Why Is the CISA Move a Good Thing?

On November 16, 2018, Department of Homeland Security Secretary Kirstjen M. Nielsen announced that the National Protection and Programs Directorate (NPPD) will be formally renamed as the Cybersecurity and Infrastructure Agency (CISA) and elevated to an operational agency within the Department.

What does this mean, what does it change, and what should the security industry expect?

Up until this announcement, many felt the mission of NPPD was unclear to the public and even to those in the Federal Government due to its unusual position as a subordinate directorate within the Management Directorate of DHS. With the implementation of HR 3359, the CISA Act, CISA is now a full Component within the DHS organization, responsible for cybersecurity across the private and public sectors.

In large part, this can be thought of as a rebranding. The mission of CISA remains the same; however, the CISA Act focuses the name of the organization on the work actually performed. At the same time, raising CISA to the level of a full DHS Component puts it on equal footing with the Science and Technology (S&T) Directorate, with whom the prior NPPD has had a quiet internal competition. Some experts have pointed to the attention given to S&T while NPPD sat under the Management Directorate. By putting CISA at the same level, the two Components will have the same budgetary and mission clout as other DHS components, improving their ability to pursue emerging threats and solutions.

What doesn’t change?

First is their mission: CISA remains the outward-focused security agency of DHS, providing security advice and assistance across Federal agencies, State and Local Government, and private industry. With the rise in cyber-crime and threats from various nation-states or terrorist organizations, the mission of CISA remains to protect National Infrastructure, Emergency Communications, and Cybersecurity resources.

Second is their affiliation with DHS. Some had speculated that CISA would be given an elevation parallel to the Department of Homeland Security, but that did not happen. CISA remains a key Component within DHS and will continue to interact and coordinate with both S&T and the DHS HQ Information Security Office, where Dr. John Zangardi (CIO) and Paul Beckman (CISO) set the tone for IT and IT Security across the Department.

Third is their responsibility for interagency collaboration. As stated by Assistant Secretary Jeanette Manfra for the House Subcommittee on Cybersecurity and Infrastructure Protection (November 14, 2018), the work already in place in offices like the National Cybersecurity and Communications Integration Center (NCCIC) was highlighted as a great success by the agency. Their response capability to threats such as the North Korean “WannaCry” or the Russian “NotPetya” will only be strengthened in the wake of the CISA Act.

In addition, this move strengthens CISA’s ability to work closely with both the FBI and Department of Defense on rapid response to emerging threats. While DoD remains focused on preserving the warfighting posture, they will continue to work with CISA to support their “Defend Forward” operations to ensure DHS can anticipate adversary action and protect national cybersecurity, critical infrastructure and emergency communications.

What does change?

The Office of Biometric Identity Management (OBIM) will be pulled out of CISA and reassigned within DHS HQ Management Directorate. Typically a more inward-facing mission to provide and protect biometric data to facilitate travel, trade and immigration, OBIM as a “Line of Business” fits readily into the Headquarters Mission.

The big change is what some might call “command emphasis” on Cybersecurity. The change represents an Executive focus and emphasis on not just physical threats to national security, but the rapidly increasing and ever-changing threats to an increasingly computerized economy. Where cybersecurity was once just a footnote in security programs across the Federal Government, even buried within the Financial offices of private industry, this marks a milestone when Cybersecurity emerges into the spotlight as a critical mission.

Since 2015, DHS has had the authority to hire 1,000 new cybersecurity professionals. A large portion of those positions went to the former NPPD with an added “cyber pay” incentive for employees. According to a bullet in a recent DHS fact sheet, part of the hope with the new name is that it will help in recruiting top cybersecurity talent. The focus on building the cybersecurity workforce within DHS and CISA, specifically, supports the ever-rising national attention on cybersecurity issues. 

About the authors: Todd Skiles and Kim Vance are Senior CyberSecurity Program Managers with SE Solutions. Todd provides cybersecurity governance and assessment support to DHS with a focus on continuous process improvement. Ms. Vance leads an emerging technology governance team in support of National Security Systems, and has previously worked with NPPD CS&C in cybersecurity awareness. Opinions expressed in this article are the authors’ own.