Year 2000 Computing Crisis: Status of Bureau of Prisons' Year 2000
Efforts (Letter Report, 01/27/99, GAO/AIMD-99-23).
The Bureau of Prisons depends on an information technology
system--SENTRY--to carry out one of its most critical
responsibilities--managing and tracking inmates. Among other things,
SENTRY monitors prisoners, computes inmate sentences, documents work
assignments, and tracks disciplinary actions. The Bureau also uses more
than 2,000 individual non-information technology systems, which rely on
embedded computers, for other vital functions, from video surveillance
and perimeter detection systems to telephone switches and boiler
controls. This report assesses how well the Bureau has managed its
program to make these systems Year 2000 compliant. GAO discusses (1) the
status of the Bureau's Year 2000 program and (2) recent steps the Bureau
has taken to strengthen its management of the program and improve Year
2000 assistance to state and local governments.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-99-23
TITLE: Year 2000 Computing Crisis: Status of Bureau of Prisons'
Year 2000 Efforts
DATE: 01/27/99
SUBJECT: Y2K
Correctional facilities
Computer security
Computer software verification and validation
Federal/state relations
Systems conversions
Information systems
Information resources management
IDENTIFIER: BOP Year 2000 Program
BOP SENTRY System
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. This text was extracted from a PDF file. **
** Delineations within the text indicating chapter titles, **
** headings, and bullets have not been preserved, and in some **
** cases heading text has been incorrectly merged into **
** body text in the adjacent column. Graphic images have **
** not been reproduced, but figure captions are included. **
** Tables are included, but column deliniations have not been **
** preserved. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
FrtCover.book GAO United States General Accounting Office
Report to the Honorable Trent Lott, U. S. Senate
January 1999 YEAR 2000 COMPUTING CRISIS
Status of Bureau of Prisons' Year 2000 Efforts
GAO/AIMD-99-23
GAO/AIMD-99-23
United States General Accounting Office Washington, D. C. 20548
Lett er
Page 1 GAO/AIMD-99-23 Bureau of Prisons' Year 2000 Efforts
GAO
Accounting and Information Management Division Lett er
B-280106 January 27, 1999 The Honorable Trent Lott United States
Senate
Dear Senator Lott: This letter responds to your request that we
assess how well the Bureau of Prisons (BOP), an agency of the
Department of Justice (DOJ), is managing its Year 2000 program. 1
This letter summarizes (1) the status of the Bureau's Year 2000
program and (2) recent actions it has taken to strengthen its
management of the program and improve Year 2000
assistance to state and local government institutions. On
September 10, 1998, we briefed your office on the status of BOP's
Year 2000 program. This letter updates the information that we
provided during the briefing.
Results in Brief BOP has assessed, tested, and implemented its
only mission- critical information technology (IT) system and
reports that it is Year 2000 compliant. In addition, BOP reports
that it has assessed, renovated/ replaced, and implemented 94
percent of its 2,021 mission- critical non- IT systems. 2 For
those that are not yet implemented, BOP plans to do so by
March 1999. During the course of our review, BOP has acted to
strengthen its Year 2000 program management, including (1)
defining its Year 2000 program structure and developing a Year
2000 conversion plan, (2) expanding its
Year 2000 program scope to include its 250 contract facilities,
(3) tracking the status of workstation testing and non- IT
assessments, (4) hiring a contractor to validate the vendors' Year
2000 compliance certifications for non- IT systems, and (5)
directing all offices, including contract facilities,
and institutions to review, revise as necessary, and test their
emergency preparedness plans for consideration of the threat of
external 1 For the past several decades, computer systems have
typically used two digits to represent the year, such as 98 for
1998, in order to conserve electronic space and reduce operating
costs. In this format, however, 2000 is indistinguishable from
1900 because both are represented as 00. As a result, if not
modified, computer systems or applications that use dates or
perform date- or time- sensitive calculations may generate
incorrect results beyond 1999.
2 Non- IT systems include facilities' equipment (e. g., elevators)
and security systems manufactured by multiple vendors.
B-280106 Page 2 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
infrastructure (for example, telecommunications and utilities) and
internal system failures. However, BOP's outreach efforts to the
state and local corrections community have not been proactive.
During the course of our review, BOP updated the BOP and National
Institute of Corrections (NIC) 3 Internet sites to provide links
to government and private sector Year 2000 sites and identify BOP
and NIC points of contact. However, this requires that state and
local corrections officials come to BOP to obtain the information.
BOP agreed with our recommendation that it could be more effective
in promoting awareness and providing assistance by proactively
identifying state and local organizations needing assistance and
sharing experiences
and lessons learned. Background BOP's mission is to protect
society by confining offenders in the controlled
environments of prisons and community- based facilities that are
safe, humane, and appropriately secure. BOP is managed from a
national office that provides long- range planning and policy
formulation, and six regional offices that provide technical
support and on- site assistance to (1) 94
institutions, one of which is privately managed, and (2) over 250
contract facilities, which are owned and operated by contractors,
and include primarily community- based halfway houses, as well as
some state and local jails. BOP's only mission- critical IT
system, SENTRY, manages and tracks
inmates, including monitoring inmate population, computing inmate
sentences, documenting work assignments, and tracking disciplinary
actions and institution designations. SENTRY applications were
designed to process eight- digit dates, including a four- digit
year, and currently process dates using a single subroutine,
called DATETIME. SENTRY applications run in real time on a
mainframe computer operated by DOJ and are accessed by about 200
DOJ and BOP facilities through a network of about 11, 000 personal
computers with 3270 emulation 4 communicating through BOP's
Washington, D. C., network control center. The network
3 The National Institute of Corrections is an agency within BOP
that provides training, technical assistance, information
services, and policy/ program development assistance to federal,
state, and local corrections agencies. 4 A program that enables a
microcomputer to appear to be a mainframe terminal by using the
procedures and codes expected by the mainframe.
B-280106 Page 3 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
communication links are provided by Sprint (FTS 2000 carrier) 5
and the local exchange carriers. BOP reports that SENTRY processes
more than one million transactions each day and provides data
files to a number of external organizations, including the U. S.
Pardon Attorney, U. S. Marshals Service, Federal Bureau of
Investigation, and U. S. Parole Commission. In addition to SENTRY,
BOP has eight categories of mission- critical non- IT systems,
consisting of 2,021 individual systems that rely on embedded
computers. 6 These systems are critical to maintaining the
security of its institutions, as well as ensuring continued
operations of normal business functions. These eight categories of
non- IT systems are security systems, video surveillance systems,
perimeter detection systems, fire alarm systems, boiler controls
and energy management systems, elevators, telephone switches, and
radio systems. Objectives, Scope, and
Methodology In assessing actions taken by BOP to address the Year
2000 problem, our objective was to assess how well BOP is managing
its Year 2000 program. To satisfy this objective, we reviewed and
analyzed key BOP documents,
including (1) its Year 2000 guidance and Program Plan, (2)
network, software, and non- IT inventory databases, (3) SENTRY
test plan and results, (4) BOP quarterly reports, and (5) relevant
correspondence to BOP
regions and institutions, contractors, and product vendors. We
also reviewed Office of Management and Budget and DOJ Year 2000
guidance. We used GAO's Year 2000 guidance to assess BOP's
management of its programs. 7 To supplement our analyses, we
interviewed the BOP Year 2000 program manager and project team
members. We also interviewed representatives from the Community
Corrections and Detention Division, Federal Prison
Industries, Health Services Division, and the Office of Emergency
5 The Federal Telecommunications System 2000 currently provides
intercity telecommunications services for federal government
agencies. 6 Embedded computers are special- purpose computers
built into other devices. 7 Year 2000 Computing Crisis: An
Assessment Guide (GAO/ AIMD- 10.1.14, issued as an exposure draft
in February 1997; issued in final in September 1997); Year 2000
Computing Crisis: Business Continuity and Contingency Planning
(GAO/ AIMD- 10.1.19, issued as an exposure draft in February 1998;
issued in final in August 1998); and Year 2000 Computing Crisis: A
Testing Guide (GAO/ AIMD- 10.1.21, issued as an exposure draft in
June 1998; issued in final in November 1998).
B-280106 Page 4 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
Preparedness. We interviewed representatives from two BOP
institutions, including the Year 2000 Program manager, security
officers, facilities managers, IT managers, and the Emergency
Preparedness Manager. We did
not verify the Year 2000 status information provided by BOP. We
performed our work at BOP headquarters in Washington, D. C., and
at two BOP correctional facilities in Florence, Colorado, and
Taft, California. 8 Our work was performed from May 1998 through
January 1999, in accordance with generally accepted government
auditing standards. We requested comments from the Director of BOP
or her designee. On
December 3, 1998, we obtained oral comments from BOP officials,
including the Year 2000 Program Manager. Their comments are
discussed in the "Agency Comments and Our Evaluation" section of
this report.
Status of BOP's Efforts for Mission- Critical Systems
BOP has assessed, tested, and implemented its only mission-
critical IT system, and reports that it is Year 2000 compliant. In
addition, BOP reports that it has assessed, renovated/ replaced,
and implemented 94 percent of its mission- critical non- IT
systems. BOP plans to implement the remaining 6 percent by March
1999.
Status of Mission- Critical IT Systems
SENTRY consists of (1) software applications, (2) mainframe
hardware and systems software, (3) workstations, (4)
telecommunications hardware and software, and (5) leased
telecommunications lines. According to BOP officials, all SENTRY
system components have been assessed for Year 2000 compliance. BOP
tested the SENTRY system for correct processing of critical Year
2000 dates, and certified that, except for four percent of the 11,
189 SENTRY workstations, it is compliant. BOP plans to replace the
noncompliant workstations by March 1999. According to BOP
officials, however, this four percent will not affect the
operation of SENTRY. BOP's certification of SENTRY has not yet
been independently verified and
validated, but BOP is working with a DOJ independent verification
and validation (IV& V) contractor to review and validate BOP's
test activities. In addition, BOP contacted its telecommunications
provider to determine its Year 2000 compliance, and according to
BOP officials, it was told that the 8 We selected these two
facilities because Florence is one of the newest maximum- security
institutions,
and Taft is the only BOP- owned institution that is run by a
private correctional management organization.
B-280106 Page 5 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
provider's service delivery business area would be Year 2000
compliant by June 1999.
Status of Mission- Critical Non- IT Systems
As of January 1999, BOP reported that 94 percent of its 2, 021
missioncritical non- IT systems were Year 2000 compliant, 4
percent were scheduled to be repaired or replaced, and 2 percent
were still being assessed. BOP plans to complete all conversion
activities by March 1999.
For example, because BOP depends on vendors to provide the
information to complete its assessment activities, it has
specified in its plans (1) trigger dates beyond which BOP can no
longer wait for vendor information and (2) potential alternative
courses of action, such as replacing the systems.
As of January 1999, BOP reported the following status of its eight
categories of mission- critical non- IT systems: Of 106 security
systems, 72 were reported to be Year 2000 compliant; 15 are still
being assessed and 19 are scheduled to be repaired by March
1999. All 811 surveillance equipment systems were reported to be
Year 2000
compliant. All 96 perimeter detection systems were reported to be
Year 2000
compliant. Of 274 fire alarm systems, 269 were reported to be
Year 2000 compliant;
the 5 noncompliant systems are scheduled to repaired or replaced
by March 1999. Of 443 boiler control and energy management
systems, 394 were
reported to be Year 2000 compliant and the remaining 49 are
scheduled to be repaired by March 1999. All 109 elevator systems
were reported to be Year 2000 compliant. All 94 BOP- owned
telephone switches were reported to be Year 2000 compliant.
Of 88 radio systems, 49 were reported to be Year 2000 compliant;
19 are still being assessed and 20 are scheduled to be repaired by
March 1999. BOP is working with a contractor to independently
validate the vendors' Year 2000 compliance certifications for non-
IT systems. In addition to validating compliance, the contractor
also is to assess the completeness of the non- IT system
inventories at several institutions.
B-280106 Page 6 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
Recent BOP Actions to Strengthen Year 2000 Program Management
During the course of our review, we identified several program
management weaknesses and discussed each with BOP officials. BOP
officials responded quickly to our concerns by initiating the
following actions to strengthen its Year 2000 program management:
defined its Year 2000 program structure, including organizational
roles and responsibilities, and developed a Year 2000 conversion
plan; expanded its Year 2000 program scope to include its 250
contract
facilities; developed a Year 2000 test plan and procedures for
the SENTRY system that included testing for correct processing of
critical Year 2000 dates;
implemented methods to track the status and results of SENTRY
workstation testing and non- IT systems assessments and renovation
efforts; and hired a contractor to validate vendors' Year 2000
compliance
certifications of its non- IT systems and assess the accuracy of
its non- IT system inventories.
Further, since we briefed your office and BOP officials in
September 1998 on the need to strengthen contingency planning for
continuity of operations, the Program Manager has directed all
offices, including its contract facilities, and institutions to
(1) review and analyze their emergency preparedness plans for
consideration of the threat of external infrastructure (for
example, telecommunications and utilities) and internal system
failures, (2) revise the emergency plans as necessary by March 1,
1999, to address Year 2000 contingencies, and (3) test the revised
plans
prior to April 5, 1999. In addition, the BOP Year 2000 Program
Manager tasked each regional director with designating a liaison
to coordinate the analysis, revision, and testing of institution
and regional contingency plans, and report monthly on the status
of achieving the enhancement and testing milestones.
BOP Needs to Proactively Reach Out to the State and Local
Correctional Community
In June 1998, the Chairman of the President's Council on Year 2000
Conversion tasked federal agencies with coordinating outreach
efforts with their counterparts in state and local governments and
the private sector.
According to the Chairman, such outreach efforts could expedite
the year 2000 efforts of late starting nonfederal organizations.
In September 1998, we briefed BOP officials on the need to
strengthen its outreach efforts. Subsequently, BOP issued its
Federal Bureau of Prisons'
B-280106 Page 7 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
Year 2000 (Y2K) Outreach Plan to State and Local Corrections
Organizations. As part of its outreach effort, BOP updated the BOP
and National Institute of Corrections (NIC) internet sites to (1)
provide links to government and private sector sites where Year
2000 information is available and (2) identify a BOP and NIC point
of contact for those who may need specific guidance on Year 2000
issues germane to the corrections environment. While these actions
represent a start towards reaching out to the state and
local corrections community, they require that state and local
corrections officials come to BOP to obtain the information. BOP
could be more effective in promoting awareness and providing
assistance by proactively identifying state and local
organizations needing assistance and sharing experiences and
lessons learned. One way to reach state and local organizations is
to use established networks, such as the National Sheriff's
Association and the National Association of Chiefs of Police.
Conclusions Given BOP's progress to date, and its plans for
completing remaining Year 2000 activities, the risk that BOP will
not complete remaining renovation,
validation, and implementation activities by January 1, 2000,
currently appears low. Further, while BOP has initiated some
actions to reach state and local corrections officials, its
actions may not allow these officials to fully benefit from BOP
experiences and lessons learned.
Recommendation To promote awareness and provide assistance to the
state and local corrections community, we recommend that the
Director, Bureau of Prisons, direct the Year 2000 Program Manager
to proactively identify organizations needing assistance and share
BOP experiences and lessons learned. This could be done through
established networks, such as the National Sheriff's Association
and the National Association of Chiefs of Police.
Agency Comments and Our Evaluation
BOP officials, including the Year 2000 Program, agreed with our
conclusions and recommendations. The BOP Program Manager stated
that he recognizes the limitations of BOP's existing outreach
efforts and stated that BOP will actively identify organizations
needing assistance and share BOP's lessons learned and relevant
Year 2000 guidance.
B-280106 Page 8 GAO/AIMD-99-23 Bureau of Prisons' Year 2000
Efforts
BOP officials also provided updated information on the status of
its Year 2000 efforts. We have incorporated the updated
information in the report where appropriate. We are making copies
of this letter available to the Chairmen and Ranking Minority
Members of the House Committee on Government Reform and Oversight,
Subcommittee on Government Management, Information, and Technology
and the Senate Special Committee on the Year 2000 Technology
Problem; the Director of the Office of Management and Budget; the
Attorney General; the Director of the Bureau of Prisons; and other
interested parties. We will also make copies available to others
on request.
If you have any questions about this report, please contact me at
(202) 512- 6240 or, by e- mail, at brockj. aimd@ gao. gov.
Sincerely yours, Jack L. Brock, Jr. Director, Governmentwide and
Defense Information Systems
Page 9 GAO/AIMD-99-23 Bureau of Prisons' Year 2000 Efforts
Appendix I Major Contributors to This Report Appendi x I
Accounting and Information Management Division, Washington, D. C.
Dr. Rona B. Stillman, Chief Scientist for Computers and
Telecommunications Randolph C. Hite, Associate Director Deborah A.
Davis, Assistant Director
Chicago Field Office Sanford F. Reigle, Information Systems
Analyst Phillip E. Rutar, Information Systems Analyst
(511121) Let t er
Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.
Orders by mail: U. S. General Accounting Office P. O. Box 37050
Washington, DC 20013
or visit: Room 1100 700 4 th St. NW (corner of 4 th and G Sts. NW)
U. S. General Accounting Office Washington, DC
Orders may also be placed by calling (202) 512- 6000 or by using
fax number (202) 512- 6061, or TDD (202) 512- 2537.
Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512- 6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.
For information on how to access GAO reports on the INTERNET, send
an e- mail message with info in the body to: info@ www. gao. gov
or visit GAO's World Wide Web Home Page at: http:// www. gao. gov
United States General Accounting Office Washington, D. C. 20548-
0001
Official Business Penalty for Private Use $300
Address Correction Requested Bulk Rate
Postage & Fees Paid GAO Permit No. GI00
*** End of document. ***