[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]



                                     
 
                         [H.A.S.C. No. 116-46]

        RESILIENCY OF MILITARY INSTALLATIONS TO EMERGING THREATS

                               __________

                             JOINT HEARING

                               before the

   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

                          meeting jointly with

                       SUBCOMMITTEE ON READINESS

                                 of the

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                            OCTOBER 16, 2019


                                     
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




              U.S. GOVERNMENT PUBLISHING OFFICE 
 39-804                 WASHINGTON : 2020 



                                     
  

   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES

               JAMES R. LANGEVIN, Rhode Island, Chairman

RICK LARSEN, Washington              ELISE M. STEFANIK, New York
JIM COOPER, Tennessee                SAM GRAVES, Missouri
TULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana
ANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas
RO KHANNA, California                AUSTIN SCOTT, Georgia
WILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee
ANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin
CHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida
JASON CROW, Colorado, Vice Chair     DON BACON, Nebraska
ELISSA SLOTKIN, Michigan             JIM BANKS, Indiana
LORI TRAHAN, Massachusetts
                Shannon Green, Professional Staff Member
                Peter Villano, Professional Staff Member
                         Caroline Kehrli, Clerk

                                 ------                                

                       SUBCOMMITTEE ON READINESS

                  JOHN GARAMENDI, California, Chairman

TULSI GABBARD, Hawaii                DOUG LAMBORN, Colorado
ANDY KIM, New Jersey, Vice Chair     AUSTIN SCOTT, Georgia
KENDRA S. HORN, Oklahoma             JOE WILSON, South Carolina
CHRISSY HOULAHAN, Pennsylvania       ROB BISHOP, Utah
JASON CROW, Colorado                 MIKE ROGERS, Alabama
XOCHITL TORRES SMALL, New Mexico     MO BROOKS, Alabama
ELISSA SLOTKIN, Michigan             ELISE M. STEFANIK, New York
VERONICA ESCOBAR, Texas              JACK BERGMAN, Michigan
DEBRA A. HAALAND, New Mexico
               Jeanine Womble, Professional Staff Member
                Dave Sienicki, Professional Staff Member
                          Megan Handal, Clerk
                          
                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Garamendi, Hon. John, a Representative from California, Chairman, 
  Subcommittee on Readiness......................................     3
Lamborn, Hon. Doug, a Representative from Colorado, Ranking 
  Member, Subcommittee on Readiness..............................     4
Langevin, Hon. James R., a Representative from Rhode Island, 
  Chairman, Subcommittee on Intelligence and Emerging Threats and 
  Capabilities...................................................     1
Stefanik, Hon. Elise M., a Representative from New York, Ranking 
  Member, Subcommittee on Intelligence and Emerging Threats and 
  Capabilities...................................................     2

                               WITNESSES

Beehler, Hon. Alex A., Secretary of the Army for Installations, 
    Energy, and the Environment, U.S. Army
Henderson, Hon. John W., Assistant Secretary of the Air Force for 
    Installations, Environment, and Energy, U.S. Air Force
McMahon, Hon. Robert H., Assistant Secretary of Defense for 
    Sustainment, Office of the Secretary of Defense
Niemeyer, Hon. Lucian, Acting Assistant Secretary of the Navy for 
    Energy, Installations and the Environment, U.S. Navy

                                APPENDIX

Prepared Statements:

    Beehler, Hon. Alex A.........................................    70
    Garamendi, Hon. John.........................................    45
    Henderson, Hon. John W.......................................    59
    Lamborn, Hon. Doug...........................................    46
    Langevin, Hon. James R.......................................    41
    McMahon, Hon. Robert H.......................................    47
    Niemeyer, Hon. Lucian........................................    82
    Stefanik, Hon. Elise M.......................................    43

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Mr. Brooks...................................................   108
    Mr. Kim......................................................   112
    Ms. Stefanik.................................................    99
    Ms. Torres Small.............................................   115
        RESILIENCY OF MILITARY INSTALLATIONS TO EMERGING THREATS

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
     Subcommittee on Intelligence and Emerging Threats and 
    Capabilities, Meeting Jointly with the Subcommittee on 
                                                 Readiness,
                       Washington, DC, Wednesday, October 16, 2019.
    The subcommittees met, pursuant to call, at 2:55 p.m., in 
room 2118, Rayburn House Office Building, Hon. James R. 
Langevin (chairman of the Subcommittee on Intelligence and 
Emerging Threats and Capabilities) presiding.

 OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE 
 FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND 
               EMERGING THREATS AND CAPABILITIES

    Mr. Langevin. The subcommittee will come to order. I want 
to welcome everyone to this joint hearing today with the Armed 
Services Subcommittee on Intelligence and Emerging Threats and 
Capabilities and the Readiness Subcommittee. Today we will 
examine the resiliency of our military installations to 
emerging threats. Holding this hearing has been a priority of 
the subcommittee for the past several months, and I want to, in 
particular, thank Ranking Member Stefanik for her bipartisan 
cooperation to this hearing, and also I am thankful to my 
friends Chairman Garamendi and Ranking Member Lamborn for 
working so diligently in making this hearing possible.
    So we are here today to ensure the Department is prepared 
to account for and address vulnerabilities--physical and 
digital--to our military installations at home and overseas. 
This includes the effects of climate change, energy dependence, 
land management, and cyber incidents, among others, on the 
threat assessments, resources, and readiness of our Nation's 
military. This also includes the risk to conducting operations 
both today and in the future.
    This subcommittee as well as the Readiness Subcommittee 
have conducted rigorous oversight into installation resilience, 
but I continue to be concerned about what the Department is 
doing to ensure our installations are able to withstand ever-
increasing threats from malicious cyber activities and severe 
climate events among other things. When it comes to our Armed 
Forces, we as a Nation have not given these threats to our 
installations the attention that they deserve. So I would like 
to remind those in attendance that this hearing marks 1 year 
since the Department suffered nearly $10 billion in damage from 
just two extreme weather events at Tyndall Air Force Base and 
Camp Lejeune.
    Now, I could not think of better examples of the perils our 
defense infrastructure faces from climate change, perils that 
will only increase as we pump more greenhouse gases into our 
atmosphere. So our committee has acted on a bipartisan basis to 
acknowledge these risks, but I must say I am disappointed in 
the Department's response to our oversight. By way of example, 
the initial accounting of at-risk bases we received did not 
even include Camp Lejeune or Tyndall Air Force Base at all. If 
those are the low-risk bases, one can only wonder what we are 
likely to see soon from the installations the Department 
identified as being of particular concern. So we need a clear 
accounting of the risks, with dollar figures attached, or else 
we will continue the cycle of throwing good money after bad, 
which is not only fiscally irresponsible, but places our 
service members and readiness at risk.
    So I also want to make it clear to everyone that we will be 
holding an IETC [Intelligence and Emerging Threats and 
Capabilities] Subcommittee hearing specific to the emerging 
threat of climate change later this year.
    Now, in addition to the threats posed by extreme climate 
events, the threats presented by attacks on cyber and energy 
infrastructure, by both state and nonstate actors, continue to 
grow and evolve at a rapid pace. So, these threats can target 
critical infrastructure on our military installations, 
including electric grid, water supply, or even medical 
facilities. An attack on our electric grid could have profound 
effects on the ability of the force to carry out critical 
missions. So we must increase the resilience of operational 
technology on installations, ensure we sufficiently focus on 
securing cyber-physical systems as well as traditional IT 
[information technology] infrastructure. So I am interested in 
hearing more about how the Department is building cyber 
resilience at installations at home and abroad.
    It is incumbent upon the Department and Congress to ensure 
that we are properly preparing for these threats to 
installations, and I look forward to hearing from our witnesses 
on this topic. Before I turn to Ranking Member Stefanik, in the 
interest of time it has been agreed upon with the chairs and 
ranking members of the committee that we are going to forgo the 
witnesses' statements, since we have those for the record, and 
we are going to be going right into questions. So, with that, I 
would like now to turn it over to Ranking Member Stefanik, and 
then we will, in turn, hear from Chairman Garamendi and also 
Ranking Member Lamborn for their remarks.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 41.]

STATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW 
YORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING 
                    THREATS AND CAPABILITIES

    Ms. Stefanik. Thank you, Jim. I would like to start by 
thanking Chairmen Langevin and Garamendi, as well as my fellow 
ranking member, Mr. Lamborn, for holding this important hearing 
today to discuss resiliency of the Department of Defense 
installations and facilities. And welcome, of course, to our 
witnesses. We have a lot of ground to cover, so I will keep my 
remarks short.
    As I think about resiliency of military installations and 
infrastructure, I am concerned about shortfalls in both the 
physical and digital domains. First, we remain vulnerable to 
extreme weather events and climate change. We have seen these 
events adversely impact public safety, our economic security, 
and our national security. Our intelligence community continues 
to assess that global environmental degradation and climate 
change are likely to fuel competition for resources, economic 
distress, and social discontent across the globe through 2019 
and beyond. And we continue to experience extreme weather 
events at home, including in my own district in northern New 
York.
    We must, therefore, factor in these environmental changes 
when discussing resiliency of military installations, and I 
look forward to hearing from our witnesses exactly how we are 
planning for these extreme weather events and climate change.
    Second, and equally as important, I continue to have 
concerns about installation and infrastructure vulnerabilities 
in the digital domain. Congress, and indeed this very 
committee, had the foresight to understand these challenges, 
and 3 years ago we directed the Department to conduct a 
comprehensive review to evaluate cybersecurity vulnerabilities 
of DOD [Department of Defense] infrastructure. Unfortunately, 
this review and the subsequent corrective actions remain far 
from complete, and we are still incredibly vulnerable to 
attack. I feel we have not yet identified the scale and scope 
of our problems, let alone begun to mitigate our most 
concerning shortfalls. When we consider resiliency, we must 
remember that advances in information technology, 
cybersecurity, and information assurances are primary 
prerequisites for the future of warfare. These enabling 
technologies form the foundation where information and data are 
a strategic resource to be protected, preserved, and fully 
actioned. Only then will we be able to leverage evolutionary 
and even revolutionary technologies such as AI [artificial 
intelligence], 5G, high-performance computing, and even quantum 
computing. This future begins and ends with our facilities and 
installations, which will be our greatest resource or our 
weakest links. I look forward to discussing today how we can 
work together to ensure that resiliency in both physical and 
the digital domain is prioritized so that we are prepared for 
these challenges in our increasingly complex digital age. Thank 
you, and I yield back.
    [The prepared statement of Ms. Stefanik can be found in the 
Appendix on page 43.]
    Mr. Langevin. Thank you, Ranking Member Stefanik.
    I would like now to turn to the chairman of the Readiness 
Subcommittee, Mr. Garamendi, for his statement.

    STATEMENT OF HON. JOHN GARAMENDI, A REPRESENTATIVE FROM 
        CALIFORNIA, CHAIRMAN, SUBCOMMITTEE ON READINESS

    Mr. Garamendi. Thank you, Jim. I really appreciate the 
opportunity to be here with you to work with you on this 
extremely important issue, and your committee and the Ranking 
Member Lamborn, who is on the other side. Installation 
resiliency is the foundation to readiness. Our bases and 
infrastructure investments must be able to withstand to the 
maximum extent possible the spectrum of resiliency threats from 
energy disruption, cyberattack, natural disasters, floods, 
fires, hurricanes, you name it--oh, earthquakes, too.
    Both of our subcommittees have put in a lot of time into 
this, and we are going to continue doing it. Over the last 
year, we have seen the aftermath of extreme weather events such 
as Hurricanes Florence and Michael, and flooding at Offutt, and 
earthquakes at China Lake, and fires along the way, billions of 
dollars of damage. In fact, I think when we add it up, the 
entire year's worth of MILCON [military construction] 
construction could be consumed in just four natural disaster 
events at our bases.
    Going forward, I know that my committee will insist that we 
be forward-looking, that we do assessments of the threats, from 
sea-level rise to weather events, and so that even the roofs 
get repaired. You know, maintenance, folks, rather important. 
Installation resiliency in its broader--is much broader than 
weather resiliency. The recovery from the disasters is equally 
important. I am interested in hearing what our witnesses have 
to say, and I want to thank them for their written reports. 
When taken together--and perhaps, Mr. McMahon, this is your 
task, to pull all of these together--if they were all done by 
all departments, it would be a very, very good--not start, but 
well down the path.
    I have questions about the Department's preparedness for 
energy disruptions and cybersecurity. You have just heard that. 
We want to be sure that we are on top of those issues. Energy, 
water, sanitation, you name it, all of these things are 
important and all of this has to be taken into the account that 
we reduce our dependency and reduce our energy consumption 
along the way. A lot of things to do. The written testimony is 
excellent. I ask that all of us pay attention to it, and I 
would ask the four witnesses, when they go back to their jobs, 
some of which won't be there very long--we will take that up 
later--but when you go back, that you read the testimony from 
the brother and sister services. I think you will find it 
useful. And then inculcate that into your work. Thank you very 
much. I yield back.
    [The prepared statement of Mr. Garamendi can be found in 
the Appendix on page 45.]
    Mr. Langevin. Thank you, Chairman Garamendi, I would like 
to now turn to Ranking Member Lamborn for any comments he may 
have.

STATEMENT OF HON. DOUG LAMBORN, A REPRESENTATIVE FROM COLORADO, 
           RANKING MEMBER, SUBCOMMITTEE ON READINESS

    Mr. Lamborn. Well, thank you, Chairman Langevin, Chairman 
Garamendi, and Representative Stefanik for calling this joint 
subcommittee hearing on such an important topic. Installation 
resilience has always been important to our national defense, 
but given the dynamic and evolving nature of the threats we 
face, it is becoming even more critical. Most of our 
installations rely, at least in part, on power generated in 
nearby communities. At the same time, the Armed Forces have 
invested significantly in renewable energy. I am very 
interested to hear from our witnesses today regarding their 
efforts to improve energy resilience and efficiency on our 
military installations, as well as to protect it from capable 
and cunning adversaries.
    Having recently visited all four bases damaged by storms 
and earthquakes that we are addressing in our fiscal year 2020 
National Defense Authorization Act, I am also concerned about 
getting our work done quickly to fund the $5 billion necessary 
for reconstruction.
    Without this funding, the critical missions will continue 
to be negatively impacted, including the air sovereignty and F-
22 training missions at Tyndall Air Force Base; one-of-a-kind 
Navy research testing missions at China Lake; runway 
operations, tanker simulator, and critical missions of the 55th 
Wing at Offutt Air Force Base; and the Marines at Camp Lejeune 
and Cherry Point continuing to operate after approximately 800 
buildings were compromised, with 500 severely damaged.
    And we also owe it to our military families to ensure that 
the privatized military family housing is fully restored. The 
damage in North Carolina and Florida continue to create a 
burden for these families. So I look forward to hearing from 
our witnesses about how they are ensuring that we plan 
effectively, build to appropriate building codes, incorporate 
lessons learned from recent disasters, and inspect work on new 
construction to ensure that it meets specifications. Thank you 
for your testimony today, and I yield back.
    [The prepared statement of Mr. Lamborn can be found in the 
Appendix on page 46.]
    Mr. Langevin. Thank you, Ranking Member Lamborn.
    With that, now, because again of the delayed start due to 
votes, we are going to forgo the witnesses' opening statements. 
We are going to go right into questions. Before doing so, I 
would like to introduce the individuals that we have with us 
today.
    Mr. Robert McMahon, Assistant Secretary of Defense for 
Sustainment. Mr. McMahon, it is good to see you again. Thank 
you for being here. I understand that you are going to be 
leaving the Department next month, and I just want to take this 
opportunity to thank you for your many decades of service to 
the country both in uniform and in your current role now, and I 
wish you well in your next chapter. Thank you for being here 
today.
    [The prepared statement of Secretary McMahon can be found 
in the Appendix on page 47.]
    Mr. Langevin. Next, Mr. John Henderson, Assistant Secretary 
of the Air Force for Installations, Environment, and Energy.
    [The prepared statement of Secretary Henderson can be found 
in the Appendix on page 59.]
    Mr. Langevin. Next, Mr. Alex Beehler, Secretary of the Army 
for Installations, Energy, and the Environment.
    [The prepared statement of Secretary Beehler can be found 
in the Appendix on page 70.]
    Mr. Langevin. And then also Mr. Lucian Niemeyer, Acting 
Assistant Secretary of the Navy for Energy, Installations and 
the Environment.
    [The prepared statement of Mr. Niemeyer can be found in the 
Appendix on page 82.]
    Mr. Langevin. Thank you all for being here today. I look 
forward to a robust discussion today, and with that, I am going 
to recognize myself for 5 minutes. Members will be recognized 
after the chairs and ranking members in the order of seniority 
and attendance. So, with that, let me begin.
    So the climate has changed significantly over the last 
decade, and--several decades, and it is going to continue 
more--to change more in the coming years. All of the services 
have incurred climate-related debt because installations were 
built with risk assessments that did not reflect the reality of 
today or the increased threats of the future. So my question 
is, what is your assessment of the unmitigated climate risk you 
face in your legacy installations in terms of dollars and 
cents, and what methodologies do you use to determine those 
risks?
    Secretary McMahon. Mr. Chairman, I will begin and provide 
my comments, and I will give my peers the opportunity as well. 
First, thank you to you and Chairman Garamendi and both of our 
ranking members for the opportunity to be here today to talk 
about something that is equally as important to Secretary 
Esper, our respective service secretaries, and clearly to the 
four of us.
    As we move forward, to your point, as we look out over the 
last decade or two decades, the challenges and threats that we 
face within our installations have grown dramatically. And as 
you have pointed out, it is climate. It is the challenge that 
we also face with regards to natural disasters, whether that be 
earthquakes, whether that be forest fires, whether that be 
deforestation or drought. In addition, it is the physical--and 
to Congresswoman Stefanik's point--the digital world as well, 
so it is this holistic approach that we have to look at when we 
deal with it.
    Specifically to the climate, we have got to acknowledge 
that the climate is changing, the fact that we have seen, for 
example, a rise in our seas at the same time that, as we 
consume water, that we are seeing a degradation in our water 
supplies and the fact that that is having an adverse effect on 
our soils and our land as well. And so this holistic impact, as 
we look at the climate, how do we deal with that?
    We look at the way that we proactively put together our 
standards, our building standards. They need to be continuously 
updated as we learn about what is occurring with these natural 
disasters. How do we update that? We need to be more proactive, 
but we also have to do it in the context that, as we look at 
the holistic challenges that we face within the Department and 
our installations, that that is just a single portion of it 
that we have to deal with. And so we have got to be aggressive 
with it, with new standards and where we have the opportunity 
to infuse those standards, and we do that, but we also have to 
do it in the context of the broader threat that we face.
    Mr. Langevin. Do you feel you have an adequate 
understanding of the dollars and cents involved?
    Secretary McMahon. I don't. And to that point, recently I 
have asked the services to come back with an assessment of what 
that looks like. What I can tell you is, there is $4 billion 
worth of damage at Tyndall Air Force Base. There is more than 
$4 billion--or roughly $4 billion of damage at China Lake. So, 
as you look at that and try to apply that across the 
enterprise, there is a significant bill out there that I don't 
think we fully understand or comprehend the full cost of, just 
on the facilities, let alone when you start talking about 
counter-UAS [unmanned aerial systems], when you start talking 
about cyber, and the other elements, and we can throw EMP 
[electromagnetic pulse] in there as well. And so I don't think 
collectively we understand what the full assessment is.
    Mr. Langevin. Well, it is essential that we continue to 
drill down on this to get our arms around that because the 
taxpayers deserve no less, the Congress needs to know this 
information, and it is the right thing to do for the country 
and the military.
    Secretary McMahon. Mr. Chairman, I absolutely agree and I 
would say that all four of us would agree with you, and it is 
getting our arms around that, and we are on the road to do 
that.
    Mr. Langevin. Secretary Beehler, Henderson, Niemeyer, do 
you have anything else to add?
    Secretary Beehler. Yes, sir. The Army has benefited already 
from the fact that the U.S. Army Corps of Engineers has 
developed a climate assessment vulnerability tool using a 
variety of data from other Federal agencies that are constantly 
being refined and updated as they receive more and more data. 
That tool has been used and will continue to be used on an 
ongoing basis by Army installations as they do their every 5 
years update in their installation management plans that 
certainly will address this issue, and they have been basically 
prescribed to do so, as well as the installation, energy, and 
water management plans that are ongoing for all of the major 
Army installations. And so, through that exercise, we will 
begin to get a handle on just exactly what the cost and other 
measures needed to be taken to address extreme----
    Mr. Langevin. When do you think those assessments will be 
completed?
    Secretary Beehler. Well, at the--on the water and--energy 
and water plans, they are in three phases. The first phase, 
which covers the major or top critical mission priority 
installations of about 22, expected to be done by the end of 
this calendar year, and then the next tranche within 12 months' 
time afterwards and the third tranche 12 months after that. The 
installation management plans are upgraded and reviewed every 5 
years. That covers roughly the 150 Army installations. And so, 
therefore, you have that incorporated at roughly about 30 
installation plans a year.
    Mr. Langevin. And then, finally, to that followup, so the 
Army would then be developing strategies for addressing the 
risks identified from those assessments?
    Secretary Beehler. I am sorry, sir. I missed----
    Mr. Langevin. I said, is the Army then planning to develop 
strategies once the assessments are completed?
    Secretary Beehler. Oh, absolutely. And that is the 
wonderful thing about these several efforts that are going on 
simultaneously. Each will help the other to become a greater 
granularity in a way forward.
    Mr. Langevin. Well, that is going to be essential for us to 
follow up on that.
    Secretary Beehler. Absolutely.
    Mr. Langevin. I am going to hold there, and now turn to 
Ranking Member Stefanik.
    Secretary McMahon. Mr. Chairman, before you yield on this, 
I would like to add just one point. Secretary Beehler referred 
to the climate tool that is being used by the Corps of 
Engineers. We have just funded for all the services to be able 
to utilize that up to 15 bases stateside and 10 bases overseas 
for each of the services, recognizing the value of that tool 
and making sure that all the services can benefit from it.
    Mr. Langevin. Thank you for adding that important point.
    Ranking Member Stefanik is recognized.
    Ms. Stefanik. Thank you, I am going to jump right into my 
opening remarks where I referenced our cyber vulnerabilities. 
As you know, in fiscal year 2017 NDAA [National Defense 
Authorization Act], section 1650 required a review of those 
vulnerabilities, and this review includes information and 
operational technology such as industrial control systems. So I 
want to start with OSD [Office of the Secretary of Defense].
    Mr. McMahon, can you give us an update on where things 
stand with respect to implementation of 1650, and tell us what 
your role in the capacity of OSD is in overseeing this review 
to ensure we have identified and are correcting cyber 
vulnerabilities? Because my concern is that we have not yet 
identified the scale and scope of cyber vulnerabilities in our 
installations.
    Secretary McMahon. Congresswoman Stefanik, I would agree 
with you that we have not fully sized that. As I think you are 
aware, the Under Secretary for Acquisition and Sustainment 
Ellen Lord has recently brought on an expert, Ms. Katie 
Arrington, whose purpose is to oversee cybersecurity for the 
Department for both acquisition and sustainment. Her focus 
early on is ensuring that we are considering, as part of the 
supply chain, what that looks like, but also looking across 
industrial control systems throughout the Department and is 
leading that effort in conjunction with the CIO [chief 
information officer] to give us the appropriate view and 
understanding of what the threat is and, more importantly, how 
we deal with that holistically both on the acquisition and the 
sustainment side.
    Ms. Stefanik. So, when I ask who the lead for 1650 
implementation, it is a combination of Katie Arrington and the 
CIO [Dana] Deasy?
    Secretary McMahon. As well as in specifically as we get 
into industrial controls, would be myself.
    Ms. Stefanik. Okay. So the fiscal year 2017 NDAA was a 
couple years ago.
    Secretary McMahon. It was.
    Ms. Stefanik. And the fact that we are now getting an 
answer about who is responsible, what has happened in between?
    Secretary McMahon. I think what I would tell you is there 
has been a tremendous amount of discussion about what we need 
to do in understanding, characterizing what the threat is, what 
it looks like, the amount of execution, and, to your measure 
and my measure, is what is actually in place, not the level 
that I would expect to have at this point in time.
    Ms. Stefanik. So can you provide characterization of what 
that threat is and what our assessment is?
    Secretary McMahon. I would be happy to provide that. I 
would like to take that for the record, to come back to you in 
detail to answer that.
    Ms. Stefanik. Okay. I think this highlights again my 
concern with not even understanding the scale and scope, let 
alone what our mitigation efforts are going to be. So I look 
forward to getting that response for the record because again 
we have had years since that language was written in the fiscal 
year 2017 NDAA, and I was here when we did that.
    [The information referred to was not available at the time 
of printing.]
    Ms. Stefanik. I want to move to Mr. Henderson from the Air 
Force and then Mr. Niemeyer from the Navy. Both of you 
addressed this in your written opening statements. How have you 
both worked to identify digital vulnerabilities, and how much 
work would you say remains to be done and when do you expect to 
complete the review?
    Secretary Henderson. I thank you. For the Air Force, there 
has been a number of assessments going on, and like Mr. 
McMahon, in the installations portfolio we focus primarily on 
the industrial controls piece of that assessment. But there 
is--across the Air Force, this crosses a number of staff 
functions that are working on this. So, for instance, there is 
several cross-functional teams working a number of areas, and I 
am just going to list a few of them just so that--just to give 
appreciation for the group of the breadth of assessment that is 
going on. But they are doing full threat assessments going up 
to a very highly classified level. There is actually going to 
be an Air Force senior leader summit on this. Actually, this 
work is coming to culminate at a summit here in about 3 weeks 
in the middle of November: these cross-functional assessments 
going on with weapons system security, something called the Air 
Force Risk Executive Mission Assurance, which covers 17 
programs; supply chain risk management; Air Force control 
systems, which is a sprint that we are working with, with our 
A4; mission defense teams that are focused on several areas to 
include cyber--command cyber readiness inspections; the 
protection of critical technology; supervisory control and data 
acquisition, or SCADA systems; and so on. So there is a large 
group of people working in a cross-functional way to address 
this holistically with the Air Force, and we expect to bring 
this to our senior leaders here in about 3 weeks, about the 
middle of November.
    Ms. Stefanik. Three weeks, okay. So that would be the 
complete review.
    And, Mr. Niemeyer, from the Navy, you have 30 seconds, 
sorry.
    Mr. Niemeyer. So what we--I think we are leading the 
services as far as our ability to enclave some of our critical 
facilities. We started with what we considered to be our tier 1 
and tier 2 most critical facilities across Department of the 
Navy. We have already taken steps to separate those critical 
control systems in those facilities, and we are now moving 
towards the long-term mitigation of those systems. We are also 
looking at assessments at the next level. We have completed 
hundreds of assessments and started on real-world mitigation 
efforts to start a short term to isolate the problem and work 
on long-term solutions.
    I will tell you, ma'am--I have been spending a lot of time 
on this issue--we really need a national policy and a national 
answer on how we address control system security. I would also 
like to get to 5G if I can. We are working very aggressively on 
that, but I am not sure that was the exact intent of your 
question, but I would love to get there as well.
    Ms. Stefanik. So we can get to 5G later on, maybe with a 
second round of questions. Again, I just want to highlight my 
concerns. We wrote the language that was signed into law in the 
fiscal year 2017 NDAA, and it is concerning to me that the 
implementation has lagged. So we don't even have our arms 
around the scope of this problem, let alone the mitigation. I 
appreciate all the work the service is doing.
    I yield back.
    Mr. Langevin. Thank you, Elise. I now recognize the 
chairman of the Readiness Subcommittee, Mr. Garamendi.
    Mr. Garamendi. First, I want to thank, Jim, you and Ms. 
Stefanik for the work you have done on cybersecurity. You have 
really pushed that forward. And I know, Mr. Chairman, you have 
also pushed the climate issue forward.
    I want to really go to the documents that the four of you 
have submitted to the committee. Mr. McMahon, you have kind of 
given us a going-away present. And to the services, the same 
thing. If they were to carry out the things that you laid out 
in your memo, we would be well down the line on each and every 
one of these. There are some things that are missing, and we 
will identify those as we go along. Specifically, in the new 
NDAA that is hopefully going to get completed in the very near 
term, there is a requirement that every base have a plan that 
includes all that we have talked about here, weather related, 
flood related, other kinds of threats to that base. So we would 
expect--well, you should expect and your successors should 
expect, to get what Ms. Stefanik just gave you a few moments 
ago, and that is, what have you done about this particular 
issue. Good for her, and for you, not getting it done yet. So I 
want to just basically put to each of you, among the things 
that you have written in your--submitted in your testimony, 
what is the most important? You don't have to answer the 
cybersecurity. We have already taken care of that piece of it. 
Let's start at this end of the table and then go down. Mr. 
Niemeyer.
    Mr. Niemeyer. That would be great, thanks so much, Mr. 
Chairman, for the question. The most important thing for us is 
strategic contingency risk. We have a concern worldwide about 
our access to installations, ports, airfields. From a 
resiliency long-term aspect that to us is probably the most 
important factor that allows us to continue to project naval 
power to protect the sea lanes and to protect our interests for 
both ourselves and our allies. Right behind that is energy and 
water security risk, and right behind that is, I would say, 
data and network risk, and the ability to secure our control 
systems. Then we have got physical risks. Right now, Department 
of Navy and our sister services are working a counter-drone, 
counter-UAS strategy, to look at new kinetic threats to our 
bases in addition to traditional ones.
    And then we also have what we would call an environmental 
risk, and it is just a range of factors, as you know. We are 
getting a lot of support from the committee in our response to 
China Lake. That was an earthquake. You know it is tough to 
predict where the next earthquake is going to happen or the 
next tornado or the next tsunami. So we are working on 
environmental risk from a holistic perspective. We do roll this 
up into what we call a mission assurance framework. I would 
love to come back and talk to the staff about how we can get 
some support from the committee on taking the mission assurance 
framework, so we are starting at the most critical facilities 
around the Department of the Navy that support national 
missions and how we can develop a comprehensive plan to 
identify the most critical vulnerabilities across the whole 
domain of threats that face us--not just natural, but we think 
man-made, or adversary threats are much more substantial. How 
do we address those for each of our critical facilities?
    Mr. Garamendi. The new NDAA will give you the direction to 
do that or the requirement to do that. And I would like to know 
what you need that you don't presently have to do that, but 
that will be--come back at us. Mr. Henderson.
    Secretary Henderson. Yes, thank you. For the Air Force, we 
are doing something called mission threat analysis. So, instead 
of doing this threat assessment by base--and a lot of our bases 
have many different missions on them--we are taking the mission 
itself and looking at the whole mission chain because it takes 
a global--it takes a global network of facilities to do some of 
our missions. So we take the full mission, and we look at the 
vulnerabilities there. And there is a whole host of threats, as 
Mr. Niemeyer said, and I won't go back through them, but this 
isn't just about cyber or just about weather or just about 
climate. This is the whole vast array of threats facing our 
installations that we have to look at. And so----
    Mr. Garamendi. I will let you off there.
    Mr. Beehler.
    Secretary Beehler. Sir, in addition to what has already 
been mentioned by my colleagues of the other two services, the 
Army also focuses on the fact that, as the National Defense 
Strategy from 2018 has said, that the homeland is no longer a 
sanctuary. And for us that means that our installations are 
directly part of the battlespace, of the battlefront, and part 
of the strategic support area. So that is where we----
    Mr. Garamendi. You have 24 seconds. I am just going to wrap 
up here. I have read that, and I think the rest of us can read 
it also. Here is my point and the reason I asked the question: 
Each of you has set out a set of priorities generally, and then 
you narrowed it down granularly, the word we use nowadays, to 
specific actions. Here is what I want you to do for the next 
month and a half, and that is read your colleagues' work and 
figure out what you are not doing that they are doing. And if 
you would stick around another month and a half, Mr. McMahon, I 
would ask you to do it also or see that they got it done. There 
is extraordinary opportunity and necessity that your--the other 
services are involved in that one or the other of you are not 
doing. And so I want you to--the other, you know, get a big pot 
of coffee and sit down and read each other's work. The 
solutions are all there. And you got to tell us what we need to 
do to give you the tools to carry out those solutions.
    With that, I yield back.
    Mr. Langevin. I thank the gentleman, and now Ranking Member 
Lamborn is recognized.
    Mr. Lamborn. Thank you, Mr. Chairman.
    Mr. McMahon, I am going to address this to you. Because of 
sake of time, I can't have everyone answer this question, and I 
want to thank you for your service to our country as you go 
into, like the chairman said, your next chapter.
    In my recent visits to survey the damage at Tyndall, 
Offutt, and China Lake, I was struck by how much that advanced 
planning and up-to-date construction techniques can help 
mitigate when disaster strikes. So what have we learned from 
recent natural disasters of all types to make things better in 
the future, for more resiliency? And I am thinking, for 
instance, of sacrificial first floors. They are doing that at 
Offutt. You don't have all the expensive HVAC [heating, 
ventilation, and air conditioning] and computers on the first 
floor, in case you have a flood. You put them up higher. So 
what are some examples of what we are learning?
    Secretary McMahon. Congressman Lamborn, what I would tell 
you is, that as we look at the lessons that we have learned, 
there is a variety of--rather than get into specifics, as you 
look at we establish our essentially building standards, which 
is a continuous process to update, we take the lessons that we 
learned from each of these installations, whether it is the 
construction, whether it is the roofing, what we are doing on 
one floor versus another. And roll that in on an annual basis 
to continuously update what those standards are, to ensure that 
as we get to the next either rehab or new construction, that 
those standards are, in fact, reflected in the way that we 
build the facility.
    Mr. Lamborn. Okay, thank you. And the military has a 
separate building code that is more stringent than local 
building codes. Is that correct?
    Secretary McMahon. The standards that we are utilizing in 
most cases represent either national or State standards, in 
some cases, lag a little bit on State, but you would have in 
some cases actually exceed what those States and national 
standards are.
    Mr. Lamborn. Okay, thank you. Shifting gears, Mr. Niemeyer, 
I want to drill down on nuclear energy. The Navy has a long and 
storied history of small nuclear reactors on vessels, starting 
65 years ago, the USS Nautilus was launched. So what can you 
tell us about micro reactors, about their safety and their 
effectiveness?
    Mr. Niemeyer. So we are working with other services and OSD 
to partner up with the Department of Energy on a couple of 
initiatives. We believe that there is a future for micro 
nuclear technology within the services. And there is a concern 
within the Navy about staying in what I would call the white 
world, as far as the technology. But we do believe that there 
are vendors out there, there are technologies out there, that 
ultimately could be used on a military installation to island 
that installation off of commercial power, particularly where 
we have critical assets, and run it on a very micro reactor, 
about 5 to 10 meg [megawatt] of electricity, plus another 10 
meg of thermal, and continue to run that critical asset without 
any concern about having the commercial rig go down. So we 
believe there is a near-term and mid-term goals to get to that, 
and we continue to work with OSD. Bob's been putting a lot of 
effort into it and his staff to try to get those vendors to us, 
talk to us, and eventually get the technology incorporated.
    Mr. Lamborn. And we don't have Yucca Mountain figured out 
yet. So, with some of the nuclear waste that is in storage, is 
it possible that some of these new designs can actually use 
what currently is stored uselessly?
    Mr. Niemeyer. With some adjustments, I think that is one of 
the things we are most concerned about, is, what is the fuel 
source going to be? There is an opportunity to deplete uranium. 
We are asking the vendors that very question: Where would you 
get it from? What would we need to do to make it useful? Those 
are the things that we are working with not just the vendors 
but with the NRC [Nuclear Regulatory Commission] in trying to 
come up with a plan moving forward.
    Mr. Lamborn. Okay, thank you.
    And, Mr. McMahon, I will finish with you. What are we doing 
with not just natural disasters but attacks on our physical 
infrastructure? We have talked about cyberattacks, but kinetic 
attacks or cyberattacks going against the electrical grid; EMP 
is a possibility that is out there. What are some things we are 
doing to protect the physical infrastructure?
    Secretary McMahon. When you talk about physical, one of the 
things we have not yet mentioned is the UAS threat that we face 
at all of our installations and how is it that we can create 
the counter-UAS capability. Secretary Lord has taken that on 
for the Department, with regards to small counter-UAS activity. 
We have--the Joint Staff is working larger issues, but that is, 
how do I protect my installation? With regards to EMP, 
obviously, earlier this year there was an executive order that 
provided guidance as to move forward with that. Clearly not 
every facility needs to be EMP hardened. It is understanding 
what those are and what are the specific actions that we can 
take to make that happen, to ensure that that is there for 
either those installations or those portions of installation 
where that is critical.
    Mr. Lamborn. Thank you. I yield back the balance of my 
time.
    Mr. Langevin. Thank you, Mr. Lamborn.
    Mr. Kim is now recognized for 5 minutes.
    Mr. Kim. Thank you, Mr. Chairman. I wanted to just hone in 
on the ``black-start'' exercises. I have been very intrigued by 
this.
    And, Mr. McMahon and Mr. Beehler, I just wanted to hear 
from you, what are the top lessons that we have learned so far 
from doing these black-start exercises? Mr. McMahon, we will 
start with you.
    Secretary McMahon. Congressman, thank you for the question. 
We are tremendously proud of the effort. As we talk about 
building resilience, it is understanding, you know, we can do 
all the tabletop exercises in the world, but when you actually 
pull the plug, the question is, what actually goes on? And so 
the investment--and they run somewhere between $250,000, 
$500,000 per exercise. We have had a total of four thus far. I 
will let Alex talk a little bit about some of those specifics. 
We still have two additional that we will do, but the reality 
is, and perhaps the most important lesson that I have seen is a 
lack of appreciation and understanding by our senior leaders at 
the installation level, all the way up to my level, of what we 
thought was going to happen versus what actually occurred. And 
then being able to apply those lessons learned down the road as 
we move forward. Lots of tactical issues, but at the strategic 
level, I think that is the most important.
    Mr. Kim. Go ahead, Mr. Beehler.
    Secretary Beehler. Sort of amplifying what Mr. McMahon just 
said, it is the basic verification of backup energy, and also 
water, whether we really have what we think we have. And if we 
don't have it, what do we need to do to get it? And there is 
nothing like doing for verification. And at least on behalf of 
the Army, we think that, so far, they have been very effective. 
We have done, as Mr. McMahon said, we have done three through 
the means of OSD, but we have done others on our own, and we 
will continue to do more on our own because we believe it has 
been very effective to show exactly what works, what doesn't 
work, what needs to be improved and enhanced.
    Mr. Kim. Well, I appreciate that. It certainly seems like 
an operation that really hits where the rubber hits the road 
and just tries to put this all into reality of what is going to 
happen. So I am certainly very supportive of the program and 
glad that it is continuing. In that similar vein, so, in my 
district, a district with Joint Base Maguire-Dix-Lakehurst, we 
got crushed by Superstorm Sandy, and that was something that we 
saw full force there. That base was able to have--the 
resiliency of that base being able to get up and running 24 
hours later was critical not just for the base but for the 
surrounding community. As you know, that base really served the 
purpose for being the FEMA [Federal Emergency Management 
Agency] center for that area. So I guess my question to you, 
kind of building out from there, when we are talking not just 
resiliency of the bases but potentially for natural disasters, 
supporting the community around it, what exercise--are you 
doing tabletop exercises or real-world exercises planned with 
FEMA or other organizations? I am just kind of curious, you 
know, what we have been able to learn from Superstorm Sandy and 
other places where our military installations end up playing a 
critical role in the revival of these communities after these 
disasters. Maybe Mr. Henderson, some of your thoughts, and Mr. 
Beehler.
    Secretary Henderson. Yeah, thank you. So, for the defense 
support to civilian authorities, the Air Force plays a large 
role in that usually with air transport, offering up logistics 
hubs and bases and stuff. So we participate with the Department 
of Defense in support of the FEMA exercises that go on. So I 
know that is our participation and the exercises that we do in 
conjunction with FEMA.
    Secretary Beehler. Sir, a variety of things. One is that we 
at Fort Bragg participated in a project that I believe was 
initiated by OSD, but it also included Department of Energy, 
Department of Homeland Security, and the Federal Regulatory 
Commission in the development of a defense-critical, electric 
infrastructure pilot program, to evaluate the resilience of 
off-post electric infrastructure, you know, support. But more 
broadspread, each installation does, on an annual basis, an 
emergency response exercise that by its very nature closely 
engages the surrounding communities at all appropriate levels. 
The other thing that we have done on an ad hoc, utility-to-
utility connection, is discussions on how appropriately located 
Army bases--this is particularly relevant to the southeastern 
area--can help as temporary--I don't know whether staging 
grounds is perhaps the best term, but really a place where 
utilities and emergency crews that are going to a scene that 
has faced hurricanes or severe weather events, and actually 
use, for whatever period of time, Army base facilities to help 
them position in the case of a major climatic event.
    Mr. Kim. Well, I appreciate that.
    Chairman, I yield back.
    Mr. Langevin. Thank the gentleman.
    Mr. Scott is now recognized for 5 minutes.
    Mr. Scott. Thank you, Mr. Chairman.
    General McMahon, I hate to see you retire. Thirty-four 
years in uniform, the best at Robins Air Force Base, I am sure. 
And for those of you who don't know, he is an exceptionally 
good production manager. He turned Robins Air Force Base, its 
efficiency around, and did an extremely good job there, so I 
want to thank you for that and your work there. And the average 
IQ of Alabama is about to go way up. I do trust you won't pull 
for their football teams, though.
    I have a couple of questions. You mentioned drones or the 
UASes. Do the FAA [Federal Aviation Administration] rules that 
they have, that protect drones, apply to somebody who would 
perhaps fly a drone over one of our military bases?
    Secretary McMahon. Congressman, I would rather get into 
those specifics outside of this environment, if I could push 
that back to you. I could take that for the record and come 
back to you.
    Mr. Scott. That is fine. I just want to make sure that you 
have whatever authorizations you need and that we don't have 
any conflict between Federal agencies as sometimes happens.
    Secretary McMahon. Yes, sir.
    Mr. Scott. I want to make sure that we have the ability to 
protect you from that.
    Another question, we have the Marine Corps logistics base 
in Albany, Georgia, the first net zero base in the country. Do 
we have any other bases that have achieved net zero with regard 
to energy?
    Mr. Niemeyer. I will take that question. So Albany is 
actually a shining star within the Department of the Navy as an 
installation that has truly achieved the energy resilience that 
we are looking for where, if the grid goes down, we can still 
conduct the critical missions there at Albany. I look to other 
Marine Corps installations, also the Marine Corps does seem to 
be leading the way around the Nation at Yuma in Arizona, at 
Miramar in California, an amazing effort there combining a 
series of initiatives over the last 10 years. It truly creates 
the resiliency we are looking for with that installation, using 
a variety of fuel sources. I want to make this clear. Within 
the Department of the Navy, we look at all fuel sources as an 
opportunity to provide us the resiliency. Miramar is using all 
those to create a pretty significant capability that, if the 
lights go out, we could conduct those critical missions in 
Miramar to launch our aircraft.
    Mr. Scott. So we have multiple fuel sources but the way--if 
I am not mistaken, the way the Marine Corps logistics base in 
Albany, Georgia, achieved that was through a public-private 
partnership. And are we utilizing the public-private 
partnerships in other bases as well?
    Mr. Niemeyer. I am sorry, sir. Yes, we are. We look at a 
whole host of authorities that are available to us thanks to 
Congress: energy savings performance contracts, service 
contracts, power purchase agreements. I think my sister 
services share the desire to want to use all the authorities 
that are available to us to look at, what is the best 
comprehensive energy solution for a particular installation? 
And that takes into account a full range of fuel sources as 
well as what the community and the private sector can partner 
up with us on delivering those efficiencies and resiliency.
    Mr. Scott. My concern is just making sure that you have the 
flexibility to achieve what needs to be achieved in the most 
efficient manner possible and that we are not showing 
preferential treatment to certain types of fuel sources.
    Secretary McMahon. What I would offer to that, Congressman, 
is that we are agnostic, especially when we start talking about 
renewable energy. As you know, with all the installations in 
the State of Georgia, Georgia Power has come forward and has 
put solar on each of those to help get us where we need to be. 
They have helped funded it. And the point of that is, there are 
opportunities for all of our installations to partner, both in 
public-private opportunities, but also in the opportunity to be 
able to create relationships as we look at relationships 
between the public and private sector where the private sector 
can come in and help our installations get to where we need to 
be at little or no cost to the Department.
    Mr. Scott. I know we talk about energy a lot. Mr. Beehler, 
you mentioned water. I was glad to hear you mention water as 
well. I hope that is something that we will focus on going 
forward. I think we spend an awful lot of time talking about 
the air, and I don't think we have spent enough time talking 
about water and making sure that we have access to clean water 
at our bases. And that when water leaves our bases, that it is 
as clean as it can possibly be before we reintroduce it to the 
environment.
    Secretary Beehler. Absolutely agree. Extremely important 
and particularly given--and from the standpoint of the Army, 
the number of Army bases that are in potentially drought area 
or just an area that receives very little precipitation.
    Mr. Scott. Gentlemen, thank you for your service.
    Mr. Langevin. Thank you, Mr. Scott. Ms. Houlahan is 
recognized for 5 minutes.
    Ms. Houlahan. Thank you, Mr. Chair, and thank you so much, 
sir, for your service. I hope you enjoy your next chapter as 
well. I come from Pennsylvania, but I did my field training at 
Tyndall Air Force Base, and so that is a personal special place 
in my heart. And it struck me during the testimony--and this is 
largely me pontificating and less a question--$4 billion to 
restore that base to operation; $4 billion every time something 
like Tyndall happens. It seems as though we would be well 
served if we could find $4 billion to try and prevent these 
kinds of things from happening, from not necessarily a 
resilience standpoint but actually addressing the root cause of 
it, which is the climate that is changing around us. And so 
that is more of a pontification than anything.
    My questions are springboarding off Mr. Scott's questions 
in some ways. My first question has to do with public-private 
partnerships to the degree that you guys can answer the 
question with specificity on cyber. He asked questions about 
energy sources. Do you feel as though you are empowered to be 
able to pursue public-private partnerships with people in the 
cyberspace? If not, why not? And if so, can you give me some 
examples of that and I would welcome any one of you to answer 
that question.
    Mr. Niemeyer. So we are updating our processes for our full 
range of interactions with our private partners. I will pick 
one specifically, energy savings performance contracts [ESPCs]. 
So, for years, these performance contracts have been used 
predominantly to find savings in how we install new technology. 
We are now saying: Okay, in addition to whatever we do with the 
ESPC, we are going to make ensured it has got an energy 
resiliency component, that we are making our control systems, 
that we are making our energy systems stronger as we are 
implementing these agreements. The private sector is very 
responsive to that. And I think they are doing an outstanding 
job of taking what we give as them as a requirement and then 
coming back with pretty innovative solutions on how we can use 
these partnerships to enhance not just our mitigation but our 
understanding of how best to mitigate. So that is just one 
example. I could go around the Department of the Navy where we 
work on the ESPCs. We just recently cut the largest one for the 
naval base we have at Guantanamo Bay and the largest one in the 
Federal Government, which has significant resiliency measures 
and steps within that deal. So we are looking across all our 
energy projects. In the past--I will be honest with you--a lot 
of our energy projects, particularly for renewables, has not 
had a resiliency piece to that. Our projects face the grid. 
They don't allow us to have mission assurance when the grid 
goes down. That is a problem. So we are looking at our full 
range of energy portfolio, to what degree those projects can be 
used to power critical missions if the grid goes down.
    Ms. Houlahan. Thank you. Any other responses from you all, 
gentlemen?
    Secretary McMahon. What I would offer across the entire 
spectrum as we talk about our ESPCs, we have the opportunity to 
upgrade, and when we think about that, that is replacing an old 
boiler with a new kit capacity or an old HVAC system with a new 
HVAC system. It is the controls, as Lucian alluded to, as part 
of that as we begin to think differently about what that 
opportunity is and as we put those contracts in place, being 
able to leverage not only the capacity and the newness of the 
new systems but, more importantly, the control systems that go 
with that, and leveraging as part of the project. And that is 
part of the new thinking I think we are beginning to see across 
the board.
    Ms. Houlahan. Thank you. And with my remaining 1 minute and 
30 seconds, I typically ask questions about whether or not you 
feel as though your workforce is prepared and has the right 
skill set. I really was impressed by your backgrounds, and 
clearly you have the right skill set to be sitting in your 
seats. But do you feel as though you have the right chain of 
people coming up through the ranks to have these kinds of 
really critical skills, whether they be cyber, whether they be 
water expertise, whether they be energy expertise?
    Mr. Niemeyer. I can go ahead and get started with that. 
First of all, the Department of Navy team is both on the 
secretariat, and I have actually represented two outstanding 
leaders from each service--General Chuck Chiarotti and Admiral 
Ricky Williamson--together we form a team, collective team, 
that looks at the resiliency challenges across the board. We 
probably could do better in educating our energy managers, to 
be more proactive at installation level. We are working 
collectively across the Navy and the Marine Corps to be able to 
do that. So those base-level managers are bringing up those 
ideas to us so we can actually incorporate. So we have still 
got a little work to do on the education front.
    Secretary Henderson. For the Air Force, we recently hired a 
professor to develop a curriculum to help with the education 
and training of our engineers, our civil engineers, on this 
industrial controls and the cybersecurity of industrial 
controls, which is kind of our piece of that. So we are making 
efforts to take the workforce we have and kind of update their 
skill set so that we better understand how to install and 
operate these systems. Additionally, with regard to personnel 
and having the right personnel, the direct hire authorities 
that have come through some of these highly specialized, low-
density career fields has been very helpful for us in the Air 
Force.
    Ms. Houlahan. Thank you, and I am out of time. I yield 
back. Thank you.
    Mr. Langevin. Thank you, Ms. Houlahan.
    Mr. Bacon is now recognized for 5 minutes.
    Mr. Bacon. Thank you, Mr. Chairman.
    I appreciate all four of you being here. My first question 
is directed more to Mr. McMahon and Mr. Beehler, but please 
jump in if you can add in. I want to talk about the levee 
system and the permit process that we have to go through. And I 
have a specific example, but it is not just this example. I 
hear about it all over. So what we had in 2011, we had the 
worst flood in about 50 years in eastern Nebraska. I was a 
commander at Offutt Air Force Base. We worked for months to 
save the base. Hundreds of thousands of sandbags. FEMA came in 
afterwards and said: Hey, you need to raise the levees 2 to 3 
feet. This was in 2012. And so then our NRD [Natural Resources 
District] with the State came forward with a proposal that cost 
$35 million and wanted to get it done, but it took 5 years to 
get a permit--5 years. And here is the deal, 5 years to get a 
permit to do $35 million worth of work. We got it all approved 
finally. In February of this year, we had the worst flood in 
Nebraska's history. It is going to be a billion dollars in 
damage. Now, if it was just a one-off incident, I got it. But I 
hear it from all over the place, all of our mayors, 5 to 7 
years is the norm to get a permit. It is inexcusable. It is 
intolerable. It is bad for the taxpayer. It was bad for our 
national security. So what can we do to fix this?
    So it fell on the Air Force, but I don't want you to--I 
think it was--it is not just one group, though. It is a 
cumulative problem. But go ahead.
    Secretary Henderson. So, first of all, you and I have 
discussed that specific permit in my previous position. So I am 
not going to speak on behalf of the Corps of Engineers here, 
but you and I have a lot of carnal knowledge on that specific 
situation. I will share your frustration with the permitting 
process writ large, and whether it is FAA permits, NEPA 
[National Environmental Policy Act] work that we have to do, 
even those of us who are in the Corps of Engineers, used to be 
in the Corps of Engineers, the permits that are involved in 
there can be very slow, very bureaucratic, and they take a long 
time. And I would say a lot of that, just from my experience, a 
lot of that is linked back to, in order to issue those permits 
in a lot of cases, the NEPA work has to be done. And the NEPA 
work ends up being the long pole in the tent a lot of times. 
Specific with the Offutt levees, which have a huge impact on 
the Air Force base, but the Air Force does not have an equity 
in that levee. It is owned by the NRD. It is permitted by the 
Corps in combination with FEMA obviously. So I say that to say, 
as we have extreme interest in making sure the levee gets 
upgraded, it makes our installation there more resilient. In 
that particular case, as you know, in order to get the permits 
from the Corps, in this case specifically, a 408 permit, the 
NRD had to run the hydraulics to make sure that any work they 
were doing on the levees on the Nebraska side of the river 
weren't going to impact the main river levees on the Iowa side 
of the river, and that--and then the NEPA work associated with 
that, and that took a lot of time. And it was a lot of 
engineering technical work. It wasn't necessarily sitting in 
anybody's inbox. It was work that had to be done and a lot of 
back and forth as you know. And so--and that part of the permit 
process is very frustrating, but it takes a lot of time to get 
it right. And I would say it is important to get it right the 
first time. You wouldn't want to do something on one side of a 
river that has detrimental effects to the public on the other 
side of the river. And in that particular case on that permit, 
that took some extra time.
    Mr. Bacon. I would think, if it is just a one-off, I got 
it. But I hear about this from--I mean, we have 10 mayors in 
our district, and I hear over and over again 5 to 7 years to 
get a permit. And I just think that we can put our brains 
together here and figure out how to do it, and I would like to 
work on how we streamline this process because it is good for 
the taxpayer, and it is unacceptable. We built the Pentagon in 
1 year. We got to figure this out.
    Secretary Henderson. Sir, I got to say, from that 
perspective, we share your frustration because all of us up 
here are trying to deliver MILCON projects----
    Mr. Bacon. Right.
    Secretary Henderson [continuing]. Projects, and there is 
usually a NEPA permitting component that we have to comply 
with----
    Mr. Bacon. Yeah.
    Secretary Henderson [continuing]. And it takes a long time. 
And it is frustrating. I think there is a lot of opportunity 
there to expedite those.
    Mr. Bacon. I have one follow-on question if I may because I 
have only got one more--45 seconds. One of the things I am also 
concerned about is Russian gas fueling our bases in Europe. It 
is not a one-off there either. A lot of our bases are doing it. 
And the new hospital being built at Ramstein is designed to 
have Russian gas, and we are there because of Russia, and they 
can just turn it off. And it is a readiness issue. So what are 
we doing to wean ourselves off that, and what are we 
specifically doing with the hospital to make sure that we are 
not dependent on Russian gas?
    Secretary McMahon. Congressman, two comments on that. 
First, as you know, we don't dictate what nations, where they 
source their fuel from, and given--number one. Number two, 
though, is this entire idea of installation resilience and 
being able to go off grid gives us the flexibility that if what 
you just suggested were to occur, we have the ability to 
respond to that and be able to continue the operations in a way 
that make sense and allow us to be able to achieve the mission 
that we have been given.
    Mr. Bacon. So you can assure us we have that at the new 
hospital?
    Secretary McMahon. I am not going to assure you of that, 
sir, but I am going to assure you that we are working 
aggressively not only for there, at Ramstein, but every other 
installation that we have, to be able to achieve that.
    Mr. Bacon. Okay. Thank you.
    I am out of time. I yield back. Thank you.
    Mr. Langevin. Thank you, Mr. Bacon.
    Ms. Escobar is recognized for 5 minutes.
    Ms. Escobar. Thank you, Chairman. I am so grateful to you 
and the ranking member for this important hearing.
    And many thanks to our witnesses today. I reviewed the list 
of the top 10 Army facilities that are vulnerable to climate 
change. All of those facilities are in the West or the 
Southwest, and the threat is listed as drought. And so I am 
wondering if you can expand on how you all intend to attack 
that, what the plan is, and what the theory is around 
assisting--ensure the sustainability of the West and 
Southwestern facilities vulnerable to drought?
    Secretary Beehler. Sorry. Ma'am, this is one of the things 
that will be accomplished through our installations energy and 
water programs plans that are being done at all of the major 
Army installations, including all of the ones in the Southwest. 
They are to address, in effect, your question, which is, how do 
we ensure at a given installation, adequate water supply, 
access to water. It also gets incorporated when an installation 
upgrades and reviews its broader installation management plan, 
which is done every 5 years for each installation.
    As I mentioned earlier, the first tranche of these energy 
and water plans are due to be completed at the end of this 
calendar year, which, I believe, includes some of the 
installations in the Southwest. So we will then have--those 
installations will have a way forward as to what they need to 
do to make sure they have good access to water.
    Ms. Escobar. One of the installations on that top 10 list 
is Fort Bliss----
    Secretary Beehler. Yes.
    Ms. Escobar [continuing]. Which is in my district, which 
obviously has a very sophisticated desal [desalination] plant 
in the district that has really been focused on ensuring water, 
not just for the military installation, but for the community. 
Was that taken into consideration when Fort Bliss was placed on 
the top 10 list?
    Secretary Beehler. Well, the top 10 list was looking at 
threats.
    Ms. Escobar. Okay.
    Secretary Beehler. And it is great that there is this 
desalination plant, but that doesn't remove the effect of the 
threat.
    Ms. Escobar. Gotcha. Okay. But my followup question to that 
is, you know, obviously we do want to consider the threats, but 
also the opportunities.
    Secretary Beehler. Yes.
    Ms. Escobar. And Fort Bliss has, for some time, was being 
very thoughtful about the opportunities around solar. And it 
seems to me that all of our Western and Southwestern 
installations have that same opportunity. And I am wondering 
how the plan seizes on the opportunity for solar as a major 
opportunity for renewable and sustainable energy.
    Secretary Beehler. Well, certainly, as I think we mentioned 
before, the goal of these plans is for each installation to 
have the necessary access to energy to carry out critical 
missions however best means that make sense given the specific 
installations. So I think, generally, solar is always part of 
the consideration as long as it can be effectively both cost 
effective and logistically applied and included. Obviously, I 
don't know about the specific case of the Fort Bliss plan that 
is obviously under development, but that is something that I am 
happy to look into and get back to you with what their thinking 
is, as it develops. And happy to give a brief.
    Ms. Escobar. I appreciate that. I really do believe, 
especially hearing in this hearing alone, listening to concerns 
about the grid, and our vulnerabilities with regard to the 
grid, that we should be showing far more leadership in saying, 
you know, we are going to draft a plan that leads the way, 
leads the country in sustainability, and that takes some of 
those critical threats away because we are leading on that 
front. So that would be my hope.
    Secretary Beehler. Thank you.
    Ms. Escobar. Thank you.
    Mr. Langevin. Thank you, Ms. Escobar.
    Mr. Waltz is now recognized for 5 minutes.
    Mr. Waltz. Thank you, Mr. Chairman, and thank you, ranking 
members. This is, I think, a fantastic hearing and topic. You 
know, I have a lot--a little bit of skin in this game on the 
tactical side. I can't tell you how many soldiers are no longer 
with us because of their supply lines being attacked carting 
fuel out to remote outposts that, frankly, could have had some 
panels and a turbine and been much more self-sufficient. Then 
you magnify that from the tactical to the global and strategic 
in terms of our supply lines that our fantastic Navy seeks to 
supply. So could you talk to me for a moment about what we are 
doing on the tactical sustainability side, particularly for our 
special operations forces who, as you know, are in anywhere 
from 60 to 70 countries as we speak today, and allowing them to 
have portable and tactical sustainment systems?
    Mr. Niemeyer. This is a tough issue, because everything 
that we have looked at in the past, I know both the Marine 
Corps and special operations forces and Army forces in the past 
have looked at what tactical generation can do for us. And any 
form of tactical generation creates pros and cons. I mean, 
there is a lot of folks who are concerned that by setting up 
those solar panels in a remote area, you actually--they are 
easily spotted and they are easily taken out. So the goal 
here--and this goes back to the heart of the National Defense 
Strategy--is, how do you provide agile logistics in a contested 
environment? And I got to tell you, our adversaries know that 
that is probably our weak spot. How do we power the next 
generation of equipment? It is not what we just have today, 
Congressman. It is what we are looking at--you know, autonomous 
vehicles, robotics, direct energy programs. What we are going 
to need in the next 10 years is more energy on the battlefield. 
That is something that in our research and development we are 
taking a hard look at what batteries we can use, what can be 
done for next generations of tactical energy sources that 
doesn't rely on fuel supplies. It is something we are working 
very hard on across the Department of Defense.
    Mr. Waltz. Thank you. And please, Mr. McMahon.
    Secretary McMahon. Congressman, what I would add to that, 
again at the tactical level, but a very strategic concept is 
this idea--Mr. Niemeyer talked a little bit about small, 
modular reactors. There is also an effort within our research 
and engineering concepts, under Dr. Griffin, to be able to look 
at the micro capability. Is there something we can actually put 
in the back of a ton-and-a-half truck that could take forward 
that would give us, for a forward-operating base as an example, 
the ability to operate with a micro nuclear reactor. That is--
--
    Mr. Waltz. What do you need from this committee to move 
those concepts forward?
    Secretary McMahon. Moving forward today, quite frankly, 
many of the challenges that we face are working through some of 
the regulatory issues. It is a science issue on the micro that 
we are still trying to work through. But at least at the small 
nuclear reactor capability, I think we are moving forward. It 
is just working through the regulatory process that is 
necessary to get to where we need to be.
    Mr. Waltz. Okay. Thank you for that. And just shifting back 
to the basing issues, resiliency is something Florida takes 
very seriously. Obviously, we have to deal with it every year, 
with storms, with flooding. There are areas of Florida now that 
are flooding and on a sunny day. The sea level is rising and we 
have to deal with it. We need to move beyond that debate. In 
fact, the Governor of Florida, my predecessor in this seat, 
just named a chief resiliency officer to pull together our 
statewide strategy. We have a Florida defense task force that 
is very focused on these issues.
    On the Navy side, Secretary Niemeyer, the engineering 
command issued what I think is a detailed and a comprehensive 
handbook for installation commanders, ``Climate Change, 
Installation Adaption and Resilience.'' What step are you 
taking to ensure installation commanders are actually 
implementing the recommendations in this handbook in their 
installation master plans and then also coordinating--because 
this is a broader issue. This is wetlands. This is offshore. 
This is seawalls. It is a huge issue that I am trying to deal 
with the Corps of Engineers as well for properties. How are you 
integrating locally, and how are you ensuring each installation 
commander implements those plans?
    Mr. Niemeyer. I mean, that is something we are working on 
today with the southeast region. The goal here is to allow that 
installation commander the range of resources and to include 
that pamphlet and that guidance in addition to other guidance 
and look at the most critical assets on that installation and 
what really delivers the projection of that power for the naval 
base, and use the guidance we have given them to direct 
resources towards making sure that that particular asset has 
mission assurance from a full range of threats. So it is 
really----
    Mr. Waltz. Are you confident they are doing it?
    Mr. Niemeyer. Yes, I am. In their capitalization and 
installation master plans.
    Mr. Waltz. Great. Thank you so much.
    I yield my time.
    Mr. Langevin. Thank you, Mr. Waltz.
    Ms. Haaland is now recognized for 5 minutes.
    Ms. Haaland. Thank you, Chairman.
    And thank you to our witnesses for coming here today to 
discuss this important issue important to national security. I 
am glad to see that our national security infrastructure is 
investing in innovations in resiliency and renewable energy. In 
my own district, Sandia National Laboratories and Emera 
Technologies are working through a Cooperative Research and 
Development Agreement, a CRADA, on microgrids that locally 
manage energy storage and resources such as solar, wind, and 
thermal systems. Chairman Adam Smith and I recently visited the 
pilot project at Kirtland Air Force Base where they will be 
testing innovations in distributed generation to make units 
more resilient to weather, physical, and cyber attacks. If one 
unit goes out, the others could operate independently. If 
successful, this system could provide highly reliable and 
renewable power supply. And I will just add that, in New 
Mexico, we have over 300 days of sun per year, so it makes 
sense to try it there. This is an excellent example of how our 
National Labs support innovation and resiliency and renewable 
energy research development. So Assistant Secretary McMahon, 
can you describe the DOD's plans to increase research 
development, test, and evaluation in energy storage, microgrid, 
and energy resiliency? And does the DOD intend to further 
expand the energy resilience and conservation investment 
program?
    Secretary McMahon. First of all, Congresswoman, we would 
like to say thank you to the Congress for the support that we 
have had. A tremendous amount of our innovation, imagination, 
research, and development comes from the funding that you all 
have provided us. One of the conversations, as I saw 
Congresswoman Slotkin come in, talk about PFAS [per- and 
polyfluoroalkyl substances], PFOA [perfluorooctanoic acid], a 
lot of our effort in that area as well is coming out of this 
R&D [research and development]. So the question becomes, do we 
have the right funding? The answer is we do. We have continued 
to leverage that for a variety of different innovative areas. 
You have already covered a couple of those. But what we are 
doing today gets us to where we need to be, and if additional 
funding is made available--though I think we have sufficient 
funding today--we will continue to apply it in innovative ways.
    Ms. Haaland. Excellent. And, again, Assistant Secretary 
McMahon, can you share your thoughts on how best we can expand 
the role of our National Labs in public-private partnerships 
like CRADAs in support of DOD's resiliency efforts?
    Secretary McMahon. Congresswoman, we talked earlier about 
the level of experience and knowledge that we have. Clearly, 
our labs are national treasures, and we continue to leverage 
those to the best of our ability in terms of research and 
development. At the same time, many of our universities across 
the Nation are equally as successful. And so it is a matter of 
simply ensuring that we are leveraging all of our sources, both 
our labs and our universities, for the innovative ideas that we 
need. But, clearly, I think that part of what has made us as 
successful as we have been are our labs and the innovation that 
we see coming out of them.
    Ms. Haaland. Thank you so much.
    Assistant Secretary Henderson, you mentioned that the Air 
Force is taking the necessary steps to build resilient 
installations that are ready to withstand and recover from 
manmade and natural events. How do microgrids and distributed 
generation factor into the Air Force's approach to resiliency?
    Secretary Henderson. Yes, Congresswoman, absolutely. And we 
do that through--we are doing installation energy and water 
development plans on each of our installations in conjunction 
with the master plans that we are doing, and then we are 
funding any vulnerabilities and gaps in that regard in a 
priority basis through an investment strategy that we have 
across the enterprise.
    Ms. Haaland. Excellent. Thank you. One more minute. And 
back to you, Assistant Secretary McMahon. The Annual Energy 
Management and Resilience Report for Fiscal Year 2018 showed 
that the DOD is falling short of its goal to consume 7.5 
percent of its energy from renewable sources. What challenges 
is the DOD facing in attaining this goal, and what does the DOD 
need to achieve the goal?
    Secretary McMahon. Congresswoman, what I would offer to you 
is that we continue to focus--we are agnostic on the type of 
renewable that we are talking about. But I would share with you 
an evolution over the last couple of years, as we have looked 
at the National Defense Strategy and we have begun to consider 
what occurs in great power competition, and to focus less on 
renewables as an end in itself, rather becoming a means to an 
end, and the means to an end is creating that resilience. So we 
are applying renewables where it makes logical sense to give us 
that kind of resilience that we need, rather than simply 
generating renewables for the sake of doing renewables.
    Ms. Haaland. Thank you so much.
    I yield, Chairman.
    Mr. Langevin. Okay. Thank you, Ms. Haaland. And Mr. Banks 
is now recognized for 5 minutes.
    Mr. Banks. Thank you, Mr. Chairman. Recently we had Mr. 
Wilson, the DASD [Deputy Assistant Secretary of Defense] for 
Cyber Policy, and representatives throughout the interagency 
testify before this subcommittee regarding internet security. 
During that hearing, I highlighted the fact that, in DOD's 2019 
Digital Modernization Strategy, it states that the DOD utilizes 
10,000 operational IT systems. The amount of access points 
provides enormous vulnerabilities as the DOD moves forward and 
toward an increasingly internet integrated warfighting posture.
    Mr. McMahon, what role do you play in the oversight of 
physical internet and network security?
    Secretary McMahon. Congressman, thank you for the question. 
What I would tell you, I am one of those that lies awake at 
night as we look forward to the future and see 5G come forward, 
the threat that it provides to our already capable system, and 
the fact that more and more systems will be utilizing 5G in the 
future, where those systems come from, and the infrastructure 
challenges that we face in terms of espionage, not knowing the 
source of that 5G capability, and being able to ensure that it 
is secure. More and more data will be utilized. And so the 
question becomes, how do we ensure that the infrastructure, in 
conjunction with the CIO, in conjunction with our new----
    Mr. Banks. Help me out real quick and tell me the specific 
role that you play organizationally.
    Secretary McMahon. From my perspective, what I worry about 
most of all is with installation industrial control systems as 
it plays directly and then tangentially as we put 
infrastructure capability in place, our comm [communications] 
CIO looks at the specifics of that security.
    Mr. Banks. Okay. The witnesses then were not able to tell 
me that the DOD has a complete inventory of all the items that 
can access the network in that particular hearing. But in your 
testimony, you said that your office is developing the 
framework for identifying the required resources for 
inventorying, assessing, mitigating, and sustaining facility-
related control systems. So, to your knowledge, is there any 
source that can show internet-dependent resources on military 
installations?
    Secretary McMahon. Holistically, I am not aware of that, 
Congressman.
    Mr. Banks. Okay. DOD CIO Dana Deasy recently said in an 
interview, quote, The Department will need to do some work to 
help industry better understand the things that it needs to 
meet the new challenges in cyber, end quote. Mr. McMahon, how 
does DOD improve communications with industry in setting clear 
cyberspace--I am sorry--cybersecurity expectations?
    Secretary McMahon. As I mentioned earlier, Congressman, the 
Under Secretary of Defense for Acquisition and Sustainment has 
put in place a cyber czar, Ms. Katie Arrington, whose 
responsibility is to look across the acquisition community as 
well as the sustainment community, looking at all elements of 
this, to include in conjunction with the CIO, looking at how we 
are doing business with the acquisition systems, through the 
supply chain, to ensure that there is security there, and 
becomes a first step in getting us to where we need to be, in 
creating, for example, a CMMI-like [Capability Maturity Model 
Integration] system and capability that all of our suppliers 
and contractors would have to be able to achieve to ensure a 
level of security we do not have today.
    Mr. Banks. What would you say that the--what are the--what 
role do cyber training ranges, like Muscatatuck Urban Training 
Center in Indiana, play for advancing cyber readiness on the 
battlefield and on U.S. bases?
    Secretary McMahon. Clearly, Congressman, all of our cyber 
ranges provide an opportunity to further educate and train our 
cyber warriors and make awareness out there. Though I don't 
think we are at the point that we are fully utilizing them 
because this is a learning business, if you will, to understand 
where we are. There are those that are probably much more 
expert in describing to you how best to utilize those cyber 
ranges, acknowledging that we see them as critical to the way 
forward.
    Mr. Banks. Got it. One of the goals from the 2018 DOD Cyber 
Strategy is to increase cybersecurity accountability. 
Specifically, the strategy stated, reducing the Department's 
attacks--attacks surface requires an increase in cybersecurity 
awareness and accountability across the Department. We will 
hold DOD personnel and our private sector partners accountable 
for their cybersecurity practices and choices, end quote. Last 
question. What kinds of cybersecurity accountability changes 
have been made since the release of that strategy?
    Secretary McMahon. What I would tell you is, we are in the 
midst right now, as I just described, a CMMI-like capability 
where our OEMs, original equipment manufacturers, our sources 
of supply, have to be able to put in place the capabilities to 
attest that they have control over their supply chains, not 
only at the first tier, second tier, third tier, but down as 
far as they go, something that I think is a new experience for 
all of us, as we get to that level of understanding, to be able 
to understand the lineage of all the parts that we have within 
our weapon systems as well as within our infrastructure.
    Mr. Banks. Thank you very much.
    With that, my time has expired.
    Mr. Langevin. Thank you, Mr. Banks.
    Ms. Torres Small is recognized for 5 minutes.
    Ms. Torres Small. Thank you all for your work, creating 
resiliency for our military installations.
    I have the honor of representing New Mexico's Second 
Congressional District, which includes White Sands Missile 
Range. Geographically, it is the largest range in the United 
States, and it is located in the middle of the desert. It is 
fundamental to our testing mission, and it has some of the most 
cutting-edge technological design, research, and testing but it 
hasn't had a military construction investment for--since the 
1970s.
    And so a key example of the needs that we have is the 
information facility--the information systems facility, which 
was built in 1962. The facility serves as a gateway for all of 
our communications and data to the outside world and houses 
critical equipment, providing support for administrative 
commands and control and testing and evaluation users. The 
facility is relied upon to provide critical support for modern 
missile testing, ranging from the Standard Missile-2 and the 
Patriot Missile System 3 to next-generation weapons systems. 
But the facility is 57 years old.
    So, Assistant Secretary Beehler, would you agree that in 
the era of big data and technology, a modern information 
facility is critical for transmitting the vast amounts of data 
generated during military testing?
    Secretary Beehler. Yes, I agree.
    Ms. Torres Small. Thank you.
    And can you please speak to how conducting operations in a 
57-year-old facility could stunt the efforts for maximizing 
installation resiliency?
    Secretary Beehler. I would be happy--oh, sorry. I am sorry 
about that.
    I would be happy to take that for the record and provide 
greater detail and also come back with a briefing on that.
    [The information referred to was not available at the time 
of printing.]
    Ms. Torres Small. Thank you very much. But, shortly, it 
generally does impact our cybersecurity.
    Secretary Beehler. Yes.
    Ms. Torres Small. Thank you.
    I want to pick up where my colleagues Congressman Scott and 
Congresswoman Escobar were talking about water because it is a 
deep need. And as you mentioned, Assistant Secretary Beehler, 
it is a challenge that many military installations are facing. 
In fact, I believe it is over half of our military 
installations that face either current or future drought 
vulnerability. I wanted to talk more about the work that is 
being done for the energy and water plans. You mentioned that 
all of the installations are putting those together now.
    Do you know if they are assessing the resources that are 
available including the quality and quantity of water in nearby 
aquifers?
    Secretary Beehler. It is certainly my understanding that 
they would take that into account because their thrust is 
access to quality water. So they obviously are going to have to 
look at the sources from which this water is coming for their 
use in installations.
    Once again, the plans for the first tranche have not yet 
been completed. When they are, and particularly relevant to the 
geographical area in which you are interested, be happy to 
provide that further information, come in with a briefing.
    Ms. Torres Small. That is great. That is fantastic because 
it really is important as we assess what we have available that 
we are looking at all of the aquifers and what might be 
available, especially if we are able to do more desalination 
plants to clean up some of the brackish water as we have seen 
be so successful in Fort Bliss.
    Secretary Beehler. Absolutely.
    Ms. Torres Small. Shifting to Mr. Niemeyer, I know that 
there is an energy savings performance contract, and it has 
been used for water conservation, specifically within the Navy. 
I would love if you could speak briefly on that and how it has 
been--if there are any efforts to scale that to other military 
installations.
    Mr. Niemeyer. Sure. So, yeah, we were able to successfully 
find savings that allowed us to do some water system upgrades. 
I do believe that there is a--we can get to water conservation 
and aquifer management. We could take regional approaches. I 
think we need to work collectively with our services to see how 
a series of bases could work regionally to do a common aquifer 
management plan. That is something that we have been working on 
for a couple of years. I think there are opportunities around 
the country.
    And also, we need to, and the other services also, use the 
privatization of water systems as another way, probably for us 
the most significant way to conserve water over time and to 
have our partners that we do have privatized citizens who work 
with those regional water authorities.
    So the goal here is to use the whole range of authorities. 
Yes, I am proud of the ESPC, but that is just one step we have 
on how we can get much more collaborative with industry and 
regions on addressing common aquifer management.
    Ms. Torres Small. Great. Thank you all.
    I yield back the rest of my time.
    Mr. Langevin. Thank you, Ms. Torres Small.
    Ms. Slotkin is now recognized for 5 minutes.
    Ms. Slotkin. Great.
    Thank you, gentlemen, for being here.
    Assistant Secretary McMahon, thank you especially to you 
and your team for coming to my office and wearing your PFAS 
task force hat, coming in and briefing us. I sent you a 
followup letter on October 7th, but just since I have you on 
the record here, I was just home in my district, and I can't 
express enough to all of you how important the issue of PFAS 
around our military bases is to my constituents and the feeling 
like the Defense Department is dragging their feet on this 
issue.
    I know, when we talked, you still had concerns, but for the 
record, are we still at loggerheads when it comes to the issue 
of transitioning off PFAS firefighting foam by 2025?
    Secretary McMahon. Congresswoman, first, thanks for the 
opportunity to talk about PFAS, PFOA.
    When I talk about the task force, I do it in conjunction 
with the three gentlemen sitting here. It is weekly. We spent 
an hour and half today talking about what it is that we do.
    As I laid out, since you gave me this opportunity, we are 
concerned about three things. One, how do we mitigate what we 
are doing today? How do we ensure that we understand the health 
of the individuals that may have been affected by this? And 
then, finally, how do we clean up the messes that are out there 
today that we go through?
    Again, this is a national issue. It is just not a DOD 
issue. You understand that clearly without any military 
installations in your district, yet it is a big issue. So, we 
have got to deal with this. This is a national issue.
    With regards to your specific question, we continue to work 
aggressively to try to find an AFFF [aqueous film forming foam] 
version that is fluorine-free. On the I think it is the 14th of 
November in conjunction with my partners, we will hold a summit 
to go through all of the work that is being done to understand 
where we are, what the process, what work is being done today, 
and whether or not we can make that kind of date.
    I don't want to commit to you today that I can because I 
don't know what--where we are, what the work that is being done 
with the research and development. If we aren't able to do it, 
it certainly is not due to a lack of effort though.
    Ms. Slotkin. Can I just--I appreciate that. My 
understanding is that some of the militaries in Europe have 
done some good work researching alternatives, and would just 
urge a real push on this.
    The other thing I just want to, if I could have all four of 
you on the record, since you are all kind of in this together, 
I know that what I had understood is that the military was no 
longer using PFAS foam during exercises, that, of course, if we 
had an emergency, we are reliant on what we have now, but there 
is no need in places like Camp Grayling in Michigan, Selfridge 
Air Force Base, in order to use those in exercises.
    Can you just confirm for me? Because I have heard 
conflicting responses on this from rank-and-file folks who are 
saying that it is still being used. Can I get a yes or no from 
all four of you? Is PFAS firefighting foam being used in 
exercises by your respective branches and by the military?
    Secretary McMahon. I will let the services answer, and then 
give you an OSD answer.
    Secretary Beehler. Army, the answer is, no, they are not.
    Secretary Henderson. For the Air Force, the policy is no. I 
heard the same things that you are, and we are following up to 
make sure that everybody hears that loud and clear.
    Mr. Niemeyer. For the Department of the Navy, land-based 
exercises, absolutely not.
    Ms. Slotkin. Yes, and we know that on ships we have a 
special case. We want to make sure, if there is a fire on a 
ship, we have everything that we need.
    Secretary McMahon. Categorically, our goal is to make sure 
that the only time it is used is in an actual emergency, and 
then it is treated as a spill and cleaned up appropriately, 
which ought to dramatically reduce any additional exposures 
until we find that replacement.
    Ms. Slotkin. And I would just ask, now that we have you 
guys officially on record, that you do everything you can to 
try and make sure that we are adhering to that policy way down 
the chain.
    Lastly, as I wrote to you, I have had a lot of 
firefighters, including Federal firefighters, come and visit 
me. And they were concerned that there is no representation 
that I know of on your PFAS task force of Federal firefighters. 
I thought that was a kind of an easy ask and a kind of a ``no 
duh'' that the folks who are using this foam most frequently be 
represented on the task force.
    Can I get your thoughts on that?
    Secretary McMahon. What I would offer is that our medical 
folks play an integral role. The firefighters work for the 
gentlemen sitting to my left, and so that representation is 
there. Clearly, our attempt is to be as transparent as 
possible. So, in our minds, up to this point, that 
representation was taking place through the individuals 
immediately to my left.
    Mr. Niemeyer. I would also add that, since the Navy is the 
lead for coming up with a MIL SPEC [military specification] 
that is going to be an alternative for AFFF, we are reaching 
out to the military firefighting community to see what is out 
there, not just what they know, but what they know and sharing 
with our Federal firefighters and also our private 
firefighters.
    So I would suggest, yes, they probably--they do need a 
voice. They are represented. They do come through my 
representatives into the task force meetings weekly to present 
a concern.
    For instance, we do have a concern about meeting that 
deadline by 2025. We have a lot of equipment we are going to 
need to replace. It is lot of money. We are talking hundreds of 
millions, maybe 15 to 20 years to get this done to truly get to 
the point the committee wants where we are not using AFFF even 
in residual levels. So those are the types of issues that, yes, 
our firefighters are clearly passing up to the task force and 
we are addressing.
    Ms. Slotkin. I would just say some of the dissenting voices 
on how the Pentagon is doing have come from Federal 
firefighters. So the idea of just going that extra step and 
putting one on the task force, I understand you are hearing 
them. Just as a former Pentagon official, it probably isn't--
the juice isn't worth the squeeze to leave them off, but thank 
you, gentlemen.
    I think my time has expired. So thanks very much.
    Mr. Langevin. Thank you, Ms. Slotkin.
    And since there so few of us, we are going to do a brief 
second round. So if you want to stick around, you have 
additional questions, you are welcome to ask additional 
questions.
    Secretary Henderson, several years ago, the Air Force had 
requested considerable additional funds to address structural 
damage to facilities at Eielson Air Force Base resulting from 
melting permafrost. Last year, Congress directed a detailed 
assessment of the risks from melting permafrost installations 
in Alaska, Greenland, and Northern Europe.
    Since many of those are Air Force installations, has the 
Air Force completed those assessments?
    Secretary Henderson. So I think we are still working on 
them. What I would like to do is take that for the record, make 
sure I give you a detailed response of what the status of those 
assessment are and where we are at. I know we have done a lot 
of work in correcting the problems caused by melting 
permafrost, by shoreline erosion also in Alaska, and then the 
permafrost issues that we are seeing at Thule, Greenland.
    In Eielson, for instance, we are having to modify the 
designs of some of our structures there to use deep pile 
designs so we can get down and have the support for those 
facilities against the bedrock. In Thule, Alaska, we are 
actually going the other way and putting piping systems in to 
keep the ground frozen underneath there so the ground remains 
stable.
    Then, with the eroding shoreline in northern Alaska for our 
radar sites and stuff, we are trying to find better predictive 
models to incorporate what is a better characterization of the 
changing climate and a number of other factors that is 
affecting the shoreline erosion there so we can put together a 
mitigation strategy for that.
    I will answer back on what the status of that assessment 
and that document is, though.
    [The information referred to was not available at the time 
of printing.]
    Mr. Langevin. Fair enough. We will look forward to the 
followup assessment.
    I will yield to Garamendi.
    Mr. Garamendi. I have got you guys now.
    First of all, as I said earlier, your papers taken together 
really cover the entire array of challenges and most of the 
solutions that are out there, and I am really quite serious 
about you reading each other's papers and circling those things 
that you're not doing, that you might very well be doing.
    It has been mentioned by two of you, three of you, the Army 
Corp of Engineers Assessment Program. Could you send some 
detail on to the committee on what that is?
    Secretary McMahon. Let me take that for record, Mr. 
Chairman, and provide that to you.
    Mr. Garamendi. If you would, please.
    [The information referred to was not available at the time 
of printing.]
    Mr. Garamendi. Also, as we have discussed before, I think 
almost individually--well, not quite individually with all of 
you--the reconstruction plans for the bases that have been 
decimated--Tyndall, Lejeune, China Lake, Offutt--those plans 
are in process, as I understand. They are not yet complete. 
There is a significant pile of money that has been and will be 
appropriated ahead of the plans, that is, the completion of the 
plans.
    I want to--I will say it very clearly. That money must be 
spent in a manner that maximizes the resiliency of that base, 
whichever it happens to be. The standards to be applied must be 
the strongest standards available in the world, not just in the 
States, earthquakes specifically and flood standards and so 
forth.
    So we will see those detailed plans as they are completed, 
but I know the money is already out there in some of the cases 
and so be aware you don't want to have to come and explain why 
you didn't build to the maximum standard. Do you? No, you 
don't. No, you don't. So please keep that in mind as you go 
about your work on rebuilding.
    I do have some specific concerns. Some of this has been 
shared with the--actually a fellow behind you. There he is. So 
please pay attention to that.
    Also, Mr. Waltz raised a point that we are going to take up 
going into the future, and that is it is not just the facility. 
It is the equipment and particularly the transportation 
equipment that is used on the bases. Part of what is in the 
NDAA and will be even stronger in the future is energy 
conservation.
    For the Navy, I want to know why you have only built one 
destroyer with a hybrid system, why you are not building 
multiple destroyers and other facilities.
    You have got an answer for that already, Mr. Niemeyer?
    Mr. Niemeyer. No, I was going take that for the record.
    [The information referred to was not available at the time 
of printing.]
    Mr. Garamendi. Take it for the record.
    I will tell you why. There was insufficient energy 
generated for both the hybrid system and the electronic warfare 
systems. And when I asked, ``Well, how do you solve that,'' the 
answer was, ``Well, we won't do hybrid.'' I am going, ``Why 
don't you get a bigger generator?'' And you will tell me why, 
Mr. Niemeyer, you are not getting a bigger generator for the 
ships.
    Mr. Niemeyer. I do know that I have spent a lot of time 
with my colleagues over in the acquisition world of the Navy 
trying to determine what is the ideal configuration on a ship. 
As you know, we are adding a lot of new weapons systems that 
are all energy draws. We are looking at potentially putting 
directed energy programs on our ships, huge energy draw. So we 
have to manage that on the ship.
    Mr. Garamendi. Yep, that is true. And the biggest energy 
draw of all is to move the ship. Okay? So the answer was not 
satisfactory. Send that back.
    We are going to miss you, Mr. McMahon. You have been very 
good to work with, and we really appreciate your work on 
issues. I am not so sure you are going to be around for our 
next family housing issue. You jumped on that. I think you 
jumped on the gentlemen at the table with you, and we will see 
how well everybody is doing. We are going to come back in 
December, and we will review the family housing and go at that 
again and look for progress along the way.
    Secretary McMahon. Yes, sir.
    Mr. Garamendi. One of the things that both Jim and I intend 
to do is, and that is we are not going to forget what we asked 
you to do last year, and so we will be following up as best we 
can, and I am sure you will, too.
    I think, Jim, I could probably go on for hours here, but I 
am actually going to get an answer on that destroyer at 5 
o'clock.
    Thank you so very much, gentlemen. Thank you.
    Jim.
    Mr. Langevin. Thank you, John.
    So, Mr. McMahon, just to follow up on Mr. Kim's question 
earlier, the concept of resilience in the context of the 
logistics, sustainment, and reconstitution, is critical to 
joint force operations. Has this concept been included in any 
of the Joint Staff globally integrated exercises?
    Secretary McMahon. Mr. Chairman, thank you for the 
question.
    As we talk about what do we include in the exercises, we 
have just completed an energy war game with the INDOPACOM [U.S. 
Indo-Pacific Command] staff focused specifically on fuel for 
the INDOPACOM theater. It was the first time we have done 
something along those lines to look at holistically what that 
impact is, where our shortfalls were not only in our planning 
but in the execution. So was it a baby step? The answer is yes. 
Did we learn how we need to expand that?
    But the thought that energy is an integral part of our 
planning purposes and, more importantly, our tabletop 
exercises, we underscored that point. And we are going to apply 
that in the next series of exercises that we do with the Joint 
Staff.
    Mr. Langevin. I hope we will see that expand and broaden to 
look at other aspects of sustainment and reconstitution. I 
think that is critically important.
    Secretary McMahon. We are tremendously proud of what we did 
there, Mr. Chairman. And although it was a baby step, the fact 
that we have got that as part of the conversation and applying 
it to the operational community, in particular the INDOPACOM 
theater and the challenges there, this was tremendously 
important for us.
    Mr. Langevin. Can you on one other thing--did you have 
something specific?
    Mr. Garamendi. Go ahead. Finish now. I do have one more.
    Mr. Langevin. Can you please specify just on cyber-related 
responsibilities of individual installations by service or 
department, departmental level organizations and components? 
For example, the Air Force is creating mission defense teams 
built for cybersecurity of installations, teams that exist 
outside the Cyber Mission Force.
    Secretary McMahon. What I will tell you is, Mr. Chairman, 
that I think we are in the early stages of understanding 
holistically to look at installations from a cyber perspective. 
I think there are multiple owners, whether it is the CIO, 
whether it is us, when we get into the specifics of industrial 
controls, whether we look at the supply chain, the elements of 
that from an acquisition process. I think, on a daily basis, we 
continue to learn, and I continue to underscore the fact that 
Secretary Lord has identified a cyber czar exactly for the 
purpose of providing greater clarity of how we move forward 
with this. I am not sure if that scratched your itch here, but 
part of this is, quite frankly, we are still getting our arms 
around the whole discussion. We can--we could put glossy words 
on it, but we are still trying to figure it out.
    Mr. Langevin. This is something else we are going to be 
following up on.
    Anything else you wanted to add?
    Mr. Niemeyer. Mr. Chairman, one specific issue we haven't 
had a chance to talk much today, and that is the development of 
a national small-cell infrastructure, 5G technology. We are 
being very aggressive in providing information to the 
installation commanders in ultimately how do we both advocate 
for and receive applications from internet providers who want 
to install 5G infrastructure on our bases. It is going to be 
much more extensive than what we have for 4G, and we have some 
guidance making sure that equipment is secure; it is not 
necessarily from a foreign manufacturer, but allows us the 
resiliency we need for future data management.
    Mr. Langevin. That is a good segue into my final question. 
Do you have something to add, Secretary Henderson?
    Secretary Henderson. I was just going to say with regard to 
the mission support team, from the Air Force perspective, that 
is one of a number of holistic initiatives we are taking to 
look at our missions to include, you know, threats for mission 
assurance, all the way down to the cyber ties, down to each 
device that is connected.
    From our perspective, from an installations perspective, we 
are really focused on the installation control systems. And 
like Mr. Niemeyer mentioned what the Navy had done earlier, as 
part of that to protect the network from some of the 
installation control vulnerabilities, we have installed 56 
base-level network enclaves to logically segment the control 
systems from the business network to mitigate those risks.
    So, you know, that mission defense team is one of a number 
of initiatives the Air Force is doing. But that is kind of the 
one that falls in our installations portfolio, so to speak.
    Mr. Langevin. Well, we are going be following up on that, 
too, and see how, where that expands to and how it unfolds. I 
think it is important to consider those issues.
    Last thing I had, then I am going to turn to Mr. Garamendi 
for a final question, China appears--and this is going back to 
the 5G--appears far ahead of us, the U.S., in its development 
and deployment of 5G. Reuters reported just yesterday that 
mobile operators in Europe are queueing up to buy Huawei gear 
for their next-generation 5G networks, despite U.S. concerns 
that Huawei equipment contains backdoors open to cyber spies, 
quote. That is end quote.
    If local power and telecom companies in Europe employ 
Chinese 5G networks, how well would the U.S. military be 
equipped to protect its installations across Europe? And how 
resilient is our IT infrastructure?
    Mr. Niemeyer. We could spend about 4 hours on that 
particular answer. Let me try to give you an unclassified, 
basic view. So we are working on innovative technologies that 
would allow us to distribute our own 5G network separate from 
what we might have to rely on in a host nation.
    Domestically we need to start working with States to ensure 
that the concerns that we have with security of 5G network is 
passed on to the State and community permitting process so that 
way we don't have States inadvertently installing or permitting 
or allowing a system to be installed that is going to create a 
resiliency or threat concern for the Department of Defense.
    So it is combination of the base of the future, whether 
domestic or overseas, needing that secure 5G network. We are 
working on ways overseas to not have to rely on the host nation 
5G network but installing one of our own that we can be much 
more secure.
    Secretary McMahon. Mr. Chairman, what I would only add to 
that is I think all of us in the Department of Defense are 
gravely concerned about our international partners where there 
is a 5G system put in, what the vulnerabilities of that are, 
what the capability for espionage might be, and all the 
elements associated with that I think are front and center in 
our minds. I would defer to some of our experts to give you 
more detail probably in a classified setting, but from our 
perspective, from an installation perspective and the reliance, 
for example, on energy from a local industry provider in a 
foreign country, I think there is some concern about that.
    Mr. Langevin. I am glad we are not going into it without 
blinders on. We need to continue to follow this topic as well.
    With that, I will yield to Mr. Garamendi for the last 
rounds of questions, and then we are going to conclude.
    Mr. Garamendi. Mr. Chairman, we need to have a classified 
hearing not only with our committee but also with the Energy 
and Commerce Committee on this issue of 5G. Not enough time to 
go into it and probably not the right place to go into it, but 
we are headed for a very, very serious problem here. So we will 
see if we can get that together right away. Some of that is 
also in the NDAA now in a rather controversial way.
    Let me see. We have $3.5 billion of military construction 
projects that are delayed, unfunded, defunded. Uh-huh. So I 
want the four of you--I think--yeah, we have got the Marine 
Corps behind you--to tell us within the next 2 weeks what you 
intend to do with those projects that are defunded. Okay? It is 
a serious problem. I spent the last--spent a week in Europe on 
this, and the problem is of paramount importance there. Mr. 
Putin could not have had a greater gift than the message that 
the President delivered that we really don't care about 
European Deterrence Initiative.
    So there are projects there. I appreciate the Army 
particularly coming forward with specific information, also the 
Air Force, about projects that are defunded, the importance of 
them, but it is much more than that. So, we don't need to worry 
about those, that I did have the opportunity to see last week, 
but the rest of them. So you are going have to restack, and we 
are going to spend a lot of time on this restacking. So get 
prepared.
    The other thing is--I think I better let it go at that 
point. You may get me started on something that will get ugly 
real fast.
    So thank you very much, gentlemen.
    Jim, thank you for the opportunity for additional 
questions.
    I will look forward to that--week and a half--information. 
Thank you very much.
    Mr. Langevin. Very good. Thank you, John.
    I just want to thank Chairman Garamendi and Ranking Member 
Stefanik and Ranking Member Lamborn, the members of the 
committee, both committees, for this joint hearing and for our 
witnesses' testimony. I know there is some followup that you 
will need to do with us, get back to the committee and do the 
questions we have asked. Look forward to those answers.
    Members may have additional questions that they will 
submit. We would ask that you would respond to those as 
expeditiously as possible but want to thank you all for the 
work you are doing on behalf of the country. This is an 
important hearing, a good hearing, and a lot of important 
information we were able to cover.
    So, with that, this subcommittee stands adjourned.
    [Whereupon, at 4:45 p.m., the subcommittees were 
adjourned.]



      
=======================================================================




                            A P P E N D I X

                            October 16, 2019

=======================================================================

      



      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                            October 16, 2019

=======================================================================


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
      
    

      
=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                            October 16, 2019

=======================================================================

      

                  QUESTIONS SUBMITTED BY MS. STEFANIK

    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? 
How much (if any) of this is a contractor work force?
    Secretary McMahon. The Deputy Secretary of Defense designated the 
DOD CIO as the official responsible for the cybersecurity of industrial 
control systems for the DOD. Subsequently, in a December 2018 memo, the 
DOD CIO delineated responsibilities to the DOD Components to implement 
cybersecurity requirements for control systems. The policy memo also 
clarifies that DOD cybersecurity requirements are applicable to all DOD 
control systems. In addition, the Department is developing enhanced 
cybersecurity implementation guidance for control systems. 
Operationally, U.S. Cyber Command and JFHQ-DODIN have a critical role 
in defending all DOD systems including ICS/SCADA systems, however it is 
the system owners and operators that are ultimately responsible for the 
safety and security of their systems. The contractor workforce is not 
differentiated from the overall cyber workforce comprised of government 
civilians, military personnel, and contractors. Currently, ICS/SCADA 
systems owners and operators are not included in the cyber workforce 
requirements. Integrating ICS/SCADA competencies in the forthcoming 
update to the DOD cyber workforce policy (DOD Issuance 8140) will 
enable those distinctions.
    Ms. Stefanik. What coordination takes place with cyber defensive 
teams? Are your service cyber forces familiar enough with local ICS/
SCADA to assist?
    Secretary McMahon. The DOD CIO ensures Cyber Mission Forces and 
cyber protection teams are establishing the processes to work 
collaboratively with local facilities managers and other stakeholders 
to provide assessments and mitigations of mission relevant ICS/SCADA 
systems and networks. Steady progress is being tracked by the 
Components with a focus on the most critical mission relevant systems 
being assessed through FY20. As the expertise of these teams grows and 
the processes are optimized, DOD is confident the proper coordination 
and collaboration will occur at the installation-level.
    Ms. Stefanik. Are ICS/SCADA systems subject to the same security 
and accreditation standards as DOD networks are? Or are there 
differences with these so-called ``operational systems''?
    Secretary McMahon. Yes, the DOD requires all DOD systems and 
technology, including ICS/SCADA systems, must have cybersecurity 
applied IAW existing policy as described in DODI 8500.01, Cybersecurity 
and follow authorization processes as described in the DODI 8510.01, 
Risk Management Framework for DOD IT. The DOD does not differentiate 
cybersecurity policy requirements by system type, rather, the policies 
apply to all and are inclusive of varied cybersecurity implementation 
risk-based approaches to different system and technology types.
    Ms. Stefanik. Similar to our supply chain concerns with Huawei 
components being in critical defense systems, do we have any concerns 
with foreign components being used within ICS/SCADA hardware? Is this 
something you have surveyed or considered? How are you mitigating this 
concern?
    Secretary McMahon. Yes, the DOD is concerned about the supply chain 
associated with ICS/SCADA hardware. Compared to information technology, 
ICS supply chains are challenged by the inherent lack of security, 
limited monitoring, and constrained vendor support (often the original 
equipment manufacturer) for these products. To address these concerns, 
the OUSD (Acquisition) Chief Information Security Officer has taken a 
number of steps to reduce the vulnerabilities and impacts of 
compromised devices and components. The DOD has adopted the NIST SP 
800-161 Supply Chain Risk Management Practices for Federal Information 
Systems and Organizations and is working with the Defense Industrial 
Base, suppliers, vendors, and other organizations such as the 
International Society of Automation to ensure that supply chain risk 
management processes are implemented. In addition, the U.S. Army Combat 
Capabilities Development Command--Aviation & Missile Center (DEVCOM) is 
developing a Tested Products List for Control Systems certification 
process for the DOD. This process will allow vendors/products to go 
through cybersecurity testing and enable Type Authorization (test once 
and use many times) at lower cost in less time.
    Ms. Stefanik. One of the other focus areas for the IETC 
subcommittee is science and technology, which is a community that for 
decades has leveraged advances in modeling and simulation and other 
technologies to understand complex and unpredictable problems. With 
respect to climate change and extreme weather events--how are you 
working with the DOD S&T community and academia to understand and 
prepare for extreme weather events, to include modeling and simulation 
and other technologies that could help and develop and enhance 
resiliency for installations and infrastructure?
    Secretary McMahon. OASD(S) works closely with OUSD(R&E) as well as 
the Military Departments, academia, and the broader research and 
engineering community through communication and coordination, 
technology development and implementation, and research. Communication 
and coordination is evidenced in many ways. OASD(S) supports OUSD(R&E) 
as DOD's principal agency representative to the U.S. Global Climate 
Change Research Program (USGCRP), Subcommittee on Global Change 
Research (SGCR) and their leadership of DOD's work within the Earth 
System Prediction Capability interagency coordination activity. OASD(S) 
supports technology development and implementation with a focus of 
understanding and preparing for extreme weather events. For example, we 
are supporting the development of a web-based assessment tool to 
provide better insight into DOD's exposure to extreme weather and 
climate impacts. This tool is a text book example of how critically 
important modeling and simulation technologies developed by other 
agencies, academia, and the DOD S&T community is used to prepare for 
extreme weather events and climate change. DOD's Strategic 
Environmental Research and Development Program (SERDP) and 
Environmental Security Technology Certification Program (ESTCP) 
programs harness the latest science and technology to improve DOD's 
environmental performance, reduce costs, and enhance and sustain 
mission capabilities. SERDP and ESTCP support research collaboration in 
academia, industry, the Military Departments, and other Federal 
agencies. For example, SERDP leadership, in conjunction with the 
National Oceanic and Atmospheric Administration (NOAA), the U.S. Army 
Corps of Engineers (USACE), U.S. Geological Survey (USGS), numerous 
universities and others, resulted in the development of DOD's Regional 
Sea Level (DRSL) database for projected sea level rise at all coastal 
installations, a key tool for understanding coastal sea level rise.
    Ms. Stefanik. How are you preparing for emerging technologies such 
as 5G and what will be an exponential increase in IOT devices? In 2017 
we saw some 8.4 billion devices connected to the internet--but by 2020 
it is estimated that we may see up to 75 billion connected devices, 
depending on what estimate you use. This presents tremendous 
opportunity but also significant challenges. Can you outline how you 
are thinking about 5G and this massive increase of IOT?
    Secretary McMahon. The DOD CIO continuously assesses new technology 
types against existing policies to identify areas where additional 
policy or implementation guidance may be required. The DOD reviewed and 
assessed existing cybersecurity, operations security, physical 
security, and information security policies for guidance on Internet Of 
Things (IOT) devices. While IOT is not directly mentioned, the 
Department has found existing policies to be sufficient to address IOT 
security requirements. From a cybersecurity perspective, all IOT must 
have DOD cybersecurity applied IAW existing policy as described in DODI 
8500.01, Cybersecurity.
    Ms. Stefanik. If there was a crippling cyber-attack on one of our 
major installations that took down critical infrastructure such as 
power, or disabled ICS/SCADA systems, can you walk us through how a 
military installation would handle such an incident? What 
responsibilities are within your portfolios, as compared to and 
coordinated with CYBER COMMAND, and those that are providing Service 
Mission Defense Teams, for example?
    Secretary McMahon. As ASD(S), I oversee the cyber security of DOD 
facility-related control systems and the resilience of enduring 
installations to energy disruptions. My office established the 
requirement for the Services to develop installation energy plans and 
supporting cyber security plans to identify critical energy 
requirements, assess vulnerabilities, take action to mitigate risks, 
and conduct sustained maintenance and testing of these systems over 
time. OASD(S) provides policy and governance to enable energy 
resilience at enduring installations, ensures that cyber security and 
energy resilience are integrated into third party financed energy 
improvements, and funds military construction projects that improve 
energy resilience and contribute to mission assurance through the 
Energy Resilience and Conservation Investment Program. Likewise, the 
Department is implementing a series of Energy Resilience and Readiness 
exercises that use ``black start'' scenarios to test and evaluate 
energy systems at our installations. Each of these efforts supports the 
capability of the Services to carry out critical missions in spite of 
energy disruptions or cyber-attacks. Cyber defense best practices 
includes two methods of defending control systems. First, there is a 
logical separation of networks that limit communications between 
information technology and operational technology networks with very 
few exceptions. Secondly, asset owners maintain a manual method of 
operation that does not require the use of a network to maintain 
operation. Should an attack occur, the on-site maintenance and 
operational personnel would take the respective system off line and 
manually operate the system. In the event of a power outage, mission 
owners would immediately turn to backup power options (e.g., on-site 
generator, on-site distributed energy resources, and uninterruptible 
power sources) to sustain critical missions over the short-term. Based 
on assigned mission assurance responsibilities, Combatant Command and 
OUSD(Policy) would begin coordinating with any non-DOD power providers 
regarding the timely restoration of power to the installations. 
Depending on the duration of the energy disruption, Services and 
Combatant Commands also would consider transitioning to continuity of 
operations posture and/or transitioning affected missions to other 
locations. Cyber Command activities are outside the purview of this 
office. As such, any questions referring to Cyber Command 
responsibilities should be redirected to that office.
    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or 
electricity--we had an attack on the entire Military Electronic Health 
Records System that prevented our military health care installations 
and systems from functioning--similar to the WannaCry attack that 
crippled the U.K.'s National Health Service? Do we have incident 
response plans in effect to deal with these types of cyber incidents 
that could impact our installations?
    Secretary McMahon. The Defense Health Agency (DHA) has implemented 
significant cyber protections both at an enterprise level and at the 
local unit level that mitigates the risks from WannaCry and any other 
cyber exploit. In fact, DHA's military electronic health record system 
program vendor, Cerner Corporation, was responsible for providing the 
first copy of the WannaCry software code in America to both the Federal 
Bureau of Investigation and the Department of Defense (DOD). As part of 
standard DOD policies and procedures established for security 
accreditation, incident response plans are required for Authority To 
Operate (ATO) certification and are independently evaluated by the 
accreditation authority. MHS GENESIS, the new electronic health record 
for the Military Health System, was implemented with a defense-in-depth 
strategy. The first layer of defense is the protected network called 
the Medical Community of Interest (MEDCOI). At the enterprise-level, 
MEDCOI separates health- related network traffic from all DOD network 
and internet traffic that is also monitored by Cyber Security Service 
Provider. MHS GENESIS has a full suite of active and passive cyber 
measures to predict, identify, and isolate threats. Furthermore, MHS 
GENESIS is building a continuity-of-operations and disaster recovery 
(COOP&DR) solution that will restore mission critical capabilities to 
end users within 4 hours of a declared disaster event. This solution 
will be in place September 2020. This multi-tiered defense-in-depth 
strategy provides MHS GENESIS with state-of-the-art protection measures 
ensuring the delivery of capability to the Defense Health Community and 
the Veterans Administration even in the face of a catastrophic event. 
Each Military Treatment Facility is also architected with a suite of 
cyber defenses customized to the unique requirements of that facility. 
In the current state, each facility operates under their service 
specific legacy downtime procedures moving to paper when the electronic 
systems are not available. DHA's Health Informatics Division is 
developing a standardized enterprise wide downtime procedure to include 
scheduled downtime, unscheduled downtime, and recovery.
    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? 
How much (if any) of this is a contractor work force?
    Secretary Beehler. The Army has multiple stakeholders responsible 
for defending ICS/SCADA systems. Army Chief Information Officer/G-6 is 
responsible for establishing cybersecurity policies. Those policies are 
implemented by mission and asset owners and enforced by authorizing 
officials that approve and allow the use of the systems, and are 
required to align the systems to a Cybersecurity Service Provider 
(CSSP). Army Cyber Command (ARCYBER) is responsible for CSSP services, 
to include defensive cyber operations--internal defensive measures 
(DCO-IDM). ARCYBER has delegated some CSSP authority to certain 
commands, such as U.S. Army Corps of Engineers (USACE) and United 
States Army Space and Missile Defense Command (USASMDC) to provide CSSP 
for their portion of the Army network under the purview of ARCYBER. On 
4 October 2019, the Director of the Army Staff designated U.S. Army 
Chief of Engineers to develop a program managed structure that covers 
procurement, configuration, cybersecurity, testing, and lifecycle for 
ICS. The Army has not conducted a full inventory of ICS/SCADA hardware, 
hence it is not possible to determine how much of the Army ICS/SCADA 
systems are defended by contractors. Based on the completed NDAA 
Sec. 1650 assessments, the Army does not have the internal resources 
(trained manpower/equipment/money) to properly defend existing ICS/
SCADA systems.
    Ms. Stefanik. What coordination takes place with cyber defensive 
teams? Are your service cyber forces familiar enough with local ICS/
SCADA to assist?
    Secretary Beehler. Coordination to defend resources between 
elements of the Army cyber defense community is an on-going activity. 
The proliferation of types of devices and wide range in age of devices 
supporting Army infrastructure makes developing expertise in all areas 
challenging. The Army is developing a greater familiarity with local 
ICS/SCADA systems. For ICS/SCADA systems currently connected to 
networks, the Army has expertise in assessments.
    Ms. Stefanik. Are ICS/SCADA systems subject to the same security 
and accreditation standards as DOD networks are? Or are there 
differences with these so-called ``operational systems''?
    Secretary Beehler. Yes, ICS/SCADA control systems must follow the 
same Department of Defense (DOD) security and accreditation standards 
as DOD networks.
    Ms. Stefanik. Similar to our supply chain concerns with Huawei 
components being in critical defense systems, do we have any concerns 
with foreign components being used within ICS/SCADA hardware? Is this 
something you have surveyed or considered? How are you mitigating this 
concern?
    Secretary Beehler. The Army shares concerns about supply chain 
security across all our data systems. These concerns are larger than 
any single supplier (such as Huawei) or even solely suppliers with 
foreign origins. We must ensure that our systems, regardless of origin, 
are effective for their purpose, including being cyber secure. The Army 
has entered into an enterprise-wide effort to survey/inventory and 
assess the installations to better bound what control systems we have 
on our installations, how they are connected, and how they are 
constructed/serviced so that we can assess risk. The Army is already 
implementing measures to mitigate risk; from implementing Unified 
Facility Criteria and Specifications used to incorporate cybersecurity 
measures across the infrastructure lifecycle, ensuring that control 
systems are assessed and authorized using the DOD Risk Management 
Framework (RMF), and ensuring a continuous cybersecurity monitoring 
strategy is in place to ensure vulnerabilities are identified and 
remediated.
    Ms. Stefanik. One of the other focus areas for the IETC 
subcommittee is science and technology, which is a community that for 
decades has leveraged advances in modeling and simulation and other 
technologies to understand complex and unpredictable problems. With 
respect to climate change and extreme weather events--how are you 
working with the DOD S&T community and academia to understand and 
prepare for extreme weather events, to include modeling and simulation 
and other technologies that could help and develop and enhance 
resiliency for installations and infrastructure?
    Secretary Beehler. The Army Climate Assessment Tool, developed with 
the U.S. Army Corps of Engineers, incorporates the latest actionable 
science data and model results from the scientific community regarding 
climate change and extreme weather. The sources of this data include 
the U.S. Geological Survey (USGS), National Atmospheric and Oceanic 
Administration (NOAA), Federal Emergency Management Agency (FEMA), the 
Fourth National Climate Assessment volumes released by the U.S. Global 
Change Research Program, and the DOD's Strategic Environmental Research 
and Development Program (SERDP), which itself includes interagency and 
academic experts. Additional information derives from peer-reviewed 
scientific literature, including work sponsored in part by the U.S. 
Army Corps of Engineers. The tool uses this data to indicate exposure 
of select locations to coastal and riverine flooding, drought, 
desertification, wildfire, and thawing permafrost. Observed historical 
data regarding hurricane and tornado intensity and location is also 
incorporated into the tool. This information provides a screening-level 
assessment of the exposure of Army locations to extreme weather and 
changing climate, allowing prioritization of more detailed studies to 
reduce vulnerability and enhance resilience to these impacts. 
Installation managers will use the information provided by this tool 
inform master planning and to identify ways to improve the resilience 
of their installations to extreme weather events and other climate-
related threats.
    Ms. Stefanik. How are you preparing for emerging technologies such 
as 5G and what will be an exponential increase in IOT devices? In 2017 
we saw some 8.4 billion devices connected to the internet--but by 2020 
it is estimated that we may see up to 75 billion connected devices, 
depending on what estimate you use. This presents tremendous 
opportunity but also significant challenges. Can you outline how you 
are thinking about 5G and this massive increase of IOT?
    Secretary Beehler. There are three steps the Army is taking to 
prepare for the integration of emerging technologies: assessing the 
current state of installation information technology (IT), developing a 
cyber supply chain risk management governance structure to mitigate 
cybersecurity risks to ensure warfighter and installation security and 
readiness, and leveraging new technologies to increase readiness. As 
part of the Army's holistic modernization efforts, the Army is working 
with DOD to conduct 5G experiments at DOD facilities. Each Service 
nominated, and DOD approved one location, each as the first 
experimentation site in FY20. The Army recommended Joint Base Lewis-
McChord (JBLM), WA. JBLM was nominated asthe first site based on the 
potential to prove out technology in multiple-use case areas, alignment 
to Army modernization priorities as well as JBLM being the site for the 
Army's existing Multi-Domain Task Force, a National Guard and Reserve 
force generation site, a future synthetic training environment location 
and a Joint Base. DOD secured $52M in FY19 to support initial 5G 
efforts and intends to release an initial Request for Proposal (RFP) in 
November 2019 and allow industry to provide feedback and then release 
the final RFP in early December. The additional selection of sites and 
broader experimentation are subject to funding and continuing 
resolution. As part of DOD's established Scoping and Mitigation program 
to scrutinize Supply Chain vendors using the U.S. Code Sec. 2339A 
review process (FY19 NDAA, Section 889), the Army is developing a 
Supply Chain Risk Management governance structure. The Army is also 
conducting supply chain analysis leveraging public data research 
combined with advanced analytics to address national-level requirements 
in support of FY16 NDAA, Section 1647, and FY17 NDAA, Section 1650. As 
the number of IT devices increases, the scrutiny of the cyber supply 
chain will assist in securing our warfighters and installations. To 
prepare for future conflicts, the Army is also ensuring Soldiers are 
ready and armed with the latest technology. The driving force behind 
this modernization effort is U.S. Army Futures Command (AFC) in 
conjunction with Assistant Secretary of the Army for Acquisition, 
Logistics and Technology (ASA(ALT)), created to streamline 
modernization efforts and field new equipment and capabilities more 
quickly to Soldiers. Additionally, the Army is leveraging previously 
granted authorities like Other Transactional Authority agreements 
(OTA's) to tap into innovation from nontraditional suppliers of 
commercial technology for research and prototyping.
    Ms. Stefanik. If there was a crippling cyber-attack on one of our 
major installations that took down critical infrastructure such as 
power, or disabled ICS/SCADA systems, can you walk us through how a 
military installation would handle such an incident? What 
responsibilities are within your portfolios, as compared to and 
coordinated with CYBER COMMAND, and those that are providing Service 
Mission Defense Teams, for example?
    Secretary Beehler. Regardless of the cause of an outage event, 
cyber, or other, Army installations have robust planning in place to 
ensure continuity of critical operations. Each installation has a 
specific emergency response plan and all critical missions have 
continuity of operations plans to ensure mission effectiveness 
throughout the duration of an event and for priority restoration of 
services to recover from an event. From an energy and water 
perspective, Army Directive 2017-07 sets the requirement for Army 
installations to secure critical missions by being capable of 
withstanding an extended utility outage of 14 days. This includes 
timeframes to accomplish, curtail, or relocate the critical mission(s), 
as needed. The Army is also taking proactive measures to test our 
ability to withstand a long-duration outage. Through the Army 
protection program, installations regularly conduct integrated 
protection exercises related to Defense and Army critical 
infrastructure. Army installations are also required to complete full-
scale and routine testing of emergency and standby energy generation 
systems that support their critical energy requirements. Select 
installations have further tested their systems by completing Energy 
Resilience Readiness Exercises that simultaneously disconnect the 
entire installation (or a subset) from utility power in a controlled 
environment to test system backups and validate installation backup and 
restoration procedures. Installation Department of Public Works (DPW) 
personnel work closely with Army Cyber Command personnel to respond and 
recover from cyber-attacks. A critical part of this team effort is the 
use of the Advanced Cyber Industrial Control Systems (ICS) Tactics, 
Techniques, and Procedures (TTP) to guide Army response. The ACI TTP 
provides procedures that enable ICS managers and network managers to 
detect cyber-attacks, mitigate the effects of those attacks, and 
recover their networks following an attack. The primary goal during a 
cyber-attack is to retain operations of the critical infrastructure 
priorities (e.g., electric, water, etc.).
    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or 
electricity--we had an attack on the entire Military Electronic Health 
Records System that prevented our military health care installations 
and systems from functioning--similar to the WannaCry attack that 
crippled the U.K.'s National Health Service? Do we have incident 
response plans in effect to deal with these types of cyber incidents 
that could impact our installations?
    Secretary Beehler. Incident response plans and Continuity of 
Operations (COOP) plans are in place and practiced throughout the 
Medical Treatment Facilities (MTF) and these are inspected by the 
Services and Joint Commission (JC). The WannaCry virus exploited 
unpatched systems, and is a reason why DOD is focused on making sure 
computers are all patched with the latest software from vendors today. 
The Military Electronic Health Records enterprise is currently 
comprised of multiple systems that include but are not limited to Armed 
Forces Health Longitudinal Technology Application, Composite Health 
Care System, and Essentris and is actively migrating to Military Health 
System GENESIS, the new DOD Electronic Health Record. Each of these 
systems are architected in a different fashion and has internal 
security built into the systems; they also sit in a Defense in Depth 
posture (isolated Virtual Local Area Networks (VLANS)) as well as 
perimeter security. With the incident response and COOP plans in place, 
the MTFs are still able to provide health care. They would document the 
care on paper versus in the electronic health record. The concern is 
depending on the length of ``down time'' that may affect access to 
previous data to facilitate the care.
    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? 
How much (if any) of this is a contractor work force?
    Secretary Henderson. Sixteenth Air Force (16 AF) is responsible for 
defending all Air Force Information Networks (AFIN), of which ICS/SCADA 
is a portion. The 16 AF defense work force is primarily comprised of 
government personnel (military & civilian), with a few contractors in 
various units.
    Ms. Stefanik. What coordination takes place with cyber defensive 
teams? Are your service cyber forces familiar enough with local ICS/
SCADA to assist?
    Secretary Henderson. Should an ICS/SCADA-impacting cyber attack 
occur, the Air Force has seven service-reallocated Cyber Protection 
Teams which it can direct to respond. Those teams can leverage greater 
USCYBERCOM resources if warranted. Air Force defensive teams are 
trained and equipped to respond to a broad range of cyber activity, and 
will apply that training to any area of need. Additionally, they are 
expected to be familiar with any cyber terrain on which their supported 
missions rely, including AF-owned and civilian ICS/SCADA.
    Ms. Stefanik. Are ICS/SCADA systems subject to the same security 
and accreditation standards as DOD networks are? Or are there 
differences with these so-called ``operational systems''?
    Secretary Henderson. The ``security and accreditation'' is 
accomplished in accordance with DODI 8510.10 and implemented by AFI 17-
101 RISK MANAGEMENT FRAMEWORK (RMF) FOR AIR FORCE INFORMATION 
TECHNOLOGY (IT) to address both traditional IT and control systems 
using tailored security protocols based on their applicability to the 
system.
    Ms. Stefanik. Similar to our supply chain concerns with Huawei 
components being in critical defense systems, do we have any concerns 
with foreign components being used within ICS/SCADA hardware? Is this 
something you have surveyed or considered? How are you mitigating this 
concern?
    Secretary Henderson. The integrity and supply chain risk of foreign 
components in ICS/SCADA systems is of concern, especially where these 
systems directly support Defense Critical Infrastructure and Defense 
Critical Missions. Supply chain risk management is a consideration in 
the Air Force control systems cybersecurity strategy that is in 
development. An element of the strategy is to evolve our acquisition 
processes to reduce the risk of cyber vulnerabilities in ICS/SCADA 
systems. To mitigate the concern in currently-fielded hardware, we are 
working towards more advanced network hardening, monitoring and 
defensive cyber operations.
    Ms. Stefanik. One of the other focus areas for the IETC 
subcommittee is science and technology, which is a community that for 
decades has leveraged advances in modeling and simulation and other 
technologies to understand complex and unpredictable problems. With 
respect to climate change and extreme weather events--how are you 
working with the DOD S&T community and academia to understand and 
prepare for extreme weather events, to include modeling and simulation 
and other technologies that could help and develop and enhance 
resiliency for installations and infrastructure?
    Secretary Henderson. We work with DOD, federal, and academic 
entities to understand and enhance installation resilience and share 
the following examples. The DOD's Strategic Environmental Research and 
Development Program (SERDP) led the development of the Regionalized Sea 
Level Change Scenarios and Extreme Water Level Statistics database, a 
valuable resource for localized sea level rise scenarios and historical 
storm surge statistics. As noted in the Report on Effects of a Changing 
Climate to the Department of Defense (Jan 2019), SERDP and DOD's 
Environmental Security Technology Certification Program (ESTCP) 
investments support the development of the science, technology, and 
methods needed to manage and enhance resilience. The Report outlines 
efforts by SERDP, ESTCP, and the Lawrence Berkeley National Laboratory 
on understanding sea level rise, drought, wildfire risk, and permafrost 
degradation. We are working with the Colorado State University Center 
for Environmental Management of Military Lands to improve floodplain 
delineation and explore the potential sea level rise, storm surge, and 
changes in temperature and precipitation patterns on 60+ Air Force 
sites across the world. The intent is identification of potential 
vulnerabilities and possible adaptation strategies to feed into our 
installation Integrated Natural Resource Management Plans. In the 
future, we hope to use this information to inform siting and planning 
applications. Working with the University of Alaska--Anchorage we are 
pursuing more accurate Alaska shoreline erosion prediction models that 
take into account warming water near the shore, increasing air 
temperatures, longer periods when sea ice is gone, increasing spatial 
extent of open water, increasing wind speeds, storm surges, wave 
height, and thawing of permafrost. We rely on the USACE Cold Regions 
Research and Engineering Laboratory (CCREL) expertise for its work on 
construction techniques in permafrost regions. We are also partnering 
with ASD(S) and the Massachusetts Institute of Technology Lincoln Lab 
to develop a ``pull-the-plug'' exercise framework to baseline 
capabilities and identify vulnerabilities. We will continue to 
collaborate across the DOD, federal, and academic S&T communities to 
enhance our installation and mission resilience.
    Ms. Stefanik. How are you preparing for emerging technologies such 
as 5G and what will be an exponential increase in IOT devices? In 2017 
we saw some 8.4 billion devices connected to the internet--but by 2020 
it is estimated that we may see up to 75 billion connected devices, 
depending on what estimate you use. This presents tremendous 
opportunity but also significant challenges. Can you outline how you 
are thinking about 5G and this massive increase of IOT?
    Secretary Henderson. The Air Force is aware of the potential and 
promise of 5G and is pursuing opportunities to address gaps in 
coverage. The Air Force will continue to pursue ways to leverage 5G to 
drive a resilient warfighting communications architecture to promote 
our multi-domain command and control capabilities to preserve the Joint 
Force's and the Air Force's competitive advantage in today's strategic 
environment. The Air Force streamlined the process to grant leases for 
commercial broadband. Currently, ten bases in the Southeast have leases 
pending that will enable small node, whole-base commercial broadband 
coverage. The next leasing opportunity will be for 17 bases in the 
Northwest region later this calendar year. In addition to this, the AF 
is participating in DOD's 5G experiments to evaluate various 5G 
capabilities such as smart depots, shared spectrum and mission planning 
that will assess various 5G configurations for optimal mission usage.
    Ms. Stefanik. If there was a crippling cyber-attack on one of our 
major installations that took down critical infrastructure such as 
power, or disabled ICS/SCADA systems, can you walk us through how a 
military installation would handle such an incident? What 
responsibilities are within your portfolios, as compared to and 
coordinated with CYBER COMMAND, and those that are providing Service 
Mission Defense Teams, for example?
    Secretary Henderson. During their initial response, Civil 
Engineering Squadron (CES) operators or support contractors could 
identify malicious cyber activity and trigger the appropriate response 
in partnership with a local Mission Defense Team (MDT), if applicable. 
That response would include notifying the 624th Operations Center at 
16th Air Force, which would coordinate further response actions with 
CYBERCOM, including the deployment of a service-reallocated Cyber 
Protection Team (CPT) if warranted. The CPT would partner with the MDT 
to optimally understand the affected terrain and respond to the 
malicious activity.
    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or 
electricity--we had an attack on the entire Military Electronic Health 
Records System that prevented our military health care installations 
and systems from functioning--similar to the WannaCry attack that 
crippled the U.K.'s National Health Service? Do we have incident 
response plans in effect to deal with these types of cyber incidents 
that could impact our installations?
    Secretary Henderson. Any questions specific to enterprise system 
recovery or redundancy would have to be answered by the Defense Health 
Agency or Program Executive Office Defense Health Modernization System. 
The answer below pertains to the local military treatment center 
actions. Each military treatment facility has contingency response 
plans for how to operate should the electronic health record be 
unavailable. These plans typically include paper-based processes for 
documenting care. There is often a reliance on civilian pharmacy 
networks to fill routine non-urgent medications during an outage, 
should a patient not be able to wait until the system is restored. For 
a prolonged outage, elective care may be delayed or deferred. Much of 
the Military Health System's clinical data is shared with the 
Department of Veterans Affairs (Joint Legacy Viewer) through health 
information exchanges, or replicated in various data warehouses 
(Carepoint, Medical Data Repository, etc). In a prolonged outage these 
data sources may become alternative means to access clinical 
information to support continued operations. Most routine acute care 
can continue simply by collecting background information from the 
patient at the time of care (normal clinical practice). Local recovery 
operations will require care documented on paper or other means to be 
entered into the electronic health record once it becomes available. 
This is commonly accomplished via scanning of paper documentation into 
the record. In a small number of cases, specific data elements may have 
to be transcribed into the record as part of the recovery.
    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? 
How much (if any) of this is a contractor work force?
    Mr. Niemeyer. The responsibility for cyber defense of Navy ICS/
SCADA resides with the local system owners at the installations. System 
owners work closely with Naval Facilities Engineering Command (NAVFAC) 
who is the cybersecurity technical authority for these systems. 
Leveraging a workforce of about 40% contractor and 60% Government 
(military and civilian) worldwide.
    Answer (MCICOM): The responsibility for defensive cyber operations 
of ICS/SCADA systems is Marine Corps Forces Cyberspace Command 
(MARFORCYBER) and its subordinate command, the Marine Corps Cyber 
Operations Group (MCCOG). MARFORCYBER is responsible for the overall 
security, operations, and defense of the Marine Corps Enterprise 
Network. MCCOG performs those duties as the Cyber Security Service 
Provider (CSSP) for the Marine Corps.
    Ms. Stefanik. What coordination takes place with cyber defensive 
teams? Are your service cyber forces familiar enough with local ICS/
SCADA to assist?
    Mr. Niemeyer. Within the Navy, Naval Facilities Engineering Command 
(NAVFAC) regularly coordinates with Navy Cyber Defense Operations 
Command (NCDOC) and their higher headquarters, Navy Fleet Cyber Command 
(FCC). The Navy's Service Defense Teams are aware of U.S. Cyber Command 
tactics, techniques, and procedures (TTP) for ICS/SCADA cybersecurity. 
They regularly receive updates of the latest control systems 
cybersecurity including the development of technological advances and 
procedures.
    Answer (MCICOM): Within the Marine Corps coordination between cyber 
defensive teams, the local IT and the local ICS/SCADA operators 
currently occurs on an ad-hoc basis. This is absent the adoption of an 
Enterprise Architecture which can provide visibility of the local FRCS 
networks to a dedicated Cyber Security Service Provider (CSSP) network 
operations center, similar to those that exist for the Marine Corps 
Enterprise Network (MCEN). Cyber forces are engaged at the stakeholder 
level in the developing of this Enterprise Architecture and aware of 
the need to standup expertise for ICS/SCADA. The service cyber forces 
have a very limited familiarity with ICS/SCADA systems, and training 
for cyber forces on ICS/SCADA is not formalized. Marine Corps Forces 
Cyberspace Command (MARFORCYBER) as the responsible party for 
cybersecurity and Marine Corps Installations Command (MCICOM) as the 
responsible party for the operation of ICS/SCADA are aware of this gap 
and are actively working to address it.
    Ms. Stefanik. Are ICS/SCADA systems subject to the same security 
and accreditation standards as DOD networks are? Or are there 
differences with these so-called ``operational systems''?
    Mr. Niemeyer. Yes, DON ICS/SCADA systems are subject to the same 
DOD Risk Management Framework and security and accreditation standards 
used for information technology systems and networks. Differences for 
ICS and SCADA are addressed in NIST Special Publication 800-82 Revision 
2: Guide to Industrial Control Systems (ICS) Security.
    Ms. Stefanik. Similar to our supply chain concerns with Huawei 
components being in critical defense systems, do we have any concerns 
with foreign components being used within ICS/SCADA hardware? Is this 
something you have surveyed or considered? How are you mitigating this 
concern?
    Mr. Niemeyer. The Department of Navy shares concerns about supply 
chain security across our industrial control systems. Foreign 
components being used within ICS/SCADA pose a significant concern to 
mission critical and essential operational facilities worldwide. To 
survey and mitigate this risk, the DON leverages our Navy and Marine 
Corps Mission Assurance Assessment programs to assess the function and 
resilience of ICS/SCADA systems critical to the performance of DOD 
Mission Essential Functions across the supply chain. To mitigate risk 
in acquisitions, we utilize Defense Federal Acquisition Regulations 
(DFAR) clauses in our contracts. When assessments and monitoring 
determine an elevated risk, we use immediate remediation techniques and 
technical solutions such as disconnecting those systems from the 
internet. To improve our understanding of the issue and maintain 
continuous awareness of the cyber battle space, we are developing 
infrastructure and governance processes to continuously monitor our 
critical ICS/SCADA systems worldwide.
    Ms. Stefanik. One of the other focus areas for the IETC 
subcommittee is science and technology, which is a community that for 
decades has leveraged advances in modeling and simulation and other 
technologies to understand complex and unpredictable problems. With 
respect to climate change and extreme weather events--how are you 
working with the DOD S&T community and academia to understand and 
prepare for extreme weather events, to include modeling and simulation 
and other technologies that could help and develop and enhance 
resiliency for installations and infrastructure?
    Mr. Niemeyer. The DON actively participates with in the DOD's 
Strategic Environmental Research Development Program (SERDP) and 
Environmental Security Technology Certification Program (ESTCP) in 
partnership with DOE, EPA, and academia in the development of research 
and resulting projects focused on ``Resource Conservation and 
Resiliency'' which includes evaluating climate and weather. The DON 
incorporates climate resilience as a crosscutting consideration for our 
planning and decisions making process. As an example the DON is closely 
working with DOD to leverage the U.S. Army Corps of Engineers climate 
exposure tool to analyze climate impacts and natural hazards at 60 DON 
locations (50 sites CONUS and 10 OCONUS), which is planned to be 
complete by September 2020.
    Ms. Stefanik. How are you preparing for emerging technologies such 
as 5G and what will be an exponential increase in IOT devices? In 2017 
we saw some 8.4 billion devices connected to the internet--but by 2020 
it is estimated that we may see up to 75 billion connected devices, 
depending on what estimate you use. This presents tremendous 
opportunity but also significant challenges. Can you outline how you 
are thinking about 5G and this massive increase of IOT?
    Mr. Niemeyer. DON and DOD are collaborating as part of a U.S. 
``Whole of Government'' approach to foster 5G innovations and mitigate 
security risks. We are working with universities and commercial vendors 
(5G infrastructure and handsets) on efforts related to 5G. 
Additionally, the Department of Navy is participating in the 5G study 
with OUSD R&E to test 5G applications on our installations. These 
pilots will enable the evaluation of 5G cyber security risks in 
addition to new attack surfaces that 5G may expose given the wider 
network connectivity (e.g., Internet of Things). Navy continues to make 
significant progress and investments in ``trusted'' HW/SW/networking 
for C2 and combat systems and these solutions are applicable to 5G. One 
example is Network Slicing technology used by the DON to create 
multiple logical networks with different performance characteristics 
overlaid on a single physical network enabling data segregations and 
slice specific security solutions. Slicing is not unique to 5G networks 
but will be an enabler in increasing the security of 5G. If DOD employs 
IOT devices on our installations to create a smart port or smart depot, 
we can use slicing to create partitioned networks for isolating the IOT 
devices from the main enterprise network. Additionally, OUSD (R&E) is 
pursuing measures to add greater protection and resiliency to a network 
that is using slices. We are directly taking on the security risks 
posed by installed equipment manufactured from untrusted companies, by 
publishing guidance by January 2020 for use by installation commanders 
when considering the development of 5G infrastructure on bases and 
ranges. We are also working with States and local communities on the 
establishment of security requirements through state legislation within 
permitting processes to ensure 5G networks around bases and ranges do 
not pose a security risk to critical DON missions. Our goal is to 
ensure the military value of bases in the future are rewarded by the 
development of a secure 5G network.
    Ms. Stefanik. If there was a crippling cyber-attack on one of our 
major installations that took down critical infrastructure such as 
power, or disabled ICS/SCADA systems, can you walk us through how a 
military installation would handle such an incident? What 
responsibilities are within your portfolios, as compared to and 
coordinated with CYBER COMMAND, and those that are providing Service 
Mission Defense Teams, for example?
    Mr. Niemeyer. When personnel with DOD information network (DODIN) 
security responsibilities detect compromise of cyberspace security 
measures, they transition, in accordance with standing authorities 
delegated by the commander, to the cyberspace defense actions of 
Defensive Cyberspace Operations-Internal Defensive Measures to restore 
security to their assigned portion of the DODIN. Their effectiveness in 
making this transition depends upon their level of training and 
resources to detect and respond to threats. If discovery and mitigation 
of malicious cyberspace activity requires expertise beyond that 
available to the network operator and/or the ISP, the cyberspace 
protection teams (CPTs) may respond to provide support conducting 
cyberspace defense actions, either remotely or by deploying to the 
affected location. CPTs perform other tasks to support network 
operators, including penetration testing, security surveys, and 
assessment. National-level CPT support can be extended to defend non-
DOD mission partner or critical infrastructure networks when ordered by 
Secretary of Defense.
    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or 
electricity--we had an attack on the entire Military Electronic Health 
Records System that prevented our military health care installations 
and systems from functioning--similar to the WannaCry attack that 
crippled the U.K.'s National Health Service? Do we have incident 
response plans in effect to deal with these types of cyber incidents 
that could impact our installations?
    Mr. Niemeyer. To ensure warfighters and decision makers have access 
to information systems and data after a disruption, DOD Instruction 
8500.01 requires that DOD Component heads develop Information Systems 
Contingency Plans (ISCPs) and conduct testing to recover information 
system services following an emergency or other disruption. An ISCP is 
the coordinated strategy involving plans, procedures, and technical 
measures that enable the recovery of information systems, operations, 
and data after a disruption. In the Department of Navy, System Owners/
Program Managers are responsible for having an operational ISCP as a 
part of their accreditation approval by the Navy or Marine Corps 
Authorizing Official.
                                 ______
                                 
                   QUESTIONS SUBMITTED BY MR. BROOKS
    Mr. Brooks. In July of 2015, the Government Accountability Office 
issued a report (GAO-15-749) that stated, ``as of February 2015, none 
of the military services had a complete inventory of existing 
Industrial Control Systems.'' It's been four years since that report 
was issued. Does the Office of the Assistant Secretary of Defense for 
Sustainment (OASD(S)) have a complete inventory of existing Industrial 
Control Systems on all DOD installations managed through the Office of 
Facilities Management? Who has responsibility of the Industrial Control 
Systems on an individual installation? Who operates Industrial Control 
Systems on installations--military personnel, Department of Defense 
civilians, or contractors? How has OASD(S) utilized Industrial Control 
System Subject Matter Experts during cyber vulnerability threat 
assessments? Is there a deadline set for all Industrial Control Systems 
on installations managed by the Office of Facilities Management to be 
cybersecure? What is the estimated cost to secure Industrial Control 
Systems across all installations managed by the Office of Facilities 
Management? What is the acquisition plan for software and/or hardware 
to cybersecure Industrial Control Systems? Who within the DOD is 
responsible for that acquisition effort?
    Secretary McMahon. Does the Office of the Assistant Secretary of 
Defense for Sustainment (OASD(S)) have a complete inventory of existing 
Industrial Control Systems on all DOD installations managed through the 
Office of Facilities Management? The Components are developing 
installation-level cybersecurity plans that show their progress towards 
inventorying, assessing, mitigating, and monitoring their ICS. These 
plans address all elements of a control system, such as computer 
hardware, software, and associated sensors, and address the full range 
of infrastructure and facilities across the Department (e.g., 
installation electricity, water, wastewater, natural gas, lighting, 
building heating and air conditioning equipment, building control 
systems, etc.). The DOD Components are required to implement these 
plans and account for an inventory of facility-related control systems 
supporting Defense Critical Assets and Tier 1 Task Critical Assets 
(TCAs), as well as facility-related control systems that are connected 
to DOD networks, are internet-facing and/or stand-alone, and require 
Authorization to Operate (ATO).
    Who has responsibility of the Industrial Control Systems on an 
individual installation? System asset owners have responsibility for 
the Industrial Control Systems on an individual installation.
    Who operates Industrial Control Systems on installations--military 
personnel, Department of Defense civilians, or contractors? Depending 
on the asset and installation, military personnel, DOD civilians, and 
contractors may operate industrial control systems.
    How has OASD(S) utilized Industrial Control System Subject Matter 
Experts during cyber vulnerability threat assessments? Subject matter 
experts are used throughout the Department's effort to secure 
Industrial Control Systems. For instance, subject matter experts from 
industry, the Services, and national laboratories are informing the 
development of a Tested Products List for ICS. The Tested Projects List 
will enable vendors/products to go through cybersecurity testing and 
enable Type Authorization (test once and use many times) in less time 
and at lower cost. DOD's Environmental Security Technology 
Certification Program also funded a number of cybersecurity projects 
associated with Smart Grids, Energy Storage, Heating, Ventilation and 
Air Conditioning, and Cloud/Mobile/Internet of Things that evaluate 
next generation devices and components capabilities and how vendor/
suppliers can meet the new NIST ICS guidelines and standards. DOD also 
created Advanced Cyber Industrial Control System Tactics, Techniques, 
and Procedures (ACI TTP) to enhance the detection, mitigation, and 
recovery of cyber-attacks on control systems and support the training 
of risk assessment teams across the Department.
    Is there a deadline set for all Industrial Control Systems on 
installations managed by the Office of Facilities Management to be 
cybersecure? As required by the FY 2017 NDAA Sec. 1650, ``Evaluation of 
cyber vulnerabilities of DOD critical infrastructure,'' Components are 
responsible for completing an inventory of ICS for defense critical and 
task critical assets by the end of CY2020.
    What is the estimated cost to secure Industrial Control Systems 
across all installations managed by the Office of Facilities 
Management? Estimated costs to secure Facility-Related Control Systems 
across all DOD installations are being collected as part of the POM22 
cycle and will be formalized as a standalone budget exhibit to improve 
the policy and governance of overall DOD investments in ICS security.
    What is the acquisition plan for software and/or hardware to 
cybersecure Industrial Control Systems? Who within the DOD is 
responsible for that acquisition effort? The DOD has taken a number of 
steps to reduce the vulnerabilities and impacts of compromised devices 
and components. The DOD has adopted the NIST SP 800-161 Supply Chain 
Risk Management Practices for Federal Information Systems and 
Organizations and is working with the Defense Industrial Base, 
suppliers and vendors, and other organizations such as the 
International Society of Automation to ensure the implementation of 
appropriate supply chain risk management processes. Additionally, 
cybersecurity has been integrated into installation policy and 
guidance. This guidance requires control systems to incorporate the 
cybersecurity requirements established in the Unified Facilities 
Criteria 4-01-16 and meet cybersecurity risk management framework 
requirements of DOD Instruction 8510.01 Risk Management Framework 
(RMF).
    Mr. Brooks. In July of 2015, the Government Accountability Office 
issued a report (GAO-15-749) that stated, ``as of February 2015, none 
of the military services had a complete inventory of existing 
Industrial Control Systems.'' It's been four years since that report 
was issued. Does the Army currently have a complete inventory of 
existing Industrial Control Systems on all Army installations? Who has 
responsibility of the Industrial Control Systems on an individual 
installation? Who operates Industrial Control Systems on 
installations--military personnel, Department of Defense civilians, or 
contractors? How has your department utilized Industrial Control System 
Subject Matter Experts during cyber vulnerability threat assessments? 
Is there a deadline set for all Industrial Control Systems on Army 
installations to be cybersecure? What is the estimated cost to secure 
Industrial Control Systems across all Army installations? What is the 
acquisition plan for software and/or hardware to cybersecure Industrial 
Control Systems? Who within the Army is responsible for that 
acquisition effort?
    Secretary Beehler. a) Does the Army currently have a complete 
inventory of existing Industrial Control Systems on all Army 
installations? For control systems installed as part new construction, 
renovation, or modernization efforts, as well as the identification of 
control systems discovered during cybersecurity assessments since 2017, 
the Army has a complete inventory. To address the installed base of 
control systems across its infrastructure, the Army has been 
systematically inventorying control systems using priorities as scaled 
in the Army's Cybersecurity Strategy for Facility-Related Control 
Systems. Army expects to have a complete inventory of all Facility-
Related Control systems by 2025. The initial focus of this effort is 
centered on the Army defense critical assets and Tier 1 task critical 
assets as part of the requirements of the FY17 NDAA Section 1650. Army 
Cyber Command (ARCYBER) is the executing authority for the FY17 NDAA 
Section 1650 cyber assessments. The Army continues to make gains in the 
inventory of the installed base of control systems outside of the NDAA 
1650 efforts. Army has identified over 365 control systems, and have 
completed cyber assessments on over 120 of them. Army plans to release 
a Fragmentation Order (FRAGO) to Execution Order (EXORD) 141-18 
directing Army organization to increase efforts on the inventory and 
cyber assessment of FRCS.
    b) Who has responsibility of the Industrial Control Systems on an 
individual installation? All control systems must have an appointed 
owner responsible for the overall procurement, development, 
integrations, modification, or operation and maintenance of the system. 
Primarily those owners are members of the local Installation or 
industrial activity staff.
    c) Who operates Industrial Control Systems on installations--
military personnel, Department of Defense civilians, or contractors? 
The Army control system workforce is a mixture of DOD civilians, 
military, and contractor support.
    d) How has your department utilized Industrial Control System 
Subject Matter Experts during cyber vulnerability threat assessments? 
The Army has chosen to develop a training pipeline and equip teams to 
support FY 17-NDAA 1650 assessments for critical infrastructure. We are 
also developing an ICS Red Team capability under the Army Corps of 
Engineers, and have executed several missions with Cyber Protection 
Teams and USACE infrastructure. In most cases, the ICS/SCADA systems 
are connected to, controlled, and managed by more traditional IT 
systems, resulting in a training cross over from more traditional 
defensive cyber operations to ICS/SCADA networks.
    e) Is there a deadline set for all Industrial Control Systems on 
Army installations to be cybersecure? Based on priorities as scaled in 
the Army's Cybersecurity Strategy for Facility-Related Control Systems. 
Army's expects to complete the assessment of all Facility-Related 
Control systems by 2025. The initial focus of this effort is centered 
on the Army defense critical assets and Tier 1 task critical assets as 
part of the requirements of the FY17 NDAA Section 1650. Army Cyber 
Command (ARCYBER) is the executing authority for the FY17 NDAA Section 
1650 cyber assessments. To date ARCYBER has completed 11 of 26 cyber 
assessments IAW the NDAA 1650, and expects to complete all assessments 
by the December 2020 deadline.
    f) What is the estimated cost to secure Industrial Control Systems 
across all Army installations? The completed cyber assessments are 
providing critical insight to the challenges of securing control 
systems and will inform mitigation prioritization effort. While the 
total cost for expected modernization and changes is difficult to 
determine at this point, based on existing assessments, hardware 
replacement and software upgrades will be required.
    g) What is the acquisition plan for software and/or hardware to 
cybersecure Industrial Control Systems? Since 2017, Army has integrated 
cybersecurity into its Installation policy and guidance. This guidance 
requires control systems to incorporate the cybersecurity requirements 
established in the Unified Facilities Criteria 4-010-16 and meet 
cybersecurity risk management framework requirements of DOD Instruction 
8510.01 Risk Management Framework (RMF).
    h) Who within the Army is responsible for that acquisition effort? 
Acquisition is largely decentralized. Control systems are generally 
locally budgeted, acquired, maintained, and operated at each 
Installation. However, Army guidance requires control systems to 
incorporate the cybersecurity requirements established in the Unified 
Facilities Criteria 4-010-16 and meet cybersecurity risk management 
framework requirements of DOD Instruction 8510.01 Risk Management 
Framework (RMF).
    Mr. Brooks. In July of 2015, the Government Accountability Office 
issued a report (GAO-15-749) that stated, ``as of February 2015, none 
of the military services had a complete inventory of existing 
Industrial Control Systems.'' It's been four years since that report 
was issued. Does the Air Force currently have a complete inventory of 
existing Industrial Control Systems on all Army installations? Who has 
responsibility of the Industrial Control Systems on an individual 
installation? Who operates Industrial Control Systems on 
installations--military personnel, Department of Defense civilians, or 
contractors? How has your department utilized Industrial Control System 
Subject Matter Experts during cyber vulnerability threat assessments? 
Is there a deadline set for all Industrial Control Systems on Air Force 
installations to be cybersecure? What is the estimated cost to secure 
Industrial Control Systems across all Air Force installations? What is 
the acquisition plan for software and/or hardware to cybersecure 
Industrial Control Systems? Who within the Air Force is responsible for 
that acquisition effort?
    Secretary Henderson. The Army is developing its own inventory of 
their installation's control systems. The Air Force has conducted a 
front-end inventory of Civil Engineer systems across Active Duty bases 
and the Air National Guard has started a similar effort. The scope of 
the inventory does not include end-devices but focuses on the number of 
different control system types at an AF base (e.g. the Energy 
Management Control System is counted as one--the count is not every 
facility's HVAC, etc.). The installation commander has authority over 
all control systems on an Air Force installation, and the operation and 
maintenance of Civil Engineer-owned Facility Related Control Systems is 
conducted by the Civil Engineer Squadron. The operation of control 
systems is specific to each base, but includes all three categories 
(military personnel, Department of Defense civilians, and contractors). 
The Air Force Civil Engineer community has established partnerships 
with Idaho National Labs through their fellowship program, National 
Security Agency through assessment expertise, and Sandia National Labs 
through a Joint Capability Technology Demonstration. The Air Force is 
using a continual process improvement approach as cybersecurity is a 
constantly evolving issue. Total security is unattainable. The Air 
Force is using a risk-based approach to focus resources on 
cybersecurity that enable Department of Defense and Air Force core 
missions. The approach is to identify and mitigate the cyber 
vulnerabilities of the Air Force's highest-priority critical assets and 
supporting infrastructure that enable Combatant Command warfighting 
capabilities. Acquisition of control systems requires a partnership 
with industry who designs the system architecture. Our plan is to 
collaborate with industry and to produce standards for requirements 
development and contract language in order to mature the resiliency of 
Industrial Control Systems. Acquisition authority resides with SAF/AQ, 
but each system owner develops the requirements for every contract. A 
team approach will be needed to ensure we obtain cyber resilient 
systems and some clauses exist while striving to improve.
    Mr. Brooks. In July of 2015, the Government Accountability Office 
issued a report (GAO-15-749) that stated, ``as of February 2015, none 
of the military services had a complete inventory of existing 
Industrial Control Systems.'' It's been four years since that report 
was issued. Does the Navy and Marine Corps currently have a complete 
inventory of existing Industrial Control Systems on all Army 
installations? Who has responsibility of the Industrial Control Systems 
on an individual installation? Who operates Industrial Control Systems 
on installations--military personnel, Department of Defense civilians, 
or contractors? How has your department utilized Industrial Control 
System Subject Matter Experts during cyber vulnerability threat 
assessments? Is there a deadline set for all Industrial Control Systems 
on Navy and Marine Corps installations to be cybersecure? What is the 
estimated cost to secure Industrial Control Systems across all Navy and 
Marine Corps installations? What is the acquisition plan for software 
and/or hardware to cybersecure Industrial Control Systems? Who within 
the Navy and the Marine Corps is responsible for that acquisition 
effort?
    Mr. Niemeyer. 1) The DON has developed and is maintaining a 
comprehensive inventory of its Industrial Control Systems through 
several ongoing efforts including: Mission Assurance Assessments, Cyber 
Hygiene Assessments, Building and Utility Control System Implementation 
Plan Assessments, and ICS authorization and accreditation.
    2) On an individual U.S. Navy installation, responsibility of ICS/
SCADA falls to the system owner, who also has the responsibility for 
managing its operations. Within the Marine Corps. MCICOM is responsible 
for the secure operation of ICS/SCADA.
    3) Navy ICS/SCADA systems are operated by leveraging a workforce 
about 40% contractor and 60% Government (military and civilian) 
worldwide. The Marine Corps is still developing its workforce 
capability but expects to use a mix of military, civilian and 
contractor resources.
    4) Navy and Marine Corps ICS/SCADA Subject Matter Experts are an 
integral members of the Cyber Vulnerability Threat Assessment Team 
providing architectural knowledge and validating recommendations and 
mitigations.
    5) Both Navy and Marine Corps have taken a deliberate phased 
approach to securing ICS/SCADA worldwide. The Navy is currently on 
track with securing the most critical infrastructure first and plan to 
be complete with this first phase by the end of FY21. The Marine Corps 
plan all of its ICS/SCADA cyber secure by the end of FY25.
    6) The Navy and Marine Corps have taken a deliberate phased 
approach to securing ICS/SCADA worldwide. The Navy is currently on 
track with securing the most critical infrastructure first and plan to 
be complete with this first phase by the end of FY21. The Marine Corps 
plan all of its ICS/SCADA cyber secure by the end of FY25.
    7) The DON does not have a final cost estimate to secure all ICS 
across all Navy and Marine Corps installation, but instead is focusing 
its resources on mitigation of its most critical risks as outlined in 
DON facility related control system plans.
    8) DON is pursuing policies for standardizing control systems at 
the installation level as way to reduce cybersecurity and lifecycle 
control system modernization costs.
    9) NAVFAC is leading the acquisition efforts in their role as the 
ICS/SCADA acquisition and technical authority. Marine Corps intends to 
purchase necessary hardware and software through Navy and Marine Corps 
acquisition avenues based on best value.
                                 ______
                                 
                     QUESTIONS SUBMITTED BY MR. KIM
    Mr. Kim. Please describe the top lessons you learned from the 
black-start exercises.
    Secretary McMahon. As indicated in the National Defense Strategy, 
resilient forces and facilities are a critical component of deterring 
and defeating adversaries. The Energy Resilience Readiness Exercises, 
also referred to as black-start exercises, executed by the DOD in 
collaboration with its Components are designed to ensure military 
installations are energy resilient and have the power they need to 
operate their critical missions in the event of a disruption. The four 
exercises completed to date have provided invaluable lessons learned 
that fall within four key areas. First, we've learned that unknown 
interdependences exist between the energy systems and other systems on 
our installations, such as communications and life, health, and safety 
systems. Second, full operational testing and exercises ensure that all 
critical building loads (e.g., elevators, emergency signs/lights, SIPR 
doors, etc.) are on the backup system when power is disrupted. Third, 
military installations lack the appropriate resourcing strategy for 
interior electrical systems contributing to energy resilience, such as 
purchases of transfer switches and uninterruptable power systems as 
well as insufficient resources needed for facility engineers to 
maintain these systems. Last, the exercises provided information to 
prioritize energy resilience gaps to remediate risks and 
vulnerabilities that would prevent mission degradation or failure. The 
DOD is addressing these gaps through our Installation Energy Plans 
process to identify the most cost-effective solutions that provide the 
maximum benefit towards improving energy resilience and mission 
readiness.
    Mr. Kim. What have you done to implement lessons learned from 
black-start exercises?
    Secretary McMahon. The DOD has taken the lessons learned from the 
Energy Resilience Readiness Exercises (ERRE) and developed several 
solutions for closing gaps, reducing risk, and enhancing our energy 
resilience posture across the Department. The Department works with 
each of its Components to develop solutions to addressing these gaps. 
This is accomplished by coordinating with the Services to document gaps 
and necessary mitigations in each installation's Installation Energy 
Plan and ensure that solutions are implemented a timely and effective 
manner. The DOD has also developed ERRE framework guidance which 
provides the Components the necessary policy statement to resource and 
to continue to routinely perform exercises and to monitor the 
effectiveness of implemented energy resilience solutions. Lastly, the 
Department plans to enhance the ERRE framework and augment future 
exercises with additional elements, such as simulated cyber-attacks. 
These efforts promote specific actions that all installations can take 
to identify and mitigate mission-related risks and enhance energy 
resilience.
    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint 
Base McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve 
as a staging area for FEMA. In the event of future natural disasters or 
cyber-attacks, the destruction will not be limited to just bases; what 
are you doing to work with FEMA and other organizations to prepare? Are 
there any tabletop/real world exercises planned?
    Secretary McMahon. DLA is synched with FEMA, USNORTHCOM, NGB, etc. 
on disaster preparedness plans. We participate in FEMA's yearly 
exercises such as the 2019 Hurricane Preparedness Exercise conducted in 
July 2019 based on the 2017 Hurricane Maria that devastated Puerto 
Rico. FEMA has begun the initial planning for a Utah Wasatch earthquake 
exercise in May 2020 and FEMA's Binary Blackout Exercise as part of 
Eagle Horizon. DLA will participate in both exercises. DLA also 
participates in FEMA's annual Senior Leader Seminar along with U.S. 
Army Corps of Engineers. We utilize disaster lessons learned and 
planned exercises to develop and refine our Pre-scripted Mission 
Assignments so they are current for quick menu use during hurricane 
season and any natural disasters. The exercises revolve around 
preparedness and DLA's ability to support through commodities such as 
food, water, cots, generators, and fuel to name a few. We also execute 
quarterly USNORTHCOM DSCA Executive Seminars. Although Eagle Horizon 
and Binary Blackout will address cyber issues, exercises previously 
executed have not specifically addressed cyber issues or the resiliency 
of military organizations.
    Mr. Kim. Please describe the top lessons you learned from the 
black-start exercises.
    Secretary Beehler. Energy Resilience Readiness Exercises (ERREs) 
have enabled installations to uncover hidden dependencies among 
critical systems. Backup energy infrastructure often exists in 
configurations that are either unknown or not documented. The ERREs 
provide verification of backup energy system configurations including: 
identification of critical facilities that do not have backup 
generation, confirmation that all critical loads are connected to 
backup generation circuits, and evaluation of outage recovery 
processes. Planning for an ERRE forces discussions to happen amongst 
various internal and external stakeholders. The planning supports clear 
determination of critical load requirements, and documentation of back 
start procedures and emergency response plans.
    Mr. Kim. What have you done to implement lessons learned from 
black-start exercises?
    Secretary Beehler. Energy Resilience Readiness Exercises (ERREs) 
have helped installations identify deficiencies in backup power 
capabilities in the event of a wide spread grid outage. The scope and 
scale of deficiencies varies and installations are working to address 
both near-term and longer-term mitigation actions. In the weeks and 
months following the ERREs, installations have taken immediate action 
to address deficiencies like re-assigning backup generators to better 
align with critical facilities; purchasing new uninterruptible power 
supply (UPS) systems for mission-essential equipment; and updating 
maintenance and emergency response procedures with privatized utility 
providers. Additional deficiencies identified during the ERREs require 
more significant technical solution development (engineering design) or 
larger capital investment. These projects are being included for action 
in the Installation Energy and Water Plans (IEWPs). The IEWPs provide 
an installation-wide prioritized list of actions to address energy and 
water resilience gaps and will guide both appropriated and third-party 
funding project investment.
    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint 
Base McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve 
as a staging area for FEMA. In the event of future natural disasters or 
cyber-attacks, the destruction will not be limited to just bases; what 
are you doing to work with FEMA and other organizations to prepare? Are 
there any tabletop/real world exercises planned?
    Secretary Beehler. In December 2006, the Joint Requirements 
Oversight Council Memorandum (JROCM) 263-06 established requirements 
for the National Guard Bureau (NGB) and USNORTHCOM to establish a 
National Guard (NG) joint interagency training program that included 
four regional NG command post exercises annually. As a result of this 
requirement, the NGB and USNORTHCOM developed the Vigilant Guard (VG) 
Joint Exercise Program. VIGILANT GUARD is a USNORTHCOM Joint Exercise 
Program conducted in conjunction with NGB. The VG program provides an 
opportunity for State National Guard Headquarters, State Joint Task 
Forces and Field Units to improve command and control and operational 
relationships with Federal, Regional, State, and Local civilian and 
military partners. Routine participants in VG exercises include:
      State Joint Force Headquarters (JFHQs) and Joint Task 
Forces (JTFs) per DOD Directive 5105.83
      State emergency management agencies and City/County 
emergency operations centers
      National Guard Reaction Forces (NGRFs), Civil Support 
Teams (CSTs), CBRNE Enhanced Response Force Packages (CERFPs), and 
Homeland Response Forces (HRFs)
      Various Federal civilian partners (e.g., DHS, FEMA) and 
Federal military partners (e.g. USNORTHCOM, ARNORTH) as dictated by the 
scenario.
    The NGB also establish the Special Focus Joint Exercise (SFE) 
Program. The SFE is a NGB full scale exercise that enables Joint NG and 
interagency operations at the local, state and regional level, 
emphasizing how the participants establish liaison relationships within 
the Incident Command Structure. Routine participants in the SFE 
exercises include:
      State Agencies
      Federal Civilian Partners (e.g., DOE, DHS,FEMA, USCG)
      Federal Military Partners (e.g., ARNORTH)
      State emergency management agencies and City/County 
emergency operations centers, and Incident Management Teams
      Local/State Civilian Partners (e.g., Police, Fire)
      Regional Response Partners (e.g., SAR teams)
      Volunteer Organizations in Disasters
      Non-Governmental Organizations
      Private Sector Partners
      Faith Based Groups
    Additionally, in an effort to meet the requirements outlined in 
JROCM 263-06, the NG, in conjunction with USNORTHCOM, participates in 
the National Exercise Program (NEP). NEP is a two-year cycle of 
exercises across the nation that examine and validate capabilities in 
all preparedness mission areas. Within the program, FEMA facilitates 
National Level Exercises (NLE) built upon real-world incidents to make 
sure that our nation is better prepared when the next disaster strikes. 
These exercises are whole of community engagements.
    Mr. Kim. Please describe the top lessons you learned from the 
black-start exercises.
    Secretary Henderson. The Air Force recently completed two planned 
Energy Resilience Readiness Exercises (ERREs) at Hanscom Air Force Base 
(AFB) and Vandenberg AFB. Both exercises went very well, and the final 
reports on these are due to OSD in March of 2020. At this time, the 
findings are preliminary and general, but the Air Force would 
appreciate the opportunity to provide a more-detailed briefing on our 
lessons learned after we have had the opportunity to fully assess the 
outcomes from these exercises. In general, it is clear that these ERREs 
identified asset interdependencies that will enable the installation to 
better-prepare for and recover from energy disruptions in the future.
    Mr. Kim. What have you done to implement lessons learned from 
black-start exercises?
    Secretary Henderson. The Air Force is still awaiting the full 
analysis and report from the Hanscom AFB ERRE. Upon receipt of that 
report and the results of the Vandenberg ERRE later this fall, SAF/IEE 
will look for patterns and lessons learned to implement across 
installations. The results of these lessons learned may be incorporated 
into Installation Energy Plans (IEPs) or specific project 
recommendations on Hanscom or Vandenberg AFBs. Currently USAF policies 
or procedures have not changed as a result of the Hanscom AFB ERRE. The 
ERREs help baseline readiness posture installation by installation, and 
the Air Force will need to complete more exercises across the 
enterprise before changes to policy are enacted.
    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint 
Base McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve 
as a staging area for FEMA. In the event of future natural disasters or 
cyber-attacks, the destruction will not be limited to just bases; what 
are you doing to work with FEMA and other organizations to prepare? Are 
there any tabletop/real world exercises planned?
    Secretary Henderson. The Department of Defense actively supports 
and participates in FEMA's National Level Exercise program, which 
promotes preparedness and response to catastrophic events across the 
federal agencies.. For example, Ardent Sentry is an annual North 
American Aerospace Defense Command and U.S. Northern Command exercise 
that is part of the Federal Emergency Management Agency's national 
level exercise. Each year a different event type is exercised using a 
mock catastrophic event (such as Atlantic Hurricane, Southern 
California Earthquake, Cascadia Subduction Zone Earthquake, New Madrid 
Seismic Zone Earthquake, 10kt Nuclear Detonation, and Alaska 
Earthquake). The Air Force and other military departments participate 
in a supporting role to Federal Emergency Management Agency in these 
exercises. In addition, Air Force forces may be provided to a combatant 
commander for directed exercises designed to improve force readiness to 
accomplish Defense Support of Civil Authorities related operations. 
Finally, Air Force Emergency Preparedness Liaison Officers participate 
in local, state, and regional exercises.
    Mr. Kim. Please describe the top lessons you learned from the 
black-start exercises.
    Mr. Niemeyer. The DON has taken a deliberate approach to black 
starts, investing in tabletop exercises and comprehensive mission 
assurance assessments as a precursor. DON has partnered with 
OASD(Energy) and the Massachusetts Institute of Technology-Lincoln Labs 
to conduct dozens of tabletop energy resilience assessments at multiple 
installations in California, Washington State, Pennsylvania, Virginia 
as well as overseas in Guam and Italy. Theses tabletop exercises 
simulate a multi-state outage of the electrical grid for 30-days while 
the installation maintains a state of constant readiness. From these 
exercises, we learned that installations often do not have a perfect 
understanding of the energy requirements, generation and distribution 
needed to sustain operations over many weeks. Installations also 
currently operate with unknown risks and interdependencies to systems 
and missions, and more work is necessary to ensure installations have a 
comprehensive site picture of the energy system capabilities during a 
real outage. Moving forward, the DON is planning a large and several 
smaller scale exercises in 2020 at MCAS Miramar, MCB Butler and Camp 
Lejeune.
    Mr. Kim. What have you done to implement lessons learned from 
black-start exercises?
    Mr. Niemeyer. The DON is implementing the lessons learned from our 
tabletop exercises through our established Mission Assurance Program. 
DON's Mission Assurance Program provides an integrative framework and a 
process to protect or ensure the continued function and resilience of 
capabilities and assets critical to the performance of Department of 
Defense mission-essential functions in any operating environment or 
condition.
    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint 
Base McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve 
as a staging area for FEMA. In the event of future natural disasters or 
cyber-attacks, the destruction will not be limited to just bases; what 
are you doing to work with FEMA and other organizations to prepare? Are 
there any tabletop/real world exercises planned?
    Mr. Niemeyer. The DON is implementing the lessons learned from our 
tabletop exercises through our established Mission Assurance Program. 
DON's Mission Assurance Program provides an integrative framework and a 
process to protect or ensure the continued function and resilience of 
capabilities and assets critical to the performance of Department of 
Defense mission-essential functions in any operating environment or 
condition.
                                 ______
                                 
                QUESTIONS SUBMITTED BY MS. TORRES SMALL
    Ms. Torres Small. During the hearing Congresswoman Torres Small 
discussed the aging infrastructure at White Sands Missile Range. In 
particular, she discussed an information systems facility built in 
1962. The facility serves as the gateway for all communications and 
data to the outside world, and houses critical equipment providing 
support for administrative command and control and testing and 
evaluation users. The facility is relied upon to provide critical 
support for modern missile testing ranging from the Standard Missile-2 
and Patriot Missile System-3 to next generation weapon systems. Can you 
please speak to how conducting operations in a 57-year-old facility 
could stunt the efforts for maximizing installation resiliency? How 
does this impact our cyber security?
    Secretary Beehler. Currently, the Information System Facility (ISF) 
operates out of ten separate buildings located at WSMR. Each assigned 
building has undergone varying levels of retrofit to accommodate the 
current ISF mission. Current geographically separated space is 
suboptimal and in regard to facilitating the operational synergy 
required for 24-hour information management and the necessary workforce 
fusion required for network defense and security. The Army assesses 
risks and needs in determining where to allocate funds for military 
construction (MILCON) and facility sustainment, restoration and 
modernization. At this time, the ISF project will compete for funding 
in FY21.