b'<html>\n<title> - JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING</title>\n<body><pre>[Senate Hearing 106-219]\n[From the U.S. Government Printing Office]\n\n\n                                                        S. Hrg. 106-219\n\n \n              JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                          SUBCOMMITTEE OF THE\n\n                      COMMITTEE ON APPROPRIATIONS\n\n                                  and\n\n         SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            SPECIAL HEARING\n\n                               __________\n\nPrinted for the use of the Committee on Appropriations and the Special \n             Committee on the Year 2000 Technology Problem\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/senate\n\n                                 ______\n\n_______________________________________________________________________\n            For sale by the U.S. Government Printing Office\nSuperintendent of Documents, Congressional Sales Office, Washington, DC \n                                 20402\n\n\n                        COMMITTEE ON APPROPRIATIONS\n\n                     TED STEVENS, Alaska, Chairman\nTHAD COCHRAN, Mississippi            ROBERT C. BYRD, West Virginia\nARLEN SPECTER, Pennsylvania          DANIEL K. INOUYE, Hawaii\nPETE V. DOMENICI, New Mexico         ERNEST F. HOLLINGS, South Carolina\nCHRISTOPHER S. BOND, Missouri        PATRICK J. LEAHY, Vermont\nSLADE GORTON, Washington             FRANK R. LAUTENBERG, New Jersey\nMITCH McCONNELL, Kentucky            TOM HARKIN, Iowa\nCONRAD BURNS, Montana                BARBARA A. MIKULSKI, Maryland\nRICHARD C. SHELBY, Alabama           HARRY REID, Nevada\nJUDD GREGG, New Hampshire            HERB KOHL, Wisconsin\nROBERT F. BENNETT, Utah              PATTY MURRAY, Washington\nBEN NIGHTHORSE CAMPBELL, Colorado    BYRON L. DORGAN, North Dakota\nLARRY CRAIG, Idaho                   DIANNE FEINSTEIN, California\nKAY BAILEY HUTCHISON, Texas          RICHARD J. DURBIN, Illinois\nJON KYL, Arizona\n                   Steven J. Cortese, Staff Director\n                 Lisa Sutherland, Deputy Staff Director\n               James H. English, Minority Staff Director\n                                 ------                                \n\n         SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM\n\n                   ROBERT F. BENNETT, Utah, Chairman\n            CHRISTOPHER J. DODD, Connecticut, Vice Chairman\nJON KYL, Arizona                     DANIEL PATRICK MOYNIHAN, New York\nGORDON SMITH, Oregon                 ROBERT C. BYRD, West Virginia (ex \nSUSAN M. COLLINS, Maine                  officio)\nTED STEVENS, Alaska (ex officio)\n                    Robert Cresanti, Staff Director\n             Wilke Green, Minority Staff Director<greek-l>\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\nStatement of Hon. David M. Walker, Comptroller General, General \n  Accounting Office..............................................     1\nStatement of Jacob J. Lew, Director, Office of Management and \n  Budget.........................................................     1\nOpening statement of Hon. Robert F. Bennett......................     1\nPrepared statement of Senator Robert F. Bennett..................     3\nStatement of Hon. Ted Stevens....................................     3\nPrepared statement of Senator Robert C. Byrd.....................     4\nStatement of Hon. David M. Walker................................     5\n    Prepared statement...........................................     8\nResults in brief.................................................     8\nBackground.......................................................     9\nEstimated year 2000 costs continue to escalate...................    11\nEmergency funds to be used for a variety of purposes.............    13\nCosts for fiscal year 2000 and beyond............................    14\nProgram and information technology initiatives delayed by Y2K....    15\nLessons learned from the Government\'s year 2000 efforts can be \n  applied to future information technology activities............    16\nContact and acknowledgments......................................    18\nStatement of Jacob J. Lew........................................    19\n    Prepared statement...........................................    22\nFederal progress.................................................    23\nY2K costs and funding............................................    23\nNext steps.......................................................    26\nNumber of Federal mission-critical systems that are Y2K compliant    28\nHas the Y2K problem undermined computer security?................    30\nProgress on nonmission-critical systems..........................    33\nAre additional Y2K supplemental funds required?..................    35\nWhat progress is being made in contingency planning?.............    36\nWhat is the difference between mission-critical and nonmission-\n  critical?......................................................    38\nWho will agencies turn to if they have Y2K problems?.............    40\nIs the Postal Service Y2K compliant?.............................    41\nNeed for progress for Federal systems that interact with State \n  and local systems..............................................    41\nProgress with our international partners.........................    42\nNeed for additional Y2K funding..................................    43\nPotential need for another flexible fund to respond to Y2K \n  problems.......................................................    45\n\n                                  (iii)\n\n\n              JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING\n\n                              ----------                              \n\n\n                         TUESDAY, JUNE 22, 1999\n\n                           U.S. Senate,    \n               Committee on Appropriations,\n                           Special Committee on the\n                              Year 2000 Technology Problem,\n                                                    Washington, DC.\n    The committees met at 9:35 a.m., in room SD-192, Dirksen \nSenate Office Building, Hon. Robert F. Bennett (chairman of the \nSpecial Committee on the Year 2000 Technology Problem) \npresiding.\n    Present: Senators Bennett, Stevens, and Gorton.\n\n                       GENERAL ACCOUNTING OFFICE\n\nSTATEMENT OF HON. DAVID M. WALKER, COMPTROLLER GENERAL\nACCOMPANIED BY JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES INFORMATION \n            SYSTEMS\n\n                    OFFICE OF MANAGEMENT AND BUDGET\n\nSTATEMENT OF JACOB J. LEW, DIRECTOR\n\n\n              opening statement of hon. robert f. bennett\n\n\n    Chairman Bennett. We welcome you to this morning\'s hearing, \nwhich is a joint hearing of the Senate Appropriations Committee \nand the Senate Special Committee on the Year 2000 Technology \nProblem. Senator Stevens has asked that I chair the committee, \nand I am grateful to him for his courtesy.\n    We want to welcome our witnesses for coming today as well. \nThe topic for today\'s hearing is oversight of spending on the \nyear 2000 technology problem within the Federal Government. Let \nme start out by noting that questioning Government spending on \nY2K has been likened in some circles to questioning a \nfirefighter on the use of water during a fight against a fire \nin a burning building, and I agree with that to a certain \nextent.\n    I think it would be a tragedy if we get to the year 2000 \nand have serious problems. To have them traced to a lack of \nmoney and say, ``well, we knew what to do, we had the plans in \nplace to do them, but we just did not have the money.\'\' I \ncertainly do not want anyone to accuse the Congress of being \ncomplicit in a situation like that. Ensuring the uninterrupted \nflow of critical Federal services is too important.\n    Our purpose here today is not to assail the Federal \nagencies or the administration for the amount or manner of Y2K \nspending. We recognize that the biggest roadblock we face \ntoward getting this problem under control, the biggest scarcity \nwe have, is time, not money.\n    However, there is always the possibility within the Federal \nGovernment that money that is appropriated for good and proper \npurposes ends up being diverted some place else. We have a \nresponsibility to ensure that the taxpayer dollars have been \nspent for the purpose for which they were appropriated, and at \nthe same time that there will be sufficient funds left for \nunexpected Y2K costs that will shortly crop up this year and \nnext.\n    The appropriations that were made, were made with the \nassumption that there would be some left over after we get to \nJanuary 2000 to take care of problems. We simply do not know \nhow much needs to be left over, but it would be irresponsible \nto say, well, this money is available, let\'s just go ahead and \nspend it.\n    Now, here is what we do know. According to the General \nAccounting Office (GAO), Federal spending on Y2K readiness is \ncurrently estimated to be $8.7 billion, and that is up from \n$2.3 billion that was estimated in February of 1997. I remember \nwhen that estimate was made, members of our committee were \nhighly skeptical that it could be achieved for that, so we are \nnow more than three times that original estimate. We may see an \nescalation in the $8.7 billion. It may continue up after \nJanuary 1, 2000.\n    Now, we have also learned that many Government agencies are \nnot tracking their Y2K costs, and this includes costs funded \nfrom the $3.35 billion emergency supplemental appropriation. \nThat breaks down to $1.1 billion for defense, and $2.25 billion \nfor nondefense. We need to determine if these funds are being \nused appropriately and, if not, we should determine where \nadditional oversight is necessary.\n    The charts displayed here show the growth in Federal \nagencies\' Y2K cost estimates and the status of emergency \nsupplemental funding for nondefense agencies. That second chart \nis a little hard--not a little hard, it is impossible to read, \nexcept when you have a hard copy of it in front of you. We \ntried to simplify it but we were unable to because the \ninformation on it is vital.\n    The charts indicate that we have only $450 million left \nthrough September 30, 2001, the life of the fund. That is one \nof the reasons for this hearing. We are concerned about whether \nthere will be money left to clean up problems that come after \nthe year 2000 turns, so we must determine if there are adequate \nresources available to meet the future Y2K demands, and we \nsuspect that more and more will be spent for Federal agencies\' \ncontingency plans.\n    Now, unfortunately the current pace of contingency planning \npresents us with one of our blind spots as far as congressional \noversight is concerned, because many Government agencies missed \nthe June 15 deadline for submitting contingency plans. This \nfailure not only deprives us of any confidence we might have in \ntheir ability to handle the emergencies, but it also prevents \nthe Office of Management and Budget (OMB), GAO, and the \nCongress from estimating how much these contingency plans may \ncost if they are required.\n    So with time running out, contingency planning for Y2K \nbecomes very important. As we explore the flow of funding to \nthe Federal agencies, a lack of contingency planning is not a \nblind spot we can afford to have.\n    So with that, Senator Stevens, if you have an opening \ncomment we will call upon you now.\n    [The statement follows:]\n\n            Prepared Statement of Senator Robert F. Bennett\n\n    Good morning. I would like to thank Chairman Stevens for \npresiding over this joint hearing of the Senate Appropriations \nand Y2K committees. I would also like to thank our witnesses \nfor coming today.\n    The topic of today\'s hearing is federal Y2K spending. \nBefore proceeding, I think it is important to note that, in \nsome circles, questioning government spending on Y2K is likened \nto questioning a firefighter on his use of water on a burning \nbuilding. I agree with that statement to an extent. In fact, I \nbelieve we should continue to make available the necessary \nresources to ensure that government continues to function on \nJanuary 1, 2000 and beyond. We don\'t want the lack of money to \nbe a reason why the federal government is not prepared for \nY2K--ensuring the uninterrupted flow of critical federal \nservices is simply too important.\n    Therefore, my purpose here today is not to assail the \nfederal agencies or the administration for the amount or manner \nof Y2K spending. The biggest roadblock to Y2K readiness at this \npoint--with only 192 days left--is the scarcity of time, not \nmoney.\n    Having said that, we have a responsibility to ensure that \ntaxpayer dollars are not being spent frivolously, and that \nthere will be sufficient funds left for the continued \nunexpected Y2K costs that will surely crop up later this year, \nand next. But the truth is, we simply don\'t know enough to say \nexactly how much will be needed for the remainder of this year \nand future years.\n    Here is what we do know: According to GAO, federal spending \non Y2K readiness is currently estimated to be $8.7 billion--up \nfrom $2.3 billion in February 1997--and may continue upward \nafter January 1, 2000. We have also learned that many \ngovernment agencies are not tracking Y2K costs--this includes \ncosts funded from the $3.35 billion emergency supplemental \nappropriation. We need to determine if these funds are being \nused appropriately. If not, we should determine whether \nadditional oversight is necessary.\n    We must determine if there are adequate resources available \nto meet future Y2K funding demands. In particular, we suspect \nthat more and more will be spent for federal agencies\' \ncontingency plans. Unfortunately, the current pace of \ncontingency planning presents us with another blind spot, as \nfar as congressional oversight is concerned. Many government \nagencies missed the June 15 deadline for submitting contingency \nplans. This failure not only deprives us of any confidence we \nmight have in their ability to handle Y2K-induced emergencies, \nbut also prevents OMB, GAO and the Congress from estimating how \nmuch contingency plans may cost.\n    With time running short, contingency planning for Y2K \nbecomes very important. As we explore the flow of funding to \nthe federal agencies, a lack of contingency planning is not a \nblind spot we can afford to have. Thank you very much.\n\n\n                     statement of hon. ted stevens\n\n\n    Chairman Stevens. Well, thank you very much, Senator \nBennett. I welcome the chance to jointly review this problem \nwith you. The emergency supplemental funding is what worries \nme, and I hope that we are keeping track of not only what has \nbeen spent, but what the demand will be between now and the \nturn of the century. It does appear to me that we have a little \nglitch in terms of contingency planning. I do want to go into \nthat with our witnesses this morning. I do not have an opening \nstatement.\n    I appreciate these charts. They are a little busy, but they \ncontain a great deal of information. I do not know if we have \ncopies we could provide to the press out there so they can \nunderstand what we are talking about.\n    Chairman Bennett. Yes, indeed.\n    Chairman Stevens. Thank you very much.\n    Chairman Bennett. Thank you, and everyone should recognize \nthat we would not be in the good position we are with respect \nto funds for the year 2000 if it were not for Senator Stevens \nand his very early recognition of this problem and his \nwillingness to carve out of the appropriations bill these \nfunds. Any other appropriations chairman might have taken the \nposition of, ``well, let\'s wait and see.\'\' Senator Stevens \nrecognized early on that there is no time to wait and see, and \nwe are in the good position we are because of Senator Stevens.\n\n\n                   prepared statement of senator byrd\n\n\n    Chairman Stevens. Mr. Chairman, Senator Byrd is detained, \nand I would like to have his statement placed in the record, \nand he does have some questions he would like to submit for the \nrecord.\n    Chairman Bennett. That will be placed in the record, and we \nwill be happy to forward his questions and receive them at such \ntime as he might be available.\n    [The statement follows:]\n\n              Prepared Statement of Senator Robert C. Byrd\n\n    Thank you, Mr. Chairman, for calling this joint hearing of \nthe Appropriations Committee and the Special Committee on the \nYear 2000 (Y2K) Technology Problem to examine budgeting efforts \nto ensure the Y2K readiness of the executive branch. You have \nprovided important leadership on this issue. As an Ex-Officio \nMember of the Special Committee on the Year 2000 Technology \nProblem, I also thank Chairman Bennett and Senator Dodd for \ntheir good work on this vexing problem. You have both worked \ndiligently to raise awareness about this issue and to monitor \nthe progress our nation is making toward meeting the immovable \ndeadline of midnight, December 31.\n    Our nation, indeed, the entire world, is increasingly \nreliant on technology. In the case of the federal government \nand its responsibilities in areas such as defense, emergency \nmanagement services, telecommunications, and benefit programs, \nY2K readiness is critical. Congress has recognized and \nresponded to the importance of this issue by providing \nconsiderable funds to bring federal systems into compliance.\n    The costs are substantial. GAO estimates that federal Y2K \ncosts as of May 1999 total $8.7 billion, a dramatic increase \nfrom the $2.3 billion cost estimated in early 1997. In response \nto emergency needs cited by federal agencies, last year \nCongress provided $3.35 billion in emergency funding through \nthe Omnibus Consolidated and Emergency Supplemental \nAppropriations Act. Of the $3.35 billion, $2.25 billion was \nprovided for non-defense agencies and $1.1 billion for \nDepartment of Defense (DOD). Thus far, a substantial portion of \nthese emergency funds have been allocated to federal agencies \nby the Office of Management and Budget (OMB). It is important \nthat these Committees provide oversight of this spending.\n    As December 31, 1999, draws near, we must make every effort \nto ensure that the federal government is Y2K ready. As \nappropriators, we have a responsibility to ensure that the \nfunds provided for Y2K conversion are in fact achieving federal \nY2K readiness and that these funds are accounted for carefully. \nWe must also explore whether additional resources will be \nnecessary to finish the job, to implement contingency plans, \nand to meet any outstanding needs. I look forward to receiving \nthe testimony of our witnesses this morning as we delve into \nthese important issues.\n\n    Chairman Bennett. Our witnesses this morning are Hon. David \nWalker, who is the Comptroller General of the U.S. General \nAccounting Office, and Hon. Jacob Lew, who is the Director of \nthe Office of Management and Budget. Between the two of you, \nyou probably represent more expertise on the budget and the \ncash flow of the Federal Government than any other two \nindividuals available, and we are grateful to you for your \nwillingness to appear here and look forward to hearing from you \nboth.\n    We will start, Mr. Walker, with you.\n\n\n                   statement of hon. david m. walker\n\n\n    Mr. Walker. Thank you, Mr. Chairman. Good morning, Chairman \nBennett, Chairman Stevens. Thank you for inviting me to testify \ntoday on Y2K costs and to discuss more broadly the implications \nof Y2K on future information technology activities.\n    Since our February 1997 designation of the year 2000 \nproblem as a high risk area for the Federal Government, action \nto address the Y2K threat has intensified. In response to a \ngrowing recognition of the challenge, as well as urging from \ncongressional leaders, the administration has strengthened the \nGovernment\'s Y2K preparations.\n    For example, OMB has now established 43 high impact program \nareas as Government priorities. This list includes such \nprograms as Social Security, food stamps, and Medicare. It does \nnot, however, include direct national security and revenue \ncollection activities. Many congressional committees have been \nextremely diligent in addressing the year 2000 challenge by \nholding agencies accountable for demonstrating progress, and by \nheightening public appreciation of the problem.\n    In particular, work done by the Senate Special Committee on \nthe Year 2000 Technology Problem has fostered a greater \nunderstanding of this issue and focused attention on much-\nneeded actions. Despite the improvements in the Government\'s \nY2K approach, significant challenges remain. In particular, \nthrough year 2000 testing is essential. Further, adequate \nbusiness continuity and contingency plans must be successfully \ncompleted and tested.\n    As shown by this chart, Mr. Chairman, the total estimated \nY2K costs for the 24 major Federal agencies have more than \ntripled during the last 2 years. A total of about $8.7 billion \nas of the end of last month. Within this $8.7 billion, Federal \nagencies have reported that their year 2000 costs for fiscal \nyears 1996 to 1998 were over $3 billion. Some agencies told us \nthat they reported these based on actual costs, while others \nreported some costs as actuals, and others as estimates. Still \nothers included total estimates, and did not maintain actual \ncosts for Y2K, other than for the emergency supplemental.\n    With agencies\' estimates of Y2K costs increasing \ndramatically, and with limited time remaining to complete \nneeded actions, many agencies have requested emergency funds in \nfiscal year 1999. According to their justification submissions \nto the Congress and OMB, three categories of reasons emerge to \nexplain organizations\' requests for emergency funds: First, new \nrequirements that had not been planned for fiscal 1999; second, \ncost increases to complete ongoing Y2K activities; and, third, \nthe unavailability of regular appropriations for planned Y2K \nwork.\n    New requirements included outreach, independent \nverification validation, as well as decisions to replace \npersonal computers and network hardware and software for a \nvariety of reasons, including to assure Y2K compliance.\n    In May 1999, the 24 major departments and agencies \nestimated their fiscal year 2000 costs for Y2K activities at \nabout $981 million, almost a ninefold increase from the \noriginal year 2000 estimate of about $111 million provided in \nFebruary 1997.\n    Determining the extent of continued Y2K cost estimation is \ndifficult because of many uncertainties. For example, 10 \nagencies reported that they have not completed work on their \nmission-critical systems as of mid-May 1999. Key factors that \ncould fuel additional cost increases include agencies \ndetermining that they must implement business continuity and \ncontingency plans, or if there are any other anticipated events \nthat occur due to the Y2K problem that must be addressed.\n    For example, in August of 1998, the Health Care Financing \nAdministration (HCFA) estimated that it would need between $300 \nmillion and $500 million to handle emergency contingency \nsituations that could result from the Y2K problem. HCFA \nreported that the types of activities that these funds would be \nneeded for included unforeseen software, hardware, and \ntelecommunications failures, increased paper claims due to \nprovider or billing companies\' inability to transmit \nelectronically, and claims reprocessing to correct erroneous \nrepayments.\n    The Health and Human Services (HHS) reported to us that it \nrequested about $165 million for Y2K activities in its fiscal \nyear 2000 budget request. This amount, however, excluded any \namounts for the implementation of HCFA contingency plans should \nthose plans prove to be necessary.\n    Other agencies could also have higher costs if business \ncontingency and continuity plans need to be implemented. OMB\'s \nreview of agency contingency plans should therefore consider \nwhether agencies have provided information on the cost of \nimplementing contingency plans if that should be required. If \nnot, OMB needs to gather this information quickly so that it \ncan share with the Congress what impact this would have on \npotential future funding needs.\n    Additional costs could also be incurred if some States do \nnot complete their year 2000 work on systems that support \ncritical Federal programs such as food stamps and Medicaid. \nImportantly, 10 of OMB\'s designated high impact programs rely \non State-level implementation. Information indicates that some \nState systems are not scheduled to be compliant until the last \nquarter of 1999.\n    If States do not complete their year 2000 remediation in \ntime, or if those remediation efforts fail, the States would \nhave to implement their business continuity and contingency \nplans, which could encompass Federal Government assistance \nbecause of the cost reimbursement mechanisms under those \nprograms.\n    While making systems ready for year 2000 has been an \nenormous job, other program and information technology needs \nhave not disappeared. In fact, they have grown, and continue to \ngrow. In particular, because of the year 2000 problem, agencies \nhave delayed implementation of regulatory requirements and \nplanned information technology enhancements. There is a pent-up \ndemand and growing backlog of such initiatives which may have \nsignificant implications for future funding level requests.\n    The total Government-wide volume of program and information \ntechnology activities delayed by Y2K is not known. Therefore, \nthe potential demand for additional information technology \nresources in the future is difficult to predict. However, the \ncost of these delayed activities could be significant. \nAccordingly, OMB will need to work with the agencies to \ndetermine the magnitude of these pent-up demands in order to \nmake informed management and funding decisions in the future.\n    In addition to these demands, increased resources will \nlikely be needed for another key issue that has garnered \nincreased attention, namely information security. As we \nreported in September 1998, the expanded amount of audit \nevidence that has become available since mid-1996 describes \nwidespread and serious weaknesses to adequately protect Federal \nassets, sensitive information, and critical operations.\n    The computer security issue, which is already on our high \nrisk list, will follow on the heels of the Y2K challenge. \nComputer security issues have a range of potential national \nsecurity, economic security, and personal privacy implications.\n    There has importantly been a silver lining to the Y2K \nchallenge. The Government organizations\' experiences in \nbecoming prepared for the year 2000 hold valuable lessons about \nhow information technology can best be managed. For many \nagencies, the threat posed by the year 2000 problem was a much-\nneeded wake-up call. Because of the urgency of the issues, \nagencies could not afford to carry on in the same manner that \nresulted in a decade of poor information technology planning \nand program management.\n    Earlier this year, we reported that the year 2000 provided \nthe opportunity to institutionalize valuable lessons, such as \nthe importance of consistent and persistent top management \nattention to be accompanied by reliable processes and \nreasonable controls.\n    Another benefit of the year 2000 effort was the \nestablishment of much-needed information technology policies in \nsuch areas as configuration management, quality assurance, risk \nmanagement, project scheduling and tracking, and metrics. \nBeyond individual agencies, the year 2000 problem holds lessons \nin overseeing and managing information technology on a \nGovernment-wide basis. In particular, actions taken by the \nCongress and the executive branch have demonstrated that \neffective oversight and guidance can have a positive influence \non major information technology efforts.\n    In conclusion, Mr. Chairman, it is clear that Y2K \nexpenditures have been significant, sometimes unpredictable, \nand constantly growing. Further, Y2K cost growth may continue, \nespecially if business and continuity contingency plans must be \nput into operation, or if State-administered Federal program \nsystem efforts are not completed.\n    In addition, pent-up demand exists for information \ntechnology enhancements and security activities. OMB needs to \ntake steps to estimate the nature and extent of these pent-up \ndemands, as well as the contingency expenditures that could be \nincurred related to Y2K.\n    On the positive side, while correcting the Y2K problem has \nbeen and continues to be costly, the experiences of individual \nagencies and the Government as a whole in meeting this \nchallenge have provided renewed and needed focus on information \nsystems. As we attempt to meet future information technology \nand security challenges, these lessons must not be lost.\n\n                           prepared statement\n\n    This completes my summary statement, Mr. Chairman. I would \nbe happy to answer any questions at the appropriate time. Thank \nyou.\n    Chairman Bennett. Thank you very much. We appreciate your \nstatement. Your full statement will be made a part of the \nrecord.\n    [The statement follows:]\n                 Prepared Statement of David M. Walker\n    Messrs. Chairmen and Members of the Committees: We are pleased to \nbe here today to present information on Year 2000 (Y2K) \\1\\ costs and \nfunding and to discuss more broadly what implications the government\'s \nnecessary short-term focus on preparing for the year 2000 will have on \nfuture information technology activities. In 1997, we designated the \nYear 2000 computing problem as a high-risk area because computer \nfailures could disrupt functions and services that are critical to our \nnation. \\2\\ After providing a brief summary of the issues and \nbackground information, my testimony today will highlight (1) estimated \nY2K costs and agency processes to track costs to date, (2) planned uses \nof emergency funding, (3) Y2K costs for fiscal year 2000 and beyond, \n(4) agency program and information technology initiatives delayed by \nY2K activities, and (5) lessons learned from Y2K efforts that can be \napplied to other information technology activities.\n---------------------------------------------------------------------------\n    \\1\\ The Y2K problem is rooted in how dates are recorded and \ncomputed. For the past several decades, computer systems typically used \ntwo digits to represent the year, such as ``99\'\' for 1999, in order to \nconserve electronic data storage and reduce operating costs. In this \nformat, however, 2000 is indistinguishable from 1900 because both are \nrepresented as ``00\'\'. As a result, if not modified, systems or \napplications that use dates or perform date- or time-sensitive \ncalculations may generate incorrect results beyond 1999.\n    \\2\\ High-Risk Series: Information Management and Technology (GAO/\nHR-97-9, February 1997).\n---------------------------------------------------------------------------\n                            results in brief\n    Meeting the Year 2000 challenge has been necessary but expensive, \nwith estimated federal costs rising from $2.3 billion in February 1997 \nto $8.7 billion as of last month. From February through May 1999, the \nestimated cost rose $1.2 billion. With respect to Y2K costs incurred \nthrough fiscal year 1998, the 24 major federal departments and agencies \nreported costs exceeding $3 billion. While some agencies reported \nactual costs incurred through 1998, others reported estimates. In \nfiscal year 1999, agencies have requested emergency funds and plan to \nspend much of these funds on renovation, validation, and implementation \nactivities, along with replacing personal computers and network \nhardware and software. Beyond fiscal year 1999, estimated Y2K costs \nhave continued to climb, now reaching over $1 billion. Determining the \nextent of continued Y2K cost escalation is difficult because of many \nuncertainties. One major unknown is whether agencies will have to \nimplement their business continuity and contingency plans. Such plans, \nif triggered, could entail substantial costs. Agencies\' high-level \nbusiness continuity and contingency plans were due to the Office of \nManagement and Budget (OMB) by June 15. OMB\'s review of these plans \nshould consider whether agencies provided estimated business continuity \nand contingency plan costs. If not, OMB needs to require that this \ninformation be provided expeditiously so that it can provide the \nCongress with information on potential future funding needs. We intend \nto review the plans submitted to OMB and advise the Congress of \npotential funding ramifications.\n    Another less direct but undeniable issue associated with the Year \n2000 challenge has been the postponement of many program and \ninformation technology initiatives so that resources could be dedicated \nto Y2K. Such demands--including system enhancements and computer \nsecurity--have not vanished; in fact, they have grown. On the positive \nside, however, the government will likely approach these future \ninformation technology challenges better prepared, having gained much \nvaluable information from experiences in meeting the Y2K challenge. For \nexample, this was the motivator that resulted in many agencies\' taking \ncharge of their information technology resources in much more active \nways, from inventorying and prioritizing systems to implementing \nreliable processes and better controls. Such lessons should not be lost \non future information technology projects.\n                               background\n    With close to half of all computer capacity and 60 percent of \nInternet assets, the United States is the world\'s most advanced and \nmost dependent user of information technology.\\3\\ Such systems perform \nfunctions and services critical to our nation; disruption could create \nwidespread hardship, including problems in key federal operations \nranging from national defense to benefits payments to air traffic \nmanagement. Accordingly, the upcoming change of century is a sweeping \nand urgent challenge for public- and private-sector organizations \nalike, in this country and around the world.\n---------------------------------------------------------------------------\n    \\3\\ Critical Foundations: Protecting America\'s Infrastructures \n(President\'s Commission on Critical Infrastructure Protection, October \n1997).\n---------------------------------------------------------------------------\n    Since our February 1997 designation of the Year 2000 problem as a \nhigh-risk area for the federal government, action to address the Y2K \nthreat has intensified. In response to a growing recognition of the \nchallenge and urging from congressional leaders and others, the \nadministration strengthened the government\'s Year 2000 preparation. In \nFebruary 1998, the President took a major step in establishing the \nPresident\'s Council on Year 2000 Conversion. The President also (1) \nestablished the goal that no system critical to the federal \ngovernment\'s mission experience disruption because of the Year 2000 \nproblem and (2) charged agency heads with ensuring that this issue \nreceive the highest priority attention. Further, the Chair of the \nCouncil was tasked with the following Year 2000 roles: (1) overseeing \nthe activities of agencies, (2) acting as chief spokesperson in \nnational and international forums, (3) providing policy coordination of \nexecutive branch activities with state, local, and tribal governments, \nand (4) promoting appropriate federal roles with respect to private-\nsector activities.\n    Among the initiatives the Chair of the Council has implemented in \ncarrying out these responsibilities are attending monthly meetings with \nsenior managers of agencies that are not making sufficient progress, \nestablishing numerous working groups to increase awareness of and gain \ncooperation in addressing the Y2K problem in various economic sectors, \nand emphasizing the importance of federal/state data exchanges. In \naddition, on June 14, 1999, the President ordered the creation of an \nInformation Coordination Center--consisting of officials from executive \nagencies--to assist the Chair of the Council in addressing Year 2000 \nconversion problems both domestically and internationally. Among its \nduties, the Information Coordination Center is to assist in making \npreparations for information sharing and coordination within the \nfederal government and key components of the public and private \nsectors.\n    Many congressional committees have been extremely diligent in \naddressing the Year 2000 challenge by holding agencies accountable for \ndemonstrating progress and by heightening public appreciation of the \nproblem. By holding numerous hearings on important topics such as \nhealth care, the food sector, electric power, and financial services \nand in issuing a major report \\4\\ on the impact of the Year 2000 \nproblem, the Senate Special Committee on the Year 2000 Technology \nProblem has fostered a greater understanding of the problem and focused \nattention on actions needed.\n---------------------------------------------------------------------------\n    \\4\\ Investigating the Impact of the Year 2000 Problem (United \nStates Senate, Special Committee on the Year 2000 Technology Problem, \nFebruary 24, 1999).\n---------------------------------------------------------------------------\n    OMB, for its part, has taken more aggressive action on Year 2000 \nmatters over the past year and a half and has been responsive to our \nrecommendations. For example, in its quarterly report issued in \nDecember 1997, OMB accelerated its milestone for agencies to complete \nthe implementation phase of Y2K conversion by 8 months, from November \nto March 1999. OMB has also tightened requirements on agency reporting \nof Year 2000 progress. It now requires that beyond the original 24 \nmajor departments and agencies that have been reporting, 9 additional \nagencies (such as the Tennessee Valley Authority and the Postal \nService) report quarterly on their Year 2000 progress, and that \nadditional information be reported from all agencies. Additionally, in \nresponse to our April 1998 recommendation,\\5\\ on March 26, 1999, OMB \nissued a memorandum to federal agencies designating lead agencies for \nthe government\'s 42 high-impact programs, including those delivering \ncritical benefits such as social security, food stamps, and Medicare; \nensuring adequate weather forecasting capabilities; and providing \nfederal electric power generation and delivery. (OMB later added a 43rd \nhigh-impact program--the National Crime Information Center.) Further, \nOMB has clarified instructions for agencies relative to preparing \nbusiness continuity and contingency plans, and required agencies to \nsubmit high-level versions of these plans just last week, on June 15. \nWe intend to review the plans submitted to OMB and advise the Congress \nof our results.\n---------------------------------------------------------------------------\n    \\5\\ Year 2000 Computing Crisis: Potential for Widespread Disruption \nCalls for Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, \n1998).\n---------------------------------------------------------------------------\n    As you know, we have been very active in working with the Congress \nas well as federal agencies to both strengthen agency processes and to \nevaluate their progress in addressing these challenges. To help \nagencies mitigate their Year 2000 risks, we produced a series of Year \n2000 guides on enterprise readiness, business continuity and \ncontingency planning, and testing.\\6\\ In addition, we have issued over \n100 reports and testimony statements detailing specific findings and \nhave made dozens of recommendations related to the Year 2000 readiness \nof the government as a whole and of a wide range of individual \nagencies.\n---------------------------------------------------------------------------\n    \\6\\ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-\n10.1.14, issued as an exposure draft in February 1997 and in final form \nin September 1997), Year 2000 Computing Crisis: Business Continuity and \nContingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in \nMarch 1998 and in final form in August 1998), and Year 2000 Computing \nCrisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft \nin June 1998 and in final form in November 1998).\n---------------------------------------------------------------------------\n    Fortunately, the past 2 years have witnessed marked improvement in \npreparedness as the government has revised and intensified its approach \nto this problem. Nevertheless, significant challenges remain. In \nparticular, complete and thorough Year 2000 testing is essential to \nproviding reasonable assurance that new or modified systems will be \nable to process dates correctly and not jeopardize agencies\' abilities \nto perform core business operations. Moreover, adequate business \ncontinuity and contingency plans must be successfully completed and \ntested throughout government.\nThe Congress Appropriated Emergency Year 2000 Funding\n    To address Y2K resource needs, last year the Congress appropriated \n$2.25 billion for civilian agencies \\7\\ and $1.1 billion for the \nDepartment of Defense for emergency expenses related to Year 2000 \nconversion of federal information technology systems. Through May 1999, \nOMB made six separate allocations totaling about $1.724 billion \\8\\ to \ncivil agencies (77 percent of the $2.25 billion in civilian emergency \nfunds) and one allocation of $935 million to the Department of Defense \n(85 percent of its emergency funds). Figure 1 illustrates the \ncumulative amount of emergency funds allocated to nondefense \norganizations and the Department of Defense, and that about $661 \nmillion remains.\n---------------------------------------------------------------------------\n    \\7\\ As part of the $2.25 billion for civilian departments and \nagencies, $16.873 million and $13.044 million were designated for the \nlegislative and judicial branches, respectively.\n    \\8\\ This amount does not include $13.65 million that OMB allocated \nto the Department of Energy but did not transfer to the department \nbecause, according to OMB, the House Appropriations Committee did not \nconsider the planned use of these monies an appropriate use of \nemergency funding.\n[GRAPHIC] [TIFF OMITTED] T14JU22S.000\n\n\n    Note: This chart does not include the amount set aside for the \n---------------------------------------------------------------------------\nlegislative and judicial branches ($29.9 million).\n\n    Source: OMB.\n\n    Figure 2 illustrates the entities that received the largest \nallocations.\n[GRAPHIC] [TIFF OMITTED] T14JU22S.001\n\n\n    Note: Appendix I lists all of the entities that received emergency \nfunding allocations.\n\n    Source: OMB.\n\n    Regarding Y2K costs and funding, the House Majority Leader asked us \nto (1) identify agency-reported Year 2000 costs through fiscal year \n1998 and the agencies\' processes used to track these costs, (2) \ndetermine the reported status of fiscal year 1999 obligations for Year \n2000 activities, (3) identify estimated Year 2000 costs for fiscal year \n1999 and the planned uses of the emergency allocations, and (4) \nidentify the Year 2000 costs for fiscal year 2000. In addressing these \nquestions, we requested documentation of actual and planned costs from \n29 federal agencies that provide quarterly Y2K compliance information \nto OMB, plus an additional 12 organizations that had received emergency \nfunding. We provided a report to the House Majority Leader on this \ninformation in April 1999.\\9\\\n---------------------------------------------------------------------------\n    \\9\\ Year 2000 Computing Crisis: Costs and Planned Use of Emergency \nFunds (GAO/AIMD-99-154, April 28, 1999).\n---------------------------------------------------------------------------\n    In my testimony before the Senate Committee on Appropriations in \nJanuary,\\10\\ Chairman Stevens, you asked me to return and discuss these \ncosts issues further. Accordingly, to prepare for this testimony, we \nupdated the information in our April report to include (1) the latest \ncost estimates from the 24 major departments and agencies and (2) \ninformation on releases from the emergency fund subsequent to our prior \nwork.\\11\\\n---------------------------------------------------------------------------\n    \\10\\ Year 2000 Computing Challenge: Readiness Improving, But \nCritical Risks Remain (GAO/T-AIMD-99-49, January 20, 1999).\n    \\11\\ Seven additional agencies received emergency allocations \nsubsequent to our prior work and, therefore, were not included in our \nApril 1999 report.\n---------------------------------------------------------------------------\n             estimated year 2000 costs continue to escalate\n    As figure 3 indicates, the total estimated costs of ensuring that \nthe computer systems of the 24 major federal agencies perform as \nexpected beyond 1999 more than tripled during the last 2 years--to a \ntotal of about $8.7 billion as of last month--up $1.2 billion in the \npast 3 months alone.