oversight

Year 2000 Computing Challenge: Agencies' Reporting of Mission-Critical Classified Systems

Published by the Government Accountability Office on 1999-08-05.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                  United States General Accounting Office

GAO               Report to the Chairman, Subcommittee
                  on Government Management,
                  Information and Technology, Committee
                  on Government Reform, House of
                  Representatives
August 1999
                  YEAR 2000
                  COMPUTING
                  CHALLENGE

                  Agencies’ Reporting of
                  Mission-Critical
                  Classified Systems




GAO/AIMD-99-218
United States General Accounting Office                                                            Accounting and Information
Washington, D.C. 20548                    Leter
                                                                                                        Management Division



                                    B-282438                                                                                       Letter

                                    August 5, 1999

                                    The Honorable Stephen Horn
                                    Chairman
                                    Subcommittee on Government Management,
                                     Information and Technology
                                    Committee on Government Reform
                                    House of Representatives

                                    Dear Mr. Chairman:

                                    At your request, we obtained information on federal agencies’ reporting to
                                    the Office of Management and Budget (OMB) on the Year 2000 status of
                                    their classified systems. Our objectives were to determine (1) whether
                                    agencies are including classified systems in their quarterly reports to OMB,
                                    (2) whether agencies are separately reporting to OMB on the status of their
                                    classified systems,1 and, if so, how OMB uses the information, and (3) for
                                    those agencies not reporting to OMB, the status of those systems. On May
                                    27, 1999, we briefed your office on the results of our work. This letter
                                    summarizes and updates the information presented at that briefing.

                                    To accomplish our objectives, we surveyed both OMB and the 34 major
                                    federal agencies that report quarterly to OMB on the status of their Year
                                    2000 efforts. We then interviewed OMB and agency officials and requested
                                    and reviewed supporting documents, as appropriate, to clarify survey
                                    responses. We achieved a 100-percent response rate to our survey. We did
                                    not verify agency responses. We performed our work from March through
                                    July 1999 in accordance with generally accepted government auditing
                                    standards.

                                    We requested comments from key agencies discussed in this letter. Their
                                    comments are discussed in the “Agency Comments” section of this letter.



                                    1
                                     For purposes of our survey, we defined “classified system” as any system that receives, processes, or
                                    transmits top secret, secret, or confidential information. These classifications are defined as the
                                    following. Top secret–any information for which the unauthorized disclosure could reasonably be
                                    expected to cause exceptionally grave damage to national security. Secret–any information for which
                                    the unauthorized disclosure could reasonably be expected to cause serious damage to national security.
                                    Confidential–any information for which the unauthorized disclosure could reasonably be expected to
                                    cause damage to national security.




                   Leter            Page 1                                         GAO/AIKMD-99-218 Classified Systems Reporting
                      B-282438




Results in Brief      Of the 34 federal agencies surveyed, 21 agencies reported that they do not
                      have any classified systems. Of the remaining 13 federal agencies, 12
                      agencies2 reported that they include the Year 2000 status of their mission-
                      critical, classified systems in their reports to OMB. OMB uses the
                      information provided by the agencies to monitor Year 2000 progress across
                      the federal government and to keep the Congress informed of agencies’
                      Year 2000 progress.

                      As of July 1999, the Department of the Treasury had not reported the status
                      of all of its mission-critical, classified systems to OMB. However, it plans to
                      do so in its subsequent reports to OMB. Treasury reported that it has 13
                      systems that are not reported to OMB. Of these 13 systems, 7 systems are
                      Year 2000 compliant, 5 systems are being repaired, and 1 system is being
                      replaced. According to Treasury, the 5 systems being repaired and the 1
                      system being replaced are all in the testing/validation phase.



Background            In a May 7, 1997, memorandum, and in subsequent memorandums, OMB
                      directed selected federal agencies to report to it quarterly on their Year
                      2000 progress.3 Among other things, OMB directed agencies to report on
                      the status of their (1) data exchanges, (2) continuity and contingency
                      planning efforts, (3) independent verification and validation methods,
                      (4) Year 2000 remediation costs for mission-critical and nonmission-critical
                      systems, (5) non-IT equipment (i.e., any products or devices using
                      embedded chips), and (6) mission-critical information systems. For those
                      systems being repaired, OMB directed the agencies to report on milestones
                      and number of systems completed for each remediation phase:

                      • Assessment—includes completing the inventory and assessment of
                        information systems and their components and assessing the severity of
                        the Year 2000 problem across the enterprise.




                      2The Executive Office of the President, Office of Administration, and the Department of Transportation
                      began reporting the Year 2000 status of their mission-critical, classified systems to OMB in May 1999
                      and July 1999, respectively.

                      3OMB issued several memorandums to selected federal agencies regarding its Year 2000 quarterly
                      reporting requirements (OMB issued Memorandum 97-13 on May 7, 1997; Memorandum 98-02 on
                      January 20, 1998; Memorandum 98-07 on March 9, 1998; Memorandum 98-12 on July 22, 1998; and
                      Memorandum 99-09 on January 26,1999).




