Year 2000 Computing Challenge: FBI Needs to Complete Business Continuity
Plans (Letter Report, 10/22/1999, GAO/AIMD-00-11).

Pursuant to a congressional request, GAO provided information on the
Federal Bureau of Investigation's (FBI) plans and controls for year 2000
business continuity planning, focusing on: (1) the status of and plans
for completing the FBI's contingency planning for continuity of
operations; and (2) whether the FBI's contingency planning efforts
satisfy the key processes in GAO's year 2000 business continuity and
contingency planning guide.

GAO noted that: (1) the FBI reported that it has renovated, tested, and
certified as year 2000 compliant all but 1 of its 43 mission-critical
systems and has developed system-level contingency plans for all but 2
of the 43; (2) the FBI has made some progress in its year 2000 business
continuity planning, but this very important effort is running late; (3)
to ensure that there will be sufficient time to develop, test, and
finalize plans, GAO recommended in earlier testimony that plans be
developed by April 30, 1999, and tested, including addressing problems
and retesting by September 30, 1999, in order to allow agencies
sufficient time to evaluate whether the plans will provide the level of
core business capability needed and whether the plans can be implemented
within a specified timeframe; (4) however, the FBI had not yet developed
division-level business continuity plans or field office plans, and it
did not expect to complete the integration of the division plans until
September 1999; (5) further, it had not established a target date for
completing field office plans or testing both field-level and
division-level plans; (6) these delays left the FBI with little time to
complete the many planning tasks that remain and ensure that it is ready
to minimize the impact of possible year 2000-induced system failures;
(7) the FBI also did not have many of the management controls and
processes needed to effectively guide its continuity planning effort
through the short time remaining before the year 2000 deadline; (8)
according to the year 2000 official, the FBI had not implemented these
controls and processes because the Department of Justice's guidance
focuses on system-level contingency plans and does not require business
continuity planning; (9) further, the official stated that the FBI is
inherently capable of ensuring continuity of operations because its
agents in both headquarters and the field are well trained and prepared
for responding to various emergency circumstances, of which potential
year 2000 system failure is just one; and (10) by not employing the
management rigor and discipline specified in GAO's year 2000 business
continuity planning guide, the FBI will not be able to ensure that it:
(a) properly focuses its planning effort on the agency's most critical
operations; (b) selects the best strategies to protect these operations;
(c) has sufficient resources and staff dedicated to implementing
continuity plans; and (d) can efficiently and effectively invoke its
continuity plans, if necessary.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-11
     TITLE:  Year 2000 Computing Challenge: FBI Needs to Complete
	     Business Continuity Plans
      DATE:  10/22/1999
   SUBJECT:  Strategic information systems planning
	     Y2K
	     Computer security
	     Systems conversions
	     Computer software verification and validation
	     Information resources management
IDENTIFIER:  DOJ Year 2000 Program
	     FBI Year 2000 Program

Report to the Special Committee on the Year 2000 Technology Problem, U.S.
Senate

October 1999

YEAR 2000 COMPUTING CHALLENGE

FBI Needs to Complete Business Continuity Plans

GAO/AIMD-00-11

Letter

Appendixes

Appendix I: Briefing to the Special Committee on the Year 2000 Technology
Problem

Appendix II: Objectives, Scope, and Methodology

Appendix III: Comments From the Department of Justice

BOP     Bureau of Prisons

CIO     Chief Information Officer

FBI     Federal Bureau of Investigation

IT      information technology

JMD/CSS Justice Management Division/Computer Services Staff

NCIC    National Crime Information Center

OMB     Office of Management and Budget

PMO     Program Management Office

SSA     Social Security Administration

                                                 Accounting and Information
                                                        Management Division

B-282155

October 22, 1999

The Honorable Robert F. Bennett
Chairman
The Honorable Christopher J. Dodd
Vice Chairman
Special Committee on the Year 2000 Technology Problem
United States Senate

The Federal Bureau of Investigation (FBI) relies on automated information
systems to fulfill its mission to investigate violations of federal
criminal law, protect the United States from foreign intelligence and
terrorist activities, and provide assistance to federal, state, and local
agencies. To prevent disruptions to systems caused by the Year 2000
problem, the FBI has taken action to renovate and test its mission-
critical systems. Nevertheless, because core business processes may still
be disrupted by Year 2000-induced failures in internal systems, business
partners' systems, or public infrastructure systems, it is necessary for
the FBI to develop and test plans for the continuity of business
operations. If done effectively, such plans can help mitigate the risks
and mission impacts associated with unexpected internal and uncontrollable
external system failures.

At your request, we determined (1) the status of and plans for completing
the FBI's contingency planning for continuity of operations and
(2) whether the FBI's contingency planning efforts satisfy the key
processes in our Year 2000 business continuity and contingency planning
guide./Footnote1/ This report summarizes the information presented at our
August 19, 1999, briefing to your office and provides examples of
important business continuity planning steps that the FBI is not
fulfilling. This report also includes the briefing slides that we
presented to your office because they contain our findings on how well the
FBI is satisfying business continuity planning steps. The briefing slides
are presented in appendix I, and our objectives, scope, and methodology in
appendix II. We requested comments on a draft of this report from the
Attorney General or her designee. The Department of Justice provided
comments. These comments along with our evaluation are summarized in the
"Agency Comments and Our Evaluation" section of this report and are
reprinted and addressed in detail in appendix III. We performed our work
from March through August 1999 in accordance with generally accepted
government auditing standards.

Results in Brief 

As of August 1999, the FBI reported that it has renovated, tested, and
certified as Year 2000 compliant all but 1 of its 43 mission-critical
systems and has developed system-level contingency plans for all but 2 of
the 43. Also, the FBI has made some progress in its Year 2000 business
continuity planning, but this very important effort is running late. To
ensure that there will be sufficient time to develop, test, and finalize
plans, we recommended/Footnote2/ in earlier testimony that plans be
developed by April 30, 1999, and tested, including addressing problems and
retesting, if necessary, by September 30, 1999, in order to allow agencies
sufficient time to evaluate whether the plans will provide the level of
core business capability needed and whether the plans can be implemented
within a specified time frame. However, the FBI had not yet developed
division-level business continuity plans or field office plans, and it did
not expect to complete the integration of the division plans until
September 1999. Further, it had not yet established a target date for
completing field office plans or testing both field-level and division-
level plans. These delays left the FBI with little time to complete the
many planning tasks that remain and ensure that it is ready to minimize
the impact of possible Year 2000-induced system failures. 

Moreover, the FBI also did not have many of the management controls and
processes needed to effectively guide its continuity planning effort
through the short time remaining before the Year 2000 deadline. For
example, the FBI had not (1) developed a high-level business continuity
planning strategy, (2) developed a master schedule and milestones, (3)
defined all its core business processes, (4) implemented a complete risk
management process for business continuity planning, (5) performed risk
and impact analyses of each core business process, (6) assessed the costs
and benefits of alternative continuity strategies, or (7) planned for the
testing phase of its business continuity planning effort. According to the
senior Year 2000 official, the FBI had not implemented these controls and
processes because Justice's guidance focuses on system-level contingency
plans and does not require business continuity planning. Further, the
official stated that the FBI is inherently capable of ensuring continuity
of operations because its agents in both headquarters and the field are
well trained and prepared for responding to various emergency
circumstances, of which potential Year 2000 system failure is just one.

The need for a structured and defined approach to managing Year 2000
programs, including business continuity planning, is widely accepted by
both public and private sector organizations, and it is precisely why our
Year 2000 guidance has been adopted by the Office of Management and Budget
(OMB) as a federal standard. By not employing the management rigor and
discipline specified in our Year 2000 business continuity planning guide,
the FBI will not be able to ensure that it (1) properly focuses its
planning effort on the agency's most critical operations, (2) selects the
best strategies to protect these operations, (3) has sufficient resources
and staff dedicated to implementing continuity plans, and (4) can
efficiently and effectively invoke its continuity plans, if necessary.

To strengthen the FBI's management of business continuity planning, we are
recommending that Justice clarify its expectations for Year 2000 business
continuity planning for all of its bureaus and that the FBI establish and
implement (1) a plan for developing and testing business continuity plans
and (2) effective controls and structures for managing Year 2000 business
continuity planning. In commenting on a draft of this report, Justice
disagreed with our conclusion that it has not required the development and
emphasized the importance of business continuity planning. However, it
also cited steps that it has recently taken to address our
recommendations, including orally clarifying business continuity planning
for some bureaus, developing a plan for the timely development and testing
of headquarters and field office business continuity plans, and
establishing controls and structures for managing business continuity
planning. To fully implement all recommendations, Justice must build on
these first steps to ensure that all bureaus complete business continuity
plans, and that specifically cited plans and management controls for the
FBI's business continuity planning are effectively implemented.

Background

The FBI's mission is to investigate violations of federal criminal law,
protect the United States from foreign intelligence and terrorist
activities, and provide leadership and law enforcement assistance to
federal, state, local, and international agencies. The FBI supports its
mission with 56 field offices, about 400 satellite offices, and 35 foreign
legal attaches. In addition, classified systems link two computer centers
(Washington, D.C. and Clarksburg, West Virginia) and all FBI locations.

To carry out its mission, the FBI depends on information technology (IT)
systems that contain information on fugitives, wanted persons, stolen
vehicles, etc. and are used by both FBI staff and state and local law
enforcement agencies. For example, the FBI has recently implemented its
National Crime Information Center (NCIC) 2000 system, which is used by law
enforcement agencies in the United States, Puerto Rico, Mexico, and Canada
to share information about individuals, vehicles, and property associated
with criminal activity. 

The FBI has been working to address the Year 2000 problem with its
critical IT systems. Under the leadership of a Year 2000 Senior Executive,
the FBI identified 43 mission-critical IT systems and hundreds of non-IT
assets, such as laboratory equipment and telephone and building systems,
to be renovated and tested before the Year 2000. All but one of these
systems have been renovated, tested, and certified as Year 2000 compliant.
The FBI has also developed system-level contingency plans for all but 2 of
its 43 mission-critical systems.

Despite the FBI's or any organization's best efforts to remediate its
mission-critical systems, however, core business processes may still be
disrupted by Year 2000-induced failures and errors in internal systems,
business partners' systems, or public infrastructure systems, such as
power, water, transportation, and telecommunications systems. Thus, it is
necessary to prepare plans for continuity of business operations to help
mitigate the risks and mission impacts associated with unexpected internal
and uncontrollable external system failures.

Our Year 2000 business continuity and contingency planning guidance
recommends that federal agencies follow a four-phased structured approach
to continuity and contingency planning, which is illustrated below. OMB
has adopted this guidance as a federal standard for business continuity
planning.

o Phase 1-Initiation. Establish a continuity work group and develop a
  high-level business continuity planning strategy. Develop a master
  schedule and milestones, and obtain executive support.

o Phase 2-Business impact analysis. Assess the potential impact of
  mission-critical system failures on the agency's core business
  processes. Define Year 2000 failure scenarios, and perform risk and
  impact analyses of each core business process. Assess infrastructure
  risks, and define the minimum acceptable levels of output for each core
  business process.

o Phase 3-Contingency planning. Identify and document contingency plans
  and implementation modes. Define triggers for activating contingency
  plans, and establish business resumption teams for each core business
  process.

o Phase 4-Testing. Validate the agency's business continuity strategy.
  Develop and document contingency test plans. Prepare and execute tests.
  Update disaster recovery plans and procedures.

FBI's Continuity of Operations Planning Efforts Are Late

To ensure that agencies have sufficient time to develop, test, and
finalize their plans, contingency and continuity plans should have been
completed by April 30, 1999, and tested by September 30, 1999. However,
the FBI has been running behind our recommended schedule for business
continuity planning, and its plans do not contain milestones for
completing its remaining tasks. As of August 1999, the FBI

o had not yet developed an integrated set of division-level business
  continuity plans and did not expect this to be done until September 1999;

o had not yet established a milestone for the completion of field office
  business continuity plans or instructed field offices on what the
  content of their contingency plans should be; and

o had not yet established milestones for testing both field-level and
  division-level continuity plans.

These delays, in part, are attributable to the FBI's late start in
undertaking its business continuity planning effort. The agency did not
initiate business continuity planning until March 1999, did not instruct
its field offices to develop continuity plans until April 1999, and did
not instruct divisions to prepare continuity plans until May 1999. The
Year 2000 Program Management Office (PMO), in its Contingency Planning
Guidebook for Field Offices, stated that it will provide additional
guidance to the field offices on business continuity planning, including
instructions for the content of plans, in October 1999. According to FBI
officials, the FBI started late in business continuity planning because
Justice's guidance only requires system-level contingency plans and does
not address business continuity planning. Our review of Justice's Year
2000 guidance confirmed this statement.

FBI Lacks Key Controls and Processes Needed to Complete Its Continuity
Planning Effort

The delays in the FBI's development of business continuity plans have left
the agency with little time to properly test its plans and to update plans
based on the results of those tests. As a result, it is exceedingly
important for the FBI to have an effective set of management controls in
place for managing the remainder of its business continuity planning
effort. Nevertheless, the FBI does not have many of the key processes and
controls necessary to reduce the risk of Year 2000 business disruptions
because, according to the FBI's senior Year 2000 official, Justice's
guidance focuses on system-level contingency plans and does not require
business continuity planning. Further, the official stated that continuity
of operations is embedded in the FBI's normal daily operations, and its
agents in both headquarters and the field are well trained and prepared
for responding to various emergency circumstances, of which Year 2000
disruption is just one type.

However, the FBI does not have important management controls for
effectively managing Year 2000 business continuity planning, controls
which OMB has adopted as a federal standard and which public and private
sector organizations are employing. Without these controls, the FBI has
inadequate assurance that it will be able to effectively address potential
internal and external Year 2000-induced system failures.

The following are examples of our recommended business continuity planning
steps that, as of August 1999, the FBI had not fully satisfied.

o Develop a high-level strategy for business continuity planning. Our
  guidance recommends that agencies develop and document a high-level
  continuity planning strategy during the initiation phase to guide the
  planning effort. It should include project structure, metrics and
  reporting requirements, and cost and schedule estimates. Without a
  planning strategy, agencies cannot ensure that they have sufficient
  resources and staff dedicated to the contingency and continuity
  planning effort.

o Develop a master schedule and milestones. Our guidance recommends that
  agencies develop a master schedule, including milestones for the
  delivery of interim and final products. These tools help agencies track
  business continuity planning progress to ensure that important tasks
  are completed according to defined requirements, and timely corrective
  actions to address deviations from requirements are taken. While the
  PMO directed the divisions to develop continuity plans by mid-August
  and established early September as the milestone for integrating the
  division plans, it had not yet established a milestone for the
  completion of field office business continuity plans or established
  milestones for testing both field-level and division-level continuity
  plans.

o Define all its core business processes. The business continuity
  planning process focuses on reducing the risk of Year 2000-induced
  business failures. Thus, it is essential for agencies to identify their
  core business processes and supporting mission-critical systems. Our
  guidance recommends that this be done during the initiation phase so
  that in the business impact phase agencies can examine business process
  composition, priorities, and dependencies and define the minimum
  acceptable level of outputs and services for each core process. In May
  1999, the PMO tasked its headquarters divisions to identify their core
  business processes and supporting mission-critical systems. As of July
  1999, only one of the five divisions we contacted had defined its core
  processes and supporting systems; the other four reported that they
  were in the process of doing so.

o Implement a complete risk management process for continuity planning.
  Our guidance recommends that agencies implement a risk management and
  reporting process during the initiation phase of the business
  continuity planning project that includes identifying business
  continuity project risks, developing measures for tracking planning
  progress and determining plans' quality, establishing reporting
  requirements, and assessing system renovation risks. The FBI had not
  identified project risks, developed measures, or established a
  reporting system for its business continuity planning project, although
  it had implemented a risk management process for its mission-critical
  systems.

o Perform risk and impact analyses for each core business process. To
  help develop adequate contingency procedures, our guidance recommends
  that agencies determine the impact of internal and external information
  system failures and infrastructure services on each core business
  process. The PMO has directed both headquarters divisions and field
  offices to assess the impact of internal and external system failures
  on core functions and to use these analyses in their business
  continuity planning. One of the five divisions and two of the three
  field offices we contacted reported that they had not yet begun their
  impact analyses, although they stated that they plan to do so.

o Assess the costs and benefits of alternative continuity strategies. To
  select the best contingency strategy for each core business process,
  our guidance recommends that agencies assess the costs and benefits of
  identified alternatives as a first step in the contingency planning
  phase. The FBI had not assessed the cost and benefits of alternative
  strategies, and it has not instructed its divisions and field offices
  to do so. 

o Plan for the testing phase of its business continuity planning effort.
  Agencies need to test their continuity plans to evaluate whether they
  are capable of providing the desired level of support to core business
  processes and whether the plans can be implemented within a specified
  period. To effectively prepare for such tests, our guidance recommends
  that agencies develop and document test plans and establish teams and
  acquire contingency resources. Our guidance also recommends that
  agencies rehearse business resumption teams to ensure that each team
  and team member is familiar with business resumption procedures and
  their roles. The FBI had yet to undertake these important planning
  tasks and, as discussed earlier, has yet to set milestones for
  completing its testing efforts.

Conclusions

The FBI reports good progress in making its mission-critical systems Year
2000 compliant and in developing system-level contingency plans. However,
because Justice has not explicitly required and emphasized the importance
of business continuity plans, the FBI started late in undertaking its
business continuity planning effort, and it is now faced with a compressed
time frame for testing and finalizing its plans. Unless the FBI moves
swiftly to implement the management controls and processes it lacks, it is
unlikely to have effective business continuity plans in place by the turn
of the century, and it runs the serious risk of not being able to sustain
the minimal levels of service needed to meet its mission if confronted
with Year 2000 system failures.

Recommendations

We recommend that the Attorney General direct the Department of Justice's
Year 2000 Program Office to clarify the department's expectations for Year
2000 business continuity planning for all Justice bureaus, emphasizing the
need for these plans and discussing OMB's adoption of our guidance as a
federal standard. We also recommend that the Attorney General direct the
FBI Director to take the following actions:

o establish and implement a plan for the timely development and testing
  of effective headquarters and field office Year 2000 business
  continuity plans, including incremental milestones for completing all
  relevant key processes in our guide associated with business impact
  analysis, plan development, and plan testing, and

o establish and implement effective controls and structures for managing
  Year 2000 business continuity planning, including each of the relevant
  key processes addressed in our Year 2000 contingency planning guide and
  discussed in this report as not yet being satisfied. 

Agency Comments and Our Evaluation

In written comments on a draft of this report, Justice disagreed with our
conclusion that it has not required the development and emphasized the
importance of business continuity plans. To support its position, Justice
(1) cited Year 2000 guidance and information provided to its bureaus in
early 1998, (2) noted that three of its eight bureaus currently have plans
in place, and (3) stated that it provided OMB a departmentwide business
continuity and contingency plan on June 15, 1999. 

We do not agree with Justice's position for several reasons. First,
guidance cited by Justice does not address business continuity planning
per se. Justice's guidance transmitted our Year 2000 guide and a
description of the Social Security Administration's (SSA) business
continuity planning efforts, but did not direct the bureaus to develop and
test business continuity plans. Second, as stated in its response to our
report, only three of eight Justice bureaus have developed business
continuity plans at this late date, which further supports our conclusion.
Third, Justice's department-level plan is not relevant to our conclusion
about bureau-level planning, direction and guidance. Moreover, in its
comments Justice acknowledges that it has concentrated on system-level
contingency plans as opposed to business continuity planning. To its
credit, after receiving a draft of our report, Justice held a meeting with
selected bureaus that was attended by us, in which it required and
explained the importance of business continuity plans; however, Justice
provided no evidence that all bureaus were subjected to this requirement. 

Justice also stated that the FBI has developed a plan for the timely
development and testing of headquarters and field office business
continuity plans, and has established controls and structures for managing
business continuity planning. We are encouraged by the FBI's first step in
responding to our recommendations. To fully implement our recommendations,
the FBI must effectively implement its plan, which requires, among other
things, that it define reporting requirements and measures of interim
progress and effectively act to address any deviations from expectations.
Further, the FBI must establish and effectively implement all business
continuity key processes, including effectively monitoring their
implementation so that any deviations are identified and corrective action
is taken immediately.

Justice's written comments, along with our detailed response, are
reprinted in appendix III.

We are sending copies of this report to the Honorable Jacob J. Lew,
Director, Office of Management and Budget; the Honorable Janet Reno,
Attorney General; the Honorable Louis J. Freeh, Director of the Federal
Bureau of Investigation; and John Koskinen, Chairman of the President's
Council on Year 2000 Conversion. Copies will be made available to others
upon request.

If you have any questions, please contact me or Deborah Davis, Assistant
Director, at (202) 512-6240 or by e-mail at [email protected]  or
[email protected]. Other major contributors to this work were Cristina
Chaplain, Carl Higginbotham, and John Ortiz.

Randolph C. Hite
Associate Director, Governmentwide 
  and Defense Information Systems

--------------------------------------
/Footnote1/ Year 2000 Computing Crisis: Business Continuity and
  Contingency Planning (GAO/AIMD-10.1.19, August 1998).
/Footnote2/ Year 2000 Computing Crisis: Readiness Improving, But Much
  Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January
  20, 1999).

BRIEFING TO THE SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM
=====================================================================

OBJECTIVES, SCOPE, AND METHODOLOGY
==================================

Our objectives were to determine (1) the status of and plans for
completing the FBI's contingency planning for continuity of operations and
(2) whether the FBI's contingency planning efforts satisfy the key
processes described in our business continuity and contingency planning
guide./Footnote1/

To accomplish our first objective, we reviewed the FBI's progress towards
developing and testing business continuity plans and compared it to our
recommended milestones./Footnote2/ Also, we reviewed supporting
documentation to evaluate the status and progress of the FBI's efforts
against milestones. Specifically, we reviewed the FBI's business
continuity guidance provided to headquarters divisions and field offices,
business continuity task force meeting minutes, IT and non-IT status
reports, and system-level contingency planning documents. In addition, we
reviewed Justice's Year 2000-related guidance, including its roles,
responsibilities and guidance document, dated January 23, 1999; and its
guidelines for testing contingency plans, dated March 1999.

We accomplished our second objective by identifying the FBI's Year 2000
program management controls and comparing these to controls (i.e., key
processes) described in our business continuity and contingency planning
guide. In addition, we reviewed supporting documentation to verify that
the management controls were functioning as intended and, using specified
criteria,/Footnote3/ determined whether each of the key processes was
satisfied. To do this verification, we reviewed documents describing the
FBI's business continuity planning activities, business continuity task
force meeting minutes, contractors' statements of work, organization
charts, and business continuity planning guidance provided to the
headquarters divisions and field offices by the Year 2000 Program Office.

To supplement our analysis of documentation, we interviewed key Year 2000
program officials, such as the Year 2000 Program Manager, support
contractor representatives, and headquarters' division and field office
representatives/Footnote4/ responsible for developing business continuity
plans. We selected these offices because the divisions were responsible
for developing continuity plans for the FBI's core business processes and
the field offices were three of the largest field units. The Year 2000
Program Office agreed with our selections. 

We performed our work at FBI headquarters in Washington, D.C. We performed
our work from March through August 1999 in accordance with generally
accepted government auditing standards.

--------------------------------------
/Footnote1/-^Year 2000 Computing Crisis: Business Continuity and
  Contingency Planning (GAO/AIMD-10.1.19, August 1998).
/Footnote2/-^Year 2000 Computing Crisis: Readiness Improving, But Much
  Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20,
  1999).
/Footnote3/-^"Satisfied" means that the key process was developed and
  implemented, and documentation was provided. "Partially satisfied" means
  that some, but not all, components of the key process were developed and
  implemented, and documentation was provided. "Plans to satisfy" means
  that the key process was not yet developed or implemented but guidance
  directs the divisions to develop it. "Not satisfied" means that the key
  process was not developed and not addressed in guidance to the divisions.
/Footnote4/-^Criminal Investigative Division, Criminal Justice Information
  Services Division, Information Resources Division, Laboratory Division,
  National Security Division and the Los Angeles, New York, and
  Washington, D.C., field offices.

COMMENTS FROM THE DEPARTMENT OF JUSTICE
=======================================

The following is our detailed response to the Department of Justice's
comments, dated September 21, 1999, on a draft of this report. 

GAO Response

   1. We do not agree with Justice's statement that its guidance and
         information adequately emphasize the importance of business
         continuity planning, and therefore have not modified our position
         in the report that the department has not required and emphasized
         the importance of business continuity plans. As we stated in our
         report, Justice's Year 2000 guidance, dated January 23, 1999,
         only requires that its bureaus develop system-level contingency
         plans and does not address business continuity planning. In
         addition, Justice's Year 2000 Program Manager told us that
         Justice's Year 2000 guidance does not instruct its bureaus to
         prepare business continuity plans, and in fact Justice, in its
         comments on our draft report, states that the Department has
         concentrated on system-level contingency plans as opposed to
         business continuity plans. 

Regarding the comment that beginning in February 1998, the department's
Year 2000 Program Office provided information on business continuity and
contingency plans to its components, including the FBI, Justice did not
provide evidence with its comments to support this statement. We
subsequently asked for support and were advised that the Year 2000 Program
Manager provided our Year 2000 business continuity and contingency
planning guide to Justice's designated senior officials for Year 2000 and
members of Justice's Year 2000 working group. Justice's Year 2000 Program
Manager also provided the Year 2000 working members with a copy of SSA's
business continuity and contingency plan, as well as meeting minutes from
the April and May Chief Information Officer (CIO) Council Committee
working group on the Year 2000, where SSA's business continuity plan was
discussed. However, Justice provided no evidence that it established
expectations for its bureaus with respect to business continuity planning,
and Justice's Year 2000 Program Manager told us that communications with
the bureaus never included a requirement to develop and test business
continuity plans.

   2. Justice issued Year 2000-related guidance to its bureaus on testing
         contingency plans, but the guidance only addresses the testing of
         system-level contingency plans, not business continuity plans. In
         fact, in his March 31, 1999, memorandum, the Assistant Attorney
         General for Administration makes this point clear when he states
         that contingency plans have been completed for most of the
         Department's mission-critical systems and that the next step is
         the testing of these plans.

   3. We have not reviewed the Justice-referenced department-level business
         continuity and contingency plan because this plan was not
         relevant to the scope of our review. As a result, we cannot
         comment on this plan beyond noting that many of the essential
         elements of such a plan, e.g., core business processes, risk and
         impact analyses, and contingency strategies, had not been
         completed by all the bureaus at the time Justice submitted the
         plan to OMB (June 15, 1999). For example, as of August 1999, the
         FBI had not yet (1) identified its core business processes, (2)
         completed risk and impact analyses at its headquarters and field
         offices, and (3) developed contingency strategies. Only since
         receiving our draft report for comment has Justice requested that
         four of its bureaus, including the Immigration and Naturalization
         Service and the U.S. Marshals Service, develop and test business
         continuity and contingency plans, and thus far these four have
         only initiated preliminary development activities. 

   4. We cannot comment on the number of Justice bureaus that do or do not
         have business continuity plans because we have not reviewed each
         of the bureaus' continuity planning efforts. However, the fact
         that Justice acknowledges in its comments that only three of its
         eight components have developed business continuity plans further
         demonstrates our point that Justice has not established clear
         expectations for Year 2000 business continuity planning.

   5. We do not agree that we have favorably reviewed the Bureau of
         Prisons' (BOP) business continuity plans. As of January 1999,
         when we completed our review of BOP's Year 2000 program
         management, BOP had not yet completed business continuity plans,
         and had not yet completed its review and testing of emergency
         preparedness plans. As we stated in our report, Year 2000
         Computing Crisis: Status of Bureau of Prisons' Year 2000 Effort
         (GAO/AIMD-99-23, January 27, 1999), BOP's Year 2000 Program
         Manager had at that time directed all offices, including BOP
         contract facilities and institutions, to (1) review and analyze
         emergency preparedness plans for consideration of the threat of
         external infrastructure and internal system failures, (2) revise
         those plans as necessary by March 1, 1999, and (3) test the
         revised plans prior to April 5, 1999. As a result, we concluded
         that BOP had established plans for completing important business
         continuity planning efforts but that BOP still needed to
         effectively implement its plans to minimize its Year 2000 risks.

   6. We have not reviewed Justice Management Division/Computer Services
         Staff's (JMD/CSS) business continuity plan because it was not
         relevant to the scope of our review. Therefore, we cannot comment
         on JMD/CSS' plan.

   7. Requiring selected bureaus to develop and test continuity of business
         plans is the first step in responding to our recommendation. We
         are committed to providing Justice further assistance, if
         requested, in explaining our Year 2000 business continuity
         planning guide. To fully respond to our recommendation, Justice
         must clarify its expectations for all of its bureaus and
         explicitly require all of them to effectively develop and test
         continuity of business plans. In addition, Justice's Year 2000
         Program Office must monitor each bureau's business continuity
         planning efforts and ensure that they are completed in accordance
         with expectations.

   8. Establishing and implementing a plan for timely development and
         testing of effective headquarters and field office Year 2000
         business continuity plans is a first step in responding to our
         recommendation. The FBI must ensure that its plan is effectively
         implemented, which among other things, will require it to define
         reporting requirements and measures of interim progress, and
         effectively act to address any deviations from expectations. 

   9. Establishing and implementing effective controls and structures for
         managing Year 2000 business continuity planning are first steps
         in responding to our recommendation. In particular, the FBI (1)
         developed a master schedule for developing and testing
         contingency plans, (2) tasked its headquarters and field offices
         to define and describe the minimum acceptable level of business
         operations, complete contingency plans by the end of October
         1999, and develop and execute test plans by November 1999, and
         (3) provided guidance to its headquarters and field offices for
         developing contingency plans. However, it did not provide any
         evidence that it has (1) established a risk management process,
         (2) initiated quality assurance reviews, and (3) planned for
         updating business continuity plans based upon test results and
         retesting the plan, if necessary. Moreover, given that the FBI
         has many important tasks to complete with very little time, it is
         important that FBI's leadership monitor its implementation of
         these controls and structures to ensure that any deviations are
         identified and corrective action taken immediately. 

(511140)