Guidance Needed to Develop Metrics and Implement Cybersecurity Requirements for Utilities Privatization Contracts
GAO-18-558: Published: Sep 4, 2018. Publicly Released: Sep 4, 2018.
What GAO Found
The military departments have some types of information about privatized utility systems, but they have not tracked contract performance or developed measurable performance standards for these contracts. Specifically:
Costs for Utility Infrastructure Improvements: The military departments estimated the cost avoidance at the time of contract award; however, none of the military departments have determined whether the utilities privatization contracts are on track to achieve those estimates.
Costs for Utility Commodities: Military department officials stated that they have observed reduced usage of commodity utilities, such as water usage, and thus decreased commodity costs, through utilities privatization; however, the officials have not tracked the data and any associated savings. Furthermore, the officials have not determined whether any savings were fully attributable to utilities privatization, recognizing that other factors may have affected commodity usage.
System Reliability: Military department officials stated that they have perceived improvements in utility system reliability since utilities privatization and have access to contractor-provided data to assess reliability; however, the military departments have not used this data to determine reliability trends over time.
Contractor Performance Evaluations: The military departments use the Contractor Performance Assessment Reporting System to evaluate each utility system owner's performance; however, based on GAO's review of the evaluations associated with the contracts in its sample, the evaluations were anecdotal and varied in frequency and quality.
Department of Defense (DOD) guidance does not require the development of metrics and associated measurable performance standards to track utilities privatization contract performance. Without a requirement to develop these metrics and standards, DOD will lack information on the performance of utilities privatization contracts and thus may not be able to perform effective program management and oversight for these long-term contracts.
DOD has taken steps to add a cybersecurity clause to its utilities privatization contracts that requires contractors to take steps to ensure safeguards are put in place to protect covered defense information, which is defined as information that is processed, stored, or transmitted on the contractor's information system or industrial control systems. To implement the clause, DOD first must identify what, if any, covered defense information is provided to or developed by the contractor in performance of the contract. However, the Defense Logistics Agency (DLA) and military department officials stated that they have not begun to implement the clause because they need DOD to issue procedures concerning how the military departments are to determine what, if any, covered defense information associated with utilities privatization contracts is provided or developed by the contractor in performance of the contract. Without these procedures, the military departments and DLA will not have assurance that such information is being safeguarded.
Why GAO Did This Study
Since Congress provided statutory authority in 1997 for the privatization of utility systems at military installations, the military departments have privatized nearly 600 utility systems. According to DOD officials, utilities privatization enables military installations to obtain safe, reliable, and technologically current utility systems at a relatively lower cost than they would under continued government ownership.
The Senate report accompanying a bill for the National Defense Authorization Act for Fiscal Year 2018 included a provision that GAO review DOD's utilities privatization program. This report assesses the extent to which DOD has (1) tracked utilities privatization contract performance and developed measurable performance standards, and (2) implemented cybersecurity guidance for industrial control systems associated with privatized utility systems. GAO reviewed relevant policies and internal control standards, analyzed a non-generalizable sample of utilities privatization contract documents, and interviewed DOD and selected military installation officials and privatized utility system owners.
What GAO Recommends
GAO recommends that DOD issue guidance requiring the military departments and DLA to develop metrics to track utilities privatization contract performance, and issue procedures concerning how the military departments are to determine what constitutes covered defense information as it relates to utilities privatization contracts. DOD concurred with both recommendations.
For more information, contact Brian J. Lepore at (202) 512-4523 or email@example.com.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: DOD concurred with this recommendation. In response to our report, the department recognized the importance of DOD's utilities privatization efforts and issued guidance on February 7, 2019, directing the DOD components to develop correlated, outcome-oriented performance metrics and measures to implement and manage their utility service contracts in order to meet economic, utility reliability, energy resilience, and cybersecurity requirements. The guidance requires DOD components to document the method and frequency by which metrics and measures will be gathered, monitored, analyzed, and reported. The guidance further required the components to establish baseline metrics at the inception of privatization actions in order to produce a framework for comprehensive continuous improvement, monitoring, and reporting.
Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment, in consultation with the military departments, issues guidance requiring the military departments and DLA to develop and implement performance metrics and measurable performance standards to track utilities privatization contract performance for future utilities privatization contracts, and develops similar guidance for current utilities privatization contracts. (Recommendation 1)
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD concurred with this recommendation. In response to our report, the department recognized the need to maintain access to reliable, resilient, and cybersecure energy resources, assets, infrastructure, and facility-related controls and data critical to mission execution. To ensure adequate security of how utility data is processed, stored, or transmitted on a privatized system owner's internal network, the department issued guidance on February 7, 2019, noting that all utility data will be handled as covered defense information/controlled unclassified information. The guidance further defined utility data as all types of data required to provide privatized utility services.
Recommendation: The Secretary of Defense should ensure that the Assistant Secretary of Defense for Energy, Installations, and Environment (a) issues procedures concerning how the military departments are to determine what constitutes covered defense information and what, if any, of this information is provided to or developed by the contractor in the performance of utilities privatization contracts, and (b) takes appropriate steps to protect such information. (Recommendation 2)
Agency Affected: Department of Defense