GAO offers guidelines for contingency plans

The General Accounting Office last week released a draft report to guide federal agencies through developing Year 2000 contingency plans in case computer systems fail in the next millennium.

Claiming many agencies "may face major disruptions in their operations" because of Year 2000 problems that were not properly fixed, GAO advised that "agencies must start business continuity and contingency planning now to reduce the risk of Year 2000 business failures."

Without the plans, unforeseen computer failures could cause airline flight delays, disrupt tax refunds and delay veterans' benefits payments and the issuance of college loans, GAO reported.

"It's imperative that contingency planning be under way right now for all agency activities," Gene Dodaro, GAO's assistant comptroller general, told a joint hearing of the House Government Reform and Oversight Committee's Subcommittee on Government Management, Information and Technology and the Science Committee's Subcommittee on Technology last week.

Guides Serve Two Camps

The guidelines are not only for systems that are projected to fail but also for systems that agencies believe to be compliant but that may turn out not to be. "As the clock is ticking and time is running out, more government agencies are concerned that they may not have enough time," said Joel Willemssen, GAO's director of information resources management. "At the same time, agencies that do make it must have contingency plans for their key business processes because there's no 100 percent guarantee that their renovation and validation work will not have some anticipated problems."

The draft, which is fashioned from GAO's guidelines for the five phases of OMB's Year 2000 compliance plan, has four phases that GAO believes federal agencies should follow as they prepare for potential failures.

While GAO is inviting comments from agency chief information officers and the report is subject to change, the four phases outlined in the draft report are:

* Initiation, which is the first step, identifies the person responsible for developing a high-level strategy that includes schedules and milestones that must be backed by executive support.

* Business impact analysis, in which agencies will assess the consequences of computer failures to their core business processes. This phase involves identifying agencies' Year 2000-related threats and risks and includes assessing infrastructure risks, such as threats to telecommunications.

* Contingency planning, which includes identifying and documenting contingency plans for each of the agencies' major lines of business.

* Testing, which includes end-to-end testing that ensures that the contingency plans will work as planned.

Dodaro said the Federal Aviation Administration and the Health Care Financing Administration are two agencies that particularly need to develop contingency plans because those agencies are so far behind in fixing computers.

"We have recommended that FAA develop contingency plans because of the difficulties it's facing and the late start that it received," Dodaro said. "Also, great concern continues to revolve around the systems to pay Medicare claims." With about 800 million claims processed a year, "[HCFA] continues to be concerned that the Medicare contractors will not be ready to meet the March 1999 deadline for completing the implementation phase."

John Koskinen, chairman of the President's Council on the Year 2000 Conversion, testified that he is conducting several meetings with agency chiefs, their deputies and CIOs who are leading the Year 2000 effort. Koskinen noted that discussions on contingency plans are a high priority. "In each meeting, I have been asking three key questions: 'What are your major risks? What are the most significant obstacles to removing those risks? What contingency plans are appropriate in light of that analysis?' " he said.

Many agencies have downplayed contingency plans, saying they are more concerned with fixing their lines of code. Cynthia Warner, chairwoman of the General Services Administration's support subcommittee for the CIO Council's Committee on the Year 2000, said contingency plans are needed, "but obviously they won't be used now" because agencies are spending more time fixing and testing systems.

However, Warner stressed the need for agencies to take contingency planing seriously. "What's important is that agencies do a thorough job and take the exercise seriously," she said. "It's also important that the contingency plan be completed in the event [that] system failures occur."

The Labor Department, which was added to the Office of Management and Budget's most-critical list of agencies that are showing "insufficient progress" in their Year 2000 conversion work, also welcomed the GAO draft. "The Department of Labor believes the GAO document on contingency planning is a very comprehensive document, timely addressing a topic on which guidelines have been scarce," said Shirley Malia, Labor's deputy CIO. "As part of our Year 2000 program, the Department of Labor is currently developing contingency plans for our benefits systems, financial systems and selected priority data exchanges. The GAO guidelines will greatly assist us in our contingency plan development process."


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.