Feds not IDing key systems for Y2K fixes, GAO says

Although the Clinton administration has directed agencies to focus on fixing mission-critical systems for the Year 2000 bug, many agencies still have not identified what systems are mission critical, a top General Accounting Office official said this month.

Since February 1997, the Office of Management and Budget has required agencies to prioritize their Year 2000 fixes to systems that are most critical to core operations. Soon after OMB issued its guidance, GAO supported OMB's policy.But some agencies still have not identified mission-critical systems, which has put Year 2000 efforts far behind schedule, Joel Willemssen, GAO director for civil agencies information systems, told an audience gathered in Washington, D.C., for the E-Gov 98 conference.

Priority-setting becomes increasingly important as time for fixing the Year 2000 problem runs short, Willemssen said. Fewer than 530 days remain until the Year 2000. "We've been acknowledging now for some time...there is not enough time to get everything done," he said.

Willemssen did not identify which federal agencies had yet to identify all mission-critical systems.

Bruce Webster, chairman of the Washington, D.C., Year 2000 Group, said prioritization is "absolutely essential," even if agencies are trying to fix everything. In particular, agencies will have to decide their priorities before they can prepare contingency plans for carrying out their missions in the event their computer systems do indeed fail on Jan. 1, 2000."Some agencies do have a better handle on which systems are mission critical and which are not," said Olga Grkavac, senior vice president of the Information Technology Association of America's Systems Integration Division. "Certainly, it is clear that reassessment of what are critical systems is ongoing, since in the latest [OMB] report some agencies continue to reduce the number of those that are classified as mission critical."

In OMB's Year 2000 quarterly report released in May, agencies identified about 6,500 computer systems as mission-critical, compared to more than 6,800 mission-critical systems in the previous quarter.

Not all agencies, however, are narrowing their definition of mission-critical systems. The Department of Veterans Affairs, for example, has consistently reported to OMB that it has 11 mission-critical "business areas" encompassing about 400 applications, said Ernesto Castro, the VA's Year 2000 program manager. The VA has fixed the Year 2000 problem in about 60 percent of its systems and has put those systems back into regular operation, Castro said.

He said the VA is focused on fixing the Year 2000 problem in all its systems by March 1999, but he explained the agency has prioritized the systems, although not by categorizing them as mission critical or non-mission critical.Willemssen also said he has urged the Clinton administration to appoint someone to oversee the mission-critical systems that interact with more than one agency, such as those systems at the U.S. Treasury Financial Management Service, which process checks for federal employees and for Social Security recipients.

"If they haven't dealt with data exchanges, all that good work could go for naught," Willemssen said. "We need somebody to be in charge of a particular mission-critical business process across government."

Grkavac agreed. "I have long been frustrated that the federal agencies have not placed more importance on interface testing," she said.