GAO offers guidelines for contingency plans

The General Accounting Office last week released a draft report to guide federal agencies through developing Year 2000 contingency plans in case computer systems fail in the next millennium.

Claiming many agencies "may face major disruptions in their operations" because of Year 2000 problems that were not properly fixed, GAO advised that "agencies must start business continuity and contingency planning now to reduce the risk of Year 2000 business failures."

Without the plans, unforeseen computer failures could cause airline flight delays, disrupt tax refunds and delay veterans' benefits payments and the issuance of college loans, GAO reported.

"It's imperative that contingency planning be under way right now for all agency activities," Gene Dodaro, GAO's assistant comptroller general, told a joint hearing of the House Government Reform and Oversight Committee's Subcommittee on Government Management, Information and Technology and the Science Committee's Subcommittee on Technology last week.

Guides Serve Two Camps

The guidelines are not only for systems that are projected to fail but also for systems that agencies believe to be compliant but that may turn out not to be. "As the clock is ticking and time is running out, more government agencies are concerned that they may not have enough time," said Joel Willemssen, GAO's director of information resources management. "At the same time, agencies that do make it must have contingency plans for their key business processes because there's no 100 percent guarantee that their renovation and validation work will not have some anticipated problems."

The draft, which is fashioned from GAO's guidelines for the five phases of OMB's Year 2000 compliance plan, has four phases that GAO believes federal agencies should follow as they prepare for potential failures.

While GAO is inviting comments from agency chief information officers and the report is subject to change, the four phases outlined in the draft report are:

* Initiation, which is the first step, identifies the person responsible for developing a high-level strategy that includes schedules and milestones that must be backed by executive support.

* Business impact analysis, in which agencies will assess the consequences of computer failures to their core business processes. This phase involves identifying agencies' Year 2000-related threats and risks and includes assessing infrastructure risks, such as threats to telecommunications.

* Contingency planning, which includes identifying and documenting contingency plans for each of the agencies' major lines of business.

* Testing, which includes end-to-end testing that ensures that the contingency plans will work as planned.

Dodaro said the Federal Aviation Administration and the Health Care Financing Administration are two agencies that particularly need to develop contingency plans because those agencies are so far behind in fixing computers.

"We have recommended that FAA develop contingency plans because of the difficulties it's facing and the late start that it received," Dodaro said. "Also, great concern continues to revolve around the systems to pay Medicare claims." With about 800 million claims processed a year, "[HCFA] continues to be concerned that the Medicare contractors will not be ready to meet the March 1999 deadline for completing the implementation phase."

John Koskinen, chairman of the President's Council on the Year 2000 Conversion, testified that he is conducting several meetings with agency chiefs, their deputies and CIOs who are leading the Year 2000 effort. Koskinen noted that discussions on contingency plans are a high priority. "In each meeting, I have been asking three key questions: 'What are your major risks? What are the most significant obstacles to removing those risks? What contingency plans are appropriate in light of that analysis?' " he said.

Many agencies have downplayed contingency plans, saying they are more concerned with fixing their lines of code. Cynthia Warner, chairwoman of the General Services Administration's support subcommittee for the CIO Council's Committee on the Year 2000, said contingency plans are needed, "but obviously they won't be used now" because agencies are spending more time fixing and testing systems.

However, Warner stressed the need for agencies to take contingency planing seriously. "What's important is that agencies do a thorough job and take the exercise seriously," she said. "It's also important that the contingency plan be completed in the event [that] system failures occur."

The Labor Department, which was added to the Office of Management and Budget's most-critical list of agencies that are showing "insufficient progress" in their Year 2000 conversion work, also welcomed the GAO draft. "The Department of Labor believes the GAO document on contingency planning is a very comprehensive document, timely addressing a topic on which guidelines have been scarce," said Shirley Malia, Labor's deputy CIO. "As part of our Year 2000 program, the Department of Labor is currently developing contingency plans for our benefits systems, financial systems and selected priority data exchanges. The GAO guidelines will greatly assist us in our contingency plan development process."

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected