DEFENSE INFRASTRUCTURE:

Guidance Needed to Develop Metrics and Implement Cybersecurity Requirements for Utilities Privatization Contracts

GAO-18-558: Published: Sep 4, 2018. Publicly Released: Sep 4, 2018.

Additional Materials:

Contact:

Brian J. Lepore
(202) 512-4523
leporeb@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The military departments have some types of information about privatized utility systems, but they have not tracked contract performance or developed measurable performance standards for these contracts. Specifically:

Costs for Utility Infrastructure Improvements: The military departments estimated the cost avoidance at the time of contract award; however, none of the military departments have determined whether the utilities privatization contracts are on track to achieve those estimates.

Costs for Utility Commodities: Military department officials stated that they have observed reduced usage of commodity utilities, such as water usage, and thus decreased commodity costs, through utilities privatization; however, the officials have not tracked the data and any associated savings. Furthermore, the officials have not determined whether any savings were fully attributable to utilities privatization, recognizing that other factors may have affected commodity usage.

System Reliability: Military department officials stated that they have perceived improvements in utility system reliability since utilities privatization and have access to contractor-provided data to assess reliability; however, the military departments have not used this data to determine reliability trends over time.

Contractor Performance Evaluations: The military departments use the Contractor Performance Assessment Reporting System to evaluate each utility system owner's performance; however, based on GAO's review of the evaluations associated with the contracts in its sample, the evaluations were anecdotal and varied in frequency and quality.

Department of Defense (DOD) guidance does not require the development of metrics and associated measurable performance standards to track utilities privatization contract performance. Without a requirement to develop these metrics and standards, DOD will lack information on the performance of utilities privatization contracts and thus may not be able to perform effective program management and oversight for these long-term contracts.

DOD has taken steps to add a cybersecurity clause to its utilities privatization contracts that requires contractors take steps to ensure safeguards are put in place to protect covered defense information, which is defined as information that is processed, stored, or transmitted on the contractor's information system or industrial control systems. To implement the clause, DOD first must identify what, if any, covered defense information is provided to or developed by the contractor in performance of the contract. However, the Defense Logistics Agency (DLA) and military department officials stated that they have not begun to implement the clause because they need DOD to issue procedures concerning how the military departments are to determine what, if any, covered defense information associated with utilities privatization contracts is provided or developed by the contractor in performance of the contract. Without these procedures, the military departments and DLA will not have assurance that such information is being safeguarded.

Why GAO Did This Study

Since Congress provided statutory authority in 1997 for the privatization of utility systems at military installations, the military departments have privatized nearly 600 utility systems. According to DOD officials, utilities privatization enables military installations to obtain safe, reliable, and technologically current utility systems at a relatively lower cost than they would under continued government ownership.

The Senate report accompanying a bill for the National Defense Authorization Act for Fiscal Year 2018 included a provision that GAO review DOD's utilities privatization program. This report assesses the extent to which DOD has (1) tracked utilities privatization contract performance and developed measureable performance standards, and (2) implemented cybersecurity guidance for industrial control systems associated with privatized utility systems. GAO reviewed relevant policies and internal control standards, analyzed a non-generalizable sample of utilities privatization contract documents, and interviewed DOD and selected military installation officials and privatized utility system owners.

What GAO Recommends

GAO recommends that DOD issue guidance requiring the military departments and DLA to develop metrics to track utilities privatization contract performance, and issue procedures concerning how the military departments are to determine what constitutes covered defense information as it relates to utilities privatization contracts. DOD concurred with both recommendations.

For more information, contact Brian J. Lepore at (202) 512-4523 or leporeb@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment, in consultation with the military departments, issues guidance requiring the military departments and DLA to develop and implement performance metrics and measurable performance standards to track utilities privatization contract performance for future utilities privatization contracts, and develops similar guidance for current utilities privatization contracts. (Recommendation 1)

    Agency Affected: Department of Defense

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment (a) issues procedures concerning how the military departments are to determine what constitutes covered defense information and what, if any, of this information is provided to or developed by the contractor in the performance of utilities privatization contracts, and (b) takes appropriate steps to protect such information. (Recommendation 2)

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Sep 20, 2018

Sep 10, 2018

Sep 6, 2018

Sep 5, 2018

Sep 4, 2018

Aug 16, 2018

Aug 15, 2018

Aug 10, 2018

Aug 8, 2018

Looking for more? Browse all our products here