<DOC>
[106th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:61119.wais]
Y2K AND CONTINGENCY AND DAY 1 PLANS: IF COMPUTERS FAIL, WHAT WILL YOU
DO?
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON GOVERNMENT REFORM
and the
SUBCOMMITTEE ON TECHNOLOGY
of the
COMMITTEE ON SCIENCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
FIRST SESSION
__________
OCTOBER 29, 1999
__________
Committee on Government Reform
Serial No. 106-51
Committee on Science
Serial No. 106-54
__________
Printed for the use of the Committee on Government Reform and the
Committee on Science
Available via the World Wide Web: http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
61-119 CC WASHINGTON : 1999
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
JOE SCARBOROUGH, Florida CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South DENNIS J. KUCINICH, Ohio
Carolina ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia DANNY K. DAVIS, Illinois
DAN MILLER, Florida JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas JIM TURNER, Texas
LEE TERRY, Nebraska THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California ------
PAUL RYAN, Wisconsin BERNARD SANDERS, Vermont
HELEN CHENOWETH-HAGE, Idaho (Independent)
DAVID VITTER, Louisiana
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Carla J. Martin, Chief Clerk
Phil Schiliro, Minority Staff Director
------
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois JIM TURNER, Texas
THOMAS M. DAVIS, Virginia PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon MAJOR R. OWENS, New York
DOUG OSE, California PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Matt Ryan, Senior Policy Director
Chip Ahlswede, Clerk
Trey Henderson, Minority Counsel
COMMITTEE ON SCIENCE
HON. F. JAMES SENSENBRENNER, Jr., (R-Wisconsin), Chairman
SHERWOOD L. BOEHLERT, New York RALPH M. HALL, Texas, RMM**
LAMAR SMITH, Texas BART GORDON, Tennessee
CONSTANCE A. MORELLA, Maryland JERRY F. COSTELLO, Illinois
CURT WELDON, Pennsylvania JAMES A. BARCIA, Michigan
DANA ROHRABACHER, California EDDIE BERNICE JOHNSON, Texas
JOE BARTON, Texas LYNN C. WOOLSEY, California
KEN CALVERT, California LYNN N. RIVERS, Michigan
NICK SMITH, Michigan ZOE LOFGREN, California
ROSCOE G. BARTLETT, Maryland MICHAEL F. DOYLE, Pennsylvania
VERNON J. EHLERS, Michigan* SHEILA JACKSON-LEE, Texas
DAVE WELDON, Florida DEBBIE STABENOW, Michigan
GIL GUTKNECHT, Minnesota BOB ETHERIDGE, North Carolina
THOMAS W. EWING, Illinois NICK LAMPSON, Texas
CHRIS CANNON, Utah JOHN B. LARSON, Connecticut
KEVIN BRADY, Texas MARK UDALL, Colorado
MERRILL COOK, Utah DAVID WU, Oregon
GEORGE R. NETHERCUTT, Jr., ANTHONY D. WEINER, New York
Washington MICHAEL E. CAPUANO, Massachusetts
FRANK D. LUCAS, Oklahoma BRIAN BAIRD, Washington
MARK GREEN, Wisconsin JOSEPH M. HOEFFEL, Pennsylvania
STEVEN T. KUYKENDALL, California DENNIS MOORE, Kansas
GARY G. MILLER, California VACANCY
JUDY BIGGERT, Illinois
MARSHALL ``MARK'' SANFORD, South
Carolina
JACK METCALF, Washington
Subcommittee on Technology
CONSTANCE A. MORELLA, Maryland, Chairwoman
CURT WELDON, Pennsylvania JAMES A. BARCIA, Michigan**
ROSCOE G. BARTLETT, Maryland LYNN N. RIVERS, Michigan
GIL GUTKNECHT, Minnesota* DEBBIE STABENOW, Michigan
THOMAS W. EWING, Illinois MARK UDALL, Colorado
CHRIS CANNON, Utah DAVID WU, Oregon
KEVIN BRADY, Texas ANTHONY D. WEINER, New York
MERRILL COOK, Utah MICHAEL E. CAPUANO, Massachusetts
MARK GREEN, Wisconsin BART GORDON, Tennessee
STEVEN T. KUYKENDALL, California BRIAN BAIRD, Washington
GARY G. MILLER, California
Ex Officio
F. JAMES SENSENBRENNER, Jr., RALPH M. HALL, Texas+
Wisconsin+
C O N T E N T S
----------
Page
Hearing held on October 29, 1999................................. 1
Statement of:
Dyer, John, Principal Deputy, Social Security Administration;
Marvin J. Langston, Deputy Assistant Secretary of Defense
for C3I and year 2000, Department of Defense, accompanied
by Rear Admiral Bob Willard and Bill Curtis, Department of
Defense; John Gilligan, Chief Information Officer,
Department of Energy; Paul Cosgrave, Chief Information
Officer, Internal Revenue Service; and Norman E. Lorentz,
senior vice president, Chief Technology Officer, U.S.
Postal Service............................................. 47
Willemssen, Joel C., Director, Civil Agencies Information
Systems, U.S. General Accounting Office; and John Spotila,
Administrator, Office of Information and Regulatory
Affairs, Office of Management and Budget................... 12
Letters, statements, etc., submitted for the record by:
Cosgrave, Paul, Chief Information Officer, Internal Revenue
Service, prepared statement of............................. 86
Davis, Hon. Thomas M., a Representative in Congress from the
State of Virginia, prepared statement of................... 11
Dyer, John, Principal Deputy, Social Security Administration,
prepared statement of...................................... 50
Gilligan, John, Chief Information Officer, Department of
Energy, prepared statement of.............................. 75
Horn, Hon. Stephen, a Representative in Congress from the
State of California, prepared statement of................. 113
Langston, Marvin J., Deputy Assistant Secretary of Defense
for C3I and year 2000, Department of Defense, prepared
statement of............................................... 62
Lorentz, Norman E., senior vice president, Chief Technology
Officer, U.S. Postal Service, prepared statement of........ 91
Morella, Hon. Constance A., a Representative in Congress from
the State of Maryland:
Letter dated October 15, 1999............................ 102
Prepared statement of.................................... 3
Spotila, John, Administrator, Office of Information and
Regulatory Affairs, Office of Management and Budget,
prepared statement of...................................... 36
Turner, Hon. Jim, a Representative in Congress from the State
of Texas, prepared statement of............................ 8
Willemssen, Joel C., Director, Civil Agencies Information
Systems, U.S. General Accounting Office, prepared statement
of......................................................... 14
Y2K AND CONTINGENCY AND DAY 1 PLANS: IF COMPUTERS FAIL, WHAT WILL YOU
DO?
----------
FRIDAY, OCTOBER 29, 1999
House of Representatives, Subcommittee on
Government Management, Information, and
Technology of the Committee on Government
Reform, joint with the Subcommittee on
Technology of the Committee on Science,
Washington, DC.
The subcommittees met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Connie Morella
(chairwoman of the Subcommittee on Technology) presiding.
Present: Representatives Morella, Davis, and Turner.
Staff present from the Subcommittee on Government
Management, Information, and Technology: J. Russell George,
staff director and chief counsel; Matt Ryan, senior policy
director; Bonnie Heald, communications director and
professional staff member; Chip Ahlswede, clerk; Rob Singer,
staff assistant; P.J. Caceres and Deborah Oppenheim, interns;
Trey Henderson, minority counsel; and Jean Gosa, minority staff
assistant.
Mr. Davis. This hearing will come to order. I would ask
unanimous consent that the cochair of the House Task Force on
the Year 2000 Problem, the Honorable Connie Morella of
Maryland, chairwoman of the House Science Subcommittee on
Technology, chair today's meeting.
Without objection, so ordered.
Mrs. Morella. Thank you. Thank you, Mr. Davis.
I want to welcome all of you on, the past 3\1/2\ years, my
Science Committee Technology Subcommittee and the Government
Reform Committee's Government Management, Information, and
Technology Subcommittee, chaired by Steve Horn of California,
who incidentally couldn't be here this morning. We have been
engaged in the review of the year 2000 computer problem with a
series of joint hearings and initiatives. Our two
subcommittees, which comprise the House Y2K Working Group, have
been pushing for greater Federal Y2K focus to correct the
millennium bug.
Since we first began our oversight hearings, we've seen
vast and significant progress from our Federal agencies. And in
most instances, Y2K was finally mandated as an agencywide
priority. Management leadership was required where previously
there was none, and we're very pleased with the results we've
seen.
We have been comforted by the actions of a greater majority
of Federal agencies. But unfortunately, with only 63 days
remaining before the January 1st, 2000, deadline, there still
remains some concern about certain agencies, especially with
regard to their contingency and day 1 plans. To be fully
prepared for Y2K, every organization must ensure that their day
1 strategies are ready and that practical contingency plans are
in place.
Contingency plans provide assurance that a Federal agency
has covered all predictable possibilities to ensure that its
mission-critical operations can continue without disruption.
Our day 1 strategy provides a comprehensive set of actions
to be executed by a Federal agency during the last days of 1999
and the first days of 2000. For those who may have watched the
recently concluded World Series on television, you may have
seen an advertisement, teaser, for an upcoming network movie on
Y2K. In an effort to hype the movie and to create interest in
viewers, in the teaser an ominous voice boomed, Y2K, what if
they're wrong?
Despite its questionable entertainment value, I think the
movie is the one that will actually have it all wrong. One of
the most effective methods, however, to survive the movie's
hype and to calm any fears that may result is for Federal
agencies to have effective contingency plans and day 1
strategies that provide all Americans adequate assurances our
Federal Government will not be adversely attacked and affected
by Y2K.
Recently, the Office of Management and Budget [OMB],
provided guidance to assist Federal agencies in preparing day 1
plans. These plans are prepared for finite timeframes, like the
end of December through early January, to help mitigate any
problems that may arise. They should address the full scope of
agency activity that will be underway during that period.
For example, agencies must prepare to mitigate the impact
of possible failures in internal systems, buildings and other
infrastructures. Furthermore, the plan should include agency
efforts to assess the Y2K impact on its business partners, such
as State and local governments, in delivering the Federal
programs.
I'm pleased to welcome representatives of a number of
Federal agencies to discuss and review the status of their
contingency plans and day 1 strategies. And I look forward to
the testimony from the Social Security Administration, the
Department of Defense, the Department of Energy, the Internal
Revenue Service and the Postal Service. And in our first panel,
we will hear from the General Accounting Office and the Office
of Management and Budget.
[The prepared statement of Hon. Constance A. Morella
follows:]
[GRAPHIC] [TIFF OMITTED]61119.001
[GRAPHIC] [TIFF OMITTED]61119.002
[GRAPHIC] [TIFF OMITTED]61119.003
[GRAPHIC] [TIFF OMITTED]61119.004
Mrs. Morella. And it's now my pleasure to recognize the
ranking member on the Subcommittee on Government Management,
Information, and Technology, the gentleman from Texas Mr.
Turner.
Mr. Turner. Thank you, Madam Chairman. I want to commend
you and Chairman Horn, the chairman of my subcommittee, for
your diligence in trying to be sure that we are ready in the
Federal Government for January 1, 2000.
We all know that the public faces some risk that critical
services provided by both the government and the private sector
may be disrupted by the Y2K computer problem. And as we get
closer to January 1st, we need to redouble our efforts to be
sure that any disruption is reduced to a minimum.
Because this is the first time we've ever dealt with a
problem of this nature and magnitude, I'm sure that we should
expect the unexpected. And for that reason, we've asked every
Federal agency to have in place a business continuity and
contingency plan, and a day 1 strategy to reduce the risk of
failures occurring in their systems, programs, and services.
Without such plans, when unpredicted failures occur,
agencies would not be able to have a well-defined response, nor
have adequate time to remedy whatever problem may arise. So I'm
confident that the review of the agencies' efforts today will
be productive. I think if the Federal Government reaches
January 1st, 2000, without significant disruptions, a large
part of that credit will be due to the work of these two
subcommittees that for many months now have diligently worked
to be sure that the Federal Government is prepared and ready.
Thank you, Madam Chairman. I look forward to hearing the
testimony today.
Mrs. Morella. Thank you very much, Mr. Turner. And I
appreciate your being here, too.
[The prepared statement of Hon. Jim Turner follows:]
[GRAPHIC] [TIFF OMITTED]61119.005
[GRAPHIC] [TIFF OMITTED]61119.006
Mrs. Morella. There's recognition that Congress on the
House side is not in session today; therefore, a number of the
members of the subcommittees will be reading the testimony and
discussing it upon their return.
It's now my pleasure to recognize for an opening statement
Mr. Davis, who is the chairman of one of the subcommittees of
Government Reform, the District of Columbia Subcommittee, and
is a member of the Subcommittee on Government Management,
Information, and Technology.
Mr. Davis. Thank you very much.
This is the 23rd hearing of the year on the year 2000
computer problem that this subcommittee has held during the
first session of the 106th Congress. Over the last 3 years, the
subcommittees have spent countless hours discussing mission-
critical systems and embedded chips. Federal departments and
agencies have spent far more hours attempting to fix these
potential problems.
Most recently we have looked at the Federal programs, such
as Medicare and Medicaid, that affect millions of the Nation's
most vulnerable citizens, the elderly, the impoverished and the
sick. But now with only 63 days remaining until the January 1st
deadline, it's time to talk about the contingencies, the what-
ifs.
What if, despite the best efforts, some computers fail?
What if they continue working but spew out erroneous data? How
prepared are Federal departments and agencies to cope with
these possible situations? What are their plans? What are their
plans for day 1, the critical days leading up to midnight
January 1st and the days immediately afterwards?
I'm concerned to hear that the Internal Revenue Service has
found some unsolved problems with its inventory. Could other
Federal agencies find similar discrepancies? Just, frankly, the
IRS under their leadership at this point, I think, is one of
the most progressive in terms of dealing with the computers and
the like. The head of the IRS comes out of that industry.
Clearly, we need to have a candid discussion on contingency
plans today. We need to ensure that the Federal Government and
the services it provides will not fail, whether the date is
December 31st, 1999, or January 1st, 2000.
Thank you.
Mrs. Morella. Thank you, Mr. Davis.
[The prepared statement of Hon. Thomas M. Davis follows:]
[GRAPHIC] [TIFF OMITTED]61119.007
Mrs. Morella. And now as we usually do, we will swear in
our witnesses, and on the first panel, Mr. Willemssen and Mr.
Spotila.
[Witnesses sworn.]
Mrs. Morella. The record will show that the panelists have
sworn to tell the truth.
And now, as is, again, our tradition, we will give you each
about 5 minutes, approximately, to give your testimony, knowing
full well that your entire testimony will be included verbatim
in the record.
And so we will start now, as usual, with Mr. Willemssen. I
don't know how many hearings you've been at, sir, but you
really have been stalwart. We feel that you're part of the
committee. Thank you, Mr. Willemssen.
STATEMENTS OF JOEL C. WILLEMSSEN, DIRECTOR, CIVIL AGENCIES
INFORMATION SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE; AND JOHN
SPOTILA, ADMINISTRATOR, OFFICE OF INFORMATION AND REGULATORY
AFFAIRS, OFFICE OF MANAGEMENT AND BUDGET
Mr. Willemssen. Thank you, Chairwoman Morella, Ranking
Member Turner, Congressman Davis. Thank you for inviting GAO to
testify today on Y2K business continuity and contingency
planning and day 1 planning.
As requested, I will briefly summarize our statement. We've
previously testified on the importance of Y2K business
continuity and contingency planning. No one knows exactly for
sure what the rollover period will bring, and, therefore, such
planning is essential to helping ensure continued agency
operations in the event that disruptions occur.
Over time we've seen major improvements in the Federal
agencies' efforts in business continuity and contingency
planning. For example, in early 1998, we testified that several
agencies reported that they plan to develop contingency plans
only if they fell behind schedule in completing their Y2K work.
By contrast, less than a year later, in January 1999, we
testified that many agencies had reported that they had either
completed or had drafted contingency plans. These improvements
continue. For example, we reviewed agencies' most recent
submissions to OMB of updated continuity and contingency plans
and found that all agencies had identified key business
processes as called for in our guidance. A key aspect of
business continuity and contingency planning is validating or
testing plans. It's one thing to develop a written plan, but
quite another to see whether the plan will actually work as
envisioned. That's why we've emphasized the need for testing of
contingency plans.
In reviewing the high-level plans submitted to OMB, we were
able to identify 20 agencies that discussed their validation
strategies. These strategies encompassed a range of activities,
including desktop exercises and simulations. In addition to
reviewing these high-level plans, we've previously reported on
the business continuity and contingency planning of agencies
and their components, and we found some uneven progress. For
example, we found some agencies have instituted key processes,
while other agencies still have a ways to go.
Another important element of business continuity and
contingency planning that has not yet been adequately addressed
is the potential cost of implementing plans. Our guide calls on
agencies to assess the costs and benefits of identified
alternative contingency strategies. We also testified in June
that OMB's assessment of agency plans should consider whether
agencies provided estimated costs, and, if not, OMB should
require that this information be submitted so that it is
available on a governmentwide basis. However, OMB has not yet
required agencies to provide these cost estimates, although we
did identify five agencies which did so in their submissions.
Regarding day 1 planning, earlier this month we did issue a
guide to assist agencies in implementing their strategies.
Briefly the objectives of a day 1 strategy are to, one,
position the organization to readily identify year 2000 induced
problems, take needed corrective actions, and minimize adverse
impact on agency operations and key business processes. And
second, it's very important that the organization be in a
position to provide information on their Y2K condition to their
top executives, other business partners and to the public. Our
guidance provides a conceptual framework for helping agencies
address those objectives.
For the day 1 plans that were due on October 15th, OMB
asked agencies to address seven key elements, elements such as
a schedule of activities, contractor availability,
communications with the work force, and communications with the
public. A review of the submissions found that about 40 percent
of the agencies addressed all required elements.
Another important part of day 1 planning is ensuring that
the day 1 strategy can actually be executed; therefore, day 1
plans and their key processes and timetables should be reviewed
and, if feasible, rehearsed. Our review of day 1 plans found
that 19 agencies discussed rehearsing their strategies,
although some did not provide specific dates of their planned
or completed rehearsals.
That completes a summary of my statement. And I would be
pleased to address any questions you may have. Thank you.
Mrs. Morella. Thank you Mr. Willemssen.
[The prepared statement of Mr. Willemssen follows:]
[GRAPHIC] [TIFF OMITTED]61119.008
[GRAPHIC] [TIFF OMITTED]61119.009
[GRAPHIC] [TIFF OMITTED]61119.010
[GRAPHIC] [TIFF OMITTED]61119.011
[GRAPHIC] [TIFF OMITTED]61119.012
[GRAPHIC] [TIFF OMITTED]61119.013
[GRAPHIC] [TIFF OMITTED]61119.014
[GRAPHIC] [TIFF OMITTED]61119.015
[GRAPHIC] [TIFF OMITTED]61119.016
[GRAPHIC] [TIFF OMITTED]61119.017
[GRAPHIC] [TIFF OMITTED]61119.018
[GRAPHIC] [TIFF OMITTED]61119.019
[GRAPHIC] [TIFF OMITTED]61119.020
[GRAPHIC] [TIFF OMITTED]61119.021
[GRAPHIC] [TIFF OMITTED]61119.022
[GRAPHIC] [TIFF OMITTED]61119.023
[GRAPHIC] [TIFF OMITTED]61119.024
[GRAPHIC] [TIFF OMITTED]61119.025
[GRAPHIC] [TIFF OMITTED]61119.026
[GRAPHIC] [TIFF OMITTED]61119.027
Mrs. Morella. We now look forward to hearing from Mr.
Spotila.
Mr. Spotila. Good morning, Chairwoman Morella and
Congressman Turner and Congressman Davis. Let me start by
thanking you for your continuing interest in the Y2K problem.
As I indicated to you in my testimony on October 6th, your
early and continued involvement in this issue has made a
dramatic difference in the Federal Government's preparedness.
Before discussing our day 1 planning efforts, let me update
you on the status of our other work. As of October, the
agencies report that 99 percent of Federal mission-critical
systems are compliant, an increase from the 98 percent that I
reported earlier this month.
This reflects notice from five more departments;
Agriculture, Commerce, Energy, Health and Human Services and
Transportation, that their critical systems are ready. Although
a small number of critical systems are still not quite done, in
all cases the agencies involved have assured us that they will
complete their work before the end of the year. Moreover, they
all have contingency plans in place for these systems. Compared
to where we were just last year, this is a huge accomplishment.
Even though we expect all of our mission-critical systems
to be ready by January 1st, it is still important that every
agency have a business continuity and contingency plan, or
BCCP, in place, including a detailed day 1 plan. These plans
describe the steps each agency will take to prepare for the 1st
of January. They should address the full scope of agency
activity with steps to mitigate the impact of any failures
involving internal systems, buildings or other infrastructure.
Agencies must be ready to assess the impact of any Y2K
problem on their partners and constituencies and to provide
them with appropriate assistance. They must also be ready to
provide information about any Y2K problem to their management
partners and the public.
As GAO's day 1 guidance notes, effective day 1 planning
will position an agency to identify year 2000 induced problems,
take corrective action and minimize adverse impact on agency
operations and key business processes. We are working closely
with the agencies and GAO to share information about how best
to develop effective plans. GAO and OMB have issued coordinated
guidance to the agencies.
My staff has reviewed agency plans and is working with
agencies to improve those plans. We are all learning as we go.
The work we are asking agencies to do has never been done
before. In an organization as large and diversified as the
Federal Government, there is no one-size-fits-all solution, and
given this challenge, the agencies have responded well.
Based on our initial review of agency plans, we believe
most large agencies are on track. While they need to add more
detail to the plans, most do address all of the critical
elements of effective day 1 planning. A few of the larger
agencies have had more difficulty. Here we have engaged them at
a senior level to ensure that their efforts improve. I have
already spoken personally with several agencies to see that
their plans are revised to address our concerns.
OMB staff are following up these discussions with each
agency individually. While a few of the small and independent
agencies have done excellent work, a number of them have
provided incomplete plans or none at all. To help speed their
work, we are meeting with them next week. We will have one or
two of the agencies that provided excellent plans describe what
the plans should entail. I note that GAO has agreed to
participate in that meeting as well. Their work has been
invaluable to agency progress in this area.
After further work with the agencies, we will ask them to
provide us with revised plans next month. From our review of
the existing day 1 plans, we are beginning to see some patterns
of best practices. The importance of good communications cannot
be underestimated. If unforeseen problems arise, agencies must
be able to communicate with their work force, their partners
and the public.
Assuring the ability to communicate is so important that a
redundant communications capability should be put into place.
The best plans provide a detailed schedule of activities that
will take place during the rollover period. They anticipate the
sequence and timing of such activities as shutting down
computer systems and bringing them back up, checking their
viability and contacting key business partners.
The best plans ensure that the right personnel will be
available at the right time, whether on duty or on call and
whether on or offsite. Such personnel may be contractors or
employees and may include building technicians, computer
programmers, telecommunications experts, program staff,
contracting officers, legal counsel, public affairs staff and
senior management.
Finally, we are aware that the Y2K transition is an
opportunity for those who might want to disrupt agency
activity, whether mischiefmakers or those with criminal intent.
The best plans describe additional steps to guard against such
security risks, whether to facilities, personnel or systems.
We are all on a learning curve here. As we identify other
best practices, we will share them across agencies. Such
cooperation will continue to be essential to our success in
preparing for Y2K. We are entering the home stretch of our year
2000 efforts. As in any race, it is time to begin sprinting
toward the finish. Day 1 plans are the critical last piece of
our preparations. There will be no letup in our efforts during
the remaining 63 days.
Thank you for the opportunity to continue to share
information with you on the administration's progress. I would
be pleased to answer any questions you may have.
Mrs. Morella. Thank you, Mr. Spotila.
[The prepared statement of Mr. Spotila follows:]
[GRAPHIC] [TIFF OMITTED]61119.028
[GRAPHIC] [TIFF OMITTED]61119.029
[GRAPHIC] [TIFF OMITTED]61119.030
[GRAPHIC] [TIFF OMITTED]61119.031
Mrs. Morella. I am particularly pleased having both of you
here, because you have been partners in trying to make sure
that the Federal agencies, as well as the outreach and end-to-
end testing, has been taking place.
As we start our questioning, I will start off with Mr.
Willemssen. In your statement you mention several agencies at
risk of not having solid, well-tested contingency plans,
including the IRS, that will be testifying today, Federal
Bureau of Investigations, Drug Enforcement Agency, Agency of
International Development.
I would like to have you tell us what you see the real-life
consequences of not having plans ready.
Mr. Willemssen. To the extent that agencies do not have
contingency plans and continuity plans ready, and to the extent
that those plans haven't been well tested, those agencies run
the risk that in the event that disruptions occur, their
responses to those disruptions will be more ad hoc and chaotic
in nature, rather than very well planned with a clear roadmap
on who is to do what and when, and who to report to who on what
is going on.
That is the whole basis of having these plans in place and
testing these plans. To the extent that that isn't there, we do
run this risk of an untrained response that is a more ad hoc in
nature, that may not be the right response, and, therefore, the
response may not address the Y2K problem that may have
occurred.
Mrs. Morella. So the planning is critically necessary even
though that may not be the end either, there may be some other
implications and consequences resulting from it, but far better
than to have what could happen without those contingency plans.
You mentioned also in your statement the Y2K risk facing
State-run programs--this concerns me greatly--like Medicaid and
unemployment insurance. Again, what are the consequences of not
having those plans ready?
Mr. Willemssen. The likely consequences in those kinds of
benefit-driven programs is that, in the event that there are
Y2K disruptions and contingency plans aren't ready to be
implemented, benefits could be delayed or benefit amounts could
be inaccurate. And, therefore, it's critically important that
the contingency plans be pursued and be tested.
I'm more optimistic actually in this area now because of
some of the fine efforts of the lead Federal agencies in
understanding that this is a critical issue, and States are
beginning--even those States that were lagging behind--are
beginning to address this very forcefully. So I think there's
reason for much more optimism, even compared to just a few
weeks ago.
Mrs. Morella. Agencies should not be advising the public,
should they, of possible consequences in terms of enlightening
them?
Mr. Willemssen. I think agencies have to make a very
reasoned decision on what they announce to the public and what
they don't. As a side note, many of the business continuity and
contingency plans and day 1 strategies do have some level of
classification such as for official use only. One of the
reasons for that relates to something you had mentioned early
on. There's a possible security risk to the extent that
agencies publish too much information about what they plan to
do in the event of a Y2K disruption. So that's something that I
think agencies have to make a reasoned decision on.
I think the bottom line is making sure that plans are in
place, that they have been tested, and that all the agencies
are poised during the rollover period to address any
disruptions that may result.
Mrs. Morella. Thank you.
Mr. Spotila, according to OMB--and I very much appreciate
your coming out with the requirement that by October 15th, the
agencies have their day 1 plans and contingency plans in
effect. But according to OMB, day 1 plans should include
specific data such as personnel that should be on call or on
duty. And I wonder, what do you believe will be the number of
Federal employees that will be on call or on duty, as the
statement designates, on January 1st, 2000?
I guess what I'm asking you is, how does this compare,
January 1st, 2000, with a regular day for the Federal
Government?
Mr. Spotila. We don't yet have a specific number of people
that we anticipate will be on duty in this effort. One of the
general comments that I made in my testimony concerning the day
1 plans was that a number of the agencies need to supply more
detail than they have. To some degree this is a process where
we think we will get more specific information very quickly in
the weeks to come.
Certainly not everyone will be working. We anticipate in
each case that core staffs will be available, targeted much
more at the specific needs of agencies on an individual basis.
Some of those needs relate to verifying that the systems are
going to work, bringing them down, bringing them back up again.
Some of them involve response capability. In some cases, there
will be people on call who will not physically be onsite as the
rollover occurs.
We will have better information as we get closer to the end
of the year in this regard, but we don't quite have it yet.
Mrs. Morella. But obviously there will be a tremendous
number of people who will be ready who will be on call, as you
say--.
Mr. Spotila. That's true.
Mrs. Morella [continuing]. Ready to respond? It would be
interesting as you continue on in the remaining couple of
months to keep us apprised of that, too.
And one final question, before I turn to Mr. Turner for his
line of questioning, is that Mr. Willemssen mentioned something
that I think you would agree with, and that is that we don't
really have the cost estimates of what implementation is going
to cost. And I'm curious about what you're going to do to
require it.
I don't think you've required it at this point, cost
estimates. And I think they should be something that we should
be able to scrutinize.
Mr. Spotila. We have had discussions with the agencies on
this subject. Our sense has been that the most important focus
for the agencies right now should be getting their plans, their
detailed plans, ready so that we know what it is they're going
to do or what they feel they will need to do.
From a costs standpoint, the agencies understand at the
moment that they are expected to absorb these costs initially;
they all have resources, we think, to do that. We made sure to
tell them that if any feel that budget considerations are
interfering with their plans, they need to let us know, and we
will make sure that resources are available.
We certainly will come back to the question of cost
estimating, but we need to do it after the plans are ready in
more detail so we know what it is that we are actually dealing
with. It's not something we're insensitive to, but it is true
we have not made this a priority equal to getting ready for the
event itself.
Mrs. Morella. You might consider having at least some
estimates submitted to scrutinize, because it was my
understanding that it was in August 1999 when I think it was
Department of Health and Human Services estimated that it would
cost about $99 to implement contingency and day 1 plan.
Mr. Spotila. I think that we will, in fact, ask for
estimates. We've actually gotten some of them in already. We've
encouraged agencies to give us estimates as they are ready to
do so, and I think as we proceed closer to the end of the year,
that is something we will be asking of them.
Mrs. Morella. Thank you.
I am now pleased to recognize Mr. Turner for his line of
questioning.
Mr. Turner. Thank you, Ms. Morella.
In my opening comments I made reference to the fact that we
probably should all put ourself in the state of mind where we
are ready to expect the unexpected. And one of the things that
has concerned me, even after all of our efforts to prepare for
Y2K it still seems to be very possible whether it's through
efforts by those who would do harm to our country or simply
from those who are on some college campus disseminating
information over the Internet, that perhaps we could have on
January 1st a lot of misinformation designed with ill intent or
simply out of a spirit of being a prankster to try to mislead
people and to cause people to take certain actions they might
not otherwise take based on the information that that is
disseminated.
I was wondering whether or not we have considered, or
perhaps Mr. Koskinen in his efforts has considered creating
some type of rapid response team that would act as a
clearinghouse as we enter the new year to provide a source of
credibility regarding misinformation or information that may
circulate, whether it be over the Internet or through some
other medium, about the existence or nonexistence of Y2K
problems.
It seems to me that that type of panel would need to be
people of some renown who bear credibility, perhaps a three-
member panel of members who would be the spokespersons
regarding Y2K problems. Madam Chairman, I know you get the same
kind of e-mail I do. There's always some kind of rumor
circulating on the Internet about something the government is
about to pass or put a tax on the Internet or something like
that, and we all end up writing these letters back saying
that's just a rumor, there's no basis, there's no legislation
pending on that subject.
It just strikes me that on January 1st, there's a
possibility that some may try to circulate misinformation that
might cause people to take actions that otherwise they would
not take. If we had a panel in place of credible individuals
through which all of that information could clear, then they
could turn to the agencies and turn to the private sector to
get the truth, and then be in a position to respond through the
media regarding what are the facts. Perhaps, we could avoid
some problems that might otherwise occur.
Have we given any thought to that, or have any of the
efforts of Mr. Koskinen directed in that way?
Mr. Spotila. Actually, Congressman, we've been giving quite
a bit of thought to that. Let me address it in two respects.
First of all, as I mentioned in my testimony, from a security
standpoint we're asking each agency in its day 1 plan to
address the question of protecting systems from anyone who
would cause mischief. That's an element here.
With respect to misinformation that might be put out, here,
too, agencies will be focused on how that information might
relate to them individually. In a coordinated way, the
Information Coordination Center will help, John Koskinen and
the President's Council on Year 2000 Conversion have a plan for
collecting and exchanging information in this area, working
closely with their private sector coordinators and others
throughout State and local government to be in a position to
verify what information is true and to be able to disseminate
it.
The Coordination Center will play a key role in terms of
overall coordination, even though we are also looking at
individual agencies to be prepared to address agency specific
concerns.
Mr. Turner. Well, I would urge you to maybe pursue it a
little bit further, because I think if we could enlist the
assistance of some high-profile personalities who have
credibility, a Walter Cronkite type who would be a
spokesperson, along perhaps with one or two others. I don't
think it's going to help if there's some rumor or
misinformation floating, say, on the Internet, and it's
reported that the government denies the report. Unfortunately,
we all know the government oftentimes does not have the
credibility that we might need.
So it would seem to me if we could attach a personality to
that effort that would be known to be trustworthy by the
American public, perhaps we could avoid some problems that
otherwise might occur.
Mr. Spotila. I think that's a very constructive suggestion.
We certainly will bring that up with John Koskinen and see what
can be done in that area.
Mr. Turner. Thank you. I don't have any other further
questions.
Mrs. Morella. What are you going to be doing, Mr. Spotila,
on that day? Where are you going to be?
Mr. Spotila. I think I will--actually, I asked my staff to
tell me where they think I should be.
Mrs. Morella. Never leave yourself so wide open.
Mr. Spotila. I'm certainly making myself available to be
right on duty here. But we're trying to determine whether that
would be positive or negative in the view of the people that
are actually going to be dealing with our problems.
Mrs. Morella. But I appreciate Mr. Turner asking that
question because as we go on, I would like to find out, you
know, specifically how that ICC is going to operate.
Mr. Spotila. Yes.
Mrs. Morella. I have a question, the same question actually
for both of you. IRS is going to be a witness on our next
panel, and recently IRS reported that the poor quality of its
computer inventory poses a high risk to its Y2K effort. I quote
that exactly. That was quoted in a letter to Mr. Archer, the
chairman of the Ways and Means Committee. And it says the
quality of the IRS's inventory currently poses a high risk to
the Y2K effort.
Therefore, my question to both of you is, in your opinion,
what can be done to--or what can the IRS do to mitigate that
potential Y2K problem, those failures, and does the IRS have a
practical contingency plan in place? They will have an
opportunity to respond, but I wanted to hear from you before we
dismiss this first panel.
Mr. Willemssen. Well, one, Chairwoman Morella, I think it
is of concern to hear a major Federal agency still talking
about the term ``inventory'' at this late date. In testifying
on the IRS, which I did as far back as February 1997, I know
the IRS has a far-flung information systems structure, many of
their systems out in the field, many of the systems homegrown,
so it is a difficult endeavor to get a handle on all of those.
In terms of your direct question on what should they do, I
think it's just ensuring that their key business processes,
whether they're tax refunds or tax processing, however IRS has
defined them, that they have thoroughly decomposed those
processes and identified their key systems that they need to be
ready in order to do business as usual come the turn of the
year.
Mrs. Morella. Do they have time to do that?
Mr. Willemssen. I think one thing in their favor is given
the background of the Commissioner of the Internal Revenue
Service, he's made it very clear this has been a top priority
for him for some time, and he also made it clear, I think, in
hearings I've been at with him that this was a massive
undertaking, that it had risks associated with it. And I think
there is time to focus again on those most important business
processes and decompose them and focus on the supporting
systems.
Mrs. Morella. Mr. Spotila.
Mr. Spotila. From our perspective, I agree completely with
Mr. Willemssen in all of those respects. We're concerned. We
have not had quite as much information of IRS as we would like
to see. We recognize the importance of this, and we certainly
are going to do what we can do to help the situation.
Mrs. Morella. Well, we will be interested to also hear from
IRS about, you know, what they are doing, particularly in light
of that rather frightening statement.
Let me ask you about GAO, you recently reported that only
40 percent of Federal agencies submitted complete contingency
plans with information on the seven criteria that you have
established. What are you going to do to make sure that
agencies complete these plans?
Mr. Willemssen. Well, in terms of their day 1 strategy and
the required seven elements of OMB, I would concur with Mr.
Spotila's comments that OMB is working with these agencies to
followup where there are holes and where more information is
needed. I think we also have to keep in mind that many agencies
were out front and had a lot of this detail all pulled
together; many did not.
The requirement for day 1 strategies was initially
contained in OMB's September 13th quarterly report summary. So
that was the first time a requirement was sent out. OMB's
guidance on what to include, I believe, came out on October
13th, and then the strategies were due 2 days later.
So we're talking about a very compressed time. I think we
have to give the agencies that did get a late start some
recognition that they have time to improve, but this has to be
a top priority at this point in time. I think OMB shares that
view, and through our reviews and evaluations, we have not seen
evidence of agencies resisting day 1 concept. What they don't
have in many cases are all the details worked out yet, and
that's what they have to focus on now.
Mrs. Morella. I know that GAO is the one who has suggested
that OMB come up with the criteria, which they did so well,
established the October 15th deadline. Now, in light of the
question that I asked Mr. Willemssen, which is directed to you
now, do you have another deadline that you have established
where you say you now must get the responses, your contingency
plans in effect by another deadline?
Mr. Spotila. We're proceeding on two levels: one,
individually with agencies, based on what they have submitted
to us, or in a couple of instances where they have not
submitted to us, to work with them to get this fixed.
We've also told them informally that we will be asking them
for a new updated report next month, so there is going to be a
new November deadline for them. That has not formally gone out
yet, but they have all been advised that it is coming. Our
priority has been working with GAO and working with the
agencies to get these plans in their proper shape.
Mrs. Morella. It appears as though they may be working very
long days in order to do it, and I think you should set an
early November deadline for that, too.
Mr. Spotila. We intend to.
Mrs. Morella. I guess I just have one more question so we
can get on to our next panel. And I know that you have always
been available to respond to other questions that we may
submit.
Another day 1 strategy requirement is to include data on
contractor availability. Do you believe that this requirement
is being followed, being overlooked? Because I think it's
exceedingly important, and we've discussed this in a number of
our other hearings, exceedingly important for interoperability
and for the successful operation of many of the Federal
mission-critical systems.
What have your investigations revealed thus far with
respect to Federal contractors?
Mr. Willemssen. In taking a look at the strategies that
have been submitted thus far, it's a bit of a mix. Some of the
agencies haven't addressed the issue, and don't know the
availability. Other agencies are still working on this. I think
this is a fairly critical issue, and it's critical from a
couple respects. One is making sure from a governmentwide basis
that not everyone thinks they have a relationship with the same
vendor, and making sure that that vendor isn't overextended.
And then second is laying out in specified detail exactly who
to contact with that contractor or vendor should disruptions
occur.
Mrs. Morella. Mr. Spotila, would you like to comment on
that?
Mr. Spotila. Yes. Once again I would agree. I think in
general, with most of the agencies, we need more detailed
information on this subject. One of our observations is that a
number of the agencies need to do more in this area. Some have
done real well. Social Security whom you will be hearing from,
has done an excellent job. NASA and the Department of
Transportation have done very well. But there are a number of
agencies that need to add considerable detail here, and that's
one of the areas we're pressing.
Mrs. Morella. This is going to be one of the questions
we're going to ask to our second panel what they're doing, and
I'm glad that you're both very aware of it and continue to ask
for that response.
Just finally the issue of computer security, this is one,
as you know, I think is critically important as it relates to
Y2K and even beyond that. How certain are you that the
remediation efforts of the Federal systems have been conducted
by firms that are U.S.-owned, and then if you would like to
comment on what the risks might be that foreign agents or those
with antigovernment views might have access to sensitive
computer data. If I could ask both of you if you can answer
that.
Mr. Willemssen. I will answer that in two ways. One is to
give you my nonscientific answer that I think overall if you
compare what has happened on remediation to what we thought
would happen in the 1996 or 1997 timeframe, we've been a little
surprised that more of the remediation work was actually done
in-house and by existing contractors as it pertains to Federal
agencies than we would have thought. There really wasn't as
much work that went outside of the existing agency-contractor
relationships as we would have envisioned.
Point two, we share your concern about Y2K security risks.
Frankly, we haven't at this point done a lot of work on this.
We do have some ongoing work looking at that right now with
some high-profile agencies, such as the Federal Aviation
Administration and Department of Energy. At these agencies we
are pursuing the issue to see what kind of controls and
processes the agencies have in place.
Overall, I think that the executive branch is very, very
aware of this particular issue, and it's brought up in almost
every meeting I'm in on Y2K over the last couple of months.
Mr. Spotila. I would echo those comments. In general, OMB
does not have individual agency information in this regard.
We've relied on the agencies and their decisionmaking process.
We have worked in coordination with the National Security
Council, with the President's advisor on counterterrorism Mr.
Clark, and the CIAO office. This is something we are sensitive
to. We have looked at security concerns here, and we think that
the right steps are being taken, but it certainly is not
something that we are taking for granted.
Mrs. Morella. Well, I'm glad to hear that because I think
it's critically important. We focus on it because this whole
concept of the potential for the computer security could dwarf
the problems of Y2K.
Mr. Turner, do you have any final comments?
Mr. Turner. No final questions, thank you.
Mrs. Morella. I want to thank panel one for the work you've
done not only in your presentations and responses today, but
continuously that you've done. Thank you very much.
Mr. Willemssen. Thank you.
Mr. Spotila. Thank you.
Mrs. Morella. Now we will ask the second panel to come
forward. Mr. Dyer, Mr. Langston, Mr. Gilligan, Mr. Cosgrave,
Mr. Lorentz.
Gentlemen, before you get comfortable, as we did with the
first panel, I would ask you kindly to stand and raise your
right hand.
[Witnesses sworn.]
Mrs. Morella. Again, the record will demonstrate
affirmative response to that.
So we're pleased to have on our second panel John Dyer,
Principal Deputy of the Social Security Administration; Dr.
Marvin J. Langston, Deputy Assistant Secretary of Defense for
C31 and the Year 2000, Department of Defense; John Gilligan,
Chief Information Officer of the Department of Energy; Mr. Paul
Cosgrave, who is the Chief Information Officer of the Internal
Revenue Service; Mr. Norman E. Lorentz, Senior Vice President,
Chief Technology Officer of the United States Postal Service.
Gentlemen, I'm glad you're here, it's very important that
we hear from you. And I think it was appropriate that you also
heard the testimony of GAO and OMB preceding you. And again,
following sort of a 5-minute rule, we're very flexible about
it.
We will start off, and I will let you know that we will
hope to have time for questioning and that your entire
statement will be in the record, so you can give us a synopsis,
if you desire. So we will start off with you then.
Mr. Dyer, thank you for being here.
STATEMENTS OF JOHN DYER, PRINCIPAL DEPUTY, SOCIAL SECURITY
ADMINISTRATION; MARVIN J. LANGSTON, DEPUTY ASSISTANT SECRETARY
OF DEFENSE FOR C3I AND YEAR 2000, DEPARTMENT OF DEFENSE,
ACCOMPANIED BY REAR ADMIRAL BOB WILLARD AND BILL CURTIS,
DEPARTMENT OF DEFENSE; JOHN GILLIGAN, CHIEF INFORMATION
OFFICER, DEPARTMENT OF ENERGY; PAUL COSGRAVE, CHIEF INFORMATION
OFFICER, INTERNAL REVENUE SERVICE; AND NORMAN E. LORENTZ,
SENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER, U.S. POSTAL
SERVICE
Mr. Dyer. Madam Chairwoman and Representative Turner, I
appreciate the opportunity to discuss the Social Security
Administration's day 1 and business continuity and contingency
plans for the year 2000 changeover. As a recognized leader in
Y2K readiness, we are confident that our monthly payments to 50
million people and the earnings records of 145 million workers
will not be affected; however, in the case of the unexpected,
we are prepared.
To begin with, all of our mission-critical systems are
certified as year 2000 compliant, along with all of the State
disability determination services referred to as DDSs.
Additionally, joint testing of payment files and direct deposit
procedures have been successfully completed, as is the Federal
Reserve Board testing with financial institutions, including
Social Security transactions. Last, as for trading partners,
Treasury and the Postal Service are also on board to handle
ongoing and incoming exchanges.
At this point I would like to review step by step our plans
for the last days of 1999 and the first days of 2000. For
December 30th to January 3rd, designated personnel will
inspect, evaluate and report on virtually every office. Social
Security headquarters will stop receiving on-line transactions
from field offices at 5 p.m. Eastern Standard Time on December
30th, allowing all officials to collect all of our 1999
computer transactions.
On December 31st, our computer systems will finish updating
SSA's master files. Just before midnight, the Social Security's
main data center in Baltimore will switch to jet fuel
generators until the power company notifies the agency that
everything is fine.
Immediately after midnight, December 31st, 1999, teams will
begin assessing our systems' capability to process transactions
for the year 2000. Later that day, staff at selected offices
across the country will enter data. We will also test the 800
number. Throughout New Year's Day, a group of programmers will
run checks on the computer systems for our 1,400 facilities.
Social Security managers will report to their offices,
checking all equipment and reporting their findings to regional
offices, which will then forward the data to the command center
in Baltimore. Approximately 100 sites will serve as barometer
offices, including the 55 that do the disability
determinations.
Agency technical staff will test software systems by
conducting a series of typical transactions. The Baltimore
command center will monitor the processing. If problems are
found, teams will be dispatched to make the necessary repairs.
Besides assessing Social Security's infrastructure, our command
center will communicate with several non-SSA sites, such as the
Treasury command center, to be alerted to any problems that
banks may have in posting electronic fund transfers. Moreover,
we will advise the White House Information Coordination Center,
the media and the Congress of SSA's status. Then on January
3rd, Social Security will open for business as usual.
SSA's day 1 strategy is part of our overall business
continuity and contingency plan. The plan prepares the agency
to avoid a possible crisis if its automated systems are unable
to recognize the year 2000. Within this larger plan, we have
local plans for each field office, teleservice centers,
processing centers, hearing offices and the State DDSs. We have
developed contingencies for benefit payment delivery, building
operations, human resources and communications.
For over a year both Social Security and SSI payments have
been made with year 2000 compliant systems. Furthermore, we
have developed a benefit payment delivery plan with the
Treasury Department and the Federal Reserve. In November 1999,
next month, field office employees will receive training as to
the actions and procedures they are to follow if such an
unanticipated problem occurs. SSA also has contingency plans
that deal with unforeseen emergencies, such as inclement
weather, natural disasters, accidents or equipment failure.
We want the public to understand that we're prepared for
the year 2000 conversion. We want the public to have accurate
information. Misinformation and confusion could generate
overwhelming workloads and cause disruptions. Therefore we
appreciate the Congress and others updating the American public
about the actions Social Security and other Federal agencies
have taken to prepare for the year 2000.
For our part we're committed to informing Members of
Congress if serious problems develop. If a service to any of
our local offices is interrupted, and contingency plans are
implemented, the manager of the affected office will call the
congressional office with specific information on how it will
provide service to the congressional representative,
congressional offices and to the constituents normally served
by that office.
In fact, on September 23rd, we sent a letter to the
Congress outlining these steps and listed the names and phone
numbers of the managers of each local office in each State
responsible for calling you.
Because of our early planning and testing, Social Security
fully expects that all of our processes will function properly
in the new millennium, and that we will continue to provide
world-class service to the American people.
I'm happy to answer any questions you might have. Thank
you.
Mrs. Morella. Thank you, Mr. Dyer. I know that Social
Security Administration started in 1989 in their preparation.
[The prepared statement of Mr. Dyer follows:]
[GRAPHIC] [TIFF OMITTED]61119.032
[GRAPHIC] [TIFF OMITTED]61119.033
[GRAPHIC] [TIFF OMITTED]61119.034
[GRAPHIC] [TIFF OMITTED]61119.035
[GRAPHIC] [TIFF OMITTED]61119.036
[GRAPHIC] [TIFF OMITTED]61119.037
[GRAPHIC] [TIFF OMITTED]61119.038
[GRAPHIC] [TIFF OMITTED]61119.039
[GRAPHIC] [TIFF OMITTED]61119.040
Mrs. Morella. Mr. Langston, Dr. Langston.
Mr. Langston. Chairwoman Morella, Mr. Turner, thank you
very much for your continued interest in this subject. The
Department of Defense is very proud of the progress that we
have made over the past 15 months of this ongoing year 2000
preparation effort.
I'm joined this morning by Rear Admiral Bob Willard, who
has been spearheading this effort in our unified forces and
services, and also Mr. Bill Curtis, who has been our full-time
person leading and directing the year 2000 event for the past
period of time.
We have addressed this issue in four major activities.
Those activities comprise systems compliance, operational
evaluation and testing, contingency planning, leadership
preparation and a transition period which has begun. I will
just spend a few minutes outlining the activity in these areas
for you.
In the systems compliance area we are tracking and
repairing over 7,500 systems. Over 2,000 of those are mission-
critical systems. The rest are non-mission-critical systems.
And in addition, we have 600 installations and 350 domains
among our main megacenter mainframe computers that we have
worked to repair. Of those systems we are confident that all of
them will be repaired and ready to go for this event, and
currently we are over 98 percent of our mission-critical
systems.
In the operational evaluation and testing area, this is the
largest effort in DOD's history. We have never conducted such
an integrated and large operational evaluation of our systems.
We have done it in two major ways. We have enlisted the
uniformed services through the support from the chairman of the
Joint Chiefs of Staff to conduct operational evaluations, which
are threaded evaluations of systems operations that support our
primary military functions. And we've also conducted functional
evaluations of all of the support operations that foundation
the Department; for example, financial systems, logistics
systems, and personnel systems.
We have also conducted a whole series of service
integration tests which are specific to each of our military
services and verify that those systems of systems among the
services are capable of supporting our needs.
In the contingency planning and leadership preparation
area, the chairman of the Joint Chiefs of Staff has conducted a
series of chairman contingency assessments personally led by
the chairman and supported by our four-star uniformed
commanders. They address mobilization, deployment operations
and sustainment. And these evaluations were 2 week-long periods
of removing tens of major systems from each of those areas to
evaluate the impact of the loss of those systems and the
support of the contingency plans that would be put in place
should those systems be removed on military operations.
In each of those cases we determined that our contingency
plans were an important element of what was needed, and that
we, in fact, could conduct military operations should we lose
those large number of systems.
We also conducted business continuity planning in terms of
both systems continuity plans and operational continuity plans,
meaning that we have a continuity plan for every system, and we
have a continuity plan for every operational functional area
that is a combination of systems or a larger function, and
therefore we have a way to support loss of capability in any
one of these events.
We've also enlisted the support of all of our inspector
generals, both the service inspector generals and the DOD
inspector generals, on all of our assessment agencies to make
sure that we have prepared good contingency plans and they are
in good shape for these operations.
And finally, in preparation for our leadership, we have
conducted a series of table top exercises which were literally
day-long workshops that prepared the senior leaders to explore
an enormous amount of unknown, what-if types of questions to
determine how we would operate the Department through any kind
of unknown surprise events.
Finally, the fourth area is a transition day 1 operations
period which we did begin in September, the 1st of September,
and we will operate through the 1st of March or the end of
March of this coming year. A major part of this activity has
been the preparation of a consequence management plan to help
all of our warfighting commanders and base commanders
understand how they can respond to situations and external
requests from the Department for aid and support throughout the
United States or other nations in the world. And in that
process, we have also established a posture-level instruction
which allows across five posture levels each of our commanders
to understand how we are postured and how they are to respond
specifically to those posture levels.
For example, in this consequence management activity our
first priority is, as Dr. Hamre, the Deputy Secretary, has
reiterated several times, is to support national command
authority or military operations in any form. Our second
priority is to support standing operations. Our third priority
is to support civil authorities and public health and safety.
And our fourth priority is to support civil authorities in
support of economic or national quality of life. These are all
well laid out and detailed plans which we continue to refine
wherever we find the need for such.
Finally, I would point out that we have had an ongoing
operation with foreign nations and our NATO allies with a large
amount of effort concentrated on the Russians and their
interaction with us for early warning events and for mitigating
any nuclear mishaps or missteps related to nuclear weapons. We
are currently planning to put in place our Center for Year 2000
Strategic Stability in Colorado Springs. We have conducted
successful negotiations with the Russians for them to
participate in this event. They will be arriving in Colorado
Springs on the 22nd of December and working with us through the
15th of January for that particular operation.
So in conclusion, I would suggest that we have conducted a
very extensive activity over this past year. The activity
actually transformed when Secretary Cohen and Dr. Hamre tasked
the uniform commanders and the under secretaries of the
functional support areas to be personally responsible for the
operations and mission continuity through this period of time.
I believe that it's fair to say that the Department literally
does contingency planning all the time because of the nature of
our business. We do continuously report activities on a 24 by 7
basis throughout the normal year, and the year 2000 event for
us is a significant event that we do not take lightly, but it
does fit directly into our normal operations, and we feel that
we will be ready and prepared to support any national security
situation throughout this period. Thank you.
Mrs. Morella. Thank you, Dr. Langston.
[The prepared statement of Mr. Langston follows:]
[GRAPHIC] [TIFF OMITTED]61119.041
[GRAPHIC] [TIFF OMITTED]61119.042
[GRAPHIC] [TIFF OMITTED]61119.043
[GRAPHIC] [TIFF OMITTED]61119.044
[GRAPHIC] [TIFF OMITTED]61119.045
[GRAPHIC] [TIFF OMITTED]61119.046
[GRAPHIC] [TIFF OMITTED]61119.047
[GRAPHIC] [TIFF OMITTED]61119.048
[GRAPHIC] [TIFF OMITTED]61119.049
[GRAPHIC] [TIFF OMITTED]61119.050
Mrs. Morella. Mr. Gilligan, pleasure to hear from you sir.
Mr. Gilligan. Thank you, Madam Chairwoman Morella and
Congressman Turner. I welcome this opportunity this morning to
discuss the Department of Energy's contingency, business
continuity and zero day plans. As Chief Information Officer for
the Department of Energy, I am responsible for the oversight,
coordination and facilitation of the Department's ongoing
efforts to address year 2000 issues.
The Department has made great progress since the last time
we testified before this subcommittee in June 1998, and I am
pleased to be here to discuss our progress with you. Achieving
100 percent year 2000 compliance has been one of Secretary
Richardson's top goals for the Department. When I joined the
Department in October 1998, the Department was the recipient of
a failing grade on its year 2000 progress from this committee,
and turning around the year 2000 program was my highest
priority.
As you are aware, we were able to rapidly improve our
progress to a B grade in early 1999. I am pleased to report to
you today that 100 percent of the Department's 420 mission-
critical systems are year 2000 compliant and have approved
contingency plans, and that the Department is more than 99.8
percent complete in remediating over 200,000 non-mission-
critical systems, embedded chips, telecommunications systems,
data exchanges and work stations.
The Department has taken a phased approach similar to other
large government agencies to its year 2000 preparation
activities. Phase I of our program focused on remediating the
Department's 420 mission-critical systems and approximately
200,000 non-mission-critical systems.
Phase II focused on implementation of additional risk
reduction and mitigation measures to help ensure that no
Department mission is compromised due to year 2000 transition,
and development of business continuity and zero day plans to
ensure the continuation of the Department's core business
processes in the event of a year 2000 related failure.
Phase III of our program is now focusing on refining our
business continuity and zero day plans that we have developed.
This will ensure that we have clear processes to deal with
potential year 2000 induced problems and that we have
identified individual roles and responsibilities for
monitoring, evaluating and responding to year 2000 related
events across the Department.
As I mentioned earlier, phase I of our year 2000 program is
nearly 100 percent complete. During the course of our phase I
year 2000 activities, the Department has also focused
particular attention on the systems that protect the health and
safety of the public, our workers and the environment. As of
the 1st of October, all of our more than 540 health and safety-
related systems are either year 2000 compliant or year 2000
ready, and we will continue to focus close attention on these
systems. Furthermore, positive validation of the functionality
of all operational health and safety systems will be required
within 12 hours of the year 2000 transition to ensure the
continued safety of the public, our workers and the
environment.
Phase II of our year 2000 program is almost fully complete
as well. During phase II we focused on implementation of
additional risk reduction and mitigation measures to help
ensure that no departmental mission is compromised due to the
year 2000 transition. We have conducted external independent
verification and validation of the year 2000 remediation
efforts as well as end-to-end testing for all mission-critical
systems and health and safety-related systems with year 2000
date-related issues. I am pleased to report that external IV&V
and end-to-end testing activities are complete for more than 99
percent of these systems.
Phase II of our program also focused on developing business
continuity and zero day plans to ensure the continuation of our
core business processes in the event that year 2000 failures
occur. Due to the complexity and diversity of the Department's
missions and activities and the recognition that the year 2000
transition poses a unique risk for each site, the Department
required business continuity plans for each of our 42 sites.
Sites have exercised their contingency and continuity plans
during phase II of our program. Our first formal readiness
exercise was conducted on April 9th and resulted in lessons
learned and best practices on contingency plans. On September
8th and 9th, 42 sites participated in our second year 2000
exercise. Sites tested failure scenarios and their planned
response to year 2000 related events, rehearsed their zero day
procedures and tested the Department's procedures for reporting
year 2000 events to our headquarters. Sites reported that the
exercise was very helpful in evaluating contingency and
business continuity plans and shared with my office a
significant number of lessons learned.
We also sponsored two Department-wide workshops on business
and continuity planning in May and October to share our year
2000 lessons learned and best practices.
We are now implementing phase III of our program, which
involves refining our business continuity and zero day plans.
In our review of site and business continuity plans, we have
found that they have addressed many of the elements contained
in the General Accounting Office's day 1 planning guidance.
However, we recently received comments from the Office of
Management and Budget that our headquarters business continuity
plan had some weaknesses, in particular with respect to lack of
prioritization of key processes, inadequate discussion of our
cybersecurity efforts and insufficient detail on our procedures
and responsibilities during the rollover period.
I have reviewed the plan and concur with OMB's assessment.
Fortunately, with the solid foundation of contingency planning
already completed, these weaknesses can be corrected quickly. I
have directed actions to revise our headquarters business
continuity plan by November 12th and resubmit it to OMB.
However, even after November 12th, we will continue to
fine-tune our plans to reflect final staffing decisions and the
results of year 2000 preparation drills within the Department
and with the President's Information Coordination Center.
At the Department's headquarters our zero day procedures
include the coordination of the Department of Energy as well as
national and international energy sector year 2000 monitoring
and reporting activities. We have developed plans with the
electricity, oil and natural gas industries to receive reports
of year 2000 related events as well as to analyze potential
impacts of any disruptions, including potential cybersecurity
incidents.
Our Emergency Operations Center at the Forrestal Building
will operate as the year 2000 command center for the
collection, compilation and analysis and reporting of
departmental site and energy sector year 2000 status
information to the President's Information Coordination Center.
Since March 1999, my staff and I have visited more than 30
departmental sites to assess their progress toward implementing
OMB and departmental guidance, to assess the compliance of the
status of their systems and to share year 2000 best practices
and lessons learned. I can say firsthand that all of the
Department's employees are focused on year 2000 and continue to
work aggressively that we will have a successful and smooth
transition. In my opinion, each site is well-positioned to
manage the risk potential of year 2000 related failures. Final
efforts over the next 63 days will ensure that we will
effectively handle any year 2000 events regardless of source.
Secretary Richardson and I are proud of the Department's
efforts to ensure that 100 percent of our systems are year 2000
compliant, and we are confident in our planning efforts for the
year 2000 transition. Our focus and commitment will continue as
we complete our preparation efforts. I look forward to your
questions. Thank you.
Mrs. Morella. Thank you, Mr. Gilligan.
[The prepared statement of Mr. Gilligan follows:]
[GRAPHIC] [TIFF OMITTED]61119.051
[GRAPHIC] [TIFF OMITTED]61119.052
[GRAPHIC] [TIFF OMITTED]61119.053
[GRAPHIC] [TIFF OMITTED]61119.054
[GRAPHIC] [TIFF OMITTED]61119.055
[GRAPHIC] [TIFF OMITTED]61119.056
[GRAPHIC] [TIFF OMITTED]61119.057
[GRAPHIC] [TIFF OMITTED]61119.058
[GRAPHIC] [TIFF OMITTED]61119.059
Mrs. Morella. Now pleased to recognize Mr. Cosgrave.
Mr. Cosgrave. Thank you, Madam Chairwoman, and thank you,
Representative Turner. I'm very happy to be here today to
discuss the status of the Internal Revenue Service's Y2K
business continuity and contingency plans and day 1, or as we
refer to it, our end game plans. I'm joined to as well by Bob
Albicker, my deputy. Mr. Albicker along with myself and our
Commissioner Mr. Rossotti have all personally made this our No.
1 priority. I am also joined today by Mr. John Yost, who is our
full-time executive managing this program. This is a program
that he oversees consisting of approximately 100 people that
are directly in his program office, plus he directly oversees
the thousands of people in the Internal Revenue Service who
engage in Y2K activities on a daily basis.
In order to save time, I'll refer you to our general update
on the overall status of our program which is in my written
testimony, and I'll focus just on contingency planning and day
1 planning.
The IRS is taking every step it can to mitigate the risks
that are involved with the Y2K challenge. Two ways that the IRS
is a prepared to address risks are through business continuity
and contingency plans as well as day 1 plans. With respect to
contingency plans, the IRS has developed 40 individual
contingency plans that are aligned with the 40 most critical
business processes that outline the necessary procedures to
follow in the event any of our mission-critical tax-processing
systems suffers a major failure.
We followed the planning format suggested to us last year
by the General Accounting Office. We've completed testing all
but two of those plans and have addressed GAO's suggestions
from a recent review of those plans. These contingency plans
concentrate on those areas that have the greatest impact on
tax-processing activities in addition to areas that could be
particularly affected by the Y2K problem. Because of the
extensive renovation and testing work that we have performed,
we do not anticipate a major failure; however, we have
developed the necessary contingency plans, and we are ready in
the event they are needed.
These plans address such issues as preserving files and
data, how to handle personnel, and procedural issues and
delivery of service until computer systems are restored. I must
emphasize, however, that these plans do not provide replacement
computer systems for our existing computer systems, and instead
they rely on alternative manual processes. Because we have
performed extensive end-to-end testing, we believe that it is
highly unlikely that we will need to invoke such plans;
nevertheless, we have tested them and are prepared to implement
them if necessary.
As for day 1 or end game planning, the IRS has devised an
end game strategy that will guide our activities during the
critical rollover weekend of December 31st, 1999, through
January 2, 2000. The end game strategy builds on our current
information system problem reporting resolution process and
identifies specific validation checklists to be used during the
rollover weekend.
The plan also recognizes a unique problem facing the IRS.
This problem is a result of the annual startup of the filing
season, which this year occurs simultaneous with the millennium
rollover weekend.
To ensure maximum risk reduction, therefore, the IRS is
taking the following actions. No. 1, we are backing up and then
quiescing the systems beginning at 10 p.m. On December 29th,
1999. This means the systems will be turned on, but will not be
running business applications. On January 1, 2000, the systems
will be brought back up to their normal operating status, this
time updated with our filing season 2000 programs and validated
against quality control checklists prior to the first day of
business on January 3rd, 2000.
Second, we are ensuring that sites and systems are
operational before the first business day of the new year by
conducting a validation check of all systems end facilities at
over 500 different posts of duty.
Third, we are reporting any problems that are encountered
throughout the weekend through our existing problem reporting
channels. All our organizations will be required to affirm that
they have checked critical facilities and systems at their
sites to our year 2000 command center, which will serve as the
IRS nerve center during the rollover weekend. Reports will be
provided to the Commissioner, myself, Mr. Albicker, et cetera,
on a regular basis as well as to the Department of Treasury
every 4 hours during the rollover weekend.
Please keep in mind the successful rollover weekend is just
a small part, however, of meeting the Y2K challenge. Problems
for us may arise well into the new year impacting the filing
season. For example, our computers may generate erroneous
notices to taxpayers as late as March or April. However, we
have procedures in place to resolve any problems that arise,
including scanning for large erroneous dollar amounts and dates
specifying 1900. Additionally, the command center will continue
to operate through April 15th, 2000, or longer if necessary,
depending on the status of the filing season. We will rehearse
our rollover weekend plan on November 20th, 1999, to prepare
participants for this event and to fine-tune our end game
strategy.
In conclusion, we're confident the IRS will be capable of
fulfilling its mission in the year 2000 and beyond. While we
recognize that risks still exist, we believe we are taking the
necessary steps to address them. Thank you.
Mrs. Morella. Thank you, Mr. Cosgrave.
[The prepared statement of Mr. Cosgrave follows:]
[GRAPHIC] [TIFF OMITTED]61119.060
[GRAPHIC] [TIFF OMITTED]61119.061
[GRAPHIC] [TIFF OMITTED]61119.062
Mrs. Morella. I'm now pleased to recognize Mr. Lorentz of
the Postal Service.
Mr. Lorentz. Good morning, Chairwoman Morella and
Representative Turner. With me this morning are Nick Barranca,
who is the Vice President of Operations Planning, and Rick
Weirich, who is our Vice President of Information Systems and
our Chief Information Officer.
I'm pleased to report this morning that we have completed
all the technical work on our mission-critical systems,
including independent verification, testing, and implementation
of a system freeze.
We began testing our mail processing equipment in 1998 and
extended to other sites last year. In August, at our Merrifield
northern Virginia site, we started a 6-week test of critical
mail processing equipment. This equipment ran continuously in a
year 2000 calendar mode, in a live processing environment,
testing all equipment types and all mail types. This facility
handles 5 million pieces of mail a day, and we have experienced
no problems.
We have also created plans to protect against potential
disruptions of other systems and processes. We respond to
disruptions every day. In the last 2 weeks we've dealt with
Hurricane Irene in Florida and the Hector Mines earthquake in
Los Angeles. Locally, last year's storm in Montgomery County
left 48 of 60 Montgomery County delivery units that were
without power, and we delivered mail. I know in my home in
Bethesda, all 3 days that we were without power, I got normal
mail delivery even though I had to walk outside to read it.
Our business continuity plans and contingency plans are
building on our experience and formalizing our response to
disruption, both internal and external. Our continuity plans
deal with the external infrastructure. Our internal contingency
component plans deal with the infrastructure all the way from
timekeeping to mail processing. Our plans includes working with
customers, with other Federal agencies, and particularly with
agencies that deliver benefit payments to the American people.
We anticipate that some of the mailers may divert
electronic communications to hard copy mail. With that in mind,
we're holding the enlarged infrastructure that we normally put
in place for the holiday season, including staff,
transportation, and sorting capability, through January.
So what is day 1 going to look like for us? First of all,
it's going to be business as usual, but prepared for whatever
might occur. Robust day 1 plans are developed to preempt any
kind of problems. Systems are in place to identify, report,
track, resolve any Y2K issues.
To communicate internally, with customers, with employees
and with all stakeholders, we have emergency communication
capability. Our network operations center has been converted
into an internal ICC. Our national and field operations centers
will operate 24 by 7 to assess USPS status and provide resource
and decision support.
Our day 1 activities will also involve onsite participation
at the President's Council's Information Coordination Center
and Joint Public Information Center. At a recent meeting of the
President's Council on Year 2000, Chairman John Koskinen
recognized us as the early warning beacon. We are the only
organization that goes everywhere, every day, and we'll be very
happy to perform in that role.
Our plans have focused on Y2K as a business problem. And we
have three very simple goals: To protect our customers by
delivering the mail, to protect our employees' safety and pay;
and to protect our business by collecting the money due and
paying what we owe.
We also have a heightened awareness to security problems.
We have engaged reputable contractors with full security
background checks and clearances, and we are providing
instructions to the field to protect against any viruses. In a
forward-looking mode, we're also working with the President's
Council on cyber assurance issues. Protecting our work protects
America's mail.
We believe that the United States Postal Service is ready,
and I look forward to answering your questions.
Mrs. Morella. Thank you, Mr. Lorentz.
[The prepared statement of Mr. Lorentz follows:]
[GRAPHIC] [TIFF OMITTED]61119.063
[GRAPHIC] [TIFF OMITTED]61119.064
[GRAPHIC] [TIFF OMITTED]61119.065
[GRAPHIC] [TIFF OMITTED]61119.066
[GRAPHIC] [TIFF OMITTED]61119.067
Mrs. Morella. I won't ask you about whether those ponies
are ready. But it's interesting, as I scrutinized the panel,
that it was planned that we picked those five agencies that--I
don't mean to prioritize as the most important, but have the
greatest influence or effect on our American economy and our
Nation: Social Security, Department of Defense, Department of
Energy, Internal Revenue Service and the Postal Service. And I
appreciate your being here. I think I'll try to ask each of you
maybe one question and then see if it evolves into others.
First of all, as I mentioned, Mr. Dyer, I commend you on
having started looking to Y2K and what needed to be done back
in 1989. We have recognized your leadership in this regard. And
yet what if the computers fail; what specific plans does Social
Security Administration have to ensure that its millions of
recipients receive their Social Security checks? I mean, you
are very close to the people.
Mr. Dyer. We are, of course, concerned, and we are
committed to delivering those checks. The Supplemental Security
Income checks go out before the end of the year. They'll be
issued on Thursday. So they're before we turn over. The regular
Title II or Social Security checks, they go out on Monday. We
have worked very closely with the Federal Reserve, the
Department of Treasury and the Postal Service to assure that we
can get the direct deposit or the checks that go through mail
there on time. We're positioning the checks and the tapes in
advance. We worked through and tested it from beginning to end.
So we're very confident that the payments are going to go.
If, however, some areas, checks do not reach it, we have fall-
back plans. If it's with a financial institution with a direct
deposit, where the bank fails to be able to push through the
direct deposit, we would find another bank that could do the
direct deposit, and if not, we would work out how to get a
paper check to the individual.
If it's in terms of the paper checks, we're very confident
because we've worked out contingency plans with the Postal
Service, and, as you know, in hurricanes and other disasters,
we've always been able with the Postal Service to be right
there onsite and get the checks to the people.
Mrs. Morella. So we can tell the viewers, listeners, our
constituents, do not worry, the check is in the mail or you
will get the check.
Mr. Dyer. You will get your check, or you will get your
direct deposit in your bank.
Mrs. Morella. Exactly. And we will be continuing to watch
to make sure that that you can continue that way, and feel
confident that you will.
With regard to, Dr. Langston, the Department of Defense, it
really is--you're really the largest Federal entity in terms of
personnel and Y2K mission-critical systems. I think you have
like 37 percent of all the mission-critical systems are within
the Department of Defense. Consequently your mission-critical
contingency plans or your contingency plans for all of your
missions have got to be very detailed. I wonder how many
personnel that you're planning to have ready on December 31st
to implement the day 1 plan? And do you have any idea what the
cost might be to implement your day 1 plan? Have you estimated?
Mr. Langston. I thought about both of those questions when
you asked them earlier. In terms of our contingency planning
personnel operations, as I mentioned earlier, we are, of
course, on duty 24 hours a day, 7 days a week, around the
world. That operation is actually just being augmented by folks
that support the year 2000 systems. So in other words, we have
compiled detailed lists of technical experts or operational
experts that support any of the contingency plans; those names,
telephone numbers, all the contact points have been
established. We are establishing augmentation cells for the
year 2000 to support any of our normal watch stations or
command centers, if you will, in major command areas like our
unified commanders, and like our Pentagon command center, and
for the service command centers as well as the Joint Chiefs.
In terms of my--I do not have an actual number for you. My
estimate is that we're operating--we will be operating 5 to 10
percent more personnel in a duty--nonduty status than we
normally operate. In terms of how many--how much money we have
spent to support contingency planning, we, of course, continue
to report to OMB the expenditures for Y2K. Our most recent
report, I believe, specified that we will spend by the time
we're through with this transition phase about $3.6 billion on
the year 2000. My estimate, although I do not have this broken
out exactly in the reports, is that approximately 25 percent of
our effort has been toward consequence management, contingency
planning or preparation other than the remediation and testing
events that we have conducted.
Mrs. Morella. Do you think that money, that you could find
that within your budget?
Mr. Langston. Could we have found that money?
Mrs. Morella. Have you thought about finding that money
within the budget that's already been allocated?
Mr. Langston. Well, of that $3.6 billion, all of it was DOD
money with the exception of the $1.1 billion augmentation
budget that we were provided. We have been committed all along
to doing whatever we had to do to find the money to support
this. This has been Dr. Hamre and Secretary Cohen's No. 1
priority for the Department other than national security.
Mrs. Morella. So your financial planning has been done
satisfactorily up to this point.
Mr. Langston. Yes, ma'am.
Mrs. Morella. All right. I'm interested in how we connect
with Russia and what we are doing to help Russia. I know you've
got the command station that you mentioned in Colorado and in
the Denver area. When will that U.S.-Russia strategic command
be ready?
Mr. Langston. It's actually ready now. And as I mentioned,
we will have Russian people arriving on the 22nd of December
and staying in this operational sense through the 15th. We have
been conducting a series of meetings with Russia, both in
Russia and in the United States. The most recent meeting was on
the 18th through the 21st of October in Russia. And we will
continue to interact with them as much as possible to do
everything we can to prepare for this event.
Mrs. Morella. Have they been cooperating?
Mr. Langston. Yes, ma'am. They have been very cooperative
with the exception of the period of time through the Kosovo
operations when we were, for political reasons, stopped for
this activity.
Mrs. Morella. Do you have any interface with the other--as
they call them, the NIS, the newly emerging States? That would
be like Georgia, Armenia, Azerbaijan.
Mr. Langston. We have not had extra activity associated
with those folks. We have had a large host nation support
interaction ongoing. We cooperate and work with the State
Department on that, and we have also been working with all of
our NATO allies in support of their preparations for these
events. And our local base commanders, wherever they reside in
foreign countries, are working with those local organizations
to ensure the support or verify as much as possible how much
support we will get through this period of time. That has been
part of our host Nation support activity.
Mrs. Morella. You have a tremendous task, and I commend you
and want you to know that we really want to help whenever we
can and stay with it.
With regard to Mr. Gilligan and Energy, I'm curious. This
afternoon I'm going to be going to the Nuclear Regulatory
Commission for the swearing in of the new Director. And I'm
just wondering how do you, Department of Energy, coordinate
with the Nuclear Regulatory Commission to ensure that our
nuclear power plants will be ready for the year 2000? I know
that it's not within your jurisdiction, NRC specifically, but
your interconnection?
Mr. Gilligan. The Nuclear Regulatory Commission, as you
know, has the regulatory legal authority over the domestic
nuclear power plants, and so they have been issuing guidance,
and that guidance has been implemented within the plants. We
have been monitoring those activities through two means: One,
we have a relationship with the North American Electric
Reliability Council, NERC, which has been assigned domestically
for electricity and to coordinate the Y2K activities.
As the nuclear plants are part of our electricity
generators, they are being monitored through the reporting
activities, and those activities are then reported to us.
Second, we have established a relationship, we actually
have an ongoing relationship, with the Nuclear Regulatory
Commission. We have participation in their emergency operations
facilities, and we are continuing to track their progress, and
we expect that one of the key partnerships that we will have
during the rollover will be with their command centers, as well
as, we will have Nuclear Regulatory Commission participation at
our energy sector desk in the Information Coordination Center.
Mrs. Morella. I think you also said in your statement that
you have found that you are all 100 percent compliant?
Mr. Gilligan. For our mission-critical and health and
safety systems, that's correct.
Mrs. Morella. That's great. How about your liaison with
contractors, would you like to comment on that?
Mr. Gilligan. Sure. As you may know, the Department of
Energy is structured where we have very heavy reliance on
contractors. So of our roughly 120,000 employees, about 110,000
are contractors. And so we have an in-house, if you will, body
of contractors, and it has been those contractors that we rely
on day in and day out who have done the vast majority of our
Y2K remediation activities. We have brought in external
independent verification and validation contractors to help
oversee the process to ensure that we were getting objectivity,
and that's worked very well. We only have isolated incidents
where we have brought in new contractors for the purpose of
doing Y2K remediation at our sites.
Mrs. Morella. So you feel the selection of your validation
crew is adequate for total assurance that the contractors are
following through?
Mr. Gilligan. We believe that this was critical to our
process, because of the potential danger of a contractor who
does this work day in and day out potentially missing
something, that we require the external and independent
verification and validation. We defined a process for
conducting that. We defined a reporting process that went
through line management at each of our sites for each of our
mission-critical and health and safety systems. So this became
a very important part of our confidence building through the
line management chain that our remediation activities had been
done properly. And I'm pleased to report that we found very few
discrepancies or items of concern in our independent
verification and validation.
Mrs. Morella. I'm glad to hear that.
Mr. Turner's been very kind to let me continue to ask each
of you a question, then I'll turn to him.
And, Mr. Cosgrave, you knew--you knew we were coming to you
with regard to what I had posed to the first panel and that
letter that was written to Bill Archer on October 15th that you
reported that the quality of your computer systems' inventory
currently poses a high risk to the Y2K effort. You addressed it
a little bit in your statement, your oral statement. I just
wondered if you would give us an update of the status to
complete the inventory process. I wonder when it will be
completed, why did it take so long. I mean, were there some
glitches here that if could you go back you would have changed?
And how would you adequately plan contingencies in the event
of--given the fact that you're still determining the systems
that you now have, how would you adequately plan contingencies
in the event of a Y2K problem or failure?
Mr. Cosgrave. Thank you for asking the question. Let me try
to answer the questions. Let me try to hit them all. I need to
first explain some background on this.
Tracking inventory in a large enterprise such as the
Internal Revenue Service is a major problem for any large
enterprise. It's significantly more difficult for us because of
the highly decentralized nature of the way the Internal Revenue
Service has historically operated and, frankly, because of the
level of detail at which we are now trying to track this data.
Based on my 25 years of working in private industry, I
don't think the problem is different for anybody else on the
panel or anybody else in private industry. It is just made more
difficult at the IRS by the highly decentralized nature of our
operations. To give you an example of how complicated this is,
we have recognized this problem as a material weakness in the
Internal Revenue Service dating back to 1984. So it has been
recognized as a 15-year-old problem we still haven't been able
to solve.
Specifically for Y2K purposes we are tracking about 800,000
items in our inventory, 800,000. To give you an example, we
would track every PC, every piece of equipment, every piece of
software that is on that equipment, and for Y2K purposes we
have to track every release version of every piece of software
that's on every computer. So it gets extremely detailed when
you're up to 800,000 individual items.
However, maybe this is a good example of where Y2K has
finally given us the push to solve a long-standing problem. In
fact, prior to starting our Y2K program, we were probably in
many cases at best 50 percent accurate in our inventories. I
can report to you today that based on some of our most recent
tests, we're now over the 90 percent level. However, there
still are issues.
We have a three-step process in place right now to bring
this together and make sure it's in place not only for January
1st, but also for October 1st, which was a critical date for
establishing a year-end evaluation for the fiscal year for
financial purposes. So we're working both those problems
simultaneously for the financial records as well as for the Y2K
inventory.
We are addressing the problem now with three specific
actions. We're doing on-the-ground, wall-to-wall inventories in
all our computing centers, all our service centers and 11 of
our 33 districts. We, furthermore, are doing independent
verification and validation of those results here at the
national office for all our largest computers, our tier 1, tier
2 computers, and doing detailed comparisons between what's
recorded from the inventory and what we have actually on the
floor.
And then third, we have started the independent audit and
readiness verification, which is also going out to all our
computer centers, all our service centers, and, again, 13 of
the 33 districts, different ones this time, to essentially make
sure that we, in fact, can validate, get as close as 100
percent.
What's different now most importantly is that the CIO is
now 100 percent responsible for the inventory. That was not the
case prior to my arrival last July. The inventory
responsibility was a decentralized responsibility, and as a
result we were not able to adequately get our hands around
this. Longer term the solution to this problem will clearly be
automatic tracking, which we're in the process of implementing
so that, in fact, we can automatically record everything that's
on our network.
Mrs. Morella. Could--I know the people who are listening
and watching would like to know could IRS computer problems
result in more citizens being audited?
Mr. Cosgrave. I'm not sure that that would be a concern. I
think from the perspective of the individual person looking at
this testimony, I would think their major concern would be
probably around whether they're going to get their refund on
time. So we're implementing special processes, much like the
ones that Social Security described, to make sure that refund
checks are processed on a timely basis. Of course, our process
for sending out refunds would start toward the end of January
rather than the beginning of January. So we have a little more
ample time to make sure that everything is working properly.
But we go through exactly the same processes that SSA described
in working with FMS and the Postal Office to make sure that
those checks get distributed. So I think probably that is the
thing that your viewers would be most concerned about.
Mrs. Morella. Is there anything that the public should do
to protect themselves against possible IRS computer failure?
Mr. Cosgrave. What the public needs to do is what the tax
preparers would recommend they do every year, and that is keep
tax records at home. I mean, they will need tax records if, in
fact, they are summoned in for an examination, and therefore
they need to keep good, accurate records like they would any
other year.
Mrs. Morella. Thank you. I'm going to ask unanimous consent
that the letter from IRS sent to Chairman Archer be included in
the record. Without objection, it will be so ordered. Thank
you.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED]61119.068
[GRAPHIC] [TIFF OMITTED]61119.069
[GRAPHIC] [TIFF OMITTED]61119.070
[GRAPHIC] [TIFF OMITTED]61119.071
Mrs. Morella. Now for our Postal Service. At the hearing we
had back in February of this year, Mr. Lorentz, you stated that
the Postal Service's contingency plan was itself. And you kind
of implied that today, too; that is, there is no other
organization that can deliver mail in the event of unforeseen
computer failures. And you say that mail will be delivered. I
wonder who can deliver the mail in the event of unforeseen
computer problems? And what are your main contingency plan
risks, and what have you done then to mitigate your risks?
Mr. Lorentz. The answer to the first issue is that for our
own computer systems, we have focused on the severe and
critical systems. For severe and critical systems, 33 percent
of the functionality has already been tested with the fiscal
year turn. We have experienced no operational failures at all.
We've had 17 anomalies where the wrong data appeared on a
screen or perhaps printed on a piece of paper, but no
operational failures whatsoever in the system so far. And as I
mentioned previously, we have tested our mail processing
equipment in many locations under full volume, so we're very
confident that those systems have been mitigated. We are the
ultimate contingency.
So how will the mail be delivered? It wasn't too many years
ago that our sortation and delivery was done manually with
little mechanization. We have not forgotten those tool sets. I
think the major risk that we have that we've also addressed in
our continuity plans is loss of major infrastructure
capabilities, power, telecommunications, et cetera. We have
detailed plans in place to mitigate that. We do that as a
normal manner of course. We just did it in Florida. We just did
it in North Carolina. We had to do it in L.A. We're used to
working with without those capabilities. So we can do that just
like anyone else. If it was a more of a general failure, that
would be the highest risk.
Mrs. Morella. And you would probably take care of that by
manually making sure the mail is--.
Mr. Lorentz. Absolutely.
Mrs. Morella [continuing]. Delivered. I thank you.
I now would like to turn to the distinguished ranking
member, Mr. Turner, for his turn at any questioning or
statements.
Mr. Turner. Thank you, Madam Chairman.
You know, I've often wondered when we go through January
1st if we go through it with relatively minor disruption, if we
want to look back and wonder if we avoided one of the greatest
threats to our domestic tranquility and threats to national
security that we've ever experienced in this country, or
whether we'll look back and think, well, we dealt with one of
the most overstated, overstudied, overdiscussed problems that
cost us literally billions of dollars in both the public and
private sector.
I thought it would be helpful in terms of trying to allow
the general public to understand what all of this study, all
these contingency plans, all these validation efforts have been
about if I could ask each of you to give us an example of one
specific problem that you did discover, that you did fix, and
if you haven't fixed it, what would have been the significant
consequence of the failure to have discovered it and fixed it?
And I'll give you a little time to think about that. I have
a few other questions I want to address. I'll leave that for my
last question for each of you, because I think if we could come
up with a good example from each of you, it might help the
public understand what all this effort and expenditure was
really all about. You know, it's all well and good to hear
we're checking our systems, we validate, we know there's not
going to be a problem, but I think it's also helpful to know
what problem was really found and fixed.
One long-term consequence, I think, of the effort that
you've made that will have lasting value is in terms of our
national security. We all know that we talk a lot about the
threat of nuclear warfare, the threat of chemical warfare, the
threat of biological warfare. But we also know that at the end
of this century we also face the threat of cyber warfare. And I
want to address this question to Dr. Langston because I think
that it is important for us, having gone through the effort to
address the Y2K problem, that once we hopefully successfully
move through it, that we not take all of our contingency plans
and throw them in the wastebasket. But recognize that they do
perhaps have some long-term benefit in terms of being prepared
for the threat of cyber warfare.
Dr. Langston, if you would, just address the implications
of what you have done in the Department of Defense which would
obviously be directly related to the issue I raised as well as
what you might see as the benefits of the efforts that have
been made all across the public and private sector with regard
to preparation for cyber warfare.
Mr. Langston. Thank you sir for that question. We currently
operate, as I mentioned, with year 2000 as our highest priority
in the Department short of military operations, and we also
operate with cyber threat as our second highest priority for
everything that relates to the movement of information within
the Department. We have in this past year stood up what we call
a Joint Task Force for Computer Network Defense, which has now
been moved under the Unified Commander for CINC Space,
signifying the importance of this operation. In other words, we
believe that it is an operational four-star commander's
importance level, level of importance for supporting and
monitoring and preparing for computer network defense. That's
an indication that our operational forces have realized that
these computer networks are critical and integral part of all
our war-fighting operations, and they include, of course,
support operations, logistics, finance, personnel, as well as
direct military mission operations.
So therefore, we plan to continue on through the
preparation and development of cyber warfare defensive
measures. We posture and are working right now on what we call
an information assurance architecture, which is literally a
defense in-depth architecture that will allow us to specify for
all of our operational forces and systems how we want them to
use the technologies of today and the technologies that emerge
for information assurance.
In addition, we have already put policy in place--I'm
talking about policy signed out by Dr. Hamre, the Deputy
Secretary, to install key infrastructure. These are encrypted
certificates that will allow us to understand who it is that is
at the end of every computer transaction, both internal to our
Department and external to the Department, and to put these in
place in the next 3 years. And in addition, we have taken a
step to move toward using the new smart card technology, which
are literally credit cards with a chip in them, as a part of
this security network defense operation to allow these smart
card chips to become hardware stanchions of these encrypted
certificates to represent who we are.
So we take it all very seriously. We believe that the
pressure that has been applied through both the executive
branch and the congressional legislative branch for critical
infrastructure protection is vitally important to all of us.
And we work very hard with judicial department and State
Department and others to help put in place these efforts and
make them a major part of what we do.
Mr. Turner. It seems obvious to me that our technological
superiority which has caused us to be the world's greatest
military force perhaps is also our greatest vulnerability.
What about my suggestion that the other agencies of
government and perhaps the private sector are not simply
putting all of their plans in the wastebasket, but remember
that there is an ongoing national security threat to all of us
that perhaps those plans would be useful in preparing for?
Mr. Langston. Thank you for reminding me of that question.
I meant to suggest as we went through our--what I call our
chairman's contingency assessment where we took major systems
off line from our operational forces, in every one of those
events, the unified commanders came back and said to the
chairman, this was a very useful exercise, it was money and
energy well spent. It allowed us to update our contingency
plans, and it reminded us that we need to refine and continue
to exercise those plans.
We, of course, in the military have always had contingency
plans and always had back-up plans for everything we do. But
like any organization, it's easy to not exercise them as often
as you might need to given the press of ongoing business. So we
plan to continue to use the contingency plans as an operation.
And, in fact, working with the GAO and recent legislation in
the appropriations bill, we plan to follow on with our year
2000 data base to support the tracking of these information
systems and the evolution of this entire information assurance
architecture that I suggested.
Mr. Turner. Let me ask the question that I posed at the
outset, and starting with Mr. Dyer, could you cite for us one
problem that was discovered that you fixed and share with us
the consequence that may have resulted had you failed to fix
it? When we started out this effort many months, years ago, we
all heard there wasn't enough computer programmers available to
fix all these problems. Some months ago we asked at one hearing
whether or not that was still the case, and we learned that
really wasn't a real problem. So, obviously we've been able to
cope thus far with the available personnel. I still assume that
it took many man-hours of computer programmers to check out
these systems, and in the process they found some things that
they fixed. If you would, Mr. Dyer, give us a good example from
your agency of something you found and fixed.
Mr. Dyer. As Madam Chairwoman said, we started back in
1989, so we've had a long time to do it. As we've been updating
software over the years, we've been continuously doing it. I'll
give you the major problems that would have happened. If the
software was not adjusted, when the software ran, the computers
would get the dates and everything confused; which would have
meant that the calculations for what our beneficiaries would
have been paid for the month would be all wrong and, on top of
that, would probably stop the messages from going through to
actually print out the checks and send the direct deposits.
In terms of very small kinds of things, as we went through
telecommunications systems and looked at them, what would have
happened is that certain data that we would have been
transmitting over satellites to move various things around the
country would just not have happened.
Mr. Turner. Dr. Langston, without breaching national
security or revealing anything that might be top secret, could
you give us an example of something that was found and fixed
and the consequence of failure to do so?
Mr. Langston. Yes, sir. An indication of how critical this
has become for us is that many people in the early days of the
year 2000 problem dismissed it as not a very significant or
real problem. And as each of our folks, including our very
senior managers and leaders, have gotten involved with it, they
have all been very--become very serious about the importance of
it as they've discovered what kinds of examples have come
forward.
Let me just give you a couple of examples. In our finance
and accounting systems, we have found that we would not have
been able to move money between ourselves and our vendors our
through the financial system, and we would not have been able
to make payment to our retirees without fixing those systems.
In our medical equipment systems, we have found many
examples of where we would have not been able to support the
medical records or even the medical processes that distributed
medical activity to the medical recipients. In a very vivid
example, our communications switches, which are commercial
switches, but which we purchase over long periods of time,
often don't keep them up to date with the latest changes in the
commercial switch market. We found over 120 switches that would
have gone down during the Y2K period of time and literally
taken down all of our telephones within the Department and
therefore rendered us virtually without communications to
support anything we've done.
And even in the weapons systems area, we have weapons
planning systems that support the distribution of plans out to
our weapons platforms, and there were Y2K problems in those
systems that would have created a need for contingency backups.
Mr. Turner. Thank you. Mr. Gilligan.
Mr. Gilligan. As you know, the Department of Energy has a
range of missions, from nuclear missions to academic oriented
research. The example that I would like to discuss is at one of
our nuclear waste processing plants at our Savannah River site
in Aiken, SC. We have a series of systems that are
interconnected that provide for processing and treatment of
nuclear waste, high level nuclear waste products,
containerizing them and shipping them. In the course of the
analysis and the inventorying of those systems, we found that
many of the embedded processor chips that were involved with
the process control of moving the waste from one station to
another, as well as those computers that monitored the exhaust
stacks for possible increased levels of radiation, had Y2K
related problems.
Those were, in many cases, easily fixed. In some cases,
they redesigned new special-purpose computers in order to be
able to fix the problems. And so--and those systems then were
installed. They had to be installed during downtimes of the
process so they would not disrupt operations. Now, many would
fear that a possible Y2K failure would result in a nuclear
accident.
That is not, in fact, the case. In all of those
circumstances, what would have happened if we had not repaired
those systems is that the processor would have failed, would
have triggered automatic shut-down procedures. But the
automatic shut-down procedures, while they protect against any
nuclear release of contamination, they do cost money because we
would have an approximately $3 million a day impact in cost of
lost opportunity if, in fact, those systems had not been
prepared. That is an example where obviously there is high
visibility because of the nuclear processing. We felt
confident, even though these problems existed, they would not
have caused a health and safety consequence; but they would
have had a fairly significant financial impact if we had not
repaired them prior to January 1st.
Mr. Turner. Thank you. Mr. Cosgrave.
Mr. Cosgrave. Mr. Turner, if I may, I would like to give
you three quick examples, all stemming, frankly, from the
neglect that allowed us to have an antiquated infrastructure
that hadn't been addressed in a long time.
The first example, probably the most important, is we have
replaced the entire submissions and remittent processing system
that operates in our service centers for processing the tax
returns when they come in. The system was, in many cases, 15-
and 20-year-old hardware that, frankly, we couldn't even get
replacement parts that were Y2K compliant to meet the needs. So
we had no choice but to replace that entire system with modern
technology. So we literally would not have been able to process
tax returns.
The second example is with respect to security. We have
been running a fairly old security environment that was
decentralized like many things at the IRS, and it was very
clear that we needed to bring that up to speed and up to date.
So we have made a major improvement in our security environment
as a result of the Y2K effort.
The third example, and probably the most dramatic to people
listening in, is that when our revenue agents went out and
visited taxpayers, they were often embarrassed because they
were carrying with them either a PC that was of 286- or 386-
type vintage. If you don't follow the Intel market, they were
issued back in the early 1980's. Quite honestly, that is not
adequate given what they are facing when they deal with the
taxpayers today who quite often have much more sophisticated
technology. So we have replaced all of those PCs with modern
Pentium computers and now at least are on an even par with the
taxpayers.
Mr. Turner. Thank you. Dr. Lorentz.
Mr. Lorentz. I guess I would answer the question two ways.
The two specific examples I would give are: First of all, we
identified an accounts payable problem, one that if it hadn't
been identified, if the process hadn't pointed it out to us,
would have resulted in late or no payments at all going to some
of our suppliers.
The second example is our air dispatch system. In that
case, we have an automated system that literally takes the mail
once it has been sorted and prepared and dispatches it to
aircraft. A substantial portion of the mail is airborne now. So
it would have given us an inability to do that in a mechanized
way.
Those were two significant areas that were very
constructive. The second answer to the question is that this
has caused us to put process discipline in our business and we
now have business owners of these issues, not just technology
owners. So we literally have--we are going to leverage this in
how we look at security.
Security is not a chief technology officer issue. It is a
business issue. To give you an example in a more pedestrian
way, we had the best close of our financial books that we have
had in recent memory because we had significant configuration
management in place. So the discipline that has been caused by
going through Y2K preparation, as well as the retirement of
unneeded systems, has given us a positive outcome.
Mr. Turner. Thank you. I must say that listening to all of
you, the direct and secondary benefits of the efforts seem to
be very apparent. Thank you, Mr. Chairman.
Mrs. Morella. Thank you, Mr. Turner. Following up on the
questions that you asked, I thought that was excellent, did any
of you have any trouble with 9-9-99? Can we just very quickly,
did you have any trouble?
Mr. Langston. No, ma'am; but I would point out that in our
testing efforts, we have found as many problems in the leap
year rollover period which will occur the end of February as we
have in the Y2K period, the rollover date.
Mrs. Morella. So you are preparing for that. I think that
we all should--.
Mr. Langston. That is why our transition period includes
that.
Mrs. Morella. Mr. Gilligan.
Mr. Gilligan. We had no problems on the 9th of September.
We did, in fact though, have one system at the beginning of our
fiscal year of October 1st that experienced a failure. This was
a failure of a subportion of our procurement data tracking
system. It was fixed within about a half hour, and the
transactions were rerun and the permanent fix was done within
about 24 hours. But it did give us clear indication that we
need to have processes in place to be able to respond.
Mrs. Morella. OK. Mr. Cosgrave.
Mr. Cosgrave. Our experience was very similar to what the
Department of Defense is experiencing. I would reiterate the
leap-year problem because we are focused on that as part of our
testing as well.
Mr. Lorentz. Not to our knowledge we didn't have any 9-9-99
problems. We did have a couple of cases where we printed the
wrong dates, but it didn't do anything to the internal code.
Mrs. Morella. Several of you have already commented on the
information computer security problem. Not only is it enormous
with DOD, but obviously very important with all of you. I just
wondered if you are taking precautions. Now, I heard what you
said that is being done, Dr. Lorentz. You talked a little bit
about it, Mr. Cosgrave. I wondered if the others might want to
comment. Are you taking any precautions for this day 1 plan in
terms of the information technology security?
Mr. Dyer. We are quite concerned about security. We are
going to be doing extra monitoring of all of our systems. We
have a special team in place to concentrate totally on all of
the security issues.
Mrs. Morella. Mr. Gilligan.
Mr. Gilligan. We have an organization called the Computer
Incident Advisory Capability that is co-located at Lawrence
Livermore Laboratory. They are our cyber-security investigation
and response cell. They will be active as will their points of
contact at all of our sites. We have established reporting
procedures. They will be part of our emergency operations
center contingent active through this rollover period.
Mr. Lorentz. We have put in place all of the industry
standard firewalls and virus protection on our case-hardened
side. We have given specific special instructions to the field
on what to look for in the intervention of viruses. The
additional area that we are looking at both as far as the day 1
as well as the future, is more e-commerce exposure.
We have, so far, issued 150,000 digital certificates for
the online stamp capability. We see potential exposure
certainly in e-commerce along with everybody else. We are
especially monitoring those aspects of the business. We are
also participating in the cyber assurance effort as part of the
Y2K council in partnership with other agencies.
Mrs. Morella. Thank you. I think you have all done a great
job of sharing the experiences looking back, looking ahead, but
more needs to be done of your agencies. I want to announce
that--do you have any other questions or comments?
Mr. Turner. No.
Mrs. Morella. It has been an excellent hearing. Please note
that all of the members of the subcommittee again will get the
full testimony. We would like your permission to be able to
submit any further questioning to you from ourselves and other
members of the subcommittee.
I am going to ask unanimous consent that Chairman Horn's
opening statement be included in the record. If no objection,
it will be so ordered.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED]61119.072
[GRAPHIC] [TIFF OMITTED]61119.073
Mrs. Morella. The next hearing of the House Y2K working
group is going to be held next Thursday, November 4. It will be
at 2 o'clock in the afternoon, room 2318 of this building. The
hearing is going to be entitled ``Y2K Myths and Realties; What
Every American Needs to Know in the Remaining 50 days.'' it is
now count down 63 today, but it will be 50 at that time. The
hearing is designated to be the culmination of our over 3\1/2\
years and over 100 congressional hearings on the Y2K computer
glitch.
I just want to thank the following people who have been
involved in some way in putting this hearing together: The
majority staff of the Government Reform Committee: J. Russell
George, staff director and chief counsel; Matt Ryan, senior
policy advisor; Bonnie Heald, the communications director and
professional staff member; Chip Ahlswede, clerk; Rob Singer
staff assistant; P.J. Caceres, an intern; Deborah Oppenheim, an
intern; the Technology Subcommittee: Jeff Grove, staff
director; Ben Wu, professional staff member; Joe Sullivan,
staff assistant; minority staff of Government Reform: Trey
Henderson, minority counsel; Jean Gosa, staff assistant; of the
Technology Subcommittee minority staff: Michael Quear,
professional staff assistant; Marty Ralston, staff assistant;
the court reporters: Cindy Sebo and Randy Sandefer who has come
on the scene here, too.
And so I thank all of them. I want to thank Congressman
Turner for being with us for the entire hearing. I want very
much to thank both of our panels. We appreciate it very much.
Thank you very much.
The subcommittee is now adjourned.
[Whereupon, at 12:12 p.m., the subcommittee was adjourned.]
-
