Year 2000 Computing Challenge:

FBI Needs to Complete Business Continuity Plans

AIMD-00-11: Published: Oct 22, 1999. Publicly Released: Oct 22, 1999.

Additional Materials:

Contact:

Jack L. Brock, Jr
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on the Federal Bureau of Investigation's (FBI) plans and controls for year 2000 business continuity planning, focusing on: (1) the status of and plans for completing the FBI's contingency planning for continuity of operations; and (2) whether the FBI's contingency planning efforts satisfy the key processes in GAO's year 2000 business continuity and contingency planning guide.

GAO noted that: (1) the FBI reported that it has renovated, tested, and certified as year 2000 compliant all but 1 of its 43 mission-critical systems and has developed system-level contingency plans for all but 2 of the 43; (2) the FBI has made some progress in its year 2000 business continuity planning, but this very important effort is running late; (3) to ensure that there will be sufficient time to develop, test, and finalize plans, GAO recommended in earlier testimony that plans be developed by April 30, 1999, and tested, including addressing problems and retesting by September 30, 1999, in order to allow agencies sufficient time to evaluate whether the plans will provide the level of core business capability needed and whether the plans can be implemented within a specified timeframe; (4) however, the FBI had not yet developed division-level business continuity plans or field office plans, and it did not expect to complete the integration of the division plans until September 1999; (5) further, it had not established a target date for completing field office plans or testing both field-level and division-level plans; (6) these delays left the FBI with little time to complete the many planning tasks that remain and ensure that it is ready to minimize the impact of possible year 2000-induced system failures; (7) the FBI also did not have many of the management controls and processes needed to effectively guide its continuity planning effort through the short time remaining before the year 2000 deadline; (8) according to the year 2000 official, the FBI had not implemented these controls and processes because the Department of Justice's guidance focuses on system-level contingency plans and does not require business continuity planning; (9) further, the official stated that the FBI is inherently capable of ensuring continuity of operations because its agents in both headquarters and the field are well trained and prepared for responding to various emergency circumstances, of which potential year 2000 system failure is just one; and (10) by not employing the management rigor and discipline specified in GAO's year 2000 business continuity planning guide, the FBI will not be able to ensure that it: (a) properly focuses its planning effort on the agency's most critical operations; (b) selects the best strategies to protect these operations; (c) has sufficient resources and staff dedicated to implementing continuity plans; and (d) can efficiently and effectively invoke its continuity plans, if necessary.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In response to the report, Justice convened a meeting of its component bureaus, which GAO attended and facilitated. The purpose of the meeting was to specify the requirement for, and explain the importance of, Year 2000 business continuity plans.

    Recommendation: The Attorney General should direct the Department of Justice's Year 2000 Program Office to clarify the department's expectations for Year 2000 business continuity planning for all Justice bureaus, emphasizing the need for these plans and discussing Office of Management and Budget's adoption of GAO's guidance as a federal standard.

    Agency Affected: Department of Justice

  2. Status: Closed - Implemented

    Comments: The FBI Year 2000 Program Management Office developed a plan for developing and testing business continuity plans. The plan required FBI headquarters and field offices to develop and test business continuity plans by November 1, 1999, and December 15, 1999, respectively.

    Recommendation: The Attorney General should direct the Director, FBI, to establish and implement a plan for the timely development and testing of effective headquarters and field office year 2000 business continuity plans, including incremental milestones for completing all relevant key processes in GAO's guide associated with business impact analysis, plan development, and plan testing.

    Agency Affected: Department of Justice

  3. Status: Closed - Implemented

    Comments: The FBI's actions were limited to business continuity plan testing. Specifically, the FBI tested its headquarters business continuity plans on November 18, 1999 and December 2, 1999. In addition, the FBI also conducted joint testing of headquarters and field offices' business continuity plans on December 8-9, 1999.

    Recommendation: The Attorney General should direct the Director, FBI, to establish and implement effective controls and structures for managing year 2000 business continuity planning, including each of the relevant key processes addressed in GAO's year 2000 continuity planning guide and discussed in this report as not yet being satisfied.

    Agency Affected: Department of Justice

 

Explore the full database of GAO's Open Recommendations »

Jan 13, 2021

Dec 16, 2020

Dec 9, 2020

Dec 3, 2020

Nov 30, 2020

Nov 24, 2020

Nov 23, 2020

Nov 18, 2020

Oct 7, 2020

Looking for more? Browse all our products here