b"<html>\n<title> - [H.A.S.C. No. 116-46] RESILIENCY OF MILITARY INSTALLATIONS TO EMERGING THREATS</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n                                     \n \n                         [H.A.S.C. No. 116-46]\n\n        RESILIENCY OF MILITARY INSTALLATIONS TO EMERGING THREATS\n\n                               __________\n\n                             JOINT HEARING\n\n                               before the\n\n   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES\n\n                          meeting jointly with\n\n                       SUBCOMMITTEE ON READINESS\n\n                                 of the\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                            OCTOBER 16, 2019\n\n\n                                     \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n              U.S. GOVERNMENT PUBLISHING OFFICE \n 39-804                 WASHINGTON : 2020 \n\n\n\n                                     \n  \n\n   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES\n\n               JAMES R. LANGEVIN, Rhode Island, Chairman\n\nRICK LARSEN, Washington              ELISE M. STEFANIK, New York\nJIM COOPER, Tennessee                SAM GRAVES, Missouri\nTULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana\nANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas\nRO KHANNA, California                AUSTIN SCOTT, Georgia\nWILLIAM R. 
KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee\nANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin\nCHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida\nJASON CROW, Colorado, Vice Chair     DON BACON, Nebraska\nELISSA SLOTKIN, Michigan             JIM BANKS, Indiana\nLORI TRAHAN, Massachusetts\n                Shannon Green, Professional Staff Member\n                Peter Villano, Professional Staff Member\n                         Caroline Kehrli, Clerk\n\n                                 ------                                \n\n                       SUBCOMMITTEE ON READINESS\n\n                  JOHN GARAMENDI, California, Chairman\n\nTULSI GABBARD, Hawaii                DOUG LAMBORN, Colorado\nANDY KIM, New Jersey, Vice Chair     AUSTIN SCOTT, Georgia\nKENDRA S. HORN, Oklahoma             JOE WILSON, South Carolina\nCHRISSY HOULAHAN, Pennsylvania       ROB BISHOP, Utah\nJASON CROW, Colorado                 MIKE ROGERS, Alabama\nXOCHITL TORRES SMALL, New Mexico     MO BROOKS, Alabama\nELISSA SLOTKIN, Michigan             ELISE M. STEFANIK, New York\nVERONICA ESCOBAR, Texas              JACK BERGMAN, Michigan\nDEBRA A. HAALAND, New Mexico\n               Jeanine Womble, Professional Staff Member\n                Dave Sienicki, Professional Staff Member\n                          Megan Handal, Clerk\n                          \n                            C O N T E N T S\n\n                              ----------                              \n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nGaramendi, Hon. John, a Representative from California, Chairman, \n  Subcommittee on Readiness\nLamborn, Hon. Doug, a Representative from Colorado, Ranking \n  Member, Subcommittee on Readiness\nLangevin, Hon. 
James R., a Representative from Rhode Island, \n  Chairman, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities\nStefanik, Hon. Elise M., a Representative from New York, Ranking \n  Member, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities\n\n                               WITNESSES\n\nBeehler, Hon. Alex A., Secretary of the Army for Installations, \n    Energy, and the Environment, U.S. Army\nHenderson, Hon. John W., Assistant Secretary of the Air Force for \n    Installations, Environment, and Energy, U.S. Air Force\nMcMahon, Hon. Robert H., Assistant Secretary of Defense for \n    Sustainment, Office of the Secretary of Defense\nNiemeyer, Hon. Lucian, Acting Assistant Secretary of the Navy for \n    Energy, Installations and the Environment, U.S. Navy\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Beehler, Hon. Alex A.\n    Garamendi, Hon. John\n    Henderson, Hon. John W.\n    Lamborn, Hon. Doug\n    Langevin, Hon. James R.\n    McMahon, Hon. Robert H.\n    Niemeyer, Hon. Lucian\n    Stefanik, Hon. Elise M.\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Brooks\n    Mr. Kim\n    Ms. 
Stefanik\n    Ms. Torres Small\n        RESILIENCY OF MILITARY INSTALLATIONS TO EMERGING THREATS\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n     Subcommittee on Intelligence and Emerging Threats and \n    Capabilities, Meeting Jointly with the Subcommittee on \n                                                 Readiness,\n                       Washington, DC, Wednesday, October 16, 2019.\n    The subcommittees met, pursuant to call, at 2:55 p.m., in \nroom 2118, Rayburn House Office Building, Hon. James R. \nLangevin (chairman of the Subcommittee on Intelligence and \nEmerging Threats and Capabilities) presiding.\n\n OPENING STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE \n FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND \n               EMERGING THREATS AND CAPABILITIES\n\n    Mr. Langevin. The subcommittee will come to order. I want \nto welcome everyone to this joint hearing today with the Armed \nServices Subcommittee on Intelligence and Emerging Threats and \nCapabilities and the Readiness Subcommittee. Today we will \nexamine the resiliency of our military installations to \nemerging threats. Holding this hearing has been a priority of \nthe subcommittee for the past several months, and I want to, in \nparticular, thank Ranking Member Stefanik for her bipartisan \ncooperation to this hearing, and also I am thankful to my \nfriends Chairman Garamendi and Ranking Member Lamborn for \nworking so diligently in making this hearing possible.\n    So we are here today to ensure the Department is prepared \nto account for and address vulnerabilities--physical and \ndigital--to our military installations at home and overseas. 
\nThis includes the effects of climate change, energy dependence, \nland management, and cyber incidents, among others, on the \nthreat assessments, resources, and readiness of our Nation's \nmilitary. This also includes the risk to conducting operations \nboth today and in the future.\n    This subcommittee as well as the Readiness Subcommittee \nhave conducted rigorous oversight into installation resilience, \nbut I continue to be concerned about what the Department is \ndoing to ensure our installations are able to withstand ever-\nincreasing threats from malicious cyber activities and severe \nclimate events among other things. When it comes to our Armed \nForces, we as a Nation have not given these threats to our \ninstallations the attention that they deserve. So I would like \nto remind those in attendance that this hearing marks 1 year \nsince the Department suffered nearly $10 billion in damage from \njust two extreme weather events at Tyndall Air Force Base and \nCamp Lejeune.\n    Now, I could not think of better examples of the perils our \ndefense infrastructure faces from climate change, perils that \nwill only increase as we pump more greenhouse gases into our \natmosphere. So our committee has acted on a bipartisan basis to \nacknowledge these risks, but I must say I am disappointed in \nthe Department's response to our oversight. By way of example, \nthe initial accounting of at-risk bases we received did not \neven include Camp Lejeune or Tyndall Air Force Base at all. If \nthose are the low-risk bases, one can only wonder what we are \nlikely to see soon from the installations the Department \nidentified as being of particular concern. 
So we need a clear \naccounting of the risks, with dollar figures attached, or else \nwe will continue the cycle of throwing good money after bad, \nwhich is not only fiscally irresponsible, but places our \nservice members and readiness at risk.\n    So I also want to make it clear to everyone that we will be \nholding an IETC [Intelligence and Emerging Threats and \nCapabilities] Subcommittee hearing specific to the emerging \nthreat of climate change later this year.\n    Now, in addition to the threats posed by extreme climate \nevents, the threats presented by attacks on cyber and energy \ninfrastructure, by both state and nonstate actors, continue to \ngrow and evolve at a rapid pace. So, these threats can target \ncritical infrastructure on our military installations, \nincluding electric grid, water supply, or even medical \nfacilities. An attack on our electric grid could have profound \neffects on the ability of the force to carry out critical \nmissions. So we must increase the resilience of operational \ntechnology on installations, ensure we sufficiently focus on \nsecuring cyber-physical systems as well as traditional IT \n[information technology] infrastructure. So I am interested in \nhearing more about how the Department is building cyber \nresilience at installations at home and abroad.\n    It is incumbent upon the Department and Congress to ensure \nthat we are properly preparing for these threats to \ninstallations, and I look forward to hearing from our witnesses \non this topic. Before I turn to Ranking Member Stefanik, in the \ninterest of time it has been agreed upon with the chairs and \nranking members of the committee that we are going to forgo the \nwitnesses' statements, since we have those for the record, and \nwe are going to be going right into questions. 
So, with that, I \nwould like now to turn it over to Ranking Member Stefanik, and \nthen we will, in turn, hear from Chairman Garamendi and also \nRanking Member Lamborn for their remarks.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 41.]\n\nSTATEMENT OF HON. ELISE M. STEFANIK, A REPRESENTATIVE FROM NEW \nYORK, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE AND EMERGING \n                    THREATS AND CAPABILITIES\n\n    Ms. Stefanik. Thank you, Jim. I would like to start by \nthanking Chairmen Langevin and Garamendi, as well as my fellow \nranking member, Mr. Lamborn, for holding this important hearing \ntoday to discuss resiliency of the Department of Defense \ninstallations and facilities. And welcome, of course, to our \nwitnesses. We have a lot of ground to cover, so I will keep my \nremarks short.\n    As I think about resiliency of military installations and \ninfrastructure, I am concerned about shortfalls in both the \nphysical and digital domains. First, we remain vulnerable to \nextreme weather events and climate change. We have seen these \nevents adversely impact public safety, our economic security, \nand our national security. Our intelligence community continues \nto assess that global environmental degradation and climate \nchange are likely to fuel competition for resources, economic \ndistress, and social discontent across the globe through 2019 \nand beyond. And we continue to experience extreme weather \nevents at home, including in my own district in northern New \nYork.\n    We must, therefore, factor in these environmental changes \nwhen discussing resiliency of military installations, and I \nlook forward to hearing from our witnesses exactly how we are \nplanning for these extreme weather events and climate change.\n    Second, and equally as important, I continue to have \nconcerns about installation and infrastructure vulnerabilities \nin the digital domain. 
Congress, and indeed this very \ncommittee, had the foresight to understand these challenges, \nand 3 years ago we directed the Department to conduct a \ncomprehensive review to evaluate cybersecurity vulnerabilities \nof DOD [Department of Defense] infrastructure. Unfortunately, \nthis review and the subsequent corrective actions remain far \nfrom complete, and we are still incredibly vulnerable to \nattack. I feel we have not yet identified the scale and scope \nof our problems, let alone begun to mitigate our most \nconcerning shortfalls. When we consider resiliency, we must \nremember that advances in information technology, \ncybersecurity, and information assurances are primary \nprerequisites for the future of warfare. These enabling \ntechnologies form the foundation where information and data are \na strategic resource to be protected, preserved, and fully \nactioned. Only then will we be able to leverage evolutionary \nand even revolutionary technologies such as AI [artificial \nintelligence], 5G, high-performance computing, and even quantum \ncomputing. This future begins and ends with our facilities and \ninstallations, which will be our greatest resource or our \nweakest links. I look forward to discussing today how we can \nwork together to ensure that resiliency in both physical and \nthe digital domain is prioritized so that we are prepared for \nthese challenges in our increasingly complex digital age. Thank \nyou, and I yield back.\n    [The prepared statement of Ms. Stefanik can be found in the \nAppendix on page 43.]\n    Mr. Langevin. Thank you, Ranking Member Stefanik.\n    I would like now to turn to the chairman of the Readiness \nSubcommittee, Mr. Garamendi, for his statement.\n\n    STATEMENT OF HON. JOHN GARAMENDI, A REPRESENTATIVE FROM \n        CALIFORNIA, CHAIRMAN, SUBCOMMITTEE ON READINESS\n\n    Mr. Garamendi. Thank you, Jim. 
I really appreciate the \nopportunity to be here with you to work with you on this \nextremely important issue, and your committee and the Ranking \nMember Lamborn, who is on the other side. Installation \nresiliency is the foundation to readiness. Our bases and \ninfrastructure investments must be able to withstand to the \nmaximum extent possible the spectrum of resiliency threats from \nenergy disruption, cyberattack, natural disasters, floods, \nfires, hurricanes, you name it--oh, earthquakes, too.\n    Both of our subcommittees have put in a lot of time into \nthis, and we are going to continue doing it. Over the last \nyear, we have seen the aftermath of extreme weather events such \nas Hurricanes Florence and Michael, and flooding at Offutt, and \nearthquakes at China Lake, and fires along the way, billions of \ndollars of damage. In fact, I think when we add it up, the \nentire year's worth of MILCON [military construction] \nconstruction could be consumed in just four natural disaster \nevents at our bases.\n    Going forward, I know that my committee will insist that we \nbe forward-looking, that we do assessments of the threats, from \nsea-level rise to weather events, and so that even the roofs \nget repaired. You know, maintenance, folks, rather important. \nInstallation resiliency in its broader--is much broader than \nweather resiliency. The recovery from the disasters is equally \nimportant. I am interested in hearing what our witnesses have \nto say, and I want to thank them for their written reports. \nWhen taken together--and perhaps, Mr. McMahon, this is your \ntask, to pull all of these together--if they were all done by \nall departments, it would be a very, very good--not start, but \nwell down the path.\n    I have questions about the Department's preparedness for \nenergy disruptions and cybersecurity. You have just heard that. \nWe want to be sure that we are on top of those issues. 
Energy, \nwater, sanitation, you name it, all of these things are \nimportant and all of this has to be taken into the account that \nwe reduce our dependency and reduce our energy consumption \nalong the way. A lot of things to do. The written testimony is \nexcellent. I ask that all of us pay attention to it, and I \nwould ask the four witnesses, when they go back to their jobs, \nsome of which won't be there very long--we will take that up \nlater--but when you go back, that you read the testimony from \nthe brother and sister services. I think you will find it \nuseful. And then inculcate that into your work. Thank you very \nmuch. I yield back.\n    [The prepared statement of Mr. Garamendi can be found in \nthe Appendix on page 45.]\n    Mr. Langevin. Thank you, Chairman Garamendi, I would like \nto now turn to Ranking Member Lamborn for any comments he may \nhave.\n\nSTATEMENT OF HON. DOUG LAMBORN, A REPRESENTATIVE FROM COLORADO, \n           RANKING MEMBER, SUBCOMMITTEE ON READINESS\n\n    Mr. Lamborn. Well, thank you, Chairman Langevin, Chairman \nGaramendi, and Representative Stefanik for calling this joint \nsubcommittee hearing on such an important topic. Installation \nresilience has always been important to our national defense, \nbut given the dynamic and evolving nature of the threats we \nface, it is becoming even more critical. Most of our \ninstallations rely, at least in part, on power generated in \nnearby communities. At the same time, the Armed Forces have \ninvested significantly in renewable energy. 
I am very \ninterested to hear from our witnesses today regarding their \nefforts to improve energy resilience and efficiency on our \nmilitary installations, as well as to protect it from capable \nand cunning adversaries.\n    Having recently visited all four bases damaged by storms \nand earthquakes that we are addressing in our fiscal year 2020 \nNational Defense Authorization Act, I am also concerned about \ngetting our work done quickly to fund the $5 billion necessary \nfor reconstruction.\n    Without this funding, the critical missions will continue \nto be negatively impacted, including the air sovereignty and F-\n22 training missions at Tyndall Air Force Base; one-of-a-kind \nNavy research testing missions at China Lake; runway \noperations, tanker simulator, and critical missions of the 55th \nWing at Offutt Air Force Base; and the Marines at Camp Lejeune \nand Cherry Point continuing to operate after approximately 800 \nbuildings were compromised, with 500 severely damaged.\n    And we also owe it to our military families to ensure that \nthe privatized military family housing is fully restored. The \ndamage in North Carolina and Florida continue to create a \nburden for these families. So I look forward to hearing from \nour witnesses about how they are ensuring that we plan \neffectively, build to appropriate building codes, incorporate \nlessons learned from recent disasters, and inspect work on new \nconstruction to ensure that it meets specifications. Thank you \nfor your testimony today, and I yield back.\n    [The prepared statement of Mr. Lamborn can be found in the \nAppendix on page 46.]\n    Mr. Langevin. Thank you, Ranking Member Lamborn.\n    With that, now, because again of the delayed start due to \nvotes, we are going to forgo the witnesses' opening statements. \nWe are going to go right into questions. Before doing so, I \nwould like to introduce the individuals that we have with us \ntoday.\n    Mr. 
Robert McMahon, Assistant Secretary of Defense for \nSustainment. Mr. McMahon, it is good to see you again. Thank \nyou for being here. I understand that you are going to be \nleaving the Department next month, and I just want to take this \nopportunity to thank you for your many decades of service to \nthe country both in uniform and in your current role now, and I \nwish you well in your next chapter. Thank you for being here \ntoday.\n    [The prepared statement of Secretary McMahon can be found \nin the Appendix on page 47.]\n    Mr. Langevin. Next, Mr. John Henderson, Assistant Secretary \nof the Air Force for Installations, Environment, and Energy.\n    [The prepared statement of Secretary Henderson can be found \nin the Appendix on page 59.]\n    Mr. Langevin. Next, Mr. Alex Beehler, Secretary of the Army \nfor Installations, Energy, and the Environment.\n    [The prepared statement of Secretary Beehler can be found \nin the Appendix on page 70.]\n    Mr. Langevin. And then also Mr. Lucian Niemeyer, Acting \nAssistant Secretary of the Navy for Energy, Installations and \nthe Environment.\n    [The prepared statement of Mr. Niemeyer can be found in the \nAppendix on page 82.]\n    Mr. Langevin. Thank you all for being here today. I look \nforward to a robust discussion today, and with that, I am going \nto recognize myself for 5 minutes. Members will be recognized \nafter the chairs and ranking members in the order of seniority \nand attendance. So, with that, let me begin.\n    So the climate has changed significantly over the last \ndecade, and--several decades, and it is going to continue \nmore--to change more in the coming years. All of the services \nhave incurred climate-related debt because installations were \nbuilt with risk assessments that did not reflect the reality of \ntoday or the increased threats of the future. 
So my question \nis, what is your assessment of the unmitigated climate risk you \nface in your legacy installations in terms of dollars and \ncents, and what methodologies do you use to determine those \nrisks?\n    Secretary McMahon. Mr. Chairman, I will begin and provide \nmy comments, and I will give my peers the opportunity as well. \nFirst, thank you to you and Chairman Garamendi and both of our \nranking members for the opportunity to be here today to talk \nabout something that is equally as important to Secretary \nEsper, our respective service secretaries, and clearly to the \nfour of us.\n    As we move forward, to your point, as we look out over the \nlast decade or two decades, the challenges and threats that we \nface within our installations have grown dramatically. And as \nyou have pointed out, it is climate. It is the challenge that \nwe also face with regards to natural disasters, whether that be \nearthquakes, whether that be forest fires, whether that be \ndeforestation or drought. In addition, it is the physical--and \nto Congresswoman Stefanik's point--the digital world as well, \nso it is this holistic approach that we have to look at when we \ndeal with it.\n    Specifically to the climate, we have got to acknowledge \nthat the climate is changing, the fact that we have seen, for \nexample, a rise in our seas at the same time that, as we \nconsume water, that we are seeing a degradation in our water \nsupplies and the fact that that is having an adverse effect on \nour soils and our land as well. And so this holistic impact, as \nwe look at the climate, how do we deal with that?\n    We look at the way that we proactively put together our \nstandards, our building standards. They need to be continuously \nupdated as we learn about what is occurring with these natural \ndisasters. How do we update that? 
We need to be more proactive, \nbut we also have to do it in the context that, as we look at \nthe holistic challenges that we face within the Department and \nour installations, that that is just a single portion of it \nthat we have to deal with. And so we have got to be aggressive \nwith it, with new standards and where we have the opportunity \nto infuse those standards, and we do that, but we also have to \ndo it in the context of the broader threat that we face.\n    Mr. Langevin. Do you feel you have an adequate \nunderstanding of the dollars and cents involved?\n    Secretary McMahon. I don't. And to that point, recently I \nhave asked the services to come back with an assessment of what \nthat looks like. What I can tell you is, there is $4 billion \nworth of damage at Tyndall Air Force Base. There is more than \n$4 billion--or roughly $4 billion of damage at China Lake. So, \nas you look at that and try to apply that across the \nenterprise, there is a significant bill out there that I don't \nthink we fully understand or comprehend the full cost of, just \non the facilities, let alone when you start talking about \ncounter-UAS [unmanned aerial systems], when you start talking \nabout cyber, and the other elements, and we can throw EMP \n[electromagnetic pulse] in there as well. And so I don't think \ncollectively we understand what the full assessment is.\n    Mr. Langevin. Well, it is essential that we continue to \ndrill down on this to get our arms around that because the \ntaxpayers deserve no less, the Congress needs to know this \ninformation, and it is the right thing to do for the country \nand the military.\n    Secretary McMahon. Mr. Chairman, I absolutely agree and I \nwould say that all four of us would agree with you, and it is \ngetting our arms around that, and we are on the road to do \nthat.\n    Mr. Langevin. Secretary Beehler, Henderson, Niemeyer, do \nyou have anything else to add?\n    Secretary Beehler. Yes, sir. 
