United States General Accounting Office GAO Testimony Before the Subcommittee on Government Management, Information and Technology, Committee on Government Reform, and the Subcommittee on Technology, Committee on Science, House of Representatives For Release on Delivery Expected at 1 p.m. YEAR 2000 COMPUTING Tuesday, April 13, 1999 CRISIS Additional Work Remains to Ensure Delivery of Critical Services Statement of Joel C. Willemssen Director, Civil Agencies Information Systems Accounting and Information Management Division GAO/T-AIMD-99-143 Mr. Chairman, Ms. Chairwoman, and Members of the Subcommittees: I am pleased to appear today to discuss progress being made in addressing the Year 2000 computing challenge and to outline actions needed to ensure a smooth conversion to the next century. The federal government--with its widespread dependence on large-scale, complex computer systems to deliver vital public services and carry out its massive operations--faces an especially enormous and difficult task. Unless adequately confronted, Year 2000 computing problems could lead to serious disruptions in key federal operations, ranging from national defense to benefits payments to air traffic management. Consequently, in February 1997, we designated the Year 2000 computing problem as a high-risk area. Our purpose was to stimulate greater attention to assessing the government's exposure to Year 2000 risks and to strengthen planning for achieving Year 2000 compliance for mission-critical systems. Fortunately, the past 2 years have witnessed marked improvement in preparedness as the government has revised and intensified its approach to this problem. Today, I will discuss the status of the federal government’s remediation of its mission-critical systems. In addition, I will lay out some of the remaining challenges facing the government in ensuring the continuity of business operations, namely end-to-end testing and business continuity and contingency planning, and the Office of Management and Budget’s (OMB) efforts to identify the government’s high-impact programs. Finally, I will discuss the readiness of state systems that are essential to the delivery of federal human services programs. Improvements Made Addressing the Year 2000 problem is a tremendous challenge for the federal government. To meet this challenge and monitor individual agency efforts, But Much Work OMB directed the major departments and agencies to submit quarterly Remains reports on their progress, beginning May 15, 1997. These reports contain information on where agencies stand with respect to the assessment, renovation, validation, and implementation of mission-critical systems, as well as other management information on items such as business continuity and contingency plans and costs. The federal government's most recent reports show improvement in addressing the Year 2000 problem. While much work remains, the federal government has significantly increased the percentage of mission-critical Page 1 GAO/T-AIMD-99-143 systems that are reported to be Year 2000 compliant, as figure 1 illustrates. In particular, while the federal government did not meet its goal of having all mission-critical systems compliant by March 1999, 92 percent of these systems were reported to have met this goal. Figure 1: Mission-Critical Systems Reported Year 2000 Compliant, May 1997-March 1999 Source: May 1997 through February 1999 data are from the OMB quarterly reports. The March 1999 data are from the President’s Council on Year 2000 Conversion and OMB. While this progress is notable, 11 agencies did not meet OMB’s deadline for all of their mission-critical systems.1 Some of the systems that were not yet compliant support vital government functions. For example, many of the Federal Aviation Administration’s (FAA) systems were not compliant as of the March deadline. As we testified last month, several of these systems provide critical functions, ranging from communications to radar 1 The 11 agencies were the Departments of Agriculture, Commerce, Defense, Energy, Health and Human Services, Justice, State, Transportation, and the Treasury and the National Aeronautics and Space Administration and the U.S. Agency for International Development. Page 2 GAO/T-AIMD-99-143 processing to weather surveillance.2 Among other systems that did not meet the March 1999 deadline are those operated by Health Care Financing Administration (HCFA) contractors. As we testified in February 1999, these systems are critical to processing Medicare claims.3 Additionally, not all systems have undergone an independent verification and validation process. For example, the Environmental Protection Agency and the Department of the Interior reported that 57 and 3 of their systems, respectively, deemed compliant were still undergoing independent verification and validation. In some cases, independent verification and validation of compliant systems have found serious problems. For example, as we testified before you this February,4 none of HCFA’s 54 external mission-critical systems reported by the Department of Health and Human Services as compliant as of December 31, 1998, was Year 2000 ready, based on serious qualifications identified by the independent verification and validation contractor. Other examples have been cited in agency quarterly reports. • In February 1999, the Department of Commerce reclassified a system from compliant to noncompliant because an independent verification and validation contractor had concerns about some of the commercial- off-the-shelf software used in the system and wanted to review additional test data. • In February 1999, the Environmental Protection Agency reported that its independent third-party review process found a Year 2000 error in a system that was later repaired, tested, and returned to production. • In November 1998, the Department of Health and Human Services reported that it removed four Indian Health Service systems from compliant status because an independent verification and validation contractor found that their data exchanges were not compliant. 2 Year 2000 Computing Crisis: FAA Is Making Progress But Important Challenges Remain (GAO/T- AIMD/RCED-99-118, March 15, 1999). 3Year 2000 Computing Crisis: Medicare and the Delivery of Health Services Are at Risk (GAO/T-AIMD- 99-89, February 24, 1999) and Year 2000 Computing Crisis: Readiness Status of the Department of Health and Human Services (GAO/T-AIMD-99-92, February 26, 1999). 4 GAO/T-AIMD-99-92, February 26, 1999. Page 3 GAO/T-AIMD-99-143 Much Work Remains to Achieving individual system compliance, although important, does not necessarily ensure that a business function will continue to operate Ensure Continuity of through the change of century--the ultimate goal of Year 2000 efforts. Key Federal Operations actions, such as end-to-end testing and business continuity and contingency planning, are vital to ensuring that this goal is met. Further, OMB has recently taken action on our April 1998 recommendation to set governmentwide priorities and has identified the government’s high-impact programs.5 This is an excellent step toward ensuring the continuing delivery of vital services. End-to-End Testing To ensure that their mission-critical systems can reliably exchange data with other systems and that they are protected from errors that can be introduced by external systems, agencies must perform end-to-end testing of their critical core business processes. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, will work as intended in an operational environment. In the case of the year 2000, many systems in the end-to-end chain will have been modified or replaced. As a result, the scope and complexity of testing--and its importance--are dramatically increased, as is the difficulty of isolating, identifying, and correcting problems. Consequently, agencies must work early and continually with their data exchange partners to plan and execute effective end-to-end tests (our Year 2000 testing guide sets forth a structured approach to testing, including end-to-end testing).6 In January 1999, we testified that with the time available for end-to-end testing diminishing, OMB should consider, for the government’s most critical functions, setting target dates, and having agencies report against them, for the development of end-to-end test plans, the establishment of test schedules, and the completion of the tests.7 On March 31, OMB and the Chair of the President’s Council on Year 2000 Conversion announced that one of the key priorities that federal agencies will be pursuing during the rest of 1999 will be cooperative efforts regarding end-to-end testing to 5 Year 2000 Computing Crisis: Potential for Widespread Disruption Call for Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, 1998). 6Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, November 1998). 7 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20, 1999). Page 4 GAO/T-AIMD-99-143 demonstrate the Year 2000 readiness of federal programs with states and other partners critical to the administration of those programs. We are also encouraged by some agencies’ recent actions. For example, we testified this March, that the Department of Defense’s Principal Staff Assistants are planning to conduct end-to-end tests to ensure that systems that collectively support core business areas can interoperate as intended in a Year 2000 environment.8 Further, our March 1999 testimony9 found that FAA had addressed our prior concerns with the lack of detail in its draft end-to-end test program plan and had developed a detailed end-to-end testing strategy and plans.10 Business Continuity and Business continuity and contingency plans are essential. Without such Contingency Plans plans, when unpredicted failures occur, agencies will not have well-defined responses and may not have enough time to develop and test alternatives. Federal agencies depend on data provided by their business partners as well as on services provided by the public infrastructure (e.g., power, water, transportation, and voice and data telecommunications). One weak link anywhere in the chain of critical dependencies can cause major disruptions to business operations. Given these interdependencies, it is imperative that contingency plans be developed for all critical core business processes and supporting systems, regardless of whether these systems are owned by the agency. Accordingly, in April 1998, we recommended that the Council require agencies to develop contingency plans for all critical core business processes. 11 OMB has clarified its contingency plan instructions and, along with the Chief Information Officers Council, has adopted our business continuity and contingency planning guide.12 In particular, on January 26, 1999, OMB called on federal agencies to identify and report on the high-level core 8 Year 2000 Computing Crisis: Defense Has Made Progress, But Additional Management Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999). 9 GAO/T-AIMD/RCED-99-118, March 15, 1999. 10 FAA Systems: Serious Challenges Remain in Resolving Year 2000 and Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998). 11GAO/AIMD-98-85, April 30, 1998. 12 Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, August 1998). Page 5 GAO/T-AIMD-99-143 business functions that are to be addressed in their business continuity and contingency plans as well as to provide key milestones for development and testing of business continuity and contingency plans in their February 1999 quarterly reports. Accordingly, in their February 1999 reports, almost all agencies listed their high-level core business functions. Indeed, major departments and agencies listed over 400 core business functions. For example, the Department of Veterans Affairs classified its core business functions into two critical areas: benefits delivery (six business lines supported this area) and health care. Our review of the 24 major departments’ and agencies’ February 1999 quarterly reports found that business continuity and contingency planning was generally well underway. However, we also found cases in which agencies (1) were in the early stages of business continuity and contingency planning, (2) did not indicate when they planned to complete and/or test their plan, (3) did not intend to complete their plans until after April 1999, or (4) did not intend to finish testing the plans until after September 1999. In January 1999, we testified before you that OMB could consider setting a target date, such as April 30, 1999, for the completion of business continuity and contingency plans, and require agencies to report on their progress against this milestone.13 This would encourage agencies to expeditiously develop and finalize their plans and would provide the President’s Council on Year 2000 Conversion and OMB with more complete information on agencies’ status on this critical issue. To provide assurance that agencies’ business continuity and contingency plans will work if they are needed, we also suggested that OMB may want to consider requiring agencies to test their business continuity strategy and set a target date, such as September 30, 1999, for the completion of this validation. On March 31, OMB and the Chair of the President’s Council on Year 2000 Conversion announced that completing and testing business continuity and contingency plans as insurance against disruptions to federal service delivery and operations from Year 2000-related failures will be one of the key priorities that federal agencies will be pursuing through the rest of 1999. OMB also announced that it planned to ask agencies to submit their business continuity and contingency plans in June. In addition to this action, we would encourage OMB to implement the suggestion that we made in our January 20 testimony and establish a target date for the validation of these business continuity and contingency plans. 13 GAO/T-AIMD-99-50, January 20, 1999. Page 6 GAO/T-AIMD-99-143 Recent OMB Action Could While individual agencies have been identifying and remediating mission- Help Ensure Business critical systems, the government’s future actions need to be focused on its high-priority programs and ensuring the continuity of these programs, Continuity of High-Impact including the continuity of federal programs that are administered by Programs states. Accordingly, governmentwide priorities need to be based on such criteria as the potential for adverse health and safety effects, adverse financial effects on American citizens, detrimental effects on national security, and adverse economic consequences. In April 1998, we recommended that the President’s Council on Year 2000 Conversion establish governmentwide priorities and ensure that agencies set agencywide priorities.14 On March 26, 1999, OMB implemented our recommendation by issuing a memorandum to federal agencies designating lead agencies for the government’s 42 high-impact programs (e.g., food stamps, Medicare, and federal electric power generation and delivery); the attachment contains a list of these programs and lead agencies. For each program, the lead agency was charged with identifying to OMB the partners integral to program delivery; taking a leadership role in convening those partners; assuring that each partner has an adequate Year 2000 plan and, if not, helping each partner without one; and developing a plan to ensure that the program will operate effectively. According to OMB, such a plan might include testing data exchanges across partners, developing complementary business continuity and contingency plans, sharing key information on readiness with other partners and the public, and taking other steps necessary to ensure that the program will work. OMB directed the lead agencies to provide a schedule and milestones of key activities in the plan by April 15. OMB also asked agencies to provide monthly progress reports. States’ Systems’ OMB’s March 1999 memorandum identifies several high-impact state- administered programs, such as Food Stamps, Medicaid, and Temporary Readiness Essential to Assistance for Needy Families, in which both the federal government and the Delivery of Federal the states have a huge vested interest, both financial and social. Reports by us and the federal lead agencies have indicated the need for the lead federal Human Services agency to work together with the states to ensure that programs vital to so Programs many individuals can continue through the change of century. 14 GAO/AIMD-98-85, April 30, 1998. Page 7 GAO/T-AIMD-99-143 As we reported in November 1998, many systems that support such human services programs were at risk and much work remained to ensure continued services.15 In February 1999, we testified that while some progress had been achieved, many states’ systems have been reported to be at risk and were not scheduled to become compliant until the last half of 1999.16 Further, progress reports had been based largely on state self- reporting, which, upon site visits, has occasionally been found to be overly optimistic. Accordingly, we concluded that given these risks, business continuity and contingency planning was even more important in ensuring continuity of program operations and benefits in the event of systems failures. In January 1999, OMB implemented a requirement that federal oversight agencies include the status of selected state human services systems in their quarterly reports. Specifically, OMB requested that the agencies describe actions to help ensure that federally supported, state-run programs will be able to provide services and benefits. OMB further asked that agencies report the date when each state’s systems will be Year 2000 compliant. Table 1 summarizes the information gathered by the Departments of Agriculture, Health and Human Services, and Labor on how many state-level organizations are compliant or when in 1999 they planned to be compliant. Table 1: Reported State-Level Readiness for Key Federally Supported Programsa January- April- July- October- No Program Compliant March June September December report Food Stamps 15 10 12 8 5 0 Unemployment Insurance 21 6 13 8 1 1 Temporary Assistance for Needy Families 7 3 12 4 2 22 Medicaid--Integrated Eligibility System 3 1 8 5 1 33 Medicaid--Management Information Systems 7 7 14 12 2 9 Child Support 4 6 10 3 2 25 (continued) 15Year2000 Computing Crisis: Readiness of State Automated Systems to Support Federal Welfare Programs (GAO/AIMD-99-28, November 6, 1998). 16 Year 2000 Computing Crisis: Readiness of State Automated Systems That Support Federal Human Services Programs (GAO/T-AIMD-99-91, February 24, 1999). Page 8 GAO/T-AIMD-99-143 January- April- July- October- No Program Compliant March June September December report Child Care 4 3 8 5 2 31 Child Welfare 6 3 8 5 2 27 Women, Infants, and Children 24 8 6 6 6 0 aAccording to OMB, the Departments of Agriculture and Health and Human Services were still collecting information from the states on the status of the Child Nutrition Program and the Low Income Home Energy Assistance Program, respectively. Note: OMB reported the status of 5 programs for 50 state-level organizations (Food Stamps, Unemployment Insurance, Temporary Assistance for Needy Families, Child Support, and Women, Infants, and Children). The status of 2 programs was provided for 51 state-level organizations (Medicaid and Child Welfare). The status of Child Care was provided for 53 state-level organizations. Source: Progress on Year 2000 Conversion, (OMB, data received February 12, 1999, issued on March 18, 1999). This table illustrates the need for federal/state partnerships to ensure the continuity of these vital services, since a considerable number of state-level organizations are not due to be compliant until the last half of 1999, and the agencies have not received reports from many states. Such partnerships could include the coordination of federal and state business continuity and contingency plans for human resources programs. One agency that could serve as a model to other federal agencies in working with state partners is the Social Security Administration, which relies on states to help process claims under its disability insurance program. In October 1997, we made recommendations to the Social Security Administration to improve its monitoring and oversight of state disability determination services and to develop contingency plans that consider the disability claims processing functions within state disability determination services systems.17 The Social Security Administration agreed with these recommendations and, as we testified this February, has taken several actions.18 For example, it established a full-time disability determination services project team, designating project managers and coordinators and requesting biweekly status reports. The agency also obtained from each state disability determination service (1) a plan specifying the specific milestones, resources, and schedules for completing Year 2000 conversion tasks and (2) contingency plans. Such an approach 17Social Security Administration: Significant Progress Made in Year 2000 Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997). 18 Year 2000 Computing Crisis: Update on the Readiness of the Social Security Administration (GAO/T- AIMD-99-90, February 24, 1999). Page 9 GAO/T-AIMD-99-143 could be valuable to other federal agencies in helping ensure the continued delivery of services. In addition to the state systems that support federal programs, another important aspect of the federal government’s Year 2000 efforts with the states are data exchanges. For example, the Social Security Administration exchanges data files with the states to determine the eligibility of disabled persons for disability payments and the National Highway Traffic Safety Administration provides states with information needed for drivers registration. As part of addressing this issue, the General Services Administration is collecting information from federal agencies and the states on the status of their exchanges through a secured Internet World Wide Web site. According to an official at the General Services Administration, 70 percent of federal/state data exchanges are Year 2000 compliant. However, this official would not provide us with supporting documentation for this statement nor would the General Services Administration allow us access to its database. Accordingly, we could not verify the status of federal/state data exchanges. In conclusion, it is clear that much progress has been made in addressing the Year 2000 challenge. It is equally clear, however, that much additional work remains to ensure the continued delivery of vital services. The federal government and its partners must work diligently and cooperatively so that such services are not disrupted. Mr. Chairman, Ms. Chairwoman, this concludes my statement. I will be pleased to respond to any questions that you or other members of the Subcommittees may have at this time. Page 10 GAO/T-AIMD-99-143 Attachment Federal High-Impact Programs and Lead Agencies Agency Program Department of Agriculture Child Nutrition Programs Department of Agriculture Food Safety Inspection Department of Agriculture Food Stamps Department of Agriculture Special Supplemental Nutrition Program for Women, Infants, and Children Department of Commerce Patent and trademark processing Department of Commerce Weather Service Department of Defense Military Hospitals Department of Defense Military Retirement Department of Education Student Aid Department of Energy Federal electric power generation and delivery Department of Health and Human Services Child Care Department of Health and Human Services Child Support Enforcement Department of Health and Human Services Child Welfare Department of Health and Human Services Disease monitoring and the ability to issue warnings Department of Health and Human Services Indian Health Service Department of Health and Human Services Low Income Home Energy Assistance Program Department of Health and Human Services Medicaid Department of Health and Human Services Medicare Department of Health and Human Services Organ Transplants Department of Health and Human Services Temporary Assistance for Needy Families Department of Housing and Urban Development Housing loans (Government National Mortgage Association) Department of Housing and Urban Development Section 8 Rental Assistance Department of Housing and Urban Development Public Housing Department of Housing and Urban Development FHA Mortgage Insurance Department of Housing and Urban Development Community Development Block Grants Department of the Interior Bureau of Indians Affairs programs Department of Justice Federal Prisons Department of Justice Immigration Department of Labor Unemployment Insurance Department of State Passport Applications and Processing Department of Transportation Air Traffic Control system Department of Transportation Maritime Search and Rescue Department of the Treasury Cross-border Inspection Services Department of Veterans Affairs Veterans’ Benefits Department of Veterans Affairs Veterans’ Health Care Federal Emergency Management Agency Disaster Relief Office of Personnel Management Federal Employee Health Benefits (continued) Leter Page 11 GAO/T-AIMD-99-143 Attachment Federal High-Impact Programs and Lead Agencies Agency Program Office of Personnel Management Federal Employee Life Insurance Office of Personnel Management Federal Employee Retirement Benefits Railroad Retirement Board Retired Rail Workers Benefits Social Security Administration Social Security Benefits U.S. Postal Service Mail Service (511750) Leter Page 12 GAO/T-AIMD-99-143 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: Additional Work Remains to Ensure Delivery of Critical Services
Published by the Government Accountability Office on 1999-04-13.
Below is a raw (and likely hideous) rendition of the original report. (PDF)