The House late Tuesday approved long-pending legislation that authorizes the Department of Homeland Security to reorganize its existing National Protection and Programs Directorate (NPPD) in order to create a new component agency–the Cybersecurity and Infrastructure Security Agency–within DHS.
The Senate approved the bill–the Cybersecurity and Infrastructure Security Agency Act (CISA Act)–in early October but included some amendments to the measure. The House, which had okayed the bill in late 2017, took action yesterday to approve the Senate amendments, and the bill now awaits President Trump’s signature.
The new CISA agency will have responsibility for leading cybersecurity and critical infrastructure security programs, coordinating a national critical infrastructure security effort, and coordinating with other agencies, among other mandates.
As a separate component agency of DHS, CISA likely will enjoy a higher profile in DHS management and budgeting efforts, and its name will better reflect the agency’s mission. The NPPD moniker had drawn complaints from DHS officials since the Obama administration as a source of confusion about mission.
Christopher Krebs, who is now DHS under secretary for NPPD, will head CISA.
Following Senate approval of the CISA Act last month, Krebs said he was looking forward to the structural change for the “incomprehensible and unpronounceable National Protection and Programs Directorate.” He and other DHS officials have long complained how the NPPD label has distracted many–partners, recruits, and the like–from recognizing the congressionally-established authorities NPPD already has, as the Federal lead on critical infrastructure and cyber protection.
Krebs said in October that current NPPD offices that don’t fit within the core CISA mission will be transitioned out. Those include the Office of Biometric Identity Management, which will shift to DHS’ Management Directorate, and the Federal Protective Service, which will also have an “offramp or transition process,” he said.
“Lots more to do, in terms of transitioning and getting to full operational capability, but that one, right-out-the-gate, getting the name change, is just so critical for the organization,” he said.
Commenting Tuesday evening on House approval of the CISA Act, Krebs said it “represents real progress in the national effort to improve our collective efforts in cybersecurity.” He continued, “Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms. The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”
“Today’s vote is a significant step to stand up a federal government cybersecurity agency,” said DHS Secretary Kirstjen Nielsen in a statement. “The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical. It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”