Here is the first post of the GAO report for the State of Y2K as of
July 99
GAO
Report Important Progress Made, Yet Much Work Remains to Avoid Disruption
of Critical
And the second part of three.
Part 2
http://www.gao.gov/new.items/ai99234t.pdf
United States General Accounting Office Testimony
Before the Subcommittee on Government Management,
Information and Technology, Committee on Government
Reform, House of Representatives
For Release on Delivery Expected at 9 a.m. EDT Friday, July 9, 1999
YEAR 2000 COMPUTING CHALLENGE
Important Progress Made, Yet Much Work Remains to Avoid Disruption
of Critical Services
Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division
Page 9
Recent OMB Action Could Help Ensure Business Continuity of High-Impact
Programs
While individual agencies have been identifying and remediating
mission-critical systems, the government�s future actions need to be
focused on its high-priority programs and ensuring the continuity of
these
programs, including the continuity of federal programs that are
administered by states. Accordingly, governmentwide priorities need
to be
based on such criteria as the potential for adverse health and safety
effects,
adverse financial effects on American citizens, detrimental effects
on
national security, and adverse economic consequences. In April 1998
we
recommended that the President�s Council on Year 2000 Conversion
establish governmentwide priorities and ensure that agencies set
agencywide priorities.24
On March 26, OMB implemented our recommendation by issuing a
memorandum to federal agencies designating lead agencies for the
government�s 42 high-impact programs (e.g., food stamps, Medicare,
and
federal electric power generation and delivery). (OMB later added a
43rd
high-impact program.) Appendix I lists these programs and their lead
agencies. For each program, the lead agency was charged with identifying
to OMB the partners integral to program delivery; taking a leadership
role
in convening those partners; assuring that each partner has an adequate
Year 2000 plan and, if not, helping each partner without one; and
developing a plan to ensure that the program will operate effectively.
According to OMB, such a plan might include testing data exchanges
across partners, developing complementary business continuity and
contingency plans, sharing key information on readiness with other
partners and the public, and taking other steps necessary to ensure
that the
program will work. OMB directed the lead agencies to provide a schedule
and milestones of key activities in the plan by April 15. OMB also
asked
agencies to provide monthly progress reports. As you know, we are
currently reviewing agencies� progress in ensuring the readiness of
their
high-impact programs for this subcommittee.
State and Local Governments Face Significant Year 2000 Risks
Just as the federal government faces significant Year 2000 risks, so
too do
state and local governments. If the Year 2000 problem is not properly
addressed, for example, (1) food stamps and other types of payments
may
not be made or could be made for incorrect amounts; (2) date-dependent
signal timing patterns could be incorrectly implemented at highway
intersections, with safety severely compromised; and (3) prisoner release
or parole eligibility determinations may be adversely affected.
Nevertheless, available information on the Year 2000 readiness of state
and
local governments indicates that much work remains.
According to information on state Year 2000 activities reported to the
National Association of State Information Resource Executives as of
June
17, 1999, 25 states 26 reported having thousands of mission-critical
systems.27With respect to completing the implementation phase for
these systems,
� 5 states 28 reported that they had completed between 25 and
49 percent,
� 13 states 29 reported completing between 50 and 74 percent,
and
� 30 states 30 reported completing 75 percent or more.31
All of the states responding to the National Association of State
Information Resource Executives survey reported that they were actively
engaged in internal and external contingency planning and that they
had
established target dates for the completion of these plans; 14 (28
percent)
reported the deadline as October 1999 or later.
25 Individual states submit periodic updates to the National Association
of State Information Resource
Executives. For the June 17 report, over half of the states submitted
their data in May and June 1999.
The oldest data were provided on March 4 and the most recent data on
June 16. All but three states
responded to the survey.
26 In the context of the National Association of State Information
Resource Executives survey, the term
�states� includes the District of Columbia, Guam, and Puerto Rico.
27 The National Association of State Information Resource Executives
defined mission-critical systems
as those that a state had identified as priorities for prompt remediation.
28 Three states reported on their mission-critical systems, one state
reported on its processes, and one
reported on its functions.
29 Eleven states reported on their mission-critical systems, one reported
on all systems, and one
reported on projects.
30 Twenty-five states reported on their mission-critical systems, two
states reported on their
applications, one reported on its �priority business activities,� one
reported on its �critical compliance
units,� and one reported on all systems.
31 Of the states that responded to the survey, two did not respond
to this question.
State audit organizations have also identified significant Year 2000
concerns. In January, the National State Auditors Association reported
on
the results of its mid-1998 survey of Year 2000 compliance among states.32
This report stated that, for the 12 state audit organizations that
provided
Year 2000-related reports, concerns had been raised in areas such as
planning, testing, embedded systems, business continuity and contingency
planning, and the adequacy of resources to address the problem.
We identified additional products by 15 state-level audit organizations
and
Guam that discussed the Year 2000 problem and that had been issued
since
October 1, 1998. Several of these state-level audit organizations noted
that
progress had been made. However, the audit organizations also expressed
concerns that were consistent with those reported by the National State
Auditors Association, for example:
� In December 1998 the Vermont State Auditor reported 33 that
the state
Chief Information Officer did not have a comprehensive control list
of
the state�s information technology systems. Accordingly, the audit
office
stated that, even if all mission-critical state systems were checked,
these
systems could be endangered by information technology components
that had not been checked or by linkages with the state�s external
electronic partners.
� In April, New York�s Division of Management Audit and State Financial
Services reported that state agencies did not adequately control the
critical process of testing remediated systems.34 Further, most
agencies
were in the early stages of addressing potential problems related to
data
exchanges and embedded systems and none had completed substantive
work on contingency planning. The New York audit office subsequently
issued 7 reports on 13 of the state�s mission-critical and high-priority
systems that included concerns about contingency planning and testing.
� In February, the California State Auditor reported 35 that
key agencies
responsible for emergency services, corrections, and water resources,
among other areas, had not fully addressed embedded
technology-related threats. Regarding emergency services, the
California report stated that if remediation of the embedded technology
in its networks were not completed, the Office of Emergency Services
might have to rely on cumbersome manual processes, significantly
increasing response time to disasters.
32 Year 2000: State Compliance Efforts (National State Auditors Association,
January 1999).
33 Vermont State Auditor�s Report on State Government�s Year 2000 Preparedness
(Y2K Compliance) for
the Period Ending November 1, 1998 (Office of the State Auditor, December
31, 1998).
34 New York�s Preparation for the Year 2000: A Second Look (Office
of the State Comptroller, Division of
Management Audit and State Financial Services, Report 98-S-21, April
5, 1999).
35 Year 2000 Computer Problem: The State�s Agencies Are Progressing
Toward Compliance but Key
Steps Remain Incomplete (California State Auditor, February 18, 1999).
� In March, Oregon�s Audits Division reported 36 that 11 of the
12 state
agencies reviewed did not have business continuity plans addressing
potential Year 2000 problems for their core business functions.
� In March, North Carolina�s State Auditor reported 37 that resource
restrictions had limited the state�s Year 2000 Project Office�s ability
to
verify data reported by state agencies.
In the case of Michigan, in May 1999, the Office of the Auditor General
reported that the state�s Year 2000 Project Office had effectively
implemented key processes to achieve Year 2000 compliance. 38
However,
the report stated that because of the unprecedented nature of the Year
2000
issue, sufficient audit evidence did not exist to conclude that the
state will
be successful in its remediation efforts or that essential business
functions
will not be affected by either internal or external factors. The audit
office
also found that state agencies had not reported their assessments of,
for
example, the status of regulated industries� Year 2000 remediation
efforts to
the Emergency Management Division. The audit office concluded that
without this information, the Emergency Management Division would find
it more difficult to assess the vulnerabilities of the state�s health
and safety
infrastructure.
It is also critical that local government systems be ready for the change
of
century since critical functions involving, for example, public safety
and
traffic management, are performed at the local level. Recent reports
on
local governments have highlighted Year 2000 concerns, for example:
� On June 23, the National Association of Counties announced the results
of its April survey of 500 randomly selected counties. This survey
found
that (1) 74 percent of respondents had a countywide plan to address
Year 2000 issues, (2) 51 percent had completed system assessments,
and
(3) 27 percent had completed system testing. In addition, 190 counties
had prepared contingency plans and 289 had not. Further, of the
114 counties reporting that they planned to develop Year 2000
contingency plans, 22 planned to develop the plan in April-June, 64
in
July-September, 18 in October- December, and 10 did not know.
36 Department of Administrative Services Year 2000 Statewide Project
Office Review (Secretary of State,
Audits Division, State of Oregon Report No. 99-05, March 16, 1999).
37 Department of Commerce, Information Technology Services Year 2000
Project Office (Office of the
State Auditor, State of North Carolina, March 18, 1999).
38 Performance Audit of the Year 2000 Issues For Information Systems,
Year 2000 Project Office,
Department of Management and Budget (Office of the Auditor General,
State of Michigan, May 1999).
� The National League of Cities conducted a poll during its annual
conference in March 1999 that included over 400 responses. The poll
found that (1) 340 respondents stated that over 75 percent of their
cities�
critical systems would be Year 2000 compliant by January 1, 2000,
(2) 35 stated that 51-75 percent would be compliant, (3) 16 stated
that
25-50 percent would be compliant, and (4) 16 stated that less than
25 percent would be compliant. Moreover, 34 percent of respondents
reported that they had contingency plans, 46 percent stated that they
were in the process of developing plans, 12 percent stated that plans
would be developed, and 8 percent said they did not intend to develop
contingency plans.
� In January 1999, the United States Conference of Mayors reported on
the results of its survey of 220 cities. It found that (1) 97 percent
had a
citywide plan to address Year 2000 issues, (2) 22 percent had repaired
or
replaced less than half of their systems, and (3) 45 percent had
completed less than half of their testing.
Of critical importance to the nation are services essential to the safety
and
well-being of individuals across the country, namely 9-1-1 systems
and law
enforcement. For the most part, responsibility for ensuring continuity
of
service for 9-1-1 calls and law enforcement resides with thousands
of state
and local jurisdictions. On April 29 we testified that not enough was
known
about the status of either 9-1-1 systems or of state and local law
enforcement activities to conclude about either�s ability during the
transition to the year 2000 to meet the public safety and well-being
needs of
local communities across the nation.39 While the federal government
planned additional actions to determine the status of these areas,
we stated
that the President�s Council on Year 2000 Conversion should use such
information to identify specific risks and develop appropriate strategies
and contingency plans to respond to those risks.
39 Year 2000 Computing Challenge: Status of Emergency and State and
Local Law Enforcement Systems
Is Still Unknown
Recognizing the seriousness of the Year 2000 risks facing state and
local
governments, the President�s Council has developed initiatives to address
the readiness of state and local governments, for example:
� The Council established working groups on state and local governments
and tribal governments.
� Council officials participate in monthly multistate conference calls.
� In July 1998 and March 1999, the Council, in partnership with the
National Governors� Association, convened Year 2000 summits with
state and U.S. territory Year 2000 coordinators.
� On May 24, the Council announced a nationwide campaign to promote
�Y2K Community Conversations� to support and encourage efforts of
government officials, business leaders, and interested citizens to
share
information on their progress. To support this initiative, the Council
has
developed and is distributing a toolkit that provides examples of which
sectors should be represented at these events and issues that should
be
addressed.
State-Administered Federal Human Services Programs Are At Risk
Among the critical functions performed by states are the administration
of
federal human services programs. As we reported in November 1998, many
systems that support state-administered federal human services programs
were at risk, and much work remained to ensure that services would
continue.40 In February of this year, we testified that while
some progress
had been achieved, many states� systems were not scheduled to become
compliant until the last half of 1999. 41 Accordingly, we concluded
that,
given these risks, business continuity and contingency planning was
even
more important in ensuring continuity of program operations and benefits
in the event of systems failures.
Subsequent to our November 1998 report, OMB directed federal oversight
agencies to include the status of selected state human services systems
in
their quarterly reports. Specifically, in January 1999, OMB requested
that
agencies describe actions to help ensure that federally supported,
state-run
programs will be able to provide services and benefits. OMB further
asked
that agencies report the date when each state�s systems will be Year
2000-compliant. Tables 1 and 2 summarize the information gathered by
the
Departments of Agriculture and Health and Human Services (HHS),
respectively, on the compliance status of state-level organizations.
The
information indicates that a number of states do not plan to complete
their
Year 2000 efforts until the last quarter of 1999.
40 Year 2000 Computing Crisis: Readiness of State Automated Systems
to Support Federal Welfare
Programs (GAO/AIMD-99-28, November 6, 1998).
41 Year 2000 Computing Crisis: Readiness of State Automated Systems
That Support Federal Human
Services Programs (GAO/T-AIMD-99-91, February 24, 1999).
Table sniped
In addition, in June 1999, OMB reported that, as of March 31, 1999,
27
states� unemployment insurance systems were compliant, 11 planned to
be
completed between April and June 1999, 10 planned to be completed
between July and September, and 5 planned to be completed between
October and December.
Along with obtaining readiness information from the states, agencies
have
initiated additional actions to help ensure the Year 2000 compliance
of
state-administered programs. About a quarter of the federal government�s
programs designated high-impact by OMB are state-administered, such
as
Food Stamps and Temporary Assistance for Needy Families. In response
to
OMB�s March memorandum regarding the high-impact programs, the
departments of Agriculture, Health and Human Services, and Labor
reported on various actions that they are taking or plan to take to
help
ensure the Year 2000 compliance of their state-administered programs.
For
example:
� The Department of Agriculture reported in May that its Food and
Nutrition Service requested that states provide their contingency plans
and had contracted for technical support services to review these plans,
as needed, and to assist in its oversight of other state Year 2000
activities.
� The Department of Health and Human Services reported that its
Administration for Children and Families and Health Care Financing
Administration had contracted for on-site assessments of state partners,
which will include reviews of business continuity and contingency
plans.
� The Department of Labor reported that states are required to submit
a
certification of Year 2000 compliance for their benefit and tax systems
along with an independent verification and validation report. In
addition, Labor required that state agencies prepare business continuity
and contingency plans, which will be reviewed by Labor officials.
Further, the department plans to design and develop a prototype
PC-based system to be used in the event that a state�s unemployment
insurance system is unusable due to a Year 2000-induced problem.
An example of the benefits that federal/state partnerships can provide
is
illustrated by the Department of Labor�s unemployment services program.
In September 1998, we reported that many state employment security
agencies were at risk of failure as early as January 1999 and urged
the
Department of Labor to initiate the development of realistic contingency
plans to ensure continuity of core business processes in the event
of Year
2000-induced failures.42 Just last month, we testified that
four state
agencies� systems could have failed if systems in those states had
not been
programmed with an emergency patch in December 1998. This patch was
developed by several of the state agencies and promoted to other state
agencies by the Department of Labor. 43
Year 2000 Readiness Information Available in Some Sectors, But
Key Information Still Missing or Incomplete
Beyond the risks faced by federal, state, and local governments, the
year
2000 also poses a serious challenge to the public infrastructure, key
economic sectors, and to other countries. To address these concerns,
in
April 1998 we recommended that the Council use a sector-based approach
and establish the effective public-private partnerships necessary to
address
this issue.44 The Council subsequently established over 25 sector-based
working groups and has been initiating outreach activities since it
became
operational last spring. In addition, the Chair of the Council has
formed a
Senior Advisors Group composed of representatives from private-sector
firms across key economic sectors. Members of this group are expected
to
offer perspectives on cross-cutting issues, information sharing, and
appropriate federal responses to potential Year 2000 failures.
42 Year 2000 Computing Crisis: Progress Made at Department of Labor,
But Key Systems at Risk
(GAO/T-AIMD-98-303, September 17, 1998).
43 Year 2000 Computing Challenge: Labor Has Progressed But Selected
Systems Remain at Risk
(GAO/T-AIMD-99-179, May 12, 1999).
44 GAO/AIMD-98-85, April 30, 1998.
Our April 1998 report also recommended that the President's Council
develop a comprehensive picture of the nation�s Year 2000 readiness,
to
include identifying and assessing risks to the nation's key economic
sectors--including risks posed by international links. In October 1998
the
Chair directed the Council's sector working groups to begin assessing
their
sectors. The Chair also provided a recommended guide of core questions
that the Council asked to be included in surveys by the associations
performing the assessments. These questions included the percentage
of
work that has been completed in the assessment, renovation, validation,
and implementation phases. The Chair then planned to issue quarterly
public reports summarizing these assessments. The first such report
was
issued on January 7, 1999.
The Council�s second report was issued on April 21, 1999.45 The
report
stated that substantial progress had been made in the prior 6 to 12
months,
but that there was still much work to be done. According to the Council,
most industries had projected completion target dates between June
and
September and were in, or would soon be moving into, the critical testing
phase. Key points in the Council�s April assessment included the following:
� National Year 2000 failures in key U.S. infrastructures such as power,
banking, telecommunications, and transportation are unlikely.
� Organizations that are not paying appropriate attention to the Year
2000
problem or that are adopting a �wait and see� strategy�an attitude
prevalent among some small businesses and local governments�are
putting themselves and those that depend upon them at great risk.
� International Year 2000 activity, although increasing, is lagging
and will
be the source of the greatest risk.
The Council�s assessment reports have substantially increased the nation�s
understanding of the Year 2000 readiness of key industries. However,
the
picture remained incomplete in certain key areas because the surveys
conducted did not have a high response rate, the assessment was general,
or the data were old. For example, according to the assessment report,
only 13 percent of the nation�s 9-1-1 centers had responded to a survey
being conducted by the Federal Emergency Management Agency in
conjunction with the National Emergency Number Association, calling
into
question whether the results of the survey accurately portrayed the
readiness of the sector. In the case of drinking water, both the January
and
April reports provided a general assessment but did not contain detailed
data as to the status of the sector (e.g., the average percentage of
an
organization�s systems that are Year 2000 compliant or the percentage
of
organizations that are in the assessment, renovation, or validation
phases).
Finally, in some cases, such as the transit industry, the sector surveys
had
been conducted months earlier.
45 Both of the Council�s reports are available on its web site, www.y2k.gov.
In addition, the Council, in
conjunction with the Federal Trade Commission and the General Services
Administration, has
established a toll-free Year 2000 information line, 1-888-USA-4Y2K.
The Federal Trade Commission has
also included Year 2000 information of interest to consumers on its
web site, www.consumer.gov.
-- Brian (imager@home.com), July 30, 1999