oversight

Year 2000 Computing Crisis: Status of Bureau of Prisons' Year 2000 Efforts

Published by the Government Accountability Office on 1999-01-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                 United States General Accounting Office

GAO              Report to the Honorable
                 Trent Lott, U.S. Senate



January 1999
                 YEAR 2000
                 COMPUTING CRISIS

                 Status of Bureau of
                 Prisons’ Year 2000
                 Efforts




GAO/AIMD-99-23
                   United States
GAO                General Accounting Office
                   Washington, D.C. 20548                                                                                     Leter




                   Accounting and Information
                   Management Division                                                                                        Leter




                   B-280106

                   January 27, 1999

                   The Honorable Trent Lott
                   United States Senate


                   Dear Senator Lott:

                   This letter responds to your request that we assess how well the Bureau of
                   Prisons (BOP), an agency of the Department of Justice (DOJ), is managing
                   its Year 2000 program.1 This letter summarizes (1) the status of the
                   Bureau's Year 2000 program and (2) recent actions it has taken to
                   strengthen its management of the program and improve Year 2000
                   assistance to state and local government institutions. On September 10,
                   1998, we briefed your office on the status of BOP's Year 2000 program. This
                   letter updates the information that we provided during the briefing.



Results in Brief   BOP has assessed, tested, and implemented its only mission-critical
                   information technology (IT) system and reports that it is Year 2000
                   compliant. In addition, BOP reports that it has assessed, renovated/
                   replaced, and implemented 94 percent of its 2,021 mission-critical non-IT
                   systems.2 For those that are not yet implemented, BOP plans to do so by
                   March 1999.

                   During the course of our review, BOP has acted to strengthen its Year 2000
                   program management, including (1) defining its Year 2000 program
                   structure and developing a Year 2000 conversion plan, (2) expanding its
                   Year 2000 program scope to include its 250 contract facilities, (3) tracking
                   the status of workstation testing and non-IT assessments, (4) hiring a
                   contractor to validate the vendors’ Year 2000 compliance certifications for
                   non-IT systems, and (5) directing all offices, including contract facilities,
                   and institutions to review, revise as necessary, and test their emergency
                   preparedness plans for consideration of the threat of external

                   1For the past several decades, computer systems have typically used two digits to represent the year,
                   such as “98” for 1998, in order to conserve electronic space and reduce operating costs. In this format,
                   however, 2000 is indistinguishable from 1900 because both are represented as “00.” As a result, if not
                   modified, computer systems or applications that use dates or perform date- or time-sensitive
                   calculations may generate incorrect results beyond 1999.

                   2
                     Non-IT systems include facilities’ equipment (e.g., elevators) and security systems manufactured by
                   multiple vendors.




                   Page 1                                     GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
             B-280106




             infrastructure (for example, telecommunications and utilities) and internal
             system failures.

             However, BOP’s outreach efforts to the state and local corrections
             community have not been proactive. During the course of our review, BOP
             updated the BOP and National Institute of Corrections (NIC)3 Internet sites
             to provide links to government and private sector Year 2000 sites and
             identify BOP and NIC points of contact. However, this requires that state
             and local corrections officials come to BOP to obtain the information. BOP
             agreed with our recommendation that it could be more effective in
             promoting awareness and providing assistance by proactively identifying
             state and local organizations needing assistance and sharing experiences
             and lessons learned.



Background   BOP's mission is to protect society by confining offenders in the controlled
             environments of prisons and community-based facilities that are safe,
             humane, and appropriately secure. BOP is managed from a national office
             that provides long-range planning and policy formulation, and six regional
             offices that provide technical support and on-site assistance to (1) 94
             institutions, one of which is privately managed, and (2) over 250 contract
             facilities, which are owned and operated by contractors, and include
             primarily community-based halfway houses, as well as some state and local
             jails.

             BOP's only mission-critical IT system, SENTRY, manages and tracks
             inmates, including monitoring inmate population, computing inmate
             sentences, documenting work assignments, and tracking disciplinary
             actions and institution designations. SENTRY applications were designed
             to process eight-digit dates, including a four-digit year, and currently
             process dates using a single subroutine, called DATETIME. SENTRY
             applications run in real time on a mainframe computer operated by DOJ
             and are accessed by about 200 DOJ and BOP facilities through a network of
             about 11,000 personal computers with 3270 emulation4 communicating
             through BOP's Washington, D.C., network control center. The network


             3The National Institute of Corrections is an agency within BOP that provides training, technical
             assistance, information services, and policy/program development assistance to federal, state, and local
             corrections agencies.

             4
               A program that enables a microcomputer to appear to be a mainframe terminal by using the
             procedures and codes expected by the mainframe.




             Page 2                                     GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
                         B-280106




                         communication links are provided by Sprint (FTS 2000 carrier)5 and the
                         local exchange carriers. BOP reports that SENTRY processes more than
                         one million transactions each day and provides data files to a number of
                         external organizations, including the U.S. Pardon Attorney, U.S. Marshals
                         Service, Federal Bureau of Investigation, and U.S. Parole Commission.

                         In addition to SENTRY, BOP has eight categories of mission-critical non-IT
                         systems, consisting of 2,021 individual systems that rely on embedded
                         computers.6 These systems are critical to maintaining the security of its
                         institutions, as well as ensuring continued operations of normal business
                         functions. These eight categories of non-IT systems are security systems,
                         video surveillance systems, perimeter detection systems, fire alarm
                         systems, boiler controls and energy management systems, elevators,
                         telephone switches, and radio systems.



Objectives, Scope, and   In assessing actions taken by BOP to address the Year 2000 problem, our
                         objective was to assess how well BOP is managing its Year 2000 program.
Methodology
                         To satisfy this objective, we reviewed and analyzed key BOP documents,
                         including (1) its Year 2000 guidance and Program Plan, (2) network,
                         software, and non-IT inventory databases, (3) SENTRY test plan and
                         results, (4) BOP quarterly reports, and (5) relevant correspondence to BOP
                         regions and institutions, contractors, and product vendors. We also
                         reviewed Office of Management and Budget and DOJ Year 2000 guidance.
                         We used GAO's Year 2000 guidance to assess BOP's management of its
                         programs.7

                         To supplement our analyses, we interviewed the BOP Year 2000 program
                         manager and project team members. We also interviewed representatives
                         from the Community Corrections and Detention Division, Federal Prison
                         Industries, Health Services Division, and the Office of Emergency


                         5
                          The Federal Telecommunications System 2000 currently provides intercity telecommunications
                         services for federal government agencies.

                         6Embedded   computers are special-purpose computers built into other devices.

                         7
                           Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
                         February 1997; issued in final in September 1997); Year 2000 Computing Crisis: Business Continuity and
                         Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in February 1998; issued in final
                         in August 1998); and Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an
                         exposure draft in June 1998; issued in final in November 1998).




                         Page 3                                    GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
                                B-280106




                                Preparedness. We interviewed representatives from two BOP institutions,
                                including the Year 2000 Program manager, security officers, facilities
                                managers, IT managers, and the Emergency Preparedness Manager. We did
                                not verify the Year 2000 status information provided by BOP.

                                We performed our work at BOP headquarters in Washington, D.C., and at
                                two BOP correctional facilities in Florence, Colorado, and Taft, California.8
                                Our work was performed from May 1998 through January 1999, in
                                accordance with generally accepted government auditing standards. We
                                requested comments from the Director of BOP or her designee. On
                                December 3, 1998, we obtained oral comments from BOP officials,
                                including the Year 2000 Program Manager. Their comments are discussed
                                in the "Agency Comments and Our Evaluation" section of this report.



Status of BOP’s Efforts         BOP has assessed, tested, and implemented its only mission-critical IT
                                system, and reports that it is Year 2000 compliant. In addition, BOP reports
for Mission-Critical            that it has assessed, renovated/replaced, and implemented 94 percent of its
Systems                         mission-critical non-IT systems. BOP plans to implement the remaining 6
                                percent by March 1999.


Status of Mission-Critical IT   SENTRY consists of (1) software applications, (2) mainframe hardware and
Systems                         systems software, (3) workstations, (4) telecommunications hardware and
                                software, and (5) leased telecommunications lines. According to BOP
                                officials, all SENTRY system components have been assessed for Year 2000
                                compliance. BOP tested the SENTRY system for correct processing of
                                critical Year 2000 dates, and certified that, except for four percent of the
                                11,189 SENTRY workstations, it is compliant. BOP plans to replace the
                                noncompliant workstations by March 1999. According to BOP officials,
                                however, this four percent will not affect the operation of SENTRY. BOP’s
                                certification of SENTRY has not yet been independently verified and
                                validated, but BOP is working with a DOJ independent verification and
                                validation (IV&V) contractor to review and validate BOP's test activities. In
                                addition, BOP contacted its telecommunications provider to determine its
                                Year 2000 compliance, and according to BOP officials, it was told that the



                                8
                                  We selected these two facilities because Florence is one of the newest maximum-security institutions,
                                and Taft is the only BOP-owned institution that is run by a private correctional management
                                organization.




                                Page 4                                    GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
                             B-280106




                             provider's service delivery business area would be Year 2000 compliant by
                             June 1999.


Status of Mission-Critical   As of January 1999, BOP reported that 94 percent of its 2,021 mission-
Non-IT Systems               critical non-IT systems were Year 2000 compliant, 4 percent were
                             scheduled to be repaired or replaced, and 2 percent were still being
                             assessed. BOP plans to complete all conversion activities by March 1999.
                             For example, because BOP depends on vendors to provide the information
                             to complete its assessment activities, it has specified in its plans (1) trigger
                             dates beyond which BOP can no longer wait for vendor information and (2)
                             potential alternative courses of action, such as replacing the systems.

                             As of January 1999, BOP reported the following status of its eight
                             categories of mission-critical non-IT systems:

                             • Of 106 security systems, 72 were reported to be Year 2000 compliant; 15
                               are still being assessed and 19 are scheduled to be repaired by March
                               1999.
                             • All 811 surveillance equipment systems were reported to be Year 2000
                               compliant.
                             • All 96 perimeter detection systems were reported to be Year 2000
                               compliant.
                             • Of 274 fire alarm systems, 269 were reported to be Year 2000 compliant;
                               the 5 noncompliant systems are scheduled to repaired or replaced by
                               March 1999.
                             • Of 443 boiler control and energy management systems, 394 were
                               reported to be Year 2000 compliant and the remaining 49 are scheduled
                               to be repaired by March 1999.
                             • All 109 elevator systems were reported to be Year 2000 compliant.
                             • All 94 BOP-owned telephone switches were reported to be Year 2000
                               compliant.
                             • Of 88 radio systems, 49 were reported to be Year 2000 compliant; 19 are
                               still being assessed and 20 are scheduled to be repaired by March 1999.

                             BOP is working with a contractor to independently validate the vendors’
                             Year 2000 compliance certifications for non-IT systems. In addition to
                             validating compliance, the contractor also is to assess the completeness of
                             the non-IT system inventories at several institutions.




                             Page 5                           GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
                         B-280106




Recent BOP Actions to    During the course of our review, we identified several program
                         management weaknesses and discussed each with BOP officials. BOP
Strengthen Year 2000     officials responded quickly to our concerns by initiating the following
Program Management       actions to strengthen its Year 2000 program management:

                         • defined its Year 2000 program structure, including organizational roles
                           and responsibilities, and developed a Year 2000 conversion plan;
                         • expanded its Year 2000 program scope to include its 250 contract
                           facilities;
                         • developed a Year 2000 test plan and procedures for the SENTRY system
                           that included testing for correct processing of critical Year 2000 dates;
                         • implemented methods to track the status and results of SENTRY
                           workstation testing and non-IT systems assessments and renovation
                           efforts; and
                         • hired a contractor to validate vendors' Year 2000 compliance
                           certifications of its non-IT systems and assess the accuracy of its non-IT
                           system inventories.

                         Further, since we briefed your office and BOP officials in September 1998
                         on the need to strengthen contingency planning for continuity of
                         operations, the Program Manager has directed all offices, including its
                         contract facilities, and institutions to (1) review and analyze their
                         emergency preparedness plans for consideration of the threat of external
                         infrastructure (for example, telecommunications and utilities) and internal
                         system failures, (2) revise the emergency plans as necessary by March 1,
                         1999, to address Year 2000 contingencies, and (3) test the revised plans
                         prior to April 5, 1999. In addition, the BOP Year 2000 Program Manager
                         tasked each regional director with designating a liaison to coordinate the
                         analysis, revision, and testing of institution and regional contingency plans,
                         and report monthly on the status of achieving the enhancement and testing
                         milestones.



BOP Needs to             In June 1998, the Chairman of the President's Council on Year 2000
                         Conversion tasked federal agencies with coordinating outreach efforts with
Proactively Reach Out    their counterparts in state and local governments and the private sector.
to the State and Local   According to the Chairman, such outreach efforts could expedite the year
                         2000 efforts of late starting nonfederal organizations.
Correctional
Community                In September 1998, we briefed BOP officials on the need to strengthen its
                         outreach efforts. Subsequently, BOP issued its Federal Bureau of Prisons'



                         Page 6                          GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
                      B-280106




                      Year 2000 (Y2K) Outreach Plan to State and Local Corrections
                      Organizations. As part of its outreach effort, BOP updated the BOP and
                      National Institute of Corrections (NIC) internet sites to (1) provide links to
                      government and private sector sites where Year 2000 information is
                      available and (2) identify a BOP and NIC point of contact for those who
                      may need specific guidance on Year 2000 issues germane to the corrections
                      environment.

                      While these actions represent a start towards reaching out to the state and
                      local corrections community, they require that state and local corrections
                      officials come to BOP to obtain the information. BOP could be more
                      effective in promoting awareness and providing assistance by proactively
                      identifying state and local organizations needing assistance and sharing
                      experiences and lessons learned. One way to reach state and local
                      organizations is to use established networks, such as the National Sheriff’s
                      Association and the National Association of Chiefs of Police.



Conclusions           Given BOP’s progress to date, and its plans for completing remaining Year
                      2000 activities, the risk that BOP will not complete remaining renovation,
                      validation, and implementation activities by January 1, 2000, currently
                      appears low. Further, while BOP has initiated some actions to reach state
                      and local corrections officials, its actions may not allow these officials to
                      fully benefit from BOP experiences and lessons learned.



Recommendation        To promote awareness and provide assistance to the state and local
                      corrections community, we recommend that the Director, Bureau of
                      Prisons, direct the Year 2000 Program Manager to proactively identify
                      organizations needing assistance and share BOP experiences and lessons
                      learned. This could be done through established networks, such as the
                      National Sheriff’s Association and the National Association of Chiefs of
                      Police.



Agency Comments and   BOP officials, including the Year 2000 Program, agreed with our
                      conclusions and recommendations. The BOP Program Manager stated that
Our Evaluation        he recognizes the limitations of BOP’s existing outreach efforts and stated
                      that BOP will actively identify organizations needing assistance and share
                      BOP’s lessons learned and relevant Year 2000 guidance.




                      Page 7                          GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
B-280106




BOP officials also provided updated information on the status of its Year
2000 efforts. We have incorporated the updated information in the report
where appropriate.

We are making copies of this letter available to the Chairmen and Ranking
Minority Members of the House Committee on Government Reform and
Oversight, Subcommittee on Government Management, Information, and
Technology and the Senate Special Committee on the Year 2000 Technology
Problem; the Director of the Office of Management and Budget; the
Attorney General; the Director of the Bureau of Prisons; and other
interested parties. We will also make copies available to others on request.

If you have any questions about this report, please contact me at (202) 512-
6240 or, by e-mail, at brockj.aimd@gao.gov.

Sincerely yours,




Jack L. Brock, Jr.
Director, Governmentwide and
Defense Information Systems




Page 8                         GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
Appendix I

Major Contributors to This Report                                                                      AppenIx
                                                                                                             di




Accounting and         Dr. Rona B. Stillman, Chief Scientist for Computers and
                        Telecommunications
Information            Randolph C. Hite, Associate Director
Management Division,   Deborah A. Davis, Assistant Director
Washington, D.C.

Chicago Field Office   Sanford F. Reigle, Information Systems Analyst
                       Phillip E. Rutar, Information Systems Analyst




(511121)     Letr
                       Page 9                        GAO/AIMD-99-23 Bureau of Prisons’ Year 2000 Efforts
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested