[Senate Hearing 116-644]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 116-644

                    THE DEPARTMENT OF DEFENSE AUDIT

=======================================================================

                                HEARING

                               BEFORE THE

                     SUBCOMMITTEE ON READINESS AND
                           MANAGEMENT SUPPORT

                                 OF THE

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION
                               __________

                           NOVEMBER 20, 2019
                               __________

         Printed for the use of the Committee on Armed Services
         

                  [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]         


                 Available via: http://www.govinfo.gov
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
54-854 PDF                 WASHINGTON : 2024  

                      COMMITTEE ON ARMED SERVICES

                  JAMES M. INHOFE, Oklahoma, Chairman
ROGER F. WICKER, Mississippi		JACK REED, Rhode Island
DEB FISCHER, Nebraska			JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas			KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota		RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa			MAZIE K. HIRONO, Hawaii
THOM TILLIS, North Carolina		TIM KAINE, Virginia
DAN SULLIVAN, Alaska			ANGUS S. KING, Jr., Maine
DAVID PERDUE, Georgia			MARTIN HEINRICH, New Mexico
KEVIN CRAMER, North Dakota		ELIZABETH WARREN, Massachusetts
MARTHA McSALLY, Arizona			GARY C. PETERS, Michigan
RICK SCOTT, Florida			JOE MANCHIN, West Virginia			
MARSHA BLACKBURN, Tennessee		TAMMY DUCKWORTH, Illinois
JOSH HAWLEY, Missouri			DOUG JONES, Alabama                
                                                                                                                                                 
                      John Bonsell, Staff Director
              Elizabeth L. King, Minority Staff Director

                               __________

            Subcommittee on Readiness and Management Support

                   DAN SULLIVAN, Alaska, Chairman
DEB FISCHER, Nebraska			TIM KAINE, Virginia
JONI ERNST, Iowa			JEANNE SHAHEEN, New Hampshire
DAVID PERDUE, Georgia			MAZIE K. HIRONO, Hawaii
MARTHA McSALLY, Arizona			TAMMY DUCKWORTH, Illinois
MARSHA BLACKBURN, Tennessee		DOUG JONES, Alabama          
                                     
                                     
                                     
                                     

                                  (ii)

  
                            C O N T E N T S

                               __________

                           November 20, 2019

                                                                   Page

The Department of Defense Audit..................................     1

                           Members Statements

Statement of Senator Dan Sullivan................................     1

Statement of Senator Tim Kaine...................................     2

                           Witness Statements

Norquist, Hon. David L., Deputy Secretary of Defense.............     4

Questions for the Record.........................................    40

Appendix A
  Details Related to the Service Fiscal Year 2020 Marks..........    47

Appendix B
  Supporting documents...........................................    48

                                 (iii)

 
                    THE DEPARTMENT OF DEFENSE AUDIT

                              ----------                              


                      WEDNESDAY, NOVEMBER 20, 2019

                  United States Senate,    
                      Subcommittee on Readiness    
                            and Management Support,
                               Committee on Armed Services,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 9:30 a.m. in 
room SR-222, Russell Senate Office Building, Senator Dan 
Sullivan (Chairman of the Subcommittee) presiding.
    Members present: Senators Sullivan, Fischer, Ernst, Perdue, 
Blackburn, Shaheen, Hirono, Kaine, and Jones.

           OPENING STATEMENT OF SENATOR DAN SULLIVAN

    Senator Sullivan. Good morning. This hearing on the 
Subcommittee on Readiness and Management Support will come to 
order.
    Today, this Subcommittee meets to receive testimony from 
Deputy Secretary of Defense David Norquist concerning the 
Department of Defense's (DOD) 2018 and 2019 audits. Last year, 
when he was serving as the DOD Comptroller, Secretary Norquist 
completed the first DOD audit ever. Soon thereafter, Secretary 
Norquist was nominated and then confirmed as Deputy Secretary 
of Defense with overwhelming Senate support from both sides of 
the aisle. He is a wealth of knowledge on these issues, and I 
thank him for being here today.
    To a lot of people, aside from my good friend Senator 
Perdue, who I'm hopeful will be here a little bit later, the 
DOD audit might not come across as the most interesting topic 
in the world. However, Ranking Member Kaine and I take our 
oversight responsibility seriously and are happy to have this 
important and timely hearing.
    Another responsibility we take seriously has been one of 
providing the funding needed to rebuild our military, with a 
specific focus on restoring readiness.
    Conducting an audit of this magnitude is a massive 
undertaking, as I'm sure we'll hear. In fact, until Secretary 
Norquist arrived, it had never happened. The Pentagon had never 
completed an audit. Let me repeat that. In its history, the 
Department of Defense had never completed an audit. Kind of 
remarkable.
    The fiscal year 2019 DOD audit is one of the largest audits 
of any organization in history. Over the course of this year, 
this audit has required more than 1,400 auditors and hundreds 
of DOD site inspections. These auditors and inspections 
evaluated thousands of sample and document items to account for 
the roughly $2.8 trillion in DOD assets. Conducting an audit of 
this size is no easy task, but it's a critical function that 
DOD must do, and the results reveal issues that we all must 
learn from. There is still much, much more work to be done, but 
I commend the Secretary for undertaking this difficult, but 
important, task.
    As of last Friday, the Department of Defense completed its 
second agency-wide audit. While it did not receive an overall 
clean opinion, much knowledge was gained from actually doing 
the audit. I'm sure we'll hear more, but of the 24 individual 
audits done across the different agencies, 7 did come back 
clean.
    So, why do we take the time to do an audit? In part, it is 
to encourage the more responsible use of resources within the 
Department, and, from a readiness perspective, the ability to 
promote real change within the Department. While identifying 
cyber vulnerabilities in DOD information technology systems or 
locating unaccounted-for equipment or improving the 
recordkeeping of personnel is not a glamorous undertaking, it 
does produce process improvements and technological upgrades 
that are long overdue. These improvements are critical to DOD's 
responsibility that, ``It's important to gain full value from 
every taxpayer dollar spent on defense, thereby earning the 
trust of Congress''. That is from the 2019 National Defense 
Strategy (NDS). In other words, if DOD wants Congress to 
continue to fund the military in order to counter great-power 
competition, like that from Russia and China, as laid out in 
the 2019 NDS, we, in the Congress, and the American people need 
to have the confidence that these dollars are being spent 
wisely.
    As Chairman Inhofe regularly states, the NDS has been 
preparing our military for a return to strategic competition 
and does represent a prime example of bipartisanship for the 
support of that strategy and our troops in the Senate. The NDS 
explicitly states the audit as a priority towards driving a 
better budget discipline for the Department and achieving our 
overall national defense goals. I hope this budget discipline 
starts with the audit and spreads throughout the Department to 
all the financial processes within DOD, including our 
procurement, acquisition, and contracting processes that this 
subcommittee has oversight of. I look forward to hearing about 
the progress, some of the successes, some of the failures.
    I know my Ranking Member, Senator Kaine, is also 
interested, so I will turn the dais over to him for his opening 
remarks.

                 STATEMENT OF SENATOR TIM KAINE

    Senator Kaine. Thank you, Mr. Chairman.
    Secretary Norquist, it's good to have you here. When I saw 
the amount of press streaming into the Capitol this morning, I 
thought finally the Pentagon audit is going to get the 
attention that it has deserved.
    [Laughter.]
    Senator Kaine. Apparently, there's other things going on, 
on the Hill. But, I do want to welcome you and thank you for 
your long record of public service, but also for your making 
sure that the auditability of the DOD is a top priority.
    The fact that all Federal agencies were mandated to do 
audits, really beginning in 1990, and that the DOD has been the 
last to get in line is well known, so much so that the NDAA 
[National Defense Authorization Act], in, I believe, 2015, this 
committee sort of said, ``Okay, you had enough time, you've got 
to make this happen.'' I was gratified to be part of the 
committee when we finally gave the ultimatum, and I'm gratified 
that, under your leadership, the DOD is moving to get this 
done.
    Last week, the Department announced that it had officially 
failed the 2019 audit. That's not surprising. I think, 
actually, you would have found a great deal of skepticism on 
this committee had the 2019 report said, ``Hey, everything's 
fine.'' When you start something as complex as this, if you're 
not finding areas to improve, failings that need to be 
corrected, then you lead policymakers to question the veracity 
or the sufficiency of the effort.
    But, what the report last week showed is that there's so 
much more to be done to get warfighters and taxpayers what they 
deserve, a fully auditable Pentagon. We had a witness testify 
before the full committee recently. I'm blanking on the 
witness's name, but she used the phrase ``efficiency for 
lethality,'' the idea that the audit should drive us to not 
spend on things we shouldn't, reduce spending on things we 
shouldn't, as a way of then directing those resources to more 
lethality, to a more effective Department of Defense.
    I hope we can talk about a number of issues today. What 
benefits are the military forces already seeing from the audit 
and its findings? Benefits in efficiency, but it was always my 
hope, as a mayor and Governor, in looking at audits, to also 
learn some things that might improve the effectiveness of 
operations. I don't think it's just a number-counting exercise 
and an exercise that should lead to saving a dollar here or a 
dollar there. It should also lead to greater efficiencies and 
effectiveness. And so, I hope we can talk about benefits.
    How is the process of the audit already helping the 
Pentagon clean up any data or accounting practices that need to 
be improved? What resources are being applied to the audit? Are 
there additional resources that need to be applied so that it 
can be as effective as possible, moving forward? And, in your 
opinion, Secretary Norquist, how long will it be, 
realistically, before the DOD will be in a position where the 
audits will be clean audits across all the numerous audits that 
are done?
    So, I look forward to working with the committee, under 
your leadership, with the Department, to make good on this 
promise made so long ago to the American taxpayer that every 
aspect of the American Federal Government would be subject to 
an audit, and that we would learn from the audit in a process 
of continuous improvement so that we can get better at what we 
do.
    Thank you.
    Senator Sullivan. Thank you, Senator Kaine.
    And, Mr. Secretary, thanks again for being here. We look 
forward to your opening statement. If you want a longer written 
statement, that will be submitted for the record.
    The floor is yours.

   STATEMENT OF HON. DAVID L. NORQUIST, DEPUTY SECRETARY OF 
                            DEFENSE

    Secretary Norquist. Thank you, Mr. Chairman.
    Chairman Sullivan, Ranking Member Kaine, distinguished 
Members of the Committee, thank you for the opportunity to 
testify before you today on the Department of Defense financial 
statement audit.
    There are three major questions about the audit I'd like to 
briefly address. First, why do we even have an audit? Second, 
what are the results of this year's audit? And third, how does 
the audit and other reforms benefit American taxpayers?
    The short answer on why we have an audit is that DOD is an 
extraordinarily large and complex organization. We employ 
nearly 3 million servicemembers and civilians. While a typical 
commercial airline manages between 300 and 1,600 aircraft, the 
military services fly approximately 16,000 aircraft. We also 
manage 292 billion in inventory, more than 6 times the size of 
Walmart, the world's largest retail company. Financial 
statement audits are a proven commercial solution that uses 
independent auditors to effectively assess complex operations. 
A financial statement audit is comprehensive, and it includes 
verifying the count, location, and condition of our military 
equipment, property, material, and supplies. It tests 
vulnerabilities in our security system of our business systems, 
and it validates the accuracy of records and actions, such as 
promotions and separations. In short, it provides the 
independent feedback that both DOD leadership and Congress 
needs.
    This year, more than 1,400 auditors conducted over 600 site 
visits, with the following results: consistent with last year, 
they reported no evidence of fraud, no significant issues with 
the amounts paid to civilian or military members, and that DOD 
could account for the existence and completeness of major 
military equipment. In addition, one more organization received 
a clean opinion: the Defense Commissary Agency. Now 7 of the 24 
will have an unmodified or clean opinion this year. And of the 
2,377 findings in fiscal year 2018, the Department was 
successful in closing more than 550, or 23 percent, of the 
findings. The audit demonstrates progress, but we have a lot 
more to do.
    How does the audit benefit the American taxpayer? Well, the 
original and primary purpose in an audit is transparency. But, 
at DOD, we have seen how the audit saves money by improving 
inventory management, identifying vulnerabilities in 
cybersecurity, and providing better data for decisionmaking. 
Let me give two examples:
    The Navy, at Fleet Logistics Center (FLC) Jacksonville, 
conducted a 10-week assessment, and they identified $81 million 
worth of active material not tracked in the inventory system. 
That was now available for immediate use, decreasing 
maintenance time and filling 174 requisitions. They also 
eliminated unneeded equipment, freeing up approximately 200,000 
square feet, the equivalent of 4.6 acres.
    We are already seeing the benefits of better data in the 
use of data analytics. For example, the Department uses the 
ADVANA tool recently to automate the quarterly review process 
of its obligations. This workflow tool eliminated 
inefficiencies and provided the analysts the time and the 
insights they needed to identify $316 million in high-risk 
funds, moving them from a low-priority function to better use 
of those before they canceled or expired.
    The audit is a foundational element of a broader landscape 
of business reform in the National Defense Strategy. We are 
moving forward on multiple fronts, improving our enterprise 
buying power, consolidating IT [information technology], 
realigning and reforming healthcare, consistent with 
congressional direction, reforming how we do background 
investigations to make them more effective and less expensive, 
and eliminating duplicate and inefficient business systems, as 
well as identifying efficiencies in what we like to call ``the 
fourth estate.''
    I would be remiss if I didn't mention the harmful impacts 
of the ongoing continuing resolution (CR). I recognize I'm 
preaching to the choir. The Department and the White House have 
both expressed the urgent need for Congress to pass the fiscal 
year 2020 authorization and appropriation bills. The CR stopgap 
measures are wasteful to the taxpayer. They delay storm-damage 
repairs and the damage the gains our military has made in 
readiness and modernization. Ultimately, a CR is good for the 
enemy, not for the men and women of the United States military. 
The administration and I urge Congress to come to agreement as 
quickly as possible, consistent with the budget deal reached in 
the summer.
    In closing, I'd like to thank President Trump for his 
leadership and the DOD workforce for embracing this complex and 
important issue. I'd also like to thank Congress and this 
committee, and in particular the committee staff, for your 
commitment to this massive undertaking and the role you have 
played in making an annual financial statement audit a regular 
way of doing business.
    The Department of Defense is one of the most complex 
enterprises in the world. In partnership with this Congress, we 
must continually improve our business practices in order to 
reduce costs and maintain our competitive edge. Each of us owes 
it to the American taxpayer to be as responsible in spending 
their money as they were in earning it.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Norquist follows:]

         Prepared Statement by The Honorable David L. Norquist
    Chairman Sullivan, Ranking Member Kaine, distinguished Members of 
the Committee, thank you for the opportunity to testify before you 
today on the Department of Defense financial statement audit. On 
November 15th, we completed our second Department-wide audit, which is 
one element of a broader reform agenda in support of the National 
Defense Strategy's third line of effort: to reform the Department for 
greater performance and affordability.
    There are three major questions about the audit I would like to 
address: 1) why do we have an audit; 2) what are the results of this 
year's audit; and 3) how does the audit and other reforms benefit 
American taxpayers?
                        why do we have an audit?
    Simply put, we conduct an annual financial statement audit in 
accordance with the Government Management Reform Act of 1994 because it 
is the most efficient way to evaluate an extraordinarily large and 
complex organization. DOD employs nearly three million servicemembers 
and civilians and operates in over 160 countries on all seven 
continents, spanning about 30 million acres of land. While a typical 
commercial airline manages between 300 and 1,600 aircraft, the Military 
Services fly approximately 16,000 aircraft. DOD maintains approximately 
573,000 facilities, including 267,000 buildings, 184,000 structures, 
and 122,000 linear assets across more than 4,500 sites. It's not just 
the scale but the breadth of our mission. We run one of the largest 
health care systems in the country, which covers more than nine million 
people. Our bases are like small cities that contain similar amenities 
and services like police stations, fire stations, grocery stores, 
hospitals, and schools. And we manage $292 billion in inventory, more 
than six times the size of Walmart, the world's largest retail company. 
In total, DOD manages nine supply chains with about five million items. 
Financial statement audits are a proven commercial solution that use 
independent auditors to provide sample-based assessments of complex 
operations. A financial statement audit includes:

      Verifying count, location and condition of our military 
equipment, property, materials, and supplies;
      Testing security vulnerabilities in our business systems; 
and
      Validating the accuracy of records and actions, such as 
promotions and separations.
                          a major undertaking
    The fiscal year 2019 Audit involved:

      $2.9 trillion in assets and $2.8 trillion in liabilities
      About 1,400 auditors
      More than 600 site visits to military bases, depots, and 
warehouses
      Auditors requested over 200,000 items

    To do this work, the auditors went through billions of 
transactions, pulled samples, and then tested them for accuracy and 
completeness. For example, for each payment to a contractor, auditors 
check to see if there is an invoice, a receiving report, and a matching 
contract. The auditors also confirm that they were approved at the 
right level, and recorded accurately and timely. Likewise, for each 
payment to an employee, military or civilian, auditors ask for proof 
that it was the correct payment for that employee. With respect to real 
property, the auditors asked the Services for their database of real 
property--to include buildings, underground water pipes, fence lines, 
etc.--and pulled a sample from that report. They then went to a select 
number of bases with that list and, for those items, checked what was 
supposed to be on each base. The auditors confirmed that it was there 
and what condition it was in and whether they had the records to 
demonstrate that they owned it. The auditors also looked around the 
base for any other property and checked to see if it was recorded. They 
did the same thing with inventory, going to warehouses, pulling samples 
of spare parts, and looking for completeness and accuracy. The results 
offer us independent feedback on how to improve our stewardship, and we 
are eager to receive this feedback.
               what are the results of this year's audit?
    For the fiscal year 2019 audit, more than 1,400 auditors reviewed 
billions of transactions from the more than 1,700 active accounts DOD 
manages. Consistent with last year, auditors reported:
      No evidence of fraud;
      No significant issues with amounts paid to civilian or 
military members;
      DOD could account for the existence and completeness of 
major military equipment; and
      All organizations with a clean opinion last year kept 
their clean opinion this year.

    In addition:

      One more organization, the Defense Commissary Agency 
(DeCA), moved up to an unmodified (or clean) opinion in fiscal year 
2019; and
      Of the 2,377 findings in fiscal year 2018, the Department 
was successful in closing more than 550, or 23 percent of the findings.

    The specific details are as follows:

      Six DOD organizations sustained their unmodified, or 
clean, opinions, which is the highest rating: U.S. Army Corps of 
Engineers (USACE) Civil Works; Military Retirement Fund (MRF); Defense 
Health Agency--Contract Resource Management (DHA-CRM); Defense Finance 
and Accounting Service--Working Capital Fund (DFAS); the Defense 
Contract Audit Agency (DCAA); and the DOD Office of Inspector General 
(DOD OIG), which will conclude in January.
      This is the 24th consecutive unmodified opinion for the 
Military Retirement Fund. The fund's nearly $900 billion represents 
approximately 30 percent of DOD's total assets.
      The Medicare-Eligible Retiree Health Care Fund (MERHCF) 
received a modified opinion, which means its financial statements are 
accurate with only modest exceptions.
      The remaining organizations received disclaimed audit 
opinions, which means the auditors did not have enough evidence to 
provide an opinion.
      No organization received an adverse opinion (i.e., were 
outright wrong).
                       defense commissary agency
                       
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    DeCA progressed from a qualified opinion in fiscal year 2018 to an 
unmodified (or clean) opinion this year.

    The audit went deeper this year. Auditor sample selections and 
information the Department submitted to auditors, called ``Provided by 
Client'' requests, rose from 40,000 in the fiscal year 2018 audit to 
45,000 this year. As a result, findings from all audits are also 
expected to increase.
    The fiscal year 2019 audit reports are complete and available for 
your review on our public website [https://comptroller.defense.gov/
odcfo/afr2019.aspx]. Auditors and the DOD Office of Inspector General 
will complete their contractual deliverables and provide detailed 
findings into our corporate database by the end of January. At that 
point, we will begin anew to address those findings, making needed 
improvements to our systems and processes. Unlike periodic program 
audits, the repetitive nature of these audits will go deeper each year 
while also providing us feedback that tells us if the fixes are in fact 
addressing the root cause and being sustained. That is part of the 
value that these audits provide. You will be able to see our progress--
first in the form of findings being remediated, then through a reduced 
number of what auditors refer to as material weaknesses, and, 
ultimately, through organizations moving from a disclaimer of opinion 
to a positive audit opinion. The fiscal year 2019 audit demonstrated 
progress but we have more to do.
             how does the audit benefit american taxpayers?
    The audit saves money by improving inventory management, 
identifying vulnerabilities in cybersecurity, and providing better data 
for decision-making.
Inventory
    The audit is helping us improve the accuracy of our inventory. It's 
necessary to know exactly what spare parts you have and where they are 
in order to improve readiness. For example, at the Navy, Fleet 
Logistics Center Jacksonville conducted a 10-week exploratory 
assessment of material held within two Active aviation squadrons and 
one building. They identified $81 million worth of active material not 
tracked in the system that was available for immediate use, decreasing 
maintenance time and filling 174 requisitions, including 30 high-
priority. They also eliminated unneeded equipment freeing up 
approximately 200,000 square feet (84.6 acres).
    There was also confirmations of excellence. Auditors performed more 
than 60 site visits in which, for the items tested, no exceptions were 
noted (i.e., a 100 percent pass rate). These site visits were performed 
to confirm the existence and completeness of a broad range of assets 
including, but not limited to, inventory, real property, ordnance, and/
or military equipment.
                  super hornet tailhooks--nas lemoore
                  
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    At Naval Air Station Lemoore, located in California, 7 Super Hornet 
Tailhook sub-assemblies were turned in for repair. The tailhook is a 
``carcass constrained'' item, and will be returned back to fleet once 
repaired. More than 580 consumable and repairable items valued at $14 
million have bene identified.

IT Security
    The audit is helping us close vulnerabilities in our IT systems. 
Access controls, our biggest area of improvement, is an important part 
of National Security, especially since there is no doubt that potential 
adversaries are seeking to gain access to our systems in the hope of 
stealing sensitive information or planting harmful software that could 
erode our advantage on future battlefields. Access controls also reduce 
the risk of fraud, waste, and abuse by preventing individuals from 
committing fraud or improperly accessing sensitive information and 
concealing those acts by changing system records. For example, four 
years ago, Army auditors found 29 problems with regard to the Logistics 
Modernization Program. All of those issues were fixed. This year, 
auditors at Picatinny Arsenal in Morris County, New Jersey, tested 60 
IT application controls for the procurement, revenue, and inventory 
business process in the Logistics Modernization Program and found them 
to be effective with no exceptions noted.

          more than 60 sites achieved a 100 percent pass rate
          
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    At Tooele Army Depot in Utah, auditors tested 3.5 million items of 
Operating Materials and Supplies for completeness and found no 
exceptions.

Data Analytics
    Historically, the Department's data was scattered across hundreds 
of systems making it difficult to access information and answer basic 
business questions in a timely fashion. We have developed a single 
authoritative source for audit and business data analytics. This big 
data platform, ADVANA, currently hosts over 15 billion transactions, 
has over 7,000 users, 250+ dashboards, ingests data automatically from 
over 120 DOD source systems, reconciles over $1 trillion dollars in 
financial transactions, and has the flexibility to support analytics in 
the areas of audit, financial operations, cost management, and 
performance management.
    We are also already seeing the benefits of better data. For 
example, the Department, using the ADVANA tool, recently automated the 
quarterly review process of its obligations. This workflow tool 
eliminated inefficiencies and provided analysts time and insight to 
identify a cumulative $316 million in high-risk funds, allowing for a 
better use of those resources before expiring or canceling.
Costs
    I'm often asked if the money we are spending on the audit is worth 
it when we have so many other priorities. The two main costs for the 
audit itself are the fees to the Independent Public Accounting firms 
($195 million) and infrastructure to support the audits (about $250 
million). The $195 million in audit contract costs is approximately 1/
30th of one percent of DOD's budget and, as a percent of revenue, is 
equal to or less than what many of the top Fortune 100 companies pay 
their auditors. Additionally, findings from the audits help the 
Department identify areas that need improvement and validate the 
effectiveness of corrective actions. Since we spent nearly $500 million 
in fiscal year 2019 fixing audit problems, that feedback is critical. 
The total cost of performing the fiscal year 2019 audit, including 
remediation, remained consistent with the fiscal year 2018 audit, 
slightly less than $1 billion. Arguably, much of this work would need 
to be completed regardless of whether the annual financial statement 
audits were required.
    We expect the costs of the audit itself to remain relatively 
consistent over the next few years, but as our ability to support the 
audit improves and our reform efforts take hold, the cost to execute 
the audit will go down and the dividends from business reforms will 
continue to grow.
                           dod reform agenda
    The audit is a foundational element of a broader landscape of 
business reform described in the National Defense Strategy. We are 
moving forward on multiple fronts, such as improving our enterprise 
buying power; consolidating IT; realigning and reforming our 
healthcare; reforming how we conduct background investigations; 
eliminating duplicative and inefficient business systems; and 
identifying efficiencies within the Defense Wide organizations.
Buying Power
    The goal of Category Management is to negotiate pricing for the 
category as a whole--increasing economies of scale--resulting in lower 
pricing. Category Management and the audit are mutually supporting. 
Category Management centralizes purchases and increases inventory 
transparency supporting the audit. The audit provides better 
transaction data, increasing the transparency of what we are buying--
both quantities and prices. This information then indicates what items 
are good candidates for Category Management. For example, the Army 
programmed $1.6 billion in savings from professional services contracts 
in the fiscal year 2020-2024 FYDP as a result of employing category 
management. Similarly, a review of Cisco routers uncovered $61 million 
worth of equipment in a warehouse that DOD was paying to maintain as if 
they were installed. Some of the routers had been marked for disposal, 
but the DOD was still paying to maintain them. An interim contract is 
now in place, lowering customer prices.
IT Consolidation
    DOD has more than 2,500 data centers, 355 cloud efforts, 48,000 
applications, 11,000 circuits, and 1,850 business systems. 
Standardizing and modernizing the IT environment of networks, services, 
data centers, and leveraging Enterprise capabilities eliminates 
duplicative systems, and allows the Department to focus finite cyber 
resources across fewer areas, ultimately shrinking DOD's cyber threat. 
This has saved us $63 million through fiscal year 2020 and will save us 
another $73 million through fiscal year 2024. Additionally, in the 
defense agencies, we are consolidating 44 networks and 22 service desks 
into a single Enterprise service provider for Common Use IT and are 
closing 71 legacy data centers (18 closed; six more by the end of 
December).
Healthcare
    Reform isn't only about savings, in healthcare it's about restoring 
military readiness and providing quality care for over nine million 
eligible individuals. In implementing the fiscal year 2017 NDAA 
provisions (Sections 702, 703, and 721), we are strengthening the 
readiness of our military's medical force, while improving health care 
quality for our military and their families. Our largest undertaking is 
the ongoing consolidation of the Medical Treatment Facilities (MTFs) 
under the authority, direction and control of the Defense Health 
Agency. When complete, DOD will have a unified medical delivery system 
that more efficiently integrates purchased care and MTFs.
Background Investigations
    DOD assumed responsibility for the majority of the background 
investigations for the federal government. We began with a backlog of 
725,800 in April 2018 and have lowered the backlog by 437,800 as of 
October 2019. We are adopting continuous monitoring in lieu of periodic 
reinvestigations. Continuous monitoring is a vetting and adjudication 
process to use technology to evaluate security clearance holders on an 
ongoing basis, instead of more expensive periodic investigations.
Looking For Savings
    In the Army, Secretary Esper established the ``Night Court'' 
process that the Army used to cut approximately $2.5 billion per year 
in order to free up funding for higher modernization priorities. We are 
now conducting a similar Defense-Wide Review to take a close look at 
all DOD activities that do not fall under the Military Departments 
(e.g., the Defense Agencies and Field Activities, the Office of the 
Secretary of Defense, the Joint Staff, the Inspector General, and 
SOCOM). The purpose is to identify time, money, and manpower to put 
back into top priorities in the fiscal year 2021 President's Budget in 
support of the National Defense Strategy.
    Through the audit and these broader reform initiatives, we are 
looking for savings, large and small, to reinvest back into the 
lethality and readiness of our military forces.

                  looking for savings, large and small
                  
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Previously, DLA stored 130 million physical maps in its warehouses. 
By moving to Print on Demand mapping, DOD saved $10 million in fiscal 
year 2018 by reducing physical inventory by 95 percent, removing 130 
million physical maps, and freeing up over 180,000 square feet of 
space. The new model uses digitized mapping that reduces shipping and 
storing. The next step is to adopt this new model across the Military 
Services.

                               conclusion
    The audit, resulting findings, and our subsequent corrective 
actions are doing exactly what they are supposed to do--find issues, 
validate efficient and effective processes, and help us focus limited 
resources on where we are most vulnerable or inefficient. We will keep 
this up every year, and this is how we will build a mechanism for 
sustaining improvements, move closer to a clean opinion, and continue 
to improve the efficiency of the Department.
    I would remiss if I did not mention the harmful impacts of the 
ongoing Continuing Resolution (CR). The Department and the White House 
have both expressed the urgent need for Congress to pass the fiscal 
year 2020 authorization and appropriation bills in order for the 
government to be funded at the levels of the bipartisan budget deal 
passed this summer. The CR stopgap measures are wasteful to the 
taxpayer and damages the gains our military has made in readiness and 
modernization over the last few years. In order for us to pivot towards 
planning for a future high-end fight against great power competition, 
as the National Defense Strategy guides us, DOD must have the ability 
to better align our funding towards the prioritized accounts and 
programs. Under a CR, we are unable to begin new programs or projects, 
production rates for weapons, equipment and munitions cannot be 
increased, and a CR disrupts major exercises and training events. 
Ultimately, a CR is good for the enemy, not the men and women of the 
United States military. The Administration urges Congress to come to 
agreement as quickly as possible consistent with the budget deal 
reached in the summer.
    In closing, I would like to thank President Trump for his 
commitment to the audit, Secretary Esper for his steady support, the 
Inspector General for his partnership, and the DOD leadership and 
workforce for embracing this complex and important effort. I would also 
like to thank Congress and this committee, both the Members and your 
staff, for your commitment to this massive undertaking and the role you 
have played in making an annual financial statement audit a regular way 
of doing business. Most importantly, thank you for your support for our 
men and women in uniform. Our collective efforts help ensure they have 
the resources to do their jobs and return home safely.
    The Department of Defense is one of the most complex enterprises in 
the world. In partnership with Congress, we must continually improve 
our business practices in order to reduce costs and maintain our 
competitive edge. Each of us owes it to the American taxpayers to be as 
responsible in spending their money as they were in earning it. As we 
undertake these financial audits in support of the National Defense 
Strategy, we will strive to make that an enduring legacy of this 
Administration.

    Senator Sullivan. Thank you, Mr. Secretary.
    Let me begin with a very basic question. And I'm not sure 
you have the answer, since you've only been in your position, 
in the Comptroller position, for a couple of years. But, from 
your perspective, why was the Pentagon never audited? You would 
think, given what you just mentioned--how important it is to 
the country, how large it is, how complex it is--that's exactly 
the kind of Federal agency that you do want to audit. Why was 
this the first time that somebody undertook this daunting task? 
And, again, I commend you for doing it.
    Secretary Norquist. Thank you, Mr. Chairman.
    Let me start, just to clarify. The Pentagon has multiple 
audits. We have GAO [Government Accountability Office], we have 
the IG [Inspector General], we have others. They do program 
audits, particular subjects. The difference with the financial 
statement is the sheer breadth and depth of it. It is an end-
to-end audit, on a dramatic scale.
    Senator Sullivan. What you just did twice.
    Secretary Norquist. What we just did twice.
    Senator Sullivan. That had never happened before.
    Secretary Norquist. That had never happened before.
    Senator Sullivan. Why?
    Secretary Norquist. Well, there's a couple of reasons. One 
is, it is an extremely hard task that would outlast anyone who 
started it. And so----
    Senator Sullivan. Okay, the Pentagon is used to hard tasks, 
so----
    Secretary Norquist. It is.
    Senator Sullivan. It won World War II, for example.
    Secretary Norquist. They did. They did.
    The challenge with the audit is, there was an emphasis on 
trying to get ready for it. This is where I brought a 
fundamentally different view from those who had come before me. 
They said, ``It's too expensive to pay the auditors. Let's get 
ourselves ready enough that we could pass the audit, and then 
bring the auditors in.'' My experience at the Department of 
Homeland Security (DHS), where they were under audit, was that 
that would be a major mistake.
    At DHS, we didn't have a choice. When I showed up, the 
auditors were already there. I found the auditors and their 
feedback to be the central piece of getting us to that clean 
opinion. So, my view is, the money we paid the auditors made 
sure that all the other money we were spending was going 
towards valuable things, we were getting feedback on whether we 
were being successful.
    So, even though Defense Department was spending money on 
fixing problems, they had no audit baseline by which to tell 
you: Were they better from one year to the next? We have fixed 
that in this approach. We are carefully measuring those items, 
precisely for that purpose. I think that's the biggest 
difference, and I believe that the auditors are the key step in 
getting us to the clean opinion, not something you bring at the 
end, when you think you're ready.
    Senator Sullivan. Okay. Let me dig into that a little bit 
more, because the audit did cost a lot of money. I think the 
fiscal year 2019 audit cost close to a billion dollars. If 
we're doing this annually, which is your goal--correct?
    Secretary Norquist. Uh-huh.
    Senator Sullivan.--will this eventually pay for itself or 
it already paying for itself?
    Secretary Norquist. Let's take that into pieces. Before we 
started the audit, the Department was spending $770 million to 
fix problems. With the audit piece--there's about 195-200 
million dollars we pay the external auditors. We know, from the 
experience of the Army Corps of Engineers, that, when they went 
from no opinion to a clean opinion, the cost of their audit 
dropped in half. So, over time, that number will come down as 
we start to move from where they have to do detailed sampling 
to what we call ``test of controls.'' But, that's a level of 
funding that's necessary for transparency, $200 million is \1/
13\ of 1 percent of our budget. To be held accountable, that's 
fine. We then have to spend certain money on DOD side to 
support that. Those numbers will come down, as well.
    The big number, about half-a-billion dollars, is in the 
remediation. The question there is, can you show what you have 
fixed? In the absence of the audit, it's very hard. One of the 
things I learned in my prior jobs is, self-reporting of fixing 
problems isn't a very reliable indicator. I was dependent upon 
the auditors confirming that people had, in fact, fixed it. And 
one of the best things the auditors show us is, when an 
organization says they fixed 10 problems, and the auditor 
agrees with all 10, I have great confidence in that 
organization's ability to go forward. If another organization 
claims they've fixed 10, and the auditor agrees with them on 3, 
I have a problem. I've got some training I need to do, some 
people I need to talk to. That's not going to get them to 
success. But, you can't wait till the end of the process to 
find that. You need the auditors doing that on a continual 
basis.
    We have already seen benefits and savings and return on 
investment, that I had not expected to see this early, long 
before we got to the point where I expected the cost to come 
down. But, we can--I can go on more about DFAS [Defense Finance 
and Accounting Service], but I'll let you wait if----
    Senator Sullivan. Well, let me just ask another basic 
question. For those of us who are not auditors, what, exactly, 
does this entail? You're going to installations, you have 
people fanning out over all our military bases, they're going 
to supply depots, what, exactly, are they doing? They're not 
counting every rifle and every tank. Or are they?
    Secretary Norquist. No, they can't, because the sheer labor 
that would be involved is the problem. What the commercial 
practice brings us is best practices, they will go up to the 
highest level of the organization and look into their databases 
and say, ``Show me everything you think you own and have in 
inventory.'' They start there. And then they pull samples from 
that and follow it all the way down to the installation. They 
went to Fort Wainwright, and they went to Anniston. And they 
come in with a list and say, ``I need to see--not just a tank, 
I need to see this tank, with this serial number that's 
supposed to be here.'' And when they show up, is it in working 
condition? Because that's one of the things they test for, is 
you're accurate on working condition. ``Do you have proof of 
ownership? Is it where it's supposed to be?'' They walk through 
each of those. Then they look around the base, and they find a 
series of items, and they go the other direction, which is, 
``Here are 25 things we found on the base. Show us that you, at 
the Department level, have them in your system.'' So, it goes 
one direction, and then it comes the other. What they're 
looking for is examples of a breakdown, where the summary is 
not equal to the parts. But, that's sampling process across 
inventory. Then they do the same thing with pay. ``You paid 
somebody a certain amount. Do you have the records to back up 
that that soldier was, in fact, promoted? Did they, in fact, 
qualify for hazardous-duty pay? Do you have the paperwork to 
support that? And can you produce it in a timely manner?'' 
That's the process they go through. It's relatively extensive, 
but it's the standards that we're held to.
    Senator Sullivan. Great. Thank you. Thank you, Mr. 
Secretary. I'm glad you're here to testify. And hopefully, 
we're all going to learn from this, and, most importantly, that 
the Pentagon is as well.
    Senator Kaine.
    Senator Kaine. Thank you, Mr. Chair.
    Mr. Secretary, I'm going to start with a question that is 
based, not on the audit, but on your role as Deputy Secretary 
of Defense, the number-two official within the Pentagon. I was 
proud to support your nomination.
    In the last day, there have been a number of articles that 
have come out, and I'll just read two headlines as examples. 
Business Insider, ``The Army Is Prepared to Move Lieutenant 
Colonel Alexander Vindman and His Family to a Safe Location, If 
Necessary.'' Reuters, ``Army Assessing Impeachment Witness 
Vindman's Security, U.S. official.'' These articles were based 
on some initial reporting that was done by the Wall Street 
Journal. Lieutenant Colonel Vindman is a Virginian--resident, 
like you are. Lieutenant Colonel Vindman is a patriotic 
American, like you are. I'm not going to ask you whether you 
think it's appropriate to attack his loyalty, his patriotism, 
his judgment, or his character, because I know how you would 
think about such an attack. I'm not going to ask you whether 
you think it's okay to use the White House social media account 
or other White House assets to amplify such an attack, because 
I know what you would think about that. But, I do want to ask 
you this. In your role as Deputy Secretary of Defense, will you 
make sure that members of the military are not punished or face 
reprisals for cooperating with Congress?
    Secretary Norquist. We take very seriously our 
responsibility to accurately and responsibly respond to 
Congress and, to the earlier part of your sentence, as well to 
any issues that relate to personal security. I'm not going to 
comment on any measures we take individuals on personal 
security, but we do take it very seriously and we expect people 
to be responsive and truthful in their dealings with Congress.
    Senator Kaine. Thank you very much for that. I would urge 
you, at this particular time, to be very diligent in protecting 
members of our military if they are cooperating with Congress. 
I think that your words, delivered here, should, hopefully, 
give some assurance and some confidence to some who are very, 
very worried. And I know they're worried because their families 
are calling my office. They're my constituents, and they're 
nervous about what might happen to them. You giving them that 
assurance publicly means something to them.
    Let me ask you this about the audit. A lot of the DOD 
programs that have to be audited are classified. So, when we do 
the NDAA, we're often grappling with issues in this room, even 
in a closed session, and then there's a separate classified 
annex that we have to spend, you know, in a more classified 
setting, figuring out our own responsibilities with those. Talk 
a little bit about how the audit approaches classified 
programs, and how you can do a real audit, and a meaningful 
one, while respecting the classified nature of the information.
    Secretary Norquist. Thank you.
    The challenge we had at the beginning was how to deal with 
classified information. In the budget, it's either--it's 
redacted or--in documents, it's often redacted, or it's 
otherwise just protected. We talked with GAO, who wants to be 
able to summarize the--a Federal Government-wide audit, and the 
concern was, ``If you do that here, if we have redactions, if 
we have classified annexes, you won't be able to do a 
government-wide audit.'' So, what we looked was, how do we do 
this in a way that we can keep it unclassified? And here I'd 
like to tip my hat to a group called FASAB [Federal Accounting 
Standards Advisory Board] They're the accounting standards 
group for the Federal Government. Because we had to go to them 
and say, ``We need you all to get a security clearance, because 
we have to be able to have conversations with you that are 
classified. And you have to give us the accounting standards on 
how to treat classified information.'' So, they did. That was 
one of the process we went through. They got security 
clearances. They, in fact, issue us classified guidance that 
allow us--you know, for example, when NASA [National 
Aeronautics and Space Administration] was going to a clean 
opinion, they went and said, ``Hey, we've got a question about 
satellites. Do we expense or depreciate?'' And so, we will have 
those types of things that are classified. And we will go to 
them, and they, in their clearances, will be able to say, 
``Here's how you should handle it in a classified'' answer that 
allows us to present the data in an unclassified report. Our 
auditors have security clearances, right up to the highest 
level. There's nothing that, because it's classified, is 
excluded from the audit. Even if it's the serious, most 
sensitive items, the IG will test it. There is nothing that's 
classified that is excluded from the scope of the audit.
    Senator Kaine. Excellent. Excellent.
    Let me ask you this. In a public hearing like this, I think 
we would like to get some success stories, so it's less about 
the findings or the agencies that passed, but do you have 
examples of things that you've learned in the audit process 
that you've already been able to direct toward this 
``efficiency for lethality'' construct that the DOD witness 
talked about recently at our hearing?
    Secretary Norquist. We have. Let me just walk through a 
couple of examples, and if people have others, I can go on 
extensively on this issue. But, let me pick the issue of 
inventory, and I'll use the Navy as an example.
    I mentioned how the auditors went down, and then they'd 
pull samples and test them backwards. What the Navy started 
discovering is warehouses and storage facilities that had items 
that had never been loaded into their inventory system. So, you 
opened it up, and you found spare parts. And the spare parts 
were not where somebody who's trying to order them can get to 
them. So, the Navy--and I will give credit to Vice Admiral 
Dixon Smith, the N4, because he was particularly aggressive in 
this and would travel to some of these bases and just say, 
``Open that up. Open that up.'' And they started to, and he's 
found enough concerns he's said they're going to take 100 
percent. But, even at the bases they have already visited, 
they've--which is about 5 or 6--they found $167 million worth 
of usable supplies that, when they put them into the system, 
addressed unneeded--unmet demands, things that were on 
backorder, other items that now can be put back into the 
system. Again, you have the part, but if somebody doesn't know 
it's there, if the person who ordered it rotates away and the 
new one doesn't know that's where it's stored, and, more 
importantly, from the Department, the Department doesn't know 
it, so the neighboring base doesn't see it, you're out. So, 
each one of those is an immediate and direct savings to the 
taxpayer.
    Senator Kaine. My time is expired, but others may want to 
hear other examples.
    Secretary Norquist. Hopefully--I've got a list. I'm happy 
to keep going.
    Senator Kaine. All right.
    Thank you, Mr. Secretary.
    Senator Sullivan. Senator Jones.
    Senator Jones. Thank you, Mr. Chairman.
    Mr. Secretary, thank you for being here, and thank you for 
the letter from November 15 regarding the Anniston Army Depot, 
which passed its audit test with 100 percent.
    Tell me briefly, if you would, how important are those 
audit tests? I'm proud of Anniston, but I assume those----
    Secretary Norquist. Right.
    Senator Jones.--were going on elsewhere, too. So, what's 
the importance?
    Secretary Norquist. These are the core of what the auditor 
does. When they pull samples from above, and they come down to 
a base, they're not testing everything on the base, but they've 
got a list of what they're looking for. At 60 of the places 
they showed up, there was 100 percent accuracy. Everything they 
looked for, that base had. And so, I sent you a letter because 
you had some of them in your State. That's incredibly valuable. 
One of the things that I have heard when I talk to the auditors 
is the importance of the local leadership. When they show up 
and the commander of the base meets them and walks them around, 
they can quickly see they're likely to have a good result 
because that leadership has control and oversight of the 
process. Now, we have other places where the samples are not 
there, so we have to get there on everyone. But, this is going 
to get solved at the local level, and then fixing the systems 
that lie between what's accurate at the local level and what we 
record at the departmentwide level. So, tremendous success.
    One of the reasons I sent those letters out is because we 
don't just want to use sticks. People can go give kudos to 
those who deserve it, and that will help drive this process 
forward.
    Senator Jones. As the process goes forward, those leaders 
at the various locations are going to get the word that they 
did participate and cooperate, and that'll----
    Secretary Norquist. Right.
    Senator Jones.--help everybody.
    Secretary Norquist. It's also in everyone' evaluation form.
    Senator Jones. Right.
    Secretary Norquist. Senior officers and civil servants, the 
SES's [Senior Executive Service] have the audit as their--part 
of their performance evaluation.
    Senator Jones. I want to move to an area where Senator 
Kaine kind of touched on. Are you familiar with the 
Antideficiency Act?
    Secretary Norquist. I am.
    Senator Jones. All right. I'm struggling here with a couple 
of things. On the one hand, I hear your testimony. You and I 
have talked in my office, and I just applaud your effort so 
much. You've emphasized the responsibility, and taking 
seriously your responsibility, to report to Congress. On the 
other hand, I'm also seeing this administration continually 
thwarting Congress's oversight capabilities. They're not 
producing witnesses, they're not producing documents, just 
because they don't particularly like the subject matter of the 
particular hearing. That's particularly going on in the House. 
Then, recently, I read a report this morning where OMB [the 
Office of Management and Budget] counsel has stated that, as a 
legislative branch of government, the GAO, when they report 
deficiencies or violations of the Antideficiency Act, that the 
administration, the executive branch agencies, have no 
obligation to report that back to Congress. It just seems to me 
that there is a concerted effort with the administration to 
just, basically, take those things that they don't want to 
report and just ignore the Article 1 branch of the 
Constitution. I'm really concerned about that. Have you seen 
OMB counsel's opinion? I'd like to hear your thoughts about 
that and whether or not that squares with what you said earlier 
about your ability and your earnest, honest efforts to report 
to Congress.
    Secretary Norquist. I haven't seen that opinion, and I 
don't know whether, as a matter of law, they are correct. But, 
I know, as a matter of practice, whenever I had to sign out one 
of those, it went to everybody. It went to the President, it 
went to the leaders of the House and the Senate, it went, I 
believe, to GAO. So, in practice, I know that, when we have 
one--an Antideficiency Act violation, the notification is 
broadspread.
    Senator Jones. Well, I think--and I appreciate that--I 
think that this is new. I may follow up with you, because I 
think that this is changing a practice that has been a practice 
across administrations, including this administration, but now 
we've come, apparently, with a counsel who expressed a new 
version of that. I may follow up to give you a chance to look 
at that guidance to see how it might affect the Department of 
Defense and your obligations to report to Congress.
    If I have time, you mentioned the Navy, where you found 
about $81 million of material, I think at the Jacksonville 
Naval Air Station, where it just freed up inventory, you were 
able to do some things. How important is that? What are the 
lessons that you can learn and take away from that particular 
episode, where there was, like, $280 million that was just 
really, kind of, unaccounted for--$81 million, when they found 
it, immediately got to use. Obviously, it is a little 
concerning to Congress that $280 million at place can not be 
accounted for. Tell me a little bit about what you're trying to 
implement and how the lessons learn from that.
    Secretary Norquist. The issue here is the value of the 
inventory. But, our concern is, over time, you know, people, if 
they buy inventory, if they store it without putting it into 
the system, they may know it's there, but their successor may 
not, the Department doesn't know it's there. It's inefficient. 
It's an inefficient way to use taxpayer resources. The value of 
the audit is, that's a problem, and the auditors will come up 
every year and poke them for that problem, and expose it, 
because the audit requires that, if we have it, it's in our 
system and it's properly recorded. That's why it goes both, 
``Can you account for what you have? And do you account for 
everything you have?'' This is valuable for readiness. This is 
valuable for making sure we make the best use of taxpayers' 
money.
    We think that there's a connection between this and some of 
the challenges of CRs, which is--a lot of this tends to be the 
type of supplies you might order at year-end. The more we can 
limit that, the more we can have the discipline over, ``When 
you buy it, you log it into the system.'' Right? ``You make 
sure that it's properly recorded.'' With the discipline--and 
this is where I get to the value of the audit--they come every 
year. It's not enough to clean out your office once. They're 
coming next year. They're coming the year after. You've got to 
make this a habit.
    Senator Jones. Are you satisfied that the systems in place 
are adequate? It's just a question of plugging them in, as 
opposed to, we need to upgrade the systems?
    Secretary Norquist. No, we're going to need to upgrade the 
systems. In some of the comments I got--because I met with each 
of the auditors, and one of them said, ``As you field your new 
ERP [enterprise resource planning] systems, which are more 
compliant and more effective, you need to make better use of 
technology.'' A lot of people are doing this manually, filling 
out paper forms and others. If they had tablets, where they 
could just do it more directly, they could barcode scan, all of 
those reduces the labor, and that increases compliance. What 
we're looking for here is places where either people stop doing 
it because they didn't have the labor and it was too hard, 
where the automation solution speeds that up. But, it 
highlights the very value of that, and that's important.
    Senator Jones. All right. Well, thank you, Mr. Secretary. I 
will follow up with written questions regarding the OMB 
guidance.
    Secretary Norquist. Okay.
    Senator Jones. Thank you, Mr. Chairman.
    Senator Sullivan. Senator Hirono.
    Senator Hirono. Thank you, Mr. Chairman.
    Considering how long it took for the DOD to undergo an 
audit, thank you very much for expressing your firm belief that 
audits are very important.
    As you noted, your auditors conducted a number of site 
visits, 600 site visits. Two of these visits were performed at 
Joint Base Pearl Harbor-Hickam and the Marine Corps Base 
Hawaii, and both of these came back 100 percent. And thank you 
for also noting how important it is that the local leadership 
buys in and cooperates with the audit. I want to give a shout-
out to the folks at Joint Base Pearl Harbor and the Marine 
Corps Base.
    Secretary Norquist. Excellent. Thank you for doing that.
    Senator Hirono. Thank you.
    One of the areas that were pointed out in the most recent 
audit were newly identified high-risk areas involving 
privatized housing programs and the F-35 program. I won't go 
into my questions relating to those, but I assume that you are 
going to be undergoing the things that you need to do to bring 
those programs up to snuff. Because there's a lot of concern 
about military housing. It's an ongoing----
    Secretary Norquist. Absolutely.
    Senator Hirono.--issue for us.
    Senator Kaine touched on this other matter recently 
regarding the threats to Alexander Vindman and also your Deputy 
Assistant Secretary of Defense, Laura Cooper, who--I don't know 
if she's already testified, but she certainly will be 
testifying, and not to mention the constant efforts to out the 
whistleblower, and, basically, the whistleblower feeling very 
threatened by everything that is going on. So, I note that you 
are doing everything you can to make sure that Colonel Vindman 
and Ms. Cooper remain safe. What steps have you already taken 
to send a clear message to DOD staff that their identity, their 
jobs, and safety will be protected if they come forward to 
report abuse or misconduct?
    Secretary Norquist. This is something that we have as a 
matter of practice on all sorts of things. We have IG reports, 
we have GAO reports. This is just part of the culture of how 
we--when people come forward, we expect them to be honest and 
truthful in their dealings, and we expect them to be taken care 
of in doing so. We look for, and the IG looks, if there's an 
issue of reprisal, to make sure that those are held accountable 
for it. We also look for their security. And again, as I 
mentioned, I'm not going to go into the measures we take, but 
if we think there's a security issue, we either deal with it, 
we deal with local authorities. These are the types of things 
that occur in different forums, and we provide the same 
standard and approach across them. I think it's an important 
signal that we send in the way we deal with organizations.
    Senator Hirono. I think, in this environment, it's very 
important for the DOD, from the top, to say that the 
whistleblowers who come out of the DOD, or anyone who 
participates in appropriate proceedings, that they will be 
safe. I think it's really important for that message to be 
quite obvious and put out there, and I hope that that's what 
you will do.
    On October 22, the day before Ms. Cooper was scheduled to 
testify before the House in a deposition, you signed a letter 
to Ms. Cooper's lawyer prohibiting her from participating in 
the impeachment inquiry. At her deposition, she was asked 
whether she was concerned about the repercussions against her 
at DOD for testifying, under subpoena, after receiving your 
letter. She stated, ``This is a challenging environment, and 
for a civil servant who is trying--who is just trying to 
fulfill my obligations, this is a challenge. This is 
challenging in both respects.'' This is quoting Ms. Cooper.
    In light of H. Res. 660 [House Resolution], which lays out 
the procedure for public impeachment hearings, will you refrain 
from prohibiting any other DOD official from cooperating with 
Congress, going forward?
    Secretary Norquist. I did not prohibit her. I forwarded to 
her lawyer the information we had received from the White House 
that expressed their views about the impeachment process. One 
of the challenges, we wouldn't be able to send a lawyer with 
her. I wanted her to have that available information. But, we 
understand each of the individuals are making their own 
decision on how to----
    Senator Hirono. So, even if you were just forwarding a 
letter that came, not out of your department, but it came out 
from--I forget where it emanated, but for you to send it, it 
does create a chilling effect. Are you intending to continue to 
forward these kinds of letters from the White House or from any 
other----
    Secretary Norquist. I don't know of any other individuals--
--
    Senator Hirono.--source?
    Secretary Norquist.--being called. My only point is, I 
would have felt it inappropriate to not have their lawyer be 
aware of this information. That's why we shared it.
    Senator Hirono. But, you can understand why it----
    Secretary Norquist. Oh, I understand. I understand the--
that that's----
    Senator Hirono.--it comes from the number-two person.
    Secretary Norquist.--which is, if you don't send it, it you 
do send it, what do you do? So, what we tried to do is set the 
right tone in the letter.
    Senator Hirono. So, in the letter, did you say, ``We're 
just forwarding this, we're not going to''----
    Secretary Norquist. I will check the language, and I will 
send it to you.
    [The information referred to follows:]

    Secretary Norquist. Please refer to Appendix B on page 48.

    Senator Hirono. Thank you.
    Secretary Norquist. But, I think we tried to be clear about 
the nature of it. We try to be very professional in it, and 
factual in the way we handle these.
    Senator Hirono. Could I just ask one more question? I have 
no idea what my time is.
    During his nomination hearing, I asked Secretary Esper 
whether he would commit to reinstating Parole in Place for 
undocumented family members of Active Duty servicemembers. 
Secretary Esper said that he would, ``look into it, for sure.'' 
We are still waiting for some response on this issue. But, we 
did receive a response from Acting Under Secretary of Defense 
for Personnel and Readiness, Mr. James Stewart, who deferred 
comment on the program to the Department of Homeland Security, 
but committed to working closely with DHS on the future of the 
policy.
    Well, you can understand why Active Duty servicemembers 
would be very concerned if the administration is going ahead--
Department of Homeland Security is going ahead and deporting 
undocumented members even as they are serving our country. I'd 
like to know what steps the DOD has taken to coordinate with 
DHS, as referred to in this letter from James Stewart on this 
issue, and whether DOD has urged DHS to reinstate this program 
not to deport undocumented family members of Active Duty 
personnel.
    Secretary Norquist. Senator, let me take that one for the 
record. I don't know the answer to your question.
    [The information referred to follows:]

    Secretary Norquist. Any significant event that impacts the 
readiness of servicemembers and their families is of concern. 
As such, the Department has worked closely with the Department 
of Homeland Security (DHS) as they reviewed the future of the 
Military Parole in Place policy and are not aware of any 
pending DHS termination. I note the passage of Section 1758 in 
the fiscal year 2020 National Defense Authorization Act that 
encourages DHS to continue to support Military Parole in Place 
and thank the Committee for its support.

    Senator Hirono. Well, I hope you get the message that we 
certainly don't want Active Duty servicemembers' families to be 
deported. That is not a good thing, and that program should be 
reinstated.
    Thank you.
    Senator Sullivan. Senator Ernst.
    Senator Ernst. Thank you, Mr. Chair.
    This is a really important hearing, I think, for all of us. 
And, Secretary Norquist, thank you for appearing today and 
testifying on this often overlooked topic. And Senator Sullivan 
and I were having a discussion yesterday, and we're just so 
thrilled actually to have some results to be put in front of 
us.
    You have done, really, what your predecessors haven't been 
able to do, or did not do at the Pentagon, which is making the 
audit a priority. We've had past Comptrollers and Chief 
Financial Officers at the Pentagon, of both political parties, 
and they have whined, they've complained, they've dragged their 
feet on this issue, and found every last excuse under the sun 
not to get it done. And so, we've had Pentagon hearings going 
on and on and on, here on the Hill, for decades. So, again, 
thanks for doing the hard job and getting this audit done, and 
not delaying it further. Despite the disclaimer of opinion from 
the last 2 years, we are much further along in this progress 
toward a clean opinion, and I just wanted to make that 
statement and thank you very much for your leadership on this 
topic.
    Now, the National Defense Strategy makes it clear that the 
United States has a very distinct challenge to maintain its 
supremacy in the global arena, and this has implications on our 
homeland defense, overseas operations, and the vibrancy of a 
free and open society. Before we dive into these strategic 
goals, it's good to take a step back and maybe do a little bit 
of housekeeping. What I'd like you to explain, Mr. Secretary, 
is, in addition to fiscal responsibility, how do you think the 
audit's findings actually fit into the NDS and benefit our 
operational and war mission capabilities?
    Secretary Norquist. Sure. So----
    Senator Ernst. Why do we need to do this?
    Secretary Norquist. Absolutely. The NDS has three lines of 
effort: enhancing lethality, working by, with, and through 
allies, and the third one is reform in the way we defend--
operate for more efficiency. The reason for that is twofold. 
One is, we can see the same deficit numbers everyone else can, 
and we understand the fiscal limits with which the Department 
needs to operate. The second is, we have a responsibility, 
regardless of what level of funding we receive, to make sure 
that we're using it with the maximum benefit to lethality. That 
includes both driving inefficiencies out of our business 
processes, as well as simply cutting low-priority items and 
moving it to high-priority items. You know, some of the things, 
they're not bad things, they're just not as essential as 
others.
    What the audit is helping us do is not only identify those 
inefficiencies where individual systems have been built that 
don't talk to each other--so, if you get to the point where you 
only enter the data once, and it flows through the system, 
there is a lot of labor savings and costs that come out of the 
way you operate, versus manual entries and transfers where they 
create data errors.
    The other part of the National Defense Strategy as you go 
through this is, you're trying to improve readiness. That gets 
to the issue of the spare parts: can I get the spare parts in 
the people's hands, can I get things through depot maintenance 
faster?
    And the last part is the data analytics. One of the big 
leaps in what the private sector's been able to do is to use 
terms--you can use ``big data,'' you can--"cloud,'' whatever 
you want to call them--but, they're able to manipulate 
incredibly large sums of data. Well, DOD, we have tens of 
billions of transactions. When we get audited, it goes back to 
funds Congress appropriate to us 8 or 9 years ago, because 
those funds are still available for payment or disbursement. 
The ability to organize those in a dataset, to search them, to 
track them, to be able to find errors, that allows us to adopt 
some of the best practice from the private sector on inventory 
and other things you can't do when you don't trust your data.
    Senator Ernst. Yeah.
    Secretary Norquist. And so, I think those types of reforms, 
we--we can't adopt private-sector best practices unless we can 
get to the quality of the data they have so that we can rely on 
it.
    Senator Ernst. Yes. And thank you. Kind of along that 
quality-versus-quantity issue, the DOD has closed 22 percent of 
the Notice of Findings and Recommendations from the fiscal year 
2018----
    Secretary Norquist. Correct.
    Senator Ernst.--Audit. But the number has actually 
increased. Should we interpret that as ``the system is 
working,'' or should we be worried that we're not making enough 
progress?
    Secretary Norquist. The first answer is, the system is 
working. There were, I think, 200 more auditors this year than 
last year. One of the things that we took as a lesson learned 
from my time at Homeland was, we set up these contracts--
normally, an auditor, when they think you're not going to pass, 
they stop working. They say, ``You have a disclaimer. We're 
done.'' We worked with our IG, who's been a tremendous help in 
this whole process, and the contracts basically say, ``Keep 
auditing. Even if you think we're going to fail, keep auditing. 
We want as many problems as you can find.'' And so, the thing I 
tell everyone inside the building is, when the auditors find, I 
think, 1,300 additional findings, those were always there. 
Right? The more clearly they identify them, the sooner we can 
make sure we have corrective action plans to address them. I 
expect, for the first couple of years, they will find more. We 
will keep closing them. We will get better and more efficient. 
At a certain point, they will have been able to fully go 
through it, and those numbers will come down. But, I see this 
as exactly what we're paying them for and what I hope we would 
get out of them.
    Senator Ernst. My time is expiring, so I just want to say, 
again, thanks for your leadership on this issue. It is such a 
bureaucratic beast, and trying to sort through that, boil it 
down, you've been able to take this on, and we, as Congress, 
truly do appreciate your effort. Thank you very much, Mr. 
Secretary.
    Thank you, Mr. Chair.
    Senator Sullivan. Thank you, Senator Ernst.
    Senator Shaheen.
    Senator Shaheen. Well, thank you.
    I would add my appreciation to what you've heard from my 
colleagues about the work that you're doing.
    You talked about the list of examples of successes based--
that you've already uncovered as the result of the audit. At 
some point, it would be helpful for us to get more of that list 
so that we can share that with others and let people know 
what's been successful, to date, about the audit.
    I want to go back to your early comment, though, about the 
CR, and preaching to the choir about the CR, because I do agree 
you're preaching to the choir, but I also think there doesn't 
seem to be a universal appreciation in Congress and in the 
administration for what the impact of a continuing resolution 
for the remainder of this year would be. And at what point--are 
you concerned that that might trigger the budget cap so it 
would kick us back into sequestration? Can you just talk about 
what the impacts are that you see if we are not able to get 
appropriations bills through?
    Secretary Norquist. Sure. So, let me take them--first, the 
CR, and then I'll go to sequestration.
    The CR is designed to be destructive. It is----
    Senator Shaheen. Right.
    Secretary Norquist.--designed in order to get you not to 
want to do it. So, the first thing it says is, no new-starts. 
So, if we have ammunition that we would like to buy more of 
that the Congress--the House, the Senate, the Republicans, and 
Democrats have all agreed, ``You need more,'' we get to October 
1, and we say, ``Let's not start buying it yet. Let's wait to 
place that order.'' We have research technologies, artificial 
intelligence, our hypersonic missiles. Republicans, Democrats, 
House, and Senate all agree, ``Let's give the Chinese a 3-more-
month headstart. Let's make it harder for our people to keep up 
in that technology race by letting this drag out.'' And then, 
the last part is, you've got families in training that 
constantly get disrupted because they don't--we may believe 
that there's a deal at the top-line, but they don't know what 
that means to the installation. And so, in good fiscal sense, 
they withhold the money, they delay training, they minimize 
what they are going to do, and then sometime in December or in 
a previous year's March, we then hand them all of that money 
and say, ``Now do it in 6 months.'' Well, they can't get back 
their October training exercise, they can't recover the time 
lost. Then we start having the challenges with inventory and 
others. It is a misuse of taxpayers' money to manage it in this 
way.
    The sequestration is even worse, because the sequestration 
is just a catastrophic cut that undermines everything. And 
again, they don't know whether you're going there, so they have 
to be very cautious about how they spend money. But, you'd have 
problems making payroll under sequestration. You'd have--you 
know, we could wait, but then we take an even cut in everything 
else. And then you've completely lost readiness. For anyone who 
has ship maintenance in their district--and they know the 
importance of the ships coming in on time, the maintenance 
happening on time--you can't recover. The ship depot--the ship 
facility can't take twice as many ships the next year. If they 
don't come in on time, you've lost it. This is something we 
need to avoid. This is something we need to minimize the 
length, if at all possible.
    Senator Shaheen. Thank you. I certainly agree, 100 percent.
    I want to ask about another issue that's outside of the 
audit, but it goes to your current role. And that is, as you're 
aware, I'm sure, there are a number of--virtually all military 
facilities have an issue with PFAS [Perfluorooctanoic acid] 
chemicals. Secretary Esper, to his credit, appointed a task 
force, the day he got sworn in, to address that on military 
installations. My understanding is that the Navy is very close 
to a breakthrough on finding a replacement for the element in 
firefighting foam that would be equally effective. Can you give 
us any update on that? And, if not, can you take that for the 
record?
    Secretary Norquist. Let me take the particular question of 
how close they are to the record.
    [The information referred to follows:]

    Secretary Norquist. The Environmental Security Technology 
Certification Program (ESTCP) is supporting two series of 
large-scale tests of fluorine-free alternatives to Aqueous Film 
Forming Foam (AFFF). The tests will be of both commercially-
developed alternatives, as well as alternatives being developed 
by the Strategic Environmental Research and Development Program 
(SERDP). The first test series is being conducted by the Naval 
Research Laboratory (NRL) and is 50 percent complete. The team 
of Tyndall Air Force Base and Battelle have just received 
approval of their test plans and will conduct their first test 
in January 2020. Both teams are slated to submit their initial 
test reports in February 2020.

    Secretary Norquist. I know this is an area very important 
to us. We have been researching alternatives. I think we spent 
$22 million on that. But, we'll continue, because we need a 
foam that protects armed service members when they're in high-
risk areas, but we also need it to be one that's 
environmentally safe. And so, we will definitely get you the 
answer on how they stand.
    As you pointed out, this is a high-priority area for the 
Secretary. He's got the task force working on 40 different 
actions. But, this is something--we're getting to that 
solution--is ultimately the right--the best place to end up.
    Senator Shaheen. Good. Thank you.
    Finally, in June, the Department released new standards for 
defense contractors called the Cybersecurity Maturity Model 
Certification, the CMMC, program. And I appreciate the need for 
this program, to ensure that there is cybersecurity in place 
for our contractors. But, can you talk about the extent to 
which the Department is working with those contractors? One of 
the things that we've heard from some of the businesses that we 
work with is that they're very concerned about the timeframe 
within which they have to comply with those standards, and also 
with the assistance. For the big folks, it's not an issue as 
much as for some of the smaller people who subcontract or who 
work with Defense, who don't have the capacity and the 
assistance that they need in order to comply. Can you talk 
about what's happening on that?
    Secretary Norquist. Sure. For those who are unfamiliar with 
this, one of the issues we have is vulnerabilities in our 
supply chain in the businesses we deal with. And so, other 
countries tend to attack their networks to try and extract 
important data. CMMC is a set of standards that they're 
expected--and, much like a financial statement audit, they 
would hire a firm to come in and check their controls and be 
able to verify the quality. Part of the intent of this is to 
recognize that the larger firms are going to have an easier 
time. We need to work with the small businesses. In some cases, 
like when we have requirements that a firm has a SCIF 
[Sensitive Compartmented Information Facility], they are able 
to hire a firm that--whose SCIF they have access to so that 
they can work with folks who can set up a network that meets 
this compliance. So, if you have a very small firm, you don't 
try and build your own network. You just subscribe to one 
that's already certified. Now you know you can count on it, and 
that firm then just provides it to you as part of their IT 
services. But, this is something that I know the CIO [Chief 
Information Officer] and the Under Secretary for A&S 
[Acquisition and Sustainment] are going to work very closely 
with the small business community. We need them, most of all, 
to get up to that standards, and we don't want this to be a 
barrier to entry.
    Senator Shaheen. Right. We don't want to lose all of the 
innovation that's coming out of the----
    Secretary Norquist. No, that's where a lot of the 
innovation is coming from. You're absolutely right, Senator.
    Senator Shaheen. Thank you.
    Thank you, Mr. Chairman.
    Senator Sullivan. Senator Ernst.
    Senator Ernst. Thank you, Mr. Chair.
    Mr. Secretary, along similar lines, but a little different 
question, focusing on the purchase of unsecure commercial 
items. Back in August, I had sent a letter to you highlighting 
the threat that was posed by commercial off-the-shelf computers 
and other types of electronic equipment, specifically those 
that have been made in communist China and those that present 
those cybersecurity risks. I appreciate the letter that you 
sent back in reply, which discussed the ways in which the 
Department is addressing those types of vulnerabilities, but 
perhaps you could, maybe, just give us a quick update now on 
the progress that the Department has actually made in that 
area.
    Secretary Norquist. Sure. So, one of the challenges you 
have in buying, particularly, electronics is--it's one thing to 
say this is a large Chinese-made product and it shouldn't be in 
the system. But, then you start buying other ones, and you 
start discovering components that were made--the company that 
provides it to you is a U.S.-based company, but all of a sudden 
there are components inside it. This is where the Department 
has to do careful analysis of what it's buying. We look at the 
threat intelligence, we look at their supply chains, and we 
test the products for its adherence to security standards. In 
some cases, we do penetration testing, red-teaming. But, we 
need to understand those supply chains to understand where are 
the places where we can't afford to have them bringing in those 
types of parts, because it creates a vulnerability. And working 
with those firms directly, in some cases, you can improve it if 
you take out the middleman, you buy directly from the vendor. 
But, in other cases, you have to understand if that vendor is 
assembling parts that includes pieces. Now, some of those 
pieces aren't a risk, others are. And that's where we have to 
work very carefully. And that's the process that we're putting 
in, both in--again, in cooperation between our CIO and our 
Under Secretary for Acquisition.
    Senator Ernst. Do you know, is the Department still 
purchasing equipment that possibly could have been manufactured 
in areas of concern?
    Secretary Norquist. Let me take that for the record so I 
know how far along in this we are.
    [The information referred to follows:]

    Secretary Norquist. Yes, the Department is still likely 
purchasing equipment manufactured in areas of concern. Many 
U.S. companies which produce cutting edge technologies also 
manufacture their products overseas. However, DOD does factor 
supply chain risk into our acquisition decisions, which 
distinguishes between products ``made in'' a country of 
concern, often as a routine business arrangement by U.S. 
companies, versus products ``made by'' a country of concern, 
where control and ownership may introduce extraordinary 
opportunities for malicious intervention. Location of 
manufacture is only one indicator of risk to the Department and 
must be assessed in the larger context of company ownership, 
board structures, security protocols, cybersecurity, financial 
relationships, and other considerations, to include 
counterintelligence. The Department is also participating in 
the Federal Acquisition Security Council (FASC), established in 
accordance with the 2018 SECURE Technology Act, with 
responsibilities and authorities to identify and address supply 
chain risks across the Federal Government.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Senator Ernst. Okay. Wonderful.
    Thank you very much, Mr. Chair.
    Senator Sullivan. Senator Kaine.
    Senator Kaine. Thank you.
    Mr. Secretary, what I said in my opening comments, that I 
wanted to try to get your opinion about when it might be 
reasonable to expect--as we work through the process of these 
annual audits and then, you know, engage in corrective 
activities, when might it be reasonable for the committee to 
expect that the Department would have a completely clean set of 
audits?
    Secretary Norquist. So, here's the trajectory you should 
expect. We have 24 organizations. I would expect, every year, 
to see movement forward, another one getting a clean opinion, 
people moving to modified. Within 5 or so years, I'd expect you 
to see the majority of them with a clean opinion. The 
Department itself won't get a clean opinion till the very last 
one falls. It took DHS 10 years to get a clean opinion. Five of 
those were waiting on the Coast Guard. Everyone else got to a 
clean opinion, and there was 5 years. And then, for several 
years, it was just Coast Guard property. Everything else was 
okay.
    So, you'll start to see the number come down. I found it 
very helpful, by the way, because, in the hearings, the Coast 
Guard used to get that as an opening question, when they were 
the one left out, as to, ``Why are you holding it up?'' That 
helped focus everybody's attention. But, that will--you'll see 
that over time. You'll see different parts get to a clean 
opinion. You'll see the number of problems going down. You'll 
see some where they have only a single issue holding them up. 
That's very helpful for focusing it. I don't know how it takes 
to get to the last one, because it's really who's the slowest 
and takes the longest, and that will be the final pin to drop.
    Senator Kaine. Thank you.
    Mr. Chair, I would just like to ask to be introduced in the 
record--in response to Senator Hirono's questions, Secretary 
Norquist talked about the letter that he sent to--under--over 
his signature, to Daniel Levin, who is the attorney for Laura 
Cooper, and there was a reference to that letter. The letter is 
about a page-and-a-half long, and the operative paragraph is 
the penultimate one, which reads, in relevant part, ``This 
letter informs you and Ms. Cooper of the administrationwide 
direction that executive personnel,'' ``cannot participate in 
the impeachment inquiry under these circumstances,'' period. I 
would like to introduce this for the record. And I'm going to 
have some additional followup via QFR [questions for the 
record] about this letter.
    Senator Sullivan. Without objection.
    [The information referred to follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Sullivan. Mr. Secretary, let me ask a couple of 
other questions.
    You mentioned that certain base commanders were very open 
and willing to work--did you run into some obstinance or 
resistance from other commanders? And was there a correlation 
between that and maybe not scoring so well? Or was the word out 
from the leadership in the Pentagon to make sure there was good 
cooperation here?
    Secretary Norquist. I think it's gotten better from year to 
year. The auditors were the ones who gave me the feedback, and 
they said the more they're engaged, the more likely that you 
are to see the results. It's a question of them focusing on the 
items in the process and what they need to be accountable for.
    But, here was the big surprise for the audit. One of the 
concerns we had, going in, from those of you advocating for 
audit and those of us pushing it, is the risk that it would be 
seen as a paperwork drill, ``You come, you audit me, and all 
you're doing to check is a bunch of paper and whether it--my 
bills match my invoices. This is just an admin drill.'' The 
issue over inventory, things that had direct benefit to 
readiness, this quickly turned around the views of the military 
that we dealt with to understand is--this wasn't about 
paperwork, this was about readiness, this was about being able 
to do their mission. So, I never ended up getting the pushback 
that I was afraid I was going to see and that everyone--until 
you started it, everyone just assumed was going to be the 
natural outcome of the audit. So, I think we've seen a change. 
I think we've seen that level of emphasis. Some places are 
stronger than others, but I think we're going to continue to 
see it grow.
    Senator Sullivan. Let me ask, related to that topic--you 
know, some of the media, which I'm glad they covered it, but, 
not surprisingly, the headlines were a little alarming. There 
was a Reuters piece, a couple of days ago, ``Pentagon Gets 
Failing Grade in its Second Audit.'' And then, a Bloomberg 
piece, just--well, yesterday, I think--headline, ``Air Force's 
Inventory Listed Wrong Sites for 79 Nuclear Missiles.'' So--
"misidentification of 79 Active Minuteman II nuclear-armed 
missiles, almost a fifth of the fleet.'' That's pretty 
alarming.
    Can you talk to some of these headlines, and particularly 
the one with regard to 79, ``missing nuclear missiles"?
    Secretary Norquist. Right. So, these types of----
    Senator Sullivan. Were they really missing? I'm a little 
bit concerned, if that was the case.
    Secretary Norquist. So, the proper title would have been, 
``79 Uninstalled Missile Motors,'' because they aren't actual 
ICBMs [Intercontinental Ballistic Missiles] and missiles. They 
are the motors that are used in them. And when they are pulled 
out and put into maintenance in the supply system, there was an 
issue in the accuracy of the supply system, because it's 
manual, tracking whether they were still on the base, and 
whether they were at the depot. But, I don't think 
``uninstalled missile motors in maintenance'' has the same 
drama as the title that you read.
    This comes up in the audit. Occasionally, you'll have some 
story that references the Department and trillions of dollars, 
even though that number is orders of magnitude larger than our 
budget. There are these types of misunderstandings of what the 
auditors--again, remember, these audit reports are written by 
accountants. So, they are written with a level of detail that 
makes sense to somebody of that background. But, to others, 
these stories come out, and you try and translate it, and you 
get it wrong. So, part of my job is, when these come up, 
explaining, ``No, our missiles are in the ground. We know where 
they are. They don't tend to move that often, for the ICBMs. 
So, 79 would not have been relocated. But, this is missile 
motors.'' And the answer is, it's still a problem, we still 
have to get inaccuracy of our missile motors, but it's not 
the--it's a regular supply issue and inaccuracy from a manually 
updated database.
    Senator Sullivan. Okay. So, on that headline, still useful, 
and it--obviously, keeping track of the missile motors is 
important, but it wasn't as if there was----
    Secretary Norquist. Correct.
    Senator Sullivan.--a loss of the----
    Secretary Norquist. Correct. And they did a----
    Senator Sullivan. We knew where these ICBMs were.
    Secretary Norquist. Right. And the auditors did a site 
visit at F.E. Warren, and they gave it 100 percent thumbs-up. I 
met with them and asked them what issues. They didn't even 
bring this one up. They just talked about supply issues, in 
general.
    Senator Sullivan. And ``failing grade"? That's accurate. 
Was it----
    Secretary Norquist. On the overall audit?
    Senator Sullivan. Yes.
    Secretary Norquist. Yeah, we didn't pass. I mean--well, let 
me--in fairness, seven organizations did, and the leaders of 
those should get credit, because many of them started those 
audits before anybody else in the Department. The--some of the 
funds, having clean opinions for 5 or 10 years. That was sheer 
will by the leadership of that organization, because there was 
not a pull signal from the Department level for many of those. 
So, credit to those who got it. But, we've still got another, 
you know----
    Senator Sullivan. Let me ask a more parochial question, 
from my perspective. You said you were at Fort Wainwright in 
Alaska. What were the findings there? Positive? Negative? Any 
good examples or things that need to be improved upon?
    Secretary Norquist. Sure. So, it's a great example of the 
test they did. They went to Fort Wainwright, and they had a 
list of 108 items that they wanted to find. These were 
everything from rotary-wing aircraft to coms gear. And then 
they looked around and picked 25 items they found, and then 
they went back to the database and said, ``Can you show me 
these 25?'' They had 95.5-percent pass rate. There were six 
things. Examples included: the serial number didn't match. 
Okay, well, then we can't be certain this is the same item. You 
have an item, but the serial doesn't match. Or the item was 
there, but it wasn't recorded in the system. Okay, you've got a 
missing piece entry. Six is somewhat small, but, again, this is 
a sample, so the question becomes, What--if you extrapolate 
that? But, it was 95.5-percent pass rate. That's a good example 
of the visits they did around the country. And I think it's the 
type of thing where that feedback is helpful, because the local 
commander can figure out why, ``Why do I have these six 
areas?'' And then they can determine, ``Is it in other areas, 
as well? Do I have--if they came back and pulled a different 
sample, would I be 100 percent or would I still have the same 
errors?'' And then they have, you know, 6 to 9 months to work 
on it before the auditors potentially sample them again.
    Senator Sullivan. Great. Thank you.
    Senator Perdue.
    Senator Perdue. Well, first of all, I want to thank you for 
your perseverance in here. You and the Ranking Member Kaine 
have been warriors on this for years.
    I want to thank you, Secretary, for giving us our first 
audit in the history of the United States. I know it's a 
laborious process, and I know it's expensive, to start with, to 
do your first one. I just have a couple of quick questions.
    When you look at the number--or the cost of this first 
exercise, pretty substantial, as you might imagine. This is our 
third-largest expense--item on our expense sheet, second only 
to Social Security and Medicare. But, it's only a few--it's 
only a little bit larger than some of our larger corporations. 
They do this routinely, and it doesn't cost them a billion 
dollars to do so. So, my question is, over time, do you see a 
possibility, number one, that we can get to the answers, here, 
quicker, now that we've got a start at it, we can get to a 
clean report? And then, what's the quantitative--I know we've 
talked about some of the subjective benefits of this, obvious--
that are obvious, but how do we quantify that? I mean, it seems 
to me--you've mentioned, in a private conversation, that you've 
pretty much already paid for this, in many regards, 
quantitatively. Can you just tell the committee and get that on 
the record for us?
    Secretary Norquist. Sure. So, you talked about the cost. 
Let's break it into the three parts.
    There's the amount we pay to the public accounting firms--
--
    Senator Perdue. Right.
    Secretary Norquist.--about $195 million. Compared to our 
size, not dramatically different than some of the other large 
firms.
    Senator Perdue. It's about right.
    Secretary Norquist. From the Corps of Engineers, their 
experience has been, though, that, as the audits move from 
these heavy sampling to reliance on controls, those costs will 
come down. So, we expect to see the amount we pay the auditors 
go down.
    We have a similar amount, about $250 million, that we spend 
either in labor of Federal employees or in the contract support 
that we use to support the audit. Some of that will come down. 
Some of that's just the cost of doing business correctly.
    When you look at what DFAS spends to process, they have 
very good data over how much they spend fixing errors. Their 
cost will go down by at least $400 million when they start 
getting clean data, which will fully cover the cost of the 
audit and the cost of our side of support.
    Senator Perdue. The clean data is a byproduct of an audit 
process.
    Secretary Norquist. It absolutely is. And you think about 
the labor we spend when a transaction comes through that's 
unclean. Somebody has to research, they've got to figure out 
why the codes are wrong----
    Senator Perdue. Right.
    Secretary Norquist.--which is an automatic--when the whole 
thing flies through without a touch. Right? And you're all set.
    The second half of that is the money we spend on fixing 
problems. And again, we're doing this to comply with our 
standards and with the law, so we were spending that money in 
the past, and we are spending now. The difference is, we didn't 
have the audit to tell us if it was right.
    So, I'll just pick a system example. You're fielding a new 
accounting system. In the past, you'd field it, and then you'd 
start discovering it didn't post right, it didn't do what you 
want to. The person fielding it now knows the auditors are 
going to show every year and test that system, so you're not 
going to be done with your implementation before the auditor's 
given you a list of problems. And the program manager's 
thinking, ``Am I paying you to make this system work?'' So, 
that level of discipline benefits the taxpayer through these 
fieldings to get it to the right level.
    What I was surprised by was, when you look at the money 
that the Navy has saved, the $167 million, when you look at the 
$316 million that the Department was able to use data analytics 
to recover as we did our budget scrubs, that's the cost of what 
we're spending on the audit, and then some. So, in terms of 
paying the auditors, we're already recovering that.
    Senator Perdue. Right.
    Secretary Norquist. Now we're just living off the benefit 
of all of their findings, making sure the rest of the money we 
spend is better, that our processes get better, and that we 
bring discipline to the system. So, I had originally expected 
that this would be a savings some years out. And I know the 
patience with, ``Just wait, it will pass.'' But, we are seeing 
that benefit now, and we are seeing the benefit to the taxpayer 
immediately.
    Senator Perdue. Can I ask one more, real quick?
    I know you've talked about continuing resolutions since 
you've taken this job. And we now know, because the SECNAV 
[Secretary of the Navy], Secretary Spencer, has actually talked 
to us quantitatively about that, and now the service heads--
Secretaries have also done that across the board. We now know 
that it costs upwards of couple-hundred-billion dollars over 10 
years, in terms of these--the CR practice that we've been under 
for the last 45 years. Only 4 times in the last 45 years have 
we actually funded the government on time. And that means no 
need for a continuing resolution at the beginning of the year. 
In the last decade, all but one year, we've--the first quarter 
has been under a continuing resolution.
    Now, this current debate that we'll have tomorrow, if we 
have a vote on the next continuing resolution, will be the 
188th continuing resolution. Can you describe to us how the 
audit interacts with our growing awareness of how this 
insidious thing called a continuing resolution just devastates 
the military? It doesn't sound so onerous to me, as a business 
guy, coming--you're going to spend no more than last year? That 
doesn't sound so bad. But, because it ties the hands of the 
military at the line-item level, seems to me we're building in 
tremendous intrinsic costs there just because of our lack of 
doing the job here in Congress. And I know you agree with that. 
How would the audit help us identify, expose those wasteful 
efforts? Like, $4 billion right now we're spending today, we're 
spending against $4 billion of programs that the DOD has 
already said are obsolete, we don't want to spend those 
anymore, but we're obliged to under the continuing resolution 
law.
    Secretary Norquist. So, you think of a contract where 
you're buying some supply. Normally, you might place the order 
at the beginning of the year for the entire year. And instead, 
you're going to take that, and somebody's going to make an 
order that covers the first 6 weeks. And then, after your 
contracting action, they have to do all the normal paperwork, 
they've got to load it in the system, and then, when the CR is 
extended, they do another contract for another 4 or 6 weeks. We 
keep breaking this contract into multiple parts, increasing the 
amount of manual labor that you have to do, increasing the 
chance for data error, making it much harder on the vendor to 
deliver the quantity at the right cost. What the audit will 
show you is just the volume of transactions you have 
artificially generated, the amount of additional work. We see 
the consequences with some of these inventory issues at year-
end, where we held back money for 3 to 6 months, and then we 
push it forward and expect people to move out and be able to 
execute it with the 3 to 6 months left.
    Senator Perdue. We're holding excess inventory in 
anticipation of 3 months or more that we can't use.
    Secretary Norquist. Or at the very end of the year, it's 
the one thing I can order. Right? So, I order the inventory, 
but it's a rush, because I didn't get it in a normal sequence 
like I did, so I put it on the shelf. I'll get around to 
loading it into the inventory system later. Life gets busy----
    The other part is, the people doing the audit are the ones 
most affected by the CR. It's the acquisition community, it's 
the financial--all these folks who are now spending their time 
over here, we want over on the other side, getting the data and 
getting the process right.
    It's very disruptive, and the audit highlights that. And 
then, the whole effect on the mission side, on the families, on 
the deployments, those are a pretty serious problem.
    Senator Perdue. Thank you.
    Thank you, Mr. Chair.
    Senator Sullivan. Senator Blackburn.
    Senator Blackburn. Thank you, Mr. Chairman.
    And, Mr. Secretary, thank you for being with us today.
    I'll have tell you, going back to my freshman year in the 
House in 2003, we started working on the management initiative, 
the DOD audit processes, trying to simplify this and get 
everybody into a system where data would be interoperable, you 
would be able to put a lot of this online at that point. Now we 
want it all in the Cloud. But, what has frustrated me, and, I 
think, what continues to frustrate some of our men and women in 
uniform, is that you take two steps forward, you take a couple 
of steps back, and you end up not making as much progress as 
you would like to see made.
    So, with our interests in Tennessee--Fort Campbell, 
Millington Air Naval Station, Arnold Air, our National Guard 
presence, the full-time National Guard Intel Unit--as I talk 
with these men and women, one of the things that continues to 
come up is having a standardized process, having best 
practices, and being able to look, not just at what is 
immediately in front of you, but looking out--further out. 
Senator Perdue just talked about the necessity for having 
budget authority and not running on a CR. That's a big part of 
that. And we realize that. But, also, I think the--what comes 
back to being an issue with DOD is the fact that they just 
can't seem to get ahead of this process and get those best 
practices in place.
    So, what I'd like to hear from you is, if you've got a 
system in place to really incentivize identification of cost 
savings by DOD employees, if that would help. And also, what 
about a best-practices database? Is that something that, as you 
go through this and you pull this data, and you go in and 
research this, are you building a best-practices database that 
is going to be available systemwide? And then, the third thing 
I would say is, leveraging leaders from the private sector who 
can really come in, based on their experience, and help you 
streamline processes and optimize operations for the 
Department. Because right now--and this is one of the problems, 
I think, that our units have when they're deployed, is the 
number of hoops they have to jump through to get authority or 
something that they need in a timely manner.
    As you look, holistically, at this and what you intend to 
glean from it, if you'll just answer those, it would be 
helpful.
    Secretary Norquist. Sure. One of the important things is 
how the audit puts a spotlight on some of those problems. And 
one of the things that we have set up at the Department is, we 
have three forums that include the headquarters, but also Army, 
Navy, and Air Force. One of them focuses on the IT aspects of 
the audit; another, on the logistics, which is a lot of the 
issue you're talking about; and the third is on financial 
management. And part of the answer is, we're all going to find 
the same problem. So, when we have the right fix, when we have 
a solution that is usable across it--and so, for example, the 
Army is experimenting with--it's a series of codes called a 
BOT, a micro-thing--but, what it does is, it's software that, 
when you depart, runs through the accounts and looks for every 
place you had a login account, and turns it off instead of 
waiting for six different organizations to get the paperwork to 
go in and turn off your access. That works. Everybody can adopt 
it. The similar thing we're looking at is, how do I make sure 
somebody doesn't login as one user in one account, still login 
as another. We're trying to design a control that prevents 
somebody from doing both of those functions. All of those are 
best practices, and we have a forum that shares those.
    You talk about being in the private sector. Secretary 
Spencer, at the Navy, bought in private-sector overview of how 
you do aircraft maintenance and has been looking through and 
adopting some of the best practices on the Navy aircraft in 
order to fix the depot issues, the supply issues they have been 
facing. And so, when they have those, they then share them with 
the other services. But, each of these answers, there's a lot 
of analogy to what we do, even though we're different, in the 
private sector. And the more we can--we used to call it, you 
know, best practices in government. I think it used to be 
called plagiarism when I was in college. But, you take their 
ideas, and you use them, and you use it to drive efficiency in 
the process.
    Senator Blackburn. Thank you.
    I yield back.
    Senator Sullivan. Thank you, Senator Blackburn.
    Senator Perdue.
    Senator Perdue. Well, thank you for accommodating. I just 
have one more.
    We could do this all day, Mr. Secretary, but you've got a 
job to do, and we do, too.
    But, this is so impactful. We're talking about big dollars 
here, $160 billion that we spent. Where do we go from here? And 
what do you think we're going to identify? If you're not ready 
to quantify this today, I totally understand that. But, one of 
the purposes of an audit is to look at operational 
effectiveness and best practices Senator Blackburn just 
mentioned. But, I'm looking at the top-line. This is our, sort 
of, first deep-dive look at the broad base of the DOD. And, 
when you look at the impacts of CRs and other things, given the 
NDS, what do you think the potential is going to be for some 
rationalization of this lost cause?
    For example--and I will just highlight this quickly--we 
spend about 14 percent of the total money on overhead. Now, 
that's up from about 2 percent in about the Vietnam era. So, 
it's 2 percent to 14. I'd like to know what that increase is. 
That should be part of the audit process, as well. Then we 
allocate the balance--a third, a third, a third--which is not 
consistent with the NDS. And I would hope that the audit, in 
getting more efficacy about where the money is spent and how 
that's decided, will give us some flexibility in how to address 
that.
    So, my question, sir, is, where do we go from here? What's 
the next step this year? And what do you hope to improve after 
the first audit? And then, secondarily, what do you think the 
rationalization potential could be in DOD? If you're not ready 
to quantify a number there, I would totally understand. But, at 
least directionally, give us some idea of what you're thinking.
    Secretary Norquist. Sure. So, I think the next big step--I 
mean, in the small steps, we're going to keep identifying the 
errors, we're going to close them--the next big step is to take 
advantage of the data we have. Part of it is, we used to do 
transactions in blocks, thousands of transactions as a single 
entry. Can't do that and pass an audit. So, we're doing 
individual transactions. The advantage of that is, you can now 
search on them. So, whereas, before, somebody looking at a 
budget would see they had $100 million, they've spent 50; they 
can now click on that and get every single transaction that 
makes that up. Well, now if you want to get after overhead, if 
you want to get after some of those other expenses, you can go 
through those transactions and sort out, is this overhead, as 
in logistics support and maintenance and essential things, or 
is this overhead, as in I hired a consultant? Right? And am I 
getting something? So, that level of transaction-level data.
    Part of what I want to push for is, we should be able to 
have a meeting in the Pentagon that looks like what you'd have 
in a business company, where all the business units are there 
and you've got a report from your CFO [Chief Financial 
Officer], that there's no discussion about the report. It is an 
accurate summary of the financial activities of each of the 
organization. We're now going to have a discussion about what 
it means. Right? If you don't trust the data, you can't get 
there. But, if you start having this transaction level, we can 
bring it up.
    We use, in Defense, something called PPBE ``planning, 
program, budget, execution.'' It doesn't have a backloop--
right?--where you go and you say, and here's what we did and 
how it comes back. So, we may end up changing that to PPBA, 
where we go from budgeting to the accountability, which is, did 
you do with the money, what did you get for it? Before I do 
programming for the next 5 years, how do I take that 
information back into the system? And this is moving accounting 
from being a note at the end that we send a report to somebody 
to--and again, the audit report is just to somebody, but it's 
the data that produces it that can come back to the leadership 
in a usable format. And this is what private-sector companies 
are able to do, because they trust their data. And that's what 
we want to be able to get to from how you manage an entity.
    Senator Perdue. Well, of all the people who come to the 
Hill and testify, I have to tell you, you have consistently 
been a straight shooter, and I so much appreciate that. Thanks 
for all you're doing over there.
    Thank you, Mr. Chair, for----
    Senator Sullivan. Thank you, Senator Perdue.
    And I want to thank the Secretary, as well.
    I want to thank my colleagues. You're looking--three of the 
leaders in the Senate on these audit and budget issues for the 
Pentagon--Senator Ernst, Senator Blackburn, Senator Perdue. So, 
thank you, to them.
    And, you know, Mr. Secretary, you did raise the issue of 
the CR, and heard bipartisan concern here today, which I think 
is important, how you described it. There is a way to deal with 
it, which is to allow us to get on the Defense appropriations 
bill and have my colleagues on the other side stop 
filibustering from getting on that, and we can just vote on it. 
That would certainly help. That's what we're trying to do. So, 
to the bipartisan concern, there's a simple answer: Let's get 
on the bill and vote on the Defense approps bill that came out 
of the Appropriations Committee with a strong bipartisan 
support. But, we'll continue to press that. I certainly will.
    Well, I want to thank you, again.
    And members are requested to submit any additional 
questions for the record by Friday at noon.
    Mr. Secretary, I appreciate and respectfully ask that you 
promptly respond to any of these additional questions from any 
of the members of this committee.
    With that, we are adjourned.
    [Whereupon, at 10:49 a.m., the committee adjourned.]

    [Questions for the record with answers supplied follow:]
              Questions Submitted by Senator David Perdue
                        audit of digital assets
    1. Senator Perdue. Secretary Norquist, the fiscal year 2018 and 
fiscal year 2019 Department of Defense audits revealed problems 
throughout DOD concerning inventory accuracy and complying with 
cybersecurity discipline. While these audits have identified physical 
assets, including properties and systems under DOD's management, I am 
concerned that the department is failing to obtain a full account of 
its digital assets, specifically Internet Protocol (IP) addresses owned 
and operated by DOD. To what extent has the DOD audit included a 
comprehensive inventory count of DOD's digital assets (e.g. IP 
addresses, certificates, domains, and cloud instances, as well as 
services and DOD assets hosted in contractor and cloud environments)?
    Secretary Norquist. All DOD financial statement audits have been 
performed by independent auditors in accordance with applicable 
professional standards with the objective of rendering an opinion on 
the fairness of presentation of the financial statements in accordance 
with generally accepted accounting principles. The auditor's testing 
may provide some feedback on the sufficiency of the controls over 
digital assets, but a financial statement audit is not expected to 
address all of the specific points above.

      For those digital assets that are subject to inclusion on 
the financial statements (expensed or capitalized), the financial 
statement auditors perform testing of management's controls and 
substantive testing of transactions on a sample basis which may 
identify instances of incomplete or inaccurate accounting for these 
assets.
      This may include assets such as computing hardware and 
software purchased / developed by DOD. However, this would not 
typically include digital assets such as IP addresses and certificates 
that are not recorded in the financial statements.

    Furthermore, the DOD doesn't technically ``own'' IPv4 address space 
such that we could sell the IPv4 addresses and keep proceeds. DOD has 
an allocation of IPv4 address space, and IF some or all of that address 
space were sold in accordance with statute and policy, the proceeds 
would go to the U.S. Treasury and not DOD. While the Department may not 
own IP addresses, it is the responsibility of management to perform 
inventory counts of the Department's assets, including digital assets. 
DOD is increasing enterprise-wide maturity in IT asset inventory 
reporting for commercial software licenses and commodity IT laptop and 
desktop computers by: improving property accountability for commercial 
software license purchases; modernizing cybersecurity end-point 
identification, management and asset reporting solutions; and, 
implementing enterprise-wide purchasing and licensing solutions for the 
most widely-used commercial software products and commodity laptop and 
desktop computers.
    While professional standards require auditors to obtain sufficient 
knowledge of information systems relevant to financial reporting to 
plan and perform the audit, they do not require the verification of 
every single internet protocol address or digital asset.

    2. Senator Perdue. Secretary Norquist, if not, what reasoning/
review is behind the Department's decision to not include digital 
assets in the audit's purview?
    Secretary Norquist. The objective of the DOD audit is to verify 
that the Department's financial statements are fairly stated by 
assessing the DOD's ability to capture, record and report its financial 
activity and balances. All of the DOD's books and records are subject 
to audit scrutiny, including digital assets that have a significant 
impact on the financial statements. The DOD Office of Inspector General 
(DOD OIG) auditors and the independent public accounting (IPA) firms 
performing the audit determine the scope of the audit and the specific 
procedures to perform.

    3. Senator Perdue. Secretary Norquist, with regards to DOD audit 
protocol, do auditors from outside firms, as well as auditors from 
DOD's Office of Inspector General (OIG), include digital inventory when 
conducting site visits?
    Secretary Norquist. The DOD OIG auditors and the IPA firms 
performing the audit determine the scope of the audit and the specific 
procedures to perform. The DOD OIG has an oversight role for the audit, 
including understanding the IPAs' site visit objectives, planned test 
procedures, and samples selected. If the auditors, deem digital assets 
to be significant (i.e., subject for inclusion on the financial 
statements based on generally accepted accounting principles), they 
will include them in the scope of the audit accordingly.

    4. Senator Perdue. Secretary Norquist, what level of risk is the 
Department assuming by not having a proper accounting of global DOD 
digital assets?
    Secretary Norquist. To the extent that the inability to account for 
digital assets reflects an inability to monitor activity on Department 
of Defense (DOD) networks, or is indicative of unevaluated software or 
hardware operating on DOD networks, this would present a cybersecurity 
risk. However, the ability to meet the financial/accounting requirement 
would not necessarily reduce cybersecurity risk and vice versa.
    Financial risks from weaknesses in accounting for digital assets 
typically include increased likelihood of incurring higher costs for 
purchasing and maintaining IT assets, when compared with IT asset costs 
for entities with well-managed digital asset inventories. The potential 
cost risks from poor inventory accounting can arise from purchasing 
excess inventory, failing to maximize volume purchase discounts, 
planning and negotiating procurements with incomplete price and 
requirements data, and struggling to optimize asset utilization.
    DOD software applications, hardware appliances, and hosting 
locations / enclaves are required to undergo assessment and 
authorization following the DOD Risk Management Framework (DOD 
Instruction 8510.01) on an annual basis. DOD Authorizing Officials (AO) 
are responsible for assuring that software and devices connected to 
their networks are properly accredited. The workflow and evidence is 
tracked and maintained in automated systems such as the Enterprise 
Mission Assurance Support System (eMASS). Similarly, and as described 
in greater detail below in response to QFR 6, DOD has long leveraged 
network scanning technologies to evaluate status and configurations on 
DOD networks. DOD is in the processes of migrating toward an 
infrastructure of end-point management through comply-to-connect and 
automated continuous monitoring technologies, further described below.

    5. Senator Perdue. Secretary Norquist, how is the Department 
quantifying that risk?
    Secretary Norquist. Regarding the financial risks, the Department 
of Defense (DOD) quantifies the risks of higher costs from weaknesses 
in digital asset inventories by estimating the potential cost avoidance 
that could be achieved by improving IT asset visibility, IT asset 
management, and IT category management procurement processes. This 
analysis includes estimating the potential cost improvements and 
efficiencies that could be achieved by: implementing enterprise 
software licensing and purchasing solutions that align purchases with 
validated requirements; using category management and acquisition 
strategies that optimize contract terms and prices for the most widely 
used commercial assets; and, reducing duplicative procurement actions.
    Regarding cybersecurity risks associated with status of devices, 
software and systems operating on DOD Networks, DOD maintains its cyber 
hygiene scorecard. Compiled from data provided from its legacy 
information security continuous monitoring (ISCM) capability, that 
scorecard tracks status of key configuration control and security 
architecture metrics, and is leveraged by DOD to meet Federal 
Information Security Management Act (FISMA) reporting requirements. The 
importance to DOD of improving the ability to monitor and manage 
network software and devices operating on its endpoints, is reflected 
in this being an initiative within the DOD Top 10 Cyber Landscape 
efforts, and is track within the DOD Top 10 Cyber Scorecard.

    6. Senator Perdue. Secretary Norquist, if the Department is not 
capturing digital inventory in the DOD audit, how does it intend to 
continuously discover and monitor digital assets that are dynamic and 
ephemeral?
    Secretary Norquist. DOD is modernizing its capability to 
continuously discover and monitor digital assets by transitioning from 
the legacy information security continuous monitoring (ISCM) to Comply-
to-connect (C2C) and Automated Continuous Endpoint Monitoring (ACEM) 
frameworks. ACEM enhances the existing end-point management solution by 
providing a more effective means to discover end points that are not 
currently managed using ISCM solutions, which will enable more complete 
deployment of current and planned end-point management solutions. 
Implementing C2C will ensure that all hosts--regardless of whether 
asset is a physical device or virtual host--are authenticated as known 
and authorized resources, and are configured in compliance with 
applicable cybersecurity and asset management policies and standards. 
ISCM, ACEM, and C2C are and will continue to be continuous monitoring 
activities. The monitoring data could be leveraged at any point in time 
to support audit requirements.
    Implementation of the C2C framework, in particular, will improve 
ability to manage static and ephemeral hosts by denying access to 
network resources and services for hosts that fail to authenticate or 
fail to meet minimum cybersecurity policy requirements. C2C, along with 
ACEM and other planned cybersecurity modernization initiatives, will 
increase the ability to automate remediation of deficiencies in policy 
compliance for authorized hosts, regardless of whether the host is a 
physical or virtual host. Operators will be required to intervene on an 
exception basis to address unauthorized assets or assets that cannot be 
brought into configuration compliance using automated solutions.

                  identifying huawei inventory oconus
    7. Senator Perdue. Secretary Norquist, the U.S. military maintains 
hundreds of military bases in more than 70 countries worldwide. Some of 
these bases rely on the host nation's telecommunication networks to 
provide the base with broadband services. Many of these countries 
utilize equipment from Huawei to operate their telecommunications 
network. When auditors conduct site visits OCONUS [Outside Continental 
United States], are they evaluating the cybersecurity risks that 
military installations are potentially incurring by relying on 
telecommunication networks that utilize Huawei equipment, particularly 
in light of recent legislation that has prohibited that use?
    Secretary Norquist. Financial statement auditors test information 
system controls in support of a financial statement audit. In such 
instances, the testing generally involves assessing general and 
application controls such as security management and configuration 
management. The scope of a financial statement audit typically does not 
include evaluating the cybersecurity risks related to use of specific 
telecommunications networks unless those networks are relevant and 
significant to the DOD's financial statements.

      Even in those cases, the auditor's primary consideration 
would be controls over the initiation of unauthorized transactions or 
changes to data relevant to financial reporting and would not address 
controls to prevent espionage (i.e., unauthorized ability to view data 
transmitted over telecommunication networks).

    8. Senator Perdue. Secretary Norquist, if not, what are the 
potential risks that DOD could incur by failing to create cybersecurity 
protocols that ensure military bases OCONUS are not operating on 
networks that utilize Huawei equipment?
    Secretary Norquist. The Department shares your concern regarding 
the supply chain risk posed by Huawei, and other Chinese providers. DOD 
is aware that there is likely proliferation of these technologies 
within commercial telecommunications upon which DOD may be required to 
rely, particularly in foreign countries. However, DOD always assumes 
that its network traffic is vulnerable in foreign countries, takes 
steps to reduce the risk to its network traffic through strong 
encryption, and redundant and diverse communications.
                               __________
                Questions Submitted by Senator Jack Reed
                      transparency of audit firms
    9. Senator Reed. Secretary Norquist, as part of his confirmation 
process, Secretary Esper noted that it is important for the Secretary 
of Defense to know whether an auditor has been disciplined in the past 
for poor performance before an auditor is selected to do work for DOD. 
Do you agree with Secretary Esper?
    Secretary Norquist. Yes, it would absolutely be prudent for the 
Secretary of Defense to be aware of this information and for the DOD to 
have a full understanding of the specific circumstances and any 
remediating factors related to a case where an auditor has been 
disciplined for poor performance in the past. This type of information 
is relevant and should be closely examined in making procurement 
decisions with taxpayer funds.

    10. Senator Reed. Secretary Norquist, will you personally commit to 
using your best efforts to ensure that as part of any contract action 
(including awards, renewals, and amendments), the Department requires 
any accounting firm providing financial statement auditing or audit 
remediation services to the Department in support of the audit required 
under section 3521 of title 31, United States Code, to provide the 
Department with a statement setting forth the details of any 
disciplinary proceedings conducted by any entity with the authority to 
enforce compliance with rules or laws applying to audit services 
offered by the accounting firm or its associated persons?
    Secretary Norquist. Yes, in March 2019 a Defense Federal 
Acquisition Regulation supplement rule was issued to implement section 
1006 of the fiscal year 2019 National Defense Authorization Act (NDAA), 
which requires these statements to be made part contracting process The 
Department is continuing to refine the process whereby future 
solicitations for audit services would require accounting firms to 
verify that either they have not been subject to any such disciplinary 
proceedings, or in the event that they have been subject to 
disciplinary proceedings, fully disclose the related facts and 
circumstances as part of the solicitation response.
                               __________
             Questions Submitted by Senator Jeanne Shaheen
                  pfas-free firefighting foam research
    11. Senator Shaheen. Secretary Norquist, I understand that the 
Naval Research Laboratory is currently working on developing an 
alternative fluorine-free firefighting foam. Can you provide an update 
on the ongoing research and the status on its fielding and 
implementation?
    Secretary Norquist. The Environmental Security Technology 
Certification Program (ESTCP) is supporting two series of large-scale 
tests of fluorine-free alternatives to Aqueous Film Forming Foam 
(AFFF). The tests will be of both commercially-developed alternatives, 
as well as alternatives being developed by the Strategic Environmental 
Research and Development Program (SERDP). The first test series is 
being conducted by the Naval Research Laboratory (NRL) and is 50 
percent complete. The team of Tyndall Air Force Base and Battelle have 
just received approval of their test plans and will conduct their first 
test in January 2020. Both teams are slated to submit their initial 
test reports in February 2020.
                               __________
             Questions Submitted by Senator Mazie K. Hirono
                          obstructing congress
    12. Senator Hirono. Secretary Norquist, in response to my question 
about whether you would refrain from prohibiting DOD officials, like 
Ms. Laura Cooper, from participating in the House of Representatives' 
impeachment inquiry, you stated: ``I did not prohibit her. What I did 
was I forwarded her the information that we-- I forwarded to her lawyer 
the information we had received from the White House that expressed 
their views about the impeachment process.'' Your letter to Mr. Levin, 
however, does more than forward the White House's letter. Your letter 
states, ``This letter informs you and Ms. Cooper of the Administration-
wide direction that Executive Branch personnel `cannot participate in 
[the impeachment] inquiry under these circumstances'.'' As I stated at 
the hearing, a letter like this does create a chilling effect. Will you 
refrain from prohibiting or deterring any other DOD officials from 
cooperating with Congress going forward?
    Secretary Norquist. On October 22, 2019, I wrote Ms. Cooper's 
personal counsel to inform him of the Administration-wide direction 
that Executive Branch personnel cannot participate in the impeachment 
inquiry under the circumstances. Though interagency communications 
remain confidential, I can say the Administration's guidance remains 
the same.

    13. Senator Hirono. Secretary Norquist, will you agree to formally 
notify everyone who works at DOD of their legal right to report 
misconduct to Congress without retaliation?
    Secretary Norquist. Pursuant to the No FEAR Act, all personnel are 
informed of the rights and protections available to them under Federal 
antidiscrimination and whistleblower protection laws. New employees 
receive No FEAR Act training within 90 calendar days of their 
appointment to service. Further, all employees are required to complete 
refresher training every two years to ensure continued understanding of 
their rights and responsibilities.

    14. Senator Hirono. Secretary Norquist, you stated at the hearing 
that you ``take very seriously our responsibility to accurately and 
responsibly respond to Congress.'' On November 3, 2019, the Department 
of Defense General Counsel, Paul Ney, ordered the Pentagon to identify 
and submit for review all documents about the distribution of military 
aid to Ukraine. Will you allow your staff to cooperate with Congress 
and provide documents collected by General Counsel Paul Ney to 
Congress?
    Secretary Norquist. The Department remains firmly committed to 
accommodating congressional oversight. Most if not all the documents 
collected internally pursuant to the DOD General Counsel's memorandum 
of October 3, 2019, are also responsive to the House Permanent Select 
Committee on Intelligence's subpoena of October 7, 2019. There are 
legal and practical concerns with the subpoena as detailed in the White 
House Counsel's letter of October 8, 2019, which must be addressed 
prior to any responsive documents being supplied to Congress.

                            parole in place
    15. Senator Hirono. Secretary Norquist, recent news reports 
indicated that the Trump administration has been looking into 
terminating the ``parole in place'' program for military families since 
this summer. This program, which began under President George W. Bush, 
has helped undocumented family members of servicemembers adjust their 
legal status without being forced to leave the United States and face a 
ban from entering the country for up to 10 years. According to a July 
5, 2018, Military Times article, data showed that rejections of parole 
in place requests for families of Active Duty members rose from 11 
percent in fiscal year 2016 to about 14.5 percent in fiscal year 2018. 
When I asked you about this program during the hearing, you said that 
you would take my question for the record. Secretary Esper previously 
committed to me that he would look into this issue. What steps has DOD 
taken to coordinate with the Department of Homeland Security (DHS) on 
this issue?
    Secretary Norquist. Any significant event that impacts the 
readiness of our servicemembers and their families is of concern. As 
such, we have worked closely with the Department of Homeland Security 
as they reviewed the future of the Military Parole in Place policy and 
are not aware of any pending DHS termination. We note the passage of 
Section 1758 in the Fiscal Year 2020 National Defense Authorization Act 
that encourages DHS to continue to support Military Parole in Place and 
thank the Committee for its support.

    16. Senator Hirono. Secretary Norquist, has DOD urged DHS to 
preserve this parole in place program or reconsider DHS's recent 
increase in rates of denial of parole in place for families of Active 
Duty servicemembers?
    Secretary Norquist. The Department has worked closely with the 
Department of Homeland Security (DHS) as they reviewed the future of 
the Military Parole in Place policy, and is not aware of any pending 
DHS termination.

    17. Senator Hirono. Secretary Norquist, during his nomination 
hearing, Secretary Esper indicated he would not expend any DOD 
resources to help DHS identify and deport veterans. To your knowledge, 
has DOD provided to DHS any information or resources related to 
veterans who may be subject to deportation?
    Secretary Norquist. The Defense Department is not aware of any such 
information being provided to the Department of Homeland Security 
related to veteran deportation. The Department does provide information 
pertinent to the naturalization adjudications of qualifying 
servicemembers as requested.
                               __________
                Questions Submitted by Senator Tim Kaine
                participation in the impeachment inquiry
    18. Senator Kaine. Secretary Norquist, In your October 22, 2019, 
letter to Daniel Levin, the counsel for Ms. Laura Cooper, you provided 
the Administration's direction stating that Executive Branch personnel 
``cannot participate in the impeachment inquiry'' and that even if 
issued a Congressional subpoena to compel their appearance and 
testimony that the Supreme Court Ruling in United States v. Rumely, 345 
U.S. 41 (1953) held ``that a person cannot be sanctioned for refusing 
to comply with a congressional subpoena unauthorized by a House Rule or 
Resolution.'' Did you send this letter at the direction of the White 
House?
    Secretary Norquist. On October 22, 2019, I wrote Ms. Cooper's 
personal counsel to inform him of the Administration-wide direction 
that Executive Branch personnel cannot participate in the impeachment 
inquiry under the circumstances. Though interagency communications 
remain confidential, I can say the Administration's guidance remains 
the same.

    19. Senator Kaine. Secretary Norquist, In your October 22, 2019, 
letter to Daniel Levin, the counsel for Ms. Laura Cooper, you provided 
the Administration's direction stating that Executive Branch personnel 
``cannot participate in the impeachment inquiry'' and that even if 
issued a Congressional subpoena to compel their appearance and 
testimony that the Supreme Court Ruling in United States v. Rumely, 345 
U.S. 41 (1953) held ``that a person cannot be sanctioned for refusing 
to comply with a congressional subpoena unauthorized by a House Rule or 
Resolution.'' Did the White House draft this letter?
    Secretary Norquist. On October 22, 2019, I wrote Ms. Cooper's 
personal counsel to inform him of the Administration-wide direction 
that Executive Branch personnel cannot participate in the impeachment 
inquiry under the circumstances. To answer your question, respectfully, 
interagency communications remain confidential.

    20. Senator Kaine. Secretary Norquist, In your October 22, 2019, 
letter to Daniel Levin, the counsel for Ms. Laura Cooper, you provided 
the Administration's direction stating that Executive Branch personnel 
``cannot participate in the impeachment inquiry'' and that even if 
issued a Congressional subpoena to compel an appearance and testimony 
that the Supreme Court Ruling in United States v. Rumely, 345 U.S. 41 
(1953) held ``that a person cannot be sanctioned for refusing to comply 
with a congressional subpoena unauthorized by a House Rule or 
Resolution.'' Are other Departments of the Executive Branch providing 
similar, or identical, letters to witnesses requested in the 
impeachment inquiry?
    Secretary Norquist. I respectfully refer you to the other 
Departments you are referencing.

    21. Senator Kaine. Secretary Norquist, In your October 22, 2019, 
letter to Daniel Levin, the counsel for Ms. Laura Cooper, you provided 
the Administration's direction stating that Executive Branch personnel 
``cannot participate in the impeachment inquiry'' and that even if 
issued a Congressional subpoena to compel an appearance and testimony 
that the Supreme Court Ruling in United States v. Rumely, 345 U.S. 41 
(1953) held ``that a person cannot be sanctioned for refusing to comply 
with a congressional subpoena unauthorized by a House Rule or 
Resolution.'' Why did you fail to state that witnesses who did comply 
with the House impeachment inquiry, voluntarily or under subpoena, 
would not be discouraged or subjected to adverse administrative action?
    Secretary Norquist. The Department will not tolerate any unlawful 
act of retaliation or reprisal against DOD personnel who have 
participated in the House impeachment inquiry.

    22. Senator Kaine. Secretary Norquist, in your October 22, 2019, 
letter to Daniel Levin, the counsel for Ms. Laura Cooper, you provided 
the Administration's direction stating that Executive Branch personnel 
``cannot participate in the impeachment inquiry'' and that even if 
issued a Congressional subpoena to compel an appearance and testimony 
that the Supreme Court Ruling in United States v. Rumely, 345 U.S. 41 
(1953) held ``that a person cannot be sanctioned for refusing to comply 
with a congressional subpoena unauthorized by a House Rule or 
Resolution.'' Will witnesses to participate with the House impeachment 
inquiry, voluntarily or under subpoena, be subjected to retaliation or 
adverse administrative action?
    Secretary Norquist. The Department will not tolerate any unlawful 
act of retaliation or reprisal against DOD personnel who have 
participated in the House impeachment inquiry. Pursuant to the No FEAR 
Act, all personnel are informed of the rights and protections available 
to them under Federal antidiscrimination and whistleblower protection 
laws. New employees receive No FEAR Act training within 90 calendar 
days of their appointment to service. Further, all employees are 
required to complete refresher training every two years to ensure 
continued understanding of their rights and responsibilities.
                 resources to respond to audit findings
    23. Senator Kaine. Secretary Norquist, the recent audit found a 
number of deficiencies in DOD accounting practices, including with 
respect to controlling access to informational technology (IT) systems, 
inappropriate accounting for inventory on military installations, and 
lack of supporting documentation for many transactions. The military 
services have many competing budgetary priorities, when the fiscal year 
2021 budget request is delivered to the Hill, can you commit to 
providing this committee a list and accounting of the unfunded or 
underfunded activities that would address and close the findings and 
recommendations of the audit?
    Secretary Norquist. Yes, I will commit to providing the committee 
with a list of unfunded or underfunded activities that would help 
address open audit findings.
    Specific to the Services, there were fiscal year 2020 congressional 
marks related to business systems modernization efforts for fiscal year 
2020 that will impede progress towards an audit opinion. For example, 
the Department of the Navy enacted funding reduction to Information 
Technology Development totaled $123.6 million, including a $61.7 
million cut to the Navy's new integrated military pay and personnel 
system (NP2). The Air Force integrated personnel and pay system (IPPS) 
was zeroed out by $20 million in the marks. These types of 
congressional marks negatively impact the financial statement audit.
    Details related to the marks are included in Appendix A on page 47.
          metrics to ascertain progress towards a clean audit
    24. Senator Kaine. Secretary Norquist, DOD has been under a mandate 
to achieve a clean audit since the passage of the 1990 Chief Financial 
Officers Act. We are closer now than we have ever been, but the path 
forward is still unclear. What specific metrics should we be tracking 
to see that forward progress is being made on the path to the clean 
audit and that we are not backsliding or losing momentum?
    Secretary Norquist. Maintaining consistent and continued audit 
progress is a priority for the Department. Our leadership team is 
tracking a broad array of metrics to monitor and measure that include 
but are not limited to:

      The number of material weaknesses that were validated by 
external auditors as fully resolved or downgraded in the current fiscal 
year over prior fiscal years,
      Progression of audit opinions from disclaimer to modified 
and/or unmodified,
      The total number of open audit notices of findings and 
recommendations (NFRs) for the most recent fiscal year and the 
preceding two fiscal years,
      The number of repeat or reissued NFRs from the most 
recent fiscal year (trends), and
      The number of closed NFRs in the current fiscal year and 
prior fiscal years.

    The Department's NFR Database consolidates and tracks the status of 
NFRs from the DOD consolidated audit as well as Component audits and 
examinations. The database encourages accountability and transparency 
as it provides visibility of issued findings for the entire DOD 
community. As part of complying with the fiscal year 2020 National 
Defense Authorization Act (NDAA), we will provide you and your staff 
information relating to these metrics.
                               __________
               Questions Submitted by Senator Doug Jones
                         response to gao audits
    25. Senator Jones. Secretary Norquist, in a memorandum to Agency 
General Counsels dated November 5, 2019, entitled ``Reminder Regarding 
Non-Binding Nature of GAO Opinions,'' the Office of Management and 
Budget General Counsel Mark Paoletta advised that ``an Executive Branch 
agency is under no obligation to report an action it has determined 
does not constitute an Anti-deficiency Act (ADA) violation,'' despite a 
finding by the Government Accountability Office (GAO) that the agency 
has committed an ADA violation. This I believe to be a change in 
practice, and I'm concerned that it will have a negative impact on 
Congressional oversight. What guidance have you received about 
implementing this ``reminder'' and what is the Department of Defense's 
plan for reporting findings by the GAO or the Department of ADA 
violations in the future?
    Secretary Norquist. The Department of Defense (DOD) intends to 
follow the guidance set forth in OMB Circular A-11, as explained by the 
Office of Management and Budget (OMB) General Counsel. Specifically, in 
cases where DOD, after consultation with OMB, agrees with the 
Government Accountability Office (GAO) that an Anti-deficiency Act 
(ADA) violation has occurred, the Department will report the violation.
    In cases where DOD does not agree, after consultation with OMB, 
with the GAO's finding that an ADA violation occurred, the Department 
will exercise its discretion, on a case-by-case basis, as to whether to 
report or otherwise communicate with GAO and Congress on the matter. I 
understand that, over the past 10 years, there has been only one 
instance where the GAO determined that DOD violated the ADA, contrary 
to the Department's conclusion that no violation had occurred. In that 
case, the OGC conducted a short fact-finding inquiry and prepared a 
written opinion that was forwarded to GAO and OMB explaining its 
conclusion that the ADA had not been violated.

                           Appendix A

         details related to the service fiscal year 2020 marks
Air Force:
    For AF related to unfunded and underfunded requirements, primary 
concerns is to minimize impact to findings remediation related to IT 
corrective actions. Reference, the discussion on marks against 
programs. AF IPPS was zeroed out ($20M) in the marks. The major audit 
issues in MIL Pay require transformation and integration of pay and 
entitlements. AF needs support to minimize impacts to IT fixes and 
avoid delays with business systems reform in support of audit.
Navy:
    The Department of the Navy (DON) has a prioritized strategy to 
consolidate systems, improve business processes, and financial 
reporting--with the goal of an expedited favorable audit opinion. This 
Department-wide undertaking was adequately funded in the President's 
Budget for fiscal year 2020 and throughout upcoming budget years. 
However, the Appropriations Act for fiscal year 2020 signed in December 
reduced the funding for several crucial priorities. The marks focused 
on business systems modernization efforts, a linchpin in DON's plan. 
These reductions will significantly delay plans to streamline business 
operations and implement automated controls necessary for audit 
compliance. The marks will impede DON's progress toward an audit 
opinion.
    Enacted funding reduction to Information Technology Development 
totaled $123.6 million. This mark in part included the following major 
audit-related initiatives:

      $61.7 million cut to the Navy's new integrated military 
pay and personnel system (NP2);
      $14.8 million reduction to the planned ships/subs 
enterprise maintenance solution (NMMES-TR);
      $11.9 million cut to a new Departmental contract-writing 
system (ePS), which will integrate buying with accounting and contract 
payments; and
      $3.2 million reduction for the Naval Operation Supply 
System (NOSS), which will integrate requisitioning, inventory, and 
logistics services.

    In addition to the above marks, Enterprise Information Technology 
was given a $10 million Congressional mark, comprising in part the 
modernization to DON's target accounting system (Navy ERP) and to the 
primary civilian time and attendance system (SLDCADA). Congress also 
marked an Operations and Maintenance, Navy, account (4A1M) by $15 
million; this account contains funding for audit-related business 
process improvements.
    The Marine Corps' goal is to achieve a modified/qualified audit 
opinion on its financial statements in fiscal year 2020. In order to 
meet this goal in fiscal year 2020, the Marine Corps identified $44 
million in requirements that are unfunded or underfunded. Funding these 
requirements would speed the Marine Corps' progress toward a modified/
qualified opinion. Half of the amount would provide for government 
employees and vendor personnel to correct deficiencies and respond to 
auditors; the other half would improve inventory management systems. 
DON leaders are analyzing options to mitigate this funding gap.

                           Appendix B

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                 [all]