Good morning Mr. Chairman, I welcome your invitation to participate in this panel on the status of the Year 2000 (Y2K) problem. You and the entire committee should be commended for your foresight in recognizing the significance of this global problem. I thank you all for helping to educate the public and focus the attention of the government leaders on the Y2K problem. I share your commitment and look forward to working closely with you, your committee, and the Congress as we grapple with this threat to our national and economic security.
Our job is clear in the Department of Defense -- to ensure our national security before, on and after the Year 2000. Today we are here to report where we are, where we need to be, and what we are doing to get there.
THE YEAR 2000 PROBLEM IN DOD
Mr. Chairman, DoD needs to do a much better job in preparing for the Year 2000. We are making progress, but the leadership -- civilian and military, fighting forces and support personnel -- cannot and will not be satisfied until we are confident that we can protect and defend our nation on January 1, 2000, and beyond.
In March of this year, the DoD Chief Information Officer assigned to me the responsibility as Special Assistant for Y2K Oversight and charged me to accelerate the department's efforts in preparing for the Year 2000 rollover in our computer systems.
I am an engineer and a manager, and I understand the technical aspects of the Year 2000 problem and what it means to work on large, complex, interconnected information systems and manage a large scale endeavor.
I am a retired Army officer with combat experience. I understand profoundly what is at stake for our men and women who are charged with preserving our freedom.
In my first action as Special Assistant, I reviewed your scoring of the department's progress, the GAO [General Accounting Office] reports, Office of Management and Budget Quarterly reports, DoD Inspector General reports, and the Defense Science Board recommendations. We fundamentally agree with the findings of these reports and studies.
The Department of Defense is fortunate to have the benefit of these painstaking studies. Your subcommittee's assessments have shown the critical need for a more comprehensive strategy for getting the mission critical systems in shape. The guidance from OMB has been essential in framing the critical mission and non-critical mission references and providing specific milestones by which to measure progress. All provide rich and meaningful insights into program status -- where we are and where we are not. We are leveraging this information from these various reports to focus our efforts more precisely and to hone the direction of our program.
Deputy Secretary [of Defense] Hamre stated last week in his testimony to the Senate Armed Services Committee that the Department of Defense is at least four months behind schedule. We agree with the recent OMB evaluation that DoD is in the "Tier One" or red zone. We appreciate your recent upgrade of DoD from an "F" to a "D." I believe that your improved grade is based more on our recent management actions than on our actual results to date. This low score reflects the work that remains to be done in DoD.
When I was asked to assume oversight for DoD's Year 2000 efforts, the department was lagging far behind where we needed to be, and the DoD Chief Information Officer recognized the need for change. The senior leadership of the department has accepted the findings of this committee, the GAO, OMB and the DoD IG. We recognize that the Year 2000 poses a real, mission problem. We have made significant changes at all levels of the department in response.
We have redirected our efforts by keeping our eyes on our goal. The Department of Defense is focused on ensuring we have on January 1, 2000, a force that is able to execute the National Military Strategy, unaffected by a date-related failure of its computer systems.
As you know, the Year 2000 problem affects four aspects of computer systems: software, hardware, firmware and embedded chips. The Department of Defense has approximately 25,000 computer systems. About 2,800 are mission critical (11 percent). These include command and control systems, satellite systems, inventory management systems, transportation management systems, medical systems and equipment, and pay and personnel systems. The Year 2000 problem is an especially challenging for the Department of Defense because we are global, we engage in diverse activities, and we have a mix of new technologies and old legacy systems. However, we can't afford to fail. We must make sure the American people know that they are safe and that our potential adversaries know that that the Year 2000 does not pose a vulnerability that they can exploit. We must be prepared to provide humanitarian assistance where needed, and we must be prepared to respond to any attack that is predicated on the assumption that the Year 2000 presents a target of opportunity.
THE Y2K PROBLEM AS A GLOBAL PROBLEM
Senator [Bob] Bennett stated recently that the Department of Defense is as interrelated as industry is today. Our suppliers are commercial industry, and our customers are our warfighters and peacekeepers as well as our allies and partners with whom we jointly work. The Department of Defense is dependent on its suppliers in commercial industry because DoD is also a just-in-time user of supplies and services, as is most of the world economy. We no longer have stockpiles of inventory in our warehouses and depots as in years past. Our infrastructure is also dependent on commercial industry. DoD operates many military bases, which are really small cities, where the infrastructure can also be vulnerable to Year 2000 problems. Y2K failures in the commercial power grid and commercial communications could affect our military bases, both in the United States and around the world
DoD's plan is to work across boundaries and borders to surface, address and resolve critical Y2K issues, develop contingency plans, and lead efforts to orchestrate partnerships and alliances where appropriate.
OVERALL DOD STRATEGY
I would like to outline some strategies and actions we have implemented to gain better managerial control of our Year 2000 activities.
Since the beginning of its Year 2000 efforts, DoD has used a management strategy that combines centralized policy and oversight with decentralized execution. We divide our work on each system into five phases -- Awareness, Assessment, Renovation, Validation, and Implementation, which are defined by GAO and OMB in numerous reports. All military departments and defense agencies use these phases to track progress on Y2K compliance. While these phases are useful for determining progress on a system-by-system basis, we have gone beyond seeing the Year 2000 as an information technology problem to being an operations and readiness issue.
Organizing For Results
As this committee pointed out, a traditional organizational structure is not equipped to deal with a problem that cuts across all organizational levels and functions. To make the problem manageable, we have divided the DoD's activities into 20 functional areas. These functional areas slice across all military departments and defense agencies. This functional partitioning allows us to frame the challenge in a meaningful way. Some examples of functional areas are command and control, nuclear capabilities, weapon systems, logistics, finance, personnel and transportation.
Mr. Chairman, we have set up several organizations to execute our Year 2000 strategy. We believe the Y2K problem warrants the attention and leadership of a CEO, not just a CIO. We have organized Y2K efforts in the DoD to provide the leadership we need. To that end, the Deputy Secretary of Defense chairs the DoD Y2K Steering Committee. This committee reviews the progress of all DoD components, serves as a forum for sharing information, surfaces management and resource issues, and identifies opportunities to accelerate progress on the Year 2000 problem. Senior representatives from all major DoD components participate in this forum.
The DoD CIO has overall responsibility for managing DoD's Year 2000 efforts. The Department of Defense Chief Information Officer function is assigned to the Senior Civilian Official of the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence is the DoD CIO. The DoD CIO sets Y2K policy, coordinates the efforts of the services and defense agencies, and monitors Y2K progress on behalf of the Secretary of Defense.
As the DoD CIO's Special Assistant for Year 2000, I lead the DoD Year 2000 Oversight and Contingency Planning Office. Both the GAO report and the recent Defense Science Board Task Force report recommended assignment of a strong central leader. These recommendations were captured in the March 1998 blueprint for restructuring the Office of the ASD (C3I) and accepted by the Secretary of Defense. I was assigned roughly sixty days ago to lead the day-to-day Y2K efforts in DoD. My staff handles all multi-component Y2K actions, such as developing DoD Y2K policy, management plans, consolidated reporting, interface assessments, contingency planning guidance and oversight, and testing oversight.
Each DoD component head is responsible for assuring all software and systems correctly process dates. The military departments' and defense agencies' chief information officers have the responsibility for monitoring their progress and ensuring their systems are Y2K compliant before January 1, 2000, and for reporting status of their systems to the DoD CIO. Overall tracking is done through the new Y2K central database.
We have the commitment of all the CINC's in addressing the Year 2000 issue as an operations and readiness issue rather than as a computer problem. This awareness permeates the department, throughout all commands and all mission areas.
DOD'S ENTERPRISE LEVEL STRATEGY
The DoD leadership has endorsed a broad attack on the Year 2000 problem. This attack is organized around three principal vectors:
- Report and Evaluation
- Programmatic Oversight and Coordination
- Test and Contingency Planning
REPORT AND EVALUATION VECTOR
DoD's strategy relies upon all DoD components to provide accurate information on Y2K progress and lessons learned. DoD has established a Y2K central database on DoD's most important systems to expedite Y2K reporting. Each component also has a Y2K database to provide detailed information on Y2K progress. The goal of this database structure is to meet the needs of DoD's senior leadership, OMB and Congress in managing Year 2000 efforts and ascertaining the impact on DoD's mission capabilities. We began populating the Y2K database on June 1, 1998. The database is, as yet, incomplete on all specifics on all systems. We are working with the DoD components to complete the database and to make sure the data is reported accurately. For instance, information in the database on projected completion of Year 2000 milestones should reflect the actual anticipated dates rather than the target dates. We need full and open reporting from our program managers so that DoD can make plans according to actual capabilities.
We are also creating the ability to access Year 2000 data with a new powerful analytical ability which will assist DoD in forecasting Year 2000 shortfalls and ensuring timely resolution of Year 2000 issues. The new ability will also help DoD in:
- Streamlining the reporting process
- Allowing quicker answers, and
- Querying for more meaningful aggregations of information.
DoD is making the DoD Year 2000 data available to the GAO, OMB, DoD IG, and other federal assessment and evaluation bodies. This will reduce time lags that could hinder their work. This should enable DoD to make necessary corrections faster and with a higher degree of precision.
PROGRAMMATIC OVERSIGHT AND COORDINATION VECTOR
Through oversight and coordination, the department addresses enterprise analysis, identification of opportunities for improvement, lessons learned, candidate metrics and performance measures, organizational interfaces and resource tracking for Y2K efforts. One of the primary areas of progress in programmatic coordination has been in the acceleration of DoD's interface assessment workshops, so that every functional area will have completed three assessments by September 1998.
We are conducting workshops in each functional area every sixty days. We meet with the functional area leaders, who are responsible for ensuring that interfaced systems will be compliant and compatible. Assessment workshops identify common systems, action plans and review implementation progress for each functional area. The assessment workshops include representatives of other federal Agencies, DoD allies and partners, GAO, DoD IG and OMB.
Interface with Allies and Partners
DoD has initiated several efforts to coordinate with our allies and partners. The President made Y2K an agenda item at the last Group of Eight conference in the United Kingdom. The Secretary of Defense will discuss the Y2K problem at a NATO conference this week. Regional CINCs will sponsor follow-on workshops with allies and U.S. security assistance officers. DoD seeks to establish ties to allied defense ministries for critical defense systems, which are jointly operated. While our allies are aware of the Y2K problem, there is concern that the level of attention is not as great as it is in the U.S. For example, Europe is more focused on the equally complex and time-sensitive transition to the European monetary system than to the Year 2000 problem.
The DoD Inspector General (DoD IG), in conjunction with the audit entities for each of the military departments and defense agencies, assists in the independent data validation process. These audit efforts are crucial to verification of Y2K actions. The short time frame remaining for Y2K fixes requires further innovation in oversight processes that have already been streamlined by acquisition reform. In addition, the services' audit agencies are part of DoD's verification process. For example, the Army Audit Agency, working as an internal management consultant for the Army CIO, is performing "Y2K readiness assessments" on critical systems and facilities and is also serving as an independent verifier of Y2K compliance certification documents.
DoD is placing increased emphasis on Y2K compliance, from the Secretary of Defense to the individual system manager. DoD views Y2K compliance as an operational readiness issue. We have to be and we will be prepared to fight, if necessary, and to provide assistance, wherever called upon. The department is addressing the findings and recommendations of the various assessments made on its Y2K program by the GAO and the DoD IG.
TEST AND CONTINGENCY PLANNING VECTOR
In FY [fiscal year] 1999, DoD's primary focus will be the progress of testing and contingency planning . We will develop schema for Y2K tests, adopt best commercial practices, define testing strategies, and perform continuity planning for our most critical systems and functions. Contingency plans for both mission critical and non-mission critical systems will mature as well. Mission critical systems receive the highest priority in contingency planning.
DoD's contingency planning will come to the fore as the results of testing beyond the system level take place. DoD's operational tempo and complexity of interactions among systems require that testing take place across DoD functions and throughout an entire theater. DoD is establishing plans for including Y2K testing as part of special functional area tests and CINC-led Y2K operational evaluations, commencing as soon as possible and continuing through FY 1999. These should result in contingency planning refinement at departmental, functional and theater levels.
Testing From Three Perspectives
DoD is using three approaches to test its Year 2000 compliance. Systems-centric testing addresses individual systems. Functional-centric testing assures both Y2K compliant systems and functional effectiveness by end-to-end testing of DoD functional activities (accounting and finance, etc.). Mission-centric tests assure end-to-end performance of systems and interfaces to maintain the mission effectiveness of U.S. forces.
System Level Testing. Systems-level testing is conducted by each service, agency and field activity, under the oversight of a designated Y2K focal point or program office and is intended to ensure that individual systems are Y2K compliant and can perform as originally designed.
Functional Evaluations. Functional evaluations will be based on strategies and data collection from Interface Assessment Workshops. This includes a combination of interoperability and laboratory testing across components, departments, and where feasible, NATO and allies. The nuclear community is a good example of collaboration to develop an end-to-end evaluation of the nuclear C4I system of systems. The process will demonstrate interoperability from sensor to shooter. Virtual and physical test methods will be needed to complete end-to-end testing as dictated by factors such as time, risk, cost, and resource availability. The single string approach facilitates fault isolation while maintaining readiness.
End-To-End Mission Level Evaluations. These will be used to demonstrate DoD's operational readiness in a Y2K scenario. Mission-level operational evaluations will augment DoD's Y2K verification and testing efforts and are planned to be carried out in conjunction with joint and CINC exercises. This testing requires defining specific Y2K objectives that address primary end-to-end operational capabilities, continuity of operations planning and risk areas.
Continuity of Operations
DoD components are applying extraordinary efforts to meet the technical challenges of Y2K compliance. Despite these efforts, however, we know that all DoD systems will not be Year 2000 compliant by the immovable deadline of January 1, 2000. Some systems whose risks have been mitigated through renovation and testing may fail, and the failure of one system could disrupt many others. Other, lower priority systems will not be ready in time because of the limitations on available human resources to fix legacy software.
There are two areas of risk that must be considered in planning for Year 2000 disruptions:
- Known or suspected sources of disruption, and
- Unanticipated disruptions
The department has assessed virtually all of our systems and identified Y2K issues for corrective action. Renovation of systems is in progress, and schedules have been developed for testing each system. Resources are identified and available for accomplishing these actions.
Notwithstanding these efforts, contingency planning is critical to ensure continuity of operations. These plans must address:
- Failure of the system
- Disruptions at interfaces
- Receipt of corrupt data
- Failure of utilities and infrastructure
Specific workarounds will be addressed, including providing manual processes or non-automated tactics, to supplant systems that do not meet Year 2000 requirements.
The Department's Year 2000 Oversight and Contingency Planning Office is establishing and participating in working groups at all levels to interject Year 2000 threats, such as infrastructure failures, into existing contingency plans. The Department of Defense is expanding contingency plans at three major levels: system, component and department. System level contingency plans are the primary management tools in preparing for unanticipated disruptions. Individual systems could have formal plans, or may rely on operating manuals, procedure guides, or other documents. These documents must address failure of the system. Components plan to test system level contingency plans to be sure they can be executed.
Contingency plans for each DoD Component will include a prioritized list of systems and major actions taken to minimize Y2K disruptions to the core missions of the component. At the department level, continuity of operations plans will be reviewed and Y2K scenarios will be incorporated.
DOD'S RECENT INNOVATIONS
We are instituting a High Risk Systems Board to meet with the CEO, CIO and CFO responsible for each system in Y2K jeopardy. The board will review their progress every month and prioritize our efforts.
We are developing plans to field an independent enterprise-wide evaluation force of 250 individuals to support and independently validate the compliance of our most important systems, especially in functional testing, in mission testing and for emergency responses.
We are developing a proposal to place a moratorium on modifications to existing systems that are not Y2K compliant.
We will develop contingency plans for every mission critical system, and we will include testing of contingency plans in our validation process.
Mr. Chairman, your letter of invitation to today's hearing asked me what you could do to remove impediments to our efforts. There are two areas where this subcommittee and the Congress could assist us.
We ask that you resist helping us by legislating more reporting requirements or by legislating particular approaches to solving the Year 2000 problem. While well meaning, such actions add administrative burdens that take resources away from fixing the problem or could even cause serious distortions in our contingency planning. For example, there are some legacy systems we should enhance to hedge against the potential failure of other systems that may fail. We are streamlining our reporting and data collection and will share our status data with you. We have also invited the GAO and OMB to attend all of our DoD interface assessment workshops and all meetings of the Year 2000 Steering Committee.
More importantly, we need flexibility in applying resources to this problem. DoD's senior leadership needs to be given the maximum flexibility and minimum red tape to assign resources -- be it money, people or materiel -- to make sure that January 1, 2000, comes and goes without any degradation in DoD's mission capabilities.
Thank you again, Mr. Chairman, for your support in our efforts to meet the Year 2000 challenge.
Other Related Sites of Interest:
Published by the American Forces Information Service, a field activity of the Office of the Assistant Secretary of Defense (Public Affairs), Washington, D.C. Parenthetical entries are speaker/author notes; bracketed entries are editorial notes. This material is in the public domain and may be reprinted without permission.