              Leter   Page 2                                         GAO/AIKMD-99-218 Classified Systems Reporting
                         B-282438




                         • Renovation—includes converting, replacing, or eliminating selected
                           platforms, applications, databases, and utilities and the modification of
                           interfaces.
                         • Validation—includes testing, verification, and validating converted or
                           replaced platforms, applications, databases, and utilities.
                         • Implementation—includes implementing converted or replaced
                           platforms, applications, databases, and utilities.

                         OMB established March 31, 1999, as the milestone date for completing
                         implementation of all mission-critical systems. OMB also directed agencies
                         to provide a list of those mission-critical systems that could not be
                         implemented by the March 1999 deadline.



Most Agencies That       Most federal agencies that reported having mission-critical, classified
                         systems report the Year 2000 status of these systems to OMB’s Office of
Reported Having          Information and Regulatory Affairs (OIRA). Of the 34 major federal
Classified Systems Are   agencies reporting to OMB, 21 agencies reported that they do not have any
                         classified systems. Of the 13 federal agencies that reported having
Reporting Their Year     classified systems, 12 agencies4 reported that they include the Year 2000
2000 Status to OMB       status of these systems in their reports to OMB. Eleven agencies submit
                         their reports to OMB’s Office of Information and Regulatory Affairs.
                         According to OMB officials, OMB uses the information provided by the
                         agencies to monitor Year 2000 progress across the federal government and
                         to keep the Congress informed of agencies’ Year 2000 progress.

                         The CIA reports the status of its mission-critical, classified systems
                         quarterly to OMB’s National Security Division for Command, Control,
                         Computer, Communications, and Intelligence (NSD/C4I). NSD/C4I also
                         uses the information provided by the CIA to monitor its Year 2000 progress
                         and has shared this information upon request with the President’s Council
                         on Year 2000 Conversion.




                         4
                          The Executive Office of the President, Office of Administration, began reporting on its mission-critical,
                         classified systems in its May 1999 quarterly report to OMB. At this time, the Executive Office of the
                         President, Office of Administration, reported that it has eight mission-critical, classified systems under
                         repair: two systems in the renovation phase, five systems in the validation phase, and one system in the
                         implementation phase. All eight systems are scheduled to be Year 2000 compliant by September 30,
                         1999. The Department of Transportation began reporting on its mission-critical, classified system in its
                         July 1999 monthly report to OMB and noted in its report that the system is Year 2000 compliant.




                         Page 3                                           GAO/AIKMD-99-218 Classified Systems Reporting
                           B-282438




One Agency Plans to        As of July 1999, one agency—the Department of the Treasury—has not
                           reported the status of its mission-critical, classified systems to OMB,
Report the Status of Its   however it plans to do so in its subsequent reports to OMB.
Classified Systems to
                           Treasury reported that it has 15 mission-critical, classified systems. Of
OMB                        these 15 systems, Treasury reports the Year 2000 status of only 2 to OMB.
                           The status of the other 13 is not reported. According to Treasury, 7 systems
                           are Year 2000 compliant, 5 systems are being repaired, and 1 system is
                           being replaced. The 5 systems being repaired and the 1 system being
                           replaced are all in the testing/validation phase. Treasury plans to have all
                           of its mission-critical, classified systems fully implemented by August 31,
                           1999.



Agency Comments            We received comments from the Secretary of the Treasury, the Secretary of
                           Transportation, the Director of the Executive Office of the President, Office
                           of Administration, and the Director of the Office of Management and
                           Budget. The main thrust of their comments was to provide updated
                           information on the status of their Year 2000 reporting. We have
                           incorporated the updated information in this letter as appropriate.


                           We are sending copies of this report to Representative Jim Turner, Ranking
                           Minority Member, Subcommittee on Government Management,
                           Information and Technology, House Committee on Government Reform;
                           Senator Robert F. Bennett, Chairman, and Senator Christopher J. Dodd,
                           Vice Chairman, Senate Special Committee on the Year 2000 Technology
                           Problem; The Honorable Jacob J. Lew, Director, Office of Management and
                           Budget; and John Koskinen, Chairman of the President’s Council on Year
                           2000 Conversion. Copies will be made available to others upon request.




                           Page 4                             GAO/AIKMD-99-218 Classified Systems Reporting
                   B-282438




                   If you have questions about this report, please contact me at
                   (202) 512-6240, or by e-mail at hiter.aimd@gao.gov. Key contributors to this
                   assignment were R.E. Canjar and Deborah Davis.

                   Sincerely yours,




                   Randolph C. Hite
                   Associate Director, Governmentwide and
                   Defense Information Systems




(511145)   Leter   Page 5                             GAO/AIKMD-99-218 Classified Systems Reporting
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested