DHS Cybersecurity Agency Could Get a New Name and a RevampNational Protection and Programs Directorate Title Fails to Describe Its Purpose
What does the title National Protection and Programs Directorate mean to you? It's not so clear, unless you are familiar with the organizational chart of the U.S. Department of Homeland Security.
When John Kelly became DHS secretary in January, the now White House chief of staff couldn't answer that question after reviewing the department's organizational chart. "What is that? I don't know what that is. I don't know what it means. We've got to fix that," Christopher Krebs, the acting head of the National Protection and Programs Directorate, or NPPD, quoted Kelly at the ISMG Breach Prevention Summit in Washington earlier this year.
"What is that? I don't know what that is. I don't know what it means. We've got to fix that."
Does calling it the Cybersecurity and Infrastructure Security Agency make more sense? It does to the House of Representatives.
With no objections, the House on Monday passed by a voice vote the Cybersecurity and Infrastructure Security Agency Act of 2017, or HR 3359, to rename the National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency and reconfigure it.
Getting the Jargon Right
The name change is more than symbolic. "By authorizing the Cybersecurity and Infrastructure Security Agency within DHS, this bill establishes the structure, the nomenclature and the flexibility to best serve the American people," Rep. John Ratcliffe, R-Texas, a bill co-sponsor who chairs the House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee, said during House debate on the measure.
One of NPPD's most significant missions is to oversee cybersecurity among federal government civilian agencies - the .gov domain - and to coordinate IT security initiatives with other entities, such as state, local, tribal and territorial governments as well as the private sector, including the operators of the nation's critical infrastructure.
Renaming NPPD would "better communicate its mission to stakeholders, agency partners and the cyber talent DHS needs to come work in the federal government," said Rep. Nanette Diaz Barragán, D-Calif., the Democrats' floor manager for the bill. "Make no mistake, these are not mere administrative or bureaucratic changes. HR 3359 would transform NPPD into an operational agency on par with TSA or Customs and Border Protection." The Transportation Security Administration and Customers and Border Protection also reside within DHS.
NPPD Established in 2007
Cybersecurity has been part of DHS's mission since it was formed by merging 22 federal agencies in 2003, but NPPD didn't come into existence until Congress enacted a law reorganizing parts of DHS in 2007.
Besides giving NPPD a new name, the bill would:
- Designate the agency's leader as director - rather than an undersecretary - who would report directly to the departmental secretary;
- Establish the post of deputy director - now known as deputy undersecretary - to assist the director in managing the agency;
- Create three divisions - cybersecurity, infrastructure security and emergency communications - with each headed by an assistant director, whose rank would be equivalent of an assistant secretary; and
- Transfer NPPD's Office of Biometric Identity Management to the department's Management Directorate and Federal Protective Service to another DHS component that the secretary determines would be appropriate.
The measure also would codify many of the cybersecurity and infrastructure protection responsibilities of NPPD.
The bill has been a priority for several years for its chief sponsor, House Homeland Security Chairman Michael McCaul, R-Texas. "This realignment will achieve DHS's goal of creating a stand-alone operational organization, focusing on and elevating the vital cybersecurity mission of the department," McCaul said on the House floor.
McCaul introduced similar legislation in the last Congress. That bill stalled over jurisdictional disputes with other committee chairmen whose panels also provide cybersecurity oversight. This time, the bill was referred to the other committees, including the Energy and Commerce and Transportation and Infrastructure committees, but the Homeland Security Committee was the only panel to approve the bill.
Kirstjen Nielsen, the new DHS secretary, praised the House for passing the bill and urged the Senate to do the same. "As the threat landscape shifts and becomes more complex, our approach to security must evolve," she said in a statement.
The bill will now be assigned to the Senate Homeland Security and Governmental Affairs Committee, but it's leaders have been mute on if or when it would take it up.
Over the years, it's been commonplace for the House to pass significant cybersecurity legislation that then dies in the Senate. Ultimately, the Senate usually gets around to enacting vital House-passed cybersecurity measures, though it can take years. With other pressing matters - passing a budget and a tax bill, for instance - don't count on any Senate action this year on the DHS cybersecurity bill. But the Senate could vote on the bill in 2018. Remember, the current 115th Congress continues through next December.
Eventually, the DHS agency responsible for cybersecurity will likely carry a name that better reflects its mission.