Year 2000 Computing Challenge: Federal Government Making Progress But
Critical Issues Must Still Be Addressed to Minimize Disruptions
(Testimony, 04/14/99, GAO/T-AIMD-99-144).

Pursuant to a congressional request, GAO discussed the remaining year
2000 computing challenges facing the federal government, focusing on
the: (1) actions that the federal government has taken to improve its
year 2000 approach; (2) status of the federal government's remediation
of its mission-critical systems, with a particular focus on those that
are not yet compliant; (3) reported status of state-administered federal
programs; and (4) remaining challenges facing the government in ensuring
the continuity of business operations, namely end-to-end testing and
contingency planning.

GAO noted that: (1) since February 1997, action taken to address the
year 2000 threat has intensified; (2) in response to a growing
recognition of the challenge and urging from congressional leaders and
others, the administration strengthened the government's year 2000
preparation; (3) in February 1998, the President took a major step in
establishing the President's Council on Year 2000 Conversion; (4) the
Office of Management and Budget (OMB) has taken more aggressive action
on year 2000 matters over the past year and a half and has been
responsive to GAO's recommendations; (5) OMB's most recent reports show
improvement in addressing the year 2000 problem; (6) many key tasks,
however, remain to be completed to ensure the continuity of critical
services; (7) end-to-end testing and business continuity and contingency
planning are not yet complete and, in some cases, are in the beginning
stages; (8) not all of the systems reported as compliant have completed
an independent verification and validation process; (9) in some cases,
independent verification and validation of compliant systems have found
serious problems; (10) the Federal Aviation Administration has
identified 26 of its mission-critical systems as posing the greatest
risk to the National Airspace System should its year 2000 repairs
experience schedule delays or should the systems not be operational on
January 1, 2000; (11) the Health Care Financing Administration relies on
78 external mission-critical systems operated by contractors throughout
the country to process Medicare claims; (12) the Department of Health
and Human Services (HHS) reported that 23 of these external
mission-critical systems were not deemed year 2000 compliant as of March
31, 1999; (13) according to an official at the Coast Guard, three
mission-critical systems used in maritime search and rescue missions did
not meet the March 1999 implementation goal; (14) HHS reported that the
Indian Health Service's Resource and Patient Management System is
scheduled to be compliant by June 30, 1999; (15) GAO testified that
while the Department of Defense had recently made progress by providing
the controls and guidance needed to fix and test systems, it was behind
schedule; (16) one federal system that did not make the March
implementation target is critical to the implementation of several
federal human services programs; and (17) this system, HHS's Payment
Management System, processes billions of dollars in grant payments to
states and other recipient organizations for vital programs.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-144
     TITLE:  Year 2000 Computing Challenge: Federal Government Making 
             Progress But Critical Issues Must Still Be Addressed
             to Minimize Disruptions
      DATE:  04/14/99
   SUBJECT:  Y2K
             Strategic information systems planning
             Information resources management
             Data integrity
             Computer software
             Computer software verification and validation
             State-administered programs
             Schedule slippages
             Systems conversions
             Systems compatibility
IDENTIFIER:  Y2K
             FAA National Airspace System Plan
             FAA Automated Radar Terminal System
             FAA Year 2000 Program
             IHS Resource and Patient Management System
             DOD Global Command and Control System
             DOD Defense Switched Network
             DOD Theater Battle Management Core Systems
             Air Force Contingency Theater Automation Planning System
             Medicaid Management Information System
             Medicare Program
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
AI99144T.book GAO United States General Accounting Office

Testimony Before the Special Committee on the Year 2000 Technology
Problem, U. S. Senate

For Release on Delivery Expected at 9: 30 a. m. Wednesday, April
14, 1999

YEAR 2000 COMPUTING CHALLENGE

Federal Government Making Progress But Critical Issues Must Still
Be Addressed to Minimize Disruptions

Statement of Gene L. Dodaro Assistant Comptroller General
Accounting and Information Management Division




GAO/T-AIMD-99-144

  GAO/T-AIMD-99-144

Page 1 GAO/T-AIMD-99-144

Mr. Chairman and Members of the Committee: I am pleased to appear
today to discuss efforts to address the Year 2000 computing
challenge and to outline remaining actions needed to ensure a
smooth conversion to the next century. The federal government--
with its

widespread dependence on large- scale, complex computer systems to
deliver vital public services and carry out its massive
operations-- faces a large and difficult task. Unless adequately
corrected, Year 2000 computing problems could lead to serious
disruptions in key federal operations, ranging from national
defense to benefits payments to air traffic management.

Consequently, in February 1997, we designated the Year 2000
computing problem as a high- risk area. Our purpose was to
stimulate greater attention to assessing the government's exposure
to Year 2000 risks and to strengthen planning for achieving Year
2000 compliance for mission- critical systems. Since that time, to
help agencies mitigate their Year 2000 risks, we produced a series
of Year 2000 guides on enterprise readiness, business continuity
and contingency planning, and testing. 1 In addition, we have
issued over 90 reports and testimony statements detailing specific
findings and made dozens of recommendations related to the Year
2000 readiness of the government as a whole and of a wide range of
individual agencies.

My testimony today  outlines the actions that the federal
government has taken to improve its

Year 2000 approach;  summarizes the status of the federal
government's remediation of its

mission- critical systems, with a particular focus on those that
are not yet compliant;  discusses the reported status of state-
administered federal programs;

and  describes the main remaining challenges facing the government
in ensuring the continuity of business operations, namely end- to-
end

testing and contingency planning. 1 Year 2000 Computing Crisis: An
Assessment Guide (GAO/ AIMD- 10. 1. 14, issued as an exposure
draft in February 1997 and in final form in September 1997), Year
2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/ AIMD- 10.1.19, issued as an exposure draft in March
1998 and in final form in August 1998) and Year 2000 Computing
Crisis: A Testing Guide (GAO/ AIMD- 10. 1. 21, issued as an
exposure draft in June 1998 and in final form in November 1998).

Page 2 GAO/T-AIMD-99-144

Actions Taken to Increase Attention

Since February 1997, action to address the Year 2000 threat has
intensified. In response to a growing recognition of the challenge
and urging from congressional leaders and others, the
administration strengthened the government's Year 2000
preparation. In February 1998, the President took a major step in
establishing the President's Council on Year 2000 Conversion. The
President also (1) established the goal that no system

critical to the federal government's mission experience disruption
because of the Year 2000 problem and (2) charged agency heads with
ensuring that this issue receives the highest priority attention.
Among the initiatives the Chair of the Council has implemented in
carrying out these responsibilities are attending monthly meetings
with senior managers of agencies that are not making sufficient
progress, establishing numerous working groups to increase
awareness of and gain cooperation in addressing the Year 2000
problem in various economic sectors, and emphasizing the
importance of federal/ state data exchanges.

Many congressional committees have been extremely diligent in
addressing the Year 2000 challenge by holding agencies accountable
for demonstrating progress and by heightening public appreciation
of the problem. Work done by this Committee in holding over 10
hearings on important topics such as the food sector, electric
power, and financial services and issuing a major report 2 on the
impact of the Year 2000 problem has fostered a greater
understanding of the problem and focused attention on actions
needed.

The Office of Management and Budget (OMB), for its part, has taken
more aggressive action on Year 2000 matters over the past year and
half and has been responsive to our recommendations. For example,
in its quarterly report issued in December 1997, OMB accelerated
its milestone for agencies to complete the implementation phase
from November 1999 to March 1999. OMB also has tightened
requirements on agency reporting of Year 2000 progress. It now
requires that beyond the original 24 major departments and
agencies that have been reporting, 9 additional agencies (such as
the Tennessee Valley Authority and the Postal Service) report
quarterly on their Year 2000 progress, and that additional
information be reported from all agencies. OMB also has clarified
instructions for

agencies relative to preparing business continuity and contingency
plans. 2 Investigating the Impact of the Year 2000 Problem (United
States Senate, Special Committee on the Year 2000 Technology
Problem, February 24, 1999).

Page 3 GAO/T-AIMD-99-144

OMB also places each of the 24 major agencies into one of three
tiers after receiving its quarterly progress report, determined by
OMB's assessment of the agency's reported progress. Figure 1 shows
OMB's assessment of agencies' Year 2000 progress on the basis of
their latest quarterly report issued on March 18, 1999.

Page 4 GAO/T-AIMD-99-144

Figure 1: OMB's Assessment of Agencies' Year 2000 Progress

Source: Progress on Year 2000 Conversion, (OMB, data received
February 12, 1999, issued on March 18, 1999).

In April 1998, we recommended that the President's Council on Year
2000 Conversion establish governmentwide priorities, based on such
criteria as the potential for adverse health and safety effects,
adverse financial effects

TIER 1: Agencies Demonstrating Insufficient Evidence of Progress

 HHS  Transportation

 AID

TIER 2: Agencies Showing Evidence of Progress But About Which OMB
Has Concerns

 Agriculture  Labor

 Commerce  Treasury

 Defense  Justice

 Energy  State

TIER 3: Agencies Making Satisfactory Progress

 HUD  NASA

 Interior  NSF

 VA  NRC

 EPA  SBA

 FEMA  SSA

 Education  GSA

 OPM

Page 5 GAO/T-AIMD-99-144

on American citizens, detrimental effects on national security,
and adverse economic consequences. On March 26, 1999, OMB
implemented our recommendation by issuing a memorandum to federal
agencies designating lead agencies for the government's 42 high-
impact programs, including those delivering critical benefits such
as social security, food stamps, and Medicare; ensuring adequate
weather forecasting capabilities; and providing federal electric
power generation and delivery. The attachment contains a list of
these 42 high- impact programs and the lead agencies.

In the memorandum, the lead agency for each high- impact program
was charged with identifying the partners integral to program
delivery; taking a leadership role in convening those partners;
assuring that each partner has an adequate Year 2000 plan and, if
not, helping each partner without one; and developing a plan to
ensure that the program will operate effectively. According to
OMB, such a plan might include testing data exchanges

across partners, developing complementary business continuity and
contingency plans, sharing key information on readiness with other
partners and the public, and taking other steps necessary to
ensure that the program will work. OMB directed the lead agencies
to provide a schedule and milestones of key activities in the plan
by April 15. OMB also asked

agencies to provide monthly progress reports. Reported Percentage
of Compliant Federal Systems Increased, But Critical Issues Remain

OMB's most recent reports show improvement in addressing the Year
2000 problem. In particular, the federal government has reported
significantly increased percentages of mission- critical systems
that are Year 2000 compliant (from 21 percent compliant in May
1997 to a reported 92 percent

on March 31, 1999). Many key tasks, however, remain to be
completed to ensure the continuity of critical services. End- to-
end testing and business continuity and contingency planning are
not yet complete and, in some cases, are in the beginning stages.
Further, not all of the systems reported as compliant have yet
completed an independent verification and validation process. For
example, 57 Environmental Protection Agency mission- critical
systems and 3 Department of the Interior mission- critical

systems reported as compliant were still undergoing independent
verification and validation. In some cases, independent
verification and validation of compliant systems have found
serious problems. For example, as we testified in

Page 6 GAO/T-AIMD-99-144

February 1999, 3 none of the Health Care Financing
Administration's (HCFA) 54 external mission- critical systems
reported by the Department of Health and Human Services as
compliant as of December 31, 1998, were Year 2000 ready, based on
serious qualifications identified by the

independent verification and validation contractor. Some Agencies
Did Not Meet Governmentwide Goal

As table 1 shows, 11 major departments and agencies reported that
some of their mission- critical systems did not meet OMB's
governmentwide March 31, 1999, implementation goal.

Table 1: Agencies Reporting That They Did Not Complete
Implementation of Year 2000 Compliant Systems by the Government's
March 1999 Goal a

a The Department of Energy's data are as of April 8, 1999. The
Departments of Agriculture, State, and the Treasury data are as of
April 7, 1999. The Department of Justice data are as of April 6,
1999. The Department of Transportation data are as of April 5,
1999. The Departments of Commerce, Defense, and Health and Human
Services and the National Aeronautics and Space Administration and
the U. S. Agency for International Development data are as of
March 31, 1999.

b The Department of Health and Human Services reported 55 of
HCFA's 78 external mission- critical systems as compliant. We
testified in February (GAO/T-AIMD-99-89, February 24, 1999), that
none of HCFA's 54 external mission- critical systems reported by
the Department of Health and Human

3 Year 2000 Computing Crisis: Medicare and the Delivery of Health
Services Are at Risk (GAO/ T- AIMD99- 89, February 24, 1999).

Agency Total missioncritical

systems Number compliant Percentage

compliant

National Aeronautics and Space Administration 157 155 99%

Department of Commerce 473 462 98% Department of Energy 420 408
97% Department of Agriculture 350 335 96% Department of Health and
Human Services 287 262 b 91%

Department of Justice 220 201 91% Department of Treasury 322 293
91% Department of Transportation 608 541 89% Department of State
59 52 88% Department of Defense 2038 1793 88% U. S. Agency for
International Development 7 0

(Table notes continued on next page)

Page 7 GAO/T-AIMD-99-144

Services as compliant as of December 31, 1998, was Year 2000
ready, based on serious qualifications identified by the
independent verification and validation contractor. Source:
Agencies.

Many Mission- Critical Systems That Missed March Goal Support
Critical Business Processes

Many of the mission- critical systems that were not implemented by
the March target date support critical business processes, and
some are not scheduled to be Year 2000 compliant for several
months. For example, 120

systems are scheduled to be Year 2000 compliant in July 1999 or
later. Of these 120 systems, 23 are not expected to be compliant
until after September 1999. For these systems, given the limited
amount of time

available, agencies will be challenged to complete the remaining
tasks and respond to unexpected problems.

Table 2 shows the schedule for remediating currently noncompliant
mission- critical systems.

Table 2: Schedule for Implementing Noncompliant Mission- Critical
Systems a Agency April- June

1999 JulySeptember

1999 OctoberDecember

1999 January 2000 Unknown

Department of Agriculture 7 6 2 0 0 Department of Commerce 9 2 0 0
0 Department of Defense 168 65 12 0 0 Department of Energy 6 4 1 0
1 b Department of Health and Human Services 2 0 0 0 23 c

Department of Justice 11 5 3 0 0 Department of State 7 0 0 0 0
Department of the Treasury 16 9 2 2 d 0

Department of Transportation 55 4 1 0 7 e National Aeronautics and
Space Administration 1 1 0 0 0

U. S. Agency for International Development 6 1 0 0 0

Total 288 97 21 2 31

(Table notes on next page)

Page 8 GAO/T-AIMD-99-144

a The Department of Energy's data are as of April 8, 1999. The
Departments of Agriculture, State, and the Treasury data are as of
April 7, 1999. The Department of Justice data are as of April 6,
1999. The Department of Transportation data are as of April 5,
1999. The Departments of Commerce, Defense, and Health and Human
Services and the National Aeronautics and Space Administration and
the U. S. Agency for International Development data are as of
March 31, 1999.

b One noncompliant system was reported with an estimated
completion date of March 1, 1999. c According to the Department of
Health and Human Services, HCFA was in the process of receiving
and reviewing certifications from their contractors and expected
to know the actual status of these systems by April 21, 1999. d A
Department of the Treasury official stated that two systems will
be retired in January 2000.

e The Department of Transportation reported five noncompliant
systems with estimated completion dates of March 1999 or earlier
and did not provide the dates for two systems to be retired.
Source: Agencies.

Several of the noncompliant mission- critical systems summarized
above support the 42 high- impact federal programs designated by
OMB. These systems should be given particular attention by agency
management, the administration, and the Congress because of the
potential serious consequences of disruptions in critical services
and operations. Examples include the following.

Air Traffic Control System: The Federal Aviation Administration
(FAA) has identified 26 of its mission- critical systems as posing
the greatest risk to the National Airspace System the network of
equipment, facilities, and

information that supports U. S. aviation operations should their
Year 2000 repairs experience schedule delays or should the systems
not be operational on January 1, 2000. FAA ranked mission-
critical air traffic

control systems based on their impact and criticality to the
National Airspace System, their overall functionality, and an
evaluation of the risk associated with solving the Year 2000
problem. Ten of FAA's 52 noncompliant mission- critical systems
are among the systems that meet this criteria and, therefore, pose
the greatest risk. Examples of the 10 systems include (1) the
Automated Radar Terminal System IIIE, not expected to be compliant
until June 1, 1999, which provides critical radar

data processing to air traffic controllers in selected terminal
radar approach facilities, and (2) the Host environment, which
consists of several systems and is used to control air traffic at
20 en route centers, is not expected to be compliant until June
30, 1999. Because of the risks associated with FAA's Year 2000
program, we have advocated that the

Page 9 GAO/T-AIMD-99-144

agency develop business continuity and contingency plans. 4 FAA
agreed and has activities underway, which we are currently
reviewing. Medicare: HCFA relies on 78 external mission- critical
systems operated

by contractors throughout the country to process Medicare claims.
The Department of Health and Human Services reported that 23 of
these external mission- critical systems were not deemed Year 2000
compliant as of March 31, 1999. According to the department, it is
in the process of receiving and reviewing certifications from
these external contractors and

expects to know the status of these systems by April 21, 1999.
Reviews of contractors reports of Year 2000 compliance have
disclosed serious problems in the past. We testified in February
that none of HCFA's 54 external mission- critical systems reported
by the Department of Health and Human Services as compliant as of
December 31, 1998, was Year 2000 ready, based on serious
qualifications identified by the independent verification and
validation contractor. 5 Among the many recommendations that we
have made to HCFA in September 1998 is that it define the scope of
an end- to- end test of the claims process and develop plans and a
schedule

for conducting such a test. 6 HCFA agreed and we continue to
review its efforts in this area.

Maritime Search and Rescue: According to an official at the U. S.
Coast Guard, three mission- critical systems used in maritime
search and rescue missions did not meet the March 1999
implementation goal: (1) the Command and Control Personal
Computer, scheduled to be compliant in September 1999, is used to
map search areas, (2) the Digital Global Positioning System,
scheduled to be compliant in April 1999, provides greater search
location accuracy, and (3) voice recorders, due to be

compliant in May 1999, tape records conversations between rescue
response dispatchers and the party requiring assistance.

Indian Health Service: The Department of Health and Human Services
reported that the Indian Health Service's Resource and Patient 4
FAA Computer Systems: Limited Progress on Year 2000 Issue
Increases Risk Dramatically (GAO/AIMD-98-45, January 30, 1998),
FAA Systems: Serious Challenges Remain in Resolving Year 2000 and
Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998),
and GAO/ T- AIMD/ RCED- 99- 118, March 15, 1999. 5 GAO/T-AIMD-99-
89, February 24, 1999.

6 Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998).

Page 10 GAO/T-AIMD-99-144

Management System is scheduled to be compliant by June 30, 1999.
This system provides clinical and administrative information in
the service's health care facilities and supports health care
planning and delivery, management and research.

Defense: We testified in March that while Defense had recently
made progress by providing the controls and guidance needed to fix
and test systems, it was behind schedule. 7 The following are
three examples of

some of these systems. First, the Global Command and Control
System (GCCS) system is deployed at more than 600 sites worldwide
and is Defense's primary system for generating a common operating
picture of the battlefield for planning, executing, and managing
military operations. Completion of the component- level GCCS at
some locations is currently

scheduled for as late as September 30, 1999. Second, the Defense
Switch Network (DSN), scheduled to be completed by September 30,
1999, is the primary long- distance voice communications service
for Defense. DSN provides both dedicated and common- user voice
communications services at all priority levels for command and
control and special command and control users as well as routine
service for administrative users throughout the department.
Finally, the Theater Battle Management Core Systems

(TBMCS) is being developed by the Air Force and is intended to
replace three Year 2000 noncompliant legacy systems. TBMCS is to
be a primary support tool used by theater commanders to provide
information to the warfighter and for peacetime and humanitarian
operations. Because of developmental problems that have resulted
in schedule slippages, the Air Force does not expect to fully
implement TBMCS until September 30, 1999, at the earliest.
Schedule slippages have also caused Air Force to remediate a
legacy system, the Contingency Theater Automation Planning System-
scheduled to be completed in September 1999-- in the event of
further delays to TBMCS.

Status of StateAdministered Federal Human Services Programs Not
Clear

About 25 percent of the federal government's programs designated
as highimpact by OMB are state- administered, such as Food Stamps
and Temporary Assistance for Needy Families. One federal system
that did not make the March implementation target is critical to
the implementation of several of these programs. This system, the
Department of Health and

Human Service's Payment Management System, processes billions of 7
Year 2000 Computing Crisis: Defense Has Made Progress, But
Additional Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999).

Page 11 GAO/T-AIMD-99-144

dollars in grant payments to states and other recipient
organizations for vital programs, such as Medicaid. As we
testified in February 1999, the planned replacement system has
encountered problems since its inception and, as a result, is
still not operational. 8 Consequently, the Department of

Health and Human Services decided to repair the existing system,
which is not expected to be compliant until June 30, 1999. As we
reported in November 1998, many systems that support
stateadministered federal human services programs were at risk and
much work remained to ensure continued services. 9 In February of
this year, we

testified that while some progress had been achieved, many states'
systems were not scheduled to become compliant until the last half
of 1999. 10 Accordingly, we concluded that, given these risks,
business continuity and contingency planning was even more
important in ensuring continuity of program operations and
benefits in the event of systems failures. In January 1999, OMB
required that federal oversight agencies include the status of
selected state human services systems in their quarterly reports.
Specifically, OMB requested that the agencies describe actions to
help ensure that federally supported, state- run programs will be
able to provide services and benefits. OMB further asked that
agencies report the date when each state's systems will be Year
2000 compliant. OMB's latest

quarterly report, issued on March 18, 1999, summarized the
information obtained by the Departments of Agriculture, Health and
Human Services, and Labor on how many state- level organizations
reported that they were compliant or when in 1999 they planned to
be compliant. According to OMB's report, for programs that had
received responses from at least 80

percent of the state- level organizations, the percentage of
states that reported that a program was compliant ranged from 14
percent for Medicaid Management Information Systems to 48 percent
for the Women, Infants, and Children program. According to the OMB
report, for five programs, the Department of Health and Human
Services had not received responses from 44 percent or more of the
state- level organizations.

8 Year 2000 Computing Crisis: Readiness Status of the Department
of Health and Human Services (GAO/T-AIMD-99-92, February 26,
1999). 9 Year 2000 Computing Crisis: Readiness of State Automated
Systems to Support Federal Welfare Programs (GAO/AIMD-99-28,
November 6, 1998). 10 Year 2000 Computing Crisis: Readiness of
State Automated Systems That Support Federal Human Services
Programs (GAO/T-AIMD-99-91, February 24, 1999).

Page 12 GAO/T-AIMD-99-144

Remaining Tasks Vital to Continuity of Federal Operations

While it is important to achieve compliance for individual
mission- critical systems, realizing such compliance alone does
not ensure that business functions will continue to operate
through the change of century-- the ultimate goal of Year 2000
efforts. Going forward, it is imperative that the focus be on the
government's overall readiness to ensure continual services for
the 42 high- impact programs. This can be accomplished by focusing
on ensuring that related systems work together through end- to-
end testing. Moreover, coordinated business continuity and
contingency plans need to be developed and tested.

End- to- End Testing The purpose of end- to- end testing is to
verify that a defined set of interrelated systems, which
collectively support an organizational core business area or
function, will work as intended in an operational

environment. In the case of the year 2000, many systems in the
end- to- end chain will have been modified or replaced. As a
result, the scope and complexity of testing-- and its importance--
are dramatically increased, as is the difficulty of isolating,
identifying, and correcting problems. Our Year

2000 testing guide sets forth a structured approach to testing,
including end- to- end testing. 11

In January 1999, we testified that with the time available for
end- to- end testing diminishing, OMB should consider, for the
government's most critical functions, setting target dates for
developing end- to- end test plans, establishing test schedules,
and completing the tests. 12 This is even more critical today. On
March 31, OMB and the Chair of the President's Council on Year
2000 Conversion emphasized that one of the key priorities that
federal agencies will be pursuing during the rest of 1999 will be
cooperative end- to- end testing efforts to demonstrate the Year
2000 readiness of federal programs with states and other partners
critical to the administration of those programs.

Business Continuity and Contingency Plans Business continuity and
contingency plans are essential. Without such

plans, when unpredicted failures occur, agencies will not have
well- defined responses and may not have enough time to develop
and test alternatives. 11 GAO/ AIMD- 10. 1. 21, November 1998. 12
Year 2000 Computing Crisis: Readiness Improving, But Much Work
Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20,
1999).

Page 13 GAO/T-AIMD-99-144

Federal agencies depend on data provided by their business
partners as well as on services provided by the public
infrastructure (e. g., power, water, transportation, and voice and
data telecommunications). One weak link anywhere in the chain of
critical dependencies can cause major disruptions to business
operations. Given these interdependencies, it is imperative that
contingency plans be developed for all critical core business
processes and supporting systems, regardless of whether these

systems are owned by the agency. Accordingly, in April 1998, we
recommended that the council require agencies to develop
contingency plans for all critical core business processes. 13

OMB has clarified its contingency plan instructions and, along
with the Chief Information Officers Council, has adopted our
business continuity and contingency planning guide. 14 In
particular, on January 26, 1999, OMB

called on federal agencies to identify and report on the high-
level core business functions that are to be addressed in their
business continuity and contingency plans, as well as to provide
key milestones for development and testing of business continuity
and contingency plans, in their February

1999 quarterly reports. Accordingly, in their February 1999
reports, almost all agencies listed their high- level core
business functions. Our review of the 24 major departments and
agencies February 1999 quarterly reports found that business
continuity and contingency planning was generally reported as
being underway. However, we also found cases in which agencies (1)
were in the early stages of business continuity and contingency
planning, (2) did not indicate when they planned to complete and/
or test their plan, or (3) did not intend to finish testing the
plans until

after September 1999. In January 1999, we testified that OMB could
consider setting a target date, such as April 30, 1999, for the
completion of business continuity and contingency plans, and
require agencies to report

on their progress against this milestone, so OMB had more complete
information on this critical issue. 15 To provide assurance that
agencies' business continuity and contingency plans will work if
they are needed, we also suggested that OMB consider requiring
agencies to test their business continuity strategy and set a
target date, such as September 30, 1999, for

the completion of this validation. 13 GAO/AIMD-98-85, April 30,
1998. 14 GAO/ AIMD- 10. 1. 19, August 1998. 15 GAO/T-AIMD-99-50,
January 20, 1999.

Page 14 GAO/T-AIMD-99-144

On March 31, OMB and the Chair of the President's Council on Year
2000 Conversion announced that completing and testing business
continuity and contingency plans as insurance against disruptions
to federal service delivery and operations from Year 2000- related
failures will be one of the key priorities that federal agencies
will be pursuing through the rest of 1999. OMB also announced that
it planned to ask agencies to submit their business continuity and
contingency plans in June. In addition to this action, we would
encourage OMB to implement our previous suggestion and establish a
target date for the validation of these business continuity and
contingency plans.

In summary, progress has been made on the Year 2000 problem, yet a
great deal remains to be accomplished. In particular, complete and
thorough testing is essential to provide reasonable assurance that
new or modified systems process dates correctly and will not
jeopardize an agency's ability to perform core business
operations. Moreover, adequate business

continuity and contingency plans throughout government must be
successfully completed. Further, the federal government, states,
and its other partners must work diligently and cooperatively so
that important

services are not disrupted. Mr. Chairman, this concludes my
statement. I will be pleased to respond to any questions that you
or other members of the Committee may have at this time.

Page 15 GAO/T-AIMD-99-144

Page 16 GAO/T-AIMD-99-144

Attachment Listing of Federal High- Impact Programs and Lead
Agencies Appendi x I

Agency Program

Department of Agriculture Child Nutrition Programs Department of
Agriculture Food Safety Inspection Department of Agriculture Food
Stamps Department of Agriculture Special Supplemental Nutrition
Program for Women, Infants, and Children Department of Commerce
Patent and trademark processing Department of Commerce Weather
Service Department of Defense Military Hospitals Department of
Defense Military Retirement Department of Education Student Aid
Department of Energy Federal electric power generation and
delivery Department of Health and Human Services Child Care
Department of Health and Human Services Child Support Enforcement
Department of Health and Human Services Child Welfare Department
of Health and Human Services Disease monitoring and the ability to
issue warnings Department of Health and Human Services Indian
Health Service Department of Health and Human Services Low Income
Home Energy Assistance Program Department of Health and Human
Services Medicaid Department of Health and Human Services Medicare
Department of Health and Human Services Organ Transplants
Department of Health and Human Services Temporary Assistance for
Needy Families Department of Housing and Urban Development Housing
loans (Government National Mortgage Association) Department of
Housing and Urban Development Section 8 Rental Assistance
Department of Housing and Urban Development Public Housing
Department of Housing and Urban Development FHA Mortgage Insurance
Department of Housing and Urban Development Community Development
Block Grants Department of the Interior Bureau of Indians Affairs
programs Department of Justice Federal Prisons Department of
Justice Immigration Department of Labor Unemployment Insurance
Department of State Passport Applications and Processing
Department of Transportation Air Traffic Control system Department
of Transportation Maritime Search and Rescue Department of the
Treasury Cross- border Inspection Services Department of Veterans
Affairs Veterans' Benefits Department of Veterans Affairs
Veterans' Health Care Federal Emergency Management Agency Disaster
relief Office of Personnel Management Federal Employee Health
Benefits Office of Personnel Management Federal Employee Life
Insurance

(continued)

Attachment Listing of Federal High- Impact Programs and Lead
Agencies

Page 17 GAO/T-AIMD-99-144

Agency Program

Office of Personnel Management Federal Employee Retirement
Benefits Railroad Retirement Board Retired Rail Workers Benefits
Social Security Administration Social Security Benefits U. S.
Postal Service Mail Service

(511751) Let t er

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U. S. General Accounting Office P. O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512- 6000 or by using
fax number (202) 512- 6061, or TDD (202) 512- 2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512- 6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e- mail message with info in the body to: info@ www. gao. gov
or visit GAO's World Wide Web Home Page at: http:// www. gao. gov

United States General Accounting Office Washington, D. C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Mail

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***