Year 2000 Computing Challenge: Readiness Improving Yet Essential Actions
Remain to Ensure Delivery of Critical Services (Testimony, 08/17/1999,
GAO/T-AIMD-99-268).
Pursuant to a congressional request, GAO discussed the progress being
made in addressing the year 2000 computing challenge, focusing on: (1)
the federal government's progress and the challenges that remain in
correcting its systems; (2) state and local government year 2000 issues;
and (3) the readiness of key public infrastructure and economic sectors.
GAO noted that: (1) the public faces the risk that critical services
provided by the government and the private sector could be severely
disrupted by the year 2000 computing problem; (2) to meet this challenge
and monitor individual agency efforts, the Office of Management and
Budget (OMB) directed the major departments and agencies to submit
quarterly reports on their progress; (3) the federal government's most
recent reports show improvement in addressing the year 2000 problem; (4)
while much work remains, the federal government has significantly
increased its percentage of mission-critical systems that are reported
to be year 2000 compliant; (5) while this progress is notable, OMB
reported that 10 agencies have mission-critical systems that were not
yet compliant; (6) while the overall year 2000 readiness of the
government has improved, GAO's reviews of agency year 2000 programs have
found uneven progress; (7) some agencies had made good progress while
other agencies were significantly behind schedule but had taken actions
to improve their readiness; (8) on March 31, 1999, OMB and the Chair of
the President's Council on Year 2000 Conversion announced that one of
the key priorities that federal agencies will be pursuing during the
rest of 1999 will be cooperative end-to-end testing to demonstrate the
year 2000 readiness of federal programs with states and other partners;
(9) on January 26, 1999, OMB called on federal agencies to identify and
report on the high-level core business functions that are to be
addressed in their business and continuity plans; (10) according to an
OMB official, OMB has received plans from the 24 major agencies and it
will report on the plans' status in its next quarterly report; (11)
according to information on state year 2000 activities reported to the
National Association of State Information Resource Executives as of
August 3, 1999, states reported having thousands of mission-critical
systems; (12) with respect to completing the implementation phase for
these systems: (a) 2 states reported that they had completed between 25
and 49 percent; (b) 6 states reported completing between 50 and 74
percent; and (c) 38 states reported completing 75 percent or more; (13)
beyond the risks faced by federal, state, and local governments, the
year 2000 also poses a serious challenge to the public infrastructure,
key economic sectors, and to other countries; and (14) the Council
reported that important national systems will make a successful
transition to the year 2000 but that much work remains to be done.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: T-AIMD-99-268
TITLE: Year 2000 Computing Challenge: Readiness Improving Yet
Essential Actions Remain to Ensure Delivery of Critical
Services
DATE: 08/17/1999
SUBJECT: Computer software verification and validation
Systems conversions
Y2K
Computer software
State-administered programs
Information resources management
Strategic information systems planning
Data integrity
Federal/state relations
Systems compatibility
IDENTIFIER: Y2K
GAO United States General Accounting Office
Testimony Before the Subcommittee on Government Management,
Information and Technology, Committee on Government Reform, House
of Representatives
For Release on Delivery Expected at 9 a.m. PDT Tuesday, August
17, 1999
YEAR 2000 COMPUTING CHALLENGE Readiness Improving Yet Essential
Actions Remain to Ensure Delivery of Critical Services
Statement of Joel C. Willemssen Director, Civil Agencies
Information Systems Accounting and Information Management Division
GAO/T-AIMD-99-268
Mr. Chairman and Members of the Subcommittee:

Thank you for inviting us to participate in today's hearing on the
Year 2000 problem. According to the report of the President's
Commission on Critical Infrastructure Protection, the United
States, with close to half of all computer capacity and 60 percent
of Internet assets, is the world's most advanced and most
dependent user of information technology.[1] Should these systems,
which perform functions and services critical to our nation,
suffer problems, it could create widespread disruption.
Accordingly, the upcoming change of century is a sweeping and
urgent challenge for public- and private-sector organizations
alike.

Because of its urgent nature and the potentially devastating
impact it could have on critical government operations, in
February 1997 we designated the Year 2000 problem a high-risk area
for the federal government.[2] Since that time, we have issued
over 130 reports and testimony statements detailing specific
findings and numerous recommendations related to the Year 2000
readiness of a wide range of federal agencies.[3] We have also
issued guidance to help organizations successfully address the
issue.[4]

Today, I will highlight the Year 2000 risks facing the nation,
discuss the federal government's progress and challenges that
remain in correcting its systems, identify state and local
government Year 2000 issues, and provide an overview of available
information on the readiness of key public infrastructure and
economic sectors.

[1] Critical Foundations: Protecting America's Infrastructures
(President's Commission on Critical Infrastructure Protection,
October 1997).
[2] High-Risk Series: Information Management and Technology
(GAO/HR-97-9, February 1997).
[3] A list of these publications is included as an attachment to
this statement. These publications can be obtained through GAO's
World Wide Web page at www.gao.gov/y2kr.htm.
[4] Year 2000 Computing Crisis: An Assessment Guide
(GAO/AIMD-10.1.14, issued as an exposure draft in February 1997
and in final form in September 1997), which addresses the key
tasks needed to complete each phase of a Year 2000 program
(awareness, assessment, renovation, validation, and
implementation); Year 2000 Computing Crisis: Business Continuity
and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure
draft in March 1998 and in final form in August 1998), which
describes the tasks needed to ensure the continuity of agency
operations; and Year 2000 Computing Crisis: A Testing Guide
(GAO/AIMD-10.1.21, issued as an exposure draft in June 1998 and in
final form in November 1998), which discusses the need to plan and
conduct Year 2000 tests in a structured and disciplined fashion.

The Public Faces Risk of Year 2000 Disruptions

The public faces the risk that critical services provided by the
government and the private sector could be severely disrupted by
the Year 2000 computing problem. Financial transactions could be
delayed, flights grounded, power lost, and national defense
affected. Moreover, America's infrastructures are a complex array
of public and private enterprises with many interdependencies at
all levels. These many interdependencies among governments and
within key economic sectors could cause a single failure to have
adverse repercussions in other sectors. Key sectors that could be
seriously affected if their systems are not Year 2000 compliant
include information and telecommunications; banking and finance;
health, safety, and emergency services; transportation; power and
water; and manufacturing and small business.

The following are examples of some of the major disruptions the
public and private sectors could experience if the Year 2000
problem is not corrected.

With respect to aviation, there could be grounded or delayed
flights, degraded safety, customer inconvenience, and increased
airline costs.[5]

Aircraft and other military equipment could be grounded because
the computer systems used to schedule maintenance and track
supplies may not work. Further, the Department of Defense could
incur shortages of vital items needed to sustain military
operations and readiness.[6]

Medical devices and scientific laboratory equipment may experience
problems beginning January 1, 2000, if their software applications
or embedded chips use two-digit fields to represent the year.

Recognizing the seriousness of the Year 2000 problem, on February
4, 1998, the President signed an executive order that established
the President's Council on Year 2000 Conversion, chaired by an
Assistant to the President and consisting of one representative
from each of the executive departments and from other federal
agencies as may be determined by the Chair. The Chair of the
Council was tasked with the following Year 2000 roles: (1)
overseeing the activities of agencies, (2) acting as chief
spokesperson in national and international forums, (3) providing
policy coordination of executive branch activities with state,
local, and tribal governments, and (4) promoting appropriate
federal roles with respect to private-sector activities.

[5] FAA Systems: Serious Challenges Remain in Resolving Year 2000
and Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998)
and Year 2000 Computing Crisis: FAA Is Making Progress But
Important Challenges Remain (GAO/T-AIMD/RCED-99-118, March 15,
1999).
[6] Defense Computers: Year 2000 Computer Problems Threaten DOD
Operations (GAO/AIMD-98-72, April 30, 1998).

Improvements Made But Much Work Remains

Addressing the Year 2000 problem is a tremendous challenge for the
federal government. Many of the federal government's computer
systems were originally designed and developed 20 to 25 years ago,
are poorly documented, and use a wide variety of computer
languages, many of which are obsolete. Some applications include
thousands, tens of thousands, or even millions of lines of code,
each of which must be examined for date-format problems.

To meet this challenge and monitor individual agency efforts, the
Office of Management and Budget (OMB) directed the major
departments and agencies to submit quarterly reports on their
progress, beginning May 15, 1997. These reports contain
information on where agencies stand with respect to the
assessment, renovation, validation, and implementation of
mission-critical systems, as well as other management information
on items such as costs and business continuity and contingency
plans.

The federal government's most recent reports show improvement in
addressing the Year 2000 problem. While much work remains, the
federal government has significantly increased its percentage of
mission-critical systems that are reported to be Year 2000
compliant, as figure 1 illustrates. In particular, while the
federal government did not meet its goal of having all
mission-critical systems compliant by March 1999, as of mid-May
1999, 93 percent of these systems were reported compliant.

Figure 1: Mission-Critical Systems Reported Year 2000 Compliant,
May 1997 Through May 1999
[Figure not reproduced. Vertical axis: 0% to 100%; horizontal
axis: quarterly reports from May-97 through May-99.]
Source: May 1997 through May 1999 data are from the OMB quarterly
reports.

While this reported progress is notable, OMB also noted that 10
agencies have mission-critical systems that were not yet
compliant.[7] In addition, as we testified in April, some of the
systems that were not yet compliant support vital government
functions.[8] For example, some of the systems that were not
compliant were among the 26 mission-critical systems that the
Federal Aviation Administration (FAA) has identified as posing the
greatest risk to the National Airspace System, the network of
equipment, facilities, and information that supports U.S. aviation
operations.

Additionally, not all systems have undergone an independent
verification and validation process. For example, in April 1999
the Department of Commerce awarded a contract for independent
verification and validation reviews of approximately 40
mission-critical systems that support that department's most
critical business processes. These reviews are to continue through
the summer of 1999. In some cases, independent verification and
validation of compliant systems have found serious problems. For
example, as we testified this past February,[9] none of 54
external mission-critical systems of the Health Care Financing
Administration reported by the Department of Health and Human
Services (HHS) as compliant as of December 31, 1998, was Year 2000
ready at that time, based on serious qualifications identified by
the independent verification and validation contractor.

[7] The 10 agencies were the Departments of Agriculture, Commerce,
Defense, Energy, Health and Human Services, Justice,
Transportation, and the Treasury and the National Aeronautics and
Space Administration and the U.S. Agency for International
Development.
[8] Year 2000 Computing Challenge: Federal Government Making
Progress But Critical Issues Must Still Be Addressed to Minimize
Disruptions (GAO/T-AIMD-99-144, April 14, 1999).

Reviews Show Uneven Federal Agency Progress

While the overall Year 2000 readiness of the government has
improved, our reviews of federal agency Year 2000 programs have
found uneven progress. Some agencies had made good progress while
other agencies were significantly behind schedule but had taken
actions to improve their readiness. For example:

In October 1997, we reported that while the Social Security
Administration (SSA) had made significant progress in assessing
and renovating mission-critical mainframe software, certain areas
of risk in its Year 2000 program remained.[10] Accordingly, we
made several recommendations to address these risk areas, which
included the Year 2000 compliance of the systems used by the 54
state Disability Determination Services[11] that help administer
the disability programs. SSA agreed with these recommendations
and, in July 1999, we reported that actions to implement these
recommendations had either been taken or were underway.[12] For
example, regarding the state Disability Determination Services
systems, SSA enhanced its monitoring and oversight by establishing
a full-time project team, designating project managers and
coordinators, and requesting biweekly reports. While actions such
as these demonstrated SSA's leadership in addressing the Year 2000
problem, it still needed to complete critical tasks to ensure
readiness, including (1) ensuring the compliance of all external
data exchanges, (2) completing tasks outlined in its contingency
plans, (3) certifying the compliance of one remaining
mission-critical system, (4) completing hardware and software
upgrades in the Office of Telecommunications and Systems
Operations, and (5) correcting date field errors identified
through its quality assurance process.

In May 1999, we testified[13] that the Department of Education had
made progress toward addressing the significant risks we had
identified in September 1998[14] related to systems testing,
exchanging data with internal and external partners, and
developing business continuity and contingency plans.
Nevertheless, work remained ongoing in these areas. For example,
Education had scheduled a series of tests with its data exchange
partners, such as schools, through the early part of the fall.
Tests such as these are important since Education's student
financial aid environment is very large and complex, including
over 7,000 schools, 6,500 lenders, and 36 guaranty agencies, as
well as other federal agencies; we have reported that Education
has experienced serious data integrity problems in the past.[15]
Accordingly, our May testimony stated that Education needed to
continue end-to-end testing of critical business processes
involving Education's internal systems and its external data
exchange partners and continue its outreach activities with
schools, guaranty agencies, and other participants in the student
financial aid community.

Our work has shown that the Department of Defense and the military
services face significant problems.[16] This March we testified
that despite considerable progress made in the preceding 3 months,
the department was still well behind schedule.[17] We found that
the Department of Defense faced two significant challenges: (1)
completing remediation and testing of its mission-critical systems
and (2) having a reasonable level of assurance that key processes
will continue to work on a day-to-day basis and key operational
missions necessary for national defense can be successfully
accomplished. We concluded that such assurance could only be
provided if Defense took steps to improve its visibility over the
status of key business processes.

[9] Year 2000 Computing Crisis: Readiness Status of the Department
of Health and Human Services (GAO/T-AIMD-99-92, February 26,
1999).
[10] Social Security Administration: Significant Progress Made in
Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22,
1997).
[11] These include the systems in all 50 states, the District of
Columbia, Guam, Puerto Rico, and the Virgin Islands.
[12] Social Security Administration: Update on Year 2000 and Other
Key Information Technology Initiatives (GAO/T-AIMD-99-259, July
29, 1999).
[13] Year 2000 Computing Challenge: Education Taking Needed
Actions But Work Remains (GAO/T-AIMD-99-180, May 12, 1999).
[14] Year 2000 Computing Crisis: Significant Risks Remain to
Department of Education's Student Financial Aid Systems
(GAO/T-AIMD-98-302, September 17, 1998).
[15] Student Financial Aid Information: Systems Architecture
Needed to Improve Programs' Efficiency (GAO/AIMD-97-122, July 29,
1997).
[16] Defense Computers: Year 2000 Computer Problems Put Navy
Operations at Risk (GAO/AIMD-98-150, June 30, 1998); Defense
Computers: Army Needs to Greatly Strengthen Its Year 2000 Program
(GAO/AIMD-98-53, May 29, 1998); GAO/AIMD-98-72, April 30, 1998;
and Defense Computers: Air Force Needs to Strengthen Year 2000
Oversight (GAO/AIMD-98-35, January 16, 1998).

End-to-End Testing Must Be Completed

While it is important to achieve compliance for individual
mission-critical systems, realizing such compliance alone does not
ensure that business functions will continue to operate through
the change of century, the ultimate goal of Year 2000 efforts. The
purpose of end-to-end testing is to verify that a defined set of
interrelated systems, which collectively support an organizational
core business area or function, will work as intended in an
operational environment. In the case of the year 2000, many
systems in the end-to-end chain will have been modified or
replaced. As a result, the scope and complexity of testing and its
importance are dramatically increased, as is the difficulty of
isolating, identifying, and correcting problems. Consequently,
agencies must work early and continually with their data exchange
partners to plan and execute effective end-to-end tests. (Our Year
2000 testing guide sets forth a structured approach to testing,
including end-to-end testing.[18])

In January, we testified that with the time available for
end-to-end testing diminishing, OMB should consider, for the
government's most critical functions, setting target dates, and
having agencies report against them, for the development of
end-to-end test plans, the establishment of test schedules, and
the completion of the tests.[19] On March 31, OMB and the Chair of
the President's Council on Year 2000 Conversion announced that one
of the key priorities that federal agencies will be pursuing
during the rest of 1999 will be cooperative end-to-end testing to
demonstrate the Year 2000 readiness of federal programs with
states and other partners.

[17] Year 2000 Computing Crisis: Defense Has Made Progress, But
Additional Management Controls Are Needed (GAO/T-AIMD-99-101,
March 2, 1999).
[18] GAO/AIMD-10.1.21, November 1998.
[19] Year 2000 Computing Crisis: Readiness Improving, But Much
Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January
20, 1999).

Agencies have also acted to address end-to-end testing. For
example, our March FAA testimony[20] found that the agency had
addressed our prior concerns about the lack of detail in its draft
end-to-end test program plan and had developed a detailed
end-to-end testing strategy and plans.[21] Also, in June 1999 we
reported[22] that the Department of Defense had underway or
planned hundreds of related Year 2000 end-to-end test and
evaluation activities and that, thus far, it was taking steps to
ensure that these related end-to-end tests were effectively
coordinated. However, we concluded that the Department of Defense
was far from successfully finishing its various Year 2000
end-to-end test activities and that it must complete efforts to
establish end-to-end management controls, such as establishing an
independent quality assurance program.

Business Continuity and Contingency Plans Are Needed

Business continuity and contingency plans are essential. Without
such plans, when unpredicted failures occur, agencies will not
have well-defined responses and may not have enough time to
develop and test alternatives. Federal agencies depend on data
provided by their business partners as well as on services
provided by the public infrastructure (e.g., power, water,
transportation, and voice and data telecommunications). One weak
link anywhere in the chain of critical dependencies can cause
major disruptions to business operations. Given these
interdependencies, it is imperative that contingency plans be
developed for all critical core business processes and supporting
systems, regardless of whether these systems are owned by the
agency. Accordingly, in April 1998 we recommended that the Council
require agencies to develop contingency plans for all critical
core business processes.[23]

OMB has clarified its contingency plan instructions and, along
with the Chief Information Officers Council, has adopted our
business continuity and contingency planning guide.[24] In
particular, on January 26, 1999, OMB called on federal agencies to
identify and report on the high-level core business functions that
are to be addressed in their business continuity and contingency
plans, as well as to provide key milestones for development and
testing of such plans in their February 1999 quarterly reports. In
addition, on May 13 OMB required agencies to submit high-level
versions of these plans by June 15. According to an OMB official,
OMB has received plans from the 24 major departments and agencies.
This official stated that OMB planned to review the plans, discuss
them with the agencies, determine whether there were any common
themes, and report on the plans' status in its next quarterly
report.

To provide assurance that agencies' business continuity and
contingency plans will work if needed, on January 20 we suggested
that OMB may want to consider requiring agencies to test their
business continuity strategy and set a target date, such as
September 30, 1999, for the completion of this validation.[25] Our
review of the 24 major departments and agencies' May 1999
quarterly reports found 14 cases in which agencies did not
identify test dates for their business continuity and contingency
plans or reported test dates subsequent to September 30, 1999.

[20] GAO/T-AIMD/RCED-99-118, March 15, 1999.
[21] GAO/T-AIMD-98-251, August 6, 1998.
[22] Defense Computers: Management Controls Are Critical to
Effective Year 2000 Testing (GAO/AIMD-99-172, June 30, 1999).
[23] Year 2000 Computing Crisis: Potential for Widespread
Disruption Calls for Strong Leadership and Partnerships
(GAO/AIMD-98-85, April 30, 1998).
[24] GAO/AIMD-10.1.19, August 1998.

On March 31, OMB and the Chair of the President's Council
announced that completing and testing business continuity and
contingency plans as insurance against disruptions to federal
service delivery and operations from Year 2000-related failures
will be one of the key priorities that federal agencies will be
pursuing through the rest of 1999. Accordingly, OMB should
implement our suggestion and establish a target date for the
validation of agency business continuity and contingency plans.

Our reviews of specific agency business continuity and contingency
plans have found that agencies are in varying stages of
completion. For example:

We testified in July 1999 that SSA was in the process of testing
all of its contingency plans, with expected completion in
September.[26] In addition, SSA planned to assist the Department
of the Treasury in developing alternative disbursement processes
for problematic financial institutions.

This June, we testified that the U.S. Customs Service had
implemented sound management processes for developing business
continuity and contingency plans and was in the process of testing
its plans.[27] Customs expected to complete contingency plan
testing by October 1999.

In May 1999, we reported[28] that the Department of Agriculture's
component agencies were actively engaged in developing business
continuity and contingency plans but that much work remained to
complete and test these plans. Further, its December 1999
departmentwide goal of completing business continuity and
contingency plans left no room for delays or sufficient time for
correcting, revising, and retesting plans, if necessary.
Consequently, we recommended that the Department of Agriculture
advance its time frame to no later than September 30, 1999, and
develop priorities for completing and testing business continuity
and contingency plans that are aligned with the department's
highest priority business processes, to ensure that remaining work
addresses these processes first. The Department of Agriculture's
Chief Information Officer stated that the department planned to
implement our recommendations.

This June, we reported[29] that the General Services
Administration had completed its telecommunications business
continuity and contingency plan in September 1998. However, we
made several suggestions for enhancing this plan, including that
the General Services Administration work with its customers to
ensure that the customers' business continuity and contingency
plans are fully coordinated with the General Services
Administration's plan and that it consider the possibility of
partial loss of service. The General Services Administration
agreed to implement our suggestions.

[25] GAO/T-AIMD-99-50, January 20, 1999.
[26] GAO/T-AIMD-99-259, July 29, 1999.

OMB Action Could Help Ensure Business Continuity of High-Impact
Programs

While individual agencies have been identifying and remediating
mission-critical systems, the government's future actions need to
be focused on its high-priority programs and ensuring the
continuity of these programs, including the continuity of federal
programs that are administered by states. Accordingly,
governmentwide priorities need to be based on such criteria as the
potential for adverse health and safety effects, adverse financial
effects on American citizens, detrimental effects on national
security, and adverse economic consequences. In April 1998, we
recommended that the President's Council on Year 2000 Conversion
establish governmentwide priorities and ensure that agencies set
agencywide priorities.[30] On March 26, OMB implemented our
recommendation by issuing a memorandum to federal agencies
designating lead agencies for the government's 42 high-impact
programs (e.g., food stamps, Medicare, and federal electric power
generation and delivery). (OMB later added a 43rd high-impact
program, the Department of Justice's National Crime Information
Center.) Appendix I lists these programs and their lead agencies.

