oversight

Year 2000 Computing Challenge: Noteworthy Improvements in Readiness But Vulnerabilities Remain

Published by the Government Accountability Office on 1999-11-04.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Technology, Committee on
                          Science, and the Subcommittee on Government
                          Management, Information, and Technology, Committee on
                          Government Reform, House of Representatives

For Release on Delivery
Expected at
2 p.m.
                          YEAR 2000 COMPUTING
Thursday,
November 4, 1999          CHALLENGE

                          Noteworthy Improvements
                          in Readiness But
                          Vulnerabilities Remain
                          Statement of Joel C. Willemssen
                          Director, Civil Agencies Information Systems
                          Accounting and Information Management Division




GAO/T-AIMD-00-37
Ms. Chairwoman, Mr. Chairman, and Members of the Subcommittees:

Thank you for inviting us to participate in today’s hearing on the Year 2000
problem. According to the report of the President’s Commission on Critical
Infrastructure Protection, the United States—with close to half of all
computer capacity and 60 percent of Internet assets—is the world’s most
advanced and most dependent user of information technology.1 Moreover,
America’s infrastructures are a complex array of public and private
enterprises with many interdependencies at all levels. These many
interdependencies among governments and within key economic sectors
could cause a single failure to have adverse repercussions in other sectors.

Because of its urgent nature and the potentially devastating impact it could
have on critical government operations, in February 1997 we designated
the Year 2000 problem a high-risk area for the federal government.2 Since
that time, we have issued over 150 reports and testimony statements
detailing specific findings and numerous recommendations related to the
Year 2000 readiness of a wide range of federal agencies.3 We have also
issued guidance to help organizations successfully address the issue.4

The public faces the risk that critical services provided by the government
and the private sector could be disrupted by the Year 2000 computing
problem. As we have previously testified, financial transactions could be
delayed, flights grounded, power lost, and national defense affected.5
Substantial progress has been made to reduce these risks and, in the fast-


1
  Critical Foundations: Protecting America’s Infrastructures (President’s Commission on
Critical Infrastructure Protection, October 1997).
2
    High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).
3
 A list of these publications is included as an appendix to this statement. These publications
can be obtained through GAO’s World Wide Web page at www.gao.gov/y2kr.htm.
4
  Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an
exposure draft in February 1997 and in final form in September 1997); Year 2000 Computing
Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, issued as an
exposure draft in March 1998 and in final form in August 1998); Year 2000 Computing Crisis:
A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998 and in final
form in November 1998); and Y2K Computing Challenge: Day One Planning and Operations
Guide (GAO/AIMD-10.1.22, issued as a discussion draft in September 1999 and in final form
in October 1999).
5
Year 2000 Computing Crisis: Strong Leadership and Partnerships Needed to Mitigate Risk of
Major Disruptions (GAO/T-AIMD-98-262, August 13, 1998).




Page 1                                                                    GAO/T-AIMD-00-37
                       paced environment of the Year 2000 issue, progress continues to be made.
                       Today, I will discuss the federal government’s progress and challenges that
                       remain in correcting its systems; identify state and local government Year
                       2000 issues; and provide an overview of available information on the
                       readiness of key public infrastructure and economic sectors.



Federal Government’s   As the Year 2000 has grown nearer, the federal government’s response to
                       the problem has increased. Mr. Chairman, when we first testified on this
Progress Noteworthy    problem before you in February 1997, we stated that there was much that
But Additional Work    needed to be done if the federal government was to avoid the disruption of
                       important services, and that correcting the Year 2000 problem would be
Remains                labor-intensive and time-consuming.6 Moreover, we testified that whether
                       agencies succeeded and/or failed would be largely influenced by the quality
                       of executive leadership and program management. As we reported last
                       month, the government’s Year 2000 efforts have reinforced an
                       understanding of the importance of consistent and persistent top
                       management attention. 7

                       The Year 2000 problem has also demonstrated the importance of
                       congressional and executive branch leadership. At the urging of
                       congressional leaders and others, the Office of Management and Budget
                       (OMB) and the federal agencies have dramatically increased the amount of
                       attention and oversight given to the Year 2000 issue. Moreover, the
                       establishment of the President’s Council on Year 2000 Conversion—chaired
                       by an Assistant to the President and consisting of one representative from
                       each of the executive departments and from other federal agencies as may
                       be determined by the Chair—focused attention on the problem and
                       provided a forum for high-level communication among leaders in
                       government, the private sector, and the international community.

                       The success of these organizations’ efforts is demonstrated by figure 1,
                       which shows that the major departments and agencies have progressed
                       from a reported compliance rate of 21 percent in May 1997 to a reported
                       99 percent in October 1999. While this reported governmentwide progress


                       6
                         Year 2000 Computing Crisis: Strong Leadership Today Needed To Prevent Future
                       Disruption of Government Services (GAO/T-AIMD-97-51, February 24, 1997).
                       7
                       Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000
                       Experiences (GAO/AIMD-00-1, October 1, 1999).




                       Page 2                                                               GAO/T-AIMD-00-37
                                         is notable, the Departments of Defense, Justice, and the Treasury and the
                                         U.S. Agency for International Development still have noncompliant
                                         systems.



Figure 1: Mission-Critical Systems Reported Year 2000 Compliant, May 1997-October 1999




                                         Source: May 1997 − August 1999 data are from the OMB quarterly reports. The October 1999 data are
                                         from OMB’s October 29, 1999, testimony before the House Subcommittee on Government
                                         Management, Information, and Technology, Committee on Government Reform; and the House
                                         Subcommittee on Technology, Committee on Science.


                                         In addition to mission-critical systems, other important areas for agencies
                                         are data exchanges, telecommunications, and building systems. Table 1
                                         shows the reported status of the 24 major departments and agencies in
                                         these areas as of mid-August. It demonstrates that many agencies have
                                         completed work but that several others were not expected to be done until
                                         this month or next month.




                                         Page 3                                                                       GAO/T-AIMD-00-37
Table 1: Compliance Status of Data Exchanges, Telecommunications, and Building Systems for the Major Departments and
Agencies

                                                                           Estimated date of 1999 compliance
Area                                Completed            August         September          October            November             December
                 a
Data exchanges                                   9              2                   5              2                    2                   3
Telecommunications                               8              2                   9              2                    2                   1
                   b
Building systems                                 7              1                   7              5                    2                   1


                                        a
                                            One agency could not forecast the completion date for its remaining exchanges.
                                        b
                                            The status was not provided for one agency.
                                        Source: Progress on Year 2000 Conversion: 10th Quarterly Report (OMB, data received August 13,
                                        1999; report issued September 13, 1999).


                                        While governmentwide progress has been significant, such progress has
                                        not been uniform among all federal agencies. Some agencies have long had
                                        strong Year 2000 programs in place, while others have improved their Year
                                        2000 approaches dramatically although risks remain. Some agencies,
                                        however, require continued close attention because of the criticality of
                                        information systems to their missions and the work that remains
                                        outstanding. The following highlights representative examples of the Year
                                        2000 progress of various agencies.

                                        Social Security Administration (SSA): Since October 1997 we have
                                        reported on SSA’s governmentwide leadership and significant progress in
                                        addressing the Year 2000 problem,8 and we have identified risk areas (such
                                        as the Year 2000 compliance of the systems used by the 54 state Disability
                                        Determination Services9 that help administer the disability programs) and
                                        made recommendations to address these risks. In July 1999, we reported
                                        that actions to implement these recommendations had either been taken or
                                        were underway.10 For example, SSA enhanced its monitoring and oversight
                                        of the state Disability Determination Services systems by establishing a


                                        8
                                        Social Security Administration: Significant Progress Made in Year 2000 Effort, But Key
                                        Risks Remain (GAO/AIMD-98-6, October 22, 1997).
                                        9
                                         These include the systems in all 50 states, the District of Columbia, Guam, Puerto Rico, and
                                        the Virgin Islands.
                                        10
                                         Social Security Administration: Update on Year 2000 and Other Key Information
                                        Technology Initiatives (GAO/T-AIMD-99-259, July 29, 1999).




                                        Page 4                                                                               GAO/T-AIMD-00-37
full-time project team, designating project managers and coordinators, and
requesting biweekly reports.

U.S. Customs Service: In February 1999, we testified that Customs had
made good progress in addressing its Year 2000 problem, due in large part
to the effective Year 2000 program management structures and processes
that it had put into place. 11 Mr. Chairman, in a briefing last month to your
Subcommittee staff on the high-impact cross-border inspection service
program, we reported that Customs’ progress continues. For example,
Customs had developed and implemented a Year 2000 master plan and a
high-impact area plan, identified and convened external business partners
integral to program delivery, and reported that it had completed most
planned tasks on or ahead of schedule.

Department of Veterans Affairs (VA): We have been monitoring and
evaluating VA’s actions to address the Year 2000 problem since 1996. During
that time, we have made numerous recommendations to reduce the risk
associated with Year 2000 failures. VA has been responsive to these
recommendations and actions to implement them have either been taken
or are underway. For example, in 1998 the Veterans Benefits
Administration reassessed its mission-critical efforts for the compensation
and pension on-line application and the Beneficiary Identification and
Record Locator Sub-System, as well as other technology initiatives to help
ensure that these critical undertakings were completed in time. As we
testified last week, VA has made much progress in addressing the Year 2000
problem, although some critical tasks remain in areas such as business
continuity and contingency planning.12




11
 Year 2000 Computing Crisis: Customs is Effectively Managing Its Year 2000 Program
(GAO/T-AIMD-99-85, February 24, 1999).
12
 Year 2000 Computing Challenge: Update on the Readiness of the Department of Veterans
Affairs (GAO/T-AIMD-00-39, October 28, 1999).




Page 5                                                               GAO/T-AIMD-00-37
Department of Education: In September 1998, we testified that
Education was very slow in implementing a comprehensive program to
address Year 2000 risks.13 In particular, significant risks faced the
department’s student financial aid delivery systems, risks that involved
systems testing, exchanging data with internal and external partners, and
developing business continuity and contingency plans. More recently, in
May 1999 we testified that the Department of Education had made progress
toward addressing these risks, although work remained ongoing.14 We
noted that much work on renovating and validating mission-critical
systems had been completed and the risk of student financial aid delivery
system failures has been significantly reduced. Nevertheless, Education
needed to continue making the Year 2000 problem a top priority and focus
attention on such issues as end-to-end testing.

Federal Aviation Administration (FAA): In January 1998, we reported
FAA had no central Year 2000 program management; an incomplete
inventory of mission-critical systems; no overall strategy for renovating,
validating, and implementing mission-critical systems; and no milestone
dates or schedules.15 At that time, we made several recommendations,
including that FAA establish plans to renovate, validate, and test all
converted and replaced systems. In September 1999, we testified that FAA
had addressed our recommendations and made excellent progress in its
Year 2000 readiness.16 Nevertheless, FAA continued to face challenges in
ensuring that its internal systems would work as intended through the year
2000 date change. For example, we found that (1) FAA had not effectively
implemented its policy for managing changes to compliant systems, (2) its
independent verification efforts were not adequately documented, and
(3) its end-to-end testing actions were not comprehensive.




13
  Year 2000 Computing Crisis: Significant Risks Remain to Department of Education’s
Student Financial Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).
14
 Year 2000 Computing Challenge: Education Taking Needed Actions But Work Remains
(GAO/T-AIMD-99-180, May 12, 1999).
15
  FAA Computer Systems: Limited Progress on Year 2000 Issue Increases Risk Dramatically
(GAO/AIMD-98-45, January 30, 1998).
16
 Year 2000 Computing Challenge: FAA Continues to Make Important Strides, But
Vulnerabilities Remain (GAO/T-AIMD-99-285, September 9, 1999).




Page 6                                                                GAO/T-AIMD-00-37
Internal Revenue Service (IRS): In February 1999, we testified17 that
IRS had made considerable progress in completing its Year 2000 work since
our testimony in May 1998. 18 Nevertheless, it was behind schedule in
certain critical tasks, and, in some cases such as the replacement of
noncompliant personnel computers, its work is still not complete.
Moreover, IRS acknowledges that its review of its information system
inventory continues to identify inaccuracies—a significant risk area.
Accordingly, IRS reported that, among other activities to improve the
quality of its inventory, it has “wall-to-wall” inventory reviews underway at
major locations, which are to be completed before the end of the calendar
year. In addition, in September we reported that the two IRS business
continuity and contingency plans that addressed issuing refunds and
receiving paper submissions were inconsistent in two key areas—
performance goals and mitigating actions. 19 In testimony before you last
week, IRS’ Chief Information Officer stated that the agency had addressed
the suggestions in our September report.

Health Care Financing Administration (HCFA): We initially reported
on HCFA’s Year 2000 program in 1997, making recommendations to
improve the agency’s program management.20 In subsequent reports and
testimony statements, we disclosed that while HCFA had made
improvements and had been responsive to our recommendations, critical
Year 2000 risks and challenges remained.21 Most recently, we testified
before your Subcommittees in September that HCFA and its contractors
had made progress in addressing Medicare Year 2000 issues.22 However, as


17
 IRS’ Year 2000 Efforts: Status and Remaining Challenges (GAO/T-GGD-99-35, February 24,
1999).
18
 IRS’ Year 2000 Efforts: Status and Risks (GAO/T-GGD-98-123, May 7, 1998).
19
 IRS’ Year 2000 Efforts: Actions Are Under Way to Help Ensure That Contingency Plans Are
Complete and Consistent (GAO/GGD-99-176, September 14, 1999).
20
  Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and
Technical Weaknesses (GAO/AIMD-97-78, May 16, 1997).
21
 Medicare Computer Systems: Year 2000 Challenges Put Benefits and Services in Jeopardy
(GAO/AIMD-98-284, September 28, 1998); Year 2000 Computing Crisis: Readiness Status of
the Department of Health and Human Services (GAO/T-AIMD-99-92, February 26, 1999); and
Year 2000 Computing Crisis: Readiness of Medicare and the Health Care Sector
(GAO/T-AIMD-99-160, April 27, 1999).
22
  Year 2000 Computing Challenge: HCFA Action Needed to Address Remaining Medicare
Issues (GAO/T-AIMD-99-299, September 27, 1999).




Page 7                                                                 GAO/T-AIMD-00-37
stated then, until HCFA had completed its recertification tests that were
then ongoing, the final status of the agency’s Year 2000 compliance would
remain unknown (the tests were due to be completed by November 1,
1999). Moreover, HCFA must also continue to closely monitor contractor
testing with providers, which had been limited but which nevertheless had
uncovered Year 2000 problems. Accordingly, given the considerable
amount of work that remained, we considered it crucial that the
development and testing of internal, contractor, and managed care
organizations’ business continuity and contingency plans move forward
rapidly.

Department of Defense (DOD): Our reviews as well as those of the DOD
Inspector General indicate that DOD has made noteworthy progress in its
Year 2000 activities but that risks remain. For example, in March we
testified that DOD had made considerable progress in the prior 3 months23
but it faced two significant challenges: (1) completing remediation and
testing of its mission-critical systems and (2) having a reasonable level of
assurance that key processes will continue to work on a day-to-day basis
and that key operational missions necessary for national defense can be
successfully accomplished. Also, in September 1999, the DOD Inspector
General reported that DOD had made significant progress in addressing
some risk areas, including identifying and determining the Year 2000
readiness of its critical suppliers. Nevertheless, the Inspector General
noted that DOD still faced challenges in ensuring that adequate testing is
performed, testing results are sufficiently documented and analyzed, and
contingency plans are viable. Moreover, as of November 1, DOD reported
that it still had 31 mission-critical systems that were not Year 2000
compliant. Six of these systems are not expected to be compliant until
December.




23
 Year 2000 Computing Crisis: Defense Has Made Progress, But Additional Management
Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999).




Page 8                                                             GAO/T-AIMD-00-37
The Government’s            While it is important to achieve compliance for individual mission-critical
Approach Has Improved But   systems, realizing such compliance alone does not ensure that business
                            functions will continue to operate through the change of century—the
Risk Areas Remain           ultimate goal of Year 2000 efforts. Accordingly, in April 1998, we made
                            recommendations to improve the government’s overall Year 2000
                            approach.24 Since that time, the government has made progress in
                            addressing these recommendations, although not all actions are complete.

                            Priority Setting: Our April 1998 report recommended that
                            governmentwide priorities be set based on such criteria as the potential for
                            adverse health and safety effects, adverse financial effects on American
                            citizens, detrimental effects on national security, and adverse economic
                            consequences. On March 26, OMB implemented our recommendation by
                            issuing a memorandum to federal agencies designating lead agencies for
                            the government’s 42 high-impact programs (e.g., food stamps, Medicare,
                            and federal electric power generation and delivery. OMB later added a 43rd
                            high-impact program—the Department of Justice’s National Crime
                            Information Center.) For each program, the lead agency was charged with
                            identifying to OMB the partners integral to program delivery; taking a
                            leadership role in convening those partners; assuring that each partner had
                            an adequate Year 2000 plan and, if not, helping each partner without one;
                            and developing a plan to ensure that the program would operate effectively.
                            According to OMB, such a plan might include testing data exchanges
                            across partners, developing complementary business continuity and
                            contingency plans, sharing key information on readiness with other
                            partners and the public, and taking other steps necessary to ensure that the
                            program would work. OMB directed the lead agencies to provide a
                            schedule and milestones of key activities in their plans by April 15, and
                            asked agencies to provide monthly progress reports.




                            24
                             Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for Strong
                            Leadership and Partnerships (GAO/AIMD-98-85, April 30, 1998).




                            Page 9                                                                 GAO/T-AIMD-00-37
End-To-End Testing: The purpose of end-to-end testing is to verify that a
defined set of interrelated systems, which collectively support an
organizational core business area or function, will work as intended in an
operational environment. In the case of the year 2000, many systems in the
end-to-end chain will have been modified or replaced. As a result, the scope
and complexity of testing—and its importance—are dramatically
increased, as is the difficulty of isolating, identifying, and correcting
problems. Consequently, agencies must work early and continually with
their data exchange partners to plan and execute effective end-to-end tests.
Our Year 2000 testing guide sets forth a structured approach to testing,
including end-to-end testing.25

Our April 1998 report recommended that, for selected government
priorities, lead agencies be designated to ensure that end-to-end testing of
these processes and supporting systems occurred across organizational
boundaries. On March 31, OMB and the Chair of the President’s Council on
Year 2000 Conversion announced that one of the key priorities that federal
agencies would be pursuing during the rest of 1999 would be cooperative
end-to-end testing to demonstrate the Year 2000 readiness of federal
programs with states and other partners.

Agencies have also acted to address end-to-end testing. For example, on
October 18, we reported that DOD was conducting thousands of end-to-end
tests in four major business functions: Health Affairs, Communications,
Personnel, and Logistics.26 Each of the individual test events we attended
and reviewed within the four functional areas generally satisfied the key
processes that our test guide defines as necessary to effectively plan,
conduct, and report on end-to-end testing. We also reported in October that
the Department of the Treasury’s Financial Management Service, which
serves as the government’s financial manager, had established effective
management controls in performing its portion of Year 2000 end-to-end
tests for three critical business functions (Social Security payments,
Supplemental Security Income payments, and Internal Revenue Service tax
refund payments).27


25
 GAO/AIMD-10.1.21, November 1998.
26
  Defense Computers: DOD Y2K Functional End-to-End Testing Progress and Test Event
Management (GAO/AIMD-00-12, October 18, 1999).
27
 Year 2000 Computing Challenge: Financial Management Service Has Established Effective
Year 2000 Testing Controls (GAO/AIMD-00-24, October 29, 1999).




Page 10                                                             GAO/T-AIMD-00-37
Business Continuity and Contingency Plans: Business continuity and
contingency plans are essential. Without such plans, when failures occur,
agencies will not have well-defined responses and may not have enough
time to develop and test alternatives. Federal agencies depend on data
provided by their business partners as well as on services provided by the
public infrastructure (e.g., power, water, transportation, and voice and data
telecommunications). One weak link anywhere in the chain of critical
dependencies can cause major disruptions to business operations. Given
these interdependencies, it is imperative that contingency plans be
developed for all critical core business processes and supporting systems,
regardless of whether these systems are owned by the agency. Accordingly,
our April 1998 report recommended that agencies be required to develop
contingency plans for all critical core business processes.

Since 1998, the federal government has improved its approach to business
continuity and contingency planning. OMB has clarified its contingency
plan instructions and, along with the Chief Information Officers Council,
has adopted our business continuity and contingency planning guide for
federal use. In addition, on January 26, 1999, OMB called on federal
agencies to identify and report on the high-level core business functions
that are to be addressed in their business continuity and contingency plans,
as well as to provide key milestones for development and testing of such
plans in their February 1999 quarterly reports. In addition, on May 13, OMB
required agencies to submit high-level versions of these plans by June 15. In
its September 1999 quarterly report, OMB required agencies to submit
updated high-level business continuity and contingency plans by
October 15, 1999.




Page 11                                                      GAO/T-AIMD-00-37
As we testified before your Subcommittees last week, although more work
remains, agency business continuity and contingency planning has evolved
and improved since 1998.28 In March 1998 we testified that several agencies
reported that they planned to develop contingency plans only if they fell
behind schedule in completing their Year 2000 fixes.29 In June 1998, we
testified that only four agencies had reported that they had drafted
contingency plans for their core business functions.30 By contrast, in
January 1999 we testified that many agencies had reported that they had
completed or were drafting business continuity and contingency plans
while others were in the early stages of such planning.31 Also, as we
testified in August, according to an OMB official, all of the major
departments and agencies had submitted high-level business continuity and
contingency plans in response to OMB’s May 13, 1999, memorandum. 32 In
October, all of the major departments and agencies and the Postal Service
submitted updated high-level plans to OMB.

While OMB’s May 1999 memorandum directed agencies to describe their
overall strategies and processes for ensuring the readiness of key programs
and functions across the agency, it did not detail the format or reporting
elements that agencies were to follow. Accordingly, the plans vary
considerably in terms of format and level of detail. Some agencies, such as
the Departments of Justice and Labor, described their general approach or
strategy, while others, such as the Departments of Education and
Transportation, provided program or component-entity specific plans that
contained more detailed information. With respect to specific elements, all
of the plans in our review33 identified core business processes, as called for


28
  Year 2000 Computing Challenge: Federal Business Continuity and Contingency Plans and
Day One Strategies (GAO/T-AIMD-00-40, October 29, 1999).
29
 Year 2000 Computing Crisis: Strong Leadership and Effective Public/Private Cooperation
Needed to Avoid Major Disruptions (GAO/T-AIMD-98-101, March 18, 1998).
30
  Year 2000 Computing Crisis: Actions Must Be Taken Now to Address Slow Pace of Federal
Progress (GAO/T-AIMD-98-205, June 10, 1998).
31
 GAO/T-AIMD-99-50, January 20, 1999.
32
 Year 2000 Computing Challenge: Important Progress Made, Yet Much Work Remains to
Ensure Delivery of Critical Services (GAO/T-AIMD-99-266, August 13, 1999).
33
  While the Department of the Treasury and the General Services Administration reported
that they had provided their plans to OMB, we did not receive them in time to include them
in our analysis; therefore, we analyzed 23 submissions.




Page 12                                                                GAO/T-AIMD-00-37
in our guide. In addition, we were able to identify 20 agencies that
discussed their business continuity and contingency plan validation
strategies in their high-level plans. These strategies encompassed a range
of activities, including reviews, desktop exercises, simulations, and/or
quality assurance audits.

As noted in our business continuity and contingency planning guide, a key
element of such a plan is the development of a zero day or Day One risk
reduction strategy. In testimony in January 1999, we noted that the Social
Security Administration had developed a Day One strategy and suggested
that OMB consider requiring other agencies to develop such plans. 34 In its
September 1999 quarterly report, OMB subsequently required agencies to
submit Day One strategies to it, which each of the 24 major departments
and agencies and the Postal Service did. OMB subsequently asked agencies
to address seven elements in their plans: (1) a schedule of activities,
(2) personnel on call or on duty, (3) contractor availability,
(4) communications with the workforce, (5) facilities and services to
support the workforce, (6) security, and (7) communications with the
public. OMB also told the agencies to consider our Day One strategy
guidance carefully.

