
advanced passenger information used for targeting high risk 
passengers may be unavailable should Customs, air carriers and 
cruise ships systems fail due to Year 2000 related problems. A 
result would be that a larger number of passengers would be 
interviewed and luggage searched leading to increased passenger 
processing time, missed transportation connections and a 
possible ``melt down'' at international processing facilities.

Banking Industry

    Most of the payments to and from Customs are automated. 
Filers transmit payment authorization electronically. The 
payer's account is debited and the Customs account is credited 
with the amount due, requiring no paper payments and no 
cashiers. Additionally, Customs clearinghouse bank 
automatically provides debit information to the payer's (trade 
community) bank. To revert to manual processing of checks would 
adversely impact not only cash flow to Customs but would result 
in an overwhelming increase in labor costs for both Customs and 
the payer's banks to process the millions of checks generated 
daily. The accuracy and timeliness of payment data would also 
be impacted.

Other Government Agencies

    Other Government Agencies interface with Customs computer 
systems and would experience problems should Customs not be 
Year 2000 compliant. One Customs system edits broker 
transactions against classifications established by the Census 
Bureau. The classification parameters are generally measured 
against tariff numbers. The data is gathered from the entries 
and is collected to support the Census Bureau statistical data 
capture needs.
    The Fish and Wildlife Service, Food and Drug Administration 
and U.S. Department of Agriculture rely on Customs selectivity 
modules to support their compliance efforts. These agencies 
would have to revert to manual methods, should they no longer 
be able to rely on Customs systems.
    Antidumping and Countervailing (AD/CVD) enforcement would 
be impacted by the loss of Customs computer systems. When a 
United States industry files a claim that merchandise is 
illegally being sold at less than fair value, these systems are 
used to track the case as it is investigated. Data is 
maintained by the U.S. Department of Commerce and is used by 
Customs as part of its investigative function.

                              Y2K Program

    To address the renovation efforts and potential problems, 
Customs developed a comprehensive Y2K Program. The Y2K Program 
was developed in compliance with General Accounting Office 
guidelines to address the efforts required to bring IT systems 
and non-IT activities in compliance with Y2K requirements. To 
provide oversight to the Y2K Program, the Executive Council 
composed of senior Customs managers was formed. The Program 
ensured that an approach was taken to address vulnerability 
assessments, renovation of mission critical systems, validation 
of efforts and implementation. Also, the Program included 
provisions for the completion of non-IT building and equipment 
surveys. Comprehensive strategic and operations plans were 
developed to guide the Y2K efforts through each step of the 
process in conformance with the GAO requirements and OMB 
mandates. Contingency plans were developed to address Customs 
mission critical computer systems in the event of major systems 
failures. Contingency plans are also in process to address non-
mission critical computer systems, computer operating systems 
and telecommunications.
    For non-IT items, we are continuing the assessment of 
building systems, equipment and security systems. Most of these 
systems and products do not date functionality or are 
compliant. Solutions and fixes have been identified, but must 
be validated or tested. Our biggest challenge will be ensuring 
that personal computers and LANS located in over 1500 locations 
are compliant, either through modification or replacement
    Customs is on schedule to meet target dates established by 
the Y2K Program plans. Of the 21 million lines of code 
associated with mission critical systems, to date 88 percent 
have been renovated, 60 percent have been tested and 37 percent 
are in production. By October 1, 1998, all mission critical and 
non mission critical systems are to be in production to allow 
for a full fiscal year of operation before the year 2000. By 
March 31, 1999, all non-IT systems (telecommunications, 
building equipment, etc.) are to be in production.

                                 Costs

    Project costs to complete the Y2K renovations are estimated 
at $122 million. These costs represent the estimated 
expenditures from project conception in FY 1997 to completion 
in FY 2000, but do not include $1.5 million for independent 
verification and validation. The $122 million includes:
    --$34.1 million relates to the three mission critical 
systems,
    --$50.5 relates to non applications (personal computers, 
mainframe upgrade, infrastructure, etc.),
    --$10 million relates to non-IT systems,
    --$9 million to the Y2K Program Office, and
    --$18.1 million for government labor.
    The Y2K Program approach has several long term benefits 
beyond the conversion to the Year 2000. This approach has 
allowed us to streamline application inventory, create a 
central repository by tying applications to files, tables and 
internal and external users implementing a Uniform methodology, 
and develop standard metrics for measuring performance. We 
realize that there is much left to be done. We will continue to 
follow our Y2K Project approach and move toward our 
implementation goals. This concludes my statement for the 
record. I will be happy to answer and questions the Committee 
may have. Thank you again for this opportunity to appear before 
the Committee.
      

                                

    Chairman Johnson of Connecticut. Thank you very much. We 
have been notified of a vote so I think with five of us here 
we'll each ask one question, so we get one brief round, and 
then in case anyone can't come back for a few minutes, they 
will have had one chance.
    I'll start with Mr. Callahan. First of all, thank you all 
very much for your testimony. It's apparent that you are all 
very focused on this project in your various agencies. It also 
is apparent that time is an advantage, Mr. Dyer, that Social 
Security started early and you are well advanced. I hope that 
some of your testing experience may give guidance to others 
that are well behind you, and prevent them from making 
unnecessary mistakes.
    Mr. Callahan, last month you testified before the House 
Appropriations Subcommittee on Labor, Health and Human 
Services, and Education, of HCFA's great concern of the slow 
pace the Medicare contractors were making toward meeting their 
year 2000 goals. What triggered your concern and how confident 
are you that the contractors are meeting this? And do you have 
any reason at all to believe that you should have any concern 
about the Medicare Choice plans?
    Mr. Callahan. In terms of what triggers our concern, Madam 
Chairman, obviously, the basic concern is they have to be up 
and running the 70 systems, as you know, process all those 900 
million fee-for-service claims. We have visited HCFA staff, as 
well as some departmental staff, have now visited all the 70 
contractors and I think there's a general feeling that while a 
number of the contractors are making some significant progress, 
obviously, we would like to be in a position to have them all 
be ready to do end-to-end testing by December 31, 1998. I think 
that's a tall order and so that's the reason I indicated my 
concerns at the Subcommittee hearing. With regard to 
Medicare+Choice, I think the issue is somewhat the same as Mr. 
Rossotti mentioned. A lot of the people we're having dealing 
with the programming of systems have to do year 2000, they 
initially were doing transition work to single A and single B 
systems which we've now suspended so that they can go back to 
year 2000 work. So, I will give you an answer for the record 
about the impact of this on our Medicare Choice contractor 
systems. I don't have a definitive answer for you right now.
    Chairman Johnson of Connecticut. OK, thank you very much.
    Mr. Coyne.
    Mr. Coyne. Thank you, Madam Chairman. Mr. Dyer, are there 
any particular concerns that you have with regard to the 
administration, Social Security Administration's systems 
interface with IRS, the employers and others that you deal 
with?
    Mr. Dyer. At this time, we do not have any concerns. We 
track it. I have a list biweekly of where we are, whom we're 
working with. As I mentioned, 65 percent of our data exchanges 
are year 2000 compliant and have been implemented, and we've 
set our priority, obviously, on being able to assure we get our 
payments out, our checks out, direct deposits made 
successfully, and we're zeroed in on it. At this time, we're 
not aware of any problem.
    Mr. Coyne. And your relationships with the others doesn't 
present you a problem?
    Mr. Dyer. No, we've been working very closely with 
everybody at this table.
    Mr. Coyne. Thank you.
    Chairman Johnson of Connecticut. Mr. Hulshof.
    Mr. Hulshof. Mr. Callahan, following up Mrs. Johnson's 
questions regarding the contractor issue, seems that a lot of 
the claims processing contractors are doing a great deal of 
non-Medicare business which requires Y2K compliance systems. In 
fact, some of your part B claims processing is done by a firm 
that is well known within the industry. So is there a problem 
with these contractors? I'd like you to elaborate just a little 
bit if you would.
    Mr. Callahan. Well, I can't give you a specific answer for 
every specific contractor. I'll give you this general answer. 
We do know--it's our understanding that on their non-Medicare 
side of the business, which is the proprietary side, they're 
obviously moving heaven and Earth to make sure that that part 
of their business is Y2K compliant. We would hope, obviously, 
that the lessons they learn there will be reflected back over 
into the Medicare side. One thing that I would mention is that 
we indicated in my testimony that we believe there is a need 
for additional resources for the contractor effort at HCFA to 
make it Y2K compliant. We received another $20 million. We're 
going to be transferring probably another $43 million as 
quickly as we can and another $60 million in 1999. So we will 
move the resources as best we can into this effort.
    Chairman Johnson of Connecticut. Thank you.
    Ms. Thurman.
    Ms. Thurman. Mr. Dyer or Ms. Craig, in following up to Mr. 
Coyne's question, we talked a lot about agencies within 
agencies, what about direct deposit where we would be working 
with banks? What is happening in that area?
    Mr. Dyer. Why don't you go ahead.
    Ms. Craig. The Federal Reserve System has already announced 
that they are compliant, and for the electronic payments, we 
actually transmit those payments to the Federal Reserve and 
then they're working with all the financial institutions. Most 
of them, we think, are doing OK. If it should turn out that 
there is a bank that is not ready, that payment would then come 
back as nonreceipt, and we would, back through the Federal 
Reserve, through Treasury, to Social Security. So it wouldn't 
get lost, it's just that it would take extra time then to 
either reissue it as a check payment or wait until that bank 
was ready to issue it.
    Ms. Thurman. OK, thank you.
    Chairman Johnson of Connecticut. I think it was Mr. 
Callahan, one of you mentioned in your testimony that in the 
telecommunications area, some of the companies did not have Y2K 
compliant components yet. Which one was it?
    Mr. Flyzik. Madam Chairman, yes, that was me--Treasury 
operates the largest private communications network in the 
civilian government and one of the risks I identified is the 
massive complexity of scheduling this. We're scheduling around 
the IRS tax season. We're scheduling around what we need to do 
to support all the bureaus as well as then trying to plan that 
as vendor compliant products become available, we need to 
factor in their schedules. One of the high-risk areas we have 
is some of those vendors schedules have continued to move and 
have been moving targets which means we are constantly 
adjusting our schedules to be able to do end-to-end testing. So 
even though many of our applications will be available, say in 
Washington and out in various regions, the ability to test them 
across the entire United States for all the components that 
we're relying on from the commercial services, individual 
products, and vendor's components has been an issue we're 
dealing with.
    Chairman Johnson of Connecticut. This is extremely 
concerning. I mean it's very clear from all of you the role the 
telecommunications system plays in the government being able to 
serve nationally and internationally its taxpayers and 
customers. And if we can do everything we're responsible for 
doing but can't get the parts then we have the same outcome. So 
I would like to have you get back to me about how serious this 
is, what can be done, is there a way to press forward on a 
second set of suppliers. We have faced these situations 
sometimes in defense areas, and certainly we cannot allow the 
possibility of untimely delivery of components to prevent us 
from moving forward if we've met all the other management 
challenges and technical challenges associated with being 
compliant with the year 2000 demand. So if there's--I think you 
need to enlarge on that for us and I think we need to talk 
through whether there's any way that we could be a more helpful 
partner in achieving that goal. I am going to dismiss this 
panel. We're going to go vote, give you all a break. I'm sorry 
that we didn't have a longer question period but I appreciate 
the quality of your testimony and also because we haven't had 
much time to question, we may follow up with written questions 
not raised and then, of course, there is some conversation to 
go forward on issues raised.
    We'll recess for, is it one vote or two? One vote. We'll 
recess until 12. Thank you.
    [Recess.]
    Mr. Portman [presiding]. First, John Bace is here, research 
director of the Gartner Group, Inc., in Rosemont, Illinois. 
We're also going to hear from Harris N. Miller, president of 
Information Technology Association of America; Steven McManus, 
who is communications manager of the BankBoston, Boston, 
Massachusetts; Irene Dec, vice president, information systems, 
Prudential Insurance Co. of America; Jennifer Jackson, general 
counsel of the Connecticut Hospital Association, on behalf of 
the American Hospital Association; and Mary Nell Lehnhard who 
is senior vice president, Office of Policy and Representation, 
Blue Cross and Blue Shield.
    Mr. Bace, if you could begin the testimony. We'll just go 
right down the line. We have 5 minutes for your formal 
presentation, and any written material you have will be happily 
accepted into the record, but we want to keep it on track so we 
have a chance to ask questions.
    Mr. Bace.

 STATEMENT OF JOHN BACE, RESEARCH DIRECTOR, GARTNER GROUP, INC.

     Mr. Bace. Very good. Thank you, Mr. Chairman, and Members 
of the Subcommittee. My name is John Bace and I'm a research 
director for the Gartner Group and I would like to take this 
opportunity to thank you for inviting us today to share with 
you our findings on the year 2000, or Y2K as it's known, and 
the state of work underway on year 2000 projects, both here in 
the United States and around the world.
    Before I get into the details of our research, allow me to 
tell you something about the Gartner Group. Founded in 1979, 
we're the world's largest information technology research and 
advisory firm, with more than 33,000 individual clients at more 
than 9,000 organizations worldwide. We cover this very fast 
growing industry with more than 750 analysts located in 49 
countries around the world. We published our first research 
about the upcoming impact on Y2K back in 1989 and we're sorry 
to say that we can only deduce that our warnings and 
suggestions have gone mostly unheeded. Our current research, 
completed in the first quarter of 1998 on the state of the IT 
infrastructure regarding year 2000 makes us very pessimistic. 
Indeed, the year 2000 problem infesting the world's computers 
and IT systems has the potential to have a negative impact on 
or to disrupt the normal flow of everything we do, from brewing 
our coffee in the morning and recording our favorite television 
show at night, to putting into question our financial net worth 
or keeping track of who we are and where we work.
    At the heart of this problem, as you've heard time and 
again, is the practice of using only two digits to record the 
year in computer programs, records, and database entries. 
Thirty-five years ago when hardware was expensive and storage 
was scarce and the industry was evolving quickly, the use of 
two digits for years was considered a best practice. The 
programmers or systems analysts of the day never thought that 
the programs that they were writing would survive to the end of 
the decade, much less into the next century. Indeed, many 
companies faced many Y2K crises in 1969, 1979, and 1989 as they 
wrestled with some computer programs that kept track of the 
year with only one digit. However, the way the industry evolved 
building the next generation on top of the previous, those best 
practices of yesteryear became the cracks in the foundation 
that threaten the entire house today.
    As a result, we stand on the threshold of an unpredictable 
and uncertain future. No one is completely sure what impact 
this year 2000 problem will have on us personally, on the 
economy, or the society in general. Some will lead you to 
believe that the problem will begin at the stroke of midnight 
on December 31, 1999. Indeed, some scenarios recall the fifties 
science fiction movie, ``The Day the Earth Stood Still,'' with 
lights going out, motors grinding to a halt, and airplanes 
falling from the sky.
    These are not the subjects of our research at the Gartner 
Group regarding the year 2000. We believe that the fundamental 
computer programs, those that are used to run most companies 
have, in some cases, already experienced the year 2000 anomaly. 
Indeed, some production planning systems that use a 5-year 
resource balance view, hit the Y2K wall 3 years ago. Insurance 
companies and financial institutions that calculate interest 
rates have been wrestling with and doing work around the 00 
year for some time. In each case, as these companies hit their 
time horizon failure, or THF, as we call it, normal operations 
were interrupted and the resources of the enterprise were 
thrown in to fight the problem in crisis mode.
    Most have handled these year 2000 problems successfully and 
have done nothing more than create a small ripple through the 
economic structure of the company. What worries us at the 
Gartner Group is that as we approach New Year's Eve 1999, more 
and more companies will hit their time horizon failure on more 
and more different applications. As a result, more and more 
business functions within each enterprise will be negatively 
impacted and need to be dealt with in a crisis mode. We're 
afraid that there just will not be enough talent and resources 
available, given the amount of time left, to handle all of the 
potential failures in a timely fashion. As a result, companies 
could lose the ability to process invoices, issue payroll 
checks, or collect taxes for an unpredictable amount of time as 
they wrestle with each system failure. Other companies who are 
dependent upon electronic commerce, EDI, or just-in-time 
manufacturing need to be concerned about the integrity of the 
systems of their trading partners and their supply change. For 
example, the inability of a parts supplier to be able to 
correctly read inventory levels at manufacturing companies 
could shut down another firm's production line. The result is 
that no one single year 2000 problem hits a major artery that 
could kill a company, however, the combination of failures 
within the enterprise and from outside might have the effect of 
disrupting business in such a way that the company bleeds to 
death instead from a series of paper cuts.
    As normal business operations are interrupted, there will 
be follow-on economic disruptions. Some say the impact will be 
mild, a two- or three-quarter dip in the gross national product 
that will feel like a speed bump on the road of the longest 
economic expansion in history. Others suggest that the year 
2000 business disruptions will be a pothole that finally puts 
to an end our growing economy. Indeed, one estimate suggests 
the economic impact will be equal to the OPEC oil embargo in 
1972.
    Finally, before I get into the details of our research, 
allow me to share with you one last observation about the year 
2000 marketplace. Some estimate that Y2K has the potential to 
become the most litigious event in the history of civilization. 
Indeed, if the Internet is any indication and depending upon 
the type of search engine you use, you may find nearly one half 
of the results from a search on year 2000 and Y2K to be from 
law firms or class action groups preparing for the results of 
the new millennium crossover. Lloyds of London, at an 
underwriter's conference in June 1997, estimated impact of year 
2000 total cost for just the United States at $1 trillion. The 
Lloyds' figure included not just the cost of hardware, 
software, and services for remediation, but also the cost of 
litigation, actual and punitive damages, and lost opportunity 
cost.
    Five years ago, the Gartner Group began work on a 
measurement tool called the COMPARE Scale, and COMPARE stands 
for compliance, progress and readiness. Our clients told us 
that they wanted a universally understood yardstick that could 
be used to communicate within the enterprise, the board of 
directors, auditors, trading partners, and customers, about the 
status of the year 2000 remediation efforts.
    Mr. Portman. Mr. Bace.
    Mr. Bace. Yes.
    Mr. Portman. Could I ask you to summarize the remainder of 
your oral testimony? Again, knowing that your entire written 
statement will be made part of the record.
    Mr. Bace. Very well, sir. In essence, what we find as of 
the first quarter of 1998, is there are only 5 percent of all 
companies in the world that are fully remediated year 2000 
capable. They are at what we call level 4, which is all 
mission-critical systems fully operational and the enterprise 
is operationally sustainable, the enterprises are at 10 
percent. Those who have at least 20 percent of their systems 
remediated and in work is at 25 percent, and we find 
approximately 50 percent of all companies have, at this point 
in time, not touched a single line of code at work in Y2K. And 
if we project that out to the future, given the trend lines, by 
January 1 in the year 2000, only 50 percent of the companies of 
the world, the enterprises of the world will be at what we call 
level four, or level five which is basically operationally 
sustainable vis-a-vis year 2000.
    [The prepared statement follows:]

Statement of John Bace, Research Director, Gartner Group, Inc.

    Good afternoon Madam Chairwoman and members of the 
committee. My name is John Bace and I am a research director 
for the Gartner Group. I would like to take this opportunity to 
thank you for inviting us here today to share with you the 
findings of our research on the year 2000--or Y2K as it is 
known--and the state of work underway on year 2000 projects 
both here in the United States and around the world.
    Before I get into the details of our research, allow me to 
tell you something about the Gartner Group. Founded in 1979, we 
are the world's largest information technology (IT) research 
and advisory firm with more than 33,000 individual clients at 
more than 9,000 organizations worldwide. We cover this very 
fast-growing industry with more 750 analysts located in 49 
countries around the world.
    We published our first research about the upcoming impact 
of the Y2K problem on IT organizations back in 1989. We are 
sorry to say that we can only deduce that our warnings and 
suggestions have gone mostly unheeded. Our current research--
completed in the first quarter of 1998--on the state of the IT 
infrastructure regarding year 2000 makes us very pessimistic.
    Indeed, the year 2000 problem infesting the world's 
computer and IT systems has the potential to have a negative 
impact on to disrupt the normal flow of everything we do: from 
brewing our coffee in the morning and recording our favorite 
television show at night to putting into question our financial 
net worth or keeping track of who we are and where we work.
    At the heart of this problem is, as you have heard time and 
again, the practice of using only two digits to record the year 
in computer programs, records, and database entries. Thirty-
five years ago when hardware was expensive, storage was scarce, 
and the industry was evolving quickly, the use of two digits 
for years was considered a best practice. The programmers or 
systems analysts of the day never thought the programs they 
were writing would survive to the end of the decade, much less 
into the next century. Indeed, many companies faced mini-Y2K 
crisis in 1969, 1979 and 1989 as they wrestled with some 
computer programs that kept track of the year with only one 
digit.
    However, the way the industry evolved, building the next 
generation on top of the previous, those best practices of 
yesteryear became the cracks in the foundation that threaten 
the entire house today. As a result, we stand on the threshold 
of a unpredictable and uncertain future. No one is completely 
sure what impact this year 2000 problem will have on us 
personally, on the economy, or on society in general.
    Some will lead you to believe that the problem will begin 
at the stroke of midnight on December 31, 1999. Indeed some 
scenarios recall the 1950s science fiction movie ``The Day the 
Earth Stood Still'' with lights going out, motors grinding to a 
halt, and airplanes falling from the sky. These are not the 
subjects of our research at the Gartner Group regarding the 
year 2000. We believe that the fundamental computer programs, 
those that are used to run most companies, have in some cases 
already experienced a year 2000 anomaly. Indeed, some 
production planning systems that use a five year resource 
balance view, hit their Y2K wall three years ago. Insurance 
companies and financial institutions that calculate interest 
rates have been wrestling with and doing work-arounds the zero-
zero year for some time.
    In each case, as these companies hit their Time Horizon to 
Failure (THF), normal operations were interrupted and the 
resources of the enterprise were thrown in to fight the problem 
in a crisis mode. Most have handled these year 2000 problems 
successfully and have done nothing more than create a small 
ripple through the economic structure of the company.
    What worries us at the Gartner Group is that as we approach 
New Year's Eve 1999, more and more companies will hit their 
Time Horizon to Failure on more and more different 
applications. As result, more and more business functions 
within each enterprise will be negatively impacted and need to 
be dealt with in a crisis mode. We are afraid that there just 
will not be enough talent and resources available, given the 
amount of time left, to handle all of the potential failures in 
a timely fashion. As a result, companies could lose the ability 
to process invoices, issue payroll checks, or collect taxes for 
an unpredictable amount of time as they wrestle with each 
system failure.
    Other companies who are dependent upon electronic commerce, 
EDI, or just-in-time manufacturing need to be concerned about 
the integrity of the systems of their trading partners and 
their supply chain. For example, the inability of a parts 
supplier to be able to correctly read inventory levels at a 
manufacturing company, could shut down another firm's 
production line.
    The result is that no one single year 2000 problem hits a 
major artery that could kill a company. However the combination 
of failures within the enterprise and from the outside might 
have the effect of disrupting business in such a way that the 
company bleeds to death instead from a series of paper cuts.
    As normal business operations are interrupted there will be 
follow-on economic disruption. Some say that the impact will be 
mild, a two or three quarter dip in the Gross National Product 
that will feel like a speed bump on the road of the longest 
economic expansion in history. Others suggest that the year 
2000 business disruptions will be the pot hole that finally 
puts to an end our growing economy. Indeed one estimate 
suggests the economic impact will be equal to the OPEC oil 
embargo of 1972.
    Finally, before I get into the details of our research, 
allow me to share one last observation about the year 2000 
marketplace. Some estimate that Y2K has the potential to become 
the most litigious event in the history of civilization. 
Indeed, if the Internet is any indication, and depending upon 
the type of search engine you use, you may find nearly one-half 
of the results from a search on ``year 2000 or Y2K'' to be from 
law firms or class action groups preparing for the result of 
the new millennium crossover. Lloyds of London, at an 
underwriter's conference in June of 1997, estimated the impact 
of year 2000 total cost for just the United States at one 
trillion dollars. The Lloyds figure included not just the cost 
of hardware, software, and services for remediation, but also 
the cost of litigation, actual and punitive damages, and lost 
opportunity cost.
    Five years ago, Gartner Group begin work on a measurement 
tool called the COMPARE Scale. COMPARE stands for COMpliance 
Progress And REadiness. Our clients told us they wanted a 
universally understood yardstick that could be used to 
communicate within the enterprise, the board of directors, 
auditors, trading partners, and customers about the status of 
their year 2000 remediation efforts.
    The scale, which is seen in Figure One, is graphically 
illustrated as a smooth set of equal steps. In reality, the 
scale is logarithmic, which means it is nearly twice as 
difficult to go from step three to step four as it was to go 
from step two to step three.


    The scale begins, of course, at Level Zero, which means no 
awareness of the year 2000 problem. At Level One, the 
enterprise is in the information gathering stage, planning 
resources, and establishing vendor compliance requirements.
    At Level Two, the enterprise has a full and complete 
inventory of its IT portfolio, the core team for the Y2K 
Project Management Office has been selected, test scripts are 
being developed, non-IT and embedded systems are being reviewed 
and an impact analysis is underway.
    At Level Three, the key requirements that need to be met 
for the enterprise are that the budgets are fully approved, 
assessment is complete as well as the impact analysis and the 
test scripts are fully developed. By this point in time, the 
enterprise needs have completed at least 20 percent of mission 
critical systems remediated, tested and reimplemented as well 
as 20 percent of its PC and desktop assets.
    At Level Four, the remaining 80 percent of all mission 
critical systems are fully remediated, tested, and 
reimplemented. Which means, the IT systems provide the 
enterprise operational sustainability to reach the millennium 
crossover point.
    At Level Five, the key factor for success is that all of 
the trading partners, electronic commerce links, and supply 
chain systems for the enterprise are fully remediated, tested, 
and functional.
    In the first quarter of 1998, Gartner Group undertook a 
survey of 6,000 companies in 47 countries to determine the 
worldwide status of year 2000 projects. This survey sample was 
developed in such a way as to give us the most accurate and 
detailed status by size of enterprise, industry, and geography. 
Figure Two shows the results of our worldwide findings.

        Figure Two. Worldwide COMPARE Scale Results as of 1Q1998
------------------------------------------------------------------------
                       COMPARE Scale                          Percentage
------------------------------------------------------------------------
Level Zero.................................................          25%
Level One..................................................          20%
Level Two..................................................          15%
Level Three................................................          25%
Level Four.................................................          10%
Level Five.................................................           5%
------------------------------------------------------------------------


    The most telling numbers here are the cumulative additions 
for Levels Zero, One, and Two. That translates into 60 percent 
of the world's companies which have yet to remediate, test, and 
reimplement at least 20 percent of their IT systems. 
Additionally, our research shows that the five percent 
reporting themselves at Level Five are either very small 
companies or those with extremely limited, non-automated 
interaction with other firms.
    How does the United States and how do key industries show 
up on the COMPARE Scale? I call your attention to Figure Three, 
which at first glance looks to be extremely complicated, but 
allow me to walk you through this chart.

[GRAPHIC] [TIFF OMITTED] T3365.008


    We can see a large oval stretching primarily from the Level 
One 10 percent curve to just beyond the 50 percent complete 
curve at Level Four. This represents the status of the United 
States, Australia, Canada, Israel, the United Kingdom, and 
Ireland. Within that oval, you can see that the large 
investment services, large insurance companies, and large 
banking institutions are the furthest along on this scale, 
which translates into the lowest probability of a mission 
critical system failure due to year 2000 anomalies.
[GRAPHIC] [TIFF OMITTED] T3365.009

    Our research indicates that governmental agencies in the 
United States--state, local, and federal--are generally at 
about 15 percent complete in their year 2000 projects, which 
would place them on the threshold of entering Level Three on 
the COMPARE Scale. There are, of course, some agencies further 
along than others, however the majority are still far behind in 
their work.
    Figures Four and Five provide an overview of the worldwide 
results by both geography and industry.
[GRAPHIC] [TIFF OMITTED] T3365.010

    If these trends continue, our predictions for completion of 
year 2000 projects by January 1, 2000 are very pessimistic. 
Figure Six summarizes our estimates based on current trends. 
These translate into only half of worldwide enterprises 
reaching operational sustainability with 20 percent reaching 
Level Five and 30 percent at Level Four. This does not mean we 
are predicting one half of these companies will fail. What we 
are suggesting here is that these companies will experience 
disruptions in normal business procedures and operations due to 
year 2000 computer related problems.

       Figure Six. COMPARE Scale Predictions as of January 1, 2000
------------------------------------------------------------------------
                       COMPARE Scale                          Percentage
------------------------------------------------------------------------
Level Zero.................................................          20%
Level One..................................................           5%
Level Two..................................................          10%
Level Three................................................          15%
Level Four.................................................          30%
Level Five.................................................          20%
------------------------------------------------------------------------


    As a citizen of the Republic and an investor in the 
economy, I wish I could be more optimistic. However, as a 
technologist who wrote his first computer program in 1968 I am 
painfully aware of the impact even two simple wrong digits can 
have on the operation of any IT system. As result, this is a 
very real problem that needs to be addressed quickly.
    I thank you for your time and this opportunity.
      

                                

    Mr. Portman. I don't know if I should thank you for that 
discouraging statement, but I will thank you for your 
testimony, and I look forward to questions. [Laughter.]
    Mr. Miller.

     STATEMENT OF HARRIS N. MILLER, PRESIDENT, INFORMATION 
            TECHNOLOGY ASSOCIATION OF AMERICA (ITAA)

     Mr. Miller. Chairman Portman, I'm not going to be any more 
optimistic than the previous speaker, unfortunately. We, in the 
information technology industry, both in the United States and 
globally, are very frustrated with the lack of progress. Let me 
go on record publicly with what those in the know are thinking 
and saying privately. We are very, very worried. In the several 
years that ITAA has been out there speaking about this issue, 
I'm afraid to say the progress is very slow. The first panel 
this morning, which I would characterize as the Bobby McFerrin 
panel, ``Don't worry, be happy,'' really didn't convince me 
very much we're making a lot of progress.
    I'd ask the Chair to note, that for example, they kept 
talking only about mission-critical progress. They're not even 
talking about all their systems. The jargon has changed a lot 
the last 3 years. I would also note that there was a lot of 
focus on contingency planning which, again, doesn't bring a lot 
of optimism to one's heart.
    I'd like to talk about five areas where I think that this 
Congress can take leadership to deal with this major crisis 
which is not just a national, but international crisis. First, 
I believe the Congress needs to step up to the challenge. For 
example, the Senate recently set up a special committee which 
goes across jurisdictional lines, committee lines. I think that 
gives the Senate a more effective oversight and I would suggest 
the House consider doing the same.
    Second, I would suggest that the U.S. Congress, because of 
its role, in essence, as the Nation's board of directors, 
provide a much more aggressive set of oversight hearings 
because ultimately the voters, the taxpayers, the citizens are 
going to look to you. For example, the Congress should call 
immediately upon the President and the Vice President to take a 
much more aggressive leadership role. John Koskinen, the Y2K 
Czar, is a very outstanding public servant determined to do his 
best. But without a major commitment from the top of this 
country, and that means the President and the Vice President of 
the United States, we simply are not going to pay enough 
attention to this.
    Other countries have come to this realization. If you look 
to the United Kingdom where Prime Minister Tony Blair has taken 
leadership; If you look to Canada where the Prime Minister Jean 
Chretien has spoken; if you look to Australia where they're now 
about to embark on a national television advertising campaign, 
you see a lot more leadership from the political leaders in 
those countries than you do in the United States. And that's 
why we believe the President should make a national address and 
Congress should be much more aggressive on this issue.
    Step two is it takes more money. Again, we're involved in 
what John Koskinen himself has referred to as a Kabuki dance, 
where Congress doesn't appropriate more money because the 
agencies don't ask for it, and the agencies don't ask for it 
because they're trying to stay within certain predetermined 
budget limitations. The fact of the matter is if the systems go 
wrong, as they possibly can, in the Federal Government, the 
State governments, the private sector, the price to be paid 
down the road will be substantial. And we suggest very strongly 
that we need to get the funding available as soon as possible. 
I'm pleased to see as a citizen that we're heading toward a 
budget surplus in this country for the first time in three 
decades. But if we're not appropriating enough money to fix the 
year 2000 problem, the surplus could quickly turn into a 
deficit because of the negative impact on the economy.
    We have already found in a survey that we did that 44 
percent of organizations have already experienced a system 
failure. You will hear similar reports from other speakers 
later. We're recommending, specifically, Mr. Portman, that the 
Congress establish a $500 million contingency fund immediately 
that would be available, particularly during the period when 
Congress will be in recess--you'll be going into recess in 
early October and not back until February--that may be a 
critical time for the Federal agencies that need access to 
money. I think this Subcommittee could play a leadership role 
in that.
    Third, public education is absolutely critical. I mentioned 
the public advertising campaign in Australia. I think the 
government needs to take a much more aggressive public 
education role in this country. You need to be much more 
aggressive in terms of bringing the message back to your 
constituents. Every Congressperson, every Senator has townhall 
meetings. You all have newsletters. You need to communicate 
much more aggressively with your constituents. That will help 
get the message out there. It's not a good message to deliver. 
I know elected officials don't always like to deliver messages 
that aren't very positive, but I know you've been very candid 
as a Congressperson in your leadership of this country, and I 
know your colleagues want to do the same. This is a time for 
real leadership.
    Fourth, when there is more public education, there's going 
to be more public demand for rational solutions. And there are 
some creative public policy responses that this country has not 
yet looked at that are being looked at in other countries. For 
example, emergency tax incentives to help the most at-risk 
populations, particularly small- and medium-size enterprises, 
because they are the ones that have the most at risk. Also, 
research and development, R and D, tax credits, and credit 
guarantees, expedited procurement process, enhanced training 
opportunities and associated tax credits to deal with the work 
force shortage. All of this needs to be focused on.
    My final suggestion is discipline. We have to focus on the 
year 2000 problem and to solve it. Within the Federal 
Government, State governments, local governments, and in the 
private sector. Basically, what we see is what we call the big 
disconnect, a lot of talk about the crisis but not much action 
in terms of solution. This Congress could lead on discipline. 
You've already heard from Mr. Rossotti this morning, and we 
endorse his request that there be some deferral of some 
important tax law changes. Not elimination but deferral, so 
that there can be a focus.
    Europe, for example, has dug itself a tremendous hole by 
trying to move ahead with the year 2000 challenge at the same 
time as trying to do their Euro conversion creating, in a 
sense, an impossible task. Please don't do the same thing to 
our government, to Mr. Rossotti, to any Federal agencies, by 
adding new IT demands on top of the year 2000. In fact, Canada 
is implementing what they call basically a change freeze, no 
more laws that will change IT if it would in any way get in the 
way of the year 2000.
    In summary, I would urge Congress to not perpetuate the big 
disconnect, to put the pieces together of the difficulties that 
are faced and the challenge that must be addressed. Congress 
has a critical role of planning this challenge. And I tell you 
that the industry is prepared to work with you to help solve 
the challenge.
    Thank you very much, Mr. Portman.
    [The prepared statement follows:]

Statement of Harris N. Miller, President, Information Technology 
Association of America (ITAA)

    Madame Chairwoman and distinguished members of the 
Subcommittee, on behalf of the 11,000 direct and affiliate 
members of the Information Technology Association of America 
(ITAA), I am pleased to appear before you and offer insights 
into the single most important information technology challenge 
facing government and industry today--the worldwide Year 2000 
software conversion.
    This is not just an information technology challenge. This 
is a fundamental challenge to the ability of organizations 
throughout the world to continue to function. And it is a 
challenge which could have tremendous negative consequences for 
economies and governments throughout the world if it is not 
met.
    ITAA represents information technology companies working at 
the forefront of computer software, Internet and electronic 
commerce, telecommunications, systems integration, outsourcing, 
consulting and more. Our members have been on the front lines 
of the struggle with the Year 2000 software challenge, helping 
their customers leap this hurdle with new products and services 
or Y2K specific fixes to existing systems. As an Association, 
ITAA has led industry's efforts in dealing with this difficult 
issue. Because I also serve as President of the World 
Information Technology and Services Alliance (WITSA), ITAA has 
reached out to many international organizations such as the 
Organization for Economic Cooperation and Development (OECD), 
the United Nations, the World Bank, the Bank for International 
Settlements and the G-8 to urge them to take Y2K seriously. The 
WITSA White Paper was the first international paper on the 
importance of Year 2000. ITAA is proud to be the organization 
that the world looks to for Y2K information, news, insight and 
public policy leadership.
    You have asked ITAA to provide an assessment of the 
nation's Year 2000 preparedness. Let me go on record publicly 
with what those in the know are thinking and saying privately. 
We are very worried. When ITAA first got involved with the Year 
2000 issue back in 1995, we talked in terms of the marketplace 
as a ``deer in the headlights.'' In those halcyon days, we 
sought a balanced approach to this situation which would 
educate organizations to the urgency for fast movement while 
not allowing the magnitude of the problem to cause sensory 
shutdown.
    How far have we come in the last three years? I must say, 
not very. On the first part of the challenge--awareness--we 
have done reasonably well. Virtually no one can say that he or 
she is not aware of the Y2K issue. But on the next stages--
commitment to and actually solving the problem--we are very 
frustrated. The focus of conversation among those best versed 
in this issue is about how we are going to clean up after what 
appears now to be an inevitable train wreck. As a society, we 
are on the point of conceding failure. Those unwilling or 
unable to move off the track are numerous. Federal agencies. 
State governments. Local and municipal governments. School 
districts. Private sector industries. Small and mid-sized 
companies. Critical infrastructure players. And most foreign 
nations. It's crazy. It's frustrating. It cannot be happening. 
But it is. Now the ``smart'' questions have shifted to 
concentrate on contingency planning, crisis management, and 
liability. Lawyers are circling, and that is not a good sign.
    Failure is not part of the American fiber. Yet after this 
transition to the new century, society may have to admit that 
here was a situation it saw coming. Everyone understood its 
hard deadline. Everyone appreciated its worldwide scope. 
Everyone realized its massive potential to cause harm. And 
everyone let it happen.
    This morning I would like to talk what Congress can do help 
the country and the world off the path of fast approaching 
disaster.
    My five step program to Y2K wellness includes:
    1. Step up to the challenge
    2. Spend the money required
    3. Educate the public to the problem
    4. Provide incentives to a solution, while highlighting 
contingency planning
    5. Exercise discipline in setting competing priorities
    Stepping up to the challenge means accepting the mantle of 
leadership on this issue. The Senate recently established a 
special Committee to deal with the Year 2000 situation, and I 
encourage the House to do the same. The Senate Committee will 
provide oversight and legislative recommendations to help the 
government and private sector react quicker and more 
effectively to the economic difficulties arising from the Year 
2000 system failures. The Committee will focus special emphasis 
on such areas as utilities, telecommunications, transportation, 
financial services, general government services, general 
business services and litigation, cutting across traditional 
jurisdictional lines. Under the leadership of Senator Robert 
Bennett, the Senate has begun to take a big step in the right 
direction.
    The government Y2K report cards issued by Congressman 
Stephen Horn and the hearings held on this issue by the House 
Subcommittee on Government Management, Information and 
Technology; the House Subcommittee on Technology; and other 
Subcommittees have also helped bring important scrutiny to bear 
on the performance of government agencies and, to a lesser 
extent, regulated industry. The House is to be commended for 
its leadership in this area.
    What has been missing throughout this process, stretching 
back to the first House hearing in 1996, is a sense of real 
ownership. The U.S. Congress is the nation's board of 
directors. You provide the highest level oversight of federal 
agencies, critical infrastructure industries and international 
relations. You are ultimately responsible to your 
shareholders--the American voter.
    Year 2000 is an issue which will affect shareholder values. 
Those values are measured in the health of the national 
economy, consumer confidence, global trade, political stability 
and similar constructs. The proliferation of information 
systems into virtually every facet of modern life, from the 
embedded chips in complicated weapons systems to the wafer thin 
chip on a smart card, puts Y2K on a collide path with business 
as usual.
    With the notable exceptions that I mentioned just now, 
Congress has been slow to grapple with this issue of the 
century date change. The Year 2000 is a potentially devastating 
issue with breathtaking scope and an immovable deadline. The 
Year 2000 challenge is a call to think beyond the routine in 
response to an unprecedented situation. Today, leadership 
demands that Congress move past exploratory hearings to 
concrete actions; tomorrow, your accountability will be to the 
American people.
    How do you exercise this leadership? First, use the power 
of the Legislative Branch to get the President Clinton and Vice 
President Gore. John Koskinen, the recently appointed Y2K czar, 
is an outstanding public servant doing exceptional work in 
attempting to marshal a cohesive federal response. But his 
appointment came very late. We have drifted well beyond the 
point where anyone but the President and Vice President of the 
United States can put the country on the necessary emergency 
response footing. The office of the Y2K Czar is staffed by four 
people and does not have the needed resources that a problem of 
this magnitude requires.
    Other nations have come to this realization. In the United 
Kingdom, despite some stumbles along the way, Prime Minister 
Tony Blair has put the force of his government behind the Y2K 
issue, placing a Cabinet Minister in charge of a ministerial-
level Y2K oversight group and forming a government program, 
Action 2000, to coordinate a government/industry response. 
Prime Minister Blair has proposed a set of initiatives valued 
at almost 100 million pounds, with 30 million pounds slated for 
``bug busting'' training courses and 17 million pounds for 
programs affecting small and mid-sized businesses and related 
work.
    In Canada, Task Force Year 2000, a blue ribbon commission 
of key industry CEOs, is working with the government to make 
recommendations as an impetus to action. We would do well as a 
nation to use the commission's series of 18 recommendations to 
bootstrap a national action agenda for the United States.
    In Australia, a national television advertising campaign is 
about to bring a Year 2000 focus into the homes of average 
citizens and on to the radar screens of thousands of small and 
mid-sized businesses.
    By any measure, the U.S. is the world leader in information 
technology. Just last month, the U.S. Department of Commerce 
released a report showing that information technology accounts 
for 8.2 percent of GDP, up from 6 percent just a few years ago, 
and contributes more than twenty five percent of GDP growth. 
With so much at stake, should we really be doing less than the 
U.K., Canada or Australia? Of course not. That is why we 
believe President Clinton should make a major national address 
on the issue immediately. That is why we believe Vice President 
Gore should be using his status as the ``high tech'' Vice 
President to press the urgency of the Year 2000 message to 
industry groups and his standing as the ``reinventing 
government'' Vice President to ramp up the response within 
federal agencies.
    Step two. Congressional leadership on this issue will 
require spending the money required to make the necessary 
repairs inside government and to understand the status of 
external trading parties. John Koskinen referred to the current 
Y2K funding situation in Washington as ``a grand kabuki'' 
dance, with federal agencies refusing to step forward with 
requests for additional funding and Congress unwilling to 
supply the funds until such requests are made. President 
Clinton, speaking through the Office of Management and Budget, 
has told his agency heads to reprogram the necessary dollars.
    This dance has been going on for at least two years now. 
Unfortunately, federal agencies have too often placed the need 
to protect programs and jobs in front of the more urgent 
requirement to solve their Year 2000 problems. Nothing will 
changeunless you change it. I urge you to stop the kabuki dance 
by forcing agencies to disclose the level of reprogramming now 
underway. I respectfully suggest that if an agency is not 
appropriated new Y2K funds and is not reprogramming existing 
funds, insufficient date repair work of consequence is being 
performed. I am pleased that the U.S. government will run a 
budget surplus this year for the first time in decades, but if 
one of the prices for doing so is not fixing the Y2K problem, 
that is a very bad trade-off. The negative economic 
consequences of not fixing Y2K could, some economists are 
predicting, lead to a substantial slowdown in our country's 
economic growth. This, in turn, would lead to reduced tax 
revenues and head our federal budget back towards deficits.
    Congress can be part of the solution by demonstrating the 
risk management strategies now urged for the marketplace as a 
whole. Part of risk management involves having the vision to 
plan for contingencies. Given where the federal government 
stands today, I feel very confident in predicting that some 
mission critical government systems will fail--perhaps as early 
as January 1, 1999. A recent ITAA survey showed that 44% of 
organizations have already experience a Y2K failure.
    ITAA is not alone in stating this likelihood of failure; 
the General Accounting Office (GAO) also shares this assessment 
If and when these failures happen, reprogramming dollars or 
protecting federal workers--the federal kabuki dance--may at 
last be considered beside the point. I assume that at that 
unhappy point in time, government agency heads will be ready to 
contract with private sector firms specializing in Y2K 
remediation and testing to expedite the necessary repairs. We 
suggest that a special $500 million contingency fund be 
established to cover the period of October 1998 through 
February 1999. Congress will be adjourned during most of this 
period--a period during which emergency access to additional 
funds may prove critical.
    I also urge this Subcommittee--and every other Subcommittee 
with oversight authority--to require agencies to identify and 
respond to their inter-government and extra-government 
interfaces. Such electronic handshakes must be made with state 
governments, municipalities, foreign nations, and private 
sector firms. The smooth functioning of government depends on 
the ability of these highly integrated systems to operate 
without date errors. While Mr. Koskinen and the Federal CIO 
Council are making attempts to build the list of external 
interfaces with state governments, I suggest that Congress make 
this cross-cutting project its own, spending whatever funds are 
necessary to acquire the private sector expertise necessary to 
perform quickly and effectively the work.
    Step three. Public education is critical. I mentioned the 
public service advertising campaign launched in Australia. I 
urge Congress to make Year 2000 a the top priority issue of the 
U.S. government for at least the next two years. No services 
are more important to Americans than Social Security and 
Medicare; no system may be more important to the efficient 
operation of government than tax collection. Your conviction to 
hold this hearing today is a stake in the ground. Now build on 
this good start by continuing to hold Y2K hearings. Also, as 
you get public and private sector CEOs, CFOs, and CIOs in these 
witness seats, whether or not the hearing is specifically 
related to Year 2000, ask about Y2K status. The answers you 
receive may be very revealing. And do not accept pat responses 
or easy assurances. Congress is the steward of the public 
trust. I urge Congress to keep asking questions and to drill 
down for substantive answers. Doing so will help the public 
understand this issue, and where they should concentrate their 
concerns moving forward.
    Individual Congressmen and Senators can also use other 
tools as their disposal such as newsletters and town meetings 
to increase the awareness among the general public.
    Step four. Public education will inevitably lead to public 
demand for rational solutions. We have not begun to scratch the 
surface on creative public policy responses to this issue. 
Countries around the globe are considering emergency tax 
incentives to help the most-at-risk populations--small and mid-
sized enterprises--deal with this issue. We have begun to hear 
about low interest government loans to stave off bankruptcies. 
R&D tax credits and credit guarantees. Expedited procurement 
processes. Productivity corps to assist small firms and 
proliferate best practices. Enhanced training opportunities and 
associated tax credits. And much more. We are limited in 
creativity only by our willingness to engage this issue 
directly.
    And that brings me to my final point this morning. Step 
five. Discipline. Having the will to attend to the Year 2000 
problem and to solve it. Within our local communities. Across 
states. Around the nation and throughout the world. During 
World War II, we did not become distracted by other concerns 
and divert precious resources to other efforts. As a country, 
we found the collective will to win. We discovered the 
discipline. Today, America's efforts to cope with the Year 2000 
are diluted and disconnected. Indeed, we often talk about the 
tepid response to the Y2K tidal wave in terms of ``the Big 
Disconnect.''
    This Congress can help the country find its will to win by 
exercising discipline. As Congress goes to pass new laws that 
will require computer system changes, ask yourselves whether 
the risk is worth the reward. In Europe, we have the example of 
a rush to judgment on the Euro implementation--a competition 
which at best dramatically decreases the odds for successful 
Year 2000 conversion in some of the world's largest economies. 
Here, we have a similar concern with the Internal Revenue 
Service (IRS). With systems already committed to the limit, 
Congress must show flexibility in asking the IRS to maintain 
existing systems, introduce changes to the tax laws, modernize 
and conduct the Year 2000 conversion. ITAA urges Congress to 
follow Commissioner Charles Rossotti's request to soften some 
of its timelines in the current legislation in order to ensure 
that our tax collection system is able to operate effectively 
in the Year 2000.
    Congress must reconsider any legislation that requires 
major changes in the federal IT systems. Canada is attempting 
to implement a ``change freeze'' in its government IT systems 
so all energy can be focused on Y2K. It is too late to expect 
government agencies to fix their systems while also adapting 
them for new programs. Today, by ignoring this simple reality, 
Congress is perpetuating ``the Big Disconnect.'' The pervasive 
apathy. The business as usual mentality. Today, you can help 
end it. With discipline.
    In conclusion, I urge this Subcommittee to do everything in 
its power to make Y2K preparedness a national concern. There 
are 602 days left. Although the train is barreling down the 
track, it is still not too late. Congress has a critical role 
to play in meeting the challenge, and the five step program I 
have outlined here today can help. Congress does not want to be 
placed in the position of wishing it had taken this issue more 
seriously while there was time left to address the challenges. 
The American public--and the world at large--are counting on 
you. ITAA is ready to assist you in every way possible.
    Thank you very much.
      

                                

    Mr. Portman. Thank you very much, Mr. Miller.
    Mr. McManus.

    STATEMENT OF STEVEN P. MCMANUS, COMMUNICATIONS MANAGER, 
              MILLENNIUM PROJECT, BANKBOSTON, N.A.

     Mr. McManus. Mr. Portman, I'm Steven McManus, 
communications manager for BankBoston's millennium project, and 
I'm pleased to have this opportunity to present my views on the 
magnitude of the year 2000 problem, the associated business 
risks, and the adequacy of remediation and risk management 
efforts being undertaken by the financial services industry.
    With $71 billion in assets, BankBoston is ranked number 15 
in the country, with over 700 offices in 24 different 
countries. We were also the first bank in the United States to 
receive ITAA 2000 certification which speaks to our methods and 
processes in place, essentially, that we're on the right path.
    The year 2000 computer problem is pervasive and is global 
in scope. It affects not only the financial services industry 
but all industries. Each business is itself both a customer and 
a supplier in the food chain of international commerce. Each 
industry is simultaneously competing for available human 
resources to complete its remediation processes against this 
fixed deadline in order to mitigate its year 2000 risks. The 
millennium challenge is a significant project management 
challenge that requires institutionally focused attention as 
well addressing dependencies on its suppliers that are facing 
the very same challenge. These are the parameters that make the 
year 2000 challenge unique.
    Financial institutions are also extremely dependent on one 
another as well as common service providers for the interchange 
of electronic commerce. The national payment system is 
dependent upon automation to clear checks principally through 
the Federal Reserve System. The automated clearinghouses 
present the primary means of processing preauthorized payments 
enabling automatic direct deposits of Social Security checks to 
the consumer's bank of choice, in addition to processing 
standing orders for repetitive payments such as insurance 
premiums, automobile payments, and investments. The retail 
consumer is dependent on the use of credit and debit card 
conveniences offered internationally through suppliers such as 
Visa, MasterCard, and American Express, which have extensive 
electronic networks linking a transaction from its point of 
sale to the consumer's financial institution. Corporate 
customers are heavily dependent on electronic data interchange, 
EDI, wire transfers, letters of credit. The increasing 
globalization of the business enterprise radiates these 
dependencies beyond our borders to include financial 
institutions worldwide. It should be clear from these examples 
that there are significant risks associated with such tightly 
woven interdependencies.
    Like all financial institutions, BankBoston is heavily 
dependent on computer technology in the conduct of our 
business. We have major data centers in New England, London, 
Brazil, Argentina, and Singapore with large scale data 
communications networks linking these centers to our branches, 
remote offices, customers, and service providers like the 
Federal Reserve. Additionally, we participate in multiple 
delivery networks for ATM processing, point of sale services, 
information exchanges, and other forms of electronic commerce.
    This dependence on technology was the prime motivation for 
BankBoston to begin its millennium project in the spring of 
1995. The initial assessment of our systems inventory revealed 
that roughly 50 percent of our software is supplied to us by 
external vendors and that this vendor supplied software is 
usually customized to meet the unique needs of our institution. 
This heavy reliance on external vendor software, which is 
common within financial services, represents the single biggest 
risk in being able to meet the millennium challenge since the 
timely deliver of this millennium compliant software is outside 
of each bank's control. However, even managing these types of 
software risks that are germane to individual institutions will 
only help ensure millennium compliance within their own spheres 
of influence.
    I'd also tell you that the year 2000 problem is very real 
at BankBoston which identified and corrected millennium related 
logic errors within systems that have already been through our 
remediation process. I have four examples in my written 
testimony that include our certificates of deposit system, 
negotiable collateral system, and our controlled disbursement 
system, as well as precious metals.
    So keep in mind that these situations, had they not been 
identified in advance, our ability to respond to all of them 
simultaneously in the year 2000 may have been hampered by the 
availability of computer resources and the pressures brought on 
by the demands of our customer base. As I mentioned earlier, 
BankBoston had begun its millennium preparedness in early 1995. 
As such, I feel comfortable that we will be able to complete 
our internal preparedness, given the project organization 
processes that we currently have in place.
    But it has taken us 3 years to structure this very rigorous 
program that we have in place today. Our project also includes 
not only information technology by the non-IT issues, the 
business' risk issues which I've listed in my written 
testimony. This side of our project is headed by our executive 
vice president of risk management, and this program is 
reviewing the potential risks associated with each major line 
of business, and they're outlined in my written testimony.
    And I bring our model to your attention, not only because 
we're proud of what was accomplished, but to underscore the 
fact to you that it has taken us 3 years to get where we are 
today. Knowing that all financial institutions must address the 
very same issues that we have faced with much less time 
remaining, I'm concerned with the general preparedness of the 
rest of the financial services industry. In my discussions with 
other banks, customers, and service providers, I feel that 
unless comparable programs to BankBoston's are put in place 
within the next few months, the effect will adversely impact 
even those that are adequately prepared.
    And this concludes my testimony.
    [The prepared statement follows:]

Statement of Steven P. McManus, Communications Manager, Millennium 
Project, BankBoston, N.A.

    Mrs. Johnson and distinguished members of the Subcommittee, 
my name is Steven McManus and I am the Communications Manager 
for the Millennium Project at BankBoston. I am pleased to have 
this opportunity to present my views on the magnitude of the 
Year 2000 problem, the associated business risks, and the 
adequacy of remediation and risk management efforts being 
undertaken by the financial services industry.
    Let me first tell you a little about who we are. We are a 
large New England based Superregional Bank holding company with 
$71 billion in assets, ranked number 15 in the United States 
with 475 branches and 275 offices located in 24 countries. We 
offer a complete range of financial products and services both 
domestically and internationally.
    The Year 2000 computer problem is pervasive and is global 
in scope. It affects not only the financial services industry, 
but all industries. Each business is itself both a customer and 
a supplier in the food chain of international commerce. Each 
industry is simultaneously competing for available human 
resources to complete its remediation processes against a fixed 
deadline in order to mitigate its Year 2000 risks. The 
millennium challenge is a significant project management 
challenge that requires institutionally focused attention as 
well as addressing dependencies on its suppliers that are 
facing the very same challenge. These are the parameters that 
make the millennium challenge unique.
    Financial institutions are extremely dependent on one 
another as well as common service providers for the interchange 
of electronic commerce. The national payment system is 
dependent upon automation to clear checks principally through 
the Federal Reserve System. The Automated Clearing Houses 
represent the primary means of processing pre-authorized 
payments enabling automated direct deposits of social security 
checks to the consumer's Bank of choice in addition to 
processing standing orders for repetitive payments such as 
insurance premiums, automobile payments, and investments. The 
retail consumer is dependent on the use of credit and debit 
card conveniences offered internationally through suppliers 
such as VISA, MASTERCARD, and AMERICAN EXPRESS which have 
extensive electronic networks linking a transaction from its 
point of sale to the consumer's financial institution. The 
Corporate customer, heavily dependent on Electronic Data 
Interchange (EDI), Wire Transfers, and Letters of Credit, uses 
the nation's financial institutions as their financial 
intermediaries. The increasing globalization of the business 
enterprise radiates these dependencies beyond our borders to 
include financial institutions worldwide. It should be clear 
from these examples that there are significant risks associated 
with such tightly woven interdependencies.
    Like all financial institutions, BankBoston is heavily 
dependent on computer technology in the conduct of our 
business. We have major Data Centers in New England, London, 
Brazil, Argentina, and Singapore with large scale data 
communications networks linking these Centers to our branches, 
remote offices, customers, and service providers like the 
Federal Reserve. Additionally, we participate in multiple 
delivery networks for ATM processing, point of sale services, 
information exchange, and other forms of electronic commerce. 
This dependence on technology was the prime motivation for 
BankBoston to begin its Millennium Project in the Spring of 
1995. The initial assessment of our systems inventory revealed 
that roughly fifty percent of our software is supplied to us by 
external Vendors, and that this Vendor supplied software is 
usually customized to meet the unique needs of our institution. 
This heavy reliance on external Vendor software, which is 
common within the financial services industry, represents the 
single biggest risk in being able to meet the millennium 
challenge since the timely delivery of this millennium 
compliant software is outside of each bank's control. However, 
even managing these types of software risks that are germane to 
individual institutions will help ensure millennium compliance 
only within their own spheres of influence.
    The Year 2000 problem is also very real. At BankBoston, we 
have identified and corrected millennium related logic errors 
within our systems that have already been through the 
remediation process. For example, we found that:
     we would not have been able to mature our 
customers' Certificates of Deposits in the year 2000 and 
beyond;
     our Negotiable Collateral system would have lost 
expiration dates and review dates on collateral used to secure 
loans in the event of loan default;
     the system processing a daily volume of $800 
million of Controlled Disbursements for our corporate customers 
would have been inoperable for ten days while the problem was 
corrected in January, 2000 resulting in massive overdrafts to 
the Bank., and;
     our Precious Metals business would have been 
inoperable for up to two weeks while systems changes were being 
made to correct erroneous date processing.
    And keep in mind that had these situations not been 
identified in advance, our ability to respond to all of them 
simultaneously in the Year 2000 may have been hampered by the 
availability of computer resources and the pressures brought on 
by the demands of our customer base.
    As I mentioned earlier, BankBoston had begun its millennium 
preparedness in early 1995. As such, I feel comfortable that we 
will be able to complete our internal preparedness given the 
project organization and processes that we currently have in 
place. It has taken us two years to structure the very rigorous 
program that we have in place today. Our inventory of 
technology applications is under constant review and newly 
acquired or developed applications are being scrutinized for 
their millennium compliance, both contractually and in their 
acceptance testing, in order not to propagate the millennium 
problem.
    We have developed an extensive Communications and Awareness 
program within the Bank to sensitize every facet of the 
business to review the risks of the millennium challenge to 
their business. This is a mandatory program for every financial 
institution. We have also instituted a very rigorous Vendor and 
Contracts Management program to track the millennium readiness 
and delivery of the vendor supplied applications which account 
for more than half of our application inventory. We have 
developed comprehensive remediation and certification processes 
to carefully examine and test all of our systems to assure 
accurate operability in the year 2000 and beyond. We have 
developed sound Project Administration practices to track 
costs, maintain accurate inventory, and manage issues. We have 
put in place and continually monitor the Technical Support 
infrastructure required to conduct remediation and 
certification concurrently with the day to day systems demands 
of our business. And we have developed an elaborate Planning 
and Scheduling program that integrates our resource 
requirements planning, Vendor software availability, and triage 
program founded on an already existing Disaster Recovery Plan 
that orders our most critical applications for renovation 
before those of lesser importance.
    Complementing the systemic preparations being undertaken 
within BankBoston, we have a corporate-wide millennium risk 
management program underway where the potential impacts of the 
Year 2000 challenge are being addressed as risk related 
business issues and opportunities to gain competitive 
advantage. Headed by our Director of Risk Management 
Assessment, this program is reviewing the potential risks 
associated with each major line of business:
    Credit. Credit policy is being reviewed to account for the 
potential risk that the borrower's ability to repay outstanding 
debt may be affected by the impact of the year 2000 on the 
borrower. Increased allowances for potential loan losses are 
accordingly being evaluated. Existing loans requiring customer 
unqualified financial statements are being watched in the event 
that the customer's own millennium preparation expense may 
erode comfortable profit margins. Loan participations and 
syndications require the cooperation of all participants in the 
evaluation of millennium related risk.
    Finance. Regulatory requirements concerning SEC 10K and 10Q 
millennium disclosures are being reviewed as are FASB's 
treatment of accounting and tax implications of millennium 
related expenses.
    Third Party Suppliers. Critical outsourcing arrangements 
such as loan portfolio servicing are being reviewed to ensure 
uninterrupted revenue streams. The risks associated with 
potential disruption of critical point solutions that augment 
the bank's business functions (such as news services, stock 
quotations, et al) are also under review.
    Joint Ventures. The millennium preparedness of all joint 
ventures in which BankBoston is a participant is being 
investigated to protect the value of our investment.
    Legal Issues. BankBoston is taking aggressive steps to 
conduct the appropriate due diligence associated with its 
preparedness for the millennium. These include supplier 
contract review of indemnification and warrantee provisions, 
board level project review, and escalation of critical business 
related issues.
    Mergers and Acquisitions. BankBoston completed a merger 
with BayBanks in 1997. This merger involved extensive best of 
breed product integration into the surviving systems that serve 
the combined entity. This fifteen month effort required 
extensive systems renovation which consumed the attention of 
systems personnel involved with the merger. In future M&A 
activities, the valuation of any acquired software will have to 
be significantly discounted unless it is already millennium 
compliant. There simply isn't enough time remaining to affect 
product integration concurrent with providing for millennium 
readiness.
    Insurance. It is imperative for all businesses to review 
Director and Officer liability insurance in addition to 
business interruption insurance policies currently in place or 
under renewal. Given the estimated certainty of forthcoming 
lawsuits surrounding predicted business failures, BankBoston 
has begun such reviews.
    Marketing. The millennium prepared financial institution 
will enjoy a competitive advantage over other Banks' inaction. 
Cross selling of additional products and services to a nervous 
customer base will provide an opportunity for additional fee 
income to the millennium compliant bank. Communicating 
millennium strategy to the retail and corporate customer is 
becoming more of a sensitive issue as our customers' awareness 
of the millennium issue increases.
    I bring the BankBoston model to your attention, not only 
because I am proud of what we have accomplished, but to 
underscore to you the fact that it has taken us three years to 
experience and overcome some of the project management 
complexities associated with the Year 2000 challenge. Knowing 
that all financial institutions must address the very same 
issues that we have faced with much less time remaining, I am 
concerned with the general preparedness of the rest of the 
financial services industry. In my discussions with other 
banks, customers, and service suppliers, I feel that unless 
comparable programs to BankBoston's are put in place within the 
next few months, the effect will adversely impact even those 
that are adequately prepared.
    On a positive note, a cohesiveness is developing in the 
Banking industry to address the millennium challenge. The Bank 
Administration Institute (BAI), a US banking industry 
association representing about 80% of the nation's banking 
assets, has been quite proactive in bringing together its 
membership and service providers to address common issues. In 
fact, BankBoston will be hosting a BAI Rountable on Readiness 
Testing on June 2 and 3.
    The majority of the critical work, however, lies ahead. As 
I mentioned earlier, there is an enormous interdependency among 
all financial institutions on the viability of the payments 
system. All must be prepared for the millennium. All common 
financial services providers must be prepared. All systems and 
application vendors must be prepared. All suppliers and 
customers must be prepared. And then we must all test the 
interdependencies we share well before the year 2000 to ensure 
stability of the system not only domestically, but also 
globally.
    The Federal Financial Institutions Examination Council 
(FFIEC), has been proactive in delivering the urgency of the 
millennium challenge to the industry and has stepped up its 
examinations. In many cases, especially to smaller institutions 
that do not have the resources to manage such large scale 
projects against an immutable deadline, the Regulatory bodies 
represented by the FFIEC will be required to offer assistance. 
As each financial institution must mitigate risk through 
rigorous contingency planning, our Regulators must develop 
contingency plans to assure stability of the Banking system. We 
have a collective fiduciary responsibility to our customers and 
must continue to relax the roles of the Regulator and the 
Regulated by working together to ensure the safety and 
soundness of this nation's banking system.
    This concludes my testimony. Thank you.
      

                                

    Mr. Portman. Thank you, Mr. McManus.
    Ms. Dec.

 STATEMENT OF IRENE DEC, VICE PRESIDENT, INFORMATION SYSTEMS, 
   CORPORATE INFORMATION TECHNOLOGY; AND MANAGER, YEAR 2000 
        PROGRAM, PRUDENTIAL INSURANCE COMPANY OF AMERICA

    Ms. Dec. Mr. Portman and Members of the Subcommittee, my 
name is Irene Dec and I'm vice president of corporate 
information technology for the Prudential Insurance Co. of 
America which is headquartered in New Jersey. I am Prudential's 
year 2000 program manager and lead the companywide project. I'm 
pleased to have this opportunity to present Prudential's 
strategies for solving the year 2000 problem. They are 
strategies that can be applied to any large organizations, 
including the government.
    Because of Prudential's size and scope, our year 2000 
problem was monumental. Fortunately, our chief executive 
officer, Art Ryan, and our CIO, Bill Friel, recognized the 
seriousness of the problem and identified it as an enterprise 
priority. Prudential's entire senior management team sees year 
2000 as a critical business issue, not a technology nuisance.
    It is too late to start early. As of today, there are 603 
days left and 86 weekends. At this point, it's late. We began 
to address year 2K in the fall of 1995 and we have moved 
aggressively since then. For those organizations that have not 
moved aggressively on the year 2K, I will be focusing on 10 
risk management actions that should take place.
    First, secure executive commitment. Identify the year 2000 
project as the most critical project in your organization, and 
secure unwavering executive commitment.
    Second, establish a program office immediately, assign your 
best people, and it must be full time.
    Third, identify your critical applications, those that have 
the greatest impact on people and on business. Focus on those 
first.
    Fourth, stop all other projects. There is no time for 
applications or systems that are not year 2K related. Year 2000 
must take complete and total priority. When we hear year 2K is 
a high priority we must measure that priority. Simply saying, 
It's a high priority, will not get you there.
    Fifth, devote time to testing. It takes three times the 
normal application testing time. It takes over 50 percent. When 
you hear that renovation is complete, that is only 50 percent 
of the project done. Be ready. When you're testing, you will 
find problems, which means did you allow in your schedule the 
fact that you have to go back and fix again.
    Sixth, develop contingency plans. Organizations must think 
about building manual processes to do work around. You know you 
will not meet all of your objectives. Start working on those 
plans and communicating how the processes will be different.
    Seventh, review and assess business partners, including 
software vendors and other suppliers. You must also identify 
vendors that put your organization at risk and if you need to, 
you need to go out and find alternative software and business 
partner replacements.
    Eighth, validate desktops. In this case, I'm referring to 
desktops that are not IT controlled. In many businesses today, 
decisions are based on calculations performed on spreadsheets 
and databases that are hidden in the corners of our offices.
    Ninth, determine your computer capacity. Do not wait. In 
most cases, you need twice the capacity you have today to do 
the test.
    Tenth, develop and control your risk validation process. 
Your audit and management integrated control department must 
assist in validating your progress and reviewing your 
compliance. In addition, you may need to hire an outside firm 
to validate or audit your process. For example, ITAA was 
brought in to validate and certify Prudential's year 2000 
process. Also determine a process to do spot checks on the code 
that is compliant. You may choose to hire a vendor to come in 
and perform this validation. Don't wait until 2000 for 
validation.
    The key message that I am compelled to leave you with is 
that year 2000 is a problem of titanic proportions but 
information technology controls only the tip. The remaining is 
the unseen. The risks include business partners, software 
providers, and your desktops. We can do the best job. We can do 
the fixes. We can do all of that, but we cannot do it alone. We 
have got to have the unwavering support of our executives. It 
was an unseen portion of the iceberg which struck Titanic below 
decks. That doomed everyone aboard. My grave concern is that 
the leaders of too many organizations will and have dismissed 
the criticalness of the year 2K. In my opinion, the year 2000 
is a sink or swim proposition.
    However, being somewhat of an optimistic person, I'd like 
to leave you with a different message. During the Apollo 13, 
Jim Lovell said, ``Houston, we have a problem.'' And it was 
because they were smart and strategic that their lives were 
saved. I will now say, ``Washington, we have a problem. It's 
the year 2000. I believe you will be smart and strategic but 
you must understand what that means and be prepared by having 
contingency plans.''
    In closing, it would be impossible for me to overstate the 
size and scope and challenge that the Federal Government has, 
and its obligation to the citizens of this great Nation, as 
leaders. We Americans must take the lead on the year 2000. We 
must set an example for other countries. We must demonstrate 
with decisive action the bold measures to follow. I urge you to 
take swift action on your 10 action steps.
    Mr. Portman and Subcommittee Members, thank you for giving 
me the opportunity to speak with you today. It is, indeed, an 
honor for Prudential to be invited to contribute to the public 
dialog on what will surely be the defining moment at the end of 
the 20th century, not only for the United States, but the 
world.
    This concludes my testimony.
    [The prepared statement follows:]

Statement of Irene Dec, Vice President, Information Systems, Corporate 
Information Technology; and Manager, Year 2000 Program, Prudential 
Insurance Company of America

    Congresswoman Johnson and members of the committee:
    My name is Irene Dec and I am a Vice President of Corporate 
Information Technology at Prudential. I am the Prudential Year 
2000 Program Manager, leading the company-wide Program Office. 
It is my responsibility to work with all of Prudential's 
Business Groups and Corporate Functions to bring the entire 
enterprise to Year 2000 compliance. I am pleased to have this 
opportunity to present Prudential's experiences regarding the 
magnitude of the Year 2000 problem. In the time you've given 
me, I'd like to discuss the strategies Prudential is using to 
solve the Year 2000 problem. I also will discuss how these 
strategies might be applied to other large organizations.

                              Introduction

    First, some background on Prudential. We are one of 
America's largest insurance and financial services companies, 
with a presence in every state of the union and offices abroad. 
As of December 31, 1997, our statutory assets were $194.0 
billion and we had $37 billion in revenues on a GAAP basis. We 
employ almost 80,000 people and serve nearly 40 million 
customers worldwide. Our gross 1997 information technology 
budget was approximately $1 billion.
    Because of Prudential's size and scope, the magnitude of 
our Year 2000 problem is monumental. We were fortunate that our 
Chief Executive Officer, Art Ryan, and our Chief Information 
Officer, Bill Friel, recognized the seriousness of the problem 
and identified it as a priority. Also, Prudential's senior 
management team sees Year 2000 as a business issue not as a 
technology nuisance. Early on, Prudential realized the 
potential business risk represented by Year 2000, and sought to 
manage that risk intelligently. Year 2000 is a risk to all 
businesses. It is essential for all organizations to run Y2K 
projects with a sound risk management philosophy.

                        Too Late to Start Early

    As of today, there are exactly 603 days left until we reach 
the Year 2000. That includes only 86 weekends. At this point, 
it is simply too late to start early. We began addressing the 
Y2K issue at Prudential in 1995. While we are confident we'll 
meet our objectives, we are not wasting one single day. This is 
the ultimate information technology deadline. And 
unfortunately, information technology professionals are widely 
regarded by our corporate colleagues as people who cannot meet 
deadlines.
    It is time to move beyond awareness of the Y2K problem. It 
is time to take action.

                        Risk Management Actions

    For those organizations that have not moved aggressively on 
the Y2K project, the following risk management actions should 
be considered:

1. Secure Executive Commitment

    Identify the Year 2000 project as the most critical project 
within your organization, and secure unwavering executive 
commitment to it at once.

2. Establish a Year 2000 Program Office

    Implement a Year 2000 Program Office immediately and assign 
your best people to the project.

3. Identify Critical Applications

    Identify your most critical applications, those that have 
the greatest impact on the business and on people. Focus your 
efforts on achieving Year 2000 compliance for those critical 
applications first and foremost.

4. Stop All Other Projects

    Place all other systems work on hold until your Year 2000 
project is completed. At this point, there isn't time for 
anything else. You cannot afford to take your focus off the 
Year 2000 goal. The Y2K project cannot be done along with other 
projects. Y2K takes complete and total priority.

5. Devote Time to Testing

    Testing for Year 2000 will require three times the normal 
procedures since the organization will have to test before Year 
2K, as the century turns, and on critical dates, such as Leap 
Year and the first working day of the year. Allow sufficient 
time for testing. Approximately 50% of the Year 2000 project 
will be spent on testing. Organizations must set up Year 2K 
simulated testing environments for networks, distributed 
applications and mainframes.

6. Develop Contingency Plans

    If the risk is high that your organization may not get done 
with its Year 2000 project in time, a contingency plan is 
critical. You must build manual processes to do the work and 
you must communicate to the people who are impacted. Do not 
wait until you have missed Year 2000 target dates to 
communicate. Tell people how you plan to handle the work in the 
interim and what they can expect.

7. Review and Assess Business Partner Risks

    One of the greatest risks to Y2K projects is an 
organization's business partners, including software vendors 
and other suppliers. Take time to review all software products 
and identify those that require version upgrades in order to 
become Y2K compliant. Identify software vendors that put your 
organization at risk for non-compliance and prepare contingency 
plans for alternative software replacements. Also, identify the 
processes required to maintain critical business functions.

8. Validate Desktops

    Testing and validating applications and systems, software 
and hardware are extremely important. Equally critical is 
assessing and validating end user desktop compliance. Many 
business decisions are based on calculations performed on 
spreadsheets and databases on personal computers. Your Y2K plan 
must include a process to ensuring that every desktop in the 
organization is Year 2000 compliant.
    To be successful in their Y2K initiatives, organizations 
must run this project differently than they have ever run 
anything before. Year 2000 cannot be managed as just another 
normal information technology maintenance project. It must be 
run from a dedicated, organization-wide Program Office and it 
must call upon the skills of your very best people.

                     Year 2000 Strategic Decisions

    At Prudential, we developed our Year 2000 strategy around 
several key decisions. I'd like to take some time to walk 
through these decisions to show you how we built our strategy 
and how it is moving us toward Year 2000 compliance.

                   1. Define Organizational Structure

    First, we defined our organizational structure. We created 
an Enterprise-wide Year 2000 Program Office. Because Prudential 
has multiple lines of business, such as Individual Insurance, 
HealthCare and Securities and Investments, for example, we also 
created Year 2000 Program Offices in each one of our Business 
Groups. The Business Group Program Offices report to the 
corporate-wide Y2K Program Office, which I manage. Any large 
organization that encompasses diverse activities should 
consider this approach.
    Once we had our structure in place, we staffed the Program 
Offices with our best people. And we staffed it sufficiently. 
You can't expect to meet the Y2K deadline with staff members 
who can only devote a percentage of their time to the fix. Our 
Program Office employees are dedicated full-time to achieving 
Y2K compliance. To meet the extraordinary manpower demands 
Prudential's Year 2000 problem presents, we also brought on 
board contractors and consultants to assist us.

                    2. Identify Operating Principles

    With the Program Office established, we were able to 
identify standard operating principles. These are the rules and 
regulations of how we'll manage our Year 2000 initiative. For 
example, there are basically two ways to fix the Year 2000 
issue field expansion or windowing. One is to actually expand 
the field from two position year to four positions. The other 
is to build logic into the code that fixes the problem. Rather 
than ask our individual Business Groups to make this decision 
for themselves, Prudential's Y2K Program Office made the 
decision that is mandated across the entire company. We have 
selected the windowing technique.
    By establishing Operating Principles up front and by 
setting a company direction, we've reduced indecision and 
unnecessary analysis throughout the company. There is no 
waffling on important standards because they've already been 
set by the Enterprise-level Program Office. Thanks to our 
Operating Principles, there's less opportunity for wasting 
time.
    There will be exceptions to any Operating principles that 
are established. We anticipated that and built a process 
wherein our Business Groups may present specific cases, based 
on business reasons, for making exceptions to the Operating 
Principles. As a result, we've granted some exceptions.

Prudential's Operating Principles are:

     All existing applications will require a Year 2000 
certification for compliance.
     New software (purchases and internal development) 
will be certified before purchase and installation.
     Rigorous risk and cost analyses will determine 
whether Prudential applications should be repaired or replaced.
     Redundant applications will be consolidated where 
appropriate.
     Replacement applications have been targeted for 
December 1998.
     Parallel development activities will be carefully 
researched and assessed to ensure against jeopardizing the 
timely success of Year 2000 maintenance. As I recommended 
earlier, your organization's entire IT team should have one 
common and central purpose: to become Year 2000 compliant in 
time to avert disaster. You should be working on nothing else 
until Y2K is solved.
     Standard date formats established by the Year 2000 
Team will be employed in new development.
     Date ``windowing'' (the logic approach) will be 
employed when renovating existing applications.
     Application replacement projects will be scheduled 
for completion by December 1998. Dual strategy (i.e. 
renovation) will be required for any projects that will not 
meet that target.
     Select vendors have been approved for the Year 
2000 assessment and renovation work at Prudential.

                3. Complete Strategic Portfolio Analysis

    In deciding how you'll tackle your Year 2000 problem, you 
might want to consider the approach of triage. Ask yourself 
three questions about your existing applications and systems: 
Should we renovate or fix it to make it Y2K compliant? Should 
we replace it with something new? Should we just retire it, 
since we aren't even using it anymore?
    At Prudential, our Year 2000 Program Office looked at every 
one of our 1,533 applications and decided to renovate 1,035 of 
them. With a total of more than 170 million lines of code, we 
are working on fixing about 97 million of them. Our decision 
was to renovate 75% of our existing applications. We decided to 
replace 12% and retire 13%.
    At this point, however, replacement strategies are high-
risk. It is too late to begin a replacement/new development 
project, unless the project has been targeted for completion by 
1998. The better approach would be to consider a renovation 
strategy and begin immediately.
    Organizations should not allow illogical rationale to creep 
into their Y2K decision making. Some are saying that they don't 
need to fix particular applications because they will just 
replace them. But remember, everyone in the IT industry is 
notoriously bad about meeting target dates even software 
vendors. If the replacement is not intensely controlled, 
there's a potential risk you will not be done on time. 
Organizations can't take that chance. It is better to go 
straight to renovation. Select systems or applications that are 
most critical those with a health impact or a financial impact. 
In the case of the federal government, they are the 
applications and systems that will affect the quality of life 
of American citizens. In the case of Prudential, we determined 
that the applications that are most critical to us are the ones 
that touch our customers. Those applications became our 
priorities and we scheduled them first.

                  4. Implement Communications Strategy

    The fourth step in Prudential's Year 2000 Strategic 
decision-making process was to create a process for 
communicating about our initiative. Organizations need to 
communicate to two groups. One is the information technology 
community. They need to be aware of directions, tools, 
achievements, expectations and the like. The second group you 
must communicate with is all employees. Year 2000 impacts every 
desktop in your organization. Employees and associates need to 
know what changes they can expect and what they must do to 
cooperate with Y2K strategies.
    At Prudential, we use every means of communication 
available to us to reach these two important constituents. We 
produce a quarterly newsletter and send E-mail messages out on 
a regular basis. We have established databases to share 
information and to answer frequently asked questions about Y2K.
    We are also addressing the subject of external 
communication to the public, and most important, to our 
customers and business partners.

                  5. Identify Staff Retention Approach

    Another important step in our Y2K strategy was 
acknowledging that staff retention would be an issue and 
developing an approach to keeping our people with us. There is 
a huge demand for coders, project managers, program managers 
and quality testers. I told you that at Prudential, we put our 
best people on our Year 2000 effort. We do not want to lose 
them. We used approaches to motivate our best and brightest to 
stick with us in the face of tempting offers from other 
organizations.
    Our retention strategy is to offer bonuses to individuals 
who stay with us in our Y2K effort. It is a strategy that many 
companies are using successfully and we decided to adopt it. 
Enriching compensation may not be an option for some 
organizations, including the government, perhaps. But money is 
not the only incentive to stick with a job. Take a look at your 
people and what motivates them. Offer the awards that will have 
meaning to the people in your organization. It might be 
increased vacation time, a promotion, training, flexible 
scheduling or a number of other lower-cost options your 
organization can comfortably offer.

                  6. Select External Service Providers

    An organization needs to make a decision as to which 
components of the Year 2K program their own employees will work 
on and which will be handled either outside the company or by 
external contractors who may work on-site. General categories 
include program and project management, assessment, code fixing 
and testing. Prudential's decision was to outsource about 65% 
of code fixing to outside providers.
    In selecting your service providers, it is too late to 
spend a lot of time on RFPs (Requests For Proposals) and RFIs 
(Requests For Information). There just isn't time now. Choose 
providers with whom you've already established partnerships, 
whose work is proven and whose people you trust.
    Using outside providers will save your organization time. 
Many have an automated tool set that allows their people to 
come in and fix your code in a fraction of the time it might 
take your own employees who don't have those advanced tools 
available. Automated tools reduce the chance for error and give 
you more time to work on testing.

                         7. Identify Standards

    One key step in Prudential's Y2K strategy was to identify 
standards for tools, methodology, certification and renovation. 
Just as we saw the advantages of establishing company-wide 
Operating Principles, we also saw the need to identify 
standards that would apply throughout the company. This saves 
analysis time, as we've seen. It also gets everyone on the same 
page. With a standard tool set and methodology, for example, we 
can also obtain consistent metrics and data for reporting 
purposes. And by applying the same standards for certification 
across the Enterprise, we have reduced our Year 2000 risk.

                  8. Identify Renovation-Fix Strategy

    There are two ways an organization can fix the Year 2000 
code problems. One is to actually expand the field from two 
position years to four positions. The other is to build logic 
into the code that fixes the problem. This can not be a 
decision made by individual programmers. Your Program Office 
must decide which solution is right for the entire 
organization. At this point, however, the field expansion fix 
may not be an option, since it takes longer to do and to test. 
And it costs more.

              9. Implement Project Tracking and Reporting

    It is May 7, 1998. Do you know where your Year 2000 project 
is?
    Doing the work is critical, but tracking your progress is 
equally important. In a large organization, tracking and 
reporting are key strategies for Y2K success. The most 
meaningful method for project tracking gauges ``planned'' 
versus ``actual'' accomplishments. Status reports that 
summarize what people did that week or month are worthless, if 
they are not tagged to a planned completion date. Prudential's 
Year 2000 Program Office set milestones for accomplishing 
specific objectives. Our people have to track their 
accomplishment based on those established milestones. We've 
built in checkpoints to validate that we are always on target 
to meet our long-range goals. Perhaps most important, we report 
on a monthly basis. This is absolutely critical if your aim in 
reporting is to give senior management the opportunity to do 
some course correction, if the metrics warrant it.
    Following are the five milestones we've identified on the 
project:
     Not started
     Assessment phase
     Code fix
     Testing
     Certification complete and back in production.
    Meticulous tracking and reporting with real accountability 
attached is one of the best ways to reduce the risk of failure. 
Antiquated tracking methods or haphazard reporting are 
unacceptable for the Year 2000. Large organizations, 
especially, must rely on sophisticated metrics and tools to 
track their Y2K projects.

                  10. Conduct Certification Procedures

    A certification process is critical. Prudential has 
established its own certification process to assure that all 
our Business Groups and Corporate Functions meet our standards 
for Year 2000 compliance. Organizations can not take a chance 
that Y2K compliance is compromised on any front. You cannot 
rely on an individual's assurance that the application will be 
ready to go. You need definitive, objective measures that 
demonstrate without a shadow of a doubt that all of your 
applications are functioning properly, in complete Y2K 
compliance, both before Y2K and after.
    In addition to creating our own 15-point Y2K compliance 
certification procedure, Prudential has obtained certification 
from the Information Technology Association of America (ITAA) 
for its Year 2000 program. The ITAA certification process is an 
excellent means for determining whether or not an organization 
has an effective Y2K process in place.

                     11. Identify Contingency Plans

    Since Year 2000 is a business management risk, it requires 
a business continuation plan. Organizations need to look at the 
potential for high risk to the company and its constituents and 
create contingency plans for critical business functions.
    Contingency planning goes beyond applications. You must 
also prepare contingency plans around infrastructure, including 
all your data centers, computers, buildings and facilities, and 
your telecommunications. In addition, you must have contingency 
planning in place as it relates to your business partners and 
suppliers.

             12. Inventory Business Partners and Suppliers

    One of the greatest risks to an organization is its Y2K 
vulnerability with business partners and suppliers. You can 
control your own applications and systems. You can have an 
airtight business continuation plan in place. But if your 
critical business partners and suppliers fall short on 
delivering Y2K compliance, that could have serious 
repercussions for your organization. At Prudential, we 
identified our critical business partners and suppliers and 
surveyed them to determine their ability to meet Y2K 
compliance. We put together a risk assessment team to help us 
determine for sure whether our business partners and suppliers 
meet our Y2K standards and to replace or assist those that do 
not meet our expectations.

                    13. Determine Financial Tracking

    Just as you track how you are progressing on your Year 2000 
project, you should also track how much it is costing the 
organization. You must identify those costs that are associated 
with Y2K and establish a mechanism for tracking your 
organization's financial commitment to the project.

           14. Develop a Process for Responding to Inquiries

    One of the things that has helped Prudential's Year 2000 
Program is our propensity to develop a process to handle 
everything related to our work. As part of our Y2K process, we 
receive inquiries and surveys from our business partners, 
including the government, our suppliers, and our customers, 
asking us about our procedures. In order to streamline our 
responses and to track them effectively, we created a process 
and developed legally approved language to help us answer 
questions quickly and consistently. We track these inquiries in 
a database to make sure they are answered in a timely, 
appropriate way.

                    A Problem of Titanic Proportions

    That is a summary of the strategic decisions Prudential and 
any other large organization must make in order to orchestrate 
a successful Year 2000 transition. This is a huge undertaking 
for our company and for every organization and industry around 
the globe. No one has ever had to do an IT project of this size 
and scope before, and it will be a significant challenge to our 
industry.
    But one key message I am compelled to leave with you is 
this. Year 2000 is an issue of Titanic proportions, but 
information technology controls just a tip of the iceberg. The 
remaining and often unseen risks include business partners, 
software vendors and the validation of the desktop environment.
    Prudential executives support Year 2000 as a critical 
business issue. They realize that technology is so integrated 
into our products and services that Year 2000 is an issue in 
which each employee has a stake and makes a contribution.
    We in the information technology department can run the Y2K 
Program Offices, manage the projects and fix or replace the 
code. We can test for compliance and prepare the organization 
for January 1, 2000 and beyond. But we can't do it alone. We've 
got to have the unwavering support of our top executives and 
the understanding and cooperation of every employee in the 
organization and every one of our business partners.
    It was the unseen portion of the iceberg, which struck 
Titanic below-decks, that doomed everyone aboard. My grave 
concern is that the leaders of too many organizations will 
dismiss the critical nature of the Y2K project. They may 
overestimate the ability of their already stretched information 
technology staff. Or perhaps, they will underestimate the 
amount of work and resources needed to become Year 2000 
compliant by the deadline. It's a deadline that is imposed by 
the relentless force of time the toughest taskmaster of them 
all.

                        Failure Is Not An Option

    In my opinion, the Year 2000 problem is a sink or swim 
proposition. But because I am, by nature, an optimist, I prefer 
to leave you with a different image of Y2K.
    When Jim Lovell, the commander on the ill-fated Apollo 13 
mission, uttered those immortal words, ``Houston, we have a 
problem,'' he wasn't kidding.
    For us at Prudential, and for any organization that plans 
to succeed into the 21St century, failure is not an option. 
Those were the confident and determined words of Gene Kranz, 
Mission Control Chief, who was largely responsible for 
returning the astronauts safely to Earth.
    Houston, ``there is a problem.'' And its name is Year 2000. 
Yet, I believe if you are smart and strategic, if you make 
every second count from now until the clock strikes midnight on 
December 31, 1999, you will achieve your goals and survive this 
mission critical assignment.
    Because we at Prudential have zero tolerance for Y2K 
failure within our own organization, we have zero tolerance for 
Y2K failure within any of our business partners' organizations. 
We are aggressively working with all our partners in fields as 
diverse as finance, law, medicine and government to ensure that 
Prudential's customers will not feel so much as a tremor when 
we collectively blast into the new millennium.

                               Conclusion

    That is why, in closing, it would be impossible for me to 
overstate the size and scope of the challenge the Federal 
government faces in preparing to meet its obligation to the 
citizens of this great nation regarding Year 2000 readiness. As 
world leaders, we Americans must take the lead in Y2K 
compliance. We must set the example for other countries to 
follow. We must demonstrate with decisive action and bold 
measures that failure is not an option.
    I urge the Subcommittee on Oversight of the Committee on 
Ways and Means to take swift action on the eight risk 
management actions for successful Year 2000 transition, which 
are:
    1. Secure Executive Commitment
    2. Establish a Year 2000 Program Office
    3. Identify Critical Applications
    4. Stop All Other Projects
    5. Devote Time to Testing
    6. Develop Contingency Plans
    7. Review and Assess Business Partner Risks
    8. Validate Desktops
    Congresswoman Johnson and committee members, thank you for 
giving me this opportunity to speak with you today. It is 
indeed an honor for Prudential to have been invited to 
contribute to the public dialogue on what will surely be the 
defining moment of the end of the 20th century, not only here 
in the United States, but around the world. This concludes my 
testimony.
      

                                

    Mr. Portman. Thank you, Ms. Dec.
    Ms. Jackson.

    STATEMENT OF JENNIFER JACKSON, GENERAL COUNSEL AND VICE 
PRESIDENT, CLINICAL SERVICES, CONNECTICUT HOSPITAL ASSOCIATION; 
           ON BEHALF OF AMERICAN HOSPITAL ASSOCIATION

     Ms. Jackson. Mr. Portman, I'm Jennifer Jackson, general 
counsel and vice president of Clinical Services at the 
Connecticut Hospital Association. And I'm pleased to be here 
today on behalf of the American Hospital Association which 
represents nearly 5,000 hospitals, health systems, networks, 
and other providers of care.
    Hospitals and health systems are taking the year 2000 
situation very seriously. They face the same potential problems 
as most other institutions and businesses. Their computer 
systems, their telecommunications systems, their security 
systems, their elevators, all could be affected by year 2000 
problems. However, hospitals are unique places and they have 
the potential for unique problems primarily because of their 
heavy dependence on technology and medical devices and 
equipment.
    In analyzing these potential problems, our priority is, as 
always, the safety of our patients and the delivery of high-
quality patient care. There are several key players that can 
help prevent those problems from occurring. There are hospitals 
and their associations, manufacturers of medical devices and 
equipment, the Food and Drug Administration, the Health Care 
Financing Administration, and Congress. AHA and State hospital 
associations are working together to ensure that our members 
know about the potential dangers of the millennium bug and they 
are taking steps to avoid problems.
    When it comes to medical devices and equipment, however, 
our efforts alone will not solve the problem. Information about 
whether or not these devices will be affected by the date 
change must come from the manufacturers of the equipment. We 
believe that existing regulations allow the FDA to require 
manufacturers to perform year 2000 testing and report adverse 
results. We urge the FDA to exercise its enforcement authority 
and we ask Congress to do everything in its power to enable the 
FDA to take the lead in ensuring that year 2000 information 
regarding medical devices gets from the manufacturers to those 
who need it the most--and that is the health care providers.
    We also need the help of the Health Care Financing 
Administration. America's hospitals and health systems receive, 
on average, half of their revenue from government programs like 
Medicare and it is critical that the flow of these funds not be 
interrupted by year 2000 problems. HCFA must require its 
contractors to ensure that their performance will not be 
interrupted by the date change. Letting providers know what 
changes may be required of their billing systems is also 
important so that providers and contractors can work together 
to ensure that their systems are compatible.
    Of course, there also remains the possibility that 
unforeseen problems could occur so there should be a 
contingency plan. A system to provide periodic interim payments 
based on past payment levels is an ideal way to do this.
    Congress also has a key role to play. Your attention to 
this issue through hearings like this one reflects your 
understanding of the gravity of the situation. We ask you to 
help America's health care system to avoid year 2000 problems 
by taking several steps. First, Congress should appropriate 
whatever funds the FDA may need to ensure that manufacturers of 
medical devices investigate, report, and correct year 2000 
related problems in their products. Second, Congress should 
consider enacting some form of immunity from liability for 
health care providers who have taken steps to prevent year 2000 
problems. And, third, Congress should authorize the use of 
periodic interim payments under the Medicare Program.
    America's hospitals and health systems, their State 
associations, and the American Hospital Association are working 
together to prepare for the year 2000. We encourage Congress 
and our Federal agencies to work with us as well so that 
together we can ensure a smooth and healthy transition into the 
new millennium.
    Thank you.
    [The prepared statement follows:]

Statement of Jennifer Jackson, General Counsel and Vice President, 
Clinical Services, Connecticut Hospital Association; on behalf of 
American Hospital Association

    Madam Chairwoman, I am Jennifer Jackson, General Counsel 
and Vice President, Clinical Services, at the Connecticut 
Hospital Association. I am here on behalf of the American 
Hospital Association (AHA), which represents nearly 5,000 
hospitals, health systems, networks, and other providers of 
care.
    We appreciate this opportunity to present our views on an 
issue that is of critical importance to our members and the 
patients they care for: the potential for the ``millennium 
bug''--the inability of computer chips to recognize the Year 
2000--to interrupt the smooth delivery of high-quality health 
care. The AHA and its members are committed to taking whatever 
steps may be necessary to prevent potential Year 2000 problems 
from affecting patient care.
    Hospitals and health systems operate seven days a week, 24 
hours a day. Their doors are always open because the people 
they serve trust that they will be there whenever the need 
arises. Our number one concern is the health and safety of our 
patients, and that is why I am here.
    Hospitals and health systems face the same potential 
problems as most other institutions. Cellular phones, pagers, 
security systems, elevators--all could be affected by Year 2000 
problems. However, hospitals are special places that also rely 
daily upon unique medical devices and equipment. We are 
concerned about the potential impact of Year 2000 computer 
problems on patient safety--and hospitals, health care 
providers and their associations cannot reduce, let alone 
eliminate, that risk by themselves. We need your help and 
cooperation, and that of the federal agencies that regulate the 
health care field: namely, the Food and Drug Administration 
(FDA) and the Health Care Financing Administration (HCFA).
    In particular, we need the federal government to exercise 
its authority in this area--now. We need the federal government 
to create an atmosphere in which everyone involved in the 
health care field will view the full and timely disclosure of 
Year 2000 computer problems not only as diligent and prudent 
behavior--the right thing to do--but also as mandatory conduct.
    One of our primary concerns has to do with potentially non-
compliant medical devices and equipment. Microchips (or 
microprocessors) that use date-sensitive logic are embedded in 
many medical devices, and we need to find out whether those 
devices will be affected by the date change to the Year 2000, 
and, if so, how we can fix them to avoid an interruption or 
other malfunction. The manufacturers of these devices are the 
best and, and in some cases, the only source of this 
information. Assuming that prudent medical device and equipment 
manufacturers are engaging in Year 2000 testing, we need to 
know what they are discovering, especially if they are 
uncovering problems. Here lies the heart of our concern.
    While we as health care providers can ask manufacturers to 
disclose Year 2000 information to us, we cannot force them to 
do so. We do not have the legislative or regulatory authority 
to compel disclosure. We believe that is a job for Congress and 
the FDA.

            The Role of AHA and State Hospital Associations

    Hospitals and health systems are trying to do their part. 
Across the nation, more and more hospitals are preparing for 
the date change, and making a commitment to take all 
appropriate steps to avoid any disruption in patient care. 
Continuing a tradition of partnership in addressing issues that 
affect our mutual members, the AHA and the nation's state 
hospital associations are working together to inform and 
educate hospitals and health systems about the Year 2000 issue.
    We are committed to ensuring that our members are aware of 
the dangers of the millennium bug. We can make sure they have 
the latest information on what their colleagues and other 
organizations are doing to address the problem. And we can help 
them learn about solutions that can help them.
    Our State Issues Forum, which tracks state-level 
legislative and advocacy activities, is hosting biweekly 
conference calls dedicated entirely to the Year 2000 issue. On 
these calls, information is shared among and between states and 
AHA staff. A special AHA task force on the Year 2000 problem 
has been drawing up specific timelines for action to make sure 
our members get the latest information and know where to turn 
for help.
    Articles are appearing regularly in AHA News, our national 
newspaper, in Hospitals and Health Networks, our national 
magazine for hospital CEOs, in Trustee, our national magazine 
for volunteer hospital leadership, and in several other 
national publications that are published by various AHA 
membership societies. Several of these societies, such as the 
American Society for Healthcare Engineering and the American 
Society for Healthcare Risk Management, are deeply involved in 
helping their members attack the millennium bug in their 
hospitals.
    In addition, the AHA Web site has become an important 
clearinghouse of information on the Year 2000 issue, including 
links to other Web sites that also have information that can 
help our members.

              The Role of the Food and Drug Administration

    When it comes to medical devices, however, our efforts are 
not going to be sufficient to solve the problem, unless the 
manufacturers cooperate fully and quickly. While we anticipate 
that the number of devices that are affected may be limited, it 
is critical that accurate and thorough information be available 
from manufacturers. Health care providers must inventory their 
thousands of devices and pieces of equipment. But information 
about whether these devices are Year 2000-compliant--that is, 
whether or not they will be affected by the date change--must 
come from the manufacturers. The FDA has a key role to play in 
this area.
    The Center for Devices and Radiological Health (CDRH), the 
arm of FDA responsible for regulating the safety and 
effectiveness of medical devices, has taken a number of steps 
to ensure that manufacturers of medical devices address 
potential Year 2000 problems. We commend the center for its 
actions. Dr. Thomas Shope, who is heading FDA's efforts, has 
been very receptive to our concerns. We believe that current 
regulations allow the FDA to require manufacturers of medical 
devices to perform Year 2000 testing and report adverse 
results. We urge that FDA be given whatever resources or 
support it may need from Congress to exercise its enforcement 
authority in this area.

          The Role of the Health Care Financing Administration

    On average, America's hospitals and health systems receive 
roughly half of their revenues from government programs like 
Medicare and Medicaid. If that much revenue were to be suddenly 
cut off, hospitals could not survive, and patient care could be 
jeopardized. Hospitals would not be able to pay vendors. They 
would not be able to purchase food, supplies, laundry services, 
maintain medical equipment--in short, they would not be able to 
do the job their communities expect of them. All this would 
occur even as hospitals and health systems faced the 
substantial costs of addressing their own Year 2000 system 
needs.
    HCFA must make sure its contractors have taken steps to 
ensure that their performance will not be interrupted by Year 
2000 problems caused by the millennium bug. HCFA should make 
readily available its work plan for bringing the contractors 
into compliance and aggressively monitor their efforts. Letting 
the providers know what changes may be required of them is also 
important. This would allow both providers and contractors to 
prepare simultaneously and ensure that their systems are 
compatible.
    Even if all contractors express confidence that their 
payment mechanisms will not be affected by the millennium bug, 
the possibility remains that unforeseen problems could crop up. 
Therefore, HCFA should establish a contingency plan in case 
contractors' payment mechanisms somehow fail at the turn of the 
century.
    Medicare beneficiaries' health care needs will remain 
constant, regardless of whether we are prepared for Year 2000 
problems. If carrier and fiscal intermediary payment systems 
are clogged up by the millennium bug, hospitals' ability to 
continue providing high-quality health care could be severely 
affected. A system to provide periodic interim payments, based 
on past payment levels, is one way that this could be done. It 
would ensure that hospitals have the resources necessary to 
care for Medicare patients.
    And let me add that Medicare is certainly not the only 
payer for hospital services. Similar payment delays could occur 
if private health insurers and, in the case of Medicaid, 
individual states, have not addressed their own Year 2000 
problems. The federal government has the power to prevent this 
from happening, and we urge you to use that power.

                          The Role of Congress

    As I have described, health care providers and the 
associations that represent them are devoting significant time, 
resources and energy to preventing potential Year 2000 problems 
from affecting patient safety. It is essential that we all look 
for ways to help prepare America's health care system for the 
turn of the century, and Congress can play an important role. 
Your attention to this issue, through hearings such as this, 
reflects your understanding of the gravity of the situation.
    We ask you to help America's health care system avoid Year 
2000 problems by taking several steps that relate to the issues 
I have described:
     Congress should appropriate whatever funds are 
necessary for the FDA to ensure that manufacturers of medical 
devices investigate and correct Year 2000-related problems in 
their products, and report the results in a timely fashion to 
the FDA and to the users of their products.
     Congress should enact some form of immunity from 
liability for health care providers that have taken steps to 
prevent Year 2000 problems from affecting patient care--for 
example, relying on the FDA's data base of medical devices and 
equipment for information about Year 2000 compliance. To a 
great extent, hospitals must rely on manufacturers of medical 
equipment and devices--and on vendors providing other systems 
and products--to disclose whether a Year 2000 problem may 
arise, and how to correct the problem. In addition, some 
products and systems may have been purchased by hospitals years 
ago, before the Year 2000 date change became a consideration. 
Providers should not be liable for damages for the Year 2000 
limitations of those products and systems.
     Congress should authorize the use of periodic 
interim payments under the Medicare program. These payments, 
based on past payment levels, should be implemented to ensure 
adequate cash flow for providers in case carrier and fiscal 
intermediary payment systems fail due to the date change.
    Madam Chairman, the Year 2000 issue will affect every 
aspect of American life, but few, if any, are as important as 
health care. America's hospitals and health systems, their 
state associations, and the AHA are partners in the effort to 
prepare for the Year 2000. We encourage Congress and our 
federal agencies to work with us as well. Together, we can 
ensure a smooth--and healthy--transition into the new 
millennium.
      

                                

    Mr. Portman. Thank you, Ms. Jackson.
    Ms. Lehnhard.

STATEMENT OF MARY NELL LEHNHARD, SENIOR VICE PRESIDENT, POLICY 
   AND REPRESENTATION, BLUE CROSS AND BLUE SHIELD ASSOCIATION

     Ms. Lehnhard. Congressman Portman, I'm Mary Nell Lehnhard, 
senior vice president of the Blue Cross and Blue Shield 
Association. I appreciate the opportunity to testify on behalf 
of the 38 Blue Cross and Blue Shield plans that are part A 
intermediaries and the 21 plans that are part B carriers.
    Medicare is administered through a very successful 
partnership between private industry and HCFA. Blue Cross and 
Blue Shield plans process 85 percent of part A claims, and 
about two-thirds of all part B claims. Medicare contractors 
have successfully met many significant challenges through this 
33-year partnership. Contractors have been able to handle a 
dramatic increase in workload from about 60 million claims in 
1970 to about 900 million claims in 1998. We process more than 
3 million claims every working day. Contractors have handled 
major challenges in the past, implementing programmatic changes 
quickly, including Medicare prospective payment systems for 
hospitals in the eighties, the physician resource-based 
relative value scale in the nineties, and the many complex 
payment changes in BBA, the Balanced Budget Act, in 1997. These 
complex undertakings were accomplished in extremely tight 
timeframes and were successful.
    Our next challenge is assuring that year 2000 computer 
adjustments are made accurately and in accordance with the 
timetable set out with HCFA. I want to state very clearly that 
Medicare contractors are committed to year 2000 compliance. 
Despite the very real challenges, let me assure you that 
contractors are working toward becoming compliant on a 
timetable that will meet HCFA's deadline of December 31, 1998, 
which is actually 2 months earlier than the governmentwide 
target set by OMB.
    Blue Cross and Blue Shield Association and our contractors 
have been working closely with HCFA on all the compliance 
issues. I would note that two circumstances have made year 2000 
compliance even more challenging for our contractors. First, 
there's been a significant change in how contractors are to 
proceed in assuring millennium compliance. Originally, many of 
the system changes that would have been necessary for 
compliance were to be accomplished through the conversion of 
all the contractors to the Medicare Transaction System, MTS. As 
you know, MTS was dropped 6 months ago and, as a result, 
contractors that would have been making significant changes, in 
the absence of MTS, they are behind because they've totally 
switched directions. Also, instead of converting to the MTS 
system, Medicare contractors are now transitioning to a single 
part A system and a single part B system. In some cases, this 
has made it difficult to focus on millennium compliance. It's a 
diversion of resource, a diversion of expertise, and several 
contractors have asked HCFA to delay these major transition 
requirements so they could focus on the year 2000 issues. We're 
very pleased that just last week HCFA agreed to delay 
transition to the single system for some plans.
    Funding is also an issue. We have yet to receive any 
funding for our transition activities--our compliance 
activities. We anticipate that the year 2000 compliance will be 
very costly and, in the absence of allocation of funds, we've 
had to reallocate funding from other important activities to 
support our compliance activities. We're very pleased that 
Congress actually reprogrammed $20 million in the fiscal year 
1998 supplemental appropriations bill to cover our millennium 
costs but given the very high cost of compliance, more funding 
is going to be necessary.
    Finally, I'd note that HCFA has been seeking legislative 
authority to dramatically restructure the Medicare contracting 
process arguing that contractor reform is necessary to achieve 
compliance. Given our efforts to work cooperatively with HCFA 
on the issue, and the very broad authority that HCFA has under 
current contracts, we're perplexed about why HCFA is asking for 
contractor reform to support year 2000 compliance. Contractor 
reform wouldn't address year 2000 compliance issues. New 
contractors are going to face the same difficulties as current 
contractors, including compliance dates that are 2 months 
earlier than many subcontractors they depend on that also have 
government contracts. In fact, contractors unfamiliar with 
Medicare would have the added burden of learning its extremely 
complex rules and regulations while simultaneously working to 
achieve millennium compliance. Also, given the overwhelming 
current responsibilities from BBA and HIPAA, the Health 
Insurance Portability and Accountability Act, we don't believe 
the agency has the resources or staff to implement any 
additional activities such as new procurement. And, finally, 
HCFA has very broad authority under current law, and can 
terminate contractors for nonperformance including failure to 
meet the year 2000 timetable. In fact, HCFA has already put us 
on notice that this is the standard for compliance with the 
program.
    The Ways and Means Subcommittee on Health has reviewed and 
rejected similar proposals for new authority in the past and my 
testimony details our specific concerns with the reform 
legislation such as preempting the Secretary from the 
competitive bidding process under the Federal acquisition 
regulations.
    In summary, contractors are working diligently to become 
compliant by December 1, 1998. It's a monumental task but 
contractors are committed to meeting these challenges just as 
they have met past challenges. And we believe Congress should 
reject HCFA's use of 2000 compliance as a reason for 
legislating far-reaching changes in the program. In fact, 
contractors reform at this time would introduce major change, 
confusion, and diversion of resources at a time when experience 
and focus is extremely important.
    Thank you.
    [The prepared statement follows:]

Statement of Mary Nell Lehnhard, Senior Vice President, Policy and 
Representation, Blue Cross and Blue Shield Association

    Madam Chairman and members of the subcommittee, I am Mary 
Nell Lehnhard, Senior Vice President of the Blue Cross and Blue 
Shield Association, the organization representing 55 
independent Blue Cross and Blue Shield Plans throughout the 
nation. I appreciate the opportunity to testify before the 
subcommittee on the efforts of Medicare contractors to ensure 
that Medicare computer systems will function properly beyond 
the year 2000.
    The Medicare program is administered through a successful 
partnership between private industry and the Health Care 
Financing Administration (HCFA). Since 1965, Blue Cross and 
Blue Shield Plans have played a leading role in administering 
the program. They have contracted with the federal government 
to handle much of the day-to-day work of paying Medicare claims 
accurately and in a timely manner. Today, Blue Cross and Blue 
Shield Plans process 85 percent of Medicare Part A claims from 
hospitals, nursing homes, and other institutional providers, 
and about two-thirds of all Part B claims from physicians, 
labs, durable medical equipment and other health care 
practitioners.
    Medicare contractors have successfully met many significant 
challenges during this thirty-three-year partnership. Medicare 
contractors, for example, have been able to handle a dramatic 
increase in workload. The number of Medicare claims has 
increased almost 15 fold from 61 million claims in 1970 to an 
estimated 889 million in 1998. Today, Medicare contractors 
process more than 3 million claims every working day.
    On top of this massive growth in workload, contractors have 
handled other major challenges such as quickly implementing 
major programmatic changes, especially over the last 15 years. 
These changes to the Medicare program include: the institution 
and refinement of the Medicare prospective payment system for 
hospitals in the mid-1980s, the physician resource-based 
relative value payment system in the 1990s, and the many new 
payment system changes that are required by the Balanced Budget 
Act of 1997. These critical undertakings were accomplished in 
extremely tight time frames. We are very proud of our role as 
Medicare administrators, and our record of efficiency and cost 
effectiveness for the federal government.
    My testimony today focuses on one of our next major 
challenges assuring that Year 2000 computer adjustments are 
made accurately and in accordance with the timetable set out by 
HCFA. Specifically, I will discuss:
     Medicare contractors' commitment to becoming Year 
2000 compliant;
     Our efforts with HCFA to ensure compliance;
     Other factors affecting contractor compliance; and
     Why Medicare contractor reform is not necessary to 
assure compliance.

     I. Medicare Contractors Are Committed To Year 2000 Compliance

    I want to state clearly that Medicare contractors are 
committed to Year 2000 compliance. In recent congressional 
hearings and press reports, it has been suggested that 
contractors are not being diligent in their efforts to meet 
this requirement and that HCFA needs additional authority to 
assure compliance. Nothing could be further from the truth. The 
confusion may be the result of a discussion between HCFA and 
contractors regarding a contract amendment, and I will say more 
about that later in my testimony.
    Year 2000 compliance is a top priority for Medicare 
contractors. Despite the real challenges, let me assure you 
that Medicare contractors are working toward becoming compliant 
on a timetable that will meet HCFA's deadline of December 31, 
1998, which is two months earlier than the government-wide 
target date set by Office of Management and Budget (OMB).
    Medicare contractors will make every effort to meet this 
challenge just as they have successfully met other challenges 
in the past. It is in everyone's interest Blue Cross and Blue 
Shield Plans, the government, providers and beneficiaries for 
contractors to become millenium compliant. For Blue Cross and 
Blue Shield Plans, both their Medicare and private business 
depend on meeting this challenge.

             II. Our Efforts With HCFA To Ensure Compliance

    BCBSA and Medicare contractors have been working closely 
with HCFA on compliance issues. As part of this process, BCBSA 
has been working with HCFA to find an agreeable contract 
amendment related to Year 2000 compliance. I want to discuss 
the circumstances surrounding this amendment.
    Last fall, HCFA sent all Medicare contractors a contract 
amendment intended to assure Year 2000 compliance. The proposed 
amendment required Medicare contractors to be Year 2000 
compliant by December 31, 1998 two months ahead of other 
government contractors. The amendment also defined HCFA's 
expectations of Medicare contractors with regard to Year 2000 
compliance.
    While we fully support HCFA's efforts to address the Year 
2000 issue in a timely fashion, BCBSA raised several questions 
about the proposed amendment. We did not have a problem with 
being compliant earlier than other government contractors, but 
we did raise several problems, such as contractors' dependence 
on vendors, which is described below. Plans and contractors 
believed that no entity would legally be able to sign the 
proposed amendment, and we asked that it be modified. We had 
the following concerns:
     BCBSA pointed out that it would be impossible to 
provide HCFA the assurances for Year 2000 compliance that the 
contract amendment would have required because ``full'' 
compliance depends on other businesses. Examples of other 
businesses that contractors will depend on for compliance are 
manufacturers of microchips, banks, and the claims systems that 
are owned and maintained by doctors' offices and hospitals. The 
problem is that all of these entities are following varying 
compliance dates. If any one of these other entities has a 
later compliance date, then the Plan cannot be in ``full'' 
compliance. Since Medicare contractors cannot force third-party 
vendors to become compliant by a certain date, contractors 
would be in no position to ensure full compliance.
     A decision about compliance by the Securities and 
Exchange Commission (SEC) illustrates and adds to the problem 
we are raising. A recent SEC policy statement said that it is 
impossible for any entity to represent that it has achieved 
full Year 2000 compliance before January 1, 2000. Contractors 
would essentially be put in the position of forcing the 
compliance of public entities that have different timetables 
for compliance. This could pose significant problems. Based on 
our legal interpretation of the amendment, even if our claims 
processing activities were compliant, we could have been 
considered noncompliant if, for example, our maintenance 
company for the elevators in a building we rent failed to 
assure compliance by December 31, 1998.
     The amendment also would have required that 
contractors certify the compliance of all vendors. 
Certification is a specific procedure that creates a civil or 
criminal liability for contractors if the information is 
incorrect. Certification of Year 2000 compliance would have 
required contractors to know all the facts about any entity 
that has any kind of relationship with the contractor (e.g., 
all subcontractors in a building rented or owned by the 
contractor, all vendors and all vendor subcontractors). 
Contractors would be subject to civil and criminal penalties if 
they certified compliance and were not in compliance through 
circumstances beyond their control. There are circumstances 
where contractors have to certify the validity of information 
(e.g., financial statements). These are, however, situations 
where contractors are familiar with and know all the facts. But 
it is an unacceptable level of liability for us to certify that 
everyone contractors have a relationship with is Year 2000 
compliant.
     In addition, the amendment would have allowed HCFA 
to prohibit Plans with Medicare contracts from entering into 
other Medicare contracts, such as managed care contracts or 
Medicare Integrity Program contracts, if they were 
noncompliant. We find no statutory basis for unilaterally 
debarring Plans with Medicare contracts from participating in 
other Medicare programs--especially programs such as 
Medicare+Choice that are not part of the scope of the current 
Medicare contracts--based on non-compliance of Medicare 
contractors.
     Another concern with the proposed contract 
amendment is that we believe HCFA has current authority to 
terminate contractors that do not meet its performance 
standards, including Year 2000 compliance.
    Notwithstanding these concerns, we are willing to sign an 
amendment if the terms are appropriate.
    Two weeks ago, HCFA responded to our letter. It 
acknowledged that it was not the agency's intention to require 
compliance with contractors outside of the contractors' direct 
control. We are now working with HCFA to redraft a new 
amendment that is mutually agreeable.
    In addition to our work with HCFA on the contractor 
amendment, we are collaborating closely with the agency on 
compliance issues. BCBSA has, in fact, recommended a regular, 
formal process to assure regular communication with HCFA. A 
steering committee to facilitate this communication has been 
established. The steering committee which is chaired by HCFA's 
chief operating officer and vice-chaired by BCBSA--has 
established four working groups and will hold its third meeting 
on June 2. We are very pleased with the progress that has been 
made at these meetings and with the constructive dialogue 
between HCFA and the contractors. We look forward to more of 
this type of cooperation.

           III. Other Factors Affecting Contractor Compliance

    In reviewing the circumstances and issues related to Year 
2000 compliance, the subcommittee should be aware of two 
additional issues that have made Year 2000 compliance 
activities even more challenging.
    First, there has been a significant change in direction in 
how contractors are to proceed in assuring millenium 
compliance. Originally, many of the system changes that are 
necessary for compliance would have been accomplished by the 
conversion of all Medicare contractors to the Medicare 
Transaction System (MTS). As you know, the MTS initiative was 
dropped last year. As a result, contractors had to make 
significant changes that, in the absence of MTS, they would 
have been working on for some time.
    In addition, instead of converting to the MTS system, 
Medicare contractors are now transitioning to a single Part A 
and Part B system. In some cases, this conversion to different 
systems has made it more difficult to focus on millenium 
compliance. As a result, several contractors requested that 
HCFA delay transition requirements so they could focus on Year 
2000 issues. We are very pleased that just last week, HCFA 
agreed to delay transitions for some Plans. We are continuing 
to work with HCFA to assure priority attention to this effort.
    The second issue is funding. We anticipate Year 2000 
compliance to be very costly, but funding has not yet been 
available to contractors to cover their expenses. As a result, 
contractors have had to reallocate funding from other important 
activities on a temporary basis.
    Some of the costs that contractors will face include:
     Additional salaries and benefits for FTEs;
     Additional software licensing, telecommunications, 
and a CPU upgrade;
     Testing of software programs;
     Testing and upgrading telephone and security 
systems;
     Testing of LAN and PC environments; and
     Training costs, including provider training.
    We are very pleased that Congress included in the FY 1998 
supplemental appropriation bill reprogramming of $20 million to 
cover millenium costs. But given the high costs of compliance, 
we believe more funding is necessary.
    Compliance will be both time- and resource-intensive. For 
example, contractors will need to properly test new computer 
systems, which necessitates that they model their systems in a 
closed environment. Contractors will have to use separate staff 
and software and construct separate systems to do proper 
testing.

                 IV. Contractor Reform Is Not Necessary

    In addition to pursuing amendments to the contracts, HCFA 
is also seeking legislative authority to dramatically 
restructure the Medicare contracting process. This effort to 
make broad changes in contract authority is not a new 
initiative. But most recently, HCFA has been arguing that this 
contractor reform is necessary to assure compliance.
    Given our efforts to work cooperatively with HCFA on this 
issue and the broad authority HCFA already has under current 
contracts, we are disappointed and perplexed about why it is 
linking contractor reform legislation with Year 2000 
compliance.
    Contractor reform would not improve the Year 2000 problem. 
Every potential new contractor would face the same difficulties 
as current contractors, such as government compliance dates 
that are later than the compliance date for Medicare 
contractors. In fact, contractors unfamiliar with the Medicare 
program would have the added burden of having to learn its 
extremely complex rules and regulations while simultaneously 
working to achieving millenium compliance.
    Under contractor reform, HCFA would potentially have to 
manage many new contracts for claims-processing services with 
entities unfamiliar with Medicare. Management of these new 
contracts would require diversion of major HCFA resources at a 
time when HCFA has many other responsibilities such as 
implementation of the Balanced Budget Act and the Health 
Insurance Portability and Accountability Act. Also, HCFA has 
just begun to implement the new contracting provisions for the 
Medicare Integrity Program. We believe the agency does not have 
the resources or staff to implement any additional procurement 
activities.
    Importantly, HCFA already has broad authority to sanction 
contractors that are not in compliance. HCFA can replace or 
terminate contractors for poor performance, including non-
compliance for Year 2000. In fact, in a letter sent to 
contractors on November 17, 1997, HCFA indicated that ``failure 
on the part of a [Medicare] contractor to bring its system into 
compliance will be considered a serous deficiency in contract 
performance.'' Contractor reform--or even a contract 
amendment--is not necessary to replace contractors that are not 
millenium compliant. The contract amendment would only provide 
HCFA with more detailed performance criteria.
    For several years, HCFA has been seeking contractor reform 
legislation that would give HCFA broad authority to fragment 
the functions of current contractors. We believe that 
contractor reform provisions: jeopardize the continuity of 
Medicare claims payment to providers and service to 
beneficiaries; are ill-advised in the absence of HCFA 
articulating a new strategy for Medicare administration and of 
public debate on that strategy; are unnecessary for the 
continued smooth operation of the Medicare program; and give 
HCFA extraordinary authority not needed in the current 
environment.
    This proposal would have significant implications and 
unintended consequences for Medicare beneficiaries and 
providers. The Ways and Means Subcommittee on Health has 
reviewed and rejected similar proposals in the past.
    Our specific concerns with the contractor legislation are 
as follows:
     Current law gives the Health and Human Services 
Secretary authority to terminate Medicare contracts for lack of 
performance. Beneficiaries and providers have been well served 
by this language. The so called ``reform'' legislation would 
give the Secretary and HCFA a free hand to terminate contracts 
at will, regardless of how efficiently and effectively the 
contractor has performed under the contract. Medicare 
contractors' provider payments and services to beneficiaries 
thus would become subject to the whim of HCFA staff.
     The ``reform'' legislation also would authorize 
the transfer of functions among fiscal intermediaries without 
regard to any provision of law requiring competition. Transfer 
of functions could happen at the whim of HCFA, with no warning 
and no recourse for the contractor or providers effected by the 
transfer. This would create an unstable system and would 
prohibit contractors from investing in the technology and 
resources needed in top-flight organizations.
     As noted, this legislation would provide HCFA with 
expanded, unprecedented authority to terminate and debar 
contractors without due process or appeal rights. Like the Year 
2000 contract amendment, this language could be interpreted as 
precluding any terminated contractor from receiving other 
government contracts, such as FEP, CHAMPUS, Medicaid, and 
Medicare+Choice. The lack of due process and the de facto 
debarment provides HCFA with authority well beyond what is 
allowed by the Federal Acquisition Regulations (FAR).
    This reform proposal would give HCFA the authority to 
totally revamp participation in Medicare contracting within one 
year of enactment without due process for current contractors 
and without competition. Taken together these reform provisions 
would give HCFA the authority to cast out with no recourse 
Medicare contractors that have served the country faithfully 
for over 30 years, without stating the plan for future Medicare 
contractor administration. What will it look like? Who will 
HCFA contract with? What experience will they have? How will 
service to beneficiaries and providers improve? This authority 
and the possibility of an unplanned, behind-closed-doors use of 
it would impede Medicare contracting for many years to come.
    Success in Medicare claims administration requires that 
HCFA and the contractors work together toward their mutual goal 
of accurate and timely claims payment. This partnership should 
extend to planning the future of Medicare contract 
administration.
    Change in Medicare contracting is ongoing and inevitable. 
In the last ten years, the number of contractors has declined, 
with most withdrawing from Medicare contract administration to 
pursue private business interests. MTS failed, but HCFA is 
rapidly moving the contractors onto three standard claims 
processing systems that HCFA controls. This represents a 
dramatic opportunity for the government to directly control 
program expenditures and reduce the variability that exists 
throughout the country.
    In summary, we do not believe these legislative changes are 
necessary to assure efficiency and high performance levels.

                             V. Conclusion

    Let me reiterate that Medicare contractors are working 
diligently to become millenium compliant by December 31, 1998. 
This is a monumental task, and we will face a number of 
challenges along the way. Medicare contractors are committed to 
meeting these challenges just as they have done in the past.
    We will continue to work with HCFA to resolve issues that 
arise and to ensure compliance. A cooperative approach between 
contractors and HCFA will achieve the best results.
    Congress should reject HCFA's use of year 2000 compliance 
as a reason for legislating far-reaching changes to the 
Medicare contractor program. Contractor reform raises 
fundamental issues and implications for the Medicare program. 
In fact, contractor reform could introduce change, confusion 
and diversion of resources at a time when experience and focus 
is important.
    Thank you for the opportunity to speak with you on this 
important issue.
      

                                

    Mr. Portman. Thank you, Ms. Lehnhard. And we're now joined 
by the Chairwoman of the panel.
    Chairman Johnson of Connecticut [presiding]. My apologies 
for having to have been absent much longer than I thought I 
would have to. But I'm going to let Mr. Portman start 
questioning, and then join in.
    Mr. Portman. Well, first thanks to all the witnesses. I've 
learned a lot and although it seems as though the panel is 
somewhat empty this afternoon, know that the staff is here and, 
after all, they're the most important people around. But more 
important, honestly, your written remarks are in the record. 
That record is reviewed and that is the basis upon which we 
often act so it's very important you're here today to bring 
more, frankly, public and congressional attention to this very 
critical issue.
    I learned a lot about the private sector today because I've 
been more focused, of course, on the Federal agencies, 
particularly the IRS and also the interconnection of not only 
the Federal agencies to the private sector, particularly in 
some of these more regulated areas, like hospitals and 
insurance, but also with regard to the interconnection between 
companies. So if a bank, for instance, spends 3 years getting 
all of its year 2000 problems resolved it really doesn't matter 
because you still have to deal with the Federal Reserve and 
other banks and other institutions.
    And, finally, Mr. Bace started off by shocking us with his 
analysis and I guess what I've learned is about the 
international aspect of this. That there's not just a national 
problem. Mr. Bace, in looking at your chart, which you didn't 
have time to go into in your oral remarks, but those who 
haven't seen it, you want to get a copy of this because it's 
very interesting to see the degree to which the United States 
is actually somewhat ahead of other global trading partners 
where we have this interconnected relationship.
    I guess I would start off by saying I'm impressed enough 
today to understand that the message is important. And you 
talked about Apollo 13, Ms. Dec, and Lovell saying, ``Houston, 
we have a problem.'' I go back to the well of the House of 
Representatives where Jack Kennedy said we're going to get to 
the moon, and that's maybe even the better analogy here because 
we need that kind of leadership and maybe that kind of 
consolidation of effort on the Hill and downtown, meaning at 
the White House. So I hope that President Clinton and Vice 
President Gore, being as interested as they are in information 
technology and the hope for information technology to even spur 
further economic growth, will also start to focus more on this 
very real problem in our information technology revolution, and 
begin to take more of a leadership role as well as Congress. 
Frankly, they have a bully pulpit that is somewhat more 
powerful than ours. So although we need to do more, as Mr. 
Miller said, I think we also have to try to encourage the 
administration to do more on a national level with the private 
sector.
    My first question for Mr. Bace and any of the panelists is 
from what you heard from that first panel, do you think our 
Federal officials understand the risks, that they understand 
the challenges, and do you think they are taking adequate steps 
to manage and mitigate those risks?
    Mr. Bace. Yes, I do. I believe that they are very much 
aware of the issues facing them, but I think there has 
generally been, for a lack of a better term, sort of management 
malaise for years thinking that it's just a simple information 
technology problem, an IT problem. Go fix the two digits dates 
in the computer and, as Mr. Miller was saying, there's a 
serious lack of a crisis attitude within society. I had hoped 
we would have been getting these kind of status reports maybe 2 
years ago where we still had much more time instead of being 
within 603 days of the millennium crossover at this point in 
time.
    Mr. Portman. Mr. Miller.
    Mr. Miller. Mr. Portman, I think they're also hamstrung by 
the lack of financial resources. The current numbers we're 
hearing for the government is $4.7 billion. This sounds like a 
lot of money, but then you realize that one company, General 
Motors or Citibank, is talking about spending $600 million 
alone. That government number is ludicrously small. Obviously, 
again, as government officials they have to stay within the 
party line. And the party line from the Office of Management 
and Budget is we don't need more money. But, clearly, if you 
listen to them carefully, they do need a lot more money and 
additionally they have the problem of the retention of 
employees which is very serious. I chaired a panel recently of 
senior human resource people from the government and they 
indicated there are very serious retention problems. The Office 
of Personnel Management is trying to be helpful. But the fact 
is salaries are going up so rapidly in the private sector that 
it's very hard to convince people to stay in the public sector. 
So money is a huge problem and that's why we're recommending, 
at a minimum, Congress provide some contingency funding and 
somehow work out a way to get the Congress to give additional 
funding because there has to be more honesty about the needs 
for funding.
    Mr. Portman. Just one quick comment to that, I think we 
have to rely to a certain extent on OMB to tell us what the 
funding needs are. I mean, it's difficult for us, on this 
Subcommittee or Committees, to establish what the priorities 
are and to spend even that $500 million which, as you say, is a 
somewhat questionable sum given that General Motors, as you 
indicated, said they're going to spend that amount as one 
company, a relatively large company. But, so, I think you're 
right but, again, I would turn some attention back downtown to 
say they have to tell us, I mean, they're the ones that know 
where those needs are within their agencies and how to allocate 
those funds and prioritize those funds. And we gave the 
Commissioner opportunity today to talk about that, and he said 
he had adequate funding in this fiscal year. He indicates for 
next fiscal year, they'll need more. But when pressed, he seems 
to be saying it's not a resource question. But I appreciate 
your input. You've talked to people maybe in a more candid 
environment without OMB there. Other comments on the Federal 
witnesses this morning?
    Ms. Lehnhard.
    Ms. Lehnhard. Mr. Portman, I would also suggest that a 
strong signal from the Congress to the executive branch to 
focus on this as a priority and eliminate, I believe the 
panelists mentioned that, other activities that pull resources 
away. I can't overemphasize that. And I would also suggest that 
this is probably not the time to be passing major legislative 
proposals that are again going to divert HCFA resources. 
They're still struggling to implement HIPAA and BBA, and to put 
a major new legislative proposal on the top of that at the time 
we're struggling with year 2000 compliance, it is just not a 
timely--an appropriate time to do that, we believe.
    Mr. Portman. That is a point well taken and Mrs. Johnson is 
on the Health Subcommittee and is closer to these issues than I 
am, but I think what we heard from the Commissioner today is 
consistent with that which is we need to be careful not to 
overburden the system in the next 18 months, otherwise we will 
not be able to meet both the legislative priorities and the 
year 2000. I would also harken back to what Mr. Miller said 
earlier about legislation. If you have specific ideas on the R 
and D tax credit, for instance, or tax deductions, or other tax 
preferences that might be helpful to move this effort forward 
in the private sector, I hope you're letting us know with more 
specificity. Maybe it's in your written comments.
    It's difficult for us, given the timeframe here, we're sort 
of like the companies in the middle of the year 2000 crisis, we 
need more time because we're probably going to have only one 
shot at it, which will be the tax bill which will be put 
together in the next few months in order to be able to affect 
what happens in turn between now and the year 2000.
    So to the extent you have thoughts on HCFA in addition to 
what you've indicated administratively, if you think there's 
something legislative we should do, for instance, you need to 
get that to us.
    And I guess I'll give the opportunity, Ms. Jackson, to 
discuss that, and then I will turn it over to the Chairwoman.
    Ms. Jackson. One of the other things that we found that I 
believe members of this other panel have mentioned is how 
enormous this problem is and that it is not restricted to what 
I think everyone thought, and a lot of people still think that 
it's computers. And what we hear is that because we are so 
advanced in this day and age in computer technology, there's 
some sort of assumption that there's just going to be a fix, 
that someone will find the fix. And there's a growing 
recognition that it also has to do with how we move money and 
how we keep records. But there is a whole other side to this, 
and we're finding in our industry that it's operational. And, 
for instance, in health care, as we've discussed, it has to do 
with how we take care of patients, not just how we run the 
business end of it, but actually taking care of patients and 
I'm sure that's true in other industries as well. That there 
are very concrete, critical operational issues that are going 
to arise.
    Mr. Portman. With regard, again, to the medical devices 
issue you mentioned, which I guess would fall in that category, 
if you can give us more specificity as to what we should do 
legislatively vis-a-vis the FDA, that would be very helpful, 
that's not within this Committee's jurisdiction, as you know, 
but we do get into Medicare. [Laughter.]
    And that's the sort of thing that, again, if we don't begin 
that process of legislating now, it will be too late to be able 
to affect this particular problem. I know FDA can do a lot 
administratively but if you could give us some more guidance on 
that, that would be helpful.
    Ms. Jackson. And we very much appreciate that opportunity 
but would note that, in terms of the FDA, there is strong 
legislative and perhaps regulatory authority that already 
exists and a very clear congressional policy as to how that 
should be applied in partnership with all of us.
    Mr. Portman. All right, well, again, I really appreciate 
the panel's input and I'll turn it back to the Chairwoman who 
was here all morning listening to the government witnesses. And 
I thank you for your testimony.
    Chairman Johnson of Connecticut. Thank you very much for 
joining us. Just to follow up on the issue of all the things 
we're not looking at, I appreciate your suggestion, Ms. 
Jackson, that we use existing authority, but we would need a 
lot of help from the private sector and the public sector to 
sort of shape what is that mandate that we're putting out there 
because we really are, I would say, you know, only in the last 
few months developing any depth of knowledge ourselves of even 
what the challenge is to our own executive branch in management 
and interrelationships, and public, private impacts, as opposed 
to just technology, and programs, and computers, so this issue 
that you bring up is extremely important and the more I've read 
in this area, the more I understand how important it is. I have 
literally no way of, in a sense, laying out in verbiage all of 
the scope of that directive that we clearly need to put in 
place so that we, in a sense, permeate the information system 
in the private sector and make it work faster.
    I'm not at all sure that this doesn't take legislation, 
some kind of mandate that any company that makes anything at 
all with a timing chip in it has to reveal that and publicize 
the fact that this is a problem and when they plan to fix it. I 
think probably there is no one who can define all of the ways 
in which this issue is going to insinuate itself in our lives 
and so I think some umbrella action like that, and if any of 
you have thoughts on how to develop that, we would be very 
interested in having you work with us.
    Mr. Miller. One possibility, Madam Chair, following Mr. 
Portman's suggestion, is to ask the Congressional Budget Office 
to assume Mr. Yardeni is right in terms of the impact on the 
GDP, and determine what does that mean in terms of the Federal 
and State tax collections over the next 2 to 3 years. Maybe 
that would get OMB's attention.
    One accountant did an analysis just in the State of New 
Jersey, and he estimated it could cost the State of New Jersey 
several hundred million dollars in lost anticipated tax 
revenue. That's just one State. He did not do a national 
sample. So we're back to this Kabuki dance I referred to 
earlier. It's tough to get the administration to admit that it 
needs more money because the mantra downtown is, Let's stay 
within the balanced budget agreement, let's not go outside of 
it.
    But if the tradeoff for that, as I suggest in my testimony, 
is down the road a recession, as Mr. Yardeni and others are 
suggesting, and a loss of economic activity and a concomitant 
loss of revenue to the Federal Government, then all the great 
plans this Congress has carried out to get us back to surplus 
can quickly be reversed. Maybe the way to get OMB's attention 
is to have the Congressional Budget Office do that type of 
scenario: Not to predict a recession, but just to say what the 
outcome could be. Then OMB would realize that you've got to fix 
the roof now to make sure you don't have serious leaks down the 
road a couple of years.
    Chairman Johnson of Connecticut. Yes, I appreciate that. 
I'm not, I think it's, it's not likely, in my estimation, and I 
may be wrong, and I'll be interested in GAO's evaluation of 
this, in my estimation it's not likely that they really can see 
and understand big costs that they're not telling us about. I 
think they believe their estimates. They may believe that they 
are skinny. They may believe that they're on the conservative 
side, but I don't believe that their understanding of the 
problem leads them to believe that they need three times as 
much money but they don't have the nerve to say it.
    So there are just too many back channels, there's too many, 
we've had too many hearings. We've got people like Steve Horn 
out there who has worked on both sides of the administration. 
It is conceivable to me that some of you who work in this area 
more broadly, in a sense, and look at its ramifications and 
have seen big bureaucracies move further along in the 
accommodation than we have, would have a different view.
    But, for instance, you know, the Social Security system is 
really well along. I think that at this point there's a level 
of knowledge that we haven't, in a sense, forced out on to the 
table about what compliance is going to involve, at least 
that's just what I hear you saying and what I, you know, what 
you say reverberates in my mind with some of the things I've 
read. But, you know, to what extent do you think that's the 
problem?
    Mr. Miller. Well, again, you don't have witnesses up here 
protected by cloth covering----
    Chairman Johnson of Connecticut. Right.
    Mr. Miller [continuing]. Like you did on the IRS whistle 
blower hearing. I spoke recently before a group of Army 
officials at the invitation of the Army Science Board. I will 
tell you the official Army line of the people who spoke, the 
generals and the civilians, was ``We're going to tackle this, 
we don't need any more money.'' I got up and said, ``I'm 
skeptical of that based on what my contractor members and other 
people like Gartner say.'' The coffee break came, and sure 
enough, those same people who stood up in front of the room and 
said, ``We're going do this and we're going to get it done with 
the money we have''--and these are can-do people of the 
military--privately said there's no way we can get this done 
with the resources we have. And you hear that over and over 
again. When you drill down a little bit, that's what you get. 
It seems to be the relationship, as one of my members 
suggested, between how high in the organization you ask the 
question and how favorable a response you get.
    Mr. Rossotti, if you really listen to him carefully, I 
think was saying, ``Help.'' Now, maybe he is constrained by OMB 
not to ask for more money but I think if you listen to him 
carefully, he has problems. He has very senior management 
positions unfilled today. He has no CIO, for example.
    Chairman Johnson of Connecticut. Well, I think the 
personnel issue is a very significant issue but, you know, I 
think you need to help us frame better questions if we're going 
to elicit the right answers.
    Mr. Miller. OK.
    Ms. Dec. I just wanted to add something of this morning 
where we heard a lot about every organization giving this a 
high priority and executive commitment. I think the thing we 
have to be careful of is that I'm sure the sincerity is there 
and they all believe in it, but the difference is to be able to 
make that happen. And the status of today's projects shows real 
indication that only 50 percent of it is going to be done. So 
just hearing the words isn't the answer. It's the ability of 
the government to change those business priorities and measure 
the effect new bills will have on the computer system and on 
the year 2000 work. And it's almost as if you need to, in each 
of the organizations, is set up a task force who will make the 
decision on what work is going to get done and what is 
mandatory, other than the year 2K work? Because what happens is 
by the time it drifts down, honestly, if you did an outside 
review, you'd probably see over 50 percent of the work is non-
Y2K work. You have to understand that simply saying the words 
is not going to provide the actions. And, again, having been at 
Prudential 3 years----
    Chairman Johnson of Connecticut. I do understand that but I 
think you're going to have to help us define much more accurate 
questions if you're going to expect us to understand what 
you're talking about, you know. The agencies come up and they 
say how many systems have, and how much equipment, and 
presumably they do know what they mean when they say that, and 
it's not hard to evaluate the cost of equipment replacement. 
And there's a lot of very old equipment in the Federal 
Government, and a lot of it's going to have to be replaced. And 
then there are system changes, some of which are hard and some 
of which are easy, I wonder what your evaluation is, Mr. Bace 
and Mr. Miller? And I'm sorry I didn't get through all the 
testimony, but anyone who would really like to comment.
    One of the problems that we're running into, particularly 
in the IRS, but this is also true in HCFA, both of which 
systems have had really failing efforts of technology 
modernization, so we have particularly old systems and 
multiplicity of disparate systems, and so we almost have to 
modernize the systems and deal with the mainframe problem at 
the same time we're doing this. Now, that's my conclusion. Do 
you think we have to take on things like mainframe 
consolidation at the same time we're taking on Y2K?
    Mr. Bace. I think what you have to be aware of or look at 
in total here is that year 2000 is not a technology problem. It 
is a business problem and a management problem that is infested 
due to some technology anomalies that occurred some years back. 
From what I heard this morning in the panel is that, given the 
things that I study for the Gartner Group which include the 
dynamics of this very immature marketplace, the year 2000 
marketplace, and by the way, this may be the first marketplace 
that never reaches maturity. The clock will run out before it 
ever grows up. So it's a very unusual market but what I heard 
this morning, there was a cognitive dissonance there. I heard 
people talking about high turnover rates, losing employees, 
which is true across the entire industry within the traditional 
and user enterprise, the turnover rates are 12 to 15 percent. 
In the service provider category, they are 18 to 20 percent. We 
have some reports as high as 70 percent turnover of staff.
    Chairman Johnson of Connecticut. You mean in the private 
sector?
    Mr. Bace. In the private sector, yes, of turnover of 
employees. I think it was Mr. Rossotti who said that, you know, 
he had an 8-percent turnover rate. I thought, my God, that's 
great. And part of what is fueling that is the inflationary 
costs. If you're talking about contractors coming in to do 
services work in the IT industry right now, in 1997, my 
research found that there was a 20-percent inflationary cost 
and if we plotted that out, we're looking at about a 50-percent 
increase in contractor and external service providers for Y2K 
work between now and the year 2000. So if the cost of your 
basic raw materials and the people who are going to come in and 
help you is going up by an inflation rate of 50 percent, you're 
going to need, perhaps, some more money. And that's just based 
upon what was said.
    Chairman Johnson of Connecticut. Yes, I think that's very 
likely. I mean, I think that's logical and you can anticipate 
that that's going to happen. What do you think about that same 
kind of mechanism on the production end? I mean here we already 
have the Federal Government saying they're not getting the 
components. Well, if you don't get the components, you can't do 
the testing. If you don't do the testing, you know, beginning a 
year out, you're not going to have a good system. I had a small 
banker tell me, over a year ago, that he already ordered all 
his new computers and it was only going to cost him $400,000. 
This is a relatively small bank. It only has several branches, 
and yet it cost him $400,000. And he just did it early because 
he wasn't going to be caught.
    And I wonder how many haven't done anything. I mean what is 
going to be the demand, the production demand on the computer 
industry? I mention this to some computer, you know, some 
businesspeople in that area and they said the industry is at 
such undercapacity right now, it's a good time for this to hit. 
Are there ways we should be focusing the purchasing process of 
the Federal Government, making sure that that, beginning now, 
is going to roll out in a way where the demand can be met? What 
is the aspect of the problem?
    Mr. Miller. The purchasing process does have some reforms. 
The government has taken advantage of some of the provisions 
that Congress implemented in 1996 to allow that. But we have 
suggested some other reforms and we would be glad to share that 
with you in detail. But I'd also like to emphasize the work 
force issue.
    Our study recently identified 346,000 vacant positions in 
the private sector today. Salaries going up in double-digit 
rates. I found out at the work force panel that I chaired 
recently for the Reinvention Revolution Conference that the 
Vice President ran is that the workers who are staying in the 
Federal Government are older. And that's not to say older 
workers aren't also productive. But they're getting close to 
retirement, so they're staying in. But the Treasury Department, 
for example, said that 70 percent of their work force in IT 
will be eligible for retirement in the year 2004. They're 
having a very hard time recruiting new people, younger people, 
because they're able to pay GS-5 salaries in a marketplace 
which is demanding GS-9 or GS-10 salaries.
    And the other place they're having difficulty is where Mr. 
Rossotti is having difficulty--finding CIOs and senior managers 
because the CIO salary, $125,000 or whatever it is in the 
government, compared to $300,000 in the private sector--is 
very, very difficult to do. Mr. Rossotti, I believe, has gotten 
a waiver to raise that a little bit, but that's very difficult. 
So I would really emphasize the work force side of it, Madam 
Chair. I think that's really a big difficulty.
    We have suggested some changes in procurement. The Federal 
Government has been relatively flexible in that area, 
surprisingly so in a positive way.
    Ms. Lehnhard. I would point out one example where, I think, 
the executive branch has focused in this discussion about doing 
only what's necessary. I mentioned a week or two ago, HCFA said 
they're going to drop some transitions to a single system for 
part A and part B in Medicare and that allowed us to free up 
more people to focus on year 2000 compliance. I think that's 
the type of very positive exchange and working out of 
priorities that needs to go on. The other thing I would mention 
again that has our plans very, very concerned on the private 
side and their government side is another massive piece of 
legislation.
    As I mentioned, we're still implementing HIPAA and BBA. I 
would give you one example. One private side change was mental 
health parity, a relatively simple provision. HCFA is so 
overloaded with responsibilities right now that even though 
they move very quickly, they weren't able to get the 
regulations out on that until December 28 which meant that we 
couldn't sign our private side contracts until December 28 or 
January 1, then we had to make all our systems changes once we 
knew what would be legal within 2 or 3 days. And some plans had 
to process by hand because it takes a long time to make these 
system changes. That was one little provision.
    The bills that are being contemplated now have hundreds of 
provisions like that, particularly if you get into quality 
measurement, outcomes measurement, and data collection. Those 
are going to be hundreds and hundreds of systems changes at the 
same time we're trying to do compliance on both sides and it 
will affect both our private side business and Medicare.
    Chairman Johnson of Connecticut. Thank you. That was very 
interesting, very helpful.
    Ms. Jackson.
    Ms. Jackson. One of the other issues, as we've talked a lot 
about all the work that we have to do, is our reliance on 
systems and products that are not within our control; and our 
need to have information on medical devices is a primary 
example. And that's why I was particularly pleased to hear your 
interest in creating an atmosphere where mandatory disclosure 
or full disclosure is mandatory conduct. We don't know why 
we're not able to get some of the information. We think it may 
be because it's not available yet, that manufacturers of 
products haven't completed their testing. But we also have a 
concern that there's a fear of liability and that's why some of 
the manufacturers have not released their information. So, 
again, an atmosphere of full disclosure of information and 
communicating and sharing of information is very important for 
us all to work in partnership to address this issue.
    Ms. Lehnhard. You know, one thing I would say, I think you 
have to make it a sexy issue. Right now it's a wonk issue and I 
think you have to make it OK to talk about how these bills, 
these activities, are a problem administratively. Right now, 
that's an inside the beltway issue. It's not an issue that's 
acceptable to the American public to say you can't do certain 
things because of that. I don't know if we can get there but 
that----
    Chairman Johnson of Connecticut. It's very hard to make a 
management issue a sexy issue and the danger is that you make 
it sexy by sort of picturing doomsday. And one of the little 
vignettes I read was the tip of the coolants in the radar 
system at the airport is time dependent. And it could stop 
releasing the coolant once we roll into the year 2000. The 
radar will go out and the airports will close. So, I mean, that 
helped me a lot to see, and I'll tell you I hear what you're 
saying differently because I read that example because I really 
hadn't thought about this issue of its insinuation into so many 
situations, and I think it's not just the health equipment 
producers. It's really any manufacturer who produces anything 
that has a chip in it that triggers any action on the basis of 
date. And how you get a grasp of how to get that level of 
public disclosure out, I don't know but certainly I hope you'll 
think about it and get back to us with some ideas because I can 
see how important that is.
    Mr. McManus. Before we close, if I could suggest that you 
were looking for questions that you might ask, going forward, 
of people that come to you and present numbers or plans to you. 
The first question that should be asked is, ``What's 
included?'' ``What have you included in the scope of this 
project in this dollar amount, what is included in that?'' The 
second question is, ``What's excluded?'' And then the third 
question, ``Who controls what's critical and what's the 
definition of critical?'' Because if people are redefining, 
``Well, this was critical but it's not critical any more 
because we're too close to the deadline.'' Then the inventory 
shifts on you and the inventory needs to include a lot of other 
things besides desktops and mainframes and telecommunication 
systems.
    I mean, there's a lot of third-party vendors that are going 
to help any agency or business get through the day and does 
this dollar figure that you're prepared to spend, or saying 
that that's enough resources, that's enough money for my 
agency, does that include all these third--some analysis of all 
of these third-party vendors? And it will quickly get you into 
a level of detail if you're trying to put the puzzle together. 
If there's a piece missing, there's an explanation for what's 
not a part of that puzzle.
    Chairman Johnson of Connecticut. Thank you very much for 
your testimony, and I look forward to reading the parts that I 
hadn't had a chance to read. And I really appreciate your 
thoughtfulness and your experience, and I invite your continued 
input as we move forward with this. And we will share your 
thoughts with Steve Horn and his Subcommittee too and see if we 
can't get a little broader systemic response. One of the things 
that's hard for the Congress is that the oversight is Committee 
by Committee. And so while Ways and Means has oversight over a 
lot of the systems, we don't have oversight over all the 
systems and I don't know that anybody knows exactly what's 
going on everywhere but there are certain common threads and 
common problems and I very much appreciate your working with 
us.
    Thank you.
    The next panel will be Lynda Willis from the GAO, Joel 
Willemssen, Director of Civil Agencies Information Systems, 
Accounting and Information Management; accompanied by Randy 
Hite, Senior Assistant Director of the Defense and 
Governmentwide Systems, Accounting and Information Management 
Division.
    Welcome, welcome, Lynda, thank you for being with us today 
and I always hate to have you sit through the whole hearing. It 
is useful to us to have you hear all the testimony that went 
before and I look forward to your comments.

    STATEMENT OF LYNDA D. WILLIS, DIRECTOR, TAX POLICY AND 
   ADMINISTRATION ISSUES, GENERAL GOVERNMENT DIVISION, U.S. 
                   GENERAL ACCOUNTING OFFICE

     Ms. Willis. Thank you, Madam Chairman, I can assure you it 
was very useful to us to sit there and hear not only the other 
panelists, in addition to the Commissioner, whom we have a lot 
of contact with on this issue, but also the private sector who 
reflect some of the very concerns that we have as well. And I 
think, while not wanting to be alarmist about it, that there is 
no question that there are major issues here that need to be 
addressed and, most important of all, time is running out and 
that is our most important resource right now and it is 
something that you cannot buy. And I think that that's one of 
the problems that they're having in getting a handle on this.
    IRS, for example, has less than 9 months to complete the 
work that it believes is necessary to reach its goal of having 
all of its systems year 2000 compliant by the end of January 
1999. Meeting this goal is important to help ensure that IRS 
has almost a full year and a filing season to test the 
multitude of changes that are necessary and to fix problems 
that will undoubtedly arise.
    Madam Chairman, we identified two significant risk areas to 
IRS' year 2000 efforts. The first is the lack of a master 
conversion and replacement schedule. The second is a limited 
approach to contingency planning. As the Commissioner noted, 
IRS is taking actions to address both of these concerns. A 
master conversion and replacement schedule could establish the 
sequential relationships between the tasks associated with the 
year 2000 conversion and replacement projects at IRS, identify 
how much a task can slip without affecting other tasks, or the 
overall year 2000 effort, help determine whether programming 
and testing resources are likely to be available when needed as 
time gets shorter, and provide a tool for prioritizing and 
assigning programming and testing resources that are essential 
in the most efficient manner.
    IRS currently has a contractor working on the development 
of an integrated schedule of its year 2000 related efforts, 
including making all of the necessary tax law changes for 1999. 
But time is running out for completing such a schedule. Unless 
IRS obtains a schedule soon, its value as a management tool to 
help anticipate bottlenecks is diminished. We also remain 
concerned that IRS' approach to contingency planning does not 
address the likelihood that system failures could occur once 
systems are implemented. However, recent communication, in 
fact, communication that took place this week with IRS 
officials, indicates that the agency will take additional steps 
to establish contingency plans for its highest priority 
systems.
    And, Madam Chairman, I'd like to stress here that a 
contingency plan is not necessarily an alternative system, that 
there are other ways that may need to be considered in terms of 
back up for any problems that would occur with a particular 
system with the year 2000 failure. And that might be changes in 
businesses processes. It could even include changes in 
legislative requirements. And I think that a holistic and an 
expansive approach to contingency planning at this point is 
very important to making sure that we understand what the 
options are and also understand what it's going to take 
including time, resources, and so forth, to implement the 
contingencies.
    In summary, IRS has established the goal to complete its 
year 2000 work by January 31 so that it will have converted and 
replaced systems implemented for the 1999 filing season. By 
establishing this goal, IRS built a safety net into its 
schedule to allow time to work out problems. However, given the 
conversion status of some of its infrastructure areas, IRS runs 
the risk of not completing all of its work by January 1999.
    I'll stop my prepared statement there. Madam Chairman, I 
ask that the entire statement be placed in the record, and will 
be happy to answer any questions you may ask.
    [The prepared statement follows:]

Statement of Lynda D. Willis, Director, Tax Policy and Administration 
Issues, General Government Division, U.S. General Accounting Office

    Madam Chairman and Members of the Subcommittee:
    We are pleased to be here today to discuss the results of 
our work to date on the Internal Revenue Service's (IRS) 
efforts to have its information systems function correctly when 
processing dates beyond December 31, 1999. These efforts are 
necessary because IRS' information systems, many of which are 
over 25 years old, were programmed to read two-digit date 
fields. Therefore, if unchanged, beginning January 1, 2000, 
these systems would interpret 2000 as 1900, and thus would 
seriously jeopardize critical tax processing and collection 
operations. According to IRS, the failure to change two-digit 
date fields before 2000 could result in generating millions of 
erroneous tax notices, refunds and bills. IRS has less than 9 
months to complete the work that it believes is necessary to 
reach its goal of having all of its systems Year 2000 compliant 
by January 31, 1999. Meeting this goal is important to help 
ensure that IRS (1) can accurately process tax returns during 
the 1999 filing season and (2) has almost a full year to test 
the multitude of changes that are necessary and make additional 
corrections so that its systems operate properly in the next 
millennium.
    Our statement today is based on the work we did to prepare 
a draft report on the status of IRS' Year 2000 efforts. Our 
draft report is currently at IRS for comment. In preparing that 
report, we interviewed officials from IRS' National Office, 
computing centers, service centers, regions, and district 
offices. We analyzed and compared IRS' planning, budget, and 
performance-monitoring documentation with our Year 2000 
assessment guide \1\ as a part of a structured approach for 
reviewing IRS' conversion efforts.
---------------------------------------------------------------------------
    \1\ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-
10.1.14, Sept. 1997).
---------------------------------------------------------------------------
    Our statement today includes the following points:
    --For its existing systems, IRS has made more progress in 
converting application software than converting its information 
systems infrastructure, which includes hardware, systems 
software, and telecommunications. Despite its progress on 
converting applications, IRS fell short of its goal to have the 
applications for 66 of the 127 systems that it considers 
mission-critical converted by January 1998. IRS is still 
assessing or in the early stages of converting its hardware and 
systems software for two of its three levels of computing 
operations--minicomputers/file servers and personal computers. 
Of all the infrastructure areas, according to IRS' tracking 
systems, telecommunications is at the highest risk for not 
being completed by January 31, 1999.
    --In addition to converting systems, IRS is undertaking two 
major system replacement projects as part of its Year 2000 
efforts. Both of these projects have encountered some schedule 
delays.
    --In a briefing to this Subcommittee in January 1998, we 
identified two significant risk areas to IRS' Year 2000 
efforts. The first was the lack of a master conversion and 
replacement schedule. The second was a limited approach to 
contingency planning. IRS is taking actions to address our 
concerns regarding the lack of a master conversion and 
replacement schedule. However, we remain concerned that IRS' 
current approach to contingency planning does not address the 
likelihood that system failures could occur once systems are 
implemented.

              Status of Conversion and Replacement Efforts

    To assist agencies in their Year 2000 conversion efforts, 
we developed an assessment guide that includes a structured, 
step-by-step approach that agencies may use for reviewing and 
assessing their readiness to handle the Year 2000 problem. The 
assessment guide states that the Year 2000 conversion efforts 
should be managed as a single, large information systems 
project. The assessment guide describes in detail the five 
phases of a Year 2000 conversion process (i.e., awareness, 
assessment, renovation, validation, and implementation). Each 
of these phases represents a major Year 2000 program activity 
or segment. To successfully address the Year 2000 problem, 
effective program and project management is required for all 
five phases.
    IRS' Chief Information Officer (CIO) established several 
parallel efforts to help ensure that IRS achieves Year 2000 
compliance by January 31, 1999. These efforts include creating 
the Century Date Change Project Office, which is responsible 
for coordinating the conversion of most existing information 
systems that can be made Year 2000 compliant as well as 
ensuring that all systems are converted in accordance with a 
14-step conversion process. That process incorporates the five 
phases included in our assessment guide. Some of the steps 
involved in converting existing systems include (1) correcting 
millions of lines of application code; (2) upgrading thousands 
of hardware and systems software products for IRS' three levels 
of computing operations--mainframes, minicomputers/file 
servers, and personal computers, (3) upgrading 
telecommunications networks; and (4) ensuring that external 
data exchanges are Year 2000 compliant.
    The other parallel Year 2000 efforts are two major system 
replacement projects--the replacement of the Distributed Input 
System (DIS) and the Remittance Processing System (RPS) with 
the Integrated Submission and Remittance Processing (ISRP) 
system and the consolidation of the mainframe computer 
processing operations at 10 service centers to 2 computing 
centers. IRS personnel use DIS to input taxpayer data and RPS 
to input remittance data. According to IRS, these two systems 
are old, and it is not cost-beneficial to make them Year 2000 
compliant. Therefore, IRS decided to replace DIS and RPS with 
ISRP. ISRP will be piloted in two phases at the Austin Service 
Center. The first phase is underway and the second phase is 
scheduled to begin July 31, 1998. Nationwide implementation is 
scheduled for January 1999.
    As a part of its mainframe consolidation effort, IRS is to 
(1) replace and/or upgrade service center mainframe hardware, 
systems software, and the associated telecommunications 
infrastructure; (2) replace about 16,000 terminals that support 
frontline customer service and compliance operations; and (3) 
replace the Communication Replacement System (CRS) that 
provides security functions for on-line taxpayer account 
databases. Replacements of the terminals and CRS are critical 
to IRS' achieving Year 2000 compliance.

Conversion of Existing Systems

    According to IRS, before January 1999, it needs to complete 
12 steps of its 14-step process for converting (1) the 
applications for its existing systems; (2) telecommunications 
networks; and (3) systems software and/or hardware for 
mainframes, minicomputers/file servers, and personal computers. 
In addition, before January 31, 1999, IRS needs to (1) make its 
systems for external data exchanges Year 2000 compliant; (2) 
replace its data input and remittance processing systems and, 
at a minimum, the Year 2000 portions of its mainframe 
consolidation program; and (3) modify application software to 
implement tax law changes for the 1999 and 2000 filing seasons.
    Much of IRS' initial Year 2000 efforts focused on the 
awareness and assessment phases for the applications for 
existing information systems controlled by the CIO.\2\ In May 
1997, IRS began assessing the date dependencies of applications 
for information systems that were controlled by either field 
offices or business functional areas (hereafter referred to as 
field/customer systems). As a result of the CIO and field/
customer system assessments, as of March 31, 1998, IRS had 
identified 127 mission-critical systems, including 7 
telecommunications systems.
---------------------------------------------------------------------------
    \2\ CIO-controlled systems are generally large, mainframe-based tax 
processing systems. Field or business functional area systems are 
smaller, more specialized systems that use a variety of platforms.
---------------------------------------------------------------------------
    IRS has made more progress in converting its applications 
than in converting its information systems infrastructure. 
Specifically, as of March 31, 1998, IRS reported that it had 
completed the first 12 steps of its 14-step conversion process 
for applications for about 59 (46 percent) of its 127 mission-
critical systems. IRS' goal is to convert the applications for 
the remaining 68 mission-critical systems by January 31, 1999. 
IRS officials said they believe they are on track for meeting 
that goal.
    IRS has completed its assessment of the hardware and 
systems software for its mainframe computers. Conversion 
efforts for other infrastructure areas--hardware and systems 
software for minicomputers/file servers and personal computers, 
telecommunications networks, and external data exchanges--are, 
for the most part, either in the assessment phase or the early 
stages of conversion. According to IRS, of these areas, 
telecommunications networks will likely present the most 
significant conversion challenge and may be at the highest risk 
for not being completed by January 31, 1999.
    According to IRS, the capability to exchange information, 
both voice and data, among various computer systems is the 
backbone of IRS' ability to perform all of its tax processing 
and customer service functions. IRS uses a telecommunications 
network that is supported through the Department of the 
Treasury and additional networks that are unique to IRS. As of 
March 10, 1998, IRS had an inventory of the components that are 
included in Treasury's network and was verifying a preliminary 
inventory of the components in the networks unique to IRS. A 
contractor is currently doing a risk assessment to help develop 
a conversion schedule so that the most important work will be 
scheduled first to minimize adverse impacts if IRS is unable to 
complete all of its telecommunications work by January 31, 
1999.

System Replacement Efforts

    The two major system replacement projects included in IRS' 
Year 2000 efforts are experiencing some schedule slippages. For 
example, certain software development for ISRP that was to be 
completed in April 1998 is now scheduled to be done in June 
1998. As a result, the time available for testing before the 
start of the second phase of the pilot has been reduced. ISRP 
officials do not believe this two-month delay will affect 
either the start of the second phase of the ISRP pilot or its 
nationwide implementation. According to IRS officials, IRS has 
revised its mainframe consolidation completion schedule because 
of field office concerns about the ambitious schedule and 
pending expanded business requirements. Under the revised 
schedule, IRS plans to delay the consolidation of data 
processing operations of five service centers from 1998 until 
after June 1999. IRS officials said they expect to complete the 
Year 2000 portions of mainframe consolidation (e.g., terminal 
replacement and CRS) by January 31, 1999. However, according to 
IRS' weekly status reports on mainframe consolidation, CRS has 
been experiencing some difficulties and is somewhat behind its 
original schedule for system testing.

 IRS is Taking Actions to Develop a Master Conversion and Replacement 
                                Schedule

    In our January briefing to your office, we identified two 
major risk areas for IRS' Year 2000 effort: (1) the lack of an 
integrated master conversion and replacement schedule and (2) a 
limited approach to contingency planning. IRS is taking action 
to have a contractor develop a master conversion and 
replacement schedule. A master conversion and replacement 
schedule, according to our Year 2000 assessment guide, should 
be a part of an agency's Year 2000 Program Plan. This schedule 
could be used to track the progress of concurrent and 
interdependent projects that must be ready for integrated 
systems testing at the end of January 1999. This year, IRS has 
a host of activities that it must complete concurrently so that 
its systems will be able to function correctly in 2000. 
Managing the interdependencies of these activities is critical 
to help IRS ensure the timely completion of its Year 2000 
effort.
    A master conversion and replacement schedule could (1) 
establish the sequential relationships between the tasks 
associated with the Year 2000 conversion and replacement 
activities, (2) identify how much a task can slip without 
affecting other tasks or the overall Year 2000 effort, (3) help 
determine whether programming and testing resources are likely 
to be available when needed, and (4) provide a tool for 
prioritizing and assigning programming and testing resources 
that are essential to the success of all Year 2000 efforts in 
the most efficient manner.
    Recognizing that several major and complex projects, 
including application software changes that are needed to 
implement recent tax legislation, must be completed before the 
1999 filing season, in November 1997, the Commissioner of 
Internal Revenue announced the establishment of an executive 
steering committee. This committee is to identify risks to the 
1999 filing season and the entire Year 2000 effort and take 
actions to mitigate those risks. As a part of this effort, IRS 
developed a Century Date Change Project Schedule for its Year 
2000 activities. Although the project schedule identifies the 
tasks for major Year 2000 activities, their corresponding start 
and finish dates, and the primary organizations responsible for 
them, the schedule does not yet establish a link between 
related tasks or analyze how the timing of the various tasks 
may affect resource availability. Until these actions are 
complete, IRS cannot project whether resources will be 
available when needed for concurrent tasks. Thus, IRS faces the 
risk that resources may not be available when needed.
    IRS currently has a contractor working on the development 
of an integrated schedule of its Year 2000-related efforts, 
including making all of the necessary tax law changes for 1999. 
If properly developed, this schedule should meet the intent of 
the master conversion and replacement schedule called for in 
our assessment guide. But time is running out for completing 
such a schedule. Unless IRS obtains this schedule soon, its 
value as a management tool to help anticipate bottlenecks is 
diminished.

    IRS' Contingency Planning Approach Poses Risk to Continuity of 
                               Operations

    Contingency planning was the second risk area we identified 
in our January 1998 briefing. In part, due to concerns that the 
same resources that are doing Year 2000 conversion work would 
be needed to do contingency planning, IRS officials decided to 
develop a contingency planning process that would minimize the 
number of contingency plans that would have to be developed. 
Accordingly, IRS' ``Century Date Change Contingency Management 
Plan'' calls for developing contingency plans only for those 
business functions or processes that are supported by 
application projects that are at risk of not being made Year 
2000 compliant on schedule.
    The Century Date Change Project Office has established 
criteria to identify such projects. For these projects, IRS is 
to initiate a business function impact analysis. Once that 
analysis is complete, technical and business owners evaluate 
available alternatives, including using any existing 
contingency procedures, such as manual procedures, or using an 
alternative technological solution, such as commercial off-the-
shelf software. IRS plans to use a similar approach for 
initiating contingency plans for business functions when the 
conversion of infrastructure areas such as systems software, 
external data exchanges, and telecommunications network 
components fall behind schedule.
    IRS' ``Century Date Change Contingency Management Plan'' 
does not address the likelihood that information systems that 
are converted on schedule may experience system failures. As a 
result, IRS will be ill-prepared to effectively manage all Year 
2000-induced system failures that could affect core business 
processes. IRS' contingency management plan does not address 
the possibility that (1) IRS may have overlooked a date 
dependency during its assessment phase of applications or 
infrastructure areas or (2) even if system conversion and 
replacement efforts are completed on time and fully tested, 
unexpected system failures may occur.
    Aspects of contingency planning are under way for IRS' 
replacement projects (i.e., ISRP and mainframe consolidation). 
For example, the ISRP project office has developed a 
contingency plan that identifies (1) various risks to the ISRP 
pilot and nationwide implementation, (2) the probability of 
those risks, and (3) contingency options for addressing those 
risks. Also, as part of a larger effort to enhance IRS' 
disaster recovery capabilities, IRS officials said they hope to 
finalize expanded disaster recovery requirements for service 
center data processing in May 1998 so that those requirements 
can be included in the mainframe consolidation project.
    Our exposure draft on business continuity and contingency 
planning states that agencies must start business continuity 
and contingency planning now to reduce the risk of Year 2000 
business failures.\3\ Among other things, the exposure draft 
states that agencies need to do a business impact analysis to 
determine the effect of mission-critical system failures on the 
viability of agency operations. This analysis is to include 
examining business priorities; dependencies; service levels; 
and, most importantly, the business process dependency on 
mission-critical information systems. According to our exposure 
draft, the business impact analysis triggers the development of 
contingency plans for each core business process, including any 
information system components that support that process. 
Contingency plans would also address the actions IRS may take, 
for example, to notify taxpayers in the event that Year 2000 
failures cause significant delays in processing tax returns and 
issuing refunds.
---------------------------------------------------------------------------
    \3\ Year 2000 Computing Crisis: Business Continuity and Contingency 
Planning (GAO/AIMD-10.1.19, Mar. 1998).
---------------------------------------------------------------------------
    In summary, IRS established the goal to complete its Year 
2000 work by January 31, 1999, so that it would have converted 
and replaced systems implemented for the 1999 filing season. By 
establishing this goal, IRS built a safety net into its 
schedule to allow time to work out problems with converted and 
replaced systems before January 1, 2000. However, given the 
conversion status of some of its infrastructure areas, IRS runs 
the risk of not completing all of its work by the January 31, 
1999, milestone. Moreover, even if all of IRS' work is 
completed according to schedule, the potential exists for 
failures in systems that were fully assessed, converted, tested 
and implemented according to schedule. We remain concerned 
about IRS' narrow approach to contingency planning which 
focuses on developing contingency plans only for business 
functions that are supported by information systems projects 
that have a known risk of not being completed according to 
schedule. Under this approach, IRS has no assurance that its 
core business processes will be able to continue to function, 
albeit, possibly at some reduced level of service, in the event 
that Year 2000-induced system failures occur in systems that 
were converted according to schedule.
    That concludes my prepared statement. We welcome any 
questions that you may have.
      

                                

    Chairman Johnson of Connecticut. OK.
    Mr. Willemssen.

   STATEMENT OF JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES 
  INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION MANAGEMENT 
DIVISION, U.S. GENERAL ACCOUNTING OFFICE; ACCOMPANIED BY RANDY 
  HITE, SENIOR ASSISTANT DIRECTOR, DEFENSE AND GOVERNMENTWIDE 
  INFORMATION SYSTEMS, ACCOUNTING AND INFORMATION MANAGEMENT 
            DIVISION, U.S. GENERAL ACCOUNTING OFFICE

     Mr. Willemssen. Thank you, Madam Chair. I am going to very 
briefly summarize our statement. Accompanying me is Randy Hite 
who is responsible for much of our work at Treasury components, 
other than IRS. I'm going to briefly summarize what we found at 
SSA, HCFA, and some of those Treasury components.
    Let me begin with SSA. What we found is SSA is a leader 
among Federal agencies in addressing the year 2000 issue. And 
they've made significant progress in assessing, and renovating 
mission-critical mainframe systems that are essential to the 
delivery of benefits. However, as we reported last fall and as 
was mentioned earlier today, we did find some risks at SSA. 
Those risks surrounded States' disability systems, the data 
exchange issue, and contingency planning. And we recommended 
several actions to mitigate those risks. Now SSA has agreed to 
implement all of our recommendations and actions are underway 
to do that. For example, SSA recently completed a high-level 
overall plan for ensuring business continuity in the event of 
year 2000 induced failures.
    Next, let me turn to HCFA and Medicare. In our report of 
last year, we discussed the serious weaknesses in HCFA's 
approach to addressing the year 2000 issue. For example, we 
found that HCFA generally did not have agreements with its 
contractors stating how or when the year 2000 problem would be 
corrected. In addition, while HCFA had done some work on its 
internal systems, it had not completed similar reviews of the 
Medicare contractors claims processing systems. In addition, 
they did not have plans for independent validation of 
renovation strategies and testing. We made several 
recommendations to HHS to address these weaknesses. Since then, 
HCFA has made some progress. The most encouraging note is they 
have clearly made it now a top priority. However, it appears 
the agency still has not determined how its core business 
functions would be affected if its systems fail.
    Finally, let me turn briefly to Treasury. Again, we see 
some evidence of progress at the Department but there are key 
risks remaining. Let me point out one of the more severe risks 
at one of those Treasury components and that is at FMS, which 
as has been mentioned today, plays a critical role in 
delivering government services, such as Social Security and 
Medicare payments. FMS is falling seriously behind schedule in 
converting some of its systems to be year 2000 compliant. For 
example, as of the end of March, FMS still had not completed 
assessing the compliance of five of its mission-critical 
systems. That's an activity that should have been done last 
summer. Fortunately, Treasury recognizes it now must focus on 
FMS. Department officials have told us that FMS is now 
Treasury's highest bureau priority because of its slow progress 
and because of its overall criticality.
    That summarizes my statement, and, as with Lynda, be 
pleased to address any questions that you may have.
    [The prepared statement follows:]

Statement of Joel C. Willemssen, Director, Civil Agencies Information 
Systems, Accounting and Information Management Division, U.S. General 
Accounting Office

    Madam Chairwoman and Members of the Subcommittee:
    We are pleased to be here today to discuss the computing 
challenges that the upcoming change of century poses to 
virtually all major organizations, public and private, 
including government programs with a high degree of interaction 
with the American public such as the Social Security 
Administration (SSA) and Medicare. As the world's most advanced 
and most dependent user of information technology, the United 
States possesses close to half of all computer capacity and 60 
percent of Internet assets.\1\ As a result, the coming century 
change presents a particularly sweeping and urgent challenge 
for entities in this country.\2\
---------------------------------------------------------------------------
    \1\ Critical Foundations: Protecting America's Infrastructures 
(President's Commission on Critical Infrastructure Protection, October 
1997).
    \2\ For the past several decades, automated information systems 
have typically represented the year using two digits rather than four 
in order to conserve electronic data storage space and reduce operating 
costs. In this format, however, 2000 is indistinguishable from 1900 
because both are represented only as 00. As a result, if not modified, 
computer systems or applications that use dates or perform date- or 
time-sensitive calculations may generate incorrect results beyond 1999.
---------------------------------------------------------------------------
    For this reason, we have designated the Year 2000 computing 
problem as a high-risk area \3\ for the federal government, and 
have published guidance \4\ to help organizations successfully 
address the issue. Since early 1997 we have issued over 35 
products detailing specific findings and recommendations 
related to the Year 2000 readiness of a wide range of federal 
agencies.\5\
---------------------------------------------------------------------------
    \3\ High-Risk Series: Information Management and Technology (GAO/
HR-97-9, February 1997).
    \4\ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-
10.1.14, September 1997) and Year 2000 Computing Crisis: Business 
Continuity and Contingency Planning (GAO/AIMD-10.1.19, March 1998 
[exposure draft]).
    \5\ A listing of our publications is included as an attachment to 
this statement.
---------------------------------------------------------------------------
    The common theme of these reports has been that serious 
vulnerabilities remain in addressing the federal government's 
Year 2000 readiness. Much more action is needed to ensure that 
federal agencies satisfactorily mitigate Year 2000 risks to 
avoid debilitating consequences. Vital economic sectors of the 
nation are also vulnerable. These include state and local 
governments; telecommunications; banking and finance; health, 
safety, and emergency services; transportation; utilities; and 
manufacturing and small business.
    While actions by government and industry are underway 
throughout the nation, the creation of the President's Council 
on Year 2000 Conversion represents an opportunity to 
orchestrate the leadership and public/private partnerships 
essential to confronting the unprecedented challenges that our 
nation faces. My testimony today will briefly outline our views 
on what additional actions must be taken to reduce the nation's 
Year 2000 risks, and what our inquiries into Year 2000 
readiness found at Social Security, the Health Care Financing 
Administration (HCFA) and Medicare, and at the Department of 
the Treasury.

           Risk of Year 2000 Disruptions Requires Leadership

    The public faces the risk that critical services could be 
severely disrupted by the Year 2000 computing crisis. Financial 
transactions could be delayed, airline flights grounded, and 
national defense affected. The many interdependencies that 
exist among the levels of governments and within key economic 
sectors of our nation could cause a single failure to have 
wide-ranging repercussions. While managers in the government 
and the private sector are acting to mitigate these risks, a 
significant amount of work remains.
    The federal government is extremely vulnerable to the Year 
2000 issue due to its widespread dependence on computer systems 
to process financial transactions, deliver vital public 
services, and carry out its operations. This challenge is made 
more difficult by the age and poor documentation of many of the 
government's existing systems and its lackluster track record 
in modernizing systems to deliver expected improvements and 
meet promised deadlines.
    Year 2000-related problems have already occurred. For 
example, an automated Defense Logistics Agency system 
erroneously deactivated 90,000 inventoried items as the result 
of an incorrect date calculation. According to the agency, if 
the problem had not been corrected (which took 400 work hours), 
the impact would have seriously hampered its mission to deliver 
materiel in a timely manner.\6\
---------------------------------------------------------------------------
    \6\ Defense Computers: Issues Confronting DLA in Addressing Year 
2000 Problems (GAO/AIMD-97-106, August 12, 1997).
---------------------------------------------------------------------------
    Our reviews of federal agency Year 2000 programs have found 
uneven progress, and our reports contain numerous 
recommendations, which the agencies have almost universally 
agreed to implement. Among them are the need to establish 
priorities, solidify data exchange agreements, and develop 
contingency plans.
    One of the largest, and largely unknown, risks relates to 
the global nature of the problem. With the advent of electronic 
communication and international commerce, the United States and 
the rest of the world have become critically dependent on 
computers. However, with this electronic dependence and massive 
exchanging of data comes increasing risk that uncorrected Year 
2000 problems in other countries will adversely affect the 
United States. And there are indications of Year 2000 readiness 
problems internationally. In September 1997, the Gartner Group, 
a private research firm acknowledged for its expertise in Year 
2000 computing issues, surveyed 2,400 companies in 17 countries 
and concluded that ``[t]hirty percent of all companies have not 
started dealing with the year 2000 problem.'' \7\
---------------------------------------------------------------------------
    \7\ Year 2000-World Status (Gartner Group, Document #M-100-037, 
November 25, 1997).

Additional Actions Must Be Taken To Reduce Nation's Year 2000 
---------------------------------------------------------------------------
Risks

    As 2000 approaches, the scope of the risks that the century 
change could bring has become more clear, and the federal 
government's actions have intensified. This past February, an 
executive order was issued establishing the President's Council 
on Year 2000 Conversion. The Council Chair is to oversee 
federal agency Year 2000 efforts as well as be the spokesman in 
national and international forums, coordinate with state and 
local governments, promote appropriate federal roles with 
respect to private-sector activities, and report to the 
President on a quarterly basis.
    As we testified in March,\8\ there are a number of actions 
we believe the Council must take to avert this crisis. In a 
report issued just last week, we detailed specific 
recommendations.\9\ The following summarizes a few of the key 
areas in which we recommend action:
---------------------------------------------------------------------------
    \8\ Year 2000 Computing Crisis: Strong Leadership and Effective 
Public/Private Cooperation Needed to Avoid Major Disruptions (GAO/T-
AIMD-98-101, March 18, 1998).
    \9\ Year 2000 Computing Crisis: Potential For Widespread Disruption 
Calls For Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, 
1998)
---------------------------------------------------------------------------
     Because departments and agencies have taken longer 
than recommended to assess the readiness of their systems, it 
is unlikely that they will be able to renovate and fully test 
all mission-critical systems by January 1, 2000. Consequently, 
setting priorities is essential, with the focus being on 
systems most critical to our health and safety, financial well 
being, national security, or the economy.
     Agencies must start business continuity and 
contingency planning now to safeguard their ability to deliver 
a minimum acceptable level of services in the event of Year 
2000-induced failures. In March we issued an exposure draft of 
a guide providing information on business continuity and 
contingency planning issues common to most large enterprises; 
OMB recently adopted this guide as a model for federal 
agencies.\10\ Agencies developing such plans only for systems 
currently behind schedule, however, are not addressing the need 
to ensure business continuity in the event of unforeseen 
failures. Further, such plans should not be limited to the 
risks posed by the Year 2000-induced failures of internal 
information systems, but must include the potential Year 2000 
failures of others, including business partners and 
infrastructure service providers.
---------------------------------------------------------------------------
    \10\ GAO/AIMD-10.1.19, March 1998 [exposure draft].
---------------------------------------------------------------------------
     The Office of Management and Budget's (OMB) 
assessment of the current status of federal Year 2000 progress 
is predominantly based on agency reports that have not been 
consistently verified or independently reviewed. Without such 
independent reviews, OMB and the President's Council on Year 
2000 Conversion have little assurance that they are receiving 
accurate information. Accordingly, agencies must have 
independent verification strategies involving inspectors 
general or other independent organizations.
     As a nation, we do not know where we stand overall 
with regard to Year 2000 risks and readiness. No nationwide 
assessment--including the private and public sectors--has been 
undertaken to gauge this. In partnership with the private 
sector and state and local governments, the President's Council 
could orchestrate such an assessment.

                     Social Security Administration

    At this point I would like to address our findings at 
specific agencies, beginning with the Social Security 
Administration. We see significant progress at SSA, and it is 
essential that this progress continue. SSA has been 
anticipating the change of century since 1989, initiating an 
early response to the potential crisis. It made important early 
progress in assessing and renovating mission-critical mainframe 
systems--those necessary to prevent the disruption of 
benefits--and has been a leader among federal agencies.
    Three key risks remained, however, as discussed in our 
report of last October and testimony of this past March.\11\ 
One major risk concerned Year 2000 compliance of the 54 state 
Disability Determination Services (DDS) \12\ that provide vital 
support to the agency in administering SSA's disability 
programs. The second major risk concerned data exchanges, 
ensuring that information obtained from these thousands of 
outside sources--such as other federal agencies, state 
agencies, and private businesses--was not ``corrupted'' by data 
being passed from systems not Year 2000 compliant. Third, such 
risks were compounded by the lack of contingency plans to 
ensure business continuity in the event of systems failure.
---------------------------------------------------------------------------
    \11\ Social Security Administration: Significant Progress Made in 
Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 
1997) and Social Security Administration: Information Technology 
Challenges Facing the Commissioner (GAO/T-AIMD-98-109, March 12, 1998).
    \12\ One for each state plus the District of Columbia, Guam, Puerto 
Rico, and the Virgin Islands. A federal DDS serves as a backup and 
model office for testing new technologies and work processes.
---------------------------------------------------------------------------
    We recommended several specific actions to mitigate these 
risks. These included (1) strengthening monitoring and 
oversight of state DDS Year 2000 activities, (2) expeditiously 
completing the assessment of mission-critical systems at DDS 
offices and using those results to establish specific plans of 
action, (3) discussing the status of DDS Year 2000 activities 
in SSA's quarterly reports to OMB, (4) quickly completing SSA's 
Year 2000 compliance coordination with all data exchange 
partners, and (5) developing specific contingency plans that 
articulate clear strategies for ensuring the continuity of core 
business functions.
    At the request of this Committee's Subcommittee on Social 
Security and the Senate Special Committee on Aging, we are 
monitoring SSA's implementation of our recommendations. SSA has 
agreed with all of our recommendations, and actions to 
implement them have either been taken or are underway.
    Regarding state DDSs, SSA has enhanced its monitoring and 
oversight by establishing a full-time DDS project team, 
designating project managers and coordinators, and requesting 
biweekly status reports. Further, almost all states have now 
submitted initial Year 2000 plans; SSA now reports that 22 DDSs 
have had their systems renovated, tested, and implemented. In 
addition, beginning with its November 1997 report, SSA has 
included information on DDSs in its quarterly reports to OMB.
    SSA has also identified its external data exchanges and is 
in the process of coordinating with its partners to make the 
exchanges Year 2000 compliant. Further, SSA began working with 
the Department of the Treasury in March of this year to test 
for the disbursement of benefit checks and other direct deposit 
payments.
    Finally, in accordance with our guidance, SSA has completed 
a high-level, overall plan for business continuity. This plan 
represents a sound framework from which SSA can build its 
specific contingency plans. These specific plans--for each core 
business area--need to be developed to ensure that operations 
continue uninterrupted.

         Medicare and the Health Care Financing Administration

    As the nation's largest health insurer, Medicare expects to 
process over a billion claims and pay $288 billion in benefits 
annually by 2000. The consequences, then, of its systems' not 
being Year 2000 compliant could be enormous. In a report issued 
last May,\13\ we discussed the critical managerial and 
technical challenges facing the Health Care Financing 
Administration (HCFA) in its efforts to ensure the viability of 
systems to handle Medicare transactions into the next century.
---------------------------------------------------------------------------
    \13\ Medicare Transaction System: Success Depends Upon Correcting 
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16, 
1997).
---------------------------------------------------------------------------
    We found that HCFA had not required systems contractors to 
submit Year 2000 plans for approval. Further, it did not have 
contracts or other specific legal agreements with any 
contractors, other than one recently selected contractor, 
stating how or when the Year 2000 problem would be corrected, 
or whether contractors would certify that they would correct 
the problem.
    HCFA had also not identified critical areas of 
responsibility for Year 2000 activities. Although HCFA's 
regional offices have a role in overseeing contractor efforts, 
their specific Year 2000 responsibilities had not been defined, 
nor had guidance been prepared on how to monitor or evaluate 
contractor performance. While HCFA had been assessing the 
impact of the century change on its internal systems, it had 
not completed a similar review of Medicare contractors' claims 
processing systems. Further, HCFA had not required its 
contractors to prepare an assessment of the severity of impact 
of potential Year 2000 problems.
    Plans for independent validation of contractors' strategies 
and test plans were also lacking. Likewise, while HCFA had 
asked contractors to identify their system interfaces, it had 
no plans for approving the contractors' approaches for 
addressing interface and data exchange issues. Moreover, HCFA 
had not developed contingency plans to address continuity of 
business operations in the event of Year 2000-induced failures. 
HCFA officials were again relying on the contractors themselves 
to identify and complete the necessary work in time to avoid 
problems. Yet the contractors had not developed contingency 
plans--and did not intend to--because they considered this 
HCFA's responsibility.
    To address these deficiencies in HCFA's approach, we made 
several recommendations to the Secretary of Health and Human 
Services. These included identifying responsibilities for 
managing and monitoring Year 2000 actions, preparing an 
assessment of the severity of impact and timing of potential 
Year 2000 problems, and developing contingency plans. We also 
recommended that HCFA require its contractors to submit for 
review and approval (1) plans for identifying and correcting 
potential problems, including certification that their changes 
would correct the problems, (2) validation strategies and test 
plans for systems, and (3) plans for addressing interface and 
data exchange issues.
    The Department of Health and Human Services (HHS) has 
agreed to implement our recommendations. For example, HCFA has 
established the position of Chief Information Officer (CIO); 
this individual has made the Year 2000 issue his top priority. 
HCFA has also established a Year 2000 organization, and the 
issue is included in HCFA's information technology investment 
process and annual performance plan goals. It is also 
developing business continuity and contingency plans, with a 
draft plan set for release this month. Further, the Medicare 
carriers' manual has been revised to require such contingency 
planning.
    It should be noted, however, that since our report of last 
year,\14\ HHS' and OMB's concerns about the Medicare 
contractors' systems have become more evident. For example, 
according to HHS' February 1998 quarterly Year 2000 report, 
``HCFA's Medicare contractor systems continue to be of great 
concern to the Department.'' In addition, in its summary of all 
agencies' February 1998 reports, OMB concluded that HHS was 
making insufficient progress on Year 2000 due in large part to 
HCFA's delays.
---------------------------------------------------------------------------
    \14\ GAO/AIMD-97-78, May 16, 1997.
---------------------------------------------------------------------------
    There are also indications that the agency has not 
documented the severity of impact of Year 2000-related 
failures--in other words, how its core business functions would 
be affected if its automated information systems failed because 
of Year 2000-related problems. For example, if Medicare systems 
failed, the number of health services providers who would not 
be paid, paid late, or in incorrect amounts is unknown. HCFA 
has recently begun contingency planning that may address some 
of these issues. We are currently evaluating the effectiveness 
of HCFA's actions, at the request of the Senate Special 
Committee on Aging.

                       Department of the Treasury

    With respect to the Department of the Treasury, we must 
first point out that--unlike with Social Security and 
Medicare--we have not completed a thorough assessment of the 
Department's Year 2000 readiness. However, we can describe some 
of what we have seen, and what Treasury officials themselves 
report. In addition, we have undertaken detailed work at the 
Internal Revenue Service (IRS), which will be discussed in a 
separate statement today.
    Treasury's role in delivering government services, such as 
Social Security and Medicare payments, is vital. Treasury's 
Financial Management Service (FMS), for instance, as the 
government's cash receipts and disbursements agent and 
financial manager, represents the crossroads of financial 
activity for the federal government. However, the Department's 
progress in making systems Year 2000 compliant has been mixed. 
Bureaus such as its Office of Thrift Supervision are making 
good progress in converting their systems and in overseeing the 
conversion activities of the financial institutions that they 
regulate and inspect.\15\ In contrast, FMS is falling seriously 
behind schedule in converting some of its systems.\16\ Treasury 
Year 2000 program officials are aware of these and other 
related risks facing the Department, and have established 
program management structures and processes to address them, 
which we are presently evaluating.
---------------------------------------------------------------------------
    \15\ Year 2000 Computing Crisis: Office of Thrift Supervision's 
Efforts to Ensure Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-
98-102, March 18, 1998).
    \16\ Treasury encompasses 14 separate bureaus or program offices. 
Two of these--the Internal Revenue Service (IRS) and the U.S. Customs 
Service--account for almost 98 percent of federal revenues each year. 
Two other major bureaus for which Year 2000 compliance implications are 
critical include FMS and the Bureau of the Public Debt. Taken together, 
these four bureaus are instrumental in the efficient collection and 
payment functions that support beneficiaries of programs such as Social 
Security and Medicare.
---------------------------------------------------------------------------
    To perform their core business functions, Treasury and its 
bureaus rely on a vast--and in many cases antiquated--
collection of systems, thereby complicating Year 2000 
renovations. To integrate many of the bureaus' systems and 
permit them to interact and exchange information with a wide 
assortment of federal, state, and local government and private-
sector data exchange partners (over 6,800, according to the 
Department), Treasury operates and maintains the largest non-
Defense telecommunications network in the federal government.
    The responsibilities of Treasury's Year 2000 program office 
are basically twofold: guiding, monitoring, and reporting on 
the conversion activities of its bureaus; and converting and 
reporting on Departmentwide telecommunications systems that 
support its bureaus. To guide, monitor, and report on bureau 
activities, Treasury has (1) established a departmental program 
office and designated a program manager within the CIO 
organization, (2) established Year 2000 working groups and 
designated work group project managers to focus on major 
categories of systems, (3) issued a departmental Year 2000 
conversion strategy, guidance, and standards, and (4) 
established monthly progress reporting requirements. 
Additionally, it used its existing CIO Council as a forum for 
Year 2000 information exchanges between the Department and 
bureau CIOs, hired a contractor to validate the information 
being reported by its bureaus, and developed draft guidance 
governing the process to be used in certifying systems as 
compliant and for verification and validation of certification 
determinations.
    As a result of this program office oversight, Treasury has 
a good appreciation of where its attention must be focused. 
Program officials recognize that progress among the bureaus has 
been uneven, as has progress within individual agencies for 
certain categories of systems. For example, they stated that 
FMS is Treasury's highest priority because of its slow progress 
to date and the criticality of its role in managing the 
government's finances. As a result, according to the 
Department's Year 2000 program manager, FMS progress and 
activities are tracked on a daily basis and, consequently, FMS 
Year 2000 management effectiveness has improved.
    Department Year 2000 officials further report that 
telecommunications systems and non-information technology (IT) 
areas, such as systems embedded in facilities and equipment, 
are not as far along as other IT areas, such as financial and 
management information systems, because work in these areas 
started late. To address this risk, Treasury has established 
working groups and project managers for both telecommunications 
and non-IT systems, along with formal processes for guiding, 
monitoring, and reporting on these areas.
    To address the conversion of its telecommunications 
systems, the program office has established a 
telecommunications working group and designated a project 
manager. A risk management plan has also been established, as 
has a test facility to permit all telecommunications systems 
components to be tested before being placed in operation. In 
addition, a contractor has been hired to perform independent 
verification and validation of telecommunications conversion 
activities.
    Despite these actions, Treasury and its bureaus face other 
major risks that must be managed effectively if key systems are 
to be ready in time. For example, the assessment phase--during 
which the compliance of mission-critical systems is 
determined--has not been completed. This is worrisome because 
it reduces the amount of time left for critical renovation, 
validation, and implementation activities. Treasury's milestone 
for assessing all mission-critical systems was July 1997. 
However, as of the end of March 1998, FMS still had not 
completed assessing the compliance of five of its mission-
critical systems.
    For example, according to Treasury's latest status report, 
FMS is awaiting a contractor proposal for renovating a system 
called GOALS I--for Government On-Line Accounting Link System 
I. This system plays a critical role in processing interagency 
payments and collections. Of particular note is that the need 
to assess GOALS I for renovation arose only recently, when it 
became apparent that GOALS II, intended to replace GOALS I, 
will not be ready in time.
    For non-IT systems, Treasury's components are farther 
behind. As of mid-March, systems in 3 of Treasury's 14 bureaus 
had still not been inventoried. Of the systems in the 11 
inventoried bureaus, about one quarter remain to be assessed.
    A final risk area is that contingency plans for ensuring 
continuity of business operations have not yet been developed. 
As our guidance points out,\17\ business area priorities and 
system dependencies must be examined in light of possible Year 
2000-induced failures; contingency planning to help ensure 
continuity of business operations must then be developed and 
tested.
---------------------------------------------------------------------------
    \17\ GAO/AIMD-10.1.19, March 1998 [exposure draft].
---------------------------------------------------------------------------
    Although Treasury's Year 2000 program office recognizes the 
importance of business continuity planning and has issued 
guidance in this area, bureaus have not yet completed such 
plans, and are at risk of being unable to complete them in 
time. For example, IRS plans to develop contingency plans only 
for those business areas relying on systems whose conversions 
are behind schedule. With this approach, IRS will have no ready 
response to unexpected Year 2000-induced problems. Further 
exacerbating this problem is that devising and activating 
manual or contract processes to ensure continuity of operations 
could be a daunting task. According to a Treasury contractor, 
it may be difficult for some Treasury components, such as FMS, 
to formulate an approach to operating in a nonautomated 
environment.
    In conclusion, the change of century will present many 
difficult challenges in information technology and in ensuring 
the continuity of business operations, and has the potential to 
cause serious disruption to the nation and to government 
entities on which the public depends, including SSA, Medicare, 
and Treasury. These risks can be mitigated and disruptions 
minimized with proper attention and management. While these 
agencies and programs have been working to mitigate their Year 
2000 risks, further action must be taken to ensure continuity 
of mission-critical business operations. Continued 
congressional oversight through hearings such as this can help 
ensure that such attention is sustained and that appropriate 
actions are taken to address this crisis.
    Madam Chairwoman, this concludes my statement. I would be 
happy to respond to any questions that you or other members of 
the Subcommittee may have at this time.

       GAO Reports and Testimony Addressing the Year 2000 Crisis

    Year 2000 Computing Crisis: Potential For Widespread Disruption 
Calls For Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, 
1998)
    Defense Computers: Year 2000 Computer Problems Threaten DOD 
Operations (GAO/AIMD-98-72, April 30, 1998)
    Department of the Interior: Year 2000 Computing Crisis Presents 
Risk of Disruption to Key Operations (GAO/T-AIMD-98-149, April 22, 
1998)
    Year 2000 Computing Crisis: Business Continuity and Contingency 
Planning (GAO/AIMD-10.1.19, Exposure Draft, March 1998)
    Tax Administration: IRS' Fiscal Year 1999 Budget Request and Fiscal 
Year 1998 Filing Season (GAO/T-GGD/AIMD-98-114, March 31, 1998)
    Year 2000 Computing Crisis: Strong Leadership Needed to Avoid 
Disruption of Essential Services (GAO/T-AIMD-98-117, March 24, 1998)
    Year 2000 Computing Crisis: Office of Thrift Supervision's Efforts 
to Ensure Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102, 
March 18, 1998)
    Year 2000 Computing Crisis: Strong Leadership and Effective Public/
Private Cooperation Needed to Avoid Major Disruptions (GAO/T-AIMD-98-
101, March 18, 1998)
    Post-Hearing Questions on the Federal Deposit Insurance 
Corporation's Year 2000 (Y2K) Preparedness (AIMD-98-108R, March 18, 
1998)
    SEC Year 2000 Report: Future Reports Could Provide More Detailed 
Information (GAO/GGD/AIMD-98-51, March 6, 1998
    Year 2000 Readiness: NRC's Proposed Approach Regarding Nuclear 
Powerplants (GAO/AIMD-98-90R, March 6, 1998)
    Year 2000 Computing Crisis: Federal Deposit Insurance Corporation's 
Efforts to Ensure Bank Systems Are Year 2000 Compliant (GAO/T-AIMD-98-
73, February 10, 1998)
    Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent Systems 
Failures (GAO/T-AIMD-98-63, February 4, 1998)
    FAA Computer Systems: Limited Progress on Year 2000 Issue Increases 
Risk Dramatically (GAO/AIMD-98-45, January 30, 1998)
    Defense Computers: Air Force Needs to Strengthen Year 2000 
Oversight (GAO/AIMD-98-35, January 16, 1998)
    Year 2000 Computing Crisis: Actions Needed to Address Credit Union 
Systems' Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998)
    Veterans Health Administration Facility Systems: Some Progress Made 
In Ensuring Year 2000 Compliance, But Challenges Remain (GAO/AIMD-98-
31R, November 7, 1997)
    Year 2000 Computing Crisis: National Credit Union Administration's 
Efforts to Ensure Credit Union Systems Are Year 2000 Compliant (GAO/T-
AIMD-98-20, October 22, 1997)
    Social Security Administration: Significant Progress Made in Year 
2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997)
    Defense Computers: Technical Support Is Key to Naval Supply Year 
2000 Success (GAO/AIMD-98-7R, October 21, 1997)
    Defense Computers: LSSC Needs to Confront Significant Year 2000 
Issues (GAO/AIMD-97-149, September 26, 1997)
    Veterans Affairs Computer Systems: Action Underway Yet Much Work 
Remains To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174, September 25, 
1997)
    Year 2000 Computing Crisis: Success Depends Upon Strong Management 
and Structured Approach, (GAO/T-AIMD-97-173, September 25, 1997)
    Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, 
September 1997)
    Defense Computers: SSG Needs to Sustain Year 2000 Progress (GAO/
AIMD-97-120R, August 19, 1997)
    Defense Computers: Improvements to DOD Systems Inventory Needed for 
Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997)
    Defense Computers: Issues Confronting DLA in Addressing Year 2000 
Problems (GAO/AIMD-97-106, August 12, 1997)
    Defense Computers: DFAS Faces Challenges in Solving the Year 2000 
Problem (GAO/AIMD-97-117, August 11, 1997)
    Year 2000 Computing Crisis: Time is Running Out for Federal 
Agencies to Prepare for the New Millennium (GAO/T-AIMD-97-129, July 10, 
1997)
    Veterans Benefits Computer Systems: Uninterrupted Delivery of 
Benefits Depends on Timely Correction of Year-2000 Problems (GAO/T-
AIMD-97-114, June 26, 1997)
    Veterans Benefits Computers Systems: Risks of VBA's Year-2000 
Efforts (GAO/AIMD-97-79, May 30, 1997)
    Medicare Transaction System: Success Depends Upon Correcting 
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16, 
1997)
    Medicare Transaction System: Serious Managerial and Technical 
Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997)
    Year 2000 Computing Crisis: Risk of Serious Disruption to Essential 
Government Functions Calls for Agency Action Now (GAO/T-AIMD-97-52, 
February 27, 1997)
    Year 2000 Computing Crisis: Strong Leadership Today Needed To 
Prevent Future Disruption of Government Services (GAO/T-AIMD-97-51, 
February 24, 1997)
    High Risk Series: Information Management and Technology (GAO/HR-97-
9, February 1997)
      

                                

    Chairman Johnson of Connecticut. That's a pretty 
pessimistic evaluation of where we are. How do you respond to 
the issue of personnel that's been raised? How serious do you 
think that is?
    Ms. Willis. I would think for IRS it is a serious problem. 
In part because many of the key component functions that are 
now doing the year 2000 work were understaffed to begin with, 
and this includes some of the product assurance and testing 
functions. And so when you start in a deficit situation and you 
start losing people through attrition, leaving the 
organization, then you have an even greater problem with 
carrying out what I think is going to be the most critical 
challenge facing IRS. And as the Commissioner noted, I think 
there are some real questions about the fungibility of 
individuals in terms of being able to do the testing. It is not 
going to be possible, in many cases, for IRS to just pick 
people up off the street, no matter how much money they're 
willing to pay, who are familiar enough with the systems to be 
able to complete the testing in the time that's available.
    Mr. Willemssen. If I could speak toward the issue from also 
a governmentwide perspective, we are seeing increasing evidence 
that this is an urgent problem. In fact, we made a 
recommendation in a report that we issued last week to Mr. 
Koskinen, the Chair of the Y2K Conversion Council, that we must 
have a variety of actions in the personnel area to address 
this. We are seeing more and more anecdotal evidence at key 
departments and agencies that they are beginning to lose those 
personnel. We are seeing some positive movement, 
governmentwide, for example, as I believe was mentioned 
earlier. OPM has put out a waiver of some of the rehiring of 
retired annuitants, and also we've seen some encouraging action 
in the way of trying to retain existing staff. Because in some 
cases where we're talking about very old systems that are not 
well documented, you must rely on your existing staff who are 
the only ones immediately available who really understand the 
systems.
    Chairman Johnson of Connecticut. How aggressive are their 
incentives to retain existing staff?
    Mr. Willemssen. We have seen----
    Chairman Johnson of Connecticut. Are they adequate, are 
they succeeding?
    Mr. Willemssen. They are succeeding in some regard, but I 
think we're going to have to see more aggressive action, 
because the unfortunate situation we have here is as the 
private sector salaries continue to ratchet up, we're going to 
have to be even more innovative in the Federal Government, and 
we're going to have to take a stance that we just cannot allow 
certain critical folks to leave and we've got to take whatever 
measures are necessary to do that. One key example, I know it's 
outside the purview of this committee, but at the Federal 
Aviation Administration, there again, we have some absolutely 
critical systems, very old systems, though, that only a 
handful, a cadre of folks know, and it's not really a viable 
solution to go out and get contractors support in some cases 
for those kinds of scenarios. So I think we've got to be 
flexible and be alert to the marketplace and whatever the 
marketplace demands, we've got to be responsive to that.
    Ms. Willis. As far as IRS goes, I know that the 
Commissioner has been looking very hard at the new provisions 
that would allow him to rehire retirees without the penalty to 
the pension, and he hopes that if he can pick up even 10 
percent of those that it will make a significant difference. 
And at the last steering committee meeting, one of the things 
that was discussed was alternative work arrangements and 
various options that were available to make this work 
attractive to people who have left IRS or to keep people who 
are currently there now. I think there are limitations around 
the issue of how much money people in the Federal Government 
can be paid. And even their retention bonuses and some of the 
other incentives that have been offered, while they're 
significant for the Federal Government, I think one of the open 
questions is whether they will match what's available in the 
private sector. And I heard from the last panel that CIOs 
working with this were making $300,000. Around the issue of the 
IRS CIO, that may not be high enough given the size of IRS' 
systems and the year 2000 challenge that it faces.
    Chairman Johnson of Connecticut. Have you developed any, 
has GAO developed any information on what the salaries are in 
the private sector for the kinds of positions that we see 
people leaving in the Federal Government across the board?
    Mr. Willemssen. We have an assignment that we have just 
initiated in the personnel area at the request of Chairman 
Leach so that work is just underway to look at the personnel 
issues and those kind of salary ramifications, and we hope to 
have something out additionally on that this summer.
    Chairman Johnson of Connecticut. OK. We hope to share in 
that. I'll speak to Congressman Leach about that. What about 
this issue of the availability of technology? How serious is 
the problem of the telecommunications industry not upgrading 
their equipment promptly?
    Mr. Willemssen. The telecommunications area is one of great 
concern to us. I think one of the issues that we need to see 
more movement on from a governmentwide perspective is there 
needs to be data on telecommunications and exactly what the 
compliance status is right now. Many of the major providers are 
reluctant to date to share much of that data. Mr. Koskinen and 
his Conversion Council have made telecommunications a major 
priority area. They had an initial major meeting, unfortunately 
much of the discussion at that meeting centered around 
litigation and the reluctance to share data on the compliance 
status of various telecommunications components. I don't think 
we can go much longer and talk about those kind of issues. 
We've got to get into more exactly where we are compliancewise 
and we've got to be sharing information because no matter how 
good the agencies up before you today are going to do, if the 
telecommunication isn't there.
    Chairman Johnson of Connecticut. Well, that's my concern 
but you heard from the preceding panel that there also is 
concern about medical equipment and, you know, when you look at 
all the equipment across the board----
    Mr. Willemssen. There should be concern, again, we have an 
ongoing assignment on biomedical equipment, also, that we're 
doing for the House Veterans' Affairs Committee, and there 
should be concern about that. There are efforts underway to 
collect data on the wide range of biomedical equipment out 
there and the exact nature of what the Y2K issues may be. So 
there are efforts underway, we just need to more aggressively 
speed up those efforts.
    Chairman Johnson of Connecticut. I'd appreciate if you'd 
give some thought to if you were going to formulate a mandate 
about, you know, who in our society ought to be reporting 
publicly to where they are and what the liability protection 
that you would have to give them. I mean, it sounds to me like 
we're going to need an umbrella action here, otherwise you're 
not going to get the information out in a timely fashion. There 
has to be some protection so I think we need help on that 
because it would have to move very rapidly, it would certainly 
have to go through Judiciary, it would be very controversial, 
as liability things are. I don't see how you're going to get 
the information you need without it.
    Ms. Willis. Well, Mrs. Johnson, I think, again, the time 
issue is very, very important because we can't wait until 
December 1999 for an agency like IRS that is heavily dependent 
upon telecommunications to do its basic job to move data around 
the country, and so forth. Those systems, ideally, need to be 
in place early next year----
    Chairman Johnson of Connecticut. Right.
    Ms. Willis [continuing]. In time for IRS to be able to test 
them as a component part of its end-to-end testing.
    Chairman Johnson of Connecticut. If you have any other 
suggestions, I mean legislating is slow and then it has to go 
into effect.
    Ms. Willis. Right.
    Chairman Johnson of Connecticut. If you have any other 
suggestions as to how the Congress could work on this problem. 
It clearly is a very critical problem. And if it's dominating 
the meetings, all that time is not going to the other planning. 
And it's very, very important.
    Mr. Willemssen. Totally agree with you. And because of the 
increasing amount of attention that this litigation area has 
received recently, we have now initiated some work to get at 
that as quickly as possible and we will share with you as soon 
as we have our overall conclusions and recommendations on that 
area.
    Chairman Johnson of Connecticut. When do you expect that to 
be?
    Mr. Willemssen. We need to have that by, hopefully, early, 
early summer.
    Chairman Johnson of Connecticut. You need to have it before 
then.
    Mr. Willemssen. OK.
    Chairman Johnson of Connecticut. Or at least you need to 
have some, we need to have some idea----
    Mr. Willemssen. Well, but we can give some preliminary 
indications very quickly, just in terms of a final product----
    Chairman Johnson of Connecticut. And the truth is if 
there's going to be any greater pressure put on the resolution 
of this problem systemically, we really have no time at all to 
lose because you have to get the ideas at least into the key 
committees before the May recess so they can germinate over the 
May recess and then possibly have some life in June and, you 
know, you certainly you can't wait for this stuff to take place 
in September. And if you can help develop sort of a hierarchy 
of actions that could be taken, you know, some of them bully 
pulpit, some of them legislative. It is extremely concerning to 
see how terribly important succeeding on this year 2000 project 
is and what is at stake for us as an economy and a society and 
to see that test companies not giving their upgrades soon 
enough to be tested, you know, could in a sense destroy all of 
the good efforts, recognizing that there's plenty of problems 
on the good effort side. So, I think that and the personnel 
issue, I think the money follows those things but I think those 
are issues that we really have to focus more attention on than 
I had realized before this hearing.
    Would you enlarge a little bit more on this issue of 
contingency planning? I must say when I see what this 
Commissioner, and the same is true for Nancy Min-DeParle, that 
they're very capable people, they've come in, you know, they 
didn't start in 1989 like the Social Security Administration 
did, and the problems they face are really extraordinary. I 
don't know how yourself as thin as developing contingency plans 
which, in my mind, have been sort of backup systems, so I was 
interested that you indicated that you indicated that you 
thought there were contingency plans that didn't constitute 
backup systems, and I'd like you to give me a little clearer 
idea of what you mean by that.
    Ms. Willis. Well, Madam Chairman, it could be things such 
as changes in how they operate certain types of business 
processes. Now, obviously with IRS to go to a manual process, 
as somebody noted, for 90 million refunds is not viable but 
there may be dates that could be changed for certain statutory 
requirements, such as filing requirements. You could delay the 
impact of some of these things on systems that are not ready 
yet. I'm just saying that I think we need to start at the very 
beginning and look at what the desired outcome of the process 
is and look at the timing of it and turn it and twist it every 
which way to see how blocks start fitting together to address 
the vulnerabilities and the potential problems.
    One of the things with the tax system is that you're 
talking such a huge base, both in the number of taxpayers and 
in terms of dollars, that it doesn't take very long to start 
racking up a lot of costs indirectly around any kind of 
problem, any kind of delay. It might be easier and cheaper to 
fix in anticipation.
    But I guess my concern right now is that we're not at a 
point where we truly understand what the contingencies and the 
risks in a concrete fashion are that are ahead of IRS as they 
move into testing. As witnesses testified earlier, and I 
believe as Joel has in his testimony, testing is taking much, 
much longer than people anticipated and, so I think one of the 
things that you do as a contingency plan is that you keep that 
year that you've set aside as sacrosanct.
    One of the things that came up earlier today was mainframe 
consolidation at IRS. Not all of the component parts of 
mainframe consolidation are necessary to make the systems year 
2000 compliant. One of the questions that needs to be on the 
table is whether it is necessary to roll out those additional 
service centers in 1999, or whether that management talent, 
those resources, and the energy that's involved with that is 
better placed elsewhere. And I think there are other things 
throughout the agency in terms of setting priorities----
    Chairman Johnson of Connecticut. On that particular issue, 
have you looked closely at the tradeoff between, you know, the 
center operations and the fact that they will be not only new 
technology but very much more capable and simplified system 
down through--in other words, they have a lot of ramifications 
for the systems, is that not worth the management investment 
now? Can you really modernize all of the complex old stuff? It 
seems to me that it might be better to push ahead with some of 
these.
    Ms. Willis. Well, I think there's two things to be 
considered. One is exactly how much modernization you're 
getting from the consolidation effort. And most of the benefits 
that IRS estimated that it would receive, and those are 
currently under reevaluation because of slippages in the 
schedule, came from reducing the number of people they needed 
to have around the country managing their various computing 
operations. So the applications are not changing as they move 
to this new platform. They're basically doing business in a lot 
of the same ways but at a different location in a consolidated 
environment. So I'm not sure that you're getting a whole lot 
through that process in terms of actual modernization. You're 
getting more current computers but they are able to make, and 
will be making, the existing computers year 2000 compliant. And 
I'm not suggesting that consolidation is not something that you 
don't want to do at all, but something that maybe you want to 
delay for a year as a tradeoff in terms of the risks that 
you're undertaking around it and I think that's an issue that 
needs to be looked at very carefully, not only for 
consolidation but in the other part of the system that's going 
to be undergoing replacement, and so forth.
    Mr. Willemssen. If I could add a couple of points also, 
Madam Chair. Contingency planning is probably the topic we've 
gotten the most traffic on in the last few months. The item 
that people want to know how to do. So at the request of the 
executive branch, we did put together a guide in March of this 
year on how to go about and how to do contingency planning. A 
couple of points to make related to that----
    Chairman Johnson of Connecticut. I'll hope you'll share 
that with the Subcommittee.
    Mr. Willemssen. Definitely.
    Chairman Johnson of Connecticut. It would be very useful to 
us.
    Mr. Willemssen. Definitely. A couple of points to consider 
related to that is our contingency planning needs to be focused 
on backing up business processes more so than individual 
systems. That is, how do we go about delivering our service? 
And if there's a Y2K induced failure that prevents us from 
doing that, what are we going to do instead? So we have to 
think of it from a business perspective and a little less so 
from a system perspective although there's obviously a 
relationship and integration to consider. Given that, we would 
expect the business side of the House, generally speaking, to 
take the lead in putting these kind of plans together with the 
involvement, obviously, of the information technology staff, 
including the year 2000 personnel. But the business side of the 
House, they're the ones that know how they deliver services. 
They're the ones in the best position to know----
    Chairman Johnson of Connecticut. In other words, the 
contingency planning people don't necessarily have to be the 
same as the system reform people?
    Mr. Willemssen. That's exactly right. You need to involve 
them but it's not necessarily a tradeoff issue. Ironically, the 
organization in the Federal Government furthest ahead on this 
is the Social Security Administration. And there's a point to 
be made there too. We don't do contingency plans just because 
we're falling behind. You do them regardless, because of the 
unforeseen circumstances that could hit like the 
telecommunications issue that we talked about earlier. And SSA 
has put together a very sound structure for an overall business 
continuity and contingency plan.
    Chairman Johnson of Connecticut. Do you foresee any problem 
with the government being able to get the technology it needs--
--
    Mr. Willemssen. I would say----
    Chairman Johnson of Connecticut [continuing]. The 
computers, and the number of parts?
    Mr. Willemssen. I would say from what we see at selected 
agencies, is there are a lot of, should I say, ``to-be-
determined,'' as it pertains to commercial off-the-shelf 
products and what their year 2000 compliance status is. And a 
lot of those commercial off-the-shelf products are absolutely 
crucial to the operation of key business functions.
    Chairman Johnson of Connecticut. Are we going to test 
commercial off-the-shelf components?
    Mr. Willemssen. One of the things that the executive branch 
is doing is setting up a separate test facility for commercial 
off-the-shelf products. SSA and GSA are beginning to do that 
and then they will put the results up on a Web site so beyond 
just the manufacturer's claim that it's compliant, there will 
be some independent testing to that effect.
    Chairman Johnson of Connecticut. Good.
    Ms. Willis. Madam Chairman, the one thing that I would add 
is what we found at IRS. Part of the problem with their 
existing systems is that the contractors or the vendors are no 
longer supporting some of the commercial off-the-shelf, or 
COTS, products. I think, agencies with old systems, much like 
IRS, are going to run into this problem as well and you're 
running out of time in terms of deciding what your alternatives 
are. And at IRS, for example, that's one of the big concerns 
around the tier 2 systems. Just now, after months and months 
and months of negotiations, IRS has received the beta version 
of some of the operating systems that they need and they've got 
a massive number of platforms, a massive number of applications 
that all have to be testing on this new operating system. And 
so it's not as easy as with a new company, perhaps, that can 
simply go down to their local vendor and buy the latest year 
2000 upgrade. A lot of these systems simply aren't supported 
any more.
    Chairman Johnson of Connecticut. Which aspects of the IRS 
year 2000 effort do you believe are least likely to be 
completed by January 1999?
    Ms. Willis. I think there are serious concerns around some 
aspects of the mainframe consolidation, especially the parts 
that must be completed for IRS to be year 2000 compliant, like 
CRS, the Communication Replacement System. They are running 
into some slippages, some delays and one of the things that 
we've learned as we've watched over the past year as things 
start to slip and time starts to domino that it's much harder 
to get things back on track along that line. They have problems 
with their tier 2 systems, again, because of the variety of 
platforms that they're working on as well as the large number 
of applications across the country, many of which are not 
standardized so they have to do different things in different 
places.
    And I think the thing that I would put at the top of the 
list is testing. IRS does not currently have an integrated test 
plan for all of its conversion and replacement efforts. So 
right now it's not real clear, come January 1999, how they are 
going to test everything. And a comment I would make on some of 
the things that I heard earlier this morning from one of the 
prior panelists is be sure that everybody understands what 
we're talking about when we talk about things being completed. 
IRS, for example, has completed the conversion of a number of 
its main applications and those are running this filing season. 
But those applications have not been tested on, or may not be 
running on year 2000 compliant platforms nor in an integrated 
environment. So we're not home free on the systems that are 
running this year, or that will run next year and run 
successfully through the filing season.
    Chairman Johnson of Connecticut. I see, interesting. Thank 
you very much. I appreciate your testimony today and look 
forward to working with you.
    The hearing will be adjourned.
    [Whereupon, at 1:42 p.m., the hearing was adjourned, 
subject to the call of the Chair.]

                                   - 
