, Office of Inspector General
\
j Report of Review
fy
MAJOR EPA INFORMATION SYSTEMS
ARE VULNERABLE TO FAILURE
DUE TO THE
UPCOMING CENTURY CHANGE
MARCH 14, 1996
Audit Report E1NMB5-15-3038-6400036
-------�
Inspector General Division
Conducting the Audit;
Region Covered:
i
Program Offices Involved:
ADP Audits and
Assistance Staff
Agency-wide
OARM
OAR
OECA
OPPTS
OSWER
OH
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
MAR I 4 1996
OFFICE OF
THE INSPECTOR GENERAL
MEMORANDUM
SUBJECT: Report of Review - Major EPA Information Systems are
Vulnerable to Failure Due to the Upcoming Century Change
Report No. E1NMB5-15-3038-6400036
FROM: Patricia H. Hill,
ADP Audits and Assistance Staff (A
TO: Paul A. Wohlleben, Acting Director
Office of Information Resources Management (OIRM) (3401)
Attached is a special review report entitled "Major EPA Information Systems are Vulnerable to
Failure Due to the Upcoming Century Change." The primary objectives of the review were to:
(1) determine how major EPA application systems currently store date information; (2) determine
which application systems will require modification; (3) determine if planning for upgrade of these
systems is adequate; and (4) determine how vendors of major EPA platforms are addressing the
century change in their operating systems.
My staff discussed these issues with your staff and were very pleased with the cooperation we
received from them. Their assistance and suggestions have made this a better report. This special
report describes problems and recommended corrective actions the Office of Inspector General (OIG)
has identified. We ask that you provide us, within 90 days, a report on the actions you have taken as a
result of our recommendations. If your proposed actions will not be complete, we ask that you
describe the actions that are ongoing and provide a timetable for completions. We appreciate your
positive response to the recommendations presented in the report and the many actions you and your
staff have initiated to address the issues concerning the upcoming century change.
We have no objection to the further release of this report to the public. Should you or your staff
have any questions regarding this report, please contact me at (202) 260-1072.
Attachment
Print*) with Soy/Canoi* ink on paper thai
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Major EPA Information Systems are Vulnerable to Failure
Due to the Upcoming Century Change
Report No. E1NMB5-15-3038-6400036
System managers within EPA are not fully prepared to address the problems associated with the year
2000. Although the scope of this review was limited to 22 major application systems and seven major
hardware platforms, the potential effect of the problem within EPA is tremendous. EPA's Information
Systems Inventory (ISI) describes approximately 300 systems, databases, models, modules, and other
computer applications. EPA's Office of Information Resources Management (OIRM) must accelerate
its Year 2000 campaign in order to ensure Agency preparedness for the century change. In order to
reduce EPA's exposure to major system failure, a determination of the risks associated with each
system in the year 2000 must be made. Once the risks have been evaluated, careful planning and
budgeting must be conducted to ensure that all necessary changes are identified, performed, and tested
in time to prevent system failure.
Purpose
The objectives of this survey were to: (1) determine how major EPA application systems currently
store date information; (2) determine which application systems will require modification;
(3) determine if planning for upgrade of these systems is adequate; and (4) determine how vendors of
major EPA platforms are addressing the century change in their operating systems.
Background
The upcoming century change is considered to be one of the most critical problems facing data
processing today. Because most computer systems were developed to maximize storage capacity,
dates were often stored as 6-digit numeric fields, omitting the century identifier. This was an effective
cost saving technique in the early days of computers. However, as the century change approaches,
information resources management (IRM) is beginning to realize the potential impact of this
methodology on major information systems. Because almost every system performs date calculations,
almost every system is vulnerable to failure or production of unreliable information.
There are two basic problems associated with the year 2000: inverse dates and incorrect leap year
assumptions. The first problem, inverse dates, primarily effects application systems and is caused by
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA information Systems are Vulnerable to Failure Due to the Upcoming Century Change
application logic interpreting "00" as occurring prior to "99". When this occurs, dates associated with
"2000" will be interpreted as "1900", causing the system to either fail or return nonsensical dates.
Either result would have extremely negative impacts on mission-critical Agency systems.
Example: A human resources system determines length of service by subtracting an employee's
service computation date (SCD) from the current date.
Current Date: 11/15/05 - SCD: 11/15/70 = Length of Service: -65 Years
The second problem, incorrect leap year assumptions, primarily effects the hardware platform's system
software and occurs as a result of the inverse date problem. There are three leap year rules:
If the year is divisible by four, it is a leap year unless -
It is divisible by 100, in which case it is not a leap year.
However, if it is divisible by 400, it is a leap year.
Because 2000 is divisible by 4 and 400, it is a leap year. The incorrect leap year assumption occurs
when the system interprets "00" as "1900" and assumes it is not a leap year. This result could also
have negative impacts on individual hardware platforms, as well as the processing of mission-critical
systems.
Although the problems themselves are relatively simple, the solutions can be complex. In order to
fully assess the magnitude of the problem in a system, several issues need to be addressed:
Sources of Data - If an organization has complete control over the data entry process, this issue
is less complicated. However, if data is imported in from other systems or organizations, the
date format of those systems becomes critical.
Embedded Date Codes - If a date, or part of a date, is used as part of another field, logic and
sorting problems can occur. Two digit year codes are often used in numbering invoices, cases,
permits, and other documents. In the year 2000, a tracking number of'001234' will
incorrectly sort before '991234.'
« Interfaces with Other Systems - When systems interface, date codes are often exchanged. The
number, location, and formatting of date fields exchanged with other systems should be known
and coordinated in advance.
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Operating System Dependencies - The year 2000 compliance status of the operating system
and associated tools and utilities can have tremendous impact on the proper functioning of
applications. Application logic would be adversely affected if the operating system provides an
invalid date, incorrect day of year, or incorrect day of week.
Historical Data Requirements - If all data is considered current, all data must be reformatted.
into the new date format. However, if some data is archived and seldom used, it may not need
to be reformatted.
Effects on User Community - Changes in field formats could have a profound effect on self-
developed user programs, data retrievals, and reports. All changes should be communicated to
users so they can modify their programs accordingly.
Changes in Output/Reports - When field formats are changed, output record layouts and report
layouts must also be modified to accept the expanded data. Additionally, lines associated with
display screens and reports might exceed normal limits, causing data to unexpectedly move to a
new line.
EPA's OIRM has begun an information campaign to make the IRM community aware of the problems
and solutions associated with the year 2000. The Director of OIRM sent a memorandum to all Senior
Information Resources Management Officials (SIRMOs), System Managers, and Regional IRM Chiefs
informing them of the problem and advising them to expand all necessary date fields to prepare for the
century rollover. As part of a monthly project status briefing, the Systems Development Center (SDC)
evaluated the year 2000 status of 36 EPA systems being developed or modified at the center.
Additionally, Enterprise Technology Services Division (ETSD) personnel developed several queries
which will help managers of systems within the central database identify potential date codes that need
to be modified. Finally, EPA will be participating as a member of the Federal IRM Policy Council
(FIRMPOC) government-wide taskforce on the year 2000.
Scope and Methodology
The primary focus of this audit was to evaluate EPA's vulnerability to major system failure due to the
upcoming century change. Fieldwork was conducted from June through October 1995, at EPA
Headquarters, Washington, D.C., and the ETSD, Research Triangle Park, NIC. We selected 22 major
Report No. ElNMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
application systems in 6 program offices for review to evaluate their planning for year 2000'. We
requested data dictionaries and other forms of year 2000 documentation from system managers. We
also discussed operating system preparedness and testing for seven major Agency platforms with
ETSD representatives. This work was not conducted as part of an audit, and accordingly was not done
in accordance with governmental auditing standards. Instead, the work represented a special review
which was conducted in accordance with provisions of OIG Manual Chapter 150.
Year 2000 Requirements and Guidance
Office of Management and Budget (OMB) Circulars A-130, A-123, and A-127 respectively provide
Government-wide policy and guidance for: (I) the management of Federal information resources;
(2) the improvement of accountability and effectiveness in Federal programs and operations via
management controls; and (3) the development, operation, evaluation, and reporting requirements of
financial management systems. OMB Circulars A-130 and A-123 outline policy and guidance that
define the basic responsibilities of Federal managers. They impact directly or indirectly on all
managerial decisions and activities, including those that affect the threats associated with the year
2000. OMB Circular A-127 addresses the issue of 1RM standards and has more direct influence on
year 2000 solutions. Date standards are critical to the development of a successful strategy to combat
the threats associated with the year 2000.
OMB Circular A-127 states "Standard data classifications (definitions and formats) shall be established
and used for recording financial events. Common data elements shall be used to meet reporting
requirements and, to the extent possible, used throughout the agency for collection, storage and
retrieval of financial information." This circular also states "Common processes shall be used for
processing similar kinds of transactions throughout the system to enable these transactions to be
reported in a consistent manner."
EPA developed policies and guidance which augment these Federal directives. For example, the
Information Resources Management Policy Manual contains policy statements that assign the primary
functional responsibility for IRM policy development and overall management of the Agency's IRM
program to the Director of the OIRM. Furthermore, the Agency Catalog of Data Policies and
1 The following systems were surveyed: AIRS, CFEIS, GMISS, CPS, EPAYS, FINDS,
GICS, ICMS, IFMS, MATS, SCRIPS, CRIMDOCK, DOCKET, PCS, TRIS, CERCLIS, CLP,
RCRIS, FRDS/SDWIS, IDEA, NEEDS, and STORET. The platforms reviewed included: PC
Workstations, LAN servers, IBM Mainframe, DEC/VAX Cluster, Cray Supercomputer, UNIX
Workstations, and Macintosh Workstations.
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Standards states that it is EPA policy to create and maintain consistency in the form of data elements
that have more than one application within the Agency. This consistency will permit the cross media
approach necessary to achieve environmental results. This catalog also acknowledges EPA's adherence
to Federal Information Processing Standard (FIPS) 4-1, entitled "Representation for Calendar Date and
Ordinal Date for Information Interchange," which states that the standard format for the year contains
four digits.
EPA's Office of Administration and Resources Management (OARM) fiscal 1995 IRM Strategic Plan
discussed "...a bold new course for information management at EPA." The plan states that "EPA will
ensure its data can be integrated to support comprehensive environmental protection and public access
to environmental information." The plan further states that "EPA commits to standardize its data,
thereby increasing the value and usefulness of its information resources." This plan was developed by
a team with broad representation including the Agency's Senior Management, program and IRM staff,
external stakeholders, and partners.
Finally, in May, 1995, the Director of OIRM issued a memo regarding the year 2000 date change. In
this memo, he reminded Agency management of the need for providing four digits for the year instead
of two. To reiterate the point he stated again that,"in most circumstances, it would be better to change
the year to four digits rather than try to formulate (and then maintain) logic work-arounds."
Major EPA Systems Are Not Fully Prepared for the Century Change
OIRM's awareness campaign has been successful in that nearly all system managers interviewed were
aware of the year 2000 problem and understood the importance of addressing it. However, during the
interview process, several system managers stated that they were unaware of some of the issues
brought out by the questions asked (e.g., sources of data, embedded date codes, etc.). Additionally,
several system managers expressed concern over the lack of detailed information from OIRM, stating
that an electronic forum for posting information, questions, and answers would be helpful to them.
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Despite the general awareness of the
problems associated with the century
change, only three system managers
(CLP, CERCLIS and SCRIPS) stated
that their systems are currently year
2000 compliant2. As Table 1 indicates,
the remaining systems are in varying
states of readiness. The majority of
these remaining systems are in the early
stages of planning complete
modernizations of their systems or
expansion of date fields. It is generally
believed that one of the more difficult
tasks associated with this planning
process is locating all date fields within
complex systems. However, the queries
developed by ETSD may help those
systems within the central database
environment locate potential date codes
in need of modification. This should
ease the burden on system managers
just starting the process.
Status of Year 2000 Compliance for
Major EPA Systems Surveyed
Status
Year 2000 Compliant
Partially Compliant
Modernization Planned
Planning Stage
Logic Work-Around
See No Need to Comply
Totals
Number
3
2
5
5
5
2
22
Percentage
14%
9%
23%
23%
23%
9%
100%
Table 1
There is great variety in the way system managers have responded to the OIRM memorandum
encouraging system managers to upgrade their information systems to handle dates beyond 2000. For
example, 9% of the system managers interviewed felt that there was no need to make changes to their
system. Additionally, while-industry recommendations and the OIRM memorandum state that it is
preferable to expand year fields to four digits rather than try to formulate and maintain logic work-
arounds, 23% of the system managers interviewed are planning to implement some form of logic work-
around in their system. The remaining 68% of system managers intend to expand all date fields to four
digit years as recommended or are unsure of how they will address the problem.
Every system surveyed exchanges data with at least one other Agency system. Additionally, 54% of
the systems exchange data with systems outside EPA (e.g., Federal, State, and Industry systems).
However, only 15% of the system managers surveyed have addressed their systems' interfaces.
2 The term "year 2000 compliant" is used to describe a system where all date fields have been
expanded to use 4-digit years.
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Table 2 provides a summary of how system managers planning to address the year 2000 problem
intend to address their system interfaces. While 25% of system managers indicated that their interfaces
would not be effected by year 2000 compliance, the remaining 60% of systems rely on date-sensitive
interfaces and have few plans to ensure that these interfaces will continue to function at the century
change.
Finally, the system software associated
with EPA's hardware platforms (e.g.
IBM Mainframe, UNIX workstations,
Supercomputer, etc.) supporting most of
these major information systems may
not be completely year 2000 compliant.
When we interviewed ETSD staff
regarding the ability of EPA's major
platforms to correctly process dates
beyond 1999, the response was initially
positive. Many of the Agency points of
contact for these platforms indicated
that they had performed, or were
willing to perform, some level of testing
to ensure that dates beyond 2000 were
considered valid. However, there was
no consistent test plan used to ensure
that all idiosyncrasies of the operating
systems were tested and some points of
contact stated that they had not tested the validity of leap year processing in 2000.
Status of Year 2000 Interface Planning
for Major EPA Systems
Status
Addressed
Planning Stage
Not In Current Plan
Unsure
Not Necessary
Totals
Number
3
4
4
4
5 '
20
Percentage
15%
20%
20%
20%
25%
100%
Table 2
EPA Systems are Vulnerable to Year 2000 Problems
The effects of year 2000 related problems are generally described in terms of 'event horizons.'3 In
1995, four major Agency systems experienced problems when processing permits and contracts with a
five year event horizon. Because these systems would not accept dates beyond 1999 as valid, it was
necessary for date information to be stored manually. This information will be re-entered into the
3 An application's event horizon is defined as the latest future date that will be processed in
the application;
7
Report No. ElNMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
systems as they are upgraded to accept future dates, [n the mean time, these systems still contain
improper dates that compromise the integrity of Agency data.
As time goes by, more systems will reach the point where their event cycle crosses the year 2000
boundary. This will cause increasing problems with the integrity and usability of Agency data.
Although many systems are beginning to plan for modernization or upgrade of their systems, time is
running short. A common industry recommendation is for year 2000 compliant systems to be fully
implemented by the end of 1998, in order to allow for one full year of normal, year-end, and quarter-
end processing. However, systems should be completely modified by the end of 1997 in order to
accommodate the lengthy testing, training, and implementation processes. Based on the lack of
detailed plans, current budget uncertainties, and time delays associated with contracting, it is
questionable whether or not these systems will be fully compliant before their event horizon reaches
2000.
Additionally, the use of logic work arounds by several systems only postpones the general problem.
Currently, all date dependent systems must deal with a failure date of 2000. However, as system
managers decide to implement the logic work-around approach, they will choose the most appropriate
cut-off date for their system. This will effectively hide the problem within the code of each application
and scatter failure dates randomly across the Agency.
The large quantity of date-dependent interfaces within major Agency information systems further
complicates EPA's vulnerability. Because system managers are using inconsistent methods of dealing
with the year 2000, there is uncertainty regarding how well these systems will interact. One of the
biggest interface concerns is the network of financial systems within EPA. IFMS, the main financial
information system, is planning to implement a logic work-around approach to the year 2000. This
approach will require systems supplying data to IFMS to strip off the first two digits of the year prior
to sending the data to IFMS. IFMS will then use an algorithm to determine if the 2-digit year should
be preceded by a ' 19' or a '20' and add the appropriate number. This same process will be reversed for
systems pulling data from IFMS. This process is inefficient, contrary to the requirements of A-127.
and could lead to incorrect century assumptions. Finally, while IFMS system management believes
that the algorithm to determine the appropriate century will not fail, this belief is offset by the
criticality of IFMS's and other financial system data.
As paper-based processes are replaced with system interfaces, the stability and integrity of those
interfaces becomes critical. However, the majority of system managers have not yet begun to address
the question of how their system will exchange data with other systems. Because of this, there is no
guarantee that data will flow correctly from system to system. This situation reduces the integrity of
shared data and jeopardizes the current Agency initiatives regarding electronic data interchange, data
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
sharing, and public access. These initiatives are totally dependent on exchanging correct data among
EPA systems, as well as with other Federal Agencies and industry.
Regardless of the level of planning and upgrading done by system managers, each major application is
ultimately vulnerable to the faults of the hardware platform on which it resides. Almost all system
managers reported being dependent on the operating system to provide the correct date. Additionally,
system managers listed several operating system tools and utilities which are necessary for their
programs to function. There is no consistent approach to ensuring that the operating system will return
the correct date in the years beyond 2000, and no methodology for evaluating software tools and
utilities for year 2000 compliance. Because of this, system managers have no guarantee that their
programs will continue to function as intended in the year 2000.
OIRM Needs to Accelerate Their Year 2000 Campaign
According to the IRM Policy Manual, OIRM is responsible for the development of IRM policy and
overall management of the Agency IRM program, including development of data policies and
standards. The framework provided by this policy invests OIRM with the right and responsibility to
lead the Agency's effort to respond to the year 2000 threat. Although OIRM has launched an effective
year 2000 awareness campaign, they have not stepped forward with specific policies, procedures, and
methodologies. This has left system managers on their own to bring their systems into year 2000
compliance.
During audit interviews, several system managers stated that they were unaware of some of the
anticipated problems. Unfortunately, date logic is pervasive, and some of the more serious problems
will result because important aspects are overlooked during upgrades. Identification of these more
obscure concerns need to be addressed during the planning stages of modifications so that solutions
can be formulated. Retrofitting a solution can be both^time-consuming and costly. Identification of
these issues can be addressed through the dissemination of guidance, as well as interactive discussion
with responsible management.
Contrary to OIRM's earlier memorandum, they have since determined that the existing Agency data
standard, requiring a four-digit year date, is too restrictive. However, they have not introduced
supplemental guidance to identify acceptable alternative solutions. At a time when so many systems
are undergoing change, standards are necessary to ensure consistency for data integration and data
sharing across the Agency. The use of standards can also cut costs. A reliable, comprehensible and
portable date routine is an integral part of the overall 2000 solution, and would help lessen testing costs
and save project dollars. As the Agency's manager for establishing IRM policy, OIRM has a
responsibility to promulgate and enforce the use of data standards across the Agency.
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
We recognize that year 2000 testing should be relative to the complexity of the individual application,
the criticality of its data, as well as the particular system'senvironment However, we discovered that
certain common aspects of testing had not been adequately addressed within the Agency. For example,
little emphasis had been placed on developing tests to: (1) ensure the accurate operation of date-
sensitive interfaces; (2) detect operating system idiosyncrasies; or (3) validate leap year processing. In
order to effectively address these common problems, OIRM needs to devise and disseminate a testing
strategy which adequately addresses these and other concerns, and yet is flexible enough to permit
creativity and customization, depending on each system's particular needs. This strategy should
provide guidance and set milestones for system managers. Because the modification process is lengthy
and deadlines are critical, strategic progress should be measurable and problems must surface as early
as possible.
OIRM has acknowledged the need to assume a broader role. To successfully address the many
challenges associated with year 2000 exposures, it is imperative that this effort is managed through a
central focal point. This focal point should be responsible for critical project aspects, such as setting
general milestone dates, coordinating commercial vendor actions, and establishing a consistent
methodology through all project phases. During a recent discussion, OIRM representatives described
their plan to embark upon a comprehensive year 2000 campaign which encompasses all of the
aforementioned areas. Unfortunately, OIRM's plant is not scheduled to begin until fiscal 1997.
Meanwhile, some Agency systems have already experienced year 2000 problems and system managers
are actively seeking solutions. OIRM must begin immediately to analyze the extent of the Agency's
problem and accelerate it's year 2000 campaign, accordingly. There is a problem now and there will
undoubtedly be additional future repercussions, unless the time to act is moved forward rather than
backward.
Recommendations
1. OIRM endorse the use of its existing four-digit year standard, and require the system managers
to obtain a waiver if they choose a solution other than the standard.
2. OIRM expedite the development of guidance documents to direct ongoing and future efforts to
overcome the year 2000 dilemma. At a minimum, guidance documents should: (!) identify
common problematic concerns; (2) identify reliable methods for testing date fields for year
2000 compliance; and (3) identify tests designed to ensure compatibility between Agency
applications systems.
10
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA information Systems are Vulnerable to Failure Due to the Upcoming Century Change
3. OIRM employ one of its existing communications mechanisms to: (1) disseminate guidance to
system managers; (2) serve as a central repository devoted to year 2000 issues; and (3) provide
an avenue for the exchange of ideas and experiences among system managers.
Agency Comments and OIG Evaluation
In a memorandum dated December 12, 1995, the Acting Director for Information Resources
Management responded to our draft report (see Appendix 1). In summary, the Agency partially agreed
with all three of our recommendations. Discussions with OIRM representatives resulted in a revised
set of recommendations which should alleviate some of OIRM's concerns and yet adequately address
the conditions noted in our draft report. To provide a balanced understanding of the issues, we have
summarized and commented on the Agency's general concerns regarding the draft report.
OIRM officials believe that the Agency should be evaluated on the current status of its planning
efforts to achieve year 2000 readiness, rather than on a 1995 snapshot of major systems' status.
The year 2000 date change is a time sensitive crisis and the status of OIRM's planning efforts
do not reflect the urgency of the situation. We found little in the way of current plans or
guidance to assist system managers who are actively pursuing year 2000 solutions. OIRM's
May 22, 1995 memorandum regarding the Year 2000 Date Change stated that they will ensure
proper attention to the year 2000 issue beginning with the fiscal 1997 IRM planning process.
In our opinion, plans formulated or presented in fiscal 1997 wili be of little benefit to those
system managers who are currently addressing year 2000 issues. Furthermore, four EPA
systems have already experienced year 2000 problems because they could not accept dates
beyond 1999. By fiscal 1997, the number of systems experiencing similar problems is certain
to increase.
OIRM management maintains that they demonstrated appropriate leadership in concert with
current, year 2000 policy in the Federal Government, as well as with trends in the private
sector.
We acknowledge that OIRM demonstrated management leadership with its awareness
campaign, and through ETSD efforts to identify date codes in various systems. However, our
review reveals that continued and added support is necessary. EPA system managers expressed
a desire for more direction from OIRM. In addition, we found that system managers were
inconsistent in their methods to resolve year 2000 problems, and were not fully aware of
concerns commonly associated with the century change. This type of Agency-wide effort
requires central management. Central management should assume responsibility for overall
11
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
scheduling by implementing and coordinating a consistent methodology throughout the entire
process. In addition, central management is necessary to respond to problems which fall
outside the authority of individual systems managers. It is central management's responsibility
to set the overall objectives, identify acceptable solutions, direct their implementation, and
determine when the objectives have been satisfied. In our opinion, OIRM has not exhibited this
type of active involvement. OIRM needs a strategy that will allow them to become the focal
point for directing this Agency-wide challenge. OIG recommendations were conceived to
promote that objective.
The Agency's response noted inaccuracies and/or omissions in our draft report. We have addressed
these concerns below:
OIRM noted that the draft report did not mention that FIPS Publications 4-1 allows for a two-
character date field as an alternative to a four-character date field.
The FIPS Publication 4-1 option, permitting use of a two-digit date field, is the primary reason
that we face a crisis with the upcoming century change. Continued use of this option is
considered a temporary fix which will ultimately need to be replaced. Furthermore, when this
option is exercised, it becomes necessary to develop logic and write additional code to sustain
its use. OIRM is allowing individual system managers to develop this logic and generate
additional code as they deem appropriate. However, OIRM has not provided formal guidance
to advise managers of the consequences such a decision could have on data integrity or Agency
data integration initiatives.
OIRM stated that the draft report did not mention resources as a valid concern involved in
selecting a year 2000 solution. The Agency's response states that the year 2000 solution must,
to some extent, be driven by a cost benefit analysis of alternatives.
Very few of the system managers interviewed cited a lack of resources as a major problem.
Most systems were well beyond cost benefit analyses and management was actively engaged in
implementing their solutions. The few system managers who voiced resource concerns had not
developed any formal plans. Their resource concerns were more speculation about the
possibility of resource problems, rather than hard facts based on analysis. Moreover, while the
lack of resources is a genuine concern, it is not an acceptable excuse for declining to address the
problem.
The Agency disputed the number of EPA systems, databases, etc. stated in the draft report, and
quoted "300" as the correct number.
12
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
We obtained our number from the IG's Special Review, which relied on information from a
previous version of the EPA's 1SI. During the audit entrance conference, the Director for
Information Resources Management expressed concern that because the ISI is self-reported, it
might not effectively represent the most critical Agency systems. Therefore, he suggested that
we rely of the IG's Special Review which ranked systems according to risk. The final report
was changed to reflect 300 systems.
The following Agency comments relate to specific recommendations cited in the draft report.
However, this final report contains a revised set of recommendations.
Recommendation 1. While OIRM officials agree that they should establish a standard for the date
field, they maintain that the four digit approach is too restrictive. They stated that FIPS Publication 4-1
allows for the use of a four or a two digit date field. OIRM insists that system managers have the
flexibility to build year 2000 compliance within their unique technology framework and in the most
cost effective way. The Agency responded that, whatever standard is established, there "should be a
requirement built into the IRM procurement process through the EPA Acquisition Regulations. This
would require that all commercial software developers and providers assure year 2000 compliance in
all future software development or enhancement products they provide to the Agency."
According to FIPS Publication 4-1 and EPA's Data Standards Catalog, the four-digit year is the
existing Agency standard for the date field. As an existing Agency standard, it is already required by
EPA Acquisition Regulations. However, we realize that to rigidly impose this standard on all existing
systems would be impractical. There are a number of reasons why existing systems might be exempt
from the standard. For example, expanding the date field is too costly a solution for systems nearing
replacement or retirement. Our concerns are based on the fact that there are a number of alternative
approaches being used throughout the Agency, but few of the system managers interviewed had plans
to ensure that their system interfaces would operate properly.
We recommend the use of waivers to accommodate situations where systems are justifiably exempted
from the standard. We contend that the use of waivers allows system managers ample flexibility in
justified situations. In addition, the use of waivers would provide OIRM with a much needed
mechanism for controlling, coordinating and acknowledging decisions to deviate from the Agency
standard. Despite OIRM's objections to the use of waivers, we found that Agency Directive 2100
clearly advocates their use.
Recommendation 2. OIRM agreed that reliable methods for testing date fields for year 2000
compliance were necessary. However, the Agency suggested that the recommendation be reworded to
use the phrase "test methods guidance document." In their opinion, this terminology would allow
system managers more flexibility to choose a methodology appropriate and cost effective for their
13
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
environments. In addition, OIRM anticipates that commercial vendors will modernize their operating
system utilities and software tools to accommodate the century date change within the next one to two
years.
We have no objection to modifying the wording of this recommendation. We agree with the need to
have reliable methods for testing date fields for year 2000 compliance. In our opinion, these guidance
documents will provide (1) consistency to the issues being contemplated when planning a solution and
(2) uniformity in the approaches being taken to carry out those plans. We reiterate that these guidance
documents should be completed in a timely manner, to allow adequate time for the implementation of
suggested methodologies.
Recommendation 3. OIRM agreed that managers needed to be kept informed of relevant year'2000
policies, procedures and methodologies, but maintained that there are sufficient existing
communication mechanisms to facilitate this process.
We concur that there is no need to establish a new forum. Our intention is to influence the Agency to
utilize an existing forum to disseminate guidance or relevant information, as well as encourage an open
exchange of ideas and experiences among system managers.
14
Report No. E1NMBS-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
KEEP AS SPACING FOR APPENDIX 1, PAGE 1 OF 3
15
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Appendix 1
Page 1 of 3
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON. D.C. 204^0
DEC f 2
C. ADMNOTMTOI
ANOMESOUflCKS
MEMORANDUM
SUBJECT: Response to Draft Report of Review - Major Information Systems are Vulnerable
To FaihueCue To jypoMftin/tfntury Change
FROM: Paui
Office of Information Resources Management
TO: Patricia Hill, Director
ADP Audits and Assistance Staff
We appreciate the opportunity to comment on your Draft Report of Review on "Major
Information Systems are Vulnerable To Failure Due To Upcoming Century Change".
General Comments:
We agree that the year 2000 issue is a serious problem. We do not agree with your
comment on page 8 of your report which states that "OIRM Has Not Provided Appropriate
Leadership In Addressing The Year 2000 Problem." The Office of Information Resources
Management (OIRM) has demonstrated appropriate management leadership in concert with
current, year 2000 policy in the FederaT government and with trends in the private sector.
OIRM* s leadership is exemplified by compliance with current Federal Information Processing
Standard (FTPS) Publication 4*1; conduct of an OIRM-sponsored, Agency-wide information
awareness campaign to communicate on issues related to year 2000; and issuance of year 2000-
related memos to Agency Senior Information Resources Management Officials and to the IRM
community. In addition, OIRM has taken the lead in assessing the problem through EPA's
Systems Development Center efforts which checked on the year 2000 status of 36 Agency
systems; through the Enterprise Technology Services Division's work in identifying date codes in
systems; and through inclusion of a status question on year 2000 readiness in the recent Agency-
wide, IRM data call. To maintain our leadership role and stay in concert with other Federal
agencies on year 2000 planning, OIRM is an active member of a new Interagency Task Force on
the year 2000 issue.
We believe that the Agency should be evaluated on the current status of its planning
efforts to achieve year 2000 readiness, rather than on a 199 5 snapshot of major systems' status.
15 _
aw tnir
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
KEEP AS SPACING FOR APPENDIX 1, PAGE 2 OF 3
16
Report No. E1NMBS-15-3038-6400036
-------�
-------�
Page 2 of 3
-2-
Like most government and private enterprises in 1995, EPA is analyzing the scope of the problem
and planning a strategy that will place the Agency on track to handle the century change. We
believe that the outcome of the year 2000 planning process will not result in a "one-size.-fits-air
solution. Our current system environments are varied, and each needs to be closely examined to
determine the best and most cost effective year 2000 solution. We recognize that for each system
the year 2000 solution must consider the technical environment, expected system life, available
resources, and any published, government-wide standards, as well as provide for successful data
sharing and transfer.
Inaccuracies/Omissions Noted:
o The report fails to mention that the FIPS Publication 4-1 allows for a two-character date
field as an option to a four-character date field.
o There is no mention of the resource concerns expressed by system managers during your
interviews. As you know, the solution to the year 2000 problem must, to some extent, be
driven by a cost benefit analysis of alternatives.
o The first paragraph on page I of your report mentions that there are "approximately 500
systems, databases, models, modules, and other computer applications" in EPA's
Application Systems Inventory The number 500 is incorrect. The correct number is 300.
Comments on Recommendations:
Recommendation #/; Establish an EPA standard requiring the use of 4-digit years in ail
applications by 1997.
Partially Agree. EPA should establish a standard for the date field, however we believe that the
four digit approach is top restrictive. The FIPS Publication 4-1 allows the use of a four or a two
digit date field. Our discussions with officials at the National Institute of Standards revealed that
there are no current plans to update that publication. We are concerned that the issuance of a
too-restrictive, Agency standard would force an unreasonable "one-size fits all" solution on
existing Agency systems. We agree with the comments from the Agency's major system
managers that they must have flexibility to build year 2000 compliance within their unique
technology framework and in the most cost effective way. For example, one system manager
pointed out that merely storing date in a packed hexadecimal date formal, as opposed to
alphanumeric or numeric date field, provides great flexibility on how the date information can be
formatted for output or exchange by using edit masks. For other short-lived systems that are
close to replacement or retirement, a logic work around may be the most cost effective solution.
We also believe that whatever standard is established, it should be a requirement built into the
ERM procurement process through the EPA Acquisition Regulations. This would require that ail
commercial software developers and providers assure year 2000 compliance in ail future software
development or enhancement products they provide to the Agency.
Recommendation #2. Establish a standard testing methodology to be used to ensure that all
16
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
KEEP AS SPACING FOR APPENDIX 1, PAGE 3 OF 3
17
Report No. E1NMB5-15-3038-6400036
-------�
-------�
appendix
Page 3 of
-3-
application systems, interfaces, operating systems, and tools/'utilities are year 2000 compliant
Partially Agree. We would prefer to modify this recommendation to change the words "a
standard testing methodology" to "a test methods guidance document." A "test methods
guidance document" would focus on good, reliable methods that can be used for testing date
fields for year 2000 compliance. This would allow system managers using different hardware and
software tools to be able to choose a methodology that is best suited and most cost effective for
their environment. For operating systems, software tools, and utilities, we expect that in the next
one to two years commercial software vendors providing those products must, by necessity,
modernize and test their products to accommodate the century date change, and the Agency will
benefit from those changes.
Recommendation it 3: Establish a mechanism to (I) keep system managers informed of policies,
procedures, and methodologies associated with year 2000 compliance and testing, and (2) allow
system managers to ask questions and share information with each other.
Partially Agree: We agree that managers need to be kept informed of policies, procedures and
methodologies associated with year 2000; however, we do not believe that new communication
mechanisms are needed. There are currently numerous, existing forums for communication to
take place, which include regular meetings of the Executive Steering Committee for CRM, Senior
Information Resources Management Officials (SERMOs), Regional IRM Branch Chiefs, PC Site
Coordinators, LAN Administrators, System Managers, ADP Coordinators, etc. All of these
forums present opportunities for communication on the year 2000 issue. In addition, we can
continue to use the Agency's EMAIL system, LAN mail, mainframe UMATL, and Washington
Information Center and OIRM newsletters to communicate with the Agency on year 2000
matters. All of the existing communication forums encourage system managers to ask questions
and share information.
If you have any questions about this response, please contact Michael Carpentier, OIRM
Audit Coordinator, IRM Policy and Evaluation Division, on (202) 260-2415.
cc: MJchele Zenon, Director IRMPED
Michael Carpentier, IRMPED
17
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Appendix 2
REPORT DISTRIBUTION
Office of Inspector General
Inspector General (2410)
Deputy Inspector General (2410)
Assistant Inspector General for Audit (2421)
Principal Deputy Assistant Inspector General for Audit (2421)
Associate Assistant Inspector General for Internal and Performance Audits (2421)
EPA Headquarters
Acting Director, Office of Information Resources Management (3401)
Associate Administrator for Congressional and Legislative Affairs (1301)
Agency Followup Official (3101)
Attn.: Assistant Administrator for Administration and Resources Management
Agency Followup Coordinator (3304)
Attn.: Director, Resources Management Division
Audit Followup Coordinator (3102)
Attn.: Program & Policy Coordination Office
EPA Headquarters Library
Audit Liaison, Office of Air and Radiation (6102)
Audit Liaison, Office of Administration and Resources Management (3102)
18
Report No. E1NMB5-15-3038-6400036
-------�
-------�
Major EPA Information Systems are Vulnerable to Failure Due to the Upcoming Century Change
Audit Liaison, Office of Enforcement and Compliance Assurance (2221)
Audit Liaison. Office of Policy, Planning, and Evaluation (7101)
Audit Liaison, Office of Solid Waste and Emergency Response (5101)
Audit Liaison, Office of Water (4102)
Audit Liaison, Office of Information Resources Management (3401)
Research Triangle Park. North Carolina
Director, Office of Administration and Resources Management (MD-20)
Director, Enterprise Technology Services Division/OARM (MD-34)
Appendix 2
19
Report No. E1NMB5-15-3038-6400036
-------�
»
4.
-------� |