Year 2000 Computing Crisis

The Social Security Administration (SSA) has made significant early progress in becoming Year 2000 compliant. However, three areas of significant risk remain that could threaten the agency's ability to deliver benefit payments. First, SSA has not included the 54 state disability determination services, which provide vital support to SSA in administering its disability programs, in its initial assessment of systems that it considered a priority for correction. Second, SSA has thousands of data exchanges with other organizations, including the Treasury Department, the Internal Revenue Service, and the states. Unless SAA can ensure that the data received are Year 2000 compliant, program benefits and eligibility computations that are derived from that data may be compromised and SSA's databases corrupted. Third, the risks to SSA's Year 2000 program are compounded by the lack of contingency plans to ensure business continuity in the event of systems failure.

GAO noted that: (1) a previous report and testimony noted that SSA had made significant early progress in its efforts to become year 2000 compliant; (2) SSA initiated early awareness activities and made significant progress in assessing and renovating mission-critical mainframe software that enables it to provide social security benefits and other assistance to the public; (3) while SSA deserves credit for its leadership, GAO's earlier report and testimony pointed out that three key areas of risk nonetheless threatened to disrupt its ability to deliver benefits payments; (4) one major risk concerned year 2000 compliance of mission-critical systems used by the 54 state Disability Determination Services (DDS) that provide vital support to SSA in administering its disability programs; (5) a second major risk in SSA's year 2000 program concerned the compliance of its data exchanges with outside sources, such as other federal agencies, state agencies, and private businesses; (6) third, the risks to SSA's year 2000 program were compounded by the lack of contingency plans to ensure business continuity in the event of systems failure; (7) SSA has enhanced its monitoring and oversight of state DDSs by establishing a full-time DDS project team, designating project managers and coordinators, and requesting biweekly status reports; (8) among SSA's most critical data exchanges are those with the Federal Reserve and the Financial Management Service (FMS) for the disbursement of Title II and Title XVI benefits checks and direct deposit payments; (9) SSA began working with FMS in March 1998 to ensure the compliance of these exchanges, and recently reported that the joint testing of check payment files and the end-to-end testing from SSA, through FMS and the Federal Reserve for direct deposit payments, had been successfully completed; (10) turning to contingency planning, SSA has instituted a number of key elements in accordance with GAO's business continuity and contingency planning guidance; (11) SSA is now in the process of developing local contingency plans to support its core business operations; (12) another key element of a business continuity and contingency plan is the development of a zero-day or day-one risk reduction strategy, and procedures for the period between late December 1999 and early January 2000; (13) SSA has developed such a strategy; (14) there has been significant continuing progress in SSA's efforts to become year 2000 compliant; and (15) it is important to note, however, that SSA still needs to effectively complete certain critical tasks to better ensure the success of its efforts.