Here is a GAO report that didn't get much notice. This
is odd as it seems to be a pretty detailed rundown of the State of Y2K
as we know it today. Due to the length I will be posting this in three
different sections. This is quite the document and is recommended reading.
As far as I am concerned Joel Willemssen is one of the more unbiased individuals
looking at the effects of Y2K. He clearly states that the work is not done.
I have kept the refferances on this document. There are numbers in the
text that reffer to previous GAO documents and others.
http://www.gao.gov/new.items/ai99234t.pdf
United States General Accounting Office Testimony
Before the Subcommittee on Government Management,
Information and Technology, Committee on Government
Reform, House of Representatives
For Release on Delivery Expected at 9 a.m. EDT Friday, July 9, 1999
YEAR 2000 COMPUTING CHALLENGE
Important Progress Made, Yet Much Work Remains to Avoid Disruption
of Critical Services
Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division
GAO/T-AIMD-99-234
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting us to participate in today's hearing on the Year
2000
problem. According to the report of the President's Commission on
Critical Infrastructure Protection, the United States--with close to
half of all
computer capacity and 60 percent of Internet assets--is the world's
most
advanced and most dependent user of information technology.1 Should
these systems--which perform functions and services critical to our
nation--suffer problems, it could create widespread disruption.
Accordingly, the upcoming change of century is a sweeping and urgent
challenge for public- and private-sector organizations alike.
Because of its urgent nature and the potentially devastating impact
it could
have on critical government operations, in February 1997 we designated
the Year 2000 problem a high-risk area for the federal government.2
Since
that time, we have issued over 120 reports and testimony statements
detailing specific findings and numerous recommendations related to
the
Year 2000 readiness of a wide range of federal agencies.3 We have also
issued guidance to help organizations successfully address the issue.4
Today I will highlight the Year 2000 risks facing the nation, discuss
the
federal government's progress and challenges that remain in correcting
its
system, identify state and local government Year 2000 issues, and provide
an overview of available information on the readiness of key public
infrastructure and economic sectors.
1 Critical Foundations: Protecting America's Infrastructures (President's
Commission on Critical
Infrastructure Protection, October 1997).
2 High-Risk Series: Information Management and Technology (GAO/HR-97-9,
February 1997).
3 A list of these publications is included as an attachment to this
statement. These publications can be
obtained through GAO�s World Wide Web page at www.gao.gov/y2kr.htm.
4 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14,
issued as an exposure draft in
February 1997 and in final form in September 1997), which addresses
the key tasks needed to complete
each phase of a Year 2000 program (awareness, assessment, renovation,
validation, and
implementation); Year 2000 Computing Crisis: Business Continuity and
Contingency Planning
(GAO/AIMD-10.1.19, issued as an exposure draft in March 1998 and in
final form in August 1998), which
describes the tasks needed to ensure the continuity of agency operations;
and Year 2000 Computing
Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft
in June 1998 and in final form
in November 1998), which discusses the need to plan and conduct Year
2000 tests in a structured and
disciplined fashion.
The Public Faces Risk
of Year 2000
Disruptions
The public faces the risk that critical services provided by the government
and the private sector could be severely disrupted by the Year 2000
computing problem. Financial transactions could be delayed, flights
grounded, power lost, and national defense affected. Moreover, America's
infrastructures are a complex array of public and private enterprises
with
many interdependencies at all levels. These many interdependencies
among governments and within key economic sectors could cause a single
failure to have adverse repercussions in other sectors. Key sectors
that
could be seriously affected if their systems are not Year 2000 compliant
include information and telecommunications; banking and finance; health,
safety, and emergency services; transportation; power and water; and
manufacturing and small business.
The following are examples of some of the major disruptions the public
and
private sectors could experience if the Year 2000 problem is not corrected.
� With respect to aviation, there could be grounded or delayed flights,
degraded safety, customer inconvenience, and increased airline costs.5
� Aircraft and other military equipment could be grounded because the
computer systems used to schedule maintenance and track supplies
may not work. Further, the Department of Defense could incur
shortages of vital items needed to sustain military operations and
readiness.6
� Medical devices and scientific laboratory equipment may experience
problems beginning January 1, 2000, if their software applications
or
embedded chips use two-digit fields to represent the year.
Recognizing the seriousness of the Year 2000 problem, on February 4,
1998,
the President signed an executive order that established the President's
Council on Year 2000 Conversion, chaired by an Assistant to the President
and consisting of one representative from each of the executive
departments and from other federal agencies as may be determined by
the
Chair. The Chair of the Council was tasked with the following Year
2000
roles:
(1) overseeing the activities of agencies, (2) acting as chief
spokesperson in national and international forums, (3) providing policy
5 FAA Systems: Serious Challenges Remain in Resolving Year 2000 and
Computer Security Problems
coordination of executive branch activities with state, local, and
tribal
governments, and (4) promoting appropriate federal roles with respect
to
private-sector activities.
Improvements Made But Much Work Remains
Addressing the Year 2000 problem is a tremendous challenge for the federal
government. Many of the federal government's computer systems were
originally designed and developed 20 to 25 years ago, are poorly
documented, and use a wide variety of computer languages, many of which
are obsolete. Some applications include thousands, tens of thousands,
or
even millions of lines of code, each of which must be examined for
date-format problems.
To meet this challenge and monitor individual agency efforts, the Office
of
Management and Budget (OMB) directed the major departments and
agencies to submit quarterly reports on their progress, beginning May
15,
1997. These reports contain information on where agencies stand with
respect to the assessment, renovation, validation, and implementation
of
mission-critical systems, as well as other management information on
items such as costs and business continuity and contingency plans.
The federal government's most recent reports show improvement in
addressing the Year 2000 problem. While much work remains, the federal
government has significantly increased its percentage of mission-critical
systems that are reported to be Year 2000 compliant, as chart 1 illustrates.
In particular, while the federal government did not meet its goal of
having
all mission-critical systems compliant by March 1999, as of mid-May
1999,
93 percent of these systems were reported compliant.
(Graph)
While this reported progress is notable, OMB reported that 10 agencies
have mission-critical systems that were not yet compliant.7 In addition,
as
we testified in April, some of the systems that were not yet compliant
support vital government functions.8 For example, some of the systems
that were not compliant were among the 26 mission-critical systems
that
the Federal Aviation Administration (FAA) has identified as posing
the
greatest risk to the National Airspace System�the network of equipment,
facilities, and information that supports U.S. aviation operations.
Additionally, not all systems have undergone an independent verification
and validation process. For example, in April 1999 the Department of
Commerce awarded a contract for independent verification and validation
reviews of approximately 40 mission-critical systems that support that
department�s most critical business processes.
7 The 10 agencies were the departments of Agriculture, Commerce, Defense,
Energy, Health and Human
Services, Justice, Transportation, Treasury; the National Aeronautics
and Space Administration; and the
U.S. Agency for International Development.
8 Year 2000 Computing Challenge: Federal Government Making Progress
But Critical Issues Must Still
Be Addressed to Minimize Disruptions (GAO/T-AIMD-99-144, April 14,
These reviews are to
continue through the summer of 1999. In some cases, independent
verification and validation of compliant systems have found serious
problems. For example, as we testified this past February, 9 none of
54
external mission-critical systems of the Health Care Financing
Administration reported by the Department of Health and Human Services
(HHS) as compliant as of December 31, 1998, was Year 2000 ready, based
on serious qualifications identified by the independent verification
and
validation contractor.
Reviews Show Uneven Federal Agency Progress
� In March we testified that FAA had made tremendous progress over the
prior year.10 However, much remained to be done to complete validating
and implementing FAA�s mission-critical systems. Specifically, the
challenges that FAA faced included (1) ensuring that systems validation
efforts were adequate, (2) implementing multiple systems at numerous
facilities, (3) completing data exchange efforts, and (4) completing
end-to-end testing. Because of the risks associated with FAA�s Year
2000
program, we have advocated that the agency develop business
continuity and contingency plans.11 FAA agreed and has activities
underway, which we are currently reviewing.
� In May we testified 12 that the Department of Education had made
progress toward addressing the significant risks we had identified
in
September 1998 13 related to systems testing, exchanging data with
internal and external partners, and developing business continuity
and
contingency plans. Nevertheless, work remained ongoing in these
areas. For example, Education had scheduled a series of tests with
its
data exchange partners, such as schools, through the early part of
the
fall.
9 Year 2000 Computing Crisis: Readiness Status of the Department of
Health and Human Services
(GAO/T-AIMD-99-92, February 26, 1999).
10 Year 2000 Computing Crisis: FAA Is Making Progress But Important
Challenges Remain
(GAO/T-AIMD/RCED-99-118, March 15, 1999).
11 FAA Computer Systems: Limited Progress on Year 2000 Issue Increases
Risk Dramatically
(GAO/AIMD-98-45, January 30, 1998), GAO/T-AIMD-98-251, August 6, 1998,
and
GAO/T-AIMD/RCED-99-118, March 15, 1999.
12 Year 2000 Computing Challenge: Education Taking Needed Actions But
Work Remains
(GAO/T-AIMD-99-180, May 12, 1999).
13 Year 2000 Computing Crisis: Significant Risks Remain to Department
of Education�s Student Financial
Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).
� Our work has shown that the Department of Defense and the military
services face significant problems.14 In March we testified that, despite
considerable progress made in the preceding 3 months, Defense was
still well behind schedule.15 We found that Defense faced two significant
challenges: (1) completing remediation and testing of its
mission-critical systems and (2) having a reasonable level of assurance
that key processes will continue to work on a day-to-day basis and
key
operational missions necessary for national defense can be successfully
accomplished. We concluded that such assurance could only be
provided if Defense took steps to improve its visibility over the status
of
key business processes.
End-to-End Testing Must Be Completed
While it is important to achieve compliance for individual mission-critical
systems, realizing such compliance alone does not ensure that business
functions will continue to operate through the change of century�the
ultimate goal of Year 2000 efforts. The purpose of end-to-end testing
is to
verify that a defined set of interrelated systems, which collectively
support
an organizational core business area or function, will work as intended
in
an operational environment. In the case of the year 2000, many systems
in
the end-to-end chain will have been modified or replaced. As a result,
the
scope and complexity of testing---and its importance--are dramatically
increased, as is the difficulty of isolating, identifying, and correcting
problems. Consequently, agencies must work early and continually with
their data exchange partners to plan and execute effective end-to-end
tests.
(Our Year 2000 testing guide sets forth a structured approach to testing,
including end-to-end testing.16 )
In January we testified that with the time available for end-to-end
testing
diminishing, OMB should consider, for the government�s most critical
functions, setting target dates, and having agencies report against
them, for
the development of end-to-end test plans, the establishment of test
schedules, and the completion of the tests.17 On March 31, OMB and
the
Chair of the President�s Council on Year 2000 Conversion announced
that
one of the key priorities that federal agencies will be pursuing during
the
rest of 1999 will be cooperative end-to-end testing to demonstrate
the Year
2000 readiness of federal programs with states and other partners.
14 Defense Computers: Year 2000 Computer Problems Put Navy Operations
at Risk (GAO/AIMD-98-150,
June 30, 1998); Defense Computers: Army Needs to Greatly Strengthen
Its Year 2000 Program
(GAO/AIMD-98-53, May 29, 1998); GAO/AIMD-98-72, April 30, 1998; and
Defense Computers: Air Force
Needs to Strengthen Year 2000 Oversight (GAO/AIMD-98-35, January 16,
1998).
15 Year 2000 Computing Crisis: Defense Has Made Progress, But Additional
Management Controls Are
Needed
Agencies have also acted to address end-to-end testing. For example,
our
March FAA testimony 18 found that the agency had addressed our prior
concerns about the lack of detail in its draft end-to-end test program
plan
and had developed a detailed end-to-end testing strategy and plans.19
At the
Department of Defense, last month we reported 20 that the department
had
underway or planned hundreds of related Year 2000 end-to-end test and
evaluation activities and that, thus far, it was taking steps to ensure
that
these related end-to-end tests were effectively coordinated. However,
we
concluded that Defense was far from successfully finishing its various
Year
2000 end-to-end test activities and that it must complete efforts to
establish
end-to-end management controls, such as establishing an independent
quality assurance program.
Business Continuity andContingency Plans Are Needed
Business continuity and contingency plans are essential. Without such
plans, when unpredicted failures occur, agencies will not have well-defined
responses and may not have enough time to develop and test alternatives.
Federal agencies depend on data provided by their business partners
as
well as on services provided by the public infrastructure (e.g., power,
water, transportation, and voice and data telecommunications). One
weak
link anywhere in the chain of critical dependencies can cause major
disruptions to business operations. Given these interdependencies,
it is
imperative that contingency plans be developed for all critical core
business processes and supporting systems, regardless of whether these
systems are owned by the agency. Accordingly, in April 1998 we
recommended that the Council require agencies to develop contingency
plans for all critical core business processes.21
17 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains
to Avoid Major
Disruptions (GAO/T-AIMD-99-50, January 20, 1999).
18 GAO/T-AIMD/RCED-99-118, March 15, 1999.
19 GAO/T-AIMD-98-251, August 6, 1998.
20 Defense Computers: Management Controls Are Critical To Effective
Year 2000 Testing
OMB has clarified its contingency plan instructions and, along with
the
Chief Information Officers Council, has adopted our business continuity
and contingency planning guide.22 In particular, on January 26, 1999,
OMB
called on federal agencies to identify and report on the high-level
core
business functions that are to be addressed in their business continuity
and
contingency plans, as well as to provide key milestones for development
and testing of such plans in their February 1999 quarterly reports.
In
addition, on May 13 OMB required agencies to submit high-level versions
of
these plans by June 15. According to an OMB official, OMB has received
almost all of the agency plans. This official stated that OMB planned
to
review the plans, discuss them with the agencies, determine whether
there
were any common themes, and report on the plans� status in its next
quarterly report.
To provide assurance that agencies� business continuity and contingency
plans will work if needed, on January 20 we suggested that OMB may
want
to consider requiring agencies to test their business continuity strategy
and
set a target date, such as September 30, 1999, for the completion of
this
validation. 23 Our review of the 24 major departments and agencies�
May
1999 quarterly reports found 14 cases in which agencies did not identify
test dates for their business continuity and contingency plans or reported
test dates subsequent to September 30, 1999.
On March 31, OMB and the Chair of the President�s Council announced
that
completing and testing business continuity and contingency plans as
insurance against disruptions to federal service delivery and operations
from Year 2000-related failures will be one of the key priorities that
federal
agencies will be pursuing through the rest of 1999. Accordingly, OMB
should implement our suggestion and establish a target date for the
validation of these business continuity and contingency plans.
21 Year 2000 Computing Crisis: Potential for Widespread Disruption Calls
for Strong Leadership and Parternships (GAO/AIMD-98-85, April 30, 1998).
22 GAO/AIMD-10.1.19, August 1998.
23 GAO/T-AIMD-99-50, January 20, 1999.
-- Brian (imager@home.com), July 29, 1999