n United states a-A0 General Accounting Washington, Of&e D.C. 20548 Accounting and Information Management Division B-282829.1 June 16,1999 The Honorable David J. Barram Administrator, GeneralServicesAdministration Subject: GSA’sEffort to DevelouYear 2000BusinessContinuitv and Contingencv Plans for TelecommunicationsS&ems Dear Mr. Bar-ram: On March 25,1999, we met with GeneralServiceAdministration (GSA) Year 2000 program officials to discussthe status of GSA’sefforts to ensurethat the telecommunications systemsit managesfor the federal governmentare Year 2000 compliant. During this meeting, we highlighted severalsuggestionsto enhanceGSA’s businesscontinuity and contingencyplans for telecommunications. The purpose of this letter is to summarizethese suggestionsand the actions GSAYear 2000officials agreedto take in response. Background As you know, GSA provides, among other services,voice, data, and video telecommunications systemsto federal agenciesboth directly and through contracts with local and,long-distancetelecommunicationsvendors. Theseservicessupport a wide range of critical federal operations,including revenue collections,benefit payments, and automated cutiomer service operations. In addition to managing contracts with service providers for long-distancecommunications,local communications, wireless communications,and paging services,GSAis responsible for 423 telecommunications systems-156 of these are directly managedby GSA and 267 are vendor-owned and controlled.’ All of these systemsare vulnerable to Year 2000problems that could result in network disruptions or evena complete loss of communications links. For example,Year 2000problems could disrupt IRS’ability to receive and process electronic tax refunds and the Health Care Finance Administration’s ability to make electronic Medicarepayments. ‘Specifically, GSA directly manages 156 Private Branch Exchanges (PBX) on government premises and manages contracts for Central Exchange (Centrex) services at 267 sites. PBX telephone systems are owned and operated by an organization that switches calls between usem on local lines while allowing users to share a certain number of external phone lines. Centrex is a service offered by local telephone companies in which facilities at the telephone company’s central (local) office are offered to business users so that lhey do not need to purchase their own PBX. GAO/A&ID-99-201R GSA’sYear2000Effort B-282829.1 As of May 1999,GSA reported that Year 2000fixes had been completed on 153of the 156systems(98 percent) directly managedby GSA GSA has also reported that it has obtained commitment letters from vendorsstating that their systemswill be renovated and tested by the end of 1999. GSAis in the processof verifying vendor- certified systemseither by observingvendor tests or by observingindependenttests carried out at other governmentagencies.GSAalso included requirementsin recently awarded FTS 2001’contracts that obligatethe contractor to provide Year 2000compliant hardware, software, and equipment. GSA Has CornDIeted a Business Contiuuitv and Contingency Plan for Telecommunications Snstems In September1998,GSAcompleteda businesscontinuity and contingency plan for its telecommunicationssystems. Becauseunforeseennetwork problems could cause widespreaddisruptions in many important federal operationsand GSAis relying on third party testing to ensurethat its telecommunicationsserviceswiIl not suffer Year 2000~relatedimpairments,it is vital that GSAdevelopeffective continuity plans and that it work with its federal agencycustomersto ensurethat they are fully aware of GSA’scontingency strategies,priorities, and implementationmodes. According to GSAYear 2000program officials, GSAhas been following our Business Continuitv and ContingencvPlanningguide,”which provides a conceptual framework for managingthe risk of potential Year 2000induceddisruptions to operations and incorporates best practices in contingencyplanning and disasterrecovery. Our guide describesa structured approachfor (1) initiating a businesscontingencyproject, (2) assessingthe potential impact of mission-criticalfailures on agencycore business processes,(3) identifying and documentingcontingencyplans and implementation modes, and (4) validating the businesscontinuity strategy. It recommendsthat agenciesdevelop a businesscontinuity plan consistingof a set of contingency plans with a single plan for each core businessareaand infrastructure component (e.g., power and electricity). Each plan shouldprovide a description of the resources,staff roles, procedures,and timetables neededfor its implementation. Suaestions for Enhancing Businesg Continuitv and Continrtencv Planning In our discussions .with GSAYear 2000program officials, we made several suggestionsfor enhancingtheir businesscontinuity and contingencyplan. %lS 2001 is a nonmandatory use contract designed to serve as the federal government’s primary source of longdistance telecommunications services, including worldwide long-distance, voice, data, and other optional services. vear 2000 ComDutinn Crisis: Business Continuitv and Continrrencv Planning (GAWAIMD-10.1.19). Issued as an exposure draft in March 1998; issued in final in Augur.1 1998. Page2 GAO/AlMD-99-201R GSA’sYear2000Effort B-282829.1 F’irst,in developingits businesscontinuity and contingencyplan, GSAdid not work with its customersto ensurethat customers’businesscontinuity and planningtasks and activities are fully coordinatedwith GSA’splans. GSA customer agenciesare at risk for a wide range of disruptions in their mission-critical operations,including breakdownsin automatedcustomer service operations,loss of accessto key databasesand program managementfunctions, and even a completeloss of communicationslinks. To ensurethat its own plans can be implementedquickly and effectively, GSAshould make sure that its customer agenciesare fully aware of its strategy and priorities and that they know what their own responsibilitiesare during network disruptions. Also, by sharingits contingencyplans with agencies;GSAcould obtain input from customers on the effectivenessof the contingencystrategiesand priorities. Further, in coordinating its contingencyplans with agencies,GSAcould be sharingwith its customersits information on known telecommunicationsservice risks, enablingthose customersto plan accordingly.ln commentingon a draft of this report, GSAofficials acknowledgedthat they did not contact customersat the start of their contingencyplanning effort, but that they fully intended to involve customersin that effort through the regional plans. Second,while GSA’splan anticipated a total loss of federal telecommunications services,it did not anticipate the possibility of partial losses4in service,which is more likely to occur. Consideringpartial lossesin serviceis important becauseit may require different recovery priorities and timing. Third, GSAdid not incorporate the contingencyplans of its regional offices, which play a critical role in providing telecommunicationsservicesto federal agencies.The regional role would be particularly important in the event of geographicallyconfined outages,which, as noted above,were not anticipatedin the overall plans. At the time of our review, the regions were stilI in the process of developingtheir continuity and contingencyplans and were not expectedto be done until June 1999. ln commenting on a draft of this report, GSA officials statedthat althoughregional contingencyplans were not yet available,regions were provided the opportunity to contribute to the overall plan during the drafting phase. GSA officials told us that they did not work with customersor addressa partial loss scenarioin developingthe contingencyand continuity plan becausethey wantedto completethe plan in time for GSAregionsto use it as a guide in developingtheir own plans. However,they agreedthat the plan would be more effective ifit addressed partial lossesand if customerswere awareof GSA’sown plan. GSAofficials stated that they would work with customersin developingcoordinatedbusinesscontinuity and contingencyplans and that they would developa strategy of action addressing the possibility of partial loss of telecommunicationssesvices. They also agreedto incorporate the regional plans into the headquartersplan. ‘A partial loss of service could be one or more sites experiencing a year 2000-related service degradation of performance. Page 3 GAO/AIMD-99-201R GSA’sYear2000Effort B-282829.1 The actions that GSA’sofficials agreedto take should strengthenGSA’sbusiness continuity and contingencyplanning strategy. It will be important for GSAto quickly implement them to allow enoughtime to ensurethat continuity and contingencyplans are practical and cost effective. Therefore,within 30 days of the date of this letter, we would appreciatereceiving a written statementon the status of GSA’seffort to (1) coordinate contingencyand continuity planning efforts with customers, (2) addressthe possibility of partial lossesof services,and (3) incorporate the plans of regional offices. At a June 1,1999,meetingto obtain oral agencycommentson a draft of this letter, the GSA CIO and Year 2000officials generallyagreedwith the information presented. We have incorporated their commentswhere appropriate. During the course of our work, we reviewed GSA’srenovationplan, systemvalidation plan, continuity and contingencyplan, OMB quarterly reports, Inspector General reports, GSA contract language(warranty clauses),and vendor certification letters as well as Year 2000assessmentsof the Network Reliability and Interoperability Council. We also attended GSAmeetingson telecommunicationsYear 2000issuesand spoke with Year 2000program officials from GSAheadquartersand three regional offices. We conducted our work from Jtiuary 1999through April 1999in Washington,D.C., New York, New York, and KansasCity, Missouri, in accordancewith generally accepted governmentauditing standards. We are sending copies of this letter today to the HonorableFred Thompson, Chairman, and the HonorableJosephLieberman,RankingMinority Member, Senate Committee on GovernmentalAffairs, and to the HonorableDan Burton, Chairman, and the Honorable Henry Waxman,Ranking Minority Member,HouseCommittee on Government Reform. We are also sendinga copy to the HonorableJacob Lew, Director, Office of Managementand Budget. If you have any questionsregardingthis report, pleasecontact me or Kevin Conway,AssistantDirector, at (202) 512-6246. Sincerely yours, v Linda D. Koontz Associate Director, Governmentwideand Defense Information Systems (511154) Page4 GAO/AIMD-9%201R GSA’sYear2000Effort Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and Mastercard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu wilI provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States General Accounting Office Bulk Rat9 Washington, D.C. 20548-0001 Postage & Fees Paid GAO Permit No. GlOO Official Business Penalty for Private Use $300 Address Correction Requested
GSA's Effort to Develop Year 2000 Business Continuity and Contingency Plans for Telecommunications Systems
Published by the Government Accountability Office on 1999-06-16.
Below is a raw (and likely hideous) rendition of the original report. (PDF)