DHS Officials Commit to Seeking Congress' Approval of Reorganization of Cybersecurity-Centric Division

NPPD reorganization must “be done in full collaboration with Congress” and House Homeland Security, said Chairman Michael McCaul, R-Texas. DHS and House Homeland Security have collaborated effectively in the past and the committee's members remain “perhaps your biggest advocates” in the House, McCaul said. Multiple House Homeland Security members are “very disappointed to find out about this proposal through leaked reports in the media” and are frustrated that DHS has been reluctant to provide more than “minimal details of the reorganization” via briefings and other subsequent information requests, Ratcliffe said. House Homeland Security members had also been told that DHS leadership “had planned to move forward unilaterally” on aspects of the NPPD reorganization without seeking congressional approval, Ratcliffe said. House Cybersecurity ranking member Cedric Richmond, D-La., said he's also “disappointed that we had to get here the way that we got here” because of a “lack of communication” from DHS. “What I hope it's not is dismissing our role” in protecting U.S. citizens' cybersecurity, he said.

The House passed Richmond's DHS Cybersecurity Strategy Act (HR-3510) Tuesday on a voice vote. The bill, drafted in response to House Homeland Security's concerns about how DHS was conducting its NPPD reorganization planning, would require the department to submit that plan and its cybersecurity strategy to Congress. The bill would also mandate that DHS be the hub for federal and civilian cybersecurity information sharing, and require that the department be the main federal provider of technical assistance to entities that suffer data breaches (see 1509300065).

McCaul urged the Senate Wednesday to factor in provisions from HR-3510 and the House-passed Protecting Cyber Networks Act (HR-1560) cybersecurity information sharing bill in its consideration of the controversial Cybersecurity Information Sharing Act (S-754). That bill is expected to return to the Senate floor after next week's recess following months of negotiations (see 1510060046). It would be “counterproductive” for the Senate not to account for House-passed cybersecurity legislation, McCaul said. “This has to be done right."

DHS had always planned to consult Congress on its NPPD reorganization plan and early work on the plan was “leaked prematurely to the media,” Spaulding said. DHS officials had met internally with department staff about the reorganization work but that “increased the number of people who have this information and who have the potential to go and talk to the press,” she said. Planners of NPPD reorganization hope to create three directorate subdivisions that will each handle a portions of NPPD's cybersecurity responsibility -- one focused on infrastructure protection, one on mitigating cyberthreats and one on direct protection of federal assets, Spaulding said. NPPD reorganization is likely to focus on streamlining the directorate's operations and increasing its operational efficiency, Spaulding said. The reorganization is likely to also include a name change, she said. “While that seems superficial, that will also help improve our morale by providing our workforce with a clear sense” of identity since NPPD's main focuses are cybersecurity and critical infrastructure protection, Spaulding said.

Congress and DHS will need to maintain an “effective working relationship” to make a NPPD reorganization work, said GAO Director-Homeland Security and Justice Team Chris Currie. Congressional oversight of the reorganization will ensure there is a counterbalance to DHS and the White House, he said. DHS must ensure the NPPD transformation involves establishing a coherent mission for the division and a key set of principles for the reorganized division's culture, Currie said. DHS leaders will need to drive the reorganization but should also collect feedback from NPPD employees, he said.