Year 2000 Computing Crisis: The District of Columbia Faces Tremendous
Challenges in Ensuring Vital Services Are Not Disrupted (Testimony,
10/02/98, GAO/T-AIMD-99-4).
Pursuant to a congressional request, GAO discussed the year 2000 risks
facing the District of Columbia, focusing on: (1) its progress to date
in fixing its systems; and (2) the District's remediation strategy.
GAO noted that: (1) until June 1998, the District had made very little
progress in addressing the year 2000 problem; (2) to compensate for its
late start, the District has hired a new chief technology officer,
appointed a full-time year 2000 program manager, established a year 2000
program office, and continued to use its chief technology officer
council to help coordinate and prioritize efforts; (3) the District also
contracted with an information technology firm to assist in completing
the remediation effort; (4) to accomplish this in the short time
remaining, the District and the contractor plan to concurrently: (a)
remediate and test system applications; (b) assess and fix the
information technology (IT) infrastructure, including the data centers,
hardware, operating systems, and telecommunications equipment; (c)
assess and correct noninformation technology assets; and (d) develop
contingency plans; (5) the District has done the following: (a)
developed an inventory of information technology applications; (b)
initiated pilot remediation and test efforts with the pension and
payroll system; (c) adopted a contingency planning methodology which it
is now piloting on the 911 system, the water and sewer system, and the
lottery board system; and (d) developed a strategy for remediating
non-IT assets which is now being tested on the water and sewer system;
(6) the District's recent actions reflect a commitment on the part of
the city to address the year 2000 problem and to make up for the lack of
progress; (7) however, the District is still significantly behind in
addressing the problem; (8) the District has not: (a) identified all of
its essential business functions that must continue to operate; (b)
finished assessing its IT infrastructure and its non-information
technology assets; (c) provided guidance to its agencies on testing; and
(d) identified resources that will be needed to complete remediation and
testing; (9) until the District completes the assessment phase, it will
not have reliable estimates on how long it will take to renovate and
test mission-critical systems and processes and to develop business
continuity and contingency plans; (10) District officials acknowledge
that the city is not able to provide assurance that all critical systems
will be remediated on time; and (11) therefore, to minimize disruptions
to vital city services, it will be essential for the District to
effectively manage risks over the next 15 months.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: T-AIMD-99-4
TITLE: Year 2000 Computing Crisis: The District of Columbia Faces
Tremendous Challenges in Ensuring Vital Services
Are Not Disrupted
DATE: 10/02/98
SUBJECT: Municipal governments
Embedded computer systems
Systems conversions
Strategic information systems planning
Systems compatibility
Data integrity
Information resources management
Information systems
Computer software verification and validation
IDENTIFIER: Y2K
District of Columbia
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Before Congressional Requesters
For Release on Delivery
Expected at
1:30 p.m.
Friday,
October 2, 1998
YEAR 2000 COMPUTING CRISIS - THE
DISTRICT OF COLUMBIA FACES
TREMENDOUS CHALLENGES IN ENSURING
VITAL SERVICES ARE NOT DISRUPTED
Statement of Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems
Accounting and Information Management Division
GAO/T-AIMD-99-4
GAO/AIMD-99-4T
(511130)
Abbreviations
=============================================================== ABBREV
IT -
============================================================ Chapter 0
Mrs. Chairwoman, Mr. Chairmen, and Members of the Subcommittees:
Thank you for inviting me to participate in today's hearing on the
District of Columbia's Year 2000 problem. As you know, the District
of Columbia, like other local and state governments, is extremely
vulnerable to Year 2000 problems due to its widespread dependence on
computer systems to deliver vital public services and carry out its
operations. If the problems are not addressed in time, systems
supporting important functions such as public safety, revenue
collection, traffic control, payroll, and pensions may be unable to
operate. Today, I will discuss the Year 2000 risks facing the
District, its progress to date in fixing systems, and our concerns
with the District's remediation strategy.
Until this past June, the District had made only limited progress in
addressing the Year 2000 problem. It lacked both the structure and
the resources necessary to address the issue. Since June, the pace
of the District's Year 2000 effort has picked up considerably. The
District hired a contractor to assist in remediating systems,
established a Year 2000 program management office, assigned more
resources, and began a more aggressive strategy to compensate for
lost time. These actions will substantially improve its ability to
complete the difficult tasks that lay ahead. But because the
District is so far behind in addressing the problem, the risk that
critical processes could fail is greatly increased. As a result, it
is vital that the District promptly identify its most important
operations, determine which systems supporting these operations can
be fixed before the Year 2000 deadline, and ensure that business
continuity and contingency plans are developed for systems that will
not be renovated on time.
To prepare for this testimony, we evaluated the District's efforts to
address risks associated with the Year 2000 date change and compared
these efforts to criteria detailed in our Year 2000 Assessment
Guide,\1 Business Continuity and Contingency Planning Guide,\2 and
Testing Guide.\3 We interviewed District officials responsible for
overseeing the Year 2000 effort, including the Chief Management
Officer and her deputy, the Acting Chief Technology Officer, the Year
2000 Program Manager, the Chief Procurement Officer, and Office of
Inspector General officials. We reviewed and analyzed the District's
request for contractor assistance in assessing, renovating, and
testing city systems. We also attended two hearings held by the
District of Columbia Council in May and July 1998 on the status of
the city's Year 2000 efforts. Finally, we interviewed officials from
Public Technology, Inc., the International City/County Management
Association, the National Association of State Information Resources
Executives, the National Governors' Association, and the Regional
Council of Governments to evaluate the progress of other state and
local governments. We performed our work in Washington, D.C., from
March through September 1998, in accordance with generally accepted
government auditing standards.
--------------------
\1 Year 2000 Computing Crisis: An Assessment Guide
(GAO/AIMD-10.1.14). Published as an exposure draft in February 1997
and finalized in September 1997, the guide was issued to help federal
agencies prepare for the Year 2000 conversion.
\2 Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/AIMD-10.1.19). Published as an exposure draft in March
1998 and finalized in August 1998, this guide provides a conceptual
framework for helping organizations to manage the risk of potential
Year 2000-induced disruptions to their operations. It discusses the
scope and challenge and offers a structured approach for reviewing
the adequacy of agency Year 2000 business continuity and contingency
planning efforts.
\3 Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21,
Exposure Draft, June 1998). This guide addresses the need to plan
and conduct Year 2000 tests in a structured and disciplined fashion.
The guide describes a step-by-step framework for managing and a
checklist for assessing all Year 2000 testing activities, including
those activities associated with computer systems or system
components (such as embedded processors) that are vendor supported.
YEAR 2000 RISKS FACING THE
DISTRICT OF COLUMBIA
---------------------------------------------------------- Chapter 0:1
Addressing the Year 2000 problem in time will be a formidable
challenge for the District of Columbia. The District government is
composed of approximately 80 entities, responsible for carrying out a
vast array of services for a diverse group of stakeholders. These
services include municipal, state, and federal functions, such as
street maintenance and repairs, economic development and regulation,
trash pick-up, water and sewer services, educational institutions,
hospital and health care, public safety, and correctional
institutions. Each of these services is susceptible to the Year 2000
problem.
The Year 2000 problem is rooted in the way dates are recorded and
computed in automated information systems. For the past several
decades, systems have typically used two digits to represent the
year, such as "97" representing 1997, in order to conserve on
electronic data storage and reduce operating costs. With this
two-digit format, however, the year 2000 is indistinguishable from
1900, or 2001 from 1901. As a result of this ambiguity, system or
application programs that use dates to perform calculations,
comparisons, or sorting may generate incorrect results.
The District has a widespread and complex data processing
environment, including a myriad of organizations and functions.
There are four major data centers located throughout the city, each
serving divergent groups of users, running multiple applications, and
using various types of computer platforms and systems. Most of the
District's computer systems were not designed to recognize dates
beyond 1999 and will thus need to be remediated, retired, or replaced
before 2000.
To complicate matters, each District agency must also consider
computer systems belonging to other city agencies, other governments,
and private sector contractors that interface with their systems.
For example, the Social Security Administration exchanges data files
with the District to determine the eligibility of disabled persons
for disability benefits. Even more important, the District houses
the most critical elements of the federal government. The ability of
the District to perform critical government services after the
century date change is not only essential to District residents but
also important to the continuity of operations of the executive,
congressional, and judicial offices housed here.
In addition, the Year 2000 could cause problems for the many
facilities used by the District of Columbia that were built or
renovated within the last 20 years and contain embedded computer
systems to control, monitor, or assist in operations. For example,
water and sewer systems, building security systems, elevators,
telecommunications systems, and air conditioning and heating
equipment could malfunction or cease to operate.
The District cannot afford to neglect any of these issues. If it
does, the impact of Year 2000 failures could potentially be
disruptive to vital city operations and harmful to the local economy.
For example:
-- Critical service agencies, such as the District's fire and
police departments, may be unable to provide adequate and prompt
responses to emergencies due to malfunctions or failures of
computer reliant equipment and communications systems.
-- The city's unemployment insurance benefit system may be unable
to accurately process benefit checks as early as January 4,
1999.\4
-- The city's tax and business systems may not be able to
effectively process tax bills, licenses, and building permits.
Such problems could hamper local businesses as well as revenue
collection.
-- Payroll and retirement systems may be unable to accurately
calculate pay and retirement checks.
-- Security systems, including alarm systems, automatic door
locking and opening systems and identification systems, could
operate erratically or not all, putting people and goods at risk
and disabling authorized access to important functions.
To address these Year 2000 challenges, we issued our Year 2000
Assessment Guide to help federal agencies plan, manage, and evaluate
their efforts. This guide provides a structured approach to planning
and managing five delineated phases of an effective Year 2000
program. The phases include (1) raising awareness of the problem,
(2) assessing the complexity and impact the problem can have on
systems, (3) renovating, or correcting, systems, (4) validating, or
testing, corrections, and (5) implementing corrected systems. We
have also identified other dimensions to solving the Year 2000
problem, such as identifying interfaces with outside organizations
specifying how data will be exchanged in the year 2000 and beyond and
developing business continuity and contingency plans to ensure that
core business functions can continue to be performed even if systems
have not been made Year 2000 compliant.
--------------------
\4 Because of benefit year date calculations used in determining
claimant eligibility, many state unemployment systems are at risk of
Year 2000 failures as early as January 1999. For example, if a claim
is filed January 4, 1999, it will have a benefit year ending date of
January 3, 2000. If a state's benefits system has not been repaired,
it may fail as early as January 1999 because it would not properly
recognize dates beyond 2000. Because the District had not yet
procured a contractor to remediate its unemployment system, GAO and
the Department of Labor's Inspector General recently reported that
the system was at a high risk of failing. (Year 2000 Computing
Crisis: Progress Made at Department of Labor, But Key Systems at
Risk (GAO/T-AIMD-98-303, September 17, 1998)).
LIKE THE DISTRICT, OTHER LOCAL
AND STATE GOVERNMENTS ARE
FACING FORMIDABLE YEAR 2000
CHALLENGES
---------------------------------------------------------- Chapter 0:2
Based on the limited data available on the status of local and state
governments, we believe that the District's Year 2000 status is not
atypical. For example, a survey conducted by Public Technology, Inc.
and the International City/County Management Association in the fall
and winter of 1997, found that of about 1,650 cities that
acknowledged an impact from Year 2000, nearly a quarter had not begun
to address the problem.
In addition, state governments are also reporting areas where they
are behind in fixing Year 2000 problems. For example, as we recently
testified before the Subcommittee on Government Management,
Information and Technology, House Committee on Government Reform and
Oversight,\5 a June 1998 survey conducted by the Department of
Agriculture's Food and Nutrition Service, found that only 3 states
reported that their Food Stamp Program systems were Year 2000
compliant and only 14 states reported that their Women, Infants, and
Children program were compliant. Moreover, four states reported that
their Food Stamp Program systems would not be compliant until the
last quarter of calendar year 1999, and five states reported a
similar compliance time frame for the Women, Infants, and Children
program.
--------------------
\5 Year 2000 Computing Crisis: Severity of Problem Calls for Strong
Leadership and Effective Partnerships (GAO/T-AIMD-98-278, September
3, 1998).
DESPITE SLOW START, THE
DISTRICT IS ACTING TO ADDRESS
THE YEAR 2000 PROBLEM
---------------------------------------------------------- Chapter 0:3
Until June 1998, the District had made very little progress in
addressing the Year 2000 problem. It had not identified all of its
mission-critical systems, established reporting mechanisms to
evaluate the progress of remediation efforts, or developed detailed
plans for remediation and testing. In addition, it lacked the basic
tools necessary to move its program forward. For example, it had not
assigned a full-time executive to lead its Year 2000 effort,
established an executive council or committee to help set priorities
and mobilize its agencies, or identified management points-of-contact
in business areas.
Since this past June, the District has recognized the severity of its
situation and taken a number of actions to strengthen program
management and to develop a strategy that is designed to help the
city compensate for its late start. For example, to improve program
management, the District has hired a new chief technology officer,
appointed a full-time Year 2000 program manager, established a Year
2000 program office, and continued to use its chief technology
officer council to help coordinate and prioritize efforts.
The District also contracted with an information technology firm to
assist in completing the remediation effort. To accomplish this in
the short time remaining, the District and the contractor plan to
concurrently (1) remediate and test system applications, (2) assess
and fix the information technology (IT) infrastructure, including the
data centers, hardware, operating systems, and telecommunications
equipment, (3) assess and correct noninformation technology assets,
and (4) develop contingency plans. So far, the District has done the
following.
-- Developed an inventory of information technology applications.
Of the 336 applications identified, the District and its
contractor determined that 84 are deemed Year 2000 compliant,
135 have already been remediated but still need to be tested,
and 117 need to be remediated and tested. According to the
District, over 9 million lines of code still need to be
remediated.
-- Initiated pilot remediation and test efforts with the pension
and payroll system. The system has been converted and the
conversion results are being readied for system users to review.
The District expects to complete the pilot by December 31, 1998.
-- Adopted a contingency planning methodology that it is now
piloting on the 911 system, the water and sewer system, and the
lottery board system. It expects to complete the first two
pilots by October 31, 1998, and the remaining one during the
first quarter of fiscal year 1999.
-- Developed a strategy for remediating non-IT assets that is now
being tested on the water and sewer system. This is also
expected to be done by October 31, 1998. After this effort is
completed, the District and the contractor will begin to assess
and remediate non-IT equipment at agencies providing critical
safety, health, and environmental services.
THE DISTRICT IS STILL
SIGNIFICANTLY BEHIND IN
ADDRESSING THE YEAR 2000
PROBLEM
---------------------------------------------------------- Chapter 0:4
The District's recent actions reflect a commitment on the part of the
city to address the Year 2000 problem and to make up for the lack of
progress. However, the District is still significantly behind in
addressing the problem. As illustrated in the following figure, our
Assessment Guide recommends that organizations should now be testing
their systems in order to have enough time to implement them. They
should also have business continuity and contingency plans in place
for mission-critical systems to ensure the continuity of core
business operations if critical systems are not corrected in time.
By contrast, the District is still in the assessment process--more
than 1 year behind our recommended timetable. For example, it has
not
-- identified all of its essential business functions that must
continue to operate,
-- finished assessing its IT infrastructure and its non-IT assets,
-- provided guidance to its agencies on testing, and
-- identified resources that will be needed to complete remediation
and testing.
Figure 1: The District's Year
2000 Status Compared to Our
Recommended Year 2000 Schedule
(See figure in printed
edition.)
Until the District completes the assessment phase, it will not have
reliable estimates of how long it will take to renovate and test
mission-critical systems and processes and to develop business
continuity and contingency plans. The District will also be unable
to provide a reliable estimate of the costs to implement an effective
Year 2000 program.
Further, the District has had some problems in completing the
assessment phase. For example, according to program office
officials, three agencies--the Court System, Superior Court, and
Housing Authority--have refused to participate in the program
office's assessment activities. Agencies also do not consistently
attend program office meetings and do not always follow though on
their assessment commitments, such as ensuring that program office
and contractor teams have access to agency personnel and data.
Program office officials attributed these problems to the office's
limited authority and the lack of mandatory requirements to
participate in the Year 2000 program. Failure to fully engage in the
Year 2000 program can only increase the risks the District faces in
trying to ensure continuity of service in key business process areas.
ESSENTIAL STEPS NEEDED TO
MITIGATE INCREASED RISKS
---------------------------------------------------------- Chapter 0:5
District officials acknowledge that the city is not able to provide
assurance that all critical systems will be remediated on time. We
agree. Therefore, to minimize disruptions to vital city services, it
will be essential for the District to effectively manage risks over
the next 15 months.
First, because it is likely that there will not be enough time to
remediate all systems, the District must identify and prioritize its
most critical operations. This decision must collectively reside
with the key stakeholders involved in providing District services and
must represent a consensus of the key processes and their relative
priority. The results of this decision should drive remediation,
testing, and business continuity and contingency planning and should
provide increased focus to the efforts of the Year 2000 office and
its contractor. To this end, we recommend that the District, along
with its current Year 2000 efforts, identify and rank the most
critical business operations and systems by October 31, 1998. The
District should use this ranking to determine by November 30, 1998,
the priority in which supporting systems will be renovated and
tested. Continuity of operations and contingency plans for these
processes and systems should also be initiated at this time if such
action is not already underway.
Second, for systems that may not complete remediation but that are
still important to city operations, managers will need to develop
contingency plans for continued operations. It is essential that
such plans be developed early to provide stakeholders as much time as
possible to provide resources, develop "workarounds," or secure
legislative or administrative approvals as necessary to execute the
plans.
Third, because of the dependencies between the District and the
surrounding local and federal government entities, the District will
need to work closely with those bodies to both identify and prepare
appropriate remedial steps and contingency plans to accommodate those
dependencies. We recommend that the District immediately develop an
outreach program to first identify its dependencies and then
determine the remediation required to minimize the risk of Year 2000
failure.
Finally, efforts to address this problem must have continued
top-level commitment from the Chief Management Officer and the
department and agency heads, the Mayor's office, and the control
board.\6 Establishing a program office and hiring a contractor with
significant expertise is a good first step. However, the key
stakeholders need to "own" the process, i.e., participate in critical
decision-making on program direction, provide resources and support
for the program, and ensure that all District agencies and offices
fully participate in the process.
--------------------
\6 The District of Columbia Financial Responsibility and Management
Assistance Authority, also known as the District of Columbia Control
Board, was established in April 1995 by Public Law 104-8. The
board's responsibilities include improving the District's financial
planning, budgeting, and revenue forecasting as well as ensuring the
most efficient and effective delivery of city services. The board is
also responsible for conducting investigations to determine the
fiscal status and operational efficiency of the District government.
-------------------------------------------------------- Chapter 0:5.1
To conclude, we believe the District's Year 2000 program needs an
absolute commitment from its leadership to make the most of the short
time remaining. By addressing the steps outlined above, the District
can better ensure a shared understanding of the key business
processes that must be remediated, a shared understanding of the
risks being assumed in establishing priorities for remediation,
testing, and business continuity and contingency planning, and a
shared commitment to provide the resources required to address those
priorities.
Mrs. Chairwoman and Mr. Chairmen, this concludes my statement. I
will be happy to answer any questions you or Members of the
Subcommittees may have.
*** End of document. ***