Year 2000 Computing Challenge: Important Progress Made, Yet Much Work
Remains to Ensure Delivery of Critical Services (Testimony, 08/13/1999,
GAO/T-AIMD-99-266).

Because of the urgent nature of the Year 2000 computer crisis and the
potentially devastating impact it could have on government operations,
GAO has included the Year 2000 problem on its list of high-risk areas
within the federal government. GAO has issued more than 130 reports and
congressional testimony on the Year 2000 readiness of a wide range of
federal agencies. GAO has also issued guidance to help organizations
successfully address the issue. This testimony highlights the years 2000
risks facing the nation, discusses the federal government's progress and
challenges that remain in correcting its systems, identifies state and
local government Year 2000 issues, and provides an overview of available
information on the readiness of key public infrastructure and economic
sectors.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-266
     TITLE:  Year 2000 Computing Challenge: Important Progress Made,
	     Yet Much Work Remains to Ensure Delivery of Critical
	     Services
      DATE:  08/13/1999
   SUBJECT:  Computer software verification and validation
	     Systems conversions
	     Y2K
	     Computer software
	     State-administered programs
	     Information resources management
	     Strategic information systems planning
	     Data integrity
	     Federal/state relations
	     Systems compatibility
IDENTIFIER:  Y2K

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************

    United States General Accounting Office GAO
    Testimony Before the Subcommittee on Government Management,
    Information and Technology, Committee on Government Reform, House
    of Representatives For Release on Delivery Expected at
    YEAR 2000 COMPUTING 9 a.m. PDT Friday,
    CHALLENGE August 13, 1999 Important Progress Made, Yet Much Work
    Remains to Ensure Delivery of Critical Services Statement of Joel
    C. Willemssen Director, Civil Agencies Information Systems
    Accounting and Information Management Division GAO/T-AIMD-99-266
    Mr. Chairman and Members of the Subcommittee: Thank you for
    inviting us to participate in today's hearing on the Year 2000
    problem.  According to the report of the President's Commission on
    Critical Infrastructure Protection, the United States-with close
    to half of all computer capacity and 60 percent of Internet
    assets-is the world's most advanced and most dependent user of
    information technology.1 Should these systems-which perform
    functions and services critical to our nation-suffer problems, it
    could create widespread disruption. Accordingly, the upcoming
    change of century is a sweeping and urgent challenge for public-
    and private-sector organizations alike. Because of its urgent
    nature and the potentially devastating impact it could have on
    critical government operations, in February 1997 we designated the
    Year 2000 problem a high-risk area for the federal government.2
    Since that time, we have issued over 130 reports and testimony
    statements detailing specific findings and numerous
    recommendations related to the Year 2000 readiness of a wide range
    of federal agencies.3  We have also issued guidance to help
    organizations successfully address the issue.4 Today, I will
    highlight the Year 2000 risks facing the nation, discuss the
    federal government's progress and challenges that remain in
    correcting its systems, identify state and local government Year
    2000 issues, and provide an overview of available information on
    the readiness of key public infrastructure and economic sectors.
    1Critical Foundations:  Protecting America's Infrastructures
    (President's Commission on Critical Infrastructure Protection,
    October 1997). 2High-Risk Series:  Information Management and
    Technology (GAO/HR-97-9, February 1997). 3A list of these
    publications is included as an attachment to this statement.
    These publications can be obtained through GAO's World Wide Web
    page at www.gao.gov/y2kr.htm. 4Year 2000 Computing Crisis:  An
    Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
    February 1997 and in final form in September 1997), which
    addresses the key tasks needed to complete each phase of a Year
    2000 program (awareness, assessment, renovation, validation, and
    implementation); Year 2000 Computing Crisis:  Business Continuity
    and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure
    draft in March 1998 and in final form in August 1998), which
    describes the tasks needed to ensure the continuity of agency
    operations; and Year 2000 Computing Crisis:  A Testing Guide
    (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998 and in
    final form in November 1998), which discusses the need to plan and
    conduct Year 2000 tests in a structured and disciplined fashion.
    Letter    Page 1
    GAO/T-AIMD-99-266 The Public Faces Risk  The public faces the risk
    that critical services provided by the government of Year 2000
    and the private sector could be severely disrupted by the Year
    2000 computing problem.  Financial transactions could be delayed,
    flights Disruptions                      grounded, power lost, and
    national defense affected.  Moreover, America's infrastructures
    are a complex array of public and private enterprises with many
    interdependencies at all levels.  These many interdependencies
    among governments and within key economic sectors could cause a
    single failure to have adverse repercussions in other sectors.
    Key sectors that could be seriously affected if their systems are
    not Year 2000 compliant include information and
    telecommunications; banking and finance; health, safety, and
    emergency services; transportation; power and water; and
    manufacturing and small business. The following are examples of
    some of the major disruptions the public and private sectors could
    experience if the Year 2000 problem is not corrected. * With
    respect to aviation, there could be grounded or delayed flights,
    degraded safety, customer inconvenience, and increased airline
    costs.5 * Aircraft and other military equipment could be grounded
    because the computer systems used to schedule maintenance and
    track supplies may not work.  Further, the Department of Defense
    could incur shortages of vital items needed to sustain military
    operations and readiness.6 * Medical devices and scientific
    laboratory equipment may experience problems beginning January 1,
    2000, if their software applications or embedded chips use two-
    digit fields to represent the year. Recognizing the seriousness of
    the Year 2000 problem, on February 4, 1998, the President signed
    an executive order that established the President's Council on
    Year 2000 Conversion, chaired by an Assistant to the President and
    consisting of one representative from each of the executive
    departments and from other federal agencies as may be determined
    by the Chair.  The Chair of the Council was tasked with the
    following Year 2000 roles:  (1) overseeing the activities of
    agencies, (2) acting as chief spokesperson in national and
    international forums, (3) providing policy 5FAA Systems:  Serious
    Challenges Remain in Resolving Year 2000 and Computer Security
    Problems (GAO/T-AIMD-98-251, August 6, 1998) and Year 2000
    Computing Crisis:  FAA Is Making Progress But Important Challenges
    Remain (GAO/T-AIMD/RCED-99-118, March 15, 1999). 6Defense
    Computers:  Year 2000 Computer Problems Threaten DOD Operations
    (GAO/AIMD-98-72, April 30, 1998). Letter         Page 2
    GAO/T-AIMD-99-266 coordination of executive branch activities with
    state, local, and tribal governments, and (4) promoting
    appropriate federal roles with respect to private-sector
    activities. Improvements Made     Addressing the Year 2000 problem
    is a tremendous challenge for the federal But Much Work
    government. Many of the federal government's computer systems were
    originally designed and developed 20 to 25 years ago, are poorly
    Remains               documented, and use a wide variety of
    computer languages, many of which are obsolete.  Some applications
    include thousands, tens of thousands, or even millions of lines of
    code, each of which must be examined for date-format problems. To
    meet this challenge and monitor individual agency efforts, the
    Office of Management and Budget (OMB) directed the major
    departments and agencies to submit quarterly reports on their
    progress, beginning May 15, 1997.  These reports contain
    information on where agencies stand with respect to the
    assessment, renovation, validation, and implementation of mission-
    critical systems, as well as other management information on items
    such as costs and business continuity and contingency plans. The
    federal government's most recent reports show improvement in
    addressing the Year 2000 problem.  While much work remains, the
    federal government has significantly increased its percentage of
    mission-critical systems that are reported to be Year 2000
    compliant, as figure 1 illustrates. In particular, while the
    federal government did not meet its goal of having all mission-
    critical systems compliant by March 1999, as of mid-May 1999, 93
    percent of these systems were reported compliant. Page 3
    GAO/T-AIMD-99-266 Figure 1:  Mission-Critical Systems Reported
    Year 2000 Compliant, May 1997 Through May 1999 100%
    93% 90% 79% 80% 70%
    61% 60%
    50% 50%                                               40% 35% 40%
    27% 30% 21% 19% 20% 10% 0% May-97     Aug-97      Nov-97     Feb-
    98      May-98     Aug-98      Nov-98      Feb-99     M ay-99
    Source:  May 1997 through May 1999 data are from the OMB quarterly
    reports. While this reported progress is notable, OMB also noted
    that 10 agencies have mission-critical systems that were not yet
    compliant.7  In addition, as we testified in April, some of the
    systems that were not yet compliant support vital government
    functions.8  For example, some of the systems that were not
    compliant were among the 26 mission-critical systems that the
    Federal Aviation Administration (FAA) has identified as posing the
    greatest risk to the National Airspace System-the network of
    equipment, facilities, and information that supports U.S. aviation
    operations. Additionally, not all systems have undergone an
    independent verification and validation process.  For example, in
    April 1999 the Department of Commerce awarded a contract for
    independent verification and validation reviews of approximately
    40 mission-critical systems that support that 7The 10 agencies
    were the Departments of Agriculture, Commerce, Defense, Energy,
    Health and Human Services, Justice, Transportation, and the
    Treasury and the National Aeronautics and Space Administration and
    the U.S. Agency for International Development. 8Year 2000
    Computing Challenge:  Federal Government Making Progress But
    Critical Issues Must Still Be Addressed to Minimize Disruptions
    (GAO/T-AIMD-99-144, April 14, 1999). Page 4
    GAO/T-AIMD-99-266 department's most critical business processes.
    These reviews are to continue through the summer of 1999.  In some
    cases, independent verification and validation of compliant
    systems have found serious problems.  For example, as we testified
    this past February,9 none of 54 external mission-critical systems
    of the Health Care Financing Administration reported by the
    Department of Health and Human Services (HHS) as compliant as of
    December 31, 1998, was Year 2000 ready at that time, based on
    serious qualifications identified by the independent verification
    and validation contractor. Reviews Show Uneven        While the
    overall Year 2000 readiness of the government has improved, our
    Federal Agency Progress    reviews of federal agency Year 2000
    programs have found uneven progress. Some agencies had made good
    progress while other agencies were significantly behind schedule
    but had taken actions to improve their readiness.  For example: *
    In October 1997, we reported that while the Social Security
    Administration (SSA) had made significant progress in assessing
    and renovating mission-critical mainframe software, certain areas
    of risk in its Year 2000 program remained.10  Accordingly, we made
    several recommendations to address these risk areas, which
    included the Year 2000 compliance of the systems used by the 54
    state Disability Determination Services11 that help administer the
    disability programs. SSA agreed with these recommendations and, in
    July 1999, we reported that actions to implement these
    recommendations had either been taken or were underway.12   For
    example, regarding the state Disability Determination Services
    systems, SSA enhanced its monitoring and oversight by establishing
    a full-time project team, designating project managers and
    coordinators, and requesting biweekly reports. While actions such
    as these demonstrated SSA's leadership in addressing the Year 2000
    problem, it still needed to complete critical tasks to ensure
    9Year 2000 Computing Crisis:  Readiness Status of the Department
    of Health and Human Services (GAO/T-AIMD-99-92, February 26,
    1999). 10Social Security Administration:  Significant Progress
    Made in Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6,
    October 22, 1997). 11These include the systems in all 50 states,
    the District of Columbia, Guam, Puerto Rico, and the Virgin
    Islands. 12Social Security Administration:  Update on Year 2000
    and Other Key Information Technology Initiatives (GAO/T-AIMD-99-
    259, July 29, 1999). Page 5
    GAO/T-AIMD-99-266 readiness, including (1) ensuring the compliance
    of all external data exchanges, (2) completing tasks outlined in
    its contingency plans, (3) certifying the compliance of one
    remaining mission-critical system, (4) completing hardware and
    software upgrades in the Office of Telecommunications and Systems
    Operations, and (5) correcting date field errors identified
    through its quality assurance process. * In May 1999, we
    testified13 that the Department of Education had made progress
    toward addressing the significant risks we had identified in
    September 199814 related to systems testing, exchanging data with
    internal and external partners, and developing business continuity
    and contingency plans.  Nevertheless, work remained ongoing in
    these areas.  For example, Education had scheduled a series of
    tests with its data exchange partners, such as schools, through
    the early part of the fall.  Tests such as these are important
    since Education's student financial aid environment is very large
    and complex, including over 7,000 schools, 6,500 lenders, and 36
    guaranty agencies, as well as other federal agencies; we have
    reported that Education has experienced serious data integrity
    problems in the past.15  Accordingly, our May testimony stated
    that Education needed to continue end-to-end testing of critical
    business processes involving Education's internal systems and its
    external data exchange partners and continue its outreach
    activities with schools, guaranty agencies, and other participants
    in the student financial aid community. * Our work has shown that
    the Department of Defense and the military services face
    significant problems.16  This March we testified that despite
    considerable progress made in the preceding 3 months, the
    department was still well behind schedule.17  We found that the
    Department of Defense faced two significant challenges:  (1)
    completing 13Year 2000 Computing Challenge:  Education Taking
    Needed Actions But Work Remains (GAO/T-AIMD-99-180, May 12, 1999).
    14Year 2000 Computing Crisis:  Significant Risks Remain to
    Department of Education's Student Financial Aid Systems (GAO/T-
    AIMD-98-302, September 17, 1998). 15Student Financial Aid
    Information:  Systems Architecture Needed to Improve Programs'
    Efficiency (GAO/AIMD-97-122, July 29, 1997). 16Defense Computers:
    Year 2000 Computer Problems Put Navy Operations at Risk (GAO/AIMD-
    98-150, June 30, 1998); Defense Computers:  Army Needs to Greatly
    Strengthen Its Year 2000 Program (GAO/AIMD-98-53, May 29, 1998);
    GAO/AIMD-98-72, April 30, 1998; and Defense Computers:  Air Force
    Needs to Strengthen Year 2000 Oversight (GAO/AIMD-98-35, January
    16, 1998). 17Year 2000 Computing Crisis:  Defense Has Made
    Progress, But Additional Management Controls Are Needed (GAO/T-
    AIMD-99-101, March 2, 1999). Page 6
    GAO/T-AIMD-99-266 remediation and testing of its mission-critical
    systems and (2) having a reasonable level of assurance that key
    processes will continue to work on a day-to-day basis and key
    operational missions necessary for national defense can be
    successfully accomplished.  We concluded that such assurance could
    only be provided if Defense took steps to improve its visibility
    over the status of key business processes. End-to-End Testing Must
    Be  While it is important to achieve compliance for individual
    mission-critical Completed                          systems,
    realizing such compliance alone does not ensure that business
    functions will continue to operate through the change of century-
    the ultimate goal of Year 2000 efforts.  The purpose of end-to-end
    testing is to verify that a defined set of interrelated systems,
    which collectively support an organizational core business area or
    function, will work as intended in an operational environment.  In
    the case of the year 2000, many systems in the end-to-end chain
    will have been modified or replaced.  As a result, the scope and
    complexity of testing-and its importance-are dramatically
    increased, as is the difficulty of isolating, identifying, and
    correcting problems.  Consequently, agencies must work early and
    continually with their data exchange partners to plan and execute
    effective end-to-end tests. (Our Year 2000 testing guide sets
    forth a structured approach to testing, including end-to-end
    testing.18) In January, we testified that with the time available
    for end-to-end testing diminishing, OMB should consider, for the
    government's most critical functions, setting target dates, and
    having agencies report against them, for the development of end-
    to-end test plans, the establishment of test schedules, and the
    completion of the tests.19  On March 31, OMB and the Chair of the
    President's Council on Year 2000 Conversion announced that one of
    the key priorities that federal agencies will be pursuing during
    the rest of 1999 will be cooperative end-to-end testing to
    demonstrate the Year 2000 readiness of federal programs with
    states and other partners. Agencies have also acted to address
    end-to-end testing.  For example, our March FAA testimony20 found
    that the agency had addressed our prior 18GAO/AIMD-10.1.21,
    November 1998. 19Year 2000 Computing Crisis:  Readiness Improving,
    But Much Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-
    50, January 20, 1999). 20GAO/T-AIMD/RCED-99-118, March 15, 1999.
    Page 7
    GAO/T-AIMD-99-266 concerns about the lack of detail in its draft
    end-to-end test program plan and had developed a detailed end-to-
    end testing strategy and plans.21  Also, in June 1999 we
    reported22 that the Department of Defense had underway or planned
    hundreds of related Year 2000 end-to-end test and evaluation
    activities and that, thus far, it was taking steps to ensure that
    these related end-to-end tests were effectively coordinated.
    However, we concluded that the Department of Defense was far from
    successfully finishing its various Year 2000 end-to-end test
    activities and that it must complete efforts to establish end-to-
    end management controls, such as establishing an independent
    quality assurance program. Business Continuity and     Business
    continuity and contingency plans are essential.  Without such
    Contingency Plans Are       plans, when unpredicted failures
    occur, agencies will not have well-defined Needed
    responses and may not have enough time to develop and test
    alternatives. Federal agencies depend on data provided by their
    business partners as well as on services provided by the public
    infrastructure (e.g., power, water, transportation, and voice and
    data telecommunications).  One weak link anywhere in the chain of
    critical dependencies can cause major disruptions to business
    operations.  Given these interdependencies, it is imperative that
    contingency plans be developed for all critical core business
    processes and supporting systems, regardless of whether these
    systems are owned by the agency.  Accordingly, in April 1998 we
    recommended that the Council require agencies to develop
    contingency plans for all critical core business processes.23 OMB
    has clarified its contingency plan instructions and, along with
    the Chief Information Officers Council, has adopted our business
    continuity and contingency planning guide.24  In particular, on
    January 26, 1999, OMB called on federal agencies to identify and
    report on the high-level core business functions that are to be
    addressed in their business continuity and contingency plans, as
    well as to provide key milestones for development and testing of
    such plans in their February 1999 quarterly reports.  In 21GAO/T-
    AIMD-98-251, August 6, 1998. 22Defense Computers:  Management
    Controls Are Critical to Effective Year 2000 Testing (GAO/AIMD-99-
    172, June 30, 1999). 23Year 2000 Computing Crisis:  Potential for
    Widespread Disruption Calls for Strong Leadership and Partnerships
    (GAO/AIMD-98-85, April 30, 1998). 24GAO/AIMD-10.1.19, August 1998.
    Page 8
    GAO/T-AIMD-99-266 addition, on May 13 OMB required agencies to
    submit high-level versions of these plans by June 15.  According
    to an OMB official, OMB has received plans from the 24 major
    departments and agencies.  This official stated that OMB planned
    to review the plans, discuss them with the agencies, determine
    whether there were any common themes, and report on the plans'
    status in its next quarterly report. To provide assurance that
    agencies' business continuity and contingency plans will work if
    needed, on January 20 we suggested that OMB may want to consider
    requiring agencies to test their business continuity strategy and
    set a target date, such as September 30, 1999, for the completion
    of this validation. 25  Our review of the 24 major departments and
    agencies' May 1999 quarterly reports found 14 cases in which
    agencies did not identify test dates for their business continuity
    and contingency plans or reported test dates subsequent to
    September 30, 1999. On March 31, OMB and the Chair of the
    President's Council announced that completing and testing business
    continuity and contingency plans as insurance against disruptions
    to federal service delivery and operations from Year 2000-related
    failures will be one of the key priorities that federal agencies
    will be pursuing through the rest of 1999.  Accordingly, OMB
    should implement our suggestion and establish a target date for
    the validation of agency business continuity and contingency
    plans. Our reviews of specific agency business continuity and
    contingency plans have found that agencies are in varying stages
    of completion.  For example: * We testified in July 1999 that SSA
    was in the process of testing all of its contingency plans, with
    expected completion in September.26  In addition, SSA planned to
    assist the Department of the Treasury in developing alternative
    disbursement processes for problematic financial institutions. *
    This June, we testified that the U.S. Customs Service had
    implemented sound management processes for developing business
    continuity and contingency plans and was in the process of testing
    its plans.27  Customs expected to complete contingency plan
    testing by October 1999. 25GAO/T-AIMD-99-50, January 20, 1999.
    26GAO/T-AIMD-99-259, July 29, 1999. 27Year 2000 Computing Crisis:
    Customs Is Making Good Progress (GAO/T-AIMD-99-225, June 29,
    1999). Page 9
    GAO/T-AIMD-99-266 * In May 1999, we reported28 that the Department
    of Agriculture's component agencies were actively engaged in
    developing business continuity and contingency plans but that much
    work remained to complete and test these plans.  Further, its
    December 1999 departmentwide goal of completing business
    continuity and contingency plans left no room for delays or
    sufficient time for correcting, revising, and retesting plans, if
    necessary.  Consequently, we recommended that the Department of
    Agriculture advance its time frame to no later than September 30,
    1999, and develop priorities for completing and testing business
    continuity and contingency plans that are aligned with the
    department's highest priority business processes, to ensure that
    remaining work addresses these processes first.  The Department of
    Agriculture's Chief Information Officer stated that the department
    planned to implement our recommendations. * This June, we
    reported29 that the General Services Administration had completed
    its telecommunications business continuity and contingency plan in
    September 1998.  However, we made several suggestions for
    enhancing this plan, including that the General Services
    Administration work with its customers to ensure that the
    customers' business continuity and contingency plans are fully
    coordinated with the General Services Administration's plan and
    that it consider the possibility of partial loss of service.  The
    General Services Administration agreed to implement our
    suggestions. OMB Action Could Help              While individual
    agencies have been identifying and remediating Ensure Business
    Continuity  mission-critical systems, the government's future
    actions need to be of High-Impact Programs            focused on
    its high-priority programs and ensuring the continuity of these
    programs, including the continuity of federal programs that are
    administered by states.  Accordingly, governmentwide priorities
    need to be based on such criteria as the potential for adverse
    health and safety effects, adverse financial effects on American
    citizens, detrimental effects on national security, and adverse
    economic consequences.  In April 1998, we recommended that the
    President's Council on Year 2000 Conversion 28Year 2000 Computing
    Crisis:  USDA Needs to Accelerate Time Frames for Completing
    Contingency Planning (GAO/AIMD-99-178, May 21, 1999). 29GSA's
    Effort to Develop Year 2000 Business Continuity and Contingency
    Plans for Telecommunications Systems (GAO/AIMD-99-201R, June 16,
    1999). Page 10
    GAO/T-AIMD-99-266 establish governmentwide priorities and ensure
    that agencies set agencywide priorities.30 On March 26, OMB
    implemented our recommendation by issuing a memorandum to federal
    agencies designating lead agencies for the government's 42 high-
    impact programs (e.g., food stamps, Medicare, and federal electric
    power generation and delivery).  (OMB later added a 43rd high-
    impact program-the Department of Justice's National Crime
    Information Center.)  Appendix I lists these programs and their
    lead agencies.  For each program, the lead agency was charged with
    identifying to OMB the partners integral to program delivery;
    taking a leadership role in convening those partners; assuring
    that each partner has an adequate Year 2000 plan and, if not,
    helping each partner without one; and developing a plan to ensure
    that the program will operate effectively. According to OMB, such
    a plan might include testing data exchanges across partners,
    developing complementary business continuity and contingency
    plans, sharing key information on readiness with other partners
    and the public, and taking other steps necessary to ensure that
    the program will work.  OMB directed the lead agencies to provide
    a schedule and milestones of key activities in their plans by
    April 15.  OMB also asked agencies to provide monthly progress
    reports.  As you know, we are currently reviewing agencies'
    progress in ensuring the readiness of their high-impact programs
    for this Subcommittee. State and Local           Just as the
    federal government faces significant Year 2000 risks, so too do
    Governments Face          state and local governments.  If the
    Year 2000 problem is not properly addressed, for example, (1) food
    stamps and other types of payments may Significant Year 2000
    not be made or could be made for incorrect amounts, (2) date-
    dependent Risks                     signal timing patterns could
    be incorrectly implemented at highway intersections, with safety
    severely compromised, and (3) prisoner release or parole
    eligibility determinations may be adversely affected.
