<DOC>
[106 Senate Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:58306.wais]

S. Hrg. 106-219

JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING

=======================================================================

HEARING

before the

SUBCOMMITTEE OF THE COMMITTEE ON APPROPRIATIONS
and
SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM
UNITED STATES SENATE

ONE HUNDRED SIXTH CONGRESS

FIRST SESSION

__________

SPECIAL HEARING

__________

Printed for the use of the Committee on Appropriations and the Special Committee on the Year 2000 Technology Problem

Available via the World Wide Web: http://www.access.gpo.gov/congress/senate

_______________________________________________________________________

For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 20402

COMMITTEE ON APPROPRIATIONS

TED STEVENS, Alaska, Chairman
THAD COCHRAN, Mississippi
ROBERT C. BYRD, West Virginia
ARLEN SPECTER, Pennsylvania
DANIEL K. INOUYE, Hawaii
PETE V. DOMENICI, New Mexico
ERNEST F. HOLLINGS, South Carolina
CHRISTOPHER S. BOND, Missouri
PATRICK J. LEAHY, Vermont
SLADE GORTON, Washington
FRANK R. LAUTENBERG, New Jersey
MITCH McCONNELL, Kentucky
TOM HARKIN, Iowa
CONRAD BURNS, Montana
BARBARA A. MIKULSKI, Maryland
RICHARD C. SHELBY, Alabama
HARRY REID, Nevada
JUDD GREGG, New Hampshire
HERB KOHL, Wisconsin
ROBERT F. BENNETT, Utah
PATTY MURRAY, Washington
BEN NIGHTHORSE CAMPBELL, Colorado
BYRON L. DORGAN, North Dakota
LARRY CRAIG, Idaho
DIANNE FEINSTEIN, California
KAY BAILEY HUTCHISON, Texas
RICHARD J. DURBIN, Illinois
JON KYL, Arizona

Steven J. Cortese, Staff Director
Lisa Sutherland, Deputy Staff Director
James H. English, Minority Staff Director

------

SPECIAL COMMITTEE ON THE YEAR 2000 TECHNOLOGY PROBLEM

ROBERT F. BENNETT, Utah, Chairman
CHRISTOPHER J. DODD, Connecticut, Vice Chairman
JON KYL, Arizona
DANIEL PATRICK MOYNIHAN, New York
GORDON SMITH, Oregon
ROBERT C. BYRD, West Virginia (ex officio)
SUSAN M. COLLINS, Maine
TED STEVENS, Alaska (ex officio)

Robert Cresanti, Staff Director
Wilke Green, Minority Staff Director

C O N T E N T S

----------

Statement of Hon. David M. Walker, Comptroller General, General Accounting Office
Statement of Jacob J. Lew, Director, Office of Management and Budget
Opening statement of Hon. Robert F. Bennett
Prepared statement of Senator Robert F. Bennett
Statement of Hon. Ted Stevens
Prepared statement of Senator Robert C. Byrd
Statement of Hon. David M. Walker
    Prepared statement
Results in brief
Background
Estimated year 2000 costs continue to escalate
Emergency funds to be used for a variety of purposes
Costs for fiscal year 2000 and beyond
Program and information technology initiatives delayed by Y2K
Lessons learned from the Government's year 2000 efforts can be applied to future information technology activities
Contact and acknowledgments
Statement of Jacob J. Lew
    Prepared statement
Federal progress
Y2K costs and funding
Next steps
Number of Federal mission-critical systems that are Y2K compliant
Has the Y2K problem undermined computer security?
Progress on nonmission-critical systems
Are additional Y2K supplemental funds required?
What progress is being made in contingency planning?
What is the difference between mission-critical and nonmission-critical?
Who will agencies turn to if they have Y2K problems?
Is the Postal Service Y2K compliant?
Need for progress for Federal systems that interact with State and local systems
Progress with our international partners
Need for additional Y2K funding
Potential need for another flexible fund to respond to Y2K problems

JOINT HEARING ON FEDERAL AGENCY Y2K SPENDING

----------

TUESDAY, JUNE 22, 1999

U.S. Senate, Committee on Appropriations, Special Committee on the Year 2000 Technology Problem, Washington, DC.

The committees met at 9:35 a.m., in room SD-192, Dirksen Senate Office Building, Hon. Robert F. Bennett (chairman of the Special Committee on the Year 2000 Technology Problem) presiding.

Present: Senators Bennett, Stevens, and Gorton.

GENERAL ACCOUNTING OFFICE

STATEMENT OF HON. DAVID M. WALKER, COMPTROLLER GENERAL
ACCOMPANIED BY JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES INFORMATION SYSTEMS

OFFICE OF MANAGEMENT AND BUDGET

STATEMENT OF JACOB J. LEW, DIRECTOR

Opening statement of Hon. Robert F. Bennett

Chairman Bennett. We welcome you to this morning's hearing, which is a joint hearing of the Senate Appropriations Committee and the Senate Special Committee on the Year 2000 Technology Problem. Senator Stevens has asked that I chair the committee, and I am grateful to him for his courtesy. We want to welcome our witnesses for coming today as well.
The topic for today's hearing is oversight of spending on the year 2000 technology problem within the Federal Government. Let me start out by noting that questioning Government spending on Y2K has been likened in some circles to questioning a firefighter on the use of water during a fight against a fire in a burning building, and I agree with that to a certain extent. I think it would be a tragedy if we get to the year 2000 and have serious problems. To have them traced to a lack of money and say, ``well, we knew what to do, we had the plans in place to do them, but we just did not have the money.'' I certainly do not want anyone to accuse the Congress of being complicit in a situation like that. Ensuring the uninterrupted flow of critical Federal services is too important. Our purpose here today is not to assail the Federal agencies or the administration for the amount or manner of Y2K spending. We recognize that the biggest roadblock we face toward getting this problem under control, the biggest scarcity we have, is time, not money. However, there is always the possibility within the Federal Government that money that is appropriated for good and proper purposes ends up being diverted some place else. We have a responsibility to ensure that the taxpayer dollars have been spent for the purpose for which they were appropriated, and at the same time that there will be sufficient funds left for unexpected Y2K costs that will shortly crop up this year and next. The appropriations that were made, were made with the assumption that there would be some left over after we get to January 2000 to take care of problems. We simply do not know how much needs to be left over, but it would be irresponsible to say, well, this money is available, let's just go ahead and spend it. Now, here is what we do know. 
According to the General Accounting Office (GAO), Federal spending on Y2K readiness is currently estimated to be $8.7 billion, and that is up from $2.3 billion that was estimated in February of 1997. I remember when that estimate was made, members of our committee were highly skeptical that it could be achieved for that, so we are now more than three times that original estimate. We may see an escalation in the $8.7 billion. It may continue up after January 1, 2000. Now, we have also learned that many Government agencies are not tracking their Y2K costs, and this includes costs funded from the $3.35 billion emergency supplemental appropriation. That breaks down to $1.1 billion for defense, and $2.25 billion for nondefense. We need to determine if these funds are being used appropriately and, if not, we should determine where additional oversight is necessary. The charts displayed here show the growth in Federal agencies' Y2K cost estimates and the status of emergency supplemental funding for nondefense agencies. That second chart is a little hard--not a little hard, it is impossible to read, except when you have a hard copy of it in front of you. We tried to simplify it but we were unable to because the information on it is vital. The charts indicate that we have only $450 million left through September 30, 2001, the life of the fund. That is one of the reasons for this hearing. We are concerned about whether there will be money left to clean up problems that come after the year 2000 turns, so we must determine if there are adequate resources available to meet the future Y2K demands, and we suspect that more and more will be spent for Federal agencies' contingency plans. Now, unfortunately the current pace of contingency planning presents us with one of our blind spots as far as congressional oversight is concerned, because many Government agencies missed the June 15 deadline for submitting contingency plans. 
This failure not only deprives us of any confidence we might have in their ability to handle the emergencies, but it also prevents the Office of Management and Budget (OMB), GAO, and the Congress from estimating how much these contingency plans may cost if they are required. So with time running out, contingency planning for Y2K becomes very important. As we explore the flow of funding to the Federal agencies, a lack of contingency planning is not a blind spot we can afford to have. So with that, Senator Stevens, if you have an opening comment we will call upon you now.

[The statement follows:]

Prepared Statement of Senator Robert F. Bennett

Good morning. I would like to thank Chairman Stevens for presiding over this joint hearing of the Senate Appropriations and Y2K committees. I would also like to thank our witnesses for coming today. The topic of today's hearing is federal Y2K spending. Before proceeding, I think it is important to note that, in some circles, questioning government spending on Y2K is likened to questioning a firefighter on his use of water on a burning building. I agree with that statement to an extent. In fact, I believe we should continue to make available the necessary resources to ensure that government continues to function on January 1, 2000 and beyond. We don't want the lack of money to be a reason why the federal government is not prepared for Y2K--ensuring the uninterrupted flow of critical federal services is simply too important. Therefore, my purpose here today is not to assail the federal agencies or the administration for the amount or manner of Y2K spending. The biggest roadblock to Y2K readiness at this point--with only 192 days left--is the scarcity of time, not money. Having said that, we have a responsibility to ensure that taxpayer dollars are not being spent frivolously, and that there will be sufficient funds left for the continued unexpected Y2K costs that will surely crop up later this year, and next.
But the truth is, we simply don't know enough to say exactly how much will be needed for the remainder of this year and future years. Here is what we do know: According to GAO, federal spending on Y2K readiness is currently estimated to be $8.7 billion--up from $2.3 billion in February 1997--and may continue upward after January 1, 2000. We have also learned that many government agencies are not tracking Y2K costs--this includes costs funded from the $3.35 billion emergency supplemental appropriation. We need to determine if these funds are being used appropriately. If not, we should determine whether additional oversight is necessary. We must determine if there are adequate resources available to meet future Y2K funding demands. In particular, we suspect that more and more will be spent for federal agencies' contingency plans. Unfortunately, the current pace of contingency planning presents us with another blind spot, as far as congressional oversight is concerned. Many government agencies missed the June 15 deadline for submitting contingency plans. This failure not only deprives us of any confidence we might have in their ability to handle Y2K-induced emergencies, but also prevents OMB, GAO and the Congress from estimating how much contingency plans may cost. With time running short, contingency planning for Y2K becomes very important. As we explore the flow of funding to the federal agencies, a lack of contingency planning is not a blind spot we can afford to have. Thank you very much.

Statement of Hon. Ted Stevens

Chairman Stevens. Well, thank you very much, Senator Bennett. I welcome the chance to jointly review this problem with you. The emergency supplemental funding is what worries me, and I hope that we are keeping track of not only what has been spent, but what the demand will be between now and the turn of the century. It does appear to me that we have a little glitch in terms of contingency planning.
I do want to go into that with our witnesses this morning. I do not have an opening statement. I appreciate these charts. They are a little busy, but they contain a great deal of information. I do not know if we have copies we could provide to the press out there so they can understand what we are talking about.

Chairman Bennett. Yes, indeed.

Chairman Stevens. Thank you very much.

Chairman Bennett. Thank you, and everyone should recognize that we would not be in the good position we are with respect to funds for the year 2000 if it were not for Senator Stevens and his very early recognition of this problem and his willingness to carve out of the appropriations bill these funds. Any other appropriations chairman might have taken the position of, ``well, let's wait and see.'' Senator Stevens recognized early on that there is no time to wait and see, and we are in the good position we are because of Senator Stevens.

Prepared statement of Senator Byrd

Chairman Stevens. Mr. Chairman, Senator Byrd is detained, and I would like to have his statement placed in the record, and he does have some questions he would like to submit for the record.

Chairman Bennett. That will be placed in the record, and we will be happy to forward his questions and receive them at such time as he might be available.

[The statement follows:]

Prepared Statement of Senator Robert C. Byrd

Thank you, Mr. Chairman, for calling this joint hearing of the Appropriations Committee and the Special Committee on the Year 2000 (Y2K) Technology Problem to examine budgeting efforts to ensure the Y2K readiness of the executive branch. You have provided important leadership on this issue. As an Ex-Officio Member of the Special Committee on the Year 2000 Technology Problem, I also thank Chairman Bennett and Senator Dodd for their good work on this vexing problem.
You have both worked diligently to raise awareness about this issue and to monitor the progress our nation is making toward meeting the immovable deadline of midnight, December 31. Our nation, indeed, the entire world, is increasingly reliant on technology. In the case of the federal government and its responsibilities in areas such as defense, emergency management services, telecommunications, and benefit programs, Y2K readiness is critical. Congress has recognized and responded to the importance of this issue by providing considerable funds to bring federal systems into compliance. The costs are substantial. GAO estimates that federal Y2K costs as of May 1999 total $8.7 billion, a dramatic increase from the $2.3 billion cost estimated in early 1997. In response to emergency needs cited by federal agencies, last year Congress provided $3.35 billion in emergency funding through the Omnibus Consolidated and Emergency Supplemental Appropriations Act. Of the $3.35 billion, $2.25 billion was provided for non-defense agencies and $1.1 billion for Department of Defense (DOD). Thus far, a substantial portion of these emergency funds have been allocated to federal agencies by the Office of Management and Budget (OMB). It is important that these Committees provide oversight of this spending. As December 31, 1999, draws near, we must make every effort to ensure that the federal government is Y2K ready. As appropriators, we have a responsibility to ensure that the funds provided for Y2K conversion are in fact achieving federal Y2K readiness and that these funds are accounted for carefully. We must also explore whether additional resources will be necessary to finish the job, to implement contingency plans, and to meet any outstanding needs. I look forward to receiving the testimony of our witnesses this morning as we delve into these important issues.

Chairman Bennett. Our witnesses this morning are Hon. David Walker, who is the Comptroller General of the U.S.
General Accounting Office, and Hon. Jacob Lew, who is the Director of the Office of Management and Budget. Between the two of you, you probably represent more expertise on the budget and the cash flow of the Federal Government than any other two individuals available, and we are grateful to you for your willingness to appear here and look forward to hearing from you both. We will start, Mr. Walker, with you.

Statement of Hon. David M. Walker

Mr. Walker. Thank you, Mr. Chairman. Good morning, Chairman Bennett, Chairman Stevens. Thank you for inviting me to testify today on Y2K costs and to discuss more broadly the implications of Y2K on future information technology activities. Since our February 1997 designation of the year 2000 problem as a high risk area for the Federal Government, action to address the Y2K threat has intensified. In response to a growing recognition of the challenge, as well as urging from congressional leaders, the administration has strengthened the Government's Y2K preparations. For example, OMB has now established 43 high impact program areas as Government priorities. This list includes such programs as Social Security, food stamps, and Medicare. It does not, however, include direct national security and revenue collection activities. Many congressional committees have been extremely diligent in addressing the year 2000 challenge by holding agencies accountable for demonstrating progress, and by heightening public appreciation of the problem. In particular, work done by the Senate Special Committee on the Year 2000 Technology Problem has fostered a greater understanding of this issue and focused attention on much-needed actions. Despite the improvements in the Government's Y2K approach, significant challenges remain. In particular, thorough year 2000 testing is essential. Further, adequate business continuity and contingency plans must be successfully completed and tested. As shown by this chart, Mr.
Chairman, the total estimated Y2K costs for the 24 major Federal agencies have more than tripled during the last 2 years. A total of about $8.7 billion as of the end of last month. Within this $8.7 billion, Federal agencies have reported that their year 2000 costs for fiscal years 1996 to 1998 were over $3 billion. Some agencies told us that they reported these based on actual costs, while others reported some costs as actuals, and others as estimates. Still others included total estimates, and did not maintain actual costs for Y2K, other than for the emergency supplemental. With agencies' estimates of Y2K costs increasing dramatically, and with limited time remaining to complete needed actions, many agencies have requested emergency funds in fiscal year 1999. According to their justification submissions to the Congress and OMB, three categories of reasons emerge to explain organizations' requests for emergency funds: First, new requirements that had not been planned for fiscal 1999; second, cost increases to complete ongoing Y2K activities; and, third, the unavailability of regular appropriations for planned Y2K work. New requirements included outreach, independent verification validation, as well as decisions to replace personal computers and network hardware and software for a variety of reasons, including to assure Y2K compliance. In May 1999, the 24 major departments and agencies estimated their fiscal year 2000 costs for Y2K activities at about $981 million, almost a ninefold increase from the original year 2000 estimate of about $111 million provided in February 1997. Determining the extent of continued Y2K cost estimation is difficult because of many uncertainties. For example, 10 agencies reported that they have not completed work on their mission-critical systems as of mid-May 1999. 
Key factors that could fuel additional cost increases include agencies determining that they must implement business continuity and contingency plans, or if there are any other anticipated events that occur due to the Y2K problem that must be addressed. For example, in August of 1998, the Health Care Financing Administration (HCFA) estimated that it would need between $300 million and $500 million to handle emergency contingency situations that could result from the Y2K problem. HCFA reported that the types of activities that these funds would be needed for included unforeseen software, hardware, and telecommunications failures, increased paper claims due to provider or billing companies' inability to transmit electronically, and claims reprocessing to correct erroneous repayments. The Health and Human Services (HHS) reported to us that it requested about $165 million for Y2K activities in its fiscal year 2000 budget request. This amount, however, excluded any amounts for the implementation of HCFA contingency plans should those plans prove to be necessary. Other agencies could also have higher costs if business contingency and continuity plans need to be implemented. OMB's review of agency contingency plans should therefore consider whether agencies have provided information on the cost of implementing contingency plans if that should be required. If not, OMB needs to gather this information quickly so that it can share with the Congress what impact this would have on potential future funding needs. Additional costs could also be incurred if some States do not complete their year 2000 work on systems that support critical Federal programs such as food stamps and Medicaid. Importantly, 10 of OMB's designated high impact programs rely on State-level implementation. Information indicates that some State systems are not scheduled to be compliant until the last quarter of 1999. 
If States do not complete their year 2000 remediation in time, or if those remediation efforts fail, the States would have to implement their business continuity and contingency plans, which could encompass Federal Government assistance because of the cost reimbursement mechanisms under those programs. While making systems ready for year 2000 has been an enormous job, other program and information technology needs have not disappeared. In fact, they have grown, and continue to grow. In particular, because of the year 2000 problem, agencies have delayed implementation of regulatory requirements and planned information technology enhancements. There is a pent-up demand and growing backlog of such initiatives which may have significant implications for future funding level requests. The total Government-wide volume of program and information technology activities delayed by Y2K is not known. Therefore, the potential demand for additional information technology resources in the future is difficult to predict. However, the cost of these delayed activities could be significant. Accordingly, OMB will need to work with the agencies to determine the magnitude of these pent-up demands in order to make informed management and funding decisions in the future. In addition to these demands, increased resources will likely be needed for another key issue that has garnered increased attention, namely information security. As we reported in September 1998, the expanded amount of audit evidence that has become available since mid-1996 describes widespread and serious weaknesses to adequately protect Federal assets, sensitive information, and critical operations. The computer security issue, which is already on our high risk list, will follow on the heels of the Y2K challenge. Computer security issues have a range of potential national security, economic security, and personal privacy implications. There has importantly been a silver lining to the Y2K challenge. 
The Government organizations' experiences in becoming prepared for the year 2000 hold valuable lessons about how information technology can best be managed. For many agencies, the threat posed by the year 2000 problem was a much-needed wake-up call. Because of the urgency of the issues, agencies could not afford to carry on in the same manner that resulted in a decade of poor information technology planning and program management. Earlier this year, we reported that the year 2000 provided the opportunity to institutionalize valuable lessons, such as the importance of consistent and persistent top management attention to be accompanied by reliable processes and reasonable controls. Another benefit of the year 2000 effort was the establishment of much-needed information technology policies in such areas as configuration management, quality assurance, risk management, project scheduling and tracking, and metrics. Beyond individual agencies, the year 2000 problem holds lessons in overseeing and managing information technology on a Government-wide basis. In particular, actions taken by the Congress and the executive branch have demonstrated that effective oversight and guidance can have a positive influence on major information technology efforts. In conclusion, Mr. Chairman, it is clear that Y2K expenditures have been significant, sometimes unpredictable, and constantly growing. Further, Y2K cost growth may continue, especially if business and continuity contingency plans must be put into operation, or if State-administered Federal program system efforts are not completed. In addition, pent-up demand exists for information technology enhancements and security activities. OMB needs to take steps to estimate the nature and extent of these pent-up demands, as well as the contingency expenditures that could be incurred related to Y2K.
On the positive side, while correcting the Y2K problem has been and continues to be costly, the experiences of individual agencies and the Government as a whole in meeting this challenge have provided renewed and needed focus on information systems. As we attempt to meet future information technology and security challenges, these lessons must not be lost.

Prepared statement

This completes my summary statement, Mr. Chairman. I would be happy to answer any questions at the appropriate time. Thank you.

Chairman Bennett. Thank you very much. We appreciate your statement. Your full statement will be made a part of the record.

[The statement follows:]

Prepared Statement of David M. Walker

Messrs. Chairmen and Members of the Committees: We are pleased to be here today to present information on Year 2000 (Y2K) \1\ costs and funding and to discuss more broadly what implications the government's necessary short-term focus on preparing for the year 2000 will have on future information technology activities. In 1997, we designated the Year 2000 computing problem as a high-risk area because computer failures could disrupt functions and services that are critical to our nation. \2\ After providing a brief summary of the issues and background information, my testimony today will highlight (1) estimated Y2K costs and agency processes to track costs to date, (2) planned uses of emergency funding, (3) Y2K costs for fiscal year 2000 and beyond, (4) agency program and information technology initiatives delayed by Y2K activities, and (5) lessons learned from Y2K efforts that can be applied to other information technology activities.

---------------------------------------------------------------------------
\1\ The Y2K problem is rooted in how dates are recorded and computed. For the past several decades, computer systems typically used two digits to represent the year, such as ``99'' for 1999, in order to conserve electronic data storage and reduce operating costs. In this format, however, 2000 is indistinguishable from 1900 because both are represented as ``00''. As a result, if not modified, systems or applications that use dates or perform date- or time-sensitive calculations may generate incorrect results beyond 1999.
\2\ High-Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997).
---------------------------------------------------------------------------

Results in brief

Meeting the Year 2000 challenge has been necessary but expensive, with estimated federal costs rising from $2.3 billion in February 1997 to $8.7 billion as of last month. From February through May 1999, the estimated cost rose $1.2 billion. With respect to Y2K costs incurred through fiscal year 1998, the 24 major federal departments and agencies reported costs exceeding $3 billion. While some agencies reported actual costs incurred through 1998, others reported estimates. In fiscal year 1999, agencies have requested emergency funds and plan to spend much of these funds on renovation, validation, and implementation activities, along with replacing personal computers and network hardware and software. Beyond fiscal year 1999, estimated Y2K costs have continued to climb, now reaching over $1 billion. Determining the extent of continued Y2K cost escalation is difficult because of many uncertainties. One major unknown is whether agencies will have to implement their business continuity and contingency plans. Such plans, if triggered, could entail substantial costs. Agencies' high-level business continuity and contingency plans were due to the Office of Management and Budget (OMB) by June 15. OMB's review of these plans should consider whether agencies provided estimated business continuity and contingency plan costs. If not, OMB needs to require that this information be provided expeditiously so that it can provide the Congress with information on potential future funding needs.
We intend to review the plans submitted to OMB and advise the Congress of potential funding ramifications. Another less direct but undeniable issue associated with the Year 2000 challenge has been the postponement of many program and information technology initiatives so that resources could be dedicated to Y2K. Such demands--including system enhancements and computer security--have not vanished; in fact, they have grown. On the positive side, however, the government will likely approach these future information technology challenges better prepared, having gained much valuable information from experiences in meeting the Y2K challenge. For example, this was the motivator that resulted in many agencies' taking charge of their information technology resources in much more active ways, from inventorying and prioritizing systems to implementing reliable processes and better controls. Such lessons should not be lost on future information technology projects. background With close to half of all computer capacity and 60 percent of Internet assets, the United States is the world's most advanced and most dependent user of information technology.\3\ Such systems perform functions and services critical to our nation; disruption could create widespread hardship, including problems in key federal operations ranging from national defense to benefits payments to air traffic management. Accordingly, the upcoming change of century is a sweeping and urgent challenge for public- and private-sector organizations alike, in this country and around the world. --------------------------------------------------------------------------- \3\ Critical Foundations: Protecting America's Infrastructures (President's Commission on Critical Infrastructure Protection, October 1997). 
---------------------------------------------------------------------------

Since our February 1997 designation of the Year 2000 problem as a high-risk area for the federal government, action to address the Y2K threat has intensified. In response to a growing recognition of the challenge and urging from congressional leaders and others, the administration strengthened the government's Year 2000 preparation. In February 1998, the President took a major step in establishing the President's Council on Year 2000 Conversion. The President also (1) established the goal that no system critical to the federal government's mission experience disruption because of the Year 2000 problem and (2) charged agency heads with ensuring that this issue receive the highest priority attention. Further, the Chair of the Council was tasked with the following Year 2000 roles: (1) overseeing the activities of agencies, (2) acting as chief spokesperson in national and international forums, (3) providing policy coordination of executive branch activities with state, local, and tribal governments, and (4) promoting appropriate federal roles with respect to private-sector activities.

Among the initiatives the Chair of the Council has implemented in carrying out these responsibilities are attending monthly meetings with senior managers of agencies that are not making sufficient progress, establishing numerous working groups to increase awareness of and gain cooperation in addressing the Y2K problem in various economic sectors, and emphasizing the importance of federal/state data exchanges. In addition, on June 14, 1999, the President ordered the creation of an Information Coordination Center--consisting of officials from executive agencies--to assist the Chair of the Council in addressing Year 2000 conversion problems both domestically and internationally.
Among its duties, the Information Coordination Center is to assist in making preparations for information sharing and coordination within the federal government and key components of the public and private sectors.

Many congressional committees have been extremely diligent in addressing the Year 2000 challenge by holding agencies accountable for demonstrating progress and by heightening public appreciation of the problem. By holding numerous hearings on important topics such as health care, the food sector, electric power, and financial services and in issuing a major report \4\ on the impact of the Year 2000 problem, the Senate Special Committee on the Year 2000 Technology Problem has fostered a greater understanding of the problem and focused attention on actions needed.
---------------------------------------------------------------------------
\4\ Investigating the Impact of the Year 2000 Problem (United States Senate, Special Committee on the Year 2000 Technology Problem, February 24, 1999).
---------------------------------------------------------------------------

OMB, for its part, has taken more aggressive action on Year 2000 matters over the past year and a half and has been responsive to our recommendations. For example, in its quarterly report issued in December 1997, OMB accelerated its milestone for agencies to complete the implementation phase of Y2K conversion by 8 months, from November to March 1999. OMB has also tightened requirements on agency reporting of Year 2000 progress. It now requires that beyond the original 24 major departments and agencies that have been reporting, 9 additional agencies (such as the Tennessee Valley Authority and the Postal Service) report quarterly on their Year 2000 progress, and that additional information be reported from all agencies.
Additionally, in response to our April 1998 recommendation,\5\ on March 26, 1999, OMB issued a memorandum to federal agencies designating lead agencies for the government's 42 high-impact programs, including those delivering critical benefits such as social security, food stamps, and Medicare; ensuring adequate weather forecasting capabilities; and providing federal electric power generation and delivery. (OMB later added a 43rd high-impact program--the National Crime Information Center.) Further, OMB has clarified instructions for agencies relative to preparing business continuity and contingency plans, and required agencies to submit high-level versions of these plans just last week, on June 15. We intend to review the plans submitted to OMB and advise the Congress of our results.
---------------------------------------------------------------------------
\5\ Year 2000 Computing Crisis: Potential for Widespread Disruption Calls for Strong Leadership and Partnerships (GAO/AIMD-98-85, April 30, 1998).
---------------------------------------------------------------------------

As you know, we have been very active in working with the Congress as well as federal agencies to both strengthen agency processes and to evaluate their progress in addressing these challenges. To help agencies mitigate their Year 2000 risks, we produced a series of Year 2000 guides on enterprise readiness, business continuity and contingency planning, and testing.\6\ In addition, we have issued over 100 reports and testimony statements detailing specific findings and have made dozens of recommendations related to the Year 2000 readiness of the government as a whole and of a wide range of individual agencies.
---------------------------------------------------------------------------
\6\ Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in February 1997 and in final form in September 1997), Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998 and in final form in August 1998), and Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998 and in final form in November 1998).
---------------------------------------------------------------------------

Fortunately, the past 2 years have witnessed marked improvement in preparedness as the government has revised and intensified its approach to this problem. Nevertheless, significant challenges remain. In particular, complete and thorough Year 2000 testing is essential to providing reasonable assurance that new or modified systems will be able to process dates correctly and not jeopardize agencies' abilities to perform core business operations. Moreover, adequate business continuity and contingency plans must be successfully completed and tested throughout government.

The Congress Appropriated Emergency Year 2000 Funding

To address Y2K resource needs, last year the Congress appropriated $2.25 billion for civilian agencies \7\ and $1.1 billion for the Department of Defense for emergency expenses related to Year 2000 conversion of federal information technology systems. Through May 1999, OMB made six separate allocations totaling about $1.724 billion \8\ to civil agencies (77 percent of the $2.25 billion in civilian emergency funds) and one allocation of $935 million to the Department of Defense (85 percent of its emergency funds). Figure 1 illustrates the cumulative amount of emergency funds allocated to nondefense organizations and the Department of Defense, and that about $661 million remains.
---------------------------------------------------------------------------
\7\ As part of the $2.25 billion for civilian departments and agencies, $16.873 million and $13.044 million were designated for the legislative and judicial branches, respectively.
\8\ This amount does not include $13.65 million that OMB allocated to the Department of Energy but did not transfer to the department because, according to OMB, the House Appropriations Committee did not consider the planned use of these monies an appropriate use of emergency funding.
---------------------------------------------------------------------------

[GRAPHIC] [TIFF OMITTED] T14JU22S.000

Note: This chart does not include the amount set aside for the legislative and judicial branches ($29.9 million).
Source: OMB.

Figure 2 illustrates the entities that received the largest allocations.

[GRAPHIC] [TIFF OMITTED] T14JU22S.001

Note: Appendix I lists all of the entities that received emergency funding allocations.
Source: OMB.

Regarding Y2K costs and funding, the House Majority Leader asked us to (1) identify agency-reported Year 2000 costs through fiscal year 1998 and the agencies' processes used to track these costs, (2) determine the reported status of fiscal year 1999 obligations for Year 2000 activities, (3) identify estimated Year 2000 costs for fiscal year 1999 and the planned uses of the emergency allocations, and (4) identify the Year 2000 costs for fiscal year 2000. In addressing these questions, we requested documentation of actual and planned costs from 29 federal agencies that provide quarterly Y2K compliance information to OMB, plus an additional 12 organizations that had received emergency funding. We provided a report to the House Majority Leader on this information in April 1999.\9\
---------------------------------------------------------------------------
\9\ Year 2000 Computing Crisis: Costs and Planned Use of Emergency Funds (GAO/AIMD-99-154, April 28, 1999).
---------------------------------------------------------------------------

In my testimony before the Senate Committee on Appropriations in January,\10\ Chairman Stevens, you asked me to return and discuss these cost issues further. Accordingly, to prepare for this testimony, we updated the information in our April report to include (1) the latest cost estimates from the 24 major departments and agencies and (2) information on releases from the emergency fund subsequent to our prior work.\11\
---------------------------------------------------------------------------
\10\ Year 2000 Computing Challenge: Readiness Improving, But Critical Risks Remain (GAO/T-AIMD-99-49, January 20, 1999).
\11\ Seven additional agencies received emergency allocations subsequent to our prior work and, therefore, were not included in our April 1999 report.
---------------------------------------------------------------------------

estimated year 2000 costs continue to escalate

As figure 3 indicates, the total estimated costs of ensuring that the computer systems of the 24 major federal agencies perform as expected beyond 1999 more than tripled during the last 2 years--to a total of about $8.7 billion as of last month--up $1.2 billion in the past 3 months alone.

[GRAPHIC] [TIFF OMITTED] T14JU22S.002

Note: The August 1998 through May 1999 figures are totals of all individual submissions from the 24 major departments and agencies. In its summary of agency reports, OMB decreased total estimated Year 2000 costs for the 24 major agencies by about $900 million in August 1998, $800 million in November 1998, $779 million in February 1999, and $688 million in May 1999. For the August 1998 costs, OMB did not include all costs in its estimate because, for example, it was still reviewing some of the estimates provided by the agencies.
For the November 1998 and February 1999 costs, OMB did not provide explanations in its report for all of the discrepancies between the agency reports and their total estimated Y2K cost figure. However, the OMB reports covering the November 1998 and February 1999 periods did not include $81.3 million and $91.7 million in Transportation and Treasury costs, respectively, that they stated were non-Y2K costs funded from emergency supplemental funds. In OMB's report covering the May 1999 period, it revised the amount of Transportation's non-Y2K costs funded from emergency supplemental funds to $52 million, but Treasury's amount remained the same.
Source: February 1997 data are from OMB's report Getting Federal Computers Ready for 2000, February 6, 1997. May 1997 through May 1998 data are from OMB's quarterly reports. The August 1998 through May 1999 data are from the quarterly reports of the 24 major departments and agencies.

Among the agencies that had substantial increases from February 1997 through May 1999 were the Department of Defense--$969.6 million to $3.66 billion (277 percent increase), the Department of the Treasury--$318.5 million to $1.9 billion (497 percent increase), and the Department of Health and Human Services (HHS)--$90.7 million to $1.111 billion (1,125 percent increase).

Several Agencies Did Not Separately Track Actual Year 2000 Costs for Fiscal Years 1996 Through 1998

Reported Year 2000 costs incurred each year from 1996 through 1998 for the 24 major departments and agencies have also grown dramatically. Reported fiscal year 1996 costs were about $72 million,\12\ fiscal year 1997 costs were about $830 million, and fiscal year 1998 costs were over $2.7 billion. These reported costs, however, still represent less than half of the total Year 2000 costs of $8.7 billion estimated last month by the 24 major departments and agencies.
---------------------------------------------------------------------------
\12\ One agency also reported Year 2000 costs that were prior to fiscal year 1996.
---------------------------------------------------------------------------

While federal agencies reported that their Year 2000 costs from fiscal years 1996 through 1998 were over $3 billion, some agencies reported actual costs while others reported some costs as actual and others as estimates; still others reported just estimates. In particular, at the time of our report,\13\ of the 24 major departments and agencies, 7 reported that their fiscal years 1996 through 1998 costs were actual (3 used financial management systems while 4 used reports from component entities to track costs), 5 reported that some costs were actual while others were estimates (e.g., contract costs were actual while labor costs were estimates), 9 reported that they did not separately track actual costs for fiscal years 1996 through 1998, and 3 did not provide information on cost tracking.
---------------------------------------------------------------------------
\13\ GAO/AIMD-99-154, April 28, 1999.
---------------------------------------------------------------------------

With respect to the nine major agencies that reported not separately tracking actual costs for fiscal years 1996 through 1998, at least three cited as a reason that they were not required to do so. For example, the Department of the Interior reported that aside from the 1999 Y2K Supplemental Funding, the Department has never tracked Y2K funding separately from other appropriated funds, as there has never been any requirement to do so.
With respect to tracking of actual costs associated with the emergency funding, five of the nine agencies that reported estimated costs for fiscal years 1996 through 1998 reported that they were tracking, or planned to track, actual costs associated with the emergency funding allocation (the other four agencies did not address whether they were tracking these funds or had not received emergency allocations).

While agencies may not be required to track actual costs of Y2K activities, we believe that the criticality of Year 2000 activities and the significance of the costs--hundreds of millions of dollars in some cases--indicate that prudent management practices warrant cost tracking. Specifically, our enterprise readiness guide \14\ states that agencies' Year 2000 program management staff should be able to track the cost and schedule of individual Year 2000 projects.
---------------------------------------------------------------------------
\14\ GAO/AIMD-10.1.14, September 1997.
---------------------------------------------------------------------------

emergency funds to be used for a variety of purposes

With agencies' estimates of Y2K costs increasing dramatically and with limited time remaining to complete needed actions, many agencies requested emergency funds in fiscal year 1999. Thirty-nine civilian agencies and the District of Columbia have requested--and received--emergency funding for a variety of uses, as shown in figure 4.

[GRAPHIC] [TIFF OMITTED] T14JU22S.003

Note: The other category primarily includes funds for replacement of personal computers and network hardware and software. In their justifications, some organizations said the personal computers and network hardware and software could not be upgraded to be Y2K compliant, and in other cases they determined that it would not be economical to upgrade obsolete equipment.
In addition, the total amount in this chart does not equal the total amount allocated because the justification data from two organizations did not equal the total allocations reported by OMB.
Source: GAO analysis based on agency justifications.

In its response to our request, the Department of Defense reported that it is targeting almost $525 million for testing, about $262 million for contingency planning, and $148 million for operational evaluations.

According to their justification submissions to the Congress and OMB, three categories of reasons emerged to explain organizations' requests for emergency funds: (1) new requirements that had not been planned for fiscal year 1999, (2) cost increases to complete ongoing Y2K activities, and (3) the unavailability of regular appropriations for planned Y2K work.

New requirements included outreach and independent verification and validation (IV&V) (cited by 24 organizations), and decisions to replace personal computers and network hardware and software (cited by 23 organizations)--activities not initially in agencies' fiscal year 1999 plans. For example, the Department of Commerce requested about $32 million for IV&V and $25 million for outreach activities not previously anticipated.

Costs for ongoing Y2K activities also increased for 25 organizations, beyond the fiscal year 1999 projections on which budget requests were based. For instance, HHS' Health Care Financing Administration (HCFA) requested over $28 million for IV&V activities because such work had increased beyond the level planned for fiscal year 1999. The Department of Energy requested just under $14 million to accelerate renovation, validation, and implementation.

Finally, in several cases, agencies reported that their budget requests were reduced and Year 2000 emergency funding was utilized to help make up the difference, even though not all of the activities in the original budget request were Y2K-related.
While no legislative or statutory requirements explicitly provide for the use of emergency funds as an alternative to general appropriations, the House-Senate conference report on Treasury and Department of State appropriations for fiscal year 1999 acknowledges the need for additional monies to achieve Y2K compliance, and part of the Treasury and General Government Appropriations Act permits use of Treasury funds to achieve Y2K compliance until * * * supplemental appropriations are made available * * *.

costs for fiscal year 2000 and beyond

In May 1999, the 24 major departments and agencies estimated their fiscal year 2000 costs for Y2K activities at about $981 million--almost a nine-fold increase from the original fiscal year 2000 estimate of about $111 million provided in February 1997. In addition, in their May 1999 quarterly reports to OMB, three agencies estimated that they would incur about $127.4 million in Year 2000 costs beyond fiscal year 2000.\15\ During our work for the House Majority Leader, we asked agencies whether they expected to have Year 2000 costs beyond those projected in their budgets. HHS was the only agency that identified a specific need: it reported that it had begun to identify possible Y2K needs of grantees.
---------------------------------------------------------------------------
\15\ The vast majority of these costs were reported by the Department of the Treasury, which reported that the Internal Revenue Service's Y2K costs after fiscal year 2000 would be about $125 million.
---------------------------------------------------------------------------

Determining the extent of continued Y2K cost escalation is difficult because of many uncertainties; 10 agencies reported that they had not completed work on their mission-critical systems as of mid-May 1999, many agencies are still planning or undergoing end-to-end testing to ensure that data can be properly transferred and processed among systems, and much work with states and other partners remains. Key factors that could fuel additional cost increases include agencies' determining that they must implement business continuity and contingency plans, or the occurrence of other, unanticipated events due to the Y2K problem that must be addressed.

In August 1998, HCFA estimated, for example, that it would need between $311.2 million (most likely scenario) and $536.7 million (pessimistic scenario) to handle emergency situations that could result from the Y2K problem. HCFA reported that the types of activities that these funds would be needed for included (1) unforeseen software, hardware, and telecommunications failures, (2) increased paper claims due to provider or billing companies' inability to transmit electronically, and (3) claims reprocessing to correct erroneous payments. HHS' August 1998, November 1998, February 1999, and May 1999 quarterly reports to OMB included the $311.2 million in contingent HCFA costs in its Year 2000 cost estimate. HHS reported to us that it had requested about $165 million for Y2K activities in its fiscal year 2000 budget request--the amount it estimated that it needed to fund other Year 2000 activities, excluding the implementation of HCFA contingency plans. Consistent with this, OMB has not included HCFA's contingency costs when reporting Y2K costs.

Other agencies could also have higher costs if business continuity and contingency plans need to be implemented.
For example, the Department of Education's May 1999 quarterly report stated that it planned to estimate the cost to implement its contingency plans in the next few months and that these estimates would be likely to increase its fiscal year 2000 and overall Y2K cost estimates. Similarly, the Office of Personnel Management's May 1999 quarterly report said that it would continue to evaluate the need for additional Y2K-related funding for business continuity and contingency plan implementation and will advise OMB of those requirements.

Our guide on business continuity and contingency planning calls on agencies to assess the cost and benefits of identified alternatives.\16\ In its May 13 memo requiring agencies to submit high-level business continuity and contingency plans on June 15, OMB stated that agencies should follow our guide in preparing these plans. Accordingly, OMB's review of these plans should consider whether agencies provided estimated business continuity and contingency plan costs. If not, OMB needs to require that this information be provided expeditiously so that it can provide the Congress with information on potential future funding needs.
---------------------------------------------------------------------------
\16\ GAO/AIMD-10.1.19, August 1998.
---------------------------------------------------------------------------

Additional costs could also be incurred if some states do not complete their Year 2000 work on systems that support federal programs, such as food stamps and Medicaid. Recent information indicates that some state systems are not scheduled to be compliant until the last quarter of 1999. For example, according to OMB's latest quarterly report dated June 15, 1999, three states or U.S. territories did not expect to complete testing of their food stamp systems and four states or U.S. territories did not expect to complete testing of their Medicaid eligibility systems until the last quarter of 1999.
Because these deadlines are so close to the turn of the century, the risk of disruption to these states' and territories' programs substantially increases, especially if delays occur or if unexpected problems arise.

If states do not complete their Year 2000 remediation in time, or if those remediation efforts fail, the states would have to implement their business continuity and contingency plans, which could encompass federal government assistance. An example of such assistance is the Department of Labor's April 2, 1999, emergency funding request of $274,000 to design and develop a prototype PC-based system to be used in the event that a state's unemployment insurance system is unusable due to a Y2K-induced problem. In addition, many state-administered federal programs, such as Medicaid and child support enforcement, require the federal government to reimburse states for a percentage of their administrative costs, which would be expected to increase in the event that business continuity and contingency plans are implemented.

program and information technology initiatives delayed by y2k

While making systems ready for the year 2000 has been an enormous job, other program and information technology needs have not disappeared; in fact, they continue to grow. In particular, because of the Year 2000 problem, agencies or the Congress have delayed implementation of regulatory requirements and planned information technology initiatives. In addition, many agencies have implemented or plan to implement moratoriums on software changes until some time after the rollover to the new century. For example:

--In July 1998, HCFA notified the Congress of its intention to delay implementation of certain provisions of the Balanced Budget Act of 1997 that would have required changes to systems on which Year 2000 modifications were being made.
As of June 16, 1999, HCFA had delayed work on seven provisions, in whole or in part, associated with this act in order to meet the Year 2000 challenge. In addition, HCFA reported that it had delayed another information technology initiative because it would have caused an unacceptable resource drain from the Year 2000 effort. According to a HCFA official, the agency is in the process of carefully examining all of the work associated with the Balanced Budget Act of 1997 provisions and the other initiative in order to make decisions as to the order and time frames in which each will be accomplished after the Y2K effort.

--As we reported last year, the level of effort required for the Internal Revenue Service (IRS) to make its information systems compliant is without precedent.\17\ Accordingly, as the Senate was debating the IRS Restructuring and Reform Act of 1998, the IRS Commissioner provided the Joint Committee on Taxation with a listing of 28 provisions that given their effective dates, could affect IRS' ability to complete its Y2K work as planned. The final act extended the effective dates for 13 of the 28 provisions about which IRS had expressed concern.
---------------------------------------------------------------------------
\17\ Internal Revenue Service: Impact of the IRS Restructuring and Reform Act on Year 2000 Efforts (GAO/GGD-98-158R, August 4, 1998).
---------------------------------------------------------------------------

--Some agencies have delayed planned information technology initiatives in order to concentrate on their Year 2000 efforts. In December 1998 we reported that the Department of Housing and Urban Development suspended systems integration work on three mission-critical systems so that the department could focus its resources on completing Y2K renovations.\18\ Also, in September 1998, the Department of State imposed a moratorium on non-Year 2000-related system development projects to focus scarce resources on Y2K remediation.
---------------------------------------------------------------------------
\18\ HUD Information Systems: Improved Management Practices Needed to Control Integration Cost and Schedule (GAO/AIMD-99-25, December 18, 1998).
---------------------------------------------------------------------------

--A backlog of system modifications will have to be addressed subsequent to the change of century. In response to our January 1999 suggestion,\19\ OMB issued a memorandum in May stating that agencies should follow a policy that allows system changes only where absolutely necessary because such changes can introduce additional risk into systems that have already been certified as Y2K compliant and could divert resources from other Year 2000 efforts. Accordingly, at least six agencies have established, or plan to establish, moratoriums or restrictions on system changes during parts of 1999 and early 2000.
---------------------------------------------------------------------------
\19\ Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid Major Disruptions (GAO/T-AIMD-99-50, January 20, 1999).
---------------------------------------------------------------------------

The total governmentwide volume of program and information technology activities delayed by Y2K efforts is not known; therefore, the potential demand for additional information technology resources in the future is difficult to predict. However, the costs of these delayed activities could be significant. Accordingly, OMB will need to work with the agencies to determine the magnitude of these pent-up demands in order to make informed funding decisions in the future.

In addition to these demands, increased resources will likely be needed for another key issue that has been garnering increased attention--information security. This issue has many dimensions, ranging from national security to economic disruption to privacy considerations.
As we reported in September 1998, the expanded amount of audit evidence that has become available since mid-1996 describes widespread and serious weaknesses in adequately protecting federal assets, sensitive information, and critical operations.\20\ These weaknesses place critical government operations, such as national security, tax collection, and benefit payments, as well as assets associated with these operations, at great risk of fraud, disruption, and inappropriate disclosures. Further, as we testified in September 1998, the Year 2000 crisis is the most dramatic example yet of why we need to protect critical computer systems because it illustrates the government's widespread dependence on information systems and our vulnerability to their disruption.\21\
---------------------------------------------------------------------------
\20\ Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92, September 23, 1998).
\21\ Information Security: Strengthened Management Needed to Protect Critical Federal Operations and Assets (GAO/T-AIMD-98-312, September 23, 1998).
---------------------------------------------------------------------------

Because of the longer-term danger of malicious attack from individuals or groups, it is important that the government design long-term solutions to this and other security risks. Accordingly, in response to recommendations by the President's Commission on Critical Infrastructure Protection, Presidential Decision Directive 63 was issued in May 1998, which, among other provisions, required federal agencies to develop plans for protecting their own critical infrastructure, including cyber-based systems. These plans are currently undergoing review by the Critical Infrastructure Assurance Office, which was established by the Presidential Directive.

lessons learned from the government's year 2000 efforts can be applied to future information technology activities

Throughout government--and likely in the private sector as well--organizations' experiences in addressing Y2K hold valuable lessons about how information technology can best be managed. For many agencies, the threat posed by the Year 2000 problem was a much-needed wake-up call. Because of the urgency of the issue, agencies could not afford to carry on in the same manner that had resulted in over a decade of poor information technology planning and program management. Accordingly, lessons learned from the Year 2000 challenge should be applied to agencies' implementation of the Clinger-Cohen Act of 1996 which, in part, seeks to strengthen executive leadership in information management and institute sound capital investment decision-making to maximize the return on information systems investments. Indeed, the Department of Defense has reported that its response to the Year 2000 problem has become an example of an enterprisewide approach to information technology management advocated by the Clinger-Cohen Act of 1996. It is important that agencies institutionalize the processes that they have established to contend with the Year 2000 problem so that future information technology initiatives benefit from this massive effort.

Year 2000 programs provided agencies with the incentive and opportunity to assume control of their information technology environment. In many instances, it forced agencies to inventory their information systems, link those systems to agency core business processes, and jettison systems of marginal value.
For example, in response to recommendations in our August 1998 report, the Department of State is in the process of identifying its core business functions and determining the relative importance of each function.\22\
---------------------------------------------------------------------------
\22\ Year 2000 Computing Crisis: State Department Needs To Make Fundamental Improvements To Its Year 2000 Program (GAO/AIMD-98-162, August 28, 1998).
---------------------------------------------------------------------------

Earlier this year we also reported \23\ that the Year 2000 problem provided the opportunity to institutionalize valuable lessons, such as the importance of consistent and persistent top management attention, accompanied by reliable processes and reasonable controls. More specifically, complete and accurate inventories of information systems can facilitate remediation, testing, and validation activities. Information gained from identifying and prioritizing mission-critical systems can further be used to identify and retire duplicative or unproductive systems, and work that has been done to identify and establish controls over data interfaces can help prevent data exchange problems in the future. Similar lessons have been learned at the state level, according to three state Year 2000 project managers. Other critical success factors cited by one of these project managers that could be used in future information technology initiatives are the need to measure performance, outline responsibilities, and ensure accountability.
---------------------------------------------------------------------------
\23\ Defense Information Management: Continuing Implementation Challenges Highlight the Need for Improvement (GAO/T-AIMD-99-93, February 25, 1999) and Year 2000 Computing Crisis: Defense Has Made Progress, But Additional Management Controls Are Needed (GAO/T-AIMD-99-101, March 2, 1999).
---------------------------------------------------------------------------

Another benefit of the Year 2000 effort was the establishment of much-needed information technology policies. Our Year 2000 enterprise readiness guide \24\ called on agencies to develop and implement policies, guidelines, and procedures in such critical areas as configuration management, quality assurance, risk management, project scheduling and tracking, and metrics. Several agencies have implemented such policies. For example:
---------------------------------------------------------------------------
\24\ GAO/AIMD-10.1.14, September 1997.
---------------------------------------------------------------------------

--In April 1999, we reported that according to Postal Service officials, the service is implementing improved processes for documenting software, testing, quality control, and configuration management.\25\
---------------------------------------------------------------------------
\25\ U.S. Postal Service: Subcommittee Questions Concerning Year 2000 Challenges Facing the Service (GAO/AIMD-99-150R, April 23, 1999).
---------------------------------------------------------------------------

--As part of its Year 2000 effort, HCFA has implemented policies and procedures related to configuration management, quality assurance, risk management, project scheduling and tracking, and performance metrics for its internal systems.

--As we testified in February, the Customs Commissioner has committed to leveraging the agency's Year 2000 experience by extending the level of project management discipline and rigor being employed on the year 2000 to other information technology programs and projects.\26\
---------------------------------------------------------------------------
\26\ Year 2000 Computing Crisis: Customs Is Effectively Managing Its Year 2000 Program (GAO/T-AIMD-99-85, February 24, 1999).
---------------------------------------------------------------------------

Beyond individual agencies, the Year 2000 problem holds lessons in overseeing and managing information technology on a governmentwide basis. In particular, actions taken by the Congress and the Chief Information Officers Council have demonstrated that effective oversight and guidance can have a positive influence on major information technology efforts. Congressional oversight played a crucial role in focusing OMB and agency attention on the Y2K problem. In addition, congressional hearings on international, national, governmentwide, and agency-specific Year 2000 problems exposed the threat that this problem poses to the public. The Chief Information Officers Council has proved useful in addressing governmentwide issues through its Year 2000 Committee; this committee and its subcommittees have dealt with important issues such as best practices, telecommunications, and data exchanges. Continued oversight and guidance from the Congress and the Chief Information Officers Council will be essential to ensuring the future effectiveness of information technology initiatives.

Another lesson that could be adopted in the future is the use of public/private partnerships. To address the Year 2000 problem from a national perspective, the President's Council on Year 2000 Conversion adopted a sector-based focus and has been initiating outreach activities since it became operational last spring. As a result, the Council and federal agencies have partnered with private-sector organizations, such as the North American Electric Reliability Council, to gather information critical to the nation's Year 2000 efforts and to address issues such as contingency planning. In addition, the Chair of the Council has formed a Senior Advisors Group composed of representatives from private-sector firms across key economic sectors.
Members of this group are expected to offer perspectives on crosscutting issues, information-sharing, and appropriate federal responses to potential Year 2000 failures. Other major information technology areas, such as information security, could benefit from such an approach.

In summary, it is clear that Year 2000 expenditures have been significant, sometimes unpredictable, and growing. Emergency supplemental funds are planned for a variety of purposes, including renovation, validation, and implementation of individual systems and the independent verification and validation of these systems. Moreover, Y2K cost growth may continue, especially if business continuity and contingency plans must be put into operation or if state-administered federal program remediation efforts are not completed. While correcting the Y2K problem has been and continues to be costly, the experiences of individual agencies and the government as a whole in meeting this challenge have provided a renewed and needed focus on information systems. We have come to realize how much we depend on them, and have been reminded of how they must be well-managed. As we attempt to meet future information technology and security challenges, these lessons should not be lost.

Messrs. Chairmen, this completes my statement. I would be happy to respond to any questions that you or other members of the Committees may have at this time.

contact and acknowledgments

For information about this testimony, please contact Joel Willemssen at (202) 512-6253 or by e-mail at willemssenj.aimd@gao.gov. Individuals making key contributions to this testimony included Michael Fruitman, James Hamilton, James Houtz, Linda Lambert, Michael Tovares, and Daniel Wexler.

Appendix I.--Organizations Receiving Emergency Allocations (as of May 1999)

[In thousands]

Organization                                            Amount allocated
Department of the Treasury....................................  $602,223
Department of Health and Human Services.......................   323,858
Department of Transportation..................................   192,789
Department of Justice.........................................    84,396
Department of the Interior....................................    80,347
Department of State...........................................    64,918
District of Columbia..........................................    64,049
Department of Commerce........................................    57,920
General Services Administration...............................    48,407
Department of Agriculture.....................................    46,168
Executive Office of the President--Office of Administration...    29,791
Department of Energy \1\......................................    23,840
Department of Labor...........................................    17,792
Department of Housing and Urban Development...................    12,200
Agency for International Development..........................    10,200
United States Information Agency..............................     9,562
Federal Communications Commission.............................     8,516
Securities and Exchange Commission............................     8,175
Federal Emergency Management Agency...........................     7,352
National Archives and Records Administration..................     6,662
Small Business Administration.................................     4,840
Smithsonian Institution.......................................     4,801
Department of Education.......................................     3,846
Federal Trade Commission......................................     2,599
Office of Personnel Management................................     2,428
Overseas Private Investment Corporation.......................     2,100
United States Holocaust Memorial Council......................       900
Corporation for National and Community Service................       800
Executive Office of the President--Office of the U.S. Trade
  Representative............................................       498
Export-Import Bank of the United States.......................       400
Railroad Retirement Board.....................................       398
National Capital Planning Commission..........................       381
Commodity Futures Trading Commission..........................       356
Selective Service System......................................       250
Federal Labor Relations Authority.............................       243
African Development Foundation................................       137
Office of Special Counsel.....................................       100
Merit Systems Protection Board................................        66
Architectural and Transportation Barriers Compliance Board....        60
Marine Mammal Commission......................................        38
------------------------------------------------------------------------
      Total civil agencies.................................... 1,724,406
Department of Defense.........................................   935,000
------------------------------------------------------------------------
      Total allocations....................................... 2,659,406

\1\ This amount does not include $13.65 million that was allocated to the Department of Energy but was not transferred.

Source: OMB.
---------------------------------------------------------------------------

Statement of Jacob J. Lew

Chairman Bennett. Mr. Lew, let's go to you now.

Mr. Lew. Thank you, Mr. Chairman, Senator Stevens. I am delighted to be here with you this morning. I appreciate the invitation to testify on the progress the Federal Government has made in addressing the year 2000 problem. As you well know, this is a problem that potentially has enormous implications for our Nation.
I am very pleased we have been able to work together, and I want to thank Senator Stevens in particular for the cooperation on working to make sure that the funding was in place to make sure that Y2K, as the President has said, will be remembered as the last headache of the 20th Century and not the first crisis of the 21st.

I would like to address three topics today: First, the Federal progress in addressing the Y2K challenge; second, Federal agency costs and funding for these efforts; and third, the next steps to assure that Federal programs that people depend on will not be disrupted.

As you know, last week I sent both committees OMB's ninth quarterly report on Federal agency progress in addressing the Y2K problem. That report shows that Federal agencies continue to make excellent progress in addressing the challenge.

Ninety-three percent of the Federal Government's mission-critical systems are now compliant, which is an increase from 79 percent reported in February. Fourteen of the 24 major Federal departments and agencies now report that they have 100 percent of their mission-critical systems Y2K-compliant, and 9 are over 90 percent.

This progress is attributed to the hard work of thousands of Federal employees and contractors and, I might add, to the rapid and timely availability of funding through the contingent emergency reserve. I would like to thank the committees for ensuring Federal agencies have had adequate funds to address Y2K remediation to date.

While much work remains to be done, we fully expect that all of the Government's mission-critical systems will be Y2K-compliant before January 1, 2000. For some time, fixing the Y2K problem has been the agency's number one information technology priority. Additionally, agencies are minimizing any kind of changes to their systems that are not related to Y2K in order to ensure that they will be able to maintain the schedules that they have set.
Based on guidance that we sent out just last month, agencies are using change management processes to ensure that any new IT requirement changes and system changes are minimized while they are completing dealing with the Y2K problem. This effort will ensure that agencies set realistic goals for the completion of their work, and will enable them and us to measure their progress against their own goals. As I said, we are confident that every mission-critical system will be ready for the year 2000. As you know, last September, the administration requested a fiscal year 1998 supplemental appropriation for $3,250 million in contingency emergency funding to address urgent emerging needs related to Y2K activities. The 1999 omnibus bill provided contingent funding of $2.25 billion for nondefense activities and $1.1 billion for defense-related activities. OMB is responsible for allocating the nondefense contingent emergency reserve and for working with the Department of Defense (DOD) on its share as well. To date, $1,768 million has been allocated from the nondefense reserve, and $14 million has been returned to the reserve at the request of the House Appropriations Committee. Therefore, $486 million remains in the reserve for unforeseen requirements. Of the $1.1 billion provided for defense-related activities, $935 million has been released, and $165 million remains in the reserve. OMB has worked with the agencies on an ongoing basis to evaluate the total Y2K requirements and to determine how to best utilize available nondefense funding for Y2K. First, OMB made certain that agencies received funding for activities that were requested in the President's fiscal year 1999 budget, but were directed to be funded from the contingent emergency reserve. As you know, there were a number of specifically mentioned items. Since then, agencies have been asked to forward requests for contingent emergency funding on an as-needed basis. 
These requests were then reviewed by OMB to ensure that the requested funding meets the criteria for release. First, that the funding is Y2K-related, and is the most cost-effective option to facilitate compliance; second, that it addresses an unforeseen need, not one accounted for within existing agency plans; and, third, that it cannot be accommodated within appropriated levels for fiscal year 1999. Finally, that they cannot be addressed using unobligated balances of already-released Y2K funds. Once the funds are allocated, OMB tracks the Y2K-related expenditures to confirm that appropriate progress is being made, and that each agency can cogently explain its cost levels and cost changes. All agencies that received emergency funding have forwarded data on obligations to date to OMB, and this data has informed our consideration of subsequent emergency requests. In the first OMB quarterly report issued in February 1997, we estimated that the cost of Y2K compliance would be $2.3 billion. Initially, it was thought that fixing the problem would primarily involve mainframe computers and legacy applications. However, as we and others learned in the course of remediation, the problem is far more complex, involving desktop personal computers, embedded chips, and telecommunications components. Cost increases from the first to the fourth OMB quarterly report--that would be through March 1998, totalling $2.4 billion--resulted from better understanding of the scope of the problem and increasing agency attention to the cost estimates. Since the broader universe of Y2K remediation was clearly established, costs have remained within a much more predictable band. From the fourth OMB quarterly report in March 1998, to the ninth OMB quarterly report just this month, cost reports reported change by 4.7 percent of the 3-year total. Of this, estimates for defense have changed by 3.6 percent of the 3-year total. 
The increase in fiscal year 1999 funding, $2.8 billion between the fourth and ninth OMB quarterly reports, has reported activities that have been subjected to a rigorous policy review. Most of the cost increases can be attributed to specific activities, remediation of information technology systems, testing to ensure that systems are Y2K compliant, replacement of embedded computer chips, and creation and verification of business continuity plans.

Fiscal year 2000 costs, which have increased by $509 million over the same period, are primarily for Y2K project offices to manage and monitor the transition into 2000, as well as for retesting and recertifying contingency plans. The details of agency spending plans continue to be made available for your review as the process moves forward.

Most of the work on fixing mission-critical systems is completed, so OMB will focus its system-readiness on ensuring the readiness of individual systems. In addition, OMB and the agencies are beginning to focus on two new priorities: ensuring the readiness of Federal programs, particularly 43 high-impact programs that we have identified, and planning for business continuity and contingencies.

We must make sure that the Federal programs, particularly those that have a direct and immediate effect on health, safety and well-being of the public, function smoothly. As I have just related to you, we are confident that the mission-critical systems will be ready, but because Federal programs partner with other entities, it is critically important that all partners are working together to ensure that the programs they support will be ready.

The critical task is to make sure that not just systems but the programs they support will be ready. Accordingly, I have asked agencies to take this additional step.
OMB has also identified 43 high-impact, federally supported programs, and directed Federal agencies to take the lead on working with others to ensure that programs critical to health, safety, and well-being will provide uninterrupted service. Agencies have also been asked to help partners develop year 2000 plans if they have not already done so to ensure that these programs will operate effectively. Agencies are reporting to us monthly, and will demonstrate the readiness of each program by September 30, 1999.

Although we expect all Federal mission-critical systems to be ready by January 1, 2000, it is still important that every agency, no matter how well-prepared, have a business continuity and contingency plan in place. Agencies have identified their core business functions and are using this as a basis for developing business continuity and contingency plans which will ensure that these core business functions will operate smoothly no matter what kinds of glitches occur in agency systems or with agency partners.

Let me make it clear, we do not anticipate disastrous consequences as a result of the year 2000 computer problem in Federal systems. However, it is possible there will be problems that result in minor disruptions to the way agencies operate. Agencies are prioritizing functions and systems and work-arounds and backup plans are being established as contingencies.

On May 13, I issued guidance on this subject, asking all agencies, including small and independent agencies, to submit to OMB by June 15 their business continuity and contingency plans. These plans are an increasingly important component of agency progress. Like a good insurance policy, a sound plan is important no matter how well you are taking care of your system.

I have directed agencies to use the GAO guidance in preparing their plans. Additionally, many agencies are working closely with their inspectors general and their expert contractors in the development and testing of these plans.
OMB is reviewing the high-level business continuity and contingency plan (BCCP) of agencies and will provide feedback and guidance to the agencies on an individual basis.

In conclusion, during the 192 days remaining before the year 2000, we plan to complete work on the remaining mission-critical systems and on other Federal systems. We will conduct end-to-end testing with the States and other key partners, placing special emphasis on the readiness of programs that have a direct and immediate impact on public health, safety, and well-being. We will complete and test business continuity and contingency plans as insurance against any disruptions related to Y2K failures. We will promote Y2K awareness with State, local, and tribal governments with the private sector and with other nations.

prepared statement

Again, I want to thank you for the opportunity for allowing me to share this information with you. The administration continues to treat this challenge with the high level of attention that it deserves. We have enjoyed the cooperative relationship that we have had with this committee and with the Appropriations Committee to work together on this problem. Thank you.

[The statement follows:]

Prepared Statement of Jacob J. Lew

Good morning, Chairman Stevens, Chairman Bennett, Senator Byrd, and Senator Dodd. I am pleased to appear before the Committees to discuss the Federal Government's progress in addressing one of the most complex management challenges it has ever faced, the year 2000 problem. The Federal Government is not alone in addressing this challenge, as the Senate wisely recognized last year when it formed the Senate Special Committee on the Year 2000 Technology Problem. This is a problem with potentially enormous implications for our Nation.
Every sector of our economy and all organizations large and small must work together so that we can, as the President said in his State of the Union Address, make sure that the Y2K computer bug will be remembered as the last headache of the 20th century, not the first crisis of the 21st.

Today, I would like to address three topics. First, I will describe Federal progress in addressing the Y2K challenge. Second, I will discuss Federal agency costs and funding for these efforts. Third, I will describe our next steps to assure that Federal programs that people depend upon will not be disrupted. These next steps include focusing on completion of individual systems, ensuring the readiness of Federal programs, and completion of business continuity and contingency plans.

federal progress

As you know, the Federal Government has been working for more than three years on this problem. Last week I sent to Congress OMB's ninth quarterly report on Federal agency progress in addressing the Year 2000 problem. That report shows that Federal agencies continue to make excellent progress in addressing this challenge. In particular, it shows that 93 percent of the Federal Government's mission critical systems are now compliant, an increase from 79 percent reported in February.

Fourteen of the 24 major Federal departments and agencies now report that 100 percent of their mission critical systems are Y2K compliant. These agencies are: the Departments of Education, Housing and Urban Development, Interior, Labor, State, and Veterans Affairs; the Environmental Protection Agency, the Federal Emergency Management Agency, the General Services Administration, the National Science Foundation, the Nuclear Regulatory Commission, the Office of Personnel Management, the Social Security Administration, and the Small Business Administration. In addition, two agencies, Commerce and NASA, report that 99 percent of their mission critical systems are compliant and that they expect to be finished soon.
Three agencies, the Departments of Agriculture, Energy, and Health and Human Services, are between 96 and 97 percent compliant. Four agencies report that between 90 and 94 percent of their mission critical systems are compliant, including the Departments of Justice and Transportation at 92 percent. The Department of Defense reports that 87 percent of its systems are compliant, while the U.S. Agency for International Development has completed implementation of three of its seven mission critical systems. From a base of 6,190 mission critical systems at this time, 410 mission critical systems remain to be finished, down from 1,354 in the last report. The compliant systems include those that have been repaired or replaced as well as systems that were already compliant. Of the mission critical systems that remain to be finished, 87 (82 percent) are being repaired, 35 (10 percent) are being replaced, and 24 (eight percent) are being retired. We are monitoring the completion of each remaining system through monthly reports from the agencies. This progress is a tribute to the hard, skillful, and dedicated work of thousands of Federal employees and contractors. Moreover, the rapid availability of funds through the contingent emergency reserve has been key to ensuring progress. I would like to thank the Committees for ensuring that Federal agencies will not fail to meet the Year 2000 deadline because of lack of adequate funding. While much work remains to be done, we fully expect that all of the Government's mission critical systems will be Y2K compliant before January 1, 2000. For some time, fixing the Year 2000 problem has been the agencies' number one information technology (IT) priority, as other IT projects are being delayed until the Y2K work is done. This action has been managed throughout OMB's budget process. 
Additionally, agencies are minimizing any kind of changes to their systems unrelated to Y2K in order to ensure that they will be able to maintain the schedules they have set for completion of their work. Changes not only divert resources from fixing the Y2K problem, but may also undo Y2K fixes. Based on guidance I issued on May 14, 1999, ``Minimizing Regulatory and Information Technology Requirements,'' (M-99-17), agencies are using change management processes to ensure that new IT requirements or changes to IT systems are minimized. Again, this effort will ensure that agencies set realistic goals for the completion of their work and will enable them--and us--to measure their progress against their own goals. Agencies are working hard to finish fixing their systems, and we are confident that every mission critical system will be ready for the year 2000.

y2k costs and funding

First and foremost, I want to recognize that the transition into the Year 2000 has posed a unique challenge. Formulating the Federal response has required a great deal of attention, hard work, and flexibility. In advance of my more detailed comments on this subject, let me thank you for all of your work and leadership in helping to ensure that sufficient funds are available in a timely manner to address Y2K remediation. As we have scrutinized agency requests and funded the most critical ones, the utility of this funding mechanism has been proven many times. Simply put, without such a fund, many Federal agencies would not be nearly as far along in their efforts as they are today.

I would also like to emphasize that the Administration's strategy for monitoring Government-wide progress on Y2K has been predicated on agency accountability. We have systematically monitored agency progress using a range of performance measures--compliance of mission critical systems, status of mission critical systems being repaired, progress on high impact programs, etc., as well as agency Y2K cost estimates.
These measures are linked, and together provide the most accurate picture of the Government's overall readiness. On a quarterly basis (or more frequently, if needed), agencies have been required to update OMB on their Y2K progress and to explain all significant changes in these measures. We have tried to strike the appropriate balance to ensure agency accountability without diverting vital resources from Y2K compliance activities to reporting requirements.

In addition, the Administration has tried to be as forthright as possible in sharing information about Y2K readiness. OMB has directed that agency quarterly reports and detailed spending plans be forwarded to Congress, and we have appreciated your input as we have worked together to address the challenge posed by Y2K.

As you know, last September the Administration requested a fiscal year 1998 supplemental appropriation for $3.25 billion in contingent emergency funding to address urgent, emerging needs associated with Y2K conversion activities. This request was consistent with Senate action to that point. The Omnibus bill provided contingent emergency funding of $2.25 billion for non-defense activities and $1.1 billion for defense-related activities for Y2K computer conversion.

As you also know, OMB is responsible for allocating the non-defense contingent emergency reserve. To date, $1.768 billion has been allocated from the non-defense reserve, and $14 million has been returned to the reserve at the request of the House Appropriations Committee. Therefore, $496 remains in reserve for unforeseen requirements. Of the $1.1 billion provided for defense-related activities, $935 million has been released and $165 million remains in reserve.

In order to determine how to best utilize all available non-defense funding for Y2K--both base appropriations and emergency funding--OMB has worked with agencies on an ongoing basis to evaluate total Y2K requirements.
First, OMB made certain that agencies received funding for activities that were requested in the President's Fiscal Year 1999 Budget, but were directed to be funded from the contingent emergency reserve. Since then, agencies have been asked to forward requests for contingent emergency funding on an as-needed basis. These requests are then reviewed by OMB examiners from both the Resource Management Offices (RMOs)--liaisons to the individual agencies--and analysts from our Information Policy and Technology Branch. In combination, they review these requests to ensure that requested funding is:

--Y2K-related and is the most cost-effective option to facilitate compliance.

--Addresses an unforeseen need, not one accounted for within existing agency plans.

--Cannot be accommodated within appropriated levels for fiscal year 1999.

--Cannot be addressed using unobligated balances of Y2K emergency funding.

In some cases, funds have also been requested to support outreach to non-Federal entities in support of the efforts of the President's Council on Year 2000 Conversion.

Once reviewed and discussed with the affected agency, OMB staff make recommendations to OMB policy officials. These levels are then finalized and included in an emergency release. As you know, pursuant to last Omnibus Act, detailed information on each affected agency's spending plan, as well as an account-by-account breakdown of the request as a whole, is provided to your and other Committees. The funds in the release are not made available to the agencies until 15 days after the transmittal.

Once the funds are allocated, each Resource Management Office has been tasked with tracking the Y2K-related expenditures for the agencies it oversees, including emergency expenditures. At a minimum, the RMOs review the agency quarterly report to confirm that appropriate progress is being made and that each agency can cogently explain its cost levels and cost changes.
Then, depending on an agency's status, RMOs have used different methods to track Y2K-related spending. All agencies that have received emergency funding have forwarded data on obligations to date to their RMOs. This data has informed our consideration of subsequent emergency requests, and has resulted in several reprogramming requests rather than additional releases. For example, in the Department of Health and Human Services, we recently reprogrammed funds from HCFA to the Administration for Children and Families. More reprogramming actions may be forthcoming as agencies further refine their estimates for fiscal year 1999 and 2000. In addition, some RMOs monitor Y2K-related obligations and/or outlays on a more regular basis, and require detailed information on the expenditure of both base and emergency resources. Finally, because of their unique period of availability (fiscal year 1999-fiscal year 2001), emergency funds are very transparent in terms of budget execution. The RMOs have been given discretion in terms of treatment of both base and emergency funds in the apportionment process, as is OMB's general policy.

Your Committees have asked me to focus on the cost increases since the 1st OMB Y2K Quarterly Report, which was issued February 1997. In that report, the five year (fiscal years 1996-2000) Federal cost of Y2K was estimated at $2.3 billion. However, it is now clear that in the first quarterly report, we were not fully aware of the magnitude of the year 2000 problem. Initially, it was thought that fixing the problem would primarily involve mainframe computers and legacy applications. However, as we and others learned in the course of remediation, the problem was far more complex, involving desktop personal computers, embedded chips, and telecommunications components.
Cost increases from the 1st to 4th OMB Quarterly Report (through March 1998), totaling $2.4 billion, resulted from a better understanding of the scope of the problem and increasing agency attention on the cost estimates. It is important to note that until fiscal year 1999 agencies funded their year 2000 costs exclusively out of base appropriations. Prior to the availability of emergency funding, all cost increases were absorbed within agency operating budgets.

Since the broader universe of Y2K remediation was clearly established, costs have remained within a more predictable band. From the 4th OMB Quarterly Report (March 1998) to the 9th OMB Quarterly Report (June 1999), costs reported for fiscal years 1996-1998 changed by $164 million, or 4.7 percent of the three-year total. Of this, estimates for Defense have changed by $128 million, or 3.6 percent of the three-year total. Since last March, then, cost estimates for non-defense agencies for fiscal years 1996-1998 have changed by a little more than one percent.

The increase in fiscal year 1999 funding, $2.8 billion between the 4th and 9th OMB Quarterly Reports, has supported activities that have been subjected to the rigorous policy review that I have discussed. Most of the cost increases can be attributed to specific activities: remediation for information technology systems, testing to ensure that systems are Y2K compliant, replacement of embedded computer chips, and creation and verification of BCCPs. I am confident that this funding has helped to ensure that important Federal programs will have a smooth transition into the year 2000. Fiscal year 2000 costs, which have increased by $509 million over the same period, are primarily for Y2K project offices to manage and monitor the transition into 2000, as well as for retesting and recertifying contingency plans. The details of agency spending plans continue to be made available for your review as this process moves forward.
I would now like to turn to another issue that I have been asked to address: the difference between agency estimates and actual costs. I believe that this question stems from the cost table in each OMB Quarterly Report. In that table, past years (fiscal years 1996-1998) are characterized as estimates even though, as you know, the budgetary data for those years reflects actual expenditures. With OMB's approval, agencies have refined the universe of Y2K-related costs since fiscal year 1996. As an activity is added to the Y2K universe, we want to make certain that we are capturing the five-year cost of that activity. For example, a Department may not have reported embedded chip replacement as part of their initial Y2K estimate. However, they later received guidance to do so. In such a case, OMB has worked with the Department to verify that the multi-year cost of embedded chip replacement was being reported. If this required changing an estimate in a past fiscal year, agencies did so with OMB approval. At the same time, future year estimates may have been adjusted to account for newly recognized activities. Thus, although the budget data for fiscal years 1996-1998 are actuals, since recognition of the scope of the Y2K problem has changed over time, OMB has not asked for or characterized costs for those years as actuals. Another component of this issue is that Y2K-related expenses can be aggregated at a level below or above budget accounts. Y2K-related expenses are embedded in broader operating budgets. We have worked to ensure that we are capturing Y2K-related costs and that agencies are making defensible and standardized assumptions about these costs. Conversely, we are trying to filter out activities that were wholly planned for and would have been implemented regardless of Y2K. 
next steps

As I stated earlier, now that most of the work on fixing mission critical systems is completed, OMB will shift its focus from aggregate figures for system readiness to ensuring the readiness of individual systems. In addition, OMB and the agencies are beginning to focus on two new priorities.
--Ensuring the readiness of Federal programs, particularly 43 high impact programs that we have identified.
--Planning for business continuity and contingencies.

Ensuring the Readiness of Federal Programs

While we have made excellent progress in preparing our systems, we are not yet done. We must make sure that Federal programs, particularly those that have a direct and immediate effect on the health, safety, and well-being of the public, function smoothly. As I have just related to you, we are confident that critical systems will be ready. But because Federal programs partner with other entities, including other Federal agencies; State, Tribal, and local governments; banks; contractors; vendors; and other entities; it is critically important to ensure that all partners are working together to ensure that the program they support will be ready. The critical task is to make sure that not just systems, but the programs they support, will be ready.

Accordingly, on March 26, 1999, I asked agencies to take this next step. I also identified 42 ``high impact'' Federally supported programs and directed Federal agencies to take the lead on working with other Federal agencies, State, Tribal, and local governments, contractors, banks, and others to ensure that programs critical to public health, safety, and well-being will provide uninterrupted services. Examples include Medicare and Unemployment Insurance. The list was subsequently revised to include the National Crime Information Center at the Department of Justice, bringing the total to 43.
Agencies have also been asked to help partners develop year 2000 plans if they have not already done so to ensure that these programs will operate effectively. Such plans are to include end-to-end testing, developing complementary business continuity and contingency plans, and sharing key information on readiness with partner organizations and with the public. Agencies are reporting to us monthly and will demonstrate the readiness of each program by September 30, 1999. A table of the programs, including the partners agencies are working with, is included in last week's quarterly report.

Business Continuity and Contingency Planning

Although we expect all Federal mission critical systems to be ready by January 1, 2000, and although we are prepared to demonstrate the readiness of a number of critical programs, it is still important that every agency, no matter how well prepared, have a business continuity and contingency plan (BCCP) in place. Agencies have identified their core business functions and are using these as a basis for developing business continuity and contingency plans, which will ensure that these core business functions will operate smoothly, no matter what glitch may occur in an agency's systems or with an agency's partners.

While we are confident that the measures taken for Y2K compliance are sound, the chance remains that, despite testing, a bug may still slip through. Furthermore, elements beyond an agency's control are at risk from the Y2K problem as well. For example, bad data from a data exchange partner or the inability of a vendor to provide key supplies could disrupt work at an agency. Let me make it clear that we do not anticipate any disastrous consequences as a result of year 2000 computer problems in Federal systems. It is possible, and even likely in some situations, that there will be glitches in systems that result in minor disruptions to the ways that agencies operate.
Accordingly, for each core business function and its associated systems, agencies have identified risk factors, and assigned them a probability rating as well as an impact rating. The agencies use these ratings to prioritize functions and systems. Work-arounds and back-up plans are established as contingencies.

Although we do not expect any disasters, it is always wise to prepare for the worst. Since the 1970s, agencies have been required to have in place Continuity of Operations plans (COOP plans), to address such emergencies. In the event of a disaster, whether related to Y2K or to a national emergency, such as a terrorist attack or regional weather emergency such as a tornado or violent snowstorm, agencies are using their COOP plans to ensure that the agency will continue to function. I also asked agencies to ensure that the development of their BCCP was coordinated with pending revisions to each agency's COOP plan. Again, although we do not expect any kind of Y2K disaster, agencies are developing plans, in coordination with their BCCPs, to address this contingency.

On May 13, 1999, I issued guidance on this subject, ``Business Continuity and Contingency Planning for the Year 2000,'' (M99-16). This memorandum asked all agencies, including small and independent agencies, to submit to OMB by June 15 their business continuity and contingency plans (BCCPs). This memorandum also identified a number of infrastructure areas for which agencies should make common assumptions, such as electric power, financial services, and public voice and data communications. This common assumption is that there will be no nationwide disruptions within these infrastructure services. By setting these risk areas aside from agencies' business continuity and contingency planning, agencies are able to focus on ensuring that their core business functions and affiliated systems will work.
In the extremely unlikely event that a catastrophic emergency occurs that damages local infrastructure, communications, or the agency building itself--whether caused by Y2K, or by a natural disaster, terrorism, or war--the agency's COOP plan will address these contingencies. On the international side, the State Department is leading a working group of those agencies with employees overseas in order to develop risk assumptions and appropriate responses, to be used in the development and refinement of those programs' BCCPs.

BCCPs are an increasingly important component of agency progress. Like a good insurance policy, a sound plan is important, no matter how well you have taken care of your systems. To ensure quality and consistency, I have directed agencies to use the General Accounting Office's (GAO) guidance on this subject in preparing their plans. Additionally, many agencies are working closely with their Inspectors General and/or expert contractors in the development and testing of these plans. Finally, OMB is reviewing the high-level BCCPs of agencies, which were due June 15, and will provide feedback and guidance to the agencies on an individual basis.

Prepayment

As part of their contingency planning, some agencies have explored the possibility of making some payments in December that would otherwise be due in January to beneficiaries, contractors, and others. However, the Administration has determined that such actions are not necessary at this time, given the level of readiness of agency payment systems and agency business continuity and contingency plans. Moreover, the extensive downside risk to prepayment mitigates strongly against implementing this contingency plan in all but the most exceptional circumstances. First, and most importantly, issuing such payments early would require reprogramming of payroll and other financial management systems.
I have previously stated that any changes to systems should be minimized as they not only divert resources from fixing the Y2K problem, but also may undo Y2K fixes. It would be highly irresponsible to implement a contingency plan that could worsen the year 2000 problem. Second, making early payments would have tax implications for individuals and businesses. Undoing any tax implications would require legislative changes for the Internal Revenue Service, which in turn would be required to make changes to the tax code and to their systems. All of these actions would be both costly and time-consuming. Third, such actions could easily be interpreted by the public as an overall sign of lack of confidence in the ability of the Government to make its payments after January 1. Such a signal could prove disastrous for the national economy as panicked citizens turn to withdrawing their currency in anticipation of a currency shortage. This sort of panic is a self-fulfilling prophecy. Public panic and overreaction is a problem far larger than the technology problem and something we are very concerned about. Finally, even allowing prepayment in extremely limited areas increases pressure to provide early payment for everyone. Any uncertainty about the readiness of agencies to make benefits payments should be mitigated by continuing to focus on fixing and testing systems. Agencies should also consider alternative contingency plans that do not introduce such high levels of Y2K risk into systems or that could propagate public panic. Despite these concerns, however, there may be a few rare instances in which early payment is the best option. In any such instances, agencies may request authority from OMB to pay certain benefits early if certain criteria are met. 
These include demonstration that there will be substantial harm to individuals from not getting a timely payment, a high likelihood that timely payments (either by normal program operation or through a contingency) will not be made, assurance that early payments made will be targeted only to those recipients who would be harmed, and that early payment will substantially mitigate the harm. The agency must also be willing to make a public announcement of these decisions and to work with the Department of Treasury so that adequate cash management practices are maintained. Throughout the remainder of the year, we will continue to review this matter with agencies.

conclusions

In conclusion, during the 192 days remaining before the year 2000, we plan to:
--Complete work on remaining mission critical systems and on other Federal systems.
--Conduct end-to-end testing with the States and other key partners, placing special emphasis on ensuring the readiness of programs that have a direct and immediate impact on public health, safety, and well-being.
--Complete and test business continuity and contingency plans as insurance against any disruptions related to Y2K failures.
--Promote Y2K awareness with State, local, and Tribal governments, with the private sector, and with other Nations.

Thank you for the opportunity to allow me to share information with you on the Administration's progress. The Administration continues to treat this challenge with the direct, high-level attention it deserves. The additional focus on the year 2000 problem by the President, Congress, and the public has resulted in agencies focusing management attention on the issue and taking a close look at their resource needs. The Year 2000 contingent emergency reserve has helped ensure that agencies have access to funds to facilitate their work. OMB remains committed to working with the Committees and Congress on this critical issue. I would be pleased to answer any questions you may have.
Number of Federal mission-critical systems that are Y2K compliant

Chairman Bennett. Thank you very much. You use the phrase, 93 percent compliant as of June. That is the same number that John Koskinen reported in the end of March. Are you simply reporting that number, or are you telling us subliminally that there has been no progress from the end of March?

Mr. Lew. Well, the February report we submitted was at 79 percent, so from February until now we have gone to 93 percent. I think you have to look at the other areas where we have closed in on the 100 percent, and the fact that we have 14 agencies that are now 90 percent compliant or better.

Chairman Bennett. I do not want to quibble numbers with you, but there are enough people who follow this on the Internet. We need to be careful here and give you an opportunity to focus on it. The President set March 31 as the deadline by which every Federal agency was supposed to be 100-percent compliant. A number of agencies missed that deadline, and John Koskinen reported when that deadline came, a 93-percent overall number for the Federal Government. We are now 60 days beyond, 75 days beyond March 31, and you are using the 93 percent number. Are you using the 93 percent number because that is the last number we have and it comes as of March 31, or are you telling us that we are stuck, as of March 31, and we are still at the 93 percent number?

Mr. Lew. No, Senator, I am certainly not saying we are stuck. The numbers I am using are based on the ninth quarterly report we submitted to you last week. John Koskinen was basing his comments in March on estimates which were not yet in our quarterly report system and may have anticipated some of the progress that has been made.

Chairman Bennett. So you are saying the 93 percent at the end of March was not fully accurate.

Mr. Lew. Well, I am saying it was an estimate.
The numbers in the quarterly report are based on the rigorous review that we do of each agency's reporting, and the estimate in between reports is necessarily based on--I do not want to say less accurate data, but estimates are different than actual numbers, as we will probably discuss in other regards as well. I think the important thing to focus on is that we are making continuous progress and very rapid progress in the areas where we had the most catching up to do. Look at the largest and most complicated departments, an agency like HHS with HCFA, where they have made tremendous progress such that HCFA is now compliant. Some of the resources that we thought would be needed for HCFA have actually been shifted over to other HHS activities because HCFA has completed most of its work. You look at the Defense Department, where they have more systems than anywhere else. They are down to the point now where they are working on their systems that are not yet in service, the new technologies that have not yet been put in place. They are making great progress to ensure that they have continuity and that they do not have the kinds of delays that we had feared, if they could not get new systems to be compliant. So I think we are continuing to make very good progress. I do not want to suggest for a minute we do not have a lot of work to do. We will be working very hard for the remainder of the time we have, and I think you will see in May and June and July and August considerable progress in each of the months. As I looked over the report, I was struck at how many agencies expected to be reporting substantial progress in the very near-term timeframe. Now, I am not surprised by that. We would hope, given that we are 192 days away from the year 2000, that we would be seeing ourselves closing down problems at a rapid pace, and that is what our reports are showing, so I think we have continued to move forward. 
If there is some confusion between the numbers that were based on estimates and the quarterly reports, I would be happy to go through it outside of the hearing and look at what might lie behind that.

Chairman Bennett. I think it is important to get it very clear, because one of our problems with respect to Y2K is the question of public confidence, and there are those who have attacked this committee for being too alarmist. Saying we are going to set off a panic that will be worse than the problem. Obviously, I do not accept that criticism. I think the committee has been responsible, but again, back to the public perception here. The President said 1 year, 1 1/2 years ago when he made his statement on Y2K, I believe it was at the National Science Foundation, that every Federal agency would be 100 percent compliant by March 31, 1999. We did not make that. I applauded that as the goal at the time he said it, and said that is the right goal, and that is what we should strive for, but privately I thought, we are not going to make it. All right, we did not. Now, the number that was put out by the administration as of that date was 93 percent, and we were told the new target date for 100-percent compliance is June 30. Now, June 30 is 2 weeks away, and if there is an announcement as of June 30 that we are 93 percent compliant, people who will not go into the details that you have shared with us here are going to start to panic and say, the Federal Government is not making it, has not had any progress. So without asking for a specific response here--and I will be talking with John Koskinen tomorrow, we talk every week either face-to-face or on the phone--I will just signal that there is that public perception problem that has to be dealt with. Either the statement is made as of the end of June we are now up to 97, or whatever the number, or hey, we need to revise what was said in March that it was an estimate.
We now know that the reality is that--I mean, we adjust statements around here all the time, when more data comes in. This is where we were in March, and we have made this much progress to June 30. I am gathering from your testimony that we will not be able to announce on June 30 that we are 100-percent compliant.

Mr. Lew. No, I do not think we will be able to announce we are 100-percent compliant, but I am hopeful we will be able to show more continuing progress. Obviously, from our report last week to the end of June is a fairly short window, so I do not want to raise unreasonable expectations about how much we will be able to say, over what is really a matter of a few weeks, but we are not just doing quarterly reports. We are keeping daily contact, as you mentioned. We are in regular contact with the committee as well. If there is a concern that we are not putting out frequent enough benchmarks of how much progress is made in a way that can be tracked clearly by the public, that is something we can look into. I think the underlying facts are better than the impression that you are suggesting, which means we have a communication problem.

Chairman Bennett. I think there are too, and I think it is a joint responsibility of the Congress and the administration to get the information out so that we do avoid panic. Yes, Mr. Walker.

Mr. Walker. Mr. Chairman, for the benefit of you and the committee, based upon self-reported data that we see from the agencies as of May 14, the number was 94 percent, and hopefully Jack will end up having more recent numbers in the near future. Second, I have asked Joel Willemssen to join me, Mr. Chairman, in part because of his expertise and in part because of the recognition of the work that he and his team has done in the Y2K area working with your committee and others.

Has the Y2K problem undermined computer security?

Chairman Bennett. Thank you, and the record will show, Mr. Willemssen, that you are at the table and available.
If the time comes that you need to speak up, you will be identified for the record. Let me get a dialogue going between the two witnesses for just a minute before I call on Senator Stevens.

Mr. Walker, I was impressed by your statement in two areas, both of which I agree with absolutely. The first one had to do with pent-up demand. We are finding that in the private sector as well that, as we do our hearings in the special committee, more and more industries are saying they are going to have no more IT activity the last half of 1999 because we are concentrating so heavily on testing and final installation of Y2K solutions, and since we do not want any new initiatives, there will be a significant pent-up demand. Some high tech companies on the reverse side of that are reporting anticipation of lower sales in the third and fourth quarters of 1999, because they say that customers are so wrapped up in Y2K they do not have the time to look at anything now, and then it will explode in 2000. Now, if we have serious Y2K problems, the preoccupation of Y2K will not carry over in the first and second quarters of 2000. The pent-up demand will not hit until they are taken care of, but is very much there.

I would think, Mr. Lew, that it has got to be a real planning headache for OMB, and it is information that we in the Congress need as we face the appropriations process. Because, as Chairman Stevens can tell you more eloquently than anybody, dealing with the caps and the challenges of the appropriations process is very, very difficult. To say, ``Well, there is all this pent-up demand, where we are going to need more funds for Y2K capability,'' and that is caused by the slow-down, or the interruption, rather, of the normal flow of things as a result of Y2K, that can be very serious business for the Appropriations Committee and its various subcommittees.
The second issue that I would like you to talk about, although perhaps not in the same breath, but just to alert you to the other thing I am concerned about, is this question of security. Now, Y2K has made a tremendous impact on me at least, as it has forced me to confront what will happen to our society if the computers fail. Now, we are talking about close to $9 billion, and it may get to $10 billion by the time we are through, just to keep the Federal computers from failing. This amount in the general economy is--pick a number--somewhere between $50 and $100 billion that private entities and the State and local governments will spend just to keep the computers from failing. The potential for failure is a problem that is built into the software. The potential for failure as a result of a deliberate act on the part of a terrorist group is just as great, and will cause just as much devastation as the Y2K. Right now, most of the attack, cyber attack if you want to call it that, is coming at the Defense Department. I have had conversations with Secretary Hamre about that and will continue to have those conversations. The Defense Department is hardening itself against those kinds of attacks and is building some expertise for dealing with them. The rest of the economy is not, as nearly as I can tell, and some Government agencies are not. I do not want to give anybody any ideas, but I can see a scenario where a terrorist group says, ``all right, if we want to take down the great Satan, we will not attack their military, we will destroy their ability to distribute welfare checks, and we can do that much more easily than we can hack into the military computers. 
If we want to cause disruption in America, we will shut down the power grid, we will shut down the telephone system, we will interrupt the flow of commerce by taking down the Fed wire.'' A whole series of security issues that have nothing to do with defense, but everything to do with our ability to continue to function as a Nation have come to my attention as a result of Y2K. I have spoken with the Majority Leader about it, and he has encouraged me to use the Y2K Committee to examine these issues in the time the committee has left. We go out of business on February 29. But these are very serious issues, and I was glad to see you raise them, Mr. Walker, and at some point in this hearing between the two of you, you might want to talk about that. So those are the two issues that I want to focus on, the pent-up demand, its immediate impact on the appropriations process, and then the overall security issue. We will get into those questions, Senator Stevens, unless you have a question now.

Chairman Stevens. If they want to comment, that is fine.

Mr. Walker. Mr. Chairman, I will comment on that. First off, on pent-up demand, my experience both in the public and private sectors has shown over the years that there is always a pent-up demand for wants in the area of information technology, but what I think is different because of Y2K is that there is increasing pent-up demand for needs. You pointed to the fact that many, both public and private, entities have frozen changes in their LANs, in their software, in various other areas dealing with information technology to focus full attention on the Y2K challenge. They need to stabilize their environment in order to deal with their most immediate time-sensitive need--that is Y2K. The fact of the matter is that there is a pent-up demand for needs for enhancements as well as the second issue that you raise, which is computer security. Computer security is already on our high risk list, just as Y2K is.
Computer security is going to follow up closely on the heels of Y2K. It has national security, economic security, and personal privacy considerations. We are focusing a lot of our time and attention on that, and believe that the Congress will need to do the same, as well as the executive branch, and I am sure that they intend to do so. I think these are two very real issues that not only are important from a wants, needs and affords perspective. What can we afford? And there are tradeoffs. Money is fungible, and so the question is, What are the consequences of these choices?

Mr. Lew. Mr. Chairman, I think there is no doubt there will be some pent-up demand, and that we have separate but very important concerns about computer security that are unrelated to Y2K. I think I would actually take a slightly different tack, I think our experience with Y2K in some ways leaves us more ready to deal with both of these issues than we otherwise would be. In the area of pent-up demand, there are many agencies that have much more modern computer systems now than they would have had if we had not been dealing with Y2K because, given the tightness of appropriated resources they would not have replaced their personal computers (PC's), they would not have done the work that they have done over the last couple of years. That does not mean that it is all of what they need for the next stage of agency operations, but I think we are left with an architecture that is generally better, not just Y2K-compatible. We need, as we calculate the pent-up demand, to really look at what the net pent-up demand is, not of the investments we have made. The concerns I have looked at are more the programmatic than the hardware issues, where agencies have deferred activities. You look at HCFA. In order to comply with Y2K compliance requirements, they deferred some of their rulemaking activity.
There is going to be a pent-up demand which will mean that people have to work on those projects in the coming year that they should have done in the past year. I think that has potentially programmatic implications. I do not know yet whether it has funding implications. I think we have to get a little farther into it to determine that. In the area of computer security, one of the things that the contingency planning process is serving to be very useful for is to take contingency planning generally more seriously. Many of the contingency plans for dealing with your potential year 2000 disruptions are no different, as you mentioned, than the kinds of disruptions that could occur from natural or hostile acts. The Y2K problem is more complex, because the potential of things happening in a lot of places is greater, whereas when there is a natural disaster it is very local. Presumably the same would be true if there are hostile acts, though you raise the good question of what the risks are, and are the risks growing. I think we are more prepared to deal with contingency planning now than we were before Y2K remediation was undertaken. We had underway, as you know, through the National Security Council (NSC) process planning for contingencies in this area. I think we need to continue to work together after January 1, 2000 on that problem. I do not at the moment expect a spike in funding requirements for either pent-up demand or the security issues, but that does not mean there will not be ongoing funding requirements that we have to balance against other needs. I think the core issue in both cases is, are the needs there greater than the needs in other areas, and do they warrant funding. The thing about Y2K that was so unusual, and that did require the extraordinary funding mechanism that we had, was that all the expenses came at once, and we are marching against an inflexible deadline, where if we do not do it by January 1, 2000, it will not deal with the problem. 
In these other areas, while there are serious problems, they are problems we can fit into the spectrum of all the other things that we do have to worry about, and I look forward to working with you on those issues.

Chairman Bennett. Senator Stevens.

Progress on nonmission-critical systems

Chairman Stevens. Mr. Lew, because of where I am from, I worry about the nonmission-critical systems, and the definition of those, and I raised this last year. Do we have any idea of how many such systems there are that are nonmission-critical systems?

Mr. Lew. I do not have a number. I understand the question, and I will be happy to get back to you with a number. We are not ignoring nonmission-critical systems. The fact that we are setting a more absolute deadline for dealing with mission-critical systems does not in any way mean that we are treating the noncritical remediation as something that could wait until later.

Chairman Stevens. Did you ever get an estimate of what it would cost to deal with all Federal systems and Y2K implications?

Mr. Lew. I believe the cost that we have been referring to would be the $8.02 billion level.

Chairman Stevens. That is mission-critical.

Mr. Lew. It is more than mission-critical. It is the total expenditure on Y2K. The total compliance is based on bringing all the mission-critical systems into compliance at a particular time. If I could get back to you, Senator, what I would like to do is ask some questions about what do we expect in terms of lingering funding requirements after January 1 for the nonmission-critical systems. I think that may give me a better ability to answer your question, and I do not know off the top of my head the answer to that question.

Chairman Stevens. The implication here is that, not counting the emergency funds, that agencies have used appropriated funds to pay for Y2K problems and deferred their normal programming. Is that your statement? You have indicated that.

Mr. Lew. I think it is a combination.
I think some of the things that they have done with the money were exclusively Y2K-related. Other activities really have multiple purposes, and one of the reasons it has been difficult to give actual numbers is that the bookkeeping before 1997 was not very good in terms of how much money was Y2K-related and how much of it was just generally IT-related. As Mr. Walker noted, even now we are dealing with agencies that are being much more clear in terms of their defining Y2K costs for the emergency funds than they are for their base funds. Some of the costs have to be disaggregated to see whether they are just Y2K. When you buy a new PC system, it obviously is Y2K-related, but it is also giving you infrastructure that the agency needed. They are all modernizing their computer systems as quickly as they can.

Chairman Stevens. The indication here is that they deferred normal programming activities in order to make those adjustments. How extensive has that been?

Mr. Lew. I think what we have done is, we have built into our budget request in the last several years additional resources where we saw it as needed for Y2K, and we balanced it against the ongoing programmatic activities. I think the areas where it would have created the clearest direct conflict were some of the funding that was directed to come out of the Y2K emergency reserve, and actually that went both directions. Some of that funding was really Y2K-related, and some of it was funding that we had in the base that we thought was only marginally Y2K-related, so a lot of these are gray areas. I think that when we are dealing with caps, as you and I know painfully well, there are tough choices about how we can deal with all of the competing needs.

Chairman Stevens. I am looking at it, as Senator Bennett mentioned, from two sides.
One, it appears there are a lot of things that have been deferred, normal program activities, because of the Y2K emergency, and on the other side of the coin is that there are increasing demands on the budgets of all agencies because of Y2K compliance activities. Now, both of those add up to me to a need for more money, but it is sort of a feather pillow. I am not getting what I need.

Mr. Lew. I think there are really two different questions there. One is, did they get more money than they otherwise would have gotten to deal with Y2K within the base funding, and in our budget proposals we were allocating dollars to Y2K where we were not taking it necessarily from something else. We were making our decisions from the ground up. What did an agency need to do for its entire mission that had to do with Y2K? We came to the conclusion that we could not do it within totals, which is why we put the emergency fund proposal in our budget last year. It got beyond the point of our ability to work within the limits and still meet agency needs and Y2K needs.

Are additional Y2K supplemental funds required?

Chairman Stevens. That is what we anticipated, and that is why we started the emergency presence. But what I am looking at is whether or not, one, are we going to get a supplemental request to make up for the moneys that agencies have spent, the Y2K activities, in order that they may have the funds to carry out their normal programming; and two, are we going to get a supplemental request for Y2K activities? This $8.7 billion is much higher than we anticipated 1 year ago, or 2 years ago. Are there two supplementals out there staring us in the face?

Mr. Lew. We have no immediate plans for any additional supplementals. Our calculation is $8.02 billion total, and does assume that we use the emergency funds, but it does not assume that we have any additional funding requirements in fiscal year 1999.
The agencies have been using the emergency funds not just to deal with mission-critical systems. They have been using the emergency funds to deal with noncritical as well as critical. I actually have never seen a breakout of how much of the money has gone to mission-critical versus nonmission-critical, and it is a good question. I actually will go back and ask to see it broken out that way. I tried to use the example of HCFA as the kind of activity where we know that there was a deferral of some work. I do not think that that necessarily means we will need a supplemental appropriation for HCFA. It means there was a delay in putting some regulations into effect. As HCFA works through its 2000 and 2001 work plans, they will integrate completing the work that they deferred with the work that they have to do. They may have increased needs overall. Agency needs change from year to year. But I do not foresee a spike of additional needs because of doing the deferred work that came about because of dealing with Y2K remediation. It is a fair question. It is something we are keeping our eye on. I am not sure we can anticipate everything in advance, but I certainly at the moment do not see a huge number of deferred activities where we will need to come in for a supplemental request.

Chairman Stevens. Do you have any comment on this, Mr. Walker?

Mr. Walker. Mr. Chairman, first I would agree with Director Lew that what we ought to focus on is the net need. Second, as we say in our statement, we do believe that there is pent-up demand and pent-up need, as there is in the private sector. We believe it is important to try to survey that, and try to understand the nature and extent of that.

Chairman Stevens. A need for non-Y2K funds, because of Y2K activities?

Mr. Walker. A need for additional funds because there have been projects that have been delayed that may represent need rather than want.
Director Lew mentioned one, where there are some types of activities to implement certain regulations. There also could be some computer security related system enhancement needs that could be essential and cost beneficial, however, they have been delayed. I think there is a need to try to inventory that to understand the nature and extent, but then there is a management decision and a budget decision as to the merits of those various proposals, and how they will be handled; but we do think it is important to inventory it, because we do believe it exists.

Mr. Lew. The only thing I would add, Senator, is that these issues are not new issues, because we have been dealing with Y2K. We faced it at the Treasury Department in terms of putting a new computer system in place there, where completely apart from the year 2000 there was a need for a long-term capital program. I am not sure, net of what we spent on Y2K, that it is as much a question of pent-up demand as it is fitting those IT requirements into the many demands that agencies have for resources. If there is a pent-up demand we certainly should, as the Comptroller General says, try to keep an eye on it and coordinate it in a managed way. I just would not put up a red flag that there is a crisis looming. We may have additional requirements in these areas completely apart from Y2K. The question of cyber security is something we will have to keep dealing with. I do not think we should confuse the pent-up demand issue with what the absolute requirements are, and if so, it is just a timing question. On the other hand, we should not panic. We are in better shape now in terms of contingency planning than we have ever been in the past, and I think as we continue to deal with these questions we will have a much better knowledge.

What progress is being made in contingency planning?

Chairman Stevens. I visited two major industries where they had been told that their systems were Y2K compliant and on a test found that they were not. Now, we are relying on this testing. It is sort of a self-testing process of each agency, but as I understand it, the cost of contingency planning is not permitted to be paid out of the emergency money, is that right?

Mr. Lew. Well, actually I would distinguish between contingency planning and funding of the contingency plans. We are helping agencies deal with funding requirements for the contingency planning. We are just beginning to see them, so I do not have a wealth of material to draw on yet. As we see the plans, I think we can expect that the plans will identify two kinds of risks. One is risks that their own systems will fail and there may in fact be additional funding requirements there. As you know we continue to have $496 million in the nondefense and $165 million in the defense reserve, some of which may well be used for the agency contingency plans.

Chairman Stevens. You use that for planning, or plans?

Mr. Lew. There may well be funding needed for plans. If they need to back up their own systems internally there is a whole separate kind of contingency planning where I do not know that we have the authority to fund it. We may need to talk further about this if they identify problems that are not their own, but problems that are connected to the environments they are in, such as telephone and electric grids. Obviously, we do not have the resources to do contingency plans for every agency so, if there is a localized power failure for a brief period of time we will bring the whole grid back up. Utilities are dealing with that, and they are dealing with it quite well. I think the question we have to answer is if there is a localized problem, does each agency have a credible plan so that it can continue its operations while the local utility is dealing with the outside problem.
We may decide that we want to take on as a Federal obligation, and I do not think I would recommend it, dealing well beyond the ambit of Federal responsibility. Clearly we do not have the resources for that, but that is also not a Federal responsibility. What we are trying to do is make sure that it is coordinated, that information is readily available, and to provide the leadership so that each of the different parts of the environment that Federal agencies find themselves in is also making the kind of progress they need to make. We do not anticipate the kind of massive electric or telephone failures that people worried about years ago, but that does not mean there will not be isolated incidents. The purpose of contingency planning is to be able to respond, so we have continuity in all Federal operations.

Chairman Stevens. Do we have any idea what the cost of those plans will be?

Mr. Lew. The June 15 deadline just passed. We have received some, not all. I would not even say most of them yet. Over the next several weeks we will review them and we will continue to work with the committees as we get a better understanding of what the contingency plans call for. I think the agencies are struggling a little bit in terms of putting the price tag themselves on what are in some cases fairly imponderable costs. I think as they narrow down to the cost for their own backup plans, that is an area that is much more concrete. We will start to see what the numbers are fairly quickly on those. I do not anticipate that those will be enormous, but if they do turn out larger than we expect, we will come back as soon as we know more.

Chairman Stevens. Mr. Walker.

Mr. Walker. Mr. Chairman, we tried to note on page 13 of the full statement how much of the emergency supplemental to date has been spent for contingency planning. It is over $300 million, primarily the Defense Department, but also about $77 million for the civilian agencies.
As Director Lew noted, there is a need to try to get your arms around what type of plans are necessary on a contingent basis, and it is a separate and distinct matter as to what cost might be necessary if those plans have to be implemented, and that is something that is important to focus on.

Chairman Stevens. Do the contingency plans themselves have to be tested, in your judgment?

Mr. Walker. We do believe they need to be reviewed. We plan to review them. OMB needs to review them first. I believe they are due later this month. Joel, do you have a comment?

Mr. Willemssen. Yes. OMB has noted that they are following our guidance on contingency planning. One of the key phases in doing that is validation and testing of those plans. We have recommended that the validation and testing be completed no later than September 30 of this year.

Chairman Stevens. Do you have the sense that we have enough funds available now to deal with this total Y2K problem on the Federal level without any additional money, Mr. Walker?

Mr. Walker. Mr. Chairman, the real key is that, for fiscal year 2000, there are certain unknowns. As Director Lew said, we have still got 10 Federal agencies that have not completed their own remediation testing efforts. Second, 10 of the 43 critical Federal programs have significant State involvement. Many of those States are not going to be completed with the Y2K efforts until the fourth quarter of this calendar year. In addition, there are other factors that frankly, until we get more clarity on those, it is difficult, if not impossible, to predict the funds that will be necessary. The real key is, what are the tradeoffs? If additional funds are needed for Y2K, there are several ways to handle that. Obviously, one way is through a supplemental.
Another way is through changing priorities within the existing baseline, and the key is to try to understand what the possibilities are, what the magnitude might be, and to be able to make informed choices about what those tradeoffs should be.

What is the difference between mission-critical and nonmission-critical?

Chairman Stevens. Both of you were talking about internal reprogramming. There could be a massive amount if there are any contingencies that develop between now and the end of the year, and we are dealing with two different fiscal years as far as the restraints on spending. I do hope that we are monitoring the marshaling of this money towards achieving objectives within the laws available. Maybe we need some additional flexibility on this, and if you do, we might have to give it to you in one of these bills. I would hope that you would both look at that. But one of the critical problems here to me is the definition of what is critical. I am afraid the people sitting here in Washington have an idea of what is critical, and people out in the rural areas, and the western States in particular, have an entirely different attitude about what is critical. Has anyone reviewed the definition of what is critical in your agency?

Mr. Walker. Mr. Chairman, let me comment on a couple of things, and I would ask Joel to add. First, the dollars that have been spent so far have been spent on Y2K, both mission-critical and nonmission-critical systems. Second, at this point in time we believe the important thing to focus on is the programs. Candidly, the taxpayers, our citizens care about the results, they do not care about the process, and so the key is to assure, either through the remediation efforts or through the contingency planning that the programs will operate as intended at the taxpayer and the citizen level. And Joel, I would ask you to add.

Mr. Willemssen. Mr. Walker hit it right on the nail.
We have applauded what OMB has done in terms of moving its focus away from systems and into programs. I think there is still room for debate as to whether they have targeted the right programs. As Mr. Walker mentioned in his statement, there are some outliers that are not within the definition of the 43 programs that I think would raise some issues, but I believe now OMB has the correct focus, especially on testing end-to-end multiple systems. I think that is the appropriate emphasis that now needs to be placed.

Mr. Lew. That is actually the point I was going to make. The value of testing is that we will have a much better understanding if there is going to be a problem in rural areas, or in isolated areas. That is one of the reasons the funding has been going out in the pattern it has. As we have discovered problems, we have been using funds to deal with the problems. We have been very careful, and frankly I think you deserve a lot of credit for designing a flexible-enough authority so that we have had the authority to fund basically everything we have needed to fund while still reserving resources for the final period. The imponderable about the contingency planning is different from whether we are taking the kinds of effective steps to deal with the programmatic needs that agencies have, and I think it would be a mistake to think that there is a looming, huge problem in terms of basic agency operations that are unfunded. If we discover that the contingency plans have funding requirements that are greater than what we think they will be, I assure you it is not something we would just keep to ourselves. Just as we shared with you the need for the $3 1/4 billion emergency fund, we would come back. I just at this moment do not anticipate it, and frankly it gets into an area fairly quickly that is not the Federal Government's primary responsibility.
We have been using the money that was appropriated to deal with the testing to make sure that we discover, within the Federal systems, what else we need to do.

Who will agencies turn to if they have Y2K problems?

Chairman Stevens. Do we have any reserve capacity for the Government as a whole? Is there an agency that has been designated to come forward and assist any Federal program that runs into a glitch in the last part of the year? As the next fiscal year started sometime after October 1, you run into problems. Who do these agencies turn to for assistance if some real difficult problem emerges that has not been contemplated?

Mr. Lew. As you know, John Koskinen has been coordinating overall the administration's planning and implementation of the Y2K effort. That has been, I think, a very effective process where we have had agency heads take on the responsibility personally to make sure that they were doing what needed to be done, and coming in with the kind of technical support. We do not have a formal process where there is one agency that is doing things for the other agencies, but there has been a lot of sharing of information and cooperation amongst agencies in the way that you would want to see in a situation like this. As one agency learns something we do not wait for each of the others to discover it on their own, there is a sharing of information.

Chairman Stevens. I am looking for something different. We have the Federal Emergency Management Agency (FEMA) if there is a natural disaster. What agency has the role of FEMA in dealing with Y2K, if something really goes bad in December?

Mr. Lew. Let me distinguish the work up until January 1 and deal a little bit separately with what happens in the immediate period at the new year. The President made it very clear that it was the obligation of each agency head to assure that his or her agency was taking the action needed.
Frankly, if there was a more centralized responsibility we would not be able to sit here today and report the kind of progress that we have made.

Chairman Stevens. I am not interested in that. I am interested in emergency assistance at a time when it may be needed.

Mr. Lew. In terms of emergency assistance, we have planned for what we call an Information Coordination Center which we have worked with the committees on to bring together information at the end of the year. At the beginning of the new year, as we learn of disruptions, as we learn of problems, so that there will be a clear flow of information and an ability to muster appropriate responses. I think that is more of an information exercise than it is a command and control exercise. It is not that we have a special weapons and tactics (SWAT) team that will go in, but it is a way to marshal the resources of the Federal Government to deal with situations as they occur. It is not the case, as in a natural disaster, where we designate FEMA or one agency to be the lead agency, because frankly, the problems are not necessarily going to be within the expertise of one agency. If you have a transportation issue, the Department of Transportation is going to deal with it. If you have a communication issue, it is largely going to be private, and more information at the Federal level rather than action at the Federal level. But there is going to be information coming in. Frankly, January 1 will come in many hours earlier in other parts of the world. We will gather information from what happens in other parts of the world and be able to perhaps take some preventative steps as we learn what happens in other places and be able to have the preparedness in real time. I do not think that it would be as effective, frankly, if we had a single designated agency that would deal with all problems that might arise, because it would be more than any one agency could handle within its expertise.

Mr. Walker. Mr. Chairman, four points that might be helpful. Obviously, John Koskinen has been handling overall interagency coordination and strategic planning. Second, it is my understanding that for each of the high-impact programs OMB has designated, in working with John Koskinen, a lead agency has responsibility for that program, even though there may be numerous agencies that have to be involved. Third, based upon our experience so far, if there is one agency that probably has shined in this, it has been the Social Security Administration, but obviously no one agency, as Director Lew noted, could really handle contingency planning for everything.

Is the Postal Service Y2K compliant?

And last, but certainly not least, the Postal Service is critical. They are making progress, but they represent the contingency plan, or have an integral part in the contingency plans of not only the Federal Government but, quite frankly, the private sector, and that is one I think we have to keep our eye on the ball.

Chairman Stevens. Who is monitoring that?

Mr. Walker. I am sure that OMB and we at GAO are monitoring their progress.

Chairman Bennett. Can you tell us where they are?

Mr. Willemssen. The Postal Service after a fairly slow start has made very rapid progress, and we have recently testified that the kind of management controls that they have put in place should give them greater assurance of being ready in time. There are still some risks, such as a number of systems that they have to get ready in a relatively short period of time, but the attention is now being placed on that, and frankly that was not the case some time ago. I think one of the things that spurred the Postal Service on was when OMB last year put their additional reporting requirement on other entities beyond the 24 major Federal departments and agencies. That led to the Postal Service coming in with their first report, and that first report raised a lot more questions than it did answers.
That led to enhanced oversight which contributed to the Postal Service being on the road they need to be on.

Need for progress for Federal systems that interact with State and local systems

Chairman Stevens. What about the Federal systems programs that interface with the State and local activities such as food stamps, Medicare, and others that are dependent on State actions and State implementation?

Mr. Willemssen. I think there remains much room for concern there, and OMB is very aware of those concerns. States are working quite diligently with the Federal agencies, but many of those States do not plan to be compliant until the end of the year. What we have seen as a model agency in terms of oversight of State systems has been the Health Care Financing Administration and Medicaid. When we came out with a report last fall that indicated that only about 16 percent of those systems were compliant, the Administrator of HCFA took the lead and obtained needed contractor help. They've gone out and done risk assessments and visits of all States. They completed that first round in April and made detailed risk assessments. They are now in the midst of doing a second round of visits and, concurrent with that, they have outside help focusing on contingency planning for those States. It is really a very good model, one that could be emulated by some of the other Federal agencies in working with their State partners. Although it is getting fairly late in the game, we think with the time remaining, activities like that could be very beneficial.

Progress with our international partners

Chairman Stevens. I have taken a lot of time. One last question, and this is a North American economy now, not a United States economy. What about Canada and Mexico, and the tremendous interface of our private economy with our neighbors to the north and south?

Mr. Lew. Senator, we have participated actively in international forums to help other countries learn from our experience as we discovered what needed to be done. In fact, the largest conference ever in terms of U.N. focusing on a single topic is being held either this week or next week in New York. I do not know for a fact, but I assume Mexico, Canada, and most of the countries of the Western Hemisphere are participating. The challenge we have is, we clearly cannot take on as a U.S. obligation direct responsibility for the systems in other countries, but we have been trying very hard to share information and help others learn to take responsibility and take the actions necessary. I do not have country-by-country reports. We would be happy to get back to you if you have specific questions about Mexico and Canada. I suspect the bigger concerns we have are in other parts of the world, though.

Chairman Stevens. Well, that is a prime time for illegal immigrants to cross the border from California all the way over to Louisiana.

Mr. Lew. That is obviously a question of our critical systems working, and that is our responsibility. If I could just respond on the question of the States, because I think it is one of the significant issues we have to continue to focus on from now until the end of the year. It is more difficult in the sense that it is not something we can just go out and fix. We have to work with others to fix their systems. But we can encourage and require that there be backup arrangements, and that there be testing. We have been providing that leadership. Putting into the quarterly report the State-by-State data we inputed was a very useful step in terms of getting each of the agencies to work with the States on their systems and, frankly, to put the public attention on which States are scheduled to be completed and which States are falling behind.
I know that up here there is a lot of concern not just for the aggregate number, but on each individual State, and I would commend to your attention the State-by-State data in the ninth quarterly report. We are going to be doing that on a regular basis from now through the end of the year. We have directed the agencies to work closely with the States to try and be helpful to them as they plan their own activities, but this is one of the remaining challenges that is going to require a lot of our attention.

Chairman Stevens. Thank you very much, Mr. Chairman.

Need for additional Y2K funding

Chairman Bennett. Thank you. This is just a little bit of institutional jealousy, and I probably should not say it, but I will anyway. Mr. Lew, you made the comment, in your words, ``we shared with you the need for the $3 1/4 billion emergency.'' Just for the record, the initiative for the $3 1/4 billion emergency came from Senator Stevens. I was in the room when he came up with that number and announced it. I remember the phone call I received from John Koskinen where he said, ``Senator, we had no idea you were going to do that. We had no tip-off at OMB in advance that this Congress was going to do that.'' I thought he was going to complain that the Congress was doing things, and then he said, and we think it's a really, really, really good idea. So I think just for the record Senator Stevens should receive the credit for having come up with that. Let me talk about that supplemental. After the allocations against the funds, there is $165 million in reserve, as you said, for defense, and $400 million for nondefense. Mr. Walker, you say in your testimony that the cost of end-to-end testing and contingency plans will be high. Do you share my concern that these reserve funds may not be enough?
That too much of the money that was allocated in the emergency, $3.25 billion in emergency money, has already been spent, given the size of what we are still looking at, or do you think the expenditures and allocations up until now have been about right, and that these reserves are adequate? Either one of you.

Mr. Walker. Mr. Chairman, I think there are two issues. One issue is whether or not the remaining funds that exist in the reserve will adequately cover all the additional Y2K costs versus whether or not there is a need for an additional supplemental, for example. I think there is a much higher risk that there will be more money necessary in order to address all the Y2K issues, given the contingencies that we have articulated today. I think it is a separate and important, yet somewhat distinct, question as to how best to do that. Will it be through tradeoffs in other funding that already exists in fiscal year 2000 for these programs, or will there be a need for supplemental funding, and I would ask Director Lew to comment.

Chairman Bennett. Do you share that view? I have the feeling you have a slightly different view.

Mr. Lew. The reason I am hesitant is that we are just beginning to review the contingency plans for the agencies. The real answer to the question will come after we have reviewed their plans. Frankly, the early plans we are getting do not have cost estimates in them in many cases, so we have to go back and work with the agencies. To the extent that contingency planning costs are much larger than we have anticipated I would have a very different response. If the contingency plans fit within what we have expected, and I will not know that for several weeks, to the extent that they identify expenses that are not within the authority of the emergency fund, we would clearly need to come back and seek additional flexibilities. I did not mean to detract at all from the contributions of Senator Stevens in particular. We very much appreciate it.
We put a place marker in our budget, as you know, and it became real when Senator Stevens offered the amendment that he did and the flexibility the fund provides is very helpful.

Chairman Bennett. Just a little executive branch-legislative branch----

Mr. Lew. I appreciate that. The answer to your question ultimately I think would be something I would want to get back to you after we have reviewed the continuity and contingency plans, because I think that is where the wild card would be. At the moment, I cannot sit here today saying we anticipate tremendous additional needs, though I think Mr. Walker is right that to the extent that there are ongoing requirements. Either at the very end of this year or at the beginning of next year, there may be some tension within the existing budgets. That is not always a bad thing. I mean, agencies do deal with some costs that are outside of their normal business without it causing tremendous disruption. What happened in Y2K was the amounts required so far exceeded the ability to manage the totals, so it was necessary to have the emergency fund.

Chairman Bennett. Senator Stevens has an additional question, but before he gets to that, let me just pick up on what you are saying about the contingency plans. Your deadline was June 15. By your testimony most of the agencies missed that deadline, and that concerns us. We do not have, as everybody knows, any fudge factor on the ultimate date that is hitting us here, and just quickly, do you have any sense when you will have all of the contingency plans with estimates in front of you? Can you give us a new date that we can hold people accountable for?

Mr. Lew. I cannot give you a firm date and, frankly, I think what is going to be happening is, we are going to be working with the agencies to refine what we get on an ongoing basis. There will not be a date when they are finished. They are going to keep proceeding with their planning and their work right until the end.
I think in the next several weeks we will have a lot more than we have now. We have been working with the committees' staff and with you directly on each of the allocations, and we will continue to do so as we review the contingency plans. We have tried to be responsive to any of the issues raised in the course of those consultations and would continue to do so. If we discover a problem, or you discover a problem, we would like to keep the conversation going. I wish I could say that I will have all the plans on June 30. When we set deadlines we try to be realistic about agency compliance patterns, and I think we are still in decent shape. If the President had not set March 31 as a deadline, we would not be sitting here today with the results that we have, and I dare say the same is true about the June 15 deadline. I would wish that at all times agencies would respond with great punctuality, but we did build in a little bit of room.

Chairman Bennett. If my friend Senator Dodd were here, I know he would have a few words to you to say about the importance of meeting deadlines and how carefully he will monitor those deadlines. Since he got married over the weekend he may have other things on his mind, but I assure you that he and the committee will be watching these dates very carefully. Senator Stevens.

Potential need for another flexible fund to respond to Y2K problems

Chairman Stevens. Well, I want to make sure about this authority problem that you have indicated a couple of times, Mr. Lew. I have the same feeling. There is no basic authority like the President, as Commander in Chief, possesses for taking care of troops. You know, the food and forage concept. I would like to contemplate, or like to have resolved how to establish an emergency authority in one single area. I take it would be the President's decision that would get that, but I also assume it would be OMB. I think we have to have that.
I think we have to have someone with the authority to make the decision to use funds from wherever they have to be taken if there is an emergency that develops. We will be out of session. It is the holiday period where these crises could take place. We also have critical non-Federal actions that may need correction, or might need assistance because they impact our mission-critical systems at a time in an unexpected way. I do not think you have the authority today to use funding for that purpose, but I do think you should have it. I also think that whatever we do along that line we should require a report from you to Congress, so that when we come back into session we can review what has happened and see whether adjustments are necessary to other accounts because of that. But I would urge you to think about that, and Mr. Walker, you might review that also. I think in one of these bills that is coming along we ought to start a basic designation of who has that authority, how it is to be exercised, and what the scope of it is. If it goes outside the mission-critical Federal systems to the area where non-Federal actions might have an impact on the plans or contingency plans that we may have to put into effect. Clearly, I think that the public is going to expect that we have placed, somewhere in the administration, the authority to take action, and I still believe it is sort of like any other time of weakness. Are you a fisherman? I remember when I was fishing down off of Pulaski Light, and I learned how to fish for the giant barracuda. You really fish for the mackerel, but just as the mackerel hits the bait, that is when the barracuda likes to hit the mackerel. I am thinking there are a lot of barracudas out there that would like to have an impact on our Federal systems at a time of apparent weakness. We ought to guard against that, and we ought to have authority. Again, I urge you to think about someone having a FEMA responsibility. 
There has to be a fireman there somewhere, and it is going to take some further analysis of this, as I am sure that Senator Bennett's committee will do. We are here today primarily because of the implications of future funding that may be required. Even beyond that is the basic authority to use whatever funds are available should a substantial crisis develop.

Mr. Lew. Senator Stevens, I think it is an important distinction, because the truth is, if there is an emergency in an area where funds have been appropriated and authority exists, you could spend down money and could replenish the funds with a supplemental later on. I think the real critical issue in terms of being able to respond in a timely manner is whether the scope of authority is broad enough. We have very substantial authorities to respond to most of the contingencies that are directly Federal. I think the issue here is whether it would be desirable to have a broader Federal responsibility for non-Federal response.

Chairman Stevens. I am not talking about responsibility. I am talking about ability to act where there is a definite connection between the systems we rely on for our people through the Federal Government and those that are non-Federal, where the contingency planning or the planning may be defective, and we will not know that until it is too late.

Mr. Lew. Just to use an example, if there is a Federal agency where communications are critical, then the Federal responsibility is to have backup communication capacity so the Federal agency can communicate. It is not a Federal obligation to bring up the telephone system for the entire area. We have the authorities to our knowledge to do what we need for the Federal backups to be provided for. The area where there is a question about authority is also, I think, where there is a question about whether it is a desirable Federal role.
As we go through these contingency plans, if we discover additional needs for authority, I would welcome the invitation to pursue it with you. We clearly want to have whatever authorities we need to deal quickly and with agility to things that almost by definition are as unpredictable as the barracuda eating the mackerel.

Chairman Stevens. The National Guard is in every State, and it is an entity in every State. I think somewhere along the line there has to be some entity like that where the standby capacity to assist in areas that are life threatening, that relate to Federal activities, or are threatening to the economy in general--well, we will work with you on it. Mr. Walker.

Mr. Walker. Mr. Chairman, while obviously our first and foremost priority needs to be Federal programs and U.S. citizens, you touched on the international aspect. The fact of the matter is, we are in a global economy, and as I looked today at GAO's daily news clips, there is an article that comes to mind, the source of which is published through the Gartner Group, which is one of the leading information consulting firms. It has attempted--we have not attempted to verify this--to rank various countries into different levels, level 1 being the best prepared, of which I am pleased to say the United States and Canada are on that level; level 2 is where Mexico falls; but if I look at level 4, which is the lowest level, you have countries such as Russia and Pakistan, and clearly there are security issues associated with that which I think we have to keep in mind. While that is not our primary responsibility, it is not inconceivable that there could be some issues there. Thank you, Mr. Chairman.

Chairman Stevens. Thank you very much.

Chairman Bennett. Thank you. We appreciate your being here and appreciate your patience with the questioning.
If we have further questions we will submit them to you in writing, and as Senator Stevens said, Senator Byrd, who was not able to be with us, will have some questions for you in writing.

Conclusion of hearing

Chairman Bennett. Thank you very much. The committee is recessed.

[Whereupon, at 11:10 a.m., Tuesday, June 22, the hearing was concluded, and the joint committees were recessed, to reconvene subject to the call of the Chair.]