[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


    EXAMINING THE MISSION, STRUCTURE, AND REORGANIZATION EFFORT OF THE 
              NATIONAL PROTECTION AND PROGRAMS DIRECTORATE

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                        PROTECTION, AND SECURITY
                              TECHNOLOGIES

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 7, 2015

                               __________

                           Serial No. 114-34

                               __________

       Printed for the use of the Committee on Homeland Security
                                     


      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________
                               
                               
                         U.S. GOVERNMENT PUBLISHING OFFICE
99-576 PDF                     WASHINGTON : 2016                         
                               
________________________________________________________________________________________                               
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
                             
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Lou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania            Filemon Vela, Texas
Curt Clawson, Florida                Bonnie Watson Coleman, New Jersey
John Katko, New York                 Kathleen M. Rice, New York
Will Hurd, Texas                     Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                    John Ratcliffe, Texas, Chairman
Peter T. King, New York              Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             Loretta Sanchez, California
Scott Perry, Pennsylvania            Sheila Jackson Lee, Texas
Curt Clawson, Florida                James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York     Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Brett DeWitt, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk
       Christopher Schepis, Minority Subcommittee Staff Director
                            
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement
  Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement
  Prepared Statement
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security

                               Witnesses

Ms. Suzanne E. Spaulding, Under Secretary, National Protection 
  and Programs Directorate, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Ms. Phyllis A. Schneck, Deputy Under Secretary, Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Mr. Ronald J. Clark, Deputy Under Secretary, National Protection 
  and Programs Directorate, U.S. Department of Homeland Security
  Oral Statement
  Joint Prepared Statement
Mr. Chris P. Currie, Director, Emergency Management, National 
  Preparedness and Critical Infrastructure Protection, Homeland 
  Security and Justice Team, U.S. Government Accountability 
  Office:
  Oral Statement
  Prepared Statement

                             For the Record

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Letters

                                Appendix

Questions From Chairman John Ratcliffe for Suzanne E. Spaulding
Questions From Honorable Scott Perry for Suzanne E. Spaulding
Questions From Ranking Member Bennie G. Thompson for Suzanne E. 
  Spaulding
Questions From Chairman John Ratcliffe for Phyllis A. Schneck
Question From Chairman John Ratcliffe for Ronald J. Clark
Questions From Ranking Member Bennie G. Thompson for Chris P. 
  Currie

 
  EXAMINING THE MISSION, STRUCTURE, AND REORGANIZATION EFFORT OF THE 
              NATIONAL PROTECTION AND PROGRAMS DIRECTORATE

                              ----------                              


                       Wednesday, October 7, 2015

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:13 a.m., in 
Room 311, Cannon House Office Building, Hon. John Ratcliffe 
[Chairman of the subcommittee] presiding.
    Present: Representatives Ratcliffe, McCaul, Perry, Clawson, 
Donovan, Richmond, and Langevin.
    Mr. Ratcliffe. The Committee on Homeland Security 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies will come to order. The subcommittee is 
meeting today to examine the National Protection and Programs 
Directorate, or NPPD's, proposed reorganization effort.
    I now recognize myself for an opening statement.
    Prior to any reorganization of NPPD, Congress needs to 
first determine whether or not the proposal would establish a 
clear operational mission for the directorate, streamline the 
organizational structure, and whether the proposal can be 
effectively carried out by a qualified workforce.
    We also have questions on how the proposed changes would 
help make acquisition efforts for the cybersecurity mission 
more effective and more efficient. Perhaps most importantly, 
this committee needs to know how the realignment would help 
build confidence in both the public and private sectors that 
DHS is dedicated to focusing on its emerging cybersecurity 
mission.
    Growing cyber threats are presenting new homeland security 
challenges every day, and as such, this committee needs to 
ensure that DHS is optimally organized to successfully combat 
these emerging threats.
    As a Nation, we seem to finally be grasping the magnitude 
of the potential consequences of a major cyber attack, 
particularly as serious cyber breaches have already become part 
of our daily lives.
    As we have seen this year with the damaging breach to the 
Office of Personnel Management and other similar breaches, 
cyber subversions are only increasing in their numbers and in 
their severity. We have seen cyber attacks destroy private 
companies' computers and data breaches that exfiltrate corporate 
information, employee data, emails, intellectual property.
    Bottom line, it is vitally important that we are prepared 
to combat this evolving threat.
    Additionally, much of our Nation's critical infrastructure 
is privately-owned, and there now exists an interconnectedness 
of physical security and cybersecurity. This means that someone 
sitting at a keyboard can issue commands to blow up a gas 
pipeline, to cause the air traffic control system to 
malfunction, or take control of someone's automobile, all of 
which could result in a loss of life, not just the theft of 
personal information from a database.
    It is NPPD's mission to work with both public and private 
partners to reduce these risks from both cybersecurity and 
infrastructure threats and make the Nation's physical and 
digital infrastructure more resilient and secure. NPPD is also 
responsible for securing Federal networks and working with the 
private sector to secure the dot-com domain.
    As such, I would hope that NPPD plans on consulting with 
the private sector and its partners to hear their informed 
views on the proposed plan before moving forward. So far, I 
have only heard from outside stakeholders that there has been 
little to no outreach, and that is very disconcerting.
    Additionally, despite multiple media reports that DHS 
leadership is pushing to reorganize its cybersecurity and 
infrastructure protection missions, the committee has received 
minimal details from DHS at this point.
    Over the past several years this committee has built up a 
collaborative relationship working with NPPD, consulting with 
it to pass several strong and bipartisan pieces of legislation 
to improve chemical security and to strengthen DHS's 
cybersecurity mission and stature in the Federal Government.
    Given our shared goal to protect this country, several 
Members of the committee and I were very disappointed to learn 
about this proposal through leaked reports in the media. The 
committee only received a briefing after these reports in the 
press; and unfortunately, only minimal details on the 
reorganization effort, after several requests, have been 
provided in the time since.
    Only last week did the staff here receive an additional 
briefing, having been met with road blocks when trying to 
obtain additional information. Even more disappointing, the 
committee has heard that DHS leadership had planned to move 
forward unilaterally on several efforts without Congressional 
review or approval.
    I remind the witnesses that it is Congress' job to create 
the laws and the administration's job to execute them. After 
all, the Founding Fathers purposely enumerated Congress' role 
in Article I of the Constitution before any powers were given 
to the Executive.
    Over the past several weeks the committee has sent a strong 
message to DHS leadership making it clear that transparency 
with Congress and the American people is not a choice. The 
committee sent a bipartisan letter to DHS leadership expressing 
its disappointment in the process and reiterating the Congress' 
oversight and authorization roles and responsibilities.
    Additionally, the committee marked up several pieces of 
legislation last week, including one that would explicitly 
prohibit DHS from undertaking any reorganization or realignment 
of NPPD without Congressional review and approval. Just 
yesterday, that legislation passed the House unanimously.
    I hope that our message is clear.
    The committee is committed to working with NPPD's senior 
leadership to further strengthen its efforts and ensure that it 
has a clear mission, streamlined organizational structure, and 
a qualified workforce to carry out both its infrastructure 
protection and its cybersecurity responsibilities. But this 
will be a joint effort with Congress.
    I look forward to hearing more about your proposal for 
reorganization and then turning the page to begin working 
together to craft authorization legislation for the National 
Protection and Programs Directorate that would ensure that it 
has the tools and proper authorities to defend this Nation from 
both cyber and physical threats.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
    Prior to any reorganization of NPPD, Congress needs to first 
determine whether or not the proposal would establish a clear 
operational mission for the directorate, streamline the organizational 
structure, and can be effectively carried out by a qualified workforce. 
We also have questions on how the proposed changes would help make 
acquisition efforts for the cybersecurity mission more effective and 
efficient. And perhaps most importantly, this committee needs to know 
how the realignment would help build confidence in both the public and 
private sectors that DHS is dedicated to focusing on its emerging 
cybersecurity mission.
    Growing cyber threats are presenting new homeland security 
challenges every day; and as such, this committee needs to ensure that 
DHS is optimally organized to successfully combat these emerging 
threats.
    As a Nation, we seem to finally be grasping the magnitude of the 
potential consequences of a major cyber attack, particularly as serious 
cyber breaches have already become part of our daily lives. As we have 
seen this year with the damaging breach to the Office of Personnel 
Management and other similar breaches, cyber subversions are only 
increasing in number. We have seen cyber attacks destroy private 
companies' computers and data breaches that exfiltrate corporate 
information, employee data, emails, intellectual property. It is 
vitally important that we are prepared to combat this evolving threat.
    Additionally, much of our Nation's critical infrastructure is 
privately owned, and there now exists an interconnectedness of physical 
security and cybersecurity. This means that someone sitting at a 
keyboard can issue commands to blow up a gas pipeline, cause the air 
traffic control system to malfunction, or take control of someone's 
automobile--all of which would result in loss of life--not just the 
theft of personal information from a database.
    It is NPPD's mission to work with both public and private partners 
to reduce these risks from both cybersecurity and infrastructure 
threats and make the Nation's physical and digital infrastructure more 
resilient and secure. NPPD is also responsible for securing Federal 
networks and working with the private sector to secure the ``.com'' 
domain. As such, I would hope that NPPD plans on consulting with the 
private sector and its partners to hear their informed views on the 
proposed plan before moving forward. So far, I have only heard from 
outside stakeholders that there has been little to no outreach and that 
is really disconcerting.
    Additionally, despite multiple media reports that DHS leadership is 
pushing to reorganize its cybersecurity and infrastructure protection 
missions, the committee has received minimal details from DHS.
    Over the past several years, this committee had built up a 
collaborative working relationship with NPPD, consulting with it to 
pass several strong and bipartisan pieces of legislation to improve 
chemical security and strengthen DHS's cybersecurity mission and 
stature in the Federal Government. Given our shared goal to protect 
this country, several Members of the committee and I were very 
disappointed to learn about this proposal through leaked reports in the 
media. The committee only received a briefing after these reports in 
the press, and unfortunately, only minimal details on the 
reorganization effort, after several requests, have been provided 
since.
    Only last week did staff receive an additional briefing, having 
been met with roadblocks when trying to obtain additional information. 
Even more disappointing, the committee has heard that DHS leadership 
had planned to move forward unilaterally on several efforts without 
Congressional review and approval.
    I will remind the witnesses that it is Congress' job to create the 
laws and the administration's job to execute them. After all, the 
Founding Fathers purposely enumerated Congress' role in Article One of 
the Constitution, before any powers were given to the Executive.
    Over the past several weeks, the committee has sent a strong 
message to DHS leadership making it clear that transparency with 
Congress and the American people is not a choice. The committee sent a 
bipartisan letter to DHS leadership expressing disappointment in the 
process and reiterating the Congress' oversight and authorization roles 
and responsibilities. Additionally, the committee marked up several 
pieces of legislation last week, including one that would explicitly 
prohibit DHS from undertaking any reorganization or realignment of NPPD 
without Congressional review and approval. Just yesterday, that 
legislation passed the House unanimously. I hope our message is clear.
    The committee is committed to working with NPPD's senior leadership 
to further strengthen its efforts and ensure that it has a clear 
mission, streamlined organizational structure, and a qualified 
workforce to carry out both its infrastructure protection and 
cybersecurity responsibilities--but this will be a joint effort with 
Congress. I look forward to hearing more about your proposal for 
reorganization and then turning the page to begin working together to 
craft authorization legislation for the National Protection and 
Programs Directorate that would ensure it has the tools and proper 
authorities to defend this Nation from both cyber and physical threats.

    Mr. Ratcliffe. The Chair now recognizes the Ranking 
Minority Member of the subcommittee, the gentleman from 
Louisiana, Mr. Richmond, for any statement that he may have.
    Mr. Richmond. Thank you, Mr. Chairman.
    I want to welcome Under Secretary Spaulding and her deputy 
secretaries to the subcommittee and thank them for taking time 
to come and explain their plan to transform the National 
Protection and Programs Directorate, the NPPD.
    I also want to thank Chris Currie, head of the emergency 
management national preparedness and critical infrastructure 
protection team at GAO.
    Chris and his colleagues provide this subcommittee and 
committee with insights and analysis into the day-to-day 
operations of organizations like NPPD and inform us in ways we 
couldn't learn any other way. They are invaluable to us.
    Against the backdrop of challenges that the Department 
faces--tightening budgets, low morale, complex oversight 
structures--there are key issue areas that DHS leaders must 
address in order to achieve, as Secretary Johnson has 
envisioned, a Department-wide Unity of Effort, including a plan 
to reorganize and realign NPPD.
    There will be many details that we on the subcommittee will 
need to study and evaluate before we feel comfortable enough to 
give recommendations or assess legislative initiatives for the 
plan, and I hope we can begin that process today.
    We know that NPPD is a large and multi-layered directorate 
with a wide range of responsibility, from chemical facility 
security, pipelines, refineries, ports, and other critical 
infrastructure protection, to cybersecurity. It covers such a 
range that some might say it lacks a single central mission.
    I am interested today in learning how the Secretary's plan 
to allow NPPD to become operational will be accomplished 
without shredding or rearranging its current responsibilities, 
and how it will create an overall central mission.
    This is important because my district is a prime example of 
the importance of both physical infrastructure security and 
cyber network security. My district includes the largest port 
network in the country, the largest petrochemical footprint in 
the Nation, and significant refining capacity. All of these 
facilities have complex and challenging physical security and 
cybersecurity challenges.
    There are funding concerns too. If the reorganization or 
realignment will require modifications to NPPD's appropriations 
structure, will the Department request additional budgetary 
flexibility or transfer authority from Congress beyond those 
that the Department already has available?
    Let's be clear: This reorganization is both massive and a 
crucial undertaking. I continue to have a lot of questions 
about both this kind of major--how this kind of major overhaul 
will work and what all the implications are for the proposed 
changes.
    So I hope this hearing leads to some answers so that we can 
work together to improve the Department.
    With that, I look forward to hearing the testimony and I 
yield back.
    [The statement of Ranking Member Richmond follows:]
             Statement of Ranking Member Cedric L. Richmond
                            October 7, 2015
    Thank you Mr. Chairman.
    I want to welcome Under Secretary Spaulding and her deputy 
secretaries to the subcommittee and thank them for taking time to come 
explain their plan to ``transform'' the National Protection and 
Programs Directorate, the NPPD.
    I also want to thank Chris Currie, head of the Emergency Management 
National Preparedness and Critical Infrastructure Protection Team at 
GAO. Chris and his colleagues provide this subcommittee and committee 
with insights and analysis into the day-to-day operations of 
organizations like NPPD, and inform us in ways we couldn't learn any 
other way--they are invaluable to us.
    Against the backdrop of challenges that the Department faces; 
tightening budgets, low morale, complex oversight structures, there are 
key issue areas that DHS leaders must address in order to achieve, as 
Secretary Johnson has envisioned, a Department-wide Unity of Effort, 
including a plan to reorganize and realign NPPD.
    There will be many details that we on the subcommittee will need to 
study and evaluate before we will feel comfortable enough to give 
recommendations, or assess legislative initiatives for the plan, and I 
hope we can begin that process today.
    We know that NPPD is a large and multi-layered directorate, with a 
wide range of responsibility: From chemical facility security, 
pipelines, refineries, ports and other critical infrastructure 
protection, to cybersecurity. It covers such a range that some might 
say it lacks a single, central mission.
    I am interested today in learning how the Secretary's plan to allow 
NPPD to become ``operational'' will be accomplished without shedding or 
re-arranging its current responsibilities, and how it will create an 
overall, central mission.
    This is important because my district is a prime example of the 
importance of both physical infrastructure security and cyber network 
security. My district includes the largest port network in the country, 
the largest petrochemical footprint in the Nation, and significant 
refining capacity. And all of these facilities have complex and 
challenging physical security and cybersecurity challenges.
    There are funding concerns too.
    If the reorganization or realignment will require modifications to 
NPPD's appropriations structure, will the Department request additional 
budgetary flexibilities, or transfer authority from Congress, beyond 
those that the Department already has available?
    Let's be clear, this reorganization is both a massive and a crucial 
undertaking.
    I continue to have a lot of questions about both how this kind of 
major overhaul would work, and what all the implications are for the 
proposed changes, so I hope this hearing leads to some answers so that 
we can work together to improve the Department.
    I look forward to the testimony and discussion today, and I yield 
back.

    Mr. Ratcliffe. The gentleman yields back.
    The Chair now recognizes the Chairman of the full 
committee, the gentleman from Texas, Mr. McCaul, for any 
statement he may have.
    Mr. McCaul. Thank the Chairman. Thank you for holding this 
hearing on the National Protection and Program Directorate.
    I also want to thank Under Secretary Spaulding for the 
meeting I had yesterday. I thought it was a very good briefing 
on moving forward, and I think that is important because 
Congress has to review the proposal in its entirety once it is 
finally submitted and understand how it could improve our 
Nation's cybersecurity posture and protection of our critical 
infrastructures.
    Additionally, any effort that will significantly alter the 
way the Department carries out its responsibilities is one that 
Congress needs to weigh in on. The Chairman mentioned the 
letter we sent on September 15, and the most recent legislation 
that Mr. Richmond passed on the floor, I believe yesterday.
    We take the Department's cybersecurity mission very 
seriously.
    I want to commend the good work that you have done--both 
you and Dr. Schneck--in this very, very important mission and 
in building the capabilities within DHS to carry it out. You 
only need to read the newspaper to know what the threat really 
is, and you know it better than anybody.
    From the OPM hack to the Sony attacks to Iran's constant 
attacks on the financial sector, from Russia, from China--it is 
everywhere. It is not just the future; it is the here and now, 
of criminal theft of intellectual property, of espionage, and 
cyber warfare.
    So we want to, as we have in the past, work with you to 
advance this mission. I would say that the Members of this 
committee are perhaps your biggest advocates in the Congress 
because we believe that what you are doing is so important.
    So I look forward to hearing more about the reorganization 
and the proposed changes, but I do think that should be done in 
full collaboration with the Congress, and specifically with 
this committee. We passed 15 bills, marked them up last week, 
to improve the Department, and I think this hearing will go a 
long way to strengthening the NPPD's mission that we strongly 
believe in.
    If I could just end with--I know that the Senate is taking, 
finally, up the cybersecurity legislation that we passed out of 
this committee many months ago by an overwhelming majority. I 
would ask that they take into account the bills that we passed 
out of the House and the bills that we passed previously in the 
last Congress and not do anything that would conflict with 
existing law.
    My concern is that these laws we passed last Congress may 
be disregarded, and I think that would be very 
counterproductive to the process and counterproductive to a 
conference committee, in the event we ever get to that point.
    So I would ask that the Senate look at that as they measure 
and weigh in on the final bill that they mark up on 
cybersecurity legislation. This has to be done right, because I 
can think of no more important mission than this one.
    So with that, again, I want to thank the Chairman.
    I want to thank the witnesses not only for being here but 
for the work that you do day in and day out. We don't often say 
``thank you'' enough, and I would just like to, on behalf of 
this committee, say thanks for the great work you do to protect 
our country.
    With that, I yield back.
    Mr. Ratcliffe. Thank you, Mr. Chairman.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    We are pleased, as the Chairman referenced, to have a 
distinguished panel of witnesses with us on this important 
topic today.
    The Honorable Suzanne Spaulding serves as the under 
secretary for the National Protection and Programs Directorate 
at the U.S. Department of Homeland Security.
    Welcome back, Under Secretary.
    Dr. Phyllis Schneck serves as the deputy under secretary 
for cybersecurity and communications for the National 
Protection and Programs Directorate at the U.S. Department of 
Homeland Security.
    Dr. Schneck, good to see you again.
    Dr. Ronald Clark serves as the deputy under secretary for 
the National Protection and Programs Directorate at the U.S. 
Department of Homeland Security.
    Welcome back to this subcommittee.
    Mr. Chris Currie is the director of emergency management 
national preparedness and critical infrastructure protection 
for the homeland security and justice team at the U.S. 
Government Accountability Office.
    Welcome, Mr. Currie.
    I would like to ask the witnesses to stand and raise your 
right hand so I can swear you in to testify.
    [Witnesses sworn.]
    Let the record reflect that the witnesses have answered in 
the affirmative.
    You may be seated.
    The witnesses' full statements will appear in the record.
    The Chair recognizes Under Secretary Spaulding for 5 
minutes for her opening statement.

   STATEMENT OF HON. SUZANNE E. SPAULDING, UNDER SECRETARY, 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Ms. Spaulding. Thank you.
    Chairman McCaul, thank you for your very gracious remarks.
    Chairman Ratcliffe, Ranking Member Richmond, distinguished 
Members of the committee, thank you very much for this 
opportunity to be here today to discuss the Department's 
important cyber and infrastructure protection mission and the 
changes in the National Protection and Programs Directorate 
that I have the privilege of leading that we believe are 
necessary to keep pace with the dynamic and evolving risks that 
our partners in Government and the private sector face each and 
every day.
    I want to start by saying that I understand the committee's 
frustration that information related to the changes that were 
under consideration leaked prematurely to the media before we 
had a plan that the Secretary had an opportunity to review and 
I could get down here to brief the committee on that plan.
    This is an on-going process that continues, and managing 
change is always a challenge as I balance the need to follow 
appropriate Executive branch procedures, continue to be 
inclusive and transparent with my workforce, respect your very 
important legislative and oversight roles, and communicate 
appropriately with our public and our private stakeholders.
    I place a very high priority on making sure that we are 
consulting with you and with the rest of Congress. We have 
tried to ensure that your staff is informed at appropriate 
points throughout this process, and we look forward to 
continuing to work with you toward our shared objective of 
strengthening DHS's ability to execute its critical mission of 
cyber and infrastructure priority--protection.
    We will do this by working to achieve three key priorities 
with the changes that we have proposed: Achieving greater Unity 
of Effort, strengthening operations, and improving our mission 
support.
    Achieving greater Unity of Effort in our cyber and 
infrastructure protection mission is part of Secretary 
Johnson's overall work to bring greater Unity of Effort across 
the entire Department. Within NPPD, we need to take a holistic 
approach across cyber and physical risks the private sector 
increasingly takes and reflect the world that they face--a 
world in which cyber and physical, as Chairman Ratcliffe noted, 
and Ranking Member Richmond, are increasingly intertwined.
    We see this in the Internet of Things. We know that cyber 
attacks can have physical consequences, such as disrupting the 
electric grid or causing a dam to malfunction, just as physical 
events, such as storms and flooding, can cause cyber outages. 
We need to understand these connections and we need to manage 
those risks in the same interconnected way.
    In this time of scarce resources we must fully leverage all 
the outstanding expertise, capabilities, insights, information, 
relationships across our entire organization to accomplish our 
cyber and infrastructure protection mission. We cannot afford 
to operate in stovepipes that hamper essential collaboration 
and integration.
    Ultimately, the transition we are talking about is about 
strengthening operations--our ability to make a difference on 
the ground, in partnership with our stakeholders in Government 
and the private sector. To fully accomplish this objective we 
need excellence in our mission support functions, particularly 
acquisition and program management.
    This plan includes not only some restructuring of the 
organization, but also cultural, governance, and process 
changes, and even changing our name. You should each have a 
copy of our proposed organizational structure, and I am going 
to start at the bottom of that organizational chart with our 
three entities that will be executing operational activity: The 
National Cybersecurity and Communications Integration Center, 
our NCCIC; Infrastructure Security; and the Federal Protective 
Service.
    Under our plan, the NCCIC, our 247 operations center, is 
elevated and focused on operations to effectively respond to 
and mitigate cyber incidents. It would include all the current 
NCCIC functions but also bring in important dot-gov functions, 
including Einstein and our continuous diagnostics and 
mitigation.
    The second operational entity would be Infrastructure 
Security. This entity will work on stakeholder engagement and 
build capacity throughout our stakeholders in Government, in 
State, local, territorial, and Tribal, and the private sector.
    They will provide training, technical assistance, 
assessments, and work with those folks in the field and through 
support to sector coordinating councils. They will bring in 
those same activities that are now occurring in the Office of 
Cybersecurity and Communications including the Office of 
Emergency Communications; our effort to promote the adoption of 
the NIST Cybersecurity Framework, called C-Cubed V.P.; and our 
cybersecurity advisors, field forces that are now deployed all 
across the country. They will have the protective security 
advisors and our chem inspectors, so that we can integrate our 
field forces and that operational activity more effectively.
    Third is the Federal Protective Service, which will 
continue its law enforcement and security operations to protect 
Federal facilities all across the country and the people who 
work in them and visit them every single day. This plan will 
increase their ability to bring cybersecurity fully into that 
security assessments and mitigation measures for those Federal 
facilities and help to better integrate their field operations 
so that they can leverage what goes on and the capabilities 
across the rest of NPPD and vice-versa. To ensure that 
interconnectedness and to facilitate that, we are establishing 
an operations and watch function that brings together existing 
capabilities so that we can better integrate our operational 
planning and our situational awareness.
    Finally, we are strengthening our mission support 
operations by flattening and streamlining those functions and 
in some cases, particularly in acquisition and program 
management, bringing together a cadre of professionals that can 
make sure we have got clear oversight and guidance, who will 
then be embedded with the users whose requirements they have to 
ensure they are meeting on a daily basis.
    Implementation of this plan will require Congressional 
action. We understand the committee is working on possible 
legislation and has asked for DHS input, and we are working to 
respond quickly to that request.
    In closing, I want to again thank the committee for its 
strong support for our mission and for this opportunity to 
share our vision for an organization that can meet the Nation's 
challenges--the challenges that we face today and for years to 
come.
    Thank you very much. I am very pleased to be accompanied 
today by my outstanding deputies, and I understand that they 
will have a few opening remarks, Chairman.
    Thank you.
    [The joint prepared statement of Ms. Spaulding, Ms. 
Schneck, and Mr. Clark follows:]
 Joint Prepared Statement of Suzanne E. Spaulding, Phyllis A. Schneck, 
                          and Ronald J. Clark
                            October 7, 2015
    Thank you, Chairman Ratcliffe, Ranking Member Richmond, and 
distinguished Members of the subcommittee. I appreciate the opportunity 
to appear before you today to discuss the Department's cyber and 
infrastructure protection mission and the proposed transformation of 
the National Protection and Programs Directorate (NPPD). The growing 
demand for NPPD services as a result of the evolving risks requires the 
organization to be prepared to address whatever challenges we face in 
the future. Therefore we are developing a plan that will strengthen our 
ability to carry out NPPD's mission.
           NPPD's cyber and infrastructure protection mission
    NPPD serves a critical role in homeland security by leading the 
National effort to secure and enhance the resilience of the Nation's 
infrastructure against cyber and physical risks. NPPD works with 
interagency partners as well as owners and operators of critical 
infrastructure in the private sector and State, local, Tribal, and 
territorial government agencies to, collectively, maintain secure, 
functioning, and resilient infrastructure that is vital to public 
confidence and the Nation's safety, prosperity, and well-being.
    I'd like to thank Members of this subcommittee for the continued 
recognition and support of this critical mission. In just the past 
year, the subcommittee demonstrated bi-partisan support for NPPD's 
mission by introducing legislation that enhanced authority for NPPD 
operations in the areas of cybersecurity and infrastructure protection, 
specifically chemical facility security. Through the leadership of this 
subcommittee, as well as Chairman McCaul and Ranking Member Thompson, 
these bills ultimately became law. Most recently, the subcommittee 
introduced legislation, which was passed by the House of 
Representatives to improve cybersecurity by encouraging voluntary 
information sharing between and amongst the private sector and NPPD's 
National Cybersecurity & Communications Integration Center (NCCIC). 
This important legislation would strengthen cybersecurity by enabling 
automated sharing of cyber threat indicators in a way that protects 
privacy and brings this important information together so that trends 
can be seen and malicious cyber activity can be better understood and 
detected. I appreciate your continued support for our mission, and I am 
committed to continuing working with you to ensure we have the 
authority and tools necessary to succeed.
    NPPD was initially created in 2007 as a headquarters component of 
the Department by combining several existing entities. Over the years, 
the mission has evolved and NPPD has taken on more operational 
responsibility, especially as threats have grown. Malicious cyber 
activity has become more sophisticated over time, requiring an equally 
sophisticated and agile response. Given the importance of the mission 
and the evolving risks to critical infrastructure, NPPD must transition 
to an operational focus that fully leverages the combined expertise, 
skills, information, and relationships throughout DHS.
                           transforming NPPD
    To accomplish this vision, DHS is proposing a transformation that 
will achieve three key priorities: (1) Greater Unity of Effort across 
the organization, particularly across cyber and physical threats, 
vulnerabilities, consequences, and mitigation; (2) Enhanced operational 
activity; and (3) Excellence in acquisition program management and 
other mission support functions. This transformation includes 
restructuring the organization; cultural, governance, and process 
changes; further cementing the organization as an operational component 
within the Department, and changing our name to better reflect our 
mission.
    DHS is proposing changes in the structure of the organization to 
enable enhancements in operations. In the new structure, operations 
would be carried out through three interconnected, operational 
directorates. This will allow for focused operations with the necessary 
coordination to ensure our operations mitigate risk in a holistic, 
comprehensive manner.
    The first directorate, Infrastructure Security, will focus on 
activities to protect the Nation's infrastructure from cyber and 
physical risks by working with private and public-sector owners and 
operators to build the capacity to assess and manage these risks. 
Through regionally-based field operations--to include the Protective 
Security Advisors, Cyber Security Advisors, Regional Emergency 
Communications Coordinators, and the Chemical Security Inspectors--
Infrastructure Security will deliver training, technical assistance, 
and assessments directly to stakeholders to enable these owners and 
operators to increase security and resilience. This includes working 
with facilities that are often identified as soft targets because of 
their open access. The foundation of Infrastructure Security will 
include existing programs within the Office of Cybersecurity and 
Communications, including the Office of Emergency Communications, the 
Cyber Security Advisor program, and the Critical Infrastructure Cyber 
Community (C3) Voluntary Program. In addition, Infrastructure Security 
will include programs currently within the Office of Infrastructure 
Protection, including the Protective Security Advisor program and the 
Chemical Facility Anti-Terrorism Standards program. It will also 
execute the Sector-Specific Agency responsibilities for nine sectors 
and serve as the National coordinator for the remaining sectors.
    The second operational directorate will focus on cyber-specific 
operations and DHS's responsibility to mitigate and respond to threats 
to information technology (IT) and communication assets, networks, and 
systems. Through an enhanced and elevated NCCIC, we would execute 
cyber-specific protection, prevention, mitigation, incident response 
and recovery operations for private and public-sector partners, 
including protection of Federal networks. The focus on this area of 
operational activity will ensure DHS is able to respond to malicious 
cyber activity at the speed demanded by the rapidly-evolving threat, 
while closely aligning pre-incident prevention and protection with 
incident detection, response, and recovery. The NCCIC will also 
collaborate with the other two operational directorates to ensure cyber 
operations and expertise support, and benefit from, the operational 
activity of those protecting Federal facilities and building capacity 
with public and private-sector stakeholders.
    The third operational directorate, the Federal Protective Service, 
will continue to focus on the direct protection of Federal facilities, 
and those who work in and visit them, across the Nation, through 
integrated law enforcement and security operations. It will increase 
its focus on protecting cybersecurity aspects of Federal facilities in 
coordination with the NCCIC. In addition, the Federal Protective 
Service will better integrate its field operations with field forces in 
Infrastructure Security to enable comprehensive security and resilience 
for our stakeholders, as well as co-locate incident management support 
with the combined watch functions of the NCCIC and the National 
Infrastructure Coordinating Center (NICC) to gain efficiencies and 
improve situational awareness.
    To ensure coordinated execution of the mission and better 
integration among the three operational activities, we will combine 
existing elements to establish a mission support element for 
coordinated operations, joint operational planning, and integrated 
situational awareness. NPPD is currently piloting these enhancements to 
strengthen situational awareness and operational coordination using the 
National Infrastructure Coordinating Center as a foundation. We will 
use the results of the pilot to inform the establishment of permanent 
mechanisms for integrated situational awareness, coordinated 
operations, operational planning, and integrated continuity planning. 
The Office of Cyber and Infrastructure Analysis will support this 
important coordination function. In 2014, NPPD established the Office 
of Cyber and Infrastructure Analysis as a first step in integrating key 
risk-assessment activity, particularly with regard to understanding 
interdependencies and consequences across physical and cyber. This 
function will provide essential analysis to support coordinated 
operational planning and joint situational awareness. This integrated 
operations and watch function will serve as a critical element of the 
Department's counterterrorism mission in protecting critical 
infrastructure, including Federal facilities and those who work in and 
visit them.
    Enhanced operations will be supported through improved mission 
support functions. We will re-orient the roles of operational and 
mission support elements so operators are focused on operations and 
mission support elements are structured with appropriate authorities to 
effectively and efficiently support operations, consistent with the 
structure of other DHS operating components. We will change the way the 
organization executes and manages acquisition programs. DHS is 
proposing an Acquisition Program Management function to enable greater 
effectiveness and accountability in acquisition programs and ensure 
that operational programs have the tools required in a timely manner. 
These changes will also help us collaborate with the DHS Science and 
Technology Directorate to strengthen our ability to leverage 
innovation, research, and development for DHS and National benefit. 
Aligning activities that provide oversight and accountability for these 
large acquisition programs will allow operational directorates to focus 
on executing daily operations with the confidence that their 
requirements are being met by a team of acquisitions professionals. In 
many instances, these acquisition professionals will continue to be co-
located with the programs they support to ensure user requirements are 
well-understood and being met.
    We will also enable those carrying out day-to-day operations to 
focus on the mission by changing current business models for other 
management functions as well. Streamlining and centralizing management 
of business support functions will create efficiencies by reducing 
management layers and provide greater predictability and agility in 
meeting the needs of the workforce and of our operations. We will 
ensure the delivery of these services remains customer-focused by 
placing staff in the same location as the operators when their needs 
can best be met by in-person support. Centralizing management of these 
activities will support the goal of enabling operators to focus on 
operations while ensuring mission support elements are empowered to 
support the operators and effectively carry out our mission.
    This proposed structure reflects the three priorities of the 
transition; but a critical part of the transformation to achieve these 
priorities includes an underlying support structure with updated 
processes and internal governance to ensure the organizational 
structure permits the necessary flexibility and integration of programs 
required to carry out NPPD's mission. In addition, the proposed 
structure will allow for enhanced operations and performance of its 
critical mission with minimal requirements for new resources by 
identifying and implementing a series of efficiencies. In a time of 
growing mission demands and continued resource constraints, greater 
efficiencies are imperative and DHS is committed to ensuring that 
direct impacts to budget from the transformation are minimal. This 
approach can be achieved through the combination and co-location of 
similar functions, the establishment of a joint planning function that 
leverages existing planning resources in a coordinated manner, and a 
flattening of certain management functions.
                        benefit to stakeholders
    Reducing risks to critical infrastructure is a joint effort between 
the private and public sectors. DHS is unable to carry out our mission 
without the support and participation of stakeholders within the public 
and private sectors, including critical infrastructure owners and 
operators, public safety and Government officials at all levels of 
Government, and our interagency partners. Therefore, this 
transformation is designed to directly benefit these stakeholders. 
Through the changes outlined above, DHS will be able to more 
effectively and efficiently leverage relationships to support 
operational activity by identifying, coordinating, managing, and 
countering physical and cyber risks to infrastructure.
    DHS is committed to improving service delivery to customers by 
enhancing our staff presence outside the District of Columbia and 
better integrating field activities. A more robust field force will 
directly engage with stakeholders located throughout the Nation and 
carry out operations at a local level. In order to create efficiencies, 
improve the delivery of services to public and private-sector customers 
in the field, and ensure DHS is addressing cybersecurity and 
infrastructure protection regional priorities, we will more fully 
integrate and support regional operations. To achieve the priorities of 
both enhancing operations and achieving a Unity of Effort across 
programs, we will use the results of an on-going regional pilot project 
to inform a plan for aligning field forces into a more cohesive 
organization. By embracing a regionally-focused organizational 
framework, we can tailor the delivery of programs that reflect regional 
needs and that evolve as the capabilities of each region mature and 
expand. This framework also will better position us to develop career 
path options for regional and headquarters-based employees.
    In addition to our external stakeholders, this transformation will 
benefit the workforce. I am privileged to serve with the committed men 
and women of NPPD. Our workforce carries out the incredibly difficult 
and demanding mission of protecting our Nation's infrastructure, both 
cyber and physical. The hard work and dedication of our staff forms the 
backbone of our operations as we strive to meet evolving mission needs. 
Many of the ideas I have discussed above for this transformation came 
directly from our workforce, and our employees have served a critical 
role in this process by developing plans and recommendations. Our 
employees best know the requirements and demands of this mission; 
therefore, I value their input and feedback. Their efforts and 
continued role in this process will be all the more important as we 
move forward to strengthen our capabilities to carry out this 
challenging and evolving mission.
    As we continue to develop NPPD's organizational structure and 
improve our governance processes to support our evolving mission, a new 
organizational name would support our efforts to help create a more 
unified and strong sense of identity, enhance stakeholder outreach, and 
reflect the operational activities NPPD employees carry out each day.
                               next steps
    The plan for NPPD's transformation I have just outlined provides a 
clear path to further enhance and improve our ability to carry out the 
mission. However, our work is not yet complete. Senior executives are 
now working on action plans to further develop details for the proposed 
areas of change I named above. We are also working with our stakeholder 
community to ensure their feedback is incorporated into this 
organizational construct.
    Several of the areas I have identified above will require 
Congressional action to amend existing law, seek approval of 
organizational changes, and enable the changes. I appreciate the 
opportunity to appear before you today to discuss our proposal and look 
forward to working with Members of Congress on the implementation of 
this plan. Your support to date has enabled NPPD to carry out our 
critical operations and make significant progress, in collaboration 
with our stakeholders, to protect the Nation's infrastructure. Together 
we can ensure DHS is best positioned to carry out the critical mission 
of cybersecurity and infrastructure protection now and in the future.
    In closing, I would like to note that October is National 
Cybersecurity Awareness Month and next month, November, is Critical 
Infrastructure Security and Resilience Month. Every year we use these 
opportunities to raise awareness of the importance of the cybersecurity 
and infrastructure protection mission. This hearing is an important 
part of that dialogue and I thank you for the opportunity to testify 
before you today.
    I look forward to your questions.

    Mr. Ratcliffe. Thank you, Under Secretary Spaulding.
    The Chair now recognizes Dr. Schneck for 5 minutes.

   STATEMENT OF PHYLLIS A. SCHNECK, DEPUTY UNDER SECRETARY, 
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Schneck. Chairman Ratcliffe, Ranking Member Richmond, 
Chairman McCaul, distinguished Members of the committee, thank 
you for this opportunity to appear today. In my over, now, 2 
years in Government, I continue to really be impressed and 
enjoy the support that we get from our Congressmen and Senators 
in truly making things happen.
    Our critical infrastructures, as you know, and our cyber 
connectivity therein, are under attack; they have become open 
hunting season for a very egregious and witted adversary.
    These adversaries seek to damage our way of life. It is a 
broad range of threat, as you know, from the economic money or 
turning our information--our private information, our health 
information, our financial information--into currency. It moves 
up the spectrum to the theft of intellectual property, and then 
to the destructive side where, as the under secretary 
mentioned, a single computer instruction or command can cause a 
change that creates a physical event. That is why we are here 
today.
    Our critical infrastructures are owned and operated mostly 
by the private sector. There has never been a harder time for a 
large private-sector company, like the one from which I came, 
to work with the U.S. Government in our environment, but there 
has never been a more urgent time.
    All of this work that is needed is based on trust, customer 
service, stakeholder engagement, and the ability for us to be 
able to reach out and bring a field of expertise, from our 
cyber experts to our electric power experts to those in between 
that run our programs.
    This transformation will strengthen our cyber mission. It 
will strengthen our ability to reach out to our customers and 
to serve them well.
    Fighting back against this constantly-evolving threat 
requires this fully collaborative approach. NPPD can't do our 
mission if we don't do this.
    We have been doing it well. We can do it faster and better, 
and as the adversary excels, with no lawyers and no way of life 
to protect and plenty of money, we will not be able to fight 
them if we don't organize the way that is being suggested today 
so that we can bring everything we have to bear, just as we did 
in the private sector.
    This adversary takes an expeditious fight, and we can bring 
that. NPPD has been evolving for several years, as our mission 
has demanded. The latest step will improve our ability and--to 
carry out both our cyber and our infrastructure protection 
mission in better collaboration with our stakeholders, and 
programmatically, these changes are designed to make it easier 
for us to bring everything we have to the table, meaning we can 
bring expertise about the sector, we can bring the people that 
have the trusted relationships within the sector, we can bring 
the exact cyber people that understand the problem, and come to 
the fight more quickly.
    We can bring that team today, and we do, but we can 
assemble it and be designed as a much more efficiently well-
oiled machine to do this mission and take on this adversary. 
Through this transformation we focus on customer service, 
delivering this service to our customers, and making sure that 
we provide our stakeholders across the Nation not only the 
service in helping them fix an event or spot a threat, but to 
teach them, to give them programs such as the C-Cubed V.P.--or 
the Cybersecurity and Critical Infrastructure Community 
Voluntary Program that comes with the President's Executive 
Order on best practices for cyber--bringing them these programs 
so they can teach themselves how to protect their networks, and 
teach their supply chain, and teach their colleagues.
    So we are building more secure communities by joining our 
critical infrastructure expertise, our outreach, and joining 
that trust with our cyber experts. We need to have a structure 
that lets us continue to operate in this time of growing 
mission demand and continued resource constraints.
    I wish I could say that the threat was going away. It is 
growing. Our job is to neutralize that, and the way we do that 
is to be more artful.
    Our adversaries are constantly evolving. They have 
absolutely no barrier to overcome.
    If we are to overcome their artful hold, we have to be more 
masterful and more agile, and that is what this realignment is 
designed to do. It allows us to be more efficient and allows us 
to be more efficient with the tools that you have provided us 
in legislation; it allows us to make better use of your 
tremendous advocacy and get out there with the strength that we 
bring as a whole of Government, and do that with a whole of 
NPPD.
    Our Secretary always tells us that homeland security--that 
cybersecurity is a part of homeland security. Our job is to 
make sure that technology and innovation are enabled, that the 
private sector is enabled to make more money so they can 
innovate and build great things, and that our citizens can 
enjoy new technologies.
    Our job is to make our infrastructure resilient to damage 
so that the American way of life continues to be enjoyable, and 
fun, and a great place to make these new technologies without a 
fear of what new technology can bring. To neutralize that, we 
need this transformation to strengthen our cybersecurity 
mission, to bring everything we have got in trust, in 
capability, in infrastructure knowledge, infrastructure 
expertise, sector knowledge, feet on the street--use the field 
forces, our Federal Protective Service, who see everything that 
is happening in a Federal building and day out--use their 
awareness of the HVAC systems that have been known as targets 
to understand exactly what is happening and bring that all 
together.
    Our transformation will enable all of this. It will enable 
the cybersecurity piece of homeland security in the Secretary's 
Unity of Effort. We look forward to bringing more customer 
service and being even more of a service that our taxpayers 
will be proud of.
    So thank you, and I look forward to your questions.
    Mr. Ratcliffe. Thank you, Dr. Schneck.
    Chair now recognizes Dr. Clark for 5 minutes for his 
opening statement.

STATEMENT OF RONALD J. CLARK, DEPUTY UNDER SECRETARY, NATIONAL 
    PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Mr. Clark. Chairman Ratcliffe, Ranking Member Richmond, 
Chairman McCaul, and distinguished Members of the subcommittee, 
thank you for the opportunity to appear before you today.
    With 2 decades of service as a United States Marine Corps 
infantry officer, 5 years at the National Security Council, my 
mission and instinct at NPPD has been to focus on mitigating 
threats, driving down risk, and executing intelligence-driven 
operations--operations focused on the protection of Federal 
facilities, critical infrastructure, and the American people.
    NPPD occupies unique mission space, and we must ensure the 
full leveraging of its unique expertise, information, and 
capabilities. We are committed to enhancing our operational 
capacity and capability and taking the actions needed to 
enhance our security of critical infrastructure.
    The threat we face today is increasingly elusive, 
unpredictable, and violent. The threat increasingly extends 
across physical and cyber domains and can be carried out by 
criminal elements; aspirants of an extremist ideology; or 
terrorists, foreign, or domestic.
    In response to this dynamic threat environment, over the 
past year we have executed a series of enhanced security 
operations across the country to detect, deter, and deny 
potential threats to thousands of Federal facilities and 
millions of occupants. These operations entailed a series of 
intensified security protocols that increased our presence, 
awareness, and ability to respond.
    We have also enhanced our efforts directed at State and 
local partners, private-sector owners and operators of critical 
infrastructure. This dimension of our security campaign focused 
on building capacity, sharing threat information and trends, 
and, most importantly, addressing the very real concerns of 
local partners, private-sector stakeholders, and the faith-
based community.
    While we have seen progress to date, we must continue to 
enhance our operational capabilities because our adversaries 
have repeatedly demonstrated their ability to adapt to our 
security measures. Whether the operation is focused on the 
direct protection of a Federal building, ensuring the security 
parameters of a chemical facility, deploying a cybersecurity 
advisor team, or expanding the capacity of public and private-
sector partners, robust analytical support is essential. 
Operations must be driven by the best possible information.
    Toward this end, we have focused on sharpening our analytic 
capabilities. For example, today our ability to complete 
forward-looking analysis and to systematically map the 
interdependencies of critical infrastructure by our Office of 
Cyber and Infrastructure Analysis is exceptional.
    Their analytical support to the decision-making process is 
critical. We have pragmatically integrated this robust analytic 
capability with an enduring focus on fielding low-cost, high-
impact tools that increase mission assurance, team welfare, 
precision, and speed.
    Thank you again for this opportunity. Thank you, as well, 
for your enduring support to the Department of Homeland 
Security over many years.
    Thank you.
    Mr. Ratcliffe. Thank you, Dr. Clark.
    Chair now recognizes Mr. Currie for 5 minutes for his 
opening statement.

 STATEMENT OF CHRIS P. CURRIE, DIRECTOR, EMERGENCY MANAGEMENT, 
 NATIONAL PREPAREDNESS AND CRITICAL INFRASTRUCTURE PROTECTION, 
      HOMELAND SECURITY AND JUSTICE TEAM, U.S. GOVERNMENT 
                     ACCOUNTABILITY OFFICE

    Mr. Currie. Thank you, Mr. Chairman, Ranking Member 
Richmond, and other Members of the subcommittee. I appreciate 
the opportunity to be here today to talk about the potential 
reorganization of NPPD.
    I wanted to say up front that we at GAO don't have many 
details on the specific reorganization or any on-going work on 
this issue. However, over the years we have evaluated numerous 
agency creations and transformations and reorganizations, and 
based on real-life lessons learned, we have developed a number 
of questions and--that need to be answered and factors that 
need to be addressed during these types of changes.
    Also, as the committee knows, the initial implementation of 
DHS and broader management issues at the Department are still 
on our high-risk list. So we think our work across these areas 
is important to consider in any potential change in NPPD's 
structure or mission.
    Before I get into the specifics of our work I did want to 
make a key point: NPPD has the critical and difficult mission 
of securing both cyber and physical critical infrastructure and 
the interdependencies between both of those things. To do this, 
it needs to be able to adapt and change with the threat as 
needed, so it is not surprising that NPPD would propose a 
reorganization to adapt to the changing threat and additional 
responsibilities it has.
    However, our experience at DHS and other agencies has shown 
that it is often the management issues that can creep in as 
problems later on after these things are done in areas like 
human capital and acquisition. These areas are just as critical 
to think through as the mission need that is driving the 
reorganization because they can hinder success.
    Our work across Government points to key questions that 
need to be answered in these situations. For example: What are 
the goals? What are the real costs and benefits? How can the 
up-front cost be funded? This one is important: Who are the key 
stakeholders and how are their views being considered?
    Specifically, during the creation of DHS we outlined a 
number of key practices and steps for successful organizational 
transformations. Although an NPPD reorg is maybe not on that 
scale, they are still applicable and important, and here are 
just a few examples from that work: Establishing a coherent 
mission and integrated strategic goals to guide the 
transformation; establishing a communication strategy to create 
shared expectations and report progress; and last, involving 
employees to obtain their ideas and gain their ownership for 
the transformation because they are the ones that are going to 
have to make it happen.
    We have also found that successful Government 
reorganizations balance executive and legislative roles, as you 
mentioned up front, Mr. Chairman. For example, Congressional 
deliberative processes, such as this hearing, serve as an 
important function of getting input from Congress but also a 
variety of stakeholders that are affected by the change. They 
also provide important checks and balances.
    Now, let me talk a bit about our high-risk work and DHS 
management. DHS has made much progress in this area since its 
creation, but more work is needed.
    We have found that management challenges have had a direct 
impact on DHS's ability to meet its mission. For example, in 
the area of acquisitions, which has been discussed a lot this 
morning--or to put it in plain speak, when an agency purchases 
a service or a technology--delivering major acquisitions aimed 
at achieving mission capabilities that are on time and within 
budget has been difficult for the Department. It will be 
important for NPPD to consider that as it rolls out large cyber 
acquisitions across Government, sometimes now under accelerated 
time frames.
    In the area of human capital, or people management, DHS and 
NPPD have struggled with low employee morale, which can affect 
mission execution. Also, NPPD faces a challenge in attracting 
people with the technical skills it needs to accomplish its 
mission, such as cybersecurity specialists.
    The last quick point I would make is that while there are 
risks to any reorganization, there can also be many benefits. 
The best practices we have developed and I discussed--and there 
is a lot more detail in my formal written statement--are things 
that we have developed from real-life case examples from real 
agencies; they are not just theory. If done effectively, 
organizations can emerge from reorganization stronger than 
before.
    This concludes my prepared statement, and I look forward to 
your questions.
    [The prepared statement of Mr. Currie follows:]
                 Prepared Statement of Chris P. Currie
                            October 7, 2015
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
Subcommittee: I am pleased to be here today to discuss our observations 
on the potential reorganization of the Department of Homeland 
Security's (DHS) National Protection and Programs Directorate (NPPD). 
NPPD is the DHS component responsible for addressing physical and cyber 
infrastructure protection, a mission area of critical importance in 
today's threat environment. Critical infrastructure owners and 
operators continue to experience increasingly sophisticated cyber 
intrusions and a ``cyber-physical convergence'' has changed the risks 
to critical infrastructure ranging from energy and transportation to 
agriculture and health care, according to a DHS strategic review.\1\
---------------------------------------------------------------------------
    \1\ DHS, The 2014 Quadrennial Homeland Security Review (Washington, 
DC: June 2014).
---------------------------------------------------------------------------
    NPPD's potential reorganization is the latest in DHS's 
organizational evolution. In 2003, we designated implementing and 
transforming DHS as high-risk because DHS had to transform 22 
agencies--several with major management challenges--into one 
department.\2\ Further, failure to effectively address DHS's management 
and mission risks could have serious consequences for U.S. National and 
economic security. Over the past 12 years, the focus of this high-risk 
area has evolved in tandem with DHS's maturation and evolution. The 
overriding tenet has consistently remained DHS's ability to build a 
single, cohesive, and effective department that is greater than the sum 
of its parts--a goal that requires effective collaboration and 
integration of its various components and management functions.
---------------------------------------------------------------------------
    \2\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: 
Feb. 11, 2015).
---------------------------------------------------------------------------
    You asked us to offer our perspectives on reorganizations, given 
anticipated but unspecified changes planned at NPPD. This statement 
describes key factors for consideration in a NPPD reorganization. It 
includes observations from our prior work on organizational change, 
reorganization, and transformation, applicable themes from GAO's high-
risk list, and NPPD-related areas from our work in assessing 
programmatic duplication, overlap, and fragmentation.
    This testimony is based on reports we issued from 2003 through 
2015.\3\ For this work, among other things, we convened a forum to 
identify and discuss useful practices and lessons learned from major 
private- and public-sector organizational mergers, acquisitions, and 
transformations; conducted interviews with knowledgeable officials; 
reviewed relevant literature and agency documentation; reviewed the 
status of high-risk issues; and identified material in our routine 
audit work where areas of potential fragmentation, overlap, and 
duplication were identified. Recurring themes and findings from those 
data-gathering efforts are summarized in the published reports. More 
detailed information on our scope and methodology appears in the 
published reports.
---------------------------------------------------------------------------
    \3\ GAO, Streamlining Government: Questions to Consider When 
Evaluating Proposals to Consolidate Physical Infrastructure and 
Management Functions, GAO-12-542 (Washington, DC: May 23, 2012); GAO, 
Government Efficiency and Effectiveness: Opportunities for Improvement 
and Considerations for Restructuring, GAO-12-454T (Washington, DC: 
March 21, 2012); GAO, High-Risk Series: An Update, GAO-15-290 
(Washington, DC: Feb. 11, 2015); GAO, 2015 Annual Report: Additional 
Opportunities to Reduce Fragmentation, Overlap, and Duplication and 
Achieve Other Financial Benefits, GAO-15-404SP (Washington, DC: April 
14, 2015); GAO, Results-Oriented Cultures: Implementation Steps to 
Assist Mergers and Organizational Transformations, GAO-03-669 
(Washington, DC: July 2, 2003).
---------------------------------------------------------------------------
    We conducted the work upon which this statement is based in 
accordance with generally-accepted Government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.
                               background
    The Homeland Security Act of 2002 created DHS and gave the 
Department wide-ranging responsibilities for, among other things, 
leading and coordinating the overall National critical infrastructure 
protection effort.\4\ For example, the Act required DHS to develop a 
comprehensive National plan for securing the Nation's critical 
infrastructure and key resources, including power production, 
generation, and distribution systems, and information technology and 
telecommunication systems, among others.\5\ Homeland Security 
Presidential Directive (HSPD) 7 further defined critical infrastructure 
protection responsibilities for DHS and other departments.\6\ For 
example, HSPD-7 directed DHS to establish uniform policies, approaches, 
guidelines, and methodologies for integrating Federal infrastructure 
protection and risk management activities within and across critical 
infrastructure sectors. Various other statutes and directives provide 
specific legal authorities for infrastructure protection and resiliency 
programs.\7\
---------------------------------------------------------------------------
    \4\ See generally Pub. L. No. 107-296, 116 Stat. 2135 (2002). Title 
II of the Homeland Security Act, as amended, primarily addresses the 
Department's responsibilities for critical infrastructure protection.
    \5\ See 6 U.S.C. § 121(d)(5). ``Critical infrastructure'' are 
systems and assets, whether physical or virtual, so vital to the United 
States that their incapacity or destruction would have a debilitating 
impact on National security, National economic security, National 
public health or safety, or any combination of those matters. 42 U.S.C. 
§ 5195c(e). Key resources are publicly or privately controlled 
resources essential to minimal operations of the economy or Government. 
6 U.S.C. § 101(10).
    \6\ Homeland Security Presidential Directive/HSPD-7, Critical 
Infrastructure Identification, Prioritization, and Protection (Dec. 17, 
2003).
    \7\ For example, the Cyber Security Research and Development Act, 
enacted in January 2002, authorized funding through fiscal year 2007 
for the National Institute of Standards and Technology and the National 
Science Foundation to facilitate increased research and development for 
computer and network security and to support related research 
fellowships and training. See generally Pub. L. No. 107-305, 116 Stat. 
2367 (2002). Other critical infrastructure-related Presidential 
Directives include HSPD-3, which addresses implementation of the 
Homeland Security Advisory System; HSPD-9, which establishes a National 
policy to defend the Nation's agriculture and food system; HSPD-10, 
which addresses U.S. efforts to prevent, protect against, and mitigate 
biological weapons attacks perpetrated against the United States and 
its global interests; HSPD-19, which addresses the prevention and 
detection of, protection against, and response to terrorist use of 
explosives in the United States; HSPD-20, which addresses the 
establishment of a comprehensive and effective National continuity 
policy; and HSPD-22, which, as described in the NIPP, addresses the 
ability of the United States to prevent, protect, respond to, and 
recover from terrorist attacks employing toxic chemicals. Presidential 
Policy Directive/PPD-21--Critical Infrastructure Security and 
Resilience--issued February 12, 2013, revoked HSPD-7 but provided that 
plans developed pursuant to HSPD-7 shall remain in effect until 
specifically revoked or superseded.
---------------------------------------------------------------------------
    NPPD was established in 2007 as DHS evolved. Specifically, after 
the Post-Katrina Emergency Management Reform Act of 2006 transferred to 
the Federal Emergency Management Agency most of what was then termed 
the Preparedness Directorate, the Secretary of Homeland Security at 
that time created NPPD. NPPD combined most of the remaining functions 
of the Preparedness Directorate, such as the Office of Infrastructure 
Protection, with other functions.\8\ For example, the Office of Cyber 
Security and Telecommunications combined with the National 
Communications System and the new Office of Emergency Communications 
and was renamed the Office of Cyber Security and Communications. As 
reported in DHS's fiscal year 2016 budget request, NPPD employs 
approximately 3,500 staff. NPPD's current organizational structure 
includes 5 divisions.
---------------------------------------------------------------------------
    \8\ See 6 U.S.C. § 315. See also 6 U.S.C. § 452 (authorizing the 
Secretary to allocate or reallocate functions among the officers of the 
Department, and to establish, consolidate, alter, or discontinue 
organizational units within the Department).
---------------------------------------------------------------------------
   The Federal Protective Service is the agency charged with 
        protecting and delivering law enforcement to and protection 
        services for Federal facilities.
   The Office of Biometric Identity Management, formerly US-
        VISIT, provides biometric identity services to DHS and its 
        mission partners.
   The Office of Cybersecurity and Communications has the 
        mission of assuring the security, resiliency, and reliability 
        of the Nation's cyber and communications infrastructure.
   The Office of Cyber and Infrastructure Analysis provides 
        consolidated all-hazards consequence analysis focusing on cyber 
        and physical critical infrastructure interdependencies and the 
        impact of a cyber threat or incident to the Nation's critical 
        infrastructure.
   The Office of Infrastructure Protection leads the 
        coordinated National effort to reduce risk to critical 
        infrastructure posed by acts of terrorism.
    Many of NPPD's activities are guided by the 2013 National 
Infrastructure Protection Plan (NIPP). NPPD issues the NIPP in 
accordance with requirements set forth in the Homeland Security Act, as 
amended, HSPD-7, and more recently Presidential Policy Directive-21--
Critical Infrastructure Security and Resilience. The NIPP was developed 
through a collaborative process involving critical infrastructure 
stakeholders. Central to the NIPP is managing the risks from 
significant threat and hazards to physical and cyber critical 
infrastructure, requiring an integrated approach to:
   Identify, deter, detect, disrupt, and prepare for threats 
        and hazards to the Nation's critical infrastructure;
   Reduce vulnerabilities of critical assets, systems, and 
        networks; and
   Mitigate the potential consequences to critical 
        infrastructure of incidents or adverse events that do occur.
         key factors for consideration in a nppd reorganization
    Our prior work includes four areas that offer valuable insights for 
agency officials to consider when evaluating or implementing a 
reorganization or transformation. These areas include: (1) Considering 
key questions for consolidation decision making and factors for success 
when implementing an organizational change; (2) balancing Executive and 
Congressional roles in the decision-making process; (3) considering 
themes and findings in our DHS high-risk work; and (4) addressing any 
related duplication, overlap, or fragmentation of existing programs.
Key Questions to Consider During Organizational Consolidation and 
        Practices for Transformation Implementation
    Two sets of considerations for organizational transformations 
provide insights for NPPD's organizational change decision making and 
implementation. First, in May 2012, we reported on key questions for 
agency officials to consider when evaluating an organizational change 
that involves consolidation.\9\ Table 1 provides a summary of these key 
questions from our previous work on organizational transformations, 
which we developed through a review of selected consolidation 
initiatives at the Federal agency level, among other things. Attention 
to these factors would provide NPPD with assurance that important 
aspects of effective organizational change are addressed.
---------------------------------------------------------------------------
    \9\ GAO-12-542.

------------------------------------------------------------------------
                              Key Questions
-------------------------------------------------------------------------
What are the goals of the consolidation? What opportunities will be
 addressed through the consolidation and what problems will be solved?
 What problems, if any, will be created?
What will be the likely costs and benefits of the consolidation? Are
 sufficiently reliable data available to support a business-case
 analysis or cost-benefit analysis?
How can the up-front costs associated with the consolidation be funded?
Who are the consolidation stakeholders, and how will they be affected?
 How have the stakeholders been involved in the decision, and how have
 their views been considered? On balance, do stakeholders understand the
 rationale for consolidation?
To what extent do plans show that change management practices will be
 used to implement the consolidation?
------------------------------------------------------------------------
Source: GAO-12-542.

    Second, as DHS was formed, we reported in July 2003 on key 
practices and implementation steps for mergers and organizational 
transformations. The factors listed in Table 2 were built on the 
lessons learned from the experiences of large private and public-sector 
organizations. The resulting practices we developed are intended to 
help agencies transform their cultures so that they can be more 
results-oriented, customer-focused, and collaborative in nature. As 
NPPD reorganizes, consulting each of these practices would ensure that 
lessons learned from other organizations are considered.

    TABLE 2.--KEY PRACTICES AND IMPLEMENTATION STEPS FOR MERGERS AND
                     ORGANIZATIONAL TRANSFORMATIONS
 
------------------------------------------------------------------------
     Key Factors When Implementing
         Organizational Change                 Implementation Step
------------------------------------------------------------------------
Ensure top leadership drives the          Define and articulate
 transformation.                          a succinct and compelling
                                          reason for change.
                                          Balance continued
                                          delivery of services with
                                          merger and transformation
                                          activities.
Establish a coherent mission and          Adopt leading
 integrated strategic goals to guide      practices for results-oriented
 the transformation.                      strategic planning and
                                          reporting.
Focus on a key set of principles and      Embed core values in
 priorities at the outset of the          every aspect of the
 transformation.                          organization to reinforce the
                                          new culture.
Set implementation goals and a time       Make public
 line to build momentum and show          implementation goals and time
 progress from Day 1.                     line.
                                          Seek and monitor
                                          employee attitudes and take
                                          appropriate follow-up actions.
                                          Identify cultural
                                          features of merging
                                          organizations to increase
                                          understanding of former work
                                          environments.
                                          Attract and retain key
                                          talent.
                                          Establish an
                                          organization-wide knowledge
                                          and skills inventory to
                                          exchange knowledge among
                                          merging organizations.
Dedicate an implementation team to        Establish networks to
 manage the transformation process.       support implementation team.
                                          Select high-performing
                                          team members.
Use the performance management system     Adopt leading
 to define responsibility and assure      practices to implement
 accountability for change.               effective performance
                                          management systems with
                                          adequate safeguards.
Establish a communication strategy to     Communicate early and
 create shared expectations and report    often to build trust.
 related progress.                        Ensure consistency of
                                          message.
                                          Encourage two-way
                                          communication.
                                          Provide information to
                                          meet specific needs of
                                          employees.
Involve employees to obtain their ideas   Use employee teams.
 and gain their ownership for the         Involve employees in
 transformation.                          planning and sharing
                                          performance information.
                                          Incorporate employee
                                          feedback into new policies and
                                          procedures.
                                          Delegate authority to
                                          appropriate organizational
                                          levels.
Build a world-class organization.         Adopt leading
                                          practices to build a world-
                                          class organization.
------------------------------------------------------------------------
Source: GAO-03-669.

Balancing Executive and Congressional Roles in Reorganization Decision-
        making
    In March 2012, we found that successful Government reorganizations 
balanced Executive and Legislative roles and that all key players 
engaged in discussions about reorganizing Government: The President, 
Congress, and other parties with vested interests, including State and 
local governments, the private sector, and citizens.\10\ It is 
important that consensus is obtained on identified problems and needs, 
and that the solutions our Government legislates and implements can 
effectively remedy the problems we face in a timely manner. Fixing the 
wrong problems, or even worse, fixing the right problems poorly, could 
cause more harm than good.
---------------------------------------------------------------------------
    \10\ GAO-12-454T.
---------------------------------------------------------------------------
    We found that it is imperative that Congress and the administration 
form an effective working relationship on restructuring initiatives. 
Any systemic changes to Federal structures and functions should be 
approved by Congress and implemented by the Executive branch, so each 
has a stake in the outcome. In addition, Congressional deliberative 
processes serve the vital function of both gaining input from a variety 
of clientele and stakeholders affected by any changes and providing an 
important Constitutional check and counterbalance to the Executive 
branch.
                     applicable gao high-risk work
Securing Cyber Critical Infrastructure and Federal Information Systems 
        and Protecting the Privacy of Personally Identifiable 
        Information
    Safeguarding the systems that support critical infrastructures--
referred to as cyber critical infrastructure protection--is a 
continuing concern cited in our 2015 High-Risk Series Update.\11\ Given 
NPPD's current cybersecurity activities, addressing these concerns in 
any reorganization effort would be critical. For example, NPPD conducts 
analysis of cyber and physical critical infrastructure 
interdependencies and the impact of a cyber threat or incident to the 
Nation's critical infrastructure. Sustained attention to this function 
is vitally important. In our 2015 High-Risk Series Update report, we 
note that to address the substantial cyber critical infrastructure 
risks facing the Nation, Executive branch agencies, in particular DHS, 
need to continue to enhance their cyber analytical and technical 
capabilities (including capabilities to address Federal cross-agency 
priorities), expand oversight of Federal agencies' implementation of 
information security, and demonstrate progress in strengthening the 
effectiveness of public/private-sector partnerships in securing cyber 
critical infrastructures.
---------------------------------------------------------------------------
    \11\ GAO-15-290.
---------------------------------------------------------------------------
    In our 2015 High-Risk Series Update report, we highlight two 
additional high-risk areas related to securing cyber critical 
infrastructure. The security of our Federal cyber assets has been on 
our list of high-risk areas since 1997. In 2003, we expanded this high-
risk area to include the protection of critical cyber infrastructure. 
This year, we added protecting the privacy of personally identifiable 
information (PII)--information that is collected, maintained, and 
shared by both Federal and non-Federal entities.
Strengthening DHS Management Functions
    Our 2015 High-Risk Series Update found that DHS made significant 
progress in addressing our concerns, but that considerable work remains 
in several areas. To the extent that these issues are relevant to a 
reorganized NPPD, consideration of each area would be important so as 
not to jeopardize DHS's progress in taking steps toward addressing its 
implementation and transformation as a high-risk area. These areas of 
concern include:
   Acquisition management.--DHS has taken a number of actions 
        to establish effective component-level acquisition capability, 
        such as initiating assessments of component policies and 
        processes for managing acquisitions. In addition, DHS is 
        working to assess and address whether appropriate numbers of 
        trained acquisition personnel are in place at the Department 
        and component levels, an outcome it has partially addressed. 
        Further, while DHS has initiated efforts to demonstrate that 
        major acquisition programs are on track to achieve their cost, 
        schedule, and capability goals, DHS officials have acknowledged 
        it will be years before this outcome has been fully addressed. 
        Much of the necessary program information is not yet 
        consistently available or up-to-date. Attention to effective 
        acquisition management is particularly important in an NPPD 
        reorganization, given the substantial costs for cybersecurity 
        programmatic efforts. For example, NPPD's National 
        Cybersecurity Protection System, intended to defend the Federal 
        civilian Government's information technology infrastructure 
        from cyber threats, had a life-cycle cost of $5.7 billion as of 
        January 2015.
   IT management.--While the Department obtained a clean 
        opinion on its financial statements, in November 2014, the 
        Department's financial statement auditor reported that 
        continued flaws in security controls such as those for access 
        controls, configuration management, and segregation of duties 
        were a material weakness for fiscal year 2014 financial 
        reporting. Thus, the Department needs to remediate the material 
        weakness in information security controls reported by its 
        financial statement auditor.
   Financial management.--We reported in September 2013 that 
        DHS needs to modernize key components' financial management 
        systems and comply with financial management system 
        requirements. The components' financial management system 
        modernization efforts are at various stages due, in part, to a 
        bid protest and the need to resolve critical stability issues 
        with a legacy financial system before moving forward with 
        system modernization efforts. Without sound controls and 
        systems, DHS faces long-term challenges in ensuring its 
        financial management systems generate reliable, useful, and 
        timely information for day-to-day decision making.
   Human capital management.--The Office of Personnel 
        Management's 2014 Federal Employee Viewpoint Survey data showed 
        that DHS's scores continued to decrease in all 4 dimensions of 
        the survey's index for human capital accountability and 
        assessment--job satisfaction, talent management, leadership and 
        knowledge management, and results-oriented performance culture. 
        Morale problems are particularly an issue among NPPD employees, 
        who report some of the lowest morale scores among Federal 
        agency subcomponents. DHS has taken steps to identify where it 
        has the most significant employee satisfaction problems and 
        developed plans to address those problems. In September 2012, 
        we recommended, among other things, that DHS improve its root-
        cause analysis efforts related to these plans. As of February 
        2015, DHS reported actions underway to address our 
        recommendations but had not fully implemented them. Given the 
        sustained decrease in DHS employee morale indicated by Federal 
        Employee Viewpoint Survey data, it is particularly important 
        that DHS fully implement these recommendations and thereby help 
        identify appropriate actions to take to improve morale within 
        its components and Department-wide. In addition, given NPPD's 
        low morale scores, attention to employee concerns during 
        reorganization is crucial to engaging employees in 
        accomplishing NPPD's missions.
   Management integration.--The Secretary's April 2014 
        Strengthening Departmental Unity of Effort memorandum 
        highlighted a number of initiatives designed to allow the 
        Department to operate in a more integrated fashion, such as the 
        Integrated Investment Life Cycle Management initiative, to 
        manage investments across the Department's components and 
        management functions. DHS completed its pilot for a portion of 
        this initiative in March 2014 and, according to DHS's Executive 
        Director for Management Integration, has begun expanding its 
        application to new portfolios, such as border security and 
        information sharing, among others. However, given that these 
        main management integration initiatives are in the early stages 
        of implementation and contingent upon DHS following through 
        with its plans, it is too early to assess their impact. To 
        achieve this outcome, DHS needs to continue to demonstrate 
        sustainable progress integrating its management functions 
        within and across the Department and its components.
Related GAO Work on Duplication, Overlap, or Fragmentation
    Our prior work identified areas where agencies may be able to 
achieve greater efficiency or effectiveness by reducing programmatic 
duplication, overlap, and fragmentation.\12\ Since 2011, we have 
reported annually on this topic, presenting nearly 200 areas wherein 
opportunities existed for Executive branch agencies or Congress to 
reduce, eliminate, or better manage fragmentation, overlap, or 
duplication; achieve cost savings; or enhance revenue. Several of our 
findings in the reports relate to DHS and NPPD activities. For example, 
consistent with a previous recommendation with which DHS agreed, in 
2015 we reported that DHS could mitigate potential duplication or gaps 
by consistently capturing and maintaining data from overlapping 
vulnerability assessments of critical infrastructure and improving data 
sharing and coordination among the offices and components involved with 
these assessments, of which NPPD is one.\13\ Also, in 2012, we found 
that Federal facility risk assessments were duplicative, as they were 
conducted by multiple Federal agencies, including NPPD's Federal 
Protective Service (FPS). We recommended that DHS should work with 
Federal agencies to determine their reasons for duplicating the 
activities included in FPS's risk assessments and identify measures to 
reduce this duplication.\14\ DHS did not comment on whether it agreed 
with this recommendation at the time it was made and the recommendation 
was not fully addressed as of March 2015. Addressing these duplication 
concerns and any other fragmentation, overlap, or unnecessary 
duplication that agency officials may identify as part of its 
reorganization will improve the agencies' overall efficiency and 
effectiveness.
---------------------------------------------------------------------------
    \12\ Fragmentation refers to those circumstances in which more than 
one Federal agency (or more than one organization within an agency) is 
involved in the same broad area of National need and opportunities 
exist to improve service delivery. Overlap occurs when multiple 
agencies or programs have similar goals, engage in similar activities 
or strategies to achieve them, or target similar beneficiaries. 
Duplication occurs when 2 or more agencies or programs are engaged in 
the same activities or provide the same services to the same 
beneficiaries.
    \13\ GAO-15-404SP and GAO, Critical Infrastructure Protection: DHS 
Action Needed to Enhance Integration and Coordination of Vulnerability 
Assessment Efforts, GAO-14-507 (Washington, DC: Sept. 15, 2014).
    \14\ GAO-12-342SP.
---------------------------------------------------------------------------
    Given the critical nature of NPPD's mission, considering key 
factors from our previous work would help inform a reorganization 
effort. For example, the lessons learned by other organizations 
involved in substantial transformations could provide key insights for 
agency officials as they consider and implement reorganization. 
Attention to these and the other factors we identified would improve 
the chances of a successful NPPD reorganization.
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
subcommittee, this concludes my prepared statement. I would be happy to 
respond to any questions you may have.

    Mr. Ratcliffe. Thank you, Mr. Currie.
    I now recognize myself for 5 minutes for questions.
    So, as I referenced in my opening statement, it was 5 
months ago, it was back in June that I first read about this 
possible reorganization at NPPD through various media sources. 
After several months of requests for information from DHS, 
Chairman McCaul and Ranking Member Richmond and I wrote to 
Secretary Johnson 3 weeks ago to express our concern about our 
ability to fill our role of Congressional oversight and 
authorization.
    It was yesterday that I received from Secretary Johnson a 
hand-delivered response to that letter, which essentially says, 
``I approved NPPD's transition plan and understand that Under 
Secretary Suzanne Spaulding is scheduled to brief you this 
week. Thank you again for your letter and your interest in this 
important issue.''
    Under Secretary Spaulding, you and I did, in fact, meet 
yesterday. But I want to make sure that we are all on the same 
page here, because I heard your testimony today about the 
collaborative effort that--in moving forward in this process, 
but the letter from Secretary Johnson appears to say, ``I have 
approved this and the ship has sailed.''
    So I want to give you an opportunity to address that point 
again.
    Ms. Spaulding. Thank you, Mr. Chairman. I appreciate that 
opportunity.
    This has, as I said, been an on-going process. In fact, it 
is one that did not start with looking at a wiring diagram but 
really did start with looking at finding all of the ways which 
we could work more collaboratively and efficiently and 
effectively across NPPD.
    When we reached a point where we felt that the benefits of 
that collaboration and integration were increasingly apparent 
and that it was also increasingly apparent that we were asking 
our folks every day to fight the organizational structure, to 
accomplish that collaboration and integration we were asking 
them to do, we started looking at how we could better align our 
missions--our functions to facilitate what we were asking them 
to do.
    The first step in that was to create an overarching 
structure. What are the broad outlines? What would that look 
like if we did that?
    So we came up with a proposal. I sat down with the 
Secretary.
    He said, ``That looks right to me. That seems to be on the 
right track.'' I briefed my workforce that this is what we were 
proposing to the Secretary.
    As soon as the Secretary had approved that, we came down to 
the Hill to talk about, ``These are the overarching--this is 
the broad outline of what we are doing.'' That was this summer.
    Unfortunately, in trying to be transparent with my 
workforce and inclusive, make sure that they are providing 
essential input, we have increased the number of people who 
have this information and who have the potential to go and talk 
to the press.
    But we have all through this process--again, and the 
Secretary directed us to develop a more detailed implementation 
plan, to get it to him by the end of the summer, by August 31, 
which we did. He took a very quick opportunity to review that 
and make sure that he was comfortable with it, gave us some 
guidance.
    We got final approval on that plan and were immediately on 
the phone to say, ``We are--we now have something we can come 
up and brief you on.''
    So this is a difficult process of, you know, going through 
the steps and making sure that all of our various folks are 
informed at the appropriate times, but it is absolutely our 
intent to work in a collaborative way with Congress----
    Mr. Ratcliffe. Okay.
    Ms. Spaulding [continuing]. On this process.
    Mr. Ratcliffe. Thank you, Under Secretary. But just so we 
are clear, do you agree with me that DHS can't move forward on 
at least certain elements of this reorganization without 
Congressional authorization under the Homeland Security Act?
    Ms. Spaulding. Absolutely.
    Mr. Ratcliffe. Okay. Your conversations with Secretary 
Johnson are that he is clear on that as well?
    Ms. Spaulding. Absolutely.
    Mr. Ratcliffe. Okay.
    Given NPPD's responsibility for engaging with and 
encouraging stakeholder input for both its cybersecurity and 
physical security missions, can you tell us what your 
engagement has been at this point in time with NPPD's 
stakeholders regarding this reorganization effort?
    Ms. Spaulding. Yes. Again, as I said, my priority has been 
to make sure that we are up here telling you as we have gone 
through this process where we are in the process and giving you 
the detail as we develop it in this plan. So this is part of 
what I have talked about balancing.
    So when we had the broad outline, and once we had been up 
here to be able to talk with your staff about that, I took 
advantage of opportunities in front of some of our stakeholder 
groups to tell them--to give them that same broad picture about 
where NPPD was moving, so that as we went through this process 
they would not be surprised by things that came out.
    Now that we have had an opportunity to get up and brief the 
Congress on this next level of detail in our plan, which is an 
on-going process, we are reaching out to our further 
stakeholder groups to make sure that we are providing them that 
additional detail, as well. So again, this is an outreach 
effort that is on-going.
    Mr. Ratcliffe. Okay. My time is expired, but--so very 
quickly, have you reached out to the financial services and the 
tech sectors?
    Ms. Spaulding. So the financial services and tech sectors 
are part of the cross-sector coordinating council, and I met 
with them a couple of months ago to make sure that they 
understood that this process was underway and the direction in 
which we are moving.
    Mr. Ratcliffe. And----
    Ms. Spaulding. We are now going sector-by-sector to do our 
outreach. But again, I wanted to be up on the Hill first.
    Mr. Ratcliffe. Okay. Have you at this point had any 
discussions with your Federal cybersecurity partners, like FBI 
and DOD, on this proposed reorg and gotten any feedback from 
them at this point?
    Ms. Spaulding. Not in any formal way, Chairman. But again, 
both of those are very close working partners and they are 
aware of the direction in which NPPD has been moving.
    Mr. Ratcliffe. Okay. With respect to all those 
stakeholders, is it your intent to take their input into 
account in--with respect to this reorganization as--and if 
necessary adjust what has been proposed?
    Ms. Spaulding. There is a lot of detail that still is being 
worked out on this plan. In fact, I have designated champions 
for each of the key areas who are working--continue to work in 
an inclusive way with my workforce to fill out those details, 
and they will be seeking input from our stakeholders to make 
sure that we are, as we move forward on this, that we are 
getting it right.
    Mr. Ratcliffe. Thank you. My time is expired.
    The Chair now recognizes Ranking Minority Member of the 
subcommittee, Mr. Richmond, for his questions.
    Mr. Richmond. Thank you.
    I would just start with a quick statement, which is, you 
know, I am really disappointed that we had to get here the way 
we got here. I think it is just a lack of communication.
    What I hope it is not is the dismissing our role and our 
task and our authority and responsibility to make sure that the 
people of this country are protected and Government is running 
as efficiently and as smoothly as possible. We take that very 
seriously.
    I think that this committee, more than other committees, 
works in a bipartisan fashion, and we try to be part of the 
solution and not part of the problem. So just in the future, I 
would hope that we could communicate so that we don't have to 
have these type of meetings.
    I don't want to be in the business of reorganizing NPPD. 
You all wake up and you do it every day.
    We do a million and one things. We have to figure out peace 
in the Middle East; we have to figure out how to stop breaches; 
and we have to figure out how to pass a budget.
    So we have a million things on our plate, and I always 
believe in deferring to the experts that do it, and I defer. 
But I think that in deferring we still have a role to play in 
making sure that, No. 1, it makes sense; No. 2, that we think 
it achieves the efficiency and Unity of Effort which we all 
hope to accomplish.
    So just think of us as part of the team and--at least me--
and I would like to be helpful.
    With all of that, let me ask you a question. With the 
reorganization, with your mission, how does operating under 
continuing resolution affect your ability to not only 
reorganize but to budget, to plan, and to accomplish your 
overall mission?
    Ms. Spaulding. Ranking Member, first let me again thank you 
personally, as well as the committee, for your strong support 
for DHS and for NPPD and, most importantly, for our mission. We 
have very much appreciated the partnership here, the 
collaboration with the committee. I cannot emphasize enough 
that that is--has always been our intent and continues to be 
our intent, and I make that firm commitment to you.
    I appreciate the question about the impact of a continuing 
resolution. I mean, effectively what the continuing resolution 
says is: Everything is frozen in place at last year's level of 
funding and activity.
    Unfortunately, our adversaries are not frozen in place. Our 
adversaries are moving as fast as they can. They are changing; 
they are evolving; they are responding to what we are doing, 
and getting better, and finding ways around the mitigations 
that we put in place, whether it is terrorists or cyber 
hackers, or nation-states.
    This transition reflects that, but every day we are looking 
at ways in which we can build our capacity, we can do this 
better, and we can continue to meet the challenge from our 
adversary. Continuing resolution makes that very difficult.
    Mr. Richmond. In my district, which we have talked about 
the infrastructure and the petrochemical and the refineries and 
the ports, I also have a lot of labor and union membership in 
my district; not only people work for DHS, but in the ports, 
the refineries, the other areas. What measures are in place to 
engage with labor, both public and private, regarding the 
changes you plan to make?
    Ms. Spaulding. We have had on-going consultations and 
discussions with the unions throughout this process, both 
because I value their input as representatives of important 
parts of my work force, but also, obviously, to be respectful 
of bargaining agreements and the requirements of the law and 
policies. So we certainly have, as I said, had a number of 
meetings and briefings with our union representatives.
    We also have regular meetings with a coalition that 
includes labor generally, and in areas like our implementation 
of Chemical Facility Anti-Terrorism Standards, for example, 
with our high-risk chemical facilities, we have benefited from 
the input of labor union representatives throughout that 
industry. So those consultations and discussions continue.
    Mr. Richmond. Really quickly to Chris, what are your 
biggest concerns about this reorganization, and what could 
derail success?
    Mr. Currie. Thank you, sir, for the question.
    You know, I wouldn't so much say at this point I have 
concerns. I don't know that many details about it.
    I think the biggest factor is that--that I am thinking 
about in this is that these best practices for reorganizations 
and transformations are followed. Oftentimes what we have seen 
is when organizations rush these things, or they rush through 
these things to address a real and pressing mission need, 
oftentimes it is later on that the, like I said in my 
statement, the management issues creep up, the acquisition 
problems, the human capital problems.
    Because, quite frankly, some of these things take time and 
they take deliberation. For example, gathering employee 
feedback is one of our best practices, but not just gathering 
it, but showing employees how it was incorporated and actually 
using the feedback and closing the loop on that so they feel 
invested in it. That takes time and it can be a little painful, 
quite frankly.
    So, not that NPPD is rushing through this--I am not aware 
of the details. But when that happens, sometimes mistakes can 
be made.
    Mr. Ratcliffe. Gentleman yields back.
    I ask unanimous consent at this time to enter into the 
record the September 15--yes, September 15, 2015 letter from 
Members of the committee to Secretary Johnson, and Secretary 
Johnson's October 6, 2015 response to the Members of the 
committee that I referenced earlier in my opening and 
questions.
    Without objection, so ordered.
    [The information follows:]
       Letter Submitted For the Record by Chairman John Ratcliffe
                                September 15, 2015.
    Dear Secretary Johnson: As leaders of the primary committee of 
oversight of the Department of Homeland Security (Department), we are 
encouraged by many of the efforts you are undertaking to strengthen 
unity of effort within the Department. We share your desire to ensure 
the Department is optimally organized to achieve its vital mission and 
appreciate the responsiveness of your staff on some of the aspects of 
this effort. However, we are concerned with the lack of transparency on 
the proposed reorganization of the National Protection and Programs 
Directorate (NPPD).
    Despite multiple media reports on the proposal to reorganize NPPD 
and numerous requests for information from our staff, we have yet to 
receive any specific details from the Department. NPPD is home to a 
number of important organizations, including the National Cybersecurity 
and Communications Integration Center, the Office of Biometric Identity 
Management, the Office of Emergency Communications, the Office of 
Infrastructure Protection, and the Federal Protective Service, which 
all need to be properly represented in any reorganization of NPPD to 
effectively carry out their missions.
    As you are aware, we are drafting legislation to update and improve 
the Department, including NPPD. We took the first step in this effort 
with the passage of H.R. 1731, which would rename NPPD as Cybersecurity 
and Infrastructure Protection and codify a Deputy Under Secretary for 
Cybersecurity and a Deputy Under Secretary for Infrastructure 
Protection. As the Committee continues to work to fulfill its oversight 
responsibilities and strengthen the Department, we will lead further 
efforts to reorganize NPPD. We value your perspective on this process. 
As such, receipt of information on your recommendation for the 
organization of NPPD is necessary promptly.
    We look forward to working hand-in-hand with you and Under 
Secretary Spaulding on this critical effort. Thank you for your 
consideration.
            Sincerely,
                                         Michael T. McCaul,
                          Chairman, Committee on Homeland Security.
                                           Bennie Thompson,
                    Ranking Member, Committee on Homeland Security.
                                            John Ratcliffe,
Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, 
                                         and Security Technologies.
                                           Cedric Richmond,
     Ranking Member, Subcommittee on Cybersecurity, Infrastructure 
                             Protection, and Security Technologies.
                                            Candice Miller,
            Chairman, Subcommittee on Border and Maritime Security.
                                              Filemon Vela,
      Ranking Member, Subcommittee on Border and Maritime Security.
                                               Scott Perry,
     Chairman, Subcommittee on Oversight and Management Efficiency.
                                     Bonnie Watson Coleman,
          Ranking Member, Subcommittee on Oversight and Management 
                                                        Efficiency.
                                            Martha McSally,
    Chairman, Emergency Preparedness, Response, and Communications.
                                              Donald Payne,
             Ranking Member, Emergency Preparedness, Response, and 
                                                    Communications.
                                 ______
                                 
       Letter Submitted For the Record by Chairman John Ratcliffe
                                   October 6, 2015.
The Honorable John Ratcliffe,
Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and 
        Security Technologies, U.S. House of Representatives, 
        Washington, DC 20515.
    Dear Chairman Ratcliffe: Thank you for your September 15, 2015 
letter.
    The U.S. Department of Homeland Security's (DHS) National 
Protection and Programs Directorate (NPPD) executes core parts of the 
Department's mission. In particular, NPPD oversees operational activity 
aimed at securing and enhancing the resilience of the Nation's 
infrastructure against cyber and physical risks. I recently approved 
NPPD's transition plan and understand that Under Secretary Suzanne 
Spaulding briefed your staff on this plan last week and is scheduled to 
brief you this week. In addition, Under Secretary Spaulding will appear 
before your Committee's Cybersecurity, Infrastructure Protection, and 
Security Technologies Subcommittee on October 7, 2015, to address 
additional concerns. The transition plan includes the steps necessary 
for NPPD to become a DHS Operating Component through strengthening the 
operational aspects of the cyber and infrastructure protection missions 
and realigning the mission support functions of NPPD to better support 
these operations.
    I am grateful for the support the Committee on Homeland Security 
has provided to the Department's cyber and infrastructure protection 
mission--particularly the actions taken to clarify the authority to 
carry out our operations effectively. I am committed to continuing this 
collaboration and look forward to working with you and your staff to 
ensure the Department is best situated to carry out the mission of 
cyber and infrastructure protection.
    Thank you again for your letter and interest in this important 
issue. The co-signers of your letter will receive separate, identical 
responses. Should you wish to discuss this matter further, please do 
not hesitate to contact me.
            Sincerely,
                                       Jeh Charles Johnson.
    Mr. Ratcliffe. Chair will now recognize other Members of 
the subcommittee for 5 minutes for questions they may wish to 
ask the witnesses. In accordance with committee rules and 
practice, I plan to recognize Members who were present at the 
start of the hearing by seniority of the subcommittee. Those 
coming in later will be recognized in the order of arrival.
    Chair now recognizes the gentleman from New York, Mr. 
Donovan, for 5 minutes.
    Mr. Donovan. Thank you, Mr. Chairman.
    To the panel, let me also, as the Chairman said, as our 
Ranking Member said, thank you for the efforts that you make to 
protect our Nation. They are very, very much appreciated by 
everyone here and everyone in America.
    Under Secretary Spaulding, I heard in your testimony and 
read your testimony that was submitted that you have identified 
areas where Congressional action is required to change existing 
regulations that you have. That statement makes it very clear 
that--why it is important to engage directly with the committee 
before going so far down the road in a major reorganization.
    I would also note that one of the specific areas of 
improvement noted by the Government Accountability Office in 
its review of DHS management functions is the need to better 
communicate with Congress.
    Can you outline for us specific areas that you believe 
Congressional action is necessary before you are able to 
reorganize as you wish to? I know this is a difficult forum to 
do that, so if there is an opportunity after today's hearing to 
put that in writing for us so we can understand what you feel 
is necessary from us so you can perform your functions.
    Ms. Spaulding. Great. Thank you, Congressman. We will take 
advantage of that opportunity to provide the committee with 
some input on the legislation that I believe the committee is 
considering, as well.
    But I will give you, you know, at least one example where 
it is very clear that Congress needs to act. We would like to 
move the Office of Emergency Communications to align it with 
other stakeholder outreach and capacity-building efforts that 
go on in NPPD that are very similar functions and put that into 
that infrastructure security organization.
    Right now the Office of Emergency Communications, by 
statute, reports to the assistant secretary for cybersecurity. 
So that will require a statutory change.
    There is really not a lot about NPPD that is in statute, 
but those things that are there will require some statutory 
change.
    In addition, we are very aware that Congress has said 
significant reorganizations require Congressional approval, and 
so, you know, again, we will be coming down and continue to 
work with you to accomplish those things.
    Mr. Donovan. It is just very helpful to us to know what it 
is that you need.
    Just briefly, Mr. Currie, you describe--this is an 
incredibly talented panel of individuals who dedicated their 
careers or part of their careers to helping protect our Nation. 
You mentioned about how difficult it is to recruit people.
    You all were recruited. Maybe Jeh had the--put the arm on 
you to make you guys come along, but you guys were recruited. 
You talked about the difficulty with morale with the employees 
of DHS.
    Can you explain to me why it is so difficult, do you feel, 
to recruit candidates to perform this very essential duty to 
our Nation and why you feel like morale in the Department is so 
low?
    Mr. Currie. Yes, sir. Well, first of all, I mean, I think--
and this--folks on this panel could probably speak to the 
details of the difficulty in cyber recruiting more than me, but 
I think it is pretty clear that the types of individuals with 
the specializations and experiences you need are very 
attractive to those in the private sector that are looking for 
the same skills and can pay much more. So that is one piece.
    The other piece is--we have reported on this in hiring--is 
that the process in Federal hiring can be a disincentive, too, 
and it can often take, you know, a very, very long time--6 
months to a year--to get processed. They have to undergo very 
stringent personnel background checks, and in these positions 
have to get probably Top Secret or Secure Compartmentalized 
Information clearances. That takes even more time.
    So all of these processes make it very difficult to attract 
and retain. But I know this is something that the under 
secretary has talked about in the different forums and thinks 
about a lot.
    The issue of DHS morale is something that we have 
actually--we have done several engagements or audits looking 
specifically at that issue. It is a challenge. We have not 
really zeroed it down to one specific reason, but there are a 
lot of key themes.
    The way the Department was formed initially, bringing 
together 22 different component agencies, all with very 
different missions and cultures, from agencies like TSA all the 
way to agencies like Coast Guard, created a huge challenge in 
becoming one different department.
    I think the challenge that NPPD has--one of the challenges 
is--and the folks on the panel mentioned it--is all these 
disparate missions and workforces coming together. For example, 
FPS was added to NPPD in 2009. They serve a completely 
different mission than folks at the NCCIC in the cyber role.
    So I think, you know, having--and from what I understand 
from my behind-the-scenes discussions, part of this 
reorganization is intended to bring the group together and the 
workforces together under one clear mission, too.
    Mr. Donovan. Thank you very much.
    I don't have any time to yield, Mr. Chairman. Thank you.
    Ms. Spaulding. Congressman, if I might, Mr. Chairman, on 
the morale issue, I would note that NPPD in the latest survey 
results did go up slightly, but it is at least a trend in the 
right direction. The numbers are nowhere near where we would 
like them to be or where they ought to be for our workforce, 
but we are at least encouraged that we are nudging along in the 
right direction.
    I mentioned in my opening statement that one of the things 
we are hoping to do is to change our name. I actually think 
that while that may seem superficial, that that will also help 
improve our morale by providing our workforce with a clear 
sense of their identity and that cyber and infrastructure 
protection is what we are all about--FPS, the NCCIC, 
Infrastructure Security, all of our organization.
    We are all part of the same team. One team, one fight. I 
think that will help morale.
    I know that the under secretaries are prepared to--our 
deputy under secretaries--to talk about what we are doing on 
the hiring front at the appropriate time.
    Mr. Ratcliffe. Chair now recognizes the gentleman from 
Florida, Mr. Clawson.
    Mr. Clawson. Thank you, Ms. Under Secretary, and the rest 
of you, for your good work. Appreciate you coming in today.
    You know, our budgets seem to go up every year. We seem to 
spend, you know, 5 or 10 percent more no matter what happens, 
and the taxpayer is on the tab for that while the median wage 
in our country continues to fall.
    So we are kind of in this pressure where we seem to forget 
the constituents that pay the bills--I am speaking in general 
terms now--while our own budgets go up and up.
    If we do the--when you do the reorganization, will the 
budget actually go down? Will we actually get cost efficiencies 
and cost productivity like the rest of the world lives with, or 
is it just going to keep going up every year whether we do this 
reorganization or not?
    I see the 8.5 percent, you know, when I--so I hear 
everything you are saying today, and I look at the 8.6 
percent--am I--do I have the number right for 2016 for a year-
over-year increase, if I have the right number--and I say what, 
you know, what--we are doing all these great things but we just 
keep spending more money. Am I missing on the data there or am 
I correct?
    Ms. Spaulding. Congressman, I will have to get back to you. 
I don't have that number in my head. But I would----
    Mr. Clawson. But you agree----
    Ms. Spaulding [continuing]. I would bet that you have got 
that number right, but I can certainly get back to you on that.
    But I certainly take your broader point, and I want to 
emphasize that a significant part of what we are--why we are 
doing this is to make sure that we are operating as efficiently 
as we can. Our mission is growing every single day, and we are 
painfully aware that there are not a lot of resources--
additional resources out there that can be handed over to us to 
meet that growing demand.
    We have got to become more efficient at doing our mission 
so that we do not have to keep coming back and asking for 
additional resources to do that. We think that, again, picking 
up on GAO's emphasis on management, that has been a clear 
focus.
    I said I had three priorities: Unity of Effort, stronger 
operations, and improved mission support. That is our 
management function. There is a place where we have already 
begun to create efficiencies--they are reflected in the fiscal 
year 2016 budget--where we identified over $21 million of 
efficiencies within our budget.
    But we are going to continue to work at flattening that 
organization and creating those efficiencies. I think by 
leveraging our work force all toward this mission and bringing 
them, for example, our folks who are out there in the field 
doing infrastructure protection fully into the cyber mission, 
that creates a significant efficiency that allows us to do more 
in that cyber mission without asking for as--you know, the kind 
of additional resources that that growth in mission might 
suggest.
    So I hear you, and it is a key objective of mine.
    Mr. Clawson. Mr. Currie, do you have any comments on this? 
Do you believe that if we do the reorganization we will get 
better cost control and cost reduction for the taxpayer, or do 
you have enough information to have an opinion?
    Mr. Currie. No, sir. We don't have enough information on 
it.
    But this is really important. One of the first things that 
we note to do in such a transformation is to do a full 
assessment of the costs and benefits.
    When I say that, that is not just, you know, a 1-page list 
of, ``here is what is going to work well and here is what we 
are going to save or not.'' I mean, this is a--we ask for an 
extensive assessment of what the actual costs of this are going 
to be over time and then what the perceived benefits are, and 
then ask officials to weigh that in the future to see, you 
know, what decisions they need to make.
    Mr. Clawson. I agree with everything I am hearing on a 
qualitative level, you know, unifying the mission, better 
communication, common metrics. We all understand all that.
    But if going into next year your budget goes up in a 
meaningful way on a year-over-year basis then we have a much 
more difficult conversation about why we did this. So if we are 
going to constantly reorganize just to increase the budget, 
then I would be remiss in my responsibilities to my 
stakeholders, which is the taxpayers, if we didn't point that 
out.
    So at least speaking for me and my constituents, I would 
like to support it. You certainly have a positive tone here and 
all over it. But if your numbers are going to keep going up 
then we ought to have--reorganization or not, we ought to have 
a budget conversation because that is part of our 
responsibility is oversight, as well.
    You agree with what I am saying, Under Secretary?
    Ms. Spaulding. Absolutely. Congress clearly has a, you 
know, a vital role in determining the level of resources that 
should be devoted to this mission space.
    You know, what I am--we are trying to accomplish this 
transformation or reorganization and restructuring of our 
organization in as budget-neutral a fashion as possible. We are 
realigning existing missions and functions.
    That having been said, you know, if Congress wants DHS to 
do more in the cyber space and to take on additional roles and 
additional functions, we will have to come down and have a 
conversation about resources devoted to that. But as I said, 
this transition is designed to do what we are doing today more 
efficiently and more effectively.
    Mr. Ratcliffe. Thank the gentleman.
    Welcome the gentleman from Rhode Island, recognize him for 
5 minutes. Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank our witnesses for being here today and your 
work you are doing on this issue.
    So for Secretary Spaulding, I think--let me begin, if I 
could, with you. I think I am beginning to get my head around 
the proposed organizational changes that we are making, but I 
am still a bit confused as to how the restructuring will affect 
cybersecurity roles and responsibilities. For instance, it 
seems that the NCCIC will be responsible for some outreach to 
sectors, but critical infrastructure, cyber community program, 
and cyber advisors will be in the Infrastructure Security 
component.
    So can you clarify what cybersecurity responsibilities 
Infrastructure Security and the Federal Protective Service will 
have, and why the Department assigned those responsibilities?
    Ms. Spaulding. Yes. Thank you, Congressman.
    You know, one of the things that we want to emphasize is 
that putting both cyber and physical stakeholder outreach and 
engagement management within Infrastructure Security is meant 
to strengthen, facilitate, coordinate that outreach, not to get 
in the way of existing relationships.
    So for example, the private sector is represented on the 
floor of the NCCIC today. That will not change. Those tactical 
operational relationships that are focused on that, you know, 
making sure that we have the capabilities for incident response 
and mitigation that is the lifeblood of the NCCIC--those 
relationships and that work will not change.
    What we will change is that our work that goes on every day 
all across the country, where we sit down with critical 
infrastructure owners and operators, primarily today through 
our protective security advisors in the Office of 
Infrastructure Protections, those field forces will be fully 
enlisted in our cyber mission, in addition to the physical 
security mission that they focus on today. So that will 
strengthen our cybersecurity mission and ability to execute 
that, and I will give you an example that I know you are, you 
know, you are very well aware of.
    If, for example, today the NCCIC sees malicious activity, 
say, in a water facility, their ability to turn quickly to the 
folks who have on-going relationships with that sector and with 
individual owners and operators all across the country to get--
to use that network, to use those field forces, to get that 
word out quickly, ``This is what to be on the lookout for; this 
is what to watch for,'' that kind of speed of getting that 
information out is what is going to help us protect and do 
effective network defense. That is what we are trying to build 
in this.
    Mr. Langevin. So do you feel that this is going to help you 
to be more proactive, as opposed to reactive? Is that what you 
are suggesting?
    Ms. Spaulding. Absolutely. They will be out there every day 
with those owners and operators doing not just physical 
security assessments but cybersecurity assessments, identifying 
ahead of time critical vulnerabilities, configuration, et 
cetera, and working with them, in collaboration with the NCCIC 
and our cyber ninjas, as I call them, on mitigation measures.
    Mr. Langevin. All right. I think that is critically 
important that--not being so much in a reactive role but being 
more proactive. That is what is going to really ultimately keep 
us safer.
    Secretary Spaulding, DHS has a number of important 
responsibilities under FISMA, and some in Congress are looking 
to expand them even further. These responsibilities encompass 
information sharing but extend far beyond it. DHS is also 
responsible for developing and helping to deploy network 
security technologies on Federal networks.
    Can you explain why these functions are included under the 
NCCIC?
    Ms. Spaulding. I am going to have Deputy Under Secretary 
Schneck weigh in on this, as well, but the NCCIC is really 
designed to be our--execute our operations on cybersecurity. A 
big part of that is the EINSTEIN and Continuous Diagnostics and 
Mitigation, and our best practices under FISMA with the dot-
gov.
    Part of what Deputy Under Secretary Schneck has been 
working on in her time at NPPD is making sure that we do, in 
fact, have an integrated architecture and an overarching 
strategy that brings these things together. So again, this is 
an area where we want the organizational structure to support 
that.
    Dr. Schneck.
    Ms. Schneck. Thank you.
    Thank you, Congressman Langevin, for all of your support 
over many, many years.
    So the NCCIC is the tip of the spear. That is the 24/7 
watch center and it houses our CERT, our Computer Emergency 
Readiness Teams, for both regular I.T. as well as those systems 
that control physical infrastructure such as lights, water, 
