How Grades were Assigned
freedom.gov
The primary determinant of grades is Mission-Critical Systems – specifically, the estimated completion date based upon agency self-reported current rate of progress.
Finishing before the OMB deadline of March 31, 1999 earns a base grade of A. Finishing in the year 2000 or 2001 is a base grade of C. 2002 is a base grade of D. And, anything over 2002 is an F. If there was such a thing as an F minus, AID clearly deserves it for its current progress – hopefully, they will improve next quarter.
We considered failing every agency with an estimated end date after the deadline, however, the estimated end dates are just that – estimates. We hope that agencies will improve their rates of progress and move from an estimated 2001 to successful completion before the deadline. Obviously, those agencies estimated to finish in 2001 have further to go than those estimated to finish in 2000.
There are four additional factors that lowered agency grades from their base grade:
1. Contingency Plans – agencies should have at least basic contingency plans in place already. Many agencies have made the fundamental error of preparing contingency plans only for those systems they know will be late. We and GAO insist that agencies prepare contingency plans that assume systems failures and still maintain basic operations. These plans are being called business continuity plans to distinguish them from current weak agency contingency plans.
2. Telecommunications Systems – In-house PBXs, LAN/WAN, and commercial switched networks are all vulnerable to Y2K problems. By now all agencies should have completed a thorough inventory and assessment of all telecommunications systems. We would expect a reasonable percentage to now be compliant and a realistic plan in place for the remainder.
3. Embedded Systems -- Microprocessor chips of various types are often built in (embedded) to control devices. They may measure such basic things as gallons per minute of water flowing through a pipe or read magnetic strips in security badges. Many embedded chips that have no overt date dependencies nonetheless use date related calculations. Unfortunately, the only way to know whether or not most embedded chips are compliant is to test them. Agencies should have a complete inventory of all embedded chips, know the compliance of a reasonable percentage thereof, and have a remediation plan in place.
4. External Data Exchange -- Like "no man is an island," so too, few computer systems are self-contained. Most computer systems exchange data with other computer systems. It is unfortunately easy for external data that is not Y2K compliant to corrupt another computer system that is Y2K compliant. All agencies should have a complete inventory of all data exchanges, with emphasis on external data exchanges, know which are compliant, and have a plan in place for the remainder.
Examples:
Social Security is projected to finish in 1999 with 100 percent of their mission-critical systems compliant by March 1999. Further, they have good business continuity contingency plans and a good knowledge of the status of all their external data exchanges. Plus, they have been very helpful to other agencies on governmentwide Y2K efforts.
HUD is projected to finish in 1999 but only 78 percent of their mission-critical systems will be compliant by OMB's deadline of March 1999. Worse, their contingency plans, embedded systems, and external data exchanges are very weak.
DOE is not projected to finish until 2004 and only 44 percent of their mission-critical systems will be compliant by OMB's deadline of March 1999. To make bad worse, they also have poor contingency plans, telecommunications systems, and embedded systems. If there was such a thing as F minus, DOE has earned it.
B.K. |