    Nevertheless, available information on the Year 2000 readiness of
    state and local governments indicates that much work remains.
    According to information on state Year 2000 activities reported to
    the National Association of State Information Resource Executives
    as of 30GAO/AIMD-98-85, April 30, 1998. Page 11
    GAO/T-AIMD-99-266 August 3, 1999,31 states32 reported having
    thousands of mission-critical systems.33  With respect to
    completing the implementation phase for these systems, *2 s t a t
    e s 34 reported that they had completed between 25 and 49 percent,
*6 s t a t e s 35 reported completing between 50 and 74 percent, *
    38 states36 reported completing between 75 and 99 percent, and * 3
    states reported completing the implementation phase for all
    mission-critical systems.37 All of the states responding to the
    National Association of State Information Resource Executives
    survey reported that they were actively engaged in internal and
    external contingency planning and that they had established target
    dates for the completion of these plans; 14 states (28 percent)
    reported the deadline as October 1999 or later. State audit
    organizations have also identified significant Year 2000 concerns.
    In January, the National State Auditors Association reported on
    the results of its mid-1998 survey of Year 2000 compliance among
    states.38 This report stated that for the 12 state audit
    organizations that provided Year 2000-related reports, concerns
    had been raised in areas such as planning, testing, embedded
    systems, business continuity and contingency planning, and the
    adequacy of resources to address the problem. 31Individual states
    submit periodic updates to the National Association of State
    Information Resource Executives.  For the August 3 report, over
    three quarters of the states submitted their data after July 1,
    1999.  The oldest data were provided on March 11 and the most
    recent data on August 2. 32In the context of the National
    Association of State Information Resource Executives survey, the
    term "states" includes the District of Columbia and Puerto Rico.
    33Mission-critical systems were defined as those that a state had
    identified as priorities for prompt remediation. 34One state
    reported on its mission-critical systems and one state reported on
    its processes. 35Five states reported on their mission-critical
    systems and one reported on all systems. 36Thirty-one states
    reported on their mission-critical systems, 2 states reported on
    their applications, 1 reported on its "priority business
    activities," 1 reported on its "critical compliance units," 1
    reported on all systems, 1 reported on functions, and 1 reported
    on projects. 37Two states did not respond to the survey and one
    did not respond to this question. 38Year 2000:  State Compliance
    Efforts (National State Auditors Association, January 1999). Page
    12
    GAO/T-AIMD-99-266 We identified additional products by 17 state-
    level audit organizations and Guam that discussed the Year 2000
    problem and that had been issued since October 1, 1998.  Several
    of these state-level audit organizations noted that progress had
    been made.  However, the audit organizations also expressed
    concerns that were consistent with those reported by the National
    State Auditors Association.  For example: * In December 1998 the
    Vermont State Auditor reported39 that the state Chief Information
    Officer did not have a comprehensive control list of the state's
    information technology systems.  Accordingly, the audit office
    stated that even if all mission-critical state systems were
    checked, these systems could be endangered by information
    technology components that had not been checked or by linkages
    with the state's external electronic partners. * In April, New
    York's Division of Management Audit and State Financial Services
    reported that state agencies did not adequately control the
    critical process of testing remediated systems.40  Further, most
    agencies were in the early stages of addressing potential problems
    related to data exchanges and embedded systems and none had
    completed substantive work on contingency planning.  The New York
    audit office subsequently issued 27 reports on individual mission-
    critical and high-priority systems that included concerns about,
    for example, contingency planning and testing. * In March,
    Oregon's Audits Division reported41 that 11 of the 12 state
    agencies reviewed did not have business continuity plans
    addressing potential Year 2000 problems for their core business
    functions. * In March, North Carolina's State Auditor reported42
    that resource restrictions had limited the state's Year 2000
    Project Office's ability to verify data reported by state
    agencies. 39Vermont State Auditor's Report on State Government's
    Year 2000 Preparedness (Y2K Compliance) for the Period Ending
    November 1, 1998 (Office of the State Auditor, December 31, 1998).
    40New York's Preparation for the Year 2000:  A Second Look (Office
    of the State Comptroller, Division of Management Audit and State
    Financial Services, Report 98-S-21, April 5, 1999). 41Department
    of Administrative Services Year 2000 Statewide Project Office
    Review (Secretary of State, Audits Division, State of Oregon
    Report No. 99-05, March 16, 1999). 42Department of Commerce,
    Information Technology Services Year 2000 Project Office (Office
    of the State Auditor, State of North Carolina, March 18, 1999).
    Page 13
    GAO/T-AIMD-99-266 With respect to California, in February, the
    California State Auditor reported43 that state agencies were
    making progress in ensuring the uninterrupted delivery of critical
    services but that many of the 14 agencies that provide the most
    critical services had not completed their Year 2000 efforts.
    Eleven agencies had not completely tested their computer systems
    and 7 had not corrected or replaced embedded systems.  For
    example, key agencies responsible for emergency services,
    corrections, and water resources had not fully addressed embedded
    technology-related threats. Regarding emergency services, the
    California report stated that if remediation of the embedded
    technology in its networks was not completed, the Office of
    Emergency Services might have to rely on cumbersome manual
    processes, significantly increasing response time to disasters. It
    is also essential that local government systems be ready for the
    change of century since critical functions involving, for example,
    public safety and traffic management are performed at the local
    level.  Recent reports on local governments have highlighted Year
    2000 concerns.  For example: * On July 15, we reported on the
    reported Year 2000 status of the 21 largest U.S. cities.44  On
    average, cities reported completing work for 45 percent of the key
    service areas in which they have responsibility.  In addition, 2
    cities reported that they had completed their Year 2000 efforts, 9
    cities expected to complete their Year 2000 preparations by
    September 30, 1999, and the remaining 10 cities expected to
    complete their preparation by December 31.45  In addition, 7
    cities reported completing Year 2000 contingency plans, while 14
    cities reported that their plans were still being developed. * On
    July 9, the National League of Cities reported on its survey of
    403 cities conducted in April 1999.  This survey found that (1) 92
    percent of cities had a citywide Year 2000 plan, (2) 74 percent
    had completed their assessment of critical systems, and (3) 66
    percent had prepared contingency plans.  (Of those that had not
    completed such plans, about half stated that they were planning to
    develop one.)  In addition, 43Year 2000 Computer Problem: The
    State's Agencies Are Progressing Toward Compliance but Key Steps
    Remain Incomplete (California State Auditor, February 18, 1999).
    44Reported Y2K Status of the 21 Largest U.S. Cities (GAO/AIMD-99-
    246R, July 15, 1999). 45In most cities, the majority of city
    services are scheduled to be completed before this completion
    date. For example, Los Angeles plans to have all key city systems
    ready by September 30, except for its wastewater treatment
    systems, which are expected to be completed in November. Page 14
    GAO/T-AIMD-99-266 92 percent of the cities reported that they
    expect that all of their critical systems will be compliant by
    January 1, 2000; 5 percent expected to have completed between 91
    and 99 percent, and 3 percent expected to have completed between
    81 and 90 percent of their critical systems by January 1. * On
    June 23, the National Association of Counties announced the
    results of its April survey of 500 randomly selected counties.
    This survey found that (1) 74 percent of respondents had a
    countywide plan to address Year 2000 issues, (2) 51 percent had
    completed system assessments, and (3) 27 percent had completed
    system testing.  In addition, 190 counties had prepared
    contingency plans and 289 had not.  Further, of the 114 counties
    reporting that they planned to develop Year 2000 contingency
    plans, 22 planned to develop the plan in April-June, 64 in July-
    September, 18 in October-December, and 10 did not yet know. Of
    critical importance to the nation are services essential to the
    safety and well-being of individuals across the country, namely 9-
    1-1 systems and law enforcement.  For the most part,
    responsibility for ensuring continuity of service for 9-1-1 calls
    and law enforcement resides with thousands of state and local
    jurisdictions.  On April 29, we testified that not enough was
    known about the status of either 9-1-1 systems or of state and
    local law enforcement activities to conclude about either's
    ability during the transition to the year 2000 to meet the public
    safety and well-being needs of local communities across the
    nation.46  While the federal government planned additional actions
    to determine the status of these areas, we stated that the
    President's Council on Year 2000 Conversion should use such
    information to identify specific risks and develop appropriate
    strategies and contingency plans to respond to those risks. We
    subsequently reported47 that the Federal Emergency Management
    Agency and the Department of Justice have worked to increase the
    response rate to a survey of public safety organizations.  As of
    June 30, 1999, of the over 2,200 9-1-1 sites responding, 37
    percent reported that they were ready for the year 2000.  Another
    55 percent responded that they expected to be Year 2000 compliant
    in time for the change of century. 46Year 2000 Computing
    Challenge:  Status of Emergency and State and Local Law
    Enforcement Systems Is Still Unknown (GAO/T-AIMD-99-163, April 29,
    1999). 47Emergency and State and Local Law Enforcement Systems:
    Committee Questions Concerning Year 2000 Challenges (GAO/AIMD-99-
    247R, July 14, 1999). Page 15
    GAO/T-AIMD-99-266 Recognizing the seriousness of the Year 2000
    risks facing state and local governments, the President's Council
    has developed initiatives to address the readiness of state and
    local governments.  For example: * The Council established working
    groups on state and local governments and tribal governments. *
    Council officials participate in monthly multistate conference
    calls. * In July 1998 and March 1999, the Council, in partnership
    with the National Governors' Association, convened Year 2000
    summits with state and U.S. territory Year 2000 coordinators. * On
    May 24, the Council announced a nationwide campaign to promote
    "Y2K Community Conversations" to support and encourage efforts of
    government officials, business leaders, and interested citizens to
    share information on their progress.  To support this initiative,
    the Council has developed and is distributing a toolkit that
    provides examples of which sectors should be represented at these
    events and issues that should be addressed. State-Administered
    Federal  Among the critical functions performed by states are the
    administration of Human Services Programs            federal human
    services programs.  As we reported in November 1998, many Are at
    Risk                        systems that support state-
    administered federal human services programs were at risk, and
    much work remained to ensure that services would continue.48  In
    February of this year, we testified that while some progress had
    been achieved, many states' systems were not scheduled to become
    compliant until the last half of 1999.49  Accordingly, we
    concluded that given these risks, business continuity and
    contingency planning was even more important in ensuring
    continuity of program operations and benefits in the event of
    systems failures. Subsequent to our November 1998 report, OMB
    directed federal oversight agencies to include the status of
    selected state human services systems in their quarterly reports.
    Specifically, in January 1999, OMB requested that agencies
    describe actions to help ensure that federally supported, state-
    run programs will be able to provide services and benefits.  OMB
    further asked 48Year 2000 Computing Crisis:  Readiness of State
    Automated Systems to Support Federal Welfare Programs (GAO/AIMD-
    99-28, November 6, 1998). 49Year 2000 Computing Crisis:  Readiness
    of State Automated Systems That Support Federal Human Services
    Programs (GAO/T-AIMD-99-91, February 24, 1999). Page 16
    GAO/T-AIMD-99-266 that agencies report the date when each state's
    systems will be Year 2000 compliant. Table 1 summarizes the latest
    information on state-administered federal human services programs
    reported by OMB on June 15, 1999.50  This information was
    gathered, but not verified, by the Departments of Agriculture,
    HHS, and Labor.51  It indicates that while many states reported
    their programs to be compliant, a number of states did not plan to
    complete Year 2000 efforts until the last quarter of 1999.  For
    example, eight states did not expect to be compliant until the
    last quarter of 1999 for Child Support Enforcement, five states
    for Unemployment Insurance, and four states for Child Nutrition.
    Moreover, Year 2000 readiness information was unknown in many
    cases.  For example, according to OMB, the status of 32 states'
    Low Income Home Energy Assistance programs was unknown because
    applicable readiness information was not available. 50For
    Medicaid, OMB reports on the two primary systems that states use
    to administer the program: (1) the Integrated Eligibility System,
    to determine whether an individual applying for Medicaid meets the
    eligibility criteria for participation, and (2) the Medicaid
    Management Information System, to process claims and deliver
    payments for services rendered.  Integrated eligibility systems
    are also often used to determine eligibility for other public
    assistance programs, such as Food Stamps. 51The Department of
    Agriculture oversees the Child Nutrition, Food Stamp, and the
    Women, Infants, and Children programs.  HHS oversees the Child
    Care, Child Support Enforcement, Child Welfare, Low Income Home
    Energy Assistance, Medicaid, and Temporary Assistance for Needy
    Families programs. The Department of Labor oversees the
    Unemployment Insurance program. Page 17
    GAO/T-AIMD-99-266 Table 1:  Reported State-Level Readiness for
    Federally Supported Programs Expected Date of 1999 Compliance
    Programa                                       Compliantb Jan.-
    March April-June                  July-Sept. Oct.-Dec. Unknownc
    N/Ad Child Nutrition                                           29
    0               9             10              4                2
    0 Food Stamps                                               25
    0             12              14              3                0
    0 Women, Infants, and Children                              33
    0             11                7             3                0
    0 Child Care                                                24
    5               5               8             2                6
    4 Child Support Enforcement                                 15
    4             13                8             8                6
    0 Child Welfare                                             20
    5               9             11              3                5
    1 Low Income Home Energy Assistance Program                 10
    0               3               7             1              32
    1 Medicaid  Integrated Eligibility System                  20
    0             15               15             4                0
    0 Medicaid  Management Information System                  17
    0             19              14              4                0
    0 Temporary Assistance for Needy Families                   19
    3             12              15              1                4
    0 Unemployment Insurance                                    27
    0             11              10              5                0
    1 Note:  This table contains readiness information from the 50
    states, the District of Columbia, Guam, Puerto Rico, and the
    Virgin Islands. aAccording to OMB, the information regarding Child
    Care, Child Support Enforcement, the Low Income Home Energy
    Assistance Program, Medicaid, and Temporary Assistance for Needy
    Families was as of January 31, 1999; and the information for Child
    Nutrition, Food Stamps, and Women, Infants and Children was as of
    March 1999.  However, OMB provided a draft table to the National
    Association of State Information Resource Executives, which, in
    turn, provided the draft table to the states.  The states were
    asked to contact HHS and Agriculture and provide corrections by
    June 1, 1999.  For their part, HHS and Agriculture submitted
    updated state data to OMB in early June.  The information
    regarding Unemployment Insurance was as of March 31, 1999. bIn
    many cases, the report indicated a date instead of whether the
    state was compliant.  We assumed that states reporting completion
    dates in 1998 or earlier were compliant. cUnknown indicates that
    according to OMB, the data reported by the states were unclear or
    that no information was reported by the agency. dN/A indicates
    that the states or territories reported that the data requested
    were not applicable to them. Source:  Progress on Year 2000
    Conversion:  9th Quarterly Report (OMB, issued on June 15, 1999).
    Although many states have reported their state-administered
    programs to be compliant, additional work beyond individual system
    completion likely remains, such as end-to-end testing.  For
    example, of the states that OMB reported as having compliant
    Medicaid management information and/or integrated eligibility
    systems, at least four and five states, respectively, had not
    completed end-to-end testing. In addition to obtaining state-
    reported readiness status information for OMB, the three federal
    departments are taking other actions to assess the ability of
    state-administered programs to continue into the next century.
    Page 18
    GAO/T-AIMD-99-266 However, as table 2 shows, the approaches of the
    three departments in assessing the readiness of state-administered
    federal human services programs vary significantly.  For example,
    HHS' Health Care Financing Administration (HCFA) hired a
    contractor to perform comprehensive on-site reviews in all states,
    some more than once, using a standard methodology.  Agriculture's
    Food and Nutrition Service (FNS) approach includes such actions as
    having regional offices monitor state Year 2000 efforts and
    obtaining state certifications of compliance.  The Department of
    Labor is relying on its regional offices to monitor state Year
    2000 efforts as well as requiring states to obtain and submit
    independent verification and validation reports after declaring
    their systems compliant. Page 19
    GAO/T-AIMD-99-266 Table 2:  Number and Types of Assessments
    Performed Areas covered by assessments Number of states
    Project management/                              Business
    continuity and Agency/program           assessed
    planning               Test plans/results        contingency plans
    (BCCP) Agriculture/Child        Component entity's regional
    Varies by region           Varies by region          Varies by
    region Nutrition Program        offices are monitoring all states'
    efforts Agriculture/Food         Component entity's regional
    Varies by region           Varies by region          Varies by
    region Stamps                   offices are monitoring all states'
    efforts Agriculture/Women,       Component entity's regional
    Varies by region           Varies by region          Varies by
    region Infants, and Children    offices are monitoring all states'
    efforts HHS/Child Care           As of July 2, a contractor
    Yes                    Yes-all visits included  Partial-on-site
    visits included had conducted on-site
    reviews of test plans     reviews of states' BCCP reviews of 20
    states                                    and, where applicable,
    processes, but not their content test results HHS/Child Support
    As of July 2, a contractor       Yes                    Yes-all
    visits included  Partial-on-site visits included Enforcement
    had conducted on-site                                   reviews of
    test plans     reviews of states' BCCP reviews of 20 states
    and, where applicable,  processes, but not their content test
    results HHS/Child Welfare        As of July 2, a contractor
    Yes                    Yes-all visits included  Partial-on-site
    visits included had conducted on-site
    reviews of test plans     reviews of states' BCCP reviews of 20
    states                                    and, where applicable,
    processes, but not their content test results HHS/Low Income
    As of July 2, a contractor       Yes                    Yes-all
    visits included  Partial-on-site visits included Housing Energy
    had conducted on-site                                   reviews of
    test plans     reviews of states' BCCP Assistance Program
    reviews of 20 states                                    and, where
    applicable,  processes, but not their content test results
    HHS/Medicaid             A contractor conducted           Yes
    Yes-all visits included  Partial-Initial visits included on-site
    reviews of 50 states                            reviews of test
    plans     reviews of states' BCCP and the District of Columbia
    and, where applicable,  processes, and as of July 9, a once, and,
    as of June 30,                               test results
    contractor had reviewed the the contractor had
    content of 42 states' BCCPs, conducted follow-up
    either on site or at headquarters reviews of 14 states
    HHS/Temporary            As of July 2, a contractor       Yes
    Yes-all visits included  Partial-on-site visits included
    Assistance for Needy  had conducted on-site
    reviews of test plans     reviews of states' BCCP Families
    reviews of 20 states                                    and, where
    applicable,  processes, but not their content test results
    Labor/Unemployment  Labor's regional offices are  Unknown-not
    Unknown-not               Reviews ongoing Insurance
    monitoring all states' efforts specifically addressed
    specifically addressed in methodology         in methodology In
    addition to the completed reviews, all of the departments have
    ongoing initiatives to ensure that state-administered human
    services programs will Page 20
    GAO/T-AIMD-99-266 continue to function past the change of century.
    These initiatives are part of the departments' overall strategies
    to ensure the continued delivery of these high-impact programs.
    For example: * In June 1999, the Department of Agriculture's FNS
    required its regions to provide for each program a copy of either
    a state letter certifying that it was Year 2000 compliant or a
    business continuity and contingency plan. As of June 18, 1999, FNS
    had received (1) 9 certifications and 7 business continuity and
    contingency plans for Child Nutrition, (2) 12 certifications and
    16 business continuity and contingency plans for Food Stamps, and
    (3) 23 certifications and 23 business continuity and contingency
    plans for Women, Infants, and Children.  In addition, to help
    states' Year 2000 efforts, FNS employed a contractor to conduct
    on-site visits to 20 states for one or more programs.  As of July
    9, FNS officials told us 16 states had been visited.  With respect
    to the scope of these visits, FNS' regional offices determine for
    each state and program what specific areas it should encompass.
    These visits are principally intended to provide technical
    assistance to the states in areas such as Year 2000 project
    management, hardware and software testing, and contingency
    planning. * In its initial round of on-site reviews conducted
    between November 1998 and April 1999, the contractor hired by HHS'
    HCFA (1) identified barriers to successful remediation, (2) made
    recommendations to address specific areas of concern, and (3)
    placed Medicaid integrated eligibility and management information
    systems into low, medium, or high risk categories.  HCFA's
    contractor is currently conducting a second round of on-site
    reviews in at least 40 states-primarily those in which at least
    one of two systems was categorized as a high or medium risk during
    the initial visit.  As of June 30, 14 states had been visited
    during this round.  The focus of this second round of visits is on
    determining how states have resolved Year 2000 issues previously
    identified, as well as reviewing activities such as data exchanges
    and end-to-end testing.  HCFA plans to conduct a third round of
    on-site reviews in the fall of 1999 for those states that continue
    to have systems categorized as high risk.  Additionally, another
    HCFA contractor is reviewing the content of all states' business
    continuity and contingency plans, with some of these reviews being
    performed in conjunction with the second round of state visits. *
    In September 1998, the Department of Labor required that all State
    Employment Security Agencies conduct independent verification and
    validation reviews of their Unemployment Insurance programs.  The
    department set a target date of July 1, 1999, for states to submit
    Page 21
    GAO/T-AIMD-99-266 independent verification and validation
    certifications of their Unemployment Insurance systems to Labor's
    regional offices.  Labor required its regional offices to review
    independent verification and validation reports and certifications
    of Year 2000 compliance that State Employment Security Agencies
    submitted, and to ascertain whether the material met the
    department's requirements.  If Labor's requirements were met, the
    regional offices were to approve the State Employment Security
    Agencies' certification and independent verification and
    validation reports and forward copies of the approved
    certification and report, along with regional office comments, to
    Labor's national office. An example of the benefits that
    federal/state partnerships can provide is illustrated by the
    Department of Labor's unemployment services program. In September
    1998, we reported that many State Employment Security Agencies
    were at risk of failure as early as January 1999 and urged the
    Department of Labor to initiate the development of realistic
    contingency plans to ensure continuity of core business processes
    in the event of Year 2000-induced failures.52  In May, we
    testified that four state agencies' systems could have failed if
    systems in those states had not been programmed with an emergency
    patch in December 1998.  This patch was developed by several of
    the state agencies and promoted to other state agencies by the
    Department of Labor. 53 Year 2000 Readiness              Beyond
    the risks faced by federal, state, and local governments, the year
    Information Available  2000 also poses a serious challenge to the
    public infrastructure, key economic sectors, and to other
    countries.  To address these concerns, in in Some Sectors, But
    April 1998 we recommended that the Council use a sector-based
    approach Key Information Still            and establish the
    effective public-private partnerships necessary to address 54
    Missing or Incomplete this issue.   The Council subsequently
    established over 25 sector-based working groups and has been
    initiating outreach activities since it became operational last
    spring.  In addition, the Chair of the Council has formed a Senior
    Advisors Group composed of representatives from private-sector
    firms across key economic sectors.  Members of this group are
    expected to 52Year 2000 Computing Crisis:  Progress Made at
    Department of Labor, But Key Systems at Risk (GAO/T-AIMD-98-303,
    September 17, 1998). 53Year 2000 Computing Challenge:  Labor Has
    Progressed But Selected Systems Remain at Risk (GAO/T-AIMD-99-179,
    May 12, 1999). 54GAO/AIMD-98-85, April 30, 1998. Page 22
    GAO/T-AIMD-99-266 offer perspectives on crosscutting issues,
    information sharing, and appropriate federal responses to
    potential Year 2000 failures. Our April 1998 report also
    recommended that the President's Council develop a comprehensive
    picture of the nation's Year 2000 readiness, to include
    identifying and assessing risks to the nation's key economic
    sectors-including risks posed by international links.  In October
    1998, the Chair directed the Council's sector working groups to
    begin assessing their sectors.  The Chair also provided a
    recommended guide of core questions that the Council asked to be
    included in surveys by the associations performing the
    assessments.  These questions included the percentage of work that
    has been completed in the assessment, renovation, validation, and
    implementation phases.  The Chair then planned to issue quarterly
    public reports summarizing these assessments. The Council's most
    recent report was issued on August 5, 1999.55  The report stated
    that important national systems will make a successful transition
    to the year 2000 but that much work, such as contingency planning,
    remains to be done.  In particular, the Council expressed a high
    degree of confidence in five major domestic areas:  financial
    institutions, electric power, telecommunications, air travel, and
    the federal government. For example, the Council stated that on
    August 2, federal bank, thrift, and credit union regulators
    reported that 99 percent of federally insured financial
    institutions have completed testing of critical systems for Year
    2000 readiness.  The Council had concerns in four significant
    areas:  local government, health care, education, and small
    businesses.  For example, according to the Council report, many
    school districts could move into the new century with
    dysfunctional information technology systems, since only 28
    percent and 30 percent of Superintendent/Local Educational
    Agencies and postsecondary institutions, respectively, reported
    that their mission-critical systems were Year 2000 compliant.
    Internationally, the Council stated that the Year 2000 readiness
    of other countries was improving but was still a concern.  The
    Council reported that the June 1999 meeting of National Year 2000
    Coordinators held at the United Nations found that the 173
    countries in attendance were clearly focused on the Year 2000
    problem but that many countries will likely not have enough time
    or resources to finish before the end of 1999. 55The Council's
    three reports are available on its web site, www.y2k.gov.  In
    addition, the Council, in conjunction with the Federal Trade
    Commission and the General Services Administration, has
    established a toll-free Year 2000 information line, 1-888-USA-
    4Y2K.  The Federal Trade Commission has also included Year 2000
    information of interest to consumers on its web
    site,www.consumer.gov. Page 23
    GAO/T-AIMD-99-266 The Council's assessment reports have
    substantially increased the nation's understanding of the Year
    2000 readiness of key industries.  However, the picture remains
    incomplete in certain key areas because the surveys conducted to
    date did not have a high response rate or did not provide their
    response rate, the assessment was general or contained projections
    rather than current remediation information, or the data were old.
    For example, according to the Council's latest assessment report:
* Less than a quarter of the more than 16,000 Superintendents of
    Schools/Local Educational Agencies responded to a web-based survey
    of Year 2000 readiness among elementary and secondary schools.
    Similarly, less than a third of the more than 6,000 presidents
    and/or chancellors of postsecondary educational institutions
    responded to a web-based Year 2000 survey.  Also, surveys covering
    areas such as small and medium-sized chemical enterprises did not
    provide information on either the number of surveys distributed or
    the number returned.  Small response rates or the lack of
    information on response rates call into question whether the
    results of the survey accurately portray the readiness of the
    sector. * Information in areas such as state emergency management
    and broadcast television and radio provided a general assessment
    or projected compliance levels as of a certain date, but did not
    contain detailed data as to the current status of the sector
    (e.g., the average percentage of organizations' systems that are
    Year 2000 compliant or the percentage of organizations that are in
    the assessment, renovation, or validation phases). * In some
    cases, such as for grocery manufacturers, cable television,
    hospitals, physicians' practices, and railroads, the sector
    surveys had been conducted months earlier and/or current survey
    information was not yet available. In addition to our work related
    to the federal, state, and local government's Year 2000 progress,
    we have also issued several products related to key economic
    sectors.  I will now discuss the results of these reviews. Energy
    Sector    In April, we reported that while the electric power
    industry had concluded that it had made substantial progress in
    making its systems and equipment ready to continue operations into
    the year 2000, significant risks remained since many reporting
    organizations did not expect to be Year 2000 ready within the June
    1999 industry target date.56  We, therefore, suggested that the
    Department of Energy (1) work with the Electric Power Working
    Group Page 24
    GAO/T-AIMD-99-266 to ensure that remediation activities were
    accelerated for the utilities that expected to miss the June 1999
    deadline for achieving Year 2000 readiness and (2) encourage state
    regulatory utility commissions to require a full public disclosure
    of Year 2000 readiness status of entities transmitting and
    distributing electric power.  The Department of Energy generally
    agreed with our suggestions.  We also suggested that the Nuclear
    Regulatory Commission (1) in cooperation with the Nuclear Energy
    Institute, work with nuclear power plant licensees to accelerate
    the Year 2000 remediation efforts among the nuclear power plants
    that expect to meet the June 1999 deadline for achieving readiness
    and (2) publicly disclose the Year 2000 readiness of each of the
    nation's operational nuclear reactors.  In response, the Nuclear
    Regulatory Commission stated that it plans to focus its efforts on
    nuclear power plants that may miss the July 1, 1999, milestone and
    that it would release the readiness information on individual
    plants that same month. Subsequent to our report, on August 3,
    1999, the North American Electric Reliability Council released its
    fourth status report on electric power systems.  According to the
    Council, as of June 30, 1999-the industry target date for
    organizations to be Year 2000 ready-251 of 268 (94 percent) of
    bulk electric organizations were Year 2000 ready or Year 2000
    ready with limited exceptions.57  In addition, this report stated
    that 96 percent of local distribution systems were reported as
    Year 2000 ready.58  The North American Electric Reliability
    Council stated that the information it uses is principally self-
    reported but that 84 percent of the organizations reported that
    their Year 2000 programs had also been audited by internal and/or
    external auditors.  On July 19, the Nuclear Regulatory Commission
    stated that 68 of 103 (66 percent) nuclear power plants reported
    that all of their computer systems and digital embedded components
    that support plant operations are Year 2000 ready.  Of the 35
    plants that were not Year 2000 ready, 18 had systems or components
    that were not ready that could affect power generation. 56Year
    2000 Computing Crisis:  Readiness of the Electric Power Industry
    (GAO/AIMD-99-114, April 6, 1999). 57The North American Electric
    Reliability Council reported that 64 of these organizations had
    exceptions but that it "believes that the work schedule provided
    to complete these exception items in the next few months
    represents a prudent use of resources and does not increase risks
    associated with reliable electric service into the Year 2000."
    58This was based on the percentage of the total megawatts of the
    systems reported as Year 2000 ready by investor-owned, public
    power, and cooperative organizations.  The report did not identify
    the number of local distribution organizations that reported that
    they were Year 2000 ready. Page 25
    GAO/T-AIMD-99-266 In May, we reported59 that while the domestic
    oil and gas industries had reported that they had made substantial
    progress in making their equipment and systems ready to continue
    operations into the year 2000, risks remained.  For example,
    although over half of our oil is imported, little was known about
    the Year 2000 readiness of foreign oil suppliers. Further, while
    individual domestic companies reported that they were developing
    Year 2000 contingency plans, there were no plans to perform a
    national-level risk assessment and develop contingency plans to
    deal with potential shortages or disruptions in the nation's
    overall oil and gas supplies.  We suggested that the Council's oil
    and gas working group (1) work with industry associations to
    perform national-level risk assessments and develop and publish
    credible, national-level scenarios regarding the impact of
    potential Year 2000 failures and (2) develop national-level
    contingency plans.  The working group generally agreed with these
    suggestions. Water Sector    In April, we reported60 that
    insufficient information was available to assess and manage Year
    2000 efforts in the water sector, and little additional
    information was expected under the current regulatory approach.
    While the Council's water sector working group had undertaken an
    awareness campaign and had urged national water sector
    associations to continue to survey their memberships, survey
    response rates had been low.  Further, Environmental Protection
    Agency officials stated that the agency lacked the rules and
    regulations necessary to require water and wastewater facilities
    to report on their Year 2000 status. Our survey of state
    regulators found that a few states were proactively collecting
    Year 2000 compliance data from regulated facilities, a much larger
    group of states was disseminating Year 2000 information, while
    another group was not actively using either approach.
    Additionally, only a handful of state regulators believed that
    they were responsible for ensuring facilities' Year 2000
    compliance or overseeing facilities' business continuity and
    contingency plans.  Among our suggested actions was that the
    Council, the Environmental Protection Agency, and the states
    determine which regulatory organization should take responsibility
    for assessing and publicly disclosing the status and outlook of
    water sector facilities' Year 59Year 2000 Computing Crisis:
    Readiness of the Oil and Gas Industries (GAO/AIMD-99-162, May 19,
    1999). 60Year 2000 Computing Crisis:  Status of the Water Industry
    (GAO/AIMD-99-151, April 21, 1999). Page 26
    GAO/T-AIMD-99-266 2000 business continuity and contingency plans.
    The Environmental Protection Agency generally agreed with our
    suggestions but one official noted that additional legislation may
    be needed if the agency is to take responsibility for overseeing
    facilities' Year 2000 business continuity and contingency plans.
    Health Sector    The health sector includes health care providers
    (such as hospitals and emergency health care services), insurers
    (such as Medicare and Medicaid), and biomedical equipment.  Last
    month, we reported61 that HCFA had taken aggressive and
    comprehensive outreach efforts with regard to its over 1.1 million
    healthcare providers that administer services for Medicare-insured
    patients.62  Despite these efforts, HCFA data show that provider
    participation in its outreach activities has been low.  Further,
    although HCFA has tasked contractors that process Medicare claims
    with testing with providers using future-dated claims, such
    testing had been limited and the testing that had occurred had
    identified problems.  Our July report also found that although
    many surveys had been completed in 1999 on the Year 2000 readiness
    of healthcare providers, none of the 11 surveys we reviewed
    provided sufficient information with which to assess the Year 2000
    status of the healthcare provider community.  Each of the surveys
    had low response rates, and several did not address critical
    questions about testing and contingency planning. To reduce the
    risk of Year 2000-related failures in the Medicare provider
    community, our July report suggested, for example, that HCFA
    consider using additional outreach methods, such as public service
    announcements, and set milestones for Medicare contractors for
    testing with providers.  We also made suggestions to the
    President's Council on Year 2000 Conversion's healthcare sector
    working group, including a suggestion to consider working with
    associations to publicize those providers who respond to future
    surveys in order to increase survey response rates.  The HCFA
    Administrator generally agreed with our suggested actions. 61Year
    2000 Computer Crisis:  Status of Medicare Providers Unknown
    (GAO/AIMD-99-243, July 28, 1999). 62Examples of such providers are
    hospitals, laboratories, physicians, and skilled nursing/long-term
    care facilities. Page 27
    GAO/T-AIMD-99-266 With respect to biomedical equipment, on June 10
    we testified63 that in response to our September 1998
    recommendation, 64 HHS, in conjunction with the Department of
    Veterans Affairs, had established a clearinghouse on biomedical
    equipment.  As of June 1, 1999, 4,142 biomedical equipment
    manufacturers had submitted data to the clearinghouse.  About 61
    percent of these manufacturers reported having products that do
    not employ dates and about 8 percent (311 manufacturers) reported
    having date-related problems, such as an incorrect display of
    date/time.  According to the Food and Drug Administration, the 311
    manufacturers reported 897 products with date-related problems.
    However, not all compliance information was available on the
    clearinghouse because the clearinghouse referred the user to 427
    manufacturers' web sites.  Accordingly, we reviewed the web sites
    of these manufacturers and found, as of June 1, 1999, a total of
    35,446 products.65  Of these products, 18,466 were reported as not
    employing a date, 11,211 were reported as compliant, 4,445 were
    shown as not compliant, and the compliance status of 1,324 was
    unknown. In addition to the establishment of a clearinghouse, our
    September 1998 report66 also recommended that HHS and the
    Department of Veterans Affairs take prudent steps to jointly
    review manufacturers' test results for critical care/life support
    biomedical equipment.  We were especially concerned that the
    departments review test results for equipment previously deemed to
    be noncompliant but now deemed by manufacturers to be compliant,
    or equipment for which concerns about compliance remained.  In May
    1999, the Food and Drug Administration, a component agency of HHS,
    announced that it planned to develop a list of critical care/life
    support medical devices and the manufacturers of these devices,
    select a sample of manufacturers for review, and hire a contractor
    to develop a program to assess manufacturers' activities to
    identify and correct Year 2000 problems for these medical devices.
    In addition, if the results of this review indicated a need for
    further review of manufacturer 63Year 2000 Computing Challenge:
    Concerns About Compliance Information on Biomedical Equipment
    (GAO/T-AIMD-99-209, June 10, 1999). 64Year 2000 Computing Crisis:
    Compliance Status of Many Biomedical Equipment Items Still Unknown
    (GAO/AIMD-98-240, September 18, 1998). 65Because of limitations in
    many of the manufacturers web sites, our ability to determine the
    total number of biomedical equipment products reported and their
    compliance status was impaired. Accordingly, the actual number of
    products reported by the manufacturers could be significantly
    higher than the 35,446 products that we counted. 66GAO/AIMD-98-
    240, September 18, 1998. Page 28
    GAO/T-AIMD-99-266 activities, the contractor would review a
    portion of the remaining manufacturers not yet reviewed.
    Moreover, according to the Food and Drug Administration, any
    manufacturer whose quality assurance system appeared deficient
    based on the contractors review would be subject to additional
    reviews to determine what actions would be required to eliminate
    any risk posed by noncompliant devices. In April testimony,67 we
    also reported on the results of a Department of Veterans Affairs
    survey of 384 pharmaceutical firms and 459 medical-surgical firms
    with which it does business.  Of the 52 percent of pharmaceutical
    firms that responded to the survey, 32 percent reported that they
    were compliant.  Of the 54 percent of the medical-surgical firms
    that responded, about two-thirds reported that they were
    compliant. Banking and Finance Sector A large portion of the
    institutions that make up the banking and finance sector are
    overseen by one or more federal regulatory agencies.   In
    September 1998, we testified on the efforts of five federal
    financial regulatory agencies68 to ensure that the institutions
    that they oversee are ready to handle the Year 2000 problem.69  We
    concluded that the regulators had made significant progress in
    assessing the readiness of member institutions and in raising
    awareness on important issues such as contingency planning and
    testing.  Regulator examinations of bank, thrift, and credit union
    Year 2000 efforts found that the vast majority were doing a
    satisfactory job of addressing the problem.  Nevertheless, the
    regulators faced the challenge of ensuring that they are ready to
    take swift action to address those institutions that falter in the
    later stages of correction and to address disruptions caused by
    international and public infrastructure failures. In April, we
    reported that the Federal Reserve System-which is instrumental to
    our nation's economic well-being, since it provides depository
    institutions and government agencies services such as processing
    checks and transferring funds and securities-has effective 67Year
    2000 Computing Crisis:  Action Needed to Ensure Continued Delivery
    of Veterans Benefits and Health Care Services (GAO/T-AIMD-99-136,
    April 15, 1999). 68The National Credit Union Administration, the
    Federal Deposit Insurance Corporation, the Office of Thrift
    Supervision, the Federal Reserve System, and the Office of the
    Comptroller of the Currency. 69Year 2000 Computing Crisis:
    Federal Depository Institution Regulators Are Making Progress, But
    Challenges Remain (GAO/T-AIMD-98-305, September 17, 1998). Page 29
    GAO/T-AIMD-99-266 controls to help ensure that its Year 2000
    progress is reported accurately and reliably.70  We also found
    that it is effectively managing the renovation and testing of its
    internal systems and the development and planned testing of
    contingency plans for continuity of business operations.
    Nevertheless, the Federal Reserve System still had much to
    accomplish before it is fully ready for January 1, 2000, such as
    completing validation and implementation of all of its internal
    systems and completing its contingency plans. In addition to the
    domestic banking and finance sector, large U.S. financial
    institutions have financial exposures and relationships with
    international financial institutions and markets that may be at
    risk if these international organizations are not ready for the
    date change occurring on January 1, 2000.  In April, we reported71
    that foreign financial institutions had reportedly lagged behind
    their U.S. counterparts in preparing for the Year 2000 date
    change.  Officials from four of the seven large foreign financial
    institutions we visited said they had scheduled completion of
    their Year 2000 preparations about 3 to 6 months after their U.S.
    counterparts, but they planned to complete their efforts by mid-
    1999 at the latest.  Moreover, key international market
    supporters, such as those that transmit financial messages and
    provide clearing and settlement services, told us that their
    systems were ready for the date change and that they had begun
    testing with the financial organizations that depended on these
    systems.  Further, we found that seven large U.S. banks and
    securities firms we visited were taking actions to address their
    international risks.  In addition, U.S. banking and securities
    regulators were also addressing the international Year 2000 risks
    of the institutions that they oversee. With respect to the
    insurance industry, in March, we concluded that insurance
    regulator presence regarding the Year 2000 area was not as strong
    as that exhibited by the banking and securities industry.72  State
    insurance regulators we contacted were late in raising industry
    awareness of potential Year 2000 problems, provided little
    guidance to regulated institutions, and failed to convey clear
    regulatory expectations to 70Year 2000 Computing Crisis:  Federal
    Reserve Has Established Effective Year 2000 Management Controls
    for Internal Systems Conversion (GAO/AIMD-99-78, April 9, 1999).
    71Year 2000:  Financial Institution and Regulatory Efforts to
    Address International Risks (GAO/GGD-99-62, April 27, 1999).
    72Insurance Industry:  Regulators Are Less Active in Encouraging
    and Validating Year 2000 Preparedness (GAO/T-GGD-99-56, March 11,
    1999). Page 30
    GAO/T-AIMD-99-266 companies about Year 2000 preparations and
    milestones.  Nevertheless, the insurance industry is reported by
    both its regulators and by other outside observers to be generally
    on track to being ready for 2000.  However, most of these reports
    are based on self-reported information and, compared to other
    financial regulators, insurance regulators' efforts to validate
    this information generally began late and were more limited. In a
    related report in April,73 we stated that variations in oversight
    approaches by state insurance regulators also made it difficult to
    ascertain the overall status of the insurance industry's Year 2000
    readiness.  We reported that the magnitude of insurers' Year 2000-
    related liability exposures could not be estimated at that time
    but that costs associated with these exposures could be
    substantial for some property-casualty insurers, particularly
    those concentrated in commercial-market sectors.  In addition,
    despite efforts to mitigate potential exposures, the Year 2000-
    related costs that may be incurred by insurers would remain
    uncertain until key legal issues and actions on pending
    legislation were resolved. Transportation Sector    A key
    component to the nation's transportation sector are airports.
    This January, we reported on our survey of 413 airports.74  We
    found that while the nation's airports were making progress in
    preparing for the year 2000, such progress varied.  Of the 334
    airports responding to our survey, about one-third reported that
    they would complete their Year 2000 preparations by June 30, 1999.
    The other two-thirds either planned on a later date or failed to
    estimate any completion date, and half of these airports did not
    have contingency plans for any of 14 core airport functions.
    Although most of those not expecting to be ready by June 30 are
    small airports, 26 of them are among the nation's 50 largest
    airports. International            In addition to the risks
    associated with the nation's key economic sectors, one of the
    largest and most uncertain area of risk relates to the global
    nature of the problem.  Table 3 summarizes the results of the
    Department of State's Office of the Inspector General's analysis
    of "Y2K Host Country Infrastructure" assessments submitted by U.S.
    embassies in 161 countries 73Year 2000:  State Insurance
    Regulators Face Challenges in Determining Industry Readiness
    (GAO/GGD-99-87, April 30, 1999). 74Year 2000 Computing Crisis:
    Status of Airports' Efforts to Deal With Date Change Problem
    (GAO/RCED/AIMD-99-57, January 29, 1999). Page 31
    GAO/T-AIMD-99-266 (98 from the developing world, 24 from former
    Easter bloc countries and the New Independent States, and 39 from
    industrialized countries).  The following table shows that about
    half of the countries are reported to be at medium or high risk of
    having Year 2000-related failures in the key areas of
    telecommunications, transportation, and energy.  While a smaller
    number of countries were reported at medium or high risk in the
    finance and water sectors, at least one-third of the countries
    fell into the medium or high risk categories. Table 3:  Risk of
    Year 2000-Related Sector Failures in 161 Countries Risk level
    Finance Telecommunications Transportation                   Energy
    Water High                   11                         35
    18          26               7 Medium                 43
    56                  61          64              52 Low
    107                         70                  82          71
    102 Source:  Year 2000 Computer Problem:  Global Readiness and
    International Trade (Statement of the Department of State's
    Inspector General before the Senate Special Committee on the Year
    2000 Technology Problem, July 22, 1999). The Department of State
    Inspector General concluded that the global community is likely to
    experience varying degrees of Year 2000-related failures-from mere
    annoyances to failures in key infrastructure systems- in every
    sector, region, and economic level.  In particular, the Inspector
    General testified on July 22, 1999, that * industrialized
    countries were generally at low risk of having Year 2000-related
    infrastructure failures, although some of these countries were at
    risk; * developing countries were lagging behind and were
    struggling to find the financial and technical resources needed to
    resolve their Year 2000 problems; and * former Eastern bloc
    countries were late in getting started and were generally unable
    to provide detailed information on their Year 2000 programs. The
    impact of Year 2000-induced failures in foreign countries could
    adversely affect the United States, particularly as it relates to
    the supply chain.  To address the international supply chain
    issue, in January 1999 we Page 32
    GAO/T-AIMD-99-266 suggested75 that the President's Council on Year
    2000 Conversion prioritize trade and commerce activities that are
    critical to the nation's well-being (e.g., oil, food,
    pharmaceuticals) and, working with the private sector, identify
    options for obtaining these materials through alternative avenues
    in the event that Year 2000-induced failures in the other country
    or in the transportation sector prevent these items from reaching
    the United States. In commenting on this suggestion, the Chair
    stated that the Council had (1) worked with federal agencies to
    identify sectors with the greatest dependence on international
    trade, (2) held industry roundtable discussions with the
    pharmaceutical and food supply sectors, and (3) hosted bilateral
    and trilateral meetings with the Council's counterparts in Canada
    and Mexico-the United States' largest trading partners. In
    summary, while improvement has been shown, much work remains at
    the national, federal, state, and local levels to ensure that
    major service disruptions do not occur.  Specifically, remediation
    must be completed, end-to-end testing performed, and business
    continuity and contingency plans developed.  Similar actions
    remain to be completed by the nation's key sectors.  Accordingly,
    whether the United States successfully confronts the Year 2000
    challenge will largely depend on the success of federal, state,
    and local governments, as well as the private sector working
    separately and together to complete these actions.  Accordingly,
    strong leadership and partnerships must be maintained to ensure
    that the needs of the public are met at the turn of the century.
    Mr. Chairman, this concludes my statement.  I would be happy to
    respond to any questions that you or other members of the
    Subcommittee may have at this time. Contact    For information
    concerning this testimony, please contact Joel Willemssen at (202)
    512-6253 or by e-mail at [email protected]. 75GAO/T-AIMD-
    99-50, January 20, 1999. Page 33
    GAO/T-AIMD-99-266 Appendix I Federal High-Impact Programs and Lead
    Agencies
    Appendix I Agency
    Program Department of Agriculture                        Child
    Nutrition Programs Department of Agriculture
    Food Safety Inspection Department of Agriculture
    Food Stamps Department of Agriculture
    Special Supplemental Nutrition Program for Women, Infants, and
    Children Department of Commerce                           Patent
    and trademark processing Department of Commerce
    Weather Service Department of Defense
    Military Hospitals Department of Defense
    Military Retirement Department of Education
    Student Aid Department of Energy
    Federal electric power generation and delivery Department of
    Health and Human Services          Child Care Department of Health
    and Human Services          Child Support Enforcement Department
    of Health and Human Services          Child Welfare Department of
    Health and Human Services          Disease monitoring and the
    ability to issue warnings Department of Health and Human Services
    Indian Health Service Department of Health and Human Services
    Low Income Home Energy Assistance Program Department of Health and
    Human Services          Medicaid Department of Health and Human
    Services          Medicare Department of Health and Human Services
    Organ Transplants Department of Health and Human Services
    Temporary Assistance for Needy Families Department of Housing and
    Urban Development      Housing loans (Government National Mortgage
    Association) Department of Housing and Urban Development
    Section 8 Rental Assistance Department of Housing and Urban
    Development      Public Housing Department of Housing and Urban
    Development      FHA Mortgage Insurance Department of Housing and
    Urban Development      Community Development Block Grants
    Department of the Interior                       Bureau of Indian
    Affairs programs Department of Justice
    Federal Prisons Department of Justice
    Immigration Department of Justice
    National Crime Information Center Department of Labor
    Unemployment Insurance Department of State
    Passport Applications and Processing Department of Transportation
    Air Traffic Control System Department of Transportation
    Maritime Safety Program Department of the Treasury
    Cross-border Inspection Services Department of Veterans Affairs
    Veterans' Benefits Department of Veterans Affairs
    Veterans' Health Care Federal Emergency Management Agency
    Disaster Relief (continued) Page 34
    GAO/T-AIMD-99-266 Appendix I Federal High-Impact Programs and Lead
    Agencies Agency                                  Program Office of
    Personnel Management          Federal Employee Health Benefits
    Office of Personnel Management          Federal Employee Life
    Insurance Office of Personnel Management          Federal Employee
    Retirement Benefits Railroad Retirement Board
    Retired Rail Workers Benefits Social Security Administration
    Social Security Benefits U.S. Postal Service
    Mail Service Page 35                                       GAO/T-
    AIMD-99-266 GAO Reports and Testimony Addressing the Year 2000
    Crisis Year 2000 Computing Challenge:  Agencies' Reporting of
    Mission-Critical Classified Systems (GAO/AIMD-99-218, August 5,
    1999). Social Security Administration:  Update on Year 2000 and
    Other Key Information Technology Initiatives (GAO/T-AIMD-99-259,
    July 29, 1999). Year 2000 Computing Crisis:  Status of Medicare
    Providers Unknown (GAO/AIMD-99-243, July 28, 1999). Reported Y2K
    Status of the 21 Largest U.S. Cities (GAO/AIMD-99-246R, July 15,
    1999). Year 2000 Computing Challenge:  Federal Efforts to Ensure
    Continued Delivery of Key State-Administered Benefits (GAO/T-AIMD-
    99-241, July 15, 1999). Emergency and State and Local Law
    Enforcement Systems:  Committee Questions Concerning Year 2000
    Challenges (GAO/AIMD-99-247R, July 14, 1999). Year 2000 Computing
    Challenge:  Important Progress Made, Yet Much Work Remains to
    Avoid Disruption of Critical Services (GAO/T-AIMD-99-234, July 9,
    1999). Year 2000 Computing Challenge:  Readiness Improving Yet
    Avoiding Disruption of Critical Services Will Require Additional
    Work (GAO/T-AIMD-99-233, July 8, 1999). Year 2000 Computing
    Challenge:  Readiness Improving But Much Work Remains to Avoid
    Disruption of Critical Services (GAO/T-AIMD-99-232, July 7, 1999).
    Defense Computers:  Management Controls Are Critical to Effective
    Year 2000 Testing (GAO/AIMD-99-172, June 30, 1999). Year 2000
    Computing Crisis:  Customs Is Making Good Progress (GAO/T-AIMD-99-
    225, June 29, 1999). Year 2000 Computing Challenge:  Delivery of
    Key Benefits Hinges on States' Achieving Compliance (GAO/T-
    AIMD/GGD-99-221, June 23, 1999). Letter    Page 36
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Challenge:  Estimated Costs,
    Planned Uses of Emergency Funding, and Future Implications (GAO/T-
    AIMD-99-214, June 22, 1999). GSA's Effort to Develop Year 2000
    Business Continuity and Contingency Plans for Telecommunications
    Systems (GAO/AIMD-99-201R, June 16, 1999). Year 2000 Computing
    Crisis:  Actions Needed to Ensure Continued Delivery of Veterans
    Benefits and Health Care Services (GAO/AIMD-99-190R, June 11,
    1999). Year 2000 Computing Challenge:  Concerns About Compliance
    Information on Biomedical Equipment (GAO/T-AIMD-99-209, June 10,
    1999). Year 2000 Computing Challenge:  Much Biomedical Equipment
    Status Information Available, Yet Concerns Remain (GAO/T-AIMD-99-
    197, May 25, 1999). Year 2000 Computing Challenge:  OPM Has Made
    Progress on Business Continuity Planning (GAO/GGD-99-66, May 24,
    1999). VA Y2K Challenges:  Responses to Post-Testimony Questions
    (GAO/AIMD-99-199R, May 24, 1999). Year 2000 Computing Crisis:
    USDA Needs to Accelerate Time Frames for Completing Contingency
    Planning (GAO/AIMD-99-178, May 21, 1999). Year 2000 Computing
    Crisis:  Readiness of the Oil and Gas Industries (GAO/AIMD-99-162,
    May 19, 1999). Year 2000 Computing Challenge:  Time Issues
    Affecting the Global Positioning System (GAO/T-AIMD-99-187, May
    12, 1999). Year 2000 Computing Challenge:  Education Taking Needed
    Actions But Work Remains (GAO/T-AIMD-99-180, May 12, 1999). Year
    2000 Computing Challenge:  Labor Has Progressed But Selected
    Systems Remain at Risk (GAO/T-AIMD-99-179, May 12, 1999). Year
    2000: State Insurance Regulators Face Challenges in Determining
    Industry Readiness (GAO/GGD-99-87, April 30, 1999). Letter    Page
    37                                                   GAO/T-AIMD-
    99-266 GAO Reports and Testimony Addressing the Year 2000 Crisis
    Year 2000 Computing Challenge:  Status of Emergency and State and
    Local Law Enforcement Systems Is Still Unknown (GAO/T-AIMD-99-163,
    April 29, 1999). Year 2000 Computing Crisis:  Costs and Planned
    Use of Emergency Funds (GAO/AIMD-99-154, April 28, 1999). Year
    2000:  Financial Institution and Regulatory Efforts to Address
    International Risks (GAO/GGD-99-62, April 27, 1999). Year 2000
    Computing Crisis:  Readiness of Medicare and the Health Care
    Sector (GAO/T-AIMD-99-160, April 27, 1999). U.S. Postal Service:
    Subcommittee Questions Concerning Year 2000 Challenges Facing the
    Service (GAO/AIMD-99-150R, April 23, 1999). Year 2000 Computing
    Crisis:  Status of the Water Industry (GAO/AIMD-99-151, April 21,
    1999). Year 2000 Computing Crisis:  Key Actions Remain to Ensure
    Delivery of Veterans Benefits and Health Services (GAO/T-AIMD-99-
    152, April 20, 1999). Year 2000 Computing Crisis:  Readiness
    Improving But Much Work Remains to Ensure Delivery of Critical
    Services (GAO/T-AIMD-99-149, April 19, 1999). Year 2000 Computing
    Crisis:  Action Needed to Ensure Continued Delivery of Veterans
    Benefits and Health Care Services (GAO/T-AIMD-99-136, April 15,
    1999). Year 2000 Computing Challenge:  Federal Government Making
    Progress But Critical Issues Must Still Be Addressed to Minimize
    Disruptions (GAO/T-AIMD-99-144, April 14, 1999). Year 2000
    Computing Crisis:  Additional Work Remains to Ensure Delivery of
    Critical Services (GAO/T-AIMD-99-143, April 13, 1999). Tax
    Administration:  IRS' Fiscal Year 2000 Budget Request and 1999 Tax
    Filing Season (GAO/T-GGD/AIMD-99-140, April 13, 1999). Page 38
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  Federal Reserve Has
    Established Effective Year 2000 Management Controls for Internal
    Systems Conversion (GAO/AIMD-99-78, April 9, 1999). Year 2000
    Computing Crisis:  Readiness of the Electric Power Industry
    (GAO/AIMD-99-114, April 6, 1999). Year 2000 Computing Crisis:
    Customs Has Established Effective Year 2000 Program Controls
    (GAO/AIMD-99-37, March 29, 1999). Year 2000 Computing Crisis:  FAA
    Is Making Progress But Important Challenges Remain (GAO/T-
    AIMD/RCED-99-118, March 15, 1999). Insurance Industry:  Regulators
    Are Less Active in Encouraging and Validating Year 2000
    Preparedness (GAO/T-GGD-99-56, March 11, 1999). Year 2000
    Computing Crisis:  Defense Has Made Progress, But Additional
    Management Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999).
    Year 2000 Computing Crisis:  Readiness Status of the Department of
    Health and Human Services (GAO/T-AIMD-99-92, February 26, 1999).
    Defense Information Management:  Continuing Implementation
    Challenges Highlight the Need for Improvement (GAO/T-AIMD-99-93,
    February 25, 1999). IRS' Year 2000 Efforts:  Status and Remaining
    Challenges (GAO/T-GGD-99-35, February 24, 1999). Department of
    Commerce:  National Weather Service Modernization and NOAA Fleet
    Issues (GAO/T-AIMD/GGD-99-97, February 24, 1999). Year 2000
    Computing Crisis:  Medicare and the Delivery of Health Services
    Are at Risk (GAO/T-AIMD-99-89, February 24, 1999). Year 2000
    Computing Crisis:  Readiness of State Automated Systems That
    Support Federal Human Services Programs (GAO/T-AIMD-99-91,
    February 24, 1999). Year 2000 Computing Crisis:  Customs Is
    Effectively Managing Its Year 2000 Program (GAO/T-AIMD-99-85,
    February 24, 1999). Page 39
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  Update on the Readiness
    of the Social Security Administration (GAO/T-AIMD-99-90, February
    24, 1999). Year 2000 Computing Crisis:  Challenges Still Facing
    the U.S. Postal Service (GAO/T-AIMD-99-86, February 23, 1999).
    Year 2000 Computing Crisis:  The District of Columbia Remains
    Behind Schedule (GAO/T-AIMD-99-84, February 19, 1999). High-Risk
    Series:  An Update (GAO/HR-99-1, January 1999). Year 2000
    Computing Crisis:  Status of Airports' Efforts to Deal With Date
    Change Problem (GAO/RCED/AIMD-99-57, January 29, 1999). Defense
    Computers:  DOD's Plan for Execution of Simulated Year 2000
    Exercises (GAO/AIMD-99-52R, January 29, 1999). Year 2000 Computing
    Crisis:  Status of Bureau of Prisons' Year 2000 Efforts (GAO/AIMD-
    99-23, January 27, 1999). Year 2000 Computing Crisis:  Readiness
    Improving, But Much Work Remains to Avoid Major Disruptions
    (GAO/T-AIMD-99-50, January 20, 1999). Year 2000 Computing
    Challenge:  Readiness Improving, But Critical Risks Remain (GAO/T-
    AIMD-99-49, January 20, 1999). Status Information:  FAA's Year
    2000 Business Continuity and Contingency Planning Efforts Are
    Ongoing (GAO/AIMD-99-40R, December 4, 1998). Year 2000 Computing
    Crisis:  A Testing Guide (GAO/AIMD-10.1.21, November 1998). Year
    2000 Computing Crisis:  Readiness of State Automated Systems to
    Support Federal Welfare Programs (GAO/AIMD-99-28, November 6,
    1998). Year 2000 Computing Crisis:  Status of Efforts to Deal With
    Personnel Issues (GAO/AIMD/GGD-99-14, October 22, 1998). Year 2000
    Computing Crisis:  Updated Status of Department of Education's
    Information Systems (GAO/T-AIMD-99-8, October 8, 1998). Page 40
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  The District of Columbia
    Faces Tremendous Challenges in Ensuring That Vital Services Are
    Not Disrupted (GAO/T-AIMD-99-4, October 2, 1998). Medicare
    Computer Systems:  Year 2000 Challenges Put Benefits and Services
    in Jeopardy (GAO/AIMD-98-284, September 28, 1998). Year 2000
    Computing Crisis:  Leadership Needed to Collect and Disseminate
    Critical Biomedical Equipment Information (GAO/T-AIMD-98-310,
    September 24, 1998). Year 2000 Computing Crisis:  Compliance
    Status of Many Biomedical Equipment Items Still Unknown (GAO/AIMD-
    98-240, September 18, 1998). Year 2000 Computing Crisis:
    Significant Risks Remain to Department of Education's Student
    Financial Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).
