Defense Computers: Year 2000 Computer Problems Threaten DOD Operations
(Letter Report, 04/30/98, GAO/AIMD-98-72).

Pursuant to a congressional request, GAO reviewed the Department of
Defense's (DOD) program for solving the year 2000 computer systems
problem, focusing on the: (1) overall status of DOD's effort to identify
and correct its date-sensitive systems; and (2) appropriateness of DOD's
strategy and actions to correct its year 2000 problems.

GAO noted that: (1) DOD relies on computer systems for some aspect of
all of its operations, including strategic and tactical operations,
sophisticated weaponry, intelligence, surveillance and security efforts,
and routine business functions, such as financial management, personnel,
logistics, and contract management; (2) failure to successfully address
the year 2000 problem in time could severely degrade or disrupt any of
DOD's mission-critical operations; (3) DOD has taken many positive
actions to increase awareness, promote sharing of information, and
encourage components to make year 2000 remediation efforts a high
priority; (4) however, its progress in fixing systems has been slow; (5)
in addition, DOD lacks key management and oversight controls to enforce
good management practices, direct resources, and establish a complete
picture of its progress in fixing systems; (6) as a result, DOD lacks
complete and reliable information on systems, interfaces, other
equipment needing repair, and the cost of its correction efforts; (7) it
is spending limited resources fixing nonmission-critical systems even
though most mission-critical systems have not been corrected; (8) it has
also increased the risk that: (a) year 2000 errors will be propagated
from one organization's systems to another's; (b) all systems and
interfaces will not be thoroughly and carefully tested; and (c)
components will not be prepared should their systems miss the year 2000
deadline or fail unexpectedly in operation; (9) each one of these
problems seriously endangers DOD chances of successfully meeting the
year 2000 deadline for mission-critical systems; and (10) together, they
make failure of at least some mission-critical systems and the
operations they support almost certain unless corrective actions are
taken.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-98-72
     TITLE:  Defense Computers: Year 2000 Computer Problems Threaten DOD 
             Operations
      DATE:  04/30/98
   SUBJECT:  Systems conversions
             Information systems
             Cost analysis
             Computer software verification and validation
             Information resources management
             Data integrity
             Strategic information systems planning
             Systems compatibility
IDENTIFIER:  Defense Integration Support Tools Data Base
             DLA Standard Automated Materiel Management System
             DOD Year 2000 Management Plan
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Report to Congressional Requesters

April 1998

DEFENSE COMPUTERS - YEAR 2000
COMPUTER PROBLEMS THREATEN DOD
OPERATIONS

GAO/AIMD-98-72

Defense Year 2000 Overview

(511636)


Abbreviations
=============================================================== ABBREV

  AMC - Army Materiel Command
  ASDC3I - Assistant Secretary of Defense for Command, Control,
     Communications and Intelligence
  AUTODIN - Automated Digital Network
  CCSS - Commodity Command Standard System
  CMM - Capability Maturity Model
  DFAS - Defense Finance and Accounting Service
  DISA - Defense Information Systems Agency
  DIST - Defense Integration Support Tools
  DLA - Defense Logistics Agency
  DMS - Defense Message System
  DOD - Department of Defense
  FMSO - Fleet Material Support Office
  GCCS - Global Command Control System
  GPS - Global Positioning System
  LSSC - Logistics Systems Support Center
  NAVSUP - Naval Supply Systems Command
  OMB - Office of Management and Budget
  OSD - Office of the Secretary of Defense
  SSG - Standard Systems Group

Letter
=============================================================== LETTER


B-278156

April 30, 1998

The Honorable Fred Thompson
Chairman
Committee on Governmental Affairs
United States Senate

The Honorable Stephen Horn
Chairman
Subcommittee on Government
 Management, Information and Technology
Committee on Government Reform and Oversight
House of Representatives

The Honorable Thomas M.  Davis, III
House of Representatives

The Year 2000 problem results from the inability of computer systems
at the year 2000 to interpret the century correctly from a recorded
or calculated date having only two digits to indicate the year.  Time
is running out to correct Department of Defense systems that could
malfunction or produce incorrect information when the year 2000 is
encountered during automated data processing.  The impact of these
failures could be widespread, costly, and potentially disruptive to
military operations worldwide. 

For an organization as large as Defense--with over 1.5 million
computers, 28,000 systems, and 10,000 networks--addressing its Year
2000 problem is a formidable task.  Several Defense components are
larger than most civil agencies and, in addition to the computers
themselves, thousands of embedded microprocessors used in a variety
of equipment such as telephone switches, traffic control, security,
and elevator control systems, and some weapons systems must be
checked for Year 2000 vulnerabilities. 

In view of the impact this problem can have on warfighting and
military support missions, you requested that we review the
Department of Defense's program for solving the Year 2000 computer
systems problem.  In response to your request, we have separately
reviewed Year 2000 efforts being carried out by the Army, Navy, and
Air Force; the Defense Logistics Agency (DLA); the Defense Finance
and Accounting Service (DFAS); the Defense Information Systems Agency
(DISA); and three central design activities.\1 This report assesses
(1) the overall status of Defense's effort to identify and correct
its date-sensitive systems and (2) the appropriateness of Defense's
strategy and actions to correct its Year 2000 problems. 


--------------------
\1 The Army's Logistics System Support Center, the Navy's Fleet
Material Support Office, and the Air Force's Standard Systems Group. 


   RESULTS IN BRIEF
------------------------------------------------------------ Letter :1

The Department of Defense relies on computer systems for some aspect
of all of its operations, including strategic and tactical
operations, sophisticated weaponry, intelligence, surveillance and
security efforts, and routine business functions, such as financial
management, personnel, logistics, and contract management.  Failure
to successfully address the Year 2000 problem in time could severely
degrade or disrupt any of Defense's mission-critical operations. 

Defense has taken many positive actions to increase awareness,
promote sharing of information, and encourage components to make Year
2000 remediation efforts a high priority.  However, its progress in
fixing systems has been slow.  For example, the department is still
assessing systems even though it originally anticipated this would be
done in June 1997.  In addition, Defense lacks key management and
oversight controls to enforce good management practices, direct
resources, and establish a complete picture of its progress in fixing
systems.  For example: 

  -- There is no program office or full-time executive in charge of
     the departmentwide effort. 

  -- Information being reported to Defense by components does not
     provide a reliable indication of program status because it is
     not being validated for accuracy or completeness. 

  -- Defense has not issued adequate guidance to its components on
     key issues concerning status reporting, interfaces, and testing. 

  -- Defense has not determined, at the departmentwide level, which
     systems have the highest impact on its mission. 

  -- Defense is not ensuring that its components are preparing
     written interface agreements and contingency plans. 

As a result, Defense lacks complete and reliable information on
systems, interfaces, other equipment needing repair, and the cost of
its correction efforts.  It is spending limited resources fixing
nonmission-critical systems even though most mission-critical systems
have not been corrected.  It has also increased the risk that (1)
Year 2000 errors will be propagated from one organization's systems
to another's, (2) all systems and interfaces will not be thoroughly
and carefully tested, and (3) components will not be prepared should
their systems miss the Year 2000 deadline or fail unexpectedly in
operation.  Each one of these problems seriously endangers Defense
chances of successfully meeting the Year 2000 deadline for
mission-critical systems.  Together, they make failure of at least
some mission-critical systems and the operations they support almost
certain unless corrective actions are taken. 


   OBJECTIVES, SCOPE, AND
   METHODOLOGY
------------------------------------------------------------ Letter :2

Our objectives were to determine (1) the overall status of Defense's
effort to identify and correct its date sensitive systems and (2) the
appropriateness of Defense's strategy and actions to correct these
systems.  In conducting our review, we used our Year 2000 Assessment
Guide to assess Defense's Year 2000 efforts.\2 This guide addresses
common issues affecting most federal agencies and presents a
structured approach and a checklist to aid in planning, managing, and
evaluating Year 2000 programs.  The guidance, which is consistent
with Defense's Year 2000 Management Plan\3 describes five
phases--supported by program and project management activities--with
each phase representing a major Year 2000 program activity or
segment.  The phases and a description of each follows. 

  -- Awareness - Define the Year 2000 problem and gain
     executive-level support and sponsorship for a Year 2000 program. 
     Establish a Year 2000 program team and develop an overall
     strategy.  Ensure that everyone in the organization is fully
     aware of the issue. 

  -- Assessment - Assess the Year 2000 impact on the enterprise. 
     Identify core business areas and processes, inventory and
     analyze systems supporting the core business areas, and
     prioritize their conversion or replacement.  Develop contingency
     plans to handle data exchange issues, lack of data, and bad
     data.  Identify and secure the necessary resources. 

  -- Renovation - Convert, replace, or eliminate selected platforms,
     applications, databases, and utilities.  Modify interfaces. 

  -- Validation - Test, verify, and validate converted or replaced
     platforms, applications, databases, and utilities.  Test the
     performance, functionality, and integration of converted or
     replaced platforms, applications, databases, utilities, and
     interfaces in an environment that faithfully represents the
     operational environment. 

  -- Implementation - Implement converted or replaced platforms,
     applications, databases, utilities, and interfaces.  Implement
     data exchange contingency plans, if necessary. 

During our review, we concentrated on Defense's department-level Year
2000 Program, managed by the Assistant Secretary of Defense, Command,
Control, Communications and Intelligence (ASDC3I), who is also the
Defense Chief Information Officer.  To determine how Defense
components and their organizations were implementing Defense policy
and managing their Year 2000 program efforts, we also reviewed Year
2000 efforts being carried out by Army, Navy, and Air Force
headquarters, three Defense agencies, and three central design
activities.  We also visited a number of other organizations
including the Joint Chiefs of Staff, the Global Command Control
System (GCCS) Program Office, and the National Security Agency.  The
scope and methodology of these individual reviews are detailed in the
following GAO reports: 

  -- Defense Computers:  Air Force Needs to Strengthen Year 2000
     Oversight (GAO/AIMD-98-35, January 16, 1998). 

  -- Defense Computers:  Technical Support Is Key to Naval Supply
     Year 2000 Success (GAO/AIMD-98-7R, October 21, 1997). 

  -- Defense Computers:  LSSC Needs to Confront Significant Year 2000
     Issues (GAO/AIMD-97-149, September 26, 1997). 

  -- Defense Computers:  SSG Needs to Sustain Year 2000 Progress
     (GAO/AIMD-97-120R, August 19, 1997). 

  -- Defense Computers:  Issues Confronting DLA in Addressing Year
     2000 Problems (GAO/AIMD-97-106, August 12, 1997). 

  -- Defense Computers:  DFAS Faces Challenges in Solving the Year
     2000 Problem (GAO/AIMD-97-117, August 11, 1997). 

Reports on the Army and Navy Year 2000 programs are being developed. 
We also reviewed efforts by the department to improve the Defense
Integration Support Tools database (DIST), which serves as the
Defense inventory of automated information systems and is intended to
be used as a tool to help Defense components in correcting Year 2000
date problems.  The scope and methodology of this work is further
detailed in our report, Defense Computers:  Improvements to DOD
Systems Inventory Needed for Year 2000 Effort (GAO/AIMD-97-112,
August 13, 1997). 

In conducting the individual component reviews and assessing
oversight efforts from Defense headquarters, we reviewed and analyzed
official memoranda and other documents discussing Defense and
component Year 2000 policy and procedures; the June 1996 and February
1997 Defense and component responses to Year 2000 questions from the
House Government Operations Committee, Subcommittee on Oversight; the
January 1997 Action Plan for Year 2000 Information Technology
Compliance; Defense's May 1997, August 1997, November 1997, and
February 1998 component quarterly reports on Year 2000 program status
to ASDC3I, and Defense's subsequent department-level reports to the
Office of Management and Budget; Year 2000 status briefings to the
Deputy Secretary of Defense by the Military Services, the Joint
Chiefs of Staff, DISA, DFAS, and DLA; early drafts and the final
April 1997 versions of the Defense Year 2000 Management Plan; and
Year 2000 inventory data compiled by ASDC3I, Defense components, and
their subcomponents. 

We also reviewed and monitored Year 2000 Internet homepages
maintained by various contractors, government agencies, ASDC3I,
DISA, the Army, the Navy, the Air Force, the Marine Corps, and
subcomponents; and minutes of federal, Defense, and Air Force Year
2000 Working Groups.  In addition, we held discussions with various
Defense Department, component and subcomponent officials concerning
Year 2000 problems, corrective actions, and related operational and
programmatic impacts of the program.  We conducted structured
interviews on program policies and practices with Defense Department
and component-level Year 2000 program officials.  We also reviewed
the output of various Defense computer generated databases and
management information systems related to Year 2000 activities, but
did not verify the integrity of the data in these systems. 

Our audit work on this overview report was conducted from August 1997
through February 1998 in accordance with generally accepted
government auditing standards. 

We requested written comments on a draft of this report from Defense. 
The Acting Principal Deputy of the Office of the Assistant Secretary
of Defense for Command, Control, Communications and Intelligence
provided written comments, which are discussed in the "Agency
Comments and Our Evaluation" section and reprinted in appendix II. 


--------------------
\2 Year 2000 Computing Crisis:  An Assessment Guide
(GAO/AIMD-10.1.14, September 1997); first issued as an exposure draft
in February 1997. 

\3 Version 1.0, April 1997. 


   BACKGROUND
------------------------------------------------------------ Letter :3

Most of Defense's automated information systems and weapon systems
computers are vulnerable to the Year 2000 problem, which is rooted in
the way dates are recorded, computed, and transmitted in automated
information systems.  For the past several decades, systems have
typically used two digits to represent the year, such as "97"
representing 1997, in order to conserve electronic data storage and
reduce operating costs.  With this two-digit format, however, the
year 2000 is indistinguishable from 1900, or 2001 from 1901, etc. 

As a result of this ambiguity, systems or application programs that
use dates to perform calculations, comparisons, or sorting may
generate incorrect results when working with years after 1999.  For
example, the Defense Logistics Agency's Standard Automated Material
Management System is used to manage Defense's vast inventory of
supplies.  Because it uses dates to automatically target items for
deletion, the system erroneously targeted more than 90,000 items for
deletion before Defense discovered the problem in 1996. 

In addition, any electronic device that contains a microprocessor or
is dependent on a timing sequence may be also vulnerable to Year 2000
problems.  This includes computer hardware, telecommunications
equipment, building and base security systems, street lights at
military installations, elevators, and medical equipment.  For
example, Defense components reported to ASDC3I in February 1998 that
more than half of the over 730,000 personal computers they had
checked had a Year 2000 problem. 

For Defense, the Year 2000 effort is a significant management
challenge because it relies heavily on computers to carry out aspects
of all operations, and time for completing Year 2000 fixes is short. 
For example, the department is responsible for more than 1.5 million
computers, 28,000 automated information systems, and 10,000 networks. 
Its information systems are linked by thousands of interfaces that
exchange information within Defense and across organizational and
international lines.  Successful operation after January 1, 2000,
requires that Defense's systems and all of the systems that they
interface with be Year 2000 compliant. 

Should Defense fail to successfully address the Year 2000 problem in
time, its mission-critical operations could be severely degraded or
disrupted.  For example: 

  -- In an August 1997 operational exercise, the Global Command
     Control System failed testing when the date was rolled over to
     the year 2000.  GCCS is deployed at 700 sites worldwide and is
     used to generate a common operating picture of the battlefield
     for planning, executing, and managing military operations.  The
     U.S.  and its allies, many of whom also use GCCS, would be
     unable to orchestrate a Desert Storm-type engagement in the year
     2000 if the problem is not corrected. 

  -- The Global Positioning System (GPS) is widely used for aircraft
     and ship navigation (commercial and military) and for precision
     targeting and "smart" bombs.  The ground control stations use
     dates to synchronize the signals from the satellites and
     maintain uplinks to the satellites.  Failure to correct Year
     2000 problems could cause these stations to lose track of
     satellites and send erroneous information to the millions of
     users who rely on GPS. 

  -- The Defense Message System (DMS) is being developed to replace
     the aging Automated Digital Network (AUTODIN).  These systems
     provide critical capabilities such as secure messaging for
     important operations such as intelligence gathering, diplomatic
     communications, and military command and control.  Should Year
     2000 problems render DMS or AUTODIN inoperable or unreliable, it
     would be difficult to monitor enemy operations or conduct
     military engagements. 

  -- Aircraft and other military equipment could be grounded because
     the computer systems used to schedule maintenance and track
     supplies may not work.  Defense could incur shortages of vital
     items needed to sustain military operations and readiness--such
     as food, fuel, medical supplies, clothing, and spare and repair
     parts to support its over 1,400 weapons systems. 

  -- Billions of dollars in payments could be inaccurate because the
     computer systems used to manage thousands of defense contracts
     may not correctly process date-related information. 

  -- Active duty soldiers and military retirees may not get paid if
     the systems used to make calculations and prepare checks are not
     repaired in time. 


   DEFENSE'S YEAR 2000 EFFORTS TO
   DATE
------------------------------------------------------------ Letter :4

Defense plans to resolve its Year 2000 problem using a five-phased
process comparable to that in our Year 2000 Assessment Guide.  In
keeping with its decentralized approach to information technology
management, Defense has charged its components with responsibility
for making sure that all of their systems correctly process dates. 
The Assistant Secretary of Defense for Command, Control,
Communications and Intelligence (ASDC3I), as the Department's Chief
Information Officer, is responsible for leading Defense efforts to
solve the Year 2000 problem.  Further, Defense is requiring the
components to reprogram existing funds to correct their systems and
will provide no additional funds for Year 2000 fixes.  As of February
1998, Defense estimated that it would cost $1.9 billion to address
its Year 2000 problem, but as discussed later, we question the
reliability of this estimate. 

To increase the awareness of the Year 2000 problem and to foster
coordination among components, Defense has taken the following
actions: 

  -- In a November 27, 1995, memo, the ASDC3I alerted components to
     the problem and called on them to begin corrective actions if
     they had not already done so. 

  -- In December 1996, Defense established the Year 2000 Steering
     Committee, chaired by the Deputy Secretary of Defense, to
     oversee progress, provide departmentwide guidance, and make
     decisions related to the Year 2000.  Members, which include the
     department's chief information officers, chief financial
     officer, general counsel and the acquisition executive also
     discuss Year 2000 issues and exchange information on their
     programs.  The Steering Committee began meeting in September
     1997. 

  -- Defense established a Year 2000 Working Group to support the
     activities and deliberations of the Steering Committee.  The
     group is chaired by an ASDC3I staff member.  Each component has
     assigned a representative to the group to investigate Year 2000
     and cross-functional issues, provide recommendations, identify
     and share lessons learned, and avoid duplication of effort
     within Defense. 

  -- In October 1996, the ASDC3I began a series of interface
     workshops intended to better coordinate Year 2000 efforts in
     various functional areas.  These workshops are intended to
     ensure information systems and processes that exchange data are
     assessed and will be Year 2000 compliant.  Workshops are
     conducted for specific functional areas and will continue until
     Year 2000 problems are resolved. 

  -- In April 1997, Defense issued its Year 2000 Management Plan,
     which formalized its Year 2000 strategy and delineated the
     activities involved in each phase of its five-phased approach to
     remediation.  The plan also identified responsibilities of the
     Year 2000 Steering Committee, the Year 2000 Working Group, the
     ASDC3I, the Defense Information Systems Agency, and the
     Assistant Secretary of Defense for Intelligence Systems;
     established reporting requirements, target completion dates, and
     exit criteria for each of the program phases; provided guidance
     on estimating costs; and provided a compliance checklist. 

  -- In May 1997, Defense enlisted its Inspector General to help
     oversee the department's Year 2000 program, validate the data on
     Year 2000 status being reported by each component, identify
     problems areas, and recommend corrective actions. 

  -- In July 1997, a Defense Science Board panel was convened to
     determine whether the department's strategy, priorities,
     resources, and funding are sufficient to ensure that all
     mission-critical systems will be corrected in time. 

  -- Defense has extensively used the Internet to establish Year 2000
     home pages, information libraries, and links to other federal
     and nongovernment Year 2000 organizations, to enhance awareness
     and understanding of the Year 2000 problem. 

In February 1998, Defense reported to OMB that it had 2,915
mission-critical systems and 25,671 nonmission-critical systems. 
According to Defense, 1,886 mission-critical systems need to be
repaired and about half of these are in the renovation phase and a
third in the validation phase.  In addition, Defense now reports that
15,786 nonmission-critical systems need to be repaired, an increase
of over 6,500 systems from the number reported by components in
November 1997.  Like the mission-critical systems, about half of
these nonmission-critical systems are reported to be in the
renovation phase. 

Defense has taken a long time in the early phases of its Year 2000
program and its progress in fixing systems has been slow.  For
example, Defense took 16 months to issue its Year 2000 Management
Plan, 1 year to establish the Year 2000 Steering Committee, and an
additional 9 months for the Committee to hold its first meeting.  In
addition, Defense is still assessing systems even though it
originally anticipated that this would be done in June 1997.  In
February 1998, Defense reported that only about 130 mission-critical
systems had completed repairs since November 1997. 

Technology experts like the Mitre Corporation and the Gartner Group,
estimate that about 70 percent of an organization's total effort will
be required for the renovation, validation, and implementation
phases.  With less than 20 months remaining and most mission-critical
systems in these three phases, Defense is running out of time to make
the necessary repairs before the Year 2000 deadline.  Specific
reported totals for February 1998 are shown in table 1.  As discussed
later in this report, we question the reliability of this
information. 



                                Table 1
                
                  Reported Status of Defense Year 2000
                     Efforts (As of February 1998)

                                           Mission-      Nonmission-
                                           critical        critical
                                           systems         systems
                                            (2,915         (25,671
                                           systems)        systems)
                                        --------------  --------------
                                                Percen          Percen
                                        Number     t\a  Number     t\a
--------------------------------------  ------  ------  ------  ------
Compliant                                  530    18.3   8,196    31.9
To be replaced before 2000                 330    11.3     380     1.5
To be retired before 2000                  164     5.6   1,309     5.1
To be repaired                           1,891    64.9  15,786    61.5

Reported status of systems to be repaired
----------------------------------------------------------------------
In awareness phase                           0       0       4     0.1
In assessment phase                         22     1.2     340     2.2
In renovation phase                        873    46.2   8,296    52.6
In validation phase                        695    36.8   4,241    26.9
In implementation phase                    130     6.9   2,644    16.7
Corrected                                  171     9.0     261     1.7
----------------------------------------------------------------------
Source:  Defense information reported to the Office of Management and
Budget.  We did not independently verify this information. 

\a Percentages do not total 100 percent due to rounding. 

Information on personal computers and communications and facility
equipment reported by components is provided in table 2. 



                                Table 2
                
                Information Reported to Defense on Other
                               Equipment

                                     Total
                                    invent  Compli  Noncomplia  Unknow
                                       ory     ant          nt       n
----------------------------------  ------  ------  ----------  ------
Personal computers                  826,76  350,69     381,882  94,186
                                         2       4
Communications devices (including   88,166  52,117      17,216  18,833
 telecommunications equipment)
Facility devices (includes such     100,42  27,041      14,264  59,116
 items as elevators, security            1
 systems, medical equipment)
----------------------------------------------------------------------
Source:  Defense information reported by components.  Only compliant
systems were reported to the Office of Management and Budget.  We did
not independently verify this information. 


      PREVIOUS GAO REVIEWS OF
      COMPONENT YEAR 2000 EFFORTS
---------------------------------------------------------- Letter :4.1

We have separately reported on Year 2000 efforts being carried out by
the military services, three Defense agencies, and three central
design activities.  Our reviews have shown that individual components
have also taken positive actions to increase awareness.  For example,
the Air Force established an Air Force Year 2000 Working Group
comprised of focal points from each major command, field operating
agency, and direct reporting unit.  The group has focused on such
matters as sharing lessons learned, eliminating duplicative efforts,
sharing resources, and tracking component progress.  Also, the Air
Force and other components, such as DFAS and DLA, each developed
written Year 2000 plans that adopted the five-phased approach.  In
addition, these components, as well as some other organizations, such
as the central design activities we reviewed, established Year 2000
program offices and designated program managers. 

However, there were systemic weaknesses in component Year 2000
programs.  For example, many of the components failed to develop
contingency plans during the assessment phase to ensure that critical
operations can continue in the face of unforeseen problems or delays. 
They also were not effectively planning to ensure the availability of
needed testing facilities and resources.  And they had not fully
identified interfaces or communicated their Year 2000 plans to their
interface partners.  Finally, none of the three military services had
developed accurate and reliable cost estimates as their systems were
assessed.  Our findings with regard to these reviews are noted
throughout this report and are detailed in appendix I. 


   DEFENSE IS NOT EFFECTIVELY
   OVERSEEING AND MANAGING YEAR
   2000 REMEDIATION EFFORTS
------------------------------------------------------------ Letter :5

In view of the magnitude of the Year 2000 problem, our Assessment
Guide recommends that agencies plan and manage the Year 2000 program
as a single large information system development effort and
promulgate and enforce good management practices on the program and
project levels.  The guide also recommends that agencies appoint a
Year 2000 program manager and establish an agency-level Year 2000
program office. 

Defense has not supported its decentralized approach to the Year 2000
effort with a program manager or an agency-level Year 2000 program
office.  Instead of establishing a department-level program office,
Defense assigned five full-time staff members in the Office of the
ASDC3I to oversee the progress of 23 major components and over
28,000 information systems.  The group does not have authority to
enforce good management practices, direct resources for special
needs, or even to question the validity of the data being reported
from components. 

In addition, this group is not supported by an executive that can
focus on the Year 2000 problem full-time.  For example, the ASDC3I,
who has been assigned to lead the effort, is also responsible for (1)
providing guidance and oversight for all command, control,
communications, and intelligence projects, programs, and systems
being acquired by Defense and its components, (2) chairing the Major
Automated Information System Review Council, (3) serving as the
principal Defense official responsible for software policy and
practices, and (4) establishing and implementing information
management policy, processes, programs, and standards. 

Furthermore, Defense has not promulgated and enforced good management
practices for Year 2000 corrective efforts.  For example, Defense has
not provided guidance and authoritative direction needed to ensure
that components effectively (1) identify "a system" for purposes of
Year 2000 reporting, (2) communicate Year 2000 plans to interface
partners, (3) address conflicts between interface partners, and (4)
identify common standards and procedures to use in testing.  In
addition, it has not been validating the information being reported
by its components for completeness and accuracy or tracking component
progress in completing important Year 2000-related activities, such
as contingency planning, acquiring additional test facilities, and
prioritizing systems. 

Because it lacks strong management and oversight controls over Year
2000 remediation efforts, Defense has failed to successfully address
a number of steps that are fundamental to correcting mission-critical
systems on time. 

  -- First, Defense does not yet have a complete inventory of
     systems.  Without this, it cannot reliably determine what
     resources it needs or identify problems requiring greater
     management attention. 

  -- Second, Defense has not ensured that mission-critical systems
     are receiving a higher priority than nonmission-critical
     systems. 

  -- Third, Defense has neither identified all system interfaces nor
     ensured that its components are effectively working with their
     interface partners to correct the interfaces. 

  -- Fourth, Defense has not ensured that facilities are available
     for Year 2000-related testing or that component testing
     requirements are consistent. 

