
Year 2000 Computing Challenge: Readiness Improving Yet Essential Actions Remain to Ensure Delivery of Critical Services

Published by the Government Accountability Office on 1999-08-17.


United States General Accounting Office

GAO Testimony
Before the Subcommittee on Government Management, Information and Technology,
Committee on Government Reform, House of Representatives

For Release on Delivery
Expected at 9 a.m. PDT
Tuesday, August 17, 1999

YEAR 2000 COMPUTING CHALLENGE

Readiness Improving Yet Essential Actions Remain to Ensure Delivery of Critical Services

Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division

GAO/T-AIMD-99-268

        Mr. Chairman and Members of the Subcommittee:

        Thank you for inviting us to participate in today’s hearing on the Year 2000
        problem. According to the report of the President’s Commission on Critical
        Infrastructure Protection, the United States—with close to half of all
        computer capacity and 60 percent of Internet assets—is the world’s most
        advanced and most dependent user of information technology.1 Should
        these systems—which perform functions and services critical to our
        nation—suffer problems, it could create widespread disruption.
        Accordingly, the upcoming change of century is a sweeping and urgent
        challenge for public- and private-sector organizations alike.

        Because of its urgent nature and the potentially devastating impact it could
        have on critical government operations, in February 1997 we designated
        the Year 2000 problem a high-risk area for the federal government.2 Since
        that time, we have issued over 130 reports and testimony statements
        detailing specific findings and numerous recommendations related to the
        Year 2000 readiness of a wide range of federal agencies.3 We have also
        issued guidance to help organizations successfully address the issue.4

        Today, I will highlight the Year 2000 risks facing the nation, discuss the
        federal government’s progress and challenges that remain in correcting its
        systems, identify state and local government Year 2000 issues, and provide
        an overview of available information on the readiness of key public
        infrastructure and economic sectors.




        1 Critical Foundations: Protecting America’s Infrastructures (President’s Commission on Critical
        Infrastructure Protection, October 1997).

        2 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).

        3 A list of these publications is included as an attachment to this statement. These publications can be
        obtained through GAO’s World Wide Web page at www.gao.gov/y2kr.htm.

        4 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
        February 1997 and in final form in September 1997), which addresses the key tasks needed to complete
        each phase of a Year 2000 program (awareness, assessment, renovation, validation, and
        implementation); Year 2000 Computing Crisis: Business Continuity and Contingency Planning
        (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998 and in final form in August 1998), which
        describes the tasks needed to ensure the continuity of agency operations; and Year 2000 Computing
        Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998 and in final form
        in November 1998), which discusses the need to plan and conduct Year 2000 tests in a structured and
        disciplined fashion.




The Public Faces Risk of Year 2000 Disruptions

                        The public faces the risk that critical services provided by the government
                        and the private sector could be severely disrupted by the Year 2000
                        computing problem. Financial transactions could be delayed, flights
                        grounded, power lost, and national defense affected. Moreover, America’s
                        infrastructures are a complex array of public and private enterprises with
                        many interdependencies at all levels. These many interdependencies
                        among governments and within key economic sectors could cause a single
                        failure to have adverse repercussions in other sectors. Key sectors that
                        could be seriously affected if their systems are not Year 2000 compliant
                        include information and telecommunications; banking and finance; health,
                        safety, and emergency services; transportation; power and water; and
                        manufacturing and small business.

                        The following are examples of some of the major disruptions the public and
                        private sectors could experience if the Year 2000 problem is not corrected.

                        • With respect to aviation, there could be grounded or delayed flights,
                          degraded safety, customer inconvenience, and increased airline costs.5
                        • Aircraft and other military equipment could be grounded because the
                          computer systems used to schedule maintenance and track supplies
                          may not work. Further, the Department of Defense could incur
                          shortages of vital items needed to sustain military operations and
                          readiness.6
                        • Medical devices and scientific laboratory equipment may experience
                          problems beginning January 1, 2000, if their software applications or
                          embedded chips use two-digit fields to represent the year.

                        Recognizing the seriousness of the Year 2000 problem, on February 4, 1998,
                        the President signed an executive order that established the President’s
                        Council on Year 2000 Conversion, chaired by an Assistant to the President
                        and consisting of one representative from each of the executive
                        departments and from other federal agencies as may be determined by the
                        Chair. The Chair of the Council was tasked with the following Year 2000
                        roles: (1) overseeing the activities of agencies, (2) acting as chief
                        spokesperson in national and international forums, (3) providing policy

                        5 FAA Systems: Serious Challenges Remain in Resolving Year 2000 and Computer Security Problems
                        (GAO/T-AIMD-98-251, August 6, 1998) and Year 2000 Computing Crisis: FAA Is Making Progress But
                        Important Challenges Remain (GAO/T-AIMD/RCED-99-118, March 15, 1999).

                        6 Defense Computers: Year 2000 Computer Problems Threaten DOD Operations (GAO/AIMD-98-72,
                        April 30, 1998).




                    coordination of executive branch activities with state, local, and tribal
                    governments, and (4) promoting appropriate federal roles with respect to
                    private-sector activities.



Improvements Made But Much Work Remains

                    Addressing the Year 2000 problem is a tremendous challenge for the federal
                    government. Many of the federal government’s computer systems were
                    originally designed and developed 20 to 25 years ago, are poorly
                    documented, and use a wide variety of computer languages, many of which
                    are obsolete. Some applications include thousands, tens of thousands, or
                    even millions of lines of code, each of which must be examined for
                    date-format problems.

                    To meet this challenge and monitor individual agency efforts, the Office
                    of Management and Budget (OMB) directed the major departments and
                    agencies to submit quarterly reports on their progress, beginning
                    May 15, 1997. These reports contain information on where agencies stand
                    with respect to the assessment, renovation, validation, and implementation
                    of mission-critical systems, as well as other management information on
                    items such as costs and business continuity and contingency plans.

                    The federal government’s most recent reports show improvement in
                    addressing the Year 2000 problem. While much work remains, the federal
                    government has significantly increased its percentage of mission-critical
                    systems that are reported to be Year 2000 compliant, as figure 1 illustrates.
                    In particular, while the federal government did not meet its goal of having
                    all mission-critical systems compliant by March 1999, as of mid-May 1999,
                    93 percent of these systems were reported compliant.




Figure 1: Mission-Critical Systems Reported Year 2000 Compliant, May 1997 Through May 1999

Report     Reported compliant
May-97     21%
Aug-97     19%
Nov-97     27%
Feb-98     35%
May-98     40%
Aug-98     50%
Nov-98     61%
Feb-99     79%
May-99     93%

Source: May 1997 through May 1999 data are from the OMB quarterly reports.


While this reported progress is notable, OMB also noted that 10 agencies
have mission-critical systems that were not yet compliant.7 In addition, as
we testified in April, some of the systems that were not yet compliant
support vital government functions.8 For example, some of the systems
that were not compliant were among the 26 mission-critical systems that
the Federal Aviation Administration (FAA) has identified as posing the
greatest risk to the National Airspace System—the network of equipment,
facilities, and information that supports U.S. aviation operations.

Additionally, not all systems have undergone an independent verification
and validation process. For example, in April 1999 the Department of
Commerce awarded a contract for independent verification and validation


7 The 10 agencies were the Departments of Agriculture, Commerce, Defense, Energy, Health and Human
Services, Justice, Transportation, and the Treasury and the National Aeronautics and Space
Administration and the U.S. Agency for International Development.

8 Year 2000 Computing Challenge: Federal Government Making Progress But Critical Issues Must Still
Be Addressed to Minimize Disruptions (GAO/T-AIMD-99-144, April 14, 1999).




                          reviews of approximately 40 mission-critical systems that support that
                          department’s most critical business processes. These reviews are to
                          continue through the summer of 1999. In some cases, independent
                          verification and validation of compliant systems have found serious
                          problems. For example, as we testified this past February,9 none of
                          54 external mission-critical systems of the Health Care Financing
                          Administration reported by the Department of Health and Human Services
                          (HHS) as compliant as of December 31, 1998, was Year 2000 ready at that
                          time, based on serious qualifications identified by the independent
                          verification and validation contractor.


Reviews Show Uneven Federal Agency Progress

                          While the overall Year 2000 readiness of the government has improved, our
                          reviews of federal agency Year 2000 programs have found uneven progress.
                          Some agencies had made good progress while other agencies were
                          significantly behind schedule but had taken actions to improve their
                          readiness. For example:

                          • In October 1997, we reported that while the Social Security
                            Administration (SSA) had made significant progress in assessing and
                            renovating mission-critical mainframe software, certain areas of risk in
                            its Year 2000 program remained.10 Accordingly, we made several
                            recommendations to address these risk areas, which included the Year
                            2000 compliance of the systems used by the 54 state Disability
                            Determination Services11 that help administer the disability programs.
                            SSA agreed with these recommendations and, in July 1999, we reported
                            that actions to implement these recommendations had either been taken
                            or were underway.12 For example, regarding the state Disability
                            Determination Services systems, SSA enhanced its monitoring and
                            oversight by establishing a full-time project team, designating project
                            managers and coordinators, and requesting biweekly reports. While



                          9 Year 2000 Computing Crisis: Readiness Status of the Department of Health and Human Services
                          (GAO/T-AIMD-99-92, February 26, 1999).

                          10 Social Security Administration: Significant Progress Made in Year 2000 Effort, But Key Risks Remain
                          (GAO/AIMD-98-6, October 22, 1997).

                          11 These include the systems in all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin
                          Islands.

                          12 Social Security Administration: Update on Year 2000 and Other Key Information Technology
                          Initiatives (GAO/T-AIMD-99-259, July 29, 1999).




  actions such as these demonstrated SSA’s leadership in addressing the
  Year 2000 problem, it still needed to complete critical tasks to ensure
  readiness, including (1) ensuring the compliance of all external data
  exchanges, (2) completing tasks outlined in its contingency plans,
  (3) certifying the compliance of one remaining mission-critical system,
  (4) completing hardware and software upgrades in the Office of
  Telecommunications and Systems Operations, and (5) correcting date
  field errors identified through its quality assurance process.
• In May 1999, we testified13 that the Department of Education had made
  progress toward addressing the significant risks we had identified in
  September 199814 related to systems testing, exchanging data with
  internal and external partners, and developing business continuity and
  contingency plans. Nevertheless, work remained ongoing in these areas.
  For example, Education had scheduled a series of tests with its data
  exchange partners, such as schools, through the early part of the fall.
  Tests such as these are important since Education’s student financial aid
  environment is very large and complex, including over 7,000 schools,
  6,500 lenders, and 36 guaranty agencies, as well as other federal
  agencies; we have reported that Education has experienced serious data
  integrity problems in the past.15 Accordingly, our May testimony stated
  that Education needed to continue end-to-end testing of critical
  business processes involving Education’s internal systems and its
  external data exchange partners and continue its outreach activities
  with schools, guaranty agencies, and other participants in the student
  financial aid community.
• Our work has shown that the Department of Defense and the military
  services face significant problems.16 This March we testified that
  despite considerable progress made in the preceding 3 months, the


13 Year 2000 Computing Challenge: Education Taking Needed Actions But Work Remains
(GAO/T-AIMD-99-180, May 12, 1999).

14 Year 2000 Computing Crisis: Significant Risks Remain to Department of Education’s Student Financial
Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).

15 Student Financial Aid Information: Systems Architecture Needed to Improve Programs’ Efficiency
(GAO/AIMD-97-122, July 29, 1997).

16 Defense Computers: Year 2000 Computer Problems Put Navy Operations at Risk (GAO/AIMD-98-150,
June 30, 1998); Defense Computers: Army Needs to Greatly Strengthen Its Year 2000 Program
(GAO/AIMD-98-53, May 29, 1998); GAO/AIMD-98-72, April 30, 1998; and Defense Computers: Air Force
Needs to Strengthen Year 2000 Oversight (GAO/AIMD-98-35, January 16, 1998).




                                department was still well behind schedule.17 We found that the
                                Department of Defense faced two significant challenges: (1) completing
                                remediation and testing of its mission-critical systems and (2) having a
                                reasonable level of assurance that key processes will continue to work
                                on a day-to-day basis and key operational missions necessary for
                                national defense can be successfully accomplished. We concluded that
                                such assurance could only be provided if Defense took steps to improve
                                its visibility over the status of key business processes.


End-to-End Testing Must Be Completed

                             While it is important to achieve compliance for individual mission-critical
                             systems, realizing such compliance alone does not ensure that business
                             functions will continue to operate through the change of century—the
                             ultimate goal of Year 2000 efforts. The purpose of end-to-end testing is to
                             verify that a defined set of interrelated systems, which collectively support
                             an organizational core business area or function, will work as intended in
                             an operational environment. In the case of the year 2000, many systems in
                             the end-to-end chain will have been modified or replaced. As a result, the
                             scope and complexity of testing—and its importance—are dramatically
                             increased, as is the difficulty of isolating, identifying, and correcting
                             problems. Consequently, agencies must work early and continually with
                             their data exchange partners to plan and execute effective end-to-end tests.
                             (Our Year 2000 testing guide sets forth a structured approach to testing,
                             including end-to-end testing.18)

                             In January, we testified that with the time available for end-to-end testing
                             diminishing, OMB should consider, for the government’s most critical
                             functions, setting target dates, and having agencies report against them, for
                             the development of end-to-end test plans, the establishment of test
                             schedules, and the completion of the tests.19 On March 31, OMB and the
                             Chair of the President’s Council on Year 2000 Conversion announced that
                             one of the key priorities that federal agencies will be pursuing during the
                             rest of 1999 will be cooperative end-to-end testing to demonstrate the Year
                             2000 readiness of federal programs with states and other partners.


                             17 Year 2000 Computing Crisis: Defense Has Made Progress, But Additional Management Controls Are
                             Needed (GAO/T-AIMD-99-101, March 2, 1999).

                             18 GAO/AIMD-10.1.21, November 1998.

                             19 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major
                             Disruptions (GAO/T-AIMD-99-50, January 20, 1999).




                          Agencies have also acted to address end-to-end testing. For example, our
                          March FAA testimony20 found that the agency had addressed our prior
                          concerns about the lack of detail in its draft end-to-end test program plan
                          and had developed a detailed end-to-end testing strategy and plans.21 Also,
                          in June 1999 we reported22 that the Department of Defense had underway
                          or planned hundreds of related Year 2000 end-to-end test and evaluation
                          activities and that, thus far, it was taking steps to ensure that these related
                          end-to-end tests were effectively coordinated. However, we concluded that
                          the Department of Defense was far from successfully finishing its various
                          Year 2000 end-to-end test activities and that it must complete efforts to
                          establish end-to-end management controls, such as establishing an
                          independent quality assurance program.



Business Continuity and Contingency Plans Are Needed

                          Business continuity and contingency plans are essential. Without such
                          plans, when unpredicted failures occur, agencies will not have well-defined
                          responses and may not have enough time to develop and test alternatives.
                          Federal agencies depend on data provided by their business partners as
                          well as on services provided by the public infrastructure (e.g., power,
                          water, transportation, and voice and data telecommunications). One weak
                          link anywhere in the chain of critical dependencies can cause major
                          disruptions to business operations. Given these interdependencies, it is
                          imperative that contingency plans be developed for all critical core
                          business processes and supporting systems, regardless of whether these
                          systems are owned by the agency. Accordingly, in April 1998 we
                          recommended that the Council require agencies to develop contingency
                          plans for all critical core business processes.23

                          OMB has clarified its contingency plan instructions and, along with the
                          Chief Information Officers Council, has adopted our business continuity
                          and contingency planning guide.24 In particular, on January 26, 1999, OMB



                          20 GAO/T-AIMD/RCED-99-118, March 15, 1999.

                          21 GAO/T-AIMD-98-251, August 6, 1998.

                          22 Defense Computers: Management Controls Are Critical to Effective Year 2000 Testing
                          (GAO/AIMD-99-172, June 30, 1999).

                          23 Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for Strong Leadership and
                          Partnerships (GAO/AIMD-98-85, April 30, 1998).

                          24 GAO/AIMD-10.1.19, August 1998.




called on federal agencies to identify and report on the high-level core
business functions that are to be addressed in their business continuity and
contingency plans, as well as to provide key milestones for development
and testing of such plans in their February 1999 quarterly reports. In
addition, on May 13 OMB required agencies to submit high-level versions of
these plans by June 15. According to an OMB official, OMB has received
plans from the 24 major departments and agencies. This official stated that
OMB planned to review the plans, discuss them with the agencies,
determine whether there were any common themes, and report on the
plans’ status in its next quarterly report.

To provide assurance that agencies’ business continuity and contingency
plans will work if needed, on January 20 we suggested that OMB may want
to consider requiring agencies to test their business continuity strategy and
set a target date, such as September 30, 1999, for the completion of this
validation.25 Our review of the 24 major departments and agencies’ May
1999 quarterly reports found 14 cases in which agencies did not identify
test dates for their business continuity and contingency plans or reported
test dates subsequent to September 30, 1999.

On March 31, OMB and the Chair of the President’s Council announced that
completing and testing business continuity and contingency plans as
insurance against disruptions to federal service delivery and operations
from Year 2000-related failures will be one of the key priorities that federal
agencies will be pursuing through the rest of 1999. Accordingly, OMB
should implement our suggestion and establish a target date for the
validation of agency business continuity and contingency plans.

Our reviews of specific agency business continuity and contingency plans
have found that agencies are in varying stages of completion. For example:

• We testified in July 1999 that SSA was in the process of testing all of its
  contingency plans, with expected completion in September.26 In
  addition, SSA planned to assist the Department of the Treasury in
  developing alternative disbursement processes for problematic financial
  institutions.




25 GAO/T-AIMD-99-50, January 20, 1999.

26 GAO/T-AIMD-99-259, July 29, 1999.




                             • This June, we testified that the U.S. Customs Service had implemented
                               sound management processes for developing business continuity and
                               contingency plans and was in the process of testing its plans.27 Customs
                               expected to complete contingency plan testing by October 1999.
                             • In May 1999, we reported28 that the Department of Agriculture’s
                               component agencies were actively engaged in developing business
                               continuity and contingency plans but that much work remained to
                               complete and test these plans. Further, its December 1999
                               departmentwide goal of completing business continuity and
                               contingency plans left no room for delays or sufficient time for
                               correcting, revising, and retesting plans, if necessary. Consequently, we
                               recommended that the Department of Agriculture advance its time
                               frame to no later than September 30, 1999, and develop priorities for
                               completing and testing business continuity and contingency plans that
                               are aligned with the department’s highest priority business processes, to
                               ensure that remaining work addresses these processes first. The
                               Department of Agriculture’s Chief Information Officer stated that the
                               department planned to implement our recommendations.
                             • This June, we reported29 that the General Services Administration had
                               completed its telecommunications business continuity and contingency
                               plan in September 1998. However, we made several suggestions for
                               enhancing this plan, including that the General Services Administration
                               work with its customers to ensure that the customers’ business
                               continuity and contingency plans are fully coordinated with the General
                               Services Administration’s plan and that it consider the possibility of
                               partial loss of service. The General Services Administration agreed to
                               implement our suggestions.


OMB Action Could Help Ensure Business Continuity of High-Impact Programs

                             While individual agencies have been identifying and remediating
                             mission-critical systems, the government’s future actions need to be focused on its
                             high-priority programs and ensuring the continuity of these programs,
                             including the continuity of federal programs that are administered by
                             states. Accordingly, governmentwide priorities need to be based on such


                             27 Year 2000 Computing Crisis: Customs Is Making Good Progress (GAO/T-AIMD-99-225, June 29, 1999).

                             28 Year 2000 Computing Crisis: USDA Needs to Accelerate Time Frames for Completing Contingency
                             Planning (GAO/AIMD-99-178, May 21, 1999).

                             29 GSA’s Effort to Develop Year 2000 Business Continuity and Contingency Plans for
                             Telecommunications Systems (GAO/AIMD-99-201R, June 16, 1999).




                        criteria as the potential for adverse health and safety effects, adverse
                        financial effects on American citizens, detrimental effects on national
                        security, and adverse economic consequences. In April 1998, we
                        recommended that the President’s Council on Year 2000 Conversion
                        establish governmentwide priorities and ensure that agencies set
                        agencywide priorities.30

                        On March 26, OMB implemented our recommendation by issuing a
                        memorandum to federal agencies designating lead agencies for the
                        government’s 42 high-impact programs (e.g., food stamps, Medicare, and
                        federal electric power generation and delivery). (OMB later added a 43rd
                        high-impact program—the Department of Justice’s National Crime
                        Information Center.) Appendix I lists these programs and their lead
                        agencies. For each program, the lead agency was charged with identifying
                        to OMB the partners integral to program delivery; taking a leadership role
                        in convening those partners; assuring that each partner has an adequate
                        Year 2000 plan and, if not, helping each partner without one; and
                        developing a plan to ensure that the program will operate effectively.
                        According to OMB, such a plan might include testing data exchanges
                        across partners, developing complementary business continuity and
                        contingency plans, sharing key information on readiness with other
                        partners and the public, and taking other steps necessary to ensure that the
                        program will work. OMB directed the lead agencies to provide a schedule
                        and milestones of key activities in their plans by April 15. OMB also asked
                        agencies to provide monthly progress reports. As you know, we are
                        currently reviewing agencies’ progress in ensuring the readiness of their
                        high-impact programs for this Subcommittee.



State and Local Governments Face Significant Year 2000 Risks

                        Just as the federal government faces significant Year 2000 risks, so too do
                        state and local governments. If the Year 2000 problem is not properly
                        addressed, for example, (1) food stamps and other types of payments may
                        not be made or could be made for incorrect amounts, (2) date-dependent
                        signal timing patterns could be incorrectly implemented at highway
                        intersections, with safety severely compromised, and (3) prisoner release
                        or parole eligibility determinations may be adversely affected.
                        Nevertheless, available information on the Year 2000 readiness of state and
                        local governments indicates that much work remains.



                        30 GAO/AIMD-98-85, April 30, 1998.




According to information on state Year 2000 activities reported to the
National Association of State Information Resource Executives as of
August 3, 1999,31 states32 reported having thousands of mission-critical
systems.33 With respect to completing the implementation phase for these
systems,

•     2 states34 reported that they had completed between 25 and 49 percent,
•     6 states35 reported completing between 50 and 74 percent,
•     38 states36 reported completing between 75 and 99 percent, and
•     3 states reported completing the implementation phase for all
      mission-critical systems.37

All of the states responding to the National Association of State
Information Resource Executives survey reported that they were actively
engaged in internal and external contingency planning and that they had
established target dates for the completion of these plans; 14 states
(28 percent) reported the deadline as October 1999 or later.

State audit organizations have also identified significant Year 2000
concerns. In January, the National State Auditors Association reported on
the results of its mid-1998 survey of Year 2000 compliance among states.38
This report stated that for the 12 state audit organizations that provided
Year 2000-related reports, concerns had been raised in areas such as




31 Individual states submit periodic updates to the National Association of State Information Resource
Executives. For the August 3 report, over three quarters of the states submitted their data after
July 1, 1999. The oldest data were provided on March 11 and the most recent data on August 2.

32 In the context of the National Association of State Information Resource Executives survey, the term
“states” includes the District of Columbia and Puerto Rico.

33 Mission-critical systems were defined as those that a state had identified as priorities for prompt
remediation.

34 One state reported on its mission-critical systems and one state reported on its processes.

35 Five states reported on their mission-critical systems and one reported on all systems.

36 Thirty-one states reported on their mission-critical systems, 2 states reported on their applications,
1 reported on its “priority business activities,” 1 reported on its “critical compliance units,” 1 reported
on all systems, 1 reported on functions, and 1 reported on projects.

37 Two states did not respond to the survey and one did not respond to this question.

38 Year 2000: State Compliance Efforts (National State Auditors Association, January 1999).




planning, testing, embedded systems, business continuity and contingency
planning, and the adequacy of resources to address the problem.

We identified additional products by 17 state-level audit organizations and
Guam that discussed the Year 2000 problem and that had been issued since
October 1, 1998. Several of these state-level audit organizations noted that
progress had been made. However, the audit organizations also expressed
concerns that were consistent with those reported by the National State
Auditors Association. For example:

• In December 1998 the Vermont State Auditor reported39 that the state
  Chief Information Officer did not have a comprehensive control list of
  the state’s information technology systems. Accordingly, the audit office
  stated that even if all mission-critical state systems were checked, these
  systems could be endangered by information technology components
  that had not been checked or by linkages with the state’s external
  electronic partners.
• In April, New York’s Division of Management Audit and State Financial
  Services reported that state agencies did not adequately control the
  critical process of testing remediated systems.40 Further, most agencies
  were in the early stages of addressing potential problems related to data
  exchanges and embedded systems and none had completed substantive
  work on contingency planning. The New York audit office subsequently
  issued 27 reports on individual mission-critical and high-priority
  systems that included concerns about, for example, contingency
  planning and testing.
• In February, the California State Auditor reported41 that key agencies
  responsible for emergency services, corrections, and water resources,
  among other areas, had not fully addressed embedded technology-
  related threats. Regarding emergency services, the California report
  stated that if remediation of the embedded technology in its networks
  was not completed, the Office of Emergency Services might have to rely
  on cumbersome manual processes, significantly increasing response
  time to disasters.


39 Vermont State Auditor’s Report on State Government’s Year 2000 Preparedness (Y2K Compliance) for
the Period Ending November 1, 1998 (Office of the State Auditor, December 31, 1998).

40 New York’s Preparation for the Year 2000: A Second Look (Office of the State Comptroller, Division of
Management Audit and State Financial Services, Report 98-S-21, April 5, 1999).

41 Year 2000 Computer Problem: The State’s Agencies Are Progressing Toward Compliance but Key
Steps Remain Incomplete (California State Auditor, February 18, 1999).




• In March, Oregon’s Audits Division reported42 that 11 of the 12 state
  agencies reviewed did not have business continuity plans addressing
  potential Year 2000 problems for their core business functions.
• In March, North Carolina’s State Auditor reported43 that resource
  restrictions had limited the state’s Year 2000 Project Office’s ability to
  verify data reported by state agencies.

It is also essential that local government systems be ready for the change of
century since critical functions involving, for example, public safety and
traffic management are performed at the local level. Recent reports on
local governments have highlighted Year 2000 concerns. For example:

• On July 15, we reported on the reported Year 2000 status of the
  21 largest U.S. cities.44 On average, cities reported completing work for
  45 percent of the key service areas in which they have responsibility. In
  addition, 2 cities reported that they had completed their Year 2000
  efforts, 9 cities expected to complete their Year 2000 preparations by
  September 30, 1999, and the remaining 10 cities expected to complete
  their preparation by December 31.45 In addition, 7 cities reported
  completing Year 2000 contingency plans, while 14 cities reported that
  their plans were still being developed.
• On July 9, the National League of Cities reported on its survey of
  403 cities conducted in April 1999. This survey found that (1) 92 percent
  of cities had a citywide Year 2000 plan, (2) 74 percent had completed
  their assessment of critical systems, and (3) 66 percent had prepared
  contingency plans. (Of those that had not completed such plans, about
  half stated that they were planning to develop one.) In addition,
  92 percent of the cities reported that they expect that all of their critical
  systems will be compliant by January 1, 2000; 5 percent expected to
  have completed between 91 and 99 percent, and 3 percent expected to
  have completed between 81 and 90 percent of their critical systems by
  January 1.


42 Department of Administrative Services Year 2000 Statewide Project Office Review (Secretary of State,
Audits Division, State of Oregon Report No. 99-05, March 16, 1999).

43 Department of Commerce, Information Technology Services Year 2000 Project Office (Office of the
State Auditor, State of North Carolina, March 18, 1999).

44 Reported Y2K Status of the 21 Largest U.S. Cities (GAO/AIMD-99-246R, July 15, 1999).

45 In most cities, the majority of city services are scheduled to be completed before this completion
date. For example, Los Angeles plans to have all key city systems ready by September 30, except for its
wastewater treatment systems, which are expected to be completed in November.




• On June 23, the National Association of Counties announced the results
  of its April survey of 500 randomly selected counties. This survey found
  that (1) 74 percent of respondents had a countywide plan to address
  Year 2000 issues, (2) 51 percent had completed system assessments, and
  (3) 27 percent had completed system testing. In addition, 190 counties
  had prepared contingency plans and 289 had not. Further, of the
  114 counties reporting that they planned to develop Year 2000
  contingency plans, 22 planned to develop the plan in April-June, 64 in
  July-September, 18 in October-December, and 10 did not yet know.

Of critical importance to the nation are services essential to the safety and
well-being of individuals across the country, namely 9-1-1 systems and law
enforcement. For the most part, responsibility for ensuring continuity of
service for 9-1-1 calls and law enforcement resides with thousands of state
and local jurisdictions. On April 29, we testified that not enough was known
about the status of either 9-1-1 systems or of state and local law
enforcement activities to conclude about either’s ability during the
transition to the year 2000 to meet the public safety and well-being needs of
local communities across the nation.46 While the federal government
planned additional actions to determine the status of these areas, we stated
that the President’s Council on Year 2000 Conversion should use such
information to identify specific risks and develop appropriate strategies
and contingency plans to respond to those risks.

We subsequently reported47 that the Federal Emergency Management
Agency and the Department of Justice have worked to increase the
response rate to a survey of public safety organizations. As of
June 30, 1999, of the over 2,200 9-1-1 sites responding (about half of the
9-1-1 call answering sites in the United States), 37 percent reported that
they were ready for the year 2000. Another 55 percent responded that they
expected to be Year 2000 compliant in time for the change of century.

Recognizing the seriousness of the Year 2000 risks facing state and local
governments, the President’s Council has developed initiatives to address
the readiness of state and local governments. For example:



46 Year 2000 Computing Challenge: Status of Emergency and State and Local Law Enforcement Systems
Is Still Unknown (GAO/T-AIMD-99-163, April 29, 1999).

47 Emergency and State and Local Law Enforcement Systems: Committee Questions Concerning Year
2000 Challenges (GAO/AIMD-99-247R, July 14, 1999).




                             • The Council established working groups on state and local governments
                               and tribal governments.
                             • Council officials participate in monthly multistate conference calls.
                             • In July 1998 and March 1999, the Council, in partnership with the
                               National Governors’ Association, convened Year 2000 summits with
                               state and U.S. territory Year 2000 coordinators.
                             • On May 24, the Council announced a nationwide campaign to promote
                               “Y2K Community Conversations” to support and encourage efforts of
                               government officials, business leaders, and interested citizens to share
                               information on their progress. To support this initiative, the Council has
                               developed and is distributing a toolkit that provides examples of which
                               sectors should be represented at these events and issues that should be
                               addressed.


State-Administered Federal Human Services Programs Are at Risk

                             Among the critical functions performed by states are the administration of
                             federal human services programs. As we reported in November 1998, many
                             systems that support state-administered federal human services programs
                             were at risk, and much work remained to ensure that services would
                             continue.48 In February of this year, we testified that while some progress
                             had been achieved, many states’ systems were not scheduled to become
                             compliant until the last half of 1999.49 Accordingly, we concluded that given
                             these risks, business continuity and contingency planning was even more
                             important in ensuring continuity of program operations and benefits in the
                             event of systems failures.

                             Subsequent to our November 1998 report, OMB directed federal oversight
                             agencies to include the status of selected state human services systems in
                             their quarterly reports. Specifically, in January 1999, OMB requested that
                             agencies describe actions to help ensure that federally supported, state-run
                             programs will be able to provide services and benefits. OMB further asked
                             that agencies report the date when each state’s systems will be Year 2000
                             compliant.




                             48 Year 2000 Computing Crisis: Readiness of State Automated Systems to Support Federal Welfare
                             Programs (GAO/AIMD-99-28, November 6, 1998).

                             49 Year 2000 Computing Crisis: Readiness of State Automated Systems That Support Federal Human
                             Services Programs (GAO/T-AIMD-99-91, February 24, 1999).




Table 1 summarizes the latest information on state-administered federal
human services programs reported by OMB on June 15, 1999.50 This
information was gathered, but not verified, by the Departments of
Agriculture, HHS, and Labor.51 It indicates that while many states reported
their programs to be compliant, a number of states did not plan to complete
Year 2000 efforts until the last quarter of 1999. For example, eight states did
not expect to be compliant until the last quarter of 1999 for Child Support
Enforcement, five states for Unemployment Insurance, and four states for
Child Nutrition. Moreover, Year 2000 readiness information was unknown
in many cases. For example, according to OMB, the status of 32 states’ Low
Income Home Energy Assistance programs was unknown because
applicable readiness information was not available.




50 For Medicaid, OMB reports on the two primary systems that states use to administer the program:
(1) the Integrated Eligibility System, to determine whether an individual applying for Medicaid meets
the eligibility criteria for participation, and (2) the Medicaid Management Information System, to
process claims and deliver payments for services rendered. Integrated eligibility systems are also often
used to determine eligibility for other public assistance programs, such as Food Stamps.

51 The Department of Agriculture oversees the Child Nutrition, Food Stamp, and the Women, Infants,
and Children programs. HHS oversees the Child Care, Child Support Enforcement, Child Welfare, Low
Income Home Energy Assistance, Medicaid, and Temporary Assistance for Needy Families programs.
The Department of Labor oversees the Unemployment Insurance program.




Table 1: Reported State-Level Readiness for Federally Supported Programs

                                                          Expected Date of 1999 Compliance
Program(a)                                  Compliant(b)  Jan.-March  April-June  July-Sept.  Oct.-Dec.   Unknown(c)  N/A(d)
Child Nutrition                             29            0           9           10          4           2           0
Food Stamps                                 25            0           12          14          3           0           0
Women, Infants, and Children                33            0           11          7           3           0           0
Child Care                                  24            5           5           8           2           6           4
Child Support Enforcement                   15            4           13          8           8           6           0
Child Welfare                               20            5           9           11          3           5           1
Low Income Home Energy Assistance Program   10            0           3           7           1           32          1
Medicaid – Integrated Eligibility System    20            0           15          15          4           0           0
Medicaid – Management Information System    17            0           19          14          4           0           0
Temporary Assistance for Needy Families     19            3           12          15          1           4           0
Unemployment Insurance                      27            0           11          10          5           0           1

Note: This table contains readiness information from the 50 states, the District of Columbia, Guam,
Puerto Rico, and the Virgin Islands.

(a) According to OMB, the information regarding Child Care, Child Support Enforcement, the Low
Income Home Energy Assistance Program, Medicaid, and Temporary Assistance for Needy Families
was as of January 31, 1999; and the information for Child Nutrition, Food Stamps, and Women, Infants
and Children was as of March 1999. However, OMB provided a draft table to the National Association
of State Information Resource Executives, which, in turn, provided the draft table to the states. The
states were asked to contact HHS and Agriculture and provide corrections by June 1, 1999. For their
part, HHS and Agriculture submitted updated state data to OMB in early June. The information
regarding Unemployment Insurance was as of March 31, 1999.

(b) In many cases, the report indicated a date instead of whether the state was compliant. We assumed
that states reporting completion dates in 1998 or earlier were compliant.

(c) Unknown indicates that according to OMB, the data reported by the states were unclear or that no
information was reported by the agency.

(d) N/A indicates that the states or territories reported that the data requested were not applicable to
them.

Source: Progress on Year 2000 Conversion: 9th Quarterly Report (OMB, issued on June 15, 1999).


                                            Although many states have reported their state-administered programs to
                                            be compliant, additional work beyond individual system completion likely
                                            remains, such as end-to-end testing. For example, of the states that OMB
                                            reported as having compliant Medicaid management information and/or
                                            integrated eligibility systems, at least four and five states, respectively, had
                                            not completed end-to-end testing.




In addition to obtaining state-reported readiness status information for
OMB, the three federal departments are taking other actions to assess the
ability of state-administered programs to continue into the next century.
However, as table 2 shows, the approaches of the three departments in
assessing the readiness of state-administered federal human services
programs vary significantly. For example, HHS’ Health Care Financing
Administration (HCFA) hired a contractor to perform comprehensive
on-site reviews in all states, some more than once, using a standard
methodology. Agriculture’s Food and Nutrition Service (FNS) approach
includes such actions as having regional offices monitor state Year 2000
efforts and obtaining state certifications of compliance. The Department of
Labor is relying on its regional offices to monitor state Year 2000 efforts as
well as requiring states to obtain and submit independent verification and
validation reports after declaring their systems compliant.




Table 2: Number and Types of Assessments Performed

                                                            Areas covered by assessments
Agency/program            Number of states assessed         Project management/ Test plans/results            Business continuity and
                                                            planning                                          contingency plans (BCCP)

Agriculture/Child         Component entity’s regional       Varies by region    Varies by region              Varies by region
Nutrition Program         offices are monitoring all
                          states’ efforts

Agriculture/Food Stamps   Component entity’s regional       Varies by region    Varies by region              Varies by region
                          offices are monitoring all
                          states’ efforts

Agriculture/Women,        Component entity’s regional       Varies by region    Varies by region              Varies by region
Infants, and Children     offices are monitoring all
                          states’ efforts

HHS/Child Care            As of July 2, a contractor had    Yes                 Yes—all visits included       Partial—on-site visits included reviews of
                          conducted on-site reviews of                          reviews of test plans and,    states’ BCCP processes, but not their
                          20 states                                             where applicable, test        content
                                                                                results

HHS/Child Support         As of July 2, a contractor had    Yes                 Yes—all visits included       Partial—on-site visits included reviews of
Enforcement               conducted on-site reviews of                          reviews of test plans and,    states’ BCCP processes, but not their
                          20 states                                             where applicable, test        content
                                                                                results

HHS/Child Welfare         As of July 2, a contractor had    Yes                 Yes—all visits included       Partial—on-site visits included reviews of
                          conducted on-site reviews of                          reviews of test plans and,    states’ BCCP processes, but not their
                          20 states                                             where applicable, test        content
                                                                                results

HHS/Low Income            As of July 2, a contractor had    Yes                 Yes—all visits included       Partial—on-site visits included reviews of
Housing Energy            conducted on-site reviews of                          reviews of test plans and,    states’ BCCP processes, but not their
Assistance Program        20 states                                             where applicable, test        content
                                                                                results

HHS/Medicaid              A contractor conducted on-site    Yes                 Yes—all visits included       Partial—Initial visits included reviews of
                          reviews of 50 states and the                          reviews of test plans and,    states’ BCCP processes, and as of July 9,
                          District of Columbia once, and,                       where applicable, test        a contractor had reviewed the content of
                          as of June 30, the contractor                         results                       42 states’ BCCPs, either on site or at
                          had conducted follow-up reviews                                                     headquarters
                          of 14 states

HHS/Temporary             As of July 2, a contractor had    Yes                 Yes—all visits included       Partial—on-site visits included reviews of
Assistance for Needy      conducted on-site reviews of                          reviews of test plans and,    states’ BCCP processes, but not their
Families                  20 states                                             where applicable, test        content
                                                                                results

Labor/Unemployment        Labor’s regional offices are      Unknown—not         Unknown—not specifically      Reviews ongoing
Insurance                 monitoring all states’ efforts    specifically        addressed in methodology
                                                            addressed in
                                                            methodology




In addition to the completed reviews, all of the departments have ongoing
initiatives to ensure that state-administered human services programs will
continue to function past the change of century. These initiatives are part
of the departments’ overall strategies to ensure the continued delivery of
these high-impact programs. For example:

• In June 1999, the Department of Agriculture’s FNS required its regions to
  provide for each program a copy of either a state letter certifying that it
  was Year 2000 compliant or a business continuity and contingency plan.
  As of June 18, 1999, FNS had received (1) 9 certifications and 7 business
  continuity and contingency plans for Child Nutrition, (2) 12
  certifications and 16 business continuity and contingency plans for
  Food Stamps, and (3) 23 certifications and 23 business continuity and
  contingency plans for Women, Infants, and Children. In addition, to help
  states’ Year 2000 efforts, FNS employed a contractor to conduct on-site
  visits to 20 states for one or more programs. As of July 9, FNS officials
  told us 16 states had been visited. With respect to the scope of these
  visits, FNS’ regional offices determine for each state and program what
  specific areas it should encompass. These visits are principally intended
  to provide technical assistance to the states in areas such as Year 2000
  project management, hardware and software testing, and contingency
  planning.
• In its initial round of on-site reviews conducted between November 1998
  and April 1999, the contractor hired by HHS’ HCFA (1) identified
  barriers to successful remediation, (2) made recommendations to
  address specific areas of concern, and (3) placed Medicaid integrated
  eligibility and management information systems into low, medium, or
  high risk categories. HCFA’s contractor is currently conducting a second
  round of on-site reviews in at least 40 states—primarily those in which
  at least one of two systems was categorized as a high or medium risk
  during the initial visit. As of June 30, 14 states had been visited during
  this round. The focus of this second round of visits is on determining
  how states have resolved Year 2000 issues previously identified, as well
  as reviewing activities such as data exchanges and end-to-end testing.
  HCFA plans to conduct a third round of on-site reviews in the fall of
  1999 for those states that continue to have systems categorized as high
  risk. Additionally, another HCFA contractor is reviewing the content of
  all states’ business continuity and contingency plans, with some of these
  reviews being performed in conjunction with the second round of state
  visits.
• In September 1998, the Department of Labor required that all State
  Employment Security Agencies conduct independent verification and
  validation reviews of their Unemployment Insurance programs. The
                           department set a target date of July 1, 1999, for states to submit
                           independent verification and validation certifications of their
                           Unemployment Insurance systems to Labor’s regional offices. Labor
                           required its regional offices to review independent verification and
                           validation reports and certifications of Year 2000 compliance that State
                           Employment Security Agencies submitted, and to ascertain whether the
                           material met the department’s requirements. If Labor’s requirements
                           were met, the regional offices were to approve the State Employment
                           Security Agencies’ certification and independent verification and
                           validation reports and forward copies of the approved certification and
                           report, along with regional office comments, to Labor’s national office.

                        An example of the benefits that federal/state partnerships can provide is
                        illustrated by the Department of Labor’s unemployment services program.
                        In September 1998, we reported that many State Employment Security
                        Agencies were at risk of failure as early as January 1999 and urged the
                        Department of Labor to initiate the development of realistic contingency
                        plans to ensure continuity of core business processes in the event of Year
                        2000-induced failures.52 In May, we testified that four state agencies’
                        systems could have failed if systems in those states had not been
                        programmed with an emergency patch in December 1998. This patch was
                        developed by several of the state agencies and promoted to other state
                        agencies by the Department of Labor.53



Year 2000 Readiness Information Available in Some Sectors, But Key Information Still Missing or Incomplete

                        Beyond the risks faced by federal, state, and local governments, the year
                        2000 also poses a serious challenge to the public infrastructure, key
                        economic sectors, and to other countries. To address these concerns, in
                        April 1998 we recommended that the Council use a sector-based approach
                        and establish the effective public-private partnerships necessary to address
                        this issue.54 The Council subsequently established over 25 sector-based
                        working groups and has been initiating outreach activities since it became
                        operational last spring. In addition, the Chair of the Council has formed a


                        52 Year 2000 Computing Crisis: Progress Made at Department of Labor, But Key Systems at Risk
                        (GAO/T-AIMD-98-303, September 17, 1998).

                        53 Year 2000 Computing Challenge: Labor Has Progressed But Selected Systems Remain at Risk
                        (GAO/T-AIMD-99-179, May 12, 1999).

                        54 GAO/AIMD-98-85, April 30, 1998.




Senior Advisors Group composed of representatives from private-sector
firms across key economic sectors. Members of this group are expected to
offer perspectives on crosscutting issues, information sharing, and
appropriate federal responses to potential Year 2000 failures.

Our April 1998 report also recommended that the President’s Council
develop a comprehensive picture of the nation’s Year 2000 readiness, to
include identifying and assessing risks to the nation’s key economic
sectors—including risks posed by international links. In October 1998, the
Chair directed the Council’s sector working groups to begin assessing their
sectors. The Chair also provided a recommended guide of core questions
that the Council asked to be included in surveys by the associations
performing the assessments. These questions included the percentage of
work that has been completed in the assessment, renovation, validation,
and implementation phases. The Chair then planned to issue quarterly
public reports summarizing these assessments.

The Council’s most recent report was issued on August 5, 1999.55 The
report stated that important national systems will make a successful
transition to the year 2000 but that much work, such as contingency
planning, remains to be done. In particular, the Council expressed a high
degree of confidence in five major domestic areas: financial institutions,
electric power, telecommunications, air travel, and the federal government.
For example, the Council stated that on August 2, federal bank, thrift, and
credit union regulators reported that 99 percent of federally insured
financial institutions have completed testing of critical systems for Year
2000 readiness. The Council had concerns in four significant areas: local
government, health care, education, and small businesses. For example,
according to the Council report, many school districts could move into the
new century with dysfunctional information technology systems, since
only 28 percent and 30 percent of Superintendent/Local Educational
Agencies and postsecondary institutions, respectively, reported that their
mission-critical systems were Year 2000 compliant. Internationally, the
Council stated that the Year 2000 readiness of other countries was
improving but was still a concern. The Council reported that the June 1999
meeting of National Year 2000 Coordinators held at the United Nations
found that the 173 countries in attendance were clearly focused on the Year


55 The Council’s three reports are available on its web site, www.y2k.gov. In addition, the Council, in
conjunction with the Federal Trade Commission and the General Services Administration, has
established a toll-free Year 2000 information line, 1-888-USA-4Y2K. The Federal Trade Commission has
also included Year 2000 information of interest to consumers on its web site, www.consumer.gov.




                2000 problem but that many countries will likely not have enough time or
                resources to finish before the end of 1999.

                The Council’s assessment reports have substantially increased the nation’s
                understanding of the Year 2000 readiness of key industries. However, the
                picture remains incomplete in certain key areas because the surveys
                conducted to date did not have a high response rate or did not provide their
                response rate, the assessment was general or contained projections rather
                than current remediation information, or the data were old. For example,
                according to the Council’s latest assessment report:

                • Less than a quarter of the more than 16,000 Superintendents of
                  Schools/Local Educational Agencies responded to a web-based survey
                  of Year 2000 readiness among elementary and secondary schools.
                  Similarly, less than a third of the more than 6,000 presidents and/or
                  chancellors of postsecondary educational institutions responded to a
                  web-based Year 2000 survey. Also, surveys covering areas such as small
                  and medium-sized chemical enterprises did not provide information on
                  either the number of surveys distributed or the number returned. Small
                  response rates or the lack of information on response rates call into
                  question whether the results of the survey accurately portray the
                  readiness of the sector.
                • Information in areas such as state emergency management and
                  broadcast television and radio provided a general assessment or
                  projected compliance levels as of a certain date, but did not contain
                  detailed data as to the current status of the sector (e.g., the average
                  percentage of organizations’ systems that are Year 2000 compliant or the
                  percentage of organizations that are in the assessment, renovation, or
                  validation phases).
                • In some cases, such as for grocery manufacturers, cable television,
                  hospitals, physicians’ practices, and railroads, the sector surveys had
                  been conducted months earlier and/or current survey information was
                  not yet available.

                In addition to our work related to the federal, state, and local government’s
                Year 2000 progress, we have also issued several products related to key
                economic sectors. I will now discuss the results of these reviews.


Energy Sector

                In April, we reported that while the electric power industry had concluded
                that it had made substantial progress in making its systems and equipment
                ready to continue operations into the year 2000, significant risks remained



since many reporting organizations did not expect to be Year 2000 ready
within the June 1999 industry target date.56 We, therefore, suggested that
the Department of Energy (1) work with the Electric Power Working Group
to ensure that remediation activities were accelerated for the utilities that
expected to miss the June 1999 deadline for achieving Year 2000 readiness
and (2) encourage state regulatory utility commissions to require a full
public disclosure of Year 2000 readiness status of entities transmitting and
distributing electric power. The Department of Energy generally agreed
with our suggestions. We also suggested that the Nuclear Regulatory
Commission (1) in cooperation with the Nuclear Energy Institute, work
with nuclear power plant licensees to accelerate the Year 2000 remediation
efforts among the nuclear power plants that expect to meet the June 1999
deadline for achieving readiness and (2) publicly disclose the Year 2000
readiness of each of the nation’s operational nuclear reactors. In response,
the Nuclear Regulatory Commission stated that it plans to focus its efforts
on nuclear power plants that may miss the July 1, 1999, milestone and that
it would release the readiness information on individual plants that same
month.

Subsequent to our report, on August 3, 1999, the North American Electric
Reliability Council released its fourth status report on electric power
systems. According to the Council, as of June 30, 1999—the industry target
date for organizations to be Year 2000 ready—251 of 268 (94 percent) of
bulk electric organizations were Year 2000 ready or Year 2000 ready with
limited exceptions.57 In addition, this report stated that 96 percent of local
distribution systems were reported as Year 2000 ready.58 The North
American Electric Reliability Council stated that the information it uses is
principally self-reported but that 84 percent of the organizations reported
that their Year 2000 programs had also been audited by internal and/or
external auditors. On July 19, the Nuclear Regulatory Commission stated
that 68 of 103 (66 percent) nuclear power plants reported that all of their
computer systems and digital embedded components that support plant


56 Year 2000 Computing Crisis: Readiness of the Electric Power Industry (GAO/AIMD-99-114,
April 6, 1999).

57 The North American Electric Reliability Council reported that 64 of these organizations had
exceptions but that it “believes that the work schedule provided to complete these exception items in
the next few months represents a prudent use of resources and does not increase risks associated with
reliable electric service into the Year 2000.”

58 This was based on the percentage of the total megawatts of the systems reported as Year 2000 ready
by investor-owned, public power, and cooperative organizations. The report did not identify the number
of local distribution organizations that reported that they were Year 2000 ready.




               operations are Year 2000 ready. Of the 35 plants that were not Year 2000
               ready, 18 had systems or components that were not ready that could affect
               power generation.

               In May, we reported59 that while the domestic oil and gas industries had
               reported that they had made substantial progress in making their
               equipment and systems ready to continue operations into the year 2000,
               risks remained. For example, although over half of our oil is imported, little
               was known about the Year 2000 readiness of foreign oil suppliers. Further,
               while individual domestic companies reported that they were developing
               Year 2000 contingency plans, there were no plans to perform a national-
               level risk assessment and develop contingency plans to deal with potential
               shortages or disruptions in the nation’s overall oil and gas supplies. We
               suggested that the Council’s oil and gas working group (1) work with
               industry associations to perform national-level risk assessments and
               develop and publish credible, national-level scenarios regarding the impact
               of potential Year 2000 failures and (2) develop national-level contingency
               plans. The working group generally agreed with these suggestions.



Water Sector

               In April, we reported60 that insufficient information was available to assess
               and manage Year 2000 efforts in the water sector, and little additional
               information was expected under the current regulatory approach. While
               the Council’s water sector working group had undertaken an awareness
               campaign and had urged national water sector associations to continue to
               survey their memberships, survey response rates had been low. Further,
               Environmental Protection Agency officials stated that the agency lacked
               the rules and regulations necessary to require water and wastewater
               facilities to report on their Year 2000 status.

               Our survey of state regulators found that a few states were proactively
               collecting Year 2000 compliance data from regulated facilities, a much
               larger group of states was disseminating Year 2000 information, while
               another group was not actively using either approach. Additionally, only a
               handful of state regulators believed that they were responsible for ensuring
               facilities’ Year 2000 compliance or overseeing facilities’ business continuity



               59 Year 2000 Computing Crisis: Readiness of the Oil and Gas Industries (GAO/AIMD-99-162,
               May 19, 1999).

               60 Year 2000 Computing Crisis: Status of the Water Industry (GAO/AIMD-99-151, April 21, 1999).




                and contingency plans. Among our suggested actions was that the Council,
                the Environmental Protection Agency, and the states determine which
                regulatory organization should take responsibility for assessing and
                publicly disclosing the status and outlook of water sector facilities’ Year
                2000 business continuity and contingency plans. The Environmental
                Protection Agency generally agreed with our suggestions but one official
                noted that additional legislation may be needed if the agency is to take
                responsibility for overseeing facilities’ Year 2000 business continuity and
                contingency plans.


Health Sector

                The health sector includes health care providers (such as hospitals and
                emergency health care services), insurers (such as Medicare and
                Medicaid), and biomedical equipment. Last month, we reported61 that
                HCFA had taken aggressive and comprehensive outreach efforts with
                regard to its over 1.1 million healthcare providers that administer services
                for Medicare-insured patients.62 Despite these efforts, HCFA data show
                that provider participation in its outreach activities has been low. Further,
                although HCFA has tasked contractors that process Medicare claims with
                testing with providers using future-dated claims, such testing had been
                limited and the testing that had occurred had identified problems. Our July
                report also found that although many surveys had been completed in 1999
                on the Year 2000 readiness of healthcare providers, none of the 11 surveys
                we reviewed provided sufficient information with which to assess the Year
                2000 status of the healthcare provider community. Each of the surveys had
                low response rates, and several did not address critical questions about
                testing and contingency planning.

                To reduce the risk of Year 2000-related failures in the Medicare provider
                community, our July report suggested, for example, that HCFA consider
                using additional outreach methods, such as public service announcements,
                and set milestones for Medicare contractors for testing with providers. We
                also made suggestions to the President’s Council on Year 2000 Conversion’s
                healthcare sector working group, including a suggestion to consider
                working with associations to publicize those providers who respond to



                61 Year 2000 Computer Crisis: Status of Medicare Providers Unknown (GAO/AIMD-99-243,
                July 28, 1999).

                62 Examples of such providers are hospitals, laboratories, physicians, and skilled nursing/long-term care
                facilities.




future surveys in order to increase survey response rates. The HCFA
Administrator generally agreed with our suggested actions.

With respect to biomedical equipment, on June 10 we testified63 that in
response to our September 1998 recommendation,64 HHS, in conjunction
with the Department of Veterans Affairs, had established a clearinghouse
on biomedical equipment. As of June 1, 1999, 4,142 biomedical equipment
manufacturers had submitted data to the clearinghouse. About 61 percent
of these manufacturers reported having products that do not employ dates
and about 8 percent (311 manufacturers) reported having date-related
problems, such as an incorrect display of date/time. According to the Food
and Drug Administration, the 311 manufacturers reported 897 products
with date-related problems. However, not all compliance information was
available on the clearinghouse because the clearinghouse referred the user
to 427 manufacturers’ web sites. Accordingly, we reviewed the web sites of
these manufacturers and found, as of June 1, 1999, a total of 35,446
products.65 Of these products, 18,466 were reported as not employing a
date, 11,211 were reported as compliant, 4,445 were shown as not
compliant, and the compliance status of 1,324 was unknown.

In addition to the establishment of a clearinghouse, our September 1998
report66 also recommended that HHS and the Department of Veterans
Affairs take prudent steps to jointly review manufacturers’ test results for
critical care/life support biomedical equipment. We were especially
concerned that the departments review test results for equipment
previously deemed to be noncompliant but now deemed by manufacturers
to be compliant, or equipment for which concerns about compliance
remained. In May 1999, the Food and Drug Administration, a component
agency of HHS, announced that it planned to develop a list of critical
care/life support medical devices and the manufacturers of these devices,
select a sample of manufacturers for review, and hire a contractor to


63 Year 2000 Computing Challenge: Concerns About Compliance Information on Biomedical Equipment
(GAO/T-AIMD-99-209, June 10, 1999).

64 Year 2000 Computing Crisis: Compliance Status of Many Biomedical Equipment Items Still Unknown
(GAO/AIMD-98-240, September 18, 1998).

65 Because of limitations in many of the manufacturers’ web sites, our ability to determine the total
number of biomedical equipment products reported and their compliance status was impaired.
Accordingly, the actual number of products reported by the manufacturers could be significantly higher
than the 35,446 products that we counted.

66 GAO/AIMD-98-240, September 18, 1998.




                             develop a program to assess manufacturers’ activities to identify and
                             correct Year 2000 problems for these medical devices. In addition, if the
                             results of this review indicated a need for further review of manufacturer
                             activities, the contractor would review a portion of the remaining
                             manufacturers not yet reviewed. Moreover, according to the Food and Drug
                             Administration, any manufacturer whose quality assurance system
                             appeared deficient based on the contractor’s review would be subject to
                             additional reviews to determine what actions would be required to
                             eliminate any risk posed by noncompliant devices.

                             In April testimony,67 we also reported on the results of a Department of
                             Veterans Affairs survey of 384 pharmaceutical firms and 459 medical-
                             surgical firms with which it does business. Of the 52 percent of
                             pharmaceutical firms that responded to the survey, 32 percent reported
                             that they were compliant. Of the 54 percent of the medical-surgical firms
                             that responded, about two-thirds reported that they were compliant.


Banking and Finance Sector

                             A large portion of the institutions that make up the banking and finance
                             sector are overseen by one or more federal regulatory agencies. In
                             September 1998, we testified on the efforts of five federal financial
                             regulatory agencies68 to ensure that the institutions that they oversee are
                             ready to handle the Year 2000 problem.69 We concluded that the regulators
                             had made significant progress in assessing the readiness of member
                             institutions and in raising awareness on important issues such as
                             contingency planning and testing. Regulator examinations of bank, thrift,
                             and credit union Year 2000 efforts found that the vast majority were doing a
                             satisfactory job of addressing the problem. Nevertheless, the regulators
                             faced the challenge of ensuring that they are ready to take swift action to
                             address those institutions that falter in the later stages of correction and to
                             address disruptions caused by international and public infrastructure
                             failures.




                             67 Year 2000 Computing Crisis: Action Needed to Ensure Continued Delivery of Veterans Benefits and
                             Health Care Services (GAO/T-AIMD-99-136, April 15, 1999).

                             68 The National Credit Union Administration, the Federal Deposit Insurance Corporation, the Office of
                             Thrift Supervision, the Federal Reserve System, and the Office of the Comptroller of the Currency.

                             69 Year 2000 Computing Crisis: Federal Depository Institution Regulators Are Making Progress, But
                             Challenges Remain (GAO/T-AIMD-98-305, September 17, 1998).




In April, we reported that the Federal Reserve System—which is
instrumental to our nation’s economic well-being, since it provides
depository institutions and government agencies services such as
processing checks and transferring funds and securities—has effective
controls to help ensure that its Year 2000 progress is reported accurately
and reliably.70 We also found that it is effectively managing the renovation
and testing of its internal systems and the development and planned testing
of contingency plans for continuity of business operations. Nevertheless,
the Federal Reserve System still had much to accomplish before it is fully
ready for January 1, 2000, such as completing validation and
implementation of all of its internal systems and completing its
contingency plans.

In addition to the domestic banking and finance sector, large U.S. financial
institutions have financial exposures and relationships with international
financial institutions and markets that may be at risk if these international
organizations are not ready for the date change occurring on January 1,
2000. In April, we reported71 that foreign financial institutions had
reportedly lagged behind their U.S. counterparts in preparing for the Year
2000 date change. Officials from four of the seven large foreign financial
institutions we visited said they had scheduled completion of their Year
2000 preparations about 3 to 6 months after their U.S. counterparts, but
they planned to complete their efforts by mid-1999 at the latest. Moreover,
key international market supporters, such as those that transmit financial
messages and provide clearing and settlement services, told us that their
systems were ready for the date change and that they had begun testing
with the financial organizations that depended on these systems. Further,
we found that seven large U.S. banks and securities firms we visited were
taking actions to address their international risks. In addition, U.S. banking
and securities regulators were also addressing the international Year 2000
risks of the institutions that they oversee.

With respect to the insurance industry, in March, we concluded that
insurance regulator presence regarding the Year 2000 area was not as


70 Year 2000 Computing Crisis: Federal Reserve Has Established Effective Year 2000 Management
Controls for Internal Systems Conversion (GAO/AIMD-99-78, April 9, 1999).

71 Year 2000: Financial Institution and Regulatory Efforts to Address International Risks
(GAO/GGD-99-62, April 27, 1999).




                        strong as that exhibited by the banking and securities industry.72 State
                        insurance regulators we contacted were late in raising industry awareness
                        of potential Year 2000 problems, provided little guidance to regulated
                        institutions, and failed to convey clear regulatory expectations to
                        companies about Year 2000 preparations and milestones. Nevertheless, the
                        insurance industry is reported by both its regulators and by other outside
                        observers to be generally on track to being ready for 2000. However, most
                        of these reports are based on self-reported information and, compared to
                        other financial regulators, insurance regulators’ efforts to validate this
                        information generally began late and were more limited.

                        In a related report in April,73 we stated that variations in oversight
                        approaches by state insurance regulators also made it difficult to ascertain
                        the overall status of the insurance industry’s Year 2000 readiness. We
                        reported that the magnitude of insurers’ Year 2000-related liability
                        exposures could not be estimated at that time but that costs associated
                        with these exposures could be substantial for some property-casualty
                        insurers, particularly those concentrated in commercial-market sectors.
                        In addition, despite efforts to mitigate potential exposures, the Year 2000-
                        related costs that may be incurred by insurers would remain uncertain until
                        key legal issues and actions on pending legislation were resolved.


Transportation Sector

                        Airports are a key component of the nation’s transportation sector. This
                        January we reported on our survey of 413 airports.74 We found that while
                        the nation’s airports were making progress in preparing for the year 2000,
                        such progress varied. Of the 334 airports responding to our survey, about
                        one-third reported that they would complete their Year 2000 preparations
                        by June 30, 1999. The other two-thirds either planned on a later date or
                        failed to estimate any completion date, and half of these airports did not
                        have contingency plans for any of 14 core airport functions. Although most
                        of those not expecting to be ready by June 30 are small airports, 26 of them
                        are among the nation’s 50 largest airports.



                        72Insurance Industry: Regulators Are Less Active in Encouraging and Validating Year 2000 Preparedness
                        (GAO/T-GGD-99-56, March 11, 1999).

                        73Year 2000: State Insurance Regulators Face Challenges in Determining Industry Readiness
                        (GAO/GGD-99-87, April 30, 1999).

                        74Year 2000 Computing Crisis: Status of Airports’ Efforts to Deal With Date Change Problem
                        (GAO/RCED/AIMD-99-57, January 29, 1999).




International   In addition to the risks associated with the nation’s key economic sectors,
                one of the largest and most uncertain areas of risk relates to the global
                nature of the problem. Table 3 summarizes the results of the Department of
                State’s Office of the Inspector General’s analysis of “Y2K Host Country
                Infrastructure” assessments submitted by U.S. embassies in 161 countries
                (98 from the developing world, 24 from former Eastern bloc countries and
                the New Independent States, and 39 from industrialized countries). The
                following table shows that about half of the countries are reported to be at
                medium or high risk of having Year 2000-related failures in the key areas of
                telecommunications, transportation, and energy. While a smaller number of
                countries were reported at medium or high risk in the finance and water
                sectors, at least one-third of the countries fell into the medium or high risk
                categories.



                Table 3: Risk of Year 2000-Related Sector Failures in 161 Countries
                Risk level   Finance   Telecommunications   Transportation   Energy   Water
                High              11                   35               18       26       7
                Medium            43                   56               61       64      52
                Low              107                   70               82       71     102
                Source: Year 2000 Computer Problem: Global Readiness and International Trade (Statement of the
                Department of State’s Inspector General before the Senate Special Committee on the Year 2000
                Technology Problem, July 22, 1999).


                The Department of State Inspector General concluded that the global
                community is likely to experience varying degrees of Year 2000-related
                failures—from mere annoyances to failures in key infrastructure systems—
                in every sector, region, and economic level. In particular, the Inspector
                General testified on July 22, 1999, that

                • industrialized countries were generally at low risk of having Year 2000-
                  related infrastructure failures, although some of these countries were at
                  risk;
                • developing countries were lagging behind and were struggling to find
                  the financial and technical resources needed to resolve their Year 2000
                  problems; and
                • former Eastern bloc countries were late in getting started and were
                  generally unable to provide detailed information on their Year 2000
                  programs.




          The impact of Year 2000-induced failures in foreign countries could
          adversely affect the United States, particularly as it relates to the supply
          chain. To address the international supply chain issue, in January 1999 we
          suggested75 that the President’s Council on Year 2000 Conversion prioritize
          trade and commerce activities that are critical to the nation’s well-being
          (e.g., oil, food, pharmaceuticals) and, working with the private sector,
          identify options for obtaining these materials through alternative avenues
          in the event that Year 2000-induced failures in the other country or in the
          transportation sector prevent these items from reaching the United States.
          In commenting on this suggestion, the Chair stated that the Council had
          (1) worked with federal agencies to identify sectors with the greatest
          dependence on international trade, (2) held industry roundtable
          discussions with the pharmaceutical and food supply sectors, and
          (3) hosted bilateral and trilateral meetings with the Council’s counterparts
          in Canada and Mexico—the United States’ largest trading partners.


          In summary, while improvement has been shown, much work remains at
          the national, federal, state, and local levels to ensure that major service
          disruptions do not occur. Specifically, remediation must be completed,
          end-to-end testing performed, and business continuity and contingency
          plans developed. Similar actions remain to be completed by the nation’s
          key sectors. Accordingly, whether the United States successfully confronts
          the Year 2000 challenge will largely depend on the success of federal, state,
          and local governments, as well as the private sector working separately and
          together to complete these actions. Accordingly, strong leadership and
          partnerships must be maintained to ensure that the needs of the public are
          met at the turn of the century.

          Mr. Chairman, this concludes my statement. I would be happy to respond to
          any questions that you or other members of the Subcommittee may have at
          this time.



Contact   For information concerning this testimony, please contact Joel Willemssen
          at (202) 512-6253 or by e-mail at willemssenj.aimd@gao.gov.




          75GAO/T-AIMD-99-50, January 20, 1999.




Appendix I

Federal High-Impact Programs and Lead Agencies




Agency                                          Program
Department of Agriculture                       Child Nutrition Programs
Department of Agriculture                       Food Safety Inspection
Department of Agriculture                       Food Stamps
Department of Agriculture                       Special Supplemental Nutrition Program for Women, Infants, and Children
Department of Commerce                          Patent and trademark processing
Department of Commerce                          Weather Service
Department of Defense                           Military Hospitals
Department of Defense                           Military Retirement
Department of Education                         Student Aid
Department of Energy                            Federal electric power generation and delivery
Department of Health and Human Services         Child Care
Department of Health and Human Services         Child Support Enforcement
Department of Health and Human Services         Child Welfare
Department of Health and Human Services         Disease monitoring and the ability to issue warnings
Department of Health and Human Services         Indian Health Service
Department of Health and Human Services         Low Income Home Energy Assistance Program
Department of Health and Human Services         Medicaid
Department of Health and Human Services         Medicare
Department of Health and Human Services         Organ Transplants
Department of Health and Human Services         Temporary Assistance for Needy Families
Department of Housing and Urban Development     Housing loans (Government National Mortgage Association)
Department of Housing and Urban Development     Section 8 Rental Assistance
Department of Housing and Urban Development     Public Housing
Department of Housing and Urban Development     FHA Mortgage Insurance
Department of Housing and Urban Development     Community Development Block Grants
Department of the Interior                      Bureau of Indian Affairs programs
Department of Justice                           Federal Prisons
Department of Justice                           Immigration
Department of Justice                           National Crime Information Center
Department of Labor                             Unemployment Insurance
Department of State                             Passport Applications and Processing
Department of Transportation                    Air Traffic Control System
Department of Transportation                    Maritime Safety Program
Department of the Treasury                      Cross-border Inspection Services
Department of Veterans Affairs                  Veterans’ Benefits
Department of Veterans Affairs                  Veterans’ Health Care
Federal Emergency Management Agency             Disaster Relief
Office of Personnel Management                  Federal Employee Health Benefits
Office of Personnel Management                  Federal Employee Life Insurance
Office of Personnel Management                  Federal Employee Retirement Benefits
Railroad Retirement Board                       Retired Rail Workers Benefits
Social Security Administration                  Social Security Benefits
U.S. Postal Service                             Mail Service




GAO Reports and Testimony Addressing the
Year 2000 Crisis

              Year 2000 Computing Challenge: Agencies’ Reporting of Mission-Critical
              Classified Systems (GAO/AIMD-99-218, August 5, 1999).

              Social Security Administration: Update on Year 2000 and Other Key
              Information Technology Initiatives (GAO/T-AIMD-99-259, July 29, 1999).

              Year 2000 Computing Crisis: Status of Medicare Providers Unknown
              (GAO/AIMD-99-243, July 28, 1999).

              Reported Y2K Status of the 21 Largest U.S. Cities (GAO/AIMD-99-246R,
              July 15, 1999).

              Year 2000 Computing Challenge: Federal Efforts to Ensure Continued
              Delivery of Key State-Administered Benefits (GAO/T-AIMD-99-241,
              July 15, 1999).

              Emergency and State and Local Law Enforcement Systems: Committee
              Questions Concerning Year 2000 Challenges (GAO/AIMD-99-247R,
              July 14, 1999).

              Year 2000 Computing Challenge: Important Progress Made, Yet Much Work
              Remains to Avoid Disruption of Critical Services (GAO/T-AIMD-99-234,
              July 9, 1999).

              Year 2000 Computing Challenge: Readiness Improving Yet Avoiding
              Disruption of Critical Services Will Require Additional Work
              (GAO/T-AIMD-99-233, July 8, 1999).

              Year 2000 Computing Challenge: Readiness Improving But Much Work
              Remains to Avoid Disruption of Critical Services (GAO/T-AIMD-99-232,
              July 7, 1999).

              Defense Computers: Management Controls Are Critical to Effective Year
              2000 Testing (GAO/AIMD-99-172, June 30, 1999).

              Year 2000 Computing Crisis: Customs Is Making Good Progress
              (GAO/T-AIMD-99-225, June 29, 1999).

              Year 2000 Computing Challenge: Delivery of Key Benefits Hinges on States’
              Achieving Compliance (GAO/T-AIMD/GGD-99-221, June 23, 1999).








Year 2000 Computing Challenge: Estimated Costs, Planned Uses of
Emergency Funding, and Future Implications (GAO/T-AIMD-99-214,
June 22, 1999).

GSA’s Effort to Develop Year 2000 Business Continuity and Contingency
Plans for Telecommunications Systems (GAO/AIMD-99-201R,
June 16, 1999).

Year 2000 Computing Crisis: Actions Needed to Ensure Continued Delivery
of Veterans Benefits and Health Care Services (GAO/AIMD-99-190R,
June 11, 1999).

Year 2000 Computing Challenge: Concerns About Compliance Information
on Biomedical Equipment (GAO/T-AIMD-99-209, June 10, 1999).

Year 2000 Computing Challenge: Much Biomedical Equipment Status
Information Available, Yet Concerns Remain (GAO/T-AIMD-99-197,
May 25, 1999).

Year 2000 Computing Challenge: OPM Has Made Progress on Business
Continuity Planning (GAO/GGD-99-66, May 24, 1999).

VA Y2K Challenges: Responses to Post-Testimony Questions
(GAO/AIMD-99-199R, May 24, 1999).

Year 2000 Computing Crisis: USDA Needs to Accelerate Time Frames for
Completing Contingency Planning (GAO/AIMD-99-178, May 21, 1999).

Year 2000 Computing Crisis: Readiness of the Oil and Gas Industries
(GAO/AIMD-99-162, May 19, 1999).

Year 2000 Computing Challenge: Time Issues Affecting the Global
Positioning System (GAO/T-AIMD-99-187, May 12, 1999).

Year 2000 Computing Challenge: Education Taking Needed Actions But
Work Remains (GAO/T-AIMD-99-180, May 12, 1999).

Year 2000 Computing Challenge: Labor Has Progressed But Selected
Systems Remain at Risk (GAO/T-AIMD-99-179, May 12, 1999).

Year 2000: State Insurance Regulators Face Challenges in Determining
Industry Readiness (GAO/GGD-99-87, April 30, 1999).







Year 2000 Computing Challenge: Status of Emergency and State and Local
Law Enforcement Systems Is Still Unknown (GAO/T-AIMD-99-163,
April 29, 1999).

Year 2000 Computing Crisis: Costs and Planned Use of Emergency Funds
(GAO/AIMD-99-154, April 28, 1999).

Year 2000: Financial Institution and Regulatory Efforts to Address
International Risks (GAO/GGD-99-62, April 27, 1999).

Year 2000 Computing Crisis: Readiness of Medicare and the Health Care
Sector (GAO/T-AIMD-99-160, April 27, 1999).

U.S. Postal Service: Subcommittee Questions Concerning Year 2000
Challenges Facing the Service (GAO/AIMD-99-150R, April 23, 1999).

Year 2000 Computing Crisis: Status of the Water Industry
(GAO/AIMD-99-151, April 21, 1999).

Year 2000 Computing Crisis: Key Actions Remain to Ensure Delivery of
Veterans Benefits and Health Services (GAO/T-AIMD-99-152,
April 20, 1999).

Year 2000 Computing Crisis: Readiness Improving But Much Work Remains
to Ensure Delivery of Critical Services (GAO/T-AIMD-99-149,
April 19, 1999).

Year 2000 Computing Crisis: Action Needed to Ensure Continued Delivery
of Veterans Benefits and Health Care Services (GAO/T-AIMD-99-136,
April 15, 1999).

Year 2000 Computing Challenge: Federal Government Making Progress But
Critical Issues Must Still Be Addressed to Minimize Disruptions
(GAO/T-AIMD-99-144, April 14, 1999).

Year 2000 Computing Crisis: Additional Work Remains to Ensure Delivery
of Critical Services (GAO/T-AIMD-99-143, April 13, 1999).

Tax Administration: IRS’ Fiscal Year 2000 Budget Request and 1999 Tax
Filing Season (GAO/T-GGD/AIMD-99-140, April 13, 1999).








Year 2000 Computing Crisis: Federal Reserve Has Established Effective
Year 2000 Management Controls for Internal Systems Conversion
(GAO/AIMD-99-78, April 9, 1999).

Year 2000 Computing Crisis: Readiness of the Electric Power Industry
(GAO/AIMD-99-114, April 6, 1999).

Year 2000 Computing Crisis: Customs Has Established Effective Year 2000
Program Controls (GAO/AIMD-99-37, March 29, 1999).

Year 2000 Computing Crisis: FAA Is Making Progress But Important
Challenges Remain (GAO/T-AIMD/RCED-99-118, March 15, 1999).

Insurance Industry: Regulators Are Less Active in Encouraging and
Validating Year 2000 Preparedness (GAO/T-GGD-99-56, March 11, 1999).

Year 2000 Computing Crisis: Defense Has Made Progress, But Additional
Management Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999).

Year 2000 Computing Crisis: Readiness Status of the Department of Health
and Human Services (GAO/T-AIMD-99-92, February 26, 1999).

Defense Information Management: Continuing Implementation Challenges
Highlight the Need for Improvement (GAO/T-AIMD-99-93,
February 25, 1999).

IRS’ Year 2000 Efforts: Status and Remaining Challenges
(GAO/T-GGD-99-35, February 24, 1999).

Department of Commerce: National Weather Service Modernization and
NOAA Fleet Issues (GAO/T-AIMD/GGD-99-97, February 24, 1999).

Year 2000 Computing Crisis: Medicare and the Delivery of Health Services
Are at Risk (GAO/T-AIMD-99-89, February 24, 1999).

Year 2000 Computing Crisis: Readiness of State Automated Systems That
Support Federal Human Services Programs (GAO/T-AIMD-99-91,
February 24, 1999).

Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000
Program (GAO/T-AIMD-99-85, February 24, 1999).








Year 2000 Computing Crisis: Update on the Readiness of the Social Security
Administration (GAO/T-AIMD-99-90, February 24, 1999).

Year 2000 Computing Crisis: Challenges Still Facing the U.S. Postal Service
(GAO/T-AIMD-99-86, February 23, 1999).

Year 2000 Computing Crisis: The District of Columbia Remains Behind
Schedule (GAO/T-AIMD-99-84, February 19, 1999).

High-Risk Series: An Update (GAO/HR-99-1, January 1999).

Year 2000 Computing Crisis: Status of Airports’ Efforts to Deal With Date
Change Problem (GAO/RCED/AIMD-99-57, January 29, 1999).

Defense Computers: DOD’s Plan for Execution of Simulated Year 2000
Exercises (GAO/AIMD-99-52R, January 29, 1999).

Year 2000 Computing Crisis: Status of Bureau of Prisons’ Year 2000 Efforts
(GAO/AIMD-99-23, January 27, 1999).

Year 2000 Computing Crisis: Readiness Improving, But Much Work
Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50,
January 20, 1999).

Year 2000 Computing Challenge: Readiness Improving, But Critical Risks
Remain (GAO/T-AIMD-99-49, January 20, 1999).

Status Information: FAA’s Year 2000 Business Continuity and Contingency
Planning Efforts Are Ongoing (GAO/AIMD-99-40R, December 4, 1998).

Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21,
November 1998).

Year 2000 Computing Crisis: Readiness of State Automated Systems to
Support Federal Welfare Programs (GAO/AIMD-99-28, November 6, 1998).

Year 2000 Computing Crisis: Status of Efforts to Deal With Personnel Issues
(GAO/AIMD/GGD-99-14, October 22, 1998).

Year 2000 Computing Crisis: Updated Status of Department of Education’s
Information Systems (GAO/T-AIMD-99-8, October 8, 1998).








Year 2000 Computing Crisis: The District of Columbia Faces Tremendous
Challenges in Ensuring That Vital Services Are Not Disrupted
(GAO/T-AIMD-99-4, October 2, 1998).

Medicare Computer Systems: Year 2000 Challenges Put Benefits and
Services in Jeopardy (GAO/AIMD-98-284, September 28, 1998).

Year 2000 Computing Crisis: Leadership Needed to Collect and Disseminate
Critical Biomedical Equipment Information (GAO/T-AIMD-98-310,
September 24, 1998).

Year 2000 Computing Crisis: Compliance Status of Many Biomedical
Equipment Items Still Unknown (GAO/AIMD-98-240, September 18, 1998).

Year 2000 Computing Crisis: Significant Risks Remain to Department of
Education’s Student Financial Aid Systems (GAO/T-AIMD-98-302,
September 17, 1998).

Year 2000 Computing Crisis: Progress Made at Department of Labor, But
Key Systems at Risk (GAO/T-AIMD-98-303, September 17, 1998).

Year 2000 Computing Crisis: Federal Depository Institution Regulators Are
Making Progress, But Challenges Remain (GAO/T-AIMD-98-305,
September 17, 1998).

Year 2000 Computing Crisis: Federal Reserve Is Acting to Ensure Financial
Institutions Are Fixing Systems But Challenges Remain
(GAO/AIMD-98-248, September 17, 1998).

Responses to Questions on FAA’s Computer Security and Year 2000
Program (GAO/AIMD-98-301R, September 14, 1998).

Year 2000 Computing Crisis: Severity of Problem Calls for Strong
Leadership and Effective Partnerships (GAO/T-AIMD-98-278,
September 3, 1998).

Year 2000 Computing Crisis: Strong Leadership and Effective Partnerships
Needed to Reduce Likelihood of Adverse Impact (GAO/T-AIMD-98-277,
September 2, 1998).

Year 2000 Computing Crisis: Strong Leadership and Effective Partnerships
Needed to Mitigate Risks (GAO/T-AIMD-98-276, September 1, 1998).







Year 2000 Computing Crisis: State Department Needs To Make
Fundamental Improvements To Its Year 2000 Program (GAO/AIMD-98-162,
August 28, 1998).

Year 2000 Computing: EFT 99 Is Not Expected to Affect Year 2000
Remediation Efforts (GAO/AIMD-98-272R, August 28, 1998).

Year 2000 Computing Crisis: Progress Made in Compliance of VA Systems,
But Concerns Remain (GAO/AIMD-98-237, August 21, 1998).

Year 2000 Computing Crisis: Avoiding Major Disruptions Will Require
Strong Leadership and Effective Partnerships (GAO/T-AIMD-98-267,
August 19, 1998).

Year 2000 Computing Crisis: Strong Leadership and Partnerships Needed to
Address Risk of Major Disruptions (GAO/T-AIMD-98-266, August 17, 1998).

Year 2000 Computing Crisis: Strong Leadership and Partnerships Needed to
Mitigate Risk of Major Disruptions (GAO/T-AIMD-98-262, August 13, 1998).

FAA Systems: Serious Challenges Remain in Resolving Year 2000 and
Computer Security Problems (GAO/T-AIMD-98-251, August 6, 1998).

Year 2000 Computing Crisis: Business Continuity and Contingency Planning
(GAO/AIMD-10.1.19, August 1998).

Internal Revenue Service: Impact of the IRS Restructuring and Reform Act
on Year 2000 Efforts (GAO/GGD-98-158R, August 4, 1998).

Social Security Administration: Subcommittee Questions Concerning
Information Technology Challenges Facing the Commissioner
(GAO/AIMD-98-235R, July 10, 1998).

Year 2000 Computing Crisis: Actions Needed on Electronic Data Exchanges
(GAO/AIMD-98-124, July 1, 1998).

Defense Computers: Year 2000 Computer Problems Put Navy Operations at
Risk (GAO/AIMD-98-150, June 30, 1998).

Year 2000 Computing Crisis: Testing and Other Challenges Confronting
Federal Agencies (GAO/T-AIMD-98-218, June 22, 1998).








Year 2000 Computing Crisis: Telecommunications Readiness Critical, Yet
Overall Status Largely Unknown (GAO/T-AIMD-98-212, June 16, 1998).

GAO Views on Year 2000 Testing Metrics (GAO/AIMD-98-217R,
June 16, 1998).

IRS’ Year 2000 Efforts: Business Continuity Planning Needed for Potential
Year 2000 System Failures (GAO/GGD-98-138, June 15, 1998).

Year 2000 Computing Crisis: Actions Must Be Taken Now to Address Slow
Pace of Federal Progress (GAO/T-AIMD-98-205, June 10, 1998).

Defense Computers: Army Needs to Greatly Strengthen Its Year 2000
Program (GAO/AIMD-98-53, May 29, 1998).

Year 2000 Computing Crisis: USDA Faces Tremendous Challenges in
Ensuring That Vital Public Services Are Not Disrupted
(GAO/T-AIMD-98-167, May 14, 1998).

Securities Pricing: Actions Needed for Conversion to Decimals
(GAO/T-GGD-98-121, May 8, 1998).

Year 2000 Computing Crisis: Continuing Risks of Disruption to Social
Security, Medicare, and Treasury Programs (GAO/T-AIMD-98-161,
May 7, 1998).

IRS’ Year 2000 Efforts: Status and Risks (GAO/T-GGD-98-123, May 7, 1998).

Air Traffic Control: FAA Plans to Replace Its Host Computer System
Because Future Availability Cannot Be Assured (GAO/AIMD-98-138R,
May 1, 1998).

Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for
Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, 1998).

Defense Computers: Year 2000 Computer Problems Threaten DOD
Operations (GAO/AIMD-98-72, April 30, 1998).

Department of the Interior: Year 2000 Computing Crisis Presents Risk of
Disruption to Key Operations (GAO/T-AIMD-98-149, April 22, 1998).








Tax Administration: IRS’ Fiscal Year 1999 Budget Request and Fiscal Year
1998 Filing Season (GAO/T-GGD/AIMD-98-114, March 31, 1998).

Year 2000 Computing Crisis: Strong Leadership Needed to Avoid Disruption
of Essential Services (GAO/T-AIMD-98-117, March 24, 1998).

Year 2000 Computing Crisis: Federal Regulatory Efforts to Ensure Financial
Institution Systems Are Year 2000 Compliant (GAO/T-AIMD-98-116,
March 24, 1998).

Year 2000 Computing Crisis: Office of Thrift Supervision’s Efforts to Ensure
Thrift Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102,
March 18, 1998).

Year 2000 Computing Crisis: Strong Leadership and Effective Public/Private
Cooperation Needed to Avoid Major Disruptions (GAO/T-AIMD-98-101,
March 18, 1998).

Post-Hearing Questions on the Federal Deposit Insurance Corporation’s
Year 2000 (Y2K) Preparedness (AIMD-98-108R, March 18, 1998).

SEC Year 2000 Report: Future Reports Could Provide More Detailed
Information (GAO/GGD/AIMD-98-51, March 6, 1998).

Year 2000 Readiness: NRC’s Proposed Approach Regarding Nuclear
Powerplants (GAO/AIMD-98-90R, March 6, 1998).

Year 2000 Computing Crisis: Federal Deposit Insurance Corporation’s
Efforts to Ensure Bank Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-73, February 10, 1998).

Year 2000 Computing Crisis: FAA Must Act Quickly to Prevent Systems
Failures (GAO/T-AIMD-98-63, February 4, 1998).

FAA Computer Systems: Limited Progress on Year 2000 Issue Increases
Risk Dramatically (GAO/AIMD-98-45, January 30, 1998).

Defense Computers: Air Force Needs to Strengthen Year 2000 Oversight
(GAO/AIMD-98-35, January 16, 1998).

Year 2000 Computing Crisis: Actions Needed to Address Credit Union
Systems’ Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998).







Veterans Health Administration Facility Systems: Some Progress Made in
Ensuring Year 2000 Compliance, But Challenges Remain
(GAO/AIMD-98-31R, November 7, 1997).

Year 2000 Computing Crisis: National Credit Union Administration’s Efforts
to Ensure Credit Union Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-20, October 22, 1997).

Social Security Administration: Significant Progress Made in Year 2000
Effort, But Key Risks Remain (GAO/AIMD-98-6, October 22, 1997).

Defense Computers: Technical Support Is Key to Naval Supply Year 2000
Success (GAO/AIMD-98-7R, October 21, 1997).

Defense Computers: LSSC Needs to Confront Significant Year 2000 Issues
(GAO/AIMD-97-149, September 26, 1997).

Veterans Affairs Computer Systems: Action Underway Yet Much Work
Remains To Resolve Year 2000 Crisis (GAO/T-AIMD-97-174,
September 25, 1997).

Year 2000 Computing Crisis: Success Depends Upon Strong Management
and Structured Approach (GAO/T-AIMD-97-173, September 25, 1997).

Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14,
September 1997).

Defense Computers: SSG Needs to Sustain Year 2000 Progress
(GAO/AIMD-97-120R, August 19, 1997).

Defense Computers: Improvements to DOD Systems Inventory Needed for
Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997).

Defense Computers: Issues Confronting DLA in Addressing Year 2000
Problems (GAO/AIMD-97-106, August 12, 1997).

Defense Computers: DFAS Faces Challenges in Solving the Year 2000
Problem (GAO/AIMD-97-117, August 11, 1997).

Year 2000 Computing Crisis: Time Is Running Out for Federal Agencies to
Prepare for the New Millennium (GAO/T-AIMD-97-129, July 10, 1997).








                   Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits
                   Depends on Timely Correction of Year-2000 Problems
                   (GAO/T-AIMD-97-114, June 26, 1997).

                   Veterans Benefits Computer Systems: Risks of VBA’s Year-2000 Efforts
                   (GAO/AIMD-97-79, May 30, 1997).

                   Medicare Transaction System: Success Depends Upon Correcting Critical
                   Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16, 1997).

                   Medicare Transaction System: Serious Managerial and Technical
                   Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997).

                   Year 2000 Computing Crisis: Risk of Serious Disruption to Essential
                   Government Functions Calls for Agency Action Now
                   (GAO/T-AIMD-97-52, February 27, 1997).

                   Year 2000 Computing Crisis: Strong Leadership Today Needed To Prevent
                   Future Disruption of Government Services (GAO/T-AIMD-97-51,
                   February 24, 1997).

                   High-Risk Series: Information Management and Technology
                   (GAO/HR-97-9, February 1997).




(511790)
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary. VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov