oversight

Year 2000 Computing Challenge: Estimated Costs, Planned Uses of Emergency Funding, and Future Implications

Published by the Government Accountability Office on 1999-06-22.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Committee on Appropriations and the Special
                          Committee on the Year 2000 Technology Problem, U.S.
                          Senate


For Release on Delivery
Expected at
9:30 a.m.
                          YEAR 2000 COMPUTING
Tuesday,
June 22, 1999             CHALLENGE

                          Estimated Costs, Planned
                          Uses of Emergency
                          Funding, and Future
                          Implications
                          Statement of David M. Walker
                          Comptroller General of the United States




GAO/T-AIMD-99-214
                      Messrs. Chairmen and Members of the Committees:

                      We are pleased to be here today to present information on Year 2000 (Y2K)1
                      costs and funding and to discuss more broadly what implications the
                      government’s necessary short-term focus on preparing for the year
                      2000 will have on future information technology activities. In 1997, we
                      designated the Year 2000 computing problem as a high-risk area because
                      computer failures could disrupt functions and services that are critical to
                      our nation.2 After providing a brief summary of the issues and background
                      information, my testimony today will highlight (1) estimated Y2K costs and
                      agency processes to track costs to date, (2) planned uses of emergency
                      funding, (3) Y2K costs for fiscal year 2000 and beyond, (4) agency program
                      and information technology initiatives delayed by Y2K activities, and
                      (5) lessons learned from Y2K efforts that can be applied to other
                      information technology activities.



Results in Brief      Meeting the Year 2000 challenge has been necessary but expensive, with
                      estimated federal costs rising from $2.3 billion in February 1997 to
                      $8.7 billion as of last month. From February through May 1999, the
                      estimated cost rose $1.2 billion. With respect to Y2K costs incurred through
                      fiscal year 1998, the 24 major federal departments and agencies reported
                      costs exceeding $3 billion. While some agencies reported actual costs
                      incurred through 1998, others reported estimates. In fiscal year 1999,
                      agencies have requested emergency funds and plan to spend much of these
                      funds on renovation, validation, and implementation activities, along with
                      replacing personal computers and network hardware and software.
                      Beyond fiscal year 1999, estimated Y2K costs have continued to climb, now
                      reaching over one billion dollars. Determining the extent of continued Y2K
                      cost escalation is difficult because of many uncertainties. One major
                      unknown is whether agencies will have to implement their business
                      continuity and contingency plans. Such plans, if triggered, could entail
                      substantial costs. Agencies’ high-level business continuity and contingency
                      plans were due to the Office of Management and Budget (OMB) by June 15.

                      1
                       The Y2K problem is rooted in how dates are recorded and computed. For the past several decades,
                      computer systems typically used two digits to represent the year, such as “99” for 1999, in order to
                      conserve electronic data storage and reduce operating costs. In this format, however, 2000 is
                      indistinguishable from 1900 because both are represented as “00.” As a result, if not modified, systems
                      or applications that use dates or perform date- or time-sensitive calculations may generate incorrect
                      results beyond 1999.
                      2
                       High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).




              Leter   Page 1                                                                          GAO/T-AIMD-99-214
                     OMB’s review of these plans should consider whether agencies provided
                     estimated business continuity and contingency plan costs. If not, OMB
                     needs to require that this information be provided expeditiously so that it
                     can provide the Congress with information on potential future funding
                     needs. We intend to review the plans submitted to OMB and advise the
                     Congress of potential funding ramifications.

                     Another less direct but undeniable issue associated with the Year 2000
                     challenge has been the postponement of many program and information
                     technology initiatives so that resources could be dedicated to Y2K. Such
                     demands—including system enhancements and computer security—have
                     not vanished; in fact, they have grown. On the positive side, however, the
                     government will likely approach these future information technology
                     challenges better prepared, having gained much valuable information from
                     experiences in meeting the Y2K challenge. For example, this was the
                     motivator that resulted in many agencies’ taking charge of their
                     information technology resources in much more active ways, from
                     inventorying and prioritizing systems to implementing reliable processes
                     and better controls. Such lessons should not be lost on future information
                     technology projects.



Background           With close to half of all computer capacity and 60 percent of Internet
                     assets, the United States is the world's most advanced and most dependent
                     user of information technology.3 Such systems perform functions and
                     services critical to our nation; disruption could create widespread
                     hardship, including problems in key federal operations ranging from
                     national defense to benefits payments to air traffic management.
                     Accordingly, the upcoming change of century is a sweeping and urgent
                     challenge for public- and private-sector organizations alike, in this country
                     and around the world.

                     Since our February 1997 designation of the Year 2000 problem as a
                     high-risk area for the federal government, action to address the Y2K threat
                     has intensified. In response to a growing recognition of the challenge and
                     urging from congressional leaders and others, the administration
                     strengthened the government’s Year 2000 preparation. In February 1998,
                     the President took a major step in establishing the President's Council on


                     3
                       Critical Foundations: Protecting America's Infrastructures (President's Commission on Critical
                     Infrastructure Protection, October 1997).




             Leter   Page 2                                                                          GAO/T-AIMD-99-214
Year 2000 Conversion. The President also (1) established the goal that no
system critical to the federal government's mission experience disruption
because of the Year 2000 problem and (2) charged agency heads with
ensuring that this issue receive the highest priority attention. Further, the
Chair of the Council was tasked with the following Year 2000 roles:
(1) overseeing the activities of agencies, (2) acting as chief spokesperson in
national and international forums, (3) providing policy coordination of
executive branch activities with state, local, and tribal governments, and
(4) promoting appropriate federal roles with respect to private-sector
activities.

Among the initiatives the Chair of the Council has implemented in carrying
out these responsibilities are attending monthly meetings with senior
managers of agencies that are not making sufficient progress, establishing
numerous working groups to increase awareness of and gain cooperation
in addressing the Y2K problem in various economic sectors, and
emphasizing the importance of federal/state data exchanges. In addition,
on June 14, 1999, the President ordered the creation of an Information
Coordination Center—consisting of officials from executive agencies—to
assist the Chair of the Council in addressing Year 2000 conversion
problems both domestically and internationally. Among its duties, the
Information Coordination Center is to assist in making preparations for
information sharing and coordination within the federal government and
key components of the public and private sectors.

Many congressional committees have been extremely diligent in addressing
the Year 2000 challenge by holding agencies accountable for demonstrating
progress and by heightening public appreciation of the problem. By holding
numerous hearings on important topics such as health care, the food
sector, electric power, and financial services and in issuing a major report 4
on the impact of the Year 2000 problem, the Senate Special Committee on
the Year 2000 Technology Problem has fostered a greater understanding of
the problem and focused attention on actions needed.

OMB, for its part, has taken more aggressive action on Year 2000 matters
over the past year and a half and has been responsive to our
recommendations. For example, in its quarterly report issued in December
1997, OMB accelerated its milestone for agencies to complete the


4
 Investigating the Impact of the Year 2000 Problem (United States Senate, Special Committee on the
Year 2000 Technology Problem, February 24, 1999).




Page 3                                                                         GAO/T-AIMD-99-214
implementation phase of Y2K conversion by 8 months, from November to
March 1999. OMB has also tightened requirements on agency reporting of
Year 2000 progress. It now requires that beyond the original 24 major
departments and agencies that have been reporting, 9 additional agencies
(such as the Tennessee Valley Authority and the Postal Service) report
quarterly on their Year 2000 progress, and that additional information be
reported from all agencies. Additionally, in response to our April 1998
recommendation,5 on March 26, 1999, OMB issued a memorandum to
federal agencies designating lead agencies for the government’s 42
high-impact programs, including those delivering critical benefits such as
social security, food stamps, and Medicare; ensuring adequate weather
forecasting capabilities; and providing federal electric power generation
and delivery. (OMB later added a 43rd high-impact program—the National
Crime Information Center.) Further, OMB has clarified instructions for
agencies relative to preparing business continuity and contingency plans,
and required agencies to submit high-level versions of these plans just last
week, on June 15. We intend to review the plans submitted to OMB and
advise the Congress of our results.

As you know, we have been very active in working with the Congress as
well as federal agencies to both strengthen agency processes and to
evaluate their progress in addressing these challenges. To help agencies
mitigate their Year 2000 risks, we produced a series of Year 2000 guides on
enterprise readiness, business continuity and contingency planning, and
testing.6 In addition, we have issued over 100 reports and testimony
statements detailing specific findings and have made dozens of
recommendations related to the Year 2000 readiness of the government as a
whole and of a wide range of individual agencies.

Fortunately, the past 2 years have witnessed marked improvement in
preparedness as the government has revised and intensified its approach to
this problem. Nevertheless, significant challenges remain. In particular,
complete and thorough Year 2000 testing is essential to providing
reasonable assurance that new or modified systems will be able to process


5
Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for Strong Leadership and
Partnerships (GAO/AIMD-98-85, April 30, 1998).
6
 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
February 1997 and in final form in September 1997), Year 2000 Computing Crisis: Business Continuity
and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998 and in final
form in August 1998), and Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as
an exposure draft in June 1998 and in final form in November 1998).




Page 4                                                                        GAO/T-AIMD-99-214
                            dates correctly and not jeopardize agencies’ abilities to perform core
                            business operations. Moreover, adequate business continuity and
                            contingency plans must be successfully completed and tested throughout
                            government.


The Congress Appropriated   To address Y2K resource needs, last year the Congress appropriated
Emergency Year 2000         $2.25 billion for civilian agencies7 and $1.1 billion for the Department of
                            Defense for emergency expenses related to Year 2000 conversion of federal
Funding                     information technology systems. Through May 1999, OMB made six
                            separate allocations totaling about $1.724 billion8 to civil agencies
                            (77 percent of the $2.25 billion in civilian emergency funds) and one
                            allocation of $935 million to the Department of Defense (85 percent of its
                            emergency funds). Figure 1 illustrates the cumulative amount of
                            emergency funds allocated to nondefense organizations and the
                            Department of Defense, and that about $661 million remains.




                            7
                            As part of the $2.25 billion for civilian departments and agencies, $16.873 million and $13.044 million
                            were designated for the legislative and judicial branches, respectively.
                            8
                             This amount does not include $13.65 million that OMB allocated to the Department of Energy but did
                            not transfer to the department because, according to OMB, the House Appropriations Committee did
                            not consider the planned use of these monies an appropriate use of emergency funding.




                            Page 5                                                                           GAO/T-AIMD-99-214
Figure 1: Emergency Supplemental Funds Allocated to Agencies (Dollars in Millions)
3,500                                                                                Total emergency funds

3,000


2,500


2,000


1,500


1,000


 500


    0
              11/98 C ivil   12/98 C ivil   2/99 C ivil   3/99 D e fe nse   3/99 C ivil    4/99 C ivil    5/99 C ivil
                                                   Alloca tions

                                                Note: This chart does not include the amount set aside for the legislative and judicial branches
                                                ($29.9 million).
                                                Source: OMB.




                                                Page 6                                                                           GAO/T-AIMD-99-214
Figure 2 illustrates the entities that received the largest allocations.



Figure 2: Entities With the Largest Emergency Funding Allocations as of May 1999
(Dollars in Millions)

 $1,000
                $935
  $900

  $800

  $700
                                  $602
  $600

  $500

  $400
                                                   $324
  $300                                                                                                                                                        $254

                                                                    $193
  $200

  $100                                                                           $84          $80        $65                $64             $58


    $0




                                                                                                                            a
                                              es




                                                                                                                                                           es
                                                                                e




                                                                                             r
                                                                    n




                                                                                                                                          ce
                                                                                                     e
               se




                             ry




                                                                                                                        bi
                                                                                            rio
                                                                                ic
                                                                tio




                                                                                                    at
                                              ic




                                                                                                                                                          iti
                            su




                                                                                                                       um




                                                                                                                                       er
          en




                                                                            st
                                           rv




                                                                                                    St
                                                                                        te




                                                                                                                                                         nt
                                                               ta




                                                                           Ju
                       ea




                                                                                                                                      m
          ef




                                         Se




                                                                                       In




                                                                                                                   ol




                                                                                                                                                     re
                                                           or




                                                                                                                                  om
      D




                       Tr




                                                                                                                   C
                                                          sp




                                                                                                                                                    he
                                      an




                                                                                                               of




                                                                                                                                  C
                                                     an




                                                                                                                                                ot
                                   um




                                                                                                              ct
                                                    Tr




                                                                                                                                               32
                                                                                                         tri
                                  H




                                                                                                         is
                              &




                                                                                                     D
                            lth
                        ea
                       H




Note: Appendix I lists all of the entities that received emergency funding allocations.
Source: OMB.


Regarding Y2K costs and funding, the House Majority Leader asked us to
(1) identify agency-reported Year 2000 costs through fiscal year 1998 and
the agencies’ processes used to track these costs, (2) determine the
reported status of fiscal year 1999 obligations for Year 2000 activities,
(3) identify estimated Year 2000 costs for fiscal year 1999 and the planned
uses of the emergency allocations, and (4) identify the Year 2000 costs for
fiscal year 2000. In addressing these questions, we requested
documentation of actual and planned costs from 29 federal agencies that
provide quarterly Y2K compliance information to OMB, plus an additional
12 organizations that had received emergency funding. We provided a
report to the House Majority Leader on this information in April 1999.9



9
  Year 2000 Computing Crisis: Costs and Planned Use of Emergency Funds
(GAO/AIMD-99-154, April 28, 1999).




Page 7                                                                                                                            GAO/T-AIMD-99-214
                      In my testimony before the Senate Committee on Appropriations in
                      January,10 Chairman Stevens, you asked me to return and discuss these
                      costs issues further. Accordingly, to prepare for this testimony, we updated
                      the information in our April report to include (1) the latest cost estimates
                      from the 24 major departments and agencies and (2) information on
                      releases from the emergency fund subsequent to our prior work.11



Estimated Year 2000   As figure 3 indicates, the total estimated costs of ensuring that the
                      computer systems of the 24 major federal agencies perform as expected
Costs Continue to     beyond 1999 more than tripled during the last 2 years—to a total of about
Escalate              $8.7 billion as of last month—up $1.2 billion in the past 3 months alone.



                      Figure 3: Estimated Total Reported Year 2000 Costs of the 24 Major Federal
                      Departments/Agencies, February 1997 Through May 1999 (Dollars in Billions)

                      10

                           9                                                                                     8.7

                           8                                                                              7.5
                                                                                                 7.2
                           7
                                                                                      6.3
                           6
                                                                      4.7     5.0
                           5
                                                              3.9
                           4                          3.8
                                              2.8
                           3          2.3
                           2
                           1
                           0

                               Feb-         May-    Aug-    Nov-    Feb-    May-    Aug-       Nov-     Feb-    May-
                                97           97      97      97      98      98      98          98      99       99




                                                                                            (Figure notes on next page)




                      10
                       Year 2000 Computing Challenge: Readiness Improving, But Critical Risks Remain
                      (GAO/T-AIMD-99-49, January 20, 1999).
                      11
                       Seven additional agencies received emergency allocations subsequent to our prior work and,
                      therefore, were not included in our April 1999 report.




                      Page 8                                                                           GAO/T-AIMD-99-214
                             Note: The August 1998 through May 1999 figures are totals of all individual submissions from the
                             24 major departments and agencies. In its summary of agency reports, OMB decreased total
                             estimated Year 2000 costs for the 24 major agencies by about $900 million in August 1998,
                             $800 million in November 1998, $779 million in February 1999, and $688 million in May 1999. For the
                             August 1998 costs, OMB did not include all costs in its estimate because, for example, it was still
                             reviewing some of the estimates provided by the agencies. For the November 1998 and February 1999
                             costs, OMB did not provide explanations in its report for all of the discrepancies between the agency
                             reports and their total estimated Y2K cost figure. However, the OMB reports covering the November
                             1998 and February 1999 periods did not include $81.3 million and $91.7 million in Transportation and
                             Treasury costs, respectively, that they stated were non-Y2K costs funded from emergency
                             supplemental funds. In OMB’s report covering the May 1999 period, it revised the amount of
                             Transportation’s non-Y2K costs funded from emergency supplemental funds to $52 million, but
                             Treasury’s amount remained the same.
                             Source: February 1997 data are from OMB's report Getting Federal Computers Ready for 2000,
                             February 6, 1997. May 1997 through May 1998 data are from OMB's quarterly reports. The August
                             1998 through May 1999 data are from the quarterly reports of the 24 major departments and agencies.


                             Among the agencies that had substantial increases from February 1997
                             through May 1999 were the Department of Defense—$969.6 million to
                             $3.66 billion (277 percent increase), the Department of the Treasury—
                             $318.5 million to $1.9 billion (497 percent increase), and the Department of
                             Health and Human Services (HHS)—$90.7 million to $1.111 billion
                             (1125 percent increase).



Several Agencies Did Not     Reported Year 2000 costs incurred each year from 1996 through 1998 for
Separately Track Actual      the 24 major departments and agencies have also grown dramatically.
                             Reported fiscal year 1996 costs were about $72 million,12 fiscal year 1997
Year 2000 Costs for Fiscal   costs were about $830 million, and fiscal year 1998 costs were over
Years 1996 Through 1998      $2.7 billion. These reported costs, however, still represent less than half of
                             the total Year 2000 costs of $8.7 billion estimated last month by the
                             24 major departments and agencies.

                             While federal agencies reported that their Year 2000 costs from fiscal years
                             1996 through 1998 were over $3 billion, some agencies reported actual
                             costs while others reported some costs as actual and others as estimates;
                             still others reported just estimates. In particular, at the time of our report,13
                             of the 24 major departments and agencies,

                             • 7 reported that their fiscal years 1996 through 1998 costs were actual
                               (3 used financial management systems while 4 used reports from
                               component entities to track costs),


                             12
                              One agency also reported Year 2000 costs that were prior to fiscal year 1996.
                             13
                              GAO/AIMD-99-154, April 28, 1999.




                             Page 9                                                                           GAO/T-AIMD-99-214
                           • 5 reported that some costs were actual while others were estimates
                             (e.g., contract costs were actual while labor costs were estimates),
                           • 9 reported that they did not separately track actual costs for fiscal years
                             1996 through 1998, and
                           • 3 did not provide information on cost tracking.

                           With respect to the nine major agencies that reported not separately
                           tracking actual costs for fiscal years 1996 through 1998, at least three cited
                           as a reason that they were not required to do so. For example, the
                           Department of the Interior reported that “aside from the 1999 Y2K
                           Supplemental Funding, the Department has never tracked Y2K funding
                           separately from other appropriated funds, as there has never been any
                           requirement to do so.” With respect to tracking of actual costs associated
                           with the emergency funding, five of the nine agencies that reported
                           estimated costs for fiscal years 1996 through 1998 reported that they were
                           tracking, or planned to track, actual costs associated with the emergency
                           funding allocation (the other four agencies did not address whether they
                           were tracking these funds or had not received emergency allocations).

                           While agencies may not be required to track actual costs of Y2K activities,
                           we believe that the criticality of Year 2000 activities and the significance of
                           the costs—hundreds of million of dollars in some cases—indicate that
                           prudent management practices warrant cost tracking. Specifically, our
                           enterprise readiness guide14 states that agencies’ Year 2000 program
                           management staff should be able to track the cost and schedule of
                           individual Year 2000 projects.



Emergency Funds to         With agencies’ estimates of Y2K costs increasing dramatically and with
                           limited time remaining to complete needed actions, many agencies
Be Used for a Variety of   requested emergency funds in fiscal year 1999. Thirty-nine civilian agencies
Purposes                   and the District of Columbia have requested—and received—emergency
                           funding for a variety of uses, as shown in figure 4.




                           14
                            GAO/AIMD-10.1.14, September 1997.




                           Page 10                                                      GAO/T-AIMD-99-214
Figure 4: Civil Agencies’ Proposed Uses for Year 2000 Emergency Funds by Type of
Activity (Dollars in Millions)

    Embedded systems            $36



  Contingency planning            $77


Independent verification
                                      $98
      & validation


               Outreach                 $137


 Renovation, validation,
                                                                                            $720
    implementation


                   Other                                                             $655


                           $0               $200           $400              $600              $800




Note: The other category primarily includes funds for replacement of personal computers and network
hardware and software. In their justifications, some organizations said the personal computers and
network hardware and software could not be upgraded to be Y2K compliant, and in other cases they
determined that it would not be economical to upgrade obsolete equipment. In addition, the total
amount in this chart does not equal the total amount allocated because the justification data from two
organizations did not equal the total allocations reported by OMB.
Source: GAO analysis based on agency justifications.


In its response to our request, the Department of Defense reported that it is
targeting almost $525 million for testing, about $262 million for
contingency planning, and $148 million for operational evaluations.

According to their justification submissions to the Congress and OMB,
three categories of reasons emerged to explain organizations’ requests for
emergency funds: (1) new requirements that had not been planned for
fiscal year 1999, (2) cost increases to complete ongoing Y2K activities, and
(3) the unavailability of regular appropriations for planned Y2K work.

New requirements included outreach and independent verification and
validation (IV&V) (cited by 24 organizations), and decisions to replace
personal computers and network hardware and software (cited by
23 organizations)—activities not initially in agencies’ fiscal year 1999 plans.



Page 11                                                                        GAO/T-AIMD-99-214
                        For example, the Department of Commerce requested about $32 million for
                        IV&V and $25 million for outreach activities not previously anticipated.

                        Costs for ongoing Y2K activities also increased for 25 organizations,
                        beyond the fiscal year 1999 projections on which budget requests were
                        based. For instance, HHS’ Health Care Financing Administration (HCFA)
                        requested over $28 million for IV&V activities because such work had
                        increased beyond the level planned for fiscal year 1999. The Department of
                        Energy requested just under $14 million to accelerate renovation,
                        validation, and implementation.

                        Finally, in several cases, agencies reported that their budget requests were
                        reduced and Year 2000 emergency funding was utilized to help make up the
                        difference, even though not all of the activities in the original budget
                        request were Y2K-related. While no legislative or statutory requirements
                        explicitly provide for the use of emergency funds as an alternative to
                        general appropriations, the House-Senate conference report on Treasury
                        and Department of State appropriations for fiscal year 1999 acknowledges
                        the need for additional monies to achieve Y2K compliance, and part of the
                        Treasury and General Government Appropriations Act permits use of
                        Treasury funds to achieve Y2K compliance “until . . . supplemental
                        appropriations are made available . . . .”



Costs for Fiscal Year   In May 1999, the 24 major departments and agencies estimated their fiscal
                        year 2000 costs for Y2K activities at about $981 million—almost a nine-fold
2000 and Beyond         increase from the original fiscal year 2000 estimate of about $111 million
                        provided in February 1997. In addition, in their May 1999 quarterly reports
                        to OMB, three agencies estimated that they would incur about
                        $127.4 million in Year 2000 costs beyond fiscal year 2000.15 During our work
                        for the House Majority Leader, we asked agencies whether they expected
                        to have Year 2000 costs beyond those projected in their budgets. HHS was
                        the only agency that identified a specific need: it reported that it had begun
                        to identify possible Y2K needs of grantees.

                        Determining the extent of continued Y2K cost escalation is difficult
                        because of many uncertainties; 10 agencies reported that they had not
                        completed work on their mission-critical systems as of mid-May 1999,


                        15
                         The vast majority of these costs were reported by the Department of the Treasury, which reported that
                        the Internal Revenue Service’s Y2K costs after fiscal year 2000 would be about $125 million.




                        Page 12                                                                        GAO/T-AIMD-99-214
many agencies are still planning or undergoing end-to-end testing to ensure
that data can be properly transferred and processed among systems, and
much work with states and other partners remains. Key factors that could
fuel additional cost increases include agencies’ determining that they must
implement business continuity and contingency plans, or the occurrence of
other, unanticipated events due to the Y2K problem that must be
addressed.

In August 1998, HCFA estimated, for example, that it would need between
$311.2 million (most likely scenario) and $536.7 million (pessimistic
scenario) to handle emergency situations that could result from the Y2K
problem. HCFA reported that the types of activities that these funds would
be needed for included (1) unforeseen software, hardware, and
telecommunications failures, (2) increased paper claims due to provider or
billing companies’ inability to transmit electronically, and (3) claims
reprocessing to correct erroneous payments. HHS’ August 1998, November
1998, February 1999, and May 1999 quarterly reports to OMB included the
$311.2 million in contingent HCFA costs in its Year 2000 cost estimate. HHS
reported to us that it had requested about $165 million for Y2K activities in
its fiscal year 2000 budget request—the amount it estimated that it needed
to fund other Year 2000 activities, excluding the implementation of HCFA
contingency plans. Consistent with this, OMB has not included HCFA’s
contingency costs when reporting Y2K costs.

Other agencies could also have higher costs if business continuity and
contingency plans need to be implemented. For example, the Department
of Education’s May 1999 quarterly report stated that it planned to estimate
the cost to implement its contingency plans in the next few months and
that these estimates would be likely to increase its fiscal year 2000 and
overall Y2K cost estimates. Similarly, the Office of Personnel Management’s
May 1999 quarterly report said that it would continue to evaluate the need
for additional Y2K-related funding for business continuity and contingency
plan implementation and will advise OMB of those requirements.

Our guide on business continuity and contingency planning calls on
agencies to assess the cost and benefits of identified alternatives. 16 In its
May 13 memo requiring agencies to submit high-level business continuity
and contingency plans on June 15, OMB stated that agencies should follow
our guide in preparing these plans. Accordingly, OMB’s review of these


16
 GAO/AIMD-10.1.19, August 1998.




Page 13                                                      GAO/T-AIMD-99-214
                         plans should consider whether agencies provided estimated business
                         continuity and contingency plan costs. If not, OMB needs to require that
                         this information be provided expeditiously so that it can provide the
                         Congress with information on potential future funding needs.

                         Additional costs could also be incurred if some states do not complete their
                         Year 2000 work on systems that support federal programs, such as food
                         stamps and Medicaid. Recent information indicates that some state
                         systems are not scheduled to be compliant until the last quarter of 1999.
                         For example, according to OMB’s latest quarterly report dated June 15,
                         1999, three states or U.S. territories did not expect to complete testing of
                         their food stamp systems and four states or U.S. territories did not expect
                         to complete testing of their Medicaid eligibility systems until the last
                         quarter of 1999. Because these deadlines are so close to the turn of the
                         century, the risk of disruption to these states’ and territories’ programs
                         substantially increases, especially if delays occur or if unexpected
                         problems arise.

                         If states do not complete their Year 2000 remediation in time, or if those
                         remediation efforts fail, the states would have to implement their business
                         continuity and contingency plans, which could encompass federal
                         government assistance. An example of such assistance is the Department
                         of Labor’s April 2, 1999, emergency funding request of $274,000 to design
                         and develop a prototype PC-based system to be used in the event that a
                         state’s unemployment insurance system is unusable due to a Y2K-induced
                         problem. In addition, many state-administered federal programs, such as
                         Medicaid and child support enforcement, require the federal government to
                         reimburse states for a percentage of their administrative costs, which
                         would be expected to increase in the event that business continuity and
                         contingency plans are implemented.



Program and              While making systems ready for the year 2000 has been an enormous job,
                         other program and information technology needs have not disappeared; in
Information              fact, they continue to grow. In particular, because of the Year 2000 problem,
Technology Initiatives   agencies or the Congress have delayed implementation of regulatory
                         requirements and planned information technology initiatives. In addition,
Delayed by Y2K           many agencies have implemented or plan to implement moratoriums on
                         software changes until some time after the rollover to the new century. For
                         example:




                         Page 14                                                     GAO/T-AIMD-99-214
• In July 1998, HCFA notified the Congress of its intention to delay
  implementation of certain provisions of the Balanced Budget Act of
  1997 that would have required changes to systems on which Year 2000
  modifications were being made. As of June 16, 1999, HCFA had delayed
  work on seven provisions, in whole or in part, associated with this act in
  order to meet the Year 2000 challenge. In addition, HCFA reported that it
  had delayed another information technology initiative because it would
  have caused an unacceptable resource drain from the Year 2000 effort.
  According to a HCFA official, the agency is in the process of carefully
  examining all of the work associated with the Balanced Budget Act of
  1997 provisions and the other initiative in order to make decisions as to
  the order and time frames in which each will be accomplished after the
  Y2K effort.
• As we reported last year, the level of effort required for the Internal
  Revenue Service (IRS) to make its information systems compliant is
  without precedent. 17 Accordingly, as the Senate was debating the IRS
  Restructuring and Reform Act of 1998, the IRS Commissioner provided
  the Joint Committee on Taxation with a listing of 28 provisions that
  given their effective dates, could affect IRS’ ability to complete its Y2K
  work as planned. The final act extended the effective dates for 13 of the
  28 provisions about which IRS had expressed concern.
• Some agencies have delayed planned information technology initiatives
  in order to concentrate on their Year 2000 efforts. In December 1998 we
  reported that the Department of Housing and Urban Development
  suspended systems integration work on three mission-critical systems
  so that the department could focus its resources on completing Y2K
  renovations.18 Also, in September 1998, the Department of State
  imposed a moratorium on non-Year 2000-related system development
  projects to focus scarce resources on Y2K remediation.
• A backlog of system modifications will have to be addressed subsequent
  to the change of century. In response to our January 1999 suggestion,19
  OMB issued a memorandum in May stating that agencies should follow a
  policy that allows system changes only where absolutely necessary
  because such changes can introduce additional risk into systems that


17
  Internal Revenue Service: Impact of the IRS Restructuring and Reform Act on Year 2000 Efforts
(GAO/GGD-98-158R, August 4, 1998).
18
 HUD Information Systems: Improved Management Practices Needed to Control Integration Cost and
Schedule (GAO/AIMD-99-25, December 18, 1998).
19
 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major
Disruptions (GAO/T-AIMD-99-50, January 20, 1999).




Page 15                                                                       GAO/T-AIMD-99-214
     have already been certified as Y2K compliant and could divert resources
     from other Year 2000 efforts. Accordingly, at least six agencies have
     established, or plan to establish, moratoriums or restrictions on system
     changes during parts of 1999 and early 2000.

The total governmentwide volume of program and information technology
activities delayed by Y2K efforts is not known; therefore, the potential
demand for additional information technology resources in the future is
difficult to predict. However, the costs of these delayed activities could be
significant. Accordingly, OMB will need to work with the agencies to
determine the magnitude of these pent-up demands in order to make
informed funding decisions in the future.

In addition to these demands, increased resources will likely be needed
for another key issue that has been garnering increased attention—
information security. This issue has many dimensions, ranging from
national security to economic disruption to privacy considerations. As we
reported in September 1998, the expanded amount of audit evidence that
has become available since mid-1996 describes widespread and serious
weaknesses in adequately protecting federal assets, sensitive information,
and critical operations.20 These weaknesses place critical government
operations, such as national security, tax collection, and benefit payments,
as well as assets associated with these operations, at great risk of fraud,
disruption, and inappropriate disclosures. Further, as we testified in
September 1998, the Year 2000 crisis is the most dramatic example yet of
why we need to protect critical computer systems because it illustrates the
government’s widespread dependence on information systems and our
vulnerability to their disruption.21

Because of the longer-term danger of malicious attack from individuals or
groups, it is important that the government design long-term solutions to
this and other security risks. Accordingly, in response to recommendations
by the President’s Commission on Critical Infrastructure Protection,
Presidential Decision Directive 63 was issued in May 1998, which, among
other provisions, required federal agencies to develop plans for protecting
their own critical infrastructure, including cyber-based systems. These


20
  Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk
(GAO/AIMD-98-92, September 23, 1998).
21
 Information Security: Strengthened Management Needed to Protect Critical Federal Operations and
Assets (GAO/T-AIMD-98-312, September 23, 1998).




Page 16                                                                        GAO/T-AIMD-99-214
                        plans are currently undergoing review by the Critical Infrastructure
                        Assurance Office, which was established by the Presidential Directive.



Lessons Learned From    Throughout government—and likely in the private sector as well—
                        organizations’ experiences in addressing Y2K hold valuable lessons about
the Government’s Year   how information technology can best be managed. For many agencies, the
2000 Efforts Can Be     threat posed by the Year 2000 problem was a much-needed wake-up call.
                        Because of the urgency of the issue, agencies could not afford to carry on
Applied to Future       in the same manner that had resulted in over a decade of poor information
Information             technology planning and program management. Accordingly, lessons
Technology Activities   learned from the Year 2000 challenge should be applied to agencies’
                        implementation of the Clinger-Cohen Act of 1996 which, in part, seeks to
                        strengthen executive leadership in information management and institute
                        sound capital investment decision-making to maximize the return on
                        information systems investments. Indeed, the Department of Defense has
                        reported that its response to the Year 2000 problem has become an
                        example of an enterprisewide approach to information technology
                        management advocated by the Clinger-Cohen Act of 1996. It is important
                        that agencies institutionalize the processes that they have established to
                        contend with the Year 2000 problem so that future information technology
                        initiatives benefit from this massive effort.

                        Year 2000 programs provided agencies with the incentive and opportunity
                        to assume control of their information technology environment. In many
                        instances, it forced agencies to inventory their information systems, link
                        those systems to agency core business processes, and jettison systems of
                        marginal value. For example, in response to recommendations in our
                        August 1998 report, the Department of State is in the process of identifying
                        its core business functions and determining the relative importance of each
                        function.22

                        Earlier this year we also reported23 that the Year 2000 problem provided the
                        opportunity to institutionalize valuable lessons, such as the importance of
                        consistent and persistent top management attention, accompanied by


                        22
                         Year 2000 Computing Crisis: State Department Needs To Make Fundamental Improvements To Its Year
                        2000 Program (GAO/AIMD-98-162, August 28, 1998).
                        23
                         Defense Information Management: Continuing Implementation Challenges Highlight the Need for
                        Improvement (GAO/T-AIMD-99-93, February 25, 1999) and Year 2000 Computing Crisis: Defense Has
                        Made Progress, But Additional Management Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999).




                        Page 17                                                                    GAO/T-AIMD-99-214
reliable processes and reasonable controls. More specifically, complete and
accurate inventories of information systems can facilitate remediation,
testing, and validation activities. Information gained from identifying and
prioritizing mission-critical systems can further be used to identify and
retire duplicative or unproductive systems, and work that has been done to
identify and establish controls over data interfaces can help prevent data
exchange problems in the future. Similar lessons have been learned at the
state level, according to three state Year 2000 project managers. Other
critical success factors cited by one of these project managers that could
be used in future information technology initiatives are the need to
measure performance, outline responsibilities, and ensure accountability.

Another benefit of the Year 2000 effort was the establishment of
much-needed information technology policies. Our Year 2000 enterprise
readiness guide24 called on agencies to develop and implement policies,
guidelines, and procedures in such critical areas as configuration
management, quality assurance, risk management, project scheduling and
tracking, and metrics. Several agencies have implemented such policies.
For example:

• In April 1999, we reported that according to Postal Service officials, the
  service is implementing improved processes for documenting software,
  testing, quality control, and configuration management.25
• As part of its Year 2000 effort, HCFA has implemented policies and
  procedures related to configuration management, quality assurance,
  risk management, project scheduling and tracking, and performance
  metrics for its internal systems.
• As we testified in February, the Customs Commissioner has committed
  to leveraging the agency’s Year 2000 experience by extending the level of
  project management discipline and rigor being employed on the year
  2000 to other information technology programs and projects.26

Beyond individual agencies, the Year 2000 problem holds lessons in
overseeing and managing information technology on a governmentwide
basis. In particular, actions taken by the Congress and the Chief


24
 GAO/AIMD-10.1.14, September 1997.
25
 U.S. Postal Service: Subcommittee Questions Concerning Year 2000 Challenges Facing the Service
(GAO/AIMD-99-150R, April 23, 1999).
26
  Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000 Program
(GAO/T-AIMD-99-85, February 24, 1999).




Page 18                                                                       GAO/T-AIMD-99-214
Information Officers Council have demonstrated that effective oversight
and guidance can have a positive influence on major information
technology efforts. Congressional oversight played a crucial role in
focusing OMB and agency attention on the Y2K problem. In addition,
congressional hearings on international, national, governmentwide, and
agency-specific Year 2000 problems exposed the threat that this problem
poses to the public. The Chief Information Officers Council has proved
useful in addressing governmentwide issues through its Year 2000
Committee; this committee and its subcommittees have dealt with
important issues such as best practices, telecommunications, and data
exchanges. Continued oversight and guidance from the Congress and the
Chief Information Officers Council will be essential to ensuring the future
effectiveness of information technology initiatives.

Another lesson that could be adopted in the future is the use of
public/private partnerships. To address the Year 2000 problem from a
national perspective, the President’s Council on Year 2000 Conversion
adopted a sector-based focus and has been initiating outreach activities
since it became operational last spring. As a result, the Council and federal
agencies have partnered with private-sector organizations, such as the
North American Electric Reliability Council, to gather information critical
to the nation’s Year 2000 efforts and to address issues such as contingency
planning. In addition, the Chair of the Council has formed a Senior Advisors
Group composed of representatives from private-sector firms across key
economic sectors. Members of this group are expected to offer
perspectives on crosscutting issues, information-sharing, and appropriate
federal responses to potential Year 2000 failures. Other major information
technology areas, such as information security, could benefit from such an
approach.


In summary, it is clear that Year 2000 expenditures have been significant,
sometimes unpredictable, and growing. Emergency supplemental funds are
planned for a variety of purposes, including renovation, validation, and
implementation of individual systems and the independent verification and
validation of these systems. Moreover, Y2K cost growth may continue,
especially if business continuity and contingency plans must be put into
operation or if state-administered federal program remediation efforts are
not completed. While correcting the Y2K problem has been and continues
to be costly, the experiences of individual agencies and the government as a
whole in meeting this challenge have provided a renewed and needed focus
on information systems. We have come to realize how much we depend on



Page 19                                                     GAO/T-AIMD-99-214
                  them, and have been reminded of how they must be well-managed. As we
                  attempt to meet future information technology and security challenges,
                  these lessons should not be lost.

                  Messrs. Chairmen, this completes my statement. I would be happy to
                  respond to any questions that you or other members of the Committees
                  may have at this time.



Contact and       For information about this testimony, please contact Joel Willemssen at
                  (202) 512-6253 or by e-mail at willemssenj.aimd@gao.gov. Individuals
Acknowledgments   making key contributions to this testimony included Michael Fruitman,
                  James Hamilton, James Houtz, Linda Lambert, Michael Tovares, and Daniel
                  Wexler.




                  Page 20                                                GAO/T-AIMD-99-214
Page 21   GAO/T-AIMD-99-214
Appendix I

Organizations Receiving Emergency
Allocations (as of May 1999)                                                                              ApIenxdi




Organization                                                                Amount allocated (in thousands)
Department of theTreasury                                                                         $602,223
Department of Health and Human Services                                                            323,858
Department of Transportation                                                                       192,789
Department of Justice                                                                               84,396
Department of the Interior                                                                          80,347
Department of State                                                                                 64,918
District of Columbia                                                                                64,049
Department of Commerce                                                                              57,920
General Services Administration                                                                     48,407
Department of Agriculture                                                                           46,168
Executive Office of the President—Office of Administration                                          29,791
Department of Energya                                                                               23,840
Department of Labor                                                                                 17,792
Department of Housing and Urban Development                                                         12,200
Agency for International Development                                                                10,200
United States Information Agency                                                                     9,562
Federal Communications Commission                                                                    8,516
Securities and Exchange Commission                                                                   8,175
Federal Emergency Management Agency                                                                  7,352
National Archives and Records Administration                                                         6,662
Small Business Administration                                                                        4,840
Smithsonian Institution                                                                              4,801
Department of Education                                                                              3,846
Federal Trade Commission                                                                             2,599
Office of Personnel Management                                                                       2,428
Overseas Private Investment Corporation                                                              2,100
United States Holocaust Memorial Council                                                               900
Corporation for National and Community Service                                                         800
Executive Office of the President—Office of the U.S. Trade Representative                              498
Export-Import Bank of the United States                                                                400
Railroad Retirement Board                                                                              398
National Capital Planning Commission                                                                   381
Commodity Futures Trading Commission                                                                   356
Selective Service System                                                                               250
Federal Labor Relations Authority                                                                      243
African Development Foundation                                                                         137




                                               Page 22                                   GAO/T-AMID-99-214
                                             Appendix I
                                             Organizations Receiving Emergency
                                             Allocations (as of May 1999)




Organization                                                                                             Amount allocated (in thousands)
Office of Special Counsel                                                                                                                   100
Merit Systems Protection Board                                                                                                               66
Architectural and Transportation Barriers Compliance Board                                                                                   60
Marine Mammal Commission                                                                                                                     38
Total – civil agencies                                                                                                              $1,724,406
Department of Defense                                                                                                                  935,000
Total allocations                                                                                                                   $2,659,406
                                             aThis amount does not include $13.65 million that was allocated to the Department of Energy but was
                                             not transferred.
                                             Source: OMB.




(511764)                    Leret            Page 23                                                                      GAO/T-AMID-99-214
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Mail
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested