Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for
Strong Federal Leadership (Letter Report, 04/30/98, GAO/AIMD-98-85).
Pursuant to a congressional request, GAO reviewed the year 2000
computing crisis facing the nation, focusing on: (1) the year 2000 risks
facing the government and nation; (2) the evolution of the federal
government's year 2000 strategy; and (3) additional actions that can be
taken by the Executive Branch to prepare the nation for the year 2000.
GAO noted that: (1) while progress has been made in addressing the
federal government's year 2000 readiness, serious vulnerabilities
remain; (2) many agencies are behind schedule; (3) at the current pace,
it is clear that not all mission-critical systems will be fixed in time;
(4) much more action is needed to ensure that federal agencies
satisfactorily mitigate year 2000 risks to avoid debilitating
consequences; (5) vital economic sectors of the nation likewise remain
vulnerable to problems that the change of century will bring; (6)
moreover, a high degree of information and systems interdependence
exists among various levels of government and the private sector in each
of these sectors; (7) these interdependencies increase the risk that a
cascading wave of failures or interruptions of essential services could
occur; (8) as the change of century grows closer and the breadth of year
2000 work that remains has become known, the federal government's
response to the crisis has increased; (9) originally, the Office of
Management and Budget (OMB) expressed a high degree of confidence about
the federal government's ability to meet the year 2000 deadline; (10)
more recently, as many agencies have reported their limited progress in
solving the year 2000 problem, OMB has become increasingly concerned;
(11) accordingly, at the urging of key congressional leaders, OMB has
improved its response to the crisis by issuing much needed policies and
increasing its monitoring of agencies; (12) most encouraging is the
President's recent announcement of the establishment of a President's
Council on Year 2000 Conversion to oversee federal efforts and promote
public/private relationships; and (13) the establishment of the
President's Council on Year 2000 Conversion provides an opportunity for
the Executive Branch to take further key implementation steps to avert
disruptions to critical services.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-98-85
TITLE: Year 2000 Computing Crisis: Potential for Widespread
Disruption Calls for Strong Federal Leadership
DATE: 04/30/98
SUBJECT: Strategic information systems planning
Systems conversions
Information resources management
Data integrity
Computer software verification and validation
Interagency relations
Information systems
Internal controls
Systems compatibility
IDENTIFIER: OMB Year 2000 Program
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Report to Congressional Requesters
April 1998
YEAR 2000 COMPUTING CRISIS -
POTENTIAL FOR WIDESPREAD
DISRUPTION CALLS FOR STRONG
LEADERSHIP AND PARTNERSHIPS
GAO/AIMD-98-85
Year 2000 Computing Crisis
(511454)
Abbreviations
=============================================================== ABBREV
CIO - Chief Information Officer
FAA - Federal Aviation Administration
HCFA - Health Care Financing Administration
OMB - Office of Management and Budget
OPM - Office of Personnel Management
SSA - Social Security Administration
VA - Department of Veterans Affairs
Letter
=============================================================== LETTER
B-279427
April 30, 1998
Congressional Requesters
As requested by the Senate Majority Leader and the Chairpersons and
Ranking Minority Members listed at the end of this letter, we are
reporting on the Year 2000 computing crisis facing the nation.
According to the report of the President's Commission on Critical
Infrastructure Protection, the United States--with close to half of
all computer capacity and 60 percent of Internet assets--is the
world's most advanced and most dependent user of information
technology.\1
Should these systems--which perform functions and services critical
to our nation--suffer disruption, it could create a widespread
crisis. Accordingly, the upcoming change of century is a sweeping
and urgent challenge for public and private-sector organizations.
For this reason, we have designated the Year 2000 computing problem
as a high-risk area.\2
To assist in addressing the Year 2000 computing problem, our
objectives were to (1) outline the Year 2000 risks facing the
government and the nation, (2) describe the evolution of the federal
government's Year 2000 strategy, and (3) identify additional actions
that can be taken by the Executive Branch to prepare the nation for
the Year 2000. Our views are based upon over two dozen reports we
have issued over the past year on the Year 2000 readiness of a wide
range of federal agencies as well as on extensive consultations with
various experts in information technology and our years of experience
in and knowledge of federal agencies' computer systems. Appendix I
contains our scope and methodology.
--------------------
\1 Critical Foundations: Protecting America's Infrastructures
(President's Commission on Critical Infrastructure Protection,
October 1997). The President's Commission on Critical Infrastructure
Protection was established in July 1996, in Executive Order 13010, to
assess the scope and nature of the vulnerabilities of, and threats
to, critical infrastructures, including telecommunications,
electrical power systems, gas and oil storage and transportation,
banking and finance, transportation, water supply systems, emergency
services, and continuity of government. The commission included
representatives from federal departments and agencies and the private
sector who were organized to assess sector-specific vulnerabilities
and propose solutions.
\2 High-Risk Series: Information Management and Technology
(GAO/HR-97-9, February 1997).
RESULTS IN BRIEF
------------------------------------------------------------ Letter :1
While progress has been made in addressing the federal government's
Year 2000 readiness, serious vulnerabilities remain. Many agencies
are behind schedule. At the current pace, it is clear that not all
mission critical systems will be fixed in time. Much more action is
needed to ensure that federal agencies satisfactorily mitigate Year
2000 risks to avoid debilitating consequences. Vital economic
sectors of the nation likewise remain vulnerable to problems that the
change of century will bring. Such key areas include information and
telecommunications; banking and finance; health, safety, and
emergency services; transportation; utilities; and manufacturing and
small business. Moreover, a high degree of information and systems
interdependence exists among various levels of government and the
private sector in each of these sectors. These interdependencies
increase the risk that a cascading wave of failures or interruptions
of essential services could occur.
As the change of century grows closer and the breadth of Year 2000
work that remains has become known, the federal government's response
to the crisis has increased. Originally, the Office of Management
and Budget (OMB) expressed a high degree of confidence about the
federal government's ability to meet the Year 2000 deadline. More
recently, as many agencies have reported their limited progress in
solving the Year 2000 problem, OMB has become increasingly concerned.
Accordingly, at the urging of key congressional leaders, OMB has
improved its response to the crisis by issuing much needed policies
and increasing its monitoring of agencies. Most encouraging is the
President's recent announcement of the establishment of a President's
Council on Year 2000 Conversion to oversee federal efforts and
promote public/private relationships.
Establishment of the President's Council on Year 2000 Conversion
provides an opportunity for the Executive Branch to take further key
implementation steps to avert disruptions to critical services. With
regard to steps that can be taken to strengthen federal agency
efforts, time is dwindling, therefore it is critical that the
government and the agencies set priorities to focus efforts on the
most important systems (especially, those that affect health and
safety, the economic well-being of Americans, national security, and
the economy) and ensure that appropriate testing is performed for
those systems. Moreover, the uncertainty of whether agencies'
internal systems, the systems of their data partners, and the systems
that support the public infrastructure will all be Year 2000
compliant makes developing and testing contingency plans an essential
task to ensure the continuity of services should failures occur.
Further, in order to make informed decisions, it is important that
the Council receive complete, timely information on the federal
government's Year 2000 readiness and that this information be
reliable. This can be accomplished by requiring additional critical
agencies to report regularly their progress, expanding reporting
elements, and setting independent verification standards for agency
efforts. Finally, some agencies have reported difficulty recruiting
and retaining information technology staff to perform Year 2000 work.
A Year 2000 personnel strategy is urgently needed to identify ways to
help solve this problem.
The President's Council on Year 2000 Conversion also needs to (1)
quickly formulate a comprehensive picture of the nation's Year 2000
readiness and (2) establish an effective approach to promote
public/private partnerships to resolve the nation's Year 2000 crisis.
Given the urgency to move swiftly, one approach that could be used as
a solid foundation is the type of sector-based approach used by the
President's Commission on Critical Infrastructures as a starting
point. This approach could involve federal agency focal points
working with sector coordinators. These coordinators would be
created or selected from existing associations and would facilitate
sharing information among providers and the government. Using this
model, the President's Council on Year 2000 Conversion could
establish public/private partnership forums composed of
representatives of each major sector. Such groups would help (1)
gauge the nation's preparedness for the Year 2000, (2) periodically
report on the status and remaining actions of each sector's Year 2000
remediation efforts, and (3) ensure the development of contingency
plans to assure the continuing delivery of critical public and
private services.
BACKGROUND
------------------------------------------------------------ Letter :2
Over the past 2 years, the term "Year 2000 Problem" has become
increasingly familiar. This problem is rooted in the way in which
automated information systems have, for the past several decades,
typically represented the year--using two digits rather than four--in
order to conserve electronic data storage space and reduce operating
costs. Thus 1998 would be represented as simply 98. In this format,
however, 2000 is indistinguishable from 1900 because both are
represented only as 00. As a result, if not modified, computer
systems or applications that use dates or perform date- or
time-sensitive calculations may generate incorrect results beyond
1999, reading 00 as 1900 rather than 2000.
As we testified before the Congress a year ago, correcting this
problem, in government as in the private sector, will be
labor-intensive and time-consuming--and must be done while systems
continue to operate.\3 Many of the federal government's computer
systems were originally designed and developed 20 to 25 years ago;
are poorly documented; and use a wide variety of computer
languages--many of which are obsolete. Some applications include
thousands, tens of thousands, or even millions of lines of code, each
of which must be examined for date-format problems. Other system
components--hardware, operating systems, communications interfaces,
and database software--may also be affected by the date problem.
Many data exchanges and interdependencies also exist among federal,
state, and local governments; the private sector; foreign countries;
and international organizations. Therefore, systems are also
vulnerable to failure caused by incorrectly formatted data provided
by other systems, which are noncompliant. Examples of such data
exchanges include the following situations.
-- Taxpayers can pay their taxes through data exchanges between the
taxpayer, financial institutions, the Federal Reserve System,
and the Department of the Treasury's Financial Management
Service and Internal Revenue Service.
-- State disability determination systems provide data on an
individual's medical eligibility for disability benefits to the
Social Security Administration which uses this data to support
payments to disabled persons.
-- Medical providers obtain payments for their medical services
through data exchanges between the provider, Health Care
Financing Administration (HCFA) and its contractors, the Social
Security Administration, the Department of the Treasury, the
Federal Reserve System, and financial institutions.
-- Commercial and military aircraft and ships within the United
States and in foreign countries and organizations interface with
the Global Positioning System, which consists of satellites,
ground systems, and receivers, for navigation purposes as well
as for precision targeting and smart bombs.
--------------------
\3 Year 2000 Computing Crisis: Strong Leadership Today Needed To
Prevent Future Disruption of Government Services (GAO/T-AIMD-97-51,
February 24, 1997).
THE GOVERNMENT AND THE NATION
FACE HIGH RISK OF SERVICE
DISRUPTION DUE TO THE YEAR 2000
PROBLEM
------------------------------------------------------------ Letter :3
The public faces a high risk that critical services provided by the
government and the private sector could be severely disrupted by the
Year 2000 computing crisis. Financial transactions could be delayed,
flights grounded, power lost, and national defense affected. The
many interdependencies that exist among governments and within key
economic sectors could cause a single failure to have adverse
repercussions. While managers in the government and the private
sector are taking many actions to mitigate these risks, a significant
amount of work remains, and time frames are unrelenting.
RISK OF DISRUPTION TO
GOVERNMENT SERVICES IS HIGH
---------------------------------------------------------- Letter :3.1
The federal government is extremely vulnerable to the Year 2000 issue
due to its widespread dependence on computer systems to process
financial transactions, deliver vital public services, and carry out
its operations. This challenge is made more difficult by the age and
poor documentation of some of the government's existing systems and
its lackluster track record in modernizing systems to deliver
expected improvements and meet promised deadlines.
Unless this issue is successfully addressed, serious consequences
could ensue. For example:
-- Unless the Federal Aviation Administration (FAA) takes much more
decisive action, there could be grounded or delayed flights,
degraded safety, customer inconvenience, and increased airline
costs.\4
-- Payments to veterans with service-connected disabilities could
be severely delayed if the system that issues them either halts
or produces checks so erroneous that it must be shut down and
checks processed manually.
-- The military services could find it extremely difficult to
efficiently and effectively equip and sustain their forces
around the world.
-- Federal systems used to track student loans could produce
erroneous information on loan status, such as indicating that a
paid loan was in default.
-- Internal Revenue Service tax systems could be unable to process
returns, thereby jeopardizing revenue collection and delaying
refunds.
-- The Social Security Administration process to provide benefits
to disabled persons could be disrupted if interfaces with state
systems fail.
In addition, the year 2000 could also cause problems for the many
facilities used by the federal government that were built or
renovated within the last 20 years and contain embedded computer
systems\5 to control, monitor, or assist in operations. Many of
these systems could malfunction due to vulnerability to the Year 2000
problem. For example, heating and air conditioning units could stop
functioning properly and card-entry security systems could cease to
operate.
Year 2000-related problems have already been identified. For
example, an automated Defense Logistics Agency system erroneously
deactivated 90,000 inventoried items as the result of an incorrect
date calculation. According to the agency, if the problem had not
been corrected (which took 400 work hours), the impact would have
been catastrophic and would have seriously hampered its mission to
deliver materiel in a timely manner.\6 In another case, the
Department of Defense's Global Command Control System, which is used
to generate a common operating picture of the battlefield for
planning, executing, and managing military operations, failed testing
when the date was rolled over to the Year 2000.
In order to assist federal agencies in addressing their Year 2000
risks, we developed an enterprise readiness guide that offers a
structured, step-by-step approach for reviewing the adequacy of
agency planning and management of its Year 2000 program.\7 The guide
describes five phases of a Year 2000 program: awareness, assessment,
renovation, validation, and implementation. Over 30,000 copies of
the guide--which was released to the public as an exposure draft in
February 1997 and issued in September 1997--have been requested.
We have also reviewed the Year 2000 programs of a number of federal
agencies and have issued over two dozen reports and testimonies on
this issue. (For a complete list of our reports and testimonies on
the Year 2000 issue, see the "Related GAO Products" section at the
end of this report.) In general, our reviews found that progress has
been uneven. As discussed below, some agencies are significantly
behind schedule and are at high risk that they will not fix their
systems in time. Other agencies have made progress, although risks
remain and a great deal more work is needed. Our reports have
numerous recommendations which the agencies have almost universally
agreed to implement.
Federal Aviation Administration (FAA). FAA has been severely behind
schedule in completing basic awareness and assessment activities.\8
In our January 1998 report, we concluded that at its current pace,
FAA would not make it in time. Moreover, FAA had not (1) analyzed
the impact of its systems' not being Year 2000 compliant, (2)
inventoried and assessed all of its systems for date dependencies, or
(3) developed contingency plans to ensure continuity of operations.
Accordingly, we made several recommendations including that FAA
should (1) assess how its business lines and the aviation industry
would be affected if the Year 2000 problem were not corrected in time
and use this information to help rank the agency's Year 2000
activities, (2) complete its inventory of all information systems and
determine each one's criticality and decide whether each system
should be converted, replaced, or retired, and (3) craft Year 2000
contingency plans for all business lines. FAA has agreed to
implement our recommendations.
Social Security Administration (SSA). A federal leader in addressing
Year 2000 issues, SSA had made significant progress in assessing and
renovating mission-critical mainframe software. However, we found
that SSA remained at risk in that not all mission-critical systems
necessary to prevent the disruption of benefit payments will be
corrected before January 1, 2000.\9 At particular risk are the 54
state disability determination systems\10 that had not yet been
assessed. In addition, SSA faced the risk that inaccurate data would
be introduced into its databases by the hundreds of federal and state
agencies and thousands of businesses with which it exchanges data
files. Also, SSA had not developed contingency plans. We made
several recommendations to the Commissioner of SSA to address these
areas. SSA agreed with all of our recommendations and identified
specific actions that it would take to ensure an adequate transition
to the year 2000.
Department of Veterans Affairs (VA). We reported that at VA, the
Veterans Benefits Administration is addressing the Year 2000 problem
but needed to take additional action to correct its systems in
time.\11 Accordingly, we made 10 specific recommendations, such as
(1) completing an analysis to determine whether the Veterans Benefits
Administration's internal applications, interfaces, and third-party
products were Year 2000 compliant and (2) developing a Year 2000
contingency plan. VA agreed to implement these recommendations. In
a later review, we found that VA had initiated a number of these
actions but that substantial risks remained.\12
Department of Defense. We recently reported\13 that the Department
of Defense, which is responsible for about a third of the federal
government's reported mission critical systems, has taken positive
actions to increase awareness, promote sharing of information, and
encourage components to make Year 2000 remediation efforts a
priority, but that its progress in fixing systems has been slow.
However, Defense lacked key management and oversight controls to
enforce good management practices, to direct resources, and to
establish a complete picture of its progress in fixing systems.
Accordingly, we recommended that the Secretary of Defense (1)
establish a strong department-level program office, (2) expedite
efforts to establish a comprehensive, accurate departmentwide
inventory of systems, interfaces, and other equipment needing repair,
(3) clearly define criteria and an objective process for prioritizing
systems for repair based on their mission-criticality, (4) ensure
that system interfaces are adequately addressed, (5) develop an
overall, departmentwide testing strategy and a plan for ensuring that
adequate resources are available to perform necessary testing, (6)
require components to develop contingency plans, and (7) prepare
complete and accurate Year 2000 cost estimates. The Department of
Defense concurred with our recommendations. We have also recommended
improvements in the Year 2000 programs of the Air Force,\14 Logistics
Systems Support Center,\15 the Defense Finance and Accounting
Service,\16 and the Defense Logistics Agency,\17 including the need
to develop contingency plans.
Health Care Financing Administration (HCFA). HCFA administers the
Medicare program, the nation's largest health insurer. HCFA expects
to process over 1 billion claims and pay $288 billion in benefits per
year by 2000. In May 1997, we reported that the Heath Care Financing
Administration had not taken enough initial steps, such as developing
an assessment of the potential severity of the century change, to
ensure that it can avoid the systems-related service disruptions that
may occur as the year 2000 approaches.\18 HCFA agreed to implement
our recommendations that it identify responsibilities for managing
and monitoring Year 2000 actions, prepare an assessment of the
severity and timing of potential Year 2000 impact, and develop
contingency plans for critical systems.
Federal Deposit Insurance Corporation. The Federal Deposit Insurance
Corporation is the deposit insurer of approximately 11,000 banks and
savings institutions which are responsible for over $6 trillion in
assets and have insured deposits totaling upwards of $2.7 trillion.
We found that while the Federal Deposit Insurance Corporation has
taken aggressive efforts to ensure that the banks it oversees
mitigate Year 2000 risks, it still faces significant challenges in
providing a high level of assurance that individual banks will be
ready.\19 We recommended that the Federal Deposit Insurance
Corporation work with other federal bank, credit union, and thrift
institution regulators\20 to, for example, revise their Year 2000
work program, complete guidance to institutions to mitigate risks
associated with corporate customers and reliance on vendors, and
establish a working group to develop contingency planning guidance.
The Federal Deposit Insurance Corporation also agreed to our
recommendations to (1) develop a tactical plan and explicit road map
of the actions it plans to take based on the results of its June 1998
bank assessments and (2) ensure that adequate resources are allocated
to complete its internal systems' Year 2000 assessment and develop
contingency plans for each of its mission critical systems and core
business processes.
National Credit Union Administration. The National Credit Union
Administration supervises and insures more than 7,200 federally
chartered credit unions and insures member deposits in an additional
4,200 state-chartered credit unions. In October 1997, we reported
that the National Credit Union Administration had recognized the
severity of the Year 2000 problem, developed a plan, and initiated
action, such as issuing several letters to credit unions alerting
them of Year 2000 risks.\21 At the same time, however, in response to
our recommendations, the National Credit Union Administration agreed
to take several actions to strengthen their Year 2000 efforts,
including requiring credit unions to (1) report on the precise status
of their Year 2000 efforts at least quarterly, including the status
of addressing their interfaces and (2) implement the necessary
management controls to ensure that these financial institutions have
adequately mitigated the risks associated with the Year 2000 problem.
Audit offices of some states, including Arizona, Florida, Michigan,
New York, and Virginia, and the District of Columbia have also
identified significant Year 2000 concerns. Some of these risks
include the potential that systems supporting benefit programs, motor
vehicle records, and criminal records (i.e., prisoner release or
parole eligibility determinations) may be adversely affected by the
Year 2000 problem. These audit offices have made recommendations
including the need for increased oversight, Year 2000 project plans,
contingency plans, and personnel recruitment and retention
strategies.
--------------------
\4 Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent
Systems Failures (GAO/T-AIMD-98-63, February 4, 1998).
\5 Embedded systems are special-purpose computers built into other
devices.
\6 Defense Computers: Issues Confronting DLA in Addressing Year 2000
Problems (GAO/AIMD-97-106, August 12, 1997).
\7 Year 2000 Computing Crisis: An Assessment Guide
(GAO/AIMD-10.1.14, September 1997).
\8 FAA Computer Systems: Limited Progress on Year 2000 Issue
Increases Risk Dramatically (GAO/AIMD-98-45, January 30, 1998).
\9 Social Security Administration: Significant Progress Made in Year
2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997).
\10 These include the systems in all 50 states, the District of
Columbia, Guam, Puerto Rico, and the Virgin Islands.
\11 Veterans Benefits Computers Systems: Risks of VBA's Year-2000
Efforts (GAO/AIMD-97-79, May 30, 1997).
\12 Veterans Affairs Computer Systems: Action Underway Yet Much Work
Remains To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174, September 25,
1997).
\13 Defense Computers: Year 2000 Computer Problems Threaten DOD
Operations (GAO/AIMD-98-72, April 30, 1998).
\14 Defense Computers: Air Force Needs to Strengthen Year 2000
Oversight (GAO/AIMD-98-35, January 16, 1998).
\15 Defense Computers: LSSC Needs to Confront Significant Year 2000
Issues (GAO/AIMD-97-149, September 26, 1997).
\16 Defense Computers: DFAS Faces Challenges in Solving the Year
2000 Problem (GAO/AIMD-97-117, August 11, 1997).
\17 GAO/AIMD-97-106, August 12, 1997.
\18 Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16,
1997).
\19 Year 2000 Computing Crisis: Federal Deposit Insurance
Corporation's Efforts to Ensure Bank Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-73, February 10, 1998).
\20 These other federal regulators are the Federal Reserve System,
the Comptroller of the Currency, the National Credit Union
Administration, and the Office of Thrift Supervision.
\21 Year 2000 Computing Crisis: National Credit Union
Administration's Efforts to Ensure Credit Union Systems Are Year 2000
Compliant (GAO/T-AIMD-98-20, October 22, 1997).
KEY ECONOMIC SECTORS AT RISK
OF YEAR 2000 FAILURES
---------------------------------------------------------- Letter :3.2
America's infrastructures are a complex array of public and private
enterprises with many interdependencies at all levels. Key economic
sectors that could be seriously affected if their systems are not
Year 2000 compliant are: information and telecommunications; banking
and finance; health, safety, and emergency services; transportation;
utilities; and manufacturing and small business.\22 The information
and telecommunications sector is especially important because it (1)
enables the electronic transfer of funds, the distribution of
electrical power, and the control of gas and oil pipeline systems,
(2) is essential to the service economy, manufacturing, and efficient
delivery of raw materials and finished goods, and (3) is basic to
responsive emergency services. Illustrations of Year 2000 risks
follow.
-- According to the Basle Committee on Banking Supervision--an
international committee of banking supervisory
authorities--failure to address the Year 2000 issue would cause
banking institutions to experience operational problems or even
bankruptcy. Moreover, the Chair of the Federal Financial
Institutions Examination Council, a U.S. interagency council
composed of federal bank, credit union, and thrift institution
regulators, who is also the Comptroller of the Currency, stated
that banking is one of America's most information-intensive
businesses and that any malfunctions caused by the century date
change could affect a bank's ability to meet its obligations.
He also stated that of equal concern are problems that customers
may experience that could prevent them from meeting their
obligations to banks and that these problems, if not addressed,
could have repercussions throughout the nation's economy.
-- According to the International Organization of Securities
Commissions, the year 2000 presents a serious challenge to the
world's financial markets. Because they are highly
interconnected, a disruption in one segment can spread quickly
to others.
-- FAA recently met with representatives of airlines, aircraft
manufacturers, airports, fuel suppliers, telecommunications
providers, and industry associations to discuss the Year 2000
issue. Participants raised the concern that their own Year 2000
compliance would be irrelevant if FAA were not compliant because
of the many system interdependencies. Representatives went on
to say that unless FAA was substantially Year 2000 compliant on
January 1, 2000, flights would not get off the ground and that
extended delays would be an economic disaster.
-- Another risk associated with the transportation sector was
described by the Federal Highway Administration which stated
that highway safety could be severely compromised because of
potential Year 2000 problems in operational transportation
systems. For example, date dependent signal timing patterns
could be incorrectly implemented at highway intersections if
traffic signal systems run by state and local governments do not
process four-digit years correctly.
-- One risk associated with the utility sector is the potential
loss of electrical power. For example, Nuclear Regulatory
Commission staff believe that safety-related safe shutdown
systems will function but that a worst-case scenario could occur
in which Year 2000 failures in several nonsafety-related systems
could cause a plant to shut down, resulting in the loss of
off-site power and complications in tracking post-shutdown plant
status and recovery.
-- With respect to the health, safety, and emergency services
sector, according to the Department of Health and Human
Services, the Year 2000 issue holds serious implications for
patient care and scientific research activities of the federal
government, and for the nation's health care providers and
researchers in general. Medical devices and scientific
laboratory equipment may experience problems beginning January
1, 2000, if the computer systems, software applications, or
embedded chips used in these devices contain two-digit fields
for year representation. In addition, according to the Gartner
Group, health care is substantially behind other industries in
Year 2000 compliance and it predicts that at least 10 percent of
mission-critical systems in this industry will fail because of
noncompliance.\23
In addition to the risks associated with the nation's key economic
sectors, one of the largest, and largely unknown, risks relates to
the global nature of the problem. With the advent of electronic
communication and international commerce, the United States and the
rest of the world have become critically dependent on computers.
However, there are indications of Year 2000 readiness problems in the
international arena. In September 1997, the Gartner Group, a private
research firm acknowledged for its expertise in Year 2000 issues,
surveyed 2,400 companies in 17 countries and concluded that "[t]hirty
percent of all companies have not started dealing with the year 2000
problem. Small companies, health care organizations, educational
institutions, and many companies in 30 percent of the world's
countries are at a high risk of seeing year 2000 mission-critical
failures due to a lack of readiness."\24
In this survey of companies in 17 countries, the Gartner Group also
ranked certain countries and areas of the world. According to it,
countries/areas at level I on its scale of compliance--just getting
started--include Eastern Europe, many African countries, many South
American countries, and several Asian countries, including China.
Those at level II--completed the inventory process and have begun the
assessment process--include Japan, Brazil, South Africa, Taiwan, and
Western Europe. Finally, some companies in the United States, the
United Kingdom, Canada, and Australia are at levels II while others
are at level III. Level III indicates that a program plan has been
completed and dedicated resources are committed and in place.
Although there are many national and international risks to key
economic sectors related to the Year 2000, our limited review of
these key sectors found a number of private-sector organizations that
have raised awareness and provided advice through publications,
conferences, and guidance. For example:
-- The Securities Industry Association established a Year 2000
committee in 1995 to promote industry awareness, and since then
has established other committees and subcommittees to address
key Year 2000 issues, such as testing, and has issued
guidelines.
-- The Electric Power Research Institute sponsored a conference in
1997 with utility professionals to explore the Year 2000 issue
in embedded systems.
-- Representatives of several oil and gas companies formed a Year
2000 energy industry group, which meets regularly to discuss the
Year 2000 problem.
-- The International Air Transport Association formed an
information management committee and organized Year 2000
seminars and briefings for many segments of the airline
industry.
In addition, information technology industry associations, such as
the Information Technology Association of America, have published
newsletters, issued guidance, and held seminars to focus information
technology users on the Year 2000 problem.
--------------------
\22 These sectors are compatible with the critical infrastructures
identified by the President's Commission on Critical Infrastructure
Protection: transportation, oil and gas production and storage,
water supply, emergency services, government services, banking and
finance, electrical power, and information and communications. The
Commission deemed these infrastructures so vital that their
destruction or incapacity would have a debilitating impact on our
defense and economic security.
\23 Healthcare Is Far Behind In Year 2000 Compliance (Gartner Group,
Document #IGG-020498-02, February 4, 1998).
\24 Year 2000-World Status (Gartner Group, Document #M-100-037,
November 25, 1997).
GROWING CONCERN LED TO
INCREASED FEDERAL ROLE
------------------------------------------------------------ Letter :4
As the Year 2000 has grown nearer and the scope of the problem has
become clearer, the federal government's response to the crisis has
grown as well. At the urging of congressional leaders and others,
OMB and the federal agencies have dramatically increased the amount
of attention and oversight given to this issue in the last year.
Moreover, last month the President issued an executive order
establishing a President's Council on Year 2000 Conversion and
recognizing the national and international aspects of the problem.
Congressional oversight has played a key role in focusing OMB and
agency attention on the Year 2000 problem. In addition,
Congressional hearings on the international, national,
governmentwide, and agency-specific Year 2000 problems have exposed
the threat that the Year 2000 poses to the public.
OMB'S INITIAL RESPONSE TO
THE YEAR 2000 PROBLEM
---------------------------------------------------------- Letter :4.1
In the fall of 1995, OMB asked SSA to be champion for the Year 2000
issue for the federal government. In this role, SSA formed an
informal interagency working group on the Year 2000, chaired by the
Assistant Deputy Commissioner for Systems of the Social Security
Administration, which met for the first time in November 1995. This
interagency working group subsequently developed best practices for
the Year 2000 conversion. The group later evolved into the Chief
Information Officer (CIO) Council's Year 2000 Committee. The
committee has two objectives: (1) re-emphasize information
technology management practices to ensure that mission critical
systems work on, before, and after January 1, 2000, and (2) identify
joint efforts to leverage resources for solving the Year 2000
problem.
In April 1996, OMB sent a memorandum to agency senior information
resource management officials and CIOs requesting that agencies'
5-year information resources management plans include their Year 2000
strategy. In addition, OMB stated that agencies should avoid
acquiring commercial off-the-shelf products and application software
that are not year 2000 compliant, except in emergency situations. In
a follow-up to this memorandum, OMB sent a memorandum to the deputy
heads of departments and agencies urging them to discuss the Year
2000 issue with their managers and computer professionals.
On February 6, 1997, OMB issued a broader Year 2000 strategy for the
federal government. The strategy was predicated on three
assumptions: (1) senior agency managers will take whatever action is
necessary to address the problem, (2) a single solution to the
problem does not exist, and (3) given the limited amount of time
available, emphasis will be placed on mission-critical systems. At
the department or agency level, OMB's strategy relied on the CIOs to
direct agency Year 2000 actions.
To monitor individual agency efforts, OMB required the major
departments and agencies\25 to submit quarterly reports on their
progress. Specifically, OMB asked agencies to report where they
stand with respect to completing the assessment, renovation,
validation, and implementation phases. OMB's first governmentwide
progress report, based on 24 agencies' May 1997 reports,\26 was
transmitted to selected congressional committees on
June 23, 1997.\27 While acknowledging that much work remained, OMB
expressed its belief that agencies had made a good start in
addressing the problem and reported that agencies had identified no
mission-critical systems that were behind schedule.
In July 1997 testimony, we disagreed with OMB's position, stating
that we believed that there was ample evidence that OMB and key
federal agencies needed to heighten their levels of concern and move
with more urgency. First, most agencies' reported schedules left
little time to resolve unanticipated problems. Second, OMB's
perspective was based on agency self-reporting which had not been
independently validated. Third, entities may have interpreted the
term "mission critical" in various ways. Fourth, OMB, in its
governmentwide schedule, established only 1 month for the validation
phase which is critical for thorough testing and, according to the
Gartner Group, testing could consume over 40 percent of the time and
resources of the entire Year 2000 program. In this testimony, we
also identified other major areas--data exchanges, systems
prioritization, and contingency planning--that we considered
essential for OMB to emphasize.
--------------------
\25 The departments are Agriculture, Commerce, Defense, Education,
Energy, Health and Human Services, Housing and Urban Development,
Interior, Justice, Labor, Transportation, Treasury, State, and
Veterans Affairs. The agencies are the Agency for International
Development, Central Intelligence Agency, Environmental Protection
Agency, Federal Emergency Management Agency, General Services
Administration, National Aeronautics and Space Administration,
National Science Foundation, Nuclear Regulatory Commission, Office of
Personnel Management, Small Business Administration, and Social
Security Administration.
\26 OMB did not report the progress of the Central Intelligence
Agency because its reports are classified.
\27 Getting Federal Computers Ready for 2000, Progress Report, U.S.
Office of Management and Budget, May 15, 1997.
OMB TAKES ADDITIONAL ACTIONS
---------------------------------------------------------- Letter :4.2
In response to information provided by agencies in their August
quarterly report and the issues raised at the July hearing, OMB began
taking more aggressive action on Year 2000 matters. For example, in
the next governmentwide report, dated August 15, 1997, and released
in September, OMB noted increasing concern with agencies' progress
and announced additional initiatives to address the Year 2000
problem.\28 The report stated that while progress had been made
overall, it was not uniform across the agencies. Accordingly, OMB
placed agencies in three tiers based on their progress in addressing
the Year 2000 problem: (1) 4 agencies showed insufficient evidence
of progress, (2) 12 agencies showed evidence of progress but OMB also
had concerns, and (3) 8 agencies appeared to be making sufficient
progress.\29 OMB established a rebuttable presumption for agencies in
the first tier that it would not fund requests for information
technology investments in the fiscal year 1999 budget formulation
process unless they were directly related to fixing the Year 2000
problem.
OMB also announced other initiatives in its August 15, 1997,
governmentwide report. First, OMB emphasized that validation
activities were critical to success and stated that it planned to
meet with agencies in the following months to discuss the adequacy of
scheduled timetables for completing validation. Second, OMB said
that it would address interfaces with systems external to the federal
government, including those of state and local governments and the
private sector. Third, OMB asked agencies for a summary of the
contingency plan for any mission-critical system that was reported
behind schedule in two consecutive quarterly reports and planned to
summarize such plans in future reports to the Congress.
OMB's report issued in December 1997 and dated as of November 15,
1997, stated that while all agencies had shown progress, the extent
of that progress was mixed.\30 OMB expressed its concern about
whether agencies will have enough time to adequately test
mission-critical systems in production settings. Writing that "the
sense of urgency should be clear to both our private-sector suppliers
and to those with whom we exchange data," OMB accelerated two of its
governmentwide target milestones. It moved up the date for
completion of renovation by 3 months (from December to September
1998), and for implementation by 8 months (from November 1999 to
March 1999).
Along with accelerated target completion dates, OMB acknowledged its
expectation that some systems will not meet the [March 1999
implementation] target. Because of this, in January 1998, OMB asked
agencies--for their February 15, 1998 reports--to identify steps they
are taking to develop contingency plans for systems that may not meet
the deadline. Further, following the lead of several private
companies, OMB also asked agencies to report on independent
verification activities, in which independent entities determine
whether agency systems have in fact been made Year 2000 compliant.
OMB's last report, issued on March 10, 1998, stated that while good
progress has been made, it is not rapid enough overall.\31 Only 9 of
the 24 departments and agencies summarized in OMB's governmentwide
report were determined to be making satisfactory progress. (The
Departments of the Interior and Veteran Affairs, the Environmental
Protection Agency, General Services Administration, National
Aeronautics and Space Administration, National Science Foundation,
Nuclear Regulatory Commission, Small Business Administration, and the
Social Security Administration).
--------------------
\28 Progress on Year 2000 Conversion, U.S. Office of Management and
Budget, August 15, 1997.
\29 OMB based its evaluation on each agency's reported (1) status of
systems' assessment, (2) measurable improvement from previous
reports, (3) schedule for completion of the phases, and (4) dramatic
changes in previously reported information or other indications of
concern. In its latest government report, OMB added a fifth
evaluation element, risk management, which includes an assessment of
whether an agency has a workable approach to contingency planning and
an independent verification and validation program.
\30 Progress on Year 2000 Conversion, U.S. Office of Management and
Budget, as of November 15, 1997.
\31 Progress on Year 2000 Conversion, U.S. Office of Management and
Budget, as of February 15, 1998.
STATE/FEDERAL YEAR 2000
INITIATIVES ARE UNDERWAY
---------------------------------------------------------- Letter :4.3
Data exchanges between the federal government and the states are also
critical to ensuring that billions of dollars of benefits payments
are made to millions of recipients. Consequently, in October 1997
the Commonwealth of Pennsylvania hosted the first State/Federal CIO
Summit. Participants resolved to (1) use a four-digit contiguous
computer standard for data exchanges between states and federal
agencies, (2) establish a national policy group, cochaired by the
administrator of OMB's Office of Information and Regulatory Affairs
and the president of the National Association of State Information
Resource Executives (who is also California's CIO), and (3) create a
joint state/federal technical group, cochaired by the chair of the
federal CIO Council Year 2000 Committee and the chair of the National
Association of State Information Resource Executives' Subcommittee on
Year 2000. We participated in this summit and have also initiated a
governmentwide review of actions to address the Year 2000 problems
associated with electronic data exchanges.
THE PRESIDENT BROADENS THE
FEDERAL YEAR 2000 ROLE
---------------------------------------------------------- Letter :4.4
Although the federal government's Year 2000 efforts to date have
primarily focused on government agencies, we and congressional
leaders have urged the administration to expand the federal
government's Year 2000 outlook beyond federal agencies and their
programs. On February 4, 1998, the President issued an executive
order which could achieve this goal. The executive order states that
agencies shall (1) assure that no critical federal program
experiences disruption because of the Year 2000 problem, (2) assist
and cooperate with state, local, and tribal governments where those
governments depend on federal information or where the federal
government is dependent on those governments to perform critical
missions, (3) cooperate with private sector operators of critical
national and local systems, and (4) communicate with their foreign
counterparts to raise awareness of and generate cooperative
international arrangements. To implement these policies, the order
states that each agency head shall assure that efforts to address the
Year 2000 problem receive the highest priority attention in his/her
agency.
The executive order also established the President's Council on Year
2000 Conversion led by an Assistant to the President and comprised of
one representative from each of the executive departments and from
other federal agencies as may be determined by the Chair. The Chair
of the Council was tasked with the following Year 2000 roles: (1)
overseeing the activities of agencies, (2) acting as chief
spokesperson in national and international forums, (3) providing
policy coordination of executive branch activities with state, local,
and tribal governments, and (4) promoting appropriate federal roles
with respect to private sector activities. In addition, the
executive order requires the Chair and OMB to report to the President
quarterly on the progress of agencies in addressing the Year 2000
problem.
ADDITIONAL ACTIONS CAN BE TAKEN
TO REDUCE YEAR 2000 RISKS
------------------------------------------------------------ Letter :5
The increased attention that the administration has given to solving
the Year 2000 problem could help minimize the disruption to the
nation as the millennium approaches. In particular, the new
President's Council on Year 2000 Conversion can initiate the
additional actions needed to mitigate the many risks and
uncertainties associated with the Year 2000. These actions could
include fixing the government's highest priority systems first and
developing contingency plans.
SETTING PRIORITIES IS
CRITICAL
---------------------------------------------------------- Letter :5.1
Agencies have taken longer to complete the awareness and assessment
phases than is recommended. This leaves less time for the critical
renovation, validation, and implementation phases. For example, the
Air Force has used nearly 46 percent of its available time completing
the awareness and assessment phases while the Gartner Group estimates
that no more than 26 percent of an organizations' year 2000 effort
should be spent on these phases.
Consequently, priority-setting is absolutely essential. As
illustrated in figure 1, according to the February 1998 agency
quarterly reports, about 35 percent of federal agencies'
mission-critical systems were considered to be Year 2000 compliant.
This leaves over 3,500 mission-critical systems (45 percent), as well
as thousands of nonmission-critical systems, still to be repaired and
over 1,100 systems (15 percent) to be replaced. It is unlikely that
agencies can complete this vast amount of work in time. Accordingly,
it is critical that the Executive Branch identify those systems that
are of the highest priority. These include those that, if not
corrected, could most seriously threaten health and safety, the
financial well being of American citizens, national security, or the
economy.
Figure 1: Year 2000 Status of
Mission-Critical Systems (as a
percentage of total
mission-critical systems)
(See figure in printed
edition.)
Source: February 1998
quarterly reports submitted to
OMB by 24 federal departments
and agencies.
(See figure in printed
edition.)
Despite the importance of making sure that the most critical systems
are fixed and thoroughly tested, OMB has not set governmentwide
priorities to help agencies determine which systems perform the most
essential services and direct resources to correct these systems
first. OMB's most recent guidance sets the same deadline (March
1999) for agencies to implement Year 2000 fixes for both mission and
nonmission-critical systems. While OMB made this change with the
intention of fixing systems in time for them to be thoroughly tested
and implemented well in advance of January 1, 2000, this change could
have the unintended consequence of diverting agency attention from
the most critical systems.
Agencies must also ensure that their mission critical systems can
properly exchange data with other systems and are protected from
errors that can be introduced by external systems. For example,
agencies that administer key federal benefits payment programs, such
as the Department of Veterans Affairs, must exchange data with the
Department of the Treasury which, in turn, interfaces with financial
institutions, to ensure that beneficiary checks are issued. It is
important that the executive branch consider this issue because to
complete end-to-end testing, agencies must secure the cooperation of
other agencies and the private sector. In its February 1998
quarterly report, the Department of Transportation cited a concern
about its inability to control end-to-end testing of system
operations involving telephone companies and third-party operators of
telecommunications links. Transportation stated that these
private-sector entities must be committed to ensuring that
mission-critical communications are not affected by the Year 2000.
However, the executive branch has not directed that operational
end-to-end testing be conducted of all steps in this process and that
this testing be independently verified and validated. Without such
testing and independent verification and validation, the agency
authorizing the payments could find its Year 2000 efforts failing
even if its own systems are Year 2000 compliant.
MONITORING OF AGENCY
PROGRESS NEEDS TO BE
IMPROVED
---------------------------------------------------------- Letter :5.2
OMB's reports on agency progress do not fully and accurately reflect
the federal government's true progress because not all agencies are
required to report their progress and OMB's reporting requirements
are incomplete. For example,
-- OMB had not until recently required independent agencies to
submit quarterly reports. Accordingly, the status of these
agencies' Year 2000 programs has not been monitored centrally.
On March 9, 1998, OMB asked an additional 31 agencies, including
the Securities and Exchange Commission and the Pension Benefit
Guaranty Corporation, to report on their progress in fixing the
Year 2000 problem by April 30, 1998. OMB plans to include a
summary of those responses in its next quarterly report to the
Congress. However, unlike its reporting requirements for the
major departments and agencies which requires them to report
quarterly, the March 9th memorandum stated that OMB did not plan
to request that the independent agencies report again until next
year. Since the independent agencies will not be reporting
again until 1999, it will be difficult for OMB to be in a
position to address any major problems. In providing comments
on this report, the Chairman of the President's Council on Year
2000 Conversion stated that he and OMB will ask these agencies
to report more frequently if, based on their April 1998 reports,
it is apparent that there are problems.
-- Agencies are required to report their progress in repairing
noncompliant systems but are not required to report on their
progress in implementing systems to replace noncompliant
systems, unless the replacement effort is behind schedule by 2
months or more. Because federal agencies have a poor history of
delivering new system capabilities on time, it is essential to
know agencies' progress in implementing replacement systems.
-- OMB's guidance does not specify what steps must be taken to
complete each phase of a Year 2000 program (i.e., assessment,
renovation, validation, and implementation). Without such
guidance, agencies may report that they have completed a phase
when they have not. For example, while the Defense Logistics
Agency told us that it had completed the assessment phase, we
found that it had not addressed several critical steps
associated with the assessment phase, such as prioritizing
systems for correction.\32 As previously noted, our enterprise
readiness guide provides information on the key tasks that
should be performed within each phase.\33
In a December 1997 letter to OMB, the Chairman, Subcommittee on
Government Management, Information and Technology, House Committee on
Government Reform and Oversight, expressed similar concerns, stating
that "OMB needs to require agency plans and reports that are more
comprehensive and more reliable."
--------------------
\32 GAO/AIMD-97-106, August 12, 1997.
\33 GAO/AIMD-10.1.14, September 1997.
CONTINGENCY PLANS IMPERATIVE
---------------------------------------------------------- Letter :5.3
In January 1998, OMB asked agencies to describe their contingency
planning activities in their February 1998 quarterly reports. These
instructions stated that contingency plans should be established for
mission-critical systems that are not expected to be implemented by
March 1999, or for mission-critical systems which have been reported
as 2 months or more behind schedule. Accordingly, in their February
1998 quarterly reports, several agencies reported that they planned
to develop contingency plans only if they fall behind schedule in
completing their Year 2000 fixes.
Agencies that develop contingency plans only for systems currently
behind schedule, however, are not addressing the need to ensure the
continuity of a minimal level of core business operations in the
event of unforeseen failures. As a result, when unpredicted failures
occur, agencies will not have well-defined responses and may not have
enough time to develop and test effective contingency plans.
Contingency plans should be formulated to respond to two types of
failures: those that can be predicted (e.g., system renovations that
are already far behind schedule) and those that are unforeseen (e.g.,
a system that fails despite having been certified as Year 2000
compliant or a system that cannot be corrected by January 1, 2000,
despite appearing to be on schedule today).
Moreover, contingency plans that focus only on agency systems are
inadequate. Federal agencies depend on data provided by their
business partners as well as on services provided by the public
infrastructure (e.g., power, water, transportation, and voice and
data telecommunications). One weak link anywhere in the chain of
critical dependencies can cause major disruptions to business
operations. Given these interdependencies, it is imperative that
contingency plans be developed for all critical core business
processes and supporting systems, regardless of whether these systems
are owned by the agency.
In its latest governmentwide Year 2000 progress report, issued March
10, 1998, OMB clarified its contingency plan instructions.\34 OMB
stated that while it requires agencies to report on their contingency
plans under the circumstances described above, contingency plans
should be developed for all core business functions. On March 18, we
issued an exposure draft of a guide to help agencies ensure the
continuity of operations through contingency planning.\35 The CIO
Council worked with us in developing this guide and intends to adopt
the guide for federal agency use.
--------------------
\34 Progress on Year 2000 Conversion, U.S. Office of Management and
Budget, as of February 15, 1998.
\35 Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19, Exposure Draft, March 1998).
INDEPENDENT VERIFICATION OF
PROGRESS NEEDED
---------------------------------------------------------- Letter :5.4
OMB's assessment of the current status of federal Year 2000 progress
is predominantly based on agency reports that have not been
consistently verified or independently reviewed. Without such
independent reviews, OMB and others, such as the President's Council
on Year 2000 Conversion, have no assurance that they are receiving
accurate information. For example, as previously discussed, we have
found agencies reporting that they have completed the assessment
phase when critical work in this phase remained. In another example,
the Defense Finance and Accounting Service had not performed adequate
testing to assert that certain systems it had reported as compliant
were capable of transitioning into the year 2000. Specifically,
managers of three systems reported as compliant indicated that they
had performed some tests on the transfer and storage of dates, but
had not completed all Year 2000 compliance tests.\36
We are also concerned about whether agencies have completed the
assessment phase or are accurately reporting their status. Over
two-thirds of the agencies stated that they had completed the
assessment phase by November 1997, but in February 1998, several of
these same agencies reported significant changes in the total number
of mission-critical systems or increases in the number of systems
being replaced, repaired or retired--decisions that should have been
made during the assessment phase. For example, although the
Department of Energy reported that it had completed the assessment
phase in November, it reported in February 1998 that the number of
mission-critical systems had decreased by 21 percent (468 systems to
370) with corresponding decreases in the number already compliant,
being replaced, and being repaired. Most of these changes were
attributed to reclassifying systems as nonmission critical.
Classification of systems should have been completed in the
assessment phase. In addition, from November 1997 to February 1998,
the Department of Agriculture increased the number of systems being
replaced by 350 percent (from 58 to 261) and increased the number
being retired by 17 percent (126 to 147), even though it reported
that its assessment was complete in November 1997. There was no
explanation for these changes in Agriculture's February report.
OMB has acknowledged the need for independent verification and has
asked agencies to report on their independent verification activities
in their February 1998 quarterly reports. Accordingly, the agencies
described their current or planned verification activities in their
February reports, which included internal management processes,
reviews by the agencies' inspectors general, and ongoing or planned
contracts with vendors to perform independent verification and
validation. While this has helped provide assurance that some
verification is taking place through internal checks, reviews by
inspectors general, or contractors, the full scope of verification
activities required by OMB has not been articulated.
It is important that the executive branch set standards for the types
of reviews needed to provide assurance regarding the agencies' Year
2000 actions. Such standards could encompass independent assessments
of (1) whether the agency has developed and is implementing a
comprehensive and effective Year 2000 program, (2) the accuracy and
completeness of the agency's quarterly report to OMB, including
verification of the status of systems reported as compliant, (3)
whether the agency has a reasonable and comprehensive testing
approach, and (4) the completeness and reasonableness of the agency's
business continuity and contingency planning.
--------------------
\36 GAO/AIMD-97-117, August 11, 1997.
ABILITY TO ADDRESS
GOVERNMENTWIDE ISSUES COULD
BE STRENGTHENED
---------------------------------------------------------- Letter :5.5
The CIO Council's Year 2000 Committee has been useful in addressing
governmentwide issues. For example, the Year 2000 Committee worked
with the Federal Acquisition Regulation Council and industry to
develop a rule that (1) establishes a single definition of Year 2000
compliance in executive branch procurement and (2) generally requires
agencies to acquire only Year 2000-compliant products and services or
products and services that can be made Year 2000 compliant. The Year
2000 Committee has also established subcommittees on (1) best
practices, (2) state issues and data exchanges, (3) industry issues,
(4) telecommunications, (5) buildings, (6) biomedical and laboratory
equipment, (7) General Services Administration support and commercial
off-the-shelf products, and (8) international issues.
The committee's effectiveness could be further enhanced. For
example, currently agencies are not required to participate in the
Year 2000 Committee. Without such full participation, it is less
likely that appropriate governmentwide solutions can be implemented.
Further, while most of the committee's subcommittees are currently
working on plans, they have not published these with associated
milestones. It is important that these plans and accompanying
milestones be finalized and publicized quickly so that agencies can
use this information in their Year 2000 programs. It is equally
important that implementation of agency activities resulting from
these plans be monitored closely and that the subcommittees'
decisions be enforced.
Another governmentwide issue that needs to be addressed is the
availability of information technology personnel. According to the
Information Technology Association of America, the United States has
a shortage of 346,000 information technology personnel.\37 In their
February 1998 quarterly reports, the Departments of Agriculture,
Health and Human Services, Justice, Labor, State, and Veterans
Affairs as well as the Small Business Administration and Patent and
Trademark Office reported that they or their contractors had problems
obtaining and/or retaining information technology personnel. We also
identified staffing concerns at the National Credit Union
Administration,\38 Army's Logistics Systems Support Center,\39 and
VA's Veterans Benefits Administration.\40 The Internal Revenue
Service has also stated that it needs to address critical recruitment
and retention issues related to the Year 2000 problem as well as
other information technology projects.
Currently, no governmentwide strategy exists to address recruiting
and retaining information technology personnel with the appropriate
skills for Year 2000-related work. Until recently, the CIO Council
had not addressed this issue. We have not performed an analysis of
the government's information technology personnel needs to address
the Year 2000 problem. However, before the personnel issue reaches a
grave condition, it would be prudent for the CIO Council to identify
and champion personnel strategies, such as obtaining waivers to
rehire retired federal personnel and identifying incentives to retain
needed staff, that could be implemented quickly by agencies with
staffing problems.
While a draft of this report was out for comment, this issue was
discussed at the March 18, 1998, meeting of the CIO Council. The
Office of Personnel Management (OPM) provided the council with
information on the tools that are currently available to help
agencies obtain and retain staff. In addition, the council agreed
that OPM and the Human Resources Technology Council would form a
working group to look at any additional tools that could be made
available to help agencies obtain and retain staff for the Year 2000
challenge. This working group is tasked with providing
recommendations by May 1998. On March 30, 1998, OPM issued a
memorandum stating that the Year 2000 problem was an "unusual
circumstance" which would allow OPM to grant agencies waivers to
allow them to rehire former federal personnel without financial
penalty on a temporary basis to address the Year 2000 problem. This
same memorandum advised the agencies of their ability to make
exceptions to the biweekly limitation on premium pay when the head of
an agency or designee determines that an emergency involving a direct
threat to life or property exists.
--------------------
\37 Help Wanted 2: A Call for Collaborative Action for the New
Millennium (Information Technology Association of America, January
1998).
\38 GAO/T-AIMD-98-20, October 22, 1997.
\39 GAO/AIMD-97-149, September 26, 1997.
\40 GAO/AIMD-97-79, May 30, 1997.
SUCCESS OF THE NEW PRESIDENTIAL
COUNCIL IS CRITICAL
------------------------------------------------------------ Letter :6
Given the sweeping ramifications of the Year 2000 issue, other
countries have set up mechanisms to solve the Year 2000 problem on a
nationwide basis. Several countries, such as the United Kingdom,
Canada, the Netherlands, and Australia, have appointed central
organizations to coordinate and oversee their governments' responses
to the Year 2000 crisis. In the case of the United Kingdom, a
ministerial group is being established, under the leadership of the
President of the Board of Trade, to tackle the Year 2000 problem
across the public and private sectors. In addition, the British
Prime Minister has stated that he will use his country's European
Union presidency to raise the profile of the Year 2000 crisis
throughout Europe and the world.
These countries have also established public/private forums to
address the Year 2000 problem. For example, in September 1997,
Canada's Minister of Industry established a government/industry Year
2000 task force of representatives from banking, insurance,
transportation, manufacturing, telecommunications, information
technology, small and medium-sized businesses, agriculture, and the
retail and service sectors. The Canadian CIO is an ex-officio member
of the task force. It has been charged with providing (1) an
assessment of the nature and scope of the Year 2000 problem, (2) the
state of industry preparedness, and (3) leadership and advice on how
risks could reduced.
The Canadian task force issued a report\41 in February 1998 with 18
recommendations to all levels of government and to private sector
associations and businesses. These recommendations are intended to
promote public/private sector cooperation as well as to prompt
remedial actions. The task force published its report 4 months
earlier than planned because of the seriousness of the Year 2000
situation. According to the task force it made this decision,
"trusting that our recommendations, designed to focus business
attention and bring about action on this critical issue, will be
implemented with similar urgency." Among these recommendations were
that (1) formal action plans, if not already in place, be immediately
implemented by every business leader, chief executive officer,
president, and business owner and that these plans, along with
progress reports, be shared with all trade partners in the Canadian
national supply chain--with due consideration to commercial and legal
circumstances, (2) all levels of government, before introducing
legislation or regulatory changes, consider the impact that these
changes may have in terms of reprogramming information systems and
diverting resources from Year 2000 preparedness efforts, (3) all
lending institutions as a prerequisite for loans and the insurance
community for issuance/renewal of an insurance policy, should require
the availability of a formal Year 2000 plan, and (4) regulators at
all levels of government complete an assessment of the impacts that
Year 2000 failures in their regulated industries would have on their
regulatory objectives, and revise, where appropriate, their
compliance assessment procedures, and exert, where possible, "moral
suasion" on the importance of Year 2000 preparedness.
In the United States, the President's February 4, 1998, executive
order could serve as the linchpin that bridges the nation's and the
federal government's various Year 2000 initiatives. While the Year
2000 problem could have serious consequences, there is no
comprehensive assessment of the nation's readiness. As one of its
first tasks, the President's Council on Year 2000 Conversion could
formulate such a comprehensive assessment in partnership with the
private sector and state and local governments.
Many organizational and managerial models exist that the Conversion
Council could use to build effective partnerships to solve the
nation's Year 2000 problem. Because of the need to move swiftly, one
viable alternative would be to consider using the sector-based
approach used recently by the President's Commission on Critical
Infrastructure Protection as a starting point. The Commission also
called for a framework for implementing a national infrastructure
protection policy, working in conjunction with state and local
governments and the private sector.
One possible way to create a Year 2000 national coordination approach
could involve federal agency focal points working with sector
infrastructure coordinators. These coordinators would be created or
selected from existing associations and would facilitate sharing
information among providers and the government. Using this model,
the President's Council on Year 2000 Conversion could establish
public/private partnership forums composed of representatives of each
major sector that, in turn, could rely on task forces organized along
economic sector lines, if necessary. Such groups would help (1)
gauge the nation's preparedness for the Year 2000, (2) periodically
report on the status and remaining actions of each sector's year 2000
remediation efforts, and (3) ensure the development of contingency
plans to assure the continuing delivery of critical public and
private services.
--------------------
\41 A Call for Action, Report of Task Force Year 2000, February 1998.
CONCLUSIONS
------------------------------------------------------------ Letter :7
While the Year 2000 crisis has the potential to be catastrophic, the
very real risks can be mitigated and disruptions minimized with
proper attention and management. At the federal level, additional
attention to the systems that serve the highest priorities, such as
health and safety, would help ensure that the most essential
government services continue without disruption beyond 1999.
Moreover, the executive branch could improve oversight of federal
agencies' Year 2000 efforts by requiring business continuity and
contingency plans for all mission-critical systems and instructing
all key agencies to report regularly on the status of their Year 2000
efforts.
A coordinated, public/private effort, under the leadership of the
executive branch, could provide a forum and bring together the key
players in each key economic sector to effectively coordinate the
nation's Year 2000 efforts and assure that each sector, as well as
sector interdependencies, are being adequately addressed. Further,
public/private forums, in conjunction with the President's new Year
2000 Conversion Council, could be instrumental in developing business
continuity and contingency plans to safeguard the continued delivery
of critical services for each key economic sector. While we do not
foresee the federal government as dictating policy or requiring
specific solutions, it is, however, uniquely positioned to publicize
the Year 2000 computing crisis as a national priority, take a
leadership role, and identify, assess, and report on the risks and
necessary remediation efforts associated with the nation's key
economic sectors. Such plans would be most effective if they bring
to bear the combined and considerable influence of the federal
government, state and local governments, and the private sector.
RECOMMENDATIONS
------------------------------------------------------------ Letter :8
To more effectively oversee the activities of federal agencies to
address the Year 2000 crisis, we recommend that the Chairman of the
President's Council on Year 2000 Conversion
-- establish governmentwide priorities, and ensure that agencies
set agencywide priorities, for the most mission-critical
business processes and supporting systems, using criteria such
as the potential for adverse health and safety effects, adverse
financial effects on American citizens, detrimental effects on
national security, and adverse economic consequences;
-- for the selected priorities, designate a lead agency to be
responsible for ensuring that end-to-end operational testing of
these processes and supporting systems occurs across
organizational boundaries, and that independent verification and
validation of such testing has been performed;
-- identify all federal agencies beyond the departments and
agencies currently reporting that are central to the success of
Year 2000 readiness and require them to provide regular reports
to OMB;
-- require, as part of the quarterly reporting requirement,
agencies to report to OMB on their progress in implementing
systems intended to replace noncompliant systems;
-- identify and publicize expectations on the key activities that
should be accomplished for each of the assessment, renovation,
validation, and implementation phases, and direct agencies to
adhere to these expectations in reporting on the status of their
programs;
-- require agencies to develop contingency plans for all critical
core business processes;
-- require agencies to develop an independent verification strategy
to involve inspectors general or other independent organizations
in reviewing agency Year 2000 progress, to include (1) assessing
whether the agency has developed and is implementing a
comprehensive and effective Year 2000 program, (2) providing an
independent assessment of the agency's quarterly report to OMB,
(3) assessing whether the agency has a reasonable and
comprehensive testing approach, and (4) assessing the
completeness and reasonableness of the agency's business
continuity and contingency planning;
-- ensure that agencies participate in the CIO Council's Year 2000
Committee and that the CIO Council's Year 2000 Committee
subcommittees establish and publicize plans, milestones, and
enforcement mechanisms; and
-- develop a personnel strategy which includes (1) determining the
need for various information specialists, (2) identifying any
administrative or statutory changes that would be required to
waive reemployment penalties for former federal employees, and
(3) identifying ways to retain key Year 2000 staff in agencies
through the turn of the century.
To steer the United States through the Year 2000 crisis, we recommend
that the Chairman of the President's Council on Year 2000 Conversion
-- develop a comprehensive picture of the nation's Year 2000
readiness, which would include identifying and assessing the
risks of the nation's key economic sectors, including those
posed by international links and by the failure of critical
infrastructure components;
-- establish public/private partnership forums composed of
representatives of each major economic sector to help (1) gauge
the nation's preparedness for the Year 2000, (2) periodically
report on the status and remaining actions of each sector's Year
2000 remediation efforts, and (3) ensure the development of
contingency plans to assure the continuing delivery of critical
public and private services.
AGENCY COMMENTS AND OUR
EVALUATION
------------------------------------------------------------ Letter :9
The Chairman of the President's Council on Year 2000 Conversion
provided comments on the recommendations contained in this report on
March 23, 1998. A copy of these comments is reprinted in appendix
II. We also met with the Chairman on March 30, 1998, to further
discuss the need to implement our recommendations and to obtain
clarification of his written comments.
Regarding our recommendation on setting priorities, the Chairman
stated that agencies have established their priorities by identifying
their mission-critical systems. Further, the Chairman stated that
the council's focus at this time should be to assist agencies as they
work to ensure that all of their mission critical systems are ready
for the year 2000. He added that it may be necessary at a later date
for agencies to further prioritize these systems.
While priority setting is always an iterative process, it would be
prudent to give this more concentrated attention now.\42 Only a
little over one-third of the 24 agencies analyzed by OMB in its
governmentwide report were making satisfactory progress and many
critical large departments and agencies were not. For example, we
are reporting today that the Department of Defense, which is
reponsible for about one-third of the government's mission-critical
systems, has not yet determined, at the department level, which
systems have the highest impact on its mission. Consequently, we are
recommending that DOD clearly define criteria and an objective
process for prioritizing systems for repair based on their mission
criticality, and ensure that the most mission-critical systems will
be repaired first. The department concurred with our recommendation
and stated that ". . . the Secretary of Defense will define
criteria and a process for prioritizing systems for repair based on
the needs and mission of the Department of Defense. This process
will be implemented no later than June 30, 1998."\43
The time to reassess priorities and make difficult decisions is now,
while agencies can concentrate attention on those systems that are
essential to public health and safety, the financial well being of
American citizens, national security, or the economy. If priorities
are not clearly set, the government may find that its highest
priority systems are not ready in time but that they could have been
corrected had management attention and resources been properly
focused earlier. To help identify the government's most critical
systems, (1) the Council on Year 2000 Conversion should set
governmentwide priorities and (2) agencies must ensure that all
component entities evaluate their systems using consistent
priority-setting criteria that accurately reflect the agencies' core
mission.
Regarding our related recommendation on end-to-end operational
testing and independent verification and validation of such testing,
the Chairman stated that agencies are currently developing such plans
and obtaining independent verification and validation for their
systems. He added that the council and OMB will monitor these
activities. In our March 30 meeting with the Chairman, he added that
if any difficulty arises in getting agencies to cooperate with
respect to end-to-end testing, he or OMB will intervene to resolve
the matter.
Because time is short and thorough end-to-end testing of critical
systems and processes across organizational boundaries is essential,
the council should ensure that a lead agency for each high priority
business process is designated to develop and ensure the
implementation of an end-to-end test plan, which includes independent
verification and validation. Unless responsibility is clearly
assigned, it will be difficult to ensure that all organizations
participate constructively and expeditiously. Further, the
President's Council on Year 2000 Conversion will have to assume
leadership and take whatever actions are warranted should
difficulties arise in obtaining needed participation and cooperation
from state and local governments and the private sector. We modified
our recommendation to clarify our position.
With respect to our recommendation to require all critical agencies
to report their progress quarterly, the Chairman's written response
pointed to the recent OMB memorandum that required an additional 31
agencies to report to OMB on their Year 2000 progress in April 1998
and again in a year's time. However, this requirement does not
currently pertain to all critical governmental and quasi-governmental
agencies such as the U.S. Postal Service. The Chairman also stated
that agencies considered central to the success of Year 2000
readiness should report their progress to OMB more frequently but did
not state which agencies are considered central to the government's
Year 2000 readiness or how frequently these agencies will be required
to report their progress. The Chairman later told us that OMB is
considering expanding the list of reporting entities to include other
organizations. In addition, he stated that he and OMB will ask the
additional 31 agencies to report more frequently than annually if,
based on their April 1998 reports, it is apparent that there are
problems.
Since (1) all agencies which are critical to the nation's Year 2000
readiness should be monitored and (2) problems could surface at any
point in the Year 2000 remediation process, especially during the
latter testing and implementation phases, it is imperative that all
critical agencies be identified and be required to report to OMB
regularly and be included in OMB's governmentwide progress report.
Moreover, just because an agency is not experiencing problems in
April 1998 does not mean that it will not later encounter problems.
Therefore, it is important to continue monitoring the progress of
agencies which reported making adequate progress to ensure that such
progress continues.
The Chairman disagreed with our recommendation to require agencies,
as part of their quarterly reports, to cite their progress in
implementing systems intended to replace noncompliant systems. He
stated that the current requirement--under which agencies provide an
exception report to OMB on replacement systems that have fallen 2
months or more behind schedule--is an appropriate level of reporting.
The Chairman stated that OMB and the council will monitor this issue
closely to determine if more reporting is required in the future.
However, waiting until later is very risky, given the federal
government's poor record of delivering new systems capabilities when
promised, and the immutability of the Year 2000 milestone. Over
1,100 mission-critical systems--22 percent of the government's
noncompliant mission-critical systems--are due to be replaced. To
monitor their progress effectively, we believe that the President's
Council on Year 2000 Conversion, OMB, and the Congress need more
thorough reports, including information on whether the replacement
systems have been tested.
In reference to our recommendation related to consistent agency
reporting, the Chairman stated that the council will encourage OMB to
have agencies report on their progress consistent with the CIO
Council's best practice guide and our enterprise readiness guide.\44
In our March meeting, the Chairman stated that agencies should use
the criteria on the Year 2000 phases contained in our enterprise
readiness guide when completing their quarterly reports. He added
that OMB will likely encourage agencies to do so in its next
quarterly report guidance. If OMB requires agencies to use the
criteria set forth in our guide, this will satisfy our
recommendation.
With respect to our recommendation to require agencies to develop
contingency plans for core business processes and supporting systems,
the Chairman agreed that it is important to develop contingency plans
for all core business functions. He did not, however, believe that
agencies would be making the most efficient use of the time remaining
by developing contingency plans for every supporting system. We
clarified that we are not advocating the development of contingency
plans for individual mission-critical systems. Rather, contingency
plans should be developed for each core business process. A core
business process may rely on one or more mission-critical systems
which the contingency plan would address as part of its
identification and mitigation of potential system failures.
Moreover, those program managers responsible for core business
processes should take a leading role in developing business
continuity and contingency plans because they best understand their
business processes and how problems can be resolved. In this manner,
the business continuity and contingency planning activity generally
complements, rather than competes with, the agency's Year 2000
remediation activities. We revised our recommendation to clarify our
position.
In his written response, the Chairman did not specifically address
whether the council would require agencies to develop an independent
verification strategy. Instead, he agreed that independent
assessments of agencies' Year 2000 programs and their testing and
planning approaches are important, stating that the council will
examine how best to promote those assessments. The Chairman stated
that he would work with the President's Council on Integrity and
Efficiency to encourage inspectors general to play a role in this
area. In order to assure agencies, OMB, and the President's Council
on Year 2000 Conversion that their Year 2000 activities are
effective, agencies must develop independent verification strategies
which, in accordance with our recommendations, should be required by
the President's Council on Year 2000 Conversion. In a later meeting,
the Chairman stated that he and OMB will consider issuing more
explicit directions on independent verification to the agencies,
especially with regard to establishing standards for the type of
verification and evaluation desired.
To improve the effectiveness of the CIO Council's Year 2000
Committee, we recommended that the Chairman ensure that (1) agencies
participate in the committee and (2) the Committee's subcommittees
establish and publicize plans, milestones, and enforcement
mechanisms. Regarding the first recommendation, the Chairman stated
that in his meetings with agencies, he will continue to encourage
their awareness of, and participation in, the activities of the Year
2000 Committee. With respect to the second recommendation, he said
that he was satisfied that the committee is developing plans and
milestones for its work and that OMB and the President's Council on
Year 2000 Conversion will continue to consult with the Committee on
appropriate enforcement mechanisms. If the nation is to negotiate
the millennium change successfully, the Chairman needs to ensure that
the Year 2000 Committee and its subcommittees continue to play a
central role in addressing the federal government's Year 2000
problem. Without full participation of the agencies as well as
publicity of the subcommittees' plans, milestones, and enforcement
mechanisms, it is less likely that appropriate solutions to
governmentwide problems will be identified and effectively addressed.
Although the Chairman agreed that the President's Council on Year
2000 Conversion should view the Year 2000 problem as more than a
federal systems problem and should adopt a global perspective, he did
not address our recommendation to develop a comprehensive picture of
the nation's Year 2000 readiness, and he did not fully agree with our
recommendation to establish a national coordination structure using
private/public partnerships in appropriate sector-based forums. The
Chairman stated that he believed that the President's Council on Year
2000 Conversion needed to be a catalyst, facilitator, and
coordinator. He later told us that the council should only create
and directly manage new national forums for specific sectors of the
economy. He noted that to begin with, such partnerships would be
appropriate in the energy and telecommunications sectors. In
addition, the Chairman stated that the council can be effective by
enlisting and supporting an agency, such as the Department of Health
and Human Services, to coordinate an outreach approach to the health
care industry. These agencies would be empowered to determine the
appropriate measures the government should take to ensure progress in
these industries. Senior executives of these coordinating agencies
would be the agency's representatives on the council, which would
then monitor and coordinate the agency's outreach activities and help
ensure that there are not gaps in the coverage.
We believe that the President's Council on Year 2000 Conversion must
posture itself to be in an informed position to provide Year 2000
leadership for the nation as a whole. To provide such leadership,
the council must develop an approach to receive the best guidance
directly from the private sector and state and local government
bodies, in addition to views and perspectives garnered by federal
agency executives. Moreover, while the federal agencies should play
an important role in any Year 2000 assessment of our nation's key
economic sectors, they may not always be in the best position to
discharge responsibility for all outreach efforts in an economic
sector. First, the problems that agencies face in ensuring their own
Year 2000 compliance are daunting. Second, some sectors, such as
telecommunications, health, safety, and emergency services,
utilities, and manufacturing and small business have limited federal
government involvement. As a result, in some sectors, the leadership
role may be more appropriately placed in the private sector or state
and local government. To clarify our position, we have modified our
recommendation related to this issue.
In addition to the comments of the Chairman of the President's
Council on Year 2000 Conversion, OMB staff and the Chairwoman of the
CIO Council's Year 2000 Committee provided comments on the facts
presented in the report, and generally agreed with these facts. OMB
staff and the Chairwoman offered technical comments on selected
sections of the report, and we have incorporated their suggested
changes as appropriate.
--------------------
\42 Year 2000 Computing Crisis: Strong Leadership and Effective
Public/Private Cooperation Needed to Avoid Major Disruptions
(GAO/T-AIMD-98-101, March 18, 1998).
\43 GAO/AIMD-98-72, April 30, 1998.
\44 GAO/AIMD-10.1.14, September 1997.
---------------------------------------------------------- Letter :9.1
We are sending copies of this report to the Chairmen and Ranking
Minority Members of the Senate and House Committees on Appropriations
and the House Committee on Government Reform and Oversight; Ranking
Minority Member of the Subcommittee on Financial Services and
Technology, Senate Committee on Banking, Housing and Urban Affairs;
the Chairman of the President's Council on Year 2000 Conversion; and
Director of the Office of Management and Budget. Copies will also be
made available to others upon request.
Please contact me at (202) 512-2600 or Joel Willemssen, Director,
Civil Agencies Information Systems, at (202) 512-6408, if you or your
staff have any questions concerning this report. We can also be
reached by e-mail at [email protected] and
[email protected], respectively.
Gene L. Dodaro
Assistant Comptroller General
Requesters
The Honorable Trent Lott
Majority Leader
United States Senate
The Honorable Robert F. Bennett
Chairman, Subcommittee on Financial
Services and Technology
Committee on Banking, Housing, and
Urban Affairs
United States Senate
The Honorable Fred Thompson
Chairman
The Honorable John Glenn
Ranking Minority Member
Committee on Governmental Affairs
United States Senate
The Honorable Richard G. Lugar
Chairman, Committee on Agriculture,
Nutrition and Forestry
United States Senate
The Honorable Stephen Horn
Chairman
The Honorable Dennis J. Kucinich
Ranking Minority Member
Subcommittee on Government Management,
Information and Technology
Committee on Government Reform and Oversight
House of Representatives
The Honorable Constance A. Morella
Chairwoman
The Honorable James A. Barcia
Ranking Minority Member
Subcommittee on Technology
Committee on Science
House of Representatives
The Honorable James J. Leach
Chairman
The Honorable John J. LaFalce
Ranking Minority Member
Committee on Banking and
Financial Services
House of Representatives
SCOPE AND METHODOLOGY
=========================================================== Appendix I
To describe the Year 2000 risks facing the government and the nation,
we relied on the work that we have performed in the Year 2000 area
over the past 2 years that has encompassed evaluating and reporting
on the progress of several individual agencies. (See Related GAO
Products at the end of this report for a complete list of all our
Year 2000 reports and testimonies.) In addition, we reviewed and
assessed major departments and agencies' quarterly reports as well as
OMB's governmentwide reports. We also researched information on
private-sector and international activity related to the Year 2000
problem through the Internet and other sources. We did not
independently assess the reliability of the information provided by
these sources. We also discussed the Year 2000 issue with leading
experts in certain key economic sectors and, where available,
obtained and reviewed reports by state and foreign audit
organizations.
To describe the evolution of the federal government's Year 2000
strategy and identify additional actions that can be taken to prepare
the nation for the Year 2000, we evaluated the Year 2000 efforts of
OMB and of the CIO Council, including reviewing OMB's quarterly
reports and other documents. We also reviewed the February 4, 1998,
executive order establishing the President's Council on Year 2000
Conversion and met with the Chairman of this council. In addition,
we interviewed officials from OMB and attended meetings of the CIO
Council's Year 2000 Committee and its subcommittees. We also
reviewed the President's Commission on Critical Infrastructure
Protection's October 1997 report.
We conducted our review from December 1997 through March 1998. We
performed this review in accordance with generally accepted
government auditing standards. We also provided a draft of this
report for comment to the Chairman of the President's Council on Year
2000 Conversion, OMB staff, and the Chairwoman of the CIO Council's
Year 2000 Committee, and incorporated their comments as appropriate.
Their comments are discussed in the "Agency Comment and Our
Evaluation" section.
(See figure in printed edition.)Appendix II
COMMENTS FROM THE CHAIRMAN OF THE
PRESIDENT'S COUNCIL ON YEAR 2000
CONVERSION
=========================================================== Appendix I
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
(See figure in printed edition.)
The following are GAO's supplemental comments on the Chairman of the
President's Council on Year 2000 Conversion's letter of March 23,
1998. Additional comments are contained in the "Agency Comments and
Our Evaluation" section.
GAO COMMENTS
1. Report revised to reflect modified recommendation.
2. Report revised to reflect modified recommendation.
3. The report was revised to reflect that the CIO Council's
Subcommittee on the Year 2000 was renamed the Committee on Year 2000.
The Committee on Year 2000 now has subcommittees rather than
subgroups.
4. Report revised to reflect modified recommendations
5. The testimony of the Chairman of the President's Council on Year
2000 was not reprinted. It is available upon request.
RELATED GAO PRODUCTS
Defense Computers: Year 2000 Computer Problems Threaten DOD
Operations (GAO/AIMD-98-72, April 30, 1998).
Year 2000 Computing Crisis: Federal Regulatory Efforts to Ensure
Financial Institution Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-116, March 24, 1998).
Year 2000 Computing Crisis: Strong Leadership Needed to Avoid
Disruption of Essential Services (GAO/T-AIMD-98-117, March 24, 1998).
Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19, Exposure Draft, March 1998).
Year 2000 Computing Crisis: Office of Thrift Supervision's Efforts
to Ensure Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102,
March 18, 1998).
Year 2000 Computing Crisis: Strong Leadership and Effective
Public/Private Cooperation Needed to Avoid Major Disruptions
(GAO/T-AIMD-98-101, March 18, 1998).
Post-Hearing Questions on the Federal Deposit Insurance Corporation's
Year 2000 (Y2K) Preparedness (GAO/AIMD-98-108R, March 18, 1998).
SEC Year 2000 Report: Future Reports Could Provide More Detailed
Information (GAO/GGD/AIMD-98-51, March 6, 1998).
Year 2000 Readiness: NRC's Proposed Approach Regarding Nuclear
Powerplants (GAO/AIMD-98-90R, March 6, 1998).
Year 2000 Computing Crisis: Federal Deposit Insurance Corporation's
Efforts to Ensure Bank Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-73, February 10, 1998).
Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent Systems
Failures (GAO/T-AIMD-98-63, February 4, 1998).
FAA Computer Systems: Limited Progress on Year 2000 Issue Increases
Risk Dramatically (GAO/AIMD-98-45, January 30, 1998).
Defense Computers: Air Force Needs to Strengthen Year 2000 Oversight
(GAO/AIMD-98-35, January 16, 1998).
Year 2000 Computing Crisis: Actions Needed to Address Credit Union
Systems' Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998).
Veterans Health Administration Facility Systems: Some Progress Made
In Ensuring Year 2000 Compliance, But Challenges Remain
(GAO/AIMD-98-31R, November 7, 1997).
Year 2000 Computing Crisis: National Credit Union Administration's
Efforts to Ensure Credit Union Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-20, October 22, 1997).
Social Security Administration: Significant Progress Made in Year
2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997).
Defense Computers: Technical Support Is Key to Naval Supply Year
2000 Success (GAO/AIMD-98-7R, October 21, 1997).
Defense Computers: LSSC Needs to Confront Significant Year 2000
Issues (GAO/AIMD-97-149, September 26, 1997).
Veterans Affairs Computer Systems: Action Underway Yet Much Work
Remains To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174, September 25,
1997).
Year 2000 Computing Crisis: Success Depends Upon Strong Management
and Structured Approach, (GAO/T-AIMD-97-173, September 25, 1997).
Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14,
September 1997).
Defense Computers: SSG Needs to Sustain Year 2000 Progress
(GAO/AIMD-97-120R, August 19, 1997).
Defense Computers: Improvements to DOD Systems Inventory Needed for
Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997).
Defense Computers: Issues Confronting DLA in Addressing Year 2000
Problems (GAO/AIMD-97-106, August 12, 1997).
Defense Computers: DFAS Faces Challenges in Solving the Year 2000
Problem (GAO/AIMD-97-117, August 11, 1997).
Year 2000 Computing Crisis: Time is Running Out for Federal Agencies
to Prepare for the New Millennium (GAO/T-AIMD-97-129, July 10, 1997).
Veterans Benefits Computer Systems: Uninterrupted Delivery of
Benefits Depends on Timely Correction of Year-2000 Problems
(GAO/T-AIMD-97-114, June 26, 1997).
Veterans Benefits Computers Systems: Risks of VBA's Year-2000
Efforts (GAO/AIMD-97-79, May 30, 1997).
Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16,
1997).
Medicare Transaction System: Serious Managerial and Technical
Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997).
Year 2000 Computing Crisis: Risk of Serious Disruption to Essential
Government Functions Calls for Agency Action Now (GAO/T-AIMD-97-52,
February 27, 1997).
Year 2000 Computing Crisis: Strong Leadership Today Needed To
Prevent Future Disruption of Government Services (GAO/T-AIMD-97-51,
February 24, 1997).
High Risk Series: Information Management and Technology
(GAO/HR-97-9, February 1997).
*** End of document. ***