Year 2000 Computing Challenge: DEA Has Developed Plans and Established
Controls for Business Continuity Planning (Letter Report, 10/14/1999,
GAO/AIMD-00-8).

The Drug Enforcement Administration (DEA) has managed its business
continuity planning efforts in accordance with the structure and process
recommended by GAO's business continuity and contingency planning guide
and it has made progress toward completing Year 2000 business continuity
plans. DEA had planned to complete development of its business
continuity plans by early September 1999 and to test them by the end of
November 1999. DEA's development of its plans is about four months
behind GAO's recommended date, and its testing milestone is about two
months behind GAO's recommended date. Despite the progress so far, DEA
is running late and still has many important tasks to complete. Its
plans for completing these tasks leave little time to address any
schedule slippage.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-8
     TITLE:  Year 2000 Computing Challenge: DEA Has Developed Plans and
	     Established Controls for Business Continuity
	     Planning
      DATE:  10/14/1999
   SUBJECT:  Strategic information systems planning
	     Y2K
	     Computer security
	     Computer software verification and validation
	     Systems conversions
IDENTIFIER:  DEA Year 2000 Program

GAO/AIMD-00-8

Report to the Special Committee on the Year 2000 Technology Problem

October 1999

YEAR 2000 COMPUTING CHALLENGE

DEA Has Developed Plans and Established Controls for Business Continuity
Planning

Letter

Appendixes

Appendix I: Briefing to the Senate Special Committee on the Year 2000
Technology Problem

Appendix II: Objectives, Scope, and Methodology

DEA     Drug Enforcement Administration

IT      information technology

BCCP    Business Continuity and Contingency Planning

A "zero day" strategy includes procedures for minimizing the risk
associated with potential Year 2000-induced failures for the period
between December 30, 1999, and January 3, 2000. This strategy may include
an agencywide shutdown of all information systems on December 31, 1999,
and a phased power-up on January 1, 2000.

Accounting and Information Management Division

B-282158

October 14, 1999

The Honorable Robert F. Bennett 
Chairman
The Honorable Christopher J. Dodd
Vice Chairman
Senate Special Committee on the Year 2000 Technology Problem
United States Senate

Despite an organization's best efforts to remediate its mission-critical
systems, core business processes may still be disrupted by Year 2000-
induced failures and errors in internal systems, business partners'
systems, or public infrastructure systems such as power, water,
transportation, and telecommunications systems. Contingency plans for
continuity of business operations help mitigate the risks and impacts
associated with unexpected internal and uncontrollable external system
failures.

At your request, we determined (1) the status of and plans for completing
the Drug Enforcement Administration's (DEA) contingency planning for
continuity of operations and (2) whether DEA's contingency planning
efforts satisfy the key processes described in our business continuity and
contingency planning guide./Footnote1/ On July 21, 1999, we briefed your
office on these matters. This report summarizes and updates the
information presented in the briefing. The briefing slides are presented
in appendix I. Details of our objectives, scope, and methodology are in
appendix II. We performed our work from March through July 1999 in
accordance with generally accepted government auditing standards. We
updated the status of DEA's development of its business continuity plans
through August 1999.

Results In Brief

DEA has managed its business continuity planning efforts in accordance
with the structures and processes recommended by our business continuity
and contingency planning guide and it has made progress toward completing
Year 2000 business continuity plans. DEA plans to complete development of
its business continuity plans by early September 1999 and to test them by
the end of November 1999. DEA's development of its plans is about 4 months
later than our April 30, 1999, recommended date and its testing milestone
is 2 months behind our recommended date of September 30, 1999./Footnote2/ 

While progress has been made, DEA is nevertheless running late and still
has many important tasks to complete, and its plans for completing these
tasks leave little time to address any schedule slippage. Therefore, it is
important that DEA's leadership continues to monitor its business
continuity planning efforts to ensure that any deviations from plans are
identified and that corrective actions are taken immediately to ensure
that this very important Year 2000 risk mitigation process is completed on
time.

DEA officials commented on a draft of the briefing slides and agreed with
our findings and conclusions.

Background

DEA's mission is to enforce the controlled substances laws and regulations
of the United States, to bring to the criminal and civil justice systems
organizations and individuals involved in the growing, manufacture, or
distribution of controlled substances, and to recommend and support
programs aimed at reducing the availability of illicit controlled
substances. For purposes of business continuity planning, DEA has defined
six core business processes:

o Investigations of regional, national, and international drug cases;

o Tracking information on domestically cultivated and manufactured
  illegal drugs;

o Enforcement of the country's drug laws;

o Regulation and control of the distribution of controlled substances;

o Management of human resource issues such as payroll, health, staffing,
  and training; and 

o Financial management of payroll, bills paying, and ordering of supplies.

To carry out its responsibilities, DEA depends extensively on information
technology (IT) systems. For example, DEA uses the Narcotics and Dangerous
Drugs Information System, which includes information on people,
businesses, vessels, and selected airfields of interest to support its
investigation process. In addition, DEA uses the Automation of Reports and
Consolidated Orders System to track the sales and purchases of illegal
drugs between manufacturers, distributors, and the retail sector (e.g.,
practitioners, hospitals, and pharmacies). 

DEA has been working to address the Year 2000 problem with its critical IT
systems. Under the leadership of its Year 2000 executive, DEA identified 
38 mission-critical IT systems. DEA reported that all its mission-critical
IT systems were Year 2000 compliant as of March 1999.

DEA Has Limited Time Remaining to Complete Important Business Continuity
Planning Tasks

To ensure that agencies have sufficient time to develop, test, and
finalize business continuity plans, we recommended that agencies develop
their business continuity plans by April 30, 1999, and test them by
September 30, 1999. This allows sufficient time for agencies to evaluate
whether individual contingency plans are capable of providing the level of
support needed to their core business processes and whether the plan can
be implemented within a specified period of time.

DEA had made progress towards developing and testing its business
continuity plans; however, its efforts are running late and its schedule
and milestones leave limited time to complete many important tasks. DEA
plans to complete the development of its business continuity plans by
early September 1999 and to test them by the end of November 1999, which
is 4 months and 2 months later, respectively, than we recommended.

In March 1999, DEA's Year 2000 Program Office briefed the headquarters and
field divisions on DEA's Year 2000 business continuity and contingency
planning strategy and milestones for preparing draft business continuity
plans, reviewing and revising the plans, and testing the plans. As of July
1999, DEA had met most of the milestones identified in its strategy. For
example, DEA's field and headquarters divisions began submitting draft
plans in May, and in June, the Business Continuity and Contingency
Planning (BCCP) Task Force began reviewing the draft plans to identify
needed improvements and best practices. In addition, contractors, system
owners, and users have begun validating and testing system-level
contingency plans and the Year 2000 Program Office is currently developing
plans and schedules for the agencywide rehearsal of the business
continuity plans. 

While DEA has made progress towards developing and testing its business
continuity plans, it still has many important testing activities to
complete in about 4 months before the century date change. For example, as
of July 1999, DEA had not validated its business continuity strategy;
defined, documented, and reviewed test plans; prepared test schedules and
test scenarios; validated the functional capability of each contingency
plan; rehearsed business resumption teams to ensure that each team member
is familiar with procedures, roles, and responsibilities; or updated
business continuity plans based upon lessons learned and retested them,
if necessary. Such a challenging list of tasks, with only about 4 months
remaining, leaves DEA limited time for addressing problems that could
arise, such as schedule slippage or delayed delivery of resources needed
to implement contingencies.

DEA Has Satisfied or Has Plans to Satisfy Most Key Processes For Business
Continuity Planning

Our business continuity and contingency planning guide provides a
four-phased structured approach for business continuity planning:
initiation, business impact analysis, contingency planning, and testing.
Each phase includes several key processes to be completed within that
phase. DEA has satisfied or has plans to satisfy most of these key
processes.

DEA Has Satisfied the Key Processes in the Initiation Phase 
------------------------------------------------------------

According to our contingency planning guide, effective initiation of a
business continuity planning effort includes, among other things, 
(1) establishing a business continuity project work group that reports to
executive management and includes representatives from major business
units, (2) developing and documenting a high-level business continuity
planning strategy that includes project structure, metrics and reporting
requirements, and cost and schedule estimates, (3) defining core business
processes and the supporting mission-critical systems, and 
(4) implementing quality assurance reviews to verify that the business
continuity plans satisfy information requirements.

DEA has implemented all of the initiation phase key processes. For
example, DEA's Year 2000 Program Office (1) established a BCCP task force,
which reports to senior management and consists of division and contractor
representatives, to help develop guidance and review contingency plans;
(2) documented and communicated the business continuity planning project
structure and reporting requirements throughout the agency through
management memoranda and briefings, developed reporting metrics to support
executive management's reporting requirements, and developed initial cost
and schedule estimates for the business continuity planning activities;
(3) defined its six core business processes and identified the mission-
critical systems that support each of them; and (4) tasked the BCCP task
force and its supporting contractors to review the divisions' plans for
adherence to DEA's guidance and consistency, and to ensure that the plans
address appropriate core business processes.

DEA Has Satisfied or Plans to Satisfy All Business Impact Analysis Key
Processes
---------------------------------------------------------------------------

The objective of the business impact analysis phase is to determine the
effect of mission-critical information systems' failures on the viability
and effectiveness of agencies' core business processes. According to our
guide, effective business impact analysis includes, among other things, 
(1) defining and documenting Year 2000 failure scenarios, (2) performing
risk and impact analyses of each core business process, and (3) defining
the minimum acceptable level of output and services for each core business
process.

DEA has fully satisfied, partially satisfied, or has plans to satisfy all
business impact analysis key processes. For example, DEA's Year 2000
Program Office (1) defined general failure scenarios, such as
infrastructure outages or system failures, and directed the headquarters
and field divisions to ensure that failure scenarios are defined in their
business continuity plans and (2) assigned risks and assessed the impact
of internal and external system failures on each core business process and
instructed the field and headquarters divisions to perform risk and impact
analyses for the core business processes that they support. In addition,
during the business continuity plan review and revision process, DEA Year
2000 program officials plan to ensure that the divisions define the
minimum acceptable levels of service for each core business process.
According to these officials, the criteria for establishing the minimal
acceptable levels are those which will not compromise the safety and
security of DEA resources.

DEA Has Fully or Partially Satisfied Most Contingency Planning Key Processes
---------------------------------------------------------------------------

The purpose of the contingency planning phase is to integrate and act on
the business impact analysis results. According to our contingency
planning guide, effective contingency planning includes, among other
things, (1) defining and documenting triggers for activating contingency
plans for each core business process, (2) developing and documenting a
"zero day"/Footnote3/ strategy and procedures, (3) establishing a business
resumption team for each core business process that is responsible for
managing and implementing the contingency plans, and (4) assessing the
costs and benefits of identified alternatives and selecting the best
contingency strategy for each core business process.

DEA has fully or partially satisfied all but one contingency planning key
process. For example, DEA (1) defined triggers for activating contingency
plans in case of IT and infrastructure failures, such as loss of system
services, communications services, and emergency services, and 
(2) developed a "zero day" strategy that includes participation by all
sites during the Year 2000 transition weekend (December 30, 1999, through
January 2, 2000). Further, DEA plans to establish and train Year 2000
business response teams within its existing "command center" support
structure to ensure that Year 2000 contingency plans can be successfully
executed if necessary.

However, DEA has not assessed the costs and benefits of identified
contingency alternatives and its guidance does not instruct the
headquarters and field divisions to complete cost/benefit analyses during
the development of their business continuity plans. DEA's Year 2000
program officials stated that, during the review of the divisions' draft
plans, they would consider the cost effectiveness of alternative
contingency strategies.

DEA Plans to Satisfy All Testing Key Processes
----------------------------------------------

The objective of the testing phase is to verify that, when implemented,
contingency plans provide the required levels of business performance.
According to our continuity planning guide, effective testing includes,
among other things, (1) validating the business continuity strategy
through reviews, rehearsals, or quality assurance audits, (2) establishing
test teams responsible for preparing and executing the contingency plan
test and acquiring contingency resources, and (3) updating the business
continuity plans based upon lessons learned and retesting if necessary.

DEA plans to satisfy all the key processes for the testing phase. For
example, DEA's draft Business Continuity and Contingency Plan and master
test plan include plans to (1) conduct "talk-throughs," "walk-throughs,"
and simulations, with participation by system owners, business owners, and
users, to ensure that the system-level contingency plans support DEA's core
business processes and to rehearse the divisions' business continuity
plans, (2) establish business response teams and command centers at
headquarters and throughout the headquarters and field divisions that are
responsible for executing the tests, and (3) update its division- and
agency-level business continuity plans based upon lessons learned and to
retest them, if necessary.

Conclusions

DEA is developing Year 2000 contingency plans for continuity of business
operations and has established effective management controls for ensuring
that this very important Year 2000 risk mitigation task is completed on
time. However, DEA is behind our recommended schedule, has many important
planning steps yet to complete, and has very little time to address any
slippage in its schedule. As a result, it is important that DEA's
leadership continue to closely monitor business continuity planning
efforts to ensure that any deviations from plans are identified and that
corrective actions are taken immediately. While management structures and
processes cannot guarantee that DEA will not experience Year 2000-induced
system failures and business impacts, if the agency implements its plans
and follows its policies and procedures to ensure that remaining business
continuity tasks are completed, it should effectively reduce the severity
of these impacts.

Agency Comments

We provided the attached briefing to DEA officials, including the senior
DEA Year 2000 official, on July 20, 1999, who agreed with our findings and
conclusions and provided some updated status information. We incorporated
DEA's comments into the briefing where appropriate before briefing your
office on July 21, 1999.

We are sending copies of this report to the Honorable Jacob J. Lew,
Director, Office of Management and Budget; the Honorable Janet Reno,
Attorney General; and the Honorable Thomas A. Constantine, Administrator,
U.S. Drug Enforcement Administration. Copies will be made available to
others upon request.

If you have any questions regarding this report, please contact me or
Deborah Davis, Assistant Director, at (202) 512-6240 or by e-mail. Key
contributors to this assignment were Tonia Brown and Teresa Tucker.

Randolph C. Hite
Associate Director, Governmentwide 
 and Defense Information Systems

--------------------------------------
/Footnote1/-^Year 2000 Computing Crisis: Business Continuity and
  Contingency Planning (GAO/AIMD-10.1.19, August 1998).
/Footnote2/-^Year 2000 Computing Crisis: Readiness Improving, But Much
  Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 1999).
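/Footnote3/-^A "zero day" strategy includes procedures for minimizing the
  risk associated with potential Year 2000-induced failures for the period
  between December 30, 1999, and January 3, 2000. This strategy may include
  an agencywide shutdown of all information systems on December 31, 1999,
  and a phased power-up on January 1, 2000. The shutdown may extend to
  infrastructure systems, including local area networks, elevators, and
  building management systems.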

BRIEFING TO THE SENATE SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM
===========================================================================

OBJECTIVES, SCOPE, AND METHODOLOGY
==================================

Our objectives were to determine (1) the status of and plans for
completing DEA's contingency planning for continuity of operations and (2)
whether DEA's contingency planning efforts satisfy the key processes
described in GAO's business continuity and contingency planning
guide./Footnote1/ 

To accomplish our first objective, we reviewed DEA's high-level strategy,
plans, and schedules for developing and testing business continuity plans
and compared these to our recommended milestones./Footnote2/ Additionally,
we reviewed supporting documentation to evaluate the status and progress
of DEA's efforts against its plans and schedules. Specifically, we
reviewed project plans, progress and status reports, and Year 2000 program
management memoranda. To supplement our analysis, we discussed the status
of planned and ongoing activities with Year 2000 program officials
responsible for implementing the management strategy and overseeing the
divisions' activities, division chiefs responsible for developing business
continuity plans, and contractors responsible for reviewing the plans and
developing validation procedures. 

We accomplished our second objective by identifying DEA's Year 2000
program management controls and comparing these to controls (i.e., key
processes) described in our business continuity and contingency planning
guide. In addition, we reviewed supporting documentation to verify that
the management controls were functioning as intended and, using specified
criteria,/Footnote3/ determined whether each of the key processes was
satisfied. To do this verification, we reviewed documents describing DEA's
business continuity planning strategy, organization charts, documents
describing business continuity planning activities, risk management
matrices, contractors' statements of work, and business continuity
planning guidance provided to the divisions by the Year 2000 Program
Office. We then judgmentally selected eight draft business continuity
plans for review and compared these to the key processes in GAO's business
continuity and contingency planning guide. To supplement our analysis, we
interviewed key Year 2000 program officials, such as the Year 2000
executive and Year 2000 program manager, division representatives, and
support contractor representatives.

We performed our work at DEA's headquarters in Arlington, Virginia. We
performed our work from March through July 1999 in accordance with
generally accepted government auditing standards. We updated the status of
DEA's development of its business continuity plans through August 1999.

(511141)

--------------------------------------
/Footnote1/-^Year 2000 Computing Crisis: Business Continuity and
  Contingency Planning (GAO/AIMD-10.1.19, August 1998).
/Footnote2/-^Year 2000 Computing Crisis: Readiness Improving, But Much
  Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 1999).
/Footnote3/-^"Satisfied" means that the key process was developed and
  implemented and documentation was provided. "Partially satisfied" means
  that some components, but not all, of the key process were developed and
  implemented, and documentation was provided. "Plans to satisfy" means
  that the key process was not yet developed or implemented but may be
  ongoing and guidance directs the divisions to develop. "Not satisfied"
  means that the key process was not developed and not addressed in
  guidance to the divisions.
