United States General Accounting Office GAO Report to Congressional Requesters October 1997 SOCIAL SECURITY ADMINISTRATION Significant Progress Made in Year 2000 Effort, But Key Risks Remain GAO/AIMD-98-6 United States GAO General Accounting Office Washington, D.C. 20548 Accounting and Information Management Division B-276351 October 22, 1997 The Honorable Jim Bunning Chairman, Subcommittee on Social Security Committee on Ways and Means House of Representatives The Honorable Charles E. Grassley Chairman The Honorable John B. Breaux Ranking Minority Member Special Committee on Aging United States Senate Unless timely corrective action is taken, the Social Security Administration (SSA), like other federal agencies, could face critical computer system failures at the turn of the century due to incorrect information processing relating to dates. In many systems, the year 2000 will be indistinguishable from 1900. If left uncorrected, this could result in Social Security benefit checks being issued incorrectly—or not on time—beginning in January 2000 and in the malfunctioning of other beneficiary services supported by automated systems. Because of the potential for serious governmentwide disruption to critical functions and services from the upcoming change of century, the Year 2000 computing problem has been added to our list of high-risk issues.1 In light of the critical challenge facing SSA, you requested that we review the agency’s actions to achieve Year 2000 information systems compliance. Accordingly, this report discusses our assessment of the adequacy of steps taken by SSA to ensure that computing problems related to the year 2000 are fully addressed, including its oversight of state Disability Determination Services’ (DDS) Year 2000 program activities. SSA first recognized the potential impact of the Year 2000 problem almost a Results in Brief decade ago and, in so doing, was able to launch an early response to this challenge. It initiated early awareness activity and has made significant progress in assessing and renovating mission-critical mainframe software that enables it to provide Social Security benefits and other assistance to the public. Because of the knowledge and experience gained through its early Year 2000 efforts, SSA has come to be regarded as a federal leader in 1 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997). Page 1 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 addressing this issue. SSA’s Assistant Deputy Commissioner for Systems currently chairs the Chief Information Officers Council’s Subcommittee on the Year 2000 and works with other federal agencies to address Year 2000 issues across government. While SSA deserves credit for its leadership, the agency remains at risk that not all of its mission-critical systems—those necessary to prevent the disruption of benefits—will be corrected before January 1, 2000. At particular risk are the systems that have not yet been assessed for the 54 state DDSs that provide vital support to SSA in administering its disability insurance programs. Private contractors SSA hired to make 42 of the 54 state DDS systems Year 2000 compliant reported that these offices had at least 33 million additional lines of software code that must be assessed and, where necessary, renovated. Given the potential magnitude of this undertaking, SSA could face major disruptions in its ability to process initial disability claims for millions of individuals throughout the country if these systems are not addressed in time for corrective action to be completed before the change of century. SSA also faces the challenge of ensuring that its critical data exchanges with federal and state agencies and other businesses are Year 2000 compliant. It has taken a number of positive steps in this direction, such as identifying incoming and outgoing file exchanges with the external business community and developing a database to maintain information on the status of compliance activities. However, because SSA must rely on the hundreds of federal and state agencies and the thousands of businesses with which it exchanges files to make their systems compliant, SSA faces a definite risk that inaccurate data will be introduced into its databases. That risk could be magnified if SSA does not develop contingency plans to ensure the continuity of its critical systems and activities should systems not be corrected in time. SSA’s programs touch the lives of almost every individual in this country. Background Its Old Age, Survivors, and Disability Insurance (OASDI) programs—which comprise what is commonly called Social Security—provide benefits to retired and disabled workers and their dependents and survivors; its Supplemental Security Income (SSI) program provides assistance to aged, blind, and disabled individuals with limited income and resources.2 2 SSA’s OASDI and SSI programs are authorized under Titles II and XVI, respectively, of the Social Security Act. Page 2 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 In addition to paying benefits, SSA issues Social Security numbers to eligible individuals and maintains and provides earnings records for individuals working under employment covered by the program. SSA also helps process claims for black lung benefits and provides support to other programs, such as Medicare, Medicaid, and Railroad Retirement. More than 50 million beneficiaries receive benefits and services under SSA’s programs, which in fiscal year 1996 accounted for $386 billion—nearly one-quarter of the nation’s $1.6 trillion in federal expenditures. SSA administers its programs through five core business processes—enumeration, earnings, claims, postentitlement, and informing the public. Through these processes, as shown in table 1, SSA processes claims for benefits, adjudicates appeals on disputed decisions, and handles the millions of actions required each year to keep beneficiary records current and accurate. Table 1: SSA Core Business Processes Process and Fiscal Year 1996 Workload Description Enumeration Process through which SSA assigns Social Security numbers to identify workers and beneficiaries, issues 16 million requests for new or replacement cards to individuals with existing numbers, replacement Social Security and verifies Social Security numbers for employers and cards government agencies. Earnings Process used by SSA to establish and maintain a record of an individual’s earnings for use in determining insured 240 million earnings records status for entitlement to retirement, survivors’ disability, processed and health insurance benefits and in calculating payment amounts. Claims Process comprising actions taken by SSA to determine an individual’s eligibility for benefits, beginning with the Initial Claims individual’s initial contact with SSA and continuing through payment initiation or the three levels of OASDI: 5 million administrative appeal that a claimant may request. SSI: 2 million Postentitlement Process involving actions that SSA takes after an individual becomes entitled to Social Security or SSI 99 million transactions benefits to ensure continuing eligibility and timely and correct payment of benefits, such as changes of address, benefits recomputations, and reviews of continuing eligibility. Informing the Public Process used by SSA to disseminate information about the programs it administers, including the issuance of 9 million statements issued Personal Earnings & Benefit Estimate Statements. Source: SSA. Page 3 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 SSA serves the public through its central office in Baltimore, Maryland, and a network of field offices that includes 10 regional offices, approximately 1,300 field offices, and a nationwide toll-free telephone number. Field offices are located in cities and rural communities across the nation and are the agency’s physical point of contact with beneficiaries and the public. SSA also depends on 54 state DDS offices, along with one federally administered DDS, to help process claims under its disability insurance programs.3 State DDSs provide crucial support to the initial disability claims process—one that accounts for a large proportion of SSA’s workload—through their role in determining an individual’s medical eligibility for disability benefits. DDSs make decisions regarding disability claims in accordance with federal regulations and policies; the federal government reimburses 100 percent of all DDS costs in making disability determination decisions. The DDSs, during fiscal year 1996, processed more than 2 million initial disability determination claims. The process begins when individuals apply for disability benefits at an SSA field office, where determinations are made on whether they meet nonmedical criteria for eligibility. The field office then forwards these applications to the appropriate state DDS, where a disability examiner collects the necessary medical evidence to make the initial determination of whether the applicant meets the definition of disability. Once the applicant’s medical eligibility is determined, the DDS forwards this decision to SSA for final processing. Both SSA and the DDSs rely on information systems to support the processing of benefits. SSA uses an information processing network that links its distributed (field level) operations with its centralized mainframe computers at headquarters. Each core process is supported by hundreds of software programs that enable field office staff to perform data collection and on-line editing of client information, using either terminals or recently installed personal computers4 that communicate with SSA’s centralized mainframe computers. These mainframe computers establish and update beneficiary claims, process applications for Social Security numbers, and establish and maintain individuals’ earnings histories. SSA’s 3 The DDSs include all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. The federal DDS provides back-up services to state DDSs when the state offices are unable to keep up with workloads and serves as a model office for testing new technologies and work processes. 4 SSA’s “dumb” terminals are connected to its mainframe computers through its data network and are controlled by software executed on the mainframes. Its personal computers, called intelligent workstations, have their own data storage and processing capabilities. Page 4 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 Chief Information Officer (CIO) provides primary oversight of the agency’s information systems investments; the Office of the Deputy Commissioner for Systems (referred to as the Office of Systems) is responsible for managing all facets of information systems planning, development, acquisition, and operation. State DDSs rely primarily on their internal systems to process medical determinations. In general, DDS computers are comprised of unique state-owned hardware of various ages and stages of completion and with differing capacity and maintenance levels. Similarly, the types of systems and levels of software used vary according to individual state needs. The majority of the DDSs—42 of the 54—use software developed by two private contractors, while the remaining 12 DDSs—referred to as independent DDSs—either process disability claims manually or use software that they have developed. DDS systems are linked to SSA’s mainframe computers via the National Disability Determination Service System (NDDSS). Records are established on the NDDSS through direct input by DDS staff or by uploading data from local databases. Since 1992, SSA’s Office of Systems has been responsible for disability system development. The office serves as the focal point for all disability-related hardware and software initiatives for the DDSs and is responsible for ensuring the integration of these activities on an enterprise basis. Because of its heavy reliance on technology, the Year 2000 problem presents SSA with the enormous challenge of reviewing all of its computer software and making the conversions required to ensure that its systems can handle the first change to a new century since the computer age began. The CIO has overall responsibility for the Year 2000 program; however, day-to-day responsibility for ensuring that changes are made to all systems used by SSA and the DDSs to support core business processes resides with the Office of Systems. In assessing the actions taken by SSA to address the Year 2000 problem, we Scope and reviewed numerous documents, including its Year 2000 tactical plan, Methodology systems inventories, test plans, and implementation schedules. We also analyzed internal tracking reports developed by the agency to monitor the progress of its Year 2000 activities, as well as its Year 2000 quarterly reports submitted to the Office of Management and Budget (OMB). We discussed SSA’s Year 2000 program activities with officials in various headquarters offices, including the Offices of the Deputy Commissioners Page 5 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 for Systems; Operations; Finance, Assessment, and Management; and Programs and Policy. We also met with management and staff at SSA’s program service centers in Birmingham, Alabama, and Philadelphia, Pennsylvania, and at its regional office in Atlanta, Georgia. In addition, we examined Year 2000 program activities at DDS offices in Albany, New York; Birmingham, Alabama; and Decatur, Georgia. We also interviewed representatives of the two private contractors responsible for performing Year 2000 work at most of the DDSs. We used our Year 2000 assessment guide in evaluating SSA’s and the DDSs’ readiness to achieve Year 2000 compliance.5 We conducted our review from January 1997 through September 1997, in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the Commissioner of Social Security or his designee. The Commissioner provided written comments, which are discussed in the “Agency Comments” section and are reprinted in appendix I. At 12:01 a.m. on January 1, 2000, many computer systems worldwide could Structured Approach malfunction or produce inaccurate information simply because the date and Rigorous Program has changed. Unless corrected, such failures could affect SSA benefits Management Can payments received by millions of Americans. Reduce Year 2000 The problem is rooted in how dates are recorded and computed. For the Risk past several decades, systems have typically used two digits to represent the year—such as “97” for 1997—to save electronic storage space and reduce operating costs. In such a format, however, 2000 is indistinguishable from 1900. As an example of the potential impact of this ambiguity, a beneficiary born in 1925 and therefore turning 75 in 2000 could be seen as being negative 25 years old (if “now” is 1900)—not even born yet—and therefore ineligible for benefits that the individual had been receiving. Correcting this problem will not be easy or inexpensive and must be done while such systems continue to operate. Many of the government’s computer systems were developed 20 to 25 years ago, use a wide array of computer languages, and lack full documentation. Systems may contain up to several million lines of software code that must be examined for potential date-format problems. 5 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Page 6 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 The enormous challenge involved in correcting these systems is primarily managerial. Agencies’ success or failure will be determined largely by the quality of their program management and executive leadership. Top agency officials must understand the importance and urgency of this undertaking and communicate this to all employees. The outcome of these efforts will also depend on the extent to which agencies have institutionalized key systems-development and program-management practices, and on their experience with such large-scale software development or conversion projects. Accordingly, agencies must assess their information resources management capabilities and, where necessary, upgrade them. In so doing, they should consider soliciting the assistance of other organizations experienced in these endeavors. To assist agencies with these tasks, our assessment guide6 discusses the scope of the challenge and offers a structured, step-by-step approach for reviewing and assessing an agency’s readiness to handle the Year 2000 problem. The guide describes in detail five phases, each of which represents a major Year 2000 program activity or segment. These are the following: • Awareness. This is a critical first step. Although many people may have heard about a Year 2000 problem, they may not know what it entails or why it matters. For agency personnel, this knowledge is imperative. This is also the phase in which the team within the agency that will take the lead in correcting the problem is identified. The team then examines the problem’s potential impact, gauges the adequacy of agency resources, develops a strategy, and secures strong, visible executive support. • Assessment. The main thrust of this phase is separating mission-critical systems—which must be converted or replaced—from important ones that should be converted or replaced and marginal ones that may be addressed now or deferred. Since the Year 2000 problem is primarily a business problem, it is essential to assess its likely impact on the agency’s major business functions. Following this, information systems in each business area should be inventoried and prioritized; project teams are then established and program plans devised. Testing strategies must be identified, and contingency planning must be initiated as well. • Renovation. This phase deals with actual changes—converting, replacing, or eliminating selected systems and applications. In so doing, it is important to consider the complex interdependencies among them. Changes must be consistent agencywide and information about them clearly disseminated to users. 6 GAO/AIMD-10.1.14, September 1997. Page 7 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 • Validation. Here, agencies test, verify, and validate all converted or replaced systems and applications, ensuring that they perform as expected. This critical phase may take over a year and consume up to half of the Year 2000 program’s budget and resources. It is essential that agencies satisfy themselves that their testing procedures can meet the challenge and that their results can be trusted. • Implementation. Deploying and implementing Year 2000 compliant systems and components requires extensive integration and acceptance testing. And since not all agency systems will be converted or replaced simultaneously, it may be wise to operate in a parallel processing environment for a time, using old and new systems side by side. Such redundancy can act as a fail-safe mechanism until it is clear that all changed systems are operating correctly. In February 1997 OMB, in consultation with the CIO Council, set governmentwide Year 2000 program milestones for completing the majority of the work in each phase of an agency’s Year 2000 activities. According to OMB’s schedule, the assessment phase for mission-critical systems, including performing an enterprisewide inventory, was to be completed by the end of June 1997. SSA began examining the Year 2000 problem almost a decade ago and since Significant Progress then has taken various steps to raise agency awareness of the issue. In Made in Awareness, addition, it has made significant progress in assessing and renovating Assessment, and much of the software on its centralized mainframe systems—the systems that are essential to processing beneficiary claims and providing other Renovation of SSA’s services vital to the public. Mission-Critical first became aware of the Year 2000 problem in 1989, when one of the Mainframe Systems SSA systems supporting its OASDI program experienced problems projecting dates past 1999. Drawing from its experiences in addressing this problem, SSA’s Office of Systems took the lead in raising awareness of the Year 2000 issue and its potential magnitude and impact on the agency’s operations. As part of these efforts, the Office of Systems developed a Year 2000 tactical plan that presented the agency’s strategy for addressing the problem. It also established a committee composed of senior management to gain executive support for the project’s activities, as well as a Year 2000 project team with responsibility for coordinating and reporting on the status of activities. Page 8 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 During its assessment phase, SSA completed key steps necessary for determining the extent to which its centralized mainframe systems were Year 2000 compliant. These steps included developing an inventory of these systems, procuring a software tool to assist in identifying date fields that needed changing, and developing program plans and schedules for addressing these systems. During this phase, SSA also established a strategy for testing its system solutions. According to the Assistant Deputy Commissioner for Systems, SSA’s overall approach gave highest priority to the major databases and mainframe systems developed and centrally managed by the Office of Systems because systems officials believed that these systems contained about 95 percent of all of the agency’s mission-critical software. The Assistant Deputy Commissioner defined the agency’s mission-critical software as being that which directly or indirectly affects SSA’s core business processes, such as the processing and issuance of monthly beneficiary checks. According to internal reports generated to track SSA’s progress, these systems have about 24,000 software modules7 and approximately 34 million lines of computer code. At the time of our review, SSA had made significant progress in the renovation of its mission-critical mainframe systems. Specifically, SSA reported that it had completed renovation and regression testing8 for almost 80 percent of its software modules. In addition, it had developed a Year 2000 test facility, as well as plans for conducting forward-date and integration testing. SSA expects all of its mission-critical systems to be certified as Year 2000 compliant and implemented by January 1999. An agencywide assessment and inventory of information systems and their State Disability components provide the necessary foundation for detailed Year 2000 Determination program planning. A thorough analysis and inventory ensure that all Services Excluded systems are identified and linked to a specific business area or process and that all crosscutting systems are considered. Without a complete From SSA’s Initial agencywide assessment, SSA cannot give full consideration to the extent of Year 2000 Assessment its Year 2000 problem and the level of effort required to correct it. 7 SSA is tracking its Year 2000 project at the module level due to the many systems that are integrated. SSA defines software modules as units of computer code that, when compiled/assembled and executed, perform a specific business function. 8 SSA has identified three phases of validation testing for Year 2000 compliance: regression testing, forward-date testing at the system unit level, and forward-date testing at its Year 2000 test facility. Regression testing, as the first test phase, is done to ensure that the basic functionality of the software still operates correctly after changes are made and when it is integrated with other software programs. Page 9 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 Moreover, until such an assessment has been completed, SSA increases the risk that benefits and services will be disrupted. SSA did not include the DDS systems in its initial assessment of systems that it considered a priority for correction. SSA acknowledges that these systems are mission-critical because of their importance in determining whether an individual is medically eligible to receive disability payments. Accordingly, in December 1996 SSA began taking steps to assess the level of effort required to address the Year 2000 problem at the DDSs. These steps included contracting with the two vendors that originally installed software in 42 of the 54 state DDSs to inventory, assess, renovate, and test this software for Year 2000 compliance. Within these offices, the contractors also are responsible for ensuring that the production databases and NDDSS interfaces are Year 2000 compliant. SSA will require the 12 independent DDSs whose software was not installed by these contractors to perform their own corrective actions or, in a limited number of cases, will perform corrective actions for them. Even with Year 2000 action now underway, however, the potential magnitude of the DDS problem makes systems correction by January 1, 2000, a high-risk area. In particular, although Office of Systems personnel believe that their assessment of centralized mainframe systems considered about 95 percent of the agency’s mission-critical software, inventories and assessments for most DDSs have not yet been completed. SSA therefore cannot yet know the full level of effort that will be required to make these mission-critical systems Year 2000 compliant. Estimates of the amount of software used by the DDSs suggest that extensive work would be necessary to make them Year 2000 compliant. Specifically, according to representatives of the two contractors, among the 42 DDSs for which they are responsible, about 33 million lines of software code must be considered for Year 2000 changes. They explained that because the software used by these DDSs to process disability claims has been modified over time to meet individual state needs, 42 different systems must essentially be assessed. In addition, although SSA did not have information on the total amount of disability software used by the independent DDSs, officials in just one of the offices that we visited said that they will have to review approximately 600,000 lines of code, involving over 400 programs, to determine where corrective action is needed. Page 10 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 Because DDS operations are vital to SSA’s ability to process initial disability claims, it is important that these systems be addressed as soon as possible. Disruptions to this service due to incomplete Year 2000 conversions will prevent or delay SSA’s assistance to millions of individuals across the country. In discussing the status of Year 2000 activity for the DDSs, SSA’s Assistant Deputy Commissioner for Systems acknowledged the need for more diligence in assessing and renovating the states’ systems and said that SSA oversight of this work will increase. An essential yet challenging aspect of SSA’s Year 2000 work will be Resolving Data ensuring that data exchanges with other federal and state agencies and Exchange Issues and businesses are Year 2000 compliant. This will not be easy, and cooperation Developing and assistance from other agencies and organizations will be crucial. However, given the vast number of entities with which SSA exchanges data, Contingency Plans it is a necessary step to avoid having SSA’s own data corrupted by Will Help Reduce Risk noncompliant information from other sources. SSA recognizes the importance of this matter and has taken a number of steps to address it. Because many of these steps were under development at the time of our review, we could not judge their effectiveness. As the year 2000 rapidly approaches, however, SSA must be diligent in implementing measures to monitor progress in this area and, where necessary, protect the integrity and usefulness of its data. At the same time, SSA needs to have contingency plans to ensure that strategies exist for mitigating any risks associated with this and any of the other Year 2000 related issues that can affect the agency’s ability to provide Social Security and other benefits and services to the public. Data Exchanges Present In addressing the Year 2000 problem, agencies need assurance that data Challenges received from other organizations are accurate. Even if an agency has made its own systems Year 2000 compliant, they can still be contaminated by incorrect data entering from external sources. To combat this, agencies must inventory and assess all internal and external data exchanges and coordinate Year 2000 compliance activities, including, if necessary, the development of appropriate bridges9 to maintain the integrity of replaced or converted systems and the data within them. SSAexchanges data files with hundreds of federal and state agencies and thousands of businesses. These files contain data from such organizations 9 Bridging involves receiving information in one format, modifying it, and writing the output in another format, such as receiving the year in a two-digit format, adding century information through the use of an algorithm, then writing the output with a four-digit year. Page 11 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 as the Internal Revenue Service, the Department of the Treasury, and the states. Such exchanges may involve, for example, data reported on individuals’ tax-withholding forms, or data pertaining to state wages and unemployment compensation. Unless SSA is able to exchange data that is Year 2000 compliant, program benefits and eligibility computations that are derived from the data provided through these exchanges may be compromised and SSA’s databases corrupted. SSA has for some time recognized the seriousness of this problem and is taking action to address it. In 1995, it began sending letters to its data exchange partners to advise them of the Year 2000 issue and the agency’s plans for addressing it. During our review, SSA was in the process of coordinating with external organizations on issues concerning data formats, schedules for conversion and completion, and the need for bridging to enable the exchange of data that are not compliant. In addition, to facilitate data exchange compliance, SSA has developed a database that maintains information on the status of compliance activities related to all of its incoming and outgoing file exchanges. At the time of our review, this database contained information on over 6,700 files that are exchanged with external organizations.10 Given the magnitude of its data exchanges, one of SSA’s biggest challenges will be coordinating its compliance work with that of its exchange partners and, where necessary, developing mechanisms to ensure the continued processing of its data. It will be critical for SSA to protect against the potential for introducing and propagating errors from one organization to another. In discussing SSA’s strategy for addressing this matter, the Assistant Deputy Commissioner for Systems stated that priority will be given to ensuring the compliance of data files received from external sources that affect SSA’s ability to process and pay benefits. SSA has identified approximately 100 files in this category, although the Year 2000 project director stated that this number could change as SSA continues to review and include compliance information in its tracking system. Further, because the accuracy of the data SSA receives is as important as whether the data are presented in the correct format, the Assistant Deputy Commissioner for Systems said that SSA plans to develop, and subject all incoming data files to “reasonableness” edit checks.11 10 In addition to these external exchanges, SSA has about 4,200 additional file exchanges internal to its own operations or transmitted through its data center. SSA reports that it has included information in its database on the compliance status of 90 percent of these almost 11,000 total files. 11 Reasonableness checks are tests applied to fields of data by comparing them with other data of known validity within transaction or master records. Page 12 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 These are positive steps on SSA’s behalf to ensure the integrity and accuracy of its data after the year 2000 arrives. However, SSA must be diligent in implementing strategies and measures that facilitate its coordination of compliance activities with other agencies and that give it precise knowledge of the status of its data exchanges. Contingency Plans Needed Contingency planning is essential to Year 2000 risk management. It is the to Help Mitigate Year 2000 mechanism by which an organization ensures that its core business Risks processes will continue if corrective work has not been completed. Agencies should develop realistic contingency plans, including the use of manual or contract procedures, to ensure the continuity of their major business processes. At the time of our review, SSA officials acknowledged the importance of contingency planning but had not developed specific plans to address how SSA would continue to support its core business processes if its Year 2000 conversion activities experienced unforeseen disruptions. SSA officials believe that the agency’s early start in addressing the initiative will ensure that all systems are converted before any system failures are experienced. In addition, SSA did not believe it had an alternative to completing its Year 2000 work on time since it cannot process and ensure the payment of benefits without its many integrated systems. In response to our concerns regarding the need for such plans, however, the Assistant Deputy Commissioner for Systems said that SSA will develop contingency plans to ensure the continued operation of systems supporting its core business processes. In this regard, SSA established a Year 2000 contingency workgroup and has begun outlining a contingency strategy for these processes. Like other federal agencies, SSA is vulnerable to systems failures resulting Conclusions from the computer software changes necessitated by the new millennium. Given that SSA’s programs touch virtually all of us, it is especially vital that this agency make sufficient plans to ensure that it achieves Year 2000 compliance on time. SSA has made significant progress in addressing many of the systems that are critical to its mission and is regarded by many as a leader in the federal arena. Nonetheless, the agency is at risk of not being able to adequately process disability benefits at the turn of the century because it has not assessed and corrected systems used by the state DDS offices to support Page 13 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 the processing of initial disability claims. Within the last year, SSA has begun to address the DDS issue. But until it has made a full assessment of these systems, it will not know the magnitude of the problem and, therefore, the level of effort required to correct it. Further, while SSA officials clearly recognize the importance of solving the Year 2000 problem, to reduce the risk of failure with its own effort, it is vital that the agency take every measure possible to ensure that it is well positioned to deal with unexpected problems and delays. This includes promptly addressing critical data exchange issues as well as implementing Year 2000 contingency planning. In light of the importance of SSA’s function to most Americans and the Recommendations risks associated with its Year 2000 program, we recommend that the Commissioner of Social Security direct SSA’s Chief Information Officer, in conjunction with the Deputy Commissioner for Systems, to take the following actions: • Require expeditious completion of the assessment of mission-critical systems at all state DDS offices and use the results of this assessment to develop a Year 2000 plan that identifies, for each system, the specific tasks and resources required and specific schedules and milestones for completing all tasks and phases of the conversion for each state system. • Strengthen SSA’s monitoring and oversight of all state DDS Year 2000 activities, including ensuring that all conversion milestones are met and that contractors and independent states submit biweekly reports that identify progress against milestones in renovating all claims processing software, databases, and data interfaces. • Include in SSA’s quarterly reports to OMB information on the status of DDS Year 2000 activities. • Require expeditious completion of the agency’s Year 2000 compliance coordination with all data exchange partners and of efforts to include specific information on the status of compliance activities in the automated data exchange tracking system. SSA should then use this system to measure and report on the progress and coordination of its data exchange compliance activities. • Develop contingency plans that articulate specific strategies for ensuring the continued operation of core business functions if planned corrections are not completed in time or if systems fail to operate as intended. These plans should fully consider the disability claims processing functions within the DDSs and the development and activation of manual or contract procedures, as appropriate. Page 14 GAO/AIMD-98-6 SSA’s Year 2000 Effort B-276351 In commenting on a draft of this report, SSA agreed with all five of our Agency Comments recommendations and identified specific actions that it will take to ensure an adequate transition to the year 2000. SSA also offered a specific comment directed to particular language in the draft report, which we incorporated where appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from its date. At that time, we will provide copies to the Commissioner of Social Security; the Director, Office of Management and Budget; appropriate congressional committees; and other interested parties. Copies will also be made available to others upon request. Please contact me at (202) 512-6253 or by e-mail at firstname.lastname@example.org if you have any questions concerning this report. Major contributors to this report are listed in appendix II. Joel C. Willemssen Director, Information Resources Management Page 15 GAO/AIMD-98-6 SSA’s Year 2000 Effort Contents Letter 1 Appendix I 18 Comments From the Social Security Administration Appendix II 23 Major Contributors to This Report Table Table 1: SSA Core Business Processes 3 Abbreviations CIO Chief Information Officer DDS Disability Determination Service NDDSS National Disability Determination Service System OASDI Old Age, Survivors, and Disability Insurance OMB Office of Management and Budget SSA Social Security Administration SSI Supplemental Security Income Page 16 GAO/AIMD-98-6 SSA’s Year 2000 Effort Page 17 GAO/AIMD-98-6 SSA’s Year 2000 Effort Appendix I Comments From the Social Security Administration Note: GAO comments supplementing those in the report text appear at the end of this appendix. Page 18 GAO/AIMD-98-6 SSA’s Year 2000 Effort Appendix I Comments From the Social Security Administration Page 19 GAO/AIMD-98-6 SSA’s Year 2000 Effort Appendix I Comments From the Social Security Administration Page 20 GAO/AIMD-98-6 SSA’s Year 2000 Effort Appendix I Comments From the Social Security Administration Now on p. 9. See comment 1. Page 21 GAO/AIMD-98-6 SSA’s Year 2000 Effort Appendix I Comments From the Social Security Administration The following is GAO’s comment on the Social Security Administration’s letter of October 2, 1997. 1. Report revised to reflect SSA’s comment. GAO Comment Page 22 GAO/AIMD-98-6 SSA’s Year 2000 Effort Appendix II Major Contributors to This Report Valerie C. Melvin, Assistant Director Accounting and Mirko J. Dolak, Technical Assistant Director Information William G. Barrick, Senior Information Systems Analyst Management Division, Michael A. Alexander, Senior Information Systems Analyst William N. Isrin, Operations Research Analyst Washington, D.C. Michael P. Fruitman, Communications Analyst (511215) Page 23 GAO/AIMD-98-6 SSA’s Year 2000 Effort Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Social Security Administration: Significant Progress Made in Year 2000 Effort, But Key Risks Remain
Published by the Government Accountability Office on 1997-10-22.
Below is a raw (and likely hideous) rendition of the original report. (PDF)