19 February 2001
Source: http://www.dodig.osd.mil/audit/reports/99-235.pdf


[25 pages.]

Audit Report

YEAR 2000 STATUS OF THE
DEFENSE THREAT REDUCTION AGENCY
NUCLEAR WEAPON INFORMATION TRACKING SYSTEMS

Report No. 99-235                        August 19, 1999

Office of the Inspector General
Department of Defense


Additional Copies

To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 6648937) or fax (703) 604-8932 or visit the Inspector General, DOD, Home Page at: www.dodig.osd.mil.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 6048940 (DSN 6648940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-2884

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.


Acronyms
COTS Commercial Off the Shelf
DTRA Defense Threat Reduction Agency
NUMIS
Nuclear Management Information System
NWCOM Nuclear Weapons Contingency Operations Module
SWIM Special Weapons Information Management System
Y2K Year 2000



INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202

August 19, 1999

MEMORANDUM FOR DIRECTOR, DEFENSE THREAT REDUCTION AGENCY

SUBJECT: Audit Report on the Year 2000 Status of the Defense Threat Reduction Agency Nuclear Weapon Information Tracking Systems (Report No. 99-235)

We are providing this report for your information and use. Because this report contains no findings or recommendations, no written comments were required, and none were received. We conducted the audit in response to the requirement in the National Defense Authorization Act and the DOD Appropriations Act for FY 1999.

We appreciate the courtesies extended to the audit staff. For additional information on this report, please contact Mr. Scott S. Brittingham at (703) 604-9068 (DSN 664-9068) (sbrittingha@dodig.osd.mil) or Ms. Kathryn M. Truex at (703) 604-9045 (DSN 664-9045) (kmtruex@dodig.osd.mil). See Appendix C for the report distribution. The audit team members are listed inside the back cover.

[Signature]

Robert J. Lieberman
Assistant Inspector General
for Auditing


Office of the Inspector General, DOD

Report No. 99-235                                 August 19, 1999

(Project No. 9AS-0090.09)

Year 2000 Status of the Defense Threat Reduction Agency
Nuclear Weapon Information Tracking Systems

Executive Summary

Introduction. The National Defense Authorization Act and the DOD Appropriations Act for FY 1999 require the Inspector General, DOD, to selectively audit information technology and national security systems certified as year 2000 compliant to evaluate the ability of systems to successfully operate during the year 2000, including the ability of systems to access and transmit information from point of origin to point of termination. This is one in a series of reports being issued by the Inspector General, DOD, in accordance with an informal partnership with the Chief Information Officer, DOD, to monitor DOD efforts to address the year 2000 computing challenge. For a listing of audit projects addressing the issue, see the year 2000 webpage on the IGnet at http://www.ignet.gov.

Nuclear Weapon Status Information Systems. The Defense Threat Reduction Agency is the owner of three mission-critical Nuclear Weapon Information Tracking Systems. The Nuclear Management Information System, the Nuclear Weapons Contingency Operations Module, and the Special Weapons Information Management System, interface with each other and provide DOD with the ability to track the location of nuclear weapons and components from cradle-to-grave. The Defense Threat Reduction Agency provides information on the status and location of the national nuclear weapon stockpile to the Department of Energy and DOD Components.

Objectives. The overall audit objective was to evaluate the ability of the Defense Threat Reduction Agency Nuclear Weapons Information Tracking Systems to operate successfully in the year 2000, including the systems’ ability to access and transmit information from point of origin to point of termination. Additionally, the audit determined whether an adequate contingency plan existed to ensure continuity of operations and whether the status of the system has been accurately reported.

Results. The Defense Threat Reduction Agency exercised due diligence in validating the year 2000 readiness of its mission-critical Nuclear Weapon Information Tracking Systems. Specifically, for the Nuclear Management Information System, the Nuclear Weapons Contingency Operations Module, and the Special Weapons Information Management System, the Defense Threat Reduction Agency assessed the year 2000 compliance of the system inventory; conducted year 2000 system verification and certification testing; assessed the system interfaces; developed and tested its system contingency plans; participated in the first of the two required operational readiness tests; and scheduled a second operational readiness test. As a result, the Defense Threat Reduction Agency has obtained a reasonable level of assurance that the functions performed by the Nuclear Management Information System, the Nuclear Weapons Contingency Operations Module, and the Special Weapons Information Management System will continue after the year 2000.

Management Comments. We provided a draft of this report on July 26, 1999. Because the report contained no findings or recommendations, written comments were not required, and none were received. Therefore, we are publishing this report in final form.


Table of Contents

Executive Summary

Introduction

Background
Objectives

Finding

Year 2000 Status of Defense Threat Reduction Agency Nuclear Weapon Information Tracking Systems

Appendixes

A. Audit Process
Scope
Methodology

B. Summary of Prior Coverage

C. Report Distribution


Introduction

The National Defense Authorization Act and the DOD Appropriations Act for FY 1999 require the Inspector General, DOD, to selectively audit information technology and national security systems certified as year 2000 (Y2K) compliant to evaluate the ability of systems to successfully operate during the year 2000, including the ability of the systems to access and transmit information from point of origin to point of termination.

Additionally, the DOD Appropriations Act for FY 1999 requires that all mission-critical systems expected to be used if the Armed Forces are involved in a conflict in a major theater of war be tested in at least two exercises. The DOD Y2K office clarified congressional requirements stating that systems that appear on the Commander-in-Chief thinline architectures must be evaluated twice. The evaluations can be accomplished with:

This is one in a series of reports addressing those requirements. In addition, this is one in a larger series of reports being issued by the Inspector General, DOD, in accordance with an informal partnership with the Chief Information Officer, DOD, to monitor DOD efforts to address the Y2K computing challenge. For a listing of audit projects addressing the issue, see the Y2K webpage on the IGnet at http://www.ignet.gov.

Background

DOD Year 2000 Management Strategy. In his role as the DOD Chief Information Officer, the Senior Civilian Official, Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), issued the “DOD Year 2000 Management Plan” (DOD Management Plan) version 2.0, in December 1998. The goal of the DOD Y2K program is to ensure the continuance of a mission-capable force able to execute the national military strategy before, on, and after, January 1, 2000, unaffected by the failure of mission-critical or support systems to properly process date-related information.

Defense Threat Reduction Agency. The Secretary of Defense’s November 1997 Defense Reform Initiative directed the creation of the Defense Threat Reduction Agency (DTRA). On October 1, 1998, elements of the Office of the Secretary of Defense staff, the Defense Technology Security Administration, the Defense Special Weapons Agency, and the On-Site Inspection Agency were consolidated to form DTRA.

The Director, DTRA, reports directly to the Under Secretary of Defense for Acquisition and Technology. The Director’s advisors include senior officials from the Department of State, , the Department of Energy, and the Federal Bureau of Investigation. The mission of DTRA is to:

DTRA executes its mission through the execution of technology security activities; cooperative threat reduction programs; arms control treaty monitoring and on-site inspection; force protection; nuclear, biological, and chemical defense; and counterproliferation.

Nuclear Weapon Information Tracking Systems. DTRA is the owner of three mission-critical Nuclear Weapon Information Tracking Systems. The Nuclear Management Information System (NUMIS), Nuclear Weapons Contingency Operations Module (NWCOM), and the Special Weapons Information Management System (SWIM), interface with each other and provide DOD with the ability to track the location of nuclear weapons and components from cradle-to-grave. DTRA also. exchanges information with the Department of Energy.

NUMIS. NUMIS is the designated system of record for nuclear stockpile tracking and management. NUMIS provides detailed information on the quantity and location of U.S. nuclear weapons. DTRA provides NUMIS information on the status and location of the national nuclear weapon stockpile to the Department of Energy and DOD Components.

NWCOM. NWCOM is a wartime, contingency operation, command and control database system that provides summarized information on all nuclear weapons. NWCOM tracks nuclear weapons information, using data extracted from NUMIS and SWIM, from the time the weapons are built until the time they are physically torn down by the Department of Energy. At a predetermined defense readiness condition level, nuclear weapon custodial sites cease reporting detailed information and begin reporting summarized information only.

SWIM. SWIM software provides site-specific reporting and tracking information on the U.S. nuclear weapons stockpile. SWIM software facilitates nuclear weapons reporting at all nuclear custodial units worldwide. SWIM generates the document of origination, the Weapon Status Report.

Nuclear Support and Operations. DTRA, Nuclear Support Directorate is the Program Management Office for NUMIS, NWCOM, and SWIM. As the Program Office, the Nuclear Support Directorate provides:

Operational Environment. NUMIS/NWCOM consisted of two classified Sun Microsystems, Incorporated (Sun) SPARCserver 2000 production servers, and two unclassified developmental Sun SPARCserver 1000 servers. The servers are located at DTRA Headquarters, Alexandria, Virginia, and DTRA, Albuquerque Field Operations, Kirtland Air Force Base, New Mexico. The NUMIWNWCOM production servers use Solaris 2.5.1 as the operating system and Oracle 7.3.2.3 as the database server software. During the audit, DTRA replaced the SPARCserver 2000, Alexandria, with a SPARCserver 5500. DTRA has stated that it will re-test the new server for Y2K compliance.

System Connectivity. NUMIS, NWCOM, and SWIM communicate via the Automatic Digital Network and Secret Internet Protocol Router Network.

SWIM. SWIM data is transmitted, via the DOD Components communications center, over the Automatic Digital Network. SWIM sends data to NUMIS or NWCOM but does not receive data from them.

NUMIS/NWCOM. NUMIS and NWCOM receive messages via the Automatic Digital Network, Message Distribution Terminal, and the Multifunctional Secure Gateway System. Message traffic is passed over the Automatic Digital Network and received via the Message Distribution Terminal for routing or distribution. Messages can be designated for the NUMIS or NWCOM system. The messages are routed to, then through, the Multifunctional Secure Gateway System. In addition, NUMIS sends messages to NWCOM using the reverse process.

The Defense Information Systems Agency reports the Automatic Digital Network and the Secret Internet Protocol Router Network in the DOD Y2K database as Y2K compliant. In addition, DTRA confirmed with the Air Force program office the Y2K compliance of the Message Distribution Terminal.

To ensure Y2K compliance of DTRA's message traffic handler, the Defense Information System Agency procured the Multifunctional Secure Gateway System. The Joint Interoperability Test Command tested the system at the DTRA and recommended the system be certified as Y2K compliant at the full independent validation assurance level.

Department of Energy. NUMIS receives nuclear weapons information daily from the Department of Energy Weapons Inventory System. Information is transmitted from the Weapons Inventory System over the Automatic Digital Network to a message-received directory on the Multifunctional Secure Gateway System. DTRA stated every Department of Energy message is automatically rejected by NUMIS and placed in a suspense area for manual manipulation. The process is also performed in reverse when NUMIS sends the daily change report to the Weapons Inventory System. Therefore, NUMIS and the Weapon Inventory System do not electronically exchange data. Additionally, DTRA and the Department of Energy conduct a monthly manual reconciliation of the NUMIS and Weapon Inventory System databases for common data fields. DTRA provided the Department of Energy a draft memorandum of agreement to document the Y2K compliance of the systems and the nature of the interface. Although it has not yet coordinated on the memorandum of agreement, the Department of Energy provided DTRA with the Weapon Inventory System Y2K compliance certification.

Objectives

The overall audit objective was to evaluate the ability of the DTRA Nuclear Weapons Information Tracking Systems to operate successfully in Y2K, including the systems’ ability to access and transmit information from point of origin to point of termination. Additionally, the audit determined whether an adequate contingency plan existed to ensure continuity of operations and whether the status of the system has been accurately reported. See Appendix A for a discussion of the audit scope and methodology. See Appendix B for a discussion of prior coverage.


Year 2000 Status of Defense Threat
Reduction Agency Nuclear Weapon
Information Tracking Systems

DTRA exercised due diligence in validating the Y2K readiness of its mission-critical Nuclear Weapon Information Tracking Systems. Specifically - for NUMIS, NWCOM, and SWIM - DTRA:

As a result, DTRA has obtained a reasonable level of assurance that the functions performed by NUMIS, NWCOM, and SWIM will continue after the Y2K.

System Inventory

The DTRA assessed the Y2K compliance of the system inventory for its Nuclear Weapon Information Tracking Systems. On November 6, 1997, DTRA issued a memorandum stating that it needed to evaluate and identify all Commercial Off-the-Shelf (COTS) products and in-house developed software that may be noncompliant prior to briefing the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) in December 1997. The DTRA stated that it would:

COTS Assessment. As of August 27, 1998, DTRA verified all COTS software and hardware packages as Y2K compliant, via vendor certifications and testing. We reviewed the vendor Y2K certifications and noted that Oracle 7.3.2.3 was not listed as Y2K compliant. However, Oracle has since stated that versions 7.1 and higher are Y2K compliant. However, Oracle 7.3.2.3 has been desupported. For desupported products, Oracle states that it may not provide complete information on the Y2K status or correct any Y2K errors detected in the future. Oracle strongly advises customers to upgrade to a supported version of the product as soon as possible.

Operating System and Hardware. As of July 15, 1998, and August 27, 1998, DTRA assessed the status of the NUMIS and NWCOM Sun equipment and made the necessary upgrades and implemented the necessary patches. During June 1998, DTRA upgraded the Sun SPARCservers 1000 and 2000 at Alexandria and Albuquerque to electronically erasable programmable read only memory version 2.31. Additionally, DTRA loaded the Sun Operating System version 5.6 on the SPARCserver 1000 and implemented the patch upgrades required by Sun. On June 24, 1998, DTRA tested the Suntoperating system and hardware dates by verifying the creation times of several files.

Remote sites. For NUMIS and NWCOM clients, DTRA purchased 24 vendor certified Y2K compliant workstations from Micron Electronics, shipped July 20, 1998. Micron Electronics stated that computers sold after August 26, 1996, have either passed a Y2K compliance test or were self-certified by Micron Electronics to be Y2K compliant. Additibnally, DTRA stated it tested the computers before shipping to the client sites. Although DTRA does not own the SWIM computer hardware (with the exception of the hard-drive), DTRA sent a message to the client sites and requested that they check the Y2K compliance of SWIM personal computer hardware and notify DTRA on the status of the check.

System Testing and Certification

DTRA certified NUMIS, NWCOM, and SWIM as Y2K compliant. We concluded, based on our review of supporting documentation and discussions with DTRA personnel, that the three systems were adequately tested.

NUMIS and NWCOM. Initially, DTRA completed in-house testing June 25, 1998, and August 27, 1998, for NUMIS and NWCOM. Both systems were certified as Y2K compliant August 28, 1998. DTRA certified the systems using the “Draft DOD Management Plan, Version 2.0,” Y2K Compliance Checklist, April 1998. Although optional, DTRA certified that it had determined Y2K compliance for its COTS via vendor certification and prior Y2K testing. DTRA conducted tests to verify that the Sun operating system recognized and processed the year 2000 as a leap year.

After the initial certifications, DTRA made several modifications to NUMIS and NWCOM. As a result, DTRA prepared a Y2K Regression Test Plan, February 10, 1999, with the intent of determining if any Y2K related degradation had occurred within either system since the last series of Y2K testing. The NUMIS and NWCOM were re-tested from February 10-18, 1999.

According to the Test Analysis Report, only three display-related problems were identified in the NUMIS client software and none in the NUMIS server software. The problems centered on the client screen displaying 2-digit years instead of 4-digit years and were considered cosmetic fixes. For NWCOM, no problems were identified in the client software and one leap year related problem was found in the server software. The problem centered on a weapon status report with an effective date of December 31, 1999, being processed on January 1, 2000. Because of the way the NWCOM server software interpreted effective dates, it stored the information as of December 30, 1999. The Test Analysis Report states that both problems were corrected.

SWIM. DTRA initially completed testing November 5, 1998. DTRA certified SWIM as Y2K compliant January 9, 1999. DTRA documented in the Y2K Compliance Checklist that Y2K certification was determined by a contractor and verified by the DTRA Program Management Office.

SWIM was retested as a result of new functionality additions to the software. DTRA certified SWIM March 26, 1999, for testing completed March 24, 1999. The test analysis report states that no Y2K-related problems were identified in the SWIM software and that as of March 31, 1999, ‘SWIM contained no known or preexisting system deficiencies or outstanding Y2K problems.

Independent Verification and Validation. Logicon Corporation conducted an independent verification and validation of testing and certification documentation from March 10-12, 1999. In general, Logicon Corporation concluded that the documentation provided was thorough and comprehensive.

Logicon Corporation personnel were present for the tests conducted from February 9-11, 1999. During the tests, Logicon Corporation recommended several improvements to further increase the level of confidence in DTRA Y2K testing of the systems; the subsequent test results and analyses provided indicated that several recommendations and DTRA lessons-learned were implemented during the tests to improve the reliability and reproducibility of the testing.

The Logicon Corporation independent verification and validation assessed NUMIS and NWCOM as low- to moderate-level of risk of Y2K noncompliance. The Logicon Corporation assessed SWIM as a moderate-level of risk of Y2K noncompliance. SWIM was found to be moderate risk because:

However, Logicon Corporation stated that the level of system knowledge possessed by the test manager resulted in more detailed test results than were specified by the SWIM test plan. Logicon Corporation’s discussion with DTRA test personnel indicated that functions with dates/date functionality was assessed and any screen with dates/date functionality was tested. Finally, Logicon Corporation's discussion with SWIM test personnel indicated that the 2-digit dates displayed are based on the system design specifications. Logicon Corporation requested DTRA provide a formal memorandum for the record to document the design specification of 2-digit display dates. DTRA stated the SWIM test team would look at the testing documentation, and develop a matrix that indicates the date fields tested from the database. If any date fields were not tested, DTRA would develop a new test plan and complete regression testing.

Certification Level. DTRA certified NUMIS and NWCOM as Level 1 based on the August 28, 1998, certifications. The Y2K test officer acted as the program management office independent verification officer monitoring the Y2K testing conducted by a Y2K test tearn composed of developers, database engineers, system administrators, and application testers. However, we believe the Logicon Corporation, independent verification and validation constitutes a Level 2 certification, independent audit of system and existing testing. Level 1 indicates full independent testing conducted by an outside group having no previous association with the development or renovation of the system. For example, testing conducted by the Joint Interoperability Test Command is considered full independent testing.

Operational Readiness Testing

In accordance with the DoD Appropriations Act for FY 1999, DTRA exercised NUMIS, and its two interfaces NWCOM and SWIM in the first of two required operational readiness tests. DTRA scheduled the systems for the second operational readiness test. The first test was an operational evaluation and the second test will be a functional end-to-end test.

The operational evaluation was designed to verify that NUMIS, NWCOM, and SWIM were capable of processing messages passed through a Y2K compliant communications system. The DTRA tested the systems as part of the Strategic Air Command Operational Evaluation Y2K test performed April 19-23, 1999.

The test analysis report states that NUMIS and NWCOM NT workstations were connected to the test Sun server by LAN, SIPRNET, or remote access dial-in secure telephone unit device. For SWIM testing, one NT workstation performed stand-alone operations, generated one classified weapon status report and weapon status report emergency test message and sent the message to the Alexandria facility via secure fax. Logicon Corporation independent verification and validation cited that a review of the documentation indicated that, by necessity, the electronic link was simulated and the test environment did not precisely mirror the production environment. The data is normally transmitted via the Automatic Digital Network; however, DoD is not permitted to conduct Y2K tests over "live" DoD telecommunications.

The test analysis report documented that all software subjected to Y2K operational evaluation verification testing was also subjected to, and passed, performance capability testing. No operational problems were encountered during the verification testing and only one ancillary Y2K problem was identified through the entire series of testing. The problem was evaluated as being noncritical because it deals with an old laser printer printing banner sheets as 1900 instead of 2000.

To fulfill the second requirement of an operational readiness test, DTRA documented that it will conduct a functional end-to-end test of NUMIS, NWCOM, and SWIM in August 1999. DTRA stated that the testing would occur from August 23 to September 3, 1999.

Contingency Plans

As required by the DOD Management Plan, DTRA has prepared system and operational contingency plans for NUMIS, NWCOM, and SWIM. The DTRA Y2K office reviewed the plans and determined that the plans met the requirements of both a system and an operational contingency plan. The plans incorporate the contingencies for all three systems. The contingency plans address key areas such as system compliance plan, interfaces, risk potential and impacts, alternative strategies, system backup, lost or damaged data recovery, and contingency actions. As required by the DoD Management Plan, DTRA tested its contingency plans June 16 and 17, 1999. Based on the results of the tests and lessons-learned, DTRA stated that it is in the process of refining its contingency plans and will staff the revised plans during July and August 1999.

Conclusion

The DTRA has undertaken due diligence to ensure that NUMIS, NWCOM, and SWIM will operate in the Y2K without undue disruption. DTRA has displayed its commitment to test and retest it Nuclear Weapon Information Tracking Systems to ensure operational readiness into the Y2K. The DTRA should continue its approach and retest systems if system software changes are made before the millennium crossover.


Appendix A. Audit Process

This is one in a series of reports being issued by the Inspector General, DoD accordance with an informal partnership with the Chief Information Office DoD, to monitor DoD efforts to address the Y2K computing challenge. list of audit projects addressing the issue, see the Y2K web pages on IGnet http://www.ignet.gov.

Scope

Review of the NUMIS, NWCOM, and SWIM. We reviewed and evaluated the testing as a basis for Y2K compliance, and the contingency plan. The Technical Assessment Division for the Office of the Inspector General, DoD, assisted in reviewing and evaluating the test plans and test results of NUMIS, NWCOM, and SWIM to determine whether the system was adequately tested. We compared the Y2K testing efforts and contingency plans with the requirements in the DoD Management Plan.

DoD-wide Corporate Level Government Performance and Results Act Goals. In response to the Government Performance Results Act, the Department of Defense has established 6 Dol)-wide corporate level performance objectives and 14 goals for meeting these objectives. This report pertains to achievement of the following objectives and goals.

Objective: Prepare now for an uncertain future. Goal: Pursue a focused modernization effort that maintains U.S. qualitative superiority in key warfighting capabilities. (DoD-3)

DoD Functional Area Reform Goals. Most major DoD functional areas have also established performance improvement reform objectives and goals. This report pertains to achievement of the following functional area objectives and goals.

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in the DoD. This report provides coverage of the Information Management and Technology high-risk area.

Methodology

Audit Type, Dates, and Standards. We performed this economy and efficiency audit from April through June 1999 in accordance with auditing standards issued by the Comptroller General of the United States, as implemented by the Inspector General, DoD. We did not use computer-processed data for this audit.

Contacts During the Audit. We visited or contacted individuals and organizations within DoD. Further details are available on request.

Management Control Program. We did not review the management control program related to the overall audit objective because DoD recognized the YX issue as a material management control weakness area in the FY 1998 Annual Statement of Assurance.


Appendix B. Summary of Prior Coverage

The General Accounting Office and the Inspector General, DoD, have conducted multiple reviews related to Y2K issues. General Accounting Office reports can be accessed over the Internet at http://www.gao.gov. Inspector General, DoD, reports can be accessed over the Internet at http://www.dodig.osd.mil/. The following Y2K reports relating to DTRA have been issued.

Inspector General, DoD, Project No. 99-234, "Year 2000 Status of the Nudear Inventory Management and Cataloging System," August 19, 1999. The reports states that DTRA, Albuquerque Operations adequately assessed Y2K issues to ensure Y2K compliance of the Nuclear Inventory Management and Cataloging System, but did not fully document all relevant information that should have been included as the basis of Y2K certification. The Nuclear Inventory Management and Cataloging System inventory did not show the version of the product used; test plan and report did not adequately describe test procedures, expected results, and actual results; and the contingency plan was not practical. Also, the level of certification was incorrect. The report states that initial errors in the System and Operational Contingency Plan were corrected.

The report recommended that the Chief Information Officer, DTRA, provide active ongoing oversight of the Nuclear Inventory Management and Cataloging System to include the completion of the following: update and maintain the Nuclear Inventory Management and Cataloging System inventory, test plan, and certification checklist; revise the Office of the Secretary of Defense Y2K database to reflect the appropriate certification level; update the contingency plan; and verify the Y2K compliance of the equipment requirements for the backup server when conducting the contingency plan test.

The DTRA provided information subsequent to the draft report that was a significant improvement and included necessary information as the basis of Y2K certification. Also, the DTRA provided an After Action Plan of the lessons learned, a Test Analysis Report, and an updated Nuclear Inventory Management and Cataloging System and Operational Contingency Plan. However, the DTRA did not agree that the certification level was inaccurate. With the exception of the certification level, the DTRA comments were responsive. The DTRA believes it accurately reported the certification level in accordance with the DoD Management Plan.

The DTRA comments on the need to improve documentation for inventory list, testing documentation, Y2K compliance checklist, and Y2K contingency plan were responsive. The DTRA comments on the level of certification were nonresponsive. The report requested that the DTRA coordinate with the DoD Y2K Program Office on certification level and provide additional comments.

Inspector General, DoD, Report No. 99-034, "Management of the On-Site Inspection Agency Year 2000 Program," November 12, 1998. The report states that the On-Site Inspection Agency did not update its draft Y2K management plan to reflect the latest changes in the Draft DoD Management Plan. Also, it did not update the contingency plan for its mission-critical system and develop contingency plans for any other system the failure of which may cause disruption to the mission of the On-Site Inspection Agency. Additionally, the On-Site Inspection Agency did not:

The report states that the On-Site Inspection Agency did not take a proactive stance with regard to sector outreach. The report states that the On-Site Inspection Agency was not aware of the Sector Analysis, which assigns sectors of the Federal Government to lead Federal agencies to coordinate, plan, and lead the execution of Y2K actions across all other agencies. As a result of the audit, the On-Site Inspection Agency started taking a proactive stance with regard to sector analysis.

The report recommended that the On-Site Inspection Agency implement the revisions from the DoD Management Plan, document changes in the status of systems, update the contingency plan for its mission-critical system and develop plans for any other system whose failure might cause disruptions to its mission, document the testing methodology to show how systems are determined to be compliant, update the continuity-of-operations plan to address the Y2K issue, and continue taking a proactive stance with regard to sector outreach. The On-Site Inspection Agency concurred with all the recommendations stating progress made and future intentions for each recommendation.

Inspector General, DoD, Report No. 99-030, "Management of the Defense Technology Security Administration Year 2000 Program, November 3, 1998. The report states that the Defense Technology Security Administration should classify systems as Y2K compliant only after completing Y2K compliance checklists; submit quarterly reports to the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence); develop written contingency and continuity-of-operations plans; and take a proactive stance with regard to sector outreach. Further, unless the Defense Technology Security Administration made further progress on mitigating Y2K risks, the Defense Technology Security Administration, as part of the Defense Threat Reduction Agency, might not have been able to fully execute its mission without undue disruptions. The report recommended that the Defense Technology Security Administration:

The Defense Technology Security Administration concurred with the recommendations and stated that it had already developed a compliance checklist and was currently testing components.

Inspector General, DoD, Report No. 99-M, "Management of the Defense Special Weapons Agency Year 2000 Program," October 30, 1998. The report states that the Defense Special Weapons Agency recognized the importance of the Y2K issue and took positive actions to address the Y2K problem. However, the progress that the Defense Special Weapons Agency made in resolving its Y2K computing issue was not complete.

Additionally, the report states that the Defense Special Weapons Agency classified one mission-critical system, the Nuclear Management Information System, as compliant after testing was completed; however, three other mission-critical systems were classified as compliant prior to testing the systems. The Defense Special Weapons Agency had since tested two of the three systems. The Defense Special Weapons Agency tested the Nuclear Weapons Contingency Operations Module and the Nuclear Inventory Management Accounting Control System and was to begin testing the Special Weapons Information Management System.

The report recommended that the Defense Special Weapons Agency report systems as compliant only after completing Y2K testing and Y2K compliance checklists, develop contingency plans for its mission-critical systems and any other system of which its failure could cause disruption to the Defense Special Weapons Agency's mission, update the continuity-of-operations plan to specifically address the Y2K issue, assume a proactive stance with regard to sector outreach, and implement revisions to the Dol) Y2K Management Plan and other DoD and Presidential guidance.

The Defense Special Weapons Agency concurred with recommendations. The Defense Special Weapons Agency stated that it would:


Appendix C. Report Distribution

Office of the Secretary of Defense

Under Secretary of Defense for Acquisition and Technology
    Director, Defense Logistics Studies Information Exchange

Under Secretary of Defense (Comptroller)
    Deputy Chief Financial Officer
    Deputy Comptroller (Program/Budget)

Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
    Deputy Assistant Secretary of Defense (Command, Control, Communications, and
        Intelligence, Surveillance, Reconnaissance, and Space Systems)
    Deputy Chief Information Officer and Deputy Assistant Secretary of Defense (Chief
        Information Officer Policy and Implementation)
        Principal Director for Year 2000

Joint Staff

Director, Joint Staff

Department of the Army

Assistant Secretary of the Army (Financial Management and Comptroller)
Chief Information Officer, Army
Inspector General, Department of the Army
Auditor General, Department of the Amy

Department of the Navy

Assistant Secretary of the Navy (Financial Management and Comptroller)
Chief Information Officer, Navy
Inspector General, Department of the Navy
Auditor General, Department of the Navy
Inspector General, Marine Corps

Department of the Air Force

Assistant Secretary of the Air Force (Financial Management and Comptroller)
Chief Information Officer, Air Force
Inspector General, Department of the Air Force
Auditor General, Department of the Air Force

Unified Commands

Commander in Chief, U.S. European Command
Commander in Chief, U.S. Pacific Command
Commander in Chief, U.S. Atlantic Command
Commander in Chief, U.S. Southern Command
Commander in Chief, U.S. Central Command
Commander in Chief, U.S. Space Command
Commander in Chief, U.S. Special Operations
Command Commander in Chief, U.S. Transportation Command
Commander in Chief, U.S. Strategic Command

Other Defense Organizations

Director, Defense Contract Audit Agency
Director, Defense Information Systems Agency
    Chief Information Officer, Defense Information Systems Agency
    Inspector General, Defense Information Systems Agency
    United Kingdom Liaison Officer, Defense Information Systems Agency
Director, Defense Logistics Agency
Director, Defense Threat Reduction Agency
    Chief Information Officer, Defense Threat Reduction Agency
    Inspector General, Defense Threat Reduction Agency
Director, National Security Agency
    Inspector General, National Security Agency
Inspector General, Defense Intelligence Agency
Inspector General, National Imagery and Mapping Agency
Inspector General, National Reconnaissance Office

Non-Defense Federal Organizations and Individuals

Chief Information Officer, General Services Administration
Office of the Management and Budget
    Office of Information and Regulatory Affairs
General Accounting Office
    National Security and International Affairs Division
        Technical Information Center
Director, Defense Information and Financial Management Systems, Accounting and
    Information Management Division, General Accounting Officer

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member

Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
Senate Special Committee on the Year 2000 Technology Problem
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Management, Information, and Technology,
    Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
    Relations, Committee on Government Reform
House Subcommittee on Technology, Committee on Science

Audit Team Members

The Acquisition Management Directorate, Office of the Assistant Inspector General for Auditing, DoD, prepared this report.

Thomas F. Gimble
Patricia A. Brannin
Mary Lu Ugone
Kathryn M. Truex
Scott S. Brittingham
John J. Jenkins
Dan B. Convis
Major Michael D. Walker


Transcription and HTML by Cryptome.