For each program, the lead agency was charged with identifying to
OMB the partners integral to program delivery; taking a leadership
role in convening those partners; assuring that each partner has
an adequate Year 2000 plan and, if not, helping each partner
without one; and developing a plan to ensure that the program will
operate effectively. According to OMB, such a plan might include
testing data exchanges across partners, developing complementary
business continuity and contingency plans, sharing key information
on readiness with other partners and the public, and taking other
steps necessary to ensure that the program will work. OMB directed
the lead agencies to provide a schedule and milestones of key
activities in their plans by April 15. OMB also asked agencies to
provide monthly progress reports. As you know, we are currently
reviewing agencies' progress in ensuring the readiness of their
high-impact programs for this Subcommittee.

[27] Year 2000 Computing Crisis: Customs Is Making Good Progress
(GAO/T-AIMD-99-225, June 29, 1999).
[28] Year 2000 Computing Crisis: USDA Needs to Accelerate Time
Frames for Completing Contingency Planning (GAO/AIMD-99-178, May
21, 1999).
[29] GSA's Effort to Develop Year 2000 Business Continuity and
Contingency Plans for Telecommunications Systems
(GAO/AIMD-99-201R, June 16, 1999).

State and Local Governments Face Significant Year 2000 Risks

Just as the federal government faces significant Year 2000 risks,
so too do state and local governments. If the Year 2000 problem is
not properly addressed, for example, (1) food stamps and other
types of payments may not be made or could be made for incorrect
amounts, (2) date-dependent signal timing patterns could be
incorrectly implemented at highway intersections, with safety
severely compromised, and (3) prisoner release or parole
eligibility determinations may be adversely affected.
Nevertheless, available information on the Year 2000 readiness of
state and local governments indicates that much work remains.

[30] GAO/AIMD-98-85, April 30, 1998.

According to information on state Year 2000 activities reported to
the National Association of State Information Resource Executives
as of August 3, 1999,[31] states[32] reported having thousands of
mission-critical systems.[33] With respect to completing the
implementation phase for these systems, 2 states[34] reported that
they had completed between 25 and 49 percent, 6 states[35] reported
completing between 50 and 74 percent, 38 states[36] reported
completing between 75 and 99 percent, and 3 states reported
completing the implementation phase for all mission-critical
systems.[37] All of the states responding to the National
Association of State Information Resource Executives survey
reported that they were actively engaged in internal and external
contingency planning and that they had established target dates for
the completion of these plans; 14 states (28 percent) reported the
deadline as October 1999 or later.

State audit organizations have also identified significant Year
2000 concerns. In January, the National State Auditors Association
reported on the results of its mid-1998 survey of Year 2000
compliance among states.[38] This report stated that for the 12
state audit organizations that provided Year 2000-related reports,
concerns had been raised in areas such as planning, testing,
embedded systems, business continuity and contingency planning, and
the adequacy of resources to address the problem. We identified
additional products by 17 state-level audit organizations and Guam
that discussed the Year 2000 problem and that had been issued since
October 1, 1998. Several of these state-level audit organizations
noted that progress had been made. However, the audit organizations
also expressed concerns that were consistent with those reported by
the National State Auditors Association. For example:

- In December 1998 the Vermont State Auditor reported[39] that the
  state Chief Information Officer did not have a comprehensive
  control list of the state's information technology systems.
  Accordingly, the audit office stated that even if all
  mission-critical state systems were checked, these systems could
  be endangered by information technology components that had not
  been checked or by linkages with the state's external electronic
  partners.

- In April, New York's Division of Management Audit and State
  Financial Services reported that state agencies did not
  adequately control the critical process of testing remediated
  systems.[40] Further, most agencies were in the early stages of
  addressing potential problems related to data exchanges and
  embedded systems and none had completed substantive work on
  contingency planning. The New York audit office subsequently
  issued 27 reports on individual mission-critical and
  high-priority systems that included concerns about, for example,
  contingency planning and testing.

- In February, the California State Auditor reported[41] that key
  agencies responsible for emergency services, corrections, and
  water resources, among other areas, had not fully addressed
  embedded technology-related threats. Regarding emergency
  services, the California report stated that if remediation of the
  embedded technology in its networks was not completed, the Office
  of Emergency Services might have to rely on cumbersome manual
  processes, significantly increasing response time to disasters.

- In March, Oregon's Audits Division reported[42] that 11 of the 12
  state agencies reviewed did not have business continuity plans
  addressing potential Year 2000 problems for their core business
  functions.

- In March, North Carolina's State Auditor reported[43] that
  resource restrictions had limited the state's Year 2000 Project
  Office's ability to verify data reported by state agencies.

[31] Individual states submit periodic updates to the National
Association of State Information Resource Executives. For the
August 3 report, over three quarters of the states submitted their
data after July 1, 1999. The oldest data were provided on March 11
and the most recent data on August 2.
[32] In the context of the National Association of State
Information Resource Executives survey, the term states includes
the District of Columbia and Puerto Rico.
[33] Mission-critical systems were defined as those that a state
had identified as priorities for prompt remediation.
[34] One state reported on its mission-critical systems and one
state reported on its processes.
[35] Five states reported on their mission-critical systems and one
reported on all systems.
[36] Thirty-one states reported on their mission-critical systems,
2 states reported on their applications, 1 reported on its priority
business activities, 1 reported on its critical compliance units, 1
reported on all systems, 1 reported on functions, and 1 reported on
projects.
[37] Two states did not respond to the survey and one did not
respond to this question.
[38] Year 2000: State Compliance Efforts (National State Auditors
Association, January 1999).
[39] Vermont State Auditor's Report on State Government's Year 2000
Preparedness (Y2K Compliance) for the Period Ending November 1,
1998 (Office of the State Auditor, December 31, 1998).
[40] New York's Preparation for the Year 2000: A Second Look
(Office of the State Comptroller, Division of Management Audit and
State Financial Services, Report 98-S-21, April 5, 1999).
[41] Year 2000 Computer Problem: The State's Agencies Are
Progressing Toward Compliance but Key Steps Remain Incomplete
(California State Auditor, February 18, 1999).

It is also essential that local government systems be ready for
the change of century since critical functions involving, for
example, public safety and traffic management are performed at the
local level. Recent reports on local governments have highlighted
Year 2000 concerns. For example:

- On July 15, we reported on the reported Year 2000 status of the
  21 largest U.S. cities.[44] On average, cities reported
  completing work for 45 percent of the key service areas in which
  they have responsibility. In addition, 2 cities reported that
  they had completed their Year 2000 efforts, 9 cities expected to
  complete their Year 2000 preparations by September 30, 1999, and
  the remaining 10 cities expected to complete their preparation by
  December 31.[45] In addition, 7 cities reported completing Year
  2000 contingency plans, while 14 cities reported that their plans
  were still being developed.

- On July 9, the National League of Cities reported on its survey
  of 403 cities conducted in April 1999. This survey found that (1)
  92 percent of cities had a citywide Year 2000 plan, (2) 74
  percent had completed their assessment of critical systems, and
  (3) 66 percent had prepared contingency plans. (Of those that had
  not completed such plans, about half stated that they were
  planning to develop one.) In addition, 92 percent of the cities
  reported that they expect that all of their critical systems will
  be compliant by January 1, 2000; 5 percent expected to have
  completed between 91 and 99 percent, and 3 percent expected to
  have completed between 81 and 90 percent of their critical
  systems by January 1.

- On June 23, the National Association of Counties announced the
  results of its April survey of 500 randomly selected counties.
  This survey found that (1) 74 percent of respondents had a
  countywide plan to address Year 2000 issues, (2) 51 percent had
  completed system assessments, and (3) 27 percent had completed
  system testing. In addition, 190 counties had prepared
  contingency plans and 289 had not. Further, of the 114 counties
  reporting that they planned to develop Year 2000 contingency
  plans, 22 planned to develop the plan in April-June, 64 in
  July-September, 18 in October-December, and 10 did not yet know.

[42] Department of Administrative Services Year 2000 Statewide
Project Office Review (Secretary of State, Audits Division, State
of Oregon Report No. 99-05, March 16, 1999).
[43] Department of Commerce, Information Technology Services Year
2000 Project Office (Office of the State Auditor, State of North
Carolina, March 18, 1999).
[44] Reported Y2K Status of the 21 Largest U.S. Cities
(GAO/AIMD-99-246R, July 15, 1999).
[45] In most cities, the majority of city services are scheduled to
be completed before this completion date. For example, Los Angeles
plans to have all key city systems ready by September 30, except
for its wastewater treatment systems, which are expected to be
completed in November.

Of critical importance to the nation are services essential to the
safety and well-being of individuals across the country, namely
9-1-1 systems and law enforcement. For the most part,
responsibility for ensuring continuity of service for 9-1-1 calls
and law enforcement resides with thousands of state and local
jurisdictions. On April 29, we testified that not enough was known
about the status of either 9-1-1 systems or of state and local law
enforcement activities to conclude about either's ability during
the transition to the year 2000 to meet the public safety and
well-being needs of local communities across the nation.[46] While
the federal government planned additional actions to determine the
status of these areas, we stated that the President's Council on
Year 2000 Conversion should use such information to identify
specific risks and develop appropriate strategies and contingency
plans to respond to those risks. We subsequently reported[47] that
the Federal Emergency Management Agency and the Department of
Justice have worked to increase the response rate to a survey of
public safety organizations. As of June 30, 1999, of the over 2,200
9-1-1 sites responding (about half of the 9-1-1 call answering
sites in the United States), 37 percent reported that they were
ready for the year 2000. Another 55 percent responded that they
expected to be Year 2000 compliant in time for the change of
century.

Recognizing the seriousness of the Year 2000 risks facing state and
local governments, the President's Council has developed
initiatives to address the readiness of state and local
governments. For example:

- The Council established working groups on state and local
  governments and tribal governments.

- Council officials participate in monthly multistate conference
  calls.

- In July 1998 and March 1999, the Council, in partnership with the
  National Governors' Association, convened Year 2000 summits with
  state and U.S. territory Year 2000 coordinators.

- On May 24, the Council announced a nationwide campaign to promote
  Y2K Community Conversations to support and encourage efforts of
  government officials, business leaders, and interested citizens
  to share information on their progress. To support this
  initiative, the Council has developed and is distributing a
  toolkit that provides examples of which sectors should be
  represented at these events and issues that should be addressed.

[46] Year 2000 Computing Challenge: Status of Emergency and State
and Local Law Enforcement Systems Is Still Unknown
(GAO/T-AIMD-99-163, April 29, 1999).
[47] Emergency and State and Local Law Enforcement Systems:
Committee Questions Concerning Year 2000 Challenges
(GAO/AIMD-99-247R, July 14, 1999).

State-Administered Federal Human Services Programs Are at Risk

Among the critical functions performed by states is the
administration of federal human services programs. As we reported
in November 1998, many systems that support state-administered
federal human services programs were at risk, and much work
remained to ensure that services would continue.[48] In February of
this year, we testified that while some progress had been achieved,
many states' systems were not scheduled to become compliant until
the last half of 1999.[49] Accordingly, we concluded that given
these risks, business continuity and contingency planning was even
more important in ensuring continuity of program operations and
benefits in the event of systems failures.

Subsequent to our November 1998 report, OMB directed federal
oversight agencies to include the status of selected state human
services systems in their quarterly reports. Specifically, in
January 1999, OMB requested that agencies describe actions to help
ensure that federally supported, state-run programs will be able to
provide services and benefits. OMB further asked that agencies
report the date when each state's systems will be Year 2000
compliant.

[48] Year 2000 Computing Crisis: Readiness of State Automated
Systems to Support Federal Welfare Programs (GAO/AIMD-99-28,
November 6, 1998).
[49] Year 2000 Computing Crisis: Readiness of State Automated
Systems That Support Federal Human Services Programs
(GAO/T-AIMD-99-91, February 24, 1999).
Table 1 summarizes the latest information on state-administered
federal human services programs reported by OMB on June 15,
1999.[50] This information was gathered, but not verified, by the
Departments of Agriculture, HHS, and Labor.[51] It indicates that
while many states reported their programs to be compliant, a
number of states did not plan to complete Year 2000 efforts until
the last quarter of 1999. For example, eight states did not expect
to be compliant until the last quarter of 1999 for Child Support
Enforcement, five states for Unemployment Insurance, and four
states for Child Nutrition. Moreover, Year 2000 readiness
information was unknown in many cases. For example, according to
OMB, the status of 32 states' Low Income Home Energy Assistance
programs was unknown because applicable readiness information was
not available.

[50] For Medicaid, OMB reports on the two primary systems that
states use to administer the program: (1) the Integrated
Eligibility System, to determine whether an individual applying
for Medicaid meets the eligibility criteria for participation, and
(2) the Medicaid Management Information System, to process claims
and deliver payments for services rendered. Integrated eligibility
systems are also often used to determine eligibility for other
public assistance programs, such as Food Stamps.
[51] The Department of Agriculture oversees the Child Nutrition,
Food Stamp, and the Women, Infants, and Children programs. HHS
oversees the Child Care, Child Support Enforcement, Child Welfare,
Low Income Home Energy Assistance, Medicaid, and Temporary
Assistance for Needy Families programs. The Department of Labor
oversees the Unemployment Insurance program.
Table 1: Reported State-Level Readiness for Federally Supported
Programs

                                                        Expected Date of 1999 Compliance
Program[a]                                 Compliant[b] Jan.-March April-June July-Sept. Oct.-Dec. Unknown[c] N/A[d]
Child Nutrition                                      29          0          9         10         4          2      0
Food Stamps                                          25          0         12         14         3          0      0
Women, Infants, and Children                         33          0         11          7         3          0      0
Child Care                                           24          5          5          8         2          6      4
Child Support Enforcement                            15          4         13          8         8          6      0
Child Welfare                                        20          5          9         11         3          5      1
Low Income Home Energy Assistance Program            10          0          3          7         1         32      1
Medicaid Integrated Eligibility System               20          0         15         15         4          0      0
Medicaid Management Information System               17          0         19         14         4          0      0
Temporary Assistance for Needy Families              19          3         12         15         1          4      0
Unemployment Insurance                               27          0         11         10         5          0      1

Note: This table contains readiness information from the 50
states, the District of Columbia, Guam, Puerto Rico, and the
Virgin Islands.
[a] According to OMB, the information regarding Child Care, Child
Support Enforcement, the Low Income Home Energy Assistance Program,
Medicaid, and Temporary Assistance for Needy Families was as of
January 31, 1999; and the information for Child Nutrition, Food
Stamps, and Women, Infants and Children was as of March 1999.
However, OMB provided a draft table to the National Association of
State Information Resource Executives, which, in turn, provided
the draft table to the states. The states were asked to contact
HHS and Agriculture and provide corrections by June 1, 1999. For
their part, HHS and Agriculture submitted updated state data to
OMB in early June. The information regarding Unemployment
Insurance was as of March 31, 1999.
[b] In many cases, the report indicated a date instead of whether
the state was compliant. We assumed that states reporting
completion dates in 1998 or earlier were compliant.
[c] Unknown indicates that according to OMB, the data reported by
the states were unclear or that no information was reported by the
agency.
[d] N/A indicates that the states or territories reported that the
data requested were not applicable to them.
Source: Progress on Year 2000 Conversion: 9th Quarterly Report
(OMB, issued on June 15, 1999).

Although many states have reported their state-administered
programs to be compliant, additional work beyond individual system
completion likely remains, such as end-to-end testing. For
example, of the states that OMB reported as having compliant
Medicaid management information and/or integrated eligibility
systems, at least four and five states, respectively, had not
completed end-to-end testing.
In addition to obtaining state-reported readiness status
information for OMB, the three federal departments are taking
other actions to assess the ability of state-administered
programs to continue into the next century. However, as table 2
shows, the approaches of the three departments in assessing the
readiness of state-administered federal human services programs
vary significantly. For example, HHS' Health Care Financing
Administration (HCFA) hired a contractor to perform comprehensive
on-site reviews in all states, some more than once, using a
standard methodology. Agriculture's Food and Nutrition Service
(FNS) approach includes such actions as having regional offices
monitor state Year 2000 efforts and obtaining state certifications
of compliance. The Department of Labor is relying on its regional
offices to monitor state Year 2000 efforts as well as requiring
states to obtain and submit independent verification and
validation reports after declaring their systems compliant.
Table 2: Number and Types of Assessments Performed

Each entry below lists the agency/program, the number of states
assessed, and the three areas covered by assessments: project
management/planning, test plans/results, and business continuity
and contingency plans (BCCP).

Agency/program: Agriculture/Child Nutrition Program
  Number of states assessed: Component entity's regional offices
    are monitoring all states' efforts
  Project management/planning: Varies by region
  Test plans/results: Varies by region
  BCCP: Varies by region

Agency/program: Agriculture/Food Stamps
  Number of states assessed: Component entity's regional offices
    are monitoring all states' efforts
  Project management/planning: Varies by region
  Test plans/results: Varies by region
  BCCP: Varies by region

Agency/program: Agriculture/Women, Infants, and Children
  Number of states assessed: Component entity's regional offices
    are monitoring all states' efforts
  Project management/planning: Varies by region
  Test plans/results: Varies by region
  BCCP: Varies by region

Agency/program: HHS/Child Care
  Number of states assessed: As of July 2, a contractor had
    conducted on-site reviews of 20 states
  Project management/planning: Yes
  Test plans/results: Yes; all visits included reviews of test
    plans and, where applicable, test results
  BCCP: Partial; on-site visits included reviews of states' BCCP
    processes, but not their content

Agency/program: HHS/Child Support Enforcement
  Number of states assessed: As of July 2, a contractor had
    conducted on-site reviews of 20 states
  Project management/planning: Yes
  Test plans/results: Yes; all visits included reviews of test
    plans and, where applicable, test results
  BCCP: Partial; on-site visits included reviews of states' BCCP
    processes, but not their content

Agency/program: HHS/Child Welfare
  Number of states assessed: As of July 2, a contractor had
    conducted on-site reviews of 20 states
  Project management/planning: Yes
  Test plans/results: Yes; all visits included reviews of test
    plans and, where applicable, test results
  BCCP: Partial; on-site visits included reviews of states' BCCP
    processes, but not their content

Agency/program: HHS/Low Income Housing Energy Assistance Program
  Number of states assessed: As of July 2, a contractor had
    conducted on-site reviews of 20 states
  Project management/planning: Yes
  Test plans/results: Yes; all visits included reviews of test
    plans and, where applicable, test results
  BCCP: Partial; on-site visits included reviews of states' BCCP
    processes, but not their content

Agency/program: HHS/Medicaid
  Number of states assessed: A contractor conducted on site
    reviews of 50 states and the District of Columbia once, and,
    as of June 30, the contractor had conducted follow-up reviews
    of 14 states
  Project management/planning: Yes
  Test plans/results: Yes; all visits included reviews of test
    plans and, where applicable, test results
  BCCP: Partial; initial visits included reviews of states' BCCP
    processes, and as of July 9, a contractor had reviewed the
    content of 42 states' BCCPs, either on site or at headquarters

Agency/program: HHS/Temporary Assistance for Needy Families
  Number of states assessed: As of July 2, a contractor had
    conducted on-site reviews of 20 states
  Project management/planning: Yes
  Test plans/results: Yes; all visits included reviews of test
    plans and, where applicable, test results
  BCCP: Partial; on-site visits included reviews of states' BCCP
    processes, but not their content

Agency/program: Labor/Unemployment Insurance
  Number of states assessed: Labor's regional offices are
    monitoring all states' efforts
  Project management/planning: Unknown; not specifically addressed
    in methodology
  Test plans/results: Unknown; not specifically addressed in
    methodology
  BCCP: Reviews ongoing
In addition to the completed reviews, all of the departments have
ongoing initiatives to ensure that state-administered human
services programs will continue to function past the change of
century. These initiatives are part of the departments' overall
strategies to ensure the continued delivery of these high-impact
programs. For example:

- In June 1999, the Department of Agriculture's FNS required its
  regions to provide for each program a copy of either a state
  letter certifying that it was Year 2000 compliant or a business
  continuity and contingency plan. As of June 18, 1999, FNS had
  received (1) 9 certifications and 7 business continuity and
  contingency plans for Child Nutrition, (2) 12 certifications and
  16 business continuity and contingency plans for Food Stamps, and
  (3) 23 certifications and 23 business continuity and contingency
  plans for Women, Infants, and Children. In addition, to help
  states' Year 2000 efforts, FNS employed a contractor to conduct
  on-site visits to 20 states for one or more programs. As of July
  9, FNS officials told us 16 states had been visited. With respect
  to the scope of these visits, FNS' regional offices determine for
  each state and program what specific areas it should encompass.
  These visits are principally intended to provide technical
  assistance to the states in areas such as Year 2000 project
  management, hardware and software testing, and contingency
  planning.

- In its initial round of on-site reviews conducted between
  November 1998 and April 1999, the contractor hired by HHS' HCFA
  (1) identified barriers to successful remediation, (2) made
  recommendations to address specific areas of concern, and (3)
  placed Medicaid integrated eligibility and management information
  systems into low, medium, or high risk categories. HCFA's
  contractor is currently conducting a second round of on-site
  reviews in at least 40 states, primarily those in which at least
  one of two systems was categorized as a high or medium risk
  during the initial visit. As of June 30, 14 states had been
  visited during this round. The focus of this second round of
  visits is on determining how states have resolved Year 2000
  issues previously identified, as well as reviewing activities
  such as data exchanges and end-to-end testing. HCFA plans to
  conduct a third round of on-site reviews in the fall of 1999 for
  those states that continue to have systems categorized as high
  risk. Additionally, another HCFA contractor is reviewing the
  content of all states' business continuity and contingency plans,
  with some of these reviews being performed in conjunction with
  the second round of state visits.

- In September 1998, the Department of Labor required that all
  State Employment Security Agencies conduct independent
  verification and validation reviews of their Unemployment
  Insurance programs. The department set a target date of July 1,
  1999, for states to submit independent verification and
  validation certifications of their Unemployment Insurance systems
  to Labor's regional offices. Labor required its regional offices
  to review independent verification and validation reports and
  certifications of Year 2000 compliance that State Employment
  Security Agencies submitted, and to ascertain whether the
  material met the department's requirements. If Labor's
  requirements were met, the regional offices were to approve the
  State Employment Security Agencies' certification and independent
  verification and validation reports and forward copies of the
  approved certification and report, along with regional office
  comments, to Labor's national office.

