The potential reorganization of the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) is the latest step in DHS’s organizational evolution and was the subject of a hearing Wednesday by the House Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
In 2003, Congress’ investigative branch, the Government Accountability Office (GAO) “designated implementing and transforming DHS as high risk because DHS had to transform 22 agencies — several with major management challenges — into one department.”
“The overriding tenet has consistently remained DHS’s ability to build a single, cohesive and effective department that is greater than the sum of its parts — a goal that requires effective collaboration and integration of its various components and management functions,” Chris P. Currie, director of GAO’s Emergency Management National Preparedness and Critical Infrastructure Protection Homeland Security and Justice Team, told the subcommittee.
Currie said, “This statement describes key factors for consideration in a NPPD reorganization. It includes observations from GAO’s prior work on organizational change, reorganization and transformation, applicable themes from GAO’s high risk list and NPPD related areas from GAO’s work in assessing programmatic duplication, overlap and fragmentation.”
Currie’s testimony was based on reports GAO issued from 2003 through 2015.
“Specifically,” GAO previously reported, “safeguarding the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is a continuing concern cited in GAO’s 2015 High Risk Series Update report. Given the National Protection and Programs Directorate’s current cybersecurity activities, addressing these concerns in any reorganization effort would be critical.”
“For example,” GAO disclosed in its audit report, “NPPD conducts analysis of cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the nation’s critical infrastructure. Sustained attention to this function is vitally important.”
GAO also identified “areas where agencies may be able to achieve greater efficiency or effectiveness by reducing programmatic duplication, overlap and fragmentation.”
Since 2011, Currie said GAO “has reported annually on this topic,” and that, “Several of its findings in the reports relate to DHS and NPPD activities. For example, in 2015, GAO reiterated a September 2014 recommendation that DHS should mitigate potential duplication or gaps by consistently capturing and maintaining data from overlapping vulnerability assessments of critical infrastructure and improving data sharing and coordination among the offices and components involved with these assessments, of which NPPD is one.”
DHS agreed with the recommendation that attention to potential programmatic overlap, duplication and fragmentation during an NPPD reorganization could improve the agency’s overall efficiency.
NPPD is vital to DHS’s mission because it’s responsible for addressing physical and cyber infrastructure protection – “a mission area of critical importance in today’s threat environment,” Currie said, noting that, “Critical infrastructure owners and operators continue to experience increasingly sophisticated cyber intrusions and a ‘cyber-physical convergence’ has changed the risks to critical infrastructure ranging from energy and transportation to agriculture and health care, according to a DHS strategic review.”
“Given the importance of the mission and the evolving risks to critical infrastructure, NPPD must transition to an operational focus that fully leverages the combined expertise, skills, information and relationships throughout DHS,” said NPPD Under Secretary Suzanne Spaulding; Deputy Under Secretary Dr. Ronald J. Clark and Deputy Under Secretary for Cybersecurity and Communications in joint testimony.
To transform NPPD to meet this vision, they told the subcommittee that, “DHS is proposing a transformation that will achieve three key priorities: Greater unity of effort across the organization, particularly across cyber and physical threats, vulnerabilities, consequences and mitigation; enhanced operational activity; and excellence in acquisition program management and other mission support functions. This transformation includes restructuring the organization; cultural, governance and process changes; further cementing the organization as an operational component within the department; and changing our name to better reflect our mission.”
Consequently, they told the subcommittee, “DHS is proposing changes in the structure of the organization to enable enhancements in operations. In the new structure, operations would be carried out through three interconnected, operational directorates,” which “will allow for focused operations with the necessary coordination to ensure our operations mitigate risk in a holistic, comprehensive manner.”
“The first directorate, Infrastructure Security, will focus on activities to protect the nation’s infrastructure from cyber and physical risks by working with private and public sector owners and operators to build the capacity to assess and manage these risks,” the NPPD officials said in their joint statement to the subcommittee. “Through regionally-based field operations — to include the Protective Security Advisors, Cyber Security Advisors, Regional Emergency Communications Coordinators and the Chemical Security Inspectors — Infrastructure Security will deliver training, technical assistance and assessments directly to stakeholders to enable these owners and operators to increase security and resilience. This includes working with facilities that are often identified as soft targets because of their open access. The foundation of Infrastructure Security will include existing programs within the Office of Cybersecurity and Communications, including the Office of Emergency Communications, the Cyber Security Advisor program and the Critical Infrastructure Cyber Community (C³) Voluntary Program.”
“In addition,” they told the subcommittee, “Infrastructure Security will include programs currently within the Office of Infrastructure Protection, including the Protective Security Advisor program and the Chemical Facility Anti-Terrorism Standards program. It will also execute the Sector Specific Agency responsibilities for nine sectors and serve as the national coordinator for the remaining sectors.”
The second operational directorate will focus on cyber-specific operations and DHS’s responsibility to mitigate and respond to cyber threats to information technology communication assets, networks and systems.
“Through an enhanced and elevated NCCIC [National Cybersecurity & Communications Integration Center], we would execute cyber-specific protection, prevention, mitigation, incident response and recovery operations for private and public sector partners, including protection of federal networks,” the officials stated, noting that, “The focus on this area of operational activity will ensure DHS is able to respond to malicious cyber activity at the speed demanded by the rapidly evolving threat, while closely aligning pre-incident prevention and protection with incident detection, response and recovery.”
“The NCCIC,” they continued, “will also collaborate with the other two operational directorates to ensure cyber operations and expertise support, and benefit from, the operational activity of those protecting federal facilities and building capacity with public and private-sector stakeholders.”
The third operational directorate, the Federal Protective Service (FPS), would continue to focus on the direct protection of all federal facilities and those who work in and visit them “through integrated law enforcement and security operations.” It will also “increase its focus on protecting cybersecurity aspects of federal facilities in coordination with the NCCIC.”
In addition, FPS will be in position to “better integrate its field operations with field forces in Infrastructure Security to enable comprehensive security and resilience for our stakeholders, as well as co-locate incident management support with the combined watch functions of the NCCIC and the National Infrastructure Coordinating Center to gain efficiencies and improve situational awareness.”
“Safeguarding the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is a continuing concern cited in our 2015 High Risk Series Update,” GAO’s Currie told the panel. “Given NPPD’s current cybersecurity activities, addressing these concerns in any reorganization effort would be critical. For example, NPPD conducts analysis of cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the nation’s critical infrastructure. Sustained attention to this function is vitally important.”
Currie said, “In our 2015 High-Risk Series Update report, we note that to address the substantial cyber critical infrastructure risks facing the nation, executive branch agencies, in particular DHS, need to continue to enhance their cyber analytical and technical capabilities (including capabilities to address federal cross-agency priorities), expand oversight of federal agencies’ implementation of information security and demonstrate progress in strengthening the effectiveness of public-private sector partnerships in securing cyber critical infrastructures.”