\n[GRAPHIC] [TIFF OMITTED] T14JU22S.002\n\n\n    Note: The August 1998 through May 1999 figures are totals of all \nindividual submissions from the 24 major departments and agencies. In \nits summary of agency reports, OMB decreased total estimated Year 2000 \ncosts for the 24 major agencies by about $900 million in August 1998, \n$800 million in November 1998, $779 million in February 1999, and $688 \nmillion in May 1999. For the August 1998 costs, OMB did not include all \ncosts in its estimate because, for example, it was still reviewing some \nof the estimates provided by the agencies. For the November 1998 and \nFebruary 1999 costs, OMB did not provide explanations in its report for \nall of the discrepancies between the agency reports and their total \nestimated Y2K cost figure. However, the OMB reports covering the \nNovember 1998 and February 1999 periods did not include $81.3 million \nand $91.7 million in Transportation and Treasury costs, respectively, \nthat they stated were non-Y2K costs funded from emergency supplemental \nfunds. In OMB\'s report covering the May 1999 period, it revised the \namount of Transportation\'s non-Y2K costs funded from emergency \nsupplemental funds to $52 million, but Treasury\'s amount remained the \nsame.\n\n    Source: February 1997 data are from OMB\'s report Getting Federal \nComputers Ready for 2000, February 6, 1997. May 1997 through May 1998 \ndata are from OMB\'s quarterly reports. The August 1998 through May 1999 \ndata are from the quarterly reports of the 24 major departments and \nagencies.\n\n    Among the agencies that had substantial increases from February \n1997 through May 1999 were the Department of Defense--$969.6 million to \n$3.66 billion (277 percent increase), the Department of the Treasury--\n$318.5 million to $1.9 billion (497 percent increase), and the \nDepartment of Health and Human Services (HHS)--$90.7 million to $1.111 \nbillion (1,125 percent increase).\nSeveral Agencies Did Not Separately Track Actual Year 2000 Costs for \n        Fiscal Years 1996 Through 1998\n    Reported Year 2000 costs incurred each year from 1996 through 1998 \nfor the 24 major departments and agencies have also grown dramatically. \nReported fiscal year 1996 costs were about $72 million,\\12\\ fiscal year \n1997 costs were about $830 million, and fiscal year 1998 costs were \nover $2.7 billion. These reported costs, however, still represent less \nthan half of the total Year 2000 costs of $8.7 billion estimated last \nmonth by the 24 major departments and agencies.\n---------------------------------------------------------------------------\n    \\12\\ One agency also reported Year 2000 costs that were prior to \nfiscal year 1996.\n---------------------------------------------------------------------------\n    While federal agencies reported that their Year 2000 costs from \nfiscal years 1996 through 1998 were over $3 billion, some agencies \nreported actual costs while others reported some costs as actual and \nothers as estimates; still others reported just estimates. In \nparticular, at the time of our report,\\13\\ of the 24 major departments \nand agencies, 7 reported that their fiscal years 1996 through 1998 \ncosts were actual (3 used financial management systems while 4 used \nreports from component entities to track costs), 5 reported that some \ncosts were actual while others were estimates (e.g., contract costs \nwere actual while labor costs were estimates), 9 reported that they did \nnot separately track actual costs for fiscal years 1996 through 1998, \nand 3 did not provide information on cost tracking.\n---------------------------------------------------------------------------\n    \\13\\ GAO/AIMD-99-154, April 28, 1999.\n---------------------------------------------------------------------------\n    With respect to the nine major agencies that reported not \nseparately tracking actual costs for fiscal years 1996 through 1998, at \nleast three cited as a reason that they were not required to do so. For \nexample, the Department of the Interior reported that aside from the \n1999 Y2K Supplemental Funding, the Department has never tracked Y2K \nfunding separately from other appropriated funds, as there has never \nbeen any requirement to do so. With respect to tracking of actual costs \nassociated with the emergency funding, five of the nine agencies that \nreported estimated costs for fiscal years 1996 through 1998 reported \nthat they were tracking, or planned to track, actual costs associated \nwith the emergency funding allocation (the other four agencies did not \naddress whether they were tracking these funds or had not received \nemergency allocations).\n    While agencies may not be required to track actual costs of Y2K \nactivities, we believe that the criticality of Year 2000 activities and \nthe significance of the costs--hundreds of million of dollars in some \ncases--indicate that prudent management practices warrant cost \ntracking. Specifically, our enterprise readiness guide \\14\\ states that \nagencies\' Year 2000 program management staff should be able to track \nthe cost and schedule of individual Year 2000 projects.\n---------------------------------------------------------------------------\n    \\14\\ GAO/AIMD-10.1.14, September 1997.\n---------------------------------------------------------------------------\n          emergency funds to be used for a variety of purposes\n    With agencies\' estimates of Y2K costs increasing dramatically and \nwith limited time remaining to complete needed actions, many agencies \nrequested emergency funds in fiscal year 1999. Thirty-nine civilian \nagencies and the District of Columbia have requested--and received--\nemergency funding for a variety of uses, as shown in figure 4.\n[GRAPHIC] [TIFF OMITTED] T14JU22S.003\n\n\n    Note: The other category primarily includes funds for replacement \nof personal computers and network hardware and software. In their \njustifications, some organizations said the personal computers and \nnetwork hardware and software could not be upgraded to be Y2K \ncompliant, and in other cases they determined that it would not be \neconomical to upgrade obsolete equipment. In addition, the total amount \nin this chart does not equal the total amount allocated because the \njustification data from two organizations did not equal the total \nallocations reported by OMB.\n\n    Source: GAO analysis based on agency justifications.\n\n    In its response to our request, the Department of Defense reported \nthat it is targeting almost $525 million for testing, about $262 \nmillion for contingency planning, and $148 million for operational \nevaluations.\n    According to their justification submissions to the Congress and \nOMB, three categories of reasons emerged to explain organizations\' \nrequests for emergency funds: (1) new requirements that had not been \nplanned for fiscal year 1999, (2) cost increases to complete ongoing \nY2K activities, and (3) the unavailability of regular appropriations \nfor planned Y2K work.\n    New requirements included outreach and independent verification and \nvalidation (IV&V) (cited by 24 organizations), and decisions to replace \npersonal computers and network hardware and software (cited by 23 \norganizations)--activities not initially in agencies\' fiscal year 1999 \nplans. For example, the Department of Commerce requested about $32 \nmillion for IV&V and $25 million for outreach activities not previously \nanticipated.\n    Costs for ongoing Y2K activities also increased for 25 \norganizations, beyond the fiscal year 1999 projections on which budget \nrequests were based. For instance, HHS\' Health Care Financing \nAdministration (HCFA) requested over $28 million for IV&V activities \nbecause such work had increased beyond the level planned for fiscal \nyear 1999. The Department of Energy requested just under $14 million to \naccelerate renovation, validation, and implementation.\n    Finally, in several cases, agencies reported that their budget \nrequests were reduced and Year 2000 emergency funding was utilized to \nhelp make up the difference, even though not all of the activities in \nthe original budget request were Y2K-related. While no legislative or \nstatutory requirements explicitly provide for the use of emergency \nfunds as an alternative to general appropriations, the House-Senate \nconference report on Treasury and Department of State appropriations \nfor fiscal year 1999 acknowledges the need for additional monies to \nachieve Y2K compliance, and part of the Treasury and General Government \nAppropriations Act permits use of Treasury funds to achieve Y2K \ncompliance until * * * supplemental appropriations are made available * \n* *.\n                 costs for fiscal year 2000 and beyond\n    In May 1999, the 24 major departments and agencies estimated their \nfiscal year 2000 costs for Y2K activities at about $981 million--almost \na nine-fold increase from the original fiscal year 2000 estimate of \nabout $111 million provided in February 1997. In addition, in their May \n1999 quarterly reports to OMB, three agencies estimated that they would \nincur about $127.4 million in Year 2000 costs beyond fiscal year \n2000.\\15\\ During our work for the House Majority Leader, we asked \nagencies whether they expected to have Year 2000 costs beyond those \nprojected in their budgets. HHS was the only agency that identified a \nspecific need: it reported that it had begun to identify possible Y2K \nneeds of grantees.\n---------------------------------------------------------------------------\n    \\15\\ The vast majority of these costs were reported by the \nDepartment of the Treasury, which reported that the Internal Revenue \nService\'s Y2K costs after fiscal year 2000 would be about $125 million.\n---------------------------------------------------------------------------\n    Determining the extent of continued Y2K cost escalation is \ndifficult because of many uncertainties; 10 agencies reported that they \nhad not completed work on their mission-critical systems as of mid-May \n1999, many agencies are still planning or undergoing end-to-end testing \nto ensure that data can be properly transferred and processed among \nsystems, and much work with states and other partners remains. Key \nfactors that could fuel additional cost increases include agencies\' \ndetermining that they must implement business continuity and \ncontingency plans, or the occurrence of other, unanticipated events due \nto the Y2K problem that must be addressed. In August 1998, HCFA \nestimated, for example, that it would need between $311.2 million (most \nlikely scenario) and $536.7 million (pessimistic scenario) to handle \nemergency situations that could result from the Y2K problem. HCFA \nreported that the types of activities that these funds would be needed \nfor included (1) unforeseen software, hardware, and telecommunications \nfailures, (2) increased paper claims due to provider or billing \ncompanies\' inability to transmit electronically, and (3) claims \nreprocessing to correct erroneous payments. HHS\' August 1998, November \n1998, February 1999, and May 1999 quarterly reports to OMB included the \n$311.2 million in contingent HCFA costs in its Year 2000 cost estimate. \nHHS reported to us that it had requested about $165 million for Y2K \nactivities in its fiscal year 2000 budget request--the amount it \nestimated that it needed to fund other Year 2000 activities, excluding \nthe implementation of HCFA contingency plans. Consistent with this, OMB \nhas not included HCFA\'s contingency costs when reporting Y2K costs.\n    Other agencies could also have higher costs if business continuity \nand contingency plans need to be implemented. For example, the \nDepartment of Education\'s May 1999 quarterly report stated that it \nplanned to estimate the cost to implement its contingency plans in the \nnext few months and that these estimates would be likely to increase \nits fiscal year 2000 and overall Y2K cost estimates. Similarly, the \nOffice of Personnel Management\'s May 1999 quarterly report said that it \nwould continue to evaluate the need for additional Y2K-related funding \nfor business continuity and contingency plan implementation and will \nadvise OMB of those requirements.\n    Our guide on business continuity and contingency planning calls on \nagencies to assess the cost and benefits of identified \nalternatives.\\16\\ In its May 13 memo requiring agencies to submit high-\nlevel business continuity and contingency plans on June 15, OMB stated \nthat agencies should follow our guide in preparing these plans. \nAccordingly, OMB\'s review of these plans should consider whether \nagencies provided estimated business continuity and contingency plan \ncosts. If not, OMB needs to require that this information be provided \nexpeditiously so that it can provide the Congress with information on \npotential future funding needs.\n---------------------------------------------------------------------------\n    \\16\\ GAO/AIMD-10.1.19, August 1998.\n---------------------------------------------------------------------------\n    Additional costs could also be incurred if some states do not \ncomplete their Year 2000 work on systems that support federal programs, \nsuch as food stamps and Medicaid. Recent information indicates that \nsome state systems are not scheduled to be compliant until the last \nquarter of 1999. For example, according to OMB\'s latest quarterly \nreport dated June 15, 1999, three states or U.S. territories did not \nexpect to complete testing of their food stamp systems and four states \nor U.S. territories did not expect to complete testing of their \nMedicaid eligibility systems until the last quarter of 1999. Because \nthese deadlines are so close to the turn of the century, the risk of \ndisruption to these states\' and territories\' programs substantially \nincreases, especially if delays occur or if unexpected problems arise.\n    If states do not complete their Year 2000 remediation in time, or \nif those remediation efforts fail, the states would have to implement \ntheir business continuity and contingency plans, which could encompass \nfederal government assistance. An example of such assistance is the \nDepartment of Labor\'s April 2, 1999, emergency funding request of \n$274,000 to design and develop a prototype PC-based system to be used \nin the event that a state\'s unemployment insurance system is unusable \ndue to a Y2K-induced problem. In addition, many state-administered \nfederal programs, such as Medicaid and child support enforcement, \nrequire the federal government to reimburse states for a percentage of \ntheir administrative costs, which would be expected to increase in the \nevent that business continuity and contingency plans are implemented.\n     program and information technology initiatives delayed by y2k\n    While making systems ready for the year 2000 has been an enormous \njob, other program and information technology needs have not \ndisappeared; in fact, they continue to grow. In particular, because of \nthe Year 2000 problem, agencies or the Congress have delayed \nimplementation of regulatory requirements and planned information \ntechnology initiatives. In addition, many agencies have implemented or \nplan to implement moratoriums on software changes until some time after \nthe rollover to the new century. For example:\n  --In July 1998, HCFA notified the Congress of its intention to delay \n        implementation of certain provisions of the Balanced Budget Act \n        of 1997 that would have required changes to systems on which \n        Year 2000 modifications were being made. As of June 16, 1999, \n        HCFA had delayed work on seven provisions, in whole or in part, \n        associated with this act in order to meet the Year 2000 \n        challenge. In addition, HCFA reported that it had delayed \n        another information technology initiative because it would have \n        caused an unacceptable resource drain from the Year 2000 \n        effort. According to a HCFA official, the agency is in the \n        process of carefully examining all of the work associated with \n        the Balanced Budget Act of 1997 provisions and the other \n        initiative in order to make decisions as to the order and time \n        frames in which each will be accomplished after the Y2K effort.\n  --As we reported last year, the level of effort required for the \n        Internal Revenue Service (IRS) to make its information systems \n        compliant is without precedent.\\17\\ Accordingly, as the Senate \n        was debating the IRS Restructuring and Reform Act of 1998, the \n        IRS Commissioner provided the Joint Committee on Taxation with \n        a listing of 28 provisions that given their effective dates, \n        could affect IRS\' ability to complete its Y2K work as planned. \n        The final act extended the effective dates for 13 of the 28 \n        provisions about which IRS had expressed concern.\n---------------------------------------------------------------------------\n    \\17\\ Internal Revenue Service: Impact of the IRS Restructuring and \nReform Act on Year 2000 Efforts (GAO/GGD-98-158R, August 4, 1998).\n---------------------------------------------------------------------------\n  --Some agencies have delayed planned information technology \n        initiatives in order to concentrate on their Year 2000 efforts. \n        In December 1998 we reported that the Department of Housing and \n        Urban Development suspended systems integration work on three \n        mission-critical systems so that the department could focus its \n        resources on completing Y2K renovations.\\18\\ Also, in September \n        1998, the Department of State imposed a moratorium on non-Year \n        2000-related system development projects to focus scarce \n        resources on Y2K remediation.\n---------------------------------------------------------------------------\n    \\18\\ HUD Information Systems: Improved Management Practices Needed \nto Control Integration Cost and Schedule (GAO/AIMD-99-25, December 18, \n1998).\n---------------------------------------------------------------------------\n  --A backlog of system modifications will have to be addressed \n        subsequent to the change of century. In response to our January \n        1999 suggestion,\\19\\ OMB issued a memorandum in May stating \n        that agencies should follow a policy that allows system changes \n        only where absolutely necessary because such changes can \n        introduce additional risk into systems that have already been \n        certified as Y2K compliant and could divert resources from \n        other Year 2000 efforts. Accordingly, at least six agencies \n        have established, or plan to establish, moratoriums or \n        restrictions on system changes during parts of 1999 and early \n        2000.\n---------------------------------------------------------------------------\n    \\19\\ Year 2000 Computing Crisis: Readiness Improving, But Much Work \nRemains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20, \n1999).\n---------------------------------------------------------------------------\n    The total governmentwide volume of program and information \ntechnology activities delayed by Y2K efforts is not known; therefore, \nthe potential demand for additional information technology resources in \nthe future is difficult to predict. However, the costs of these delayed \nactivities could be significant. Accordingly, OMB will need to work \nwith the agencies to determine the magnitude of these pent-up demands \nin order to make informed funding decisions in the future.\n    In addition to these demands, increased resources will likely be \nneeded for another key issue that has been garnering increased \nattention--information security. This issue has many dimensions, \nranging from national security to economic disruption to privacy \nconsiderations. As we reported in September 1998, the expanded amount \nof audit evidence that has become available since mid-1996 describes \nwidespread and serious weaknesses in adequately protecting federal \nassets, sensitive information, and critical operations.\\20\\ These \nweaknesses place critical government operations, such as national \nsecurity, tax collection, and benefit payments, as well as assets \nassociated with these operations, at great risk of fraud, disruption, \nand inappropriate disclosures. Further, as we testified in September \n1998, the Year 2000 crisis is the most dramatic example yet of why we \nneed to protect critical computer systems because it illustrates the \ngovernment\'s widespread dependence on information systems and our \nvulnerability to their disruption.\\21\\\n---------------------------------------------------------------------------\n    \\20\\ Information Security: Serious Weaknesses Place Critical \nFederal Operations and Assets at Risk (GAO/AIMD-98-92, September 23, \n1998).\n    \\21\\ Information Security: Strengthened Management Needed to \nProtect Critical Federal Operations and Assets (GAO/T-AIMD-98-312, \nSeptember 23, 1998).\n---------------------------------------------------------------------------\n    Because of the longer-term danger of malicious attack from \nindividuals or groups, it is important that the government design long-\nterm solutions to this and other security risks. Accordingly, in \nresponse to recommendations by the President\'s Commission on Critical \nInfrastructure Protection, Presidential Decision Directive 63 was \nissued in May 1998, which, among other provisions, required federal \nagencies to develop plans for protecting their own critical \ninfrastructure, including cyber-based systems. These plans are \ncurrently undergoing review by the Critical Infrastructure Assurance \nOffice, which was established by the Presidential Directive.\nlessons learned from the government\'s year 2000 efforts can be applied \n              to future information technology activities\n    Throughout government--and likely in the private sector as well--\norganizations\' experiences in addressing Y2K hold valuable lessons \nabout how information technology can best be managed. For many \nagencies, the threat posed by the Year 2000 problem was a much-needed \nwake-up call. Because of the urgency of the issue, agencies could not \nafford to carry on in the same manner that had resulted in over a \ndecade of poor information technology planning and program management. \nAccordingly, lessons learned from the Year 2000 challenge should be \napplied to agencies\' implementation of the Clinger-Cohen Act of 1996 \nwhich, in part, seeks to strengthen executive leadership in information \nmanagement and institute sound capital investment decision-making to \nmaximize the return on information systems investments. Indeed, the \nDepartment of Defense has reported that its response to the Year 2000 \nproblem has become an example of an enterprisewide approach to \ninformation technology management advocated by the Clinger-Cohen Act of \n1996. It is important that agencies institutionalize the processes that \nthey have established to contend with the Year 2000 problem so that \nfuture information technology initiatives benefit from this massive \neffort.\n    Year 2000 programs provided agencies with the incentive and \nopportunity to assume control of their information technology \nenvironment. In many instances, it forced agencies to inventory their \ninformation systems, link those systems to agency core business \nprocesses, and jettison systems of marginal value. For example, in \nresponse to recommendations in our August 1998 report, the Department \nof State is in the process of identifying its core business functions \nand determining the relative importance of each function.\\22\\\n---------------------------------------------------------------------------\n    \\22\\ Year 2000 Computing Crisis: State Department Needs To Make \nFundamental Improvements To Its Year 2000 Program (GAO/AIMD-98-162, \nAugust 28, 1998).\n---------------------------------------------------------------------------\n    Earlier this year we also reported \\23\\ that the Year 2000 problem \nprovided the opportunity to institutionalize valuable lessons, such as \nthe importance of consistent and persistent top management attention, \naccompanied by reliable processes and reasonable controls. More \nspecifically, complete and accurate inventories of information systems \ncan facilitate remediation, testing, and validation activities. \nInformation gained from identifying and prioritizing mission-critical \nsystems can further be used to identify and retire duplicative or \nunproductive systems, and work that has been done to identify and \nestablish controls over data interfaces can help prevent data exchange \nproblems in the future. Similar lessons have been learned at the state \nlevel, according to three state Year 2000 project managers. Other \ncritical success factors cited by one of these project managers that \ncould be used in future information technology initiatives are the need \nto measure performance, outline responsibilities, and ensure \naccountability.\n---------------------------------------------------------------------------\n    \\23\\ Defense Information Management: Continuing Implementation \nChallenges Highlight the Need for Improvement (GAO/T-AIMD-99-93, \nFebruary 25, 1999) and Year 2000 Computing Crisis: Defense Has Made \nProgress, But Additional Management Controls Are Needed (GAO/T-AIMD-99-\n101, March 2, 1999).\n---------------------------------------------------------------------------\n    Another benefit of the Year 2000 effort was the establishment of \nmuch-needed information technology policies. Our Year 2000 enterprise \nreadiness guide \\24\\ called on agencies to develop and implement \npolicies, guidelines, and procedures in such critical areas as \nconfiguration management, quality assurance, risk management, project \nscheduling and tracking, and metrics. Several agencies have implemented \nsuch policies. For example:\n---------------------------------------------------------------------------\n    \\24\\ GAO/AIMD-10.1.14, September 1997.\n---------------------------------------------------------------------------\n  --In April 1999, we reported that according to Postal Service \n        officials, the service is implementing improved processes for \n        documenting software, testing, quality control, and \n        configuration management.\\25\\\n---------------------------------------------------------------------------\n    \\25\\ U.S. Postal Service: Subcommittee Questions Concerning Year \n2000 Challenges Facing the Service (GAO/AIMD-99-150R, April 23, 1999).\n---------------------------------------------------------------------------\n  --As part of its Year 2000 effort, HCFA has implemented policies and \n        procedures related to configuration management, quality \n        assurance, risk management, project scheduling and tracking, \n        and performance metrics for its internal systems.\n  --As we testified in February, the Customs Commissioner has committed \n        to leveraging the agency\'s Year 2000 experience by extending \n        the level of project management discipline and rigor being \n        employed on the year 2000 to other information technology \n        programs and projects.\\26\\\n---------------------------------------------------------------------------\n    \\26\\ Year 2000 Computing Crisis: Customs Is Effectively Managing \nIts Year 2000 Program (GAO/T-AIMD-99-85, February 24, 1999).\n---------------------------------------------------------------------------\n    Beyond individual agencies, the Year 2000 problem holds lessons in \noverseeing and managing information technology on a governmentwide \nbasis. In particular, actions taken by the Congress and the Chief \nInformation Officers Council have demonstrated that effective oversight \nand guidance can have a positive influence on major information \ntechnology efforts. Congressional oversight played a crucial role in \nfocusing OMB and agency attention on the Y2K problem. In addition, \ncongressional hearings on international, national, governmentwide, and \nagency-specific Year 2000 problems exposed the threat that this problem \nposes to the public. The Chief Information Officers Council has proved \nuseful in addressing governmentwide issues through its Year 2000 \nCommittee; this committee and its subcommittees have dealt with \nimportant issues such as best practices, telecommunications, and data \nexchanges. Continued oversight and guidance from the Congress and the \nChief Information Officers Council will be essential to ensuring the \nfuture effectiveness of information technology initiatives.\n    Another lesson that could be adopted in the future is the use of \npublic/private partnerships. To address the Year 2000 problem from a \nnational perspective, the President\'s Council on Year 2000 Conversion \nadopted a sector-based focus and has been initiating outreach \nactivities since it became operational last spring. As a result, the \nCouncil and federal agencies have partnered with private-sector \norganizations, such as the North American Electric Reliability Council, \nto gather information critical to the nation\'s Year 2000 efforts and to \naddress issues such as contingency planning. In addition, the Chair of \nthe Council has formed a Senior Advisors Group composed of \nrepresentatives from private-sector firms across key economic sectors. \nMembers of this group are expected to offer perspectives on \ncrosscutting issues, information-sharing, and appropriate federal \nresponses to potential Year 2000 failures. Other major information \ntechnology areas, such as information security, could benefit from such \nan approach.\n    In summary, it is clear that Year 2000 expenditures have been \nsignificant, sometimes unpredictable, and growing. Emergency \nsupplemental funds are planned for a variety of purposes, including \nrenovation, validation, and implementation of individual systems and \nthe independent verification and validation of these systems. Moreover, \nY2K cost growth may continue, especially if business continuity and \ncontingency plans must be put into operation or if state-administered \nfederal program remediation efforts are not completed. While correcting \nthe Y2K problem has been and continues to be costly, the experiences of \nindividual agencies and the government as a whole in meeting this \nchallenge have provided a renewed and needed focus on information \nsystems. We have come to realize how much we depend on them, and have \nbeen reminded of how they must be well-managed. As we attempt to meet \nfuture information technology and security challenges, these lessons \nshould not be lost.\n    Messrs. Chairmen, this completes my statement. I would be happy to \nrespond to any questions that you or other members of the Committees \nmay have at this time.\n                      contact and acknowledgments\n    For information about this testimony, please contact Joel \nWillemssen at (202) 512-6253 or by e-mail at <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3c4b55505059514f4f595256125d5551587c5b5d53125b534a12">[email&#160;protected]</a> \nIndividuals making key contributions to this testimony included Michael \nFruitman, James Hamilton, James Houtz, Linda Lambert, Michael Tovares, \nand Daniel Wexler.\n\nAppendix I.--Organizations Receiving Emergency Allocations (as of May \n1999)\n\n                             [In thousands]\n\n        Organization                                    Amount allocated\nDepartment of the Treasury....................................  $602,223\nDepartment of Health and Human Services.......................   323,858\nDepartment of Transportation..................................   192,789\nDepartment of Justice.........................................    84,396\nDepartment of the Interior....................................    80,347\nDepartment of State...........................................    64,918\nDistrict of Columbia..........................................    64,049\nDepartment of Commerce........................................    57,920\nGeneral Services Administration...............................    48,407\nDepartment of Agriculture.....................................    46,168\nExecutive Office of the President--Office of Administration...    29,791\nDepartment of Energy \\1\\......................................    23,840\nDepartment of Labor...........................................    17,792\nDepartment of Housing and Urban Development...................    12,200\nAgency for International Development..........................    10,200\nUnited States Information Agency..............................     9,562\nFederal Communications Commission.............................     8,516\nSecurities and Exchange Commission............................     8,175\nFederal Emergency Management Agency...........................     7,352\nNational Archives and Records Administration..................     6,662\nSmall Business Administration.................................     4,840\nSmithsonian Institution.......................................     4,801\nDepartment of Education.......................................     3,846\nFederal Trade Commission......................................     2,599\nOffice of Personnel Management................................     2,428\nOverseas Private Investment Corporation.......................     2,100\nUnited States Holocaust Memorial Council......................       900\nCorporation for National and Community Service................       800\nExecutive Office of the President--Office of the U.S. Trade \n    Representative............................................       498\nExport-Import Bank of the United States.......................       400\nRailroad Retirement Board.....................................       398\nNational Capital Planning Commission..........................       381\nCommodity Futures Trading Commission..........................       356\nSelective Service System......................................       250\nFederal Labor Relations Authority.............................       243\nAfrican Development Foundation................................       137\nOffice of Special Counsel.....................................       100\nMerit Systems Protection Board................................        66\nArchitectural and Transportation Barriers Compliance Board....        60\nMarine Mammal Commission......................................        38\n                    --------------------------------------------------------------\n                    ____________________________________________________\n\n      Total civil agencies.................................... 1,724,406\nDepartment of Defense.........................................   935,000\n                    --------------------------------------------------------------\n                    ____________________________________________________\n\n      Total allocations....................................... 2,659,406\n\n\\1\\ This amount does not include $13.65 million that was allocated to \nthe Department of Energy but was not transferred.\n\nSource: OMB.\n---------------------------------------------------------------------------\n\n                       Statement of Jacob J. Lew\n\n    Chairman Bennett. Mr. Lew, let\'s go to you now.\n    Mr. Lew. Thank you, Mr. Chairman, Senator Stevens. I am \ndelighted to be here with you this morning. I appreciate the \ninvitation to testify on the progress the Federal Government \nhas made in addressing the year 2000 problem.\n    As you well know, this is a problem that potentially has \nenormous implications for our Nation. I am very pleased we have \nbeen able to work together, and I want to thank Senator Stevens \nin particular for the cooperation on working to make sure that \nthe funding was in place to make sure that Y2K, as the \nPresident has said, will be remembered as the last headache of \nthe 20th Century and not the first crisis of the 21st.\n    I would like to address three topics today: First, the \nFederal progress in addressing the Y2K challenge; second, \nFederal agency costs and funding for these efforts; and third, \nthe next steps to assure that Federal programs that people \ndepend on will not be disrupted.\n    As you know, last week I sent both committees OMB\'s ninth \nquarterly report on Federal agency progress in addressing the \nY2K problem. That report shows that Federal agencies continue \nto make excellent progress in addressing the challenge.\n    Ninety-three percent of the Federal Government\'s mission-\ncritical systems are now compliant, which is an increase from \n79 percent reported in February. Fourteen of the 24 major \nFederal departments and agencies now report that they have 100 \npercent of their mission-critical systems Y2K-compliant, and 9 \nare over 90 percent.\n    This progress is attributed to the hard work of thousands \nof Federal employees and contractors and, I might add, to the \nrapid and timely availability of funding through the contingent \nemergency reserve. I would like to thank the committees for \nensuring Federal agencies have had adequate funds to address \nY2K remediation to date.\n    While much work remains to be done, we fully expect that \nall of the Government\'s mission-critical systems will be Y2K-\ncompliant before January 1, 2000. For some time, fixing the Y2K \nproblem has been the agency\'s number one information technology \npriority. Additionally, agencies are minimizing any kind of \nchanges to their systems that are not related to Y2K in order \nto ensure that they will be able to maintain the schedules that \nthey have set.\n    Based on guidance that we sent out just last month, \nagencies are using change management processes to ensure that \nany new IT requirement changes and system changes are minimized \nwhile they are completing dealing with the Y2K problem. This \neffort will ensure that agencies set realistic goals for the \ncompletion of their work, and will enable them and us to \nmeasure their progress against their own goals. As I said, we \nare confident that every mission-critical system will be ready \nfor the year 2000.\n    As you know, last September, the administration requested a \nfiscal year 1998 supplemental appropriation for $3,250 million \nin contingency emergency funding to address urgent emerging \nneeds related to Y2K activities. The 1999 omnibus bill provided \ncontingent funding of $2.25 billion for nondefense activities \nand $1.1 billion for defense-related activities. OMB is \nresponsible for allocating the nondefense contingent emergency \nreserve and for working with the Department of Defense (DOD) on \nits share as well.\n    To date, $1,768 million has been allocated from the \nnondefense reserve, and $14 million has been returned to the \nreserve at the request of the House Appropriations Committee. \nTherefore, $486 million remains in the reserve for unforeseen \nrequirements. Of the $1.1 billion provided for defense-related \nactivities, $935 million has been released, and $165 million \nremains in the reserve.\n    OMB has worked with the agencies on an ongoing basis to \nevaluate the total Y2K requirements and to determine how to \nbest utilize available nondefense funding for Y2K. First, OMB \nmade certain that agencies received funding for activities that \nwere requested in the President\'s fiscal year 1999 budget, but \nwere directed to be funded from the contingent emergency \nreserve.\n    As you know, there were a number of specifically mentioned \nitems. Since then, agencies have been asked to forward requests \nfor contingent emergency funding on an as-needed basis. These \nrequests were then reviewed by OMB to ensure that the requested \nfunding meets the criteria for release. First, that the funding \nis Y2K-related, and is the most cost-effective option to \nfacilitate compliance; second, that it addresses an unforeseen \nneed, not one accounted for within existing agency plans; and, \nthird, that it cannot be accommodated within appropriated \nlevels for fiscal year 1999. Finally, that they cannot be \naddressed using unobligated balances of already-released Y2K \nfunds.\n    Once the funds are allocated, OMB tracks the Y2K-related \nexpenditures to confirm that appropriate progress is being \nmade, and that each agency can cogently explain its cost levels \nand cost changes. All agencies that received emergency funding \nhave forwarded data on obligations to date to OMB, and this \ndata has informed our consideration of subsequent emergency \nrequests.\n    In the first OMB quarterly report issued in February 1997, \nwe estimated that the cost of Y2K compliance would be $2.3 \nbillion. Initially, it was thought that fixing the problem \nwould primarily involve mainframe computers and legacy \napplications. However, as we and others learned in the course \nof remediation, the problem is far more complex, involving \ndesktop personal computers, embedded chips, and \ntelecommunications components.\n    Cost increases from the first to the fourth OMB quarterly \nreport--that would be through March 1998, totalling $2.4 \nbillion--resulted from better understanding of the scope of the \nproblem and increasing agency attention to the cost estimates.\n    Since the broader universe of Y2K remediation was clearly \nestablished, costs have remained within a much more predictable \nband. From the fourth OMB quarterly report in March 1998, to \nthe ninth OMB quarterly report just this month, cost reports \nreported change by 4.7 percent of the 3-year total. Of this, \nestimates for defense have changed by 3.6 percent of the 3-year \ntotal.\n    The increase in fiscal year 1999 funding, $2.8 billion \nbetween the fourth and ninth OMB quarterly reports, has \nreported activities that have been subjected to a rigorous \npolicy review. Most of the cost increases can be attributed to \nspecific activities, remediation of information technology \nsystems, testing to ensure that systems are Y2K compliant, \nreplacement of embedded computer chips, and creation and \nverification of business continuity plans.\n    Fiscal year 2000 costs, which have increased by $509 \nmillion over the same period, are primarily for Y2K project \noffices to manage and monitor the transition into 2000, as well \nas for retesting and recertifying contingency plans. The \ndetails of agency spending plans continue to be made available \nfor your review as the process moves forward.\n    Most of the work on fixing mission-critical systems is \ncompleted, so OMB will focus its system-readiness on ensuring \nthe readiness of individual systems. In addition, OMB and the \nagencies are beginning to focus on two new priorities: ensuring \nthe readiness of Federal programs, particularly 43 high-impact \nprograms that we have identified, and planning for business \ncontinuity and contingencies.\n    We must make sure that the Federal programs, particularly \nthose that have a direct and immediate effect on health, safety \nand well-being of the public, function smoothly. As I have just \nrelated to you, we are confident that the mission-critical \nsystems will be ready, but because Federal programs partner \nwith other entities. It is critically important that all \npartners are working together to ensure that the programs they \nsupport will be ready.\n    The critical task is to make sure that not just systems but \nthe programs they support will be ready. Accordingly, I have \nasked agencies to take this additional step.\n    OMB has also identified 43 high-impact, federally supported \nprograms, and directed Federal agencies to take the lead on \nworking with others to ensure that programs critical to health, \nsafety, and well-being will provide uninterrupted service. \nAgencies have also been asked to help partners develop year \n2000 plans if they have not already done so to ensure that \nthese programs will operate effectively.\n    Agencies are reporting to us monthly, and will demonstrate \nthe readiness of each program by September 30, 1999. Although \nwe expect all Federal mission-critical systems to be ready by \nJanuary 1, 2000, it is still important that every agency, no \nmatter how well-prepared, have a business continuity and \ncontingency plan in place.\n    Agencies have identified their core business functions and \nare using this as a basis for developing business continuity \nand contingency plans which will ensure that these core \nbusiness functions will operate smoothly no matter what kinds \nof glitches occur in agency systems or with agency partners.\n    Let me make it clear, we do not anticipate disastrous \nconsequences as a result of the year 2000 computer problem in \nFederal systems. However, it is possible there will be problems \nthat result in minor disruptions to the way agencies operate. \nAgencies are prioritizing functions and systems and work-\narounds and backup plans are being established as \ncontingencies.\n    On May 13, I issued guidance on this subject, asking all \nagencies, including small and independent agencies, to submit \nto OMB by June 15 their business continuity and contingency \nplans. These plans are an increasingly important component of \nagency progress. Like a good insurance policy, a sound plan is \nimportant no matter how well you are taking care of your \nsystem. I have directed agencies to use the GAO guidance in \npreparing their plans.\n    Additionally, many agencies are working closely with their \ninspectors general and their expert contractors in the \ndevelopment and testing of these plans. OMB is reviewing the \nhigh-level business continuity and contingency plan (BCCP) of \nagencies and will provide feedback and guidance to the agencies \non an individual basis.\n    In conclusion, during the 192 days remaining before the \nyear 2000, we plan to complete work on the remaining mission-\ncritical systems and on other Federal systems. We will conduct \nend-to-end testing with the States and other key partners, \nplacing special emphasis on the readiness of programs that have \na direct and immediate impact on public health, safety, and \nwell-being.\n    We will complete and test business continuity and \ncontingency plans as insurance against any disruptions related \nto Y2K failures. We will promote Y2K awareness with State, \nlocal, and tribal governments with the private sector and with \nother nations.\n\n                           prepared statement\n\n    Again, I want to thank you for the opportunity for allowing \nme to share this information with you. The administration \ncontinues to treat this challenge with the high level of \nattention that it deserves. We have enjoyed the cooperative \nrelationship that we have had with this committee and with the \nAppropriations Committee to work together on this problem.\n    Thank you.\n    [The statement follows:]\n                   Prepared Statement of Jacob J. Lew\n    Good morning, Chairman Stevens, Chairman Bennett, Senator Byrd, and \nSenator Dodd. I am pleased to appear before the Committees to discuss \nthe Federal Government\'s progress in addressing one of the most complex \nmanagement challenges it has ever faced, the year 2000 problem. The \nFederal Government is not alone in addressing this challenge, as the \nSenate wisely recognized last year when it formed the Senate Special \nCommittee on the Year 2000 Technology Problem. This is a problem with \npotentially enormous implications for our Nation. Every sector of our \neconomy and all organizations large and small must work together so \nthat we can, as the President said in his State of the Union Address, \nmake sure that the Y2K computer bug will be remembered as the last \nheadache of the 20th century, not the first crisis of the 21st.\n    Today, I would like to address three topics. First, I will describe \nFederal progress in addressing the Y2K challenge. Second, I will \ndiscuss Federal agency costs and funding for these efforts. Third, I \nwill describe our next steps to assure that Federal programs that \npeople depend upon will not be disrupted. These next steps include \nfocusing on completion of individual systems, ensuring the readiness of \nFederal programs, and completion of business continuity and contingency \nplans.\n                            federal progress\n    As you know, the Federal Government has been working for more than \nthree years on this problem. Last week I sent to Congress OMB\'s ninth \nquarterly report on Federal agency progress in addressing the Year 2000 \nproblem. That report shows that Federal agencies continue to make \nexcellent progress in addressing this challenge. In particular, it \nshows that 93 percent of the Federal Government\'s mission critical \nsystems are now compliant, an increase from 79 percent reported in \nFebruary.\n    Fourteen of the 24 major Federal departments and agencies now \nreport that 100 percent of their mission critical systems are Y2K \ncompliant. These agencies are: the Departments of Education, Housing \nand Urban Development, Interior, Labor, State, and Veterans Affairs; \nthe Environmental Protection Agency, the Federal Emergency Management \nAgency, the General Services Administration, the National Science \nFoundation, the Nuclear Regulatory Commission, the Office of Personnel \nManagement, the Social Security Administration, and the Small Business \nAdministration.\n    In addition, two agencies, Commerce and NASA, report that 99 \npercent of their mission critical systems are compliant and that they \nexpect to be finished soon. Three agencies, the Departments of \nAgriculture, Energy, and Health and Human Services, are between 96 and \n97 percent compliant. Four agencies report that between 90 and 94 \npercent of their mission critical systems are compliant, including the \nDepartments of Justice and Transportation at 92 percent. The Department \nof Defense reports that 87 percent of its systems are compliant, while \nthe U.S. Agency for International Development has completed \nimplementation of three of its seven mission critical systems.\n    From a base of 6,190 mission critical systems at this time, 410 \nmission critical systems remain to be finished, down from 1,354 in the \nlast report. The compliant systems include those that have been \nrepaired or replaced as well as systems that were already compliant. Of \nthe mission critical systems that remain to be finished, 87 (82 \npercent) are being repaired, 35 (10 percent) are being replaced, and 24 \n(eight percent) are being retired. We are monitoring the completion of \neach remaining system through monthly reports from the agencies.\n    This progress is a tribute to the hard, skillful, and dedicated \nwork of thousands of Federal employees and contractors. Moreover, the \nrapid availability of funds through the contingent emergency reserve \nhas been key to ensuring progress. I would like to thank the Committees \nfor ensuring that Federal agencies will not fail to meet the Year 2000 \ndeadline because of lack of adequate funding.\n    While much work remains to be done, we fully expect that all of the \nGovernment\'s mission critical systems will be Y2K compliant before \nJanuary 1, 2000. For some time, fixing the Year 2000 problem has been \nthe agencies\' number one information technology (IT) priority, as other \nIT projects are being delayed until the Y2K work is done. This action \nhas been managed throughout OMB\'s budget process.\n    Additionally, agencies are minimizing any kind of changes to their \nsystems unrelated to Y2K in order to ensure that they will be able to \nmaintain the schedules they have set for completion of their work. \nChanges not only divert resources from fixing the Y2K problem, but may \nalso undo Y2K fixes. Based on guidance I issued on May 14, 1999, \n``Minimizing Regulatory and Information Technology Requirements,\'\' (M-\n99-17), agencies are using change management processes to ensure that \nnew IT requirements or changes to IT systems are minimized.\n    Again, this effort will ensure that agencies set realistic goals \nfor the completion of their work and will enable them--and us--to \nmeasure their progress against their own goals. Agencies are working \nhard to finish fixing their systems, and we are confident that every \nmission critical system will be ready for the year 2000.\n                         y2k costs and funding\n    First and foremost, I want to recognize that the transition into \nthe Year 2000 has posed a unique challenge. Formulating the Federal \nresponse has required a great deal of attention, hard work, and \nflexibility. In advance of my more detailed comments on this subject, \nlet me thank you for all of your work and leadership in helping to \nensure that sufficient funds are available in a timely manner to \naddress Y2K remediation. As we have scrutinized agency requests and \nfunded the most critical ones, the utility of this funding mechanism \nhas been proven many times. Simply put, without such a fund, many \nFederal agencies would not be nearly as far along in their efforts as \nthey are today.\n    I would also like to emphasize that the Administration\'s strategy \nfor monitoring Government-wide progress on Y2K has been predicated on \nagency accountability. We have systematically monitored agency progress \nusing a range of performance measures--compliance of mission critical \nsystems, status of mission critical systems being repaired, progress on \nhigh impact programs, etc., as well as agency Y2K cost estimates. These \nmeasures are linked, and together provide the most accurate picture of \nthe Government\'s overall readiness. On a quarterly basis (or more \nfrequently, if needed), agencies have been required to update OMB on \ntheir Y2K progress and to explain all significant changes in these \nmeasures.\n    We have tried to strike the appropriate balance to ensure agency \naccountability without diverting vital resources from Y2K compliance \nactivities to reporting requirements. In addition, the Administration \nhas tried to be as forthright as possible in sharing information about \nY2K readiness. OMB has directed that agency quarterly reports and \ndetailed spending plans be forwarded to Congress, and we have \nappreciated your input as we have worked together to address the \nchallenge posed by Y2K.\n    As you know, last September the Administration requested an fiscal \nyear 1998 supplemental appropriation for $3.25 billion in contingent \nemergency funding to address urgent, emerging needs associated with Y2K \nconversion activities. This request was consistent with Senate action \nto that point. The Omnibus bill provided contingent emergency funding \nof $2.25 billion for non-defense activities and $1.1 billion for \ndefense-related activities for Y2K computer conversion. As you also \nknow, OMB is responsible for allocating the non-defense contingent \nemergency reserve. To date, $1.768 billion has been allocated from the \nnon-defense reserve, and $14 million has been returned to the reserve \nat the request of the House Appropriations Committee. Therefore, $496 \nremains in reserve for unforeseen requirements. Of the $1.1 billion \nprovided for defense-related activities, $935 million has been released \nand $165 million remains in reserve.\n    In order to determine how to best utilize all available non-defense \nfunding for Y2K--both base appropriations and emergency funding--OMB \nhas worked with agencies on an ongoing basis to evaluate total Y2K \nrequirements. First, OMB made certain that agencies received funding \nfor activities that were requested in the President\'s Fiscal Year 1999 \nBudget, but were directed to be funded from the contingent emergency \nreserve. Since then, agencies have been asked to forward requests for \ncontingent emergency funding on an as-needed basis. These requests are \nthen reviewed by OMB examiners from both the Resource Management \nOffices (RMOs)--liaisons to the individual agencies--and analysts from \nour Information Policy and Technology Branch. In combination, they \nreview these requests to ensure that requested funding is:\n  --Y2K-related and is the most cost-effective option to facilitate \n        compliance.\n  --Addresses an unforeseen need, not one accounted for within existing \n        agency plans.\n  --Cannot be accommodated within appropriated levels for fiscal year \n        1999.\n  --Cannot be addressed using unobligated balances of Y2K emergency \n        funding.\n    In some cases, funds have also been requested to support outreach \nto non-Federal entities in support of the efforts of the President\'s \nCouncil on Year 2000 Conversion.\n    Once reviewed and discussed with the affected agency, OMB staff \nmake recommendations to OMB policy officials. These levels are then \nfinalized and included in an emergency release. As you know, pursuant \nto last Omnibus Act, detailed information on each affected agency\'s \nspending plan, as well as an account-by-account breakdown of the \nrequest as a whole, is provided to your and other Committees. The funds \nin the release are not made available to the agencies until 15 days \nafter the transmittal.\n    Once the funds are allocated, each Resource Management Office has \nbeen tasked with tracking the Y2K-related expenditures for the agencies \nit oversees, including emergency expenditures. At a minimum, the RMOs \nreview the agency quarterly report to confirm that appropriate progress \nis being made and that each agency can cogently explain its cost levels \nand cost changes. Then, depending on an agency\'s status, RMOs have used \ndifferent methods to track Y2K-related spending. All agencies that have \nreceived emergency funding have forwarded data on obligations to date \nto their RMOs. This data has informed our consideration of subsequent \nemergency requests, and has resulted in several reprogramming requests \nrather than additional releases. For example, in the Department of \nHealth and Human Services, we recently reprogrammed funds from HCFA to \nthe Administration for Children and Families. More reprogramming \nactions may be forthcoming as agencies further refine their estimates \nfor fiscal year 1999 and 2000.\n    In addition, some RMOs monitor Y2K-related obligations and/or \noutlays on a more regular basis, and require detailed information on \nthe expenditure of both base and emergency resources. Finally, because \nof their unique period of availability (fiscal year 1999-fiscal year \n2001), emergency funds are very transparent in terms of budget \nexecution. The RMOs have been given discretion in terms of treatment of \nboth base and emergency funds in the apportionment process, as is OMB\'s \ngeneral policy.\n    Your Committees have asked me to focus on the cost increases since \nthe 1st OMB Y2K Quarterly Report, which was issued February 1997. In \nthat report, the five year (fiscal years 1996-2000) Federal cost of Y2K \nwas reported estimated at $2.3 billion. However, it is now clear that \nin the first quarterly report, we were not fully aware of the magnitude \nof the year 2000 problem. Initially, it was thought that fixing the \nproblem would primarily involve mainframe computers and legacy \napplications.\n    However, as we and others learned in the course or remediation, the \nproblem was far more complex, involving desktop personal computers, \nembedded chips, and telecommunications components. Cost increases from \nthe 1st to 4th OMB Quarterly Report (through March 1998), totaling $2.4 \nbillion, resulted from a better understanding of the scope of the \nproblem and increasing agency attention on the cost estimates. It is \nimportant to note that until fiscal year 1999 agencies funded their \nyear 2000 costs exclusively out of base appropriations. Prior to the \navailability of emergency funding, all costs increases were absorbed \nwithin agency operating budgets.\n    Since the broader universe of Y2K remediation was clearly \nestablished, costs have remained within a more predictable band. From \nthe 4th OMB Quarterly Report (March 1998) to the 9th OMB Quarterly \nReport (June 1999), costs reported for fiscal years 1996-1998 changed \nby $164 million, or 4.7 percent of the three-year total. Of this, \nestimates for Defense have changed by $128 million, or 3.6 percent of \nthe three-year total. Since last March, then, cost estimates for non-\ndefense agencies for fiscal years 1996-1998 for have changed by a \nlittle more than one percent.\n    The increase in fiscal year 1999 funding, $2.8 billion between the \n4th and 9th OMB Quarterly Reports, has supported activities that have \nbeen subjected to the rigorous policy review that I have discussed. \nMost of the cost increases can be attributed to specific activities: \nremediation for information technology systems, testing to ensure that \nsystems are Y2K compliant, replacement of embedded computer chips, and \ncreation and verification of BCCPs. I am confident that this funding \nhas helped to ensure that important Federal programs will have a smooth \ntransition into the year 2000. Fiscal year 2000 costs, which have \nincreased by $509 million over the same period, are primarily for Y2K \nproject offices to manage and monitor the transition into 2000, as well \nas for retesting and recertifying contingency plans. The details of \nagency spending plans continue to be made available for your review as \nthis process moves forward.\n    I would now like to turn to another issue that I have been asked to \naddress: the difference between agency estimates and actual costs. I \nbelieve that this question stems from the cost table in each OMB \nQuarterly Report. In that table, past years (fiscal years 1996-1998) \nare characterized as estimates even though, as you know, the budgetary \ndata for those years reflects actual expenditures. With OMB\'s approval, \nagencies have refined the universe of Y2K-related costs since fiscal \nyear 1996. As an activity is added to the Y2K universe, we want to make \ncertain that we are capturing the five-year cost of that activity. For \nexample, a Department may not have reported embedded chip replacement \nas part of their initial Y2K estimate. However, they later received \nguidance to do so. In such a case, OMB has worked with the Department \nto verify that the multi-year cost of embedded chip replacement was \nbeing reported. If this required changing an estimate in a past fiscal \nyear, agencies did so with OMB approval. At the same time, future year \nestimates may have been adjusted to account for newly recognized \nactivities. Thus, although the budget data for fiscal years 1996-1998 \nare actuals, since recognition of the scope of the Y2K problem has \nchanged over time, OMB has not asked for or characterized costs for \nthose years as actuals.\n    Another component of this issue is that Y2K-related expenses can be \naggregated at a level below or above budget accounts. Y2K-related \nexpenses are embedded in broader operating budgets. We have worked to \nensure that we are capturing Y2K-related costs and that agencies are \nmaking defensible and standardized assumptions about these costs. \nConversely, we are trying to filter out activities that were wholly \nplanned for and would have been implemented regardless of Y2K.\n                               next steps\n    As I stated earlier, now that most of the work on fixing mission \ncritical systems is completed, OMB will shift its focus from aggregate \nfigures for system readiness to ensuring the readiness of individual \nsystems. In addition, OMB and the agencies are beginning to focus on \ntwo new priorities.\n  --Ensuring the readiness of Federal programs, particularly 43 high \n        impact programs that we have identified.\n  --Planning for business continuity and contingencies.\nEnsuring the Readiness of Federal Programs\n    While we have made excellent progress in preparing our systems, we \nare not yet done. We must make sure that Federal programs, particularly \nthose that have a direct and immediate affect on the health, safety, \nand well-being of the public, function smoothly. As I have just related \nto you, we are confident that critical systems will be ready. But \nbecause Federal programs partner with other entities, including other \nFederal agencies; State, Tribal, and local governments; banks; \ncontractors; vendors; and other entities; it is critically important to \nensure that all partners are working together to ensure that the \nprogram they support will be ready. The critical task is to make sure \nthat not just systems, but the programs they support, will be ready.\n    Accordingly, on March 26, 1999, I asked agencies to take this next \nstep. I also identified 42 ``high impact\'\' Federally supported programs \nand directed Federal agencies to take the lead on working with other \nFederal agencies, State, Tribal, and local governments, contractors, \nbanks, and others to ensure that programs critical to public health, \nsafety, and well-being will provide uninterrupted services. Examples \ninclude Medicare and Unemployment Insurance. The list was subsequently \nrevised to include the National Crime Information Center at the \nDepartment of Justice, bringing the total to 43.\n    Agencies have also been asked to help partners develop year 2000 \nplans if they have not already done so to ensure that these programs \nwill operate effectively. Such plans are to include end-to-end testing, \ndeveloping complementary business continuity and contingency plans, and \nsharing key information on readiness with partner organizations and \nwith the public. Agencies are reporting to us monthly and will \ndemonstrate the readiness of each program by September 30, 1999. A \ntable of the programs, including the partners agencies are working with \nis included last week\'s quarterly report.\nBusiness Continuity and Contingency Planning\n    Although we expect all Federal mission critical systems to be ready \nby January 1, 2000, and although we are prepared to demonstrate the \nreadiness of a number of critical programs, it is still important that \nevery agency, no matter how well prepared, have a business continuity \nand contingency plan (BCCP) in place.\n    Agencies have identified their core business functions and are \nusing these as a basis for developing business continuity and \ncontingency plans, which will ensure that these core business functions \nwill operate smoothly, no matter what glitch may occur in an agencies\' \nsystems or with an agencies\' partners. While we are confident that the \nmeasures taken for Y2K compliance are sound, the chance remains that, \ndespite testing, a bug may still slip through. Furthermore, elements \nbeyond an agency\'s control are at risk from the Y2K problem as well. \nFor example, bad data from a data exchange partner or the inability of \na vendor to provide key supplies could disrupt work at an agency.\n    Let me make it clear that we do not anticipate any disastrous \nconsequences as a result of year 2000 computer problems in Federal \nsystems. It is possible, and even likely in some situations, that there \nwill be glitches in systems that result in minor disruptions to the \nways that agencies operate. Accordingly, for each core business \nfunction and its associated systems, agencies have identified risk \nfactors, and assigned them a probability rating as well as an impact \nrating. The agencies use these ratings to prioritize functions and \nsystems. Work-arounds and back-up plans are established as \ncontingencies.\n    Although we do not expect any disasters, it is always wise to \nprepare for the worst. Since the 1970s, agencies have been required to \nhave in place Continuity of Operations plans (COOP plans), to address \nsuch emergencies. In the event of a disaster, whether related to Y2K or \nto a national emergency, such as a terrorist attack or regional weather \nemergency such as a tornado or violent snowstorm, agencies are using \ntheir COOP plans to ensure that the agency will continue to function. I \nalso asked agencies to ensure that the development of their BCCP was \ncoordinated with pending revisions to each agency\'s COOP plan. Again, \nalthough we do not expect any kind of Y2K disaster, agencies are \ndeveloping plans, in coordination with their BCCPs, to address this \ncontingency.\n    On May 13, 1999, I issued guidance on this subject, ``Business \nContinuity and Contingency Planning for the Year 2000,\'\' (M99-16). This \nmemorandum asked all agencies, including small and independent \nagencies, to submit to OMB by June 15 their business continuity and \ncontingency plans (BCCPs). This memorandum also identified a number of \ninfrastructure areas for which agencies should make common assumptions, \nsuch as electric power, financial services, and public voice and data \ncommunications. This common assumption is that there will be no nation-\nwide disruptions within these infrastructure services.\n    By setting these risk areas aside from agencies\' business \ncontinuity and contingency planning, agencies are able to focus on \nensuring that their core business functions and affiliated systems will \nwork. In the extremely unlikely event that a catastrophic emergency \noccurs that damages local infrastructure, communications, or the agency \nbuilding itself--whether caused by Y2K, or by a natural disaster, \nterrorism, or war--the agency\'s COOP plan will address these \ncontingencies.\n    On the international side, the State Department is leading a \nworking group of those agencies with employees overseas in order to \ndevelop risk assumptions and appropriate responses, to be used in the \ndevelopment and refinement of those programs\' BCCPs.\n    BCCPs are an increasingly important component of agency progress. \nLike a good insurance policy, a sound plan is important, no matter how \nwell you have taken care of your systems. To ensure quality and \nconsistency, I have directed agencies to use the General Accounting \nOffice\'s (GAO) guidance on this subject in preparing their plans. \nAdditionally, many agencies are working closely with their Inspectors \nGeneral and/or expert contractors in the development and testing of \nthese plans. Finally, OMB is reviewing the high-level BCCPs of \nagencies, which were due June 15, and will provide feedback and \nguidance to the agencies on an individual basis.\nPrepayment\n    As part of their contingency planning, some agencies have explored \nthe possibility of making some payments in December that would \notherwise be due in January to beneficiaries, contractors, and others. \nHowever, the Administration has determined that such actions are not \nnecessary at this time, given the level of readiness of agency payment \nsystems and agency business continuity and contingency plans. Moreover, \nthe extensive downside risk to prepayment mitigates strongly against \nimplementing this contingency plan in all but the most exceptional \ncircumstances.\n    First, and most importantly, issuing such payments early would \nrequire reprogramming of payroll and other financial management \nsystems. I have previously stated that any changes to systems should be \nminimized as they not only divert resources from fixing the Y2K \nproblem, but also may undo Y2K fixes. It would be highly irresponsible \nto implement a contingency plan that could worsen the year 2000 \nproblem.\n    Second, making early payments would have tax implications for \nindividuals and businesses. Undoing any tax implications would require \nlegislative changes for the Internal Revenue Service, which in turn \nwould be required to make changes to the tax code and to their systems. \nAll of these actions would be both costly and time-consuming.\n    Third, such actions could easily be interpreted by the public as an \noverall sign of lack of confidence in the ability of the Government to \nmake its payments after January 1. Such a signal could prove disastrous \nfor the national economy as panicked citizens turn to withdrawing their \ncurrency in anticipation of a currency shortage. This sort of panic is \na self-fulfilling prophecy. Public panic and overreaction is a problem \nfar larger than the technology problem and something we are very \nconcerned about.\n    Finally, even allowing prepayment in extremely limited areas \nincreases pressure to provide early payment for everyone.\n    Any uncertainty about the readiness of agencies to make benefits \npayments should be mitigated by continuing to focus on fixing and \ntesting systems. Agencies should also consider alternative contingency \nplans that do not introduce such high levels of Y2K risk into systems \nor that could propagate public panic.\n    Despite these concerns, however, there may be a few rare instances \nin which early payment is the best option. In any such instances, \nagencies may request authority from OMB to pay certain benefits early \nif certain criteria are met. These include demonstration that there \nwill be substantial harm to individuals from not getting a timely \npayment, a high likelihood that timely payments (either by normal \nprogram operation or through a contingency) will not be made, assurance \nthat early payments made will be targeted only to those recipients who \nwould be harmed, and that early payment will substantially mitigate the \nharm. The agency must also be willing to make a public announcement of \nthese decisions and to work with the Department of Treasury so that \nadequate cash management practices are maintained. Throughout the \nremainder of the year, we will continue to review this matter with \nagencies.\n                              conclusions\n    In conclusion, during the 192 days remaining before the year 2000, \nwe plan to:\n  --Complete work on remaining mission critical systems and on other \n        Federal systems.\n  --Conduct end-to-end testing with the States and other key partners, \n        placing special emphasis on ensuring the readiness of programs \n        that have a direct and immediate impact on public health, \n        safety, and well-being.\n  --Complete and test business continuity and contingency plans as \n        insurance against any disruptions related to Y2K failures.\n  --Promote Y2K awareness with State, local, and Tribal governments, \n        with the private sector, and with other Nations.\n    Thank you for the opportunity to allow me to share information with \nyou on the Administration\'s progress. The Administration continues to \ntreat this challenge with the direct, high-level attention it deserves. \nThe additional focus on the year 2000 problem by the President, \nCongress, and the public has resulted in agencies focusing management \nattention on the issue and taking a close look at their resource needs. \nThe Year 2000 contingent emergency reserve has helped ensure that \nagencies have access to funds to facilitate their work. OMB remains \ncommitted to working with the Committees and Congress on this critical \nissue. I would be pleased to answer any questions you may have.\n\n   Number of Federal mission-critical systems that are Y2K compliant\n\n    Chairman Bennett. Thank you very much. You use the phrase, \n93 percent compliant as of June. That is the same number that \nJohn Koskinan reported in the end of March. Are you simply \nreporting that number, or are you telling us subliminally that \nthere has been no progress from the end of March?\n    Mr. Lew. Well, the February report we submitted was at 79 \npercent, so from February until now we have gone to 93 percent. \nI think you have to look at the other areas where we have \nclosed in on the 100 percent, and the fact that we have 14 \nagencies that are now 90 percent compliant or better.\n    Chairman Bennett. I do not want to quibble numbers with \nyou, but there are enough people who follow this on the \nInternet. We need to be careful here and give you an \nopportunity to focus on it.\n    The President set March 31 as the deadline by which every \nFederal agency was supposed to be 100-percent compliant. A \nnumber of agencies missed that deadline, and John Koskinan \nreported when that deadline came, a 93-percent overall number \nfor the Federal Government. We are now 60 days beyond, 75 days \nbeyond March 31, and you are using the 93 percent number. Are \nyou using the 93 percent number because that is the last number \nwe have and it comes as of March 31, or are you telling us that \nwe are stuck, as of March 31, and we are still at the 93 \npercent number?\n    Mr. Lew. No, Senator, I am certainly not saying we are \nstuck. The numbers I am using are based on the ninth quarterly \nreport we submitted to you last week. John Koskinan was basing \nhis comments in March on estimates which were not yet in our \nquarterly report system and may have anticipated some of the \nprogress that has been made.\n    Chairman Bennett. So you are saying the 93 percent at the \nend of March was not fully accurate.\n    Mr. Lew. Well, I am saying it was an estimate. The numbers \nin the quarterly report are based on the rigorous review that \nwe do of each agency\'s reporting, and the estimate in between \nreports is necessarily based on--I do not want to say less \naccurate data, but estimates are different than actual numbers, \nas we will probably discuss in other regards as well.\n    I think the important thing to focus on is that we are \nmaking continuous progress and very rapid progress in the areas \nwhere we had the most catching up to do. Look at the largest \nand most complicated departments, an agency like HHS with HCFA, \nwhere they have made tremendous progress such that HCFA is now \ncompliant. Some of the resources that we thought would be \nneeded for HCFA have actually been shifted over to other HHS \nactivities because HCFA has completed most of its work.\n    You look at the Defense Department, where they have more \nsystems than anywhere else. They are down to the point now \nwhere they are working on their systems that are not yet in \nservice, the new technologies that have not yet been put in \nplace. They are making great progress to ensure that they have \ncontinuity and that they do not have the kinds of delays that \nwe had feared, if they could not get new systems to be \ncompliant.\n    So I think we are continuing to make very good progress. I \ndo not want to suggest for a minute we do not have a lot of \nwork to do. We will be working very hard for the remainder of \nthe time we have, and I think you will see in May and June and \nJuly and August considerable progress in each of the months.\n    As I looked over the report, I was struck at how many \nagencies expected to be reporting substantial progress in the \nvery near-term timeframe. Now, I am not surprised by that. We \nwould hope, given that we are 192 days away from the year 2000, \nthat we would be seeing ourselves closing down problems at a \nrapid pace, and that is what our reports are showing, so I \nthink we have continued to move forward. If there is some \nconfusion between the numbers that were based on estimates and \nthe quarterly reports, I would be happy to go through it \noutside of the hearing and look at what might lie behind that.\n    Chairman Bennett. I think it is important to get it very \nclear, because one of our problems with respect to Y2K is the \nquestion of public confidence, and there are those who have \nattacked this committee for being too alarmist. Saying we are \ngoing to set off a panic that will be worse than the problem. \nObviously, I do not accept that criticism. I think the \ncommittee has been responsible, but again, back to the public \nperception here.\n    The President said 1 year, 1\\1/2\\ years ago when he made \nhis statement on Y2K, I believe it was at the National Science \nFoundation, that every Federal agency would be 100 percent \ncompliant by March 31, 1999. We did not make that. I applauded \nthat as the goal at the time he said it, and said that is the \nright goal, and that is what we should strive for, but \nprivately I thought, we are not going to make it.\n    All right, we did not. Now, the number that was put out by \nthe administration as of that date was 93 percent, and we were \ntold the new target date for 100-percent compliance is June 30. \nNow, June 30 is 2 weeks away, and if there is an announcement \nas of June 30 that we are 93 percent compliant, people who will \nnot go into the details that you have shared with us here are \ngoing to start to panic and say, the Federal Government is not \nmaking it, has not had any progress.\n    So without asking for a specific response here--and I will \nbe talking with John Koskinan tomorrow, we talk every week \neither face-to-face or on the phone--I will just signal that \nthere is that public perception problem that has to be dealt \nwith. Either the statement is made as of the end of June we are \nnow up to 97, or whatever the number, or hey, we need to revise \nwhat was said in March that it was an estimate. We now know \nthat the reality is that--I mean, we adjust statements around \nhere all the time, when more data comes in. This is where we \nwere in March, and we have made this much progress to June 30.\n    I am gathering from your testimony that we will not be able \nto announce on June 30 that we are 100-percent compliant.\n    Mr. Lew. No, I do not think we will be able to announce we \nare 100-percent compliant, but I am hopeful we will be able to \nshow more continuing progress. Obviously, from our report last \nweek to the end of June is a fairly short window, so I do not \nwant to raise unreasonable expectations about how much we will \nbe able to say, over what is really a matter of a few weeks, \nbut we are not just doing quarterly reports.\n    We are keeping daily contact, as you mentioned. We are in \nregular contact with the committee as well. If there is a \nconcern that we are not putting out frequent enough benchmarks \nof how much progress is made in a way that can be tracked \nclearly by the public, that is something we can look into.\n    I think the underlying facts are better than the impression \nthat you are suggesting, which means we have a communication \nproblem.\n    Chairman Bennett. I think there are too, and I think it is \na joint responsibility of the Congress and the administration \nto get the information out so that we do avoid panic.\n    Yes, Mr. Walker.\n    Mr. Walker. Mr. Chairman, for the benefit of you and the \ncommittee, based upon self-reported data that we see from the \nagencies as of May 14, the number was 94 percent, and hopefully \nJack will end up having more recent numbers in the near future.\n    Second, I have asked Joel Willemssen to join me, Mr. \nChairman, in part because of his expertise and in part because \nof the recognition of the work that he and his team has done in \nthe Y2K area working with your committee and others.\n\n           Has the Y2K problem undermined computer security?\n\n    Chairman Bennett. Thank you, and the record will show, Mr. \nWillemssen, that you are at the table and available. If the \ntime comes that you need to speak up, you will be identified \nfor the record.\n    Let me get a dialogue going between the two witnesses for \njust a minute before I call on Senator Stevens. Mr. Walker, I \nwas impressed by your statement in two areas, both of which I \nagree with absolutely. The first one had to do with pent-up \ndemand. We are finding that in the private sector as well that, \nas we do our hearings in the special committee, more and more \nindustries are saying they are going to have no more IT \nactivity the last half of 1999 because we are concentrating so \nheavily on testing and final installation of Y2K solutions, and \nsince we do not want any new initiatives, there will be a \nsignificant pent-up demand.\n    Some high tech companies on the reverse side of that are \nreporting anticipation of lower sales in the third and fourth \nquarters of 1999, because they say that customers are so \nwrapped up in Y2K they do not have the time to look at anything \nnow, and then it will explode in 2000.\n    Now, if we have serious Y2K problems, the preoccupation of \nY2K will not carry over in the first and second quarters of \n2000. The pent-up demand will not hit until they are taken care \nof, but is very much there. I would think, Mr. Lew, that it has \ngot to be a real planning headache for OMB, and it is \ninformation that we in the Congress need as we face the \nappropriations process.\n    Because, as Chairman Stevens can tell you more eloquently \nthan anybody, dealing with the caps and the challenges of the \nappropriations process is very, very difficult. To say, ``Well, \nthere is all this pent-up demand, where we are going to need \nmore funds for Y2K capability,\'\' and that is caused by the \nslow-down, or the interruption, rather, of the normal flow of \nthings as result of Y2K, that can be very serious business for \nthe Appropriations Committee and its various subcommittees.\n    The second issue that I would like you to talk about, \nalthough perhaps not in the same breath, but just to alert you \nto the other thing I am concerned about, is this question of \nsecurity. Now, Y2K has made a tremendous impact on me at least, \nas it has forced me to confront what will happen to our society \nif the computers fail.\n    Now, we are talking about close to $9 billion, and it may \nget to $10 billion by the time we are through, just to keep the \nFederal computers from failing. This amount in the general \neconomy is--pick a number--somewhere between $50 and $100 \nbillion that private entities and the State and local \ngovernments will spend just to keep the computers from failing. \nThe potential for failure is a problem that is built into the \nsoftware.\n    The potential for failure as a result of a deliberate act \non the part of a terrorist group is just as great, and will \ncause just as much devastation as the Y2K. Right now, most of \nthe attack, cyber attack if you want to call it that, is coming \nat the Defense Department. I have had conversations with \nSecretary Hamre about that and will continue to have those \nconversations. The Defense Department is hardening itself \nagainst those kinds of attacks and is building some expertise \nfor dealing with them.\n    The rest of the economy is not, as nearly as I can tell, \nand some Government agencies are not. I do not want to give \nanybody any ideas, but I can see a scenario where a terrorist \ngroup says, ``all right, if we want to take down the great \nSatan, we will not attack their military, we will destroy their \nability to distribute welfare checks, and we can do that much \nmore easily than we can hack into the military computers.\n    If we want to cause disruption in America, we will shut \ndown the power grid, we will shut down the telephone system, we \nwill interrupt the flow of commerce by taking down the Fed \nwire.\'\'\n    A whole series of security issues that have nothing to do \nwith defense, but everything to do with our ability to continue \nto function as a Nation have come to my attention as a result \nof Y2K. I have spoken with the Majority Leader about it, and he \nhas encouraged me to use the Y2K Committee to examine these \nissues in the time the committee has left. We go out of \nbusiness on February 29.\n    But these are very serious issues, and I was glad to see \nyou raise them, Mr. Walker, and at some point in this hearing \nbetween the two of you, you might want to talk about that.\n    So those are the two issues that I want to focus on, the \npent-up demand, its immediate impact on the appropriations \nprocess, and then the overall security issue. We will get into \nthose questions, Senator Stevens, unless you have a question \nnow.\n    Chairman Stevens. If they want to comment, that is fine.\n    Mr. Walker. Mr. Chairman, I will comment on that.\n    First off, on pent-up demand, my experience both in the \npublic and private sectors has shown over the years that there \nis always a pent-up demand for wants in the area of information \ntechnology, but what I think is different because of Y2K is \nthat there is increasing pent-up demand for needs.\n    You pointed to the fact that many, both public and private, \nentities have frozen changes in their LANs, in their software, \nin various other areas dealing with information technology to \nfocus full attention on the Y2K challenge. They need to \nstabilize their environment in order to deal with their most \nimmediate time-sensitive need--that is Y2K.\n    The fact of the matter is that there is a pent-up demand \nfor needs for enhancements as well as the second issue that you \nraise, which is computer security. Computer security is already \non our high risk list, just as Y2K is. Computer security is \ngoing to follow up closely on the heels of Y2K. It has national \nsecurity, economic security, and personal privacy \nconsiderations.\n    We are focusing a lot of our time and attention on that, \nand believe that the Congress will need to do the same, as well \nas the executive branch, and I am sure that they intend to do \nso. I think these are two very real issues that not only are \nimportant from a wants, needs and affords perspective. What can \nwe afford? And there are tradeoffs. Money is fungible, and so \nthe question is, What are the consequences of these choices?\n    Mr. Lew. Mr. Chairman, I think there is no doubt there will \nbe some pent-up demand, and that we have separate but very \nimportant concerns about computer security that are unrelated \nto Y2K. I think I would actually take a slightly different \ntack, I think our experience with Y2K in some ways leaves us \nmore ready to deal with both of these issues than we otherwise \nwould be.\n    In the area of pent-up demand, there are many agencies that \nhave much more modern computer systems now than they would have \nhad if we had not been dealing with Y2K because, given the \ntightness of appropriated resources they would not have \nreplaced their personal computers (PC\'s), they would not have \ndone the work that they have done over the last couple of \nyears.\n    That does not mean that it is all of what they need for the \nnext stage of agency operations, but I think we are left with \nan architecture that is generally better, not just Y2K-\ncompatible. We need, as we calculate the pent-up demand, to \nreally look at what the net pent-up demand is, not of the \ninvestments we have made.\n    The concerns I have looked at are more the programmatic \nthan the hardware issues, where agencies have deferred \nactivities. You look at HCFA. In order to comply with Y2K \ncompliance requirements, they deferred some of their rulemaking \nactivity.\n    There is going to be a pent-up demand which will mean that \npeople have to work on those projects in the coming year that \nthey should have done in the past year. I think that has \npotentially programmatic implications. I do not know yet \nwhether it has funding implications. I think we have to get a \nlittle farther into it to determine that.\n    In the area of computer security, one of the things that \nthe contingency planning process is serving to be very useful \nfor is to take contingency planning generally more seriously. \nMany of the contingency plans for dealing with your potential \nyear 2000 disruptions are no different, as you mentioned, than \nthe kinds of disruptions that could occur from natural or \nhostile acts.\n    The Y2K problem is more complex, because the potential of \nthings happening in a lot of places is greater, whereas when \nthere is a natural disaster it is very local. Presumably the \nsame would be true if there are hostile acts, though you raise \nthe good question of what the risks are, and are the risks \ngrowing.\n    I think we are more prepared to deal with contingency \nplanning now than we were before Y2K remediation was \nundertaken. We had underway, as you know, through the National \nSecurity Council (NSC) process planning for contingencies in \nthis area. I think we need to continue to work together after \nJanuary 1, 2000 on that problem.\n    I do not at the moment expect a spike in funding \nrequirements for either pent-up demand or the security issues, \nbut that does not mean there will not be ongoing funding \nrequirements that we have to balance against other needs.\n    I think the core issue in both cases is, are the needs \nthere greater than the needs in other areas, and do they \nwarrant funding.\n    The thing about Y2K that was so unusual, and that did \nrequire the extraordinary funding mechanism that we had, was \nthat all the expenses came at once, and we are marching against \nan inflexible deadline, where if we do not do it by January 1, \n2000, it will not deal with the problem.\n    In these other areas, while there are serious problems, \nthey are problems we can fit into the spectrum of all the other \nthings that we do have to worry about, and I look forward to \nworking with you on those issues.\n    Chairman Bennett. Senator Stevens.\n\n                Progress on nonmission-critical systems\n\n    Chairman Stevens. Mr. Lew, because of where I am from, I \nworry about the nonmission-critical systems, and the definition \nof those, and I raised this last year. Do we have any idea of \nhow many such systems there are that are nonmission-critical \nsystems?\n    Mr. Lew. I do not have a number. I understand the question, \nand I will be happy to get back to you with a number. We are \nnot ignoring nonmission-critical systems. The fact that we are \nsetting a more absolute deadline for dealing with mission-\ncritical systems does not in any way mean that we are treating \nthe noncritical remediation as something that could wait until \nlater.\n    Chairman Stevens. Did you ever get an estimate of what it \nwould cost to deal with all Federal systems and Y2K \nimplications?\n    Mr. Lew. I believe the cost that we have been referring to \nwould be the $8.02 billion level.\n    Chairman Stevens. That is mission-critical.\n    Mr. Lew. It is more than mission-critical. It is the total \nexpenditure on Y2K. The total compliance is based on bringing \nall the mission-critical systems into compliance at a \nparticular time.\n    If I could get back to you, Senator, what I would like to \ndo is ask some questions about what do we expect in terms of \nlingering funding requirements after January 1 for the \nnonmission-critical systems. I think that may give me a better \nability to answer your question, and I do not know off the top \nof my head the answer to that question.\n    Chairman Stevens. The implication here is that, not \ncounting the emergency funds, that agencies have used \nappropriated funds to pay for Y2K problems and deferred their \nnormal programming. Is that your statement? You have indicated \nthat.\n    Mr. Lew. I think it is a combination. I think some of the \nthings that they have done with the money were exclusively Y2K-\nrelated. Other activities really have multiple purposes, and \none of the reasons it has been difficult to give actual numbers \nis that the bookkeeping before 1997 was not very good in terms \nof how much money was Y2K-related and how much of it was just \ngenerally IT-related.\n    As Mr. Walker noted, even now we are dealing with agencies \nthat are being much more clear in terms of their defining Y2K \ncosts for the emergency funds than they are for their base \nfunds. Some of the costs have to be disaggregated to see \nwhether they are just Y2K. When you buy a new PC system, it \nobviously is Y2K-related, but it is also giving you \ninfrastructure that the agency needed. They are all modernizing \ntheir computer systems as quickly as they can.\n    Chairman Stevens. The indication here is that they deferred \nnormal programming activities in order to make those \nadjustments. How extensive has that been?\n    Mr. Lew. I think what we have done is, we have built into \nour budget request in the last several years additional \nresources where we saw it as needed for Y2K, and we balanced it \nagainst the ongoing programmatic activities.\n    I think the areas where it would have created the clearest \ndirect conflict were some of the funding that was directed to \ncome out of the Y2K emergency reserve, and actually that went \nboth directions. Some of that funding was really Y2K-related, \nand some of it was funding that we had in the base that we \nthought was only marginally Y2K-related, so a lot of these are \ngray areas.\n    I think that when we are dealing with caps, as you and I \nknow painfully well, there are tough choices about how we can \ndeal with all of the competing needs.\n    Chairman Stevens. I am looking at it, as Senator Bennett \nmentioned, from two sides. One, it appears there are a lot of \nthings that have been deferred, normal program activities, \nbecause of the Y2K emergency, and on the other side of the coin \nis that there are increasing demands on the budgets of all \nagencies because of Y2K compliance activities.\n    Now, both of those add up to me to a need for more money, \nbut it is sort of a feather pillow. I am not getting what I \nneed.\n    Mr. Lew. I think there are really two different questions \nthere. One is, did they get more money than they otherwise \nwould have gotten to deal with Y2K within the base funding, and \nin our budget proposals we were allocating dollars to Y2K where \nwe were not taking it necessarily from something else. We were \nmaking our decisions from the ground up. What did an agency \nneed to do for its entire mission that had to do with Y2K? We \ncame to the conclusion that we could not do it within totals, \nwhich is why we put the emergency fund proposal in our budget \nlast year. It got beyond the point of our ability to work \nwithin the limits and still meet agency needs and Y2K needs.\n\n            Are additional Y2K supplemental funds required?\n\n    Chairman Stevens. That is what we anticipated, and that is \nwhy we started the emergency presence. But what I am looking at \nis whether or not, one, are we going to get a supplemental \nrequest to make up for the moneys that agencies have spent, the \nY2K activities, in order that they may have the funds to carry \nout their normal programming; and two, are we going to get a \nsupplemental request for Y2K activities? This $8.7 billion is \nmuch higher than we anticipated 1 year ago, or 2 years ago. Are \nthere two supplementals out there staring us in the face?\n    Mr. Lew. We have no immediate plans for any additional \nsupplementals. Our calculation is $8.02 billion total, and does \nassume that we use the emergency funds, but it does not assume \nthat we have any additional funding requirements in fiscal year \n1999. The agencies have been using the emergency funds not just \nto deal with mission-critical systems. They have been using the \nemergency funds to deal with noncritical as well as critical.\n    I actually have never seen a breakout of how much of the \nmoney has gone to mission-critical versus nonmission-critical, \nand it is a good question. I actually will go back and ask to \nsee it broken out that way.\n    I tried to use the example of HCFA as the kind of activity \nwhere we know that there was a deferral of some work. I do not \nthink that that necessarily means we will need a supplemental \nappropriation for HCFA. It means there was a delay in putting \nsome regulations into effect. As HCFA works through its 2000 \nand 2001 work plans, they will integrate completing the work \nthat they deferred with the work that they have to do.\n    They may have increased needs overall. Agency needs change \nfrom year to year. But I do not foresee a spike of additional \nneeds because of doing the deferred work that came about \nbecause of dealing with Y2K remediation.\n    It is a fair question. It is something we are keeping our \neye on. I am not sure we can anticipate everything in advance, \nbut I certainly at the moment do not see a huge number of \ndeferred activities where we will need to come in for a \nsupplemental request.\n    Chairman Stevens. Do you have any comment on this, Mr. \nWalker?\n    Mr. Walker. Mr. Chairman, first I would agree with Director \nLew that what we ought to focus on is the net need. Second, as \nwe say in our statement, we do believe that there is pent-up \ndemand and pent-up need, as there is in the private sector. We \nbelieve it is important to try to survey that, and try to \nunderstand the nature and extent of that.\n    Chairman Stevens. A need for non-Y2K funds, because of Y2K \nactivities?\n    Mr. Walker. A need for additional funds because there have \nbeen projects that have been delayed that may represent need \nrather than want. Director Lew mentioned one, where there are \nsome types of activities to implement certain regulations. \nThere also could be some computer security related system \nenhancement needs that could be essential and cost beneficial, \nhowever, they have been delayed.\n    I think there is a need to try to inventory that to \nunderstand the nature and extent, but then there is a \nmanagement decision and a budget decision as to the merits of \nthose various proposals, and how they will be handled; but we \ndo think it is important to inventory it, because we do believe \nit exists.\n    Mr. Lew. The only thing I would add, Senator, is that these \nissues are not new issues, because we have been dealing with \nY2K. We faced it at the Treasury Department in terms of putting \na new computer system in place there, where completely apart \nfrom the year 2000 there was a need for a long-term capital \nprogram.\n    I am not sure, net of what we spent on Y2K, that it is as \nmuch a question of pent-up demand as it is fitting those IT \nrequirements into the many demands that agencies have for \nresources. If there is a pent-up demand we certainly should, as \nthe Comptroller General says, try to keep an eye on it and \ncoordinate it in a managed way.\n    I just would not put up a red flag that there is a crisis \nlooming. We may have additional requirements in these areas \ncompletely apart from Y2K. The question of cyber security is \nsomething we will have to keep dealing with. I do not think we \nshould confuse the pent-up demand issue with what the absolute \nrequirements are, and if so, it is just a timing question.\n    On the other hand, we should not panic. We are in better \nshape now in terms of contingency planning than we have ever \nbeen in the past, and I think as we continue to deal with these \nquestions we will have a much better knowledge.\n\n          What progress is being made in contingency planning?\n\n    Chairman Stevens. I visited two major industries where they \nhad been told that their systems were Y2K compliant and on a \ntest found that they were not. Now, we are relying on this \ntesting. It is sort of a self-testing process of each agency, \nbut as I understand it, the cost of contingency planning is not \npermitted to be paid out of the emergency money, is that right?\n    Mr. Lew. Well, actually I would distinguish between \ncontingency planning and funding of the contingency plans. We \nare helping agencies deal with funding requirements for the \ncontingency planning. We are just beginning to see them, so I \ndo not have a wealth of material to draw on yet.\n    As we see the plans, I think we can expect that the plans \nwill identify two kinds of risks. One is risks that their own \nsystems will fail and there may in fact be additional funding \nrequirements there. As you know we continue to have $496 \nmillion in the nondefense and $165 million in the defense \nreserve, some of which may well be used for the agency \ncontingency plans.\n    Chairman Stevens. You use that for planning, or plans?\n    Mr. Lew. There may well be funding needed for plans. If \nthey need to back up their own systems internally there is a \nwhole separate kind of contingency planning where I do not know \nthat we have the authority to fund it. We may need to talk \nfurther about this if they identify problems that are not their \nown, but problems that are connected to the environments they \nare in, such as telephone and electric grids.\n    Obviously, we do not have the resources to do contingency \nplans for every agency so, if there is a localized power \nfailure for a brief period of time we will bring the whole grid \nback up. Utilities are dealing with that, and they are dealing \nwith it quite well.\n    I think the question we have to answer is if there is a \nlocalized problem, does each agency have a credible plan so \nthat it can continue its operations while the local utility is \ndealing with the outside problem.\n    We may decide that we want to take on as a Federal \nobligation, and I do not think I would recommend it, dealing \nwell beyond the ambit of Federal responsibility. Clearly we do \nnot have the resources for that, but that is also not a Federal \nresponsibility. What we are trying to do is make sure that it \nis coordinated, that information is readily available, and to \nprovide the leadership so that each of the different parts of \nthe environment that Federal agencies find themselves in is \nalso making the kind of progress they need to make.\n    We do not anticipate the kind of massive electric or \ntelephone failures that people worried about years ago, but \nthat does not mean there will not be isolated incidents. The \npurpose of contingency planning is to be able to respond, so we \nhave continuity in all Federal operations.\n    Chairman Stevens. Do we have any idea what the cost of \nthose plans will be?\n    Mr. Lew. The June 15 deadline just passed. We have received \nsome, not all. I would not even say most of them yet. Over the \nnext several weeks we will review them and we will continue to \nwork with the committees as we get a better understanding of \nwhat the contingency plans call for.\n    I think the agencies are struggling a little bit in terms \nof putting the price tag themselves on what are in some cases \nfairly imponderable costs. I think as they narrow down to the \ncost for their own backup plans, that is an area that is much \nmore concrete. We will start to see what the numbers are fairly \nquickly on those. I do not anticipate that those will be \nenormous, but if they do turn out larger than we expect, we \nwill come back as soon as we know more.\n    Chairman Stevens. Mr. Walker.\n    Mr. Walker. Mr. Chairman, we tried to note on page 13 of \nthe full statement how much of the emergency supplemental to \ndate has been spent for contingency planning. It is over $300 \nmillion, primarily the Defense Department, but also about $77 \nmillion for the civilian agencies.\n    As Director Lew noted, there is a need to try to get your \narms around what type of plans are necessary on a contingent \nbasis, and it is a separate and distinct matter as to what cost \nmight be necessary if those plans have to be implemented, and \nthat is something that is important to focus on.\n    Chairman Stevens. Do the contingency plans themselves have \nto be tested, in your judgment?\n    Mr. Walker. We do believe they need to be reviewed. We plan \nto review them. OMB needs to review them first. I believe they \nare due later this month. Joel, do you have a comment?\n    Mr. Willemssen. Yes. OMB has noted that they are following \nour guidance on contingency planning. One of the key phases in \ndoing that is validation and testing of those plans. We have \nrecommended that the validation and testing be completed no \nlater than September 30 of this year.\n    Chairman Stevens. Do you have the sense that we have enough \nfunds available now to deal with this total Y2K problem on the \nFederal level without any additional money, Mr. Walker?\n    Mr. Walker. Mr. Chairman, the real key is that, for fiscal \nyear 2000, there are certain unknowns. As Director Lew said, we \nhave still got 10 Federal agencies that have not completed \ntheir own remediation testing efforts.\n    Second, 10 of the 43 critical Federal programs have \nsignificant State involvement. Many of those States are not \ngoing to be completed with the Y2K efforts until the fourth \nquarter of this calendar year.\n    In addition, there are other factors that frankly, until we \nget more clarity on those, it is difficult, if not impossible, \nto predict the funds that will be necessary. The real key is, \nwhat are the tradeoffs?\n    If additional funds are needed for Y2K, there are several \nways to handle that. Obviously, one way is through a \nsupplemental. Another way is through changing priorities within \nthe existing baseline, and the key is to try to understand what \nthe possibilities are, what the magnitude might be, and to be \nable to make informed choices about what those tradeoffs should \nbe.\n\n    What is the difference between mission-critical and nonmission-\n                               critical?\n\n    Chairman Stevens. Both of you were talking about internal \nreprogramming. There could be a massive amount if there are any \ncontingencies that develop between now and the end of the year, \nand we are dealing with two different fiscal years as far as \nthe restraints on spending. I do hope that we are monitoring \nthe marshaling of this money towards achieving objectives \nwithin the laws available. Maybe we need some additional \nflexibility on this, and if you do, we might have to give it to \nyou in one of these bills. I would hope that you would both \nlook at that.\n    But one of the critical problems here to me is the \ndefinition of what is critical. I am afraid the people sitting \nhere in Washington have an idea of what is critical, and people \nout in the rural areas, and the western States in particular, \nhave an entirely different attitude about what is critical. Has \nanyone reviewed the definition of what is critical in your \nagency?\n    Mr. Walker. Mr. Chairman, let me comment on a couple of \nthings, and I would ask Joel to add. First, the dollars that \nhave been spent so far have been spent on Y2K, both mission-\ncritical and nonmission-critical systems. Second, at this point \nin time we believe the important thing to focus on is the \nprograms.\n    Candidly, the taxpayers, our citizens care about the \nresults, they do not care about the process, and so the key is \nto assure, either through the remediation efforts or through \nthe contingency planning that the programs will operate as \nintended at the taxpayer and the citizen level.\n    And Joel, I would ask you to add.\n    Mr. Willemssen. Mr. Walker hit it right on the nail. We \nhave applauded what OMB has done in terms of moving its focus \naway from systems and into programs. I think there is still \nroom for debate as to whether they have targeted the right \nprograms. As Mr. Walker mentioned in his statement, there are \nsome outliers that are not within the definition of the 43 \nprograms that I think would raise some issues, but I believe \nnow OMB has the correct focus, especially on testing end-to-end \nmultiple systems. I think that is the appropriate emphasis that \nnow needs to be placed.\n    Mr. Lew. That is actually the point I was going to make. \nThe value of testing is that we will have a much better \nunderstanding if there is going to be a problem in rural areas, \nor in isolated areas. That is one of the reasons the funding \nhas been going out in the pattern it has. As we have discovered \nproblems, we have been using funds to deal with the problems.\n    We have been very careful, and frankly I think you deserve \na lot of credit for designing a flexible-enough authority so \nthat we have had the authority to fund basically everything we \nhave needed to fund while still reserving resources for the \nfinal period.\n    The imponderable about the contingency planning is \ndifferent from whether we are taking the kinds of effective \nsteps to deal with the programmatic needs that agencies have, \nand I think it would be a mistake to think that there is a \nlooming, huge problem in terms of basic agency operations that \nare unfunded.\n    If we discover that the contingency plans have funding \nrequirements that are greater than what we think they will be, \nI assure you it is not something we would just keep to \nourselves. Just as we shared with you the need for the $3\\1/4\\ \nbillion emergency fund, we would come back. I just at this \nmoment do not anticipate it, and frankly it gets into an area \nfairly quickly that is not the Federal Government\'s primary \nresponsibility. We have been using the money that was \nappropriated to deal with the testing to make sure that we \ndiscover, within the Federal systems, what else we need to do.\n\n          Who will agencies turn to if they have Y2K problems?\n\n    Chairman Stevens. Do we have any reserve capacity for the \nGovernment as a whole? Is there an agency that has been \ndesignated to come forward and assist any Federal program that \nruns into a glitch in the last part of the year?\n    As the next fiscal year started sometime after October 1, \nyou run into problems. Who do these agencies turn to for \nassistance if some real difficult problem emerges that has not \nbeen contemplated?\n    Mr. Lew. As you know, John Koskinan has been coordinating \noverall the administration\'s planning and implementation of the \nY2K effort. That has been, I think, a very effective process \nwhere we have had agency heads take on the responsibility \npersonally to make sure that they were doing what needed to be \ndone, and coming in with the kind of technical support.\n    We do not have a formal process where there is one agency \nthat is doing things for the other agencies, but there has been \na lot of sharing of information and cooperation amongst \nagencies in the way that you would want to see in a situation \nlike this. As one agency learns something we do not wait for \neach of the others to discover it on their own, there is a \nsharing of information.\n    Chairman Stevens. I am looking for something different. We \nhave the Federal Emergency Management Agency (FEMA) if there is \na natural disaster. What agency has the role of FEMA in dealing \nwith Y2K, if something really goes bad in December?\n    Mr. Lew. Let me distinguish the work up until January 1 and \ndeal a little bit separately with what happens in the immediate \nperiod at the new year.\n    The President made it very clear that it was the obligation \nof each agency head to assure that his or her agency was taking \nthe action needed. Frankly, if there was a more centralized \nresponsibility we would not be able to sit here today and \nreport the kind of progress that we have made.\n    Chairman Stevens. I am not interested in that. I am \ninterested in emergency assistance at a time when it may be \nneeded.\n    Mr. Lew. In terms of emergency assistance, we have planned \nfor what we call an Information Coordination Center which we \nhave worked with the committees on to bring together \ninformation at the end of the year. At the beginning of the new \nyear, as we learn of disruptions, as we learn of problems, so \nthat there will be a clear flow of information and an ability \nto muster appropriate responses.\n    I think that is more of an information exercise than it is \na command and control exercise. It is not that we have a \nspecial weapons and tactics (SWAT) team that will go in, but it \nis a way to marshall the resources of the Federal Government to \ndeal with situations as they occur. It is not the case, as in a \nnatural disaster, where we designate FEMA or one agency to be \nthe lead agency, because frankly, the problems are not \nnecessarily going to be within the expertise of one agency.\n    If you have a transportation issue, the Department of \nTransportation is going to deal with it. If you have a \ncommunication issue, it is largely going to be private, and \nmore information at the Federal level rather than action at the \nFederal level.\n    But there is going to be information coming in. Frankly, \nJanuary 1 will come in many hours earlier in other parts of the \nworld. We will gather information from what happens in other \nparts of the world and be able to perhaps take some \npreventative steps as we learn what happens in other places and \nbe able to have the preparedness in real time.\n    I do not think that it would be as effective, frankly, if \nwe had a single designated agency that would deal with all \nproblems that might arise, because it would be more than any \none agency could handle within its expertise.\n    Mr. Walker. Mr. Chairman, four points that might be \nhelpful. Obviously, John Koskinan has been handling overall \ninteragency coordination and strategic planning. Second, it is \nmy understanding that for each of the high-impact programs OMB \nhas designated, in working with John Koskinan, a lead agency \nhas responsibility for that program, even though there may be \nnumerous agencies that have to be involved.\n    Third, based upon our experience so far, if there is one \nagency that probably has shined in this, it has been the Social \nSecurity Administration, but obviously no one agency, as \nDirector Lew noted, could really handle contingency planning \nfor everything.\n\n                  Is the Postal Service Y2K compliant?\n\n    And last, but certainly not least, the Postal Service is \ncritical. They are making progress, but they represent the \ncontingency plan, or have an integral part in the contingency \nplans of not only the Federal Government but, quite frankly, \nthe private sector, and that is one I think we have to keep our \neye on the ball.\n    Chairman Stevens. Who is monitoring that?\n    Mr. Walker. I am sure that OMB and we at GAO are monitoring \ntheir progress.\n    Chairman Bennett. Can you tell us where they are?\n    Mr. Willemssen. The Postal Service after a fairly slow \nstart has made very rapid progress, and we have recently \ntestified that the kind of management controls that they have \nput in place should give them greater assurance of being ready \nin time. There are still some risks, such as a number of \nsystems that they have to get ready in a relatively short \nperiod of time, but the attention is now being placed on that, \nand frankly that was not the case some time ago.\n    I think one of the things that spurred the Postal Service \non was when OMB last year put their additional reporting \nrequirement on other entities beyond the 24 major Federal \ndepartments and agencies. That led to the Postal Service coming \nin with their first report, and that first report raised a lot \nmore questions than it did answers. That led to enhanced \noversight which contributed to the Postal Service being on the \nroad they need to be on.\n\n  Need for progress for Federal systems that interact with State and \n                             local systems\n\n    Chairman Stevens. What about the Federal systems programs \nthat interface with the State and local activities such as food \nstamps, Medicare, and others that are dependent on State \nactions and State implementation?\n    Mr. Willemssen. I think there remains much room for concern \nthere, and OMB is very aware of those concerns. States are \nworking quite diligently with the Federal agencies, but many of \nthose States do not plan to be compliant until the end of the \nyear.\n    What we have seen as a model agency in terms of oversight \nof State systems has been the Health Care Financing \nAdministration and Medicaid. When we came out with a report \nlast fall that indicated that only about 16 percent of those \nsystems were compliant, the Administrator of HCFA took the lead \nand obtained needed contractor help.\n    They\'ve gone out and done risk assessments and visits of \nall States. They completed that first round in April and made \ndetailed risk assessments. They are now in the midst of doing a \nsecond round of visits and, concurrent with that, they have \noutside help focusing on contingency planning for those States.\n    It is really a very good model, one that could be emulated \nby some of the other Federal agencies in working with their \nState partners. Although it is getting fairly late in the game, \nwe think with the time remaining, activities like that could be \nvery beneficial.\n\n                Progress with our international partners\n\n    Chairman Stevens. I have taken a lot of time. One last \nquestion, and this is a North American economy now, not a \nUnited States economy. What about Canada and Mexico, and the \ntremendous interface of our private economy with our neighbors \nto the north and south?\n    Mr. Lew. Senator, we have participated actively in \ninternational forums to help other countries learn from our \nexperience as we discovered what needed to be done. In fact, \nthe largest conference ever in terms of U.N. focusing on a \nsingle topic is being held either this week or next week in New \nYork. I do not know for a fact, but I assume Mexico, Canada, \nand most of the countries of the Western Hemisphere are \nparticipating.\n    The challenge we have is, we clearly cannot take on as a \nU.S. obligation direct responsibility for the systems in other \ncountries, but we have been trying very hard to share \ninformation and help others learn to take responsibility and \ntake the actions necessary.\n    I do not have country-by-country reports. We would be happy \nto get back to you if you have specific questions about Mexico \nand Canada. I suspect the bigger concerns we have are in other \nparts of the world, though.\n    Chairman Stevens. Well, that is a prime time for illegal \nimmigrants to cross the border from California all the way over \nto Louisiana.\n    Mr. Lew. That is obviously a question of our critical \nsystems working, and that is our responsibility.\n    If I could just respond on the question of the States, \nbecause I think it is one of the significant issues we have to \ncontinue to focus on from now until the end of the year. It is \nmore difficult in the sense that it is not something we can \njust go out and fix. We have to work with others to fix their \nsystems.\n    But we can encourage and require that there be backup \narrangements, and that there be testing. We have been providing \nthat leadership. Putting into the quarterly report the State-\nby-State data we inputed was a very useful step in terms of \ngetting each of the agencies to work with the States on their \nsystems and, frankly, to put the public attention on which \nStates are scheduled to be completed and which States are \nfalling behind. I know that up here there is a lot of concern \nnot just for the aggregate number, but on each individual \nState, and I would commend to your attention the State-by-State \ndata in the ninth quarterly report.\n    We are going to be doing that on a regular basis from now \nthrough the end of the year. We have directed the agencies to \nwork closely with the States to try and be helpful to them as \nthey plan their own activities, but this is one of the \nremaining challenges that is going to require a lot of our \nattention.\n    Chairman Stevens. Thank you very much, Mr. Chairman.\n\n                    Need for additional Y2K funding\n\n    Chairman Bennett. Thank you. This is just a little bit of \ninstitutional jealousy, and I probably should not say it, but I \nwill anyway. Mr. Lew, you made the comment, in your words, ``we \nshared with you the need for the $3\\1/4\\ billion emergency.\'\' \nJust for the record, the initiative for the $3\\1/4\\ billion \nemergency came from Senator Stevens. I was in the room when he \ncame up with that number and announced it.\n    I remember the phone call I received from John Koskinan \nwhere he said, ``Senator, we had no idea you were going to do \nthat. We had no tip-off at OMB in advance that this Congress \nwas going to do that.\'\' I thought he was going to complain that \nthe Congress was doing things, and then he said, and we think \nit\'s a really, really, really good idea. So I think just for \nthe record Senator Stevens should receive the credit for having \ncome up with that.\n    Let me talk about that supplemental. After the allocations \nagainst the funds, there is $165 million in reserve, as you \nsaid, for defense, and $400 million for nondefense. Mr. Walker, \nyou say in your testimony that the cost of end-to-end testing \nand contingency plans will be high.\n    Do you share my concern that these reserve funds may not be \nenough? That too much of the money that was allocated in the \nemergency, $3.25 billion in emergency money, has already been \nspent, given the size of what we are still looking at, or do \nyou think the expenditures and allocations up until now have \nbeen about right, and that these reserves are adequate? Either \none of you.\n    Mr. Walker. Mr. Chairman, I think there are two issues. One \nissue is whether or not the remaining funds that exist in the \nreserve will adequately cover all the additional Y2K costs \nversus whether or not there is a need for an additional \nsupplemental, for example. I think there is a much higher risk \nthat there will be more money necessary in order to address all \nthe Y2K issues, given the contingencies that we have \narticulated today.\n    I think it is a separate and important, yet somewhat \ndistinct, question as to how best to do that. Will it be \nthrough tradeoffs in other funding that already exists in \nfiscal year 2000 for these programs, or will there be a need \nfor supplemental funding, and I would ask Director Lew to \ncomment.\n    Chairman Bennett. Do you share that view? I have the \nfeeling you have a slightly different view.\n    Mr. Lew. The reason I am hesitant is that we are just \nbeginning to review the contingency plans for the agencies. The \nreal answer to the question will come after we have reviewed \ntheir plans.\n    Frankly, the early plans we are getting do not have cost \nestimates in them in many cases, so we have to go back and work \nwith the agencies. To the extent that contingency planning \ncosts are much larger than we have anticipated I would have a \nvery different response. If the contingency plans fit within \nwhat we have expected, and I will not know that for several \nweeks, to the extent that they identify expenses that are not \nwithin the authority of the emergency fund, we would clearly \nneed to come back and seek additional flexibilities.\n    I did not mean to detract at all from the contributions of \nSenator Stevens in particular. We very much appreciate it. We \nput a place marker in our budget, as you know, and it became \nreal when Senator Stevens offered the amendment that he did and \nthe flexibility the fund provides is very helpful.\n    Chairman Bennett. Just a little executive branch-\nlegislative branch----\n    Mr. Lew. I appreciate that. The answer to your question \nultimately I think would be something I would want to get back \nto you after we have reviewed the continuity and contingency \nplans, because I think that is where the wild card would be.\n    At the moment, I cannot sit here today saying we anticipate \ntremendous additional needs, though I think Mr. Walker is right \nthat to the extent that there are ongoing requirements. Either \nat the very end of this year or at the beginning of next year, \nthere may be some tension within the existing budgets. That is \nnot always a bad thing. I mean, agencies do deal with some \ncosts that are outside of their normal business without it \ncausing tremendous disruption.\n    What happened in Y2K was the amounts required so far \nexceeded the ability to manage the totals, so it was necessary \nto have the emergency fund.\n    Chairman Bennett. Senator Stevens has an additional \nquestion, but before he gets to that, let me just pick up on \nwhat you are saying about the contingency plans. Your deadline \nwas June 15. By your testimony most of the agencies missed that \ndeadline, and that concerns us.\n    We do not have, as everybody knows, any fudge factor on the \nultimate date that is hitting us here, and just quickly, do you \nhave any sense when you will have all of the contingency plans \nwith estimates in front of you? Can you give us a new date that \nwe can hold people accountable for?\n    Mr. Lew. I cannot give you a firm date and, frankly, I \nthink what is going to be happening is, we are going to be \nworking with the agencies to refine what we get on an ongoing \nbasis. There will not be a date when they are finished. They \nare going to keep proceeding with their planning and their work \nright until the end. I think in the next several weeks we will \nhave a lot more than we have now. We have been working with the \ncommittees\' staff and with you directly on each of the \nallocations, and we will continue to do so as we review the \ncontingency plans.\n    We have tried to be responsive to any of the issues raised \nin the course of those consultations and would continue to do \nso. If we discover a problem, or you discover a problem, we \nwould like to keep the conversation going.\n    I wish I could say that I will have all the plans on June \n30. When we set deadlines we try to be realistic about agency \ncompliance patterns, and I think we are still in decent shape. \nIf the President had not set March 31 as a deadline, we would \nnot be sitting here today with the results that we have, and I \ndare say the same is true about the June 15 deadline.\n    I would wish that at all times agencies would respond with \ngreat punctuality, but we did build in a little bit of room.\n    Chairman Bennett. If my friend Senator Dodd were here, I \nknow he would have a few words to you to say about the \nimportance of meeting deadlines and how carefully he will \nmonitor those deadlines. Since he got married over the weekend \nhe may have other things on his mind, but I assure you that he \nand the committee will be watching these dates very carefully.\n    Senator Stevens.\n\n  Potential need for another flexible fund to respond to Y2K problems\n\n    Chairman Stevens. Well, I want to make sure about this \nauthority problem that you have indicated a couple of times, \nMr. Lew. I have the same feeling. There is no basic authority \nlike the President, as Commander in Chief, possesses for taking \ncare of troops. You know, the food and forage concept.\n    I would like to contemplate, or like to have resolved how \nto establish an emergency authority in one single area. I take \nit would be the President\'s decision that would get that, but I \nalso assume it would be OMB. I think we have to have that. I \nthink we have to have someone with the authority to make the \ndecision to use funds from wherever they have to be taken if \nthere is an emergency that develops. We will be out of session. \nIt is the holiday period where these crises could take place.\n    We also have critical non-Federal actions that may need \ncorrection, or might need assistance because they impact our \nmission-critical systems at a time in an unexpected way. I do \nnot think you have the authority today to use funding for that \npurpose, but I do think you should have it. I also think that \nwhatever we do along that line we should require a report from \nyou to Congress, so that when we come back into session we can \nreview what has happened and see whether adjustments are \nnecessary to other accounts because of that.\n    But I would urge you to think about that, and Mr. Walker, \nyou might review that also. I think in one of these bills that \nis coming along we ought to start a basic designation of who \nhas that authority, how it is to be exercised, and what the \nscope of it is. If it goes outside the mission-critical Federal \nsystems to the area where non-Federal actions might have an \nimpact on the plans or contingency plans that we may have to \nput into effect.\n    Clearly, I think that the public is going to expect that we \nhave placed, somewhere in the administration, the authority to \ntake action, and I still believe it is sort of like any other \ntime of weakness.\n    Are you a fisherman? I remember when I was fishing down off \nof Pulaski Light, and I learned how to fish for the giant \nbarracuda. You really fish for the mackerel, but just as the \nmackerel hits the bait, that is when the barracuda likes to hit \nthe mackerel. I am thinking there are a lot of barracudas out \nthere that would like to have an impact on our Federal systems \nat a time of apparent weakness. We ought to guard against that, \nand we ought to have authority.\n    Again, I urge you to think about someone having a FEMA \nresponsibility. There has to be a fireman there somewhere, and \nit is going to take some further analysis of this, as I am sure \nthat Senator Bennett\'s committee will do.\n    We are here today primarily because of the implications of \nfuture funding that may be required. Even beyond that is the \nbasic authority to use whatever funds are available should a \nsubstantial crisis develop.\n    Mr. Lew. Senator Stevens, I think it is an important \ndistinction, because the truth is, if there is an emergency in \nan area where funds have been appropriated and authority \nexists, you could spend down money and could replenish the \nfunds with a supplemental later on. I think the real critical \nissue in terms of being able to respond in a timely manner is \nwhether the scope of authority is broad enough.\n    We have very substantial authorities to respond to most of \nthe contingencies that are directly Federal. I think the issue \nhere is whether it would be desirable to have a broader Federal \nresponsibility for non-Federal response.\n    Chairman Stevens. I am not talking about responsibility. I \nam talking about ability to act where there is a definite \nconnection between the systems we rely on for our people \nthrough the Federal Government and those that are non-Federal, \nwhere the contingency planning or the planning may be \ndefective, and we will not know that until it is too late.\n    Mr. Lew. Just to use an example, if there is a Federal \nagency where communications are critical, then the Federal \nresponsibility is to have backup communication capacity so the \nFederal agency can communicate. It is not a Federal obligation \nto bring up the telephone system for the entire area. We have \nthe authorities to our knowledge to do what we need for the \nFederal backups to be provided for.\n    The area where there is a question about authority is also, \nI think, where there is a question about whether it is a \ndesirable Federal role. As we go through these contingency \nplans, if we discover additional needs for authority, I would \nwelcome the invitation to pursue it with you. We clearly want \nto have whatever authorities we need to deal quickly and with \nagility to things that almost by definition are as \nunpredictable as the barracuda eating the mackerel.\n    Chairman Stevens. The National Guard is in every State, and \nit is an entity in every State. I think somewhere along the \nline there has to be some entity like that where the standby \ncapacity to assist in areas that are life threatening, that \nrelate to Federal activities, or are threatening to the economy \nin general--well, we will work with you on it.\n    Mr. Walker.\n    Mr. Walker. Mr. Chairman, while obviously our first and \nforemost priority needs to be Federal programs and U.S. \ncitizens, you touched on the international aspect. The fact of \nthe matter is, we are in a global economy, and as I looked \ntoday at GAO\'s daily news clips, there is an article that comes \nto mind, the source of which is published through the Gartner \nGroup, which is one of the leading information consulting \nfirms. It has attempted--we have not attempted to verify this--\nto rank various countries into different levels, level 1 being \nthe best prepared, of which I am pleased to say the United \nStates and Canada are on that level; level 2 is where Mexico \nfalls; but if I look at level 4, which is the lowest level, you \nhave countries such as Russia and Pakistan, and clearly there \nare security issues associated with that which I think we have \nto keep in mind. While that is not our primary responsibility, \nit is not inconceivable that there could be some issues there.\n    Thank you, Mr. Chairman.\n    Chairman Stevens. Thank you very much.\n    Chairman Bennett. Thank you. We appreciate your being here \nand appreciate your patience with the questioning. If we have \nfurther questions we will submit them to you in writing, and as \nSenator Stevens said, Senator Byrd, who was not able to be with \nus, will have some questions for you in writing.\n\n                         conclusion of hearing\n\n    Chairman Bennett. Thank you very much. The committee is \nrecessed.\n    [Whereupon, at 11:10 a.m., Tuesday, June 22, the hearing \nwas concluded, and the joint committees were recessed, to \nreconvene subject to the call of the Chair.]\n\n                                 <all>\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'