Year 2000 Contingency Planning and Certification Reporting


United States Department of Agriculture

Risk Management Agency

Stop 0801, 1400 Independence Avenue, SW, Washington, DC 20250-0801

BULLETIN NO.: MGR-98-023

TO: All Reinsured Companies

FROM: Kenneth D. Ackerman, Administrator

SUBJECT: Year 2000 Contingency Planning and Certification Reporting

BACKGROUND:

There is growing concern about the ability of government agencies and their private sector partners to deliver Department of Agriculture (USDA) benefits to their customers in year 2000. Year 2000 compliance includes information technology, communications, and other vulnerable systems and processes such as buildings and facilities.

On April 28, 1998, the Risk Management Agency (RMA) issued Informational Memorandum R&D-98-016, Year 2000 Compliance, which provided certification to companies regarding RMA’s Year 2000 readiness and compliance. This informational memorandum also discusses reinsured company responsibility to report company compliance for the Year 2000. A copy of R&D-98-016 is provided as Attachment 1.

During the last year RMA has had several discussions at Data Processing Managers meetings regarding Year 2000 compliance issues. In addition, this issue has also been discussed at Technology and Information Processing Committee meetings. In these discussions, RMA has communicated certification requirements that will be needed from the companies to verify Y2K compliance.

The Office of the Chief Information Officer (OCIO), USDA, has published a guide on contingency planning reporting and certification of system compliance. Information regarding this USDA document and its reporting guidelines is provided in Attachment 2. A certification form (Attachment 3) is provided by OCIO-USDA and is required for each system involved in program delivery that must be verified for Y2K compliance.

It is critical that RMA’s delivery partners provide contingency plans for continuity of service and certification of system compliance through the millennium change.


ACTION:

Reinsured companies are requested to provide a contingency plan for continuity of service to RMA no later than September 8, 1998. In addition, reinsured companies are also requested to provide certification of those systems involved in benefit and program delivery for RMA programs no later than November 1, 1998.

DISPOSAL:

This bulletin is for the purpose of transmitting/updating information. The expiration date is December 31, 1998.


FCIC:KC/R&D:DHoffmann:flm:926-3406:8/04/98:\mgr98xxx.wpd

ATTACHMENT 1

United States Department of Agriculture

Risk Management Agency

Research and Development

P. O. Box 419293, Kansas City, Missouri 64141

April 28, 1998

INFORMATIONAL MEMORANDUM: R&D 98-016

TO: All Reinsured Companies

FROM: Tim B. Witt, Deputy Administrator

SUBJECT: Year 2000 Compliance

The Risk Management Agency (RMA) has received requests from companies to provide certification that there will be no disruption of RMA’s operations through the year 2000.

Following is a synopsis of steps that the Agency is taking to assure compliance. Companies may wish to provide a copy of this letter to State insurance departments as needed.

Definition:

Year 2000 (Y2K) compliant means, with respect to information technology, that the information technology accurately processes date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into and between the 20th and 21st centuries, and the years 1999 and 2000 and leap year calculations, to the extent that other information technology, used in combination with the information technology being acquired, properly exchanges date/time data with it.

RMA Responsibility:

RMA is participating in Department of Agriculture (USDA) initiatives for Y2K compliance. These efforts include assuring smooth operation of software applications, operating systems, and hardware into the new millennium. Software applications currently operating for Data Acceptance System (DAS) processing are Y2K compliant and any new development will be compliant. Older systems are either being retired, reengineered, or removed from operation. The operating system on the SUN SPARC and Reporting Organization server that is used by RMA to share information with companies is Y2K compliant.

Software applications such as DAS, Premium Calculator, Reinsured Accounting System, Actuarial Filing System, and others all have been developed with a 4-digit year in date fields.


A contract for independent verification and validation has been awarded. This is scheduled to begin June 1, 1998. Third party certification and validation will be done on both RMA platforms and applications. This process will test date calculations for Y2K compliance and provide required documentation of compliance. Plans are being made to include company reporting capabilities in future testing. RMA is working with the National Crop Insurance Services (NCIS) Telecommunications Information Processing (TIP) committee to develop a method of reporting compliance of the agency's and companies' ability to deliver program services in year 2000.

Baseline Information Resource Management (IRM) standards are being used in each Y2K project and subproject. Technical managers for each project assure that projects can meet IRM, audit and internal control standards for configuration management, tracking, scheduling, etc. Third-party review by auditors (yearly) and internal controls staff (every other year) provides neutral review and reporting to the agency confirming the technical managers' oversight.

A high level approach to the overall project was documented and distributed to all RMA personnel and industry data processing managers in a series of Y2K briefings. Included with the plan were impact, time frames, potential problems for systems, subsystems, applications, hardware and personal applications.

Mission critical systems and vulnerable non-information technology systems have been inventoried and scheduled for repair, replacement or retirement. RMA core business processes included in this inventory are: 1) Financial Management; 2) Corporate Insurance Information and Interchange; 3) Compliance Tracking; and, 4) Infrastructure.

RMA provides monthly reports of Y2K progress to the Office of the Chief Information Officer who is responsible for assuring that all USDA agencies are Y2K compliant. All RMA systems will be completely compliant by March 1999.

RMA received certification for Y2K compliance of its facility at 9435 Holmes Road, Kansas City, Missouri, on March 31, 1998.

Reinsured Company Responsibility:

Each reinsured company is responsible to make any changes, upgrades, or enhancements needed to assure all operational systems used in RMA program delivery are Y2K compliant. A form for companies to certify compliance can be found in the 1998 and 1999 DAS Handbooks (M-13). USDA is requiring reports on the ability of agencies and delivery partners to receive premium payments, issue checks, pay indemnities, and provide services. RMA will continue coordinating reporting requirements through the NCIS TIP committee meetings.

ATTACHMENT 2

Year 2000 Issues and Requirements

The OCIO-USDA is coordinating and overseeing the progress and accomplishment of Year 2000 readiness for all USDA agencies. This effort involves concerns regarding agency readiness for Year 2000, the continuity of business, development of actions to mitigate those risks and contingency plans to continue business if failure occurs.

The potential impact of the Year 2000 issue extends beyond USDA’s internal information systems. USDA and its agencies depend on data provided by their business partners, including other Federal agencies, State agencies, third parties, vendors and other private industry entities who deliver services, telecommunications, software or delivery of program benefits.

There is, therefore, a very large effort to ensure the continuity of USDA core business processes to avoid a crisis that could result if systems are unable to recognize Year 2000 dates. This same concern extends to those business partners involved in the delivery of services provided by USDA programs. As a result of this concern, USDA has requested that agencies prepare a Year 2000 Business Continuity (Contingency) Plan (BCP) to address business continuity issues.

“The BCP identifies risks and threats, establishes mitigation strategies for the identified risks and threats; and provides contingencies in the event risk mitigation efforts fail.”1/ Agencies are to “coordinate efforts with all external public and private organizations to ensure business continuity of services provided will continue with little or no disruption as a result of the Year 2000 problem for each Mission Area.”1/

It is with these directions that Risk Management Agency comes to the Reinsured companies who work in concert with RMA in the delivery of the risk management tools for the American producer. The Year 2000 project that is well underway has been discussed with company representatives at both Data Processing Managers meetings and Technology & Information Processing (TIP) Committee meetings during the past year. An awareness presentation was given, information was provided on the current status of this initiative within RMA, and discussions were held involving both companies and RMA staff on this issue. The need for contingency planning has been discussed during these times and reports requested from attendees.

In addition, an R&D Bulletin, R&D98-016, has been issued providing companies with assurance that RMA systems and facilities are Year 2000 compliant in response to company inquiries resulting from State Board of Insurance inquiries. RMA is well into the Year 2000 project and is following USDA requests for contingency planning. RMA must now ask that companies provide reports showing contingency planning is being done or is completed in each company to ensure that critical business processes related to the delivery of USDA-RMA programs will not suffer any sustained or prolonged disruption. USDA has published guidance on this issue as the Year 2000 Business Continuity (Contingency) Planning Guide, dated July 2, 1998 and identified as USDA-98-002.


Specifically for purposes of benefit delivery to American producers, RMA needs to show business continuity in the area of ability to deliver payments, ability to show proof of benefit delivery and ability to send and receive data from RMA. Data exchange is critical to the provision of product actuarial data and ability of companies to send and receive data for payment purposes.

Critical processes may include assessment of potential system failure, including but not limited to telecommunications, ability to pick up data from the RO server and ability to send data to RO server for processing by RMA. Critical relationships and processes will include identifying any other entities a company may have involved in data processing in the delivery of risk management products.

Other critical issues include telecommunications, telephone systems, facilities functions such as utilities, elevators, security systems, fire alarms and so on.

USDA’s guidance document includes information on BCP development as a 5 phase process. These processes include:

1) Initiation: A Senior Executive is assigned responsibility for the Year 2000 project and begins by organizing a work group team to develop a high-level business continuity planning strategy consistent with core business processes. The planning strategy includes key issues such as identifying core business processes, define roles and assign responsibilities, develop master schedule and milestones, implement a risk management process and reporting system; assess existing business continuity, contingency and disaster recovery plans and capabilities and implement independent reviews.

2) Analysis & Definition: Defining the essential business functions that must be performed to continue providing the expected service; define and document information requirements, methods and techniques to be used; define and document Year 2000 failure scenarios.

3) Risk and Impact Assessment: Perform risk and impact analyses of each core business process; determine impact of internal and external information system failures and infrastructure services on each core business process; assess and document infrastructure risks; define minimum acceptable level of outputs and services for each core business process.


4) Contingency Planning: Integrates and acts on the results of business impact analysis; assess benefits, costs, and risks of alternative contingency strategies; important factors in selection process are functionality, deployment schedule and cost; identify and document contingency plans and implementation modes; define and document triggers for activating contingency plans; establish a business resumption team for each core business process; and develop and document “zero day” strategy and procedures. Zero Day involves development of a risk-reduction strategy and procedures for the period between Thursday, December 30, 1999, and Saturday, January 1, 2000.

5) Validation Testing: Evaluate whether individual contingency plans are capable of providing the desired level of support to the mission area’s core business processes and whether the plans can be implemented within a specific time period; validate business continuity strategy; develop and document contingency test plans; establish test teams and acquire contingency resources; prepare for and execute tests; validate the capability of contingency plans; rehearse business resumption teams; update the business continuity plan based upon lessons learned and re-test if necessary; and update disaster recovery plans and procedures.

A BCP matrix was provided by USDA in its guidance. The document is included in the Planning Guide as Appendix B with instructions for use found in Section 3.2 of the document. The document follows:

5.1 Core Business Process: National Finance Center, Earnings Posting

Column headings: No.; Risk/Threat Event; Horizon (Time to Failure); Business Priority; Risk Mitigation; Contingency & Triggers

Sub-headings: Risk Assessment; Impact; Score; Mitigation Strategy; Milestone Date; Action Agent

No.: 5.1.1

Risk/Threat Event: National Finance Center (NFC) is unable to post earnings (W-2s), make corrections to Earnings records, or access earnings data due to Year 2000 related problems with automated systems. Earning processes are supported by automated systems such as Annual Wage reporting (AWR), Detailed Earnings Query (DEQ), Summary Earnings Query (SEQ), and Employer Earnings System (EES). Interfacing systems are: Individual Income and Wage Reporting (IIWR), Treasury and Summary Employee Earnings Statement (SEES) Social Security Administration.

Horizon (Time to Failure): Jan 3, 2999

Business Priority / Risk Assessment / Impact / Score entries: .2 20 2.0

Mitigation Strategy:

A) Complete renovation of all Earnings software and related systems.

B) Complete forward date, system and integration testing of all Earnings and related systems.

C) Develop local Year 2000 contingency plans.

D) Provide refresher training on related forms processing.

E) Develop plans to hire and train on contingency basis administrative staff from local area.

F) Establish the Business Resumption Team for the Earnings process.

Milestone Date: Oct 1998, Jan 1999, Feb 1999, March 1999, March 1999

Action Agent: NRS, NRS, NFC, NRS, NFC

Contingency & Triggers:

1) In the event that PRS and other systems are unable to provide automated support to the Earnings process due to critical Year 2000 date problems, The Business Resumption team for the Earning Process will analyze the problem, make corrections and retest immediately.

2) Automated processing of Earnings Process will be suspended until corrections are made.

3) Operations components will implement the NFC Year 2000 Contingency Plan.

5.1.2

5.1.3

This template should be completed for each core business process and all templates returned to RMA for inclusion in Y2K reporting, document tracking and informational purposes.

RMA is required to provide a monthly Y2K report to OCIO. RMA would like to include periodic updates of the contingency reporting from its private industry partners as well. RMA requests that all companies report monthly to RMA on the status of Year 2000 compliance efforts within the company as well as ongoing contingency planning efforts.

A copy of the USDA Year 2000 Business Continuity (Contingency) Planning Guide is available upon request.

1/ from USDA Year 2000 Business Continuity (Contingency) Planning Guide, July 2, 1998, USDA-98-002

rocontng.wpd 7/21/98

ATTACHMENT 3

Department of Agriculture

Office of the Chief Information Officer

Year 2000 Program Office

CERTIFICATE OF YEAR 2000 COMPLIANCE

DEFINITION OF YEAR 2000 COMPLIANCE

Year 2000 means, with respect to Information Technology, that the Information Technology accurately processes date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the twentieth and twenty-first centuries, and the years 1999 and 2000 and leap year calculations, to the extent that other information technology, used in combination with the information being acquired, properly exchanges date/time data with it.

---FEDERAL ACQUISITION REGULATION 39.002

This certifies to the Office of the Chief Information Officer that the referenced system has been assessed and is Year 2000 date compliant. For purposes of this certification, Year 2000 compliance includes information technology, or telecommunication, or vulnerable systems and processes (buildings and facilities, or scientific and laboratory equipment).

SYSTEM NAME:

AGENCY:

EXECUTIVE SPONSOR:

DATE:
