Following the long-awaited passage of the Cybersecurity and Infrastructure Security Agency (CISA) Act in the Senate, the head of the organization set to be elevated as the nation’s official cybersecurity agency expressed his satisfaction at how congressional approval of a simple name change will reinforce the authority of the Federal government’s lead organization in cyberspace.
“First and foremost, it means only about four more weeks do I have to go by the incomprehensible and unpronounceable National Protection and Programs Directorate (NPPD),” Christopher Krebs, the Department of Homeland Security (DHS) under secretary for NPPD, said today at an event organized by GovernmentCIO Media.
Under the legislation, Krebs would be named the director of the newly enshrined agency. He has for some time noted how the cumbersome NPPD label has distracted many–partners, recruits, and the like–from recognizing the congressionally-established authorities NPPD already has, as the Federal lead on critical infrastructure and cyber protection.
The CISA Act doesn’t grant NPPD any additional authorities–Congress has already made it the leader in Federal cyber, requiring Senate confirmation for Krebs’ position. Still, the bill took years to reach this point, despite DHS Secretary Nielsen and Vice President Pence pressing for its passage in the Senate.
“It clarifies and clearly signifies mission. So when I go out there and my team goes out there engaging stakeholders, principally the private sector and critical infrastructure community, it makes the icebreaker that much easier,” Krebs said of the bill. “Instead it’s, ‘Hey, we’re DHS and we’re the national cybersecurity agency,’ effectively.”
Krebs said that the bill–which must be sent back to the House to reconcile new Senate amendments before it becomes law–is “going to help out significantly in terms of recruiting.”
“Probably most importantly, it streamlines the organization,” Krebs said. He explained that upon NPPD’s establishment in 2007, the organization was essentially a “conglomeration of disparate security programs within DHS that didn’t fit neatly within TSA, or FEMA, or other established legacy agencies.”
“In terms of mission, they didn’t actually directly align,” Krebs said. “So over time as the threat landscape, particularly from a cybersecurity perspective, has evolved, and the Department’s role has been clarified and strengthened by Congress, it really became clear that the Department needed a single voice, a single agency or organization who was able to carry out the Secretary’s critical infrastructure protection and cybersecurity authorities.”
Krebs indicated that there will also be further realignment before CISA can be operationalized. Current NPPD offices that don’t fit within the core CISA mission will be transitioned out. Those include the Office of Biometric Identity Management, which will shift to DHS’ Management Directorate, and the Federal Protective Service, which will also have an “offramp or transition process,” he said.
“Lots more to do, in terms of transitioning and getting to full operational capability, but that one, right-out-the-gate, getting the name change, is just so critical for the organization,” Krebs added.