  -- Fifth, Defense does not know if components have developed
     contingency plans necessary to ensure that essential mission
     functions can be performed even if critical mission systems are
     not corrected in time. 

  -- Sixth, Defense does not have a reliable estimate of Year 2000
     problem correction costs. 

These weaknesses and their impact on Defense's Year 2000 remediation
efforts are discussed in the following sections. 


   DEFENSE DOES NOT HAVE AN
   ACCURATE AND COMPLETE INVENTORY
   OF SYSTEMS
------------------------------------------------------------ Letter :6

Our Assessment Guide noted that a key part of the assessment phase is
to conduct an enterprisewide inventory of information systems for
each business area.  Such an inventory should include specific
information such as the business processes that systems support, the
potential impact on those business processes if systems are not fixed
on time, and the progress components are making in correcting their
systems.  This provides the necessary foundation for Year 2000
program planning.  Defense, however, does not yet have a complete and
accurate inventory of its systems and other equipment needing repair. 
As a result, it does not have a clear picture of its overall Year
2000 correction efforts and it cannot reliably determine what
resources it needs or identify problems that require greater
management attention. 

Defense is requiring its components to submit quarterly Year 2000
progress reports and to input system information into the
departmentwide database of automated information systems, known as
the Defense Integration Support Tools (DIST) database.  However, many
components are still identifying their systems, interfaces, and/or
other equipment that may be affected by the Year 2000 problem, such
as telecommunications equipment, elevators, and security systems. 
For example,

  -- Defense components are still adding systems to the inventory;
     the total number of nonmission-critical systems increased by
     over 3,700 systems between November 1997 and February 1998. 

  -- The Air Force, the National Reconnaissance Office, the National
     Security Agency, and the Under Secretary of Defense for
     Acquisition and Technology have not yet identified other
     equipment needing repair such as personal computers and
     telecommunications equipment. 

  -- Eleven components, including the Defense Information Systems
     Agency and the Joint Chiefs of Staff, have not yet identified
     interfaces. 

In addition, Defense headquarters does not validate the information
it is receiving from its components for accuracy or completeness
before reporting its status quarterly to the Office of Management and
Budget.  Similarly, Navy headquarters does not validate the
information being reported by its components and system managers. 
The Army and the Air Force have enlisted their audit agencies to help
validate information being reported by components.  These audits have
identified large discrepancies between information maintained by the
services and information maintained by individual system owners. 

Further, Defense has not provided sufficient guidance to components
to ensure they use a common definition of a "system" for reporting
purposes.  This has further degraded the accuracy of Defense's
inventory reporting.  If not precisely defined, one "system" can be
interpreted to mean a small application comprised of a few hundred
lines of code or the entire collection of systems aboard a major
weapon system.  At Defense, a variety of interpretations are being
used.  For example, in August 1997, the Air Force's F-16 and F-15
weapon system programs reported each system aboard an aircraft (86
and 32 systems, respectively) while the C-17 and B-2 programs treated
all onboard systems as a single system.  Since each system must be
corrected individually, aggregating onboard systems into a single
system causes Defense's inventory to be understated.  In addition,
while some organizations reported these smaller applications that
downloaded and processed information from their major automated
information systems, the Defense Logistics Agency did not consider
these programs as systems.  With some organizations reporting on
these systems and others, like DLA, not reporting them, Defense's
inventory is further understating the number of systems that need to
be corrected. 


      RECENT CLASSIFICATION OF
      DIST DATABASE HAS FURTHER
      DECREASED ITS EFFECTIVENESS
---------------------------------------------------------- Letter :6.1

On February 4, 1998, due to concerns that extensive and detailed
information on all of the department's mission critical systems was
available on the Internet, the ASDC3I classified DIST as
"secret"--meaning that anyone requiring access to the database must
have a validated security clearance and access to secure computer and
communications equipment.  DIST was removed from the Internet and
will remain unavailable until detailed access and security procedures
are developed and put in place.  As a result, at the close of our
review, DIST was not available for system managers to update the Year
2000 status of their systems or determine the status of interfaces or
interfacing systems, and Defense and component Year 2000 officials
could not use it as a program management tool.  In addition,
organizations such as the Navy, which rely on the DIST for their only
source of inventory information, were directed to create separate
databases to meet their quarterly inventory reporting and program
management requirements. 

In commenting on our draft report, Defense officials told us that
ASDC3I was in the process of defining options for a new database to
replace DIST.  The new inventory, which Defense intends to be
unclassified, would not have as much detailed information on systems
as DIST; instead, it would only contain Year 2000-relevant data. 
ASDC3I officials plan to have the new system in place by mid-summer
1998.  Until this new system is in place, Defense will lack a central
source for inventory and status information on Defense's Year 2000
program.  In addition, the new database will be as ineffective as
DIST unless components ensure that the information they submit is
accurate and complete and Defense headquarters validates their
submissions. 


   DEFENSE HAS NOT EFFECTIVELY
   PRIORITIZED SYSTEMS FOR
   CORRECTION
------------------------------------------------------------ Letter :7

According to our Assessment Guide, an important aspect of the
assessment phase is prioritizing the remediation of the systems that
have the highest impact on an agency's mission and thus need to be
corrected first.  This helps an agency ensure that its most vital
systems are corrected before systems that do not support the agency's
core business. 

Defense's Year 2000 plan states that the highest priority should be
given to systems that are critical to warfighting and peacekeeping
missions and the safety of individuals.  The plan makes each
component responsible for prioritizing its own systems.  This
approach is flawed.  Since all components' functions are not equally
essential to Defense's core missions, Defense cannot define its
priorities simply by aggregating components' priorities.  For
example, as noted in a Defense Science Board report,\4 Defense has no
means of distinguishing between the priority of a video conferencing
system listed as mission-critical by one component and a logistics
system listed as mission-critical by another component.  If it had
such a means, the board estimated that the number of "priority
mission-critical systems" would be reduced by a factor of 10 or
greater. 

Once Defense decides the relative priority of its mission-critical
systems, it will still need to ensure that its mission-critical
rather than nonmission-critical systems receive focused management
attention and resources.  However, according to its status reports,
Defense is correcting nonmission-critical systems nearly as quickly
as its mission-critical systems.  In February 1998, it reported that
83 percent of its mission-critical systems being repaired were in the
renovation or validation phases versus about 80 percent of it
nonmission-critical systems. 


--------------------
\4 Interim Report of the Defense Science Board Task Force on Year
2000, January 12, 1998; final report has not yet been issued. 


   DEFENSE LACKS ASSURANCE THAT
   INTERFACES ARE BEING
   APPROPRIATELY ADDRESSED
------------------------------------------------------------ Letter :8

Defense systems interface with each other as well as with systems
belonging to contractors, other federal agencies, and international
organizations.  For example, supply orders originating from the
military services are filled and payments to contractors are made
through automated interfaces.  Therefore, it is essential that
Defense agencies ensure that external noncompliant systems not
introduce and/or propagate Year 2000-related errors to compliant
Defense systems\5 and that interfaces function after January 1, 2000. 

Defense has held a series of Interface Assessment Workshops for
individual functional areas such as finance, logistics, and
intelligence in order to raise awareness of the interface problem. 
While these workshops have helped to acquaint high-level managers
with the nature and extent of interface problems, much more effort is
needed to assist system managers in making corrections. 

First, as noted earlier, the department does not know how many
interfaces exist among its systems.  Seven of 28 components (25
percent) including the Joint Chiefs of Staff did not report interface
information on their February 1998 inventory.  In addition, four
components, including the National Security Agency and the National
Reconnaissance Office reported their interfaces as "to be
determined." Three additional components--including the Navy, Defense
Intelligence Agency and Air Force Intelligence--reported interfaces,
but had not yet determined whether they were affected by the Year
2000 problem.  The longer it takes Defense to identify all interfaces
and determine which ones need to be corrected, the greater the risk
will be that it will discover too late in its Year 2000 effort that
systems will not be able to accommodate the Year 2000 changes from a
connecting system. 

Second, Defense has not provided sufficiently definitive guidance to
establish (1) who is responsible for correcting interfaces and (2)
how conflicts--for example, who should fund corrective
actions--between interface partners will be resolved.  Such guidance
is necessary since interface problems will likely cut across command,
functional, and component lines and may involve contractors, other
government agencies, and international organizations. 

Finally, in order for interfaces to work, both ends need to know what
to send and what to expect.  This requires formal documentation of
the details on data formats, the timing of format changes, etc. 
While the April 1997 Management Plan directed components to prepare
written agreements with their interface partners, Defense has not
provided guidance to its components on what the content of interface
agreements should be.  Components have been slow in responding to the
Management Plans direction.  For example, at the time of our review,
none of the components we reviewed had completed preparation of all
required interface agreements.  The Army Year 2000 project office
reported that its components were behind in their efforts to do so. 
Defense components have concurred with our recommendations to date
concerning the need to develop interface agreements.  However, they
are still not being uniformly required across the department.  Until
these agreements are prepared, Defense components will run the risk
that key interfaces will not work. 


--------------------
\5 An example of this type of problem occurred in July 1997.  During
a joint operational exercise, system clocks were turned forward to
test their ability to handle dates after 1999.  One component of
Defense's Global Command and Control System failed to operate
properly as a result, and, in turn, began sending error messages to
the main computer.  These messages caused the main computer to shut
down, even though it had not experienced any Year 2000 problems
itself. 


   DEFENSE IS NOT FULLY PREPARED
   FOR THE TESTING PHASE
------------------------------------------------------------ Letter :9

The validation (testing) phase of the Year 2000 effort is expected to
be the most expensive and time-consuming.  Experts estimate that it
will account for 45 percent of the entire effort.\6 As Defense's Year
2000 Management Plan notes, the testing phase will be complex since
"components must not only test Year 2000 compliance of individual
applications, but also the complex interactions between scores of
converted or replaced computer platforms, operating systems,
utilities, [networks], databases, and interfaces." In some instances,
the plan notes, Defense components may not be able to shut down their
production systems for testing, and may have to operate parallel
systems implemented on a Year 2000 test facility.  Also, because over
17,500 systems will require testing prior to the March 1999 testing
deadline, it will be important to plan for the use of testing
resources carefully. 

To mitigate risks associated with testing, our Year 2000 Assessment
Guide calls on agencies to develop validation strategies and test
plans, and to ensure that resources, such as facilities and tools,
are available to perform adequate testing.  Validation strategies are
developed at an organization-wide level to ensure that common testing
requirements are used by all locations.  Our Assessment Guide further
notes that this planning should begin in the assessment phase since
agencies may need over a year to adequately validate and test
converted or replaced systems for Year 2000 compliance. 

Defense lacks an overall validation strategy that specifies uniform
criteria and processes which components should use in testing their
systems.  Defense's Management Plan includes a checklist for
certifying Year 2000 compliance, but does not require components to
use it.  Likewise, a number of major components--including DFAS, the
Navy, the Air Force, and the Army--have not developed such strategies
nor were they ensuring that the organizations reporting to them did
so.  As a result, Defense runs the risk that all systems and
interfaces will not be thoroughly and carefully tested. 

Another important aspect of planning for the test phase is to define
requirements for test facilities.  As our Year 2000 Assessment Guide
notes, agencies may have to acquire additional facilities in order to
provide an adequate testing environment.  Because of the length and
complexity of the testing phase and the potential that facilities may
not be available, our guide recommends that this planning begin in
the assessment phase.  We found that the Navy, the Air Force, the
Army had not yet begun this planning.  The Defense Information
Systems Agency, which operates the Department's central computer
centers, has only recently begun assessing what the demand for its
facilities will be.  The longer Defense waits to begin assessing the
demand for and the adequacy of test facilities, the less time it will
have to acquire additional facilities or otherwise ensure that all
mission-critical systems can be tested before the Year 2000 deadline. 


--------------------
\6 According to the Mitre Corporation and Gartner Group. 


   CONTINGENCY PLANNING OVERSIGHT
   IS INADEQUATE
----------------------------------------------------------- Letter :10

To mitigate the risk that Year 2000-related problems will disrupt
operations, Defense's Year 2000 Management Plan and our Year 2000
Assessment Guide recommend that agencies perform risk assessments and
develop realistic contingency plans for critical systems and
activities.  Recent OMB directives\7

require quarterly reporting of contingency planning activities. 
Contingency plans are important because they identify the manual or
other fallback procedures to be employed should systems miss their
Year 2000 deadline or fail unexpectedly in operation.  Contingency
plans also define the specific conditions that will cause their
activation. 

Since many of its systems are critical to mission performance and
Defense has fallen behind its own Year 2000 schedule, Defense must
develop contingency plans now for essential mission functions. 
However, although Defense's Year 2000 Management Plan identifies the
need for contingency planning to ensure continuity of core processes,
Defense is not routinely tracking the status of contingency plans or
ensuring that its components are developing them.  The need for
oversight is serious since many of the components we reviewed were
not developing contingency plans until we recommended that they do
so.  For example: 

  -- At the time of our review of their programs, DLA and the Naval
     Supply Systems Command (NAVSUP) had no contingency plans because
     they expected that all of their systems would be completed by
     the Year 2000 deadline and would function correctly.  This
     assumption is not well founded because even if systems are
     replaced or corrected on time, there is no guarantee that they
     will operate correctly.  In addition, in the event that
     replacement schedules slip, components may not have enough time
     to renovate, test, and implement a legacy system or identify
     other alternatives, such as manual procedures or outsourcing. 
     For example, one system used to help manage DLA's
     mission-critical $5-billion a year fuel commodity operations had
     already slipped 4 to 5 months behind its October 1998 scheduled
     replacement date.  Both DLA and NAVSUP began developing
     contingency plans after we raised these concerns. 

  -- The Air Force was not tracking the extent to which these plans
     were being developed by its components for mission-critical
     systems, and, at the time of our review, five system program
     offices we surveyed had not prepared such plans.  In response to
     our report, the Air Force began ensuring that contingency plans
     were developed through Air Force Audit Agency spot checks and
     management reviews.  It also plans to develop contingency plans
     at crisis response centers as well as incorporate Year 2000
     scenarios into existing contingency plans. 

  -- DFAS was preparing contingency planning for noncompliant systems
     to be replaced before the Year 2000.  However, it was not
     requiring contingency plans for systems being renovated.  We
     noted that DFAS faced a risk that systems being renovated may
     not be corrected by January 1, 2000, and may not operate
     correctly even if completed.  In response, DFAS began developing
     contingency strategies for these systems. 

In January 1998, the military services briefed the Defense's Year
2000 Steering Committee on the status of contingency planning for
mission-critical systems.  The Army and Air Force reported that they
had completed contingency plans for 49 percent and 30 percent of
their mission-critical systems respectively.  The Navy is only
requiring contingency plans for systems planned to be renovated after
June 30, 1998, or implemented after January 1, 1999.  Using this
criteria and the Navy's current schedule, less than 2 percent of the
Navy's 812 mission-critical systems are required to have contingency
plans. 


--------------------
\7 OMB's November 1997 quarterly Year 2000 report directs agencies to
develop contingency plans and requires that summary contingency plan
information be provided to OMB for any mission-critical system that
is behind schedule in two consecutive quarterly reports to OMB. 


   DEFENSE LACKS RELIABLE COST
   INFORMATION
----------------------------------------------------------- Letter :11

As Defense's Year 2000 Management Plan and our Assessment Guide
state, a primary purpose of the assessment phase is to determine the
size and scope of the Year 2000 problem and to prioritize remediation
activities.  Reliable cost estimates are needed to ensure that
adequate resources will be available for Year 2000 activities.  Once
reliable estimates have been established, they can provide a baseline
to measure program progress and to improve future program management. 
In addition, because Defense is funding Year 2000 efforts from
existing budgets, reliable Year 2000 cost estimates are needed to
assess the impact on future information technology budgets. 

Defense relies on its components to estimate the cost of their Year
2000 efforts, but it has not required that they use a consistent
estimating methodology or that they update the estimates when more
reliable cost information becomes available during the assessment
phase.  Defense merely sums up the cost estimates it receives from
components to produce the estimate it provides to OMB.  As a result,
Defense's Year 2000 cost estimate is neither reliable nor complete,
and does not provide a useful management tool for assessing the
impact of the Year 2000 problem or determining if sufficient
resources will be available to complete its fixes. 

To make a first rough estimate, Defense suggested that components use
a cost formula derived from the Gartner Group and the Mitre
Corporation, which recommends multiplying the number of lines of code
by $1.10 for automated information systems and by $8 for weapons
systems.  This rough estimate was to be refined by conducting a
detailed cost analysis based on more than 30 cost factors as the
component progressed through the assessment phase and learned more
about its systems and the resources that would be required to fix
them.  These include such factors as: 

  -- the age of systems,

  -- the skill and expertise of in-house programmers,

  -- the strategy that the agency is pursuing (strategies that
     involve keeping the two-digit code, for example, may be much
     less expensive than those that involve changing the two-digit
     code to a four-digit code),

  -- the clarity and completeness of documentation on systems,

  -- the availability of source code, and

  -- the programming language used by the systems. 

However, Defense did not require that components use these factors in
preparing their quarterly cost estimates or that they refine their
rough estimates as more reliable information became available during
assessment.  The difference between an estimate based on a more
reliable analysis of data collected during the assessment phase and
an estimate based on the Gartner formula and similar methodologies
can be significant.  For example, in August 1996, the Army's
Logistics Systems Support Center used the Gartner formula to project
Year 2000 costs for its huge Commodity Command Standard System. 
Based on this formula, it estimated that it would cost $8.4 million
to correct the system.  In April 1997, the Center conducted a
detailed cost analysis based on data collected during the assessment
phase, and found that Year 2000 costs would actually be about $12.4
million--a 50 percent increase over the original estimate. 

While Defense's Management Plan suggested that components revise
their cost estimates as more reliable information becomes available,
it has not ensured that components are doing so.  While some
components may have refined their estimates with each report to the
Office of the Secretary of Defense (OSD), the Army, the Air Force,
and the Navy continue to provide only rough order-of-magnitude
estimates using the Gartner formula or other formulas provided by
contractors, or have omitted significant cost items from their
estimates.  For example: 

  -- The Army's November 1997 estimate of $429 million did not
     include costs for 36 systems. 

  -- The Navy's November 1997 estimate of $293 million did not
     include cost information from about 95 percent of the program
     managers in the Naval Sea Systems Command.  Naval Air Systems
     Command also indicated that many program managers were not
     reporting costs.  The Navy estimate also did not include an
     estimated $15 million associated with fixing telephone switches. 

  -- The Air Force's November 1997 estimate did not include the cost
     of fixing telephone switches, which was estimated to be between
     $70 million and $90 million. 

Until Defense has a complete and reliable cost estimate, it will not
be able to effectively allocate resources, track progress, make
trade-off decisions, or resolve funding disputes. 


   CONCLUSIONS
----------------------------------------------------------- Letter :12

Defense operations hinge on the department's ability to successfully
fix its mission-critical computer systems before the Year 2000
deadline.  Yet Defense has left it up to its components to solve the
problem themselves without establishing a project office, led by a
full-time top-level executive, to (1) enforce good management
practices, (2) prioritize systems across the department based on
criticality to core missions, (3) provide guidance on areas that
components should be addressing consistently and ensure that they are
doing so, (4) direct resources for special needs, and (5) ensure that
data being reported to the Office of Management and Budget and the
Congress is accurate.  As a result, Defense lacks complete and
reliable information on systems, interfaces, and costs.  It is
allowing nonmission-critical systems to be corrected even though only
a small percentage of mission-critical systems have been completed. 
It lacks assurance that facilities will be available for testing. 
And, it has not ensured that essential mission functions can be
performed if critical mission systems are not corrected in time. 
Until Defense supports remediation efforts with adequate centralized
program management and oversight, its mission-critical operations may
well be severely degraded or disrupted as a result of the Year 2000
problem. 


   RECOMMENDATIONS
----------------------------------------------------------- Letter :13

We recommend that the Secretary of Defense: 

  -- Establish a strong department-level program office led by an
     executive whose full-time job is to effectively manage and
     oversee the Department's Year 2000 efforts.  The office should
     as a minimum have sufficient authority to enforce good
     management practices, direct resources to specific problem
     areas, and ensure the validity of data being reported by
     components on such things as progress, contingency planning, and
     testing. 

  -- Expedite efforts to establish a comprehensive, accurate
     departmentwide inventory of systems, interfaces, and other
     equipment needing repair.  Require components to validate the
     accuracy of data being reported to OSD.  Provide guidance that
     clearly defines a "system" for Year 2000 reporting purposes. 

  -- Clearly define criteria and an objective process for
     prioritizing systems for repair based on their
     mission-criticality and ensure that the "most" mission-critical
     systems will be repaired first. 

  -- Ensure that system interfaces are adequately addressed by (1)
     taking inventory and assigning clear responsibility for each,
     (2) tracking progress in Year 2000 problem resolution, (3)
     requiring interface agreement documentation, and (4) providing
     guidance on the content of interface agreements and who should
     fund corrective actions. 

  -- Develop an overall, departmentwide testing strategy and a plan
     for ensuring that adequate resources, such as test facilities
     and tools, are available to perform necessary testing.  Ensure
     that the testing strategy specifies the common criteria and
     processes that components should use in testing their systems. 

  -- Require components to develop contingency plans to ensure that
     essential operations and functions can be performed even if
     mission-critical systems are not corrected in time or fail due
     to Year 2000 problems.  Track component progress in completing
     these plans. 

  -- Prepare complete and accurate Year 2000 cost estimates so that
     the department can assess the full impact of the Year 2000
     problem, ensure adequate resources are available, and
     effectively make trade-off decisions to ensure that funds are
     properly allocated. 


   AGENCY COMMENTS AND OUR
   EVALUATION
----------------------------------------------------------- Letter :14

In reviewing a draft of this report, the Acting Principal Deputy of
the Office of the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence concurred with all of our
recommendations to improve Defense's Year 2000 program. 
Specifically, Defense agreed with the need to establish a strong
central Year 2000 program office and has appointed a full-time
executive to lead the department's efforts to solve the Year 2000
challenge.  Defense stated that this office will have sufficient
authority to enforce good management practices.  In addition, Defense
stated that the DOD Year 2000 Management Plan is being revised to (1)
define criteria and processes for prioritizing systems, (2) formalize
guidance on identification and documentation of interfaces, (3)
establish common testing conditions and dates for attaining Year 2000
compliance, and (4) provide for development of contingency plans in
accordance with GAO's recently issued guidance.\8 The revised
Management Plan is scheduled to be issued in April 1998. 

However, in concurring with several of our recommendations, Defense
did not indicate how it would implement them.  Instead, it reiterated
current practices which to date have not resulted in reliable and
complete inventory, progress, and cost data.  For example, Defense
concurred with our recommendation to establish an accurate
departmentwide inventory of its systems and a clear definition of the
term "system." But, it then said that components will continue to
validate the accuracy of data submitted for its new database using
audit agencies and other independent validation techniques
recommended by OMB and claimed that it had already clearly defined
the term "system" in a March 1997 memorandum from ASDC3I and in
DOD's Dictionary of Military and Associated Terms.  Components have
not submitted accurate data to Defense to date, and these actions do
not indicate that Defense will validate these data to ensure their
accuracy in the future as we recommended.  Further, the documents
cited do not define the term "system" effectively and, as we
reported, components have interpreted the term inconsistently. 

Likewise, Defense concurred with our recommendation that the
Secretary of Defense prepare complete and accurate Year 2000 cost
estimates, but then cited current cost estimating guidance and
procedures, and noted that it had "requested the Components to
improve their estimated costs by using actual figures as they became
available." It added that the Secretary of Defense, through the Year
2000 Steering Committee, will use these estimates to assess the
impact of Year 2000 problems, make trade-off decisions, and ensure
adequate resources are available.  Again, these actions describe
current practices which have resulted in incomplete and inaccurate
cost estimates.  Despite requests from Defense that they refine their
cost analyses and prepare complete cost estimates, components
continued to provide unreliable and incomplete cost data.  Until
Defense takes additional action to implement our recommendation to
require and ensure that components use a more reliable methodology
and report complete costs, it will not have the reliable information
it needs to allocate resources, track progress, make trade-off
decisions, and resolve funding disputes. 


--------------------
\8 Year 2000 Computing Crisis:  Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19 Exposure Draft, March 1998). 


--------------------------------------------------------- Letter :14.1

We are providing copies of this letter to the Ranking Minority
Members of the Senate Committee on Governmental Affairs and the
Subcommittee on Government Management, Information and Technology,
House Committee on Government Reform and Oversight; the Chairmen and
Ranking Minority members of the Subcommittee on Oversight of
Government Management, Restructuring and the District of Columbia,
Senate Committee on Governmental Affairs; the Subcommittee on
Defense, Senate Committee on Appropriations; the Senate Committee on
Armed Services; the Subcommittee on National Security, House
Committee on Appropriations; and the House Committee on National
Security.  We are also sending copies to the Deputy Secretary of
Defense; the Acting Secretary of Defense for Command, Control,
Communications and Intelligence; the Director of the Office of
Management and Budget; the Assistant to the President for Year 2000;
and other interested parties.  Copies will be made available to
others on request. 

If you have any questions on matters discussed in this letter, please
call me at (202) 512-6240.  Other major contributors to this report
are listed in appendix III. 

Jack L.  Brock, Jr.
Director, Governmentwide and
 Defense Information Systems




(See figure in printed edition.)Appendix I
GAO REVIEWS OF DEFENSE COMPONENT
YEAR 2000 EFFORTS
============================================================== Letter 



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)




(See figure in printed edition.)Appendix II
COMMENTS FROM THE DEPARTMENT OF
DEFENSE
============================================================== Letter 



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)



(See figure in printed edition.)


The following is GAO's comment on the Department of Defense's March
27, 1998, letter. 

GAO COMMENT

1.  Defense's additional comments have been incorporated as
appropriate but have not been included in the report. 


MAJOR CONTRIBUTORS TO THIS REPORT
========================================================= Appendix III

ACCOUNTING AND INFORMATION
MANAGEMENT DIVISION, WASHINGTON,
D.C. 

John B.  Stephenson, Project Director
Keith A.  Rhodes, Technical Director
Ronald B.  Bageant, Assistant Director
Carl M.  Urie, Assistant Director
Madhav Panwar, Technical Assistant Director
Brian C.  Spencer, Technical Assistant Director
Alicia L.  Sommers, Senior Information Systems Analyst
Brenda A.  James, Senior Information Systems Analyst
Robert L.  Crocker, Senior Information Systems Analyst
Cristina T.  Chaplain, Communications Analyst

ATLANTA FIELD OFFICE

Carl Higginbotham, Senior Information Systems Analyst
Christopher T.  Brannon, Staff Evaluator
Teresa Tucker, Senior Information Systems Analyst

CHICAGO/DAYTON FIELD OFFICE

Robert P.  Kissel, Jr., Evaluator-in-Charge
Steven M.  Hunter, Senior Evaluator
Robert G.  Preston, Senior Evaluator
Thomas Hewlett, Staff Evaluator

DENVER FIELD OFFICE

John A.  Spence, Information Systems Analyst

KANSAS CITY FIELD OFFICE

George L.  Jones, Senior Information Systems Analyst
Denice M.  Millett, Senior Evaluator
Michael W.  Buell, Staff Evaluator
Karen S.  Sifford, Staff Evaluator


*** End of document. ***