United States General Accounting Office
Report to the Honorable Trent Lott, U.S. Senate
January 1999

YEAR 2000 COMPUTING CRISIS
Status of Bureau of Prisons’ Year 2000 Efforts

GAO/AIMD-99-23

United States General Accounting Office
Washington, D.C. 20548

Accounting and Information Management Division

B-280106

January 27, 1999

The Honorable Trent Lott
United States Senate

Dear Senator Lott:

This letter responds to your request that we assess how well the Bureau of Prisons (BOP), an agency of the Department of Justice (DOJ), is managing its Year 2000 program.[1] This letter summarizes (1) the status of the Bureau's Year 2000 program and (2) recent actions it has taken to strengthen its management of the program and improve Year 2000 assistance to state and local government institutions. On September 10, 1998, we briefed your office on the status of BOP's Year 2000 program. This letter updates the information that we provided during the briefing.

Results in Brief

BOP has assessed, tested, and implemented its only mission-critical information technology (IT) system and reports that it is Year 2000 compliant. In addition, BOP reports that it has assessed, renovated/replaced, and implemented 94 percent of its 2,021 mission-critical non-IT systems.[2] For those that are not yet implemented, BOP plans to do so by March 1999.
During the course of our review, BOP has acted to strengthen its Year 2000 program management, including (1) defining its Year 2000 program structure and developing a Year 2000 conversion plan, (2) expanding its Year 2000 program scope to include its 250 contract facilities, (3) tracking the status of workstation testing and non-IT assessments, (4) hiring a contractor to validate the vendors’ Year 2000 compliance certifications for non-IT systems, and (5) directing all offices, including contract facilities, and institutions to review, revise as necessary, and test their emergency preparedness plans for consideration of the threat of external infrastructure (for example, telecommunications and utilities) and internal system failures.

[1] For the past several decades, computer systems have typically used two digits to represent the year, such as “98” for 1998, in order to conserve electronic space and reduce operating costs. In this format, however, 2000 is indistinguishable from 1900 because both are represented as “00.” As a result, if not modified, computer systems or applications that use dates or perform date- or time-sensitive calculations may generate incorrect results beyond 1999.

[2] Non-IT systems include facilities’ equipment (e.g., elevators) and security systems manufactured by multiple vendors.

However, BOP’s outreach efforts to the state and local corrections community have not been proactive. During the course of our review, BOP updated the BOP and National Institute of Corrections (NIC)[3] Internet sites to provide links to government and private sector Year 2000 sites and identify BOP and NIC points of contact. However, this requires that state and local corrections officials come to BOP to obtain the information.
BOP agreed with our recommendation that it could be more effective in promoting awareness and providing assistance by proactively identifying state and local organizations needing assistance and sharing experiences and lessons learned.

Background

BOP's mission is to protect society by confining offenders in the controlled environments of prisons and community-based facilities that are safe, humane, and appropriately secure. BOP is managed from a national office that provides long-range planning and policy formulation, and six regional offices that provide technical support and on-site assistance to (1) 94 institutions, one of which is privately managed, and (2) over 250 contract facilities, which are owned and operated by contractors, and include primarily community-based halfway houses, as well as some state and local jails.

BOP's only mission-critical IT system, SENTRY, manages and tracks inmates, including monitoring inmate population, computing inmate sentences, documenting work assignments, and tracking disciplinary actions and institution designations. SENTRY applications were designed to process eight-digit dates, including a four-digit year, and currently process dates using a single subroutine, called DATETIME.

SENTRY applications run in real time on a mainframe computer operated by DOJ and are accessed by about 200 DOJ and BOP facilities through a network of about 11,000 personal computers with 3270 emulation[4] communicating through BOP's Washington, D.C., network control center. The network communication links are provided by Sprint (FTS 2000 carrier)[5] and the local exchange carriers. BOP reports that SENTRY processes more than one million transactions each day and provides data files to a number of external organizations, including the U.S. Pardon Attorney, U.S. Marshals Service, Federal Bureau of Investigation, and U.S. Parole Commission.

[3] The National Institute of Corrections is an agency within BOP that provides training, technical assistance, information services, and policy/program development assistance to federal, state, and local corrections agencies.

[4] A program that enables a microcomputer to appear to be a mainframe terminal by using the procedures and codes expected by the mainframe.

In addition to SENTRY, BOP has eight categories of mission-critical non-IT systems, consisting of 2,021 individual systems that rely on embedded computers.[6] These systems are critical to maintaining the security of its institutions, as well as ensuring continued operations of normal business functions. These eight categories of non-IT systems are security systems, video surveillance systems, perimeter detection systems, fire alarm systems, boiler controls and energy management systems, elevators, telephone switches, and radio systems.

Objectives, Scope, and Methodology

In assessing actions taken by BOP to address the Year 2000 problem, our objective was to assess how well BOP is managing its Year 2000 program. To satisfy this objective, we reviewed and analyzed key BOP documents, including (1) its Year 2000 guidance and Program Plan, (2) network, software, and non-IT inventory databases, (3) SENTRY test plan and results, (4) BOP quarterly reports, and (5) relevant correspondence to BOP regions and institutions, contractors, and product vendors. We also reviewed Office of Management and Budget and DOJ Year 2000 guidance. We used GAO's Year 2000 guidance to assess BOP's management of its programs.[7]

To supplement our analyses, we interviewed the BOP Year 2000 program manager and project team members.
We also interviewed representatives from the Community Corrections and Detention Division, Federal Prison Industries, Health Services Division, and the Office of Emergency Preparedness. We interviewed representatives from two BOP institutions, including the Year 2000 Program manager, security officers, facilities managers, IT managers, and the Emergency Preparedness Manager. We did not verify the Year 2000 status information provided by BOP.

[5] The Federal Telecommunications System 2000 currently provides intercity telecommunications services for federal government agencies.

[6] Embedded computers are special-purpose computers built into other devices.

[7] Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in February 1997; issued in final in September 1997); Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in February 1998; issued in final in August 1998); and Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998; issued in final in November 1998).

We performed our work at BOP headquarters in Washington, D.C., and at two BOP correctional facilities in Florence, Colorado, and Taft, California.[8] Our work was performed from May 1998 through January 1999, in accordance with generally accepted government auditing standards. We requested comments from the Director of BOP or her designee. On December 3, 1998, we obtained oral comments from BOP officials, including the Year 2000 Program Manager. Their comments are discussed in the "Agency Comments and Our Evaluation" section of this report.

[8] We selected these two facilities because Florence is one of the newest maximum-security institutions, and Taft is the only BOP-owned institution that is run by a private correctional management organization.

Status of BOP’s Efforts for Mission-Critical Systems

BOP has assessed, tested, and implemented its only mission-critical IT system, and reports that it is Year 2000 compliant. In addition, BOP reports that it has assessed, renovated/replaced, and implemented 94 percent of its mission-critical non-IT systems. BOP plans to implement the remaining 6 percent by March 1999.

Status of Mission-Critical IT Systems

SENTRY consists of (1) software applications, (2) mainframe hardware and systems software, (3) workstations, (4) telecommunications hardware and software, and (5) leased telecommunications lines. According to BOP officials, all SENTRY system components have been assessed for Year 2000 compliance. BOP tested the SENTRY system for correct processing of critical Year 2000 dates, and certified that, except for four percent of the 11,189 SENTRY workstations, it is compliant. BOP plans to replace the noncompliant workstations by March 1999. According to BOP officials, however, this four percent will not affect the operation of SENTRY. BOP’s certification of SENTRY has not yet been independently verified and validated, but BOP is working with a DOJ independent verification and validation (IV&V) contractor to review and validate BOP's test activities.

In addition, BOP contacted its telecommunications provider to determine its Year 2000 compliance, and according to BOP officials, it was told that the provider's service delivery business area would be Year 2000 compliant by June 1999.

Status of Mission-Critical Non-IT Systems

As of January 1999, BOP reported that 94 percent of its 2,021 mission-critical non-IT systems were Year 2000 compliant, 4 percent were scheduled to be repaired or replaced, and 2 percent were still being assessed. BOP plans to complete all conversion activities by March 1999.
For example, because BOP depends on vendors to provide the information to complete its assessment activities, it has specified in its plans (1) trigger dates beyond which BOP can no longer wait for vendor information and (2) potential alternative courses of action, such as replacing the systems.

As of January 1999, BOP reported the following status of its eight categories of mission-critical non-IT systems:

• Of 106 security systems, 72 were reported to be Year 2000 compliant; 15 are still being assessed and 19 are scheduled to be repaired by March 1999.
• All 811 surveillance equipment systems were reported to be Year 2000 compliant.
• All 96 perimeter detection systems were reported to be Year 2000 compliant.
• Of 274 fire alarm systems, 269 were reported to be Year 2000 compliant; the 5 noncompliant systems are scheduled to be repaired or replaced by March 1999.
• Of 443 boiler control and energy management systems, 394 were reported to be Year 2000 compliant and the remaining 49 are scheduled to be repaired by March 1999.
• All 109 elevator systems were reported to be Year 2000 compliant.
• All 94 BOP-owned telephone switches were reported to be Year 2000 compliant.
• Of 88 radio systems, 49 were reported to be Year 2000 compliant; 19 are still being assessed and 20 are scheduled to be repaired by March 1999.

BOP is working with a contractor to independently validate the vendors’ Year 2000 compliance certifications for non-IT systems. In addition to validating compliance, the contractor also is to assess the completeness of the non-IT system inventories at several institutions.

Recent BOP Actions to Strengthen Year 2000 Program Management

During the course of our review, we identified several program management weaknesses and discussed each with BOP officials. BOP officials responded quickly to our concerns by initiating the following actions to strengthen its Year 2000 program management:

• defined its Year 2000 program structure, including organizational roles and responsibilities, and developed a Year 2000 conversion plan;
• expanded its Year 2000 program scope to include its 250 contract facilities;
• developed a Year 2000 test plan and procedures for the SENTRY system that included testing for correct processing of critical Year 2000 dates;
• implemented methods to track the status and results of SENTRY workstation testing and non-IT systems assessments and renovation efforts; and
• hired a contractor to validate vendors' Year 2000 compliance certifications of its non-IT systems and assess the accuracy of its non-IT system inventories.

Further, since we briefed your office and BOP officials in September 1998 on the need to strengthen contingency planning for continuity of operations, the Program Manager has directed all offices, including its contract facilities, and institutions to (1) review and analyze their emergency preparedness plans for consideration of the threat of external infrastructure (for example, telecommunications and utilities) and internal system failures, (2) revise the emergency plans as necessary by March 1, 1999, to address Year 2000 contingencies, and (3) test the revised plans prior to April 5, 1999. In addition, the BOP Year 2000 Program Manager tasked each regional director with designating a liaison to coordinate the analysis, revision, and testing of institution and regional contingency plans, and report monthly on the status of achieving the enhancement and testing milestones.

BOP Needs to Proactively Reach Out to the State and Local Correctional Community

In June 1998, the Chairman of the President's Council on Year 2000 Conversion tasked federal agencies with coordinating outreach efforts with their counterparts in state and local governments and the private sector. According to the Chairman, such outreach efforts could expedite the Year 2000 efforts of late-starting nonfederal organizations.

In September 1998, we briefed BOP officials on the need to strengthen its outreach efforts. Subsequently, BOP issued its Federal Bureau of Prisons' Year 2000 (Y2K) Outreach Plan to State and Local Corrections Organizations. As part of its outreach effort, BOP updated the BOP and National Institute of Corrections (NIC) Internet sites to (1) provide links to government and private sector sites where Year 2000 information is available and (2) identify a BOP and NIC point of contact for those who may need specific guidance on Year 2000 issues germane to the corrections environment.

While these actions represent a start towards reaching out to the state and local corrections community, they require that state and local corrections officials come to BOP to obtain the information. BOP could be more effective in promoting awareness and providing assistance by proactively identifying state and local organizations needing assistance and sharing experiences and lessons learned. One way to reach state and local organizations is to use established networks, such as the National Sheriff’s Association and the National Association of Chiefs of Police.

Conclusions

Given BOP’s progress to date, and its plans for completing remaining Year 2000 activities, the risk that BOP will not complete remaining renovation, validation, and implementation activities by January 1, 2000, currently appears low. Further, while BOP has initiated some actions to reach state and local corrections officials, its actions may not allow these officials to fully benefit from BOP experiences and lessons learned.
Recommendation

To promote awareness and provide assistance to the state and local corrections community, we recommend that the Director, Bureau of Prisons, direct the Year 2000 Program Manager to proactively identify organizations needing assistance and share BOP experiences and lessons learned. This could be done through established networks, such as the National Sheriff’s Association and the National Association of Chiefs of Police.

Agency Comments and Our Evaluation

BOP officials, including the Year 2000 Program Manager, agreed with our conclusions and recommendations. The BOP Program Manager stated that he recognizes the limitations of BOP’s existing outreach efforts and stated that BOP will actively identify organizations needing assistance and share BOP’s lessons learned and relevant Year 2000 guidance.

BOP officials also provided updated information on the status of its Year 2000 efforts. We have incorporated the updated information in the report where appropriate.

We are making copies of this letter available to the Chairmen and Ranking Minority Members of the House Committee on Government Reform and Oversight, Subcommittee on Government Management, Information, and Technology and the Senate Special Committee on the Year 2000 Technology Problem; the Director of the Office of Management and Budget; the Attorney General; the Director of the Bureau of Prisons; and other interested parties. We will also make copies available to others on request.

If you have any questions about this report, please contact me at (202) 512-6240 or, by e-mail, at firstname.lastname@example.org.

Sincerely yours,

Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems

Appendix I
Major Contributors to This Report

Accounting and Information Management Division, Washington, D.C.
Dr. Rona B. Stillman, Chief Scientist for Computers and Telecommunications
Randolph C. Hite, Associate Director
Deborah A. Davis, Assistant Director

Chicago Field Office
Sanford F. Reigle, Information Systems Analyst
Phillip E. Rutar, Information Systems Analyst

(511121)

Ordering Information

The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent.

Orders by mail:
U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:
Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists.

For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov
Year 2000 Computing Crisis: Status of Bureau of Prisons' Year 2000 Efforts
Published by the Government Accountability Office on 1999-01-27.