oversight

Year 2000 Computing Crisis: Time Is Running Out for Federal Agencies to Prepare for the New Millennium

Published by the Government Accountability Office on 1997-07-10.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Government Management,
                          Information and Technology, House Committee on
                          Government Reform and Oversight, and the Subcommittee
                          on Technology, House Committee on Science

For Release on Delivery
Expected at
10 a.m.
                          YEAR 2000
Thursday,
July 10, 1997             COMPUTING CRISIS

                          Time Is Running Out for
                          Federal Agencies to Prepare
                          for the New Millennium
                          Statement of Joel C. Willemssen
                          Director, Information Resources Management
                          Accounting and Information Management Division




GAO/T-AIMD-97-129
                         Mr. Chairman, Ms. Chairwoman, and Members of the Subcommittees:

                         During the past 12 months, the year 2000 computing problem has received
                         increased attention—and deservedly so—in large part thanks to the efforts
                         of your Subcommittees. Much has happened since the initial congressional
                         hearings on this matter were held just over a year ago on whether
                         computer systems that support federal programs will be equipped to
                         handle dates later than 1999. At that time, most federal agencies were just
                         beginning to be aware of the year 2000 issue and its importance, and few
                         had prepared plans for addressing it.

                         Now, agencies report to the Office of Management and Budget (OMB) that
                         they are in a much better position to resolve the year 2000 challenge
                         before the actual change of millennium. However, while agencies have
                         certainly made progress over the last year, we believe that the pace needs
                         to be significantly accelerated if widespread systems problems are to be
                         avoided as the year 2000 approaches.

                         Our testimony today will describe the federal government’s strategy for
                         addressing the year 2000 problem, and agencies’ reported status in
                         resolving the issue. In addition, we will provide observations on federal
                         efforts to date based on work we have completed at certain agencies and
                         on our review of OMB’s implementation of the federal strategy, including
                         year 2000 reports submitted by 24 federal agencies.


                         The federal strategy for resolving the year 2000 computing crisis is
Readiness for the Year   detailed in a document OMB submitted on February 6 of this year to three
2000: The Federal        House Committees: Government Reform and Oversight, Science, and
Strategy                 Appropriations. The strategy is predicated on three assumptions:
                         (1) senior agency managers will take whatever action is necessary to
                         address the problem once they are aware of its potential consequences;
                         (2) a single solution to the problem does not exist, and solving it requires
                         modification or replacement of agency information systems; and (3) given
                         the limited amount of time available, emphasis will be placed on
                         mission-critical systems.

                         At the department and agency level, this strategy relies on the recently
                         established chief information officers, or CIOs, to direct year 2000 actions.
                         To complement individual agency efforts, OMB is (1) requesting that
                         departments and agencies submit quarterly reports on their progress, and




                         Page 1                                                      GAO/T-AIMD-97-129
                      (2) sharing management and technical expertise through its CIO Council
                      and the Council’s Subcommittee on the Year 2000.

                      In addition, OMB has set as the standard that agency year 2000 activities
                      should adhere to industry best practices for the five delineated phases of
                      an effective year 2000 program: awareness, assessment, renovation,
                      validation, and implementation. In consonance with these phases, we have
                      developed and disseminated an assessment guide to help agencies plan,
                      manage, and evaluate their year 2000 programs.1 The guide provides
                      information on the scope of the challenge and offers a structured
                      approach for agencies to use. We are following the approach outlined in
                      the guide for our reviews at selected agencies, and are encouraging others
                      to use it as well. To date, we have received over 16,000 requests for copies.

                      For each of the five phases, OMB has set the following governmentwide
                      milestones for agencies to complete the majority of the work.


                                            OMB’s Governmentwide Year 2000 Milestones
                      Phase                              Completion measure                           Completion date
                      Awareness                          Agency strategy approved                                  12/96
                                                         by CIO
                      Assessment                         Inventory and scope                                         3/97
                                                         completed

                                                         System plans/schedules                                      6/97
                                                         approved by CIO
                      Renovation                         Coding completed                                          12/98
                      Validation                         Management sign-off                                         1/99
                      Implementation                     Integrated testing                                        11/99
                                                         completed
                      Source: OMB.




                      On June 23, 1997, OMB transmitted its first quarterly report, dated May 15,
Status of Agencies’   1997, to selected congressional committees on the progress of federal
Year 2000 Programs    agencies in correcting the year 2000 problem.2 This report is based on the
                      quarterly reports submitted by the individual departments and agencies,


                      1
                        Year 2000 Computing Crisis: An Assessment Guide [exposure draft] (GAO/AIMD-10.1.14,
                      February 1997).
                      2
                        Getting Federal Computers Ready for 2000, Progress Report, U. S. Office of Management and Budget,
                      May 15, 1997.



                      Page 2                                                                        GAO/T-AIMD-97-129
which address questions of organizational responsibility, program status,
cost, and mission-critical systems that are behind schedule.

In its report, based on May 1997 agency estimates, OMB noted that
agencies expect to spend about $2.75 billion correcting systems to be what
is called year 2000 compliant. This is an increase of nearly $500 million, or
about 20 percent, over the February 1997 estimate. OMB noted in its
summary report that its next quarterly report will likely provide a higher
cost estimate as more agencies complete the assessment phase.

While acknowledging that much work remains, OMB—on the basis of the
agency reports —expressed its belief that agencies had made a good start
in addressing the problem. OMB further summarized that most agencies
had completed or would shortly complete their assessments of the
problem, many had begun systems renovation, and no mission-critical
systems were reported to be behind schedule.

The OMB report includes agency-specific schedules for completing the
assessment, renovation, validation, and implementation phases of the year
2000 effort. Our accompanying chart, which appears at the end of this
statement, summarizes those schedules.

As shown on our chart, 18 of 24 departments and agencies reported that
they would complete the assessment phase as of last month, the deadline
in OMB’s governmentwide schedule. Six reported that they would not
meet the assessment phase deadline: Defense, Transportation, Treasury,
Veterans Affairs, the Agency for International Development (AID), and the
Nuclear Regulatory Commission (NRC). The current estimated cost for
achieving year 2000 compliance for these 6 entities is about $1.9 billion, or
about 70 percent of the total for the 24 agencies.

To complete the assessment phase, an agency needs to undertake a variety
of activities. In our view these should include, at a minimum, (1) assessing
the severity and timing of the impact of year 2000-induced failures;
(2) developing a thorough inventory of all of its systems; (3) establishing
priorities and schedules as to whether—and which—systems should be
converted, replaced, or eliminated; (4) developing validation strategies and
test plans; (5) addressing interface and data exchange issues; and
(6) developing contingency plans for critical systems in the event of
failure.




Page 3                                                      GAO/T-AIMD-97-129
                     Our evaluations of year 2000 readiness at component agencies of both the
                     Department of Veterans Affairs—one of the six reporting to OMB that its
                     assessment was still underway —and of Health and Human
                     Services—which reported that this phase would be completed in June
                     1997—show that assessment activities have not yet been completed.3 For
                     example, we recently testified that key readiness assessment processes at
                     the Veterans Benefits Administration—including determining the potential
                     severity of impact of the year 2000 on agency operations, inventorying
                     information systems and their components, and developing contingency
                     plans—had not been completed. The Department has indicated that it will
                     complete its assessment next January.4

                     We also reported and testified this past May that the Health Care
                     Financing Administration (HCFA)—a major component agency within the
                     Department of Health and Human Services (HHS)—had not completed
                     numerous critical assessment activities for the systems run by its
                     contractors to process approximately $200 billion annually in Medicare
                     claims.5 Specifically, HCFA had not required systems contractors to
                     submit year 2000 plans for approval, and lacked contracts or other legal
                     agreements detailing how or when the year 2000 problem would be
                     corrected, or indeed whether contractors would even certify that they
                     would correct the problem. We made several recommendations to HCFA
                     to address its shortcomings in this area, including regular reporting to
                     HHS on its progress. HHS reported in May that it expected to complete the
                     assessment phase last month.


                     As we have pointed out in earlier testimony, if systems that millions of
Urgent Need to       Americans have come to rely on for regular benefits malfunction, the
Accelerate Agency    ensuing delays could be disastrous.6 OMB’s perspective that agencies have
Year 2000 Programs   made a good start and that no mission-critical systems were reported to be
                     behind schedule would seem to imply that there is no cause for alarm. On

                     3
                      We currently have ongoing year 2000 evaluations at the Department of Defense, Department of State,
                     Social Security Administration, Federal Aviation Administration, and Internal Revenue Service; in
                     addition, we will shortly begin work at the Veterans Health Administration.
                     4
                     Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits Depends on Timely
                     Correction of Year 2000 Problems (GAO/T-AIMD-97-114, June 26, 1997) and Veterans Benefits
                     Computer Systems: Risks of VBA’s Year 2000 Efforts (GAO/AIMD-97-79, May 30, 1997).
                     5
                      Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and Technical
                     Weaknesses (GAO/AIMD-97-78, May 16, 1997) and Medicare Transaction System: Serious Managerial
                     and Technical Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997).
                     6
                     Year 2000 Computing Crisis: Strong Leadership Today Needed To Prevent Future Disruption of
                     Government Services (GAO/T-AIMD-97-51, Feb. 24, 1997).



                     Page 4                                                                        GAO/T-AIMD-97-129
the contrary, we believe ample evidence exists that OMB and key federal
agencies need to heighten their levels of concern and move with more
urgency. A closer look reveals why.

First, the agencies’ reported schedules show that most are leaving
essentially no margin of error for unanticipated schedule delays; 15 of 24
expect to complete implementation in either November or December of
1999. This leaves only a matter of weeks, at most, if something should
require more work before January 1, 2000. According to their own reports,
six agencies, including four large departments, have already missed OMB’s
June 1997 deadline for completion of assessment. Where assessments of
mission criticality have not been completed, it is logical to assume that
schedules for correcting those systems have not been made final. Given
these factors, it is essential that OMB continue to monitor agency
schedules to identify delays so that necessary action can be taken to
enable programs to finish in time.

Second, OMB’s perspective is based on agency self-reporting, which has
not been independently validated. Indications are that agency reports may
not be accurate; those saying that assessment has been completed include
HHS which, as I have highlighted today, still has much to do.

Third, entities may have interpreted mission-critical in various ways—even
within departments. For example, the Department of the Army reports that
7 percent of its systems are mission-critical, yet the Defense Information
Systems Agency, a Defense Department support agency, considers all of
its systems—100 percent—to be mission-critical. A further look within
Defense shows that almost two-thirds of over 2,750 “mission-critical”
systems slated for repair are still in the assessment phase. And this
excludes over 11,000 lower priority systems that are in varying stages of
assessment.

Fourth, OMB, in its governmentwide schedule, has established only 1
month—from December 1998 to January 1999—to complete validation.
The validation phase is critical for thorough testing of all converted or
replaced system components to (1) uncover any errors introduced during
conversion or renovation, (2) validate year 2000 compliance, and (3) verify
operational readiness. Without adequate testing, agencies can have no
assurance that their solutions will actually work. According to the Gartner
Group, a private research firm acknowledged for its expertise in year 2000
issues, activities such as unit and system testing could consume up to
40 percent of the time and resources dedicated to an entire year 2000



Page 5                                                    GAO/T-AIMD-97-129
                        program. OMB’s timeline does not convey this message. Accordingly,
                        agencies may perceive that OMB does not view testing and validation
                        activities as especially critical, and that OMB may approve overly
                        optimistic schedules.


                        Beyond the major areas covered in agency reports to OMB and, in turn, in
Other Critical          OMB’s report to Committees of the Congress, other issues surrounding
Readiness Issues That   year 2000 readiness are quickly emerging that will be of major importance
Demand High-Priority    as agencies move farther along in their year 2000 programs. These include
                        data interfaces and exchanges, systems prioritization, and contingency
Attention               planning. Our recent reports on year 2000 programs at the Veterans
                        Benefits Administration and the Health Care Financing Administration
                        include several recommendations to address these issues.

                        Data exchange. Many agencies exchange data with hundreds if not
                        thousands of external entities. Unless both parties to any exchange are
                        year 2000 compliant, information systems and databases may easily be
                        contaminated by coding embedded in noncompliant systems. To combat
                        this, agencies must inventory and assess all internal and external data
                        exchanges, make appropriate notifications and, if necessary, develop
                        appropriate bridges or filters to maintain the integrity of replaced or
                        converted systems and the data within them.

                        Systems prioritization. It is becoming increasingly clear that agencies will
                        likely be unable to correct all noncompliant systems before 2000.
                        Accordingly, it is imperative that agencies set priorities, on the basis of
                        mission needs and the timing and expected impact of year 2000-induced
                        failures. Identification of mission-critical systems is not enough; each
                        department’s and agency’s most important business activities must be
                        given top priority to ensure their continued, uninterrupted operation.

                        Contingency planning. Because the cost of systems failure—in terms
                        beyond just the monetary—can be very high, contingency plans must be
                        prepared so that core business functions will continue to be performed
                        even if systems have not been made year 2000 compliant.

                        We consider it essential that OMB emphasize in its ongoing oversight and
                        monitoring these issues that we expect to grow in significance in the next
                        2 years.




                        Page 6                                                      GAO/T-AIMD-97-129
In closing, as we have reiterated previously, preparing for the year 2000 is
much more of a management challenge than a technical one.
Managers—in the agencies and in OMB—must ensure that the technical
solutions are implemented on time. It can be done, and the public is
depending on us to do it. Continuing congressional oversight, such as this
hearing, will be an important catalyst to effective, timely actions to ensure
that information systems are prepared for the year 2000.

Mr. Chairman, Ms. Chairwoman, and Members of the Subcommittees, this
concludes my statement. I would be pleased to respond to any questions
you may have at this time.




Page 7                                                      GAO/T-AIMD-97-129
                                       Agency Progress and Plans for Year-2000
           GAO                         Compliance of Mission-Critical Systems

                                       1996                 1997                     1998                           1999
                                 M J J A S O N D   J F M A M J J A S O N D   J F M A M J J A S O N D   J F M A M J J A S O N D
                  Agriculture                                                                                                         Agriculture
                   Commerce                                                                                                           Commerce
                     Defense                                                                                                          Defense
                    Education                                                                                                         Education
                       Energy                                                                                                         Energy
                         HHS                                                                                                          HHS
                        HUD                                                                                                           HUD
                      Interior                                                                                                        Interior
                       Justice                                                                                                        Justice
                        Labor                                                                                                         Labor
                         State                                                                                                        State
               Transportation                                                                                                         Transportation
                     Treasury                                                                                                         Treasury
              Veterans Affairs                                                                                                        Veterans Affairs
                         AID                                                           TBD                           TBD              AID
                         EPA                                                                                                          EPA
                       FEMA                                                                                                           FEMA
                         GSA                                                                                                          GSA
                       NASA                                                                                                           NASA
                         NSF                                                                                                          NSF
                         NRC                                                                                                          NRC
                        OPM                                                                                                           OPM
                         SBA                                                                                                          SBA
                         SSA                                                                                                          SSA

                                     Assessment                      OMB Milestones
                                     Renovation
                                                        Assessment                        Renovation   Validation    Implementation
                                     Validation         completed                         completed    completed     completed
                                     Implementation
           Source: OMB.




(511225)                                           Page 8                                                                                                GAO/T-AIMD-97-129
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested