By CHHS Extern Kaitlyn Holzer 

On November 16th, The President signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law. The House of Representatives had passed the bill on November 12th and the Senate passed it in October 2018. Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, sponsored the bill.

The Cybersecurity and Infrastructure Security Agency Act amends the Homeland Security Act of 2002 to redesignate the National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA). The new agency will consist of a cybersecurity division, infrastructure security division, and emergency communications division. Similar to the NPPD, CISA will have a privacy officer who will ensure compliance with federal laws. Under the Act, CISA’s responsibilities include:

• Leading cybersecurity and critical infrastructure security programs;
• Operations (including the federal government’s cyber incident response team);
• Associated policy;
• Coordinating with non-federal and federal entities; and
• Maintaining chemical facility antiterrorism standards

Additionally, CISA will be led by the Director of National Cybersecurity and Infrastructure Security, who has not been named at this time.

In a statement made by the NPPD Under Secretary, Christopher Krebs, the enactment of CISA reflects the “progress in the national effort to improve our collective efforts in cybersecurity.” According to Undersecretary Krebs, CISA will allow DHS to better regulate cybersecurity across the government and recruit more cybersecurity professionals. CISA will also help other federal agencies maintain and manages risks within their cyber infrastructure. Prior to the creation of CISA, each federal agency was responsible for their own cyber infrastructure.

Although the creation of CISA eliminates NPPD, day-to-day operations are not expected to change. Undersecretary Krebs noted that CISA gives “NPPD a name that reflects what it actually does.” CISA will work with an increased budget and more authority in imposing cybersecurity regulations. CISA has now has 180 days to report to Congress on the development of its programs.

Congress initially drafted the bill because NPPD’s responsibilities rapidly expanded as cyber threats against the United States increased. More recently, NPPD’s responsibilities included taking the lead on maintaining the nation’s cyber infrastructure after the Russian interference in the 2016 election.

The budget increase will aid in CISA’s management the National Cybersecurity and Communications Integration Center, which provides 24/7 cyber analysis and incident response to the public and private sectors, infrastructure resilience efforts in coordination with the National Risk Management Center, and emergency communication.

The creation of CISA will not alter the cyber capabilities of other federal agencies. For example, the FBI still has the authority to investigate cybercrime. CISA will lead federal agencies in infrastructure protection programs, associated policy making, and asset response activities surrounding national cybersecurity.

In the upcoming year, CISA will work towards DHS’ long term initiative of mapping out critical functions in the cyber infrastructure sector and changing the culture and practices of supply chain operations and procurement. Department of Homeland Security Secretary Kirstjen Nielsen believes this initiative will combat threats to degrade the nation’s critical infrastructure.