Standing up CISA

The newly renamed Cybersecurity and Infrastructure Security Agency is going to spend 2019 in transition, gearing up to assume the role of a major Department of Homeland Security component.

The organization, formerly called the National Protection and Programs Directorate, was elevated by legislation signed into law in November. Agency officials lobbied for the redesignation for years, arguing that NPPD's name and mission appeared vague and muddled to the general public.

Agency head Chris Krebs joked that the NPPD name, "sounds a lot like a Soviet-era military intelligence agency."

CISA Deputy Director Matthew Travis told FCW in an interview that the transition plan, dubbed "CISA 2020" reflects the goal of getting the agency in shape over the course of the next year. The plan lays out the blueprint for the component's "big muscle movements" organizationally. It was announced to CISA employees at a Dec. 20 virtual town hall event.

The blueprint sets out 12 categories that address the most important transformational issues at the agency -- such as IT, management functions and budget -- that need to be realigned during the transition. DHS headquarters, Congress and the Office of Management and Budget are expected to offer feedback on the plan in January and February.

CISA is also looking at consolidating the agency's eight offices into a single headquarters in parallel with the 12-point CISA 2020 plan, Travis said, but nothing has been decided.

There is subtraction as well as addition in play here. The law that created CISA transferred the Office of Biometric Identity Management to the DHS Management Directorate. CISA is also waiting to hear whether the Federal Protective Service, a NPPD unit that provides security for federal facilities, will find a new home inside DHS.

CISA has formed a working group to explore how the DHS secretary could move FPS within DHS. The shift of OBIM to the Management Directorate is complete, Travis said.

The day the CISA legislation was signed into law, Krebs said it was "more of a groundbreaking than a ribbon-cutting."

Though NPPD leadership anticipated the bill's passage and began planning for the change earlier this year, Krebs said that the slow-motion windup over more than three years didn't help with a head start.

The plan to operationalize the agency was "always just over the horizon," Krebs said Nov. 16 at a Chamber of Commerce event, and as a result, NPPD didn't make investments needed to support the future mission of the agency.

To transform from NPPD to CISA, Krebs said there would be a lot of "boring" but necessary work on business processes.

Suzanne Spaulding, the former NPPD undersecretary who launched the push for CISA, said the basic idea behind the new organization was to put cybersecurity and infrastructure security personnel into the same space, to support data sharing and response coordination.

Some of that consolidation has already happened, with the co-location of the National Infrastructure Coordinating Center and the National Cybersecurity and Communications Integration Center. However, a larger shared space for the component's Office of Cybersecurity and Communications, the Office of Infrastructure Protection and headquarters staff is needed. Additionally, back-office operations such as IT, said Spaulding, also need to be consolidated or transitioned into something new.