Year 2000 Computing Crisis: Risk of Serious Disruption to Essential
Government Functions Calls for Agency Action Now (Testimony, 02/27/97,
GAO/T-AIMD-97-52).

GAO discussed the potential serious disruption to critical government
functions and services that may result from the upcoming change of
century, focusing on the steps agencies can take to reduce the risk of
year 2000 computer system failures by making their systems year
2000-compliant.

GAO noted that: (1) if not modified, computer systems or applications
that use dates or perform date- or time-sensitive calculations may
generate incorrect results beyond 1999; (2) every government program
that provides benefits in any way is subject to these problems; (3)
correcting the problem will be labor-intensive and time-consuming and
must be done while systems continue to operate; (4) every federal agency
is at risk of system failures; (5) agencies must begin to address this
challenge now, if they have not already started; (6) whether agencies
succeed or fail will be largely influenced by the quality of executive
leadership and program management; (7) it will be imperative for top
agency management, including the agency head and the chief information
officer, to not only be fully aware of the importance of this
undertaking, but to communicate this awareness and urgency to all agency
personnel in such a way that everyone understands why year 2000
compliance is so important; (8) an agency's ability to successfully
manage its year 2000 program will also depend on the degree to which the
agency has institutionalized key systems development and program
management practices, and on its experience in managing large-scale
software conversion or systems development efforts; (9) to carry out
their year 2000 programs, agencies likewise need to assess their
information resources management capabilities and, if necessary, upgrade
them; (10) GAO has developed a guide that constitutes a framework that
agencies can use to assess their readiness to achieve year 2000
compliance; (11) it provides information on the scope of the challenge
and offers a structured, step-by-step approach for reviewing the
adequacy of agency planning and management of its year 2000 program;
(12) phase 1, awareness, encompasses problem definition and executive
support and sponsorship during which the year 2000 team is assembled and
an overall strategy developed; (13) in phase 2, assessment, the impact
of the century change on the organization is examined, and core business
processes are identified; (14) phase 3 is renovation, in which technical
systems elements are converted or replaced; (15) in phase 4, validation,
replaced elements are thoroughly tested, as is overall performance; (16)
finally, phase 5 is implementation where new elements are integrated as
part of the system; (17) the year 2000 program should be planned and ma*

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-97-52
     TITLE:  Year 2000 Computing Crisis: Risk of Serious Disruption to 
             Essential Government Functions Calls for Agency
             Action Now
      DATE:  02/27/97
   SUBJECT:  Systems conversions
             Financial management systems
             Federal agency accounting systems
             Strategic information systems planning
             Computer software verification and validation
             Information resources management
             Computer equipment management
             Systems design
             Application software

             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the National Commission on Restructuring the
Internal Revenue Service

For Release on Delivery
Expected at
9 a.m.
Thursday,
February 27, 1997

YEAR 2000 COMPUTING CRISIS - RISK
OF SERIOUS DISRUPTION TO
ESSENTIAL GOVERNMENT
FUNCTIONS CALLS FOR AGENCY
ACTION NOW

Statement of Joel C.  Willemssen
Director, Information Resources Management
Accounting and Information Management Division

GAO/T-AIMD-97-52

GAO/AIMD-97-52T


(511420)


Abbreviations
=============================================================== ABBREV

  CIO - Chief Information Officer
  IRM - information resources management

============================================================ Chapter 0

Members of the Commission: 

As you know, the upcoming change of century poses serious risks to
virtually all functions--public and private--that rely on computer
systems.  This year 2000 computing problem has received a great deal
of attention, and deservedly so.  The area has recently been added to
our list of high-risk issues because of its potential for widespread
adverse impact on government operations.  As in the private sector,
there is much that needs to be done if the federal government is to
avoid the disruption of important services on which millions of
Americans depend--and, fortunately, much that can be done.  I am
pleased to share with you today information gathered from numerous
sources about the steps agencies can take to reduce the risk of year
2000 computer system failures by making their systems what is called
year 2000-compliant. 

Let me begin by summarizing the problem.  Since the birth of the
computer era, computer systems have typically used two digits to
represent the year, such as "97" for 1997, in order to conserve
electronic data storage and reduce operating costs.  In the two-digit
format, however, 2000 is indistinguishable from 1900 because both are
represented as "00." As a result, if not modified, computer systems
or applications that use dates or perform date- or time-sensitive
calculations may generate incorrect results beyond 1999.  In fact,
such problems will begin well before January 1, 2000, because they
will affect all calculations that project into the next century. 

Who could be affected?  Virtually every citizen.  Every government
program that provides benefits in any way is subject to these
problems, from social security and veterans' benefits to student
loans and subsidized housing.  This is not simply a government issue,
it is something that will touch us all.  As an example of what could
go wrong, an individual born in 1935 who expects a certain benefit at
age 65 assumes that this will begin in the year 2000.  Yet if the
system reads 2000 as 1900, that person is negative 35 years old--not
even born yet. 

Correcting the problem, in government as in the private sector, will
be labor-intensive and time-consuming--and must be done while systems
continue to operate.  Many of the federal government's computer
systems were originally designed and developed 20 to 25 years ago,
are poorly documented, and use a variety of computer languages--many
of which are obsolete.  The systems consist of tens or hundreds of
computer programs, each with thousands, tens of thousands, or even
millions of lines of code, which must be examined for date format
problems.  In addition, the systems have numerous
components--hardware, operating systems, communications applications,
and database software--that are affected by the date problem. 

Make no mistake:  Every federal agency is at risk of system failures. 
Modifying systems will be a massive undertaking, and agencies must
begin to address this challenge now--if they have not already
started. 

Ironically, perhaps, the enormous challenge involved in achieving
year 2000 compliance is not technical; it is, rather, managerial. 
Whether agencies succeed or fail will be largely influenced by the
quality of executive leadership and program management.  Executive
leadership sets the tone; program management makes change happen.  It
will be imperative for top agency management--including the agency
head and the chief information officer, or CIO--to not only be fully
aware of the importance of this undertaking, but to communicate this
awareness and urgency to all agency personnel in such a way that
everyone understands why year 2000 compliance is so important. 

An agency's ability to successfully manage its year 2000 program will
also depend on the degree to which the agency has institutionalized
key systems development and program management practices, and on its
experience in managing large-scale software conversion or systems
development efforts.  GAO has reported on numerous occasions that
agencies need to address and improve their management of information
technology.  Accordingly, to carry out their year 2000 programs,
agencies need to assess their information resources management, or
IRM, capabilities and, if necessary, upgrade them.  In this process
agencies should also consider soliciting assistance from
organizations experienced in managing major software conversions. 

GAO has developed a guide that constitutes a framework that agencies
can use to assess their readiness to achieve year 2000 compliance. 
It provides information on the scope of the challenge and offers a
structured, step-by-step approach for reviewing the adequacy of
agency planning and management of its year 2000 program.  The guide
draws heavily on the work of the Best Practices Subcommittee of the
Interagency Year 2000 Committee and incorporates guidance and
practices identified by leading information technology organizations. 
Copies of an exposure draft of this guide, released this past Monday,
are available at this hearing today.\1

The guide is divided into five sections, which correspond with the
five phases that we see representing a year 2000 program.  Most of
the remainder of my statement today will discuss the substance of
these five phases:  awareness, assessment, renovation, validation,
and implementation.  Let me first describe each in broad terms. 
(Attached are illustrations of both the year 2000 program phases, and
a timeline showing the important milestones from awareness through
implementation.)

Phase 1, AWARENESS, encompasses problem definition and executive
support and sponsorship; the year 2000 team is assembled and an
overall strategy developed.  In phase 2, ASSESSMENT, the impact of
the century change on the organization is examined, and core business
processes are identified.  Phase 3 is RENOVATION, in which technical
system elements are converted or replaced.  In phase 4, VALIDATION,
replaced elements are thoroughly tested, as is overall performance. 
Finally, phase 5 is IMPLEMENTATION:  New elements are integrated as
part of the system. 

It must be remembered that management of the overall year 2000
program and its individual projects is ongoing, throughout all
phases.  The year 2000 program should be planned and managed as a
single, large information-systems project.  Along with planned
monitoring, policies and procedures that must be in place include
quality assurance, risk management, scheduling and tracking, and
budgeting. 

At this time I'd like to highlight in more detail the main points in
each of the five phases. 


--------------------
\1 Year 2000 Computing Crisis:  An Assessment Guide [exposure draft]
(GAO/AIMD-10.1.14, February 1997). 


   AWARENESS
---------------------------------------------------------- Chapter 0:1

Awareness is a critical first step.  Many people who may have heard
something about a year 2000 computer problem do not yet fully
understand what it's about and why it matters.  For agency personnel,
this is imperative.  This is also the phase in which an organization
within the agency is identified to take the lead in correcting the
problem.  The CIO, in concert with the project teams, must select a
workable approach to the problem, examine the existing IRM
infrastructure, and obtain needed resources. 

More specifically, during this phase, agencies should focus their
energies on defining the year 2000 problem and its potential impact,
assessing the adequacy of program management capabilities, developing
a strategy, establishing an executive management council, appointing
a program manager, and establishing a program office. 


   ASSESSMENT
---------------------------------------------------------- Chapter 0:2

The main thrust of assessment is separating the mission-critical
systems--which must be converted or replaced--from important ones
that should be converted or replaced and marginal ones that may be
addressed now or deferred.  It is important to remember that the year
2000 problem is primarily a business problem, not just an issue of
information technology.  This is why it is essential to assess the
impact of potential year 2000-induced system failures on core
business functions and mission-critical processes. 

To determine specifically what must be done and when, agencies should
inventory their information systems in each business area, assign
priority to individual systems, establish project teams for business
areas and major systems, and develop a program plan.  Agencies should
also develop validation strategies and testing plans, identify and
acquire tools, and develop contingency plans.  Assessments also need
to include other systems that affect the business, such as telephone
switching systems. 


   RENOVATION
---------------------------------------------------------- Chapter 0:3

This phase deals with making actual changes, whether eliminating,
converting, or replacing hardware and software, and documenting those
changes.  In all cases, it will be important to consider the complex
interdependencies among systems and applications.  All changes also
need to be consistent agencywide, and information about changes
clearly disseminated to users. 

In addition to the conversion of selected applications and related
system components, agencies must address data exchange issues,
document code and system changes, and track and measure renovation
processes. 


   VALIDATION
---------------------------------------------------------- Chapter 0:4

The validation phase may well take agencies over a year to complete,
and consume up to half of the year 2000 program's budget and
resources.  This is due to the complex interrelationships among
scores of applications, databases, and operating systems.  Yet this
is precisely why the testing and validation are so essential:  It is
the only way to ensure that changes expected to work do in fact work. 
It will be important for agencies to satisfy themselves that their
testing procedures are indeed up to this challenge, that their
results can be trusted. 

During this phase, agencies should develop and document test plans
and schedules; develop a strategy for managing testing of
contractor-converted systems; implement a year 2000 test facility;
perform system testing; and define, collect, and use test
measurements for managing the validation process. 


   IMPLEMENTATION
---------------------------------------------------------- Chapter 0:5

Implementing year 2000-compliant systems and their components
requires extensive integration and acceptance testing to ensure that
all components perform as needed in an operating environment
consisting of diverse types of systems.  In addition, since not all
system elements will be converted or replaced simultaneously,
agencies may for a time operate with a mix of year 2000-compliant and
noncompliant systems.  To reduce risk as systems are converted or
replaced, it may be wise for agencies to operate in a parallel
processing mode for a period for selected systems--using the old and
new systems side-by-side simultaneously.  This redundancy can act as
a fail-safe mechanism until it is clear that all changed systems are
operating correctly. 

During this phase, agencies must also define the environment and
procedures to be followed during transition to the renovated systems,
develop an implementation schedule, resolve interagency and data
exchange concerns, address database questions, complete acceptance
testing, develop contingency plans, and update or develop disaster
recovery plans. 

In closing, let me reiterate that while the year 2000 problem is
serious and could well become a crisis for any organization that
fails to take its demands seriously, it is correctable.  It will take
long, hard effort, but it can--and must--be done.  There is much that
can be done, and the time is now. 


-------------------------------------------------------- Chapter 0:5.1

This concludes my statement.  I'd be pleased to respond to any
questions you or other members of the Commission may have at this
time. 


YEAR 2000 PROGRAM PHASES
=========================================================== Appendix I



   (See figure in printed
   edition.)


YEAR 2000 MILESTONES
========================================================== Appendix II



   (See figure in printed
   edition.)


*** End of document. ***