The Army has benefited already \nfrom the fact that the U.S. Army Corps of Engineers has \ndeveloped a climate assessment vulnerability tool using a \nvariety of data from other Federal agencies that are constantly \nbeing refined and updated as they receive more and more data. \nThat tool has been used and will continue to be used on an \nongoing basis by Army installations as they do their every 5 \nyears update in their installation management plans that \ncertainly will address this issue, and they have been basically \nprescribed to do so, as well as the installation, energy, and \nwater management plans that are ongoing for all of the major \nArmy installations. And so, through that exercise, we will \nbegin to get a handle on just exactly what the cost and other \nmeasures needed to be taken to address extreme----\n    Mr. Langevin. When do you think those assessments will be \ncompleted?\n    Secretary Beehler. Well, at the--on the water and--energy \nand water plans, they are in three phases. The first phase, \nwhich covers the major or top critical mission priority \ninstallations of about 22, expected to be done by the end of \nthis calendar year, and then the next tranche within 12 months' \ntime afterwards and the third tranche 12 months after that. The \ninstallation management plans are upgraded and reviewed every 5 \nyears. That covers roughly the 150 Army installations. And so, \ntherefore, you have that incorporated at roughly about 30 \ninstallation plans a year.\n    Mr. Langevin. And then, finally, to that followup, so the \nArmy would then be developing strategies for addressing the \nrisks identified from those assessments?\n    Secretary Beehler. I am sorry, sir. I missed----\n    Mr. Langevin. I said, is the Army then planning to develop \nstrategies once the assessments are completed?\n    Secretary Beehler. Oh, absolutely. And that is the \nwonderful thing about these several efforts that are going on \nsimultaneously. 
Each will help the other to become a greater \ngranularity in a way forward.\n    Mr. Langevin. Well, that is going to be essential for us to \nfollow up on that.\n    Secretary Beehler. Absolutely.\n    Mr. Langevin. I am going to hold there, and now turn to \nRanking Member Stefanik.\n    Secretary McMahon. Mr. Chairman, before you yield on this, \nI would like to add just one point. Secretary Beehler referred \nto the climate tool that is being used by the Corps of \nEngineers. We have just funded for all the services to be able \nto utilize that up to 15 bases stateside and 10 bases overseas \nfor each of the services, recognizing the value of that tool \nand making sure that all the services can benefit from it.\n    Mr. Langevin. Thank you for adding that important point.\n    Ranking Member Stefanik is recognized.\n    Ms. Stefanik. Thank you, I am going to jump right into my \nopening remarks where I referenced our cyber vulnerabilities. \nAs you know, in fiscal year 2017 NDAA [National Defense \nAuthorization Act], section 1650 required a review of those \nvulnerabilities, and this review includes information and \noperational technology such as industrial control systems. So I \nwant to start with OSD [Office of the Secretary of Defense].\n    Mr. McMahon, can you give us an update on where things \nstand with respect to implementation of 1650, and tell us what \nyour role in the capacity of OSD is in overseeing this review \nto ensure we have identified and are correcting cyber \nvulnerabilities? Because my concern is that we have not yet \nidentified the scale and scope of cyber vulnerabilities in our \ninstallations.\n    Secretary McMahon. Congresswoman Stefanik, I would agree \nwith you that we have not fully sized that. As I think you are \naware, the Under Secretary for Acquisition and Sustainment \nEllen Lord has recently brought on an expert, Ms. 
Katie \nArrington, whose purpose is to oversee cybersecurity for the \nDepartment for both acquisition and sustainment. Her focus \nearly on is ensuring that we are considering, as part of the \nsupply chain, what that looks like, but also looking across \nindustrial control systems throughout the Department and is \nleading that effort in conjunction with the CIO [chief \ninformation officer] to give us the appropriate view and \nunderstanding of what the threat is and, more importantly, how \nwe deal with that holistically both on the acquisition and the \nsustainment side.\n    Ms. Stefanik. So, when I ask who the lead for 1650 \nimplementation, it is a combination of Katie Arrington and the \nCIO [Dana] Deasy?\n    Secretary McMahon. As well as in specifically as we get \ninto industrial controls, would be myself.\n    Ms. Stefanik. Okay. So the fiscal year 2017 NDAA was a \ncouple years ago.\n    Secretary McMahon. It was.\n    Ms. Stefanik. And the fact that we are now getting an \nanswer about who is responsible, what has happened in between?\n    Secretary McMahon. I think what I would tell you is there \nhas been a tremendous amount of discussion about what we need \nto do in understanding, characterizing what the threat is, what \nit looks like, the amount of execution, and, to your measure \nand my measure, is what is actually in place, not the level \nthat I would expect to have at this point in time.\n    Ms. Stefanik. So can you provide characterization of what \nthat threat is and what our assessment is?\n    Secretary McMahon. I would be happy to provide that. I \nwould like to take that for the record, to come back to you in \ndetail to answer that.\n    Ms. Stefanik. Okay. I think this highlights again my \nconcern with not even understanding the scale and scope, let \nalone what our mitigation efforts are going to be. 
So I look \nforward to getting that response for the record because again \nwe have had years since that language was written in the fiscal \nyear 2017 NDAA, and I was here when we did that.\n    [The information referred to was not available at the time \nof printing.]\n    Ms. Stefanik. I want to move to Mr. Henderson from the Air \nForce and then Mr. Niemeyer from the Navy. Both of you \naddressed this in your written opening statements. How have you \nboth worked to identify digital vulnerabilities, and how much \nwork would you say remains to be done and when do you expect to \ncomplete the review?\n    Secretary Henderson. I thank you. For the Air Force, there \nhas been a number of assessments going on, and like Mr. \nMcMahon, in the installations portfolio we focus primarily on \nthe industrial controls piece of that assessment. But there \nis--across the Air Force, this crosses a number of staff \nfunctions that are working on this. So, for instance, there is \nseveral cross-functional teams working a number of areas, and I \nam just going to list a few of them just so that--just to give \nappreciation for the group of the breadth of assessment that is \ngoing on. But they are doing full threat assessments going up \nto a very highly classified level. There is actually going to \nbe an Air Force senior leader summit on this. Actually, this \nwork is coming to culminate at a summit here in about 3 weeks \nin the middle of November: these cross-functional assessments \ngoing on with weapons system security, something called the Air \nForce Risk Executive Mission Assurance, which covers 17 \nprograms; supply chain risk management; Air Force control \nsystems, which is a sprint that we are working with, with our \nA4; mission defense teams that are focused on several areas to \ninclude cyber--command cyber readiness inspections; the \nprotection of critical technology; supervisory control and data \nacquisition, or SCADA systems; and so on. 
So there is a large \ngroup of people working in a cross-functional way to address \nthis holistically with the Air Force, and we expect to bring \nthis to our senior leaders here in about 3 weeks, about the \nmiddle of November.\n    Ms. Stefanik. Three weeks, okay. So that would be the \ncomplete review.\n    And, Mr. Niemeyer, from the Navy, you have 30 seconds, \nsorry.\n    Mr. Niemeyer. So what we--I think we are leading the \nservices as far as our ability to enclave some of our critical \nfacilities. We started with what we considered to be our tier 1 \nand tier 2 most critical facilities across Department of the \nNavy. We have already taken steps to separate those critical \ncontrol systems in those facilities, and we are now moving \ntowards the long-term mitigation of those systems. We are also \nlooking at assessments at the next level. We have completed \nhundreds of assessments and started on real-world mitigation \nefforts to start a short term to isolate the problem and work \non long-term solutions.\n    I will tell you, ma'am--I have been spending a lot of time \non this issue--we really need a national policy and a national \nanswer on how we address control system security. I would also \nlike to get to 5G if I can. We are working very aggressively on \nthat, but I am not sure that was the exact intent of your \nquestion, but I would love to get there as well.\n    Ms. Stefanik. So we can get to 5G later on, maybe with a \nsecond round of questions. Again, I just want to highlight my \nconcerns. We wrote the language that was signed into law in the \nfiscal year 2017 NDAA, and it is concerning to me that the \nimplementation has lagged. So we don't even have our arms \naround the scope of this problem, let alone the mitigation. I \nappreciate all the work the service is doing.\n    I yield back.\n    Mr. Langevin. Thank you, Elise. I now recognize the \nchairman of the Readiness Subcommittee, Mr. Garamendi.\n    Mr. Garamendi. 
First, I want to thank, Jim, you and Ms. \nStefanik for the work you have done on cybersecurity. You have \nreally pushed that forward. And I know, Mr. Chairman, you have \nalso pushed the climate issue forward.\n    I want to really go to the documents that the four of you \nhave submitted to the committee. Mr. McMahon, you have kind of \ngiven us a going-away present. And to the services, the same \nthing. If they were to carry out the things that you laid out \nin your memo, we would be well down the line on each and every \none of these. There are some things that are missing, and we \nwill identify those as we go along. Specifically, in the new \nNDAA that is hopefully going to get completed in the very near \nterm, there is a requirement that every base have a plan that \nincludes all that we have talked about here, weather related, \nflood related, other kinds of threats to that base. So we would \nexpect--well, you should expect and your successors should \nexpect, to get what Ms. Stefanik just gave you a few moments \nago, and that is, what have you done about this particular \nissue. Good for her, and for you, not getting it done yet. So I \nwant to just basically put to each of you, among the things \nthat you have written in your--submitted in your testimony, \nwhat is the most important? You don't have to answer the \ncybersecurity. We have already taken care of that piece of it. \nLet's start at this end of the table and then go down. Mr. \nNiemeyer.\n    Mr. Niemeyer. That would be great, thanks so much, Mr. \nChairman, for the question. The most important thing for us is \nstrategic contingency risk. We have a concern worldwide about \nour access to installations, ports, airfields. From a \nresiliency long-term aspect that to us is probably the most \nimportant factor that allows us to continue to project naval \npower to protect the sea lanes and to protect our interests for \nboth ourselves and our allies. 
Right behind that is energy and \nwater security risk, and right behind that is, I would say, \ndata and network risk, and the ability to secure our control \nsystems. Then we have got physical risks. Right now, Department \nof Navy and our sister services are working a counter-drone, \ncounter-UAS strategy, to look at new kinetic threats to our \nbases in addition to traditional ones.\n    And then we also have what we would call an environmental \nrisk, and it is just a range of factors, as you know. We are \ngetting a lot of support from the committee in our response to \nChina Lake. That was an earthquake. You know it is tough to \npredict where the next earthquake is going to happen or the \nnext tornado or the next tsunami. So we are working on \nenvironmental risk from a holistic perspective. We do roll this \nup into what we call a mission assurance framework. I would \nlove to come back and talk to the staff about how we can get \nsome support from the committee on taking the mission assurance \nframework, so we are starting at the most critical facilities \naround the Department of the Navy that support national \nmissions and how we can develop a comprehensive plan to \nidentify the most critical vulnerabilities across the whole \ndomain of threats that face us--not just natural, but we think \nman-made, or adversary threats are much more substantial. How \ndo we address those for each of our critical facilities?\n    Mr. Garamendi. The new NDAA will give you the direction to \ndo that or the requirement to do that. And I would like to know \nwhat you need that you don't presently have to do that, but \nthat will be--come back at us. Mr. Henderson.\n    Secretary Henderson. Yes, thank you. For the Air Force, we \nare doing something called mission threat analysis. 
So, instead \nof doing this threat assessment by base--and a lot of our bases \nhave many different missions on them--we are taking the mission \nitself and looking at the whole mission chain because it takes \na global--it takes a global network of facilities to do some of \nour missions. So we take the full mission, and we look at the \nvulnerabilities there. And there is a whole host of threats, as \nMr. Niemeyer said, and I won't go back through them, but this \nisn't just about cyber or just about weather or just about \nclimate. This is the whole vast array of threats facing our \ninstallations that we have to look at. And so----\n    Mr. Garamendi. I will let you off there.\n    Mr. Beehler.\n    Secretary Beehler. Sir, in addition to what has already \nbeen mentioned by my colleagues of the other two services, the \nArmy also focuses on the fact that, as the National Defense \nStrategy from 2018 has said, that the homeland is no longer a \nsanctuary. And for us that means that our installations are \ndirectly part of the battlespace, of the battlefront, and part \nof the strategic support area. So that is where we----\n    Mr. Garamendi. You have 24 seconds. I am just going to wrap \nup here. I have read that, and I think the rest of us can read \nit also. Here is my point and the reason I asked the question: \nEach of you has set out a set of priorities generally, and then \nyou narrowed it down granularly, the word we use nowadays, to \nspecific actions. Here is what I want you to do for the next \nmonth and a half, and that is read your colleagues' work and \nfigure out what you are not doing that they are doing. And if \nyou would stick around another month and a half, Mr. McMahon, I \nwould ask you to do it also or see that they got it done. There \nis extraordinary opportunity and necessity that your--the other \nservices are involved in that one or the other of you are not \ndoing. 
And so I want you to--the other, you know, get a big pot \nof coffee and sit down and read each other's work. The \nsolutions are all there. And you got to tell us what we need to \ndo to give you the tools to carry out those solutions.\n    With that, I yield back.\n    Mr. Langevin. I thank the gentleman, and now Ranking Member \nLamborn is recognized.\n    Mr. Lamborn. Thank you, Mr. Chairman.\n    Mr. McMahon, I am going to address this to you. Because of \nsake of time, I can't have everyone answer this question, and I \nwant to thank you for your service to our country as you go \ninto, like the chairman said, your next chapter.\n    In my recent visits to survey the damage at Tyndall, \nOffutt, and China Lake, I was struck by how much that advanced \nplanning and up-to-date construction techniques can help \nmitigate when disaster strikes. So what have we learned from \nrecent natural disasters of all types to make things better in \nthe future, for more resiliency? And I am thinking, for \ninstance, of sacrificial first floors. They are doing that at \nOffutt. You don't have all the expensive HVAC [heating, \nventilation, and air conditioning] and computers on the first \nfloor, in case you have a flood. You put them up higher. So \nwhat are some examples of what we are learning?\n    Secretary McMahon. Congressman Lamborn, what I would tell \nyou is, that as we look at the lessons that we have learned, \nthere is a variety of--rather than get into specifics, as you \nlook at we establish our essentially building standards, which \nis a continuous process to update, we take the lessons that we \nlearned from each of these installations, whether it is the \nconstruction, whether it is the roofing, what we are doing on \none floor versus another. 
And roll that in on an annual basis \nto continuously update what those standards are, to ensure that \nas we get to the next either rehab or new construction, that \nthose standards are, in fact, reflected in the way that we \nbuild the facility.\n    Mr. Lamborn. Okay, thank you. And the military has a \nseparate building code that is more stringent than local \nbuilding codes. Is that correct?\n    Secretary McMahon. The standards that we are utilizing in \nmost cases represent either national or State standards, in \nsome cases, lag a little bit on State, but you would have in \nsome cases actually exceed what those States and national \nstandards are.\n    Mr. Lamborn. Okay, thank you. Shifting gears, Mr. Niemeyer, \nI want to drill down on nuclear energy. The Navy has a long and \nstoried history of small nuclear reactors on vessels, starting \n65 years ago, the USS Nautilus was launched. So what can you \ntell us about micro reactors, about their safety and their \neffectiveness?\n    Mr. Niemeyer. So we are working with other services and OSD \nto partner up with the Department of Energy on a couple of \ninitiatives. We believe that there is a future for micro \nnuclear technology within the services. And there is a concern \nwithin the Navy about staying in what I would call the white \nworld, as far as the technology. But we do believe that there \nare vendors out there, there are technologies out there, that \nultimately could be used on a military installation to island \nthat installation off of commercial power, particularly where \nwe have critical assets, and run it on a very micro reactor, \nabout 5 to 10 meg [megawatt] of electricity, plus another 10 \nmeg of thermal, and continue to run that critical asset without \nany concern about having the commercial rig go down. So we \nbelieve there is a near-term and mid-term goals to get to that, \nand we continue to work with OSD. 
Bob's been putting a lot of \neffort into it and his staff to try to get those vendors to us, \ntalk to us, and eventually get the technology incorporated.\n    Mr. Lamborn. And we don't have Yucca Mountain figured out \nyet. So, with some of the nuclear waste that is in storage, is \nit possible that some of these new designs can actually use \nwhat currently is stored uselessly?\n    Mr. Niemeyer. With some adjustments, I think that is one of \nthe things we are most concerned about, is, what is the fuel \nsource going to be? There is an opportunity to deplete uranium. \nWe are asking the vendors that very question: Where would you \nget it from? What would we need to do to make it useful? Those \nare the things that we are working with not just the vendors \nbut with the NRC [Nuclear Regulatory Commission] in trying to \ncome up with a plan moving forward.\n    Mr. Lamborn. Okay, thank you.\n    And, Mr. McMahon, I will finish with you. What are we doing \nwith not just natural disasters but attacks on our physical \ninfrastructure? We have talked about cyberattacks, but kinetic \nattacks or cyberattacks going against the electrical grid; EMP \nis a possibility that is out there. What are some things we are \ndoing to protect the physical infrastructure?\n    Secretary McMahon. When you talk about physical, one of the \nthings we have not yet mentioned is the UAS threat that we face \nat all of our installations and how is it that we can create \nthe counter-UAS capability. Secretary Lord has taken that on \nfor the Department, with regards to small counter-UAS activity. \nWe have--the Joint Staff is working larger issues, but that is, \nhow do I protect my installation? With regards to EMP, \nobviously, earlier this year there was an executive order that \nprovided guidance as to move forward with that. Clearly not \nevery facility needs to be EMP hardened. 
It is understanding \nwhat those are and what are the specific actions that we can \ntake to make that happen, to ensure that that is there for \neither those installations or those portions of installation \nwhere that is critical.\n    Mr. Lamborn. Thank you. I yield back the balance of my \ntime.\n    Mr. Langevin. Thank you, Mr. Lamborn.\n    Mr. Kim is now recognized for 5 minutes.\n    Mr. Kim. Thank you, Mr. Chairman. I wanted to just hone in \non the ``black-start'' exercises. I have been very intrigued by \nthis.\n    And, Mr. McMahon and Mr. Beehler, I just wanted to hear \nfrom you, what are the top lessons that we have learned so far \nfrom doing these black-start exercises? Mr. McMahon, we will \nstart with you.\n    Secretary McMahon. Congressman, thank you for the question. \nWe are tremendously proud of the effort. As we talk about \nbuilding resilience, it is understanding, you know, we can do \nall the tabletop exercises in the world, but when you actually \npull the plug, the question is, what actually goes on? And so \nthe investment--and they run somewhere between $250,000, \n$500,000 per exercise. We have had a total of four thus far. I \nwill let Alex talk a little bit about some of those specifics. \nWe still have two additional that we will do, but the reality \nis, and perhaps the most important lesson that I have seen is a \nlack of appreciation and understanding by our senior leaders at \nthe installation level, all the way up to my level, of what we \nthought was going to happen versus what actually occurred. And \nthen being able to apply those lessons learned down the road as \nwe move forward. Lots of tactical issues, but at the strategic \nlevel, I think that is the most important.\n    Mr. Kim. Go ahead, Mr. Beehler.\n    Secretary Beehler. Sort of amplifying what Mr. McMahon just \nsaid, it is the basic verification of backup energy, and also \nwater, whether we really have what we think we have. 
And if we \ndon't have it, what do we need to do to get it? And there is \nnothing like doing for verification. And at least on behalf of \nthe Army, we think that, so far, they have been very effective. \nWe have done, as Mr. McMahon said, we have done three through \nthe means of OSD, but we have done others on our own, and we \nwill continue to do more on our own because we believe it has \nbeen very effective to show exactly what works, what doesn't \nwork, what needs to be improved and enhanced.\n    Mr. Kim. Well, I appreciate that. It certainly seems like \nan operation that really hits where the rubber hits the road \nand just tries to put this all into reality of what is going to \nhappen. So I am certainly very supportive of the program and \nglad that it is continuing. In that similar vein, so, in my \ndistrict, a district with Joint Base McGuire-Dix-Lakehurst, we \ngot crushed by Superstorm Sandy, and that was something that we \nsaw full force there. That base was able to have--the \nresiliency of that base being able to get up and running 24 \nhours later was critical not just for the base but for the \nsurrounding community. As you know, that base really served the \npurpose for being the FEMA [Federal Emergency Management \nAgency] center for that area. So I guess my question to you, \nkind of building out from there, when we are talking not just \nresiliency of the bases but potentially for natural disasters, \nsupporting the community around it, what exercise--are you \ndoing tabletop exercises or real-world exercises planned with \nFEMA or other organizations? I am just kind of curious, you \nknow, what we have been able to learn from Superstorm Sandy and \nother places where our military installations end up playing a \ncritical role in the revival of these communities after these \ndisasters. Maybe Mr. Henderson, some of your thoughts, and Mr. \nBeehler.\n    Secretary Henderson. Yeah, thank you. 
So, for the defense \nsupport to civilian authorities, the Air Force plays a large \nrole in that usually with air transport, offering up logistics \nhubs and bases and stuff. So we participate with the Department \nof Defense in support of the FEMA exercises that go on. So I \nknow that is our participation and the exercises that we do in \nconjunction with FEMA.\n    Secretary Beehler. Sir, a variety of things. One is that we \nat Fort Bragg participated in a project that I believe was \ninitiated by OSD, but it also included Department of Energy, \nDepartment of Homeland Security, and the Federal Regulatory \nCommission in the development of a defense-critical, electric \ninfrastructure pilot program, to evaluate the resilience of \noff-post electric infrastructure, you know, support. But more \nbroadspread, each installation does, on an annual basis, an \nemergency response exercise that by its very nature closely \nengages the surrounding communities at all appropriate levels. \nThe other thing that we have done on an ad hoc, utility-to-\nutility connection, is discussions on how appropriately located \nArmy bases--this is particularly relevant to the southeastern \narea--can help as temporary--I don't know whether staging \ngrounds is perhaps the best term, but really a place where \nutilities and emergency crews that are going to a scene that \nhas faced hurricanes or severe weather events, and actually \nuse, for whatever period of time, Army base facilities to help \nthem position in the case of a major climatic event.\n    Mr. Kim. Well, I appreciate that.\n    Chairman, I yield back.\n    Mr. Langevin. Thank the gentleman.\n    Mr. Scott is now recognized for 5 minutes.\n    Mr. Scott. Thank you, Mr. Chairman.\n    General McMahon, I hate to see you retire. Thirty-four \nyears in uniform, the best at Robins Air Force Base, I am sure. \nAnd for those of you who don't know, he is an exceptionally \ngood production manager. 
He turned Robins Air Force Base, its \nefficiency around, and did an extremely good job there, so I \nwant to thank you for that and your work there. And the average \nIQ of Alabama is about to go way up. I do trust you won't pull \nfor their football teams, though.\n    I have a couple of questions. You mentioned drones or the \nUASes. Do the FAA [Federal Aviation Administration] rules that \nthey have, that protect drones, apply to somebody who would \nperhaps fly a drone over one of our military bases?\n    Secretary McMahon. Congressman, I would rather get into \nthose specifics outside of this environment, if I could push \nthat back to you. I could take that for the record and come \nback to you.\n    Mr. Scott. That is fine. I just want to make sure that you \nhave whatever authorizations you need and that we don't have \nany conflict between Federal agencies as sometimes happens.\n    Secretary McMahon. Yes, sir.\n    Mr. Scott. I want to make sure that we have the ability to \nprotect you from that.\n    Another question, we have the Marine Corps logistics base \nin Albany, Georgia, the first net zero base in the country. Do \nwe have any other bases that have achieved net zero with regard \nto energy?\n    Mr. Niemeyer. I will take that question. So Albany is \nactually a shining star within the Department of the Navy as an \ninstallation that has truly achieved the energy resilience that \nwe are looking for where, if the grid goes down, we can still \nconduct the critical missions there at Albany. I look to other \nMarine Corps installations, also the Marine Corps does seem to \nbe leading the way around the Nation at Yuma in Arizona, at \nMiramar in California, an amazing effort there combining a \nseries of initiatives over the last 10 years. It truly creates \nthe resiliency we are looking for with that installation, using \na variety of fuel sources. I want to make this clear. 
Within \nthe Department of the Navy, we look at all fuel sources as an \nopportunity to provide us the resiliency. Miramar is using all \nthose to create a pretty significant capability that, if the \nlights go out, we could conduct those critical missions in \nMiramar to launch our aircraft.\n    Mr. Scott. So we have multiple fuel sources but the way--if \nI am not mistaken, the way the Marine Corps logistics base in \nAlbany, Georgia, achieved that was through a public-private \npartnership. And are we utilizing the public-private \npartnerships in other bases as well?\n    Mr. Niemeyer. I am sorry, sir. Yes, we are. We look at a \nwhole host of authorities that are available to us thanks to \nCongress: energy savings performance contracts, service \ncontracts, power purchase agreements. I think my sister \nservices share the desire to want to use all the authorities \nthat are available to us to look at, what is the best \ncomprehensive energy solution for a particular installation? \nAnd that takes into account a full range of fuel sources as \nwell as what the community and the private sector can partner \nup with us on delivering those efficiencies and resiliency.\n    Mr. Scott. My concern is just making sure that you have the \nflexibility to achieve what needs to be achieved in the most \nefficient manner possible and that we are not showing \npreferential treatment to certain types of fuel sources.\n    Secretary McMahon. What I would offer to that, Congressman, \nis that we are agnostic, especially when we start talking about \nrenewable energy. As you know, with all the installations in \nthe State of Georgia, Georgia Power has come forward and has \nput solar on each of those to help get us where we need to be. \nThey have helped fund it. 
And the point of that is, there are \nopportunities for all of our installations to partner, both in \npublic-private opportunities, but also in the opportunity to be \nable to create relationships as we look at relationships \nbetween the public and private sector where the private sector \ncan come in and help our installations get to where we need to \nbe at little or no cost to the Department.\n    Mr. Scott. I know we talk about energy a lot. Mr. Beehler, \nyou mentioned water. I was glad to hear you mention water as \nwell. I hope that is something that we will focus on going \nforward. I think we spend an awful lot of time talking about \nthe air, and I don't think we have spent enough time talking \nabout water and making sure that we have access to clean water \nat our bases. And that when water leaves our bases, that it is \nas clean as it can possibly be before we reintroduce it to the \nenvironment.\n    Secretary Beehler. Absolutely agree. Extremely important \nand particularly given--and from the standpoint of the Army, \nthe number of Army bases that are in potentially drought area \nor just an area that receives very little precipitation.\n    Mr. Scott. Gentlemen, thank you for your service.\n    Mr. Langevin. Thank you, Mr. Scott. Ms. Houlahan is \nrecognized for 5 minutes.\n    Ms. Houlahan. Thank you, Mr. Chair, and thank you so much, \nsir, for your service. I hope you enjoy your next chapter as \nwell. I come from Pennsylvania, but I did my field training at \nTyndall Air Force Base, and so that is a personal special place \nin my heart. And it struck me during the testimony--and this is \nlargely me pontificating and less a question--$4 billion to \nrestore that base to operation; $4 billion every time something \nlike Tyndall happens. 
It seems as though we would be well \nserved if we could find $4 billion to try and prevent these \nkinds of things from happening, from not necessarily a \nresilience standpoint but actually addressing the root cause of \nit, which is the climate that is changing around us. And so \nthat is more of a pontification than anything.\n    My questions are springboarding off Mr. Scott's questions \nin some ways. My first question has to do with public-private \npartnerships to the degree that you guys can answer the \nquestion with specificity on cyber. He asked questions about \nenergy sources. Do you feel as though you are empowered to be \nable to pursue public-private partnerships with people in the \ncyberspace? If not, why not? And if so, can you give me some \nexamples of that and I would welcome any one of you to answer \nthat question.\n    Mr. Niemeyer. So we are updating our processes for our full \nrange of interactions with our private partners. I will pick \none specifically, energy savings performance contracts [ESPCs]. \nSo, for years, these performance contracts have been used \npredominantly to find savings in how we install new technology. \nWe are now saying: Okay, in addition to whatever we do with the \nESPC, we are going to make sure it has got an energy \nresiliency component, that we are making our control systems, \nthat we are making our energy systems stronger as we are \nimplementing these agreements. The private sector is very \nresponsive to that. And I think they are doing an outstanding \njob of taking what we give them as a requirement and then \ncoming back with pretty innovative solutions on how we can use \nthese partnerships to enhance not just our mitigation but our \nunderstanding of how best to mitigate. So that is just one \nexample. I could go around the Department of the Navy where we \nwork on the ESPCs. 
We just recently cut the largest one for the \nnaval base we have at Guantanamo Bay and the largest one in the \nFederal Government, which has significant resiliency measures \nand steps within that deal. So we are looking across all our \nenergy projects. In the past--I will be honest with you--a lot \nof our energy projects, particularly for renewables, has not \nhad a resiliency piece to that. Our projects face the grid. \nThey don't allow us to have mission assurance when the grid \ngoes down. That is a problem. So we are looking at our full \nrange of energy portfolio, to what degree those projects can be \nused to power critical missions if the grid goes down.\n    Ms. Houlahan. Thank you. Any other responses from you all, \ngentlemen?\n    Secretary McMahon. What I would offer across the entire \nspectrum as we talk about our ESPCs, we have the opportunity to \nupgrade, and when we think about that, that is replacing an old \nboiler with a new kit capacity or an old HVAC system with a new \nHVAC system. It is the controls, as Lucian alluded to, as part \nof that as we begin to think differently about what that \nopportunity is and as we put those contracts in place, being \nable to leverage not only the capacity and the newness of the \nnew systems but, more importantly, the control systems that go \nwith that, and leveraging as part of the project. And that is \npart of the new thinking I think we are beginning to see across \nthe board.\n    Ms. Houlahan. Thank you. And with my remaining 1 minute and \n30 seconds, I typically ask questions about whether or not you \nfeel as though your workforce is prepared and has the right \nskill set. I really was impressed by your backgrounds, and \nclearly you have the right skill set to be sitting in your \nseats. 
But do you feel as though you have the right chain of \npeople coming up through the ranks to have these kinds of \nreally critical skills, whether they be cyber, whether they be \nwater expertise, whether they be energy expertise?\n    Mr. Niemeyer. I can go ahead and get started with that. \nFirst of all, the Department of Navy team is both on the \nsecretariat, and I have actually represented two outstanding \nleaders from each service--General Chuck Chiarotti and Admiral \nRicky Williamson--together we form a team, collective team, \nthat looks at the resiliency challenges across the board. We \nprobably could do better in educating our energy managers, to \nbe more proactive at installation level. We are working \ncollectively across the Navy and the Marine Corps to be able to \ndo that. So those base-level managers are bringing up those \nideas to us so we can actually incorporate. So we have still \ngot a little work to do on the education front.\n    Secretary Henderson. For the Air Force, we recently hired a \nprofessor to develop a curriculum to help with the education \nand training of our engineers, our civil engineers, on this \nindustrial controls and the cybersecurity of industrial \ncontrols, which is kind of our piece of that. So we are making \nefforts to take the workforce we have and kind of update their \nskill set so that we better understand how to install and \noperate these systems. Additionally, with regard to personnel \nand having the right personnel, the direct hire authorities \nthat have come through some of these highly specialized, low-\ndensity career fields has been very helpful for us in the Air \nForce.\n    Ms. Houlahan. Thank you, and I am out of time. I yield \nback. Thank you.\n    Mr. Langevin. Thank you, Ms. Houlahan.\n    Mr. Bacon is now recognized for 5 minutes.\n    Mr. Bacon. Thank you, Mr. Chairman.\n    I appreciate all four of you being here. My first question \nis directed more to Mr. McMahon and Mr. 
Beehler, but please \njump in if you can add in. I want to talk about the levee \nsystem and the permit process that we have to go through. And I \nhave a specific example, but it is not just this example. I \nhear about it all over. So what we had in 2011, we had the \nworst flood in about 50 years in eastern Nebraska. I was a \ncommander at Offutt Air Force Base. We worked for months to \nsave the base. Hundreds of thousands of sandbags. FEMA came in \nafterwards and said: Hey, you need to raise the levees 2 to 3 \nfeet. This was in 2012. And so then our NRD [Natural Resources \nDistrict] with the State came forward with a proposal that cost \n$35 million and wanted to get it done, but it took 5 years to \nget a permit--5 years. And here is the deal, 5 years to get a \npermit to do $35 million worth of work. We got it all approved \nfinally. In February of this year, we had the worst flood in \nNebraska's history. It is going to be a billion dollars in \ndamage. Now, if it was just a one-off incident, I got it. But I \nhear it from all over the place, all of our mayors, 5 to 7 \nyears is the norm to get a permit. It is inexcusable. It is \nintolerable. It is bad for the taxpayer. It was bad for our \nnational security. So what can we do to fix this?\n    So it fell on the Air Force, but I don't want you to--I \nthink it was--it is not just one group, though. It is a \ncumulative problem. But go ahead.\n    Secretary Henderson. So, first of all, you and I have \ndiscussed that specific permit in my previous position. So I am \nnot going to speak on behalf of the Corps of Engineers here, \nbut you and I have a lot of carnal knowledge on that specific \nsituation. 
I will share your frustration with the permitting \nprocess writ large, and whether it is FAA permits, NEPA \n[National Environmental Policy Act] work that we have to do, \neven those of us who are in the Corps of Engineers, used to be \nin the Corps of Engineers, the permits that are involved in \nthere can be very slow, very bureaucratic, and they take a long \ntime. And I would say a lot of that, just from my experience, a \nlot of that is linked back to, in order to issue those permits \nin a lot of cases, the NEPA work has to be done. And the NEPA \nwork ends up being the long pole in the tent a lot of times. \nSpecific with the Offutt levees, which have a huge impact on \nthe Air Force base, but the Air Force does not have an equity \nin that levee. It is owned by the NRD. It is permitted by the \nCorps in combination with FEMA obviously. So I say that to say, \nas we have extreme interest in making sure the levee gets \nupgraded, it makes our installation there more resilient. In \nthat particular case, as you know, in order to get the permits \nfrom the Corps, in this case specifically, a 408 permit, the \nNRD had to run the hydraulics to make sure that any work they \nwere doing on the levees on the Nebraska side of the river \nweren't going to impact the main river levees on the Iowa side \nof the river, and that--and then the NEPA work associated with \nthat, and that took a lot of time. And it was a lot of \nengineering technical work. It wasn't necessarily sitting in \nanybody's inbox. It was work that had to be done and a lot of \nback and forth as you know. And so--and that part of the permit \nprocess is very frustrating, but it takes a lot of time to get \nit right. And I would say it is important to get it right the \nfirst time. You wouldn't want to do something on one side of a \nriver that has detrimental effects to the public on the other \nside of the river. And in that particular case on that permit, \nthat took some extra time.\n    Mr. 
Bacon. I would think, if it is just a one-off, I got \nit. But I hear about this from--I mean, we have 10 mayors in \nour district, and I hear over and over again 5 to 7 years to \nget a permit. And I just think that we can put our brains \ntogether here and figure out how to do it, and I would like to \nwork on how we streamline this process because it is good for \nthe taxpayer, and it is unacceptable. We built the Pentagon in \n1 year. We got to figure this out.\n    Secretary Henderson. Sir, I got to say, from that \nperspective, we share your frustration because all of us up \nhere are trying to deliver MILCON projects----\n    Mr. Bacon. Right.\n    Secretary Henderson [continuing]. Projects, and there is \nusually a NEPA permitting component that we have to comply \nwith----\n    Mr. Bacon. Yeah.\n    Secretary Henderson [continuing]. And it takes a long time. \nAnd it is frustrating. I think there is a lot of opportunity \nthere to expedite those.\n    Mr. Bacon. I have one follow-on question if I may because I \nhave only got one more--45 seconds. One of the things I am also \nconcerned about is Russian gas fueling our bases in Europe. It \nis not a one-off there either. A lot of our bases are doing it. \nAnd the new hospital being built at Ramstein is designed to \nhave Russian gas, and we are there because of Russia, and they \ncan just turn it off. And it is a readiness issue. So what are \nwe doing to wean ourselves off that, and what are we \nspecifically doing with the hospital to make sure that we are \nnot dependent on Russian gas?\n    Secretary McMahon. Congressman, two comments on that. \nFirst, as you know, we don't dictate what nations, where they \nsource their fuel from, and given--number one. 
Number two, \nthough, is this entire idea of installation resilience and \nbeing able to go off grid gives us the flexibility that if what \nyou just suggested were to occur, we have the ability to \nrespond to that and be able to continue the operations in a way \nthat make sense and allow us to be able to achieve the mission \nthat we have been given.\n    Mr. Bacon. So you can assure us we have that at the new \nhospital?\n    Secretary McMahon. I am not going to assure you of that, \nsir, but I am going to assure you that we are working \naggressively not only for there, at Ramstein, but every other \ninstallation that we have, to be able to achieve that.\n    Mr. Bacon. Okay. Thank you.\n    I am out of time. I yield back. Thank you.\n    Mr. Langevin. Thank you, Mr. Bacon.\n    Ms. Escobar is recognized for 5 minutes.\n    Ms. Escobar. Thank you, Chairman. I am so grateful to you \nand the ranking member for this important hearing.\n    And many thanks to our witnesses today. I reviewed the list \nof the top 10 Army facilities that are vulnerable to climate \nchange. All of those facilities are in the West or the \nSouthwest, and the threat is listed as drought. And so I am \nwondering if you can expand on how you all intend to attack \nthat, what the plan is, and what the theory is around \nassisting--ensure the sustainability of the West and \nSouthwestern facilities vulnerable to drought?\n    Secretary Beehler. Sorry. Ma'am, this is one of the things \nthat will be accomplished through our installations energy and \nwater programs plans that are being done at all of the major \nArmy installations, including all of the ones in the Southwest. \nThey are to address, in effect, your question, which is, how do \nwe ensure at a given installation, adequate water supply, \naccess to water. 
It also gets incorporated when an installation \nupgrades and reviews its broader installation management plan, \nwhich is done every 5 years for each installation.\n    As I mentioned earlier, the first tranche of these energy \nand water plans are due to be completed at the end of this \ncalendar year, which, I believe, includes some of the \ninstallations in the Southwest. So we will then have--those \ninstallations will have a way forward as to what they need to \ndo to make sure they have good access to water.\n    Ms. Escobar. One of the installations on that top 10 list \nis Fort Bliss----\n    Secretary Beehler. Yes.\n    Ms. Escobar [continuing]. Which is in my district, which \nobviously has a very sophisticated desal [desalination] plant \nin the district that has really been focused on ensuring water, \nnot just for the military installation, but for the community. \nWas that taken into consideration when Fort Bliss was placed on \nthe top 10 list?\n    Secretary Beehler. Well, the top 10 list was looking at \nthreats.\n    Ms. Escobar. Okay.\n    Secretary Beehler. And it is great that there is this \ndesalination plant, but that doesn't remove the effect of the \nthreat.\n    Ms. Escobar. Gotcha. Okay. But my followup question to that \nis, you know, obviously we do want to consider the threats, but \nalso the opportunities.\n    Secretary Beehler. Yes.\n    Ms. Escobar. And Fort Bliss has, for some time, was being \nvery thoughtful about the opportunities around solar. And it \nseems to me that all of our Western and Southwestern \ninstallations have that same opportunity. And I am wondering \nhow the plan seizes on the opportunity for solar as a major \nopportunity for renewable and sustainable energy.\n    Secretary Beehler. 
Well, certainly, as I think we mentioned \nbefore, the goal of these plans is for each installation to \nhave the necessary access to energy to carry out critical \nmissions however best means that make sense given the specific \ninstallations. So I think, generally, solar is always part of \nthe consideration as long as it can be effectively both cost \neffective and logistically applied and included. Obviously, I \ndon't know about the specific case of the Fort Bliss plan that \nis obviously under development, but that is something that I am \nhappy to look into and get back to you with what their thinking \nis, as it develops. And happy to give a brief.\n    Ms. Escobar. I appreciate that. I really do believe, \nespecially hearing in this hearing alone, listening to concerns \nabout the grid, and our vulnerabilities with regard to the \ngrid, that we should be showing far more leadership in saying, \nyou know, we are going to draft a plan that leads the way, \nleads the country in sustainability, and that takes some of \nthose critical threats away because we are leading on that \nfront. So that would be my hope.\n    Secretary Beehler. Thank you.\n    Ms. Escobar. Thank you.\n    Mr. Langevin. Thank you, Ms. Escobar.\n    Mr. Waltz is now recognized for 5 minutes.\n    Mr. Waltz. Thank you, Mr. Chairman, and thank you, ranking \nmembers. This is, I think, a fantastic hearing and topic. You \nknow, I have a lot--a little bit of skin in this game on the \ntactical side. I can't tell you how many soldiers are no longer \nwith us because of their supply lines being attacked carting \nfuel out to remote outposts that, frankly, could have had some \npanels and a turbine and been much more self-sufficient. Then \nyou magnify that from the tactical to the global and strategic \nin terms of our supply lines that our fantastic Navy seeks to \nsupply. 
So could you talk to me for a moment about what we are \ndoing on the tactical sustainability side, particularly for our \nspecial operations forces who, as you know, are in anywhere \nfrom 60 to 70 countries as we speak today, and allowing them to \nhave portable and tactical sustainment systems?\n    Mr. Niemeyer. This is a tough issue, because everything \nthat we have looked at in the past, I know both the Marine \nCorps and special operations forces and Army forces in the past \nhave looked at what tactical generation can do for us. And any \nform of tactical generation creates pros and cons. I mean, \nthere is a lot of folks who are concerned that by setting up \nthose solar panels in a remote area, you actually--they are \neasily spotted and they are easily taken out. So the goal \nhere--and this goes back to the heart of the National Defense \nStrategy--is, how do you provide agile logistics in a contested \nenvironment? And I got to tell you, our adversaries know that \nthat is probably our weak spot. How do we power the next \ngeneration of equipment? It is not what we just have today, \nCongressman. It is what we are looking at--you know, autonomous \nvehicles, robotics, direct energy programs. What we are going \nto need in the next 10 years is more energy on the battlefield. \nThat is something that in our research and development we are \ntaking a hard look at what batteries we can use, what can be \ndone for next generations of tactical energy sources that \ndoesn't rely on fuel supplies. It is something we are working \nvery hard on across the Department of Defense.\n    Mr. Waltz. Thank you. And please, Mr. McMahon.\n    Secretary McMahon. Congressman, what I would add to that, \nagain at the tactical level, but a very strategic concept is \nthis idea--Mr. Niemeyer talked a little bit about small, \nmodular reactors. There is also an effort within our research \nand engineering concepts, under Dr. 
Griffin, to be able to look \nat the micro capability. Is there something we can actually put \nin the back of a ton-and-a-half truck that could take forward \nthat would give us, for a forward-operating base as an example, \nthe ability to operate with a micro nuclear reactor. That is--\n--\n    Mr. Waltz. What do you need from this committee to move \nthose concepts forward?\n    Secretary McMahon. Moving forward today, quite frankly, \nmany of the challenges that we face are working through some of \nthe regulatory issues. It is a science issue on the micro that \nwe are still trying to work through. But at least at the small \nnuclear reactor capability, I think we are moving forward. It \nis just working through the regulatory process that is \nnecessary to get to where we need to be.\n    Mr. Waltz. Okay. Thank you for that. And just shifting back \nto the basing issues, resiliency is something Florida takes \nvery seriously. Obviously, we have to deal with it every year, \nwith storms, with flooding. There are areas of Florida now that \nare flooding and on a sunny day. The sea level is rising and we \nhave to deal with it. We need to move beyond that debate. In \nfact, the Governor of Florida, my predecessor in this seat, \njust named a chief resiliency officer to pull together our \nstatewide strategy. We have a Florida defense task force that \nis very focused on these issues.\n    On the Navy side, Secretary Niemeyer, the engineering \ncommand issued what I think is a detailed and a comprehensive \nhandbook for installation commanders, ``Climate Change, \nInstallation Adaption and Resilience.'' What step are you \ntaking to ensure installation commanders are actually \nimplementing the recommendations in this handbook in their \ninstallation master plans and then also coordinating--because \nthis is a broader issue. This is wetlands. This is offshore. \nThis is seawalls. 
It is a huge issue that I am trying to deal \nwith the Corps of Engineers as well for properties. How are you \nintegrating locally, and how are you ensuring each installation \ncommander implements those plans?\n    Mr. Niemeyer. I mean, that is something we are working on \ntoday with the southeast region. The goal here is to allow that \ninstallation commander the range of resources and to include \nthat pamphlet and that guidance in addition to other guidance \nand look at the most critical assets on that installation and \nwhat really delivers the projection of that power for the naval \nbase, and use the guidance we have given them to direct \nresources towards making sure that that particular asset has \nmission assurance from a full range of threats. So it is \nreally----\n    Mr. Waltz. Are you confident they are doing it?\n    Mr. Niemeyer. Yes, I am. In their capitalization and \ninstallation master plans.\n    Mr. Waltz. Great. Thank you so much.\n    I yield my time.\n    Mr. Langevin. Thank you, Mr. Waltz.\n    Ms. Haaland is now recognized for 5 minutes.\n    Ms. Haaland. Thank you, Chairman.\n    And thank you to our witnesses for coming here today to \ndiscuss this important issue important to national security. I \nam glad to see that our national security infrastructure is \ninvesting in innovations in resiliency and renewable energy. In \nmy own district, Sandia National Laboratories and Emera \nTechnologies are working through a Cooperative Research and \nDevelopment Agreement, a CRADA, on microgrids that locally \nmanage energy storage and resources such as solar, wind, and \nthermal systems. Chairman Adam Smith and I recently visited the \npilot project at Kirtland Air Force Base where they will be \ntesting innovations in distributed generation to make units \nmore resilient to weather, physical, and cyber attacks. If one \nunit goes out, the others could operate independently. 
If \nsuccessful, this system could provide highly reliable and \nrenewable power supply. And I will just add that, in New \nMexico, we have over 300 days of sun per year, so it makes \nsense to try it there. This is an excellent example of how our \nNational Labs support innovation and resiliency and renewable \nenergy research development. So Assistant Secretary McMahon, \ncan you describe the DOD's plans to increase research \ndevelopment, test, and evaluation in energy storage, microgrid, \nand energy resiliency? And does the DOD intend to further \nexpand the energy resilience and conservation investment \nprogram?\n    Secretary McMahon. First of all, Congresswoman, we would \nlike to say thank you to the Congress for the support that we \nhave had. A tremendous amount of our innovation, imagination, \nresearch, and development comes from the funding that you all \nhave provided us. One of the conversations, as I saw \nCongresswoman Slotkin come in, talk about PFAS [per- and \npolyfluoroalkyl substances], PFOA [perfluorooctanoic acid], a \nlot of our effort in that area as well is coming out of this \nR&D [research and development]. So the question becomes, do we \nhave the right funding? The answer is we do. We have continued \nto leverage that for a variety of different innovative areas. \nYou have already covered a couple of those. But what we are \ndoing today gets us to where we need to be, and if additional \nfunding is made available--though I think we have sufficient \nfunding today--we will continue to apply it in innovative ways.\n    Ms. Haaland. Excellent. And, again, Assistant Secretary \nMcMahon, can you share your thoughts on how best we can expand \nthe role of our National Labs in public-private partnerships \nlike CRADAs in support of DOD's resiliency efforts?\n    Secretary McMahon. Congresswoman, we talked earlier about \nthe level of experience and knowledge that we have. 
Clearly, \nour labs are national treasures, and we continue to leverage \nthose to the best of our ability in terms of research and \ndevelopment. At the same time, many of our universities across \nthe Nation are equally as successful. And so it is a matter of \nsimply ensuring that we are leveraging all of our sources, both \nour labs and our universities, for the innovative ideas that we \nneed. But, clearly, I think that part of what has made us as \nsuccessful as we have been are our labs and the innovation that \nwe see coming out of them.\n    Ms. Haaland. Thank you so much.\n    Assistant Secretary Henderson, you mentioned that the Air \nForce is taking the necessary steps to build resilient \ninstallations that are ready to withstand and recover from \nmanmade and natural events. How do microgrids and distributed \ngeneration factor into the Air Force's approach to resiliency?\n    Secretary Henderson. Yes, Congresswoman, absolutely. And we \ndo that through--we are doing installation energy and water \ndevelopment plans on each of our installations in conjunction \nwith the master plans that we are doing, and then we are \nfunding any vulnerabilities and gaps in that regard in a \npriority basis through an investment strategy that we have \nacross the enterprise.\n    Ms. Haaland. Excellent. Thank you. One more minute. And \nback to you, Assistant Secretary McMahon. The Annual Energy \nManagement and Resilience Report for Fiscal Year 2018 showed \nthat the DOD is falling short of its goal to consume 7.5 \npercent of its energy from renewable sources. What challenges \nis the DOD facing in attaining this goal, and what does the DOD \nneed to achieve the goal?\n    Secretary McMahon. Congresswoman, what I would offer to you \nis that we continue to focus--we are agnostic on the type of \nrenewable that we are talking about. 
But I would share with you \nan evolution over the last couple of years, as we have looked \nat the National Defense Strategy and we have begun to consider \nwhat occurs in great power competition, and to focus less on \nrenewables as an end in itself, rather becoming a means to an \nend, and the means to an end is creating that resilience. So we \nare applying renewables where it makes logical sense to give us \nthat kind of resilience that we need, rather than simply \ngenerating renewables for the sake of doing renewables.\n    Ms. Haaland. Thank you so much.\n    I yield, Chairman.\n    Mr. Langevin. Okay. Thank you, Ms. Haaland. And Mr. Banks \nis now recognized for 5 minutes.\n    Mr. Banks. Thank you, Mr. Chairman. Recently we had Mr. \nWilson, the DASD [Deputy Assistant Secretary of Defense] for \nCyber Policy, and representatives throughout the interagency \ntestify before this subcommittee regarding internet security. \nDuring that hearing, I highlighted the fact that, in DOD's 2019 \nDigital Modernization Strategy, it states that the DOD utilizes \n10,000 operational IT systems. The amount of access points \nprovides enormous vulnerabilities as the DOD moves forward and \ntoward an increasingly internet integrated warfighting posture.\n    Mr. McMahon, what role do you play in the oversight of \nphysical internet and network security?\n    Secretary McMahon. Congressman, thank you for the question. \nWhat I would tell you, I am one of those that lies awake at \nnight as we look forward to the future and see 5G come forward, \nthe threat that it provides to our already capable system, and \nthe fact that more and more systems will be utilizing 5G in the \nfuture, where those systems come from, and the infrastructure \nchallenges that we face in terms of espionage, not knowing the \nsource of that 5G capability, and being able to ensure that it \nis secure. More and more data will be utilized. 
And so the \nquestion becomes, how do we ensure that the infrastructure, in \nconjunction with the CIO, in conjunction with our new----\n    Mr. Banks. Help me out real quick and tell me the specific \nrole that you play organizationally.\n    Secretary McMahon. From my perspective, what I worry about \nmost of all is with installation industrial control systems as \nit plays directly and then tangentially as we put \ninfrastructure capability in place, our comm [communications] \nCIO looks at the specifics of that security.\n    Mr. Banks. Okay. The witnesses then were not able to tell \nme that the DOD has a complete inventory of all the items that \ncan access the network in that particular hearing. But in your \ntestimony, you said that your office is developing the \nframework for identifying the required resources for \ninventorying, assessing, mitigating, and sustaining facility-\nrelated control systems. So, to your knowledge, is there any \nsource that can show internet-dependent resources on military \ninstallations?\n    Secretary McMahon. Holistically, I am not aware of that, \nCongressman.\n    Mr. Banks. Okay. DOD CIO Dana Deasy recently said in an \ninterview, quote, The Department will need to do some work to \nhelp industry better understand the things that it needs to \nmeet the new challenges in cyber, end quote. Mr. McMahon, how \ndoes DOD improve communications with industry in setting clear \ncyberspace--I am sorry--cybersecurity expectations?\n    Secretary McMahon. As I mentioned earlier, Congressman, the \nUnder Secretary of Defense for Acquisition and Sustainment has \nput in place a cyber czar, Ms. 
Katie Arrington, whose \nresponsibility is to look across the acquisition community as \nwell as the sustainment community, looking at all elements of \nthis, to include in conjunction with the CIO, looking at how we \nare doing business with the acquisition systems, through the \nsupply chain, to ensure that there is security there, and \nbecomes a first step in getting us to where we need to be, in \ncreating, for example, a CMMI-like [Capability Maturity Model \nIntegration] system and capability that all of our suppliers \nand contractors would have to be able to achieve to ensure a \nlevel of security we do not have today.\n    Mr. Banks. What would you say that the--what are the--what \nrole do cyber training ranges, like Muscatatuck Urban Training \nCenter in Indiana, play for advancing cyber readiness on the \nbattlefield and on U.S. bases?\n    Secretary McMahon. Clearly, Congressman, all of our cyber \nranges provide an opportunity to further educate and train our \ncyber warriors and make awareness out there. Though I don't \nthink we are at the point that we are fully utilizing them \nbecause this is a learning business, if you will, to understand \nwhere we are. There are those that are probably much more \nexpert in describing to you how best to utilize those cyber \nranges, acknowledging that we see them as critical to the way \nforward.\n    Mr. Banks. Got it. One of the goals from the 2018 DOD Cyber \nStrategy is to increase cybersecurity accountability. \nSpecifically, the strategy stated, reducing the Department's \nattacks--attacks surface requires an increase in cybersecurity \nawareness and accountability across the Department. We will \nhold DOD personnel and our private sector partners accountable \nfor their cybersecurity practices and choices, end quote. Last \nquestion. What kinds of cybersecurity accountability changes \nhave been made since the release of that strategy?\n    Secretary McMahon. 
What I would tell you is, we are in the \nmidst right now, as I just described, a CMMI-like capability \nwhere our OEMs, original equipment manufacturers, our sources \nof supply, have to be able to put in place the capabilities to \nattest that they have control over their supply chains, not \nonly at the first tier, second tier, third tier, but down as \nfar as they go, something that I think is a new experience for \nall of us, as we get to that level of understanding, to be able \nto understand the lineage of all the parts that we have within \nour weapon systems as well as within our infrastructure.\n    Mr. Banks. Thank you very much.\n    With that, my time has expired.\n    Mr. Langevin. Thank you, Mr. Banks.\n    Ms. Torres Small is recognized for 5 minutes.\n    Ms. Torres Small. Thank you all for your work, creating \nresiliency for our military installations.\n    I have the honor of representing New Mexico's Second \nCongressional District, which includes White Sands Missile \nRange. Geographically, it is the largest range in the United \nStates, and it is located in the middle of the desert. It is \nfundamental to our testing mission, and it has some of the most \ncutting-edge technological design, research, and testing but it \nhasn't had a military construction investment for--since the \n1970s.\n    And so a key example of the needs that we have is the \ninformation facility--the information systems facility, which \nwas built in 1962. The facility serves as a gateway for all of \nour communications and data to the outside world and houses \ncritical equipment, providing support for administrative \ncommands and control and testing and evaluation users. The \nfacility is relied upon to provide critical support for modern \nmissile testing, ranging from the Standard Missile-2 and the \nPatriot Missile System 3 to next-generation weapons systems. 
\nBut the facility is 57 years old.\n    So, Assistant Secretary Beehler, would you agree that in \nthe era of big data and technology, a modern information \nfacility is critical for transmitting the vast amounts of data \ngenerated during military testing?\n    Secretary Beehler. Yes, I agree.\n    Ms. Torres Small. Thank you.\n    And can you please speak to how conducting operations in a \n57-year-old facility could stunt the efforts for maximizing \ninstallation resiliency?\n    Secretary Beehler. I would be happy--oh, sorry. I am sorry \nabout that.\n    I would be happy to take that for the record and provide \ngreater detail and also come back with a briefing on that.\n    [The information referred to was not available at the time \nof printing.]\n    Ms. Torres Small. Thank you very much. But, shortly, it \ngenerally does impact our cybersecurity.\n    Secretary Beehler. Yes.\n    Ms. Torres Small. Thank you.\n    I want to pick up where my colleagues Congressman Scott and \nCongresswoman Escobar were talking about water because it is a \ndeep need. And as you mentioned, Assistant Secretary Beehler, \nit is a challenge that many military installations are facing. \nIn fact, I believe it is over half of our military \ninstallations that face either current or future drought \nvulnerability. I wanted to talk more about the work that is \nbeing done for the energy and water plans. You mentioned that \nall of the installations are putting those together now.\n    Do you know if they are assessing the resources that are \navailable including the quality and quantity of water in nearby \naquifers?\n    Secretary Beehler. It is certainly my understanding that \nthey would take that into account because their thrust is \naccess to quality water. So they obviously are going to have to \nlook at the sources from which this water is coming for their \nuse in installations.\n    Once again, the plans for the first tranche have not yet \nbeen completed. 
When they are, and particularly relevant to the \ngeographical area in which you are interested, be happy to \nprovide that further information, come in with a briefing.\n    Ms. Torres Small. That is great. That is fantastic because \nit really is important as we assess what we have available that \nwe are looking at all of the aquifers and what might be \navailable, especially if we are able to do more desalination \nplants to clean up some of the brackish water as we have seen \nbe so successful in Fort Bliss.\n    Secretary Beehler. Absolutely.\n    Ms. Torres Small. Shifting to Mr. Niemeyer, I know that \nthere is an energy savings performance contract, and it has \nbeen used for water conservation, specifically within the Navy. \nI would love if you could speak briefly on that and how it has \nbeen--if there are any efforts to scale that to other military \ninstallations.\n    Mr. Niemeyer. Sure. So, yeah, we were able to successfully \nfind savings that allowed us to do some water system upgrades. \nI do believe that there is a--we can get to water conservation \nand aquifer management. We could take regional approaches. I \nthink we need to work collectively with our services to see how \na series of bases could work regionally to do a common aquifer \nmanagement plan. That is something that we have been working on \nfor a couple of years. I think there are opportunities around \nthe country.\n    And also, we need to, and the other services also, use the \nprivatization of water systems as another way, probably for us \nthe most significant way to conserve water over time and to \nhave our partners that we do have privatized citizens who work \nwith those regional water authorities.\n    So the goal here is to use the whole range of authorities. \nYes, I am proud of the ESPC, but that is just one step we have \non how we can get much more collaborative with industry and \nregions on addressing common aquifer management.\n    Ms. Torres Small. Great. 
Thank you all.\n    I yield back the rest of my time.\n    Mr. Langevin. Thank you, Ms. Torres Small.\n    Ms. Slotkin is now recognized for 5 minutes.\n    Ms. Slotkin. Great.\n    Thank you, gentlemen, for being here.\n    Assistant Secretary McMahon, thank you especially to you \nand your team for coming to my office and wearing your PFAS \ntask force hat, coming in and briefing us. I sent you a \nfollowup letter on October 7th, but just since I have you on \nthe record here, I was just home in my district, and I can't \nexpress enough to all of you how important the issue of PFAS \naround our military bases is to my constituents and the feeling \nlike the Defense Department is dragging their feet on this \nissue.\n    I know, when we talked, you still had concerns, but for the \nrecord, are we still at loggerheads when it comes to the issue \nof transitioning off PFAS firefighting foam by 2025?\n    Secretary McMahon. Congresswoman, first, thanks for the \nopportunity to talk about PFAS, PFOA.\n    When I talk about the task force, I do it in conjunction \nwith the three gentlemen sitting here. It is weekly. We spent \nan hour and half today talking about what it is that we do.\n    As I laid out, since you gave me this opportunity, we are \nconcerned about three things. One, how do we mitigate what we \nare doing today? How do we ensure that we understand the health \nof the individuals that may have been affected by this? And \nthen, finally, how do we clean up the messes that are out there \ntoday that we go through?\n    Again, this is a national issue. It is just not a DOD \nissue. You understand that clearly without any military \ninstallations in your district, yet it is a big issue. So, we \nhave got to deal with this. This is a national issue.\n    With regards to your specific question, we continue to work \naggressively to try to find an AFFF [aqueous film forming foam] \nversion that is fluorine-free. 
On the I think it is the 14th of \nNovember in conjunction with my partners, we will hold a summit \nto go through all of the work that is being done to understand \nwhere we are, what the process, what work is being done today, \nand whether or not we can make that kind of date.\n    I don't want to commit to you today that I can because I \ndon't know what--where we are, what the work that is being done \nwith the research and development. If we aren't able to do it, \nit certainly is not due to a lack of effort though.\n    Ms. Slotkin. Can I just--I appreciate that. My \nunderstanding is that some of the militaries in Europe have \ndone some good work researching alternatives, and would just \nurge a real push on this.\n    The other thing I just want to, if I could have all four of \nyou on the record, since you are all kind of in this together, \nI know that what I had understood is that the military was no \nlonger using PFAS foam during exercises, that, of course, if we \nhad an emergency, we are reliant on what we have now, but there \nis no need in places like Camp Grayling in Michigan, Selfridge \nAir Force Base, in order to use those in exercises.\n    Can you just confirm for me? Because I have heard \nconflicting responses on this from rank-and-file folks who are \nsaying that it is still being used. Can I get a yes or no from \nall four of you? Is PFAS firefighting foam being used in \nexercises by your respective branches and by the military?\n    Secretary McMahon. I will let the services answer, and then \ngive you an OSD answer.\n    Secretary Beehler. Army, the answer is, no, they are not.\n    Secretary Henderson. For the Air Force, the policy is no. I \nheard the same things that you are, and we are following up to \nmake sure that everybody hears that loud and clear.\n    Mr. Niemeyer. For the Department of the Navy, land-based \nexercises, absolutely not.\n    Ms. Slotkin. Yes, and we know that on ships we have a \nspecial case. 
We want to make sure, if there is a fire on a \nship, we have everything that we need.\n    Secretary McMahon. Categorically, our goal is to make sure \nthat the only time it is used is in an actual emergency, and \nthen it is treated as a spill and cleaned up appropriately, \nwhich ought to dramatically reduce any additional exposures \nuntil we find that replacement.\n    Ms. Slotkin. And I would just ask, now that we have you \nguys officially on record, that you do everything you can to \ntry and make sure that we are adhering to that policy way down \nthe chain.\n    Lastly, as I wrote to you, I have had a lot of \nfirefighters, including Federal firefighters, come and visit \nme. And they were concerned that there is no representation \nthat I know of on your PFAS task force of Federal firefighters. \nI thought that was a kind of an easy ask and a kind of a ``no \nduh'' that the folks who are using this foam most frequently be \nrepresented on the task force.\n    Can I get your thoughts on that?\n    Secretary McMahon. What I would offer is that our medical \nfolks play an integral role. The firefighters work for the \ngentlemen sitting to my left, and so that representation is \nthere. Clearly, our attempt is to be as transparent as \npossible. So, in our minds, up to this point, that \nrepresentation was taking place through the individuals \nimmediately to my left.\n    Mr. Niemeyer. I would also add that, since the Navy is the \nlead for coming up with a MIL SPEC [military specification] \nthat is going to be an alternative for AFFF, we are reaching \nout to the military firefighting community to see what is out \nthere, not just what they know, but what they know and sharing \nwith our Federal firefighters and also our private \nfirefighters.\n    So I would suggest, yes, they probably--they do need a \nvoice. They are represented. 
They do come through my \nrepresentatives into the task force meetings weekly to present \na concern.\n    For instance, we do have a concern about meeting that \ndeadline by 2025. We have a lot of equipment we are going to \nneed to replace. It is lot of money. We are talking hundreds of \nmillions, maybe 15 to 20 years to get this done to truly get to \nthe point the committee wants where we are not using AFFF even \nin residual levels. So those are the types of issues that, yes, \nour firefighters are clearly passing up to the task force and \nwe are addressing.\n    Ms. Slotkin. I would just say some of the dissenting voices \non how the Pentagon is doing have come from Federal \nfirefighters. So the idea of just going that extra step and \nputting one on the task force, I understand you are hearing \nthem. Just as a former Pentagon official, it probably isn't--\nthe juice isn't worth the squeeze to leave them off, but thank \nyou, gentlemen.\n    I think my time has expired. So thanks very much.\n    Mr. Langevin. Thank you, Ms. Slotkin.\n    And since there so few of us, we are going to do a brief \nsecond round. So if you want to stick around, you have \nadditional questions, you are welcome to ask additional \nquestions.\n    Secretary Henderson, several years ago, the Air Force had \nrequested considerable additional funds to address structural \ndamage to facilities at Eielson Air Force Base resulting from \nmelting permafrost. Last year, Congress directed a detailed \nassessment of the risks from melting permafrost installations \nin Alaska, Greenland, and Northern Europe.\n    Since many of those are Air Force installations, has the \nAir Force completed those assessments?\n    Secretary Henderson. So I think we are still working on \nthem. What I would like to do is take that for the record, make \nsure I give you a detailed response of what the status of those \nassessment are and where we are at. 
I know we have done a lot \nof work in correcting the problems caused by melting \npermafrost, by shoreline erosion also in Alaska, and then the \npermafrost issues that we are seeing at Thule, Greenland.\n    In Eielson, for instance, we are having to modify the \ndesigns of some of our structures there to use deep pile \ndesigns so we can get down and have the support for those \nfacilities against the bedrock. In Thule, Alaska, we are \nactually going the other way and putting piping systems in to \nkeep the ground frozen underneath there so the ground remains \nstable.\n    Then, with the eroding shoreline in northern Alaska for our \nradar sites and stuff, we are trying to find better predictive \nmodels to incorporate what is a better characterization of the \nchanging climate and a number of other factors that is \naffecting the shoreline erosion there so we can put together a \nmitigation strategy for that.\n    I will answer back on what the status of that assessment \nand that document is, though.\n    [The information referred to was not available at the time \nof printing.]\n    Mr. Langevin. Fair enough. We will look forward to the \nfollowup assessment.\n    I will yield to Garamendi.\n    Mr. Garamendi. I have got you guys now.\n    First of all, as I said earlier, your papers taken together \nreally cover the entire array of challenges and most of the \nsolutions that are out there, and I am really quite serious \nabout you reading each other's papers and circling those things \nthat you're not doing, that you might very well be doing.\n    It has been mentioned by two of you, three of you, the Army \nCorps of Engineers Assessment Program. Could you send some \ndetail on to the committee on what that is?\n    Secretary McMahon. Let me take that for record, Mr. \nChairman, and provide that to you.\n    Mr. Garamendi. If you would, please.\n    [The information referred to was not available at the time \nof printing.]\n    Mr. Garamendi. 
Also, as we have discussed before, I think \nalmost individually--well, not quite individually with all of \nyou--the reconstruction plans for the bases that have been \ndecimated--Tyndall, Lejeune, China Lake, Offutt--those plans \nare in process, as I understand. They are not yet complete. \nThere is a significant pile of money that has been and will be \nappropriated ahead of the plans, that is, the completion of the \nplans.\n    I want to--I will say it very clearly. That money must be \nspent in a manner that maximizes the resiliency of that base, \nwhichever it happens to be. The standards to be applied must be \nthe strongest standards available in the world, not just in the \nStates, earthquakes specifically and flood standards and so \nforth.\n    So we will see those detailed plans as they are completed, \nbut I know the money is already out there in some of the cases \nand so be aware you don't want to have to come and explain why \nyou didn't build to the maximum standard. Do you? No, you \ndon't. No, you don't. So please keep that in mind as you go \nabout your work on rebuilding.\n    I do have some specific concerns. Some of this has been \nshared with the--actually a fellow behind you. There he is. So \nplease pay attention to that.\n    Also, Mr. Waltz raised a point that we are going to take up \ngoing into the future, and that is it is not just the facility. \nIt is the equipment and particularly the transportation \nequipment that is used on the bases. Part of what is in the \nNDAA and will be even stronger in the future is energy \nconservation.\n    For the Navy, I want to know why you have only built one \ndestroyer with a hybrid system, why you are not building \nmultiple destroyers and other facilities.\n    You have got an answer for that already, Mr. Niemeyer?\n    Mr. Niemeyer. No, I was going take that for the record.\n    [The information referred to was not available at the time \nof printing.]\n    Mr. Garamendi. 
Take it for the record.\n    I will tell you why. There was insufficient energy \ngenerated for both the hybrid system and the electronic warfare \nsystems. And when I asked, ``Well, how do you solve that,'' the \nanswer was, ``Well, we won't do hybrid.'' I am going, ``Why \ndon't you get a bigger generator?'' And you will tell me why, \nMr. Niemeyer, you are not getting a bigger generator for the \nships.\n    Mr. Niemeyer. I do know that I have spent a lot of time \nwith my colleagues over in the acquisition world of the Navy \ntrying to determine what is the ideal configuration on a ship. \nAs you know, we are adding a lot of new weapons systems that \nare all energy draws. We are looking at potentially putting \ndirected energy programs on our ships, huge energy draw. So we \nhave to manage that on the ship.\n    Mr. Garamendi. Yep, that is true. And the biggest energy \ndraw of all is to move the ship. Okay? So the answer was not \nsatisfactory. Send that back.\n    We are going to miss you, Mr. McMahon. You have been very \ngood to work with, and we really appreciate your work on \nissues. I am not so sure you are going to be around for our \nnext family housing issue. You jumped on that. I think you \njumped on the gentlemen at the table with you, and we will see \nhow well everybody is doing. We are going to come back in \nDecember, and we will review the family housing and go at that \nagain and look for progress along the way.\n    Secretary McMahon. Yes, sir.\n    Mr. Garamendi. One of the things that both Jim and I intend \nto do is, and that is we are not going to forget what we asked \nyou to do last year, and so we will be following up as best we \ncan, and I am sure you will, too.\n    I think, Jim, I could probably go on for hours here, but I \nam actually going to get an answer on that destroyer at 5 \no'clock.\n    Thank you so very much, gentlemen. Thank you.\n    Jim.\n    Mr. Langevin. Thank you, John.\n    So, Mr. 
McMahon, just to follow up on Mr. Kim's question \nearlier, the concept of resilience in the context of the \nlogistics, sustainment, and reconstitution, is critical to \njoint force operations. Has this concept been included in any \nof the Joint Staff globally integrated exercises?\n    Secretary McMahon. Mr. Chairman, thank you for the \nquestion.\n    As we talk about what do we include in the exercises, we \nhave just completed an energy war game with the INDOPACOM [U.S. \nIndo-Pacific Command] staff focused specifically on fuel for \nthe INDOPACOM theater. It was the first time we have done \nsomething along those lines to look at holistically what that \nimpact is, where our shortfalls were not only in our planning \nbut in the execution. So was it a baby step? The answer is yes. \nDid we learn how we need to expand that?\n    But the thought that energy is an integral part of our \nplanning purposes and, more importantly, our tabletop \nexercises, we underscored that point. And we are going to apply \nthat in the next series of exercises that we do with the Joint \nStaff.\n    Mr. Langevin. I hope we will see that expand and broaden to \nlook at other aspects of sustainment and reconstitution. I \nthink that is critically important.\n    Secretary McMahon. We are tremendously proud of what we did \nthere, Mr. Chairman. And although it was a baby step, the fact \nthat we have got that as part of the conversation and applying \nit to the operational community, in particular the INDOPACOM \ntheater and the challenges there, this was tremendously \nimportant for us.\n    Mr. Langevin. Can you on one other thing--did you have \nsomething specific?\n    Mr. Garamendi. Go ahead. Finish now. I do have one more.\n    Mr. Langevin. Can you please specify just on cyber-related \nresponsibilities of individual installations by service or \ndepartment, departmental level organizations and components? 
\nFor example, the Air Force is creating mission defense teams \nbuilt for cybersecurity of installations, teams that exist \noutside the Cyber Mission Force.\n    Secretary McMahon. What I will tell you is, Mr. Chairman, \nthat I think we are in the early stages of understanding \nholistically to look at installations from a cyber perspective. \nI think there are multiple owners, whether it is the CIO, \nwhether it is us, when we get into the specifics of industrial \ncontrols, whether we look at the supply chain, the elements of \nthat from an acquisition process. I think, on a daily basis, we \ncontinue to learn, and I continue to underscore the fact that \nSecretary Lord has identified a cyber czar exactly for the \npurpose of providing greater clarity of how we move forward \nwith this. I am not sure if that scratched your itch here, but \npart of this is, quite frankly, we are still getting our arms \naround the whole discussion. We can--we could put glossy words \non it, but we are still trying to figure it out.\n    Mr. Langevin. This is something else we are going to be \nfollowing up on.\n    Anything else you wanted to add?\n    Mr. Niemeyer. Mr. Chairman, one specific issue we haven't \nhad a chance to talk much today, and that is the development of \na national small-cell infrastructure, 5G technology. We are \nbeing very aggressive in providing information to the \ninstallation commanders in ultimately how do we both advocate \nfor and receive applications from internet providers who want \nto install 5G infrastructure on our bases. It is going to be \nmuch more extensive than what we have for 4G, and we have some \nguidance making sure that equipment is secure; it is not \nnecessarily from a foreign manufacturer, but allows us the \nresiliency we need for future data management.\n    Mr. Langevin. That is a good segue into my final question. \nDo you have something to add, Secretary Henderson?\n    Secretary Henderson. 
I was just going to say with regard to \nthe mission support team, from the Air Force perspective, that \nis one of a number of holistic initiatives we are taking to \nlook at our missions to include, you know, threats for mission \nassurance, all the way down to the cyber ties, down to each \ndevice that is connected.\n    From our perspective, from an installations perspective, we \nare really focused on the installation control systems. And \nlike Mr. Niemeyer mentioned what the Navy had done earlier, as \npart of that to protect the network from some of the \ninstallation control vulnerabilities, we have installed 56 \nbase-level network enclaves to logically segment the control \nsystems from the business network to mitigate those risks.\n    So, you know, that mission defense team is one of a number \nof initiatives the Air Force is doing. But that is kind of the \none that falls in our installations portfolio, so to speak.\n    Mr. Langevin. Well, we are going be following up on that, \ntoo, and see how, where that expands to and how it unfolds. I \nthink it is important to consider those issues.\n    Last thing I had, then I am going to turn to Mr. Garamendi \nfor a final question, China appears--and this is going back to \nthe 5G--appears far ahead of us, the U.S., in its development \nand deployment of 5G. Reuters reported just yesterday that \nmobile operators in Europe are queueing up to buy Huawei gear \nfor their next-generation 5G networks, despite U.S. concerns \nthat Huawei equipment contains backdoors open to cyber spies, \nquote. That is end quote.\n    If local power and telecom companies in Europe employ \nChinese 5G networks, how well would the U.S. military be \nequipped to protect its installations across Europe? And how \nresilient is our IT infrastructure?\n    Mr. Niemeyer. We could spend about 4 hours on that \nparticular answer. Let me try to give you an unclassified, \nbasic view. 
So we are working on innovative technologies that \nwould allow us to distribute our own 5G network separate from \nwhat we might have to rely on in a host nation.\n    Domestically we need to start working with States to ensure \nthat the concerns that we have with security of 5G network is \npassed on to the State and community permitting process so that \nway we don't have States inadvertently installing or permitting \nor allowing a system to be installed that is going to create a \nresiliency or threat concern for the Department of Defense.\n    So it is combination of the base of the future, whether \ndomestic or overseas, needing that secure 5G network. We are \nworking on ways overseas to not have to rely on the host nation \n5G network but installing one of our own that we can be much \nmore secure.\n    Secretary McMahon. Mr. Chairman, what I would only add to \nthat is I think all of us in the Department of Defense are \ngravely concerned about our international partners where there \nis a 5G system put in, what the vulnerabilities of that are, \nwhat the capability for espionage might be, and all the \nelements associated with that I think are front and center in \nour minds. I would defer to some of our experts to give you \nmore detail probably in a classified setting, but from our \nperspective, from an installation perspective and the reliance, \nfor example, on energy from a local industry provider in a \nforeign country, I think there is some concern about that.\n    Mr. Langevin. I am glad we are not going into it without \nblinders on. We need to continue to follow this topic as well.\n    With that, I will yield to Mr. Garamendi for the last \nrounds of questions, and then we are going to conclude.\n    Mr. Garamendi. Mr. Chairman, we need to have a classified \nhearing not only with our committee but also with the Energy \nand Commerce Committee on this issue of 5G. 
Not enough time to \ngo into it and probably not the right place to go into it, but \nwe are headed for a very, very serious problem here. So we will \nsee if we can get that together right away. Some of that is \nalso in the NDAA now in a rather controversial way.\n    Let me see. We have $3.5 billion of military construction \nprojects that are delayed, unfunded, defunded. Uh-huh. So I \nwant the four of you--I think--yeah, we have got the Marine \nCorps behind you--to tell us within the next 2 weeks what you \nintend to do with those projects that are defunded. Okay? It is \na serious problem. I spent the last--spent a week in Europe on \nthis, and the problem is of paramount importance there. Mr. \nPutin could not have had a greater gift than the message that \nthe President delivered that we really don't care about \nEuropean Deterrence Initiative.\n    So there are projects there. I appreciate the Army \nparticularly coming forward with specific information, also the \nAir Force, about projects that are defunded, the importance of \nthem, but it is much more than that. So, we don't need to worry \nabout those, that I did have the opportunity to see last week, \nbut the rest of them. So you are going have to restack, and we \nare going to spend a lot of time on this restacking. So get \nprepared.\n    The other thing is--I think I better let it go at that \npoint. You may get me started on something that will get ugly \nreal fast.\n    So thank you very much, gentlemen.\n    Jim, thank you for the opportunity for additional \nquestions.\n    I will look forward to that--week and a half--information. \nThank you very much.\n    Mr. Langevin. Very good. Thank you, John.\n    I just want to thank Chairman Garamendi and Ranking Member \nStefanik and Ranking Member Lamborn, the members of the \ncommittee, both committees, for this joint hearing and for our \nwitnesses' testimony. 
I know there is some followup that you \nwill need to do with us, get back to the committee and do the \nquestions we have asked. Look forward to those answers.\n    Members may have additional questions that they will \nsubmit. We would ask that you would respond to those as \nexpeditiously as possible but want to thank you all for the \nwork you are doing on behalf of the country. This is an \nimportant hearing, a good hearing, and a lot of important \ninformation we were able to cover.\n    So, with that, this subcommittee stands adjourned.\n    [Whereupon, at 4:45 p.m., the subcommittees were \nadjourned.]\n\n\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                            October 16, 2019\n\n=======================================================================\n\n      \n\n\n\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                            October 16, 2019\n\n=======================================================================\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n      \n    \n\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                            October 16, 2019\n\n=======================================================================\n\n      \n\n                  QUESTIONS SUBMITTED BY MS. STEFANIK\n\n    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? \nHow much (if any) of this is a contractor work force?\n    Secretary McMahon. The Deputy Secretary of Defense designated the \nDOD CIO as the official responsible for the cybersecurity of industrial \ncontrol systems for the DOD. 
Subsequently, in a December 2018 memo, the \nDOD CIO delineated responsibilities to the DOD Components to implement \ncybersecurity requirements for control systems. The policy memo also \nclarifies that DOD cybersecurity requirements are applicable to all DOD \ncontrol systems. In addition, the Department is developing enhanced \ncybersecurity implementation guidance for control systems. \nOperationally, U.S. Cyber Command and JFHQ-DODIN have a critical role \nin defending all DOD systems including ICS/SCADA systems, however it is \nthe system owners and operators that are ultimately responsible for the \nsafety and security of their systems. The contractor workforce is not \ndifferentiated from the overall cyber workforce comprised of government \ncivilians, military personnel, and contractors. Currently, ICS/SCADA \nsystems owners and operators are not included in the cyber workforce \nrequirements. Integrating ICS/SCADA competencies in the forthcoming \nupdate to the DOD cyber workforce policy (DOD Issuance 8140) will \nenable those distinctions.\n    Ms. Stefanik. What coordination takes place with cyber defensive \nteams? Are your service cyber forces familiar enough with local ICS/\nSCADA to assist?\n    Secretary McMahon. The DOD CIO ensures Cyber Mission Forces and \ncyber protection teams are establishing the processes to work \ncollaboratively with local facilities managers and other stakeholders \nto provide assessments and mitigations of mission relevant ICS/SCADA \nsystems and networks. Steady progress is being tracked by the \nComponents with a focus on the most critical mission relevant systems \nbeing assessed through FY20. As the expertise of these teams grows and \nthe processes are optimized, DOD is confident the proper coordination \nand collaboration will occur at the installation-level.\n    Ms. Stefanik. Are ICS/SCADA systems subject to the same security \nand accreditation standards as DOD networks are? 
Or are there \ndifferences with these so-called ``operational systems''?\n    Secretary McMahon. Yes, the DOD requires all DOD systems and \ntechnology, including ICS/SCADA systems, must have cybersecurity \napplied IAW existing policy as described in DODI 8500.01, Cybersecurity \nand follow authorization processes as described in the DODI 8510.01, \nRisk Management Framework for DOD IT. The DOD does not differentiate \ncybersecurity policy requirements by system type, rather, the policies \napply to all and are inclusive of varied cybersecurity implementation \nrisk-based approaches to different system and technology types.\n    Ms. Stefanik. Similar to our supply chain concerns with Huawei \ncomponents being in critical defense systems, do we have any concerns \nwith foreign components being used within ICS/SCADA hardware? Is this \nsomething you have surveyed or considered? How are you mitigating this \nconcern?\n    Secretary McMahon. Yes, the DOD is concerned about the supply chain \nassociated with ICS/SCADA hardware. Compared to information technology, \nICS supply chains are challenged by the inherent lack of security, \nlimited monitoring, and constrained vendor support (often the original \nequipment manufacturer) for these products. To address these concerns, \nthe OUSD (Acquisition) Chief Information Security Officer has taken a \nnumber of steps to reduce the vulnerabilities and impacts of \ncompromised devices and components. The DOD has adopted the NIST SP \n800-161 Supply Chain Risk Management Practices for Federal Information \nSystems and Organizations and is working with the Defense Industrial \nBase, suppliers, vendors, and other organizations such as the \nInternational Society of Automation to ensure that supply chain risk \nmanagement processes are implemented. In addition, the U.S. 
Army Combat \nCapabilities Development Command--Aviation & Missile Center (DEVCOM) is \ndeveloping a Tested Products List for Control Systems certification \nprocess for the DOD. This process will allow vendors/products to go \nthrough cybersecurity testing and enable Type Authorization (test once \nand use many times) at lower cost in less time.\n    Ms. Stefanik. One of the other focus areas for the IETC \nsubcommittee is science and technology, which is a community that for \ndecades has leveraged advances in modeling and simulation and other \ntechnologies to understand complex and unpredictable problems. With \nrespect to climate change and extreme weather events--how are you \nworking with the DOD S&T community and academia to understand and \nprepare for extreme weather events, to include modeling and simulation \nand other technologies that could help and develop and enhance \nresiliency for installations and infrastructure?\n    Secretary McMahon. OASD(S) works closely with OUSD(R&E) as well as \nthe Military Departments, academia, and the broader research and \nengineering community through communication and coordination, \ntechnology development and implementation, and research. Communication \nand coordination is evidenced in many ways. OASD(S) supports OUSD(R&E) \nas DOD's principal agency representative to the U.S. Global Climate \nChange Research Program (USGCRP), Subcommittee on Global Change \nResearch (SGCR) and their leadership of DOD's work within the Earth \nSystem Prediction Capability interagency coordination activity. OASD(S) \nsupports technology development and implementation with a focus of \nunderstanding and preparing for extreme weather events. For example, we \nare supporting the development of a web-based assessment tool to \nprovide better insight into DOD's exposure to extreme weather and \nclimate impacts. 
This tool is a text book example of how critically \nimportant modeling and simulation technologies developed by other \nagencies, academia, and the DOD S&T community is used to prepare for \nextreme weather events and climate change. DOD's Strategic \nEnvironmental Research and Development Program (SERDP) and \nEnvironmental Security Technology Certification Program (ESTCP) \nprograms harness the latest science and technology to improve DOD's \nenvironmental performance, reduce costs, and enhance and sustain \nmission capabilities. SERDP and ESTCP support research collaboration in \nacademia, industry, the Military Departments, and other Federal \nagencies. For example, SERDP leadership, in conjunction with the \nNational Oceanic and Atmospheric Administration (NOAA), the U.S. Army \nCorps of Engineers (USACE), U.S. Geological Survey (USGS), numerous \nuniversities and others, resulted in the development of DOD's Regional \nSea Level (DRSL) database for projected sea level rise at all coastal \ninstallations, a key tool for understanding coastal sea level rise.\n    Ms. Stefanik. How are you preparing for emerging technologies such \nas 5G and what will be an exponential increase in IOT devices? In 2017 \nwe saw some 8.4 billion devices connected to the internet--but by 2020 \nit is estimated that we may see up to 75 billion connected devices, \ndepending on what estimate you use. This presents tremendous \nopportunity but also significant challenges. Can you outline how you \nare thinking about 5G and this massive increase of IOT?\n    Secretary McMahon. The DOD CIO continuously assesses new technology \ntypes against existing policies to identify areas where additional \npolicy or implementation guidance may be required. The DOD reviewed and \nassessed existing cybersecurity, operations security, physical \nsecurity, and information security policies for guidance on Internet Of \nThings (IOT) devices. 
While IOT is not directly mentioned, the \nDepartment has found existing policies to be sufficient to address IOT \nsecurity requirements. From a cybersecurity perspective, all IOT must \nhave DOD cybersecurity applied IAW existing policy as described in DODI \n8500.01, Cybersecurity.\n    Ms. Stefanik. If there was a crippling cyber-attack on one of our \nmajor installations that took down critical infrastructure such as \npower, or disabled ICS/SCADA systems, can you walk us through how a \nmilitary installation would handle such an incident? What \nresponsibilities are within your portfolios, as compared to and \ncoordinated with CYBER COMMAND, and those that are providing Service \nMission Defense Teams, for example?\n    Secretary McMahon. As ASD(S), I oversee the cyber security of DOD \nfacility-related control systems and the resilience of enduring \ninstallations to energy disruptions. My office established the \nrequirement for the Services to develop installation energy plans and \nsupporting cyber security plans to identify critical energy \nrequirements, assess vulnerabilities, take action to mitigate risks, \nand conduct sustained maintenance and testing of these systems over \ntime. OASD(S) provides policy and governance to enable energy \nresilience at enduring installations, ensures that cyber security and \nenergy resilience are integrated into third party financed energy \nimprovements, and funds military construction projects that improve \nenergy resilience and contribute to mission assurance through the \nEnergy Resilience and Conservation Investment Program. Likewise, the \nDepartment is implementing a series of Energy Resilience and Readiness \nexercises that use ``black start'' scenarios to test and evaluate \nenergy systems at our installations. Each of these efforts supports the \ncapability of the Services to carry out critical missions in spite of \nenergy disruptions or cyber-attacks. 
Cyber defense best practices \nincludes two methods of defending control systems. First, there is a \nlogical separation of networks that limit communications between \ninformation technology and operational technology networks with very \nfew exceptions. Secondly, asset owners maintain a manual method of \noperation that does not require the use of a network to maintain \noperation. Should an attack occur, the on-site maintenance and \noperational personnel would take the respective system off line and \nmanually operate the system. In the event of a power outage, mission \nowners would immediately turn to backup power options (e.g., on-site \ngenerator, on-site distributed energy resources, and uninterruptible \npower sources) to sustain critical missions over the short-term. Based \non assigned mission assurance responsibilities, Combatant Command and \nOUSD(Policy) would begin coordinating with any non-DOD power providers \nregarding the timely restoration of power to the installations. \nDepending on the duration of the energy disruption, Services and \nCombatant Commands also would consider transitioning to continuity of \noperations posture and/or transitioning affected missions to other \nlocations. Cyber Command activities are outside the purview of this \noffice. As such, any questions referring to Cyber Command \nresponsibilities should be redirected to that office.\n    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or \nelectricity--we had an attack on the entire Military Electronic Health \nRecords System that prevented our military health care installations \nand systems from functioning--similar to the WannaCry attack that \ncrippled the U.K.'s National Health Service? Do we have incident \nresponse plans in effect to deal with these types of cyber incidents \nthat could impact our installations?\n    Secretary McMahon. 
The Defense Health Agency (DHA) has implemented \nsignificant cyber protections both at an enterprise level and at the \nlocal unit level that mitigate the risks from WannaCry and any other \ncyber exploit. In fact, DHA's military electronic health record system \nprogram vendor, Cerner Corporation, was responsible for providing the \nfirst copy of the WannaCry software code in America to both the Federal \nBureau of Investigation and the Department of Defense (DOD). As part of \nstandard DOD policies and procedures established for security \naccreditation, incident response plans are required for Authority To \nOperate (ATO) certification and are independently evaluated by the \naccreditation authority. MHS GENESIS, the new electronic health record \nfor the Military Health System, was implemented with a defense-in-depth \nstrategy. The first layer of defense is the protected network called \nthe Medical Community of Interest (MEDCOI). At the enterprise-level, \nMEDCOI separates health-related network traffic from all DOD network \nand internet traffic that is also monitored by Cyber Security Service \nProvider. MHS GENESIS has a full suite of active and passive cyber \nmeasures to predict, identify, and isolate threats. Furthermore, MHS \nGENESIS is building a continuity-of-operations and disaster recovery \n(COOP&DR) solution that will restore mission critical capabilities to \nend users within 4 hours of a declared disaster event. This solution \nwill be in place September 2020. This multi-tiered defense-in-depth \nstrategy provides MHS GENESIS with state-of-the-art protection measures \nensuring the delivery of capability to the Defense Health Community and \nthe Veterans Administration even in the face of a catastrophic event. \nEach Military Treatment Facility is also architected with a suite of \ncyber defenses customized to the unique requirements of that facility. 
\nIn the current state, each facility operates under their service \nspecific legacy downtime procedures moving to paper when the electronic \nsystems are not available. DHA's Health Informatics Division is \ndeveloping a standardized enterprise wide downtime procedure to include \nscheduled downtime, unscheduled downtime, and recovery.\n    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? \nHow much (if any) of this is a contractor work force?\n    Secretary Beehler. The Army has multiple stakeholders responsible \nfor defending ICS/SCADA systems. Army Chief Information Officer/G-6 is \nresponsible for establishing cybersecurity policies. Those policies are \nimplemented by mission and asset owners and enforced by authorizing \nofficials that approve and allow the use of the systems, and are \nrequired to align the systems to a Cybersecurity Service Provider \n(CSSP). Army Cyber Command (ARCYBER) is responsible for CSSP services, \nto include defensive cyber operations--internal defensive measures \n(DCO-IDM). ARCYBER has delegated some CSSP authority to certain \ncommands, such as U.S. Army Corps of Engineers (USACE) and United \nStates Army Space and Missile Defense Command (USASMDC) to provide CSSP \nfor their portion of the Army network under the purview of ARCYBER. On \n4 October 2019, the Director of the Army Staff designated U.S. Army \nChief of Engineers to develop a program managed structure that covers \nprocurement, configuration, cybersecurity, testing, and lifecycle for \nICS. The Army has not conducted a full inventory of ICS/SCADA hardware, \nhence it is not possible to determine how much of the Army ICS/SCADA \nsystems are defended by contractors. Based on the completed NDAA \nSec. 1650 assessments, the Army does not have the internal resources \n(trained manpower/equipment/money) to properly defend existing ICS/\nSCADA systems.\n    Ms. Stefanik. What coordination takes place with cyber defensive \nteams? 
Are your service cyber forces familiar enough with local ICS/\nSCADA to assist?\n    Secretary Beehler. Coordination to defend resources between \nelements of the Army cyber defense community is an on-going activity. \nThe proliferation of types of devices and wide range in age of devices \nsupporting Army infrastructure makes developing expertise in all areas \nchallenging. The Army is developing a greater familiarity with local \nICS/SCADA systems. For ICS/SCADA systems currently connected to \nnetworks, the Army has expertise in assessments.\n    Ms. Stefanik. Are ICS/SCADA systems subject to the same security \nand accreditation standards as DOD networks are? Or are there \ndifferences with these so-called ``operational systems''?\n    Secretary Beehler. Yes, ICS/SCADA control systems must follow the \nsame Department of Defense (DOD) security and accreditation standards \nas DOD networks.\n    Ms. Stefanik. Similar to our supply chain concerns with Huawei \ncomponents being in critical defense systems, do we have any concerns \nwith foreign components being used within ICS/SCADA hardware? Is this \nsomething you have surveyed or considered? How are you mitigating this \nconcern?\n    Secretary Beehler. The Army shares concerns about supply chain \nsecurity across all our data systems. These concerns are larger than \nany single supplier (such as Huawei) or even solely suppliers with \nforeign origins. We must ensure that our systems, regardless of origin, \nare effective for their purpose, including being cyber secure. The Army \nhas entered into an enterprise-wide effort to survey/inventory and \nassess the installations to better bound what control systems we have \non our installations, how they are connected, and how they are \nconstructed/serviced so that we can assess risk. 
The Army is already \nimplementing measures to mitigate risk; from implementing Unified \nFacility Criteria and Specifications used to incorporate cybersecurity \nmeasures across the infrastructure lifecycle, ensuring that control \nsystems are assessed and authorized using the DOD Risk Management \nFramework (RMF), and ensuring a continuous cybersecurity monitoring \nstrategy is in place to ensure vulnerabilities are identified and \nremediated.\n    Ms. Stefanik. One of the other focus areas for the IETC \nsubcommittee is science and technology, which is a community that for \ndecades has leveraged advances in modeling and simulation and other \ntechnologies to understand complex and unpredictable problems. With \nrespect to climate change and extreme weather events--how are you \nworking with the DOD S&T community and academia to understand and \nprepare for extreme weather events, to include modeling and simulation \nand other technologies that could help and develop and enhance \nresiliency for installations and infrastructure?\n    Secretary Beehler. The Army Climate Assessment Tool, developed with \nthe U.S. Army Corps of Engineers, incorporates the latest actionable \nscience data and model results from the scientific community regarding \nclimate change and extreme weather. The sources of this data include \nthe U.S. Geological Survey (USGS), National Atmospheric and Oceanic \nAdministration (NOAA), Federal Emergency Management Agency (FEMA), the \nFourth National Climate Assessment volumes released by the U.S. Global \nChange Research Program, and the DOD's Strategic Environmental Research \nand Development Program (SERDP), which itself includes interagency and \nacademic experts. Additional information derives from peer-reviewed \nscientific literature, including work sponsored in part by the U.S. \nArmy Corps of Engineers. 
The tool uses this data to indicate exposure \nof select locations to coastal and riverine flooding, drought, \ndesertification, wildfire, and thawing permafrost. Observed historical \ndata regarding hurricane and tornado intensity and location is also \nincorporated into the tool. This information provides a screening-level \nassessment of the exposure of Army locations to extreme weather and \nchanging climate, allowing prioritization of more detailed studies to \nreduce vulnerability and enhance resilience to these impacts. \nInstallation managers will use the information provided by this tool to \ninform master planning and to identify ways to improve the resilience \nof their installations to extreme weather events and other climate-\nrelated threats.\n    Ms. Stefanik. How are you preparing for emerging technologies such \nas 5G and what will be an exponential increase in IOT devices? In 2017 \nwe saw some 8.4 billion devices connected to the internet--but by 2020 \nit is estimated that we may see up to 75 billion connected devices, \ndepending on what estimate you use. This presents tremendous \nopportunity but also significant challenges. Can you outline how you \nare thinking about 5G and this massive increase of IOT?\n    Secretary Beehler. There are three steps the Army is taking to \nprepare for the integration of emerging technologies: assessing the \ncurrent state of installation information technology (IT), developing a \ncyber supply chain risk management governance structure to mitigate \ncybersecurity risks to ensure warfighter and installation security and \nreadiness, and leveraging new technologies to increase readiness. As \npart of the Army's holistic modernization efforts, the Army is working \nwith DOD to conduct 5G experiments at DOD facilities. Each Service \nnominated, and DOD approved one location, each as the first \nexperimentation site in FY20. The Army recommended Joint Base Lewis-\nMcChord (JBLM), WA. 
JBLM was nominated as the first site based on the \npotential to prove out technology in multiple-use case areas, alignment \nto Army modernization priorities as well as JBLM being the site for the \nArmy's existing Multi-Domain Task Force, a National Guard and Reserve \nforce generation site, a future synthetic training environment location \nand a Joint Base. DOD secured $52M in FY19 to support initial 5G \nefforts and intends to release an initial Request for Proposal (RFP) in \nNovember 2019 and allow industry to provide feedback and then release \nthe final RFP in early December. The additional selection of sites and \nbroader experimentation are subject to funding and continuing \nresolution. As part of DOD's established Scoping and Mitigation program \nto scrutinize Supply Chain vendors using the U.S. Code Sec. 2339A \nreview process (FY19 NDAA, Section 889), the Army is developing a \nSupply Chain Risk Management governance structure. The Army is also \nconducting supply chain analysis leveraging public data research \ncombined with advanced analytics to address national-level requirements \nin support of FY16 NDAA, Section 1647, and FY17 NDAA, Section 1650. As \nthe number of IT devices increases, the scrutiny of the cyber supply \nchain will assist in securing our warfighters and installations. To \nprepare for future conflicts, the Army is also ensuring Soldiers are \nready and armed with the latest technology. The driving force behind \nthis modernization effort is U.S. Army Futures Command (AFC) in \nconjunction with Assistant Secretary of the Army for Acquisition, \nLogistics and Technology (ASA(ALT)), created to streamline \nmodernization efforts and field new equipment and capabilities more \nquickly to Soldiers. 
Additionally, the Army is leveraging previously \ngranted authorities like Other Transactional Authority agreements \n(OTA's) to tap into innovation from nontraditional suppliers of \ncommercial technology for research and prototyping.\n    Ms. Stefanik. If there was a crippling cyber-attack on one of our \nmajor installations that took down critical infrastructure such as \npower, or disabled ICS/SCADA systems, can you walk us through how a \nmilitary installation would handle such an incident? What \nresponsibilities are within your portfolios, as compared to and \ncoordinated with CYBER COMMAND, and those that are providing Service \nMission Defense Teams, for example?\n    Secretary Beehler. Regardless of the cause of an outage event, \ncyber, or other, Army installations have robust planning in place to \nensure continuity of critical operations. Each installation has a \nspecific emergency response plan and all critical missions have \ncontinuity of operations plans to ensure mission effectiveness \nthroughout the duration of an event and for priority restoration of \nservices to recover from an event. From an energy and water \nperspective, Army Directive 2017-07 sets the requirement for Army \ninstallations to secure critical missions by being capable of \nwithstanding an extended utility outage of 14 days. This includes \ntimeframes to accomplish, curtail, or relocate the critical mission(s), \nas needed. The Army is also taking proactive measures to test our \nability to withstand a long-duration outage. Through the Army \nprotection program, installations regularly conduct integrated \nprotection exercises related to Defense and Army critical \ninfrastructure. Army installations are also required to complete full-\nscale and routine testing of emergency and standby energy generation \nsystems that support their critical energy requirements. 
Select \ninstallations have further tested their systems by completing Energy \nResilience Readiness Exercises that simultaneously disconnect the \nentire installation (or a subset) from utility power in a controlled \nenvironment to test system backups and validate installation backup and \nrestoration procedures. Installation Department of Public Works (DPW) \npersonnel work closely with Army Cyber Command personnel to respond and \nrecover from cyber-attacks. A critical part of this team effort is the \nuse of the Advanced Cyber Industrial Control Systems (ICS) Tactics, \nTechniques, and Procedures (TTP) to guide Army response. The ACI TTP \nprovides procedures that enable ICS managers and network managers to \ndetect cyber-attacks, mitigate the effects of those attacks, and \nrecover their networks following an attack. The primary goal during a \ncyber-attack is to retain operations of the critical infrastructure \npriorities (e.g., electric, water, etc.).\n    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or \nelectricity--we had an attack on the entire Military Electronic Health \nRecords System that prevented our military health care installations \nand systems from functioning--similar to the WannaCry attack that \ncrippled the U.K.'s National Health Service? Do we have incident \nresponse plans in effect to deal with these types of cyber incidents \nthat could impact our installations?\n    Secretary Beehler. Incident response plans and Continuity of \nOperations (COOP) plans are in place and practiced throughout the \nMedical Treatment Facilities (MTF) and these are inspected by the \nServices and Joint Commission (JC). The WannaCry virus exploited \nunpatched systems, and is a reason why DOD is focused on making sure \ncomputers are all patched with the latest software from vendors today. 
\nThe Military Electronic Health Records enterprise is currently \ncomprised of multiple systems that include but are not limited to Armed \nForces Health Longitudinal Technology Application, Composite Health \nCare System, and Essentris and is actively migrating to Military Health \nSystem GENESIS, the new DOD Electronic Health Record. Each of these \nsystems are architected in a different fashion and has internal \nsecurity built into the systems; they also sit in a Defense in Depth \nposture (isolated Virtual Local Area Networks (VLANS)) as well as \nperimeter security. With the incident response and COOP plans in place, \nthe MTFs are still able to provide health care. They would document the \ncare on paper versus in the electronic health record. The concern is \ndepending on the length of ``down time'' that may affect access to \nprevious data to facilitate the care.\n    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? \nHow much (if any) of this is a contractor work force?\n    Secretary Henderson. Sixteenth Air Force (16 AF) is responsible for \ndefending all Air Force Information Networks (AFIN), of which ICS/SCADA \nis a portion. The 16 AF defense work force is primarily comprised of \ngovernment personnel (military & civilian), with a few contractors in \nvarious units.\n    Ms. Stefanik. What coordination takes place with cyber defensive \nteams? Are your service cyber forces familiar enough with local ICS/\nSCADA to assist?\n    Secretary Henderson. Should an ICS/SCADA-impacting cyber attack \noccur, the Air Force has seven service-reallocated Cyber Protection \nTeams which it can direct to respond. Those teams can leverage greater \nUSCYBERCOM resources if warranted. Air Force defensive teams are \ntrained and equipped to respond to a broad range of cyber activity, and \nwill apply that training to any area of need. 
Additionally, they are \nexpected to be familiar with any cyber terrain on which their supported \nmissions rely, including AF-owned and civilian ICS/SCADA.\n    Ms. Stefanik. Are ICS/SCADA systems subject to the same security \nand accreditation standards as DOD networks are? Or are there \ndifferences with these so-called ``operational systems''?\n    Secretary Henderson. The ``security and accreditation'' is \naccomplished in accordance with DODI 8510.10 and implemented by AFI 17-\n101 RISK MANAGEMENT FRAMEWORK (RMF) FOR AIR FORCE INFORMATION \nTECHNOLOGY (IT) to address both traditional IT and control systems \nusing tailored security protocols based on their applicability to the \nsystem.\n    Ms. Stefanik. Similar to our supply chain concerns with Huawei \ncomponents being in critical defense systems, do we have any concerns \nwith foreign components being used within ICS/SCADA hardware? Is this \nsomething you have surveyed or considered? How are you mitigating this \nconcern?\n    Secretary Henderson. The integrity and supply chain risk of foreign \ncomponents in ICS/SCADA systems is of concern, especially where these \nsystems directly support Defense Critical Infrastructure and Defense \nCritical Missions. Supply chain risk management is a consideration in \nthe Air Force control systems cybersecurity strategy that is in \ndevelopment. An element of the strategy is to evolve our acquisition \nprocesses to reduce the risk of cyber vulnerabilities in ICS/SCADA \nsystems. To mitigate the concern in currently-fielded hardware, we are \nworking towards more advanced network hardening, monitoring and \ndefensive cyber operations.\n    Ms. Stefanik. One of the other focus areas for the IETC \nsubcommittee is science and technology, which is a community that for \ndecades has leveraged advances in modeling and simulation and other \ntechnologies to understand complex and unpredictable problems. 
With \nrespect to climate change and extreme weather events--how are you \nworking with the DOD S&T community and academia to understand and \nprepare for extreme weather events, to include modeling and simulation \nand other technologies that could help and develop and enhance \nresiliency for installations and infrastructure?\n    Secretary Henderson. We work with DOD, federal, and academic \nentities to understand and enhance installation resilience and share \nthe following examples. The DOD's Strategic Environmental Research and \nDevelopment Program (SERDP) led the development of the Regionalized Sea \nLevel Change Scenarios and Extreme Water Level Statistics database, a \nvaluable resource for localized sea level rise scenarios and historical \nstorm surge statistics. As noted in the Report on Effects of a Changing \nClimate to the Department of Defense (Jan 2019), SERDP and DOD's \nEnvironmental Security Technology Certification Program (ESTCP) \ninvestments support the development of the science, technology, and \nmethods needed to manage and enhance resilience. The Report outlines \nefforts by SERDP, ESTCP, and the Lawrence Berkeley National Laboratory \non understanding sea level rise, drought, wildfire risk, and permafrost \ndegradation. We are working with the Colorado State University Center \nfor Environmental Management of Military Lands to improve floodplain \ndelineation and explore the potential sea level rise, storm surge, and \nchanges in temperature and precipitation patterns on 60+ Air Force \nsites across the world. The intent is identification of potential \nvulnerabilities and possible adaptation strategies to feed into our \ninstallation Integrated Natural Resource Management Plans. In the \nfuture, we hope to use this information to inform siting and planning \napplications. 
Working with the University of Alaska--Anchorage we are \npursuing more accurate Alaska shoreline erosion prediction models that \ntake into account warming water near the shore, increasing air \ntemperatures, longer periods when sea ice is gone, increasing spatial \nextent of open water, increasing wind speeds, storm surges, wave \nheight, and thawing of permafrost. We rely on the USACE Cold Regions \nResearch and Engineering Laboratory (CCREL) expertise for its work on \nconstruction techniques in permafrost regions. We are also partnering \nwith ASD(S) and the Massachusetts Institute of Technology Lincoln Lab \nto develop a ``pull-the-plug'' exercise framework to baseline \ncapabilities and identify vulnerabilities. We will continue to \ncollaborate across the DOD, federal, and academic S&T communities to \nenhance our installation and mission resilience.\n    Ms. Stefanik. How are you preparing for emerging technologies such \nas 5G and what will be an exponential increase in IOT devices? In 2017 \nwe saw some 8.4 billion devices connected to the internet--but by 2020 \nit is estimated that we may see up to 75 billion connected devices, \ndepending on what estimate you use. This presents tremendous \nopportunity but also significant challenges. Can you outline how you \nare thinking about 5G and this massive increase of IOT?\n    Secretary Henderson. The Air Force is aware of the potential and \npromise of 5G and is pursuing opportunities to address gaps in \ncoverage. The Air Force will continue to pursue ways to leverage 5G to \ndrive a resilient warfighting communications architecture to promote \nour multi-domain command and control capabilities to preserve the Joint \nForce's and the Air Force's competitive advantage in today's strategic \nenvironment. The Air Force streamlined the process to grant leases for \ncommercial broadband. 
Currently, ten bases in the Southeast have leases \npending that will enable small node, whole-base commercial broadband \ncoverage. The next leasing opportunity will be for 17 bases in the \nNorthwest region later this calendar year. In addition to this, the AF \nis participating in DOD's 5G experiments to evaluate various 5G \ncapabilities such as smart depots, shared spectrum and mission planning \nthat will assess various 5G configurations for optimal mission usage.\n    Ms. Stefanik. If there was a crippling cyber-attack on one of our \nmajor installations that took down critical infrastructure such as \npower, or disabled ICS/SCADA systems, can you walk us through how a \nmilitary installation would handle such an incident? What \nresponsibilities are within your portfolios, as compared to and \ncoordinated with CYBER COMMAND, and those that are providing Service \nMission Defense Teams, for example?\n    Secretary Henderson. During their initial response, Civil \nEngineering Squadron (CES) operators or support contractors could \nidentify malicious cyber activity and trigger the appropriate response \nin partnership with a local Mission Defense Team (MDT), if applicable. \nThat response would include notifying the 624th Operations Center at \n16th Air Force, which would coordinate further response actions with \nCYBERCOM, including the deployment of a service-reallocated Cyber \nProtection Team (CPT) if warranted. The CPT would partner with the MDT \nto optimally understand the affected terrain and respond to the \nmalicious activity.\n    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or \nelectricity--we had an attack on the entire Military Electronic Health \nRecords System that prevented our military health care installations \nand systems from functioning--similar to the WannaCry attack that \ncrippled the U.K.'s National Health Service? 
Do we have incident \nresponse plans in effect to deal with these types of cyber incidents \nthat could impact our installations?\n    Secretary Henderson. Any questions specific to enterprise system \nrecovery or redundancy would have to be answered by the Defense Health \nAgency or Program Executive Office Defense Health Modernization System. \nThe answer below pertains to the local military treatment center \nactions. Each military treatment facility has contingency response \nplans for how to operate should the electronic health record be \nunavailable. These plans typically include paper-based processes for \ndocumenting care. There is often a reliance on civilian pharmacy \nnetworks to fill routine non-urgent medications during an outage, \nshould a patient not be able to wait until the system is restored. For \na prolonged outage, elective care may be delayed or deferred. Much of \nthe Military Health System's clinical data is shared with the \nDepartment of Veterans Affairs (Joint Legacy Viewer) through health \ninformation exchanges, or replicated in various data warehouses \n(Carepoint, Medical Data Repository, etc). In a prolonged outage these \ndata sources may become alternative means to access clinical \ninformation to support continued operations. Most routine acute care \ncan continue simply by collecting background information from the \npatient at the time of care (normal clinical practice). Local recovery \noperations will require care documented on paper or other means to be \nentered into the electronic health record once it becomes available. \nThis is commonly accomplished via scanning of paper documentation into \nthe record. In a small number of cases, specific data elements may have \nto be transcribed into the record as part of the recovery.\n    Ms. Stefanik. Who is responsible for defending ICS/SCADA systems? \nHow much (if any) of this is a contractor work force?\n    Mr. Niemeyer. 
The responsibility for cyber defense of Navy ICS/\nSCADA resides with the local system owners at the installations. System \nowners work closely with Naval Facilities Engineering Command (NAVFAC) \nwho is the cybersecurity technical authority for these systems. \nLeveraging a workforce of about 40% contractor and 60% Government \n(military and civilian) worldwide.\n    Answer (MCICOM): The responsibility for defensive cyber operations \nof ICS/SCADA systems is Marine Corps Forces Cyberspace Command \n(MARFORCYBER) and its subordinate command, the Marine Corps Cyber \nOperations Group (MCCOG). MARFORCYBER is responsible for the overall \nsecurity, operations, and defense of the Marine Corps Enterprise \nNetwork. MCCOG performs those duties as the Cyber Security Service \nProvider (CSSP) for the Marine Corps.\n    Ms. Stefanik. What coordination takes place with cyber defensive \nteams? Are your service cyber forces familiar enough with local ICS/\nSCADA to assist?\n    Mr. Niemeyer. Within the Navy, Naval Facilities Engineering Command \n(NAVFAC) regularly coordinates with Navy Cyber Defense Operations \nCommand (NCDOC) and their higher headquarters, Navy Fleet Cyber Command \n(FCC). The Navy's Service Defense Teams are aware of U.S. Cyber Command \ntactics, techniques, and procedures (TTP) for ICS/SCADA cybersecurity. \nThey regularly receive updates of the latest control systems \ncybersecurity including the development of technological advances and \nprocedures.\n    Answer (MCICOM): Within the Marine Corps coordination between cyber \ndefensive teams, the local IT and the local ICS/SCADA operators \ncurrently occurs on an ad-hoc basis. This is absent the adoption of an \nEnterprise Architecture which can provide visibility of the local FRCS \nnetworks to a dedicated Cyber Security Service Provider (CSSP) network \noperations center, similar to those that exist for the Marine Corps \nEnterprise Network (MCEN). 
Cyber forces are engaged at the stakeholder \nlevel in the developing of this Enterprise Architecture and aware of \nthe need to standup expertise for ICS/SCADA. The service cyber forces \nhave a very limited familiarity with ICS/SCADA systems, and training \nfor cyber forces on ICS/SCADA is not formalized. Marine Corps Forces \nCyberspace Command (MARFORCYBER) as the responsible party for \ncybersecurity and Marine Corps Installations Command (MCICOM) as the \nresponsible party for the operation of ICS/SCADA are aware of this gap \nand are actively working to address it.\n    Ms. Stefanik. Are ICS/SCADA systems subject to the same security \nand accreditation standards as DOD networks are? Or are there \ndifferences with these so-called ``operational systems''?\n    Mr. Niemeyer. Yes, DON ICS/SCADA systems are subject to the same \nDOD Risk Management Framework and security and accreditation standards \nused for information technology systems and networks. Differences for \nICS and SCADA are addressed in NIST Special Publication 800-82 Revision \n2: Guide to Industrial Control Systems (ICS) Security.\n    Ms. Stefanik. Similar to our supply chain concerns with Huawei \ncomponents being in critical defense systems, do we have any concerns \nwith foreign components being used within ICS/SCADA hardware? Is this \nsomething you have surveyed or considered? How are you mitigating this \nconcern?\n    Mr. Niemeyer. The Department of Navy shares concerns about supply \nchain security across our industrial control systems. Foreign \ncomponents being used within ICS/SCADA pose a significant concern to \nmission critical and essential operational facilities worldwide. To \nsurvey and mitigate this risk, the DON leverages our Navy and Marine \nCorps Mission Assurance Assessment programs to assess the function and \nresilience of ICS/SCADA systems critical to the performance of DOD \nMission Essential Functions across the supply chain. 
To mitigate risk \nin acquisitions, we utilize Defense Federal Acquisition Regulations \n(DFAR) clauses in our contracts. When assessments and monitoring \ndetermine an elevated risk, we use immediate remediation techniques and \ntechnical solutions such as disconnecting those systems from the \ninternet. To improve our understanding of the issue and maintain \ncontinuous awareness of the cyber battle space, we are developing \ninfrastructure and governance processes to continuously monitor our \ncritical ICS/SCADA systems worldwide.\n    Ms. Stefanik. One of the other focus areas for the IETC \nsubcommittee is science and technology, which is a community that for \ndecades has leveraged advances in modeling and simulation and other \ntechnologies to understand complex and unpredictable problems. With \nrespect to climate change and extreme weather events--how are you \nworking with the DOD S&T community and academia to understand and \nprepare for extreme weather events, to include modeling and simulation \nand other technologies that could help develop and enhance \nresiliency for installations and infrastructure?\n    Mr. Niemeyer. The DON actively participates within the DOD's \nStrategic Environmental Research Development Program (SERDP) and \nEnvironmental Security Technology Certification Program (ESTCP) in \npartnership with DOE, EPA, and academia in the development of research \nand resulting projects focused on ``Resource Conservation and \nResiliency'' which includes evaluating climate and weather. The DON \nincorporates climate resilience as a crosscutting consideration for our \nplanning and decision-making process. As an example the DON is closely \nworking with DOD to leverage the U.S. Army Corps of Engineers climate \nexposure tool to analyze climate impacts and natural hazards at 60 DON \nlocations (50 sites CONUS and 10 OCONUS), which is planned to be \ncomplete by September 2020.\n    Ms. Stefanik. 
How are you preparing for emerging technologies such \nas 5G and what will be an exponential increase in IOT devices? In 2017 \nwe saw some 8.4 billion devices connected to the internet--but by 2020 \nit is estimated that we may see up to 75 billion connected devices, \ndepending on what estimate you use. This presents tremendous \nopportunity but also significant challenges. Can you outline how you \nare thinking about 5G and this massive increase of IOT?\n    Mr. Niemeyer. DON and DOD are collaborating as part of a U.S. \n``Whole of Government'' approach to foster 5G innovations and mitigate \nsecurity risks. We are working with universities and commercial vendors \n(5G infrastructure and handsets) on efforts related to 5G. \nAdditionally, the Department of Navy is participating in the 5G study \nwith OUSD R&E to test 5G applications on our installations. These \npilots will enable the evaluation of 5G cyber security risks in \naddition to new attack surfaces that 5G may expose given the wider \nnetwork connectivity (e.g., Internet of Things). Navy continues to make \nsignificant progress and investments in ``trusted'' HW/SW/networking \nfor C2 and combat systems and these solutions are applicable to 5G. One \nexample is Network Slicing technology used by the DON to create \nmultiple logical networks with different performance characteristics \noverlaid on a single physical network enabling data segregations and \nslice specific security solutions. Slicing is not unique to 5G networks \nbut will be an enabler in increasing the security of 5G. If DOD employs \nIOT devices on our installations to create a smart port or smart depot, \nwe can use slicing to create partitioned networks for isolating the IOT \ndevices from the main enterprise network. Additionally, OUSD (R&E) is \npursuing measures to add greater protection and resiliency to a network \nthat is using slices. 
We are directly taking on the security risks \nposed by installed equipment manufactured from untrusted companies, by \npublishing guidance by January 2020 for use by installation commanders \nwhen considering the development of 5G infrastructure on bases and \nranges. We are also working with States and local communities on the \nestablishment of security requirements through state legislation within \npermitting processes to ensure 5G networks around bases and ranges do \nnot pose a security risk to critical DON missions. Our goal is to \nensure the military value of bases in the future are rewarded by the \ndevelopment of a secure 5G network.\n    Ms. Stefanik. If there was a crippling cyber-attack on one of our \nmajor installations that took down critical infrastructure such as \npower, or disabled ICS/SCADA systems, can you walk us through how a \nmilitary installation would handle such an incident? What \nresponsibilities are within your portfolios, as compared to and \ncoordinated with CYBER COMMAND, and those that are providing Service \nMission Defense Teams, for example?\n    Mr. Niemeyer. When personnel with DOD information network (DODIN) \nsecurity responsibilities detect compromise of cyberspace security \nmeasures, they transition, in accordance with standing authorities \ndelegated by the commander, to the cyberspace defense actions of \nDefensive Cyberspace Operations-Internal Defensive Measures to restore \nsecurity to their assigned portion of the DODIN. Their effectiveness in \nmaking this transition depends upon their level of training and \nresources to detect and respond to threats. If discovery and mitigation \nof malicious cyberspace activity requires expertise beyond that \navailable to the network operator and/or the ISP, the cyberspace \nprotection teams (CPTs) may respond to provide support conducting \ncyberspace defense actions, either remotely or by deploying to the \naffected location. 
CPTs perform other tasks to support network \noperators, including penetration testing, security surveys, and \nassessment. National-level CPT support can be extended to defend non-\nDOD mission partner or critical infrastructure networks when ordered by \nSecretary of Defense.\n    Ms. Stefanik. What if--instead of an attack on ICS/SCADA or \nelectricity--we had an attack on the entire Military Electronic Health \nRecords System that prevented our military health care installations \nand systems from functioning--similar to the WannaCry attack that \ncrippled the U.K.'s National Health Service? Do we have incident \nresponse plans in effect to deal with these types of cyber incidents \nthat could impact our installations?\n    Mr. Niemeyer. To ensure warfighters and decision makers have access \nto information systems and data after a disruption, DOD Instruction \n8500.01 requires that DOD Component heads develop Information Systems \nContingency Plans (ISCPs) and conduct testing to recover information \nsystem services following an emergency or other disruption. An ISCP is \nthe coordinated strategy involving plans, procedures, and technical \nmeasures that enable the recovery of information systems, operations, \nand data after a disruption. In the Department of Navy, System Owners/\nProgram Managers are responsible for having an operational ISCP as a \npart of their accreditation approval by the Navy or Marine Corps \nAuthorizing Official.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. BROOKS\n    Mr. Brooks. In July of 2015, the Government Accountability Office \nissued a report (GAO-15-749) that stated, ``as of February 2015, none \nof the military services had a complete inventory of existing \nIndustrial Control Systems.'' It's been four years since that report \nwas issued. 
Does the Office of the Assistant Secretary of Defense for \nSustainment (OASD(S)) have a complete inventory of existing Industrial \nControl Systems on all DOD installations managed through the Office of \nFacilities Management? Who has responsibility of the Industrial Control \nSystems on an individual installation? Who operates Industrial Control \nSystems on installations--military personnel, Department of Defense \ncivilians, or contractors? How has OASD(S) utilized Industrial Control \nSystem Subject Matter Experts during cyber vulnerability threat \nassessments? Is there a deadline set for all Industrial Control Systems \non installations managed by the Office of Facilities Management to be \ncybersecure? What is the estimated cost to secure Industrial Control \nSystems across all installations managed by the Office of Facilities \nManagement? What is the acquisition plan for software and/or hardware \nto cybersecure Industrial Control Systems? Who within the DOD is \nresponsible for that acquisition effort?\n    Secretary McMahon. Does the Office of the Assistant Secretary of \nDefense for Sustainment (OASD(S)) have a complete inventory of existing \nIndustrial Control Systems on all DOD installations managed through the \nOffice of Facilities Management? The Components are developing \ninstallation-level cybersecurity plans that show their progress towards \ninventorying, assessing, mitigating, and monitoring their ICS. These \nplans address all elements of a control system, such as computer \nhardware, software, and associated sensors, and address the full range \nof infrastructure and facilities across the Department (e.g., \ninstallation electricity, water, wastewater, natural gas, lighting, \nbuilding heating and air conditioning equipment, building control \nsystems, etc.). 
The DOD Components are required to implement these \nplans and account for an inventory of facility-related control systems \nsupporting Defense Critical Assets and Tier 1 Task Critical Assets \n(TCAs), as well as facility-related control systems that are connected \nto DOD networks, are internet-facing and/or stand-alone, and require \nAuthorization to Operate (ATO).\n    Who has responsibility of the Industrial Control Systems on an \nindividual installation? System asset owners have responsibility for \nthe Industrial Control Systems on an individual installation.\n    Who operates Industrial Control Systems on installations--military \npersonnel, Department of Defense civilians, or contractors? Depending \non the asset and installation, military personnel, DOD civilians, and \ncontractors may operate industrial control systems.\n    How has OASD(S) utilized Industrial Control System Subject Matter \nExperts during cyber vulnerability threat assessments? Subject matter \nexperts are used throughout the Department's effort to secure \nIndustrial Control Systems. For instance, subject matter experts from \nindustry, the Services, and national laboratories are informing the \ndevelopment of a Tested Products List for ICS. The Tested Projects List \nwill enable vendors/products to go through cybersecurity testing and \nenable Type Authorization (test once and use many times) in less time \nand at lower cost. DOD's Environmental Security Technology \nCertification Program also funded a number of cybersecurity projects \nassociated with Smart Grids, Energy Storage, Heating, Ventilation and \nAir Conditioning, and Cloud/Mobile/Internet of Things that evaluate \nnext generation devices and components capabilities and how vendor/\nsuppliers can meet the new NIST ICS guidelines and standards. 
DOD also \ncreated Advanced Cyber Industrial Control System Tactics, Techniques, \nand Procedures (ACI TTP) to enhance the detection, mitigation, and \nrecovery of cyber-attacks on control systems and support the training \nof risk assessment teams across the Department.\n    Is there a deadline set for all Industrial Control Systems on \ninstallations managed by the Office of Facilities Management to be \ncybersecure? As required by the FY 2017 NDAA Sec. 1650, ``Evaluation of \ncyber vulnerabilities of DOD critical infrastructure,'' Components are \nresponsible for completing an inventory of ICS for defense critical and \ntask critical assets by the end of CY2020.\n    What is the estimated cost to secure Industrial Control Systems \nacross all installations managed by the Office of Facilities \nManagement? Estimated costs to secure Facility-Related Control Systems \nacross all DOD installations are being collected as part of the POM22 \ncycle and will be formalized as a standalone budget exhibit to improve \nthe policy and governance of overall DOD investments in ICS security.\n    What is the acquisition plan for software and/or hardware to \ncybersecure Industrial Control Systems? Who within the DOD is \nresponsible for that acquisition effort? The DOD has taken a number of \nsteps to reduce the vulnerabilities and impacts of compromised devices \nand components. The DOD has adopted the NIST SP 800-161 Supply Chain \nRisk Management Practices for Federal Information Systems and \nOrganizations and is working with the Defense Industrial Base, \nsuppliers and vendors, and other organizations such as the \nInternational Society of Automation to ensure the implementation of \nappropriate supply chain risk management processes. Additionally, \ncybersecurity has been integrated into installation policy and \nguidance. 
This guidance requires control systems to incorporate the \ncybersecurity requirements established in the Unified Facilities \nCriteria 4-01-16 and meet cybersecurity risk management framework \nrequirements of DOD Instruction 8510.01 Risk Management Framework \n(RMF).\n    Mr. Brooks. In July of 2015, the Government Accountability Office \nissued a report (GAO-15-749) that stated, ``as of February 2015, none \nof the military services had a complete inventory of existing \nIndustrial Control Systems.'' It's been four years since that report \nwas issued. Does the Army currently have a complete inventory of \nexisting Industrial Control Systems on all Army installations? Who has \nresponsibility of the Industrial Control Systems on an individual \ninstallation? Who operates Industrial Control Systems on \ninstallations--military personnel, Department of Defense civilians, or \ncontractors? How has your department utilized Industrial Control System \nSubject Matter Experts during cyber vulnerability threat assessments? \nIs there a deadline set for all Industrial Control Systems on Army \ninstallations to be cybersecure? What is the estimated cost to secure \nIndustrial Control Systems across all Army installations? What is the \nacquisition plan for software and/or hardware to cybersecure Industrial \nControl Systems? Who within the Army is responsible for that \nacquisition effort?\n    Secretary Beehler. a) Does the Army currently have a complete \ninventory of existing Industrial Control Systems on all Army \ninstallations? For control systems installed as part of new construction, \nrenovation, or modernization efforts, as well as the identification of \ncontrol systems discovered during cybersecurity assessments since 2017, \nthe Army has a complete inventory. 
To address the installed base of \ncontrol systems across its infrastructure, the Army has been \nsystematically inventorying control systems using priorities as scaled \nin the Army's Cybersecurity Strategy for Facility-Related Control \nSystems. Army expects to have a complete inventory of all Facility-\nRelated Control systems by 2025. The initial focus of this effort is \ncentered on the Army defense critical assets and Tier 1 task critical \nassets as part of the requirements of the FY17 NDAA Section 1650. Army \nCyber Command (ARCYBER) is the executing authority for the FY17 NDAA \nSection 1650 cyber assessments. The Army continues to make gains in the \ninventory of the installed base of control systems outside of the NDAA \n1650 efforts. Army has identified over 365 control systems, and have \ncompleted cyber assessments on over 120 of them. Army plans to release \na Fragmentation Order (FRAGO) to Execution Order (EXORD) 141-18 \ndirecting Army organization to increase efforts on the inventory and \ncyber assessment of FRCS.\n    b) Who has responsibility of the Industrial Control Systems on an \nindividual installation? All control systems must have an appointed \nowner responsible for the overall procurement, development, \nintegrations, modification, or operation and maintenance of the system. \nPrimarily those owners are members of the local Installation or \nindustrial activity staff.\n    c) Who operates Industrial Control Systems on installations--\nmilitary personnel, Department of Defense civilians, or contractors? \nThe Army control system workforce is a mixture of DOD civilians, \nmilitary, and contractor support.\n    d) How has your department utilized Industrial Control System \nSubject Matter Experts during cyber vulnerability threat assessments? \nThe Army has chosen to develop a training pipeline and equip teams to \nsupport FY 17-NDAA 1650 assessments for critical infrastructure. 
We are \nalso developing an ICS Red Team capability under the Army Corps of \nEngineers, and have executed several missions with Cyber Protection \nTeams and USACE infrastructure. In most cases, the ICS/SCADA systems \nare connected to, controlled, and managed by more traditional IT \nsystems, resulting in a training cross over from more traditional \ndefensive cyber operations to ICS/SCADA networks.\n    e) Is there a deadline set for all Industrial Control Systems on \nArmy installations to be cybersecure? Based on priorities as scaled in \nthe Army's Cybersecurity Strategy for Facility-Related Control Systems, \nArmy expects to complete the assessment of all Facility-Related \nControl systems by 2025. The initial focus of this effort is centered \non the Army defense critical assets and Tier 1 task critical assets as \npart of the requirements of the FY17 NDAA Section 1650. Army Cyber \nCommand (ARCYBER) is the executing authority for the FY17 NDAA Section \n1650 cyber assessments. To date ARCYBER has completed 11 of 26 cyber \nassessments IAW the NDAA 1650, and expects to complete all assessments \nby the December 2020 deadline.\n    f) What is the estimated cost to secure Industrial Control Systems \nacross all Army installations? The completed cyber assessments are \nproviding critical insight to the challenges of securing control \nsystems and will inform mitigation prioritization effort. While the \ntotal cost for expected modernization and changes is difficult to \ndetermine at this point, based on existing assessments, hardware \nreplacement and software upgrades will be required.\n    g) What is the acquisition plan for software and/or hardware to \ncybersecure Industrial Control Systems? Since 2017, Army has integrated \ncybersecurity into its Installation policy and guidance. 
This guidance \nrequires control systems to incorporate the cybersecurity requirements \nestablished in the Unified Facilities Criteria 4-010-16 and meet \ncybersecurity risk management framework requirements of DOD Instruction \n8510.01 Risk Management Framework (RMF).\n    h) Who within the Army is responsible for that acquisition effort? \nAcquisition is largely decentralized. Control systems are generally \nlocally budgeted, acquired, maintained, and operated at each \nInstallation. However, Army guidance requires control systems to \nincorporate the cybersecurity requirements established in the Unified \nFacilities Criteria 4-010-16 and meet cybersecurity risk management \nframework requirements of DOD Instruction 8510.01 Risk Management \nFramework (RMF).\n    Mr. Brooks. In July of 2015, the Government Accountability Office \nissued a report (GAO-15-749) that stated, ``as of February 2015, none \nof the military services had a complete inventory of existing \nIndustrial Control Systems.'' It's been four years since that report \nwas issued. Does the Air Force currently have a complete inventory of \nexisting Industrial Control Systems on all Army installations? Who has \nresponsibility of the Industrial Control Systems on an individual \ninstallation? Who operates Industrial Control Systems on \ninstallations--military personnel, Department of Defense civilians, or \ncontractors? How has your department utilized Industrial Control System \nSubject Matter Experts during cyber vulnerability threat assessments? \nIs there a deadline set for all Industrial Control Systems on Air Force \ninstallations to be cybersecure? What is the estimated cost to secure \nIndustrial Control Systems across all Air Force installations? What is \nthe acquisition plan for software and/or hardware to cybersecure \nIndustrial Control Systems? Who within the Air Force is responsible for \nthat acquisition effort?\n    Secretary Henderson. 
The Army is developing its own inventory of \ntheir installation's control systems. The Air Force has conducted a \nfront-end inventory of Civil Engineer systems across Active Duty bases \nand the Air National Guard has started a similar effort. The scope of \nthe inventory does not include end-devices but focuses on the number of \ndifferent control system types at an AF base (e.g. the Energy \nManagement Control System is counted as one--the count is not every \nfacility's HVAC, etc.). The installation commander has authority over \nall control systems on an Air Force installation, and the operation and \nmaintenance of Civil Engineer-owned Facility Related Control Systems is \nconducted by the Civil Engineer Squadron. The operation of control \nsystems is specific to each base, but includes all three categories \n(military personnel, Department of Defense civilians, and contractors). \nThe Air Force Civil Engineer community has established partnerships \nwith Idaho National Labs through their fellowship program, National \nSecurity Agency through assessment expertise, and Sandia National Labs \nthrough a Joint Capability Technology Demonstration. The Air Force is \nusing a continual process improvement approach as cybersecurity is a \nconstantly evolving issue. Total security is unattainable. The Air \nForce is using a risk-based approach to focus resources on \ncybersecurity that enable Department of Defense and Air Force core \nmissions. The approach is to identify and mitigate the cyber \nvulnerabilities of the Air Force's highest-priority critical assets and \nsupporting infrastructure that enable Combatant Command warfighting \ncapabilities. Acquisition of control systems requires a partnership \nwith industry who designs the system architecture. Our plan is to \ncollaborate with industry and to produce standards for requirements \ndevelopment and contract language in order to mature the resiliency of \nIndustrial Control Systems. 
Acquisition authority resides with SAF/AQ, \nbut each system owner develops the requirements for every contract. A \nteam approach will be needed to ensure we obtain cyber resilient \nsystems and some clauses exist while striving to improve.\n    Mr. Brooks. In July of 2015, the Government Accountability Office \nissued a report (GAO-15-749) that stated, ``as of February 2015, none \nof the military services had a complete inventory of existing \nIndustrial Control Systems.'' It's been four years since that report \nwas issued. Does the Navy and Marine Corps currently have a complete \ninventory of existing Industrial Control Systems on all Army \ninstallations? Who has responsibility of the Industrial Control Systems \non an individual installation? Who operates Industrial Control Systems \non installations--military personnel, Department of Defense civilians, \nor contractors? How has your department utilized Industrial Control \nSystem Subject Matter Experts during cyber vulnerability threat \nassessments? Is there a deadline set for all Industrial Control Systems \non Navy and Marine Corps installations to be cybersecure? What is the \nestimated cost to secure Industrial Control Systems across all Navy and \nMarine Corps installations? What is the acquisition plan for software \nand/or hardware to cybersecure Industrial Control Systems? Who within \nthe Navy and the Marine Corps is responsible for that acquisition \neffort?\n    Mr. Niemeyer. 1) The DON has developed and is maintaining a \ncomprehensive inventory of its Industrial Control Systems through \nseveral ongoing efforts including: Mission Assurance Assessments, Cyber \nHygiene Assessments, Building and Utility Control System Implementation \nPlan Assessments, and ICS authorization and accreditation.\n    2) On an individual U.S. Navy installation, responsibility of ICS/\nSCADA falls to the system owner, who also has the responsibility for \nmanaging its operations. Within the Marine Corps. 
MCICOM is responsible \nfor the secure operation of ICS/SCADA.\n    3) Navy ICS/SCADA systems are operated by leveraging a workforce \nof about 40% contractor and 60% Government (military and civilian) \nworldwide. The Marine Corps is still developing its workforce \ncapability but expects to use a mix of military, civilian and \ncontractor resources.\n    4) Navy and Marine Corps ICS/SCADA Subject Matter Experts are \nintegral members of the Cyber Vulnerability Threat Assessment Team \nproviding architectural knowledge and validating recommendations and \nmitigations.\n    5) Both Navy and Marine Corps have taken a deliberate phased \napproach to securing ICS/SCADA worldwide. The Navy is currently on \ntrack with securing the most critical infrastructure first and plans to \nbe complete with this first phase by the end of FY21. The Marine Corps \nplans to have all of its ICS/SCADA cyber secure by the end of FY25.\n    6) The Navy and Marine Corps have taken a deliberate phased \napproach to securing ICS/SCADA worldwide. The Navy is currently on \ntrack with securing the most critical infrastructure first and plans to \nbe complete with this first phase by the end of FY21. The Marine Corps \nplans to have all of its ICS/SCADA cyber secure by the end of FY25.\n    7) The DON does not have a final cost estimate to secure all ICS \nacross all Navy and Marine Corps installations, but instead is focusing \nits resources on mitigation of its most critical risks as outlined in \nDON facility related control system plans.\n    8) DON is pursuing policies for standardizing control systems at \nthe installation level as a way to reduce cybersecurity and lifecycle \ncontrol system modernization costs.\n    9) NAVFAC is leading the acquisition efforts in their role as the \nICS/SCADA acquisition and technical authority. 
Marine Corps intends to \npurchase necessary hardware and software through Navy and Marine Corps \nacquisition avenues based on best value.\n                                 ______\n                                 \n                     QUESTIONS SUBMITTED BY MR. KIM\n    Mr. Kim. Please describe the top lessons you learned from the \nblack-start exercises.\n    Secretary McMahon. As indicated in the National Defense Strategy, \nresilient forces and facilities are a critical component of deterring \nand defeating adversaries. The Energy Resilience Readiness Exercises, \nalso referred to as black-start exercises, executed by the DOD in \ncollaboration with its Components are designed to ensure military \ninstallations are energy resilient and have the power they need to \noperate their critical missions in the event of a disruption. The four \nexercises completed to date have provided invaluable lessons learned \nthat fall within four key areas. First, we've learned that unknown \ninterdependences exist between the energy systems and other systems on \nour installations, such as communications and life, health, and safety \nsystems. Second, full operational testing and exercises ensure that all \ncritical building loads (e.g., elevators, emergency signs/lights, SIPR \ndoors, etc.) are on the backup system when power is disrupted. Third, \nmilitary installations lack the appropriate resourcing strategy for \ninterior electrical systems contributing to energy resilience, such as \npurchases of transfer switches and uninterruptable power systems as \nwell as insufficient resources needed for facility engineers to \nmaintain these systems. Last, the exercises provided information to \nprioritize energy resilience gaps to remediate risks and \nvulnerabilities that would prevent mission degradation or failure. 
The \nDOD is addressing these gaps through our Installation Energy Plans \nprocess to identify the most cost-effective solutions that provide the \nmaximum benefit towards improving energy resilience and mission \nreadiness.\n    Mr. Kim. What have you done to implement lessons learned from \nblack-start exercises?\n    Secretary McMahon. The DOD has taken the lessons learned from the \nEnergy Resilience Readiness Exercises (ERRE) and developed several \nsolutions for closing gaps, reducing risk, and enhancing our energy \nresilience posture across the Department. The Department works with \neach of its Components to develop solutions to address these gaps. \nThis is accomplished by coordinating with the Services to document gaps \nand necessary mitigations in each installation's Installation Energy \nPlan and ensure that solutions are implemented in a timely and effective \nmanner. The DOD has also developed ERRE framework guidance which \nprovides the Components the necessary policy statement to resource and \nto continue to routinely perform exercises and to monitor the \neffectiveness of implemented energy resilience solutions. Lastly, the \nDepartment plans to enhance the ERRE framework and augment future \nexercises with additional elements, such as simulated cyber-attacks. \nThese efforts promote specific actions that all installations can take \nto identify and mitigate mission-related risks and enhance energy \nresilience.\n    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint \nBase McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve \nas a staging area for FEMA. In the event of future natural disasters or \ncyber-attacks, the destruction will not be limited to just bases; what \nare you doing to work with FEMA and other organizations to prepare? Are \nthere any tabletop/real world exercises planned?\n    Secretary McMahon. DLA is synched with FEMA, USNORTHCOM, NGB, etc. \non disaster preparedness plans. 
We participate in FEMA's yearly \nexercises such as the 2019 Hurricane Preparedness Exercise conducted in \nJuly 2019 based on the 2017 Hurricane Maria that devastated Puerto \nRico. FEMA has begun the initial planning for a Utah Wasatch earthquake \nexercise in May 2020 and FEMA's Binary Blackout Exercise as part of \nEagle Horizon. DLA will participate in both exercises. DLA also \nparticipates in FEMA's annual Senior Leader Seminar along with U.S. \nArmy Corps of Engineers. We utilize disaster lessons learned and \nplanned exercises to develop and refine our Pre-scripted Mission \nAssignments so they are current for quick menu use during hurricane \nseason and any natural disasters. The exercises revolve around \npreparedness and DLA's ability to support through commodities such as \nfood, water, cots, generators, and fuel to name a few. We also execute \nquarterly USNORTHCOM DSCA Executive Seminars. Although Eagle Horizon \nand Binary Blackout will address cyber issues, exercises previously \nexecuted have not specifically addressed cyber issues or the resiliency \nof military organizations.\n    Mr. Kim. Please describe the top lessons you learned from the \nblack-start exercises.\n    Secretary Beehler. Energy Resilience Readiness Exercises (ERREs) \nhave enabled installations to uncover hidden dependencies among \ncritical systems. Backup energy infrastructure often exists in \nconfigurations that are either unknown or not documented. The ERREs \nprovide verification of backup energy system configurations including: \nidentification of critical facilities that do not have backup \ngeneration, confirmation that all critical loads are connected to \nbackup generation circuits, and evaluation of outage recovery \nprocesses. Planning for an ERRE forces discussions to happen amongst \nvarious internal and external stakeholders. 
The planning supports clear \ndetermination of critical load requirements, and documentation of black \nstart procedures and emergency response plans.\n    Mr. Kim. What have you done to implement lessons learned from \nblack-start exercises?\n    Secretary Beehler. Energy Resilience Readiness Exercises (ERREs) \nhave helped installations identify deficiencies in backup power \ncapabilities in the event of a widespread grid outage. The scope and \nscale of deficiencies varies and installations are working to address \nboth near-term and longer-term mitigation actions. In the weeks and \nmonths following the ERREs, installations have taken immediate action \nto address deficiencies like re-assigning backup generators to better \nalign with critical facilities; purchasing new uninterruptible power \nsupply (UPS) systems for mission-essential equipment; and updating \nmaintenance and emergency response procedures with privatized utility \nproviders. Additional deficiencies identified during the ERREs require \nmore significant technical solution development (engineering design) or \nlarger capital investment. These projects are being included for action \nin the Installation Energy and Water Plans (IEWPs). The IEWPs provide \nan installation-wide prioritized list of actions to address energy and \nwater resilience gaps and will guide both appropriated and third-party \nfunding project investment.\n    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint \nBase McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve \nas a staging area for FEMA. In the event of future natural disasters or \ncyber-attacks, the destruction will not be limited to just bases; what \nare you doing to work with FEMA and other organizations to prepare? Are \nthere any tabletop/real world exercises planned?\n    Secretary Beehler. 
In December 2006, the Joint Requirements \nOversight Council Memorandum (JROCM) 263-06 established requirements \nfor the National Guard Bureau (NGB) and USNORTHCOM to establish a \nNational Guard (NG) joint interagency training program that included \nfour regional NG command post exercises annually. As a result of this \nrequirement, the NGB and USNORTHCOM developed the Vigilant Guard (VG) \nJoint Exercise Program. VIGILANT GUARD is a USNORTHCOM Joint Exercise \nProgram conducted in conjunction with NGB. The VG program provides an \nopportunity for State National Guard Headquarters, State Joint Task \nForces and Field Units to improve command and control and operational \nrelationships with Federal, Regional, State, and Local civilian and \nmilitary partners. Routine participants in VG exercises include:\n    <bullet>  State Joint Force Headquarters (JFHQs) and Joint Task \nForces (JTFs) per DOD Directive 5105.83\n    <bullet>  State emergency management agencies and City/County \nemergency operations centers\n    <bullet>  National Guard Reaction Forces (NGRFs), Civil Support \nTeams (CSTs), CBRNE Enhanced Response Force Packages (CERFPs), and \nHomeland Response Forces (HRFs)\n    <bullet>  Various Federal civilian partners (e.g., DHS, FEMA) and \nFederal military partners (e.g., USNORTHCOM, ARNORTH) as dictated by the \nscenario.\n    The NGB also established the Special Focus Joint Exercise (SFE) \nProgram. The SFE is a NGB full scale exercise that enables Joint NG and \ninteragency operations at the local, state and regional level, \nemphasizing how the participants establish liaison relationships within \nthe Incident Command Structure. 
Routine participants in the SFE \nexercises include:\n    <bullet>  State Agencies\n    <bullet>  Federal Civilian Partners (e.g., DOE, DHS, FEMA, USCG)\n    <bullet>  Federal Military Partners (e.g., ARNORTH)\n    <bullet>  State emergency management agencies and City/County \nemergency operations centers, and Incident Management Teams\n    <bullet>  Local/State Civilian Partners (e.g., Police, Fire)\n    <bullet>  Regional Response Partners (e.g., SAR teams)\n    <bullet>  Volunteer Organizations in Disasters\n    <bullet>  Non-Governmental Organizations\n    <bullet>  Private Sector Partners\n    <bullet>  Faith Based Groups\n    Additionally, in an effort to meet the requirements outlined in \nJROCM 263-06, the NG, in conjunction with USNORTHCOM, participates in \nthe National Exercise Program (NEP). NEP is a two-year cycle of \nexercises across the nation that examine and validate capabilities in \nall preparedness mission areas. Within the program, FEMA facilitates \nNational Level Exercises (NLE) built upon real-world incidents to make \nsure that our nation is better prepared when the next disaster strikes. \nThese exercises are whole of community engagements.\n    Mr. Kim. Please describe the top lessons you learned from the \nblack-start exercises.\n    Secretary Henderson. The Air Force recently completed two planned \nEnergy Resilience Readiness Exercises (ERREs) at Hanscom Air Force Base \n(AFB) and Vandenberg AFB. Both exercises went very well, and the final \nreports on these are due to OSD in March of 2020. At this time, the \nfindings are preliminary and general, but the Air Force would \nappreciate the opportunity to provide a more-detailed briefing on our \nlessons learned after we have had the opportunity to fully assess the \noutcomes from these exercises. 
In general, it is clear that these ERREs \nidentified asset interdependencies that will enable the installation to \nbetter-prepare for and recover from energy disruptions in the future.\n    Mr. Kim. What have you done to implement lessons learned from \nblack-start exercises?\n    Secretary Henderson. The Air Force is still awaiting the full \nanalysis and report from the Hanscom AFB ERRE. Upon receipt of that \nreport and the results of the Vandenberg ERRE later this fall, SAF/IEE \nwill look for patterns and lessons learned to implement across \ninstallations. The results of these lessons learned may be incorporated \ninto Installation Energy Plans (IEPs) or specific project \nrecommendations on Hanscom or Vandenberg AFBs. Currently USAF policies \nor procedures have not changed as a result of the Hanscom AFB ERRE. The \nERREs help baseline readiness posture installation by installation, and \nthe Air Force will need to complete more exercises across the \nenterprise before changes to policy are enacted.\n    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint \nBase McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve \nas a staging area for FEMA. In the event of future natural disasters or \ncyber-attacks, the destruction will not be limited to just bases; what \nare you doing to work with FEMA and other organizations to prepare? Are \nthere any tabletop/real world exercises planned?\n    Secretary Henderson. The Department of Defense actively supports \nand participates in FEMA's National Level Exercise program, which \npromotes preparedness and response to catastrophic events across the \nfederal agencies. For example, Ardent Sentry is an annual North \nAmerican Aerospace Defense Command and U.S. Northern Command exercise \nthat is part of the Federal Emergency Management Agency's national \nlevel exercise. 
Each year a different event type is exercised using a \nmock catastrophic event (such as Atlantic Hurricane, Southern \nCalifornia Earthquake, Cascadia Subduction Zone Earthquake, New Madrid \nSeismic Zone Earthquake, 10kt Nuclear Detonation, and Alaska \nEarthquake). The Air Force and other military departments participate \nin a supporting role to Federal Emergency Management Agency in these \nexercises. In addition, Air Force forces may be provided to a combatant \ncommander for directed exercises designed to improve force readiness to \naccomplish Defense Support of Civil Authorities related operations. \nFinally, Air Force Emergency Preparedness Liaison Officers participate \nin local, state, and regional exercises.\n    Mr. Kim. Please describe the top lessons you learned from the \nblack-start exercises.\n    Mr. Niemeyer. The DON has taken a deliberate approach to black \nstarts, investing in tabletop exercises and comprehensive mission \nassurance assessments as a precursor. DON has partnered with \nOASD(Energy) and the Massachusetts Institute of Technology-Lincoln Labs \nto conduct dozens of tabletop energy resilience assessments at multiple \ninstallations in California, Washington State, Pennsylvania, Virginia \nas well as overseas in Guam and Italy. These tabletop exercises \nsimulate a multi-state outage of the electrical grid for 30-days while \nthe installation maintains a state of constant readiness. From these \nexercises, we learned that installations often do not have a perfect \nunderstanding of the energy requirements, generation and distribution \nneeded to sustain operations over many weeks. Installations also \ncurrently operate with unknown risks and interdependencies to systems \nand missions, and more work is necessary to ensure installations have a \ncomprehensive site picture of the energy system capabilities during a \nreal outage. 
Moving forward, the DON is planning a large and several \nsmaller scale exercises in 2020 at MCAS Miramar, MCB Butler and Camp \nLejeune.\n    Mr. Kim. What have you done to implement lessons learned from \nblack-start exercises?\n    Mr. Niemeyer. The DON is implementing the lessons learned from our \ntabletop exercises through our established Mission Assurance Program. \nDON's Mission Assurance Program provides an integrative framework and a \nprocess to protect or ensure the continued function and resilience of \ncapabilities and assets critical to the performance of Department of \nDefense mission-essential functions in any operating environment or \ncondition.\n    Mr. Kim. In 2012 when Hurricane Sandy ravaged my district, Joint \nBase McGuire-Dix-Lakehurst's resiliency allowed it to rebound and serve \nas a staging area for FEMA. In the event of future natural disasters or \ncyber-attacks, the destruction will not be limited to just bases; what \nare you doing to work with FEMA and other organizations to prepare? Are \nthere any tabletop/real world exercises planned?\n    Mr. Niemeyer. The DON is implementing the lessons learned from our \ntabletop exercises through our established Mission Assurance Program. \nDON's Mission Assurance Program provides an integrative framework and a \nprocess to protect or ensure the continued function and resilience of \ncapabilities and assets critical to the performance of Department of \nDefense mission-essential functions in any operating environment or \ncondition.\n                                 ______\n                                 \n                QUESTIONS SUBMITTED BY MS. TORRES SMALL\n    Ms. Torres Small. During the hearing Congresswoman Torres Small \ndiscussed the aging infrastructure at White Sands Missile Range. In \nparticular, she discussed an information systems facility built in \n1962. 
The facility serves as the gateway for all communications and \ndata to the outside world, and houses critical equipment providing \nsupport for administrative command and control and testing and \nevaluation users. The facility is relied upon to provide critical \nsupport for modern missile testing ranging from the Standard Missile-2 \nand Patriot Missile System-3 to next generation weapon systems. Can you \nplease speak to how conducting operations in a 57-year-old facility \ncould stunt the efforts for maximizing installation resiliency? How \ndoes this impact our cyber security?\n    Secretary Beehler. Currently, the Information System Facility (ISF) \noperates out of ten separate buildings located at WSMR. Each assigned \nbuilding has undergone varying levels of retrofit to accommodate the \ncurrent ISF mission. Current geographically separated space is \nsuboptimal in regard to facilitating the operational synergy \nrequired for 24-hour information management and the necessary workforce \nfusion required for network defense and security. The Army assesses \nrisks and needs in determining where to allocate funds for military \nconstruction (MILCON) and facility sustainment, restoration and \nmodernization. At this time, the ISF project will compete for funding \nin FY21.\n\n                                  <all>\n</pre></body></html>\n"