Year 2000 Computing Challenge: Federal Business Continuity and
Contingency Plans and Day One Strategies (Testimony, 10/29/1999,
GAO/T-AIMD-00-40).

Pursuant to a congressional request, GAO discussed the status of
agencies' business continuity and contingency plans and Day One
strategies, focusing on the: (1) state of the government's business
continuity and contingency planning; and (2) status of Day One
strategies.

GAO noted that: (1) although more work remains, agency business
continuity and contingency planning has evolved and improved since 1998;
(2) in March 1998, GAO testified that several agencies reported that
they planned to develop contingency plans only if they fell behind
schedule in completing their year 2000 fixes; (3) in June 1998, GAO
testified that only four agencies had reported that they had drafted
contingency plans for their core business functions; (4) by contrast, in
January 1999, GAO testified that many agencies had reported that they
had completed or were drafting business continuity and contingency plans
while others were in the early stages of such planning; (5) finally, as
GAO testified in August, according to an Office of Management and Budget
(OMB) official, all of the major departments and agencies had submitted
high-level business continuity and contingency plans in response to
OMB's May 13, 1999, memorandum; (6) with respect to OMB's latest request
for high-level plans, the 24 major departments and agencies and the U.S.
Postal Service have submitted updated business continuity and
contingency plans; (7) while OMB's May 1999 memorandum directed agencies
to describe their overall strategies and processes for ensuring the
readiness of key programs and functions across the agency, it did not
detail the format or reporting elements that the agencies were to
follow; (8) accordingly, the plans vary considerably in terms of format
and level of detail; (9) Day One strategies are necessary to reduce the
risk to facilities, systems, programs, and services during the weekend
of the critical rollover period; (10) in its September 1999 quarterly
report, OMB required agencies to submit Day One strategies by October
15; (11) GAO's review of the agency strategies found that about 40
percent (9 of 23) addressed all seven elements required by OMB; (12) with
respect
to specific elements, GAO was able to identify 15 agencies that included
a schedule of activities and 17 that addressed staffing issues; (13) an
important part of Day One planning is ensuring that the Day One strategy
is executable; and (14) GAO's Day One strategy review found that 19
agencies discussed rehearsing their strategies, although some did not
provide specific dates of planned or completed rehearsals.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-40
     TITLE:  Year 2000 Computing Challenge: Federal Business Continuity
	     and Contingency Plans and Day One Strategies
      DATE:  10/29/1999
   SUBJECT:  Y2K
	     Computer software verification and validation
	     Reporting requirements
	     Systems conversions
	     Strategic information systems planning
	     Emergency preparedness
	     Information resources management
IDENTIFIER:  Medicaid Program
	     Unemployment Insurance Program
	     Y2K


Before the Subcommittee on Government Management, Information and
Technology, Committee on Government Reform, and the Subcommittee on
Technology, Committee on Science, House of Representatives

For Release on Delivery
Expected at
10 a.m.
Friday,
October 29, 1999

YEAR 2000 COMPUTING CHALLENGE

Federal Business Continuity and Contingency Plans and Day One Strategies

Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division

GAO/T-AIMD-00-40

Mr. Chairman, Ms. Chairwoman, and Members of the Subcommittees:

Thank you for inviting us to participate in today's hearing on the status
of agencies' business continuity and contingency plans and Day One
strategies. The public faces the risk that critical services provided by
the government and the private sector could be disrupted by the Year 2000
computing problem. Financial transactions could be delayed, flights
grounded, power lost, and national defense affected. Moreover, America's
infrastructures are a complex array of public and private enterprises with
many interdependencies at all levels. These many interdependencies among
governments and within key economic sectors could cause a single failure
to have adverse repercussions in other sectors.

The risk to government operations due to these many potential points of
failure can be mitigated by the development of effective business
continuity and contingency plans. In addition, Day One strategies--
developed either as part of business continuity and contingency plans or
separately--can help agencies manage the risks of the rollover period
during late December 1999 and early January 2000.

As requested, after a brief background discussion, today I will (1)
discuss the state of the government's business continuity and contingency
planning and (2) describe the status of Day One strategies.

Background

Because of its urgent nature and the potentially devastating impact it
could have on critical government operations, in February 1997 we
designated the Year 2000 problem a high-risk area for the federal
government./Footnote1/ We have also issued guidance to help organizations
successfully address the issue./Footnote2/ Two of our publications--on
business continuity and contingency planning and on Day One planning and
operations--provide guidance on the subject of this hearing.

Our business continuity and contingency guide describes the tasks needed
to ensure the continuity of agency operations in the event of Year 2000-
induced disruptions. The Day One guide provides a conceptual framework for
developing a Day One strategy and reducing the risk of adverse Year 2000
impact on agency operations during late December 1999 and early January
2000.

Business continuity and contingency plans are essential. Without such
plans, when failures occur, agencies will not have well-defined responses
and may not have enough time to develop and test alternatives. Federal
agencies depend on data provided by their business partners as well as on
services provided by the public infrastructure (e.g., power, water,
transportation, and voice and data telecommunications). One weak link
anywhere in the chain of critical dependencies can cause major disruptions
to business operations. Given these interdependencies, it is imperative
that contingency plans be developed for all critical core business
processes and supporting systems, regardless of whether these systems are
owned by the agency. Accordingly, in April 1998 we recommended that the
President's Council on Year 2000 Conversion require agencies to develop
contingency plans for all critical core business processes./Footnote3/

Since 1998, the federal government has improved its approach to business
continuity and contingency planning. The Office of Management and Budget
(OMB) has clarified its contingency plan instructions and, along with the
Chief Information Officers Council, has adopted our business continuity
and contingency planning guide for federal use. In addition, on January
26, 1999, OMB called on federal agencies to identify and report on the
high-level core business functions that are to be addressed in their
business continuity and contingency plans, as well as to provide key
milestones for development and testing of such plans in their February
1999 quarterly reports. In addition, on May 13, OMB required agencies to
submit high-level versions of these plans by June 15. 

As noted in our business continuity and contingency planning guide, a key
element of such a plan is the development of a zero day or Day One risk
reduction strategy. In testimony on January 20, 1999, we noted that the
Social Security Administration had developed a Day One strategy and
suggested that OMB consider requiring other agencies to develop such a
plan./Footnote4/ In its September 1999 quarterly report, OMB subsequently
required agencies to submit Day One strategies to OMB by October 15, 1999,
as well as updated high-level business continuity and contingency plans.

While Work Remains, Agency Business Continuity and Contingency Planning
Has Improved 

Although more work remains, agency business continuity and contingency
planning has evolved and improved since 1998. In March 1998, we testified
that several agencies reported that they planned to develop contingency
plans only if they fell behind schedule in completing their Year 2000
fixes./Footnote5/ In June 1998, we testified that only four agencies had
reported that they had drafted contingency plans for their core business
functions./Footnote6/ By contrast, in January 1999, we testified that many
agencies had reported that they had completed or were drafting business
continuity and contingency plans while others were in the early stages of
such planning./Footnote7/ Finally, as we testified in August, according to
an OMB official, all of the major departments and agencies had submitted
high-level business continuity and contingency plans in response to OMB's
May 13, 1999, memorandum./Footnote8/

With respect to OMB's latest request for high-level plans, the 24 major
departments and agencies and the U.S. Postal Service/Footnote9/ have
submitted updated business continuity and contingency plans. However,
while the Department of the Treasury and the General Services
Administration reported that they had provided their plans to OMB, we did
not receive these plans in time to include them in our analysis and,
therefore, we analyzed 23 submissions.

While OMB's May 1999 memorandum directed agencies to describe their
overall strategies and processes for ensuring the readiness of key
programs and functions across the agency, it did not detail the format or
reporting elements that the agencies were to follow. Accordingly, the
plans vary considerably in terms of format and level of detail. Some
agencies, such as the Departments of Justice and Labor, described their
general approach or strategy while others, such as the Departments of
Education and Transportation, provided program or component agency
specific plans that contained more detailed information. As an example of
the first type of plan, the Social Security Administration's high-level
plan identified broad areas of risk and general mitigation strategies and
contingencies. However, as we testified in July,/Footnote10/ the Social
Security Administration has also completed local contingency plans to
support its core business operations, and has obtained contingency plans
for all state disability determination services as well as developed, in
conjunction with the Department of the Treasury and the Federal Reserve, a
Benefits Payment Delivery Y2K Contingency Plan. In contrast, the
Department of Education provided OMB with its detailed contingency plans
for its core business processes and their supporting systems.

In their high-level plans, some agencies provided details of the types of
contingencies that could be implemented in the event of a Year 2000-
induced failure. For example:

o The Social Security Administration described the risk that its field
  offices would be unable to issue certain types of payments due to Year
  2000-related problems with automated support. In this event, the Social
  Security Administration stated that it would coordinate with the
  Department of the Treasury to address the problem. Further, in the
  event that it is known by December 1999 that enterprises such as local
  banks and/or the Postal Service were not ready to make delivery of
  payments in early January, the Social Security Administration stated
  that it would consider plans to issue payments early.

o The Department of Education described the risk of a registration system
  failure at a school that prevents it from determining the title IV
  (student financial aid)/Footnote11/ eligibility of its students.
  Education's risk mitigation/contingency activity if this occurs is
  threefold. First, Education stated that it will encourage schools to
  take steps to obtain registration and preregistration information
  before January 2000 for students beginning or continuing classes after
  January 1. Second, Education stated that it will encourage schools to
  develop other processes, including manual processes, for determining
  the enrollment status and eligibility of students who begin classes
  after January 1, 2000. Third, for students enrolled or preregistered in
  fall 1999 classes, Education will allow schools to package aid and
  credit students' accounts using fall 1999 enrollment or preregistration
  information, but not to disburse funds directly to students or parents.
  After the system is repaired, funds will have to be returned for any
  student who was ineligible. To implement these contingencies, Education
  stated that it would not enforce certain requirements and provided
  directions that a school is to follow (e.g., if a school makes a short-
  term loan to a student in lieu of paying a credit balance, the school
  may not charge the student interest on that loan). 

o The Department of Veterans Affairs' Veterans Health Administration's
  contingency planning guidebook provides sample templates to be used as
  guides or models by its health care facilities. For example, to prepare
  for the potential problem that a facility would be unable to provide
  water in its inpatient wards for patients' needs and staff infection
  control, the facility could prepare locations for bottled water and
  stock waterless soaps. In the event that a failure actually occurred
  and action was needed, an assessment of the situation could be reported
  to a facility's command center, and bottled water centers established
  with control mechanisms.

All of the high-level plans in our review identified core business
processes, as called for in our guide. For example, the Department of
Labor identified and described seven core business functions: (1) benefits
programs, (2) national employment and/or economic conditions tracking, (3)
job training programs and employment assistance, (4) workers' benefits,
(5) worker safety and health policy and oversight, (6) labor and
employment policy and oversight, and (7) program support.

A key aspect of business continuity and contingency planning is
validation, which evaluates whether individual contingency plans are
capable of providing the needed level of support to the agency's core
business processes and whether the plan can be implemented within a
specified period of time. In instances in which a full-scale test may not
be feasible, the agency may consider end-to-end testing of key plan
components. Moreover, an independent review of the plan can validate the
soundness of the proposed contingency strategy. We were able to identify
20 agencies that discussed their validation strategies in their high-level
plan. These strategies encompassed a range of activities, including
reviews, desktop exercises, simulations, and/or quality assurance audits. 

In addition to reviewing high-level plans, we have assessed and reported
on the business continuity and contingency planning of several agencies or
their component entities and have found uneven progress. Some had
instituted key processes while others had not completed key tasks. For
example:

o As we reported on October 22, the Department of Justice's Federal
  Bureau of Investigation had made progress in its Year 2000 business
  continuity planning./Footnote12/ However, because Justice had not
  explicitly required and emphasized the importance of business
  continuity plans, the bureau had started late in undertaking its
  planning effort and was faced with a compressed time frame for testing
  and finalizing its plans. In addition, as of August 1999, the bureau
  did not have many of the management controls and processes needed to
  effectively guide its planning activities. For example, the bureau had
  not (1) developed a master schedule and milestones, (2) defined all of
  its core business processes, (3) assessed the costs and benefits of
  alternative continuity strategies, or (4) planned for the testing phase
  of its business continuity planning effort. We recommended improvements
  to the Federal Bureau of Investigation's planning activities, including
  that it establish and implement effective controls and structures for
  managing its business continuity planning. In commenting on our report,
  Justice indicated that it and the bureau had taken the first steps in
  implementing our recommendations.

o In testimony last week we stated that, because of deficiencies in their
  contingency plans, the Department of State and the U.S. Agency for
  International Development lacked assurance that they could sustain
  their worldwide operations and facilities into the next
  century./Footnote13/ For example, State's business continuity and
  contingency plan did not identify and link its core business processes
  to its Year 2000 contingency plans and procedures, and the department
  had not yet tested its plans with Year 2000-specific scenarios. In the
  case of the U.S. Agency for International Development, we found that it
  had identified one core business process in its business continuity and
  contingency plan but did not identify or address other key agency
  functions. Moreover, the U.S. Agency for International Development
  provided little information on contingency planning activities for its
  missions, and it was unclear when the agency expected to complete its
  business continuity and contingency planning process.

o As we reported on October 14, the Department of Justice's Drug
  Enforcement Administration had managed its business continuity planning
  efforts in accordance with the structures and processes recommended by
  our guide, and had made progress toward completing its
  plans./Footnote14/ However, while progress had been made, the Drug
  Enforcement Administration still had many tasks to complete, with
  little time to address schedule slippages. For example, at the time of
  our review, it had not validated its business continuity strategy;
  defined, documented, or reviewed test plans; or prepared test schedules
  and test scenarios. The agency planned to complete testing of its plans
  by the end of November.

o The Internal Revenue Service's business continuity and contingency
  plans that addressed issuing refunds and receiving paper submissions
  were inconsistent in two key areas--performance goals and mitigating
  actions--as we reported in September./Footnote15/ This raised questions
  about whether these two plans provided sufficient assurance that the
  Internal Revenue Service had taken all necessary steps to reduce the
  impact of a potential Year 2000 failure. For example, neither of the
  plans specified completion dates for the mitigating actions nor did the
  plans specify which individuals would be responsible for completing
  those actions. In response to our concerns, Internal Revenue Service
  officials agreed to make changes to these two plans and to review other
  business continuity and contingency plans for consistency and accuracy.

Business continuity and contingency plans are also key to ensuring that
the government's highest priority programs are not adversely affected by
the Year 2000 problem. In the case of some of the government's essential
programs, not only is it important that the federal government have
effective plans but their partners (such as states) must also have such
plans in order to ensure program continuity. Accordingly, in its March 26,
1999, memorandum designating the government's 42 high-impact programs,
such as food stamps (OMB later added a 43rd high-impact program), each
program's lead agency was charged with identifying to OMB the partners
integral to program delivery; taking a leadership role in convening those
partners; assuring that each partner has an adequate Year 2000 plan and,
if not, helping each partner without one; and developing a plan to ensure
that the program will operate effectively. According to OMB, such a plan
might include testing data exchanges across partners, developing
complementary business continuity and contingency plans, sharing key
information on readiness with other partners and the public, and taking
other steps necessary to ensure that the program will work. 

Our reviews have shown that some high-impact programs are farther along
than others with respect to business continuity and contingency planning.
For example:

o Yesterday we testified on the contingency planning progress of the
  Department of Veterans Affairs' two high-impact programs, benefits and
  health care./Footnote16/ The Veterans Benefits Administration's
  regional offices and Veterans Health Administration's medical
  facilities have completed their business continuity and contingency
  plans but testing is incomplete. Only 5 of 58 Veterans Benefits
  Administration regional offices had completed testing of their business
  continuity and contingency plans (all are now required to complete
  testing by November 15). In addition, while all of the Veterans Health
  Administration's medical facilities completed emergency power drills,
  other portions of their plans, such as the possibility of water and gas
  shortages, have not been tested.

o On October 6, we testified on the readiness status of the 10 high-
  impact state-administered federal programs, including the business
  continuity and contingency plans being developed by the states for
  these programs./Footnote17/ With respect to the three such programs
  overseen by the Department of Agriculture's Food and Nutrition Service
  (e.g., food stamps), it was unclear whether all states had adequate
  plans to ensure the continuity of these programs. Indeed, as of
  September 15, Food and Nutrition Service officials told us that only
  two states had submitted suitable contingency plans. 

In the case of the Department of Health and Human Services' Health Care
Financing Administration's (HCFA) Medicaid program, of the 33 states and
two territories that had been reviewed by a business continuity and
contingency plan contractor, 11 were high risk, 11 were medium risk, and
13 were low risk. Regarding the five high-impact programs of the
department's Administration for Children and Families administered by the
states (e.g., Temporary Assistance for Needy Families), business
continuity and contingency planning was one of the most common areas of
concern cited in 19 state assessment reports available as of September 27,
1999.

With respect to the Department of Labor's Unemployment Insurance program,
a contractor rated states' business continuity and contingency plans from
low to high in terms of their compliance with Labor's requirements for
coverage of core business functions of benefits and tax systems. Based on
the contractor's completed reviews, the quality of state plans varied
widely. For example, according to Labor's contractor, (1) 23 benefits and
14 tax plans had a low/very low degree of compliance with Labor's
requirements and (2) 9 benefits and 5 tax plans had a high degree of
compliance with Labor's requirements.

o In September, we reported that the Department of Agriculture's Food
  Safety Inspection Service had not established milestones for completing
  complementary business continuity and contingency planning with its
  partners for its food safety inspection high-impact program. The food
  safety high-impact program's partners include 25 states with approval
  to operate their own inspection programs./Footnote18/

o As we testified on September 27, the Health Care Financing
  Administration (HCFA) continued to make steady progress on its
  agencywide and 29 internal business continuity and contingency plans
  for its high-impact Medicare program, but the status of contractor
  plans was unknown and the results of HCFA's reviews of managed care
  organizations' plans were not promising./Footnote19/ With respect to
  its internal plans, HCFA had completed an agencywide business
  continuity and contingency plan, but essential validation activities
  remained. Regarding the Medicare contractors' plans, HCFA's contractor
  and our review both found that not all Medicare contractors have
  specified detailed procedures that are required for executing and
  testing their business continuity and contingency plans. In the case of
  the managed care organizations, as of September 2, 1999, HCFA had
  received plans from 310 of the 383 managed care organizations. Its
  review of these 310 plans concluded that 69 percent needed major
  improvement, 18 percent needed minor improvement, and 13 percent were
  reasonable.

Mr. Chairman, on October 26, 1999, we briefed your Subcommittee staff on
the results of our review of 11 high-impact programs, performed at your
request. We found mixed progress on the business continuity and
contingency planning for these programs. For example, the Defense Finance
and Accounting Service reported completing the development and testing of
its business continuity plan for military retiree and annuity pay while
the Immigration and Naturalization Service had not completed or tested the
business continuity plan for its immigration program. In other cases, such
as the Postal Service's mail delivery program, the business continuity
plans had been prepared but testing was not completed.

One key aspect of business continuity and contingency planning that has
not been adequately addressed is the potential cost of implementing plans.
Our business continuity and contingency planning guide calls on agencies
to assess the costs and benefits of identified alternative contingency
strategies. Accordingly, we testified in June that OMB's assessment of
agencies' high-level plans should consider whether agencies provided
estimated business continuity and contingency plan costs and, if not, OMB
should require that this information be provided expeditiously so that it
can give the Congress information on potential future funding
needs./Footnote20/ 

OMB has not required agencies to provide estimates of their business
continuity and contingency plans. Nevertheless, in their August 1999
quarterly reports, we identified five agencies that specified estimated
costs for some aspects of their business continuity and contingency plan
development and/or implementation. For example, the Department of Health
and Human Services estimated that it would cost about $99 million to
implement its business continuity and contingency plans and Day One
strategies regardless of how the year 2000 affects its operations, but its
estimate does not include the cost of invoking the business continuity and
contingency plan. The Department of Education's quarterly report stated
that, as of August 13, 1999, its business continuity and contingency plan
preparation costs were estimated at $3.2 million, and estimated that it
would cost $7.5 million in the event that all of the plans had to be
implemented (which it believed to be of very low probability).

Day One Planning Is Ongoing

Day One strategies are necessary to reduce the risk to facilities,
systems, programs, and services during the weekend of the critical
rollover period. Accordingly, such strategies describe a wide range of
complex, interrelated activities and geographically distributed processes
that must be executed shortly before, during, and after the rollover.
Earlier this month we issued a Day One strategy guide./Footnote21/ As
shown in figure 1, the guide addresses four phases supported by executive
oversight: (1) initiation, (2) rollover risk assessment, planning, and
preparation, (3) rehearsal, and (4) execution, monitoring, responding, and
reporting.

Figure 1: Year 2000 Day One Planning and Operations Structure

In its September 1999 quarterly report, OMB required agencies to submit
Day One strategies by October 15. OMB subsequently asked agencies to
address seven elements in their plans: (1) a schedule of activities, (2)
personnel on call or on duty, (3) contractor availability, (4)
communications with the workforce, (5) facilities and services to support
the workforce, (6) security, and (7) communications with the public. OMB
also told the agencies to consider our Day One strategy
guidance carefully. All agencies have submitted such draft or final
strategies to OMB (either as part of their business continuity and
contingency plan or as a separate document). However, while the U.S.
Agency for International Development and the General Services
Administration reported that they had provided their plans to OMB, we did
not receive these plans in time to include them in our analysis.
Therefore, we analyzed 23 agencies' submissions.

Our review of the agency strategies found that about 40 percent (9 of 23)
addressed all seven elements. For example, in our testimony yesterday we
noted that the Department of Veterans Affairs addressed all of OMB's
elements./Footnote22/ This department and its agencies had developed a Day
One strategy that should help the department manage risks associated with
the rollover period and better position itself to address any disruptions
that may occur. For example, the strategy included a timeline of events
between December 31 and January 1 and a personnel strategy and leave
policy that identifies key managerial and technical personnel available to
support day one operations.

With respect to specific elements, we were able to identify 15 agencies
that included a schedule of activities and 17 that addressed staffing
issues. Also, in a few cases, agencies addressed either OMB's internal
communications element or external communication element but not both.
Further, some elements were addressed in a general manner, and/or the
submissions indicated that more work needed to be completed. For example,
one agency reported that it is developing procedures to ensure its ability
to identify, report, and respond effectively to Year 2000-related events.

An important part of Day One planning is ensuring that the Day One
strategy is executable. Accordingly, the Day One plans and their key
processes and timetables should be reviewed and, if feasible, rehearsed.
Our Day One strategy review found that 19 agencies discussed rehearsing
their strategies, although some did not provide specific dates of planned
or completed rehearsals.

In summary, business continuity and contingency plans and Day One
strategies are key to managing and reducing the risks associated with the
change to the year 2000. In the area of business continuity and
contingency planning, noteworthy progress has been made since early 1998,
although more work remains. With respect to Day One strategies, while about 
40 percent of agencies addressed all of OMB's elements in their
submissions, it is clear that much more work remains. 

Mr. Chairman, Ms. Chairwoman, this concludes my statement. I would be
happy to respond to any questions that you or other members of the
Subcommittees may have at this time.

Contact and Acknowledgments

For information about this testimony, please contact Joel Willemssen at
(202) 512-6253 or by e-mail at [email protected]. Individuals
making key contributions to this testimony included Margaret Davis, 
Mirko Dolak, Jim Houtz, and Linda Lambert.

(511781)

--------------------------------------
/Footnote1/-^High-Risk Series: Information Management and Technology
  (GAO/HR-97-9, February 1997).
/Footnote2/-^Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-
  10.1.14, issued as an exposure draft in February 1997 and in final form
  in September 1997); Year 2000 Computing Crisis: Business Continuity and
  Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in
  March 1998 and in final form in August 1998); Year 2000 Computing
  Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft
  in June 1998 and in final form in November 1998); and Year 2000
  Computing Challenge: Day One Planning and Operations Guide (GAO/AIMD-
  10.1.22, issued as a discussion draft in September 1999 and in final
  form in October 1999).
/Footnote3/-^Year 2000 Computing Crisis: Potential for Widespread
  Disruption Calls for Strong Leadership and Partnerships (GAO/AIMD-98-85,
  April 30, 1998).
/Footnote4/-^Year 2000 Computing Crisis: Readiness Improving, But Much
  Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20,
  1999).
/Footnote5/-^Year 2000 Computing Crisis: Strong Leadership and Effective
  Public/Private Cooperation Needed to Avoid Major Disruptions (GAO/T-AIMD-
  98-101, March 18, 1998). 
/Footnote6/-^Year 2000 Computing Crisis: Actions Must Be Taken Now to
  Address Slow Pace of Federal Progress (GAO/T-AIMD-98-205, June 10, 1998). 
/Footnote7/-^GAO/T-AIMD-99-50, January 20, 1999. 
/Footnote8/-^Year 2000 Computing Challenge: Important Progress Made, Yet
  Much Work Remains to Ensure Delivery of Critical Services (GAO/T-AIMD-99-
  266, August 13, 1999). 
/Footnote9/-^With respect to our analysis of high-level plans and the Day
  One Strategies, the term agencies will hereafter include the Postal
  Service.
/Footnote10/-^Social Security Administration: Update on Year 2000 and
  Other Key Information Technology Initiatives (GAO/T-AIMD-99-259, July
  29, 1999). 
/Footnote11/-^Title IV of the Higher Education Act of 1965, as amended. 
/Footnote12/-^Year 2000 Computing Challenge: FBI Needs to Complete
  Business Continuity Plans (GAO/AIMD-00-11, October 22, 1999). 
/Footnote13/-^Year 2000 Computing Challenge: State and USAID Need to
  Strengthen Business Continuity Planning (GAO/T-AIMD-00-25, October 21,
  1999).
/Footnote14/-^Year 2000 Computing Challenge: DEA Has Developed Plans and
  Established Controls for Business Continuity Planning (GAO/AIMD-00-8,
  October 14, 1999). 
/Footnote15/-^IRS' Year 2000 Efforts: Actions Are Under Way to Help Ensure
  That Contingency Plans Are Complete and Consistent (GAO/GGD-99-176,
  September 14, 1999). 
/Footnote16/-^Year 2000 Computing Challenge: Update on the Readiness of
  the Department of Veterans Affairs (GAO/T-AIMD-00-39, October 28, 1999).
/Footnote17/-^Year 2000 Computing Challenge: Readiness of Key State-
  Administered Federal Programs (GAO/T-AIMD-00-9, October 6, 1999). 
/Footnote18/-^Year 2000 Computing Challenge: Readiness of USDA High-Impact
  Programs Improving, But More Action Is Needed (GAO/AIMD-99-284,
  September 30, 1999). 
/Footnote19/-^Year 2000 Computing Challenge: HCFA Action Needed to Address
  Remaining Medicare Issues (GAO/T-AIMD-99-299, September 27, 1999). 
/Footnote20/-^Year 2000 Computing Challenge: Estimated Costs, Planned Uses
  of Emergency Funding, and Future Implications (GAO/T-AIMD-99-214, June
  22, 1999). 
/Footnote21/-^GAO/AIMD-10.1.22, October 1999. 
/Footnote22/-^GAO/T-AIMD-00-39, October 28, 1999. 
