GAO Report Important Progress Made, Yet Much Work Remains to Avoid Disruption of Critical Services : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Here is a GAO report that didn't get much notice. This is odd as it seems to be a pretty detailed rundown of the State of Y2K as we know it today. Due to the length I will be posting this in three different sections. This is quite the document and is recommended reading. As far as I am concerned Joel Willemssen is one of the more unbiased individuals looking at the effects of Y2K. He clearly states that the work is not done.

I have kept the refferances on this document. There are numbers in the text that reffer to previous GAO documents and others.

United States General Accounting Office Testimony

Before the Subcommittee on Government Management,
Information and Technology, Committee on Government
Reform, House of Representatives

For Release on Delivery Expected at 9 a.m. EDT Friday, July 9, 1999

Important Progress Made, Yet Much Work Remains to  Avoid Disruption of Critical Services

Statement of Joel C. Willemssen

Director, Civil Agencies Information Systems

Accounting and Information Management Division


Mr. Chairman and Members of the Subcommittee:

Thank you for inviting us to participate in today's hearing on the Year 2000
problem. According to the report of the President's Commission on
Critical Infrastructure Protection, the United States--with close to half of all
computer capacity and 60 percent of Internet assets--is the world's most
advanced and most dependent user of information technology.1 Should
these systems--which perform functions and services critical to our
nation--suffer problems, it could create widespread disruption.
Accordingly, the upcoming change of century is a sweeping and urgent
challenge for public- and private-sector organizations alike.

Because of its urgent nature and the potentially devastating impact it could
have on critical government operations, in February 1997 we designated
the Year 2000 problem a high-risk area for the federal government.2 Since
that time, we have issued over 120 reports and testimony statements
detailing specific findings and numerous recommendations related to the
Year 2000 readiness of a wide range of federal agencies.3 We have also
issued guidance to help organizations successfully address the issue.4

Today I will highlight the Year 2000 risks facing the nation, discuss the
federal government's progress and challenges that remain in correcting its
system, identify state and local government Year 2000 issues, and provide
an overview of available information on the readiness of key public
infrastructure and economic sectors.

1 Critical Foundations: Protecting America's Infrastructures (President's Commission on Critical
Infrastructure Protection, October 1997).

2 High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).

3 A list of these publications is included as an attachment to this statement. These publications can be
obtained through GAOs World Wide Web page at

4 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in
February 1997 and in final form in September 1997), which addresses the key tasks needed to complete
each phase of a Year 2000 program (awareness, assessment, renovation, validation, and
implementation); Year 2000 Computing Crisis: Business Continuity and Contingency Planning
(GAO/AIMD-10.1.19, issued as an exposure draft in March 1998 and in final form in August 1998), which
describes the tasks needed to ensure the continuity of agency operations; and Year 2000 Computing
Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998 and in final form
in November 1998), which discusses the need to plan and conduct Year 2000 tests in a structured and
disciplined fashion.

The Public Faces Risk
of Year 2000

The public faces the risk that critical services provided by the government
and the private sector could be severely disrupted by the Year 2000
computing problem. Financial transactions could be delayed, flights
grounded, power lost, and national defense affected. Moreover, America's
infrastructures are a complex array of public and private enterprises with
many interdependencies at all levels. These many interdependencies
among governments and within key economic sectors could cause a single
failure to have adverse repercussions in other sectors. Key sectors that
could be seriously affected if their systems are not Year 2000 compliant
include information and telecommunications; banking and finance; health,
safety, and emergency services; transportation; power and water; and
manufacturing and small business.

The following are examples of some of the major disruptions the public and
private sectors could experience if the Year 2000 problem is not corrected.

 With respect to aviation, there could be grounded or delayed flights,
degraded safety, customer inconvenience, and increased airline costs.5

 Aircraft and other military equipment could be grounded because the
computer systems used to schedule maintenance and track supplies
may not work. Further, the Department of Defense could incur
shortages of vital items needed to sustain military operations and

 Medical devices and scientific laboratory equipment may experience
problems beginning January 1, 2000, if their software applications or
embedded chips use two-digit fields to represent the year.

Recognizing the seriousness of the Year 2000 problem, on February 4, 1998,
the President signed an executive order that established the President's
Council on Year 2000 Conversion, chaired by an Assistant to the President
and consisting of one representative from each of the executive
departments and from other federal agencies as may be determined by the
Chair. The Chair of the Council was tasked with the following Year 2000

(1) overseeing the activities of agencies, (2) acting as chief
spokesperson in national and international forums, (3) providing policy
5 FAA Systems: Serious Challenges Remain in Resolving Year 2000 and Computer Security Problems
coordination of executive branch activities with state, local, and tribal
governments, and (4) promoting appropriate federal roles with respect to
private-sector activities.

Improvements Made But Much Work Remains

Addressing the Year 2000 problem is a tremendous challenge for the federal
government. Many of the federal government's computer systems were
originally designed and developed 20 to 25 years ago, are poorly
documented, and use a wide variety of computer languages, many of which
are obsolete. Some applications include thousands, tens of thousands, or
even millions of lines of code, each of which must be examined for
date-format problems.

To meet this challenge and monitor individual agency efforts, the Office of
Management and Budget (OMB) directed the major departments and
agencies to submit quarterly reports on their progress, beginning May 15,
1997. These reports contain information on where agencies stand with
respect to the assessment, renovation, validation, and implementation of
mission-critical systems, as well as other management information on
items such as costs and business continuity and contingency plans.

The federal government's most recent reports show improvement in
addressing the Year 2000 problem. While much work remains, the federal
government has significantly increased its percentage of mission-critical
systems that are reported to be Year 2000 compliant, as chart 1 illustrates.
In particular, while the federal government did not meet its goal of having
all mission-critical systems compliant by March 1999, as of mid-May 1999,
93 percent of these systems were reported compliant.


While this reported progress is notable, OMB reported that 10 agencies
have mission-critical systems that were not yet compliant.7 In addition, as
we testified in April, some of the systems that were not yet compliant
support vital government functions.8 For example, some of the systems
that were not compliant were among the 26 mission-critical systems that
the Federal Aviation Administration (FAA) has identified as posing the
greatest risk to the National Airspace Systemthe network of equipment,
facilities, and information that supports U.S. aviation operations.

Additionally, not all systems have undergone an independent verification
and validation process. For example, in April 1999 the Department of
Commerce awarded a contract for independent verification and validation
reviews of approximately 40 mission-critical systems that support that
departments most critical business processes.

7 The 10 agencies were the departments of Agriculture, Commerce, Defense, Energy, Health and Human
Services, Justice, Transportation, Treasury; the National Aeronautics and Space Administration; and the
U.S. Agency for International Development.
8 Year 2000 Computing Challenge: Federal Government Making Progress But Critical Issues Must Still
Be Addressed to Minimize Disruptions (GAO/T-AIMD-99-144, April 14,

 These reviews are to
continue through the summer of 1999. In some cases, independent
verification and validation of compliant systems have found serious
problems. For example, as we testified this past February, 9 none of 54
external mission-critical systems of the Health Care Financing
Administration reported by the Department of Health and Human Services
(HHS) as compliant as of December 31, 1998, was Year 2000 ready, based
on serious qualifications identified by the independent verification and
validation contractor.

Reviews Show Uneven Federal Agency Progress

 In March we testified that FAA had made tremendous progress over the
prior year.10 However, much remained to be done to complete validating
and implementing FAAs mission-critical systems. Specifically, the
challenges that FAA faced included (1) ensuring that systems validation
efforts were adequate, (2) implementing multiple systems at numerous
facilities, (3) completing data exchange efforts, and (4) completing
end-to-end testing. Because of the risks associated with FAAs Year 2000
program, we have advocated that the agency develop business
continuity and contingency plans.11 FAA agreed and has activities
underway, which we are currently reviewing.

 In May we testified 12 that the Department of Education had made
progress toward addressing the significant risks we had identified in
September 1998 13 related to systems testing, exchanging data with
internal and external partners, and developing business continuity and
contingency plans. Nevertheless, work remained ongoing in these
areas. For example, Education had scheduled a series of tests with its
data exchange partners, such as schools, through the early part of the

9 Year 2000 Computing Crisis: Readiness Status of the Department of Health and Human Services
(GAO/T-AIMD-99-92, February 26, 1999).
10 Year 2000 Computing Crisis: FAA Is Making Progress But Important Challenges Remain
(GAO/T-AIMD/RCED-99-118, March 15, 1999).
11 FAA Computer Systems: Limited Progress on Year 2000 Issue Increases Risk Dramatically
(GAO/AIMD-98-45, January 30, 1998), GAO/T-AIMD-98-251, August 6, 1998, and
GAO/T-AIMD/RCED-99-118, March 15, 1999.
12 Year 2000 Computing Challenge: Education Taking Needed Actions But Work Remains
(GAO/T-AIMD-99-180, May 12, 1999).
13 Year 2000 Computing Crisis: Significant Risks Remain to Department of Educations Student Financial
Aid Systems (GAO/T-AIMD-98-302, September 17, 1998).

 Our work has shown that the Department of Defense and the military
services face significant problems.14 In March we testified that, despite
considerable progress made in the preceding 3 months, Defense was
still well behind schedule.15 We found that Defense faced two significant
challenges: (1) completing remediation and testing of its
mission-critical systems and (2) having a reasonable level of assurance
that key processes will continue to work on a day-to-day basis and key
operational missions necessary for national defense can be successfully
accomplished. We concluded that such assurance could only be
provided if Defense took steps to improve its visibility over the status of
key business processes.

End-to-End Testing Must Be Completed

While it is important to achieve compliance for individual mission-critical
systems, realizing such compliance alone does not ensure that business
functions will continue to operate through the change of centurythe
ultimate goal of Year 2000 efforts. The purpose of end-to-end testing is to
verify that a defined set of interrelated systems, which collectively support
an organizational core business area or function, will work as intended in
an operational environment. In the case of the year 2000, many systems in
the end-to-end chain will have been modified or replaced. As a result, the
scope and complexity of testing---and its importance--are dramatically
increased, as is the difficulty of isolating, identifying, and correcting
problems. Consequently, agencies must work early and continually with
their data exchange partners to plan and execute effective end-to-end tests.
(Our Year 2000 testing guide sets forth a structured approach to testing,
including end-to-end testing.16 )

In January we testified that with the time available for end-to-end testing
diminishing, OMB should consider, for the governments most critical
functions, setting target dates, and having agencies report against them, for
the development of end-to-end test plans, the establishment of test
schedules, and the completion of the tests.17 On March 31, OMB and the
Chair of the Presidents Council on Year 2000 Conversion announced that
one of the key priorities that federal agencies will be pursuing during the
rest of 1999 will be cooperative end-to-end testing to demonstrate the Year
2000 readiness of federal programs with states and other partners.

14 Defense Computers: Year 2000 Computer Problems Put Navy Operations at Risk (GAO/AIMD-98-150,
June 30, 1998); Defense Computers: Army Needs to Greatly Strengthen Its Year 2000 Program
(GAO/AIMD-98-53, May 29, 1998); GAO/AIMD-98-72, April 30, 1998; and Defense Computers: Air Force
Needs to Strengthen Year 2000 Oversight (GAO/AIMD-98-35, January 16, 1998).
15 Year 2000 Computing Crisis: Defense Has Made Progress, But Additional Management Controls Are

Agencies have also acted to address end-to-end testing. For example, our
March FAA testimony 18 found that the agency had addressed our prior
concerns about the lack of detail in its draft end-to-end test program plan
and had developed a detailed end-to-end testing strategy and plans.19 At the
Department of Defense, last month we reported 20 that the department had
underway or planned hundreds of related Year 2000 end-to-end test and
evaluation activities and that, thus far, it was taking steps to ensure that
these related end-to-end tests were effectively coordinated. However, we
concluded that Defense was far from successfully finishing its various Year
2000 end-to-end test activities and that it must complete efforts to establish
end-to-end management controls, such as establishing an independent
quality assurance program.

Business Continuity andContingency Plans Are Needed

Business continuity and contingency plans are essential. Without such
plans, when unpredicted failures occur, agencies will not have well-defined
responses and may not have enough time to develop and test alternatives.
Federal agencies depend on data provided by their business partners as
well as on services provided by the public infrastructure (e.g., power,
water, transportation, and voice and data telecommunications). One weak
link anywhere in the chain of critical dependencies can cause major
disruptions to business operations. Given these interdependencies, it is
imperative that contingency plans be developed for all critical core
business processes and supporting systems, regardless of whether these
systems are owned by the agency. Accordingly, in April 1998 we
recommended that the Council require agencies to develop contingency
plans for all critical core business processes.21

17 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major
Disruptions (GAO/T-AIMD-99-50, January 20, 1999).
18 GAO/T-AIMD/RCED-99-118, March 15, 1999.
19 GAO/T-AIMD-98-251, August 6, 1998.
20 Defense Computers: Management Controls Are Critical To Effective Year 2000 Testing

OMB has clarified its contingency plan instructions and, along with the
Chief Information Officers Council, has adopted our business continuity
and contingency planning guide.22 In particular, on January 26, 1999, OMB
called on federal agencies to identify and report on the high-level core
business functions that are to be addressed in their business continuity and
contingency plans, as well as to provide key milestones for development
and testing of such plans in their February 1999 quarterly reports. In
addition, on May 13 OMB required agencies to submit high-level versions of
these plans by June 15. According to an OMB official, OMB has received
almost all of the agency plans. This official stated that OMB planned to
review the plans, discuss them with the agencies, determine whether there
were any common themes, and report on the plans status in its next
quarterly report.

To provide assurance that agencies business continuity and contingency
plans will work if needed, on January 20 we suggested that OMB may want
to consider requiring agencies to test their business continuity strategy and
set a target date, such as September 30, 1999, for the completion of this
validation. 23 Our review of the 24 major departments and agencies May
1999 quarterly reports found 14 cases in which agencies did not identify
test dates for their business continuity and contingency plans or reported
test dates subsequent to September 30, 1999.

On March 31, OMB and the Chair of the Presidents Council announced that
completing and testing business continuity and contingency plans as
insurance against disruptions to federal service delivery and operations
from Year 2000-related failures will be one of the key priorities that federal
agencies will be pursuing through the rest of 1999. Accordingly, OMB
should implement our suggestion and establish a target date for the
validation of these business continuity and contingency plans.

21 Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for Strong Leadership and Parternships (GAO/AIMD-98-85, April 30, 1998).
22 GAO/AIMD-10.1.19, August 1998.
23 GAO/T-AIMD-99-50, January 20, 1999.

-- Brian (, July 29, 1999


Response to GAO Report Important Progress Made, Yet Much Work Remains to Avoid Disruption of Critical Services


Thanks for finding this.

-- Linkmeister (, July 29, 1999.

Response to GAO Report Important Progress Made, Yet Much Work Remains to Avoid Disruption of Critical Services

Thanks, Brian. And thanks Linkmeister for a couple you posted today. I love the fact that I can quote government sources ONLY in trying to convince people of the seriousness of this thing. That makes it more real. My friend woke me up this morning with the news that the government is opening a command bunker in DC on 10/31--posted here today. Like if that doesn't tell you something...

-- Mara Wayne (, July 29, 1999.

Moderation questions? read the FAQ