Year 2000 Computing Crisis: The District of Columbia Remains Behind
Schedule (Testimony, 02/19/99, GAO/T-AIMD-99-84).

Pursuant to a congressional request, GAO discussed the challenges facing
the District of Columbia in addressing the year 2000 problem, focusing
on: (1) the District of Columbia's progress in fixing its information
systems; and (2) the risks it now faces.

GAO noted that: (1) the District Year 2000 Program Office has
established an orderly process for addressing the year 2000 problem and
has been working hard to develop an understanding of its core business
processes and supporting information systems; (2) the Year 2000 Program
Manager holds weekly meetings to review deviations from schedule
baselines and to monitor the overall program status; (3) additionally,
the Program Office recently began preparing year 2000 report cards for
all systems included in the District year 2000 effort; (4) these report
cards, which are provided to each agency, summarize the progress being
made on each system; (5) the District's recent actions reflect a
commitment to protect its key business processes from year 2000 failure;
(6) however, its schedule for fulfilling this commitment is highly
compressed and moves through four phases of the year 2000 process in
less than one year-assessment by the end of February, renovation and
contingency planning by the end of September, and system validation by
the end of October; (7) the District remains over one year behind GAO's
recommended schedule and is just now transitioning from the assessment
to the renovation phase of the year 2000 conversion model; (8) according
to the District's Year 2000 Program Manager, at this time, the District
has only renovated about 5 percent of its mission-critical systems, with
less than 1 percent of its mission-critical systems completing
validation; (9) further, only one of the District's over 200
mission-critical systems, which is responsible for paying District
employees and pensioners, has been through the entire conversion process
and is now implemented; (10) only six business continuity plans--such as
the plan for documenting the manual registering of students for the
University of the District of Columbia' student enrollment process--have
been finalized; (11) it will be difficult for the District to adequately
compensate for its late start in initiating effective action on the year
2000 challenge; and (12) given the District's compressed year 2000
schedule--which allows no margin for error--and to have a reasonable
chance of avoiding serious disruption to public services, it must be
well prepared for likely project delays and failures of mission-critical
systems.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-84
     TITLE:  Year 2000 Computing Crisis: The District of Columbia 
             Remains Behind Schedule
      DATE:  02/19/99
   SUBJECT:  Y2K
             Computer software
             Systems conversions
             Schedule slippages
             Municipal governments
             Information resources management
             Strategic information systems planning
             Computer software verification and validation
             Data integrity
IDENTIFIER:  Y2K
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  This text was extracted from a PDF file.        **
** Delineations within the text indicating chapter titles,      **
** headings, and bullets have not been preserved, and in some   **
** cases heading text has been incorrectly merged into          **
** body text in the adjacent column.  Graphic images have       **
** not been reproduced, but figure captions are included.       **
** Tables are included, but column deliniations have not been   **
** preserved.                                                   **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************
ai99084t.PDF A Testimony Before the Subcommittee on the District
of Columbia, Committee on Government Reform, House of
Representatives

For Release on Delivery Expected at

YEAR 2000 COMPUTING

9:30 a.m. Friday,

CRISIS

February 19, 1999

The District of Columbia Remains Behind Schedule

Statement of Jack L. Brock, Jr. Director, Governmentwide and
Defense Information Systems Accounting and Information Management
Division

GAO

United States General Accounting Office

GAO/T-AIMD-99-84


Page 1 

GAO/T-AIMD-99-84

Page 1   GAO/T-AIMD-99-84

Mr. Chairman and Members of the Subcommittee: Thank you for
inviting me to participate in today's hearing on the challenges
facing the District of Columbia in addressing the Year 2000
problem. As you know, the District of Columbia, like many public
and private organizations, is extremely vulnerable to Year 2000
problems due to its widespread dependence on computer systems to
deliver vital public services and carry out its operations. If
these problems are not addressed in time, the District may be
unable to effectively ensure public safety, collect revenue,
educate students, and provide health care services. Today, I will
discuss the District's progress in fixing its systems and the
risks it now faces.

In October 1998 we testified that the District was seriously
behind, but noted that a number of positive steps were underway to
accelerate its progress on the Year 2000 problem. 1 At that time,
the District had hired a new chief technology officer, appointed a
full- time Year 2000 program manager, established a Year 2000
program office, launched an aggressive strategy to compensate for
lost time, assigned more resources, and contracted with an
information technology firm to assist with all phases of the Year
2000 correction process. Still, we stressed that because the
District was so far behind in addressing the problem, it was at
significant risk that critical processes could fail. Consequently,
we recommended that the District promptly identify its most
important operations, determine which systems supporting these
operations could be fixed before the Year 2000 deadline, and
ensure that business continuity and contingency plans were
developed for core business operations for which supporting
systems would not be renovated on time. Since we last testified,
the District has started implementing these recommendations and
has taken additional steps to address the Year 2000 problem.

