oversight

Year 2000 Computing Crisis: Strong Leadership Today Needed To Prevent Future Disruption of Government Services

Published by the Government Accountability Office on 1997-02-24.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Government Management,
                          Information and Technology, Committee on Government
                          Reform and Oversight, House of Representatives


For Release on Delivery
Expected at
10 a.m.
                          YEAR 2000 COMPUTING
Monday,
February 24, 1997         CRISIS

                          Strong Leadership Today
                          Needed To Prevent Future
                          Disruption of Government
                          Services
                          Statement of Joel C. Willemssen
                          Director, Information Resources Management
                          Accounting and Information Management Division




GAO/T-AIMD-97-51
Mr. Chairman and Members of the Subcommittee:

I know that you are understandably concerned about the potential serious
disruption to critical government functions and services that may result
from the upcoming change of century. The year 2000 computing problem
has received a great deal of attention, deservedly so, in large part thanks to
the pioneering work by this subcommittee examining the potential impact
of this issue on federal agencies.

As you know, this area has recently been added to our list of high-risk
issues because of its potential for widespread adverse impact on
government operations. There is much that needs to be done if the federal
government is to avoid the disruption of important services on which
millions of Americans depend—and, fortunately, much that we can do. I
am pleased to share with you today information gathered from numerous
sources about the steps agencies can take to reduce the risk of year 2000
computer system failures by making their systems what is called year
2000-compliant.

Let me begin by very briefly summarizing the problem. For the past several
decades, systems have typically used two digits to represent the year, such
as “97” for 1997, in order to conserve electronic data storage and reduce
operating costs. In this format, however, 2000 is indistinguishable from
1900 because both are represented as “00.” As a result, if not modified,
computer systems or applications that use dates or perform date-or
time-sensitive calculations may generate incorrect results beyond 1999.

Who could be affected? Virtually every citizen. Every government program
that provides benefits in any way is subject to these problems, from social
security and veterans’ benefits to student loans and subsidized housing.
This is not simply a government issue, it is something that will touch us all.

Mr. Chairman, correcting the problem, in government as in the private
sector, will be labor-intensive and time-consuming—and must be done
while systems continue to operate. Many of the federal government’s
computer systems were originally designed and developed 20 to 25 years
ago, are poorly documented, and use a wide variety of computer
languages—many of which are old or obsolete. The systems consist of tens
or hundreds of computer programs, each with thousands, tens of
thousands, or even millions of lines of code, which must be examined for
date format problems. In addition, the systems have numerous




Page 1                                                       GAO/T-AIMD-97-51
components—hardware, operating systems, communications applications,
and database software—that are affected by the date problem.

Make no mistake: Every federal agency is at risk of system failures.
Modifying systems will be a massive undertaking, and agencies must begin
to address this challenge now—if they have not already started.

Ironically, perhaps, the enormous challenge involved in achieving year
2000 compliance is not technical; it is, rather, managerial. Whether
agencies succeed or fail will be largely influenced by the quality of
executive leadership and program management. Executive leadership sets
the tone; program management makes it happen. It will be imperative for
top agency management—including the agency head and the chief
information officer, or CIO—to not only be fully aware of the importance of
this undertaking, but to communicate this awareness and urgency to all
agency personnel in such a way that everyone understands why year 2000
compliance is so important.

An agency’s ability to successfully manage its year 2000 program will also
depend on the degree to which the agency has institutionalized key
systems development and program management practices, and on its
experience in managing large-scale software conversion or systems
development efforts. GAO has reported on numerous occasions that
agencies need to address and improve their management of information
technology. Accordingly, to carry out their year 2000 programs, agencies
likewise need to assess their information resources management, or IRM,
capabilities and, if necessary, upgrade them. In this process agencies
should also consider soliciting assistance from organizations experienced
in managing major software conversions.

Mr. Chairman, GAO has developed a guide that constitutes a framework
that agencies can use to assess their readiness to achieve year 2000
compliance. It provides information on the scope of the challenge and
offers a structured, step-by-step approach for reviewing the adequacy of
agency planning and management of its year 2000 program. The guide
draws heavily on the work of the Best Practices Subcommittee of the
Interagency Year 2000 Committee and incorporates guidance and practices
identified by leading information technology organizations. An exposure
draft of this guide is being released at this hearing today.

The guide is divided into five sections that correspond with the five phases
that we see representing a year 2000 program. Most of the remainder of my



Page 2                                                      GAO/T-AIMD-97-51
            statement today will discuss the substance of these five phases:
            awareness, assessment, renovation, validation, and implementation. Let
            me first describe each in broad terms. (Attached are illustrations of both
            the year 2000 program phases, and a timeline showing the important
            milestones from awareness through implementation.)

            Phase 1, AWARENESS, encompasses problem definition and executive
            support and sponsorship; the year 2000 team is assembled and an overall
            strategy developed. In phase 2, ASSESSMENT, the impact of the century
            change on the organization is examined, and core business processes are
            identified. Phase 3 is RENOVATION, in which technical system elements
            are converted or replaced. In phase 4, VALIDATION, replaced elements
            are thoroughly tested, as is overall performance. Finally, phase 5 is
            IMPLEMENTATION: New elements are integrated as part of the system.

            It must be remembered that management of the overall year 2000 program
            and its individual projects is ongoing, throughout all phases. The year 2000
            program should be planned and managed as a single, large
            information-systems project. Along with planned monitoring, policies and
            procedures that must be in place include quality assurance, risk
            management, scheduling and tracking, and budgeting.

            At this time, Mr. Chairman, I’d like to highlight in more detail the main
            points in each of the five phases.


            As mentioned earlier while discussing executive leadership, awareness is a
Awareness   critical first step. Many people who may have heard something about a
            year 2000 computer problem do not yet fully understand what it’s about
            and why it matters. For agency personnel, this is imperative. This is also
            the phase in which an organization within the agency is identified to take
            the lead in correcting the problem. The CIO, in concert with the project
            teams, must select a workable approach to the problem, examine the
            existing IRM infrastructure, and obtain needed resources.

            More specifically, during this phase, agencies should focus their energies
            on defining the year 2000 problem and its potential impact, assessing the
            adequacy of program management capabilities, developing a strategy,
            establishing an executive management council, appointing a program
            manager, and establishing a program office.




            Page 3                                                       GAO/T-AIMD-97-51
             The main thrust of assessment is separating the mission-critical
Assessment   systems—which must be converted or replaced—from important ones that
             should be converted or replaced and marginal ones that may be addressed
             now or deferred. It is important to remember that the year 2000 problem is
             primarily a business problem, not just an issue of information technology.
             This is why it is essential to assess the impact of potential year
             2000-induced system failures on core business functions and
             mission-critical processes.

             To determine specifically what must be done and when, agencies should
             inventory their information systems in each business area, assign priority
             to individual systems, establish project teams for business areas and major
             systems, and develop a program plan. Agencies should also develop
             validation strategies and testing plans, identify and acquire tools, and
             develop contingency plans. Assessments also need to include other
             systems that affect the business, such as telephone switching systems.


             This phase deals with making actual changes, whether eliminating,
Renovation   converting, or replacing hardware and software, and documenting those
             changes. In all cases, it will be important to consider the complex
             interdependencies among systems and applications. All changes also need
             to be consistent agencywide, and information about changes clearly
             disseminated to users.

             In addition to the conversion of selected applications and related system
             components, agencies must address data exchange issues, document code
             and system changes, and track and measure renovation processes.


             The validation phase may well take agencies over a year to complete, and
Validation   consume up to half of the year 2000 program’s budget and resources. This
             is due to the complex interrelationships among scores of applications,
             databases, and operating systems. Yet this is precisely why the testing and
             validation are so essential: It is the only way to ensure that changes
             expected to work do in fact work. It will be important for agencies to
             satisfy themselves that their testing procedures are indeed up to this
             challenge, that their results can be trusted.

             During this phase, agencies should develop and document test plans and
             schedules; develop a strategy for managing testing of contractor-converted
             systems; implement a year 2000 test facility; perform system testing; and



             Page 4                                                      GAO/T-AIMD-97-51
                 define, collect, and use test measurements for managing the validation
                 process.


                 Implementing year 2000-compliant systems and their components requires
Implementation   extensive integration and acceptance testing to ensure that all components
                 perform as needed in a heterogeneous operating environment. In addition,
                 since not all components will be converted or replaced simultaneously,
                 agencies may for a time operate with a mix of year 2000-compliant and
                 noncompliant systems. To reduce risk as systems are converted or
                 replaced, it may be wise for agencies to operate in a parallel processing
                 mode for a period for selected systems—using the old and new systems
                 side-by-side simultaneously—so that this redundancy may act as a fail-safe
                 mechanism until it is clear that all changed systems are operating
                 correctly.

                 During this phase, agencies must also define the transition environment
                 and procedures, develop an implementation schedule, resolve interagency
                 and data exchange concerns, address database questions, complete
                 acceptance testing, develop contingency plans, and update or develop
                 disaster recovery plans.

                 In closing, Mr. Chairman, I’d like to reiterate that while the year 2000
                 problem is serious and could well become a crisis for any
                 organization—public or private—that fails to take its demands seriously, it
                 is correctable. It will take long, hard effort, but it can—and must—be
                 done. There is much that can be done, and the time is now.


                 This concludes my statement, Mr. Chairman. I’d be pleased to respond to
                 any questions you or other members of the Subcommittee may have at this
                 time.




                 Page 5                                                     GAO/T-AIMD-97-51
Attachment I

Year 2000 Program Phases




         GAO Year 2000 Program Phases



                                                           Define problem
                                           Awareness       Ensure executive support
                                                           Spread word
                                                           Establish team

                                                           Assess impact
                                           Assessment      Identify core business
                                                           Inventory/prioritize systems
                                                           Develop contingency plans


               Program/Project                             Convert/replace/eliminate
                                           Renovation      as needed
                Management
                                                           Modify interfaces



                                                           Test/verify changed systems
                                            Validation     in operational environment




                                                           Put changed systems
                                          Implementation   into operation




                                 Page 6                                                   GAO/T-AIMD-97-51
Attachment II

Year 2000 Milestones




           GAO Year 2000 Milestones




                   Awareness



                                                   Assessment



                                                                                                       Renovation


                                                                                                                                                            Validation and
                                                                                                                                                           Implementation

           J   F   M   A   M   J   J   A   S   O   N   D   J   F   M   A   M   J   J   A   S   O   N   D   J   F   M   A   M   J   J   A   S   O   N   D   J   F   M   A   M   J   J   A   S   O   N   D




                           1996                                            1997                                            1998                                            1999




(511415)                                                               Page 7                                                                                                                      GAO/T-AIMD-97-51
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 6015
Gaithersburg, MD 20884-6015

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (301) 258-4066, or TDD (301) 413-0006.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested