STATEMENT OF
JACOB J. LEW
DIRECTOR
OFFICE OF MANAGEMENT AND BUDGET
BEFORE THE
COMMITTEE ON APPROPRIATIONS
AND THE SENATE SPECIAL COMMITTEE ON THE
YEAR 2000 TECHNOLOGY PROBLEM

June 22, 1999

Good morning, Chairman Stevens, Chairman Bennett, Senator Byrd, and Senator Dodd. I am pleased to appear before the Committees to discuss the Federal Government's progress in addressing one of the most complex management challenges it has ever faced, the year 2000 problem. The Federal Government is not alone in addressing this challenge, as the Senate wisely recognized last year when it formed the Senate Special Committee on the Year 2000 Technology Problem. This is a problem with potentially enormous implications for our Nation. Every sector of our economy and all organizations large and small must work together so that we can, as the President said in his State of the Union Address, make sure that the Y2K computer bug will be remembered as the last headache of the 20th century, not the first crisis of the 21st.

Today, I would like to address three topics. First, I will describe Federal progress in addressing the Y2K challenge. Second, I will discuss Federal agency costs and funding for these efforts. Third, I will describe our next steps to assure that Federal programs that people depend upon will not be disrupted. These next steps include focusing on completion of individual systems, ensuring the readiness of Federal programs, and completion of business continuity and contingency plans.

FEDERAL PROGRESS

As you know, the Federal Government has been working for more than three years on this problem. Last week I sent to Congress OMB's ninth quarterly report on Federal agency progress in addressing the Year 2000 problem. That report shows that Federal agencies continue to make excellent progress in addressing this challenge. In particular, it shows that 93 percent of the Federal Government's mission critical systems are now compliant, an increase from 79 percent reported in February.

Fourteen of the 24 major Federal departments and agencies now report that 100 percent of their mission critical systems are Y2K compliant. These agencies are: the Departments of Education, Housing and Urban Development, Interior, Labor, State, and Veterans Affairs; the Environmental Protection Agency, the Federal Emergency Management Agency, the General Services Administration, the National Science Foundation, the Nuclear Regulatory Commission, the Office of Personnel Management, the Social Security Administration, and the Small Business Administration.

In addition, two agencies, Commerce and NASA, report that 99 percent of their mission critical systems are compliant and that they expect to be finished soon. Three agencies, the Departments of Agriculture, Energy, and Health and Human Services, are between 96 and 97 percent compliant. Four agencies report that between 90 and 94 percent of their mission critical systems are compliant, including the Departments of Justice and Transportation at 92 percent. The Department of Defense reports that 87 percent of its systems are compliant, while the U.S. Agency for International Development has completed implementation of three of its seven mission critical systems.

From a base of 6,190 mission critical systems at this time, 410 mission critical systems remain to be finished, down from 1,354 in the last report. The compliant systems include those that have been repaired or replaced as well as systems that were already compliant. Of the mission critical systems that remain to be finished, 87 (82 percent) are being repaired, 35 (10 percent) are being replaced, and 24 (eight percent) are being retired. We are monitoring the completion of each remaining system through monthly reports from the agencies.

This progress is a tribute to the hard, skillful, and dedicated work of thousands of Federal employees and contractors. Moreover, the rapid availability of funds through the contingent emergency reserve has been key to ensuring progress. I would like to thank the Committees for ensuring that Federal agencies will not fail to meet the Year 2000 deadline because of lack of adequate funding.

While much work remains to be done, we fully expect that all of the Government's mission critical systems will be Y2K compliant before January 1, 2000. For some time, fixing the Year 2000 problem has been the agencies' number one information technology (IT) priority, as other IT projects are being delayed until the Y2K work is done. This action has been managed throughout OMB's budget process.

Additionally, agencies are minimizing any kind of changes to their systems unrelated to Y2K in order to ensure that they will be able to maintain the schedules they have set for completion of their work. Changes not only divert resources from fixing the Y2K problem, but may also undo Y2K fixes. Based on guidance I issued on May 14, 1999, "Minimizing Regulatory and Information Technology Requirements," (M-99-17), agencies are using change management processes to ensure that new IT requirements or changes to IT systems are minimized.

Again, this effort will ensure that agencies set realistic goals for the completion of their work and will enable them -- and us -- to measure their progress against their own goals. Agencies are working hard to finish fixing their systems, and we are confident that every mission critical system will be ready for the year 2000.

Y2K COSTS AND FUNDING

First and foremost, I want to recognize that the transition into the Year 2000 has posed a unique challenge. Formulating the Federal response has required a great deal of attention, hard work, and flexibility. In advance of my more detailed comments on this subject, let me thank you for all of your work and leadership in helping to ensure that sufficient funds are available in a timely manner to address Y2K remediation. As we have scrutinized agency requests and funded the most critical ones, the utility of this funding mechanism has been proven many times. Simply put, without such a fund, many Federal agencies would not be nearly as far along in their efforts as they are today.

I would also like to emphasize that the Administration's strategy for monitoring Government-wide progress on Y2K has been predicated on agency accountability. We have systematically monitored agency progress using a range of performance measures -- compliance of mission critical systems, status of mission critical systems being repaired, progress on high impact programs, etc., as well as agency Y2K cost estimates. These measures are linked, and together provide the most accurate picture of the Government's overall readiness. On a quarterly basis (or more frequently, if needed), agencies have been required to update OMB on their Y2K progress and to explain all significant changes in these measures.

We have tried to strike the appropriate balance to ensure agency accountability without diverting vital resources from Y2K compliance activities to reporting requirements. In addition, the Administration has tried to be as forthright as possible in sharing information about Y2K readiness. OMB has directed that agency quarterly reports and detailed spending plans be forwarded to Congress, and we have appreciated your input as we have worked together to address the challenge posed by Y2K.

As you know, last September the Administration requested an FY 1998 supplemental appropriation for $3.25 billion in contingent emergency funding to address urgent, emerging needs associated with Y2K conversion activities. This request was consistent with Senate action to that point. The Omnibus bill provided contingent emergency funding of $2.25 billion for non-defense activities and $1.1 billion for defense-related activities for Y2K computer conversion. As you also know, OMB is responsible for allocating the non-defense contingent emergency reserve. To date, $1.768 billion has been allocated from the non-defense reserve, and $14 million has been returned to the reserve at the request of the House Appropriations Committee. Therefore, $496 remains in reserve for unforeseen requirements. Of the $1.1 billion provided for defense-related activities, $935 million has been released and $165 remains in reserve.

In order to determine how to best utilize all available non-defense funding for Y2K -- both base appropriations and emergency funding -- OMB has worked with agencies on an ongoing basis to evaluate total Y2K requirements. First, OMB made certain that agencies received funding for activities that were requested in the President's FY 1999 Budget, but were directed to be funded from the contingent emergency reserve. Since then, agencies have been asked to forward requests for contingent emergency funding on an as-needed basis. These requests are then reviewed by OMB examiners from both the Resource Management Offices (RMOs) - liaisons to the individual agencies - and analysts from our Information Policy and Technology Branch. In combination, they review these requests to ensure that requested funding is:

In some cases, funds have also been requested to support outreach to non-Federal entities in support of the efforts of the President's Council on Year 2000 Conversion.

Once reviewed and discussed with the affected agency, OMB staff make recommendations to OMB policy officials. These levels are then finalized and included in an emergency release. As you know, pursuant to last Omnibus Act, detailed information on each affected agency's spending plan, as well as an account-by-account breakdown of the request as a whole, is provided to your and other Committees. The funds in the release are not made available to the agencies until 15 days after the transmittal.

Once the funds are allocated, each Resource Management Office has been tasked with tracking the Y2K-related expenditures for the agencies it oversees, including emergency expenditures. At a minimum, the RMOs review the agency quarterly report to confirm that appropriate progress is being made and that the each agency can cogently explain its cost levels and cost changes. Then, depending on an agency's status, RMOs have used different methods to track Y2K-related spending. All agencies that have received emergency funding have forwarded data on obligations to date to their RMOs. This data has informed our consideration of subsequent emergency requests, and has resulted in several reprogramming requests rather than additional releases. For example, in the Department of Health and Human Services, we recently reprogrammed funds from HCFA to the Administration for Children and Families. More reprogramming actions may be forthcoming as agencies further refine their estimates for FY 1999 and 2000.

In addition, some RMOs monitor Y2K-related obligations and/or outlays on a more regular basis, and require detailed information on the expenditure of both base and emergency resources. Finally, because of their unique period of availability (FY 1999 - FY 2001), emergency funds are very transparent in terms of budget execution. The RMOs have been given discretion in terms of treatment of both base and emergency funds in the apportionment process, as is OMB's general policy.

Your Committees have asked me to focus on the cost increases since the 1st OMB Y2K Quarterly Report, which was issued February 1997. In that report, the five year (FYs 1996 - 2000) Federal cost of Y2K was reported estimated at $2.3 billion. However, it is now clear that in the first quarterly report, we were not fully aware of the magnitude of the year 2000 problem. Initially, it was thought that fixing the problem would primarily involve mainframe computers and legacy applications.

However, as we and others learned in the course or remediation, the problem was far more complex, involving desktop personal computers, embedded chips, and telecommunications components. Cost increases from the 1st to 4th OMB Quarterly Report (through March 1998), totaling $2.4 billion, resulted from a better understanding of the scope of the problem and increasing agency attention on the cost estimates. It is important to note that until FY 1999 agencies funded their year 2000 costs exclusively out of base appropriations. Prior to the availability of emergency funding, all costs increases were absorbed within agency operating budgets.

Since the broader universe of Y2K remediation was clearly established, costs have remained within a more predictable band. From the 4th OMB Quarterly Report (March 1998) to the 9th OMB Quarterly Report (June 1999), costs reported for FYs 1996 - 1998 changed by $164 million, or 4.7 percent of the three-year total. Of this, estimates for Defense have changed by $128 million, or 3.6 percent of the three-year total. Since last March, then, cost estimates for non-defense agencies for FYs 1996 - 1998 for have changed by a little more than one percent.

The increase in FY 1999 funding, $2.8 billion between the 4th and 9th OMB Quarterly Reports, has supported activities that have been subjected to the rigorous policy review that I have discussed. Most of the cost increases can be attributed to specific activities: remediation for information technology systems, testing to ensure that systems are Y2K compliant, replacement of embedded computer chips, and creation and verification of BCCPs. I am confident that this funding has helped to ensure that important Federal programs will have a smooth transition into the year 2000. FY 2000 costs, which have increased by $509 million over the same period, are primarily for Y2K project offices to manage and monitor the transition into 2000, as well as for retesting and recertifying contingency plans. The details of agency spending plans continue to be made available for your review as this process moves forward.

I would now like to turn to another issue that I have been asked to address: the difference between agency estimates and actual costs. I believe that this question stems from the cost table in each OMB Quarterly Report. In that table, past years (FYs 1996 - 1998) are characterized as estimates even though, as you know, the budgetary data for those years reflects actual expenditures. With OMB's approval, agencies have refined the universe of Y2K-related costs since FY 1996. As an activity is added to the Y2K universe, we want to make certain that we are capturing the five-year cost of that activity. For example, a Department may not have reported embedded chip replacement as part of their initial Y2K estimate. However, they later received guidance to so. In such a case, OMB has worked with the Department to verify that the multi-year cost of embedded chip replacement was being reported. If this required changing an estimate in a past fiscal year, agencies did so with OMB approval. At the same time, future year estimates may have been adjusted to account for newly recognized activities. Thus, although the budget data for FYs 1996 - 1998 are actuals, since recognition of the scope of the Y2K problem has changed over time, OMB has not asked for or characterized costs for those years as actuals.

Another component of this issue is that Y2K-related expenses can be aggregated at a level below or above budget accounts. Y2K-related expenses are embedded in broader operating budgets. We have worked to ensure that we are capturing Y2K-related costs and that agencies are making defensible and standardized assumptions about these costs. Conversely, we are trying to filter out activities that were wholly planned for and would have been implemented regardless of Y2K.

NEXT STEPS

As I stated earlier, now that most of the work on fixing mission critical systems is completed, OMB will shift its focus from aggregate figures for system readiness to ensuring the readiness of individual systems. In addition, OMB and the agencies are beginning to focus on two new priorities.

Ensuring the Readiness of Federal Programs

While we have made excellent progress in preparing our systems, we are not yet done. We must make sure that Federal programs, particularly those that have a direct and immediate affect on the health, safety, and well-being of the public, function smoothly. As I have just related to you, we are confident that critical systems will be ready. But because Federal programs partner with other entities, including other Federal agencies; State, Tribal, and local governments; banks; contractors; vendors; and other entities; it is critically important to ensure that all partners are working together to ensure that the program they support will be ready. The critical task is to make sure that not just systems, but the programs they support, will be ready.

Accordingly, on March 26, 1999, I asked agencies to take this next step. I also identified 42 "high impact" Federally supported programs and directed Federal agencies to take the lead on working with other Federal agencies, State, Tribal, and local governments, contractors, banks, and others to ensure that programs critical to public health, safety, and well-being will provide uninterrupted services. Examples include Medicare and Unemployment Insurance. The list was subsequently revised to include the National Crime Information Center at the Department of Justice, bringing the total to 43.

Agencies have also been asked to help partners develop year 2000 plans if they have not already done so to ensure that these programs will operate effectively. Such plans are to include end-to-end testing, developing complementary business continuity and contingency plans, and sharing key information on readiness with partner organizations and with the public. Agencies are reporting to us monthly and will demonstrate the readiness of each program by September 30, 1999. A table of the programs, including the partners agencies are working with is included last week's quarterly report.

Business Continuity and Contingency Planning

Although we expect all Federal mission critical systems to be ready by January 1, 2000, and although we are prepared to demonstrate the readiness of a number of critical programs, it is still important that every agency, no matter how well prepared, have a business continuity and contingency plan (BCCP) in place.

Agencies have identified their core business functions and are using these as a basis for developing business continuity and contingency plans, which will ensure that these core business functions will operate smoothly, no matter what glitch may occur in an agencies' systems or with an agencies' partners. While we are confident that the measures taken for Y2K compliance are sound, the chance remains that, despite testing, a bug may still slip through. Furthermore, elements beyond an agency's control are at risk from the Y2K problem as well. For example, bad data from a data exchange partner or the inability of a vendor to provide key supplies could disrupt work at an agency.

Let me make it clear that we do not anticipate any disastrous consequences as a result of year 2000 computer problems in Federal systems. It is possible, and even likely in some situations, that there will be glitches in systems that result in minor disruptions to the ways that agencies operate. Accordingly, for each core business function and its associated systems, agencies have identified risk factors, and assigned them a probability rating as well as an impact rating. The agencies use these ratings to prioritize functions and systems. Work-arounds and back-up plans are established as contingencies.

Although we do not expect any disasters, it is always wise to prepare for the worst. Since the 1970s, agencies have been required to have in place Continuity of Operations plans (COOP plans), to address such emergencies. In the event of a disaster, whether related to Y2K or to a national emergency, such as a terrorist attack or regional weather emergency such as a tornado or violent snowstorm, agencies are using their COOP plans to ensure that the agency will continue to function. I also asked agencies to ensure that the development of their BCCP was coordinated with pending revisions to each agency's COOP plan. Again, although we do not expect any kind of Y2K disaster, agencies are developing plans, in coordination with their BCCPs, to address this contingency.

On May 13, 1999, I issued guidance on this subject, "Business Continuity and Contingency Planning for the Year 2000," (M99-16). This memorandum asked all agencies, including small and independent agencies, to submit to OMB by June 15 their business continuity and contingency plans (BCCPs). This memorandum also identified a number of infrastructure areas for which agencies should make common assumptions, such as electric power, financial services, and public voice and data communications. This common assumption is that there will be no nation-wide disruptions within these infrastructure services.

By setting these risk areas aside from agencies' business continuity and contingency planning, agencies are able to focus on ensuring that their core business functions and affiliated systems will work. In the extremely unlikely event that a catastrophic emergency occurs that damages local infrastructure, communications, or the agency building itself -- whether caused by Y2K, or by a natural disaste

On the international side, the State Department is leading a working group of those agencies with employees overseas in order to develop risk assumptions and appropriate responses, to be used in the development and refinement of those programs' BCCPs.

BCCPs are an increasingly important component of agency progress. Like a good insurance policy, a sound plan is important, no matter how well you have taken care of your systems. To ensure quality and consistency, I have directed agencies to use the General Accounting Office's (GAO) guidance on this subject in preparing their plans. Additionally, many agencies are working closely with their Inspectors General and/or expert contractors in the development and testing of these plans. Finally, OMB is reviewing the high-level BCCPs of agencies, which were due June 15, and will provide feedback and guidance to the agencies on an individual basis.

Prepayment

As part of their contingency planning, some agencies have explored the possibility of making some payments in December that would otherwise be due in January to beneficiaries, contractors, and others. However, the Administration has determined that such actions are not necessary at this time, given the level of readiness of agency payment systems and agency business continuity and contingency plans. Moreover, the extensive downside risk to prepayment mitigates strongly against implementing this contingency plan in all but the most exceptional circumstances.

First, and most importantly, issuing such payments early would require reprogramming of payroll and other financial management systems. I have previously stated that any changes to systems should be minimized as they not only divert resources from fixing the Y2K problem, but also may undo Y2K fixes. It would be highly irresponsible to implement a contingency plan that could worsen the year 2000 problem.

Second, making early payments would have tax implications for individuals and businesses. Undoing any tax implications would require legislative changes for the Internal Revenue Service, which in turn would be required to make changes to the tax code and to their systems. All of these actions would be both costly and time-consuming.

Third, such actions could easily be interpreted by the public as an overall sign of lack of confidence in the ability of the Government to make its payments after January 1. Such a signal could prove disastrous for the national economy as panicked citizens turn to withdrawing their currency in anticipation of a currency shortage. This sort of panic is a self-fulfilling prophecy. Public panic and overreaction is a problem far larger than the technology problem and something we are very concerned about.

Finally, even allowing prepayment in extremely limited areas increases pressure to provide early payment for everyone.

Any uncertainty about the readiness of agencies to make benefits payments should be mitigated by continuing to focus on fixing and testing systems. Agencies should also consider alternative contingency plans that do not introduce such high levels of Y2K risk into systems or that could propagate public panic.

Despite these concerns, however, there may be a few rare instances in which early payment is the best option. In any such instances, agencies may request authority from OMB to pay certain benefits early if certain criteria are met. These include demonstration that there will be substantial harm to individuals from not getting a timely payment, a high likelihood that timely payments (either by normal program operation or through a contingency) will not be made, assurance that early payments made will be targeted only to those recipients who would be harmed, and that early payment will substantially mitigate the harm. The agency must also be willing to make a public announcement of these decisions and to work with the Department of Treasury so that adequate cash management practices are maintained. Throughout the remainder of the year, we will continue to review this matter with agencies.

CONCLUSIONS

In conclusion, during the 192 days remaining before the year 2000, we plan to:

Thank you for the opportunity to allow me to share information with you on the Administration's progress. The Administration continues to treat this challenge with the direct, high-level attention it deserves. The additional focus on the year 2000 problem by the President, Congress, and the public has resulted in agencies focusing management attention on the issue and taking a close look at their resource needs. The Year 2000 contingent emergency reserve has helped ensure that agencies have access to funds to facilitate their work. OMB remains committed to working with the Committees and Congress on this critical issue. I would be pleased to answer any questions you may have.