DHS's Cybersecurity Restructuring Plan Reflects Uncertainty and Optimism

The concept of integrating of federal cyber and physical security efforts and reorganizing the National Protection and Programs Directorate (NPPD) – DHS’s lead cybersecurity agency – was raised to Congress last October by NPPD Undersecretary Suzanne Spaulding. The reorganization plan was presented to Congress back in March and a copy of it was picked up by the Lawfare Institute and further publicized by Federal Computer Week.

If enacted as planned, the transition would designate NPPD as an operational component within DHS, change its name to the Cyber and Infrastructure Protection Agency (CIPA), and realign the component’s programs and functions. The plan would also empower the National Cybersecurity and Communications Integration Center (NCCIC) – NPPD’s around-the-clock hub for analyzing and disseminating cyber threat information – by giving it in its own federal office and aligning it with two of the largest-budgeted DHS cybersecurity programs: EINSTEIN and Continuous Diagnostics and Mitigation (CMD).

The plan gained traction in June when the Cybersecurity and Infrastructure Protection Agency Act of 2016 was introduced in the House. The bill would authorize the new CIPA with four component divisions: cybersecurity, infrastructure protection, emergency communication, and the federal protective service.

The complexity and far-reaching impacts of the task at hand is reflected in the variety of House committees to which the bill was referred for consideration, given that provisions in the bill fall within the jurisdiction of so many committees. In addition to the Committee on Homeland Security, CIPA was sent to the Committees on Energy and Commerce, Oversight and Government Reform, and Transportation and Infrastructure.

While not much official movement on CIPA has occurred, the White House has begun making some supporting adjustments to existing federal cyber policy. In July, The White House released Presidential Policy Directive 41 (PPD-41) on United States Cyber Incident Coordination that delineated the roles of the Department of Homeland Security, the Department of Justice, and the Office of the Director of National Intelligence in responding to significant cyber incidents. The directive also laid out the three concurrent lines of effort – threat response, asset response, and intelligence support – that agencies will take in responding to a cyber incident. In addition agencies directly affected by an incident will take on a fourth concurrent line of effort to manage the effects of the cyber incident on its operations, customers, and workforce.

As autumn fast approaches and much of Washington turns its attention to presidential and Congressional elections, the future of the current CIPA bill remains uncertain as to whether it will move forward in the final session of the current Congress. Nonetheless, proponents remain optimistic that the reorg and collaboration could still come to fruition, even if not until a new administration and Congress.