The House on Tuesday evening unanimously approved a bill to change the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) to the Cybersecurity and Infrastructure Security Agency (CISA), a name change several years in the making that recognizes the mission and operational role the directorate has in helping to safeguard the nation’s critical infrastructures and networks from cyber and physical threats.

The Cybersecurity and Infrastructure Security Agency Act (H.R. 3359) passed the Senate in October and now awaits the signature of President Trump to go into effect. The bill has broad bipartisan support and was sought by the Obama administration in 2015 to sharpen the operational focus of NPPD amid a constant and increasing barrage of cyber threats to the government and private sector.

Department of Homeland Security Secretary Kirstjen Nielsen
Department of Homeland Security Secretary Kirstjen Nielsen

“Today’s vote is a significant step to stand up a federal government cybersecurity agency,” Homeland Security Secretary Kirstjen Nielsen said in a statement Tuesday night after the House action. “The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical.”

DHS officials in the Trump and Obama administrations have said that that the proposed switch from NPPD to an agency is more than a name change, arguing that it gives current employees a more tangible connection to their mission and will make it easier to hire potential employees because the mission will be obvious, rather than lost in the awkward title, National Protection and Programs Directorate.

These officials also have said it will raise awareness of other interested parties, including Congress, in what NPPD actually does.

“CISA will help bring the recognition this team deserves and will empower the team to more effectively execute its vital mission,” Nielsen said. Christopher Krebs, the under secretary of NPPD, also said in a statement that “The changes will also improve the department’s ability to engage industry and government stakeholders and recruit top cybersecurity talent.”

Krebs, speaking Wednesday at a quarterly meeting of the President’s National Security  Telecommunications Advisory Committee, said about the forthcoming change to CISA, “Most importantly, it puts us on the level of other operational agencies in the federal government, including in the department,” such as the Transportation Security Agency and Federal Emergency Management Agency, and “it cements our position as the lead civilian agency for cyber security.”

The NPPD cyber security division helps track cyber threats to the federal civilian government and private sector. The infrastructure protection office coordinates national programs and policies for critical infrastructure security and resilience. The directorate also houses the Office of Biometric Identity Management (OBIM), which operates a biometric repository, and the Federal Protective Service, which provides security to government-owned and leased buildings.

The bill directs DHS to move OBIM to the Management Directorate, which maintains the office as a headquarters element able to serve the entire department and other mission stakeholders, a spokeswoman for OBIM said.

Krebs said “Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms.”

The legislation establishing CISA was introduced by Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, and co-sponsored by the ranking member, Rep. Bennie Thompson (D-Miss.). 

Suzanne Spaulding, who led NPPD when the Obama administration proposed the change to an operational agency, told Defense Daily in an email response for comment that CISA “reflects the vital mission they work so hard to achieve every day.”

She also praised the efforts of DHS under the current administration for continuing to “mature the organization so that it has the credibility to become the first new operational component at DHS since the department was created,” highlighting the comprehensive approach they are taking to critical infrastructure protection “that recognizes the increasing interplay between cyber and physical risks.”