The Homeland Security Department’s National Protection and Programs Directorate (NPPD) says it’s asserted itself as the agency in charge when it comes to cybersecurity.
The agency says it has the congressional authorities it needs to protect federal civilian networks and work with the private sector to mitigate cyber threats, but it is looking for just one other thing.
Insight by ProPricer: Emily Murphy, former GSA administrator, and Angela Styles, former OFPP administrator, discuss what updates to the mentor-protégé program mean for small and large businesses.
NPPD is still seeking the authority to restructure and rename its organization as the Cybersecurity and Infrastructure Security Agency.
Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson (R-Wis.) said members had tried to include the NPPD renaming authority in the 2018 omnibus, but the measure didn’t make it into the final bill.
“I don’t know what the objection was,” he said Tuesday during a hearing on DHS’ work to mitigate cybersecurity risks. “That might indicate further, future problems in terms of lack of cooperation, coordination within the agencies, within the committees [and] within Congress.”
Johnson said he hoped he could push a vote on the DHS Reauthorization Act, which includes the NPPD renaming and restructuring, to the Senate floor. If not, Johnson said he’d find another solution.
“It’s hard sometimes maybe for people to understand why this is so important, but it is very hard to go out and try to market our organization, which is purely dependent upon voluntary partnerships in critical infrastructure with a name like the National Protection and Programs Directorate,” said Jeanette Manfra, assistant secretary for cybersecurity and communications at NPPD. “It’s also a morale issue for our workforce. They don’t have a name that reflects what they do.”
The Government Accountability Office, which went through its own name change back in 2000, said it understood NPPD’s concerns.
“I can personally speak to the fact that when I went out on recruiting efforts and trips, people would see ‘General Accounting Office’ and just keep walking by,” Greg Wilshusen, GAO’s director of information security issues, said. “I would have to go out there and tell them, no, we do much more than that. It really does have an impact if your name reflects your mission. It creates esprit de corps as well as helping to generate interest in your work.”
The Senate committee spent much of the hearing questioning whether NPPD and DHS had its arms around the nation’s cybersecurity threats, particularly those risks on state election systems. But members also expressed their frustration with the current jurisdictional challenges in overseeing the department.
DHS has more than 92 to 108 different congressional committees and subcommittees that have jurisdiction over the department. Sen. Heidi Heitkamp (D-N.D.) called DHS’ congressional jurisdiction “the most disruptive oversight process in government.”
“When something really bad happens, I can only imagine the scramble to assume who’s responsible for not making sure we had the resources and making sure that we weren’t on the ball,” she said. “We have to fix this.”
Committee members on both sides of the aisle said those jurisdictional challenges prevented them from getting important legislation — like the NPPD renaming and restructuring — off the ground.
Though Manfra acknowledged the frustration with oversight, she said NPPD is pleased with the authorities Congress has given the agency.
“For us, it’s really about how do we ensure we have the capacity and the capability to fully implement those authorities,” she said.
The cybersecurity workforce is one area where NPPD wants to devote more time and attention.
DHS is putting the finishing touches on a completely new personnel system for cybersecurity positions within the department.
“[We’re] completely rethinking the way we think about civilian service and really applying best in class concepts of how technology companies hire workforce,” Manfra added. “The way they’re implementing the authority is going to allow us to have a very different approach to our workforce. We are also trying to improve the stuff we can control. Does everybody need the highest level of security clearance? The answer is no, because that’s often the thing that can take the longest in the hiring process. Are we being better recruiters? We can’t just rely on a website and people to apply via the website. We have to be out there targeting our employees. We have to understand what workforce we want.”
A new bill from Sen. Gary Peters (D-Mich.) may also help DHS and NPPD improve recruitment and retention of its cyber professionals.
The Federal Cybersecurity Joint Duty Program Act would establish an integrated cybersecurity workforce that lets its employees rotate to other positions throughout government, similar to other programs in the Defense Department and intelligence community.
Manfra said she was interested in looking at the details but supported the broad concept.
“Generally, we’re trying to think differently about the federal cyber workforce,” she said. “We can’t meet the demands in the current model, and I absolutely think being able to rotate personnel through agencies under DHS’ oversight … is something we’d be very willing to continue talking to you about.”
The program may also help the department bring more consistency in training for its federal cyber professionals, Manfra said, which is another priority for DHS.
DHS can currently conduct inter-agency rotations, but its employees can’t move back-and-forth to other departments.