United States General Accounting Office GAO Testimony Before the Subcommittee on Government Management, Information and Technology, House Committee on Government Reform and Oversight, and the Subcommittee on Technology, House Committee on Science For Release on Delivery Expected at 10 a.m. YEAR 2000 Thursday, July 10, 1997 COMPUTING CRISIS Time Is Running Out for Federal Agencies to Prepare for the New Millennium Statement of Joel C. Willemssen Director, Information Resources Management Accounting and Information Management Division GAO/T-AIMD-97-129 Mr. Chairman, Ms. Chairwoman, and Members of the Subcommittees: During the past 12 months, the year 2000 computing problem has received increased attention—and deservedly so—in large part thanks to the efforts of your Subcommittees. Much has happened since the initial congressional hearings on this matter were held just over a year ago on whether computer systems that support federal programs will be equipped to handle dates later than 1999. At that time, most federal agencies were just beginning to be aware of the year 2000 issue and its importance, and few had prepared plans for addressing it. Now, agencies report to the Office of Management and Budget (OMB) that they are in a much better position to resolve the year 2000 challenge before the actual change of millennium. However, while agencies have certainly made progress over the last year, we believe that the pace needs to be significantly accelerated if widespread systems problems are to be avoided as the year 2000 approaches. Our testimony today will describe the federal government’s strategy for addressing the year 2000 problem, and agencies’ reported status in resolving the issue. In addition, we will provide observations on federal efforts to date based on work we have completed at certain agencies and on our review of OMB’s implementation of the federal strategy, including year 2000 reports submitted by 24 federal agencies. The federal strategy for resolving the year 2000 computing crisis is Readiness for the Year detailed in a document OMB submitted on February 6 of this year to three 2000: The Federal House Committees: Government Reform and Oversight, Science, and Strategy Appropriations. The strategy is predicated on three assumptions: (1) senior agency managers will take whatever action is necessary to address the problem once they are aware of its potential consequences; (2) a single solution to the problem does not exist, and solving it requires modification or replacement of agency information systems; and (3) given the limited amount of time available, emphasis will be placed on mission-critical systems. At the department and agency level, this strategy relies on the recently established chief information officers, or CIOs, to direct year 2000 actions. To complement individual agency efforts, OMB is (1) requesting that departments and agencies submit quarterly reports on their progress, and Page 1 GAO/T-AIMD-97-129 (2) sharing management and technical expertise through its CIO Council and the Council’s Subcommittee on the Year 2000. In addition, OMB has set as the standard that agency year 2000 activities should adhere to industry best practices for the five delineated phases of an effective year 2000 program: awareness, assessment, renovation, validation, and implementation. In consonance with these phases, we have developed and disseminated an assessment guide to help agencies plan, manage, and evaluate their year 2000 programs.1 The guide provides information on the scope of the challenge and offers a structured approach for agencies to use. We are following the approach outlined in the guide for our reviews at selected agencies, and are encouraging others to use it as well. To date, we have received over 16,000 requests for copies. For each of the five phases, OMB has set the following governmentwide milestones for agencies to complete the majority of the work. OMB’s Governmentwide Year 2000 Milestones Phase Completion measure Completion date Awareness Agency strategy approved 12/96 by CIO Assessment Inventory and scope 3/97 completed System plans/schedules 6/97 approved by CIO Renovation Coding completed 12/98 Validation Management sign-off 1/99 Implementation Integrated testing 11/99 completed Source: OMB. On June 23, 1997, OMB transmitted its first quarterly report, dated May 15, Status of Agencies’ 1997, to selected congressional committees on the progress of federal Year 2000 Programs agencies in correcting the year 2000 problem.2 This report is based on the quarterly reports submitted by the individual departments and agencies, 1 Year 2000 Computing Crisis: An Assessment Guide [exposure draft] (GAO/AIMD-10.1.14, February 1997). 2 Getting Federal Computers Ready for 2000, Progress Report, U. S. Office of Management and Budget, May 15, 1997. Page 2 GAO/T-AIMD-97-129 which address questions of organizational responsibility, program status, cost, and mission-critical systems that are behind schedule. In its report, based on May 1997 agency estimates, OMB noted that agencies expect to spend about $2.75 billion correcting systems to be what is called year 2000 compliant. This is an increase of nearly $500 million, or about 20 percent, over the February 1997 estimate. OMB noted in its summary report that its next quarterly report will likely provide a higher cost estimate as more agencies complete the assessment phase. While acknowledging that much work remains, OMB—on the basis of the agency reports —expressed its belief that agencies had made a good start in addressing the problem. OMB further summarized that most agencies had completed or would shortly complete their assessments of the problem, many had begun systems renovation, and no mission-critical systems were reported to be behind schedule. The OMB report includes agency-specific schedules for completing the assessment, renovation, validation, and implementation phases of the year 2000 effort. Our accompanying chart, which appears at the end of this statement, summarizes those schedules. As shown on our chart, 18 of 24 departments and agencies reported that they would complete the assessment phase as of last month, the deadline in OMB’s governmentwide schedule. Six reported that they would not meet the assessment phase deadline: Defense, Transportation, Treasury, Veterans Affairs, the Agency for International Development (AID), and the Nuclear Regulatory Commission (NRC). The current estimated cost for achieving year 2000 compliance for these 6 entities is about $1.9 billion, or about 70 percent of the total for the 24 agencies. To complete the assessment phase, an agency needs to undertake a variety of activities. In our view these should include, at a minimum, (1) assessing the severity and timing of the impact of year 2000-induced failures; (2) developing a thorough inventory of all of its systems; (3) establishing priorities and schedules as to whether—and which—systems should be converted, replaced, or eliminated; (4) developing validation strategies and test plans; (5) addressing interface and data exchange issues; and (6) developing contingency plans for critical systems in the event of failure. Page 3 GAO/T-AIMD-97-129 Our evaluations of year 2000 readiness at component agencies of both the Department of Veterans Affairs—one of the six reporting to OMB that its assessment was still underway —and of Health and Human Services—which reported that this phase would be completed in June 1997—show that assessment activities have not yet been completed.3 For example, we recently testified that key readiness assessment processes at the Veterans Benefits Administration—including determining the potential severity of impact of the year 2000 on agency operations, inventorying information systems and their components, and developing contingency plans—had not been completed. The Department has indicated that it will complete its assessment next January.4 We also reported and testified this past May that the Health Care Financing Administration (HCFA)—a major component agency within the Department of Health and Human Services (HHS)—had not completed numerous critical assessment activities for the systems run by its contractors to process approximately $200 billion annually in Medicare claims.5 Specifically, HCFA had not required systems contractors to submit year 2000 plans for approval, and lacked contracts or other legal agreements detailing how or when the year 2000 problem would be corrected, or indeed whether contractors would even certify that they would correct the problem. We made several recommendations to HCFA to address its shortcomings in this area, including regular reporting to HHS on its progress. HHS reported in May that it expected to complete the assessment phase last month. As we have pointed out in earlier testimony, if systems that millions of Urgent Need to Americans have come to rely on for regular benefits malfunction, the Accelerate Agency ensuing delays could be disastrous.6 OMB’s perspective that agencies have Year 2000 Programs made a good start and that no mission-critical systems were reported to be behind schedule would seem to imply that there is no cause for alarm. On 3 We currently have ongoing year 2000 evaluations at the Department of Defense, Department of State, Social Security Administration, Federal Aviation Administration, and Internal Revenue Service; in addition, we will shortly begin work at the Veterans Health Administration. 4 Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits Depends on Timely Correction of Year 2000 Problems (GAO/T-AIMD-97-114, June 26, 1997) and Veterans Benefits Computer Systems: Risks of VBA’s Year 2000 Efforts (GAO/AIMD-97-79, May 30, 1997). 5 Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16, 1997) and Medicare Transaction System: Serious Managerial and Technical Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997). 6 Year 2000 Computing Crisis: Strong Leadership Today Needed To Prevent Future Disruption of Government Services (GAO/T-AIMD-97-51, Feb. 24, 1997). Page 4 GAO/T-AIMD-97-129 the contrary, we believe ample evidence exists that OMB and key federal agencies need to heighten their levels of concern and move with more urgency. A closer look reveals why. First, the agencies’ reported schedules show that most are leaving essentially no margin of error for unanticipated schedule delays; 15 of 24 expect to complete implementation in either November or December of 1999. This leaves only a matter of weeks, at most, if something should require more work before January 1, 2000. According to their own reports, six agencies, including four large departments, have already missed OMB’s June 1997 deadline for completion of assessment. Where assessments of mission criticality have not been completed, it is logical to assume that schedules for correcting those systems have not been made final. Given these factors, it is essential that OMB continue to monitor agency schedules to identify delays so that necessary action can be taken to enable programs to finish in time. Second, OMB’s perspective is based on agency self-reporting, which has not been independently validated. Indications are that agency reports may not be accurate; those saying that assessment has been completed include HHS which, as I have highlighted today, still has much to do. Third, entities may have interpreted mission-critical in various ways—even within departments. For example, the Department of the Army reports that 7 percent of its systems are mission-critical, yet the Defense Information Systems Agency, a Defense Department support agency, considers all of its systems—100 percent—to be mission-critical. A further look within Defense shows that almost two-thirds of over 2,750 “mission-critical” systems slated for repair are still in the assessment phase. And this excludes over 11,000 lower priority systems that are in varying stages of assessment. Fourth, OMB, in its governmentwide schedule, has established only 1 month—from December 1998 to January 1999—to complete validation. The validation phase is critical for thorough testing of all converted or replaced system components to (1) uncover any errors introduced during conversion or renovation, (2) validate year 2000 compliance, and (3) verify operational readiness. Without adequate testing, agencies can have no assurance that their solutions will actually work. According to the Gartner Group, a private research firm acknowledged for its expertise in year 2000 issues, activities such as unit and system testing could consume up to 40 percent of the time and resources dedicated to an entire year 2000 Page 5 GAO/T-AIMD-97-129 program. OMB’s timeline does not convey this message. Accordingly, agencies may perceive that OMB does not view testing and validation activities as especially critical, and that OMB may approve overly optimistic schedules. Beyond the major areas covered in agency reports to OMB and, in turn, in Other Critical OMB’s report to Committees of the Congress, other issues surrounding Readiness Issues That year 2000 readiness are quickly emerging that will be of major importance Demand High-Priority as agencies move farther along in their year 2000 programs. These include data interfaces and exchanges, systems prioritization, and contingency Attention planning. Our recent reports on year 2000 programs at the Veterans Benefits Administration and the Health Care Financing Administration include several recommendations to address these issues. Data exchange. Many agencies exchange data with hundreds if not thousands of external entities. Unless both parties to any exchange are year 2000 compliant, information systems and databases may easily be contaminated by coding embedded in noncompliant systems. To combat this, agencies must inventory and assess all internal and external data exchanges, make appropriate notifications and, if necessary, develop appropriate bridges or filters to maintain the integrity of replaced or converted systems and the data within them. Systems prioritization. It is becoming increasingly clear that agencies will likely be unable to correct all noncompliant systems before 2000. Accordingly, it is imperative that agencies set priorities, on the basis of mission needs and the timing and expected impact of year 2000-induced failures. Identification of mission-critical systems is not enough; each department’s and agency’s most important business activities must be given top priority to ensure their continued, uninterrupted operation. Contingency planning. Because the cost of systems failure—in terms beyond just the monetary—can be very high, contingency plans must be prepared so that core business functions will continue to be performed even if systems have not been made year 2000 compliant. We consider it essential that OMB emphasize in its ongoing oversight and monitoring these issues that we expect to grow in significance in the next 2 years. Page 6 GAO/T-AIMD-97-129 In closing, as we have reiterated previously, preparing for the year 2000 is much more of a management challenge than a technical one. Managers—in the agencies and in OMB—must ensure that the technical solutions are implemented on time. It can be done, and the public is depending on us to do it. Continuing congressional oversight, such as this hearing, will be an important catalyst to effective, timely actions to ensure that information systems are prepared for the year 2000. Mr. Chairman, Ms. Chairwoman, and Members of the Subcommittees, this concludes my statement. I would be pleased to respond to any questions you may have at this time. Page 7 GAO/T-AIMD-97-129 Agency Progress and Plans for Year-2000 GAO Compliance of Mission-Critical Systems 1996 1997 1998 1999 M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D Agriculture Agriculture Commerce Commerce Defense Defense Education Education Energy Energy HHS HHS HUD HUD Interior Interior Justice Justice Labor Labor State State Transportation Transportation Treasury Treasury Veterans Affairs Veterans Affairs AID TBD TBD AID EPA EPA FEMA FEMA GSA GSA NASA NASA NSF NSF NRC NRC OPM OPM SBA SBA SSA SSA Assessment OMB Milestones Renovation Assessment Renovation Validation Implementation Validation completed completed completed completed Implementation Source: OMB. (511225) Page 8 GAO/T-AIMD-97-129 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 6015 Gaithersburg, MD 20884-6015 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (301) 258-4066, or TDD (301) 413-0006. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with "info" in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov PRINTED ON RECYCLED PAPER United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: Time Is Running Out for Federal Agencies to Prepare for the New Millennium
Published by the Government Accountability Office on 1997-07-10.
Below is a raw (and likely hideous) rendition of the original report. (PDF)