[Senate Hearing 106-219]
[From the U.S. Government Publishing Office]
S. Hrg. 106-219
JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING
=======================================================================
HEARING
before the
SUBCOMMITTEE OF THE
COMMITTEE ON APPROPRIATIONS
and
SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
__________
SPECIAL HEARING
__________
Printed for the use of the Committee on Appropriations and the Special
Committee on the Year 2000 Technology Problem
Available via the World Wide Web: http://www.access.gpo.gov/congress/senate
______
_______________________________________________________________________
For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC
20402
COMMITTEE ON APPROPRIATIONS
TED STEVENS, Alaska, Chairman
THAD COCHRAN, Mississippi ROBERT C. BYRD, West Virginia
ARLEN SPECTER, Pennsylvania DANIEL K. INOUYE, Hawaii
PETE V. DOMENICI, New Mexico ERNEST F. HOLLINGS, South Carolina
CHRISTOPHER S. BOND, Missouri PATRICK J. LEAHY, Vermont
SLADE GORTON, Washington FRANK R. LAUTENBERG, New Jersey
MITCH McCONNELL, Kentucky TOM HARKIN, Iowa
CONRAD BURNS, Montana BARBARA A. MIKULSKI, Maryland
RICHARD C. SHELBY, Alabama HARRY REID, Nevada
JUDD GREGG, New Hampshire HERB KOHL, Wisconsin
ROBERT F. BENNETT, Utah PATTY MURRAY, Washington
BEN NIGHTHORSE CAMPBELL, Colorado BYRON L. DORGAN, North Dakota
LARRY CRAIG, Idaho DIANNE FEINSTEIN, California
KAY BAILEY HUTCHISON, Texas RICHARD J. DURBIN, Illinois
JON KYL, Arizona
Steven J. Cortese, Staff Director
Lisa Sutherland, Deputy Staff Director
James H. English, Minority Staff Director
------
SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM
ROBERT F. BENNETT, Utah, Chairman
CHRISTOPHER J. DODD, Connecticut, Vice Chairman
JON KYL, Arizona DANIEL PATRICK MOYNIHAN, New York
GORDON SMITH, Oregon ROBERT C. BYRD, West Virginia (ex
SUSAN M. COLLINS, Maine officio)
TED STEVENS, Alaska (ex officio)
Robert Cresanti, Staff Director
Wilke Green, Minority Staff Director
C O N T E N T S
----------
Page
Statement of Hon. David M. Walker, Comptroller General, General
Accounting Office.............................................. 1
Statement of Jacob J. Lew, Director, Office of Management and
Budget......................................................... 1
Opening statement of Hon. Robert F. Bennett...................... 1
Prepared statement of Senator Robert F. Bennett.................. 3
Statement of Hon. Ted Stevens.................................... 3
Prepared statement of Senator Robert C. Byrd..................... 4
Statement of Hon. David M. Walker................................ 5
Prepared statement........................................... 8
Results in brief................................................. 8
Background....................................................... 9
Estimated year 2000 costs continue to escalate................... 11
Emergency funds to be used for a variety of purposes............. 13
Costs for fiscal year 2000 and beyond............................ 14
Program and information technology initiatives delayed by Y2K.... 15
Lessons learned from the Government's year 2000 efforts can be
applied to future information technology activities............ 16
Contact and acknowledgments...................................... 18
Statement of Jacob J. Lew........................................ 19
Prepared statement........................................... 22
Federal progress................................................. 23
Y2K costs and funding............................................ 23
Next steps....................................................... 26
Number of Federal mission-critical systems that are Y2K compliant 28
Has the Y2K problem undermined computer security?................ 30
Progress on nonmission-critical systems.......................... 33
Are additional Y2K supplemental funds required?.................. 35
What progress is being made in contingency planning?............. 36
What is the difference between mission-critical and nonmission-
critical?...................................................... 38
Who will agencies turn to if they have Y2K problems?............. 40
Is the Postal Service Y2K compliant?............................. 41
Need for progress for Federal systems that interact with State
and local systems.............................................. 41
Progress with our international partners......................... 42
Need for additional Y2K funding.................................. 43
Potential need for another flexible fund to respond to Y2K
problems....................................................... 45
(iii)
JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING
----------
TUESDAY, JUNE 22, 1999
U.S. Senate,
Committee on Appropriations,
Special Committee on the
Year 2000 Technology Problem,
Washington, DC.
The committees met at 9:35 a.m., in room SD-192, Dirksen
Senate Office Building, Hon. Robert F. Bennett (chairman of the
Special Committee on the Year 2000 Technology Problem)
presiding.
Present: Senators Bennett, Stevens, and Gorton.
GENERAL ACCOUNTING OFFICE
STATEMENT OF HON. DAVID M. WALKER, COMPTROLLER GENERAL
ACCOMPANIED BY JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES INFORMATION
SYSTEMS
OFFICE OF MANAGEMENT AND BUDGET
STATEMENT OF JACOB J. LEW, DIRECTOR
opening statement of hon. robert f. bennett
Chairman Bennett. We welcome you to this morning's hearing,
which is a joint hearing of the Senate Appropriations Committee
and the Senate Special Committee on the Year 2000 Technology
Problem. Senator Stevens has asked that I chair the committee,
and I am grateful to him for his courtesy.
We want to welcome our witnesses for coming today as well.
The topic for today's hearing is oversight of spending on the
year 2000 technology problem within the Federal Government. Let
me start out by noting that questioning Government spending on
Y2K has been likened in some circles to questioning a
firefighter on the use of water during a fight against a fire
in a burning building, and I agree with that to a certain
extent.
I think it would be a tragedy if we get to the year 2000
and have serious problems. To have them traced to a lack of
money and say, ``well, we knew what to do, we had the plans in
place to do them, but we just did not have the money.'' I
certainly do not want anyone to accuse the Congress of being
complicit in a situation like that. Ensuring the uninterrupted
flow of critical Federal services is too important.
Our purpose here today is not to assail the Federal
agencies or the administration for the amount or manner of Y2K
spending. We recognize that the biggest roadblock we face
toward getting this problem under control, the biggest scarcity
we have, is time, not money.
However, there is always the possibility within the Federal
Government that money that is appropriated for good and proper
purposes ends up being diverted some place else. We have a
responsibility to ensure that the taxpayer dollars have been
spent for the purpose for which they were appropriated, and at
the same time that there will be sufficient funds left for
unexpected Y2K costs that will shortly crop up this year and
next.
The appropriations that were made, were made with the
assumption that there would be some left over after we get to
January 2000 to take care of problems. We simply do not know
how much needs to be left over, but it would be irresponsible
to say, well, this money is available, let's just go ahead and
spend it.
Now, here is what we do know. According to the General
Accounting Office (GAO), Federal spending on Y2K readiness is
currently estimated to be $8.7 billion, and that is up from
$2.3 billion that was estimated in February of 1997. I remember
when that estimate was made, members of our committee were
highly skeptical that it could be achieved for that, so we are
now more than three times that original estimate. We may see an
escalation in the $8.7 billion. It may continue up after
January 1, 2000.
Now, we have also learned that many Government agencies are
not tracking their Y2K costs, and this includes costs funded
from the $3.35 billion emergency supplemental appropriation.
That breaks down to $1.1 billion for defense, and $2.25 billion
for nondefense. We need to determine if these funds are being
used appropriately and, if not, we should determine where
additional oversight is necessary.
The charts displayed here show the growth in Federal
agencies' Y2K cost estimates and the status of emergency
supplemental funding for nondefense agencies. That second chart
is a little hard--not a little hard, it is impossible to read,
except when you have a hard copy of it in front of you. We
tried to simplify it but we were unable to because the
information on it is vital.
The charts indicate that we have only $450 million left
through September 30, 2001, the life of the fund. That is one
of the reasons for this hearing. We are concerned about whether
there will be money left to clean up problems that come after
the year 2000 turns, so we must determine if there are adequate
resources available to meet the future Y2K demands, and we
suspect that more and more will be spent for Federal agencies'
contingency plans.
Now, unfortunately the current pace of contingency planning
presents us with one of our blind spots as far as congressional
oversight is concerned, because many Government agencies missed
the June 15 deadline for submitting contingency plans. This
failure not only deprives us of any confidence we might have in
their ability to handle the emergencies, but it also prevents
the Office of Management and Budget (OMB), GAO, and the
Congress from estimating how much these contingency plans may
cost if they are required.
So with time running out, contingency planning for Y2K
becomes very important. As we explore the flow of funding to
the Federal agencies, a lack of contingency planning is not a
blind spot we can afford to have.
So with that, Senator Stevens, if you have an opening
comment we will call upon you now.
[The statement follows:]
Prepared Statement of Senator Robert F. Bennett
Good morning. I would like to thank Chairman Stevens for
presiding over this joint hearing of the Senate Appropriations
and Y2K committees. I would also like to thank our witnesses
for coming today.
The topic of today's hearing is federal Y2K spending.
Before proceeding, I think it is important to note that, in
some circles, questioning government spending on Y2K is likened
to questioning a firefighter on his use of water on a burning
building. I agree with that statement to an extent. In fact, I
believe we should continue to make available the necessary
resources to ensure that government continues to function on
January 1, 2000 and beyond. We don't want the lack of money to
be a reason why the federal government is not prepared for
Y2K--ensuring the uninterrupted flow of critical federal
services is simply too important.
Therefore, my purpose here today is not to assail the
federal agencies or the administration for the amount or manner
of Y2K spending. The biggest roadblock to Y2K readiness at this
point--with only 192 days left--is the scarcity of time, not
money.
Having said that, we have a responsibility to ensure that
taxpayer dollars are not being spent frivolously, and that
there will be sufficient funds left for the continued
unexpected Y2K costs that will surely crop up later this year,
and next. But the truth is, we simply don't know enough to say
exactly how much will be needed for the remainder of this year
and future years.
Here is what we do know: According to GAO, federal spending
on Y2K readiness is currently estimated to be $8.7 billion--up
from $2.3 billion in February 1997--and may continue upward
after January 1, 2000. We have also learned that many
government agencies are not tracking Y2K costs--this includes
costs funded from the $3.35 billion emergency supplemental
appropriation. We need to determine if these funds are being
used appropriately. If not, we should determine whether
additional oversight is necessary.
We must determine if there are adequate resources available
to meet future Y2K funding demands. In particular, we suspect
that more and more will be spent for federal agencies'
contingency plans. Unfortunately, the current pace of
contingency planning presents us with another blind spot, as
far as congressional oversight is concerned. Many government
agencies missed the June 15 deadline for submitting contingency
plans. This failure not only deprives us of any confidence we
might have in their ability to handle Y2K-induced emergencies,
but also prevents OMB, GAO and the Congress from estimating how
much contingency plans may cost.
With time running short, contingency planning for Y2K
becomes very important. As we explore the flow of funding to
the federal agencies, a lack of contingency planning is not a
blind spot we can afford to have. Thank you very much.
statement of hon. ted stevens
Chairman Stevens. Well, thank you very much, Senator
Bennett. I welcome the chance to jointly review this problem
with you. The emergency supplemental funding is what worries
me, and I hope that we are keeping track of not only what has
been spent, but what the demand will be between now and the
turn of the century. It does appear to me that we have a little
glitch in terms of contingency planning. I do want to go into
that with our witnesses this morning. I do not have an opening
statement.
I appreciate these charts. They are a little busy, but they
contain a great deal of information. I do not know if we have
copies we could provide to the press out there so they can
understand what we are talking about.
Chairman Bennett. Yes, indeed.
Chairman Stevens. Thank you very much.
Chairman Bennett. Thank you, and everyone should recognize
that we would not be in the good position we are with respect
to funds for the year 2000 if it were not for Senator Stevens
and his very early recognition of this problem and his
willingness to carve out of the appropriations bill these
funds. Any other appropriations chairman might have taken the
position of, ``well, let's wait and see.'' Senator Stevens
recognized early on that there is no time to wait and see, and
we are in the good position we are because of Senator Stevens.
prepared statement of senator byrd
Chairman Stevens. Mr. Chairman, Senator Byrd is detained,
and I would like to have his statement placed in the record,
and he does have some questions he would like to submit for the
record.
Chairman Bennett. That will be placed in the record, and we
will be happy to forward his questions and receive them at such
time as he might be available.
[The statement follows:]
Prepared Statement of Senator Robert C. Byrd
Thank you, Mr. Chairman, for calling this joint hearing of
the Appropriations Committee and the Special Committee on the
Year 2000 (Y2K) Technology Problem to examine budgeting efforts
to ensure the Y2K readiness of the executive branch. You have
provided important leadership on this issue. As an Ex-Officio
Member of the Special Committee on the Year 2000 Technology
Problem, I also thank Chairman Bennett and Senator Dodd for
their good work on this vexing problem. You have both worked
diligently to raise awareness about this issue and to monitor
the progress our nation is making toward meeting the immovable
deadline of midnight, December 31.
Our nation, indeed, the entire world, is increasingly
reliant on technology. In the case of the federal government
and its responsibilities in areas such as defense, emergency
management services, telecommunications, and benefit programs,
Y2K readiness is critical. Congress has recognized and
responded to the importance of this issue by providing
considerable funds to bring federal systems into compliance.
The costs are substantial. GAO estimates that federal Y2K
costs as of May 1999 total $8.7 billion, a dramatic increase
from the $2.3 billion cost estimated in early 1997. In response
to emergency needs cited by federal agencies, last year
Congress provided $3.35 billion in emergency funding through
the Omnibus Consolidated and Emergency Supplemental
Appropriations Act. Of the $3.35 billion, $2.25 billion was
provided for non-defense agencies and $1.1 billion for
Department of Defense (DOD). Thus far, a substantial portion of
these emergency funds have been allocated to federal agencies
by the Office of Management and Budget (OMB). It is important
that these Committees provide oversight of this spending.
As December 31, 1999, draws near, we must make every effort
to ensure that the federal government is Y2K ready. As
appropriators, we have a responsibility to ensure that the
funds provided for Y2K conversion are in fact achieving federal
Y2K readiness and that these funds are accounted for carefully.
We must also explore whether additional resources will be
necessary to finish the job, to implement contingency plans,
and to meet any outstanding needs. I look forward to receiving
the testimony of our witnesses this morning as we delve into
these important issues.
Chairman Bennett. Our witnesses this morning are Hon. David
Walker, who is the Comptroller General of the U.S. General
Accounting Office, and Hon. Jacob Lew, who is the Director of
the Office of Management and Budget. Between the two of you,
you probably represent more expertise on the budget and the
cash flow of the Federal Government than any other two
individuals available, and we are grateful to you for your
willingness to appear here and look forward to hearing from you
both.
We will start, Mr. Walker, with you.
statement of hon. david m. walker
Mr. Walker. Thank you, Mr. Chairman. Good morning, Chairman
Bennett, Chairman Stevens. Thank you for inviting me to testify
today on Y2K costs and to discuss more broadly the implications
of Y2K on future information technology activities.
Since our February 1997 designation of the year 2000
problem as a high risk area for the Federal Government, action
to address the Y2K threat has intensified. In response to a
growing recognition of the challenge, as well as urging from
congressional leaders, the administration has strengthened the
Government's Y2K preparations.
For example, OMB has now established 43 high impact program
areas as Government priorities. This list includes such
programs as Social Security, food stamps, and Medicare. It does
not, however, include direct national security and revenue
collection activities. Many congressional committees have been
extremely diligent in addressing the year 2000 challenge by
holding agencies accountable for demonstrating progress, and by
heightening public appreciation of the problem.
In particular, work done by the Senate Special Committee on
the Year 2000 Technology Problem has fostered a greater
understanding of this issue and focused attention on much-
needed actions. Despite the improvements in the Government's
Y2K approach, significant challenges remain. In particular,
through year 2000 testing is essential. Further, adequate
business continuity and contingency plans must be successfully
completed and tested.
As shown by this chart, Mr. Chairman, the total estimated
Y2K costs for the 24 major Federal agencies have more than
tripled during the last 2 years. A total of about $8.7 billion
as of the end of last month. Within this $8.7 billion, Federal
agencies have reported that their year 2000 costs for fiscal
years 1996 to 1998 were over $3 billion. Some agencies told us
that they reported these based on actual costs, while others
reported some costs as actuals, and others as estimates. Still
others included total estimates, and did not maintain actual
costs for Y2K, other than for the emergency supplemental.
With agencies' estimates of Y2K costs increasing
dramatically, and with limited time remaining to complete
needed actions, many agencies have requested emergency funds in
fiscal year 1999. According to their justification submissions
to the Congress and OMB, three categories of reasons emerge to
explain organizations' requests for emergency funds: First, new
requirements that had not been planned for fiscal 1999; second,
cost increases to complete ongoing Y2K activities; and, third,
the unavailability of regular appropriations for planned Y2K
work.
New requirements included outreach, independent
verification validation, as well as decisions to replace
personal computers and network hardware and software for a
variety of reasons, including to assure Y2K compliance.
In May 1999, the 24 major departments and agencies
estimated their fiscal year 2000 costs for Y2K activities at
about $981 million, almost a ninefold increase from the
original year 2000 estimate of about $111 million provided in
February 1997.
Determining the extent of continued Y2K cost estimation is
difficult because of many uncertainties. For example, 10
agencies reported that they have not completed work on their
mission-critical systems as of mid-May 1999. Key factors that
could fuel additional cost increases include agencies
determining that they must implement business continuity and
contingency plans, or if there are any other anticipated events
that occur due to the Y2K problem that must be addressed.
For example, in August of 1998, the Health Care Financing
Administration (HCFA) estimated that it would need between $300
million and $500 million to handle emergency contingency
situations that could result from the Y2K problem. HCFA
reported that the types of activities that these funds would be
needed for included unforeseen software, hardware, and
telecommunications failures, increased paper claims due to
provider or billing companies' inability to transmit
electronically, and claims reprocessing to correct erroneous
repayments.
The Health and Human Services (HHS) reported to us that it
requested about $165 million for Y2K activities in its fiscal
year 2000 budget request. This amount, however, excluded any
amounts for the implementation of HCFA contingency plans should
those plans prove to be necessary.
Other agencies could also have higher costs if business
contingency and continuity plans need to be implemented. OMB's
review of agency contingency plans should therefore consider
whether agencies have provided information on the cost of
implementing contingency plans if that should be required. If
not, OMB needs to gather this information quickly so that it
can share with the Congress what impact this would have on
potential future funding needs.
Additional costs could also be incurred if some States do
not complete their year 2000 work on systems that support
critical Federal programs such as food stamps and Medicaid.
Importantly, 10 of OMB's designated high impact programs rely
on State-level implementation. Information indicates that some
State systems are not scheduled to be compliant until the last
quarter of 1999.
If States do not complete their year 2000 remediation in
time, or if those remediation efforts fail, the States would
have to implement their business continuity and contingency
plans, which could encompass Federal Government assistance
because of the cost reimbursement mechanisms under those
programs.
While making systems ready for year 2000 has been an
enormous job, other program and information technology needs
have not disappeared. In fact, they have grown, and continue to
grow. In particular, because of the year 2000 problem, agencies
have delayed implementation of regulatory requirements and
planned information technology enhancements. There is a pent-up
demand and growing backlog of such initiatives which may have
significant implications for future funding level requests.
The total Government-wide volume of program and information
technology activities delayed by Y2K is not known. Therefore,
the potential demand for additional information technology
resources in the future is difficult to predict. However, the
cost of these delayed activities could be significant.
Accordingly, OMB will need to work with the agencies to
determine the magnitude of these pent-up demands in order to
make informed management and funding decisions in the future.
In addition to these demands, increased resources will
likely be needed for another key issue that has garnered
increased attention, namely information security. As we
reported in September 1998, the expanded amount of audit
evidence that has become available since mid-1996 describes
widespread and serious weaknesses to adequately protect Federal
assets, sensitive information, and critical operations.
The computer security issue, which is already on our high
risk list, will follow on the heels of the Y2K challenge.
Computer security issues have a range of potential national
security, economic security, and personal privacy implications.
There has importantly been a silver lining to the Y2K
challenge. The Government organizations' experiences in
becoming prepared for the year 2000 hold valuable lessons about
how information technology can best be managed. For many
agencies, the threat posed by the year 2000 problem was a much-
needed wake-up call. Because of the urgency of the issues,
agencies could not afford to carry on in the same manner that
resulted in a decade of poor information technology planning
and program management.
Earlier this year, we reported that the year 2000 provided
the opportunity to institutionalize valuable lessons, such as
the importance of consistent and persistent top management
attention to be accompanied by reliable processes and
reasonable controls.
Another benefit of the year 2000 effort was the
establishment of much-needed information technology policies in
such areas as configuration management, quality assurance, risk
management, project scheduling and tracking, and metrics.
Beyond individual agencies, the year 2000 problem holds lessons
in overseeing and managing information technology on a
Government-wide basis. In particular, actions taken by the
Congress and the executive branch have demonstrated that
effective oversight and guidance can have a positive influence
on major information technology efforts.
In conclusion, Mr. Chairman, it is clear that Y2K
expenditures have been significant, sometimes unpredictable,
and constantly growing. Further, Y2K cost growth may continue,
especially if business and continuity contingency plans must be
put into operation, or if State-administered Federal program
system efforts are not completed.
In addition, pent-up demand exists for information
technology enhancements and security activities. OMB needs to
take steps to estimate the nature and extent of these pent-up
demands, as well as the contingency expenditures that could be
incurred related to Y2K.
On the positive side, while correcting the Y2K problem has
been and continues to be costly, the experiences of individual
agencies and the Government as a whole in meeting this
challenge have provided renewed and needed focus on information
systems. As we attempt to meet future information technology
and security challenges, these lessons must not be lost.
prepared statement
This completes my summary statement, Mr. Chairman. I would
be happy to answer any questions at the appropriate time. Thank
you.
Chairman Bennett. Thank you very much. We appreciate your
statement. Your full statement will be made a part of the
record.
[The statement follows:]
Prepared Statement of David M. Walker
Messrs. Chairmen and Members of the Committees: We are pleased to
be here today to present information on Year 2000 (Y2K) \1\ costs and
funding and to discuss more broadly what implications the government's
necessary short-term focus on preparing for the year 2000 will have on
future information technology activities. In 1997, we designated the
Year 2000 computing problem as a high-risk area because computer
failures could disrupt functions and services that are critical to our
nation. \2\ After providing a brief summary of the issues and
background information, my testimony today will highlight (1) estimated
Y2K costs and agency processes to track costs to date, (2) planned uses
of emergency funding, (3) Y2K costs for fiscal year 2000 and beyond,
(4) agency program and information technology initiatives delayed by
Y2K activities, and (5) lessons learned from Y2K efforts that can be
applied to other information technology activities.
---------------------------------------------------------------------------
\1\ The Y2K problem is rooted in how dates are recorded and
computed. For the past several decades, computer systems typically used
two digits to represent the year, such as ``99'' for 1999, in order to
conserve electronic data storage and reduce operating costs. In this
format, however, 2000 is indistinguishable from 1900 because both are
represented as ``00''. As a result, if not modified, systems or
applications that use dates or perform date- or time-sensitive
calculations may generate incorrect results beyond 1999.
\2\ High-Risk Series: Information Management and Technology (GAO/
HR-97-9, February 1997).
---------------------------------------------------------------------------
results in brief
Meeting the Year 2000 challenge has been necessary but expensive,
with estimated federal costs rising from $2.3 billion in February 1997
to $8.7 billion as of last month. From February through May 1999, the
estimated cost rose $1.2 billion. With respect to Y2K costs incurred
through fiscal year 1998, the 24 major federal departments and agencies
reported costs exceeding $3 billion. While some agencies reported
actual costs incurred through 1998, others reported estimates. In
fiscal year 1999, agencies have requested emergency funds and plan to
spend much of these funds on renovation, validation, and implementation
activities, along with replacing personal computers and network
hardware and software. Beyond fiscal year 1999, estimated Y2K costs
have continued to climb, now reaching over $1 billion. Determining the
extent of continued Y2K cost escalation is difficult because of many
uncertainties. One major unknown is whether agencies will have to
implement their business continuity and contingency plans. Such plans,
if triggered, could entail substantial costs. Agencies' high-level
business continuity and contingency plans were due to the Office of
Management and Budget (OMB) by June 15. OMB's review of these plans
should consider whether agencies provided estimated business continuity
and contingency plan costs. If not, OMB needs to require that this
information be provided expeditiously so that it can provide the
Congress with information on potential future funding needs. We intend
to review the plans submitted to OMB and advise the Congress of
potential funding ramifications.
Another less direct but undeniable issue associated with the Year
2000 challenge has been the postponement of many program and
information technology initiatives so that resources could be dedicated
to Y2K. Such demands--including system enhancements and computer
security--have not vanished; in fact, they have grown. On the positive
side, however, the government will likely approach these future
information technology challenges better prepared, having gained much
valuable information from experiences in meeting the Y2K challenge. For
example, this was the motivator that resulted in many agencies' taking
charge of their information technology resources in much more active
ways, from inventorying and prioritizing systems to implementing
reliable processes and better controls. Such lessons should not be lost
on future information technology projects.
background
With close to half of all computer capacity and 60 percent of
Internet assets, the United States is the world's most advanced and
most dependent user of information technology.\3\ Such systems perform
functions and services critical to our nation; disruption could create
widespread hardship, including problems in key federal operations
ranging from national defense to benefits payments to air traffic
management. Accordingly, the upcoming change of century is a sweeping
and urgent challenge for public- and private-sector organizations
alike, in this country and around the world.
---------------------------------------------------------------------------
\3\ Critical Foundations: Protecting America's Infrastructures
(President's Commission on Critical Infrastructure Protection, October
1997).
---------------------------------------------------------------------------
Since our February 1997 designation of the Year 2000 problem as a
high-risk area for the federal government, action to address the Y2K
threat has intensified. In response to a growing recognition of the
challenge and urging from congressional leaders and others, the
administration strengthened the government's Year 2000 preparation. In
February 1998, the President took a major step in establishing the
President's Council on Year 2000 Conversion. The President also (1)
established the goal that no system critical to the federal
government's mission experience disruption because of the Year 2000
problem and (2) charged agency heads with ensuring that this issue
receive the highest priority attention. Further, the Chair of the
Council was tasked with the following Year 2000 roles: (1) overseeing
the activities of agencies, (2) acting as chief spokesperson in
national and international forums, (3) providing policy coordination of
executive branch activities with state, local, and tribal governments,
and (4) promoting appropriate federal roles with respect to private-
sector activities.
Among the initiatives the Chair of the Council has implemented in
carrying out these responsibilities are attending monthly meetings with
senior managers of agencies that are not making sufficient progress,
establishing numerous working groups to increase awareness of and gain
cooperation in addressing the Y2K problem in various economic sectors,
and emphasizing the importance of federal/state data exchanges. In
addition, on June 14, 1999, the President ordered the creation of an
Information Coordination Center--consisting of officials from executive
agencies--to assist the Chair of the Council in addressing Year 2000
conversion problems both domestically and internationally. Among its
duties, the Information Coordination Center is to assist in making
preparations for information sharing and coordination within the
federal government and key components of the public and private
sectors.
Many congressional committees have been extremely diligent in
addressing the Year 2000 challenge by holding agencies accountable for
demonstrating progress and by heightening public appreciation of the
problem. By holding numerous hearings on important topics such as
health care, the food sector, electric power, and financial services
and in issuing a major report \4\ on the impact of the Year 2000
problem, the Senate Special Committee on the Year 2000 Technology
Problem has fostered a greater understanding of the problem and focused
attention on actions needed.
---------------------------------------------------------------------------
\4\ Investigating the Impact of the Year 2000 Problem (United
States Senate, Special Committee on the Year 2000 Technology Problem,
February 24, 1999).
---------------------------------------------------------------------------
OMB, for its part, has taken more aggressive action on Year 2000
matters over the past year and a half and has been responsive to our
recommendations. For example, in its quarterly report issued in
December 1997, OMB accelerated its milestone for agencies to complete
the implementation phase of Y2K conversion by 8 months, from November
to March 1999. OMB has also tightened requirements on agency reporting
of Year 2000 progress. It now requires that beyond the original 24
major departments and agencies that have been reporting, 9 additional
agencies (such as the Tennessee Valley Authority and the Postal
Service) report quarterly on their Year 2000 progress, and that
additional information be reported from all agencies. Additionally, in
response to our April 1998 recommendation,\5\ on March 26, 1999, OMB
issued a memorandum to federal agencies designating lead agencies for
the government's 42 high-impact programs, including those delivering
critical benefits such as social security, food stamps, and Medicare;
ensuring adequate weather forecasting capabilities; and providing
federal electric power generation and delivery. (OMB later added a 43rd
high-impact program--the National Crime Information Center.) Further,
OMB has clarified instructions for agencies relative to preparing
business continuity and contingency plans, and required agencies to
submit high-level versions of these plans just last week, on June 15.
We intend to review the plans submitted to OMB and advise the Congress
of our results.
---------------------------------------------------------------------------
\5\ Year 2000 Computing Crisis: Potential for Widespread Disruption
Calls for Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30,
1998).
---------------------------------------------------------------------------
As you know, we have been very active in working with the Congress
as well as federal agencies to both strengthen agency processes and to
evaluate their progress in addressing these challenges. To help
agencies mitigate their Year 2000 risks, we produced a series of Year
2000 guides on enterprise readiness, business continuity and
contingency planning, and testing.\6\ In addition, we have issued over
100 reports and testimony statements detailing specific findings and
have made dozens of recommendations related to the Year 2000 readiness
of the government as a whole and of a wide range of individual
agencies.
---------------------------------------------------------------------------
\6\ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-
10.1.14, issued as an exposure draft in February 1997 and in final form
in September 1997), Year 2000 Computing Crisis: Business Continuity and
Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in
March 1998 and in final form in August 1998), and Year 2000 Computing
Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft
in June 1998 and in final form in November 1998).
---------------------------------------------------------------------------
Fortunately, the past 2 years have witnessed marked improvement in
preparedness as the government has revised and intensified its approach
to this problem. Nevertheless, significant challenges remain. In
particular, complete and thorough Year 2000 testing is essential to
providing reasonable assurance that new or modified systems will be
able to process dates correctly and not jeopardize agencies' abilities
to perform core business operations. Moreover, adequate business
continuity and contingency plans must be successfully completed and
tested throughout government.
The Congress Appropriated Emergency Year 2000 Funding
To address Y2K resource needs, last year the Congress appropriated
$2.25 billion for civilian agencies \7\ and $1.1 billion for the
Department of Defense for emergency expenses related to Year 2000
conversion of federal information technology systems. Through May 1999,
OMB made six separate allocations totaling about $1.724 billion \8\ to
civil agencies (77 percent of the $2.25 billion in civilian emergency
funds) and one allocation of $935 million to the Department of Defense
(85 percent of its emergency funds). Figure 1 illustrates the
cumulative amount of emergency funds allocated to nondefense
organizations and the Department of Defense, and that about $661
million remains.
---------------------------------------------------------------------------
\7\ As part of the $2.25 billion for civilian departments and
agencies, $16.873 million and $13.044 million were designated for the
legislative and judicial branches, respectively.
\8\ This amount does not include $13.65 million that OMB allocated
to the Department of Energy but did not transfer to the department
because, according to OMB, the House Appropriations Committee did not
consider the planned use of these monies an appropriate use of
emergency funding.
[GRAPHIC] [TIFF OMITTED] T14JU22S.000
Note: This chart does not include the amount set aside for the
---------------------------------------------------------------------------
legislative and judicial branches ($29.9 million).
Source: OMB.
Figure 2 illustrates the entities that received the largest
allocations.
[GRAPHIC] [TIFF OMITTED] T14JU22S.001
Note: Appendix I lists all of the entities that received emergency
funding allocations.
Source: OMB.
Regarding Y2K costs and funding, the House Majority Leader asked us
to (1) identify agency-reported Year 2000 costs through fiscal year
1998 and the agencies' processes used to track these costs, (2)
determine the reported status of fiscal year 1999 obligations for Year
2000 activities, (3) identify estimated Year 2000 costs for fiscal year
1999 and the planned uses of the emergency allocations, and (4)
identify the Year 2000 costs for fiscal year 2000. In addressing these
questions, we requested documentation of actual and planned costs from
29 federal agencies that provide quarterly Y2K compliance information
to OMB, plus an additional 12 organizations that had received emergency
funding. We provided a report to the House Majority Leader on this
information in April 1999.\9\
---------------------------------------------------------------------------
\9\ Year 2000 Computing Crisis: Costs and Planned Use of Emergency
Funds (GAO/AIMD-99-154, April 28, 1999).
---------------------------------------------------------------------------
In my testimony before the Senate Committee on Appropriations in
January,\10\ Chairman Stevens, you asked me to return and discuss these
costs issues further. Accordingly, to prepare for this testimony, we
updated the information in our April report to include (1) the latest
cost estimates from the 24 major departments and agencies and (2)
information on releases from the emergency fund subsequent to our prior
work.\11\
---------------------------------------------------------------------------
\10\ Year 2000 Computing Challenge: Readiness Improving, But
Critical Risks Remain (GAO/T-AIMD-99-49, January 20, 1999).
\11\ Seven additional agencies received emergency allocations
subsequent to our prior work and, therefore, were not included in our
April 1999 report.
---------------------------------------------------------------------------
estimated year 2000 costs continue to escalate
As figure 3 indicates, the total estimated costs of ensuring that
the computer systems of the 24 major federal agencies perform as
expected beyond 1999 more than tripled during the last 2 years--to a
total of about $8.7 billion as of last month--up $1.2 billion in the
past 3 months alone.
[GRAPHIC] [TIFF OMITTED] T14JU22S.002
Note: The August 1998 through May 1999 figures are totals of all
individual submissions from the 24 major departments and agencies. In
its summary of agency reports, OMB decreased total estimated Year 2000
costs for the 24 major agencies by about $900 million in August 1998,
$800 million in November 1998, $779 million in February 1999, and $688
million in May 1999. For the August 1998 costs, OMB did not include all
costs in its estimate because, for example, it was still reviewing some
of the estimates provided by the agencies. For the November 1998 and
February 1999 costs, OMB did not provide explanations in its report for
all of the discrepancies between the agency reports and their total
estimated Y2K cost figure. However, the OMB reports covering the
November 1998 and February 1999 periods did not include $81.3 million
and $91.7 million in Transportation and Treasury costs, respectively,
that they stated were non-Y2K costs funded from emergency supplemental
funds. In OMB's report covering the May 1999 period, it revised the
amount of Transportation's non-Y2K costs funded from emergency
supplemental funds to $52 million, but Treasury's amount remained the
same.
Source: February 1997 data are from OMB's report Getting Federal
Computers Ready for 2000, February 6, 1997. May 1997 through May 1998
data are from OMB's quarterly reports. The August 1998 through May 1999
data are from the quarterly reports of the 24 major departments and
agencies.
Among the agencies that had substantial increases from February
1997 through May 1999 were the Department of Defense--$969.6 million to
$3.66 billion (277 percent increase), the Department of the Treasury--
$318.5 million to $1.9 billion (497 percent increase), and the
Department of Health and Human Services (HHS)--$90.7 million to $1.111
billion (1,125 percent increase).
Several Agencies Did Not Separately Track Actual Year 2000 Costs for
Fiscal Years 1996 Through 1998
Reported Year 2000 costs incurred each year from 1996 through 1998
for the 24 major departments and agencies have also grown dramatically.
Reported fiscal year 1996 costs were about $72 million,\12\ fiscal year
1997 costs were about $830 million, and fiscal year 1998 costs were
over $2.7 billion. These reported costs, however, still represent less
than half of the total Year 2000 costs of $8.7 billion estimated last
month by the 24 major departments and agencies.
---------------------------------------------------------------------------
\12\ One agency also reported Year 2000 costs that were prior to
fiscal year 1996.
---------------------------------------------------------------------------
While federal agencies reported that their Year 2000 costs from
fiscal years 1996 through 1998 were over $3 billion, some agencies
reported actual costs while others reported some costs as actual and
others as estimates; still others reported just estimates. In
particular, at the time of our report,\13\ of the 24 major departments
and agencies, 7 reported that their fiscal years 1996 through 1998
costs were actual (3 used financial management systems while 4 used
reports from component entities to track costs), 5 reported that some
costs were actual while others were estimates (e.g., contract costs
were actual while labor costs were estimates), 9 reported that they did
not separately track actual costs for fiscal years 1996 through 1998,
and 3 did not provide information on cost tracking.
---------------------------------------------------------------------------
\13\ GAO/AIMD-99-154, April 28, 1999.
---------------------------------------------------------------------------
With respect to the nine major agencies that reported not
separately tracking actual costs for fiscal years 1996 through 1998, at
least three cited as a reason that they were not required to do so. For
example, the Department of the Interior reported that aside from the
1999 Y2K Supplemental Funding, the Department has never tracked Y2K
funding separately from other appropriated funds, as there has never
been any requirement to do so. With respect to tracking of actual costs
associated with the emergency funding, five of the nine agencies that
reported estimated costs for fiscal years 1996 through 1998 reported
that they were tracking, or planned to track, actual costs associated
with the emergency funding allocation (the other four agencies did not
address whether they were tracking these funds or had not received
emergency allocations).
While agencies may not be required to track actual costs of Y2K
activities, we believe that the criticality of Year 2000 activities and
the significance of the costs--hundreds of million of dollars in some
cases--indicate that prudent management practices warrant cost
tracking. Specifically, our enterprise readiness guide \14\ states that
agencies' Year 2000 program management staff should be able to track
the cost and schedule of individual Year 2000 projects.
---------------------------------------------------------------------------
\14\ GAO/AIMD-10.1.14, September 1997.
---------------------------------------------------------------------------
emergency funds to be used for a variety of purposes
With agencies' estimates of Y2K costs increasing dramatically and
with limited time remaining to complete needed actions, many agencies
requested emergency funds in fiscal year 1999. Thirty-nine civilian
agencies and the District of Columbia have requested--and received--
emergency funding for a variety of uses, as shown in figure 4.
[GRAPHIC] [TIFF OMITTED] T14JU22S.003
Note: The other category primarily includes funds for replacement
of personal computers and network hardware and software. In their
justifications, some organizations said the personal computers and
network hardware and software could not be upgraded to be Y2K
compliant, and in other cases they determined that it would not be
economical to upgrade obsolete equipment. In addition, the total amount
in this chart does not equal the total amount allocated because the
justification data from two organizations did not equal the total
allocations reported by OMB.
Source: GAO analysis based on agency justifications.
In its response to our request, the Department of Defense reported
that it is targeting almost $525 million for testing, about $262
million for contingency planning, and $148 million for operational
evaluations.
According to their justification submissions to the Congress and
OMB, three categories of reasons emerged to explain organizations'
requests for emergency funds: (1) new requirements that had not been
planned for fiscal year 1999, (2) cost increases to complete ongoing
Y2K activities, and (3) the unavailability of regular appropriations
for planned Y2K work.
New requirements included outreach and independent verification and
validation (IV&V) (cited by 24 organizations), and decisions to replace
personal computers and network hardware and software (cited by 23
organizations)--activities not initially in agencies' fiscal year 1999
plans. For example, the Department of Commerce requested about $32
million for IV&V and $25 million for outreach activities not previously
anticipated.
Costs for ongoing Y2K activities also increased for 25
organizations, beyond the fiscal year 1999 projections on which budget
requests were based. For instance, HHS' Health Care Financing
Administration (HCFA) requested over $28 million for IV&V activities
because such work had increased beyond the level planned for fiscal
year 1999. The Department of Energy requested just under $14 million to
accelerate renovation, validation, and implementation.
Finally, in several cases, agencies reported that their budget
requests were reduced and Year 2000 emergency funding was utilized to
help make up the difference, even though not all of the activities in
the original budget request were Y2K-related. While no legislative or
statutory requirements explicitly provide for the use of emergency
funds as an alternative to general appropriations, the House-Senate
conference report on Treasury and Department of State appropriations
for fiscal year 1999 acknowledges the need for additional monies to
achieve Y2K compliance, and part of the Treasury and General Government
Appropriations Act permits use of Treasury funds to achieve Y2K
compliance until * * * supplemental appropriations are made available *
* *.
costs for fiscal year 2000 and beyond
In May 1999, the 24 major departments and agencies estimated their
fiscal year 2000 costs for Y2K activities at about $981 million--almost
a nine-fold increase from the original fiscal year 2000 estimate of
about $111 million provided in February 1997. In addition, in their May
1999 quarterly reports to OMB, three agencies estimated that they would
incur about $127.4 million in Year 2000 costs beyond fiscal year
2000.\15\ During our work for the House Majority Leader, we asked
agencies whether they expected to have Year 2000 costs beyond those
projected in their budgets. HHS was the only agency that identified a
specific need: it reported that it had begun to identify possible Y2K
needs of grantees.
---------------------------------------------------------------------------
\15\ The vast majority of these costs were reported by the
Department of the Treasury, which reported that the Internal Revenue
Service's Y2K costs after fiscal year 2000 would be about $125 million.
---------------------------------------------------------------------------
Determining the extent of continued Y2K cost escalation is
difficult because of many uncertainties; 10 agencies reported that they
had not completed work on their mission-critical systems as of mid-May
1999, many agencies are still planning or undergoing end-to-end testing
to ensure that data can be properly transferred and processed among
systems, and much work with states and other partners remains. Key
factors that could fuel additional cost increases include agencies'
determining that they must implement business continuity and
contingency plans, or the occurrence of other, unanticipated events due
to the Y2K problem that must be addressed. In August 1998, HCFA
estimated, for example, that it would need between $311.2 million (most
likely scenario) and $536.7 million (pessimistic scenario) to handle
emergency situations that could result from the Y2K problem. HCFA
reported that the types of activities that these funds would be needed
for included (1) unforeseen software, hardware, and telecommunications
failures, (2) increased paper claims due to provider or billing
companies' inability to transmit electronically, and (3) claims
reprocessing to correct erroneous payments. HHS' August 1998, November
1998, February 1999, and May 1999 quarterly reports to OMB included the
$311.2 million in contingent HCFA costs in its Year 2000 cost estimate.
HHS reported to us that it had requested about $165 million for Y2K
activities in its fiscal year 2000 budget request--the amount it
estimated that it needed to fund other Year 2000 activities, excluding
the implementation of HCFA contingency plans. Consistent with this, OMB
has not included HCFA's contingency costs when reporting Y2K costs.
Other agencies could also have higher costs if business continuity
and contingency plans need to be implemented. For example, the
Department of Education's May 1999 quarterly report stated that it
planned to estimate the cost to implement its contingency plans in the
next few months and that these estimates would be likely to increase
its fiscal year 2000 and overall Y2K cost estimates. Similarly, the
Office of Personnel Management's May 1999 quarterly report said that it
would continue to evaluate the need for additional Y2K-related funding
for business continuity and contingency plan implementation and will
advise OMB of those requirements.
Our guide on business continuity and contingency planning calls on
agencies to assess the cost and benefits of identified
alternatives.\16\ In its May 13 memo requiring agencies to submit high-
level business continuity and contingency plans on June 15, OMB stated
that agencies should follow our guide in preparing these plans.
Accordingly, OMB's review of these plans should consider whether
agencies provided estimated business continuity and contingency plan
costs. If not, OMB needs to require that this information be provided
expeditiously so that it can provide the Congress with information on
potential future funding needs.
---------------------------------------------------------------------------
\16\ GAO/AIMD-10.1.19, August 1998.
---------------------------------------------------------------------------
Additional costs could also be incurred if some states do not
complete their Year 2000 work on systems that support federal programs,
such as food stamps and Medicaid. Recent information indicates that
some state systems are not scheduled to be compliant until the last
quarter of 1999. For example, according to OMB's latest quarterly
report dated June 15, 1999, three states or U.S. territories did not
expect to complete testing of their food stamp systems and four states
or U.S. territories did not expect to complete testing of their
Medicaid eligibility systems until the last quarter of 1999. Because
these deadlines are so close to the turn of the century, the risk of
disruption to these states' and territories' programs substantially
increases, especially if delays occur or if unexpected problems arise.
If states do not complete their Year 2000 remediation in time, or
if those remediation efforts fail, the states would have to implement
their business continuity and contingency plans, which could encompass
federal government assistance. An example of such assistance is the
Department of Labor's April 2, 1999, emergency funding request of
$274,000 to design and develop a prototype PC-based system to be used
in the event that a state's unemployment insurance system is unusable
due to a Y2K-induced problem. In addition, many state-administered
federal programs, such as Medicaid and child support enforcement,
require the federal government to reimburse states for a percentage of
their administrative costs, which would be expected to increase in the
event that business continuity and contingency plans are implemented.
program and information technology initiatives delayed by y2k
While making systems ready for the year 2000 has been an enormous
job, other program and information technology needs have not
disappeared; in fact, they continue to grow. In particular, because of
the Year 2000 problem, agencies or the Congress have delayed
implementation of regulatory requirements and planned information
technology initiatives. In addition, many agencies have implemented or
plan to implement moratoriums on software changes until some time after
the rollover to the new century. For example:
--In July 1998, HCFA notified the Congress of its intention to delay
implementation of certain provisions of the Balanced Budget Act
of 1997 that would have required changes to systems on which
Year 2000 modifications were being made. As of June 16, 1999,
HCFA had delayed work on seven provisions, in whole or in part,
associated with this act in order to meet the Year 2000
challenge. In addition, HCFA reported that it had delayed
another information technology initiative because it would have
caused an unacceptable resource drain from the Year 2000
effort. According to a HCFA official, the agency is in the
process of carefully examining all of the work associated with
the Balanced Budget Act of 1997 provisions and the other
initiative in order to make decisions as to the order and time
frames in which each will be accomplished after the Y2K effort.
--As we reported last year, the level of effort required for the
Internal Revenue Service (IRS) to make its information systems
compliant is without precedent.\17\ Accordingly, as the Senate
was debating the IRS Restructuring and Reform Act of 1998, the
IRS Commissioner provided the Joint Committee on Taxation with
a listing of 28 provisions that given their effective dates,
could affect IRS' ability to complete its Y2K work as planned.
The final act extended the effective dates for 13 of the 28
provisions about which IRS had expressed concern.
---------------------------------------------------------------------------
\17\ Internal Revenue Service: Impact of the IRS Restructuring and
Reform Act on Year 2000 Efforts (GAO/GGD-98-158R, August 4, 1998).
---------------------------------------------------------------------------
--Some agencies have delayed planned information technology
initiatives in order to concentrate on their Year 2000 efforts.
In December 1998 we reported that the Department of Housing and
Urban Development suspended systems integration work on three
mission-critical systems so that the department could focus its
resources on completing Y2K renovations.\18\ Also, in September
1998, the Department of State imposed a moratorium on non-Year
2000-related system development projects to focus scarce
resources on Y2K remediation.
---------------------------------------------------------------------------
\18\ HUD Information Systems: Improved Management Practices Needed
to Control Integration Cost and Schedule (GAO/AIMD-99-25, December 18,
1998).
---------------------------------------------------------------------------
--A backlog of system modifications will have to be addressed
subsequent to the change of century. In response to our January
1999 suggestion,\19\ OMB issued a memorandum in May stating
that agencies should follow a policy that allows system changes
only where absolutely necessary because such changes can
introduce additional risk into systems that have already been
certified as Y2K compliant and could divert resources from
other Year 2000 efforts. Accordingly, at least six agencies
have established, or plan to establish, moratoriums or
restrictions on system changes during parts of 1999 and early
2000.
---------------------------------------------------------------------------
\19\ Year 2000 Computing Crisis: Readiness Improving, But Much Work
Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20,
1999).
---------------------------------------------------------------------------
The total governmentwide volume of program and information
technology activities delayed by Y2K efforts is not known; therefore,
the potential demand for additional information technology resources in
the future is difficult to predict. However, the costs of these delayed
activities could be significant. Accordingly, OMB will need to work
with the agencies to determine the magnitude of these pent-up demands
in order to make informed funding decisions in the future.
In addition to these demands, increased resources will likely be
needed for another key issue that has been garnering increased
attention--information security. This issue has many dimensions,
ranging from national security to economic disruption to privacy
considerations. As we reported in September 1998, the expanded amount
of audit evidence that has become available since mid-1996 describes
widespread and serious weaknesses in adequately protecting federal
assets, sensitive information, and critical operations.\20\ These
weaknesses place critical government operations, such as national
security, tax collection, and benefit payments, as well as assets
associated with these operations, at great risk of fraud, disruption,
and inappropriate disclosures. Further, as we testified in September
1998, the Year 2000 crisis is the most dramatic example yet of why we
need to protect critical computer systems because it illustrates the
government's widespread dependence on information systems and our
vulnerability to their disruption.\21\
---------------------------------------------------------------------------
\20\ Information Security: Serious Weaknesses Place Critical
Federal Operations and Assets at Risk (GAO/AIMD-98-92, September 23,
1998).
\21\ Information Security: Strengthened Management Needed to
Protect Critical Federal Operations and Assets (GAO/T-AIMD-98-312,
September 23, 1998).
---------------------------------------------------------------------------
Because of the longer-term danger of malicious attack from
individuals or groups, it is important that the government design long-
term solutions to this and other security risks. Accordingly, in
response to recommendations by the President's Commission on Critical
Infrastructure Protection, Presidential Decision Directive 63 was
issued in May 1998, which, among other provisions, required federal
agencies to develop plans for protecting their own critical
infrastructure, including cyber-based systems. These plans are
currently undergoing review by the Critical Infrastructure Assurance
Office, which was established by the Presidential Directive.
lessons learned from the government's year 2000 efforts can be applied
to future information technology activities
Throughout government--and likely in the private sector as well--
organizations' experiences in addressing Y2K hold valuable lessons
about how information technology can best be managed. For many
agencies, the threat posed by the Year 2000 problem was a much-needed
wake-up call. Because of the urgency of the issue, agencies could not
afford to carry on in the same manner that had resulted in over a
decade of poor information technology planning and program management.
Accordingly, lessons learned from the Year 2000 challenge should be
applied to agencies' implementation of the Clinger-Cohen Act of 1996
which, in part, seeks to strengthen executive leadership in information
management and institute sound capital investment decision-making to
maximize the return on information systems investments. Indeed, the
Department of Defense has reported that its response to the Year 2000
problem has become an example of an enterprisewide approach to
information technology management advocated by the Clinger-Cohen Act of
1996. It is important that agencies institutionalize the processes that
they have established to contend with the Year 2000 problem so that
future information technology initiatives benefit from this massive
effort.
Year 2000 programs provided agencies with the incentive and
opportunity to assume control of their information technology
environment. In many instances, it forced agencies to inventory their
information systems, link those systems to agency core business
processes, and jettison systems of marginal value. For example, in
response to recommendations in our August 1998 report, the Department
of State is in the process of identifying its core business functions
and determining the relative importance of each function.\22\
---------------------------------------------------------------------------
\22\ Year 2000 Computing Crisis: State Department Needs To Make
Fundamental Improvements To Its Year 2000 Program (GAO/AIMD-98-162,
August 28, 1998).
---------------------------------------------------------------------------
Earlier this year we also reported \23\ that the Year 2000 problem
provided the opportunity to institutionalize valuable lessons, such as
the importance of consistent and persistent top management attention,
accompanied by reliable processes and reasonable controls. More
specifically, complete and accurate inventories of information systems
can facilitate remediation, testing, and validation activities.
Information gained from identifying and prioritizing mission-critical
systems can further be used to identify and retire duplicative or
unproductive systems, and work that has been done to identify and
establish controls over data interfaces can help prevent data exchange
problems in the future. Similar lessons have been learned at the state
level, according to three state Year 2000 project managers. Other
critical success factors cited by one of these project managers that
could be used in future information technology initiatives are the need
to measure performance, outline responsibilities, and ensure
accountability.
---------------------------------------------------------------------------
\23\ Defense Information Management: Continuing Implementation
Challenges Highlight the Need for Improvement (GAO/T-AIMD-99-93,
February 25, 1999) and Year 2000 Computing Crisis: Defense Has Made
Progress, But Additional Management Controls Are Needed (GAO/T-AIMD-99-
101, March 2, 1999).
---------------------------------------------------------------------------
Another benefit of the Year 2000 effort was the establishment of
much-needed information technology policies. Our Year 2000 enterprise
readiness guide \24\ called on agencies to develop and implement
policies, guidelines, and procedures in such critical areas as
configuration management, quality assurance, risk management, project
scheduling and tracking, and metrics. Several agencies have implemented
such policies. For example:
---------------------------------------------------------------------------
\24\ GAO/AIMD-10.1.14, September 1997.
---------------------------------------------------------------------------
--In April 1999, we reported that according to Postal Service
officials, the service is implementing improved processes for
documenting software, testing, quality control, and
configuration management.\25\
---------------------------------------------------------------------------
\25\ U.S. Postal Service: Subcommittee Questions Concerning Year
2000 Challenges Facing the Service (GAO/AIMD-99-150R, April 23, 1999).
---------------------------------------------------------------------------
--As part of its Year 2000 effort, HCFA has implemented policies and
procedures related to configuration management, quality
assurance, risk management, project scheduling and tracking,
and performance metrics for its internal systems.
--As we testified in February, the Customs Commissioner has committed
to leveraging the agency's Year 2000 experience by extending
the level of project management discipline and rigor being
employed on the year 2000 to other information technology
programs and projects.\26\
---------------------------------------------------------------------------
\26\ Year 2000 Computing Crisis: Customs Is Effectively Managing
Its Year 2000 Program (GAO/T-AIMD-99-85, February 24, 1999).
---------------------------------------------------------------------------
Beyond individual agencies, the Year 2000 problem holds lessons in
overseeing and managing information technology on a governmentwide
basis. In particular, actions taken by the Congress and the Chief
Information Officers Council have demonstrated that effective oversight
and guidance can have a positive influence on major information
technology efforts. Congressional oversight played a crucial role in
focusing OMB and agency attention on the Y2K problem. In addition,
congressional hearings on international, national, governmentwide, and
agency-specific Year 2000 problems exposed the threat that this problem
poses to the public. The Chief Information Officers Council has proved
useful in addressing governmentwide issues through its Year 2000
Committee; this committee and its subcommittees have dealt with
important issues such as best practices, telecommunications, and data
exchanges. Continued oversight and guidance from the Congress and the
Chief Information Officers Council will be essential to ensuring the
future effectiveness of information technology initiatives.
Another lesson that could be adopted in the future is the use of
public/private partnerships. To address the Year 2000 problem from a
national perspective, the President's Council on Year 2000 Conversion
adopted a sector-based focus and has been initiating outreach
activities since it became operational last spring. As a result, the
Council and federal agencies have partnered with private-sector
organizations, such as the North American Electric Reliability Council,
to gather information critical to the nation's Year 2000 efforts and to
address issues such as contingency planning. In addition, the Chair of
the Council has formed a Senior Advisors Group composed of
representatives from private-sector firms across key economic sectors.
Members of this group are expected to offer perspectives on
crosscutting issues, information-sharing, and appropriate federal
responses to potential Year 2000 failures. Other major information
technology areas, such as information security, could benefit from such
an approach.
In summary, it is clear that Year 2000 expenditures have been
significant, sometimes unpredictable, and growing. Emergency
supplemental funds are planned for a variety of purposes, including
renovation, validation, and implementation of individual systems and
the independent verification and validation of these systems. Moreover,
Y2K cost growth may continue, especially if business continuity and
contingency plans must be put into operation or if state-administered
federal program remediation efforts are not completed. While correcting
the Y2K problem has been and continues to be costly, the experiences of
individual agencies and the government as a whole in meeting this
challenge have provided a renewed and needed focus on information
systems. We have come to realize how much we depend on them, and have
been reminded of how they must be well-managed. As we attempt to meet
future information technology and security challenges, these lessons
should not be lost.
Messrs. Chairmen, this completes my statement. I would be happy to
respond to any questions that you or other members of the Committees
may have at this time.
contact and acknowledgments
For information about this testimony, please contact Joel
Willemssen at (202) 512-6253 or by e-mail at [email protected].
Individuals making key contributions to this testimony included Michael
Fruitman, James Hamilton, James Houtz, Linda Lambert, Michael Tovares,
and Daniel Wexler.
Appendix I.--Organizations Receiving Emergency Allocations (as of May
1999)
[In thousands]
Organization Amount allocated
Department of the Treasury.................................... $602,223
Department of Health and Human Services....................... 323,858
Department of Transportation.................................. 192,789
Department of Justice......................................... 84,396
Department of the Interior.................................... 80,347
Department of State........................................... 64,918
District of Columbia.......................................... 64,049
Department of Commerce........................................ 57,920
General Services Administration............................... 48,407
Department of Agriculture..................................... 46,168
Executive Office of the President--Office of Administration... 29,791
Department of Energy \1\...................................... 23,840
Department of Labor........................................... 17,792
Department of Housing and Urban Development................... 12,200
Agency for International Development.......................... 10,200
United States Information Agency.............................. 9,562
Federal Communications Commission............................. 8,516
Securities and Exchange Commission............................ 8,175
Federal Emergency Management Agency........................... 7,352
National Archives and Records Administration.................. 6,662
Small Business Administration................................. 4,840
Smithsonian Institution....................................... 4,801
Department of Education....................................... 3,846
Federal Trade Commission...................................... 2,599
Office of Personnel Management................................ 2,428
Overseas Private Investment Corporation....................... 2,100
United States Holocaust Memorial Council...................... 900
Corporation for National and Community Service................ 800
Executive Office of the President--Office of the U.S. Trade
Representative............................................ 498
Export-Import Bank of the United States....................... 400
Railroad Retirement Board..................................... 398
National Capital Planning Commission.......................... 381
Commodity Futures Trading Commission.......................... 356
Selective Service System...................................... 250
Federal Labor Relations Authority............................. 243
African Development Foundation................................ 137
Office of Special Counsel..................................... 100
Merit Systems Protection Board................................ 66
Architectural and Transportation Barriers Compliance Board.... 60
Marine Mammal Commission...................................... 38
--------------------------------------------------------------
____________________________________________________
Total civil agencies.................................... 1,724,406
Department of Defense......................................... 935,000
--------------------------------------------------------------
____________________________________________________
Total allocations....................................... 2,659,406
\1\ This amount does not include $13.65 million that was allocated to
the Department of Energy but was not transferred.
Source: OMB.
---------------------------------------------------------------------------
Statement of Jacob J. Lew
Chairman Bennett. Mr. Lew, let's go to you now.
Mr. Lew. Thank you, Mr. Chairman, Senator Stevens. I am
delighted to be here with you this morning. I appreciate the
invitation to testify on the progress the Federal Government
has made in addressing the year 2000 problem.
As you well know, this is a problem that potentially has
enormous implications for our Nation. I am very pleased we have
been able to work together, and I want to thank Senator Stevens
in particular for the cooperation on working to make sure that
the funding was in place to make sure that Y2K, as the
President has said, will be remembered as the last headache of
the 20th Century and not the first crisis of the 21st.
I would like to address three topics today: First, the
Federal progress in addressing the Y2K challenge; second,
Federal agency costs and funding for these efforts; and third,
the next steps to assure that Federal programs that people
depend on will not be disrupted.
As you know, last week I sent both committees OMB's ninth
quarterly report on Federal agency progress in addressing the
Y2K problem. That report shows that Federal agencies continue
to make excellent progress in addressing the challenge.
Ninety-three percent of the Federal Government's mission-
critical systems are now compliant, which is an increase from
79 percent reported in February. Fourteen of the 24 major
Federal departments and agencies now report that they have 100
percent of their mission-critical systems Y2K-compliant, and 9
are over 90 percent.
This progress is attributed to the hard work of thousands
of Federal employees and contractors and, I might add, to the
rapid and timely availability of funding through the contingent
emergency reserve. I would like to thank the committees for
ensuring Federal agencies have had adequate funds to address
Y2K remediation to date.
While much work remains to be done, we fully expect that
all of the Government's mission-critical systems will be Y2K-
compliant before January 1, 2000. For some time, fixing the Y2K
problem has been the agency's number one information technology
priority. Additionally, agencies are minimizing any kind of
changes to their systems that are not related to Y2K in order
to ensure that they will be able to maintain the schedules that
they have set.
Based on guidance that we sent out just last month,
agencies are using change management processes to ensure that
any new IT requirement changes and system changes are minimized
while they are completing dealing with the Y2K problem. This
effort will ensure that agencies set realistic goals for the
completion of their work, and will enable them and us to
measure their progress against their own goals. As I said, we
are confident that every mission-critical system will be ready
for the year 2000.
As you know, last September, the administration requested a
fiscal year 1998 supplemental appropriation for $3,250 million
in contingency emergency funding to address urgent emerging
needs related to Y2K activities. The 1999 omnibus bill provided
contingent funding of $2.25 billion for nondefense activities
and $1.1 billion for defense-related activities. OMB is
responsible for allocating the nondefense contingent emergency
reserve and for working with the Department of Defense (DOD) on
its share as well.
To date, $1,768 million has been allocated from the
nondefense reserve, and $14 million has been returned to the
reserve at the request of the House Appropriations Committee.
Therefore, $486 million remains in the reserve for unforeseen
requirements. Of the $1.1 billion provided for defense-related
activities, $935 million has been released, and $165 million
remains in the reserve.
OMB has worked with the agencies on an ongoing basis to
evaluate the total Y2K requirements and to determine how to
best utilize available nondefense funding for Y2K. First, OMB
made certain that agencies received funding for activities that
were requested in the President's fiscal year 1999 budget, but
were directed to be funded from the contingent emergency
reserve.
As you know, there were a number of specifically mentioned
items. Since then, agencies have been asked to forward requests
for contingent emergency funding on an as-needed basis. These
requests were then reviewed by OMB to ensure that the requested
funding meets the criteria for release. First, that the funding
is Y2K-related, and is the most cost-effective option to
facilitate compliance; second, that it addresses an unforeseen
need, not one accounted for within existing agency plans; and,
third, that it cannot be accommodated within appropriated
levels for fiscal year 1999. Finally, that they cannot be
addressed using unobligated balances of already-released Y2K
funds.
Once the funds are allocated, OMB tracks the Y2K-related
expenditures to confirm that appropriate progress is being
made, and that each agency can cogently explain its cost levels
and cost changes. All agencies that received emergency funding
have forwarded data on obligations to date to OMB, and this
data has informed our consideration of subsequent emergency
requests.
In the first OMB quarterly report issued in February 1997,
we estimated that the cost of Y2K compliance would be $2.3
billion. Initially, it was thought that fixing the problem
would primarily involve mainframe computers and legacy
applications. However, as we and others learned in the course
of remediation, the problem is far more complex, involving
desktop personal computers, embedded chips, and
telecommunications components.
Cost increases from the first to the fourth OMB quarterly
report--that would be through March 1998, totalling $2.4
billion--resulted from better understanding of the scope of the
problem and increasing agency attention to the cost estimates.
Since the broader universe of Y2K remediation was clearly
established, costs have remained within a much more predictable
band. From the fourth OMB quarterly report in March 1998, to
the ninth OMB quarterly report just this month, cost reports
reported change by 4.7 percent of the 3-year total. Of this,
estimates for defense have changed by 3.6 percent of the 3-year
total.
The increase in fiscal year 1999 funding, $2.8 billion
between the fourth and ninth OMB quarterly reports, has
reported activities that have been subjected to a rigorous
policy review. Most of the cost increases can be attributed to
specific activities, remediation of information technology
systems, testing to ensure that systems are Y2K compliant,
replacement of embedded computer chips, and creation and
verification of business continuity plans.
Fiscal year 2000 costs, which have increased by $509
million over the same period, are primarily for Y2K project
offices to manage and monitor the transition into 2000, as well
as for retesting and recertifying contingency plans. The
details of agency spending plans continue to be made available
for your review as the process moves forward.
Most of the work on fixing mission-critical systems is
completed, so OMB will focus its system-readiness on ensuring
the readiness of individual systems. In addition, OMB and the
agencies are beginning to focus on two new priorities: ensuring
the readiness of Federal programs, particularly 43 high-impact
programs that we have identified, and planning for business
continuity and contingencies.
We must make sure that the Federal programs, particularly
those that have a direct and immediate effect on health, safety
and well-being of the public, function smoothly. As I have just
related to you, we are confident that the mission-critical
systems will be ready, but because Federal programs partner
with other entities. It is critically important that all
partners are working together to ensure that the programs they
support will be ready.
The critical task is to make sure that not just systems but
the programs they support will be ready. Accordingly, I have
asked agencies to take this additional step.
OMB has also identified 43 high-impact, federally supported
programs, and directed Federal agencies to take the lead on
working with others to ensure that programs critical to health,
safety, and well-being will provide uninterrupted service.
Agencies have also been asked to help partners develop year
2000 plans if they have not already done so to ensure that
these programs will operate effectively.
Agencies are reporting to us monthly, and will demonstrate
the readiness of each program by September 30, 1999. Although
we expect all Federal mission-critical systems to be ready by
January 1, 2000, it is still important that every agency, no
matter how well-prepared, have a business continuity and
contingency plan in place.
Agencies have identified their core business functions and
are using this as a basis for developing business continuity
and contingency plans which will ensure that these core
business functions will operate smoothly no matter what kinds
of glitches occur in agency systems or with agency partners.
Let me make it clear, we do not anticipate disastrous
consequences as a result of the year 2000 computer problem in
Federal systems. However, it is possible there will be problems
that result in minor disruptions to the way agencies operate.
Agencies are prioritizing functions and systems and work-
arounds and backup plans are being established as
contingencies.
On May 13, I issued guidance on this subject, asking all
agencies, including small and independent agencies, to submit
to OMB by June 15 their business continuity and contingency
plans. These plans are an increasingly important component of
agency progress. Like a good insurance policy, a sound plan is
important no matter how well you are taking care of your
system. I have directed agencies to use the GAO guidance in
preparing their plans.
Additionally, many agencies are working closely with their
inspectors general and their expert contractors in the
development and testing of these plans. OMB is reviewing the
high-level business continuity and contingency plan (BCCP) of
agencies and will provide feedback and guidance to the agencies
on an individual basis.
In conclusion, during the 192 days remaining before the
year 2000, we plan to complete work on the remaining mission-
critical systems and on other Federal systems. We will conduct
end-to-end testing with the States and other key partners,
placing special emphasis on the readiness of programs that have
a direct and immediate impact on public health, safety, and
well-being.
We will complete and test business continuity and
contingency plans as insurance against any disruptions related
to Y2K failures. We will promote Y2K awareness with State,
local, and tribal governments with the private sector and with
other nations.
prepared statement
Again, I want to thank you for the opportunity for allowing
me to share this information with you. The administration
continues to treat this challenge with the high level of
attention that it deserves. We have enjoyed the cooperative
relationship that we have had with this committee and with the
Appropriations Committee to work together on this problem.
Thank you.
[The statement follows:]
Prepared Statement of Jacob J. Lew
Good morning, Chairman Stevens, Chairman Bennett, Senator Byrd, and
Senator Dodd. I am pleased to appear before the Committees to discuss
the Federal Government's progress in addressing one of the most complex
management challenges it has ever faced, the year 2000 problem. The
Federal Government is not alone in addressing this challenge, as the
Senate wisely recognized last year when it formed the Senate Special
Committee on the Year 2000 Technology Problem. This is a problem with
potentially enormous implications for our Nation. Every sector of our
economy and all organizations large and small must work together so
that we can, as the President said in his State of the Union Address,
make sure that the Y2K computer bug will be remembered as the last
headache of the 20th century, not the first crisis of the 21st.
Today, I would like to address three topics. First, I will describe
Federal progress in addressing the Y2K challenge. Second, I will
discuss Federal agency costs and funding for these efforts. Third, I
will describe our next steps to assure that Federal programs that
people depend upon will not be disrupted. These next steps include
focusing on completion of individual systems, ensuring the readiness of
Federal programs, and completion of business continuity and contingency
plans.
federal progress
As you know, the Federal Government has been working for more than
three years on this problem. Last week I sent to Congress OMB's ninth
quarterly report on Federal agency progress in addressing the Year 2000
problem. That report shows that Federal agencies continue to make
excellent progress in addressing this challenge. In particular, it
shows that 93 percent of the Federal Government's mission critical
systems are now compliant, an increase from 79 percent reported in
February.
Fourteen of the 24 major Federal departments and agencies now
report that 100 percent of their mission critical systems are Y2K
compliant. These agencies are: the Departments of Education, Housing
and Urban Development, Interior, Labor, State, and Veterans Affairs;
the Environmental Protection Agency, the Federal Emergency Management
Agency, the General Services Administration, the National Science
Foundation, the Nuclear Regulatory Commission, the Office of Personnel
Management, the Social Security Administration, and the Small Business
Administration.
In addition, two agencies, Commerce and NASA, report that 99
percent of their mission critical systems are compliant and that they
expect to be finished soon. Three agencies, the Departments of
Agriculture, Energy, and Health and Human Services, are between 96 and
97 percent compliant. Four agencies report that between 90 and 94
percent of their mission critical systems are compliant, including the
Departments of Justice and Transportation at 92 percent. The Department
of Defense reports that 87 percent of its systems are compliant, while
the U.S. Agency for International Development has completed
implementation of three of its seven mission critical systems.
From a base of 6,190 mission critical systems at this time, 410
mission critical systems remain to be finished, down from 1,354 in the
last report. The compliant systems include those that have been
repaired or replaced as well as systems that were already compliant. Of
the mission critical systems that remain to be finished, 87 (82
percent) are being repaired, 35 (10 percent) are being replaced, and 24
(eight percent) are being retired. We are monitoring the completion of
each remaining system through monthly reports from the agencies.
This progress is a tribute to the hard, skillful, and dedicated
work of thousands of Federal employees and contractors. Moreover, the
rapid availability of funds through the contingent emergency reserve
has been key to ensuring progress. I would like to thank the Committees
for ensuring that Federal agencies will not fail to meet the Year 2000
deadline because of lack of adequate funding.
While much work remains to be done, we fully expect that all of the
Government's mission critical systems will be Y2K compliant before
January 1, 2000. For some time, fixing the Year 2000 problem has been
the agencies' number one information technology (IT) priority, as other
IT projects are being delayed until the Y2K work is done. This action
has been managed throughout OMB's budget process.
Additionally, agencies are minimizing any kind of changes to their
systems unrelated to Y2K in order to ensure that they will be able to
maintain the schedules they have set for completion of their work.
Changes not only divert resources from fixing the Y2K problem, but may
also undo Y2K fixes. Based on guidance I issued on May 14, 1999,
``Minimizing Regulatory and Information Technology Requirements,'' (M-
99-17), agencies are using change management processes to ensure that
new IT requirements or changes to IT systems are minimized.
Again, this effort will ensure that agencies set realistic goals
for the completion of their work and will enable them--and us--to
measure their progress against their own goals. Agencies are working
hard to finish fixing their systems, and we are confident that every
mission critical system will be ready for the year 2000.
y2k costs and funding
First and foremost, I want to recognize that the transition into
the Year 2000 has posed a unique challenge. Formulating the Federal
response has required a great deal of attention, hard work, and
flexibility. In advance of my more detailed comments on this subject,
let me thank you for all of your work and leadership in helping to
ensure that sufficient funds are available in a timely manner to
address Y2K remediation. As we have scrutinized agency requests and
funded the most critical ones, the utility of this funding mechanism
has been proven many times. Simply put, without such a fund, many
Federal agencies would not be nearly as far along in their efforts as
they are today.
I would also like to emphasize that the Administration's strategy
for monitoring Government-wide progress on Y2K has been predicated on
agency accountability. We have systematically monitored agency progress
using a range of performance measures--compliance of mission critical
systems, status of mission critical systems being repaired, progress on
high impact programs, etc., as well as agency Y2K cost estimates. These
measures are linked, and together provide the most accurate picture of
the Government's overall readiness. On a quarterly basis (or more
frequently, if needed), agencies have been required to update OMB on
their Y2K progress and to explain all significant changes in these
measures.
We have tried to strike the appropriate balance to ensure agency
accountability without diverting vital resources from Y2K compliance
activities to reporting requirements. In addition, the Administration
has tried to be as forthright as possible in sharing information about
Y2K readiness. OMB has directed that agency quarterly reports and
detailed spending plans be forwarded to Congress, and we have
appreciated your input as we have worked together to address the
challenge posed by Y2K.
As you know, last September the Administration requested an fiscal
year 1998 supplemental appropriation for $3.25 billion in contingent
emergency funding to address urgent, emerging needs associated with Y2K
conversion activities. This request was consistent with Senate action
to that point. The Omnibus bill provided contingent emergency funding
of $2.25 billion for non-defense activities and $1.1 billion for
defense-related activities for Y2K computer conversion. As you also
know, OMB is responsible for allocating the non-defense contingent
emergency reserve. To date, $1.768 billion has been allocated from the
non-defense reserve, and $14 million has been returned to the reserve
at the request of the House Appropriations Committee. Therefore, $496
remains in reserve for unforeseen requirements. Of the $1.1 billion
provided for defense-related activities, $935 million has been released
and $165 million remains in reserve.
In order to determine how to best utilize all available non-defense
funding for Y2K--both base appropriations and emergency funding--OMB
has worked with agencies on an ongoing basis to evaluate total Y2K
requirements. First, OMB made certain that agencies received funding
for activities that were requested in the President's Fiscal Year 1999
Budget, but were directed to be funded from the contingent emergency
reserve. Since then, agencies have been asked to forward requests for
contingent emergency funding on an as-needed basis. These requests are
then reviewed by OMB examiners from both the Resource Management
Offices (RMOs)--liaisons to the individual agencies--and analysts from
our Information Policy and Technology Branch. In combination, they
review these requests to ensure that requested funding is:
--Y2K-related and is the most cost-effective option to facilitate
compliance.
--Addresses an unforeseen need, not one accounted for within existing
agency plans.
--Cannot be accommodated within appropriated levels for fiscal year
1999.
--Cannot be addressed using unobligated balances of Y2K emergency
funding.
In some cases, funds have also been requested to support outreach
to non-Federal entities in support of the efforts of the President's
Council on Year 2000 Conversion.
Once reviewed and discussed with the affected agency, OMB staff
make recommendations to OMB policy officials. These levels are then
finalized and included in an emergency release. As you know, pursuant
to last Omnibus Act, detailed information on each affected agency's
spending plan, as well as an account-by-account breakdown of the
request as a whole, is provided to your and other Committees. The funds
in the release are not made available to the agencies until 15 days
after the transmittal.
Once the funds are allocated, each Resource Management Office has
been tasked with tracking the Y2K-related expenditures for the agencies
it oversees, including emergency expenditures. At a minimum, the RMOs
review the agency quarterly report to confirm that appropriate progress
is being made and that each agency can cogently explain its cost levels
and cost changes. Then, depending on an agency's status, RMOs have used
different methods to track Y2K-related spending. All agencies that have
received emergency funding have forwarded data on obligations to date
to their RMOs. This data has informed our consideration of subsequent
emergency requests, and has resulted in several reprogramming requests
rather than additional releases. For example, in the Department of
Health and Human Services, we recently reprogrammed funds from HCFA to
the Administration for Children and Families. More reprogramming
actions may be forthcoming as agencies further refine their estimates
for fiscal year 1999 and 2000.
In addition, some RMOs monitor Y2K-related obligations and/or
outlays on a more regular basis, and require detailed information on
the expenditure of both base and emergency resources. Finally, because
of their unique period of availability (fiscal year 1999-fiscal year
2001), emergency funds are very transparent in terms of budget
execution. The RMOs have been given discretion in terms of treatment of
both base and emergency funds in the apportionment process, as is OMB's
general policy.
Your Committees have asked me to focus on the cost increases since
the 1st OMB Y2K Quarterly Report, which was issued February 1997. In
that report, the five year (fiscal years 1996-2000) Federal cost of Y2K
was reported estimated at $2.3 billion. However, it is now clear that
in the first quarterly report, we were not fully aware of the magnitude
of the year 2000 problem. Initially, it was thought that fixing the
problem would primarily involve mainframe computers and legacy
applications.
However, as we and others learned in the course or remediation, the
problem was far more complex, involving desktop personal computers,
embedded chips, and telecommunications components. Cost increases from
the 1st to 4th OMB Quarterly Report (through March 1998), totaling $2.4
billion, resulted from a better understanding of the scope of the
problem and increasing agency attention on the cost estimates. It is
important to note that until fiscal year 1999 agencies funded their
year 2000 costs exclusively out of base appropriations. Prior to the
availability of emergency funding, all costs increases were absorbed
within agency operating budgets.
Since the broader universe of Y2K remediation was clearly
established, costs have remained within a more predictable band. From
the 4th OMB Quarterly Report (March 1998) to the 9th OMB Quarterly
Report (June 1999), costs reported for fiscal years 1996-1998 changed
by $164 million, or 4.7 percent of the three-year total. Of this,
estimates for Defense have changed by $128 million, or 3.6 percent of
the three-year total. Since last March, then, cost estimates for non-
defense agencies for fiscal years 1996-1998 for have changed by a
little more than one percent.
The increase in fiscal year 1999 funding, $2.8 billion between the
4th and 9th OMB Quarterly Reports, has supported activities that have
been subjected to the rigorous policy review that I have discussed.
Most of the cost increases can be attributed to specific activities:
remediation for information technology systems, testing to ensure that
systems are Y2K compliant, replacement of embedded computer chips, and
creation and verification of BCCPs. I am confident that this funding
has helped to ensure that important Federal programs will have a smooth
transition into the year 2000. Fiscal year 2000 costs, which have
increased by $509 million over the same period, are primarily for Y2K
project offices to manage and monitor the transition into 2000, as well
as for retesting and recertifying contingency plans. The details of
agency spending plans continue to be made available for your review as
this process moves forward.
I would now like to turn to another issue that I have been asked to
address: the difference between agency estimates and actual costs. I
believe that this question stems from the cost table in each OMB
Quarterly Report. In that table, past years (fiscal years 1996-1998)
are characterized as estimates even though, as you know, the budgetary
data for those years reflects actual expenditures. With OMB's approval,
agencies have refined the universe of Y2K-related costs since fiscal
year 1996. As an activity is added to the Y2K universe, we want to make
certain that we are capturing the five-year cost of that activity. For
example, a Department may not have reported embedded chip replacement
as part of their initial Y2K estimate. However, they later received
guidance to do so. In such a case, OMB has worked with the Department
to verify that the multi-year cost of embedded chip replacement was
being reported. If this required changing an estimate in a past fiscal
year, agencies did so with OMB approval. At the same time, future year
estimates may have been adjusted to account for newly recognized
activities. Thus, although the budget data for fiscal years 1996-1998
are actuals, since recognition of the scope of the Y2K problem has
changed over time, OMB has not asked for or characterized costs for
those years as actuals.
Another component of this issue is that Y2K-related expenses can be
aggregated at a level below or above budget accounts. Y2K-related
expenses are embedded in broader operating budgets. We have worked to
ensure that we are capturing Y2K-related costs and that agencies are
making defensible and standardized assumptions about these costs.
Conversely, we are trying to filter out activities that were wholly
planned for and would have been implemented regardless of Y2K.
next steps
As I stated earlier, now that most of the work on fixing mission
critical systems is completed, OMB will shift its focus from aggregate
figures for system readiness to ensuring the readiness of individual
systems. In addition, OMB and the agencies are beginning to focus on
two new priorities.
--Ensuring the readiness of Federal programs, particularly 43 high
impact programs that we have identified.
--Planning for business continuity and contingencies.
Ensuring the Readiness of Federal Programs
While we have made excellent progress in preparing our systems, we
are not yet done. We must make sure that Federal programs, particularly
those that have a direct and immediate affect on the health, safety,
and well-being of the public, function smoothly. As I have just related
to you, we are confident that critical systems will be ready. But
because Federal programs partner with other entities, including other
Federal agencies; State, Tribal, and local governments; banks;
contractors; vendors; and other entities; it is critically important to
ensure that all partners are working together to ensure that the
program they support will be ready. The critical task is to make sure
that not just systems, but the programs they support, will be ready.
Accordingly, on March 26, 1999, I asked agencies to take this next
step. I also identified 42 ``high impact'' Federally supported programs
and directed Federal agencies to take the lead on working with other
Federal agencies, State, Tribal, and local governments, contractors,
banks, and others to ensure that programs critical to public health,
safety, and well-being will provide uninterrupted services. Examples
include Medicare and Unemployment Insurance. The list was subsequently
revised to include the National Crime Information Center at the
Department of Justice, bringing the total to 43.
Agencies have also been asked to help partners develop year 2000
plans if they have not already done so to ensure that these programs
will operate effectively. Such plans are to include end-to-end testing,
developing complementary business continuity and contingency plans, and
sharing key information on readiness with partner organizations and
with the public. Agencies are reporting to us monthly and will
demonstrate the readiness of each program by September 30, 1999. A
table of the programs, including the partners agencies are working with
is included last week's quarterly report.
Business Continuity and Contingency Planning
Although we expect all Federal mission critical systems to be ready
by January 1, 2000, and although we are prepared to demonstrate the
readiness of a number of critical programs, it is still important that
every agency, no matter how well prepared, have a business continuity
and contingency plan (BCCP) in place.
Agencies have identified their core business functions and are
using these as a basis for developing business continuity and
contingency plans, which will ensure that these core business functions
will operate smoothly, no matter what glitch may occur in an agencies'
systems or with an agencies' partners. While we are confident that the
measures taken for Y2K compliance are sound, the chance remains that,
despite testing, a bug may still slip through. Furthermore, elements
beyond an agency's control are at risk from the Y2K problem as well.
For example, bad data from a data exchange partner or the inability of
a vendor to provide key supplies could disrupt work at an agency.
Let me make it clear that we do not anticipate any disastrous
consequences as a result of year 2000 computer problems in Federal
systems. It is possible, and even likely in some situations, that there
will be glitches in systems that result in minor disruptions to the
ways that agencies operate. Accordingly, for each core business
function and its associated systems, agencies have identified risk
factors, and assigned them a probability rating as well as an impact
rating. The agencies use these ratings to prioritize functions and
systems. Work-arounds and back-up plans are established as
contingencies.
Although we do not expect any disasters, it is always wise to
prepare for the worst. Since the 1970s, agencies have been required to
have in place Continuity of Operations plans (COOP plans), to address
such emergencies. In the event of a disaster, whether related to Y2K or
to a national emergency, such as a terrorist attack or regional weather
emergency such as a tornado or violent snowstorm, agencies are using
their COOP plans to ensure that the agency will continue to function. I
also asked agencies to ensure that the development of their BCCP was
coordinated with pending revisions to each agency's COOP plan. Again,
although we do not expect any kind of Y2K disaster, agencies are
developing plans, in coordination with their BCCPs, to address this
contingency.
On May 13, 1999, I issued guidance on this subject, ``Business
Continuity and Contingency Planning for the Year 2000,'' (M99-16). This
memorandum asked all agencies, including small and independent
agencies, to submit to OMB by June 15 their business continuity and
contingency plans (BCCPs). This memorandum also identified a number of
infrastructure areas for which agencies should make common assumptions,
such as electric power, financial services, and public voice and data
communications. This common assumption is that there will be no nation-
wide disruptions within these infrastructure services.
By setting these risk areas aside from agencies' business
continuity and contingency planning, agencies are able to focus on
ensuring that their core business functions and affiliated systems will
work. In the extremely unlikely event that a catastrophic emergency
occurs that damages local infrastructure, communications, or the agency
building itself--whether caused by Y2K, or by a natural disaster,
terrorism, or war--the agency's COOP plan will address these
contingencies.
On the international side, the State Department is leading a
working group of those agencies with employees overseas in order to
develop risk assumptions and appropriate responses, to be used in the
development and refinement of those programs' BCCPs.
BCCPs are an increasingly important component of agency progress.
Like a good insurance policy, a sound plan is important, no matter how
well you have taken care of your systems. To ensure quality and
consistency, I have directed agencies to use the General Accounting
Office's (GAO) guidance on this subject in preparing their plans.
Additionally, many agencies are working closely with their Inspectors
General and/or expert contractors in the development and testing of
these plans. Finally, OMB is reviewing the high-level BCCPs of
agencies, which were due June 15, and will provide feedback and
guidance to the agencies on an individual basis.
Prepayment
As part of their contingency planning, some agencies have explored
the possibility of making some payments in December that would
otherwise be due in January to beneficiaries, contractors, and others.
However, the Administration has determined that such actions are not
necessary at this time, given the level of readiness of agency payment
systems and agency business continuity and contingency plans. Moreover,
the extensive downside risk to prepayment mitigates strongly against
implementing this contingency plan in all but the most exceptional
circumstances.
First, and most importantly, issuing such payments early would
require reprogramming of payroll and other financial management
systems. I have previously stated that any changes to systems should be
minimized as they not only divert resources from fixing the Y2K
problem, but also may undo Y2K fixes. It would be highly irresponsible
to implement a contingency plan that could worsen the year 2000
problem.
Second, making early payments would have tax implications for
individuals and businesses. Undoing any tax implications would require
legislative changes for the Internal Revenue Service, which in turn
would be required to make changes to the tax code and to their systems.
All of these actions would be both costly and time-consuming.
Third, such actions could easily be interpreted by the public as an
overall sign of lack of confidence in the ability of the Government to
make its payments after January 1. Such a signal could prove disastrous
for the national economy as panicked citizens turn to withdrawing their
currency in anticipation of a currency shortage. This sort of panic is
a self-fulfilling prophecy. Public panic and overreaction is a problem
far larger than the technology problem and something we are very
concerned about.
Finally, even allowing prepayment in extremely limited areas
increases pressure to provide early payment for everyone.
Any uncertainty about the readiness of agencies to make benefits
payments should be mitigated by continuing to focus on fixing and
testing systems. Agencies should also consider alternative contingency
plans that do not introduce such high levels of Y2K risk into systems
or that could propagate public panic.
Despite these concerns, however, there may be a few rare instances
in which early payment is the best option. In any such instances,
agencies may request authority from OMB to pay certain benefits early
if certain criteria are met. These include demonstration that there
will be substantial harm to individuals from not getting a timely
payment, a high likelihood that timely payments (either by normal
program operation or through a contingency) will not be made, assurance
that early payments made will be targeted only to those recipients who
would be harmed, and that early payment will substantially mitigate the
harm. The agency must also be willing to make a public announcement of
these decisions and to work with the Department of Treasury so that
adequate cash management practices are maintained. Throughout the
remainder of the year, we will continue to review this matter with
agencies.
conclusions
In conclusion, during the 192 days remaining before the year 2000,
we plan to:
--Complete work on remaining mission critical systems and on other
Federal systems.
--Conduct end-to-end testing with the States and other key partners,
placing special emphasis on ensuring the readiness of programs
that have a direct and immediate impact on public health,
safety, and well-being.
--Complete and test business continuity and contingency plans as
insurance against any disruptions related to Y2K failures.
--Promote Y2K awareness with State, local, and Tribal governments,
with the private sector, and with other Nations.
Thank you for the opportunity to allow me to share information with
you on the Administration's progress. The Administration continues to
treat this challenge with the direct, high-level attention it deserves.
The additional focus on the year 2000 problem by the President,
Congress, and the public has resulted in agencies focusing management
attention on the issue and taking a close look at their resource needs.
The Year 2000 contingent emergency reserve has helped ensure that
agencies have access to funds to facilitate their work. OMB remains
committed to working with the Committees and Congress on this critical
issue. I would be pleased to answer any questions you may have.
Number of Federal mission-critical systems that are Y2K compliant
Chairman Bennett. Thank you very much. You use the phrase,
93 percent compliant as of June. That is the same number that
John Koskinan reported in the end of March. Are you simply
reporting that number, or are you telling us subliminally that
there has been no progress from the end of March?
Mr. Lew. Well, the February report we submitted was at 79
percent, so from February until now we have gone to 93 percent.
I think you have to look at the other areas where we have
closed in on the 100 percent, and the fact that we have 14
agencies that are now 90 percent compliant or better.
Chairman Bennett. I do not want to quibble numbers with
you, but there are enough people who follow this on the
Internet. We need to be careful here and give you an
opportunity to focus on it.
The President set March 31 as the deadline by which every
Federal agency was supposed to be 100-percent compliant. A
number of agencies missed that deadline, and John Koskinan
reported when that deadline came, a 93-percent overall number
for the Federal Government. We are now 60 days beyond, 75 days
beyond March 31, and you are using the 93 percent number. Are
you using the 93 percent number because that is the last number
we have and it comes as of March 31, or are you telling us that
we are stuck, as of March 31, and we are still at the 93
percent number?
Mr. Lew. No, Senator, I am certainly not saying we are
stuck. The numbers I am using are based on the ninth quarterly
report we submitted to you last week. John Koskinan was basing
his comments in March on estimates which were not yet in our
quarterly report system and may have anticipated some of the
progress that has been made.
Chairman Bennett. So you are saying the 93 percent at the
end of March was not fully accurate.
Mr. Lew. Well, I am saying it was an estimate. The numbers
in the quarterly report are based on the rigorous review that
we do of each agency's reporting, and the estimate in between
reports is necessarily based on--I do not want to say less
accurate data, but estimates are different than actual numbers,
as we will probably discuss in other regards as well.
I think the important thing to focus on is that we are
making continuous progress and very rapid progress in the areas
where we had the most catching up to do. Look at the largest
and most complicated departments, an agency like HHS with HCFA,
where they have made tremendous progress such that HCFA is now
compliant. Some of the resources that we thought would be
needed for HCFA have actually been shifted over to other HHS
activities because HCFA has completed most of its work.
You look at the Defense Department, where they have more
systems than anywhere else. They are down to the point now
where they are working on their systems that are not yet in
service, the new technologies that have not yet been put in
place. They are making great progress to ensure that they have
continuity and that they do not have the kinds of delays that
we had feared, if they could not get new systems to be
compliant.
So I think we are continuing to make very good progress. I
do not want to suggest for a minute we do not have a lot of
work to do. We will be working very hard for the remainder of
the time we have, and I think you will see in May and June and
July and August considerable progress in each of the months.
As I looked over the report, I was struck at how many
agencies expected to be reporting substantial progress in the
very near-term timeframe. Now, I am not surprised by that. We
would hope, given that we are 192 days away from the year 2000,
that we would be seeing ourselves closing down problems at a
rapid pace, and that is what our reports are showing, so I
think we have continued to move forward. If there is some
confusion between the numbers that were based on estimates and
the quarterly reports, I would be happy to go through it
outside of the hearing and look at what might lie behind that.
Chairman Bennett. I think it is important to get it very
clear, because one of our problems with respect to Y2K is the
question of public confidence, and there are those who have
attacked this committee for being too alarmist. Saying we are
going to set off a panic that will be worse than the problem.
Obviously, I do not accept that criticism. I think the
committee has been responsible, but again, back to the public
perception here.
The President said 1 year, 1\1/2\ years ago when he made
his statement on Y2K, I believe it was at the National Science
Foundation, that every Federal agency would be 100 percent
compliant by March 31, 1999. We did not make that. I applauded
that as the goal at the time he said it, and said that is the
right goal, and that is what we should strive for, but
privately I thought, we are not going to make it.
All right, we did not. Now, the number that was put out by
the administration as of that date was 93 percent, and we were
told the new target date for 100-percent compliance is June 30.
Now, June 30 is 2 weeks away, and if there is an announcement
as of June 30 that we are 93 percent compliant, people who will
not go into the details that you have shared with us here are
going to start to panic and say, the Federal Government is not
making it, has not had any progress.
So without asking for a specific response here--and I will
be talking with John Koskinan tomorrow, we talk every week
either face-to-face or on the phone--I will just signal that
there is that public perception problem that has to be dealt
with. Either the statement is made as of the end of June we are
now up to 97, or whatever the number, or hey, we need to revise
what was said in March that it was an estimate. We now know
that the reality is that--I mean, we adjust statements around
here all the time, when more data comes in. This is where we
were in March, and we have made this much progress to June 30.
I am gathering from your testimony that we will not be able
to announce on June 30 that we are 100-percent compliant.
Mr. Lew. No, I do not think we will be able to announce we
are 100-percent compliant, but I am hopeful we will be able to
show more continuing progress. Obviously, from our report last
week to the end of June is a fairly short window, so I do not
want to raise unreasonable expectations about how much we will
be able to say, over what is really a matter of a few weeks,
but we are not just doing quarterly reports.
We are keeping daily contact, as you mentioned. We are in
regular contact with the committee as well. If there is a
concern that we are not putting out frequent enough benchmarks
of how much progress is made in a way that can be tracked
clearly by the public, that is something we can look into.
I think the underlying facts are better than the impression
that you are suggesting, which means we have a communication
problem.
Chairman Bennett. I think there are too, and I think it is
a joint responsibility of the Congress and the administration
to get the information out so that we do avoid panic.
Yes, Mr. Walker.
Mr. Walker. Mr. Chairman, for the benefit of you and the
committee, based upon self-reported data that we see from the
agencies as of May 14, the number was 94 percent, and hopefully
Jack will end up having more recent numbers in the near future.
Second, I have asked Joel Willemssen to join me, Mr.
Chairman, in part because of his expertise and in part because
of the recognition of the work that he and his team has done in
the Y2K area working with your committee and others.
Has the Y2K problem undermined computer security?
Chairman Bennett. Thank you, and the record will show, Mr.
Willemssen, that you are at the table and available. If the
time comes that you need to speak up, you will be identified
for the record.
Let me get a dialogue going between the two witnesses for
just a minute before I call on Senator Stevens. Mr. Walker, I
was impressed by your statement in two areas, both of which I
agree with absolutely. The first one had to do with pent-up
demand. We are finding that in the private sector as well that,
as we do our hearings in the special committee, more and more
industries are saying they are going to have no more IT
activity the last half of 1999 because we are concentrating so
heavily on testing and final installation of Y2K solutions, and
since we do not want any new initiatives, there will be a
significant pent-up demand.
Some high tech companies on the reverse side of that are
reporting anticipation of lower sales in the third and fourth
quarters of 1999, because they say that customers are so
wrapped up in Y2K they do not have the time to look at anything
now, and then it will explode in 2000.
Now, if we have serious Y2K problems, the preoccupation of
Y2K will not carry over in the first and second quarters of
2000. The pent-up demand will not hit until they are taken care
of, but is very much there. I would think, Mr. Lew, that it has
got to be a real planning headache for OMB, and it is
information that we in the Congress need as we face the
appropriations process.
Because, as Chairman Stevens can tell you more eloquently
than anybody, dealing with the caps and the challenges of the
appropriations process is very, very difficult. To say, ``Well,
there is all this pent-up demand, where we are going to need
more funds for Y2K capability,'' and that is caused by the
slow-down, or the interruption, rather, of the normal flow of
things as result of Y2K, that can be very serious business for
the Appropriations Committee and its various subcommittees.
The second issue that I would like you to talk about,
although perhaps not in the same breath, but just to alert you
to the other thing I am concerned about, is this question of
security. Now, Y2K has made a tremendous impact on me at least,
as it has forced me to confront what will happen to our society
if the computers fail.
Now, we are talking about close to $9 billion, and it may
get to $10 billion by the time we are through, just to keep the
Federal computers from failing. This amount in the general
economy is--pick a number--somewhere between $50 and $100
billion that private entities and the State and local
governments will spend just to keep the computers from failing.
The potential for failure is a problem that is built into the
software.
The potential for failure as a result of a deliberate act
on the part of a terrorist group is just as great, and will
cause just as much devastation as the Y2K. Right now, most of
the attack, cyber attack if you want to call it that, is coming
at the Defense Department. I have had conversations with
Secretary Hamre about that and will continue to have those
conversations. The Defense Department is hardening itself
against those kinds of attacks and is building some expertise
for dealing with them.
The rest of the economy is not, as nearly as I can tell,
and some Government agencies are not. I do not want to give
anybody any ideas, but I can see a scenario where a terrorist
group says, ``all right, if we want to take down the great
Satan, we will not attack their military, we will destroy their
ability to distribute welfare checks, and we can do that much
more easily than we can hack into the military computers.
If we want to cause disruption in America, we will shut
down the power grid, we will shut down the telephone system, we
will interrupt the flow of commerce by taking down the Fed
wire.''
A whole series of security issues that have nothing to do
with defense, but everything to do with our ability to continue
to function as a Nation have come to my attention as a result
of Y2K. I have spoken with the Majority Leader about it, and he
has encouraged me to use the Y2K Committee to examine these
issues in the time the committee has left. We go out of
business on February 29.
But these are very serious issues, and I was glad to see
you raise them, Mr. Walker, and at some point in this hearing
between the two of you, you might want to talk about that.
So those are the two issues that I want to focus on, the
pent-up demand, its immediate impact on the appropriations
process, and then the overall security issue. We will get into
those questions, Senator Stevens, unless you have a question
now.
Chairman Stevens. If they want to comment, that is fine.
Mr. Walker. Mr. Chairman, I will comment on that.
First off, on pent-up demand, my experience both in the
public and private sectors has shown over the years that there
is always a pent-up demand for wants in the area of information
technology, but what I think is different because of Y2K is
that there is increasing pent-up demand for needs.
You pointed to the fact that many, both public and private,
entities have frozen changes in their LANs, in their software,
in various other areas dealing with information technology to
focus full attention on the Y2K challenge. They need to
stabilize their environment in order to deal with their most
immediate time-sensitive need--that is Y2K.
The fact of the matter is that there is a pent-up demand
for needs for enhancements as well as the second issue that you
raise, which is computer security. Computer security is already
on our high risk list, just as Y2K is. Computer security is
going to follow up closely on the heels of Y2K. It has national
security, economic security, and personal privacy
considerations.
We are focusing a lot of our time and attention on that,
and believe that the Congress will need to do the same, as well
as the executive branch, and I am sure that they intend to do
so. I think these are two very real issues that not only are
important from a wants, needs and affords perspective. What can
we afford? And there are tradeoffs. Money is fungible, and so
the question is, What are the consequences of these choices?
Mr. Lew. Mr. Chairman, I think there is no doubt there will
be some pent-up demand, and that we have separate but very
important concerns about computer security that are unrelated
to Y2K. I think I would actually take a slightly different
tack, I think our experience with Y2K in some ways leaves us
more ready to deal with both of these issues than we otherwise
would be.
In the area of pent-up demand, there are many agencies that
have much more modern computer systems now than they would have
had if we had not been dealing with Y2K because, given the
tightness of appropriated resources they would not have
replaced their personal computers (PC's), they would not have
done the work that they have done over the last couple of
years.
That does not mean that it is all of what they need for the
next stage of agency operations, but I think we are left with
an architecture that is generally better, not just Y2K-
compatible. We need, as we calculate the pent-up demand, to
really look at what the net pent-up demand is, not of the
investments we have made.
The concerns I have looked at are more the programmatic
than the hardware issues, where agencies have deferred
activities. You look at HCFA. In order to comply with Y2K
compliance requirements, they deferred some of their rulemaking
activity.
There is going to be a pent-up demand which will mean that
people have to work on those projects in the coming year that
they should have done in the past year. I think that has
potentially programmatic implications. I do not know yet
whether it has funding implications. I think we have to get a
little farther into it to determine that.
In the area of computer security, one of the things that
the contingency planning process is serving to be very useful
for is to take contingency planning generally more seriously.
Many of the contingency plans for dealing with your potential
year 2000 disruptions are no different, as you mentioned, than
the kinds of disruptions that could occur from natural or
hostile acts.
The Y2K problem is more complex, because the potential of
things happening in a lot of places is greater, whereas when
there is a natural disaster it is very local. Presumably the
same would be true if there are hostile acts, though you raise
the good question of what the risks are, and are the risks
growing.
I think we are more prepared to deal with contingency
planning now than we were before Y2K remediation was
undertaken. We had underway, as you know, through the National
Security Council (NSC) process planning for contingencies in
this area. I think we need to continue to work together after
January 1, 2000 on that problem.
I do not at the moment expect a spike in funding
requirements for either pent-up demand or the security issues,
but that does not mean there will not be ongoing funding
requirements that we have to balance against other needs.
I think the core issue in both cases is, are the needs
there greater than the needs in other areas, and do they
warrant funding.
The thing about Y2K that was so unusual, and that did
require the extraordinary funding mechanism that we had, was
that all the expenses came at once, and we are marching against
an inflexible deadline, where if we do not do it by January 1,
2000, it will not deal with the problem.
In these other areas, while there are serious problems,
they are problems we can fit into the spectrum of all the other
things that we do have to worry about, and I look forward to
working with you on those issues.
Chairman Bennett. Senator Stevens.
Progress on nonmission-critical systems
Chairman Stevens. Mr. Lew, because of where I am from, I
worry about the nonmission-critical systems, and the definition
of those, and I raised this last year. Do we have any idea of
how many such systems there are that are nonmission-critical
systems?
Mr. Lew. I do not have a number. I understand the question,
and I will be happy to get back to you with a number. We are
not ignoring nonmission-critical systems. The fact that we are
setting a more absolute deadline for dealing with mission-
critical systems does not in any way mean that we are treating
the noncritical remediation as something that could wait until
later.
Chairman Stevens. Did you ever get an estimate of what it
would cost to deal with all Federal systems and Y2K
implications?
Mr. Lew. I believe the cost that we have been referring to
would be the $8.02 billion level.
Chairman Stevens. That is mission-critical.
Mr. Lew. It is more than mission-critical. It is the total
expenditure on Y2K. The total compliance is based on bringing
all the mission-critical systems into compliance at a
particular time.
If I could get back to you, Senator, what I would like to
do is ask some questions about what do we expect in terms of
lingering funding requirements after January 1 for the
nonmission-critical systems. I think that may give me a better
ability to answer your question, and I do not know off the top
of my head the answer to that question.
Chairman Stevens. The implication here is that, not
counting the emergency funds, that agencies have used
appropriated funds to pay for Y2K problems and deferred their
normal programming. Is that your statement? You have indicated
that.
Mr. Lew. I think it is a combination. I think some of the
things that they have done with the money were exclusively Y2K-
related. Other activities really have multiple purposes, and
one of the reasons it has been difficult to give actual numbers
is that the bookkeeping before 1997 was not very good in terms
of how much money was Y2K-related and how much of it was just
generally IT-related.
As Mr. Walker noted, even now we are dealing with agencies
that are being much more clear in terms of their defining Y2K
costs for the emergency funds than they are for their base
funds. Some of the costs have to be disaggregated to see
whether they are just Y2K. When you buy a new PC system, it
obviously is Y2K-related, but it is also giving you
infrastructure that the agency needed. They are all modernizing
their computer systems as quickly as they can.
Chairman Stevens. The indication here is that they deferred
normal programming activities in order to make those
adjustments. How extensive has that been?
Mr. Lew. I think what we have done is, we have built into
our budget request in the last several years additional
resources where we saw it as needed for Y2K, and we balanced it
against the ongoing programmatic activities.
I think the areas where it would have created the clearest
direct conflict were some of the funding that was directed to
come out of the Y2K emergency reserve, and actually that went
both directions. Some of that funding was really Y2K-related,
and some of it was funding that we had in the base that we
thought was only marginally Y2K-related, so a lot of these are
gray areas.
I think that when we are dealing with caps, as you and I
know painfully well, there are tough choices about how we can
deal with all of the competing needs.
Chairman Stevens. I am looking at it, as Senator Bennett
mentioned, from two sides. One, it appears there are a lot of
things that have been deferred, normal program activities,
because of the Y2K emergency, and on the other side of the coin
is that there are increasing demands on the budgets of all
agencies because of Y2K compliance activities.
Now, both of those add up to me to a need for more money,
but it is sort of a feather pillow. I am not getting what I
need.
Mr. Lew. I think there are really two different questions
there. One is, did they get more money than they otherwise
would have gotten to deal with Y2K within the base funding, and
in our budget proposals we were allocating dollars to Y2K where
we were not taking it necessarily from something else. We were
making our decisions from the ground up. What did an agency
need to do for its entire mission that had to do with Y2K? We
came to the conclusion that we could not do it within totals,
which is why we put the emergency fund proposal in our budget
last year. It got beyond the point of our ability to work
within the limits and still meet agency needs and Y2K needs.
Are additional Y2K supplemental funds required?
Chairman Stevens. That is what we anticipated, and that is
why we started the emergency presence. But what I am looking at
is whether or not, one, are we going to get a supplemental
request to make up for the moneys that agencies have spent, the
Y2K activities, in order that they may have the funds to carry
out their normal programming; and two, are we going to get a
supplemental request for Y2K activities? This $8.7 billion is
much higher than we anticipated 1 year ago, or 2 years ago. Are
there two supplementals out there staring us in the face?
Mr. Lew. We have no immediate plans for any additional
supplementals. Our calculation is $8.02 billion total, and does
assume that we use the emergency funds, but it does not assume
that we have any additional funding requirements in fiscal year
1999. The agencies have been using the emergency funds not just
to deal with mission-critical systems. They have been using the
emergency funds to deal with noncritical as well as critical.
I actually have never seen a breakout of how much of the
money has gone to mission-critical versus nonmission-critical,
and it is a good question. I actually will go back and ask to
see it broken out that way.
I tried to use the example of HCFA as the kind of activity
where we know that there was a deferral of some work. I do not
think that that necessarily means we will need a supplemental
appropriation for HCFA. It means there was a delay in putting
some regulations into effect. As HCFA works through its 2000
and 2001 work plans, they will integrate completing the work
that they deferred with the work that they have to do.
They may have increased needs overall. Agency needs change
from year to year. But I do not foresee a spike of additional
needs because of doing the deferred work that came about
because of dealing with Y2K remediation.
It is a fair question. It is something we are keeping our
eye on. I am not sure we can anticipate everything in advance,
but I certainly at the moment do not see a huge number of
deferred activities where we will need to come in for a
supplemental request.
Chairman Stevens. Do you have any comment on this, Mr.
Walker?
Mr. Walker. Mr. Chairman, first I would agree with Director
Lew that what we ought to focus on is the net need. Second, as
we say in our statement, we do believe that there is pent-up
demand and pent-up need, as there is in the private sector. We
believe it is important to try to survey that, and try to
understand the nature and extent of that.
Chairman Stevens. A need for non-Y2K funds, because of Y2K
activities?
Mr. Walker. A need for additional funds because there have
been projects that have been delayed that may represent need
rather than want. Director Lew mentioned one, where there are
some types of activities to implement certain regulations.
There also could be some computer security related system
enhancement needs that could be essential and cost beneficial,
however, they have been delayed.
I think there is a need to try to inventory that to
understand the nature and extent, but then there is a
management decision and a budget decision as to the merits of
those various proposals, and how they will be handled; but we
do think it is important to inventory it, because we do believe
it exists.
Mr. Lew. The only thing I would add, Senator, is that these
issues are not new issues, because we have been dealing with
Y2K. We faced it at the Treasury Department in terms of putting
a new computer system in place there, where completely apart
from the year 2000 there was a need for a long-term capital
program.
I am not sure, net of what we spent on Y2K, that it is as
much a question of pent-up demand as it is fitting those IT
requirements into the many demands that agencies have for
resources. If there is a pent-up demand we certainly should, as
the Comptroller General says, try to keep an eye on it and
coordinate it in a managed way.
I just would not put up a red flag that there is a crisis
looming. We may have additional requirements in these areas
completely apart from Y2K. The question of cyber security is
something we will have to keep dealing with. I do not think we
should confuse the pent-up demand issue with what the absolute
requirements are, and if so, it is just a timing question.
On the other hand, we should not panic. We are in better
shape now in terms of contingency planning than we have ever
been in the past, and I think as we continue to deal with these
questions we will have a much better knowledge.
What progress is being made in contingency planning?
Chairman Stevens. I visited two major industries where they
had been told that their systems were Y2K compliant and on a
test found that they were not. Now, we are relying on this
testing. It is sort of a self-testing process of each agency,
but as I understand it, the cost of contingency planning is not
permitted to be paid out of the emergency money, is that right?
Mr. Lew. Well, actually I would distinguish between
contingency planning and funding of the contingency plans. We
are helping agencies deal with funding requirements for the
contingency planning. We are just beginning to see them, so I
do not have a wealth of material to draw on yet.
As we see the plans, I think we can expect that the plans
will identify two kinds of risks. One is risks that their own
systems will fail and there may in fact be additional funding
requirements there. As you know we continue to have $496
million in the nondefense and $165 million in the defense
reserve, some of which may well be used for the agency
contingency plans.
Chairman Stevens. You use that for planning, or plans?
Mr. Lew. There may well be funding needed for plans. If
they need to back up their own systems internally there is a
whole separate kind of contingency planning where I do not know
that we have the authority to fund it. We may need to talk
further about this if they identify problems that are not their
own, but problems that are connected to the environments they
are in, such as telephone and electric grids.
Obviously, we do not have the resources to do contingency
plans for every agency so, if there is a localized power
failure for a brief period of time we will bring the whole grid
back up. Utilities are dealing with that, and they are dealing
with it quite well.
I think the question we have to answer is if there is a
localized problem, does each agency have a credible plan so
that it can continue its operations while the local utility is
dealing with the outside problem.
We may decide that we want to take on as a Federal
obligation, and I do not think I would recommend it, dealing
well beyond the ambit of Federal responsibility. Clearly we do
not have the resources for that, but that is also not a Federal
responsibility. What we are trying to do is make sure that it
is coordinated, that information is readily available, and to
provide the leadership so that each of the different parts of
the environment that Federal agencies find themselves in is
also making the kind of progress they need to make.
We do not anticipate the kind of massive electric or
telephone failures that people worried about years ago, but
that does not mean there will not be isolated incidents. The
purpose of contingency planning is to be able to respond, so we
have continuity in all Federal operations.
Chairman Stevens. Do we have any idea what the cost of
those plans will be?
Mr. Lew. The June 15 deadline just passed. We have received
some, not all. I would not even say most of them yet. Over the
next several weeks we will review them and we will continue to
work with the committees as we get a better understanding of
what the contingency plans call for.
I think the agencies are struggling a little bit in terms
of putting the price tag themselves on what are in some cases
fairly imponderable costs. I think as they narrow down to the
cost for their own backup plans, that is an area that is much
more concrete. We will start to see what the numbers are fairly
quickly on those. I do not anticipate that those will be
enormous, but if they do turn out larger than we expect, we
will come back as soon as we know more.
Chairman Stevens. Mr. Walker.
Mr. Walker. Mr. Chairman, we tried to note on page 13 of
the full statement how much of the emergency supplemental to
date has been spent for contingency planning. It is over $300
million, primarily the Defense Department, but also about $77
million for the civilian agencies.
As Director Lew noted, there is a need to try to get your
arms around what type of plans are necessary on a contingent
basis, and it is a separate and distinct matter as to what cost
might be necessary if those plans have to be implemented, and
that is something that is important to focus on.
Chairman Stevens. Do the contingency plans themselves have
to be tested, in your judgment?
Mr. Walker. We do believe they need to be reviewed. We plan
to review them. OMB needs to review them first. I believe they
are due later this month. Joel, do you have a comment?
Mr. Willemssen. Yes. OMB has noted that they are following
our guidance on contingency planning. One of the key phases in
doing that is validation and testing of those plans. We have
recommended that the validation and testing be completed no
later than September 30 of this year.
Chairman Stevens. Do you have the sense that we have enough
funds available now to deal with this total Y2K problem on the
Federal level without any additional money, Mr. Walker?
Mr. Walker. Mr. Chairman, the real key is that, for fiscal
year 2000, there are certain unknowns. As Director Lew said, we
have still got 10 Federal agencies that have not completed
their own remediation testing efforts.
Second, 10 of the 43 critical Federal programs have
significant State involvement. Many of those States are not
going to be completed with the Y2K efforts until the fourth
quarter of this calendar year.
In addition, there are other factors that frankly, until we
get more clarity on those, it is difficult, if not impossible,
to predict the funds that will be necessary. The real key is,
what are the tradeoffs?
If additional funds are needed for Y2K, there are several
ways to handle that. Obviously, one way is through a
supplemental. Another way is through changing priorities within
the existing baseline, and the key is to try to understand what
the possibilities are, what the magnitude might be, and to be
able to make informed choices about what those tradeoffs should
be.
What is the difference between mission-critical and nonmission-
critical?
Chairman Stevens. Both of you were talking about internal
reprogramming. There could be a massive amount if there are any
contingencies that develop between now and the end of the year,
and we are dealing with two different fiscal years as far as
the restraints on spending. I do hope that we are monitoring
the marshaling of this money towards achieving objectives
within the laws available. Maybe we need some additional
flexibility on this, and if you do, we might have to give it to
you in one of these bills. I would hope that you would both
look at that.
But one of the critical problems here to me is the
definition of what is critical. I am afraid the people sitting
here in Washington have an idea of what is critical, and people
out in the rural areas, and the western States in particular,
have an entirely different attitude about what is critical. Has
anyone reviewed the definition of what is critical in your
agency?
Mr. Walker. Mr. Chairman, let me comment on a couple of
things, and I would ask Joel to add. First, the dollars that
have been spent so far have been spent on Y2K, both mission-
critical and nonmission-critical systems. Second, at this point
in time we believe the important thing to focus on is the
programs.
Candidly, the taxpayers, our citizens care about the
results, they do not care about the process, and so the key is
to assure, either through the remediation efforts or through
the contingency planning that the programs will operate as
intended at the taxpayer and the citizen level.
And Joel, I would ask you to add.
Mr. Willemssen. Mr. Walker hit it right on the nail. We
have applauded what OMB has done in terms of moving its focus
away from systems and into programs. I think there is still
room for debate as to whether they have targeted the right
programs. As Mr. Walker mentioned in his statement, there are
some outliers that are not within the definition of the 43
programs that I think would raise some issues, but I believe
now OMB has the correct focus, especially on testing end-to-end
multiple systems. I think that is the appropriate emphasis that
now needs to be placed.
Mr. Lew. That is actually the point I was going to make.
The value of testing is that we will have a much better
understanding if there is going to be a problem in rural areas,
or in isolated areas. That is one of the reasons the funding
has been going out in the pattern it has. As we have discovered
problems, we have been using funds to deal with the problems.
We have been very careful, and frankly I think you deserve
a lot of credit for designing a flexible-enough authority so
that we have had the authority to fund basically everything we
have needed to fund while still reserving resources for the
final period.
The imponderable about the contingency planning is
different from whether we are taking the kinds of effective
steps to deal with the programmatic needs that agencies have,
and I think it would be a mistake to think that there is a
looming, huge problem in terms of basic agency operations that
are unfunded.
If we discover that the contingency plans have funding
requirements that are greater than what we think they will be,
I assure you it is not something we would just keep to
ourselves. Just as we shared with you the need for the $3\1/4\
billion emergency fund, we would come back. I just at this
moment do not anticipate it, and frankly it gets into an area
fairly quickly that is not the Federal Government's primary
responsibility. We have been using the money that was
appropriated to deal with the testing to make sure that we
discover, within the Federal systems, what else we need to do.
Who will agencies turn to if they have Y2K problems?
Chairman Stevens. Do we have any reserve capacity for the
Government as a whole? Is there an agency that has been
designated to come forward and assist any Federal program that
runs into a glitch in the last part of the year?
As the next fiscal year started sometime after October 1,
you run into problems. Who do these agencies turn to for
assistance if some real difficult problem emerges that has not
been contemplated?
Mr. Lew. As you know, John Koskinan has been coordinating
overall the administration's planning and implementation of the
Y2K effort. That has been, I think, a very effective process
where we have had agency heads take on the responsibility
personally to make sure that they were doing what needed to be
done, and coming in with the kind of technical support.
We do not have a formal process where there is one agency
that is doing things for the other agencies, but there has been
a lot of sharing of information and cooperation amongst
agencies in the way that you would want to see in a situation
like this. As one agency learns something we do not wait for
each of the others to discover it on their own, there is a
sharing of information.
Chairman Stevens. I am looking for something different. We
have the Federal Emergency Management Agency (FEMA) if there is
a natural disaster. What agency has the role of FEMA in dealing
with Y2K, if something really goes bad in December?
Mr. Lew. Let me distinguish the work up until January 1 and
deal a little bit separately with what happens in the immediate
period at the new year.
The President made it very clear that it was the obligation
of each agency head to assure that his or her agency was taking
the action needed. Frankly, if there was a more centralized
responsibility we would not be able to sit here today and
report the kind of progress that we have made.
Chairman Stevens. I am not interested in that. I am
interested in emergency assistance at a time when it may be
needed.
Mr. Lew. In terms of emergency assistance, we have planned
for what we call an Information Coordination Center which we
have worked with the committees on to bring together
information at the end of the year. At the beginning of the new
year, as we learn of disruptions, as we learn of problems, so
that there will be a clear flow of information and an ability
to muster appropriate responses.
I think that is more of an information exercise than it is
a command and control exercise. It is not that we have a
special weapons and tactics (SWAT) team that will go in, but it
is a way to marshall the resources of the Federal Government to
deal with situations as they occur. It is not the case, as in a
natural disaster, where we designate FEMA or one agency to be
the lead agency, because frankly, the problems are not
necessarily going to be within the expertise of one agency.
If you have a transportation issue, the Department of
Transportation is going to deal with it. If you have a
communication issue, it is largely going to be private, and
more information at the Federal level rather than action at the
Federal level.
But there is going to be information coming in. Frankly,
January 1 will come in many hours earlier in other parts of the
world. We will gather information from what happens in other
parts of the world and be able to perhaps take some
preventative steps as we learn what happens in other places and
be able to have the preparedness in real time.
I do not think that it would be as effective, frankly, if
we had a single designated agency that would deal with all
problems that might arise, because it would be more than any
one agency could handle within its expertise.
Mr. Walker. Mr. Chairman, four points that might be
helpful. Obviously, John Koskinan has been handling overall
interagency coordination and strategic planning. Second, it is
my understanding that for each of the high-impact programs OMB
has designated, in working with John Koskinan, a lead agency
has responsibility for that program, even though there may be
numerous agencies that have to be involved.
Third, based upon our experience so far, if there is one
agency that probably has shined in this, it has been the Social
Security Administration, but obviously no one agency, as
Director Lew noted, could really handle contingency planning
for everything.
Is the Postal Service Y2K compliant?
And last, but certainly not least, the Postal Service is
critical. They are making progress, but they represent the
contingency plan, or have an integral part in the contingency
plans of not only the Federal Government but, quite frankly,
the private sector, and that is one I think we have to keep our
eye on the ball.
Chairman Stevens. Who is monitoring that?
Mr. Walker. I am sure that OMB and we at GAO are monitoring
their progress.
Chairman Bennett. Can you tell us where they are?
Mr. Willemssen. The Postal Service after a fairly slow
start has made very rapid progress, and we have recently
testified that the kind of management controls that they have
put in place should give them greater assurance of being ready
in time. There are still some risks, such as a number of
systems that they have to get ready in a relatively short
period of time, but the attention is now being placed on that,
and frankly that was not the case some time ago.
I think one of the things that spurred the Postal Service
on was when OMB last year put their additional reporting
requirement on other entities beyond the 24 major Federal
departments and agencies. That led to the Postal Service coming
in with their first report, and that first report raised a lot
more questions than it did answers. That led to enhanced
oversight which contributed to the Postal Service being on the
road they need to be on.
Need for progress for Federal systems that interact with State and
local systems
Chairman Stevens. What about the Federal systems programs
that interface with the State and local activities such as food
stamps, Medicare, and others that are dependent on State
actions and State implementation?
Mr. Willemssen. I think there remains much room for concern
there, and OMB is very aware of those concerns. States are
working quite diligently with the Federal agencies, but many of
those States do not plan to be compliant until the end of the
year.
What we have seen as a model agency in terms of oversight
of State systems has been the Health Care Financing
Administration and Medicaid. When we came out with a report
last fall that indicated that only about 16 percent of those
systems were compliant, the Administrator of HCFA took the lead
and obtained needed contractor help.
They've gone out and done risk assessments and visits of
all States. They completed that first round in April and made
detailed risk assessments. They are now in the midst of doing a
second round of visits and, concurrent with that, they have
outside help focusing on contingency planning for those States.
It is really a very good model, one that could be emulated
by some of the other Federal agencies in working with their
State partners. Although it is getting fairly late in the game,
we think with the time remaining, activities like that could be
very beneficial.
Progress with our international partners
Chairman Stevens. I have taken a lot of time. One last
question, and this is a North American economy now, not a
United States economy. What about Canada and Mexico, and the
tremendous interface of our private economy with our neighbors
to the north and south?
Mr. Lew. Senator, we have participated actively in
international forums to help other countries learn from our
experience as we discovered what needed to be done. In fact,
the largest conference ever in terms of U.N. focusing on a
single topic is being held either this week or next week in New
York. I do not know for a fact, but I assume Mexico, Canada,
and most of the countries of the Western Hemisphere are
participating.
The challenge we have is, we clearly cannot take on as a
U.S. obligation direct responsibility for the systems in other
countries, but we have been trying very hard to share
information and help others learn to take responsibility and
take the actions necessary.
I do not have country-by-country reports. We would be happy
to get back to you if you have specific questions about Mexico
and Canada. I suspect the bigger concerns we have are in other
parts of the world, though.
Chairman Stevens. Well, that is a prime time for illegal
immigrants to cross the border from California all the way over
to Louisiana.
Mr. Lew. That is obviously a question of our critical
systems working, and that is our responsibility.
If I could just respond on the question of the States,
because I think it is one of the significant issues we have to
continue to focus on from now until the end of the year. It is
more difficult in the sense that it is not something we can
just go out and fix. We have to work with others to fix their
systems.
But we can encourage and require that there be backup
arrangements, and that there be testing. We have been providing
that leadership. Putting into the quarterly report the State-
by-State data we inputed was a very useful step in terms of
getting each of the agencies to work with the States on their
systems and, frankly, to put the public attention on which
States are scheduled to be completed and which States are
falling behind. I know that up here there is a lot of concern
not just for the aggregate number, but on each individual
State, and I would commend to your attention the State-by-State
data in the ninth quarterly report.
We are going to be doing that on a regular basis from now
through the end of the year. We have directed the agencies to
work closely with the States to try and be helpful to them as
they plan their own activities, but this is one of the
remaining challenges that is going to require a lot of our
attention.
Chairman Stevens. Thank you very much, Mr. Chairman.
Need for additional Y2K funding
Chairman Bennett. Thank you. This is just a little bit of
institutional jealousy, and I probably should not say it, but I
will anyway. Mr. Lew, you made the comment, in your words, ``we
shared with you the need for the $3\1/4\ billion emergency.''
Just for the record, the initiative for the $3\1/4\ billion
emergency came from Senator Stevens. I was in the room when he
came up with that number and announced it.
I remember the phone call I received from John Koskinan
where he said, ``Senator, we had no idea you were going to do
that. We had no tip-off at OMB in advance that this Congress
was going to do that.'' I thought he was going to complain that
the Congress was doing things, and then he said, and we think
it's a really, really, really good idea. So I think just for
the record Senator Stevens should receive the credit for having
come up with that.
Let me talk about that supplemental. After the allocations
against the funds, there is $165 million in reserve, as you
said, for defense, and $400 million for nondefense. Mr. Walker,
you say in your testimony that the cost of end-to-end testing
and contingency plans will be high.
Do you share my concern that these reserve funds may not be
enough? That too much of the money that was allocated in the
emergency, $3.25 billion in emergency money, has already been
spent, given the size of what we are still looking at, or do
you think the expenditures and allocations up until now have
been about right, and that these reserves are adequate? Either
one of you.
Mr. Walker. Mr. Chairman, I think there are two issues. One
issue is whether or not the remaining funds that exist in the
reserve will adequately cover all the additional Y2K costs
versus whether or not there is a need for an additional
supplemental, for example. I think there is a much higher risk
that there will be more money necessary in order to address all
the Y2K issues, given the contingencies that we have
articulated today.
I think it is a separate and important, yet somewhat
distinct, question as to how best to do that. Will it be
through tradeoffs in other funding that already exists in
fiscal year 2000 for these programs, or will there be a need
for supplemental funding, and I would ask Director Lew to
comment.
Chairman Bennett. Do you share that view? I have the
feeling you have a slightly different view.
Mr. Lew. The reason I am hesitant is that we are just
beginning to review the contingency plans for the agencies. The
real answer to the question will come after we have reviewed
their plans.
Frankly, the early plans we are getting do not have cost
estimates in them in many cases, so we have to go back and work
with the agencies. To the extent that contingency planning
costs are much larger than we have anticipated I would have a
very different response. If the contingency plans fit within
what we have expected, and I will not know that for several
weeks, to the extent that they identify expenses that are not
within the authority of the emergency fund, we would clearly
need to come back and seek additional flexibilities.
I did not mean to detract at all from the contributions of
Senator Stevens in particular. We very much appreciate it. We
put a place marker in our budget, as you know, and it became
real when Senator Stevens offered the amendment that he did and
the flexibility the fund provides is very helpful.
Chairman Bennett. Just a little executive branch-
legislative branch----
Mr. Lew. I appreciate that. The answer to your question
ultimately I think would be something I would want to get back
to you after we have reviewed the continuity and contingency
plans, because I think that is where the wild card would be.
At the moment, I cannot sit here today saying we anticipate
tremendous additional needs, though I think Mr. Walker is right
that to the extent that there are ongoing requirements. Either
at the very end of this year or at the beginning of next year,
there may be some tension within the existing budgets. That is
not always a bad thing. I mean, agencies do deal with some
costs that are outside of their normal business without it
causing tremendous disruption.
What happened in Y2K was the amounts required so far
exceeded the ability to manage the totals, so it was necessary
to have the emergency fund.
Chairman Bennett. Senator Stevens has an additional
question, but before he gets to that, let me just pick up on
what you are saying about the contingency plans. Your deadline
was June 15. By your testimony most of the agencies missed that
deadline, and that concerns us.
We do not have, as everybody knows, any fudge factor on the
ultimate date that is hitting us here, and just quickly, do you
have any sense when you will have all of the contingency plans
with estimates in front of you? Can you give us a new date that
we can hold people accountable for?
Mr. Lew. I cannot give you a firm date and, frankly, I
think what is going to be happening is, we are going to be
working with the agencies to refine what we get on an ongoing
basis. There will not be a date when they are finished. They
are going to keep proceeding with their planning and their work
right until the end. I think in the next several weeks we will
have a lot more than we have now. We have been working with the
committees' staff and with you directly on each of the
allocations, and we will continue to do so as we review the
contingency plans.
We have tried to be responsive to any of the issues raised
in the course of those consultations and would continue to do
so. If we discover a problem, or you discover a problem, we
would like to keep the conversation going.
I wish I could say that I will have all the plans on June
30. When we set deadlines we try to be realistic about agency
compliance patterns, and I think we are still in decent shape.
If the President had not set March 31 as a deadline, we would
not be sitting here today with the results that we have, and I
dare say the same is true about the June 15 deadline.
I would wish that at all times agencies would respond with
great punctuality, but we did build in a little bit of room.
Chairman Bennett. If my friend Senator Dodd were here, I
know he would have a few words to you to say about the
importance of meeting deadlines and how carefully he will
monitor those deadlines. Since he got married over the weekend
he may have other things on his mind, but I assure you that he
and the committee will be watching these dates very carefully.
Senator Stevens.
Potential need for another flexible fund to respond to Y2K problems
Chairman Stevens. Well, I want to make sure about this
authority problem that you have indicated a couple of times,
Mr. Lew. I have the same feeling. There is no basic authority
like the President, as Commander in Chief, possesses for taking
care of troops. You know, the food and forage concept.
I would like to contemplate, or like to have resolved how
to establish an emergency authority in one single area. I take
it would be the President's decision that would get that, but I
also assume it would be OMB. I think we have to have that. I
think we have to have someone with the authority to make the
decision to use funds from wherever they have to be taken if
there is an emergency that develops. We will be out of session.
It is the holiday period where these crises could take place.
We also have critical non-Federal actions that may need
correction, or might need assistance because they impact our
mission-critical systems at a time in an unexpected way. I do
not think you have the authority today to use funding for that
purpose, but I do think you should have it. I also think that
whatever we do along that line we should require a report from
you to Congress, so that when we come back into session we can
review what has happened and see whether adjustments are
necessary to other accounts because of that.
But I would urge you to think about that, and Mr. Walker,
you might review that also. I think in one of these bills that
is coming along we ought to start a basic designation of who
has that authority, how it is to be exercised, and what the
scope of it is. If it goes outside the mission-critical Federal
systems to the area where non-Federal actions might have an
impact on the plans or contingency plans that we may have to
put into effect.
Clearly, I think that the public is going to expect that we
have placed, somewhere in the administration, the authority to
take action, and I still believe it is sort of like any other
time of weakness.
Are you a fisherman? I remember when I was fishing down off
of Pulaski Light, and I learned how to fish for the giant
barracuda. You really fish for the mackerel, but just as the
mackerel hits the bait, that is when the barracuda likes to hit
the mackerel. I am thinking there are a lot of barracudas out
there that would like to have an impact on our Federal systems
at a time of apparent weakness. We ought to guard against that,
and we ought to have authority.
Again, I urge you to think about someone having a FEMA
responsibility. There has to be a fireman there somewhere, and
it is going to take some further analysis of this, as I am sure
that Senator Bennett's committee will do.
We are here today primarily because of the implications of
future funding that may be required. Even beyond that is the
basic authority to use whatever funds are available should a
substantial crisis develop.
Mr. Lew. Senator Stevens, I think it is an important
distinction, because the truth is, if there is an emergency in
an area where funds have been appropriated and authority
exists, you could spend down money and could replenish the
funds with a supplemental later on. I think the real critical
issue in terms of being able to respond in a timely manner is
whether the scope of authority is broad enough.
We have very substantial authorities to respond to most of
the contingencies that are directly Federal. I think the issue
here is whether it would be desirable to have a broader Federal
responsibility for non-Federal response.
Chairman Stevens. I am not talking about responsibility. I
am talking about ability to act where there is a definite
connection between the systems we rely on for our people
through the Federal Government and those that are non-Federal,
where the contingency planning or the planning may be
defective, and we will not know that until it is too late.
Mr. Lew. Just to use an example, if there is a Federal
agency where communications are critical, then the Federal
responsibility is to have backup communication capacity so the
Federal agency can communicate. It is not a Federal obligation
to bring up the telephone system for the entire area. We have
the authorities to our knowledge to do what we need for the
Federal backups to be provided for.
The area where there is a question about authority is also,
I think, where there is a question about whether it is a
desirable Federal role. As we go through these contingency
plans, if we discover additional needs for authority, I would
welcome the invitation to pursue it with you. We clearly want
to have whatever authorities we need to deal quickly and with
agility to things that almost by definition are as
unpredictable as the barracuda eating the mackerel.
Chairman Stevens. The National Guard is in every State, and
it is an entity in every State. I think somewhere along the
line there has to be some entity like that where the standby
capacity to assist in areas that are life threatening, that
relate to Federal activities, or are threatening to the economy
in general--well, we will work with you on it.
Mr. Walker.
Mr. Walker. Mr. Chairman, while obviously our first and
foremost priority needs to be Federal programs and U.S.
citizens, you touched on the international aspect. The fact of
the matter is, we are in a global economy, and as I looked
today at GAO's daily news clips, there is an article that comes
to mind, the source of which is published through the Gartner
Group, which is one of the leading information consulting
firms. It has attempted--we have not attempted to verify this--
to rank various countries into different levels, level 1 being
the best prepared, of which I am pleased to say the United
States and Canada are on that level; level 2 is where Mexico
falls; but if I look at level 4, which is the lowest level, you
have countries such as Russia and Pakistan, and clearly there
are security issues associated with that which I think we have
to keep in mind. While that is not our primary responsibility,
it is not inconceivable that there could be some issues there.
Thank you, Mr. Chairman.
Chairman Stevens. Thank you very much.
Chairman Bennett. Thank you. We appreciate your being here
and appreciate your patience with the questioning. If we have
further questions we will submit them to you in writing, and as
Senator Stevens said, Senator Byrd, who was not able to be with
us, will have some questions for you in writing.
conclusion of hearing
Chairman Bennett. Thank you very much. The committee is
recessed.
[Whereupon, at 11:10 a.m., Tuesday, June 22, the hearing
was concluded, and the joint committees were recessed, to
reconvene subject to the call of the Chair.]