oversight

GSA's Effort to Develop Year 2000 Business Continuity and Contingency Plans for Telecommunications Systems

Published by the Government Accountability Office on 1999-06-16.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

n      United
           states
a-A0   General Accounting
       Washington,
                           Of&e
                    D.C. 20548

       Accounting and Information
       Management  Division


       B-282829.1

       June 16,1999
       The Honorable David J. Barram
       Administrator, GeneralServicesAdministration
       Subject: GSA’sEffort to DevelouYear 2000BusinessContinuitv and
                Contingencv Plans for TelecommunicationsS&ems
       Dear Mr. Bar-ram:
       On March 25,1999, we met with GeneralServiceAdministration (GSA) Year 2000
       program officials to discussthe status of GSA’sefforts to ensurethat the
       telecommunications systemsit managesfor the federal governmentare Year 2000
       compliant. During this meeting, we highlighted severalsuggestionsto enhanceGSA’s
       businesscontinuity and contingencyplans for telecommunications. The purpose of
       this letter is to summarizethese suggestionsand the actions GSAYear 2000officials
       agreedto take in response.
       Background

       As you know, GSA provides, among other services,voice, data, and video
       telecommunications systemsto federal agenciesboth directly and through contracts
       with local and,long-distancetelecommunicationsvendors. Theseservicessupport a
       wide range of critical federal operations,including revenue collections,benefit
       payments, and automated cutiomer service operations. In addition to managing
       contracts with service providers for long-distancecommunications,local
       communications, wireless communications,and paging services,GSAis responsible
       for 423 telecommunications systems-156 of these are directly managedby GSA and
       267 are vendor-owned and controlled.’ All of these systemsare vulnerable to Year
       2000problems that could result in network disruptions or evena complete loss of
       communications links. For example,Year 2000problems could disrupt IRS’ability to
       receive and process electronic tax refunds and the Health Care Finance
       Administration’s ability to make electronic Medicarepayments.

       ‘Specifically, GSA directly manages 156 Private Branch Exchanges (PBX) on government premises and manages contracts for
       Central Exchange (Centrex) services at 267 sites. PBX telephone systems are owned and operated by an organization that
       switches calls between usem on local lines while allowing users to share a certain number of external phone lines. Centrex is a
       service offered by local telephone companies in which facilities at the telephone company’s central (local) office are offered to
       business users so that lhey do not need to purchase their own PBX.




                                                                             GAO/A&ID-99-201R
                                                                                           GSA’sYear2000Effort
B-282829.1


As of May 1999,GSA reported that Year 2000fixes had been completed on 153of the
156systems(98 percent) directly managedby GSA GSA has also reported that it has
obtained commitment letters from vendorsstating that their systemswill be
renovated and tested by the end of 1999. GSAis in the processof verifying vendor-
certified systemseither by observingvendor tests or by observingindependenttests
carried out at other governmentagencies.GSAalso included requirementsin
recently awarded FTS 2001’contracts that obligatethe contractor to provide Year
2000compliant hardware, software, and equipment.
GSA Has CornDIeted a Business Contiuuitv and
Contingency Plan for Telecommunications Snstems

In September1998,GSAcompleteda businesscontinuity and contingency plan for its
telecommunicationssystems. Becauseunforeseennetwork problems could cause
widespreaddisruptions in many important federal operationsand GSAis relying on
third party testing to ensurethat its telecommunicationsserviceswiIl not suffer Year
2000~relatedimpairments,it is vital that GSAdevelopeffective continuity plans and
that it work with its federal agencycustomersto ensurethat they are fully aware of
GSA’scontingency strategies,priorities, and implementationmodes.
According to GSAYear 2000program officials, GSAhas been following our Business
Continuitv and ContingencvPlanningguide,”which provides a conceptual framework
for managingthe risk of potential Year 2000induceddisruptions to operations and
incorporates best practices in contingencyplanning and disasterrecovery. Our guide
describesa structured approachfor (1) initiating a businesscontingencyproject,
(2) assessingthe potential impact of mission-criticalfailures on agencycore business
processes,(3) identifying and documentingcontingencyplans and implementation
modes, and (4) validating the businesscontinuity strategy. It recommendsthat
agenciesdevelop a businesscontinuity plan consistingof a set of contingency plans
with a single plan for each core businessareaand infrastructure component (e.g.,
power and electricity). Each plan shouldprovide a description of the resources,staff
roles, procedures,and timetables neededfor its implementation.
Suaestions for Enhancing Businesg
Continuitv and Continrtencv Planning

In our discussions .with GSAYear 2000program officials, we made several
suggestionsfor enhancingtheir businesscontinuity and contingencyplan.


%lS 2001 is a nonmandatory use contract designed to serve as the federal government’s primary source of longdistance
telecommunications services, including worldwide long-distance, voice, data, and other optional services.

 vear 2000 ComDutinn Crisis: Business Continuitv and Continrrencv Planning (GAWAIMD-10.1.19).    Issued as an exposure draft
 in March 1998; issued in final in Augur.1 1998.




 Page2                                                              GAO/AlMD-99-201R
                                                                                  GSA’sYear2000Effort
B-282829.1



F’irst,in developingits businesscontinuity and contingencyplan, GSAdid not work
with its customersto ensurethat customers’businesscontinuity and planningtasks
and activities are fully coordinatedwith GSA’splans. GSA customer agenciesare at
risk for a wide range of disruptions in their mission-critical operations,including
breakdownsin automatedcustomer service operations,loss of accessto key
databasesand program managementfunctions, and even a completeloss of
communicationslinks. To ensurethat its own plans can be implementedquickly and
effectively, GSAshould make sure that its customer agenciesare fully aware of its
strategy and priorities and that they know what their own responsibilitiesare during
network disruptions. Also, by sharingits contingencyplans with agencies;GSAcould
obtain input from customers on the effectivenessof the contingencystrategiesand
priorities. Further, in coordinating its contingencyplans with agencies,GSAcould be
sharingwith its customersits information on known telecommunicationsservice
risks, enablingthose customersto plan accordingly.ln commentingon a draft of this
report, GSAofficials acknowledgedthat they did not contact customersat the start of
their contingencyplanning effort, but that they fully intended to involve customersin
that effort through the regional plans.

Second,while GSA’splan anticipated a total loss of federal telecommunications
services,it did not anticipate the possibility of partial losses4in service,which is more
likely to occur. Consideringpartial lossesin serviceis important becauseit may
require different recovery priorities and timing.
Third, GSAdid not incorporate the contingencyplans of its regional offices, which
play a critical role in providing telecommunicationsservicesto federal agencies.The
regional role would be particularly important in the event of geographicallyconfined
outages,which, as noted above,were not anticipatedin the overall plans. At the time
of our review, the regions were stilI in the process of developingtheir continuity and
contingencyplans and were not expectedto be done until June 1999. ln commenting
on a draft of this report, GSA officials statedthat althoughregional contingencyplans
were not yet available,regions were provided the opportunity to contribute to the
overall plan during the drafting phase.
GSA officials told us that they did not work with customersor addressa partial loss
scenarioin developingthe contingencyand continuity plan becausethey wantedto
completethe plan in time for GSAregionsto use it as a guide in developingtheir own
plans. However,they agreedthat the plan would be more effective ifit addressed
partial lossesand if customerswere awareof GSA’sown plan. GSAofficials stated
that they would work with customersin developingcoordinatedbusinesscontinuity
and contingencyplans and that they would developa strategy of action addressing
the possibility of partial loss of telecommunicationssesvices. They also agreedto
incorporate the regional plans into the headquartersplan.
‘A partial loss of service could be one or more sites experiencing a year 2000-related service degradation of performance.




Page 3                                                                GAO/AIMD-99-201R
                                                                                    GSA’sYear2000Effort
B-282829.1


The actions that GSA’sofficials agreedto take should strengthenGSA’sbusiness
continuity and contingencyplanning strategy. It will be important for GSAto quickly
implement them to allow enoughtime to ensurethat continuity and contingencyplans
are practical and cost effective. Therefore,within 30 days of the date of this letter, we
would appreciatereceiving a written statementon the status of GSA’seffort to
(1) coordinate contingencyand continuity planning efforts with customers,
(2) addressthe possibility of partial lossesof services,and (3) incorporate the plans
of regional offices.
At a June 1,1999,meetingto obtain oral agencycommentson a draft of this letter, the
GSA CIO and Year 2000officials generallyagreedwith the information presented. We
have incorporated their commentswhere appropriate.


During the course of our work, we reviewed GSA’srenovationplan, systemvalidation
plan, continuity and contingencyplan, OMB quarterly reports, Inspector General
reports, GSA contract language(warranty clauses),and vendor certification letters as
well as Year 2000assessmentsof the Network Reliability and Interoperability Council.
We also attended GSAmeetingson telecommunicationsYear 2000issuesand spoke
with Year 2000program officials from GSAheadquartersand three regional offices.
We conducted our work from Jtiuary 1999through April 1999in Washington,D.C.,
New York, New York, and KansasCity, Missouri, in accordancewith generally
accepted governmentauditing standards.
We are sending copies of this letter today to the HonorableFred Thompson,
Chairman, and the HonorableJosephLieberman,RankingMinority Member, Senate
Committee on GovernmentalAffairs, and to the HonorableDan Burton, Chairman,
and the Honorable Henry Waxman,Ranking Minority Member,HouseCommittee on
Government Reform. We are also sendinga copy to the HonorableJacob Lew,
Director, Office of Managementand Budget. If you have any questionsregardingthis
report, pleasecontact me or Kevin Conway,AssistantDirector, at (202) 512-6246.

Sincerely yours,



                      v
Linda D. Koontz
Associate Director, Governmentwideand Defense
 Information Systems


 (511154)


 Page4                                           GAO/AIMD-9%201R
                                                              GSA’sYear2000Effort
Ordering    Information

The first copy of each GAO report and testimony is free.
Additional  copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent    of Documents, when
necessary. VISA and Mastercard     credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting   Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony.   To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu wilI provide information         on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States
General Accounting Office                Bulk Rat9
Washington, D.C. 20548-0001        Postage & Fees Paid
                                            GAO
                                     Permit No. GlOO
Official Business
Penalty for Private    Use $300
Address   Correction   Requested