United States General Accounting Office GAO Testimony Before the Subcommittee on Technology, Committee on Science, and the Subcommittee on Government Management, Information and Technology, Committee on Government Reform, House of Representatives For Release on Delivery Expected at 10 a.m. YEAR 2000 COMPUTING Thursday, September 9, 1999 CHALLENGE FAA Continues to Make Important Strides, But Vulnerabilities Remain Statement of Joel C. Willemssen Director, Civil Agencies Information Systems Accounting and Information Management Division GAO/T-AIMD-99-285 Ms. Chairwoman, Mr. Chairman, and Members of the Subcommittees: We appreciate the opportunity to testify today on the Federal Aviation Administration’s (FAA) efforts to address the Year 2000 (Y2K) problem. With a little over 100 days remaining until January 1, 2000, the Y2K computing problem is at the forefront of the world’s information technology challenges and is especially crucial to FAA. Hundreds of critical computer systems make FAA’s operations possible. FAA uses these systems to control air traffic, target airlines for inspection, and provide up-to-date weather conditions to pilots and air traffic controllers. However, many of these systems could fail to perform as needed when using dates after 1999 unless proper date-related calculations can be ensured. Should systems fail or malfunction, hundreds of thousands of people could be affected through customer inconvenience, increased airline costs, grounded or delayed flights, or degraded levels of safety. My statement today will focus on four topics: (1) FAA’s progress to date, (2) challenges FAA faces in ensuring that its internal systems will work, (3) risks associated with external organizations—focusing specifically on airports, airlines, and international entities, and (4) the critical need for business continuity and contingency plans that identify how aviation operations will continue should systems fail. Our review of FAA’s Y2K program was performed in accordance with generally accepted government auditing standards from March through September 1999. We performed our work at FAA headquarters and facilities in Washington, D.C., and at facilities in Atlanta, Georgia; Dallas, Texas; and Denver, Colorado. We obtained comments on a draft of this testimony from FAA officials and incorporated these comments where appropriate. In brief, FAA and its employees have made excellent progress in tackling the monumental Y2K problem. The agency is now reporting that all of its systems are ready for the year 2000. However, FAA’s work is not yet done. The agency continues to face challenges in ensuring that its internal systems will work as intended through the Y2K date change. These challenges involve managing modifications to compliant systems, independent verification of systems’ compliance, and systems testing. FAA must also mitigate risks posed by external organizations, including airports, airlines, and foreign air traffic control systems. These factors could impede FAA’s ability to provide reliable aviation services, which could seriously affect the flow of air traffic across the nation and around the world. In the event that critical internal or external systems do not Page 1 GAO/T-AIMD-99-285 work as intended, FAA must have a comprehensive and tested business continuity and contingency plan ready to implement and train its staff in how to do so. FAA Has Made Over the past year and a half, FAA has made substantial progress. In January 1998, the agency had no central Y2K program management; an Excellent Progress in incomplete inventory of mission-critical systems; no overall strategy for Its Y2K Readiness renovating, validating, and implementing mission-critical systems; and no milestone dates or schedules.1 At that time, we recommended that FAA provide its Y2K program manager with the authority to enforce policies; outline FAA’s overall strategy for addressing the Y2K date change; complete inventories of all information systems and interfaces; set priorities; establish plans for renovating, validating, and testing all converted and replaced systems; and develop Y2K business continuity and contingency plans to ensure the continuity of critical operations. FAA has addressed our recommendations. The agency established a strong Y2K program office, and tasked it with providing leadership—guidance and oversight—to FAA’s business lines and aviation industry partners. The program office established (1) an overall Y2K strategy, (2) detailed standards and guidance for renovating, validating, and implementing mission-critical systems, (3) a database of schedules and milestones for these activities, and (4) a Y2K business continuity and contingency plan. The agency has also worked to repair or replace systems with date-related problems, test these systems, and implement these repairs and replacements in air traffic control facilities throughout the nation. Recently, the Department of Transportation (DOT) announced that—as of June 30—100 percent of FAA’s systems were fully Y2K compliant. Specifically, DOT stated that FAA had completed Y2K work on 424 mission-critical systems and 204 nonmission-critical systems. The department also reported that data verifying the compliance of all FAA systems had been examined and approved by Science Applications International Corporation (SAIC), an independent verification and validation (IV&V) contractor. DOT also noted that its Inspector General had examined a sample of systems and approved FAA’s work. 1 FAA Computer Systems: Limited Progress on Year 2000 Issue Increases Risk Dramatically (GAO/AIMD-98-45, January 30, 1998). Page 2 GAO/T-AIMD-99-285 Last month, FAA revised its Y2K project plan to identify key efforts for the remaining months before January 1, 2000. One key activity involves ensuring that systems that have been certified Y2K compliant maintain this status through a change-control process. Other activities include testing contingency plans and training systems users in how to implement them, if necessary. According to FAA, the agency is also having two independent contractors analyze selected compliant systems’ code for any date problems. Evidence Supports Systems To manage the deployment of hundreds of systems’ Y2K-related changes in Implementation facilities across the nation, FAA’s Y2K program office established implementation standards. These standards require system owners to complete a system’s Y2K certification, and, as applicable, test the system at key sites and deploy it nationally. When the system is implemented at every facility, system owners are then required to prepare a Y2K implementation results report. Once this report has been approved within the relevant business line, FAA’s IV&V contractor reviews it and other key implementation documents. Upon successful completion of this review, the system is considered implemented. When we last testified on this topic in March 1999,2 FAA estimated it had yet to complete roughly 4,500 implementation “events”—each one entailing the activation of a single system at a single site. FAA subsequently reported that it completed this task on June 30, 1999. To evaluate this effort, we reviewed implementation evidence for 18 mission-critical air traffic systems3 that were installed at one or more of 8 different facilities—totaling 49 implementation events in all. In evaluating implementation evidence, we reviewed hard copy and automated maintenance records to determine if the Y2K modification had been completed, and sought to identify compliant version numbers on system 2 Year 2000 Computing Crisis: FAA Is Making Progress But Important Challenges Remain (GAO/T-AIMD/RCED-99-118, March 15, 1999). 3 In choosing systems, we attempted to cover a range of air traffic control functions in different environments. We selected implemented systems from three different critical core functions (surveillance, weather information processing, and communications) that operate in one or more of the different air traffic control environments (en route, terminal, tower, and flight service station). Seven of these systems were also chosen because they were among the 26 systems identified by FAA as posing the greatest risk to the National Airspace System. Page 3 GAO/T-AIMD-99-285 consoles where possible. To the extent they were available, we also interviewed local technicians who implemented the modifications. We did not validate the effectiveness of the Y2K repairs. We found sufficient documentation supporting the implementation of these systems in all cases where this evidence was required. Of the 49 events, 39 required an entry in the maintenance records and 10 did not. The 39 events that required an entry were all documented in the facilities’ maintenance records. Additionally, we viewed compliant version numbers on backup console screens for 18 of the events. In some cases, we could not view the console screens because the system was on-line supporting air traffic control operations and would have had to be taken off-line for us to see version numbers. Of the 10 events that did not require an entry in the maintenance records, 5 were associated with leased systems, 2 were associated with prototype systems, and 3 were associated with systems that were not in operation at the facilities. FAA technicians explained that leased systems are maintained, monitored, and operated by a contractor—and thus are not tracked in FAA’s maintenance records. Similarly, the prototype systems we evaluated were maintained and managed by the National Aeronautics and Space Administration, and so were also not tracked in FAA’s maintenance records. Of the three systems that were not in operation at the facilities we visited, two had been decommissioned and one was maintained and managed at a distant location. FAA’s Year 2000 Efforts FAA faces several challenges that could affect its activities through the Y2K date change. These include addressing Face Important Challenges • changes to compliant systems that could introduce new Y2K problems, • independent verification efforts that were not documented, and • end-to-end testing efforts that were not comprehensive. Page 4 GAO/T-AIMD-99-285 Changes to Compliant As noted in our January 1999 testimony, changes made to systems after Systems Increase Risks of they have been certified as Y2K compliant can introduce new Y2K problems.4 To address this risk, we suggested the federal government adopt Y2K-Related Failures a strong Y2K change management policy—one that limits new software and systems changes. As an example of such a policy, we noted that the Social Security Administration had issued a moratorium on new systems changes on commercial-off-the-shelf and mainframe products from July 1, 1999 through March 31, 2000, and on programmatic applications from September 1, 1999 through March 31, 2000. We, therefore, suggested that the Office of Management and Budget (OMB) consider directing agencies to implement such a policy. In response to our suggestion, in May, OMB issued a memo to federal department heads stating the importance of considering the potential effect of changes to information technology systems on Y2K readiness, and urging agency heads to adopt a policy that only allows system changes where absolutely necessary. OMB also requested that agency heads summarize how they would implement such guidance in their quarterly Y2K progress reports. In its August 1999 quarterly report to OMB, DOT responded that it had a formal policy in place that required critical software and hardware modifications to be supported by formal, documented change control procedures. DOT also stated that on July 23, 1999, its Deputy Chief Information Officer (CIO) issued a memorandum calling for all operating administrations to examine any decision to proceed with new requirements or modifications to Y2K-compliant systems and to defer such modifications until after the Y2K date change, if possible. Prior to the Deputy CIO’s memo, on May 28, FAA established a policy calling for system owners to assess whether any completed modification to a Y2K-compliant system might affect the system’s compliance or its ability to process dates, and to disclose this information in a Y2K Certified System Change Report to their lines of business and the Y2K program office. According to the policy, if, as a result of this assessment, a modification were determined to have an impact on date processing or Y2K compliance, the system would have to be revalidated, recertified Y2K compliant, and reimplemented. 4 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20, 1999). Page 5 GAO/T-AIMD-99-285 Although FAA recognized the criticality of controlling systems changes and established a policy for doing so, the agency has not yet effectively implemented this policy. As of August 24, FAA Y2K program officials told us that they had received three Y2K Certified System Change Reports and that they were following up on another four system modifications identified by the Inspector General that did not have supporting change reports. However, when we requested a list of all system modifications logged in FAA’s Maintenance Management System (MMS)—the agency’s national database of systems modifications, maintenance actions, and interruptions—from July 1, 1999 (the day after FAA’s systems were deemed fully compliant) through August 23, 1999, the resulting printout was 535 pages long. Our preliminary review of this information identified 967 completed system modifications5 that should have been linked to Certified Y2K Systems Change Reports.6 For example, on August 15, one facility reported modifying its Digital Bright Radar Indicator Tower Equipment. In another instance, a facility made modifications to its Automated Radar Terminal System. Both of these systems help air traffic controllers maintain adequate separation between aircraft. Beyond the completed modifications, we identified an additional 239 modifications that had been initiated and were in process. These also should generate change reports when they are completed. For example, on August 3, one facility initiated−but has not yet completed−a software upgrade to its Terminal Doppler Weather Radar. When asked about the large number of modifications that were not linked to the required change reports, FAA’s acting Y2K program manager7 stated that the program office recently realized that the change-control policy did not specify a deadline by which system owners must file their change reports. The Y2K manager explained that system owners might have 5 We focused on modifications that had been completed (and so would require a change report), and eliminated entries that stated that (1) the modification was not applicable to the subject facility, (2) this was a delayed entry and the modification had been made prior to June 30, or (3) the change only applied to systems documentation. We also eliminated duplicate entries. 6 Multiple system modifications may be linked to a single System Change Report because the maintenance management system lists each facility’s modifications separately, and several facilities could be implementing the same change. 7 In July 1999, FAA’s Y2K program manager accepted a different position in the agency; the deputy program manager is serving as acting program manager. Page 6 GAO/T-AIMD-99-285 delayed filing change reports because of this lack of a deadline. Yesterday, the Y2K program office modified the policy to require change reports no later than 2 weeks after the system owner assesses the Y2K impact of any system modification. Additionally, officials in FAA’s air traffic services line of business reviewed samples of the 535 pages of systems modifications and stated that they believed many of the modifications had been made prior to June 30, but that the technician did not reflect that in the entry. They stated that they will follow up on every entry in the MMS database to ensure that all modifications are tracked for Y2K compliance, and that in the future, they plan to use the MMS database to help them track all system modifications, including new modifications. In addition to its change control policy, FAA’s Y2K program office allowed each business line to determine if a policy implementing a moratorium on changes to Y2K compliant systems was appropriate for its organization. One organization, the office of the Associate Administrator for Research and Acquisitions (ARA)—which is responsible for developing new air traffic control systems—issued a policy calling for a moratorium on new system changes to certified systems from November 17, 1999 through January 7, 2000, and from February 1, 2000 through March 8, 2000. This policy also establishes a waiver process for mission-critical, safety-related, or other essential modifications required during the moratorium period, and states that waivers will be granted wherever a contract schedule would be affected by the moratorium. The FAA office responsible for operating the National Airspace System (NAS)—the network of equipment, facilities, and information that supports U.S. aviation operations—has drafted a similar policy. FAA’s ARA organization plans to waive the moratorium for at least one system change scheduled to occur during that time frame. The new Standard Terminal Automation Replacement System (STARS), which is to replace aging radar data processing systems, is scheduled to begin operating at the first two facilities in December 1999 and January 2000. The ARA Y2K program manager stated that he plans to grant this system a waiver to allow it to meet its schedule. Another major change affecting the NAS is scheduled to take place on December 30. This change, called the 56-day national database update, involves updating boundaries between facilities, navigational aids, weather locations, and airways structures throughout the national airspace. This Page 7 GAO/T-AIMD-99-285 change coincides with worldwide updating of aeronautical information by the International Civil Aviation Organization (ICAO), the international organization responsible for aviation standards. This updating process occurs regularly throughout the year and, according to an FAA official, has, on occasion, experienced problems. While this change is not expected to affect the Y2K status of systems, any change so soon before the date rollover complicates the process of identifying and correcting problems. FAA officials stated that they explored the possibility of delaying the 56-day update, but decided not to do so because of the safety implications resulting from not updating critical aviation information. Lack of Documentation As we previously reported, when OMB and the President’s Council on Year Supporting IV&V 2000 Conversion began collecting information on the Y2K progress of federal agencies, they had little assurance that they were receiving Contractor’s Efforts Raises accurate information because progress was predominantly based on Questions About Compliant agency reports that had not been consistently reviewed or verified.8 In fact, Systems we had found cases in which agencies’ reported compliance status was inaccurate. To address this issue, we recommended that the Council require agencies to develop an independent verification strategy. According to OMB, all agencies are now required to independently verify their validation process, and senior managers at all large agencies are now relying on independent verification to provide a double-check that their mission-critical systems will, in fact, be ready for the year 2000. To respond to this requirement, many agencies hired IV&V contractors to assist in their Y2K work. Such contractors provide quality assurance services ranging from reviewing systems’ documentation to independent testing of Y2K repairs. IV&V contractors often perform verification and validation services and summarize their results, together with any qualifications they may have, in the form of interim and final reports. FAA contracted with SAIC to perform an independent review of each system’s documentation throughout key Y2K program phases (assessment, renovation, validation, and implementation) and to report its findings in monthly status reports. The task order stated that SAIC would not be asked to certify that FAA systems were actually Y2K compliant. 8 GAO/T-AIMD-99-50. Page 8 GAO/T-AIMD-99-285 In reviewing FAA’s systems, SAIC used standard checklists identifying required documents for each phase, and reported any concerns to the Y2K program office during daily meetings.9 FAA’s acting Y2K program manager stated that agency officials saw these checklists during the meetings, and that the checklists often contained handwritten notes about concerns and how they were resolved. However, when SAIC completed its work and turned its files over to FAA, these handwritten checklists had been removed. Instead, SAIC provided electronic files that lacked a complete history of the concerns and the reviewer’s signature. Without this history, it is difficult to determine if all of the system-specific concerns raised during SAIC’s independent review had been addressed. For example, when we reviewed Y2K documentation for the Display System Replacement system,10 we found that SAIC had reported that there were several unexplained problems that needed to be addressed and retested during the validation phase. Later, SAIC approved the system for implementation, but there is no explanation of how the validation problems were resolved. Similarly, SAIC identified missing and incomplete information on FAA’s mission-critical heating, ventilation, and air conditioning (HVAC) system11 during renovation. SAIC later approved the system’s validation and implementation, but we were unable to find any documentation supporting how their renovation concerns had been resolved. Further, because FAA did not require it, SAIC did not originally provide written interim or final reports summarizing the outcome of its activities, including any issues or crosscutting concerns. Without interim or final IV&V reports, FAA did not have summary evidence that IV&V concerns and issues were raised and satisfactorily addressed. In response to our concern about the lack of an IV&V summary report, FAA’s acting Y2K program manager stated that while she was comfortable that all of SAIC’s concerns had been addressed, she recognized the value of having a summary 9 FAA’s acting Y2K program manager stated that the agency’s daily and weekly meetings with SAIC and the data sheets that were discussed during the meetings satisfied the requirement for monthly status reports. 