| | |
STATEMENT OF
JACOB J. LEW
DIRECTOR
OFFICE OF MANAGEMENT AND BUDGET
BEFORE THE
COMMITTEE ON APPROPRIATIONS
AND THE SENATE SPECIAL COMMITTEE ON THE
YEAR 2000 TECHNOLOGY PROBLEM
June 22, 1999
Good morning, Chairman Stevens, Chairman Bennett, Senator Byrd, and Senator Dodd. I am
pleased to appear before the Committees to discuss the Federal Government's progress in
addressing one of the most complex management challenges it has ever faced, the year 2000
problem. The Federal Government is not alone in addressing this challenge, as the Senate wisely
recognized last year when it formed the Senate Special Committee on the Year 2000 Technology
Problem. This is a problem with potentially enormous implications for our Nation. Every sector
of our economy and all organizations large and small must work together so that we can, as the
President said in his State of the Union Address, make sure that the Y2K computer bug will be
remembered as the last headache of the 20th century, not the first crisis of the 21st.
Today, I would like to address three topics. First, I will describe Federal progress in addressing
the Y2K challenge. Second, I will discuss Federal agency costs and funding for these efforts.
Third, I will describe our next steps to assure that Federal programs that people depend upon will
not be disrupted. These next steps include focusing on completion of individual systems,
ensuring the readiness of Federal programs, and completion of business continuity and
contingency plans.
FEDERAL PROGRESS
As you know, the Federal Government has been working for more than three years on this
problem. Last week I sent to Congress OMB's ninth quarterly report on Federal agency progress
in addressing the Year 2000 problem. That report shows that Federal agencies continue to make
excellent progress in addressing this challenge. In particular, it shows that 93 percent of the
Federal Government's mission critical systems are now compliant, an increase from 79 percent
reported in February.
Fourteen of the 24 major Federal departments and agencies now report that 100 percent of their
mission critical systems are Y2K compliant. These agencies are: the Departments of Education,
Housing and Urban Development, Interior, Labor, State, and Veterans Affairs; the Environmental
Protection Agency, the Federal Emergency Management Agency, the General Services
Administration, the National Science Foundation, the Nuclear Regulatory Commission, the Office
of Personnel Management, the Social Security Administration, and the Small Business
Administration.
In addition, two agencies, Commerce and NASA, report that 99 percent of their mission critical
systems are compliant and that they expect to be finished soon. Three agencies, the Departments
of Agriculture, Energy, and Health and Human Services, are between 96 and 97 percent
compliant. Four agencies report that between 90 and 94 percent of their mission critical systems
are compliant, including the Departments of Justice and Transportation at 92 percent. The
Department of Defense reports that 87 percent of its systems are compliant, while the U.S.
Agency for International Development has completed implementation of three of its seven
mission critical systems.
From a base of 6,190 mission critical systems at this time, 410 mission critical systems remain to
be finished, down from 1,354 in the last report. The compliant systems include those that have
been repaired or replaced as well as systems that were already compliant. Of the mission critical
systems that remain to be finished, 87 (82 percent) are being repaired, 35 (10 percent) are being
replaced, and 24 (eight percent) are being retired. We are monitoring the completion of each
remaining system through monthly reports from the agencies.
This progress is a tribute to the hard, skillful, and dedicated work of thousands of Federal
employees and contractors. Moreover, the rapid availability of funds through the contingent
emergency reserve has been key to ensuring progress. I would like to thank the Committees for
ensuring that Federal agencies will not fail to meet the Year 2000 deadline because of lack of
adequate funding.
While much work remains to be done, we fully expect that all of the Government's mission
critical systems will be Y2K compliant before January 1, 2000. For some time, fixing the Year
2000 problem has been the agencies' number one information technology (IT) priority, as other
IT projects are being delayed until the Y2K work is done. This action has been managed
throughout OMB's budget process.
Additionally, agencies are minimizing any kind of changes to their systems unrelated to Y2K in
order to ensure that they will be able to maintain the schedules they have set for completion of
their work. Changes not only divert resources from fixing the Y2K problem, but may also undo
Y2K fixes. Based on guidance I issued on May 14, 1999, "Minimizing Regulatory and
Information Technology Requirements," (M-99-17), agencies are using change management
processes to ensure that new IT requirements or changes to IT systems are minimized.
Again, this effort will ensure that agencies set realistic goals for the completion of their work and
will enable them -- and us -- to measure their progress against their own goals. Agencies are
working hard to finish fixing their systems, and we are confident that every mission critical
system will be ready for the year 2000.
Y2K COSTS AND FUNDING
First and foremost, I want to recognize that the transition into the Year 2000 has posed a unique
challenge. Formulating the Federal response has required a great deal of attention, hard work,
and flexibility. In advance of my more detailed comments on this subject, let me thank you for all
of your work and leadership in helping to ensure that sufficient funds are available in a timely
manner to address Y2K remediation. As we have scrutinized agency requests and funded the
most critical ones, the utility of this funding mechanism has been proven many times. Simply
put, without such a fund, many Federal agencies would not be nearly as far along in their efforts
as they are today.
I would also like to emphasize that the Administration's strategy for monitoring Government-wide progress on Y2K has been predicated on agency accountability. We have systematically
monitored agency progress using a range of performance measures -- compliance of mission
critical systems, status of mission critical systems being repaired, progress on high impact
programs, etc., as well as agency Y2K cost estimates. These measures are linked, and together
provide the most accurate picture of the Government's overall readiness. On a quarterly basis (or
more frequently, if needed), agencies have been required to update OMB on their Y2K progress
and to explain all significant changes in these measures.
We have tried to strike the appropriate balance to ensure agency accountability without diverting
vital resources from Y2K compliance activities to reporting requirements. In addition, the
Administration has tried to be as forthright as possible in sharing information about Y2K
readiness. OMB has directed that agency quarterly reports and detailed spending plans be
forwarded to Congress, and we have appreciated your input as we have worked together to
address the challenge posed by Y2K.
As you know, last September the Administration requested an FY 1998 supplemental
appropriation for $3.25 billion in contingent emergency funding to address urgent, emerging
needs associated with Y2K conversion activities. This request was consistent with Senate action
to that point. The Omnibus bill provided contingent emergency funding of $2.25 billion for non-defense activities and $1.1 billion for defense-related activities for Y2K computer conversion. As
you also know, OMB is responsible for allocating the non-defense contingent emergency reserve.
To date, $1.768 billion has been allocated from the non-defense reserve, and $14 million has been
returned to the reserve at the request of the House Appropriations Committee. Therefore, $496
remains in reserve for unforeseen requirements. Of the $1.1 billion provided for defense-related
activities, $935 million has been released and $165 remains in reserve.
In order to determine how to best utilize all available non-defense funding for Y2K -- both base
appropriations and emergency funding -- OMB has worked with agencies on an ongoing basis to
evaluate total Y2K requirements. First, OMB made certain that agencies received funding for
activities that were requested in the President's FY 1999 Budget, but were directed to be funded
from the contingent emergency reserve. Since then, agencies have been asked to forward requests
for contingent emergency funding on an as-needed basis. These requests are then reviewed by
OMB examiners from both the Resource Management Offices (RMOs) - liaisons to the
individual agencies - and analysts from our Information Policy and Technology Branch. In
combination, they review these requests to ensure that requested funding is:
- Y2K-related and is the most cost-effective option to facilitate compliance.
- Addresses an unforeseen need, not one accounted for within existing agency plans.
- Cannot be accommodated within appropriated levels for FY 1999.
- Cannot be addressed using unobligated balances of Y2K emergency funding.
In some cases, funds have also been requested to support outreach to non-Federal entities in
support of the efforts of the President's Council on Year 2000 Conversion.
Once reviewed and discussed with the affected agency, OMB staff make recommendations to
OMB policy officials. These levels are then finalized and included in an emergency release. As
you know, pursuant to last Omnibus Act, detailed information on each affected agency's spending
plan, as well as an account-by-account breakdown of the request as a whole, is provided to your
and other Committees. The funds in the release are not made available to the agencies until 15
days after the transmittal.
Once the funds are allocated, each Resource Management Office has been tasked with tracking
the Y2K-related expenditures for the agencies it oversees, including emergency expenditures. At
a minimum, the RMOs review the agency quarterly report to confirm that appropriate progress is
being made and that the each agency can cogently explain its cost levels and cost changes. Then,
depending on an agency's status, RMOs have used different methods to track Y2K-related
spending. All agencies that have received emergency funding have forwarded data on obligations
to date to their RMOs. This data has informed our consideration of subsequent emergency
requests, and has resulted in several reprogramming requests rather than additional releases. For
example, in the Department of Health and Human Services, we recently reprogrammed funds
from HCFA to the Administration for Children and Families. More reprogramming actions may
be forthcoming as agencies further refine their estimates for FY 1999 and 2000.
In addition, some RMOs monitor Y2K-related obligations and/or outlays on a more regular basis,
and require detailed information on the expenditure of both base and emergency resources.
Finally, because of their unique period of availability (FY 1999 - FY 2001), emergency funds are
very transparent in terms of budget execution. The RMOs have been given discretion in terms of
treatment of both base and emergency funds in the apportionment process, as is OMB's general
policy.
Your Committees have asked me to focus on the cost increases since the 1st OMB Y2K Quarterly
Report, which was issued February 1997. In that report, the five year (FYs 1996 - 2000) Federal
cost of Y2K was reported estimated at $2.3 billion. However, it is now clear that in the first
quarterly report, we were not fully aware of the magnitude of the year 2000 problem. Initially, it
was thought that fixing the problem would primarily involve mainframe computers and legacy
applications.
However, as we and others learned in the course or remediation, the problem was far more
complex, involving desktop personal computers, embedded chips, and telecommunications
components. Cost increases from the 1st to 4th OMB Quarterly Report (through March 1998),
totaling $2.4 billion, resulted from a better understanding of the scope of the problem and
increasing agency attention on the cost estimates. It is important to note that until FY 1999
agencies funded their year 2000 costs exclusively out of base appropriations. Prior to the
availability of emergency funding, all costs increases were absorbed within agency operating
budgets.
Since the broader universe of Y2K remediation was clearly established, costs have remained
within a more predictable band. From the 4th OMB Quarterly Report (March 1998) to the 9th
OMB Quarterly Report (June 1999), costs reported for FYs 1996 - 1998 changed by $164 million,
or 4.7 percent of the three-year total. Of this, estimates for Defense have changed by $128
million, or 3.6 percent of the three-year total. Since last March, then, cost estimates for non-defense agencies for FYs 1996 - 1998 for have changed by a little more than one percent.
The increase in FY 1999 funding, $2.8 billion between the 4th and 9th OMB Quarterly Reports,
has supported activities that have been subjected to the rigorous policy review that I have
discussed. Most of the cost increases can be attributed to specific activities: remediation for
information technology systems, testing to ensure that systems are Y2K compliant, replacement
of embedded computer chips, and creation and verification of BCCPs. I am confident that this
funding has helped to ensure that important Federal programs will have a smooth transition into
the year 2000. FY 2000 costs, which have increased by $509 million over the same period, are
primarily for Y2K project offices to manage and monitor the transition into 2000, as well as for
retesting and recertifying contingency plans. The details of agency spending plans continue to be
made available for your review as this process moves forward.
I would now like to turn to another issue that I have been asked to address: the difference
between agency estimates and actual costs. I believe that this question stems from the cost table
in each OMB Quarterly Report. In that table, past years (FYs 1996 - 1998) are characterized as
estimates even though, as you know, the budgetary data for those years reflects actual
expenditures. With OMB's approval, agencies have refined the universe of Y2K-related costs
since FY 1996. As an activity is added to the Y2K universe, we want to make certain that we are
capturing the five-year cost of that activity. For example, a Department may not have reported
embedded chip replacement as part of their initial Y2K estimate. However, they later received
guidance to so. In such a case, OMB has worked with the Department to verify that the multi-year cost of embedded chip replacement was being reported. If this required changing an estimate
in a past fiscal year, agencies did so with OMB approval. At the same time, future year estimates
may have been adjusted to account for newly recognized activities. Thus, although the budget
data for FYs 1996 - 1998 are actuals, since recognition of the scope of the Y2K problem has
changed over time, OMB has not asked for or characterized costs for those years as actuals.
Another component of this issue is that Y2K-related expenses can be aggregated at a level below
or above budget accounts. Y2K-related expenses are embedded in broader operating budgets.
We have worked to ensure that we are capturing Y2K-related costs and that agencies are making
defensible and standardized assumptions about these costs. Conversely, we are trying to filter out
activities that were wholly planned for and would have been implemented regardless of Y2K.
NEXT STEPS
As I stated earlier, now that most of the work on fixing mission critical systems is completed,
OMB will shift its focus from aggregate figures for system readiness to ensuring the readiness of
individual systems. In addition, OMB and the agencies are beginning to focus on two new
priorities.
- Ensuring the readiness of Federal programs, particularly 43 high impact programs that we have
identified.
- Planning for business continuity and contingencies.
Ensuring the Readiness of Federal Programs
While we have made excellent progress in preparing our systems, we are not yet done. We must
make sure that Federal programs, particularly those that have a direct and immediate affect on the
health, safety, and well-being of the public, function smoothly. As I have just related to you, we
are confident that critical systems will be ready. But because Federal programs partner with other
entities, including other Federal agencies; State, Tribal, and local governments; banks;
contractors; vendors; and other entities; it is critically important to ensure that all partners are
working together to ensure that the program they support will be ready. The critical task is to
make sure that not just systems, but the programs they support, will be ready.
Accordingly, on March 26, 1999, I asked agencies to take this next step. I also identified 42
"high impact" Federally supported programs and directed Federal agencies to take the lead on
working with other Federal agencies, State, Tribal, and local governments, contractors, banks, and
others to ensure that programs critical to public health, safety, and well-being will provide
uninterrupted services. Examples include Medicare and Unemployment Insurance. The list was
subsequently revised to include the National Crime Information Center at the Department of
Justice, bringing the total to 43.
Agencies have also been asked to help partners develop year 2000 plans if they have not already
done so to ensure that these programs will operate effectively. Such plans are to include end-to-end testing, developing complementary business continuity and contingency plans, and sharing
key information on readiness with partner organizations and with the public. Agencies are
reporting to us monthly and will demonstrate the readiness of each program by September 30,
1999. A table of the programs, including the partners agencies are working with is included last
week's quarterly report.
Business Continuity and Contingency Planning
Although we expect all Federal mission critical systems to be ready by January 1, 2000, and
although we are prepared to demonstrate the readiness of a number of critical programs, it is still
important that every agency, no matter how well prepared, have a business continuity and
contingency plan (BCCP) in place.
Agencies have identified their core business functions and are using these as a basis for
developing business continuity and contingency plans, which will ensure that these core business
functions will operate smoothly, no matter what glitch may occur in an agencies' systems or with
an agencies' partners. While we are confident that the measures taken for Y2K compliance are
sound, the chance remains that, despite testing, a bug may still slip through. Furthermore,
elements beyond an agency's control are at risk from the Y2K problem as well. For example, bad
data from a data exchange partner or the inability of a vendor to provide key supplies could
disrupt work at an agency.
Let me make it clear that we do not anticipate any disastrous consequences as a result of year
2000 computer problems in Federal systems. It is possible, and even likely in some situations,
that there will be glitches in systems that result in minor disruptions to the ways that agencies
operate. Accordingly, for each core business function and its associated systems, agencies have
identified risk factors, and assigned them a probability rating as well as an impact rating. The
agencies use these ratings to prioritize functions and systems. Work-arounds and back-up plans
are established as contingencies.
Although we do not expect any disasters, it is always wise to prepare for the worst. Since the
1970s, agencies have been required to have in place Continuity of Operations plans (COOP
plans), to address such emergencies. In the event of a disaster, whether related to Y2K or to a
national emergency, such as a terrorist attack or regional weather emergency such as a tornado or
violent snowstorm, agencies are using their COOP plans to ensure that the agency will continue to
function. I also asked agencies to ensure that the development of their BCCP was coordinated
with pending revisions to each agency's COOP plan. Again, although we do not expect any kind
of Y2K disaster, agencies are developing plans, in coordination with their BCCPs, to address this
contingency.
On May 13, 1999, I issued guidance on this subject, "Business Continuity and Contingency
Planning for the Year 2000," (M99-16). This memorandum asked all agencies, including small
and independent agencies, to submit to OMB by June 15 their business continuity and
contingency plans (BCCPs). This memorandum also identified a number of infrastructure areas
for which agencies should make common assumptions, such as electric power, financial services,
and public voice and data communications. This common assumption is that there will be no
nation-wide disruptions within these infrastructure services.
By setting these risk areas aside from agencies' business continuity and contingency planning,
agencies are able to focus on ensuring that their core business functions and affiliated systems
will work. In the extremely unlikely event that a catastrophic emergency occurs that damages
local infrastructure, communications, or the agency building itself -- whether caused by Y2K, or
by a natural disaste
On the international side, the State Department is leading a working group of those agencies with
employees overseas in order to develop risk assumptions and appropriate responses, to be used in
the development and refinement of those programs' BCCPs.
BCCPs are an increasingly important component of agency progress. Like a good insurance
policy, a sound plan is important, no matter how well you have taken care of your systems. To
ensure quality and consistency, I have directed agencies to use the General Accounting Office's
(GAO) guidance on this subject in preparing their plans. Additionally, many agencies are
working closely with their Inspectors General and/or expert contractors in the development and
testing of these plans. Finally, OMB is reviewing the high-level BCCPs of agencies, which were
due June 15, and will provide feedback and guidance to the agencies on an individual basis.
Prepayment
As part of their contingency planning, some agencies have explored the possibility of making
some payments in December that would otherwise be due in January to beneficiaries, contractors,
and others. However, the Administration has determined that such actions are not necessary at
this time, given the level of readiness of agency payment systems and agency business continuity
and contingency plans. Moreover, the extensive downside risk to prepayment mitigates strongly
against implementing this contingency plan in all but the most exceptional circumstances.
First, and most importantly, issuing such payments early would require reprogramming of payroll
and other financial management systems. I have previously stated that any changes to systems
should be minimized as they not only divert resources from fixing the Y2K problem, but also may
undo Y2K fixes. It would be highly irresponsible to implement a contingency plan that could
worsen the year 2000 problem.
Second, making early payments would have tax implications for individuals and businesses.
Undoing any tax implications would require legislative changes for the Internal Revenue Service,
which in turn would be required to make changes to the tax code and to their systems. All of
these actions would be both costly and time-consuming.
Third, such actions could easily be interpreted by the public as an overall sign of lack of
confidence in the ability of the Government to make its payments after January 1. Such a signal
could prove disastrous for the national economy as panicked citizens turn to withdrawing their
currency in anticipation of a currency shortage. This sort of panic is a self-fulfilling prophecy.
Public panic and overreaction is a problem far larger than the technology problem and something
we are very concerned about.
Finally, even allowing prepayment in extremely limited areas increases pressure to provide early
payment for everyone.
Any uncertainty about the readiness of agencies to make benefits payments should be mitigated
by continuing to focus on fixing and testing systems. Agencies should also consider alternative
contingency plans that do not introduce such high levels of Y2K risk into systems or that could
propagate public panic.
Despite these concerns, however, there may be a few rare instances in which early payment is the
best option. In any such instances, agencies may request authority from OMB to pay certain
benefits early if certain criteria are met. These include demonstration that there will be
substantial harm to individuals from not getting a timely payment, a high likelihood that timely
payments (either by normal program operation or through a contingency) will not be made,
assurance that early payments made will be targeted only to those recipients who would be
harmed, and that early payment will substantially mitigate the harm. The agency must also be
willing to make a public announcement of these decisions and to work with the Department of
Treasury so that adequate cash management practices are maintained. Throughout the remainder
of the year, we will continue to review this matter with agencies.
CONCLUSIONS
In conclusion, during the 192 days remaining before the year 2000, we plan to:
- Complete work on remaining mission critical systems and on other Federal systems.
- Conduct end-to-end testing with the States and other key partners, placing special emphasis on
ensuring the readiness of programs that have a direct and immediate impact on public health,
safety, and well-being.
- Complete and test business continuity and contingency plans as insurance against any
disruptions related to Y2K failures.
- Promote Y2K awareness with State, local, and Tribal governments, with the private sector, and
with other Nations.
Thank you for the opportunity to allow me to share information with you on the Administration's
progress. The Administration continues to treat this challenge with the direct, high-level attention
it deserves. The additional focus on the year 2000 problem by the President, Congress, and the
public has resulted in agencies focusing management attention on the issue and taking a close
look at their resource needs. The Year 2000 contingent emergency reserve has helped ensure that
agencies have access to funds to facilitate their work. OMB remains committed to working with
the Committees and Congress on this critical issue. I would be pleased to answer any questions
you may have.
|
|