    Year 2000 Computing Crisis:  Progress Made at Department of Labor,
    But Key Systems at Risk (GAO/T-AIMD-98-303, September 17, 1998).
    Year 2000 Computing Crisis:  Federal Depository Institution
    Regulators Are Making Progress, But Challenges Remain (GAO/T-AIMD-
    98-305, September 17, 1998). Year 2000 Computing Crisis:  Federal
    Reserve Is Acting to Ensure Financial Institutions Are Fixing
    Systems But Challenges Remain (GAO/AIMD-98-248, September 17,
    1998). Responses to Questions on FAA's Computer Security and Year
    2000 Program (GAO/AIMD-98-301R, September 14, 1998). Year 2000
    Computing Crisis:  Severity of Problem Calls for Strong Leadership
    and Effective Partnerships (GAO/T-AIMD-98-278, September 3, 1998).
    Year 2000 Computing Crisis:  Strong Leadership and Effective
    Partnerships Needed to Reduce Likelihood of Adverse Impact (GAO/T-
    AIMD-98-277, September 2, 1998). Year 2000 Computing Crisis:
    Strong Leadership and Effective Partnerships Needed to Mitigate
    Risks (GAO/T-AIMD-98-276, September 1, 1998). Page 41
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  State Department Needs To
    Make Fundamental Improvements To Its Year 2000 Program (GAO/AIMD-
    98-162, August 28, 1998). Year 2000 Computing:  EFT 99 Is Not
    Expected to Affect Year 2000 Remediation Efforts (GAO/AIMD-98-
    272R, August 28, 1998). Year 2000 Computing Crisis:  Progress Made
    in Compliance of VA Systems, But Concerns Remain (GAO/AIMD-98-237,
    August 21, 1998). Year 2000 Computing Crisis:  Avoiding Major
    Disruptions Will Require Strong Leadership and Effective
    Partnerships (GAO/T-AIMD-98-267, August 19, 1998). Year 2000
    Computing Crisis:  Strong Leadership and Partnerships Needed to
    Address Risk of Major Disruptions (GAO/T-AIMD-98-266, August 17,
    1998). Year 2000 Computing Crisis:  Strong Leadership and
    Partnerships Needed to Mitigate Risk of Major Disruptions (GAO/T-
    AIMD-98-262, August 13, 1998). FAA Systems:  Serious Challenges
    Remain in Resolving Year 2000 and Computer Security Problems
    (GAO/T-AIMD-98-251, August 6, 1998). Year 2000 Computing Crisis:
    Business Continuity and Contingency Planning (GAO/AIMD-10.1.19,
    August 1998). Internal Revenue Service:  Impact of the IRS
    Restructuring and Reform Act on Year 2000 Efforts (GAO/GGD-98-
    158R, August 4, 1998). Social Security Administration:
    Subcommittee Questions Concerning Information Technology
    Challenges Facing the Commissioner (GAO/AIMD-98-235R, July 10,
    1998). Year 2000 Computing Crisis:  Actions Needed on Electronic
    Data Exchanges (GAO/AIMD-98-124, July 1, 1998). Defense Computers:
    Year 2000 Computer Problems Put Navy Operations at Risk (GAO/AIMD-
    98-150, June 30, 1998). Page 42
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  Testing and Other
    Challenges Confronting Federal Agencies (GAO/T-AIMD-98-218, June
    22, 1998). Year 2000 Computing Crisis:  Telecommunications
    Readiness Critical, Yet Overall Status Largely Unknown (GAO/T-
    AIMD-98-212, June 16, 1998). GAO Views on Year 2000 Testing
    Metrics (GAO/AIMD-98-217R, June 16, 1998). IRS' Year 2000 Efforts:
    Business Continuity Planning Needed for Potential Year 2000 System
    Failures (GAO/GGD-98-138, June 15, 1998). Year 2000 Computing
    Crisis:  Actions Must Be Taken Now to Address Slow Pace of Federal
    Progress (GAO/T-AIMD-98-205, June 10, 1998). Defense Computers:
    Army Needs to Greatly Strengthen Its Year 2000 Program (GAO/AIMD-
    98-53, May 29, 1998). Year 2000 Computing Crisis:  USDA Faces
    Tremendous Challenges in Ensuring That Vital Public Services Are
    Not Disrupted (GAO/T-AIMD-98-167, May 14, 1998). Securities
    Pricing:  Actions Needed for Conversion to Decimals (GAO/T-GGD-98-
    121, May 8, 1998). Year 2000 Computing Crisis:  Continuing Risks
    of Disruption to Social Security, Medicare, and Treasury Programs
    (GAO/T-AIMD-98-161, May 7, 1998). IRS' Year 2000 Efforts:  Status
    and Risks (GAO/T-GGD-98-123, May 7, 1998). Air Traffic Control:
    FAA Plans to Replace Its Host Computer System Because Future
    Availability Cannot Be Assured (GAO/AIMD-98-138R, May 1, 1998).
    Year 2000 Computing Crisis:  Potential for Widespread Disruption
    Calls for Strong Leadership and Partnerships (GAO/AIMD-98-85,
    April 30, 1998). Defense Computers:  Year 2000 Computer Problems
    Threaten DOD Operations (GAO/AIMD-98-72, April 30, 1998). Page 43
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Department of the Interior:  Year 2000 Computing
    Crisis Presents Risk of Disruption to Key Operations (GAO/T-AIMD-
    98-149, April 22, 1998). Tax Administration:  IRS' Fiscal Year
    1999 Budget Request and Fiscal Year 1998 Filing Season (GAO/T-
    GGD/AIMD-98-114, March 31, 1998). Year 2000 Computing Crisis:
    Strong Leadership Needed to Avoid Disruption of Essential Services
    (GAO/T-AIMD-98-117, March 24, 1998). Year 2000 Computing Crisis:
    Federal Regulatory Efforts to Ensure Financial Institution Systems
    Are Year 2000 Compliant (GAO/T-AIMD-98-116, March 24, 1998). Year
    2000 Computing Crisis:  Office of Thrift Supervision's Efforts to
    Ensure Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102,
    March 18, 1998). Year 2000 Computing Crisis:  Strong Leadership
    and Effective Public/Private Cooperation Needed to Avoid Major
    Disruptions (GAO/T-AIMD-98-101, March 18, 1998). Post-Hearing
    Questions on the Federal Deposit Insurance Corporation's Year 2000
    (Y2K) Preparedness (AIMD-98-108R, March 18, 1998). SEC Year 2000
    Report:  Future Reports Could Provide More Detailed Information
    (GAO/GGD/AIMD-98-51, March 6, 1998). Year 2000 Readiness:  NRC's
    Proposed Approach Regarding Nuclear Powerplants (GAO/AIMD-98-90R,
    March 6, 1998). Year 2000 Computing Crisis:  Federal Deposit
    Insurance Corporation's Efforts to Ensure Bank Systems Are Year
    2000 Compliant (GAO/T-AIMD-98-73, February 10, 1998). Year 2000
    Computing Crisis:  FAA Must Act Quickly to Prevent Systems
    Failures (GAO/T-AIMD-98-63, February 4, 1998). FAA Computer
    Systems:  Limited Progress on Year 2000 Issue Increases Risk
    Dramatically (GAO/AIMD-98-45, January 30, 1998). Defense
    Computers:  Air Force Needs to Strengthen Year 2000 Oversight
    (GAO/AIMD-98-35, January 16, 1998). Page 44
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  Actions Needed to Address
    Credit Union Systems' Year 2000 Problem (GAO/AIMD-98-48, January
    7, 1998). Veterans Health Administration Facility Systems:  Some
    Progress Made in Ensuring Year 2000 Compliance, But Challenges
    Remain (GAO/AIMD-98-31R,  November 7, 1997). Year 2000 Computing
    Crisis:  National Credit Union Administration's Efforts to Ensure
    Credit Union Systems Are Year 2000 Compliant (GAO/T-AIMD-98-20,
    October 22, 1997). Social Security Administration:  Significant
    Progress Made in Year 2000 Effort, But Key Risks Remain (GAO/AIMD-
    98-6, October 22, 1997). Defense Computers:  Technical Support Is
    Key to Naval Supply Year 2000 Success (GAO/AIMD-98-7R, October 21,
    1997). Defense Computers:  LSSC Needs to Confront Significant Year
    2000 Issues (GAO/AIMD-97-149,  September 26, 1997). Veterans
    Affairs Computer Systems:  Action Underway Yet Much Work Remains
    To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174, September 25,
    1997). Year 2000 Computing Crisis:  Success Depends Upon Strong
    Management and Structured Approach (GAO/T-AIMD-97-173, September
    25, 1997). Year 2000 Computing Crisis:  An Assessment Guide
    (GAO/AIMD-10.1.14, September 1997). Defense Computers:  SSG Needs
    to Sustain Year 2000 Progress (GAO/AIMD-97-120R, August 19, 1997).
    Defense Computers:  Improvements to DOD Systems Inventory Needed
    for Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997). Defense
    Computers:  Issues Confronting DLA in Addressing Year 2000
    Problems (GAO/AIMD-97-106, August 12, 1997). Defense Computers:
    DFAS Faces Challenges in Solving the Year 2000 Problem (GAO/AIMD-
    97-117, August 11, 1997). Page 45
    GAO/T-AIMD-99-266 GAO Reports and Testimony Addressing the Year
    2000 Crisis Year 2000 Computing Crisis:  Time Is Running Out for
    Federal Agencies to Prepare for the New Millennium (GAO/T-AIMD-97-
    129, July 10, 1997). Veterans Benefits Computer Systems:
    Uninterrupted Delivery of Benefits Depends on Timely Correction of
    Year-2000 Problems (GAO/T-AIMD-97-114, June 26, 1997). Veterans
    Benefits Computer Systems:  Risks of VBA's Year-2000 Efforts
    (GAO/AIMD-97-79, May 30, 1997). Medicare Transaction System:
    Success Depends Upon Correcting Critical Managerial and Technical
    Weaknesses (GAO/AIMD-97-78, May 16, 1997). Medicare Transaction
    System:  Serious Managerial and Technical Weaknesses Threaten
    Modernization (GAO/T-AIMD-97-91, May 16, 1997). Year 2000
    Computing Crisis:  Risk of Serious Disruption to Essential
    Government Functions Calls for Agency Action Now (GAO/T-AIMD-97-
    52, February 27, 1997). Year 2000 Computing Crisis:  Strong
    Leadership Today Needed To Prevent Future Disruption of Government
    Services (GAO/T-AIMD-97-51, February 24, 1997). High-Risk Series:
    Information Management and Technology (GAO/HR-97-9, February
    1997). (511787)    Letter    Page 46
    GAO/T-AIMD-99-266 Ordering Information The first copy of each GAO
    report and testimony is free. Additional copies are $2 each.
    Orders should be sent to the following address, accompanied by a
    check or money order made out to the Superintendent of Documents,
    when necessary, VISA and MasterCard credit cards are accepted,
    also. Orders for 100 or more copies to be mailed to a single
    address are discounted 25 percent. Orders by mail: U.S. General
    Accounting Office P.O. Box 37050 Washington, DC  20013 or visit:
    Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S.
    General Accounting Office Washington, DC Orders may also be placed
    by calling (202) 512-6000 or by using fax number (202) 512-6061,
    or TDD (202) 512-2537. Each day, GAO issues a list of newly
    available reports and testimony.  To receive facsimile copies of
    the daily list or any list from the past 30 days, please call
    (202) 512-6000 using a touchtone phone.  A recorded menu will
    provide information on how to obtain these lists. For information
    on how to access GAO reports on the INTERNET, send an e-mail
    message with "info" in the body to: [email protected] or visit
    GAO's World Wide Web Home Page at: http://www.gao.gov United
    States                        Bulk Mail General Accounting Office
    Postage & Fees Paid Washington, D.C. 20548-0001            GAO
    Permit No. GI00 Official Business Penalty for Private Use $300
    Address Correction Requested

*** End of document. ***