Our review of agency strategies found that about 40 percent addressed all
seven elements.35 For example, our testimony last week noted that the
Department of Veterans Affairs addressed all of OMB’s elements. 36 VA and
its agencies had developed a Day One strategy that should help the
department manage risks associated with the rollover period and better
position itself to address any disruptions that may occur. The strategy
included a time line of events between December 31 and January 1 and a
personnel strategy and leave policy that identifies key managerial and
technical personnel available to support Day One operations.

With respect to specific elements, we were able to identify 15 agencies that
included a schedule of activities and 17 that addressed staffing issues. In a
few cases, agencies addressed either OMB’s internal communications


34
 GAO/T-AIMD-99-50, January 20, 1999.
35
  While the U.S. Agency for International Development and the General Services
Administration reported that they had provided their plans to OMB, we did not receive them
in time to include them in our analysis. Therefore, we analyzed 23 agencies’ submissions.
36
 GAO/T-AIMD-00-39, October 28, 1999.




Page 13                                                                GAO/T-AIMD-00-37
                        element or external communications element but not both. Further, some
                        elements were addressed in a general manner and/or indicated that more
                        work needed to be completed. For example, one agency reported that it is
                        developing procedures to ensure its ability to identify, report, and respond
                        effectively to Year 2000-related events.



State and Local         Just as the federal government faces significant Year 2000 risks, so too do
                        state and local governments. If the Year 2000 problem is not properly
Governments Face        addressed, for example, (1) food stamps and other types of payments may
Significant Year 2000   not be made or could be made for incorrect amounts, (2) date-dependent
                        signal timing patterns could be incorrectly implemented at highway
Risks                   intersections, with safety severely compromised, and (3) prisoner release
                        or parole eligibility determinations might be adversely affected.

                        With respect to state Year 2000 efforts, recent information from the
                        National Association of State Information Resource Executives indicates
                        that states have greatly improved their readiness since the beginning of this
                        year. Table 2 provides a comparison of the percentage of mission-critical
                        systems37 reported as implemented by the states in January 1999 and in
                        October 1999, which shows that, in general, noteworthy progress has been
                        made during the year. 38




                        37
                         Mission-critical systems were defined as those that a state had identified as priorities for
                        prompt remediation.
                        38
                         Individual states submit periodic updates to the National Association of State Information
                        Resource Executives. For the October 28 report, about 60 percent of the states submitted
                        their data in October; the oldest data were provided on March 11 and the most recent on
                        October 27.




                        Page 14                                                                    GAO/T-AIMD-00-37
Table 2: Comparison of Percentages of Mission-Critical Systems Reported as
Implemented by the Statesa

                                               Number of states on              Number of states on
Percentage implemented                           January 15, 1999b                October 28, 1999c
1-24                                                                 9                                0
25-49                                                              12                                 1
50-74                                                              19                                 3
75-99                                                                6                               39
100 percent                                                          0                                5


a
 In some cases, states did not report on their mission-critical systems, instead reporting on, for
example, processes or on all systems.
b
    Four states did not respond to this question.
c
 Two states did not respond to the survey.
Source: National Association of State Information Resource Executives


In addition to reporting system remediation information, as of October 28,
all of the states responding to the National Association of State Information
Resource Executives survey reported that they were actively engaged in
internal and external contingency planning and that they had established
target dates for the completion of these plans. For nine states, however, the
deadline was December 1999.

It is also essential that local government systems be ready for the change of
century since critical functions involving, for example, public safety and
traffic management, are performed at the local level. Reports on local
governments have highlighted Year 2000 concerns. For example:




Page 15                                                                             GAO/T-AIMD-00-37
• In July, we issued a letter on the reported Year 2000 status of the 21
  largest U.S. cities.39 On average, cities reported completing work for 45
  percent of the key service areas in which they have responsibility. In
  addition, 2 cities reported that they had completed their Year 2000
  efforts, 9 expected to complete Year 2000 preparations by September 30,
  1999, and the remaining 10 cities expected to complete their preparation
  by December 31.40 In addition, 7 cities reported completing Year 2000
  contingency plans, while 14 reported that their plans were still being
  developed.
• Also in July, the National League of Cities reported on its survey of 403
  cities conducted in April 1999. This survey found that (1) 92 percent of
  cities had a citywide Year 2000 plan, (2) 74 percent had completed their
  assessment of critical systems, and (3) 66 percent had prepared
  contingency plans. (Of those that had not completed such plans, about
  half stated that they were planning to develop one.) In addition, 92
  percent of the cities reported that they expected that all of their critical
  systems would be compliant by January 1, 2000; 5 percent expected to
  have completed between 91 and 99 percent, and 3 percent expected to
  have completed between 81 and 90 percent of their critical systems by
  January 1.
• In June, the National Association of Counties announced the results of
  its April survey of 500 randomly selected counties. This survey found
  that (1) 74 percent of respondents had a countywide plan to address
  Year 2000 issues, (2) 51 percent had completed system assessments, and
  (3) 27 percent had completed systems testing. In addition, 190 counties
  had prepared contingency plans while 289 had not. Further, of the 114
  counties reporting that they planned to develop Year 2000 contingency
  plans, 22 planned to develop the plan from April through June, 64 from
  July through September, 18 from October through December, and 10 did
  not yet know.

Of critical importance to the nation are services, such as law enforcement,
that are essential to the safety and well-being of individuals across the
country. For the most part, responsibility for ensuring the continuity of law
enforcement operations resides with thousands of state and local


39
 Reported Y2K Status of the 21 Largest U.S. Cities (GAO/AIMD-99-246R, July 15, 1999).
40
 In most cities, the majority of city services were scheduled to be completed before this
completion date. For example, Los Angeles planned to have all key city systems ready by
September 30, except for its wastewater treatment systems, which were expected to be
completed in November.




Page 16                                                                 GAO/T-AIMD-00-37
jurisdictions. One critical system—the National Crime Information Center
2000—is operated by the Federal Bureau of Investigation and provides law-
enforcement users in 80,000 U.S. and foreign agencies critical access to
information on criminal activities. Mr. Chairman, we recently briefed your
Subcommittee staff on the status of this system. While the Federal Bureau
of Investigation reported that its Year 2000 remediation, validation, and
implementation activities were completed for the National Crime
Information Center 2000, the readiness of five state-level partners was
uncertain. Specifically, in assessing the readiness of each state, Puerto
Rico, and the District of Columbia, the Bureau found that 47 were Year 2000
ready, but that five had not completed Year 2000 remediation at the time of
the assessment. The Bureau plans to continue reviewing the readiness
status of these five.

Recognizing the seriousness of the Year 2000 risks facing state and local
governments, the President’s Council on Year 2000 Conversion developed
initiatives to address the readiness of state and local governments. For
example:

• The Council established working groups on state and local governments
  and tribal governments.
• Council officials participate in monthly, multistate conference calls with
  state Year 2000 coordinators.
• In July 1998, March 1999, and October 1999 the Council, in partnership
  with the National Governors’ Association, convened Year 2000 summits
  with state and U.S. territory Year 2000 coordinators.
• On May 24, the Council announced a nationwide campaign to promote
  “Y2K Community Conversations” to support and encourage efforts of
  government officials, business leaders, and interested citizens to share
  information on their progress. To support this initiative, the Council
  developed and is distributing a toolkit that provides examples of which
  sectors should be represented at these events and issues that should be
  addressed.




Page 17                                                     GAO/T-AIMD-00-37
State-Administered Federal   Among the critical functions performed by states are the administration of
Human Services Programs      federal human services programs. As we reported in November 1998, many
                             systems that support state-administered federal human services programs
Are At Risk                  were at risk, and much work remained to ensure that services would
                             continue.41 In February of this year, we testified that while some progress
                             had been achieved, many states’ systems were not scheduled to become
                             compliant until the last half of 1999.42 Accordingly, we concluded that,
                             given these risks, business continuity and contingency planning was even
                             more important in ensuring continuity of program operations and benefits
                             in the event of systems failures.

                             Subsequent to our November 1998 report, OMB directed federal oversight
                             agencies to include the status of selected state human services systems in
                             their quarterly reports. Specifically, in January 1999, OMB requested that
                             agencies describe actions to help ensure that federally supported, state-run
                             programs will be able to provide services and benefits. OMB further asked
                             that agencies report the date when each state’s systems will be Year 2000-
                             compliant.

                             Table 3 summarizes the latest information on state-administered federal
                             human services programs reported by OMB on September 13, 1999. 43 The
                             table indicates that while many states44 reported their programs to be
                             compliant, a number did not plan to complete Year 2000 efforts until the
                             last quarter of 1999. For example, nine states did not expect to be
                             compliant until the last quarter of 1999 for Child Support Enforcement,
                             seven states for Food Stamps, and four states for Unemployment
                             Insurance. Moreover, Year 2000 readiness information was unknown in
                             many cases. For example, according to OMB, the status of 16 states’ Low

                             41
                               Year 2000 Computing Crisis: Readiness of State Automated Systems to Support Federal
                             Welfare Programs (GAO/AIMD-99-28, November 6, 1998).
                             42
                              Year 2000 Computing Crisis: Readiness of State Automated Systems That Support Federal
                             Human Services Programs (GAO/T-AIMD-99-91, February 24, 1999).
                             43
                              For Medicaid, OMB reports on the two primary systems that states use to administer the
                             program: (1) the Integrated Eligibility System, used to determine whether an individual
                             applying for Medicaid meets the eligibility criteria for participation and (2) the Medicaid
                             management information system (MMIS), used to process claims and deliver payments for
                             services rendered. Integrated eligibility systems are also often used to determine eligibility
                             for other public assistance programs, such as Food Stamps.
                             44
                              In the context of this testimony, the term states can include the District of Columbia and
                             U.S. territories, such as Puerto Rico.




                             Page 18                                                                    GAO/T-AIMD-00-37
                                            Income Home Energy Assistance programs was unknown because
                                            applicable readiness information was not available.



Table 3: Reported State-level Readiness for Federally Supported Programsa

                                                                              Expected date of 1999 compliance
                                                           Estimated
                                                      compliance date
Program                        Compliantb         before August 1999c         Aug.     Sept.       Oct.       Nov.      Dec.        Unk.d       N/Ae
Child Nutrition                        41                               1         4         4          2          0          2           0          0
Food Stamps                            39                               0         3         5          3          4          0           0          0
Women, Infants, and
Children                               45                               0         0         2          3          3          1           0          0
Child Care                             25                             12          0         2          2          3          0           6          4
Child Support Enforcement              23                               9         2         7          4          3          2           4          0
Child Welfare                          23                             14          1         3          5          3          0           5          0
Low Income Home Energy
Assistance Program                     25                               2         3         3          2          0         0          16           3
Medicaid − Integrated
Eligibility System                     25                             18          0         5          4          0          0           2          0
Medicaid − Management
Information System                     22                             16          5         4          4          1          0           2          0
Temporary Assistance for
Needy Families                         27                             15          2         4          2          1          0           3          0
Unemployment Insurance                 39                               0         0        10          3          0         1            0          1


                                            a
                                             This chart contains readiness information from the 50 states, the District of Columbia, Guam, Puerto
                                            Rico, and the Virgin Islands.
                                            b
                                             OMB defined compliant as when the state or territory had determined that its systems were able to
                                            provide services, whether directly or indirectly, to beneficiaries.
                                            c
                                             In many cases, the report indicated a date instead of whether the state was compliant. According to
                                            OMB, in some cases, while the estimated dates had passed, confirmation of completion had not been
                                            received from the federal agencies.
                                            d
                                                Unknown indicates that, according to OMB, no information was reported by the agency.
                                            e
                                             N/A indicates that the states or territories reported that the data requested were not applicable to
                                            them.
                                            Source: Progress on Year 2000 Conversion: 10th Quarterly Report (OMB, data received August 13,
                                            1999; report issued September 13, 1999).


                                            The information in the OMB report was gathered, but not verified, by the
                                            Departments of Agriculture, HHS, and Labor, based on submissions by the
                                            states and territories. As a result, some of the state information reported by



                                            Page 19                                                                              GAO/T-AIMD-00-37
OMB may not be accurate or up-to-date. For example, in five cases, state
programs cited as compliant by OMB in its June quarterly report had
estimated compliance dates of October 1999 or later in its September
quarterly report.