Nevertheless, the District remains far behind, but is not alone in
its predicament. According to a November 1998 National Association
of Counties survey of 500 counties representing 46 states, about
two- thirds of counties had not yet completed the assessment phase
of their Year 2000 work and about half did not yet have a
countywide plan for addressing Year 2000 conversion issues. States
are also experiencing Year 2000 challenges.

1 Year 2000 Computing Crisis: The District of Columbia Faces
Tremendous Challenges in Ensuring Vital Services Are Not Disrupted
(GAO/T-AIMD-99-4, October 2, 1998).

Page 2 GAO/T-AIMD-99-84

A recent survey of state Year 2000 efforts 2 indicates that over
40 percent of the states are less than halfway through remediating
their mission- critical systems. 3 To prepare for this testimony,
we conducted a quick overview of the

District's recent efforts to address risks associated with the
Year 2000 date change and compared these efforts to criteria
detailed in our Year 2000 Assessment Guide, 4 Business Continuity
and Contingency Planning Guide, 5 and Testing Guide. 6 We reviewed
a number of key project documents

including the District's Enterprise Project Plan, Contingency
Planning Workbook (that describes the District's approach to
contingency planning), and Test Strategy. We interviewed District
officials responsible for overseeing the Year 2000 effort,
including the Year 2000 Program Manager, the Year 2000 Contingency
Planning Manager, the Director for Systems Audits in the Office of
the Inspector General, and the Year 2000 contractor's Program
Executive and Contingency Planning Manager. Finally, we reviewed
information collected by the National Association of State
Information Resource Executives and a study of county government
Year 2000 preparedness conducted by the National Association of
Counties. We performed our work in Washington, D. C., between
February 2 and February 17, 1999, in accordance with generally
accepted government auditing standards.

2 Individual states submit periodic Year 2000 progress updates to
the National Association of State Information Resource Executives.
For the January 15th report, the states submitted their data
between December 7, 1998, and January 14, 1999.

3 Four states did not respond to this question. 4 Year 2000
Computing Crisis: An Assessment Guide (GAO/ AIMD- 10.1.14).
Published as an exposure draft in February 1997 and finalized in
September 1997, the guide was issued to help federal agencies
prepare for the Year 2000 conversion.

5 Year 2000 Computing Crisis: Business Continuity and Contingency
Planning (GAO/ AIMD- 10.1.19). Published as an exposure draft in
March 1998 and issued in August 1998, this guide provides a
conceptual framework for helping organizations to manage the risk
of potential Year 2000- induced disruptions to their operations.
It discusses the scope and challenge and offers a structured
approach for reviewing the adequacy of agency Year 2000 business
continuity and contingency planning efforts.

6 Year 2000 Computing Crisis: A Testing Guide (GAO/ AIMD-
10.1.21). Published as an exposure draft in June 1998 and issued
in November 1998, this guide addresses the need to plan and
conduct Year 2000 tests in a structured and disciplined fashion.
The guide describes a step- by- step framework for managing, and a
checklist for assessing, all Year 2000 testing activities
including those activities associated with computer systems or
system components (such as embedded processors) that are vendor
supported.

Page 3 GAO/T-AIMD-99-84

District of Columbia Efforts to Address the Year 2000 Problem

Since our initial assessment, the District Year 2000 Program
Office has established an orderly process for addressing the Year
2000 problem and has been working hard to develop an understanding
of its core business processes and supporting information systems.
For example, the District has:

 identified 18 agencies that are critical to providing vital
services to the city;  identified and prioritized 75 core business
processes and over 200

mission- critical systems that support these processes;  developed
a detailed project plan for remediating, testing, and

implementing its mission- critical systems;  prepared and tested a
contingency planning methodology and has begun

to apply the methodology in developing business continuity and
contingency plans for core business processes;  developed a system
testing strategy;  strengthened its Year 2000 organization by
hiring additional staff; and  developed crisis management
procedures to be used in the event that a

Year 2000 failure is imminent or occurs. The Year 2000 Program
Manager holds weekly meetings to review deviations from schedule
baselines and monitor the overall program status. Additionally,
the Program Office recently began preparing Year 2000 report cards
for all systems included in the District's Year 2000 effort. These
report cards, which are provided to each agency, summarize the
progress being made on each system.

The District Is Still Behind Schedule

The District's recent actions reflect a commitment to protect its
key business processes from Year 2000 failure. However, its
schedule for fulfilling this commitment is highly compressed and
moves through four phases of the Year 2000 process in less than 1
year-- assessment by the end of February, renovation and
contingency planning by the end of September, and system
validation by the end of October. Currently, the District remains
over 1 year behind our recommended schedule and is just now
transitioning from the assessment to the renovation phase of the
Year 2000 conversion model. By contrast, our Assessment Guide
recommends that renovation should have been completed by the end
of August 1998 to allow ample time for validation and
implementation and that organizations should now be well along in
their contingency planning efforts-- testing and implementing
business continuity and contingency plans for their core

Page 4 GAO/T-AIMD-99-84

business processes and mission- critical systems. 7 As illustrated
in the following figure, organizations should also now be well
into validating and implementing their renovated systems.

Figure 1: The District's Reported Year 2000 Status Compared to Our
Recommended Year 2000 Schedule

According to the District's Year 2000 Program Manager, at this
time, the District has only renovated about 5 percent of its
mission- critical systems, with less than 1 percent of its
mission- critical systems completing validation. Further, only one
of the District's over 200 mission- critical systems, which is
responsible for paying District employees and pensioners, has been
through the entire conversion process and is now implemented. Only
six business continuity plans such as the plan for documenting the
manual registering of students for the University of the District
of Columbia's student enrollment process have been finalized.

The District of Columbia Faces a Risk That Critical Services Will
Be Disrupted

It will be difficult for the District to adequately compensate for
its late start in initiating effective action on the Year 2000
challenge. As a result, it faces a significant risk that vital
services will be disrupted-- and tremendously important tasks lie
ahead. For example, according to the District's project plan,
testing for a majority of its mission- critical systems will peak
over the next few months and finish in October. Experience shows
that Year 2000 testing-- the linchpin for providing reasonable
assurance that systems process dates correctly is the most time-
consuming and difficult phase of

7 Although the District has finished assessing its mission-
critical systems, it does not expect to finish assessing non- IT
assets until the end of February 1999. According to the District's
Year 2000 Program Manager, about 36 percent of the District's non-
IT assets have been assessed .

1 9 9 6 1 9 9 9 1 9 9 8 1 9 9 7 a w a r e n e s s r e n o v a t i
o n

a s s e s s m e n t v a l i d a t i o n & i m p l e m e n t a t i
o n w h e r e t h e

D i s t r i c t i s w h e r e t h e

D i s t r i c t s h o u l d b e

Page 5 GAO/T-AIMD-99-84

nearly all Year 2000 projects. Similarly, development and testing
of the District's contingency plans, which are intended to reduce
the risk and potential impact of Year 2000- induced information
system failures on its core business processes, are likewise
scheduled for completion in the fall. Given the District's
compressed Year 2000 schedule-- which allows no margin for error--
and to have a reasonable chance of avoiding serious disruption to
public services, it must be well prepared for likely project
delays and/ or failures of mission- critical systems.

The District Must Take Steps to Mitigate Risks

The District's schedule for Year 2000 compliance offers little
opportunity for further compression, no margin for error, and
little room for corrective action if test results show continued
problems with mission- critical systems.

 First, to partially compensate, we recommend that the District
place increased emphasis on (1) completing business continuity and
contingency plans as early as possible to allow time for testing
and funding and (2) ensuring that contingency plans and priorities
are updated to reflect information that becomes available as the
Year 2000 project progresses, including new risk assessments based
on the successes and failures encountered in the validation phase
of the project.  Second, efforts to address the Year 2000 problem
must have continued

top- level attention, commitment, and input from key stakeholders
(including the Mayor, department and agency heads, and the Control
Board 8 ) who own the Year 2000 process. These stakeholders must
participate in making critical decisions throughout the remainder
of

the project,  continue to provide resources and support for the
program, and  take action necessary to eliminate obstacles that
could reduce the

Year 2000 Program Office's chances of successfully executing its
project plan.

8 The District of Columbia Financial Responsibility and Management
Assistance Authority, also known as the District of Columbia
Control Board, was established in April 1995 by Public Law 104- 8.
The Board's responsibilities include improving the District's
financial planning, budgeting, and revenue forecasting as well as
ensuring the most efficient and effective delivery of city
services. The Board is also responsible for conducting
investigations to determine the fiscal status and operational
efficiency of the District government.

Letter

Page 6 GAO/T-AIMD-99-84

Mr. Chairman, this concludes my statement. I will be happy to
answer any questions you or Members of the Subcommittee may have.
(511142) Letter

Ordering Information The first copy of each GAO report and
testimony is free. Additional copies are $2 each. Orders should be
sent to the following address, accompanied by a check or money
order made out to the Superintendent of Documents, when necessary,
VISA and MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail: U. S. General Accounting Office P. O. Box 37050
Washington, DC 20013

or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW)
U. S. General Accounting Office Washington, DC

Orders may also be placed by calling (202) 512- 6000 or by using
fax number (202) 512- 6061, or TDD (202) 512- 2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512- 6000 using a
touchtone phone. A recorded menu will provide information on how
to obtain these lists.

For information on how to access GAO reports on the INTERNET, send
an e- mail message with info in the body to:

info@ www. gao. gov or visit GAO's World Wide Web Home Page at:
http:// www. gao. gov

United States General Accounting Office Washington, D. C. 20548-
0001

Official Business Penalty for Private Use $300

Address Correction Requested Bulk Rate

Postage & Fees Paid GAO Permit No. GI00

*** End of document. ***