An example of the benefits that federal/state partnerships can
provide is illustrated by the Department of Labor's unemployment
services program. In September 1998, we reported that many State
Employment Security Agencies were at risk of failure as early as
January 1999 and urged the Department of Labor to initiate the
development of realistic contingency plans to ensure continuity of
core business processes in the event of Year 2000-induced
failures.[52] In May, we testified that four state agencies'
systems could have failed if systems in those states had not been
programmed with an emergency patch in December 1998. This patch was
developed by several of the state agencies and promoted to other
state agencies by the Department of Labor.[53]

Year 2000 Readiness Information Available in Some Sectors, But Key
Information Still Missing or Incomplete

Beyond the risks faced by federal, state, and local governments,
the year 2000 also poses a serious challenge to the public
infrastructure, key economic sectors, and to other countries. To
address these concerns, in April 1998 we recommended that the
Council use a sector-based approach and establish the effective
public-private partnerships necessary to address this issue.[54]
The Council subsequently established over 25 sector-based working
groups and has been initiating outreach activities since it became
operational last spring. In addition, the Chair of the Council has
formed a Senior Advisors Group composed of representatives from
private-sector firms across key economic sectors. Members of this
group are expected to offer perspectives on crosscutting issues,
information sharing, and appropriate federal responses to
potential Year 2000 failures.

[52] Year 2000 Computing Crisis: Progress Made at Department of
Labor, But Key Systems at Risk (GAO/T-AIMD-98-303, September 17,
1998).
[53] Year 2000 Computing Challenge: Labor Has Progressed But
Selected Systems Remain at Risk (GAO/T-AIMD-99-179, May 12, 1999).
[54] GAO/AIMD-98-85, April 30, 1998.

Our April 1998 report also recommended that the President's
Council develop a comprehensive picture of the nation's Year 2000
readiness, to include identifying and assessing risks to the
nation's key economic sectors, including risks posed by
international links. In October 1998, the Chair directed the
Council's sector working groups to begin assessing their sectors.
The Chair also provided a recommended guide of core questions
that the Council asked to be included in surveys by the
associations performing the assessments. These questions included
the percentage of work that has been completed in the assessment,
renovation, validation, and implementation phases. The Chair then
planned to issue quarterly public reports summarizing these
assessments.

The Council's most recent report was issued on August 5, 1999.[55]
The report stated that important national systems will make a
successful transition to the year 2000 but that much work, such as
contingency planning, remains to be done. In particular, the
Council expressed a high degree of confidence in five major
domestic areas: financial institutions, electric power,
telecommunications, air travel, and the federal government. For
example, the Council stated that on August 2, federal bank,
thrift, and credit union regulators reported that 99 percent of
federally insured financial institutions have completed testing of
critical systems for Year 2000 readiness. The Council had concerns
in four significant areas: local government, health care,
education, and small businesses. For example, according to the
Council report, many school districts could move into the new
century with dysfunctional information technology systems, since
only 28 percent and 30 percent of Superintendent/Local Educational
Agencies and postsecondary institutions, respectively, reported
that their mission-critical systems were Year 2000 compliant.
Internationally, the Council stated that the Year 2000 readiness of
other countries was improving but was still a concern. The Council
reported that the June 1999 meeting of National Year 2000
Coordinators held at the United Nations found that the 173
countries in attendance were clearly focused on the Year 2000
problem but that many countries will likely not have enough time or
resources to finish before the end of 1999.

[55] The Council's three reports are available on its web site,
www.y2k.gov. In addition, the Council, in conjunction with the
Federal Trade Commission and the General Services Administration,
has established a toll-free Year 2000 information line,
1-888-USA-4Y2K. The Federal Trade Commission has also included Year
2000 information of interest to consumers on its web site,
www.consumer.gov.

The Council's assessment reports have substantially increased the
nation's understanding of the Year 2000 readiness of key
industries. However, the picture remains incomplete in certain key
areas because the surveys conducted to date did not have a high
response rate or did not provide their response rate, the
assessment was general or contained projections rather than current
remediation information, or the data were old. For example,
according to the Council's latest assessment report:

- Less than a quarter of the more than 16,000 Superintendents of
  Schools/Local Educational Agencies responded to a web-based
  survey of Year 2000 readiness among elementary and secondary
  schools. Similarly, less than a third of the more than 6,000
  presidents and/or chancellors of postsecondary educational
  institutions responded to a web-based Year 2000 survey. Also,
  surveys covering areas such as small and medium-sized chemical
  enterprises did not provide information on either the number of
  surveys distributed or the number returned. Small response rates
  or the lack of information on response rates call into question
  whether the results of the survey accurately portray the
  readiness of the sector.

- Information in areas such as state emergency management and
  broadcast television and radio provided a general assessment or
  projected compliance levels as of a certain date, but did not
  contain detailed data as to the current status of the sector
  (e.g., the average percentage of organizations' systems that are
  Year 2000 compliant or the percentage of organizations that are
  in the assessment, renovation, or validation phases).

- In some cases, such as for grocery manufacturers, cable
  television, hospitals, physicians' practices, and railroads, the
  sector surveys had been conducted months earlier and/or current
  survey information was not yet available.

In addition to our work related to the federal, state, and local
government's Year 2000 progress, we have also issued several
products related to key economic sectors. I will now discuss the
results of these reviews.

Energy Sector In April, we reported that while the electric power
industry had concluded that it had made substantial progress in
making its systems and equipment ready to continue operations into
the year 2000, significant risks remained
Page 25 GAO/T-AIMD-99-268
since many reporting organizations did not expect to be Year 2000
ready within the June 1999 industry target date. 56 We, therefore,
suggested that the Department of Energy (1) work with the Electric
Power Working Group to ensure that remediation activities were
accelerated for the utilities that expected to miss the June 1999
deadline for achieving Year 2000 readiness and (2) encourage state
regulatory utility commissions to require a full public disclosure
of Year 2000 readiness status of entities transmitting and
distributing electric power. The Department of Energy generally
agreed with our suggestions. We also suggested that the Nuclear
Regulatory Commission (1) in cooperation with the Nuclear Energy
Institute, work with nuclear power plant licensees to accelerate
the Year 2000 remediation efforts among the nuclear power plants
that expect to meet the June 1999
deadline for achieving readiness and (2) publicly disclose the
Year 2000 readiness of each of the nation's operational nuclear
reactors. In response, the Nuclear Regulatory Commission stated
that it plans to focus its efforts on nuclear power plants that
may miss the July 1, 1999, milestone and that it would release the
readiness information on individual plants that same
month. Subsequent to our report, on August 3, 1999, the North
American Electric Reliability Council released its fourth status
report on electric power systems. According to the Council, as of
June 30, 1999 (the industry target date for organizations to be
Year 2000 ready), 251 of 268 (94 percent) of bulk electric
organizations were Year 2000 ready or Year 2000 ready with limited
exceptions. 57 In addition, this report stated that 96 percent of
local distribution systems were reported as Year 2000 ready. 58 The
North American Electric Reliability Council stated that the
information it uses is principally self-reported but that 84
percent of the organizations reported that their Year 2000
programs had also been audited by internal and/or external
auditors. On July 19, the Nuclear Regulatory Commission stated
that 68 of 103 (66 percent) nuclear power plants reported that all
of their computer systems and digital embedded components that
support plant operations are Year 2000 ready. Of the 35 plants that
were not Year 2000 ready, 18 had systems or components that were
not ready that could affect power generation.

56 Year 2000 Computing Crisis: Readiness of the Electric Power
Industry (GAO/AIMD-99-114, April 6, 1999).
57 The North American Electric Reliability Council reported that 64
of these organizations had exceptions but that it believes that the
work schedule provided to complete these exception items in the
next few months represents a prudent use of resources and does not
increase risks associated with reliable electric service into the
Year 2000.
58 This was based on the percentage of the total megawatts of the
systems reported as Year 2000 ready by investor-owned, public
power, and cooperative organizations. The report did not identify
the number of local distribution organizations that reported that
they were Year 2000 ready.

In May, we reported 59 that while the domestic oil and gas
industries had reported that they had made substantial progress in
making their equipment and systems ready to continue operations
into the year 2000, risks remained. For example, although over
half of our oil is imported, little was known about the Year 2000
readiness of foreign oil suppliers. Further, while individual
domestic companies reported that they were developing Year 2000
contingency plans, there were no plans to perform a national-level
risk assessment and develop contingency plans to deal with
potential shortages or disruptions in the nation's overall oil and
gas supplies. We suggested that the Council's oil and gas working
group (1) work with industry associations to perform national-level
risk assessments and develop and publish credible, national-level
scenarios regarding the impact of potential Year 2000 failures and
(2) develop national-level contingency plans. The working group
generally agreed with these suggestions.

Water Sector
In April, we reported 60 that
insufficient information was available to assess and manage Year
2000 efforts in the water sector, and little additional
information was expected under the current regulatory approach.
While
the Council's water sector working group had undertaken an
awareness campaign and had urged national water sector
associations to continue to survey their memberships, survey
response rates had been low. Further, Environmental Protection
Agency officials stated that the agency lacked the rules and
regulations necessary to require water and wastewater facilities
to report on their Year 2000 status. Our survey of state
regulators found that a few states were proactively collecting
Year 2000 compliance data from regulated facilities, a much larger
group of states was disseminating Year 2000 information, while
another group was not actively using either approach.
Additionally, only a handful of state regulators believed that
they were responsible for ensuring facilities' Year 2000
compliance or overseeing facilities' business continuity and
contingency plans. Among our suggested actions was that the
Council, the Environmental Protection Agency, and the states
determine which regulatory organization should take responsibility
for assessing and publicly disclosing the status and outlook of
water sector facilities' Year 2000 business continuity and
contingency plans. The Environmental Protection Agency generally
agreed with our suggestions but one official noted that additional
legislation may be needed if the agency is to take responsibility
for overseeing facilities' Year 2000 business continuity and
contingency plans.

59 Year 2000 Computing Crisis: Readiness of the Oil and Gas
Industries (GAO/AIMD-99-162, May 19, 1999).
60 Year 2000 Computing Crisis: Status of the Water Industry
(GAO/AIMD-99-151, April 21, 1999).

Health Sector
The health sector includes health care providers
(such as hospitals and emergency health care services), insurers
(such as Medicare and Medicaid), and biomedical equipment. Last
month, we reported 61 that HCFA had taken aggressive and
comprehensive outreach efforts with regard to its over 1.1 million
healthcare providers that administer services for Medicare-insured
patients. 62 Despite these efforts, HCFA data show that
provider participation in its outreach activities has been low.
Further, although HCFA has tasked contractors that process
Medicare claims with testing with providers using future-dated
claims, such testing had been limited and the testing that had
occurred had identified problems. Our July report also found that
although many surveys had been completed in 1999 on the Year 2000
readiness of healthcare providers, none of the 11 surveys we
reviewed provided sufficient information with which to assess the
Year 2000 status of the healthcare provider community. Each of the
surveys had low response rates, and several did not address
critical questions about testing and contingency planning.
To reduce the risk of Year 2000-related failures in the Medicare
provider community, our July report suggested, for example, that
HCFA consider using additional outreach methods, such as public
service announcements, and set milestones for Medicare contractors
for testing with providers. We also made suggestions to the
President's Council on Year 2000 Conversion's healthcare sector
working group, including a suggestion to consider working with
associations to publicize those providers who respond to future
surveys in order to increase survey response rates. The HCFA
Administrator generally agreed with our suggested actions.

61 Year 2000 Computer Crisis: Status of Medicare Providers Unknown
(GAO/AIMD-99-243, July 28, 1999).
62 Examples of such providers are hospitals, laboratories,
physicians, and skilled nursing/long-term care facilities.

With respect to biomedical equipment, on June 10 we testified 63
that in response to our September 1998 recommendation, 64 HHS, in
conjunction with the Department of Veterans Affairs, had
established a clearinghouse on biomedical equipment. As of June 1,
1999, 4,142 biomedical equipment manufacturers had submitted data
to the clearinghouse. About 61 percent of these manufacturers
reported having products that do not employ dates and about 8
percent (311 manufacturers) reported having date-related
problems, such as an incorrect display of date/time. According to
the Food and Drug Administration, the 311 manufacturers reported
897 products with date-related problems. However, not all
compliance information was available on the clearinghouse because
the clearinghouse referred the user to 427 manufacturers' web
sites. Accordingly, we reviewed the web sites of these
manufacturers and found, as of June 1, 1999, a total of 35,446
products. 65 Of these products, 18,466 were reported as not
employing a date, 11,211 were reported as compliant, 4,445 were
shown as not compliant, and the compliance status of 1,324 was
unknown. In addition to the establishment of a clearinghouse, our
September 1998 report 66 also recommended that HHS and the
Department of Veterans Affairs take prudent steps to jointly
review manufacturers' test results for critical care/life support
biomedical equipment. We were especially concerned that the
departments review test results for equipment previously deemed to
be noncompliant but now deemed by manufacturers to be compliant, or
equipment for which concerns about compliance remained. In May
1999, the Food and Drug Administration, a component agency of HHS,
announced that it planned to develop a list of critical care/life
support medical devices and the manufacturers of these devices,
select a sample of manufacturers for review, and hire a contractor
to develop a program to assess manufacturers' activities to
identify and correct Year 2000 problems for these medical devices.
In addition, if the results of this review indicated a need for
further review of manufacturer activities, the contractor would
review a portion of the remaining manufacturers not yet reviewed.
Moreover, according to the Food and Drug Administration, any
manufacturer whose quality assurance system appeared deficient
based on the contractor's review would be subject to additional
reviews to determine what actions would be required to eliminate
any risk posed by noncompliant devices. In April testimony, 67 we
also reported on the results of a Department of Veterans Affairs
survey of 384 pharmaceutical firms and 459 medical-surgical firms
with which it does business. Of the 52 percent of pharmaceutical
firms that responded to the survey, 32 percent reported that they
were compliant. Of the 54 percent of the medical-surgical firms
that responded, about two-thirds reported that they were compliant.

63 Year 2000 Computing Challenge: Concerns About Compliance
Information on Biomedical Equipment (GAO/T-AIMD-99-209, June 10,
1999).
64 Year 2000 Computing Crisis: Compliance Status of Many Biomedical
Equipment Items Still Unknown (GAO/AIMD-98-240, September 18,
1998).
65 Because of limitations in many of the manufacturers' web sites,
our ability to determine the total number of biomedical equipment
products reported and their compliance status was impaired.
Accordingly, the actual number of products reported by the
manufacturers could be significantly higher than the 35,446
products that we counted.
66 GAO/AIMD-98-240, September 18, 1998.

Banking and Finance Sector
A large portion of the institutions that make up the banking and
finance sector are overseen by one or more federal regulatory
agencies. In September 1998, we testified on the efforts of five
federal financial regulatory agencies 68 to ensure that the
institutions that they oversee are ready to handle the Year 2000
problem. 69 We concluded that the regulators had made significant
progress in assessing the readiness of member institutions and in
raising awareness on important issues such as contingency planning
and testing. Regulator examinations of bank, thrift, and credit
union Year 2000 efforts found that the vast majority were doing a
satisfactory job of addressing the problem. Nevertheless, the
regulators faced the challenge of ensuring that they are ready to
take swift action to address those institutions that falter in the
later stages of correction and to address disruptions caused by
international and public infrastructure failures.

67 Year 2000 Computing Crisis: Action Needed to Ensure Continued
Delivery of Veterans Benefits and Health Care Services
(GAO/T-AIMD-99-136, April 15, 1999).
68 The National Credit Union Administration, the Federal Deposit
Insurance Corporation, the Office of Thrift Supervision, the
Federal Reserve System, and the Office of the Comptroller of the
Currency.
69 Year 2000 Computing Crisis: Federal Depository Institution
Regulators Are Making Progress, But Challenges Remain
(GAO/T-AIMD-98-305, September 17, 1998).

In April, we reported that the Federal Reserve System (which is
instrumental to our nation's economic well-being, since it
provides depository institutions and government agencies services
such as processing checks and transferring funds and securities)
has effective controls to help ensure that its Year 2000 progress
is reported accurately and reliably. 70 We also found that it is
effectively managing the renovation and testing of its internal
systems and the development and planned testing
of contingency plans for continuity of business operations.
Nevertheless, the Federal Reserve System still had much to
accomplish before it is fully ready for January 1, 2000, such as
completing validation and implementation of all of its internal
systems and completing its contingency plans.
In addition to the domestic banking and finance sector, large U.S.
financial institutions have financial exposures and
relationships with international financial institutions and
markets that may be at risk if these international organizations
are not ready for the date change occurring on January 1, 2000. In
April, we reported 71 that foreign financial institutions had
reportedly lagged behind their U.S. counterparts in preparing for
the Year 2000 date change. Officials from four of the seven large
foreign financial institutions we visited said they had scheduled
completion of their Year 2000 preparations about 3 to 6 months
after their U.S. counterparts, but they planned to complete their
efforts by mid-1999 at the latest. Moreover, key international
market supporters, such as those that transmit financial messages
and provide clearing and settlement services, told us that their
systems were ready for the date change and that they had begun
testing with the financial organizations that depended on these
systems. Further, we found that seven large U.S. banks and
securities firms we visited were taking actions to address their
international risks. In addition, U.S. banking and securities
regulators were also addressing the international Year 2000 risks
of the institutions that they oversee.

70 Year 2000 Computing Crisis: Federal Reserve Has Established
Effective Year 2000 Management Controls for Internal Systems
Conversion (GAO/AIMD-99-78, April 9, 1999).
71 Year 2000: Financial Institution and Regulatory Efforts to
Address International Risks (GAO/GGD-99-62, April 27, 1999).

With respect to the insurance industry, in March, we concluded
that insurance regulator presence regarding the Year 2000 area was
not as strong as that exhibited by the banking and securities
industry. 72 State insurance regulators we contacted were late in raising
industry awareness of potential Year 2000 problems, provided
little guidance to regulated institutions, and failed to convey
clear regulatory expectations to companies about Year 2000
preparations and milestones. Nevertheless, the
insurance industry is reported by both its regulators and by other
outside observers to be generally on track to being ready for
2000. However, most of these reports are based on self-reported
information and, compared to other financial regulators, insurance
regulators' efforts to validate this information generally began
late and were more limited. In a related report in April, 73 we
stated that variations in oversight approaches by state insurance
regulators also made it difficult to ascertain the overall status
of the insurance industry's Year 2000 readiness. We reported that
the magnitude of insurers' Year 2000-related liability exposures
could not be estimated at that time but that costs associated with
these exposures could be substantial for some property-casualty
insurers, particularly those concentrated in commercial-market
sectors. In addition, despite efforts to mitigate potential
exposures, the Year 2000-related costs that
may be incurred by insurers would remain uncertain until key legal
issues and actions on pending legislation were resolved.
Transportation Sector
Airports are a key component of the nation's transportation
sector. This January we reported on our survey of 413 airports. 74
We found that while the nation's airports were making progress in
preparing for the year 2000, such progress varied. Of the 334
airports responding to our survey, about one-third reported that
they would complete their Year 2000 preparations by June 30, 1999.
The other two-thirds either planned on a later date or failed to
estimate any completion date, and half of these airports did not
have contingency plans for any of 14 core airport functions.
Although most of those not expecting to be ready by June 30 are
small airports, 26 of them are among the nation's 50 largest
airports.

72 Insurance Industry: Regulators Are Less Active in Encouraging
and Validating Year 2000 Preparedness (GAO/T-GGD-99-56, March 11,
1999).
73 Year 2000: State Insurance Regulators Face Challenges in
Determining Industry Readiness (GAO/GGD-99-87, April 30, 1999).
74 Year 2000 Computing Crisis: Status of Airports' Efforts to Deal
With Date Change Problem (GAO/RCED/AIMD-99-57, January 29, 1999).

International
In addition to the risks associated with the nation's key economic
sectors, one of the largest and most uncertain areas of risk
relates to the global nature of the problem. Table 3 summarizes the
results of the Department of State's Office of the Inspector
General's analysis of Y2K Host Country Infrastructure assessments
submitted by U.S. embassies in 161 countries (98 from the
developing world, 24 from former Eastern bloc countries and the New
Independent States, and 39 from industrialized countries). The
following table shows that about half of the countries are reported
to be at medium or high risk of having Year 2000-related failures
in the key areas of telecommunications, transportation, and energy.
While a smaller number of countries were reported at medium or high
risk in the finance and water sectors, at least one-third of the
countries fell into the medium or high risk categories.

Table 3: Risk of Year 2000-Related Sector Failures in 161 Countries

Risk level   Finance   Telecommunications   Transportation   Energy   Water
High              11                   35               18       26       7
Medium            43                   56               61       64      52
Low              107                   70               82       71     102

Source: Year 2000 Computer Problem: Global Readiness and
International Trade (Statement of the Department of State's
Inspector General before the Senate Special Committee on the Year
2000 Technology Problem, July 22, 1999).

The Department of State Inspector General concluded that the
global community is likely to experience varying degrees of Year
2000-related failures, from mere annoyances to failures in key
infrastructure systems, in every sector, region, and economic
level. In particular, the Inspector General testified on July 22,
1999, that
- industrialized countries were generally at low risk of having
  Year 2000-related infrastructure failures, although some of these
  countries were at risk;
- developing countries were lagging behind and were struggling to
  find the financial and technical resources needed to resolve their
  Year 2000 problems; and
- former Eastern bloc countries were late in getting started and
  were generally unable to provide detailed information on their
  Year 2000 programs.
The impact of Year 2000-induced failures in foreign countries
could adversely affect the United States, particularly as it
relates to the supply chain. To address the international supply
chain issue, in January 1999 we suggested 75 that the President's
Council on Year 2000 Conversion prioritize trade and commerce
activities that are critical to the nation's well-being (e.g.,
oil, food, pharmaceuticals) and, working with the private sector,
identify options for obtaining these materials through alternative
avenues in the event that Year 2000-induced failures in the other
country or in the transportation sector prevent these items from
reaching the United States. In commenting on this suggestion, the
Chair stated that the Council had (1) worked with federal agencies
to identify sectors with the greatest dependence on international
trade, (2) held industry roundtable discussions with the
pharmaceutical and food supply sectors, and (3) hosted bilateral
and trilateral meetings with the Council's counterparts in Canada
and Mexico, the United States' largest trading partners.
In summary, while improvement has been shown, much work remains at
the national, federal, state, and local levels to ensure that
major service disruptions do not occur. Specifically, remediation
must be completed, end-to-end testing performed, and business
continuity and contingency plans developed. Similar actions remain
to be completed by the nation's key sectors. Accordingly, whether
the United States successfully confronts the Year 2000 challenge
will largely depend on the success of federal, state, and local
governments, as well as the private sector working separately and
together to complete these actions. Accordingly, strong leadership
and partnerships must be maintained to ensure that the needs of the
public are met at the turn of the century.
Mr. Chairman, this concludes my statement. I would be happy to
respond to any questions that you or other members of the
Subcommittee may have at this time.

Contact
For information concerning this testimony, please contact Joel
Willemssen at (202) 512-6253 or by e-mail at
willemssenj.aimd@gao.gov.

75 GAO/T-AIMD-99-50, January 20, 1999.

Appendix I
Federal High-Impact Programs and Lead Agencies

Agency                                        Program
Department of Agriculture                     Child Nutrition Programs
Department of Agriculture                     Food Safety Inspection
Department of Agriculture                     Food Stamps
Department of Agriculture                     Special Supplemental Nutrition Program for Women, Infants, and Children
Department of Commerce                        Patent and trademark processing
Department of Commerce                        Weather Service
Department of Defense                         Military Hospitals
Department of Defense                         Military Retirement
Department of Education                       Student Aid
Department of Energy                          Federal electric power generation and delivery
Department of Health and Human Services       Child Care
Department of Health and Human Services       Child Support Enforcement
Department of Health and Human Services       Child Welfare
Department of Health and Human Services       Disease monitoring and the ability to issue warnings
Department of Health and Human Services       Indian Health Service
Department of Health and Human Services       Low Income Home Energy Assistance Program
Department of Health and Human Services       Medicaid
Department of Health and Human Services       Medicare
Department of Health and Human Services       Organ Transplants
Department of Health and Human Services       Temporary Assistance for Needy Families
Department of Housing and Urban Development   Housing loans (Government National Mortgage Association)
Department of Housing and Urban Development   Section 8 Rental Assistance
Department of Housing and Urban Development   Public Housing
Department of Housing and Urban Development   FHA Mortgage Insurance
Department of Housing and Urban Development   Community Development Block Grants
Department of the Interior                    Bureau of Indian Affairs programs
Department of Justice                         Federal Prisons
Department of Justice                         Immigration
Department of Justice                         National Crime Information Center
Department of Labor                           Unemployment Insurance
Department of State                           Passport Applications and Processing
Department of Transportation                  Air Traffic Control System
Department of Transportation                  Maritime Safety Program
Department of the Treasury                    Cross-border Inspection Services
Department of Veterans Affairs                Veterans' Benefits
Department of Veterans Affairs                Veterans' Health Care
Federal Emergency Management Agency           Disaster Relief
Office of Personnel Management                Federal Employee Health Benefits
Office of Personnel Management                Federal Employee Life Insurance
Office of Personnel Management                Federal Employee Retirement Benefits
Railroad Retirement Board                     Retired Rail Workers Benefits
Social Security Administration                Social Security Benefits
U.S. Postal Service                           Mail Service

GAO Reports and Testimony Addressing the Year 2000 Crisis
Year 2000 Computing Challenge: Agencies' Reporting of
Mission-Critical Classified Systems (GAO/AIMD-99-218, August 5,
1999).
Social Security Administration: Update on Year 2000 and Other Key
Information Technology Initiatives (GAO/T-AIMD-99-259, July 29,
1999).
Year 2000 Computing Crisis: Status of Medicare Providers Unknown
(GAO/AIMD-99-243, July 28, 1999).
Reported Y2K Status of the 21 Largest U.S. Cities
(GAO/AIMD-99-246R, July 15, 1999).
Year 2000 Computing Challenge: Federal Efforts to Ensure Continued
Delivery of Key State-Administered Benefits (GAO/T-AIMD-99-241,
July 15, 1999).
Emergency and State and Local Law Enforcement Systems: Committee
Questions Concerning Year 2000 Challenges (GAO/AIMD-99-247R, July
14, 1999).
Year 2000 Computing Challenge: Important Progress Made, Yet Much
Work Remains to Avoid Disruption of Critical Services
(GAO/T-AIMD-99-234, July 9, 1999).
Year 2000 Computing Challenge: Readiness Improving Yet Avoiding
Disruption of Critical Services Will Require Additional Work
(GAO/T-AIMD-99-233, July 8, 1999).
Year 2000 Computing Challenge: Readiness Improving But Much Work
Remains to Avoid Disruption of Critical Services
(GAO/T-AIMD-99-232, July 7, 1999).
Defense Computers: Management Controls Are Critical to Effective
Year 2000 Testing (GAO/AIMD-99-172, June 30, 1999).
Year 2000 Computing Crisis: Customs Is Making Good Progress
(GAO/T-AIMD-99-225, June 29, 1999).
Year 2000 Computing Challenge: Delivery of Key Benefits Hinges on
States' Achieving Compliance (GAO/T-AIMD/GGD-99-221, June 23,
1999).
Year 2000 Computing Challenge: Estimated Costs, Planned Uses of
Emergency Funding, and Future Implications (GAO/T-AIMD-99-214,
June 22, 1999).
GSA's Effort to Develop Year 2000 Business Continuity and
Contingency Plans for Telecommunications Systems
(GAO/AIMD-99-201R, June 16, 1999).
Year 2000 Computing Crisis: Actions Needed to Ensure Continued
Delivery of Veterans Benefits and Health Care Services
(GAO/AIMD-99-190R, June 11, 1999).
Year 2000 Computing Challenge: Concerns About Compliance
Information on Biomedical Equipment (GAO/T-AIMD-99-209, June 10,
1999).
Year 2000 Computing Challenge: Much Biomedical Equipment Status
Information Available, Yet Concerns Remain (GAO/T-AIMD-99-197, May
25, 1999).
Year 2000 Computing Challenge: OPM Has Made Progress on Business
Continuity Planning (GAO/GGD-99-66, May 24, 1999).
VA Y2K Challenges: Responses to Post-Testimony Questions
(GAO/AIMD-99-199R, May 24, 1999).
Year 2000 Computing Crisis: USDA Needs to Accelerate Time Frames
for Completing Contingency Planning (GAO/AIMD-99-178, May 21,
1999).
Year 2000 Computing Crisis: Readiness of the Oil and Gas
Industries (GAO/AIMD-99-162, May 19, 1999).
Year 2000 Computing Challenge: Time Issues Affecting the Global
Positioning System (GAO/T-AIMD-99-187, May 12, 1999).
Year 2000 Computing Challenge: Education Taking Needed Actions But
Work Remains (GAO/T-AIMD-99-180, May 12, 1999).
Year 2000 Computing Challenge: Labor Has Progressed But Selected
Systems Remain at Risk (GAO/T-AIMD-99-179, May 12, 1999).
Year 2000: State Insurance Regulators Face Challenges in
Determining Industry Readiness (GAO/GGD-99-87, April 30, 1999).
Year 2000 Computing Challenge: Status of Emergency and State and
Local Law Enforcement Systems Is Still Unknown (GAO/T-AIMD-99-163,
April 29, 1999).
Year 2000 Computing Crisis: Costs and Planned Use of Emergency
Funds (GAO/AIMD-99-154, April 28, 1999).
Year 2000: Financial Institution and Regulatory Efforts to Address
International Risks (GAO/GGD-99-62, April 27, 1999).
Year 2000 Computing Crisis: Readiness of Medicare and the Health
Care Sector (GAO/T-AIMD-99-160, April 27, 1999).
U.S. Postal Service: Subcommittee Questions Concerning Year 2000
Challenges Facing the Service (GAO/AIMD-99-150R, April 23, 1999).
Year 2000 Computing Crisis: Status of the Water Industry
(GAO/AIMD-99-151, April 21, 1999).
Year 2000 Computing Crisis: Key Actions Remain to Ensure Delivery
of Veterans Benefits and Health Services (GAO/T-AIMD-99-152, April
20, 1999).
Year 2000 Computing Crisis: Readiness Improving But Much Work
Remains to Ensure Delivery of Critical Services
(GAO/T-AIMD-99-149, April 19, 1999).
Year 2000 Computing Crisis: Action Needed to Ensure Continued
Delivery of Veterans Benefits and Health Care Services
(GAO/T-AIMD-99-136, April 15, 1999).
Year 2000 Computing Challenge: Federal Government Making Progress
But Critical Issues Must Still Be Addressed to Minimize
Disruptions (GAO/T-AIMD-99-144, April 14, 1999).
Year 2000 Computing Crisis: Additional Work Remains to Ensure
Delivery of Critical Services (GAO/T-AIMD-99-143, April 13, 1999).
Tax Administration: IRS' Fiscal Year 2000 Budget Request and 1999
Tax Filing Season (GAO/T-GGD/AIMD-99-140, April 13, 1999).
Year 2000 Computing Crisis: Federal Reserve Has Established
Effective Year 2000 Management Controls for Internal Systems
Conversion (GAO/AIMD-99-78, April 9, 1999).
Year 2000 Computing Crisis: Readiness of the Electric Power
Industry (GAO/AIMD-99-114, April 6, 1999).
Year 2000 Computing Crisis: Customs Has Established Effective Year
2000 Program Controls (GAO/AIMD-99-37, March 29, 1999).
Year 2000 Computing Crisis: FAA Is Making Progress But Important
Challenges Remain (GAO/T-AIMD/RCED-99-118, March 15, 1999).
Insurance Industry: Regulators Are Less Active in Encouraging and
Validating Year 2000 Preparedness (GAO/T-GGD-99-56, March 11,
1999).
Year 2000 Computing Crisis: Defense Has Made Progress, But
Additional Management Controls Are Needed (GAO/T-AIMD-99-101,
March 2, 1999).
Year 2000 Computing Crisis: Readiness Status of the Department of
Health and Human Services (GAO/T-AIMD-99-92, February 26, 1999).
Defense Information Management: Continuing Implementation
Challenges Highlight the Need for Improvement (GAO/T-AIMD-99-93,
February 25, 1999).
IRS' Year 2000 Efforts: Status and Remaining Challenges
(GAO/T-GGD-99-35, February 24, 1999).
Department of Commerce: National Weather Service Modernization and
NOAA Fleet Issues (GAO/T-AIMD/GGD-99-97, February 24, 1999).
Year 2000 Computing Crisis: Medicare and the Delivery of Health
Services Are at Risk (GAO/T-AIMD-99-89, February 24, 1999).
Year 2000 Computing Crisis: Readiness of State Automated Systems
That Support Federal Human Services Programs (GAO/T-AIMD-99-91,
February 24, 1999).
Year 2000 Computing Crisis: Customs Is Effectively Managing Its
Year 2000 Program (GAO/T-AIMD-99-85, February 24, 1999).
Year 2000 Computing Crisis: Update on the Readiness of the Social
Security Administration (GAO/T-AIMD-99-90, February 24, 1999).
Year 2000 Computing Crisis: Challenges Still Facing the U. S.
Postal Service (GAO/T-AIMD-99-86, February 23, 1999). Year 2000
Computing Crisis: The District of Columbia Remains Behind Schedule
(GAO/T-AIMD-99-84, February 19, 1999).
High- Risk Series: An Update (GAO/HR-99-1, January 1999). Year
2000 Computing Crisis: Status of Airports' Efforts to Deal With
Date Change Problem (GAO/ RCED/ AIMD- 99- 57, January 29, 1999).
Defense Computers: DOD's Plan for Execution of Simulated Year 2000
Exercises (GAO/AIMD-99-52R, January 29, 1999).
Year 2000 Computing Crisis: Status of Bureau of Prisons' Year 2000
Efforts (GAO/AIMD-99-23, January 27, 1999). Year 2000 Computing
Crisis: Readiness Improving, But Much Work Remains to Avoid Major
Disruptions (GAO/T-AIMD-99-50, January 20, 1999).
Year 2000 Computing Challenge: Readiness Improving, But Critical
Risks Remain (GAO/T-AIMD-99-49, January 20, 1999).
Status Information: FAA's Year 2000 Business Continuity and
Contingency Planning Efforts Are Ongoing (GAO/AIMD-99-40R,
December 4, 1998).
Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21,
November 1998).
Year 2000 Computing Crisis: Readiness of State Automated Systems
to Support Federal Welfare Programs (GAO/AIMD-99-28, November 6,
1998).
Year 2000 Computing Crisis: Status of Efforts to Deal With
Personnel Issues (GAO/AIMD/GGD-99-14, October 22, 1998).
Year 2000 Computing Crisis: Updated Status of Department of
Education's Information Systems (GAO/T-AIMD-99-8, October 8,
1998).
Year 2000 Computing Crisis: The District of Columbia Faces
Tremendous Challenges in Ensuring That Vital Services Are Not
Disrupted (GAO/T-AIMD-99-4, October 2, 1998).
Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998).
Year 2000 Computing Crisis: Leadership Needed to Collect and
Disseminate Critical Biomedical Equipment Information (GAO/T-AIMD-
98-310, September 24, 1998).
Year 2000 Computing Crisis: Compliance Status of Many Biomedical
Equipment Items Still Unknown (GAO/AIMD-98-240, September 18,
1998).
Year 2000 Computing Crisis: Significant Risks Remain to Department
of Education's Student Financial Aid Systems (GAO/T-AIMD-98-302,
September 17, 1998).
Year 2000 Computing Crisis: Progress Made at Department of Labor,
But Key Systems at Risk (GAO/T-AIMD-98-303, September 17, 1998).
Year 2000 Computing Crisis: Federal Depository Institution
Regulators Are Making Progress, But Challenges Remain (GAO/T-AIMD-
98-305, September 17, 1998).
Year 2000 Computing Crisis: Federal Reserve Is Acting to Ensure
Financial Institutions Are Fixing Systems But Challenges Remain
(GAO/AIMD-98-248, September 17, 1998).
Responses to Questions on FAA's Computer Security and Year 2000
Program (GAO/AIMD-98-301R, September 14, 1998).
Year 2000 Computing Crisis: Severity of Problem Calls for Strong
Leadership and Effective Partnerships (GAO/T-AIMD-98-278,
September 3, 1998).
Year 2000 Computing Crisis: Strong Leadership and Effective
Partnerships Needed to Reduce Likelihood of Adverse Impact (GAO/T-
AIMD-98-277, September 2, 1998).
Year 2000 Computing Crisis: Strong Leadership and Effective
Partnerships Needed to Mitigate Risks (GAO/T-AIMD-98-276,
September 1, 1998).
Year 2000 Computing Crisis: State Department Needs To Make
Fundamental Improvements To Its Year 2000 Program (GAO/AIMD-98-
162, August 28, 1998).
Year 2000 Computing: EFT 99 Is Not Expected to Affect Year 2000
Remediation Efforts (GAO/AIMD-98-272R, August 28, 1998).
Year 2000 Computing Crisis: Progress Made in Compliance of VA
Systems, But Concerns Remain (GAO/AIMD-98-237, August 21, 1998).
Year 2000 Computing Crisis: Avoiding Major Disruptions Will
Require Strong Leadership and Effective Partnerships (GAO/T-AIMD-
98-267, August 19, 1998).
Year 2000 Computing Crisis: Strong Leadership and Partnerships
Needed to Address Risk of Major Disruptions (GAO/T-AIMD-98-266,
August 17, 1998).
Year 2000 Computing Crisis: Strong Leadership and Partnerships
Needed to Mitigate Risk of Major Disruptions (GAO/T-AIMD-98-262,
August 13, 1998).
FAA Systems: Serious Challenges Remain in Resolving Year 2000 and
Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998).
Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19, August 1998).
Internal Revenue Service: Impact of the IRS Restructuring and
Reform Act on Year 2000 Efforts (GAO/GGD-98-158R, August 4, 1998).
Social Security Administration: Subcommittee Questions Concerning
Information Technology Challenges Facing the Commissioner
(GAO/AIMD-98-235R, July 10, 1998).
Year 2000 Computing Crisis: Actions Needed on Electronic Data
Exchanges (GAO/AIMD-98-124, July 1, 1998).
Defense Computers: Year 2000 Computer Problems Put Navy Operations
at Risk (GAO/AIMD-98-150, June 30, 1998).
Year 2000 Computing Crisis: Testing and Other Challenges
Confronting Federal Agencies (GAO/T-AIMD-98-218, June 22, 1998).
Year 2000 Computing Crisis: Telecommunications Readiness Critical,
Yet Overall Status Largely Unknown (GAO/T-AIMD-98-212, June 16,
1998).
GAO Views on Year 2000 Testing Metrics (GAO/AIMD-98-217R, June 16,
1998).
IRS' Year 2000 Efforts: Business Continuity Planning Needed for
Potential Year 2000 System Failures (GAO/GGD-98-138, June 15,
1998).
Year 2000 Computing Crisis: Actions Must Be Taken Now to Address
Slow Pace of Federal Progress (GAO/T-AIMD-98-205, June 10, 1998).
Defense Computers: Army Needs to Greatly Strengthen Its Year 2000
Program (GAO/AIMD-98-53, May 29, 1998).
Year 2000 Computing Crisis: USDA Faces Tremendous Challenges in
Ensuring That Vital Public Services Are Not Disrupted (GAO/T-AIMD-
98-167, May 14, 1998).
Securities Pricing: Actions Needed for Conversion to Decimals
(GAO/T-GGD-98-121, May 8, 1998).
Year 2000 Computing Crisis: Continuing Risks of Disruption to
Social Security, Medicare, and Treasury Programs
(GAO/T-AIMD-98-161, May 7, 1998).
IRS' Year 2000 Efforts: Status and Risks (GAO/T-GGD-98-123, May 7,
1998).
Air Traffic Control: FAA Plans to Replace Its Host Computer System
Because Future Availability Cannot Be Assured (GAO/AIMD-98-138R,
May 1, 1998).
Year 2000 Computing Crisis: Potential for Widespread Disruption
Calls for Strong Leadership and Partnerships (GAO/AIMD-98-85,
April 30, 1998).
Defense Computers: Year 2000 Computer Problems Threaten DOD
Operations (GAO/AIMD-98-72, April 30, 1998).
Department of the Interior: Year 2000 Computing Crisis Presents
Risk of Disruption to Key Operations (GAO/T-AIMD-98-149, April 22,
1998).
Tax Administration: IRS' Fiscal Year 1999 Budget Request and
Fiscal Year 1998 Filing Season (GAO/T-GGD/AIMD-98-114, March 31,
1998).
Year 2000 Computing Crisis: Strong Leadership Needed to Avoid
Disruption of Essential Services (GAO/T-AIMD-98-117, March 24,
1998).
Year 2000 Computing Crisis: Federal Regulatory Efforts to Ensure
Financial Institution Systems Are Year 2000 Compliant (GAO/T-AIMD-
98-116, March 24, 1998).
Year 2000 Computing Crisis: Office of Thrift Supervision's Efforts
to Ensure Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-98-
102, March 18, 1998).
Year 2000 Computing Crisis: Strong Leadership and Effective
Public/Private Cooperation Needed to Avoid Major Disruptions
(GAO/T-AIMD-98-101, March 18, 1998).
Post-Hearing Questions on the Federal Deposit Insurance
Corporation's Year 2000 (Y2K) Preparedness (AIMD-98-108R, March
18, 1998).
SEC Year 2000 Report: Future Reports Could Provide More Detailed
Information (GAO/GGD/AIMD-98-51, March 6, 1998).
Year 2000 Readiness: NRC's Proposed Approach Regarding Nuclear
Powerplants (GAO/AIMD-98-90R, March 6, 1998).
Year 2000 Computing Crisis: Federal Deposit Insurance
Corporation's Efforts to Ensure Bank Systems Are Year 2000
Compliant (GAO/T-AIMD-98-73, February 10, 1998).
Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent
Systems Failures (GAO/T-AIMD-98-63, February 4, 1998).
FAA Computer Systems: Limited Progress on Year 2000 Issue
Increases Risk Dramatically (GAO/AIMD-98-45, January 30, 1998).
Defense Computers: Air Force Needs to Strengthen Year 2000
Oversight (GAO/AIMD-98-35, January 16, 1998).
Year 2000 Computing Crisis: Actions Needed to Address Credit Union
Systems' Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998).
Veterans Health Administration Facility Systems: Some Progress
Made in Ensuring Year 2000 Compliance, But Challenges Remain
(GAO/AIMD-98-31R, November 7, 1997).
Year 2000 Computing Crisis: National Credit Union Administration's
Efforts to Ensure Credit Union Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-20, October 22, 1997).
Social Security Administration: Significant Progress Made in Year
2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22,
1997).
Defense Computers: Technical Support Is Key to Naval Supply Year
2000 Success (GAO/AIMD-98-7R, October 21, 1997).
Defense Computers: LSSC Needs to Confront Significant Year 2000
Issues (GAO/AIMD-97-149, September 26, 1997).
Veterans Affairs Computer Systems: Action Underway Yet Much Work
Remains To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174, September
25, 1997).
Year 2000 Computing Crisis: Success Depends Upon Strong Management
and Structured Approach (GAO/T-AIMD-97-173, September 25, 1997).
Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14,
September 1997).
Defense Computers: SSG Needs to Sustain Year 2000 Progress
(GAO/AIMD-97-120R, August 19, 1997).
Defense Computers: Improvements to DOD Systems Inventory Needed
for Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997).
Defense Computers: Issues Confronting DLA in Addressing Year 2000
Problems (GAO/AIMD-97-106, August 12, 1997).
Defense Computers: DFAS Faces Challenges in Solving the Year 2000
Problem (GAO/AIMD-97-117, August 11, 1997).
Year 2000 Computing Crisis: Time Is Running Out for Federal
Agencies to Prepare for the New Millennium (GAO/T-AIMD-97-129,
July 10, 1997).
Veterans Benefits Computer Systems: Uninterrupted Delivery of
Benefits Depends on Timely Correction of Year-2000 Problems
(GAO/T-AIMD-97-114, June 26, 1997).
Veterans Benefits Computer Systems: Risks of VBA's Year-2000
Efforts (GAO/AIMD-97-79, May 30, 1997).
Medicare Transaction System: Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May
16, 1997).
Medicare Transaction System: Serious Managerial and Technical
Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16,
1997).
Year 2000 Computing Crisis: Risk of Serious Disruption to
Essential Government Functions Calls for Agency Action Now (GAO/T-
AIMD-97-52, February 27, 1997).
Year 2000 Computing Crisis: Strong Leadership Today Needed To
Prevent Future Disruption of Government Services (GAO/T-AIMD-97-
51, February 24, 1997).
High-Risk Series: Information Management and Technology
(GAO/HR-97-9, February 1997).