Further, as we testified last month, the late reported compliance dates of
some states are problematic since schedule delays or unexpected problems
could well arise.45 Indeed, reported schedule delays have now occurred in
8 of the 10 state-administered programs since OMB’s June 1999 report. 46
For example, OMB’s June report showed that three states had estimated
compliance dates in the last quarter of 1999 for Food Stamps, while the
most recent OMB report indicates that seven states now have estimated
fourth quarter compliance dates. To illustrate, the June OMB report
indicated that a state and a territory were due to be compliant in June for
Food Stamps, but the September OMB report indicated that the date for
these entities had moved to November 1999.

In addition to obtaining state-reported readiness information, the three
federal departments are taking other actions to assess the ability of state-
administered programs to continue operating successfully into the next
century.

Department of Agriculture: Agriculture’s Food and Nutrition Service
(FNS) is responsible for three state-administered federal human services
programs—Child Nutrition; Food Stamps; and Women, Infants, and
Children. To obtain assurance that state systems are compliant, FNS’
regional offices are collecting readiness status information from states as
part of their monitoring. Moreover, in June 1999, FNS required its regions
to provide, for each program, a copy of either a state letter certifying that it
was Year 2000 compliant or a business continuity and contingency plan. As
of August 25, 1999, FNS had received

• 15 certifications and 6 business continuity and contingency plans for
  Child Nutrition;
• 22 certifications and 16 business continuity and contingency plans for
  Food Stamps; and

45
 Year 2000 Computing Challenge: Readiness of Key State-Administered Federal Programs
(GAO/T-AIMD-00-9, October 6, 1999).
46
 There was no change in one state-administered federal program, and the number of states
with estimated compliance dates in the last quarter declined by one for a second program.




Page 20                                                               GAO/T-AIMD-00-37
• 25 certifications and 21 business continuity and contingency plans for
  Women, Infants, and Children.

Although agency officials instructed FNS regional offices to require state
agencies for all three programs to prepare business continuity and
contingency plans, it remains unclear whether all states have adequate
plans to ensure the continuity of these programs. For example, a June 18
FNS document summarizing the agency’s review of contingency plans
received to date noted that “all need work.” As of September 15, FNS
officials told us that only two states had submitted suitable contingency
plans. FNS intends to have its contractor review contingency plans for
those states that reported that they expected to be compliant after
September 30, 1999.

Department of Health and Human Services: Six of the 10 state-
administered federal human services programs are overseen by either one
of two HHS component entities, HCFA or the Administration for Children
and Families (ACF). As we stated in October, HCFA has adopted an
approach that includes three rounds of on-site contractor reviews of states
(performed in conjunction with HCFA regional and headquarters offices)
using a standard methodology. 47 With respect to the risk levels assigned to
the states, as of October 4, 1999,

• 4 eligibility systems and 5 MMISs were assessed at high risk,
• 13 eligibility systems and 8 MMISs were assessed at medium risk, and
• 36 eligibility systems and 40 MMISs were assessed at low risk. 48

HCFA’s current state risk ratings represent an overall improvement from
those assigned after the first round of reviews, although many issues
continue to be unresolved with the states.




47
 Reported Medicaid Year 2000 Readiness (GAO/AIMD-00-22R, October 5, 1999).
48
  Forty state risk ratings were based on second-round visits (conducted between May and
September 1999), while 13 state risk ratings in the low category are based on the results of
first-round visits because the states were not visited in the second round.




Page 21                                                                  GAO/T-AIMD-00-37
To complement its system reviews, HCFA obtained another contractor to
review state business continuity and contingency plans. In June 1999,
HCFA’s business continuity and contingency plan contractor began
reviewing the quality of state plans through either a desk audit alone or
both a desk audit and an on-site visit. Of the 33 states and two territories
that have been reviewed by the contractor as of October 1, 1999, 49 11 were
high risk, 11 were medium risk, and 13 were low risk.

Regarding the other five HHS state-administered federal programs, ACF
modeled its state assessment program after that of HCFA. Table 4 shows
the number of states placed in each risk assessment level as of October 21.



Table 4: Summary of Risk Levels as of October 21, 1999

                                                                                 Risk levels
                                                            Number of
Program                                                   state reports High          Medium      Low
ACF - Child Care                                                       55       3           16        36
ACF - Child Support Enforcementa                                      54        3           12        39
ACF - Child Welfarea                                                   54       0           14        40
ACF - Low Income Home Energy Assistance
Programa                                                              54        1           16        37
ACF - Temporary Assistance for Needy
Familiesa                                                             54        3             9       42


a
 These programs were not evaluated for one of the U.S. territories or a territory does not have the
program.


According to an ACF official, although the agency has not completed a
reassessment of state risk ratings, most state programs with high or
medium risk ratings have improved their status since the original
assessment was completed (May through September).

Department of Labor: With respect to Unemployment Insurance, the 53
State Employment Security Agencies (SESAs) use their own systems to pay
unemployment insurance compensation benefits to eligible workers and
collect state unemployment taxes from employers. As of November 1,

49
 As of October 1, 1999, 16 state business continuity and contingency plans had not been
reviewed, and 2 states had not provided their plans to HCFA.




Page 22                                                                             GAO/T-AIMD-00-37
                  according to the Labor Department, 51 of 53 SESAs reported that their
                  benefits systems were Year 2000 compliant, while 50 of the 53 tax systems
                  were reported as such.

                  In September 1998, Labor established a valuable tool in gauging the
                  readiness of state Unemployment Insurance systems by requiring that all
                  SESAs arrange for independent verification and validation. Based on the
                  results of these reviews, Labor has indicated that the Secretary will be
                  sending letters to the governors of 11 states considered to be in need of
                  further attention concerning their Year 2000 compliance efforts. Labor
                  reported to us that it would continue to work aggressively with the SESAs
                  needing further attention.

                  To provide further assurance that unemployment insurance benefits will
                  continue without interruption in the Year 2000, Labor has required that the
                  SESAs develop detailed business continuity and contingency plans for their
                  automated systems. According to Labor, a PC-based Automated
                  Contingency System has been developed to permit the interim payment of
                  benefits should a Year 2000 failure occur. Labor reports that nine states
                  have adopted this system as part of their contingency planning.



Mixed Year 2000   Beyond the risks faced by federal, state, and local governments, the year
                  2000 also poses a serious challenge to the public infrastructure, key
Progress in Key   economic sectors, and to other countries. To address these concerns, in
Sectors           April 1998 we recommended that the President’s Council use a sector-based
                  approach and establish the effective public-private partnerships necessary
                  to address this issue.50 The Council subsequently established over 25
                  sector-based working groups and has been initiating outreach activities
                  since it became operational last spring. In addition, the Chair of the Council
                  has formed a senior advisors group of representatives from private-sector
                  firms across key economic sectors. Members of this group are expected to
                  offer perspectives on crosscutting issues, information sharing, and
                  appropriate federal responses to potential Year 2000 failures.

                  Our April 1998 report also recommended that the President’s Council
                  develop a comprehensive picture of the nation’s Year 2000 readiness, to
                  include identifying and assessing risks to the nation’s key economic


                  50
                   GAO/AIMD-98-85, April 30, 1998.




                  Page 23                                                       GAO/T-AIMD-00-37
sectors−including risks posed by international links. In October 1998 the
Chair directed the Council’s sector working groups to begin assessing their
sectors. The Chair also provided a recommended guide of core questions
that the Council asked to be included in surveys by the associations
performing the assessments. These questions included the percentage of
work that has been completed in the assessment, renovation, validation,
and implementation phases. The Council then began issuing quarterly
public reports summarizing these assessments, beginning in January 1999.

The Council’s August 1999 report stated that important national systems
will make a successful transition to the year 2000 but that much work, such
as contingency planning, remains to be done. 51 In particular, the Council
expressed a high degree of confidence in five major domestic areas:
financial institutions, electric power, telecommunications, air travel, and
the federal government. For example, the Council stated that on August 2,
federal bank, thrift, and credit union regulators reported that 99 percent of
federally insured financial institutions have completed testing of critical
systems for Year 2000 readiness.

The Council had concerns in four significant areas: local government,
health care, education, and small businesses. For example, according to the
Council report, many school districts could move into the new century with
dysfunctional information technology systems, since only 28 percent and
30 percent, respectively, of Superintendent/Local Educational Agencies and
postsecondary institutions reported that their mission-critical systems
were Year 2000 compliant.

In the international arena, the Council stated that the Year 2000 readiness
of other countries was improving but remains a concern. The Council
reported that the June 1999 meeting of National Year 2000 Coordinators
held at the United Nations found that the 173 countries in attendance were
clearly focused on the Year 2000 problem but that many will likely not have
enough time or resources to finish preparations before the end of 1999.

In addition to our work related to federal, state, and local government Year
2000 progress, we have also issued several publications related to key
economic sectors. Our analysis has identified sectors that are leaders in
resolving Year 2000 problems, others that require sustained attention


51
 The Council’s three reports are available on its web site, www.y2k.gov. The Council’s next
report is due to be released shortly.




Page 24                                                                 GAO/T-AIMD-00-37
because of their importance and continued risk, and a few that are lagging
behind. In addition, variance in the level of readiness within segments of a
sector can exist. The following are representative samples of the readiness
of key sectors.

Banking and Finance Sector: The banking and finance sector is
considered a Year 2000 leader. A large portion of the institutions that make
up this sector are overseen by one or more federal regulatory agencies. In
September 1998 we testified on the efforts of five federal financial
regulatory agencies 52 to ensure that the institutions they oversee are ready
to handle the Year 2000 problem.53 Regulators had made significant
progress in assessing the readiness of member institutions and in raising
awareness on important issues, such as contingency planning and testing.
Regulator examinations of bank, thrift, and credit union Year 2000 activities
found that the vast majority were doing a satisfactory job of addressing the
problem. Nevertheless, regulators faced the challenge of ensuring that they
were ready to take swift action to address those institutions that falter in
the later stages of correction and to address disruptions caused by
international and public infrastructure failures.




52
 The National Credit Union Administration, the Federal Deposit Insurance Corporation, the
Office of Thrift Supervision, the Federal Reserve System, and the Office of the Comptroller
of the Currency.
53
 Year 2000 Computing Crisis: Federal Depository Institution Regulators Are Making
Progress, But Challenges Remain (GAO/T-AIMD-98-305, September 17, 1998).




Page 25                                                                 GAO/T-AIMD-00-37
In April, we reported that the Federal Reserve System−which is
instrumental to our nation’s economic well-being since it provides
depository institutions and government agencies with services such as
processing checks and transferring funds and securities—had effective
controls to help ensure that its Year 2000 progress is reported accurately
and reliably.54 It also was effectively managing the renovation and testing of
its internal systems and the development and planned testing of
contingency plans for continuity of business operations. Nevertheless, the
Federal Reserve System still had much to accomplish before it was fully
ready for January 1, 2000, such as completing validation and
implementation of all of its internal systems and completing its
contingency plans.

In addition to the domestic banking and finance sector, large U.S. financial
institutions have financial exposures and relationships with international
financial institutions and markets that may be at risk if these international
organizations are not ready for the date change occurring on January 1,
2000. In April, we reported55 that foreign financial institutions had
reportedly lagged behind their U.S. counterparts in preparing for the Year
2000 date change. Officials from four of the seven large foreign financial
institutions we visited said they had scheduled completion of their Year
2000 preparations about 3 to 6 months after their U.S. counterparts, but
that they planned to complete their actions by mid-1999 at the latest.
Moreover, key international market supporters, such as those that transmit
financial messages and provide clearing and settlement services, told us
that their systems were ready for the date change and that they had begun
testing with the financial organizations that depend on these systems. We
further found that seven large U.S. banks and securities firms that we
visited were taking actions to address their international risks. Finally, U.S.
banking and securities regulators were addressing the international Year
2000 risks of the institutions that they oversee.




54
  Year 2000 Computing Crisis: Federal Reserve Has Established Effective Year 2000
Management Controls for Internal Systems Conversion (GAO/AIMD-99-78, April 9, 1999).
55
 Year 2000: Financial Institution and Regulatory Efforts to Address International Risks
(GAO/GGD-99-62, April 27, 1999).




Page 26                                                                  GAO/T-AIMD-00-37
With respect to the insurance industry, in March, we concluded that the
insurance regulator presence in the Year 2000 area was not as strong as that
exhibited by the banking and securities industry. 56 State insurance
regulators we contacted were late in raising industry awareness of
potential Year 2000 problems, provided little guidance to regulated
institutions, and failed to convey clear regulatory expectations to
companies about Year 2000 preparations and milestones. Nevertheless, the
insurance industry is reported by both its regulators and by other outside
observers to be generally on track to being ready for 2000. However, most
of these reports are based on self-reported information and, compared with
other financial regulators, insurance regulators’ efforts to validate this
information generally began late and were more limited.

In a related report, in April 57 we stated that variations in oversight
approaches by state insurance regulators also made it difficult to ascertain
the overall status of the insurance industry’s Year 2000 readiness. We
reported that the magnitude of insurers’ Year 2000-related liability
exposures could not be estimated at that time but that costs associated
with these exposures could be substantial for some property-casualty
insurers, particularly those concentrated in commercial-market sectors. In
addition, despite efforts to mitigate potential exposures, the Year 2000-
related costs that may be incurred by insurers would remain uncertain until
key legal issues and actions on pending legislation were resolved.

Telecommunications: In September, we reported that basic network
services are unlikely to be immediately disrupted by Year 2000-related
problems if networks are left unremediated, according to experts who have
been tracking and studying the telecommunications industry’s Year 2000
risks.58 However, telecommunications carriers could still experience
problems with network maintenance, service billing, or operator
interfaces, such as incorrect date or day-of-week displays. We also said that
major U.S. public telecommunications carriers reported making good
progress in remediating their networks and supporting systems in order to


56
 Insurance Industry: Regulators Are Less Active in Encouraging and Validating Year 2000
Preparedness (GAO/T-GGD-99-56, March 11, 1999).
57
  Year 2000: State Insurance Regulators Face Challenges in Determining Industry Readiness
(GAO/GGD-99-87, April 30, 1999).
58
 Year 2000 Computing Crisis: Readiness of the Telecommunications Industry
(GAO/AIMD-99-293, September 30, 1999).




Page 27                                                               GAO/T-AIMD-00-37
prevent these types of Year 2000-related problems. Less information was
available on the status of medium and small carriers but efforts to collect
more data on these carriers were ongoing.

From an international telecommunications perspective, in July 1999, the
Network Reliability and Interoperability Council reported that while
countries around the globe continue to make progress, their efforts—with
some exceptions—have not matched the pace of efforts in the United
States and Canada. Regions considered to be at high risk were Central and
South America (including Mexico), the Indian sub-continent, Sub-Sahara
Africa, Eastern Europe, the Middle East and North Africa (excluding
Israel), and Asia Pacific. The Network Reliability and Interoperability
Council cautioned, however, that the information available was limited and
varied in its view from source to source. Moreover, the results of the
assessment varied widely within each region. For example, while Asia
Pacific is considered to be a region of high risk, some nations within that
region, such as Australia, are considered to be at low risk.

Energy Sector: As we testified last week, while progress had been made
in making the nation’s nuclear power plants and fuel processing facilities
Year 2000 ready, some risk remained.59 At particular risk were the two
plants that do not yet have their nonsafety systems ready, especially the
one with a completion date scheduled for more than 30 days from now.
Similarly, the four nuclear fuel facilities that were not Year 2000 ready by
September 1, 1999, raise concern. Likewise, not knowing the current Year
2000 status of all 14 decommissioned plants with spent fuel also raised
concern. Finally, the lack of information on two key issues—independent
reviews of Year 2000 testing and emergency Year 2000 exercises—and the
lack of requirements for Day One planning increases the Year 2000 risk to
the nuclear power industry.

To further reduce risks, we pointed out that the Nuclear Regulatory
Commission (NRC) and the nuclear power industry could still take specific
actions to ensure Year 2000-related plant safety.

• First, NRC should evaluate and report on the Year 2000 status of all
  decommissioned plants with spent fuel status that previously reported
  that they were not Year 2000 ready.


59
 Y2K Computing Challenge: Nuclear Power Industry Reported Nearly Ready; More Risk
Reduction Measures Can Be Taken (GAO/T-AIMD-00-27, October 26, 1999).




Page 28                                                            GAO/T-AIMD-00-37
• Second, NRC should survey the 103 operational nuclear power plants to
  gain an understanding of what independent reviews were completed.
  Based on this information, NRC should then identify plants that may
  need additional reviews.
• Third, NRC should obtain information on the scope and extent of
  nuclear power plants’ emergency exercises, and whether these
  exercises have incorporated Year 2000 scenarios.
• Finally, NRC should ensure that all nuclear facilities have developed Day
  One plans.

In April, we reported that while the electric power industry had concluded
that it had made substantial progress in making its systems and equipment
ready to continue operations into the year 2000, significant risks remained
since many reporting organizations did not expect to be Year 2000 ready
within the June 1999 industry target date.60 We therefore suggested that the
Department of Energy (1) work with the Electric Power Working Group to
ensure that remediation activities were accelerated for the utilities that
expected to miss the June 1999 deadline for achieving Year 2000 readiness,
and (2) encourage state regulatory utility commissions to require a full
public disclosure of Year 2000 readiness status of entities transmitting and
distributing electric power.

Subsequent to our report, on August 3, 1999, the North American Electric
Reliability Council released its fourth status report on electric power
systems. This report disclosed those organizations that were Year 2000
ready or Year 2000 ready with limited exceptions. According to the Council,
as of June 30, 1999, 251 of 268 (94 percent) of bulk electric organizations
were Year 2000 ready or Year 2000 ready with limited exceptions.61 In
addition, this report stated that 96 percent of local distribution systems
were reported Year 2000 ready.62 The North American Electric Reliability


60
 Year 2000 Computing Crisis: Readiness of the Electric Power Industry (GAO/AIMD-99-114,
April 6, 1999).
61
  The North American Electric Reliability Council reported that 64 of these organizations
had exceptions but that it “believes that the work schedule provided to complete these
exception items in the next few months represents a prudent use of resources and does not
increase risks associated with reliable electric service into the Year 2000.”
62
 This was based on the percentage of the total megawatts of the systems reported as Year
2000 ready by investor-owned, public power, and cooperative organizations. The report did
not identify the number of local distribution organizations that reported that they were Year
2000 ready.




Page 29                                                                  GAO/T-AIMD-00-37
Council stated that the information it uses is principally self-reported but
that 84 percent of the organizations reported that their Year 2000 programs
had also been audited by internal and/or external auditors.

In May we reported63 that while the domestic oil and gas industries had
reported that they had made substantial progress in making their
equipment and systems ready to continue operations into the year 2000,
risks remained. For example, although over half of our oil is imported, little
was known about the Year 2000 readiness of foreign oil suppliers. Further,
while individual domestic companies reported that they were developing
Year 2000 contingency plans, there were no plans to perform a national-
level risk assessment and develop contingency plans to deal with potential
shortages or disruptions to the nation’s overall oil and gas supplies. We
suggested that the Council’s oil and gas working group (1) work with
industry associations to perform national-level risk assessments and
develop and publish credible, national-level scenarios regarding the impact
of potential Year 2000 failures, and (2) develop national-level contingency
plans.

The results of the latest oil and gas industry survey were provided at the
October 21 Federal Energy Regulatory Commission Technical Conference.
This survey found that 92 percent of oil and gas companies’ business
systems, 93 percent of their embedded systems, and 83 percent of their
supply chain were Year 2000 ready. In addition, the survey found that
90 percent of the oil and gas companies had contingency plans in place, and
77 percent had tested them.

Transportation Sector: Airports make up a key component of the nation’s
transportation sector. In January we reported on our survey of 413 airports,
finding that while the nation’s airports were making progress in preparing
for the year 2000, such progress varied.64 Of the 334 airports responding to
our survey, about one-third reported that they would complete their Year
2000 preparations by June 30, 1999. The other two-thirds either planned on
a later date or failed to estimate any completion date. Moreover, about half
of the airports in our survey did not have contingency plans for any of
14 core airport functions. Although most of those not expecting to be ready

63
  Year 2000 Computing Crisis: Readiness of the Oil and Gas Industries (GAO/AIMD-99-162,
May 19, 1999).
64
 Year 2000 Computing Crisis: Status of Airports’ Efforts to Deal With Date Change Problem
(GAO/RCED/AIMD-99-57, January 29, 1999).




Page 30                                                                GAO/T-AIMD-00-37
by June 30 were small airports, 26 of them were among the nation’s largest
50 airports.

More recently, we testified in September on the Year 2000 information
collected by the Federal Aviation Administration on 113 U.S. airports. 65
According to FAA’s information at that time, about 20 percent of the 113
airports reported that they had completed their Year 2000 preparations.
Another 58 percent estimated that they would complete Year 2000 efforts
by September 30, and the remaining 22 percent either planned on a later
date or did not provide an estimated completion date. Among the group
planning to complete their Year 2000 efforts after September 30 but by
November 30 were five of the nation’s largest international airports.

Just 2 days ago, the Department of Transportation announced that none of
the 565 airports regulated by FAA had been found to have Year 2000
problems that will affect their ability to meet regulatory safety
requirements—which would include airfield operations such as aircraft
rescue and firefighting response but not ground transportation systems. To
make this assessment, FAA determined whether airport operators had
taken the necessary measures to ensure that such systems were Year 2000
compliant or had developed an alternate means for complying with these
requirements. For example, in the case of runway and taxiway lighting,
FAA required that an airport operator ensure that computers used to
control these lights were Year 2000 compliant or that control of the lights
could be performed manually.

Another essential element in this sector is the readiness of airlines.
According to FAA’s information at the time of our September testimony,
about 33 percent of 146 airlines reported that their systems were Year 2000
compliant. Another 35 percent planned to complete their Year 2000 efforts
by September 30, and the remaining 32 percent either planned on a later
date or did not provide any date. Among the group planning to complete
their Year 2000 work after September 30 but by December 31, 1999 were
four of the nation’s major airlines.




65
 GAO/T-AIMD-99-285, September 9, 1999.




Page 31                                                     GAO/T-AIMD-00-37
Education: On September 21, we reported on the Year 2000 readiness
status of 25 large school districts, showing that much work remained.66 Of
the 25 school districts surveyed, seven reported that all of their systems
that support mission-critical business functions were Year 2000 compliant.
Two districts reported that their mission-critical systems would be Year
2000 compliant by the end of September. The remaining 16 districts
reported that their systems would be ready by the last quarter of 1999 or
later, including nine reporting that compliance would be achieved after
November 30, 1999.

More recently, Education completed surveys of a random sample of
1,200 school districts and 1,600 postsecondary institutions during the first
week of October. Regarding the 985 school district respondents, (1) 64
percent reported that all mission-critical systems were compliant, (2) 96
percent expected that all of their mission-critical systems would be
compliant by January 1, 2000, (3) 65 percent reported that contingency
plans were completed, and (4) 83 percent expected that contingency plans
would be completed by January 1. For the 1,352 postsecondary institution
respondents, (1) 61 percent reported that all mission-critical systems were
compliant, (2) 97 percent expected that all of their mission-critical systems
would be compliant by January 1, 2000, (3) 73 percent reported that
contingency plans were completed, and (4) 88 percent expected that
contingency plans would be completed by January 1.

Health Care Sector: This sector, which includes health care providers
(such as hospitals and emergency health care services), insurers (such as
Medicare and Medicaid), and biomedical equipment, is not as far along in
its readiness as other sectors. In July we reported67 that HCFA had taken
aggressive and comprehensive outreach action with regard to its over
1.1 million health care providers that administer services for Medicare-
insured patients.68 Despite these efforts, HCFA data showed that provider
participation in its outreach activities had been low. Our July report also
found that although many surveys had been completed in 1999 on the Year


66
 Reported Year 2000 (Y2K) Readiness Status of 25 Large School Districts
(GAO/AIMD-99-296R, September 21, 1999).
67
  Year 2000 Computer Crisis: Status of Medicare Providers Unknown (GAO/AIMD-99-243,
July 28, 1999).
68
 Examples of such providers are hospitals, laboratories, physicians, and skilled
nursing/long-term care facilities.




Page 32                                                                  GAO/T-AIMD-00-37
2000 readiness of health care providers, none of the 11 surveys we
reviewed provided sufficient information with which to assess the Year
2000 status of the health care provider community. Each of the surveys had
low response rates, and several did not address critical questions about
testing and contingency planning.

To reduce the risk of Year 2000-related failures in the Medicare provider
community, our July report suggested that HCFA consider, for example,
using additional outreach methods, such as public service announcements,
and set milestones for Medicare contractors for testing with providers. We
also made suggestions to the President’s Council on Year 2000 Conversion’s
healthcare sector working group, including a suggestion to consider
working with associations to publicize those providers who respond to
future surveys in order to increase survey response rates.

Of Medicare’s 39 million beneficiaries, about 6.9 million are enrolled in
383 managed care organizations. We testified in September that HCFA, with
assistance from a contractor, performed a risk assessment of 425 managed
care organizations69 using certification statements and associated
qualifications and other criteria.70 HCFA’s June 1999 risk assessment
concluded that 94 managed care organizations were high risk (22 percent),
314 were medium risk (74 percent), and 17 were low risk (4 percent). Also,
as of September 2, 1999, HCFA had received business continuity and
contingency plans from 310 of the 383 managed care organizations. Its
review of these 310 plans concluded that 69 percent needed major
improvement, 18 percent needed minor improvement, and 13 percent were
reasonable.




69
 Since July 1999, the number of managed care organizations decreased from 425 to 383,
because 52 left the Medicare program while 10 new managed care organizations joined.
70
 GAO/T-AIMD-99-299, September 27, 1999.




Page 33                                                               GAO/T-AIMD-00-37
With respect to biomedical equipment, on June 10 we testified71 that, in
response to our September 1998 recommendation, 72 HHS, in conjunction
with the Department of Veterans Affairs, had established a clearinghouse
on biomedical equipment. As we recently testified, as of October 4, 1999,
4,288 biomedical equipment manufacturers had submitted data to the
clearinghouse.73 About 61 percent of these manufacturers reported having
products that do not employ dates and about 8 percent (342
manufacturers) reported having date-related problems such as an incorrect
display of date/time. According to the Food and Drug Administration, a
component agency of HHS, the 342 manufacturers reported 1,035 specific
products with date-related problems. However, not all compliance
information was available on the clearinghouse because the clearinghouse
referred the user to 429 manufacturers’ web sites. Accordingly, we
reviewed the web sites of these manufacturers and testified in October that
we found a total of 32,598 products.74 Of these products, 17,505 were
reported as not employing a date, 9,585 were reported as compliant,
4,053 were shown as not compliant, and the compliance status of 1,455 was
unknown.

In addition to the establishment of a clearinghouse, our September 1998
report75 also recommended that HHS and the Department of Veterans
Affairs take prudent steps to jointly review manufacturers’ test results for
critical care/life support biomedical equipment. We were especially
concerned that the departments review test results for equipment
previously deemed to be noncompliant but now deemed by manufacturers
to be compliant, or equipment for which concerns about compliance
remained. In May 1999 as well the Food and Drug Administration
announced that it planned to develop a list of critical care/life support


71
  Year 2000 Computing Challenge: Concerns About Compliance Information on Biomedical
Equipment (GAO/T-AIMD-99-209, June 10, 1999).
72
 Year 2000 Computing Crisis: Compliance Status of Many Biomedical Equipment Items Still
Unknown (GAO/AIMD-98-240, September 18, 1998).
73
  Year 2000 Computing Challenge: Compliance Status Information on Biomedical Equipment
(GAO/T-AIMD-00-26, October 21, 1999).
74
 Because of limitations in many of the manufacturers’ web sites, our ability to determine
the total number of biomedical equipment products reported and their compliance status
was impaired. Accordingly, the actual number of products reported by the manufacturers
could be significantly higher than the 32,598 products that we counted.
75
 GAO/AIMD-98-240, September 18, 1998.




Page 34                                                                 GAO/T-AIMD-00-37
medical devices and the manufacturers of these devices, select a sample of
manufacturers for review, and hire a contractor to develop a program to
assess manufacturers’ activities to identify and correct Year 2000 problems
for these medical devices. In addition, if the results of this review indicated
a need for further review of manufacturer activities, the contractor would
review a portion of the remaining manufacturers not yet reviewed.

The Food and Drug Administration identified 90 types of products that it
refers to as computer-controlled, potentially high-risk devices, and
identified 803 manufacturing sites that produce equipment sold in the
United States. Of these sites, a Food and Drug Administration contractor
completed 80 site visits and had prepared 62 assessment reports. We
reviewed 25 manufacturer site visit reports that were completed by the
examiners and available to us as of September 10, 1999. For 20 of these
assessments, the examiners’ assessed concern was low. At the 5 remaining
manufacturers’ sites, the examiner found at least one item of moderate
concern, such as test planning and procedures. According to the survey
project manager, the areas identified in the site visit reports as medium risk
do not constitute a risk to patient health or safety.

In testimony on October 28,76 we also reported on the results of a
Department of Veterans Affairs survey of 517 companies classified as
“pharmaceutical firms,” “pharmaceutical, other firms,” and “medical-
surgical firms.” As of August 1, of the 186 “pharmaceutical firms” that
responded to the survey, 30 percent reported that they were Year 2000
compliant. Of the 72 “pharmaceutical, other firms” that responded to the
survey, 39 percent were compliant. Finally, of the 259 “medical-surgical
firms” that responded, 56 percent reported that they were compliant.




76
 GAO/T-AIMD-00-39, October 28,1999.




Page 35                                                       GAO/T-AIMD-00-37
International: In addition to the risks associated with the nation’s key
economic sectors, one of the largest and most uncertain areas of risk
relates to the global nature of the problem. On October 21, we testified that
through its leadership of the President’s Council’s International Relations
Working Group, the State Department has worked to increase awareness of
the Year 2000 problem throughout the world, collected and shared
information on the problem with other federal agencies and foreign
nations, and encouraged the remediation of faulty computer systems. 77
Similarly, we found that the U.S. Agency for International Development had
devoted resources to assessing what Year 2000 problems could occur at
many of its worldwide missions and on projects that it has funded that are
currently underway within the countries where these missions are located.
The collective efforts of State and the U.S. Agency for International
Development to analyze international Year 2000 readiness have shown that
some countries will simply not make their Year 2000 deadlines and, in fact,
are likely to suffer disruptions in critical infrastructure-related services
such as power, water, and finance.

The impact of Year 2000-induced failures in foreign countries could
adversely affect the United States, particularly as it relates to the supply
chain. To address the international supply chain issue, in January 1999 we
suggested78 that the President’s Council on Year 2000 Conversion prioritize
trade and commerce activities that are critical to the nation’s well-being
(e.g., oil, food, pharmaceuticals) and, working with the private sector,
identify options for obtaining these materials through alternative avenues
in the event that Year 2000-induced failures in the other country or in the
transportation sector prevent these items from reaching the United States.
In commenting on this suggestion, the Chair stated that the Council had
(1) worked with federal agencies to identify sectors with the greatest
dependence on international trade, (2) held industry roundtable
discussions with the pharmaceutical and food supply sectors, and
(3) hosted bilateral and trilateral meetings with the Council’s counterparts
in Canada and Mexico—the United States’ largest trading partners.

In summary, while much improvement has been shown, additional work
remains at the national, federal, state, and local levels to ensure that major


77
  Year 2000 Computing Challenge: State and USAID Need to Strengthen Business Continuity
Planning (GAO/T-AIMD-00-25, October 21, 1999).
78
 GAO/T-AIMD-99-50, January 20, 1999.




Page 36                                                              GAO/T-AIMD-00-37
           service disruptions do not occur. Specifically, remediation must be
           completed, end-to-end testing performed, and business continuity and
           contingency plans and Day One strategies developed and validated. Similar
           actions remain to be completed by the nation’s key sectors. Whether the
           United States successfully confronts the Year 2000 challenge will largely
           depend on the success of federal, state, and local governments, as well as
           the private sector working together to complete these actions. Accordingly,
           strong leadership and partnerships must be maintained to ensure that the
           needs of the public are met at the turn of the century.

           Ms. Chairwoman, Mr. Chairman, this concludes my statement. I would be
           pleased to respond to any questions that you or other members of the
           Subcommittees may have at this time.



Contacts   For information about this testimony, please contact Joel Willemssen at
           (202) 512-6253 or by e-mail at willemssenj.aimd@gao.gov.




           Page 37                                                    GAO/T-AIMD-00-37
Appendix I

GAO Reports and Testimony Addressing the
Year 2000 Crisis                                                                                Appendx
                                                                                                      Ii




Overall Year 2000   Year 2000 Computing Challenge: Federal Government Making Progress But
                    Critical Issues Must Still Be Addressed to Minimize Disruptions
Issues              (GAO/T-AIMD-99-144, April 14, 1999)

                    Year 2000 Computing Crisis: Additional Work Remains to Ensure Delivery
                    of Critical Services (GAO/T-AIMD-99-143, April 13, 1999)

                    High-Risk Series: An Update (GAO/HR-99-1, January 1999)

                    Year 2000 Computing Crisis: Readiness Improving, But Much Work
                    Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20, 1999)

                    Year 2000 Computing Challenge: Readiness Improving, But Critical Risks
                    Remain (GAO/T-AIMD-99-49, January 20, 1999)

                    Year 2000 Computing Crisis: Actions Must Be Taken Now to Address Slow
                    Pace of Federal Progress (GAO/T-AIMD-98-205, June 10, 1998)

                    Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for
                    Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, 1998)

                    Year 2000 Computing Crisis: Strong Leadership Needed to Avoid Disruption
                    of Essential Services (GAO/T-AIMD-98-117, March 24, 1998)

                    Year 2000 Computing Crisis: Strong Leadership and Effective Public/Private
                    Cooperation Needed to Avoid Major Disruptions (GAO/T-AIMD-98-101,
                    March 18, 1998)

                    Year 2000 Computing Crisis: Success Depends Upon Strong Management
                    and Structured Approach (GAO/T-AIMD-97-173, September 25, 1997)

                    Year 2000 Computing Crisis: Time is Running Out for Federal Agencies to
                    Prepare for the New Millennium (GAO/T-AIMD-97-129, July 10, 1997)

                    Year 2000 Computing Crisis: Risk of Serious Disruption to Essential
                    Government Functions Calls for Agency Action Now (GAO/T-AIMD-97-52,
                    February 27, 1997)

                    Year 2000 Computing Crisis: Strong Leadership Today Needed To Prevent
                    Future Disruption of Government Services (GAO/T-AIMD-97-51,
                    February 24, 1997)




                    Page 38                                                    GAO/T-AIMD-00-37
                      Appendix I
                      GAO Reports and Testimony Addressing the
                      Year 2000 Crisis




                      High-Risk Series: Information Management and Technology (GAO/HR-97-9,
                      February 1997)



Banking and Finance   Year 2000: State Insurance Regulators Face Challenges in Determining
                      Industry Readiness (GAO/GGD-99-87, April 30, 1999)

                      Year 2000: Financial Institution and Regulatory Efforts to Address
                      International Risks (GAO/GGD-99-62, April 27, 1999)

                      Year 2000 Computing Crisis: Federal Reserve Has Established Effective
                      Year 2000 Management Controls for Internal Systems Conversion
                      (GAO/AIMD-99-78, April 9, 1999)

                      Insurance Industry: Regulators Are Less Active in Encouraging and
                      Validating Year 2000 Preparedness (GAO/T-GGD-99-56, March 11, 1999)

                      Year 2000 Computing Crisis: Federal Depository Institution Regulators Are
                      Making Progress, But Challenges Remain (GAO/T-AIMD-98-305,
                      September 17, 1998)

                      Year 2000 Computing Crisis: Federal Reserve Is Acting to Ensure Financial
                      Institutions Are Fixing Systems But Challenges Remain
                      (GAO/AIMD-98-248, September 17, 1998)

                      Securities Pricing: Actions Needed for Conversion to Decimals
                      (GAO/T-GGD-98-121, May 8, 1998)

                      Year 2000 Computing Crisis: Federal Regulatory Efforts to Ensure Financial
                      Institution Systems Are Year 2000 Compliant (GAO/T-AIMD-98-116,
                      March 24, 1998)

                      Year 2000 Computing Crisis: Office of Thrift Supervision’s Efforts to Ensure
                      Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102, March 18,
                      1998)

                      Post-Hearing Questions on the Federal Deposit Insurance Corporation’s
                      Year 2000 (Y2K) Preparedness (AIMD-98-108R, March 18, 1998)

                      SEC Year 2000 Report: Future Reports Could Provide More Detailed
                      Information (GAO/GGD/AIMD-98-51, March 6, 1998)




                      Page 39                                                     GAO/T-AIMD-00-37
                       Appendix I
                       GAO Reports and Testimony Addressing the
                       Year 2000 Crisis




                       Year 2000 Computing Crisis: Federal Deposit Insurance Corporation’s
                       Efforts to Ensure Bank Systems Are Year 2000 Compliant
                       (GAO/T-AIMD-98-73, February 10, 1998)

                       Year 2000 Computing Crisis: Actions Needed to Address Credit Union
                       Systems’ Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998)

                       Year 2000 Computing Crisis: National Credit Union Administration’s Efforts
                       to Ensure Credit Union Systems Are Year 2000 Compliant
                       (GAO/T-AIMD-98-20, October 22, 1997)



Telecommunications     Year 2000 Computing Crisis: Readiness of the Telecommunications
                       Industry (GAO/AIMD-99-293, September 30, 1999)

                       GSA’s Effort to Develop Year 2000 Business Continuity and Contingency
                       Plans for Telecommunications Systems (GAO/AIMD-99-201R, June 16,
                       1999)

                       Year 2000 Computing Crisis: Telecommunications Readiness Critical, Yet
                       Overall Status Largely Unknown (GAO/T-AIMD-98-212, June 16, 1998)



Power Generation and   Y2K Computing Challenge: Nuclear Power Industry Reported Nearly
                       Ready; More Risk Reduction Measures Can Be Taken (GAO/T-AIMD-00-27,
Distribution           October 26, 1999)

                       Year 2000 Computing Crisis: Readiness of the Oil and Gas Industries
                       (GAO/AIMD-99-162, May 19, 1999)

                       Year 2000 Computing Crisis: Readiness of the Electric Power Industry
                       (GAO/AIMD-99-114, April 6, 1999)

                       Year 2000 Readiness: NRC’s Proposed Approach Regarding Nuclear
                       Powerplants (GAO/AIMD-98-90R, March 6, 1998)



Safety and Emergency   Year 2000 Computing Challenge: FBI Needs to Complete Business
                       Continuity Plans (GAO/AIMD-00-11, October 22, 1999)
Services


                       Page 40                                                    GAO/T-AIMD-00-37
                 Appendix I
                 GAO Reports and Testimony Addressing the
                 Year 2000 Crisis




                 Year 2000 Computing Challenge: DEA Has Developed Plans and
                 Established Controls for Business Continuity Planning (GAO/AIMD-00-8,
                 October 14, 1999)

                 Emergency and State and Local Law Enforcement Systems: Committee
                 Questions Concerning Year 2000 Challenges (GAO/AIMD-99-247R, July 14,
                 1999)

                 Year 2000 Computing Challenge: Status of Emergency and State and Local
                 Law Enforcement Systems Is Still Unknown (GAO/T-AIMD-99-163, April 29,
                 1999)

                 Year 2000 Computing Crisis: Status of Bureau of Prisons’ Year 2000 Efforts
                 (GAO/AIMD-99-23, January 27, 1999)



Water            Year 2000 Computing Crisis: Status of the Water Industry
                 (GAO/AIMD-99-151, April 21, 1999)



Transportation   Year 2000 Computing Challenge: FAA Continues to Make Important Strides,
                 But Vulnerabilities Remain (GAO/T-AIMD-99-285, September 9, 1999)

                 Year 2000 Computing Crisis: FAA Is Making Progress But Important
                 Challenges Remain (GAO/T-AIMD/RCED-99-118, March 15, 1999)

                 Year 2000 Computing Crisis: Status of Airports’ Efforts to Deal With Date
                 Change Problem (GAO/RCED/AIMD-99-57, January 29, 1999)

                 Status Information: FAA’s Year 2000 Business Continuity and Contingency
                 Planning Efforts Are Ongoing (GAO/AIMD-99-40R, December 4, 1998)

                 Responses to Questions on FAA’s Computer Security and Year 2000
                 Program (GAO/AIMD-98-301R, September 14, 1998)

                 FAA Systems: Serious Challenges Remain in Resolving Year 2000 and
                 Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998)

                 Air Traffic Control: FAA Plans to Replace Its Host Computer System
                 Because Future Availability Cannot Be Assured (GAO/AIMD-98-138R,
                 May 1, 1998)



                 Page 41                                                    GAO/T-AIMD-00-37
         Appendix I
         GAO Reports and Testimony Addressing the
         Year 2000 Crisis




         Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent Systems
         Failures (GAO/T-AIMD-98-63, February 4, 1998)

         FAA Computer Systems: Limited Progress on Year 2000 Issue Increases
         Risk Dramatically (GAO/AIMD-98-45, January 30, 1998)



Health   Year 2000 Computing Challenge: Compliance Status Information on
         Biomedical Equipment (GAO/T-AIMD-00-26, October 21, 1999)

         Reported Medicaid Year 2000 Readiness (GAO/AIMD-00-22R, October 5,
         1999)

         Year 2000 Computing Challenge: HCFA Action Needed to Address
         Remaining Medicare Issues (GAO/T-AIMD-99-299, September 27, 1999)

         Year 2000 Computing Crisis: Status of Medicare Providers Unknown
         (GAO/AIMD-99-243, July 28, 1999)

         Year 2000 Computing Challenge: Concerns About Compliance Information
         on Biomedical Equipment (GAO/T-AIMD-99-209, June 10, 1999)

         Year 2000 Computing Challenge: Much Biomedical Equipment Status
         Information Available, Yet Concerns Remain (GAO/T-AIMD-99-197, May 25,
         1999)

         Year 2000 Computing Crisis: Readiness of Medicare and the Health Care
         Sector (GAO/T-AIMD-99-160, April 27, 1999)

         Year 2000 Computing Crisis: Action Needed to Ensure Continued Delivery
         of Veterans Benefits and Health Care Services (GAO/T-AIMD-99-136,
         April 15, 1999)

         Year 2000 Computing Crisis: Readiness Status of the Department of Health
         and Human Services (GAO/T-AIMD-99-92, February 26, 1999)

         Year 2000 Computing Crisis: Medicare and the Delivery of Health Services
         Are at Risk (GAO/T-AIMD-99-89, February 24, 1999)

         Medicare Computer Systems: Year 2000 Challenges Put Benefits and
         Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998)




         Page 42                                                   GAO/T-AIMD-00-37
                     Appendix I
                     GAO Reports and Testimony Addressing the
                     Year 2000 Crisis




                     Year 2000 Computing Crisis: Leadership Needed to Collect and Disseminate
                     Critical Biomedical Equipment Information (GAO/T-AIMD-98-310,
                     September 24, 1998)

                     Year 2000 Computing Crisis: Compliance Status of Many Biomedical
                     Equipment Items Still Unknown (GAO/AIMD-98-240, September 18, 1998)

                     Veterans Health Administration Facility Systems: Some Progress Made In
                     Ensuring Year 2000 Compliance, But Challenges Remain
                     (GAO/AIMD-98-31R, November 7, 1997)

                     Medicare Transaction System: Success Depends Upon Correcting Critical
                     Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16, 1997)

                     Medicare Transaction System: Serious Managerial and Technical
                     Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997)



Revenue Collection   IRS’ Year 2000 Efforts: Actions Are Under Way to Help Ensure That
                     Contingency Plans Are Complete and Consistent (GAO/GGD-99-176,
                     September 14, 1999)

                     Year 2000 Computing Crisis: Customs is Making Good Progress
                     (GAO/T-AIMD-99-225, June 29, 1999)

                     Tax Administration: IRS’ Fiscal Year 2000 Budget Request and 1999 Tax
                     Filing Season (GAO/T-GGD/AIMD-99-140, April 13, 1999).

                     Year 2000 Computing Crisis: Customs Has Established Effective Year 2000
                     Program Controls (GAO/AIMD-99-37, March 29, 1999)

                     IRS’ Year 2000 Efforts: Status and Remaining Challenges
                     (GAO/T-GGD-99-35, February 24, 1999)

                     Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000
                     Program (GAO/T-AIMD-99-85, February 24, 1999)

                     Internal Revenue Service: Impact of the IRS Restructuring and Reform Act
                     on Year 2000 Efforts (GAO/GGD-98-158R, August 4, 1998)

                     IRS’ Year 2000 Efforts: Business Continuity Planning Needed for Potential
                     Year 2000 System Failures (GAO/GGD-98-138, June 15, 1998)



                     Page 43                                                   GAO/T-AIMD-00-37
                   Appendix I
                   GAO Reports and Testimony Addressing the
                   Year 2000 Crisis




                   IRS’ Year 2000 Efforts: Status and Risks (GAO/T-GGD-98-123, May 7, 1998)

                   Tax Administration: IRS’ Fiscal Year 1999 Budget Request and Fiscal Year
                   1998 Filing Season (GAO/T-GGD/AIMD-98-114, March 31, 1998)



Benefit Payments   Year 2000 Computing Challenge: Update on the Readiness of the
                   Department of Veterans Affairs (GAO/T-AIMD-00-39, October 28, 1999)

                   Reported Y2K Readiness of State Employment Security Agencies’
                   Unemployment Insurance Benefits and Tax Systems (GAO/AIMD-00-28R,
                   October 28, 1999)

                   Year 2000 Computing Challenge: Readiness of USDA High-Impact Programs
                   Improving, But More Action Is Needed (GAO/AIMD-99-284, September 30,
                   1999)

                   Social Security Administration: Update on Year 2000 and Other Key
                   Information Technology Initiatives (GAO/T-AIMD-99-259, July 29, 1999)

                   Year 2000 Computing Crisis: Actions Needed to Ensure Continued Delivery
                   of Veterans Benefits and Health Care Services (GAO/AIMD-99-190R,
                   June 11, 1999)

                   VA Y2K Challenges: Responses to Post-Testimony Questions
                   (GAO/AIMD-99-199R, May 24, 1999)

                   Year 2000 Computing Challenge: Education Taking Needed Actions But
                   Work Remains (GAO/T-AIMD-99-180, May 12, 1999)

                   Year 2000 Computing Challenge: Labor Has Progressed But Selected
                   Systems Remain at Risk (GAO/T-AIMD-99-179, May 12, 1999)

                   Year 2000 Computing Crisis: Key Actions Remain to Ensure Delivery of
                   Veterans Benefits and Health Services (GAO/T-AIMD-99-152, April 20, 1999)

                   Year 2000 Computing Crisis: Update on the Readiness of the Social Security
                   Administration (GAO/T-AIMD-99-90, February 24, 1999)

                   Year 2000 Computing Crisis: Updated Status of Department of Education’s
                   Information Systems (GAO/T-AIMD-99-8, October 8, 1998)




                   Page 44                                                    GAO/T-AIMD-00-37
                    Appendix I
                    GAO Reports and Testimony Addressing the
                    Year 2000 Crisis




                    Year 2000 Computing Crisis: Significant Risks Remain to Department of
                    Education’s Student Financial Aid Systems (GAO/T-AIMD-98-302,
                    September 17, 1998)

                    Year 2000 Computing Crisis: Progress Made at Department of Labor, But
                    Key Systems at Risk (GAO/T-AIMD-98-303, September 17, 1998)

                    Year 2000 Computing Crisis: Progress Made in Compliance of VA Systems,
                    But Concerns Remain (GAO/AIMD-98-237, August 21, 1998)

                    Social Security Administration: Subcommittee Questions Concerning
                    Information Technology Challenges Facing the Commissioner
                    (GAO/AIMD-98-235R, July 10, 1998)

                    Year 2000 Computing Crisis: Continuing Risks of Disruption to Social
                    Security, Medicare, and Treasury Programs (GAO/T-AIMD-98-161, May 7,
                    1998)

                    Social Security Administration: Significant Progress Made in Year 2000
                    Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997)

                    Veterans Affairs Computer Systems: Action Underway Yet Much Work
                    Remains To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174, September 25,
                    1997)

                    Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits
                    Depends on Timely Correction of Year-2000 Problems
                    (GAO/T-AIMD-97-114, June 26, 1997)

                    Veterans Benefits Computer Systems: Risks of VBA’s Year-2000 Efforts
                    (GAO/AIMD-97-79, May 30, 1997)



National Security   Year 2000 Computing Challenge: State and USAID Need to Strengthen
                    Business Continuity Planning (GAO/T-AIMD-00-25, October 21, 1999)

                    Defense Computers: DOD Y2K Functional End-to-End Testing Progress and
                    Test Event Management (GAO/AIMD-00-12, October 18, 1999)

                    Nuclear Weapons: Year 2000 Status of the Nation’s Nuclear Weapons
                    Stockpile (GAO/RCED-99-272R, August 20, 1999)




                    Page 45                                                    GAO/T-AIMD-00-37
Appendix I
GAO Reports and Testimony Addressing the
Year 2000 Crisis




Defense Computers: Management Controls Are Critical To Effective Year
2000 Testing (GAO/AIMD-99-172, June 30, 1999)

Year 2000 Computing Crisis: Defense Has Made Progress, But Additional
Management Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999)

Defense Information Management: Continuing Implementation Challenges
Highlight the Need for Improvement (GAO/T-AIMD-99-93, February 25,
1999)

Defense Computers: DOD’s Plan for Execution of Simulated Year 2000
Exercises (GAO/AIMD-99-52R, January 29, 1999)

Year 2000 Computing Crisis: State Department Needs To Make
Fundamental Improvements To Its Year 2000 Program (GAO/AIMD-98-162,
August 28, 1998)

Defense Computers: Year 2000 Computer Problems Put Navy Operations At
Risk (GAO/AIMD-98-150, June 30, 1998)

Defense Computers: Army Needs to Greatly Strengthen Its Year 2000
Program (GAO/AIMD-98-53, May 29, 1998)

Defense Computers: Year 2000 Computer Problems Threaten DOD
Operations (GAO/AIMD-98-72, April 30, 1998)

Defense Computers: Air Force Needs to Strengthen Year 2000 Oversight
(GAO/AIMD-98-35, January 16, 1998)

Defense Computers: Technical Support Is Key to Naval Supply Year 2000
Success (GAO/AIMD-98-7R, October 21, 1997)

Defense Computers: LSSC Needs to Confront Significant Year 2000 Issues
(GAO/AIMD-97-149, September 26, 1997)

Defense Computers: SSG Needs to Sustain Year 2000 Progress
(GAO/AIMD-97-120R, August 19, 1997)

Defense Computers: Improvements to DOD Systems Inventory Needed for
Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997)




Page 46                                                 GAO/T-AIMD-00-37
                   Appendix I
                   GAO Reports and Testimony Addressing the
                   Year 2000 Crisis




                   Defense Computers: Issues Confronting DLA in Addressing Year 2000
                   Problems (GAO/AIMD-97-106, August 12, 1997)

                   Defense Computers: DFAS Faces Challenges in Solving the Year 2000
                   Problem (GAO/AIMD-97-117, August 11, 1997)



Other Government   Year 2000 Computing Challenge: Financial Management Service Has
                   Established Effective Year 2000 Testing Controls (GAO/AIMD-00-24,
Services           October 29, 1999)

                   Year 2000 Computing Challenge: SBA Needs to Strengthen Systems Testing
                   to Ensure Readiness (GAO/AIMD-99-265, August 27, 1999)

                   Year 2000 Computing Challenge: OPM Has Made Progress on Business
                   Continuity Planning (GAO/GGD-99-66, May 24, 1999)

                   Year 2000 Computing Crisis: USDA Needs to Accelerate Time Frames for
                   Completing Contingency Planning (GAO/AIMD-99-178, May 21, 1999)

                   Year 2000 Computing Challenge: Time Issues Affecting the Global
                   Positioning System (GAO/T-AIMD-99-187, May 12, 1999)

                   U.S. Postal Service: Subcommittee Questions Concerning Year 2000
                   Challenges Facing the Service (GAO/AIMD-99-150R, April 23, 1999)

                   Department of Commerce: National Weather Service Modernization and
                   NOAA Fleet Issues (GAO/T-AIMD/GGD-99-97, February 24, 1999)

                   Year 2000 Computing Crisis: Challenges Still Facing the U.S. Postal Service
                   (GAO/T-AIMD-99-86, February 23, 1999)

                   Year 2000 Computing: EFT 99 Is Not Expected to Affect Year 2000
                   Remediation Efforts (GAO/AIMR-98-272R, August 28, 1998)

                   Year 2000 Computing Crisis: USDA Faces Tremendous Challenges in
                   Ensuring That Vital Public Services Are Not Disrupted
                   (GAO/T-AIMD-98-167, May 14, 1998)

                   Department of the Interior: Year 2000 Computing Crisis Presents Risk of
                   Disruption to Key Operations (GAO/T-AIMD-98-149, April 22, 1998)




                   Page 47                                                    GAO/T-AIMD-00-37
                  Appendix I
                  GAO Reports and Testimony Addressing the
                  Year 2000 Crisis




State and Local   Year 2000 Computing Challenge: Readiness of Key State-Administered
                  Federal Programs (GAO/T-AIMD-00-9, October 6, 1999)
Government
                  Year 2000 Computing Challenge: Status of the District of Columbia’s Efforts
                  to Renovate Systems and Develop Contingency and Continuity Plans
                  (GAO/T-AIMD-99-297, September 24, 1999)

                  Year 2000 Computing Challenge: The District of Columbia Cannot Reliably
                  Track Y2K Costs (GAO/T-AIMD-99-298, September 24, 1999)

                  Reported Year 2000 (Y2K) Readiness Status of 25 Large School Districts
                  (GAO/AIMD-99-296R, September 21, 1999)

                  Year 2000 Computing Challenge: Readiness Improving Yet Essential
                  Actions Remain to Ensure Delivery of Critical Services
                  (GAO/T-AIMD-99-268, August 17, 1999)

                  Year 2000 Computing Challenge: Important Progress Made, But Much Work
                  Remains to Avoid Disruption of Critical Services (GAO/T-AIMD-99-267,
                  August 14, 1999)

                  Year 2000 Computing Challenge: Important Progress Made, Yet Much Work
                  Remains to Ensure Delivery of Critical Services (GAO/T-AIMD-99-266,
                  August 13, 1999)

                  Reported Y2K status of the 21 Largest U.S. Cities (GAO/AIMD-99-246R,
                  July 15, 1999)

                  Year 2000 Computing Challenge: Federal Efforts to Ensure Continued
                  Delivery of Key State-Administered Benefits (GAO/T-AIMD-99-241, July 15,
                  1999)

                  Year 2000 Computing Challenge: Important Progress Made, Yet Much Work
                  Remains to Avoid Disruption of Critical Services (GAO/T-AIMD-99-234,
                  July 9, 1999)

                  Year 2000 Computing Challenge: Readiness Improving Yet Avoiding
                  Disruption of Critical Services Will Require Additional Work
                  (GAO/T-AIMD-99-233, July 8, 1999)




                  Page 48                                                    GAO/T-AIMD-00-37
Appendix I
GAO Reports and Testimony Addressing the
Year 2000 Crisis




Year 2000 Computing Challenge: Readiness Improving But Much Work
Remains to Avoid Disruption of Critical Services (GAO/T-AIMD-99-232,
July 7, 1999)

Year 2000 Computing Challenge: Delivery of Key Benefits Hinges on States’
Achieving Compliance (GAO/T-AIMD/GGD-99-221, June 23, 1999)

Year 2000 Computing Crisis: Readiness Improving But Much Work Remains
To Ensure Delivery of Critical Services (GAO/T-AIMD-99-149, April 19,
1999)

Year 2000 Computing Crisis: Readiness of State Automated Systems That
Support Federal Human Services Programs (GAO/T-AIMD-99-91,
February 24, 1999)

Year 2000 Computing Crisis: The District of Columbia Remains Behind
Schedule (GAO/T-AIMD-99-84, February 19, 1999)

Year 2000 Computing Crisis: Readiness of State Automated Systems to
Support Federal Welfare Programs (GAO/AIMD-99-28, November 6, 1998)

Year 2000 Computing Crisis: The District of Columbia Faces Tremendous
Challenges in Ensuring That Vital Services Are Not Disrupted
(GAO/T-AIMD-99-4, October 2, 1998)

Year 2000 Computing Crisis: Severity of Problem Calls for Strong
Leadership and Effective Partnerships (GAO/T-AIMD-98-278, September 3,
1998)

Year 2000 Computing Crisis: Strong Leadership and Effective Partnerships
Needed to Reduce Likelihood of Adverse Impact (GAO/T-AIMD-98-277,
September 2, 1998)

Year 2000 Computing Crisis: Strong Leadership and Effective Partnerships
Needed to Mitigate Risks (GAO/T-AIMD-98-276, September 1, 1998)

Year 2000 Computing Crisis: Avoiding Major Disruptions Will Require
Strong Leadership and Effective Partnerships (GAO/T-AIMD-98-267,
August 19, 1998)

Year 2000 Computing Crisis: Strong Leadership and Partnerships Needed to
Address Risk of Major Disruptions (GAO/T-AIMD-98-266, August 17, 1998)



Page 49                                                   GAO/T-AIMD-00-37
                       Appendix I
                       GAO Reports and Testimony Addressing the
                       Year 2000 Crisis




                       Year 2000 Computing Crisis: Strong Leadership and Partnerships Needed to
                       Mitigate Risk of Major Disruptions (GAO/T-AIMD-98-262, August 13, 1998)



Cross-Cutting Issues   Year 2000 Computing Challenge: Federal Business Continuity and
                       Contingency Plans and Day One Strategies (GAO/T-AIMD-00-40,
                       October 29, 1999)

                       Y2K Computing Challenge: Day One Planning and Operations Guide
                       (GAO/AIMD-10.1.22, October, 1999)

                       Critical Infrastructure Protection: Comprehensive Strategy Can Draw on
                       Year 2000 Experiences (GAO/AIMD-00-1, October 1, 1999)

                       Year 2000 Computing Challenge: Agencies’ Reporting of Mission-Critical
                       Classified Systems (GAO/AIMD-99-218, August 5, 1999)

                       Year 2000 Computing Challenge: Estimated Costs, Planned Uses of
                       Emergency Funding, and Future Implications (GAO/T-AIMD-99-214,
                       June 22, 1999).

                       Year 2000 Computing Crisis: Costs and Planned Use of Emergency Funds
                       (GAO/AIMD-99-154, April 28, 1999)

                       Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21,
                       November 1998)

                       Year 2000 Computing Crisis: Status of Efforts to Deal With Personnel Issues
                       (GAO/AIMD/GGD-99-14, October 22, 1998)

                       Year 2000 Computing Crisis: Business Continuity and Contingency Planning
                       (GAO/AIMD-10.1.19, August 1998)

                       Year 2000 Computing Crisis: Actions Needed on Electronic Data Exchanges
                       (GAO/AIMD-98-124, July 1, 1998)

                       Year 2000 Computing Crisis: Testing and Other Challenges Confronting
                       Federal Agencies (GAO/T-AIMD-98-218, June 22, 1998)

                       GAO Views on Year 2000 Testing Metrics (GAO/AIMD-98-217R, June 16,
                       1998)




                       Page 50                                                    GAO/T-AIMD-00-37
                   Appendix I
                   GAO Reports and Testimony Addressing the
                   Year 2000 Crisis




                   Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14,
                   September 1997)




(511813)   Leter   Page 51                                                GAO/T-AIMD-00-37
United States                       Bulk Mail
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested