DHS cyber reorg bill passes House

A reorganization of the Department of Homeland Security's cyber shop is one step closer to reality after the House passed a bill by voice vote Dec. 11.

The legislation, Cybersecurity and Infrastructure Security Agency Act of 2017, would rename the National Protection and Programs Directorate and bind the department's cyber and physical security missions and create new director-level position at the agency that reports directly to the DHS secretary.

The bill could also empower the DHS secretary to more freely make changes within the agency around procurement, human resources and organizational structure, according to a DHS official with knowledge of NPPD operations.

Rep. Michael McCaul (R-Texas), the bill’s sponsor and chair of the House Homeland Security committee, said the legislation would help achieve a long-held goal of former and current DHS officials to create a stand-alone operational organization around cyber and infrastructure security.

“It's an opportunity we have today to elevate the importance of cybersecurity at the Department of Homeland Security, to achieve its goal of protecting the United States,” McCaul said Dec. 11 on the House floor.

In a prepared statement, DHS Secretary Kirstjen Nielsen commended the House for pushing through the legislation and urged the Senate to do the same.

“As the threat landscape shifts and becomes more complex, our approach to security must evolve,” Nielsen said.

Beyond the name change, the bill is expected to make it easier to reorganize the structure of the agency. Currently, the NPPD functions as a headquarters component within DHS, meaning it requires congressional approval before reallocating funds or resources. The bill would place these authorities more directly under the control of the DHS secretary as long as he or she certifies changes to Congress 60 days in advance.

Rep. Jim Langevin (D-R.I.) took to the House floor saying he hoped the bill’s passage "helps make crystal clear that DHS is the primary agency for domestic cybersecurity in peacetime."

"Despite it being notionally a headquarters component, NPPD is home to the government's premiere cyber incident response teams; the 24/7 watch floor and information sharing hub; and the Federal Network Resilience Division tasked with supporting other agencies in defending their networks," Langevin said. The bill "recognizes that these activities go far beyond NPPD's original mission and raises the renamed component to an agency on par with Customs and Border Protection or the [Transportation Security Administration]."

DHS officials have been pushing for the move for years, but legislation has languished on Capitol Hill over the past year as various congressional committees wrangled over jurisdiction.

Suzanne Spaulding, former undersecretary of NPPD, was one of the earliest proponents of reorganizing the office. She told FCW that the push to achieve greater unity between the agency’s cyber and infrastructure missions was in part an outgrowth of efforts to convince private-sector companies to better integrate their own cyber components. If DHS was going to advise others to look at these issues more holistically, she said, it probably made sense for it to do the same.

"What I pushed for, and what we were working every day to accomplish at NPPD, was to not have cybersecurity in a technology stovepipe off to the side, separate and apart from the rest of the critical infrastructure protection mission," Spaulding said.

She said NPPD's original designation as a headquarters component was an anachronism that stemmed from its early days as a small office with approximately 400 employees. Today, she said NPPD encompasses more than 3,000 federal workers and another 18,000 contractors and has increasingly taken on operational components around cyber and infrastructure security that necessitate more autonomy.

“It certainly will strengthen DHS' profile or presence in the interagency [process] and with regards to its stakeholders, particularly for cybersecurity but also its overall critical infrastructure mission," said Spaulding.

Spaulding also said that while it may seem unimportant, renaming the agency to clearly communicate its core missions to outside stakeholders may be one of the biggest impacts of the legislation.

“I actually think it will make a significant difference to have both our workforce and the stakeholders across government and out across the private sector see a name for the organization they work with that reflects that mission,” Spaulding said.

The bill still needs to be passed in the Senate and signed by the president to become law.