10 The Display System Replacement displays radar data to controllers in the en route environment. 11 HVAC systems are needed to maintain critical air traffic control equipment in normal operating condition. Page 9 GAO/T-AIMD-99-285 statement. FAA obtained such a summary statement from SAIC on September 7, 1999. End-to-End Testing Integrated, end-to-end testing of multiple systems that have been Valuable, But Not individually deemed Y2K compliant ensures that the systems that collectively support a core business function will operate as intended. Comprehensive Without such testing, systems individually deemed compliant may not work as expected when linked with other systems in an operational environment. This testing should include not only those owned and managed by an organization, but also any external systems with which they interface. FAA’s end-to-end testing strategy related to the National Airspace System focused on systems that directly support navigation, surveillance, weather, maintenance, and air traffic control functions.12 FAA conducted three types of Y2K end-to-end testing: system integrity testing, operational demonstration, and field-site testing. FAA’s system integrity tests involved testing groups of systems supporting weather processing, communications, flight- and radar-data processing, and remote maintenance monitoring, to ensure that data were processed correctly across interfaces. To date, FAA has completed five system integrity tests and reported that there were no Y2K-related problems in any of the tests.13 One of these tests was performed in response to our concern, raised in March 1999, that FAA did not validate the radar tracking functions of its Automated Radar Terminal System (ARTS)-IIIA—a critical data processing system used in about 55 terminal radar approach control facilities.14 In this system integrity test, FAA compared ARTS-IIIA radar tracking information with two independent tracking systems and found no Y2K-related problems. The information from the three sources was consistent. 12 FAA also performed system-specific testing prior to certifying each systems’ Y2K compliance. 13 FAA officials stated that they performed a sixth system integrity test, but that the test results report has not yet been completed. 14 GAO/T-AIMD/RCED-99-118. Page 10 GAO/T-AIMD-99-285 FAA’s end-to-end operational demonstration simulated having aircraft pass through all phases of flight using recorded data, and tested the activities associated with these phases—such as weather briefings, clearances, aircraft tracking, rerouting, handoffs, and transfers. This test focused on FAA’s ability to continue intersystem and interfacility data communications through the Y2K date change. FAA officials reported that they completed this test in February, with no Y2K-related problems. FAA’s field-site testing involved a demonstration of core NAS functions using equipment at operational air traffic control facilities in order to demonstrate that functional components at selected sites were reliable under Y2K conditions. FAA ran this demonstration in a “split environment.” That is, the agency used redundant equipment for this demonstration while still controlling live air traffic with its primary air traffic control systems. FAA completed this testing in April and reported it a success. While these three types of tests are important in demonstrating FAA’s Y2K progress in successively increasing increments, the tests were not comprehensive. Specifically, of 21 mission-critical systems15 that FAA identified as posing the greatest risk to the national airspace system if not operational on January 1, 2000, 13 were not included in any end-to-end testing. These include four weather systems, four communications systems, and five facilities systems. For example, neither the Graphical Weather Display System (GWDS) nor the Terminal Doppler Weather Radar (TDWR) was included in any of the end-to-end tests. Both of these systems are critical to obtaining aviation weather information; GWDS provides graphical weather information to flight service stations while TDWR detects windshear events and reports these events to air traffic controllers. Additionally, the agency’s broadest end-to-end test, the field-site test, was limited in that it took place during low traffic conditions. Further, FAA did not exercise every system or interface in this test. For example, FAA was unable to use the critical Voice Switching and Control System—used for communications between air traffic controllers and pilots—because it could not be set up to operate in both a primary and redundant environment. Also, FAA did not test critical backup systems, such as the Direct Access Radar Channel, which is essential should the Host Computer System—the primary information processing system in an en route 15 FAA originally identified 26 systems as posing the greatest risk to the national airspace system, but 5 have since been decommissioned. Page 11 GAO/T-AIMD-99-285 center—fail. Finally, because FAA’s demonstration focused on air traffic control systems, it did not constitute an end-to-end test of all of the key components of the NAS—including mission-critical systems operated by airlines and airports. FAA officials agreed that their end-to-end tests were not comprehensive, but stated that they had tested many of their most important systems and functions and, therefore, do not plan to conduct additional end-to-end testing. Given the significance of the systems and functions that have not yet been tested end-to-end, FAA should consider performing additional testing in the time remaining before the Year 2000 date change. Risks Associated With In addition to the challenges FAA faces in ensuring its internal systems will work through the Y2K date change, the agency is at risk that critical External Partners external systems will fail, thereby affecting its operations. Three prime Could Affect Aviation areas of risk are airports, airlines, and international partners. Operations Many Airports Expected to The successful operation of the NAS depends, in part, on the equipment Complete Y2K Activities that airports use to carry out their operations. This equipment helps provide safe, secure, and efficient aircraft operations and other services to Late This Year the public; it includes controls for functions such as runway lighting, monitoring access to secured areas, handling baggage, providing emergency communications, and fueling aircraft. Because much of this equipment is automated, it is at risk of Y2K-induced failures and malfunctioning. While airport officials expressed confidence that they could resort to manual operations if automated systems fail, they noted that manual operations could decrease an airport’s efficiency—its ability to handle its normal number of scheduled flights per day—thereby causing flight delays. Delays at one airport could have a ripple effect, causing delays at other airports and eventually reducing the efficiency of the system nationwide. Page 12 GAO/T-AIMD-99-285 We raised concerns about the Y2K status of our nation’s airports in January 1999, when we reported that nearly two-thirds of 334 airports responding to our survey did not plan to complete their Y2K efforts by FAA’s recommended June 30 deadline.16 We also noted that while most of these were small airports, 26 of them were among the nation’s 50 largest airports. More recently, the International Civil Aviation Organization (ICAO) required member countries to report on the Y2K status of their civil aviation systems—including air traffic control systems, airports, and airlines—by July 1, 1999. FAA collected Y2K information on 113 U.S. airports, submitted it to ICAO on June 29, and is continuing to update this information.17 According to FAA’s latest information, about 20 percent of the 113 airports reported that they had completed their Y2K preparations. Another 58 percent estimated that they would complete Y2K efforts by September 30, and the remaining 22 percent of airports either planned on a later date or did not provide an estimated completion date. Among the group planning to complete their Y2K efforts after September 30, but by November 30, are five of the nation’s largest international airports. FAA is also collecting information on the Y2K status of 566 domestic airports’ safety systems and 459 airports’ security systems—systems that FAA certifies—but this information is not yet complete. FAA officials stated that the agency is requiring information on airports’ safety systems by October 15, but had not set a deadline for information on security systems. The agency will continue this information-collection effort through the end of 1999. To help ensure the safety of airports’ systems, on July 1, 1999, FAA proposed a requirement that airports test critical safety equipment early on January 1, 2000. The purpose of this proposed requirement was to have airports test equipment—such as emergency communications systems and fire trucks—that may not be in use during the Y2K date change. Several airports provided comments to FAA on this proposed rule change, and the agency is now evaluating those comments before proceeding to issue the new requirement. 16 Year 2000 Computing Crisis: Status of Airports’ Efforts to Deal With Date Change Problem (GAO/RCED/AIMD-99-57, January 29, 1999). 17 On August 31, FAA requested that we treat information on specific airports and airlines as “For Official Use Only” information, meaning that we are unable to report site-specific information in a public forum. Page 13 GAO/T-AIMD-99-285 Many Airlines Expected to Airlines, another key element of the National Airspace System, also rely Complete Y2K Activities heavily on automated systems to provide safe and efficient air transportation. These systems support communications, navigation, flight Late This Year management, aeronautical information processing, and weather information processing, as well as transponders and engine management. Responding to ICAO’s request for Y2K information on airlines, FAA collected Y2K information on 146 international airlines in April and May 1999, submitted it to ICAO on June 29 and is continuing to update this information. According to FAA’s latest information, about 33 percent of the 146 airlines reported that their systems were Y2K compliant. Another 35 percent planned to complete their Y2K efforts by September 30, and the remaining 32 percent either planned on a later date or did not provide any date. Among the group planning to complete their Y2K efforts after September 30, but by December 31, 1999, are four of the nation’s major airlines. FAA is also collecting Y2K status information from over 14,000 FAA- certified air carriers and operators. The agency distributed a questionnaire to certificate-holders in April 1999, and is currently following up with nonrespondents. In addition, FAA inspectors are beginning to ask questions of certificate-holders about their Y2K status. FAA officials stated that they will continue with these efforts through the Y2K date change. International Activity and American international carriers operate in over 90 countries and at over Coordination Is Continuing 200 foreign airports; similarly, over 125 foreign carriers cross FAA- controlled airspace. FAA lacks the authority and resources to ensure compliance of any foreign air traffic control system, but it nevertheless retains responsibility for ensuring safe, reliable aviation services for American travelers into 2000 and beyond. FAA’s international Y2K management team has been active. FAA is sharing information with its foreign counterparts and assisting them in addressing Y2K issues, such as business continuity and contingency planning. FAA is also actively working with ICAO to obtain Y2K status information on its international counterparts, and is prioritizing countries based on perceived risk in order to determine the level of testing to be performed with these countries. FAA reports that it has completed international testing with several countries, and plans to continue these tests throughout 1999. Page 14 GAO/T-AIMD-99-285 FAA’s Y2K international manager stated that FAA will provide status information on individual countries to the State Department to help develop consular information sheets—previously called travel advisories— regarding ICAO member countries. Both the departments of Transportation and State intend to issue information on individual countries later this month. Comprehensive Because of the risk of anticipated and unanticipated Y2K failures—whether from internal systems or due to reliance on external partners and Business Continuity suppliers—comprehensive business continuity and contingency plans are and Contingency crucial to continuing core operations. We have issued guidance on this topic,18 and OMB adopted this guidance as the standard that federal Planning Is Crucial agencies are to use in developing their business continuity and contingency plans. In accordance with this requirement, FAA drafted a Y2K business continuity and contingency plan in December 1998, and released iterations of this plan in April and July 1999. FAA’s plan defined its approach to business continuity and contingency planning and focused on developing risk matrices for each of the agency’s core business functions. These risk matrices, developed in conjunction with subject matter experts, identify risks, business impact, mitigation strategies, potential triggers, and contingency plans within each core business area.19 The latest version of the plan also describes FAA’s “Day One” strategy—plans and procedures for the time frame immediately before and after the date rollover, business resumption model, and plans for testing the contingency plan and training people in how to use it. For the portion of the plan that affects the NAS, the “Day One” strategy is a plan for reducing risk from December 31, 1999 through January 1, 2000. This includes the establishment of business resumption teams made up of experts who will be available to address problems, as well as a communications structure for coordinating responses to any problems that arise. 18 Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD- 10.1.19, August 1998). This product was available as an exposure draft in March 1998. 19 The information in these risk matrices is considered “For Official Use Only” and therefore cannot be discussed in this testimony. Page 15 GAO/T-AIMD-99-285 To test and improve the NAS portion of its business continuity and contingency plan, FAA has initiated rehearsal exercises. One such exercise took place last month, and another is scheduled for next month. During these exercises, experts in various facets of aviation operations work through different failure scenarios, determining how they would react and what further activities should be undertaken to better prepare the agency for such failures. These scenarios range from minor to major failures, and include failures of the national infrastructure. FAA officials stated that they will use suggestions generated during these exercises to improve their contingency plans. This is an extremely valuable exercise but, for it to be effective, FAA must follow through and act on key suggestions. FAA is also planning to train key systems users on the NAS portion of the business continuity and contingency plan. The air traffic services line of business is developing a training curriculum and intends to train air traffic controllers and systems specialists in the months preceding the date rollover. Because FAA’s business continuity and contingency plan provides a Y2K focus not included in the agency’s existing contingency plans, such training is crucial. This concludes my statement, and I would be happy to respond to any questions that you or other members of the Subcommittees may have at this time. Contact and If you have any questions regarding this testimony, please contact Joel Willemssen at (202) 512-6408 or by e-mail at firstname.lastname@example.org. Acknowledgements Individuals making key contributions to this testimony include Nabajyoti Barkakati, William Bumgarner, Cynthia Jackson, Colleen Phillips, and Glenda Wright. (511742) Leter Page 16 GAO/T-AIMD-99-285 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Mail General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Challenge: FAA Continues to Make Important Strides, But Vulnerabilities Remain
Published by the Government Accountability Office on 1999-09-09.
Below is a raw (and likely hideous) rendition of the original report. (PDF)