August 6, 1999

M-99-21

MEMORANDUM FOR THE HEADS OF SELECTED DEPARTMENTS AND AGENCIES

Over the past several years we have made great progress in addressing the year 2000 problem. With less than six months left until January, however, we must assure that our preparations are as complete as possible. In particular, we should focus our efforts in the remaining months on finishing work on any unfinished systems, testing to ensure and demonstrating that Federal programs will work, and preparing plans to assure that we can carry out our business.

We must inform the Congress and the public of our readiness. To assist in that, I am revising the quarterly reporting requirement and creating a new monthly reporting requirement on the status of unfinished mission critical systems. This memorandum supercedes OMB Memorandum No. 99-09, "Revised Reporting Guidance on Year 2000 Efforts," (January 26, 1999) and OMB Memorandum No. 99-15, "Reporting Continued Progress Addressing the Year 2000 Problem," (April 30, 1999).

1. Quarterly Reporting Requirement. The quarterly reporting requirement is contained in Attachment A and is due August 13, 1999, and November 15, 1999. Please note several important changes to the quarterly reporting requirements.

• Progress on Mission Critical Systems. In lieu of a summary of progress in repairing mission critical systems, provide a report on the status of each remaining mission critical system that is not yet complete. (See section I, B.)

• Other Progress. You have been reporting progress in a number of other areas potentially affected by the Y2K problem, including telecommunications and buildings. At this point, for telecommunications and buildings that are owned or managed by your agency, please provide a description of efforts to ensure that you will be Y2K compliant. Also provide a date by which you expect all telecommunications and buildings used by your agency to be Y2K compliant. (See Section II, C and D.)

• High Impact Plans. In OMB Memorandum No. 99-12, "Assuring the Year 2000 Readiness of High Impact Federal Programs," (March 26, 1999) I asked that Federal agencies take the lead in coordinating end-to-end testing and demonstrating that programs will work. I also asked that the lead agencies for 43 high impact programs provide OMB with monthly updates on their progress. I now ask that those agencies also include a summary of their progress in their August and November quarterly reports. (See Section IV.)

• Change Management and Verification Efforts. In OMB Memorandum No. 99-17, "Minimizing Regulatory and Information Technology Requirements That Could Affect Progress Fixing the Year 2000 Problem," (May 14, 1999) I asked that you put in place a change control process to minimize changes to internal systems. I now ask that you describe that process in the August and November quarterly reports. (See Section V, B and C.) That Memorandum also asked that you consider the year 2000 impact of new regulations before issuing them. Please include in your future quarterly reports a description of your process for reviewing regulations to consider the year 2000 effects. (See Section VI.)

• Business Continuity and Contingency Plans. It is also important to reassure the Congress and the public that we are prepared for any disruptions that may occur. In June, you provided a copy of your headquarters-level business continuity and contingency plan (BCCP). We will continue to work with your staff to refine and improve those plans. To help us assess the readiness of your total organization, please provide information to us about the progress of any agency offices in implementing plans. In addition, I ask that you describe how BCCPs are being coordinated with agency Continuity of Operations Plans (COOPs). (See Section VII.)

2. Monthly Reporting Requirement. To facilitate reporting, the monthly requirement is incorporated into the quarterly report as Section I, B. Monthly reports are due on the 15th of September, October, and December. For the August and November quarterly reports, agencies need not submit separate monthly reports.

As in the past, you or your Chief Operating Officer should sign both reports. Please address the reports to me, but send them to:

Reports may also be faxed to 202-395-5806. Any questions regarding the procedures of submitting a report may be directed to Ms. Pamela Beverly, telephone 202-395-6881.

As in the past, OMB may need to require further information from you related to your year 2000 progress. Such information requests may be part of the budget process or through OMB’s other authorities.

Finally, as you are aware, the Congress is deeply interested in agency progress as well. I encourage you to send your plans and reports to concerned Members of Congress at the same time that you submit them to OMB.

Thank you for your continued work and cooperation in this critical effort. It is vital that we continue to work closely together on this problem as January approaches.

Attachments

Attachment A

Status of (Department/Agency’s) Year 2000 Efforts:
Quarterly Progress Report
Due August 13 and November 15, 1999

I. Progress on Mission Critical Systems.

A. Indicate whether you have completed work on all mission critical systems. Please ensure that your report is consistent with the CIO Council’s best practices and GAO’s assessment guide, "Year 2000 Computing Crisis: An Assessment Guide."

Total Number of Mission Critical Systems	Number Compliant	Number to be Replaced	Number to be Repaired	Number to be Retired

B. For those agencies with unfinished mission critical systems, provide a list of all such systems, whether to be replaced, repaired, or retired. ¹ The list should include:

1. The name of the system.
2. A brief description of its function.
3. The date when the agency expects to make the system compliant. If there has been a change since previous reports in the date when the system is expected to be compliant, please explain.
4. A brief description of the implications of the system not being ready and whether there is a contingency plan in place. If there is no contingency plan, indicate when one will be complete.
5. The reason the system is not yet compliant.

II. Other Progress

A. Provide a description of progress to make non-mission critical systems compliant, including measures that demonstrate that progress.

B. Provide a description of progress to make data exchanges compliant with all entities external to your agency, including other Federal agencies and the private sector. Include:

1. The total number of data exchanges, the number that are compliant on both sides, and the number which have been fixed on the Federal side.
2. When you expect that all your data exchanges will be compliant.
3. A brief description of any difficulties you have encountered in making the exchanges compliant.

C. Provide a summary description of efforts to assure that telecommunications systems and networks owned or managed by your agency are compliant. Also provide a date by which you expect all telecommunications systems and networks used by your agency to be compliant and describe any difficulties you are encountering.

D. Provide a summary description of efforts to assure that buildings owned or managed by your agency are compliant. Also provide a date by which you expect all of the buildings used by your agency to be compliant.

E. Provide a summary description of progress to assure that other systems or equipment, including biomedical equipment and laboratory devices and any other products or devices using embedded chips that your agency uses are compliant. Describe any difficulties you are encountering in ensuring that such equipment is compliant.

F. Please include any additional information that demonstrates your agency’s progress.

III. Federally supported, State-run Programs. Describe efforts to ensure that Federally supported, State-run programs (including those programs run by territories and the District of Columbia) will be able to provide services and benefits. In particular, Federal agencies should be sensitive to programs that will have a direct and immediate affect on individuals’ health, safety, or well-being. Include a description of efforts to assess the impact of the year 2000 problem and to assure that the program will operate. In addition, the Department of Health and Human Services, the Department of Labor, and the U.S. Department of Agriculture must provide the following information for those programs listed in Attachment D.

A. The date when each State’s systems supporting the program will be Y2K compliant. Compliant here indicates the date when the State has determined when its systems will be able to provide services, whether directly or indirectly, to beneficiaries.

B. A list of States, if any, for which the Y2K problem is likely to cause significant difficulties in the State’s operation of the program. Also provide a list of States which are not likely to encounter significant difficulties.

C. For those States likely to have significant difficulties, a brief description of any action that the Department is taking to assure that the program will operate.

D. For each program, provide an estimate by fiscal year of the Federal share of State costs associated with efforts to achieve Y2K compliance (report totals in millions and tenths):

IV. High Impact Plans. For each of the 43 high impact programs for which your agency is the lead, as listed in Attachment C, provide: ²

A. Key partners necessary to ensure that program benefits and services will be delivered.

B. A brief description of the process to ensure that the program will be ready, which may include internal testing, data exchanges, and end-to-end testing, and provide a date when that process was or will be complete.

C. A date or dates to inform the public of program readiness. Include dates even if they have passed.

V. Change Management and Verification Efforts

A. Describe how and to what extent internal performance reports, (i.e., compliance of systems repaired and replaced) are independently verified. Provide a brief description of activities to assure independent verification that systems are fixed and to assure that information reported is accurate. Also identify who is providing verification services (for example, Inspectors General or contractors).

B. Describe your agency’s change management process to assure that the effect on year 2000 readiness is considered prior to establishing new requirements or changes to IT systems.³

C. Describe any ongoing testing your agency is undertaking to ensure readiness of systems, such as integration testing, end-to-end testing, and retesting of key systems to further ensure readiness.

VI. Regulatory Review. Describe your agency’s process for reviewing regulations to consider the effect of the regulation on the Year 2000 readiness of regulated entities and to consider alternatives to minimize that effect. ³

VII. Business Continuity and Contingency Plans (BCCPs). Provide information on progress in developing and testing BCCPs in your agency. ⁴ Include:

A. Assurances that local and regional offices have developed and tested business continuity and contingency plans in coordination with headquarters. Also provide the total number of such offices which require BCCPs and the number that have such plans in place.

B. Describe how your agency is coordinating its BCCP with its Continuity of Operations (COOP) planning efforts.

VIII. Other Management Information.

A. Report your estimates of costs associated with year 2000 remediation, ⁵ including both information technology ⁶ costs as well as costs associated with non-IT systems. Report totals in millions of dollars. (For amounts under $10 million, report to tenths of a million.)

Fiscal Year	1996	1997	1998	1999	2000	Total
Current Cost

B. Please identify any costs within these estimates that are not covered by base funds and/or emergency funds that have already been released.

C. If there have been dramatic changes in cost, please explain.

D. Describe any concerns with availability of key personnel, including ensuring that key staff will be available during the weeks before and after the transition to the year 2000.

E. Describe any problems that are affecting progress.

Attachment B

Agencies

Attachment C

43 High Impact Federal Programs

Attachment D

Selected Federally-supported, State-run Programs

Footnotes:

¹ This information is to be provided on a monthly basis, but is to be included in the quarterly reports of August and November in lieu of monthly reports.

² OMB Memorandum 99-12, "Assuring the Year 2000 Readiness of Federal High Impact Programs," March 26, 1999, asks agencies to report on the status of their programs monthly until a public announcement is made. The requirement above is for additional summary information to be included in the August and November quarterly reports.

³ See OMB Memorandum 99-17, Minimizing Regulatory and Information Technology Requirements," May 14, 1999.

⁴ See OMB Memorandum 99-16, "Business Continuity and Contengency Planning for the Year 2000," May 13, 1999.

⁵ These estimates should include the costs of information technology remediation as well as non-information technology products and systems such as air conditioning and heating. Costs for outreach activities to non-Federal entities should also be included. Agencies should also include costs associated with business continuity and contingency planning as well as the implementation of those plans. In addition to regular appropriations, agency costs should include monies received by the agency for Y2K from the contingent emergency Y2K fund appropriated in P.L. 105-277, the Omnibus Consolidated and Emergency supplemental Appropriations Act, 1999. However, agency cost estimates should not include any non-Y2K costs that were funded from P.L. 105-277. Finally, these costs should not include upgrades or replacements that would otherwise occur as part of the normal systems life cycle. They should not include the Federal share of the costs for State information systems that support Federal programs. DoD should report obligattional authority requirements for business and weapons systems.

⁶ Information technology costs to be included as described in Section 53 (formerly section 42) of OMB Circular A-11. DoD should report obligational authority requirements for business and weapons systems.