Year 2000 Computing Crisis: Time is Running Out for Federal Agencies to
Prepare for the Millennium (Testimony, 07/10/97, GAO/T-AIMD-97-129).

GAO discussed: (1) the federal government's strategy for addressing the
year 2000 computing problem, and agencies' reported status in resolving
the issue; and (2) federal efforts to date based on work GAO completed
at certain agencies and on GAO's review of the Office of Management and
Budget's (OMB) implementation of the federal strategy, including year
2000 reports submitted by 24 federal agencies.

GAO noted that: (1) the federal strategy for resolving the year 2000
computing crisis is detailed in a document OMB submitted on February 6
of this year to three House Committees: Government Reform and Oversight,
Science and Appropriations; (2) the strategy is predicated on three
assumptions: (a) senior agency managers will take whatever action is
necessary to address the problem once they are aware of its potential
consequences; (b) a single solution to the problem does not exist, and
solving it requires modification or replacement of agency information
systems; and (c) given the limited amount of time available, emphasis
will be placed on mission-critical systems; (3) at the department and
agency level, this strategy relies on the recently established chief
information officers, or CIOs, to direct year 2000 actions; (4) to
complement individual agency efforts, OMB is: (a) requesting that
departments and agencies submit quarterly reports on their progress; and
(b) sharing management and technical expertise through its CIO Council
and the Council's Subcommittee on the Year 2000; (5) OMB has set as the
standard that agency year 2000 activities should adhere to industry best
practices for the five delineated phases of an effective year 2000
program: awareness, assessment, renovation, validation, and
implementation; (6) on June 23, 1997, OMB transmitted its first
quarterly report, dated May 15, 1997, to selected congressional
committees on the progress of federal agencies in correcting the year
2000 problem; (7) in its report, based on May 1997 estimates, OMB noted
that agencies expect to spend about $2.75 billion correcting systems to
be what is called year 2000 compliant; (8) 18 of 24 departments and
agencies reported that they would complete the assessment phase as of
last month, the deadline in OMB's governmentwide schedule; (9) six
reported that they would not meet the assessment phase deadline:
Defense, Transportation, Treasury, Veterans Affairs, the Agency for
International Development (AID), and the Nuclear Regulatory Commission
(NRC); (10) GAO believes ample evidence exits that OMB and key federal
agencies need to heighten their levels of concern and move with more
urgency; and (11) other critical readiness issues that demand
high-priority attention are data exchange, systems prioritization, and
contingency planning.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-129
     TITLE:  Year 2000 Computing Crisis: Time is Running Out for Federal 
             Agencies to Prepare for the Millennium
      DATE:  07/10/97
   SUBJECT:  Systems conversions
             Computer equipment management
             Computer software verification and validation
             Information resources management
             Agency missions
             Strategic information systems planning
             Systems evaluation
             Systems compatibility
IDENTIFIER:  OMB Year 2000 Program
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Government Management, Information and
Technology, House Committee on Government Reform and Oversight, and
the Subcommittee on Technology, House Committee on Science

For Release on Delivery
Expected at
10 a.m.
Thursday,
July 10, 1997

YEAR 2000
COMPUTING CRISIS - TIME IS RUNNING
OUT FOR FEDERAL AGENCIES TO
PREPARE FOR THE NEW MILLENNIUM

Statement of Joel C.  Willemssen
Director, Information Resources Management
Accounting and Information Management Division

GAO/T-AIMD-97-129

GAO/AIMD-97-129T


(511225)


Abbreviations
=============================================================== ABBREV


============================================================ Chapter 0

Mr.  Chairman, Ms.  Chairwoman, and Members of the Subcommittees: 

During the past 12 months, the year 2000 computing problem has
received increased attention--and deservedly so--in large part thanks
to the efforts of your Subcommittees.  Much has happened since the
initial congressional hearings on this matter were held just over a
year ago on whether computer systems that support federal programs
will be equipped to handle dates later than 1999.  At that time, most
federal agencies were just beginning to be aware of the year 2000
issue and its importance, and few had prepared plans for addressing
it. 

Now, agencies report to the Office of Management and Budget (OMB)
that they are in a much better position to resolve the year 2000
challenge before the actual change of millennium.  However, while
agencies have certainly made progress over the last year, we believe
that the pace needs to be significantly accelerated if widespread
systems problems are to be avoided as the year 2000 approaches. 

Our testimony today will describe the federal government's strategy
for addressing the year 2000 problem, and agencies' reported status
in resolving the issue.  In addition, we will provide observations on
federal efforts to date based on work we have completed at certain
agencies and on our review of OMB's implementation of the federal
strategy, including year 2000 reports submitted by 24 federal
agencies. 


   READINESS FOR THE YEAR 2000: 
   THE FEDERAL STRATEGY
---------------------------------------------------------- Chapter 0:1

The federal strategy for resolving the year 2000 computing crisis is
detailed in a document OMB submitted on February 6 of this year to
three House Committees:  Government Reform and Oversight, Science,
and Appropriations.  The strategy is predicated on three assumptions: 
(1) senior agency managers will take whatever action is necessary to
address the problem once they are aware of its potential
consequences; (2) a single solution to the problem does not exist,
and solving it requires modification or replacement of agency
information systems; and (3) given the limited amount of time
available, emphasis will be placed on mission-critical systems. 

At the department and agency level, this strategy relies on the
recently established chief information officers, or CIOs, to direct
year 2000 actions.  To complement individual agency efforts, OMB is
(1) requesting that departments and agencies submit quarterly reports
on their progress, and (2) sharing management and technical expertise
through its CIO Council and the Council's Subcommittee on the Year
2000. 

In addition, OMB has set as the standard that agency year 2000
activities should adhere to industry best practices for the five
delineated phases of an effective year 2000 program:  awareness,
assessment, renovation, validation, and implementation.  In
consonance with these phases, we have developed and disseminated an
assessment guide to help agencies plan, manage, and evaluate their
year 2000 programs.\1 The guide provides information on the scope of
the challenge and offers a structured approach for agencies to use. 
We are following the approach outlined in the guide for our reviews
at selected agencies, and are encouraging others to use it as well. 
To date, we have received over 16,000 requests for copies. 

For each of the five phases, OMB has set the following governmentwide
milestones for agencies to complete the majority of the work. 

              OMB's Governmentwide Year 2000 Milestones
----------------------------------------------------------------------
Phase                           Completion measure     Completion date
------------------------------  ------------------  ------------------
Awareness                       Agency strategy                  12/96
                                 approved by CIO
Assessment                      Inventory and                     3/97
                                 scope completed

                                 System plans/                    6/97
                                 schedules
                                 approved by CIO
Renovation                      Coding completed                 12/98
Validation                      Management sign-                  1/99
                                 off
Implementation                  Integrated testing               11/99
                                 completed
----------------------------------------------------------------------
Source:  OMB. 


--------------------
\1 Year 2000 Computing Crisis:  An Assessment Guide [exposure draft]
(GAO/AIMD-10.1.14, February 1997). 


   STATUS OF AGENCIES' YEAR 2000
   PROGRAMS
---------------------------------------------------------- Chapter 0:2

On June 23, 1997, OMB transmitted its first quarterly report, dated
May 15, 1997, to selected congressional committees on the progress of
federal agencies in correcting the year 2000 problem.\2 This report
is based on the quarterly reports submitted by the individual
departments and agencies, which address questions of organizational
responsibility, program status, cost, and mission-critical systems
that are behind schedule. 

In its report, based on May 1997 agency estimates, OMB noted that
agencies expect to spend about $2.75 billion correcting systems to be
what is called year 2000 compliant.  This is an increase of nearly
$500 million, or about 20 percent, over the February 1997 estimate. 
OMB noted in its summary report that its next quarterly report will
likely provide a higher cost estimate as more agencies complete the
assessment phase. 

While acknowledging that much work remains, OMB--on the basis of the
agency reports --expressed its belief that agencies had made a good
start in addressing the problem.  OMB further summarized that most
agencies had completed or would shortly complete their assessments of
the problem, many had begun systems renovation, and no
mission-critical systems were reported to be behind schedule. 

The OMB report includes agency-specific schedules for completing the
assessment, renovation, validation, and implementation phases of the
year 2000 effort.  Our accompanying chart, which appears at the end
of this statement, summarizes those schedules. 

As shown on our chart, 18 of 24 departments and agencies reported
that they would complete the assessment phase as of last month, the
deadline in OMB's governmentwide schedule.  Six reported that they
would not meet the assessment phase deadline:  Defense,
Transportation, Treasury, Veterans Affairs, the Agency for
International Development (AID), and the Nuclear Regulatory
Commission (NRC).  The current estimated cost for achieving year 2000
compliance for these 6 entities is about $1.9 billion, or about 70
percent of the total for the 24 agencies. 

To complete the assessment phase, an agency needs to undertake a
variety of activities.  In our view these should include, at a
minimum, (1) assessing the severity and timing of the impact of year
2000-induced failures; (2) developing a thorough inventory of all of
its systems; (3) establishing priorities and schedules as to
whether--and which--systems should be converted, replaced, or
eliminated; (4) developing validation strategies and test plans; (5)
addressing interface and data exchange issues; and (6) developing
contingency plans for critical systems in the event of failure. 

Our evaluations of year 2000 readiness at component agencies of both
the Department of Veterans Affairs--one of the six reporting to OMB
that its assessment was still underway --and of Health and Human
Services--which reported that this phase would be completed in June
1997--show that assessment activities have not yet been completed.\3

For example, we recently testified that key readiness assessment
processes at the Veterans Benefits Administration--including
determining the potential severity of impact of the year 2000 on
agency operations, inventorying information systems and their
components, and developing contingency plans--had not been completed. 
The Department has indicated that it will complete its assessment
next January.\4

We also reported and testified this past May that the Health Care
Financing Administration (HCFA)--a major component agency within the
Department of Health and Human Services (HHS)--had not completed
numerous critical assessment activities for the systems run by its
contractors to process approximately $200 billion annually in
Medicare claims.\5 Specifically, HCFA had not required systems
contractors to submit year 2000 plans for approval, and lacked
contracts or other legal agreements detailing how or when the year
2000 problem would be corrected, or indeed whether contractors would
even certify that they would correct the problem.  We made several
recommendations to HCFA to address its shortcomings in this area,
including regular reporting to HHS on its progress.  HHS reported in
May that it expected to complete the assessment phase last month. 


--------------------
\2 Getting Federal Computers Ready for 2000, Progress Report, U.  S. 
Office of Management and Budget, May 15, 1997. 

\3 We currently have ongoing year 2000 evaluations at the Department
of Defense, Department of State, Social Security Administration,
Federal Aviation Administration, and Internal Revenue Service; in
addition, we will shortly begin work at the Veterans Health
Administration. 

\4 Veterans Benefits Computer Systems:  Uninterrupted Delivery of
Benefits Depends on Timely Correction of Year 2000 Problems
(GAO/T-AIMD-97-114, June 26, 1997) and Veterans Benefits Computer
Systems:  Risks of VBA's Year 2000 Efforts (GAO/AIMD-97-79, May 30,
1997). 

\5 Medicare Transaction System:  Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16,
1997) and Medicare Transaction System:  Serious Managerial and
Technical Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May
16, 1997). 


   URGENT NEED TO ACCELERATE
   AGENCY YEAR 2000 PROGRAMS
---------------------------------------------------------- Chapter 0:3

As we have pointed out in earlier testimony, if systems that millions
of Americans have come to rely on for regular benefits malfunction,
the ensuing delays could be disastrous.\6

OMB's perspective that agencies have made a good start and that no
mission-critical systems were reported to be behind schedule would
seem to imply that there is no cause for alarm.  On the contrary, we
believe ample evidence exists that OMB and key federal agencies need
to heighten their levels of concern and move with more urgency.  A
closer look reveals why. 

First, the agencies' reported schedules show that most are leaving
essentially no margin of error for unanticipated schedule delays; 15
of 24 expect to complete implementation in either November or
December of 1999.  This leaves only a matter of weeks, at most, if
something should require more work before January 1, 2000.  According
to their own reports, six agencies, including four large departments,
have already missed OMB's June 1997 deadline for completion of
assessment.  Where assessments of mission criticality have not been
completed, it is logical to assume that schedules for correcting
those systems have not been made final.  Given these factors, it is
essential that OMB continue to monitor agency schedules to identify
delays so that necessary action can be taken to enable programs to
finish in time. 

Second, OMB's perspective is based on agency self-reporting, which
has not been independently validated.  Indications are that agency
reports may not be accurate; those saying that assessment has been
completed include HHS which, as I have highlighted today, still has
much to do. 

Third, entities may have interpreted mission-critical in various
ways--even within departments.  For example, the Department of the
Army reports that 7 percent of its systems are mission-critical, yet
the Defense Information Systems Agency, a Defense Department support
agency, considers all of its systems--100 percent--to be
mission-critical.  A further look within Defense shows that almost
two-thirds of over 2,750 "mission-critical" systems slated for repair
are still in the assessment phase.  And this excludes over 11,000
lower priority systems that are in varying stages of assessment. 

Fourth, OMB, in its governmentwide schedule, has established only 1
month--from December 1998 to January 1999--to complete validation. 
The validation phase is critical for thorough testing of all
converted or replaced system components to (1) uncover any errors
introduced during conversion or renovation, (2) validate year 2000
compliance, and (3) verify operational readiness.  Without adequate
testing, agencies can have no assurance that their solutions will
actually work.  According to the Gartner Group, a private research
firm acknowledged for its expertise in year 2000 issues, activities
such as unit and system testing could consume up to 40 percent of the
time and resources dedicated to an entire year 2000 program.  OMB's
timeline does not convey this message.  Accordingly, agencies may
perceive that OMB does not view testing and validation activities as
especially critical, and that OMB may approve overly optimistic
schedules. 


--------------------
\6 Year 2000 Computing Crisis:  Strong Leadership Today Needed To
Prevent Future Disruption of Government Services (GAO/T-AIMD-97-51,
Feb.  24, 1997). 


   OTHER CRITICAL READINESS ISSUES
   THAT DEMAND HIGH-PRIORITY
   ATTENTION
---------------------------------------------------------- Chapter 0:4

Beyond the major areas covered in agency reports to OMB and, in turn,
in OMB's report to Committees of the Congress, other issues
surrounding year 2000 readiness are quickly emerging that will be of
major importance as agencies move farther along in their year 2000
programs.  These include data interfaces and exchanges, systems
prioritization, and contingency planning.  Our recent reports on year
2000 programs at the Veterans Benefits Administration and the Health
Care Financing Administration include several recommendations to
address these issues. 

Data exchange.  Many agencies exchange data with hundreds if not
thousands of external entities.  Unless both parties to any exchange
are year 2000 compliant, information systems and databases may easily
be contaminated by coding embedded in noncompliant systems.  To
combat this, agencies must inventory and assess all internal and
external data exchanges, make appropriate notifications and, if
necessary, develop appropriate bridges or filters to maintain the
integrity of replaced or converted systems and the data within them. 

Systems prioritization.  It is becoming increasingly clear that
agencies will likely be unable to correct all noncompliant systems
before 2000.  Accordingly, it is imperative that agencies set
priorities, on the basis of mission needs and the timing and expected
impact of year 2000-induced failures.  Identification of
mission-critical systems is not enough; each department's and
agency's most important business activities must be given top
priority to ensure their continued, uninterrupted operation. 

Contingency planning.  Because the cost of systems failure--in terms
beyond just the monetary--can be very high, contingency plans must be
prepared so that core business functions will continue to be
performed even if systems have not been made year 2000 compliant. 

We consider it essential that OMB emphasize in its ongoing oversight
and monitoring these issues that we expect to grow in significance in
the next 2 years. 


-------------------------------------------------------- Chapter 0:4.1

In closing, as we have reiterated previously, preparing for the year
2000 is much more of a management challenge than a technical one. 
Managers--in the agencies and in OMB--must ensure that the technical
solutions are implemented on time.  It can be done, and the public is
depending on us to do it.  Continuing congressional oversight, such
as this hearing, will be an important catalyst to effective, timely
actions to ensure that information systems are prepared for the year
2000. 

Mr.  Chairman, Ms.  Chairwoman, and Members of the Subcommittees,
this concludes my statement.  I would be pleased to respond to any
questions you may have at this time. 


*** End of document. ***