(PART Two) GAO Report Important Progress Made, Yet Much Work Remains to Avoid Disruption of Critical Servicesgreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
Here is the first post of the GAO report for the State of Y2K as of July 99
GAO Report Important Progress Made, Yet Much Work Remains to Avoid Disruption of Critical
And the second part of three.
United States General Accounting Office TestimonyBefore the Subcommittee on Government Management,
Information and Technology, Committee on Government
Reform, House of Representatives
For Release on Delivery Expected at 9 a.m. EDT Friday, July 9, 1999
YEAR 2000 COMPUTING CHALLENGE
Important Progress Made, Yet Much Work Remains to Avoid Disruption of Critical Services
Statement of Joel C. Willemssen
Director, Civil Agencies Information SystemsAccounting and Information Management Division
Recent OMB Action Could Help Ensure Business Continuity of High-Impact
While individual agencies have been identifying and remediating
mission-critical systems, the governments future actions need to be
focused on its high-priority programs and ensuring the continuity of these
programs, including the continuity of federal programs that are
administered by states. Accordingly, governmentwide priorities need to be
based on such criteria as the potential for adverse health and safety effects,
adverse financial effects on American citizens, detrimental effects on
national security, and adverse economic consequences. In April 1998 we
recommended that the Presidents Council on Year 2000 Conversion
establish governmentwide priorities and ensure that agencies set
On March 26, OMB implemented our recommendation by issuing a
memorandum to federal agencies designating lead agencies for the
governments 42 high-impact programs (e.g., food stamps, Medicare, and
federal electric power generation and delivery). (OMB later added a 43rd
high-impact program.) Appendix I lists these programs and their lead
agencies. For each program, the lead agency was charged with identifying
to OMB the partners integral to program delivery; taking a leadership role
in convening those partners; assuring that each partner has an adequate
Year 2000 plan and, if not, helping each partner without one; and
developing a plan to ensure that the program will operate effectively.
According to OMB, such a plan might include testing data exchanges
across partners, developing complementary business continuity and
contingency plans, sharing key information on readiness with other
partners and the public, and taking other steps necessary to ensure that the
program will work. OMB directed the lead agencies to provide a schedule
and milestones of key activities in the plan by April 15. OMB also asked
agencies to provide monthly progress reports. As you know, we are
currently reviewing agencies progress in ensuring the readiness of their
high-impact programs for this subcommittee.
State and Local Governments Face Significant Year 2000 Risks
Just as the federal government faces significant Year 2000 risks, so too do
state and local governments. If the Year 2000 problem is not properly
addressed, for example, (1) food stamps and other types of payments may
not be made or could be made for incorrect amounts; (2) date-dependent
signal timing patterns could be incorrectly implemented at highway
intersections, with safety severely compromised; and (3) prisoner release
or parole eligibility determinations may be adversely affected.
Nevertheless, available information on the Year 2000 readiness of state and
local governments indicates that much work remains.
According to information on state Year 2000 activities reported to the
National Association of State Information Resource Executives as of June
17, 1999, 25 states 26 reported having thousands of mission-critical systems.27With respect to completing the implementation phase for these systems,
5 states 28 reported that they had completed between 25 and 49 percent,
13 states 29 reported completing between 50 and 74 percent, and
30 states 30 reported completing 75 percent or more.31
All of the states responding to the National Association of State
Information Resource Executives survey reported that they were actively
engaged in internal and external contingency planning and that they had
established target dates for the completion of these plans; 14 (28 percent)
reported the deadline as October 1999 or later.
25 Individual states submit periodic updates to the National Association of State Information Resource
Executives. For the June 17 report, over half of the states submitted their data in May and June 1999.
The oldest data were provided on March 4 and the most recent data on June 16. All but three states
responded to the survey.
26 In the context of the National Association of State Information Resource Executives survey, the term
states includes the District of Columbia, Guam, and Puerto Rico.
27 The National Association of State Information Resource Executives defined mission-critical systems
as those that a state had identified as priorities for prompt remediation.
28 Three states reported on their mission-critical systems, one state reported on its processes, and one
reported on its functions.
29 Eleven states reported on their mission-critical systems, one reported on all systems, and one
reported on projects.
30 Twenty-five states reported on their mission-critical systems, two states reported on their
applications, one reported on its priority business activities, one reported on its critical compliance
units, and one reported on all systems.
31 Of the states that responded to the survey, two did not respond to this question.
State audit organizations have also identified significant Year 2000
concerns. In January, the National State Auditors Association reported on
the results of its mid-1998 survey of Year 2000 compliance among states.32
This report stated that, for the 12 state audit organizations that provided
Year 2000-related reports, concerns had been raised in areas such as
planning, testing, embedded systems, business continuity and contingency
planning, and the adequacy of resources to address the problem.
We identified additional products by 15 state-level audit organizations and
Guam that discussed the Year 2000 problem and that had been issued since
October 1, 1998. Several of these state-level audit organizations noted that
progress had been made. However, the audit organizations also expressed
concerns that were consistent with those reported by the National State
Auditors Association, for example:
In December 1998 the Vermont State Auditor reported 33 that the state
Chief Information Officer did not have a comprehensive control list of
the states information technology systems. Accordingly, the audit office
stated that, even if all mission-critical state systems were checked, these
systems could be endangered by information technology components
that had not been checked or by linkages with the states external
In April, New Yorks Division of Management Audit and State Financial
Services reported that state agencies did not adequately control the
critical process of testing remediated systems.34 Further, most agencies
were in the early stages of addressing potential problems related to data
exchanges and embedded systems and none had completed substantive
work on contingency planning. The New York audit office subsequently
issued 7 reports on 13 of the states mission-critical and high-priority
systems that included concerns about contingency planning and testing.
In February, the California State Auditor reported 35 that key agencies
responsible for emergency services, corrections, and water resources,
among other areas, had not fully addressed embedded
technology-related threats. Regarding emergency services, the
California report stated that if remediation of the embedded technology
in its networks were not completed, the Office of Emergency Services
might have to rely on cumbersome manual processes, significantly
increasing response time to disasters.
32 Year 2000: State Compliance Efforts (National State Auditors Association, January 1999).
33 Vermont State Auditors Report on State Governments Year 2000 Preparedness (Y2K Compliance) for
the Period Ending November 1, 1998 (Office of the State Auditor, December 31, 1998).
34 New Yorks Preparation for the Year 2000: A Second Look (Office of the State Comptroller, Division of
Management Audit and State Financial Services, Report 98-S-21, April 5, 1999).
35 Year 2000 Computer Problem: The States Agencies Are Progressing Toward Compliance but Key
Steps Remain Incomplete (California State Auditor, February 18, 1999).
In March, Oregons Audits Division reported 36 that 11 of the 12 state
agencies reviewed did not have business continuity plans addressing
potential Year 2000 problems for their core business functions.
In March, North Carolinas State Auditor reported 37 that resource
restrictions had limited the states Year 2000 Project Offices ability to
verify data reported by state agencies.
In the case of Michigan, in May 1999, the Office of the Auditor General
reported that the states Year 2000 Project Office had effectively
implemented key processes to achieve Year 2000 compliance. 38 However,
the report stated that because of the unprecedented nature of the Year 2000
issue, sufficient audit evidence did not exist to conclude that the state will
be successful in its remediation efforts or that essential business functions
will not be affected by either internal or external factors. The audit office
also found that state agencies had not reported their assessments of, for
example, the status of regulated industries Year 2000 remediation efforts to
the Emergency Management Division. The audit office concluded that
without this information, the Emergency Management Division would find
it more difficult to assess the vulnerabilities of the states health and safety
It is also critical that local government systems be ready for the change of
century since critical functions involving, for example, public safety and
traffic management, are performed at the local level. Recent reports on
local governments have highlighted Year 2000 concerns, for example:
On June 23, the National Association of Counties announced the results
of its April survey of 500 randomly selected counties. This survey found
that (1) 74 percent of respondents had a countywide plan to address
Year 2000 issues, (2) 51 percent had completed system assessments, and
(3) 27 percent had completed system testing. In addition, 190 counties
had prepared contingency plans and 289 had not. Further, of the
114 counties reporting that they planned to develop Year 2000
contingency plans, 22 planned to develop the plan in April-June, 64 in
July-September, 18 in October- December, and 10 did not know.
36 Department of Administrative Services Year 2000 Statewide Project Office Review (Secretary of State,
Audits Division, State of Oregon Report No. 99-05, March 16, 1999).
37 Department of Commerce, Information Technology Services Year 2000 Project Office (Office of the
State Auditor, State of North Carolina, March 18, 1999).
38 Performance Audit of the Year 2000 Issues For Information Systems, Year 2000 Project Office,
Department of Management and Budget (Office of the Auditor General, State of Michigan, May 1999).
The National League of Cities conducted a poll during its annual
conference in March 1999 that included over 400 responses. The poll
found that (1) 340 respondents stated that over 75 percent of their cities
critical systems would be Year 2000 compliant by January 1, 2000,
(2) 35 stated that 51-75 percent would be compliant, (3) 16 stated that
25-50 percent would be compliant, and (4) 16 stated that less than
25 percent would be compliant. Moreover, 34 percent of respondents
reported that they had contingency plans, 46 percent stated that they
were in the process of developing plans, 12 percent stated that plans
would be developed, and 8 percent said they did not intend to develop
In January 1999, the United States Conference of Mayors reported on
the results of its survey of 220 cities. It found that (1) 97 percent had a
citywide plan to address Year 2000 issues, (2) 22 percent had repaired or
replaced less than half of their systems, and (3) 45 percent had
completed less than half of their testing.
Of critical importance to the nation are services essential to the safety and
well-being of individuals across the country, namely 9-1-1 systems and law
enforcement. For the most part, responsibility for ensuring continuity of
service for 9-1-1 calls and law enforcement resides with thousands of state
and local jurisdictions. On April 29 we testified that not enough was known
about the status of either 9-1-1 systems or of state and local law
enforcement activities to conclude about eithers ability during the
transition to the year 2000 to meet the public safety and well-being needs of
local communities across the nation.39 While the federal government
planned additional actions to determine the status of these areas, we stated
that the Presidents Council on Year 2000 Conversion should use such
information to identify specific risks and develop appropriate strategies
and contingency plans to respond to those risks.
39 Year 2000 Computing Challenge: Status of Emergency and State and Local Law Enforcement Systems
Is Still Unknown
Recognizing the seriousness of the Year 2000 risks facing state and local
governments, the Presidents Council has developed initiatives to address
the readiness of state and local governments, for example:
The Council established working groups on state and local governments
and tribal governments.
Council officials participate in monthly multistate conference calls.
In July 1998 and March 1999, the Council, in partnership with the
National Governors Association, convened Year 2000 summits with
state and U.S. territory Year 2000 coordinators.
On May 24, the Council announced a nationwide campaign to promote
Y2K Community Conversations to support and encourage efforts of
government officials, business leaders, and interested citizens to share
information on their progress. To support this initiative, the Council has
developed and is distributing a toolkit that provides examples of which
sectors should be represented at these events and issues that should be
State-Administered Federal Human Services Programs Are At Risk
Among the critical functions performed by states are the administration of
federal human services programs. As we reported in November 1998, many
systems that support state-administered federal human services programs
were at risk, and much work remained to ensure that services would
continue.40 In February of this year, we testified that while some progress
had been achieved, many states systems were not scheduled to become
compliant until the last half of 1999. 41 Accordingly, we concluded that,
given these risks, business continuity and contingency planning was even
more important in ensuring continuity of program operations and benefits
in the event of systems failures.
Subsequent to our November 1998 report, OMB directed federal oversight
agencies to include the status of selected state human services systems in
their quarterly reports. Specifically, in January 1999, OMB requested that
agencies describe actions to help ensure that federally supported, state-run
programs will be able to provide services and benefits. OMB further asked
that agencies report the date when each states systems will be Year
2000-compliant. Tables 1 and 2 summarize the information gathered by the
Departments of Agriculture and Health and Human Services (HHS),
respectively, on the compliance status of state-level organizations. The
information indicates that a number of states do not plan to complete their
Year 2000 efforts until the last quarter of 1999.
40 Year 2000 Computing Crisis: Readiness of State Automated Systems to Support Federal Welfare
Programs (GAO/AIMD-99-28, November 6, 1998).
41 Year 2000 Computing Crisis: Readiness of State Automated Systems That Support Federal Human
Services Programs (GAO/T-AIMD-99-91, February 24, 1999).
In addition, in June 1999, OMB reported that, as of March 31, 1999, 27
states unemployment insurance systems were compliant, 11 planned to be
completed between April and June 1999, 10 planned to be completed
between July and September, and 5 planned to be completed between
October and December.
Along with obtaining readiness information from the states, agencies have
initiated additional actions to help ensure the Year 2000 compliance of
state-administered programs. About a quarter of the federal governments
programs designated high-impact by OMB are state-administered, such as
Food Stamps and Temporary Assistance for Needy Families. In response to
OMBs March memorandum regarding the high-impact programs, the
departments of Agriculture, Health and Human Services, and Labor
reported on various actions that they are taking or plan to take to help
ensure the Year 2000 compliance of their state-administered programs. For
The Department of Agriculture reported in May that its Food and
Nutrition Service requested that states provide their contingency plans
and had contracted for technical support services to review these plans,
as needed, and to assist in its oversight of other state Year 2000
The Department of Health and Human Services reported that its
Administration for Children and Families and Health Care Financing
Administration had contracted for on-site assessments of state partners,
which will include reviews of business continuity and contingency
The Department of Labor reported that states are required to submit a
certification of Year 2000 compliance for their benefit and tax systems
along with an independent verification and validation report. In
addition, Labor required that state agencies prepare business continuity
and contingency plans, which will be reviewed by Labor officials.
Further, the department plans to design and develop a prototype
PC-based system to be used in the event that a states unemployment
insurance system is unusable due to a Year 2000-induced problem.
An example of the benefits that federal/state partnerships can provide is
illustrated by the Department of Labors unemployment services program.
In September 1998, we reported that many state employment security
agencies were at risk of failure as early as January 1999 and urged the
Department of Labor to initiate the development of realistic contingency
plans to ensure continuity of core business processes in the event of Year
2000-induced failures.42 Just last month, we testified that four state
agencies systems could have failed if systems in those states had not been
programmed with an emergency patch in December 1998. This patch was
developed by several of the state agencies and promoted to other state
agencies by the Department of Labor. 43
Year 2000 Readiness Information Available in Some Sectors, But
Key Information Still Missing or Incomplete
Beyond the risks faced by federal, state, and local governments, the year
2000 also poses a serious challenge to the public infrastructure, key
economic sectors, and to other countries. To address these concerns, in
April 1998 we recommended that the Council use a sector-based approach
and establish the effective public-private partnerships necessary to address
this issue.44 The Council subsequently established over 25 sector-based
working groups and has been initiating outreach activities since it became
operational last spring. In addition, the Chair of the Council has formed a
Senior Advisors Group composed of representatives from private-sector
firms across key economic sectors. Members of this group are expected to
offer perspectives on cross-cutting issues, information sharing, and
appropriate federal responses to potential Year 2000 failures.
42 Year 2000 Computing Crisis: Progress Made at Department of Labor, But Key Systems at Risk
(GAO/T-AIMD-98-303, September 17, 1998).
43 Year 2000 Computing Challenge: Labor Has Progressed But Selected Systems Remain at Risk
(GAO/T-AIMD-99-179, May 12, 1999).
44 GAO/AIMD-98-85, April 30, 1998.
Our April 1998 report also recommended that the President's Council
develop a comprehensive picture of the nations Year 2000 readiness, to
include identifying and assessing risks to the nation's key economic
sectors--including risks posed by international links. In October 1998 the
Chair directed the Council's sector working groups to begin assessing their
sectors. The Chair also provided a recommended guide of core questions
that the Council asked to be included in surveys by the associations
performing the assessments. These questions included the percentage of
work that has been completed in the assessment, renovation, validation,
and implementation phases. The Chair then planned to issue quarterly
public reports summarizing these assessments. The first such report was
issued on January 7, 1999.
The Councils second report was issued on April 21, 1999.45 The report
stated that substantial progress had been made in the prior 6 to 12 months,
but that there was still much work to be done. According to the Council,
most industries had projected completion target dates between June and
September and were in, or would soon be moving into, the critical testing
phase. Key points in the Councils April assessment included the following:
National Year 2000 failures in key U.S. infrastructures such as power,
banking, telecommunications, and transportation are unlikely.
Organizations that are not paying appropriate attention to the Year 2000
problem or that are adopting a wait and see strategyan attitude
prevalent among some small businesses and local governmentsare
putting themselves and those that depend upon them at great risk.
International Year 2000 activity, although increasing, is lagging and will
be the source of the greatest risk.
The Councils assessment reports have substantially increased the nations
understanding of the Year 2000 readiness of key industries. However, the
picture remained incomplete in certain key areas because the surveys
conducted did not have a high response rate, the assessment was general,
or the data were old. For example, according to the assessment report,
only 13 percent of the nations 9-1-1 centers had responded to a survey
being conducted by the Federal Emergency Management Agency in
conjunction with the National Emergency Number Association, calling into
question whether the results of the survey accurately portrayed the
readiness of the sector. In the case of drinking water, both the January and
April reports provided a general assessment but did not contain detailed
data as to the status of the sector (e.g., the average percentage of an
organizations systems that are Year 2000 compliant or the percentage of
organizations that are in the assessment, renovation, or validation phases).
Finally, in some cases, such as the transit industry, the sector surveys had
been conducted months earlier.
45 Both of the Councils reports are available on its web site, www.y2k.gov. In addition, the Council, in
conjunction with the Federal Trade Commission and the General Services Administration, has
established a toll-free Year 2000 information line, 1-888-USA-4Y2K. The Federal Trade Commission has
also included Year 2000 information of interest to consumers on its web site, www.consumer.gov.
-- Brian (email@example.com), July 30, 1999
They don't make it easy to read, do they, Brian? I cut to the chase.
Some good news--"National Year 2000 failures in key U.S. infrastructures such as power, banking, telecommunications, and transportation are unlikely."
Some bad news--"Organizations that are not paying appropriate attention to the Year 2000 problem or that are adopting a wait and see strategyan attitude prevalent among some small businesses and local governmentsare putting themselves and those that depend upon them at great risk."
And more bad news, but no surprise--"International Year 2000 activity, although increasing, is lagging and will be the source of the greatest risk." As for domestic readiness:
". . .the picture remained incomplete in certain key areas because the surveys conducted did not have a high response rate, the assessment was general, or the data were old. [E.g.], only 13 percent of the nations 9-1-1 centers had responded to a survey . . . calling into question whether the results of the survey accurately portrayed the readiness of the sector."
My cynical mind tells me people who aren't finished with their remediation or who aren't sure are much less likely to respond to a survey than those who have good news.
"In the case of drinking water, both the January and April reports provided a general assessment but did not contain detailed data as to the status of the sector (e.g., the average percentage of an organizations systems that are Year 2000 compliant or the percentage of organizations that are in the assessment, renovation, or validation phases)."
And we all know drinking water is of prime concern. "Finally, in some cases, such as the transit industry, the sector surveys had been conducted months earlier."
Basically, I guess the GAO is saying they don't really know.
-- Old Git (firstname.lastname@example.org), July 30, 1999.
Certianly in the case of water "no one knows". It is the one area that I think Canada and the States share. There is very little information on water and municipal governments up here.
This is one reason that the iron triangle is crap. No one needs phones and a bank to survive. But water???? The Iron Triangle will sink with out water.
Figure out where your water - waste water systems stand folks. Phone and bug them and don't take Bla Bla for an answer. I would walk in and expect a facility to sign a legal document stating unequivically their status. IT IS JUST TO DAMM IMPORTANT.
Fortunately where I live water is gravity fed from lakes. 100% compliant. Septic system 100% compliant.
-- Brian (email@example.com), July 30, 1999.