Year 2000 Computing Challenge: Labor Has Progressed But Selected Systems
Remain at Risk (Testimony, 05/12/99, GAO/T-AIMD-99-179).

Pursuant to a congressional request, GAO discussed the Department of
Labor's progress in making its 61 mission-critical systems year 2000
compliant, focusing on: (1) the systems operated by states to administer
unemployment benefits payments for Labor's Unemployment Insurance
Service (UIS); and (2) an assessment of the risks faced by the Bureau of
Labor Statistics (BLS).

GAO noted that: (1) Labor has taken action to prepare its 61
mission-critical systems for the change of century; (2) however, with a
little more than 7 months left, Labor remains at risk of systems
disruptions in two of the areas GAO highlighted last fall: making
benefits payments to laid-off workers, and producing labor and economic
statistics; (3) the risk in making benefits payment systems compliant
emanates from Labor's reliance on largely unverified progress reports
from states and on states' capabilities to get the job done; (4) several
State Employment Agencies report that they are not yet compliant; (5)
further, the department acknowledges that 4 of the 23 mission-critical
systems used by BLS contain a non-year 2000-compliant vendor product;
and (6) given these risks, it is important that appropriate contingency
plans be developed to ensure business continuity in the event of system
failures.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-179
     TITLE:  Year 2000 Computing Challenge: Labor Has Progressed But
	     Selected Systems Remain at Risk
      DATE:  05/12/99
   SUBJECT:  Y2K
	     Computer software verification and validation
	     Systems conversions
	     Strategic information systems planning
	     Information resources management
	     Unemployment compensation programs
	     Information systems
	     State-administered programs
	     Data integrity
	     Computer software
IDENTIFIER:  Y2K
	     Unemployment Insurance Program
	     DOL Year 2000 Program

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
ai99179t.book GAO

United States General Accounting Office

Testimony

Before the Subcommittee on Oversight and Investigations, Committee
on Education and the Workforce, House of Representatives

For Release on Delivery Expected at 2 p.m. Wednesday, May 12, 1999

YEAR 2000 COMPUTING CHALLENGE Labor Has Progressed But Selected
Systems Remain at Risk

Statement of Joel C. Willemssen Director, Civil Agencies
Information Systems Accounting and Information Management Division

GAO/T-AIMD-99-179

Page 1 GAO/T-AIMD-99-179

Mr. Chairman and Members of the Subcommittee: We appreciate the
opportunity to share with you today the significant information
technology challenges that the upcoming century change poses to
the Department of Labor in general, and two of its entities in
particular. The Year 2000 (Y2K) computer crisis has rightly
received much attention in recent months; virtually every
organization, public and private, that uses computers is at risk.
1 The change of century is a sweeping and urgent challenge; for
this reason, we have designated the Year 2000 computing problem a
high-risk area for the federal government, 2 and have published
guidance to help organizations successfully address the issue. 3

We reported to this Subcommittee both in July and September of
last year on the department's progress in making its systems Y2K
compliant. Specifically, in July 1998 we reported on the Year 2000
efforts of the Office of Workers' Compensation Programs and the
four mission-critical systems that support it. 4 Our September
1998 testimony identified several areas of risk that remained for
the department: benefits payments to laid-off workers, collecting
labor statistics, and ensuring accurate accounting for pension
benefits. 5

Today, in addition to updating you on the status of Labor's Y2K
program and the progress the department has made in making its 61
mission-critical systems compliant, I will also, as requested,
focus on specific Y2K issues facing two of Labor's major component
organizations. Specifically, I will

1 For the past several decades, computer systems have typically
used two digits to represent the year, such as "98" for 1998, in
order to conserve electronic data storage and reduce operating
costs. In this format, however, 2000 is indistinguishable from
1900 because both are represented as "00." As a result, if not
modified, systems or applications that use dates or perform date-
or time-sensitive calculations may generate incorrect results
beyond 1999.

2 High-Risk Series: Information Management and Technology (GAO/HR-
97-9, February 1997).

3 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-
10.1.14, September 1997), which addresses the key tasks needed to
complete each phase of a Year 2000 program (awareness, assessment,
renovation, validation, and implementation); Year 2000 Computing
Crisis: Business Continuity and Contingency Planning (GAO/AIMD-
10.1.19, August 1998), which describes the tasks needed to ensure
the continuity of agency operations; and Year 2000 Computing
Crisis: A Testing Guide (GAO/AIMD-10.1.21, Exposure Draft, June
1998), which discusses the need to plan and conduct Year 2000
tests in a structured and disciplined fashion.

4 A component of Labor's Employment Standards Administration.

5 Year 2000 Computing Crisis: Progress Made at Department of
Labor, But Key Systems at Risk (GAO/T-AIMD-98-303, September 17,
1998).

Let t er

Page 2 GAO/T-AIMD-99-179

discuss the systems operated by states to administer unemployment
benefits payments for Labor's Unemployment Insurance Service
(UIS), 6

and provide an assessment of the risks faced by the Bureau of
Labor Statistics (BLS)the federal government's principal fact-
finding agency in the broad field of labor economics and
statistics. We performed our work between March and May 1999, in
accordance with generally accepted government auditing standards.

In brief, the Department of Labor has taken action to prepare its
61 mission-critical systems for the change of century. However,
with a little more than 7 months left, Labor remains at risk of
systems disruptions in two of the areas we highlighted last fall:
making benefits payments to laid-off workers and producing labor
and economic statistics.

The risk in making benefits payment systems compliant emanates
from Labor's reliance on largely unverified progress reports from
states and on states' capabilities to get the job done. Several
State Employment Security Agencies (SESA) report that they are not
yet compliant. Further, the department acknowledges that 4 of the
23 mission-critical systems used by BLS contain a non-Y2K-
compliant vendor product. Given these risks, it is important that
appropriate contingency plans be developed to ensure business
continuity in the event of system failures.

Background The Department of Labor has primary responsibility for
overseeing the nation's job training programs and for enforcing a
variety of federal labor

laws. Labor's mission is defined as helping job-seekers find jobs
and helping employers find workers; protecting the retirement and
health care benefits of workers and improving their working
conditions; strengthening free collective bargaining; and tracking
changes in employment, prices, and other national economic
measurements. Labor's diverse functions are carried out through a
decentralized organizational structure made up of 22 component
agencies and more than 1,000 offices nationwide.

The Congress provided Labor with a budget of about $37 billion for
fiscal year 1999 and funded nearly 17,000 staff. About three
quarters of Labor's budget consists of mandatory spending on
income maintenance programs such as the Unemployment Insurance and
Black Lung programs.

6 A component of Labor's Employment and Training Administration.

Page 3 GAO/T-AIMD-99-179

Labor's program activities fall into two major categories:
enhancing worker skills through job training and ensuring worker
protection. A third category relates to developing economic
statistics, such as the following Principal Economic Indices: the
Consumer Price Index (CPI), 7 the Employment Cost Index (ECI), 8
and the Producer Price Index (PPI) , 9 all used to inform and
guide a host of decisions in the private and public sectors. Labor
assists workers in finding jobs under federal-state partnerships,
and also provides temporary income support for laid-off workers
seeking new jobs.

Labor's Risks Require Continuous Management Attention

Labor makes extensive use of complex information technology to
support programmatic requirements, departmentwide communications,
administrative functions, and office automation. It has determined
that without the 61 mission-critical systems for which it must
ensure Year 2000 compliance, it could not effectively carry out
numerous mission-critical functions, including (1) providing
income security to millions of workers through a variety of
benefits programs, (2) administering nationwide employment and
training programs and services, (3) generating vital statistics on
the U.S. economy (such as unemployment rates and the Consumer
Price Index), and (4) providing essential information to the
public on a variety of employment issues (such as the security of
pension plans, occupational injuries and illnesses, and employment
rights).

If Labor's systems are not Year 2000 compliant, the potential
impact could be significant: Billions of dollars in benefits
payments, including unemployment insurance and workers'
compensation, would be at significant risk of disruption; accurate
labor statistics used by both public and private organizations
might not be produced promptly; and the ability

7 The Consumer Price Index is the principal source of information
concerning trends in consumer prices and inflation in the United
States and is one of the nation's most important economic
indicators. The CPI also has a significant impact on the finances
of the federal government because it is used to adjust payments to
Social Security recipients, to federal and military retirees, and
for a number of entitlement programs such as Food Stamps and
school lunches. 8 The Employment Cost Index measures the rate of
change in employee compensation, which includes

wages, salaries, and the employer's cost of employee benefits. It
is used by the Federal Reserve, economic analysts, and economists
in the private sector and academia, as well as in setting and
making pay adjustments for long-term contracts for the Department
of Defense.

9 The Producer Price Index is generated from monthly survey data
to measure average changes in selling prices received by domestic
producers for their output. Government, business, labor,
universities, and other organizations use PPI outputs.

Page 4 GAO/T-AIMD-99-179

to manage the billions of dollars in assets for pension benefits
guarantees for over 40 million workers could be hampered.

Year 2000 Compliance Is a Departmental Priority

Labor recognized several years ago that the upcoming change of
century posed significant challenges, and in May 1996 reported to
the Congress that it had initiated Year 2000 remediation
activities. It reported to the Office of Management and Budget
(OMB) that it completed the awareness phase of its Y2K program
that December. During this time period, the Chief Information
Officer (CIO) designated a Labor Year 2000 project manager, and
together they held a series of briefings with executive staff,
administrative officers, and information technology managers to
ensure that Labor's executives and senior managers were fully
aware of the importance of the Year 2000 problem.

In May 1997, Labor reported to OMB that its CIO had directed each
Labor component to designate Year 2000 project managers. The CIO
and departmental Y2K project manager instituted two levels of
monthly meetings, one with Y2K project managers and another with
the department's information technology managers, to track
progress and share information on Year 2000 project activities.

To keep senior managers informed on an ongoing basis, Y2K status
reports were provided to the Capital Planning Investment Board,
chaired by the CIO and including the heads of major Labor program
agencies and the department's Chief Financial Officer. In August
1997, the department reported to OMB that it had completed
assessing its systems, using a three-tiered structure to evaluate
and rank them in order to prioritize its Year 2000 compliance
work. It assigned the highest priority to mission- critical
systems that would have a direct impact on the public, enforcement
activities, or financial systems such as its benefits payment
systems.

In a memorandum dated December 31, 1997, the Secretary of Labor
made Year 2000 compliance a top departmental priority and directed
steps to accelerate progress in reaching the department's target
goals. The Deputy Secretary has likewise made the agency's Year
2000 progress a priority item in monthly meetings with each
component agency head. In February 1998, Labor established a
monthly exception reporting system, requiring its component
agencies to report any deviations from their Year 2000 plans.
Labor used these reports as early warnings of potential issues
needing attention.

Page 5 GAO/T-AIMD-99-179

Labor has estimated its Year 2000 costs at $55 million; the
department now states that all 61 mission-critical systems met the
OMB target Y2K compliance date of March 31, 1999, and have been
implemented. Table 1 shows the reported status of Labor's mission-
critical systems.

Table 1: Reported Year 2000 Readiness Status of Labor's Mission-
Critical Systems as of March 31, 1999

Note: The mission- critical systems of the Pension Benefit
Guaranty Corporation are not included in Labor's totals. Source:
Department of Labor.

Labor's Unemployment Insurance Service Depends on Reliable
Functioning of State Systems

One of Labor's programs to help unemployed workers is carried out
by the Unemployment Insurance Service (UIS). Enacted over 60 years
ago as part of the Social Security Act of 1935 as a federal-state
partnership, the Unemployment Insurance Program has been a major
source of temporary income support for laid-off workers seeking
work. This program is for many the first economic line of defense
against the effects of unemployment. State Employment Security
Agencies (SESA) operate the program in accordance with their own
state priorities and unemployment compensation laws; each state,
therefore, has substantial control over services provided,
eligibility requirements, and benefits levels. The 53 SESAs
provide these services using varying degrees of automation; in
some states, claims are filed either electronically or over the
telephone, while other states rely on mailed claims or office
visits.

The department and the states share responsibility for
administration of the Unemployment Insurance Program. Labor's UIS
is responsible for establishing broad guidelines (including some
eligibility conditions), general oversight, and administrative
funding. SESAs pay unemployment compensation benefits from the
Unemployment Trust Fund to eligible workers and collect state
unemployment taxes from employers.

Agency Number of systems Repaired Replaced Reported

compliant 3/ 31/ 99

UIS 1 1 0 1 BLS 23 5 18 23 Other 37 22 15 37

Total 61 28 33 61

Page 6 GAO/T-AIMD-99-179

Today, this program covers 97 percent of all wage earners.
Unemployment insurance will pay an estimated $24 billion to
approximately 8 million workers in compensation benefits and
allowances fromthe Unemployment Trust Fund in fiscal year 1999.
(In fiscal year 1998, SESAs collected $22 billion in state
unemployment insurance taxes.) During this same period, SESA staff
will handle over 6 million employer tax accounts, 20 million
initial unemployment claims, almost 137 million weeks claimed, and
1 million appeals.

While Labor's UIS systemwhich collects information from numerous
state sourcesis reported to be compliant, each of the 53 SESAs has
its own benefits system to provide unemployment benefits to laid-
off workers, its own tax system to collect unemployment taxes from
employers, and its own wage record system to track employees'
earnings. Labor's UIS system allows it to measure and monitor
state unemployment insurance performance, workload, and budgeting
activities. If, however, SESAs' benefits systems were to become
inoperable, benefits payments could be jeopardized; if its tax
systems failed, tax collections could suffer. Successful operation
of the benefits and tax functions are heavily dependent upon
complex information systems, a wide range of internal and external
products and services, and the uninterrupted operation of the
major information technology infrastructure. In recognition of its
importance, OMB has recently identified the Unemployment Insurance
program as one of 42 federal programs having a high impact on the
public, and for which Y2K readiness is critical.

January 1999: Vulnerability Demonstrated

In September 1998, we reported that many SESAs were at risk of
failure as early as January 1999 and urged Labor to initiate the
development of realistic contingency plans to ensure continuity of
core business processes in the event of Year 2000-induced
failures. Indeed, four SESA systems were able to avert early Y2K
date problems occurring in January 1999 only by instituting
contingency measures for avoiding disruption of benefits.

All SESAs produce what is known as the benefit-year-end (BYE)
date, used in projecting the end of a claimant's annual
eligibility period. These BYE projections are relied upon
throughout state benefits systems. For claims filed after January
1, 1999, claimants would have a BYE date beyond January 1, 2000.
Systems not able to recognize the year 2000 as a valid date would
assume that claimant benefit eligibility had ended in 1900.
Because of this date vulnerability, Labor had strongly encouraged
SESAs to address this problem first, and provided each with an
initial grant of $1 million or

Page 7 GAO/T-AIMD-99-179

more in fiscal year 1998 to jump-start their efforts. Additional
funding was also made available to SESAs upon submission of
supplemental budget requests. Labor allocations for states through
fiscal year 1999 totaled $245 million.

In spite of the funding and monitoring activities by Labor, four
SESAs' systemsthose of the District of Columbia, Puerto Rico, New
Mexico, and the U.S. Virgin Islandscould have failed if those
systems had not been programmed with an emergency software patch
in December 1998. This patch worked because it provided all
claimants, regardless of their date of application, with the same
BYE date of December 25, 1999. If not for this emergency
workaround, the systems could have been unable to provide a BYE
date for applicants, thus delaying or preventing payment of
benefits. When these SESAs eventually complete their systems'
renovation or replacement, all claimants who received the
erroneous date will have to be identified and their true date
recalculated accurately. Thus far, of the four SESAs using the
software patch, only the District of Columbia has reported that it
has removed the patch and provided claimants with their true BYE
dates.

While the other 49 state agency systems were able to solve the BYE
problem before the December 1998 deadline, much work remains to
make many of their benefits, taxes, and wage record systems
totally compliant and reduce the risk of Year 2000-induced
failures.

Most Recent Status Information Shows Many States Are Not Yet Ready

Table 2 indicates the reported Year 2000 readiness status of SESA
systems as of the end of last year. None of these state systems
are included in Labor's list of 61 mission-critical systems.

Page 8 GAO/T-AIMD-99-179

Table 2: Reported Y2K Readiness Status of SESA Unemployment
Insurance Systems as of December 31, 1998

a There are 53 entities with such systems each state plus the
District of Columbia, Puerto Rico, and the U. S. Virgin Islands.
According to Labor, ready means that the date fields within the
program applications have been converted, either by date field
expansion or by programming logic to correctly interpret dates.
Source: Department of Labor.

The data reflected in table 2as of December 31, 1998represent the
latest quarter for which information is available. According to
these data, completion schedules showed that several state systems
were not scheduled to be Y2K ready until later in 1999.

 Of the 14 SESAs that had not implemented Y2K-ready benefits
systems, 6 planned to do so in the first quarter of 1999, 5 during
the second quarter, 2 during the third quarter, and 1 in the last
quarter.  Of the 29 SESAs that had not implemented Y2K-ready tax
systems,

8 were planning to do so in either the third or fourth quarters.
Four of the 20 SESAs that had not implemented Y2K-ready wage
record

systems were planning to do so in either the third or fourth
quarters. The next official quarterly reportfor the period ending
March 31, 1999 has yet to be issued. With such a relatively large
gap in time between reports, it may be difficult for Labor to
quickly identify and address key state issues. Accordingly, the
department may wish to consider more frequent reporting of state
systems' compliance status.

In addition, Labor cannot be assured of the level of states' Year
2000 progress until independent verification and validation (IV&V)
takes place. Labor requires all SESAs to conduct IV&V reviews of
their unemployment insurance systems in order to provide third-
party certification of Y2K compliance. Labor has set a target date
of July 1, 1999, for completion of IV&V. However, states with
systems scheduled to be Y2K ready in either the third or fourth
quarters will not be able to provide IV&V certifications for their
systems by this deadline.

System Number of systems ready a Percentage ready

Benefits 39 74% Tax 24 45% Wage Record 33 62%

Page 9 GAO/T-AIMD-99-179

Additional Risks Remain to Be Addressed

In the short time remaining until the century change, Labor must
oversee three additional critical dimensions of state systems:
testing, data exchanges, and business continuity and contingency
planning.

Complete and thorough Year 2000 testing is essential to providing
reasonable assurance that systems process dates correctly and will
not jeopardize an organization's ability to perform core business
operations after the century change. Experience is showing that
Year 2000 testing is consuming between 50 and 70 percent of a
project's time and resources. With little more than 230 days left
until 2000, any SESA that falls behind on renovation may find it
difficult to schedule sufficient time for testing.

The need for testing is not limited to an organization's or a
state's internal information systems. The extent of data exchanges
in the unemployment insurance environment is significant, and will
require additional time to coordinate with the many data exchange
partners. As shown in figure 1, a simplified overview of this
environment, many organizations are involved, including employers,
claimants, states, and other federal agencies (e.g., the
Department of the Treasury and the Department of Health and Human
Services (HHS)).

Page 10 GAO/T-AIMD-99-179

Figure 1: SESA Unemployment Insurance Benefits Payment Data
Exchange Environment

Source: Department of Labor.

One of the key systems used in the Unemployment Insurance Program
is the Payment Management System, an administrative funding system
(as opposed to benefits) operated by HHS. As we testified in
February, this system was not Y2K compliant, 10 and is now not
expected to become compliant until June or July. This system is
responsible for some $165 billion annually in federal grants
payments.

10 See Year 2000 Computing Crisis: Readiness Status of the
Department of Health and Human Services (GAO/T-AIMD-99-92,
February 26, 1999).

Claimants Employers State Treasury

Federal Reserve

HHS' Payment Management

System U. S.

Treasury U. S.

Department of L abor

Interfaces Benefits

System Wage

Records System Tax

System State Employment

Security Agency Unemployment Insurance Systems

Page 11 GAO/T-AIMD-99-179

Serving as a fiscal intermediary between awarding agencies and
recipients of grants and contracts, the Payment Management System
processes over half of all federal grants payments. It was
originally created 30 years ago, and has been expanded and
modified several times since. In 1995, a project to replace the
existing system with a new, state-of-the-art automated system
known as the Reengineered Payment Management System was
undertaken. It was anticipated that this new system would be Y2K
compliant and operational by October 1997.

Since its inception, however, the planned system replacement has
encountered problems and, as a result, is still not operational.
For example, when the original contractor failed to meet the
October 1997 schedule, a new contractor was obtained; the
completion date was revised to October 1998also not met.

Because of the replacement system's continuing problems, HHS has
now decided to focus on remediating and testing the existing
Payment Management System. Subsequent to the Payment Management
System's becoming compliant, Labor will need to ensure that the
states and other relevant entities have rigorously tested their
systems with the Payment Management System to make sure that the
electronic transfer of administrative funds to the states will not
be disrupted.

The final critical dimension that Labor will need to monitor
concerns solid business continuity and contingency planning to
ensure that states can still provide services in the event of Year
2000-induced failures. Specifically, every agency must ensure the
continuity of its core business processes by identifying,
assessing, managing, and mitigating its Year 2000 risks. Such
planning should not be limited to internal information systems,
but must rather include the potential Y2K failures of others,
including business partners and infrastructure service providers.
One weak link anywhere in this chain of critical dependencies and
even the most successful Year 2000 program could find itself
powerless against major disruption of business operations.

Last September, Labor advised all SESAs of the importance of
having business continuity and contingency plans in place for
operation of their unemployment insurance programs to prevent the
interruption of benefits should Year 2000-induced problems inhibit
SESAs' abilities to receive claims and issue payments. The
department specifically required that SESAs prepare contingency
plans for their tax and benefits systems. Labor also has required
states to test their business continuity and contingency

Let t er

Page 12 GAO/T-AIMD-99-179

plans and intends to receive monthly reports on these test
activities beginning in August.

Bureau of Labor Statistics: Producer of Critical Trend Data

The Bureau of Labor Statistics is an independent national
statistical agency that collects, processes, analyzes, and
disseminates essential statistical data for the American public,
the Congress, other federal agencies, state and local governments,
business, and labor. BLS produces, among other indices, the
Consumer Price Index (CPI), the principal source of information
concerning trends in consumer prices and inflation in the United
States, and one of the nation's most important economic
indicators. BLS also produces other principal economic indicators,
such as current employment statistics, which are generated monthly
and include detailed data on employment, hours, and earnings, by
industry and geographic area. These estimates serve as components
of the index of leading economic indicators. BLS has eight
regional offices throughout the country, each specializing in the
economy of the region in which it is located. With 23 of Labor's
61 mission-critical systems, BLS' technology environment has more
mission-critical systems than any other single Labor agency.

All Mission-Critical Systems Reported Compliant

When we testified in September 1998, 11 BLS was reporting that 11
of its 23 mission-critical systems were already Year 2000
compliant, 8 were being replaced, and 4 were being repaired. We
noted at that time that failures of these systems could result in
the inability to accurately calculate important national
statistical data promptly. For example, if the CPI system failed
it could affect other federal government operations and programs,
as it is used to determine the basis for adjustments to payments
for Social Security recipients, federal and military retirees, and
a number of entitlement programs.

As of March 31, BLS reported that all of its mission-critical
systems were compliant. While progress has been made with its
systems, Labor recognizes, however, that many more activities need
to be completed before it can be sure that the systems will
perform properly into the next century.

11 GAO/T-AIMD-98-303, September 17, 1998.

Page 13 GAO/T-AIMD-99-179

External Review Identifies Use of Noncompliant Vendor Product

To provide additional quality assurance, the department reached an
agreement with the Office of Inspector General (OIG) to have it
help review Y2K progress and to notify the department as soon as
possible if any Y2K issues arose. The OIG subsequently obtained an
independent contractor to assist in its review of the completeness
and adequacy of Labor's compliance testing.

In the course of its review, the OIG's contractor raised concerns
regarding Labor's decision to use a noncompliant, non-vendor-
supported product in some of BLS' systems. This productknown as
the Customer Information Control System (CICS) version 2.1.2is a
transaction management software product that allows multiple users
to perform transactions from remote terminals sharing the same
database. This noncompliant product supports several mission-
critical BLS systems: the Employment Cost Index, the Locality Pay
System, the Producer Price Index, and the Survey of Occupational
Injuries and Illnesses System. In 1997, the manufacturer
discontinued support of this version. The manufacturer said that
this version is Not Year 2000 Ready and strongly recommended that
customers upgrade to a compliant version and not attempt to use
the noncompliant product into the next century. If customers
decided to use the product, they would do so at their own risk.

According to the BLS Associate Commissioner for Technology and
Survey Processing, BLS staff conducted an assessment and concluded
that its systems would not be affected by the date problems
identified by the manufacturer due to the limited manner in which
BLS used CICS. Labor's IV&V contractor also assessed BLS' use of
this product in its Employment Cost Index system and evaluated it
as low risk. Further, BLS stated that it has restricted any new
system modifications to prevent the unintentional insertion of
programming logic containing a requirement for a date. BLS also
said it performed future-date testing on a parallel system using
the noncompliant version of CICS, finding no problems associated
with its use.

Based on these actions, BLS stated that it made a management
decision to accept a lower level of risk associated with a known
product, rather than take the chance of introducing additional
unknown risks in upgrading the product or accelerating its planned
migration to a new technology platform. However, much of the
documentation supporting BLS' analysis of CICS has not yet been
available for review. BLS has subsequently agreed to provide this
documentation.

Page 14 GAO/T-AIMD-99-179

Independent Verification and Validation Efforts Are Ongoing

According to Labor's guidance, IV&V begins promptly after systems
are deemed compliant. Labor has directed that IV&V be completed
for all mission-critical systems by June 30. In an agreement with
Labor's Chief Information Officer, BLS received permission to use
its own certification laboratory to perform most of its IV&V
testing. The department found the laboratory to be independent and
qualified to perform IV&V services.

According to Labor's most recent Year 2000 quarterly report to
OMB, IV&V was completed for 8 of BLS' mission-critical systems. As
of May 10, the department told us that 6 additional systems had
completed IV&V. As a result, BLS now has 9 systems remaining to
complete IV&V before the June 30 deadline.

BLS Is Still Developing Business Continuity and Contingency Plans

The department required its components to complete business
continuity and contingency plans this month. Testing of these
plans is scheduled to be completed by September.

BLS has submitted draft continuity and contingency plans to the
department. However, according to the department, the draft plans
require substantial revision. Therefore, the department told BLS
to revise the plans and resubmit them by the end of the month.

In summary, Labor has taken action to prepare its mission-critical
systems for the change of century and to oversee states' efforts.
However, the department remains at risk of disruptions in the
areas of making benefits payments to laid-off workers and
producing labor and economic statistics. Given these risks, it is
important to focus carefully on remaining testing activities and
developing appropriate contingency plans to ensure business
continuity in the event of system failures.

This concludes my statement. I would be pleased to respond to any
questions that you or other members of the Subcommittee may have
at this time.

(511744) Let t er

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U.S. General Accounting Office P.O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using
fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e-mail message with info in the body to:

[email protected] or visit GAO's World Wide Web Home Page at:
http://www.gao.gov

United States General Accounting Office Washington, D.C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Mail

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***