refineries, as was mentioned earlier, ports.
    Within that we also have now--we are going to be looking at 
the Einstein and CDM programs, as we have been doing over the 
past 2 years. There is not just protecting the Federal 
agencies--so the EINSTEIN program, as you recall, watches 
whether bad guys are trying to get into Federal agencies and 
whether those agencies are unknowingly calling out to bad guys.
    We also get a large piece of situational awareness from 
that program. We see, with the help of our privacy and civil 
liberties experts, all the traffic going--all the internet 
traffic going in and out of our Federal agencies, and we use 
that for situational awareness.
    As we roll out Continuous Diagnostics and Mitigation to 
protect the inside of the agency networks, each agency gets a 
dashboard, like the one in your car that shows you gas and 
speed and things about your car. This dashboard shows you 24/7 
things about the security of each agency's network.
    As we combine the data from each agency's dashboard--this 
is just coming out now--with the data that we see from outside, 
watching who is trying to hurt our agencies by coming in and 
where they might be calling--we put together a large map of how 
to connect the dots, so a large piece of situational awareness. 
I sometimes nickname it ``The Weather Map,'' because when you 
put all that data together you see things that you wouldn't see 
without it.
    That helps that NCCIC, that response center, understand 
exactly what is happening, and it helps us as being the center 
of machine-to-machine, so very fast information sharing, make 
sense of what we are seeing, and push more context and more 
cyber-threat indicators, if you will, to everyone--not just to 
Government, but to private sector, to universities, so that we 
can paint a much bigger security picture across our country.
    So all those programs--sometimes I call it the artifacts, 
the data they produce, or the exhaust across the Federal 
Government--we push that out to everyone, to the private 
sector, and again, with the help of all of our privacy and 
civil liberties experts.
    Mr. Langevin. Thank you.
    Mr. Chairman, are we going to go for a second round? 
Because I had one more question, as well.
    Mr. Ratcliffe. We are.
    Mr. Langevin. Okay.
    Mr. Ratcliffe. So the gentleman yields back?
    Mr. Langevin. I yield back.
    Mr. Ratcliffe. I would like to take advantage of having you 
all here to get some additional information, and so we will do 
a second round of questions for any Members that want to take 
advantage of that opportunity.
    So I recognize myself for an additional 5 minutes of 
questions.
    Under Secretary Spaulding, we have obviously got some 
information. Can you give us a date for when we will get the 
full plan? We have talked about some of the parameters of it 
and a transition plan, but can you give us some idea of when we 
could expect to see the full plan as you propose it?
    Ms. Spaulding. So again, I keep emphasizing that this is an 
on-going process, and so, you know, we--again, we are striving 
to have by the end of this calendar year the next level of 
details on this plan and be ready, you know, in consultation 
with Congress, to really begin to move out on some of the 
things particularly that will require Congressional approval.
    But again, I want to emphasize that this has been a--part 
of this on-going process has been that we have been doing the 
things that enhance collaboration and integration all along, 
and as we see those opportunities, like the regional field 
pilot project, you know, we will be undertaking those.
    Mr. Ratcliffe. Well, let me follow up on that because, you 
know, what I hear you saying is that obviously we agree on the 
fact that there are a number of things that absolutely do 
require Congressional authorization, but I--as I hear your 
testimony and the collaborative spirit in which you are here, I 
would--would it be fair to say that you are committed to 
collaborating with Congress to authorize 100 percent of NPPD?
    Ms. Spaulding. I believe Congress today authorizes 100 
percent of NPPD. Chairman, I am not sure I am getting the 
thrust of your question. Congress authorizes our activities and 
appropriates the funding for those.
    Mr. Ratcliffe. Absolutely. I just want to be clear because 
we talk about parts of things that Congress may authorize, and 
I just wanted to--I think we are very much on the same page 
there, so I appreciate that.
    Dr. Schneck and Dr. Clark, question for you: In this 
proposed--this new Office of Infrastructure Security it appears 
that you have got the CFATS, or the Chemical Facility 
Antiterrorism Standards, program in there, which is a 
regulatory program, in with the Critical Infrastructure Cyber 
Community Voluntary Program, which some refer to as C-Cubed.
    Is there a concern there of having a regulatory program in 
with a voluntary program? Because my experience is that folks 
are very reluctant in a voluntary program to share their 
vulnerabilities with a regulator who may then hold them 
accountable for that.
    Mr. Clark. Chairman, I think it is a fair concern, and a 
particular concern, I think, for industry, whether this--
whether they are entering into a regulatory relationship or one 
that they are voluntarily entering into. The current structural 
separation of the divisions and the management of that 
information sharing, I believe both for yourself and Ranking 
Member, you have a number of CFATS facilities with--inside your 
district, so there is a very clear compartmented mechanism that 
allows us to differentiate the two. We need to continue to be 
clear with our stakeholders the difference and which regulatory 
regime they are a part of.
    Mr. Ratcliffe. Dr. Schneck.
    Ms. Schneck. Yes, I would echo that, and I would add, we 
are accustomed to this. So the structure today, if I am not 
mistaken, has a large voluntary work piece within the Office of 
Infrastructure Protection, so basically all of the voluntary 
outreach to all sectors except for I.T. and coms that come 
under cybersecurity and communication. So our stakeholders are 
very, very accustomed to working within an organization that 
houses a regulatory regime as well.
    In addition, DHS itself has law enforcement inside of the 
agency itself, although our part is not law enforcement. Our 
stakeholders--customers, as I call them--are also very okay and 
very accustomed to working with us as the non-law enforcement 
piece, and then reach out as needed and desired to Homeland 
Security Investigations, or the Secret Service, or even 
externally to our friends at the FBI.
    Ms. Spaulding. I would add, we do have two statutory 
regimes that enable us to protect that information. Under CFATS 
we have a critical vulnerability information regime that 
requires that that information that is provided under that 
regulatory regime be held within that regulatory regime. We 
also have a PCII, Protected Critical Infrastructure 
Information, where companies that voluntarily provide us with 
vulnerability information, we are prohibited from giving it to 
regulators.
    So we have in place that--and again, as Dr. Schneck said, 
our stakeholders are very comfortable with these things 
coexisting today.
    Mr. Ratcliffe. Okay. Thank you.
    I do want to follow up on the, you know, a point that Dr. 
Schneck made about the law enforcement components, and 
something that you said earlier, a term that you used a number 
of times, Under Secretary, and that is that part of the goal 
here of this reorganization or realignment is to make NPPD an 
operational component. But I think that most people would agree 
that NPPD has some operational aspects, but when most people--I 
think when most people think of the term ``operational 
component'' they think of Secret Service or Customs and Border 
Protection.
    So I guess I want to get you on the record to say, what do 
you mean when you use the term ``operational''?
    Ms. Spaulding. So, you know, I would ask people to think 
more like FEMA, which is an operational component. What I mean 
by that is making a difference on the ground, that we are about 
being out there and executing this mission directly with our 
stakeholders, so sitting down with them to do these 
assessments, to offer this technical assistance and training, 
whether it is active-shooter training or it is table-top 
exercises for responding to combined physical and cyber 
consequences and incidents, that our PSAs, our chemicals 
inspectors are out there every day.
    What I want to do is to make sure that both within my 
organization, within the Department, and within our stakeholder 
community, everyone understands that is what we are about. We 
are about that activity on the ground, making a difference in 
security and resilience of our Nation's critical 
infrastructure.
    Mr. Ratcliffe. Terrific. My time is expired.
    Recognize the gentleman from Louisiana, Mr. Richmond.
    Mr. Richmond. Thank you.
    Let me go back to the back-and-forth that you had with the 
Chairman about your need to have Congressional approval. I 
guess as I see it, as you are doing your reorganization and you 
see things that you all need to do and you start to implement 
it, you don't believe that you have to get Congressional 
approval for every step of your reorganization, do you?
    Ms. Spaulding. There is a Congressional prohibition on 
significant reorganizations without Congressional approval, and 
so I am consulting all the time to make sure that we are not 
doing anything that would, you know, run afoul of that 
obligation.
    Mr. Richmond. But the things you can do that you think 
bring in efficiencies, make us more secure, and are going 
towards the Unity of Effort you all are moving forward with?
    Ms. Spaulding. Have been. So developing a strategic plan 
that is much more integrated across all of our organization, 
setting up, you know, a function to provide a better-integrated 
briefing to me every day, you know, a set of folks who ping all 
of the components and find out what they are doing.
    I want to take that to the next step, where they are 
actually providing an integrated versus just compiled, but we 
need to beef up that function.
    But absolutely. You know, we moved our National 
Infrastructure Coordinating Center into the same building as 
our National Cybersecurity Integration Center to bring the 
physical--people watching the physical world closer together 
with the people watching our networks, right, our cyber space. 
I want to get them in the same room, for example.
    Mr. Richmond. Okay.
    I guess you also have a pilot in Atlanta, where you are 
now--your consolidation project. Do you plan any more of those?
    Ms. Spaulding. So, given the terrific results of that pilot 
project to date, I think it is very likely that we will be 
coming down to talk with you about our plans to extend that 
across the country to have this regional integration in the 
field--not just at headquarters, but really where it matters, 
which is out in the field.
    I would encourage Members of this committee and--but, you 
know, to get down to Atlanta and visit with those folks if you 
find yourself in the area, because it is very inspiring and 
very exciting.
    Just putting these various field forces together in the 
same office to sit around the table every day, the light bulbs 
have been going off every single day about the ways in which 
they can all do their mission and we can do our mission better 
by working more closely together.
    Mr. Richmond. Well, and I will actually make that 
commitment and take you up on that offer to----
    Ms. Spaulding. Excellent.
    Mr. Richmond [continuing]. Go visit.
    The other thing I would just say is as concerned as I am 
about, you know, anyone keeping to themselves about 
reorganization and where we think we should go, I guess I am 
just as concerned that--it is my understanding that the 
Majority side is working on a reorganization also, and I would 
just hope that we don't get into, you know, a power contest 
about who does what and when and we just actually sit down and 
get together and figure out how we continue to make--and 
protect our cybersecurity networks and keep our citizens safe.
    I will say again, my philosophy in life, and I think that 
Congress would be better off if everybody understood and know 
what they know, and know what they don't know. The fact that 
there are experts that wake up every day trying to keep us safe 
and protect the internet, I think we have a role to play in 
oversight; I think we have a role to play in planning the 
mission; but I think that there are other people who actually 
go out and run the plays after we meet in the huddle and we 
call the play.
    So I just want to make sure that as we are in the huddle 
that everybody is talking. I guess that is for the Majority 
side, that is for you all, and that is for us, that we are not 
working in seclusion when I think that if we work together we 
can get to where we want to be faster because you said it--
these things change every day, every night, and we have to be 
perfect 100 percent of the time and the hackers have to get 
lucky once. When they get lucky we all pay for it.
    So I just think that this is one of those areas, and I do 
commend the Chairman because we have worked in a bipartisan 
manner, for the most part, because it is so important.
    I would just encourage you to continue to do that because 
the mission is so great and the consequences are even greater.
    With that, I yield back.
    Mr. Ratcliffe. Thank the gentleman. I thank the gentleman--
appreciate the spirit of the Ranking Member's comments and 
certainly associate myself with his comments that, you know, 
cybersecurity should not be a partisan issue.
    With that, I recognize the gentleman from Rhode Island 
again, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I completely agree, 
and I want to thank you, Mr. Chairman, and the Ranking Member, 
for the time and attention you are placing on this issue on 
cyber and on the reorganization.
    To our panel, thank you again for your testimony.
    Sticking with Federal network security, one of my chief 
concerns is that because agencies are primarily responsible for 
their own InfoSec, DHS inherently has a more reactive posture. 
It is basically limited in the protective measures that it can 
take by the action or inaction of the agencies that it is 
helping to protect.
    So do you believe that a reorganization will--or, for that 
matter, even can--help DHS be more proactive, given that the 
primary responsibility still lies elsewhere? Do you believe 
that agencies should, in fact, have primary responsibility for 
their own InfoSec?
    Ms. Spaulding. Congressman, we are obviously not waiting 
for reorg to step up our efforts in the dot-gov arena, and we 
have been greatly aided in that by the work of this committee 
and of the Congress, including the authority that the Secretary 
was given in legislation that you enacted last year to issue 
binding operational directives.
    So we do not feel in any way that we are limited to being 
reactive when incidents happen. Our folks are out there every 
day working with departments and agencies to make sure they are 
aware of the requirements of FISMA and broader best practices 
and standards. Using the Secretary's authority, he issued his 
first binding operational directive related to patching 
critical identified vulnerabilities, and it has made a 
significant difference.
    So I do think that this reorganization will help us to 
strengthen that, but I--but we are moving out on that right 
now.
    Deputy Under Secretary, I don't know if you want to add----
    Ms. Schneck. I would only say on the proactivity front I 
think the merging of expertise more expeditiously across the 
different sectors will help us greatly as we build out on our 
vision. Einstein is a tool in the box. It is a platform. It 
provides us data and the ability to see and stop some things.
    But moving out on top of that, we have the opportunity to 
leverage innovation across the private sector. That goes to, as 
we open our Silicon Valley office and get more and more 
exposure to the latest and greatest technologies, not only how 
to protect them but to use them and to bring them back into 
Federal civilian government and all of our customers. As we 
look at all across the sectors, it is going to allow the cyber 
folks to work faster to understand what part of what place 
needs to be protected better, how to leverage data analytics, 
and how to move with the agility that before this only our 
adversary has enjoyed.
    Mr. Langevin. Thank you.
    I hope this will help us to be more proactive.
    I just would point out once again, Under Secretary, that, 
you know, the term ``binding operational directive'' sounds 
very authoritative, but it still has no teeth. There are no 
consequences.
    So if agencies aren't really compelled, they are not held 
accountable, then you--we are still back at Square 1. So I will 
be anxious to see the actual--how we quantify action on these 
binding operational directives, and that it is not just a fancy 
term with no teeth.
    So with that, I just want to also turn back to the issue of 
regional coordination.
    New Jersey recently stood up the New Jersey Cybersecurity 
and Communications Integration Cell, and other States have 
begun similar efforts to coordinate critical infrastructure 
protection, particularly with respect to cybersecurity. Again, 
can you expand upon this a little more--how will regional 
integration take advantage of and avoid conflicting with 
existing State efforts?
    Ms. Spaulding. We work very closely with State homeland 
security advisors and emergency response and public safety, but 
various parts of our organization work with various parts of 
that--those State, local, territorial, and Tribal governments, 
and that is part of what we are trying to do with this 
reorganization is to make sure that we are doing that--that 
those engagements are coordinated; that they are integrated 
where it is appropriate, where they are operating in a 
collaborative way.
    Where relationships that a protective security advisor may 
have by virtue of having been there in the wake of a storm--
Super Storm Sandy--to help identify critical infrastructure and 
prioritize the allocation of resources, that those 
relationships can be brought to bear when our cybersecurity 
advisor has information to impart or wants to talk about how 
the emergency communications need to be strengthened against 
cyber--potential cybersecurity vulnerabilities, for example.
    So I do think this will strengthen, as opposed to conflict 
with, those very important relationships and the kind of 
integration that is happening in our States. It will happen at 
the field. In addition to the work we will do at headquarters, 
the key really is going to be making sure that we have our 
field forces talking to each other, and that is what this 
regionalization is really all about.
    Mr. Langevin. Do you envision that these regional 
integration, say, centers, are they going to be co-located or 
actually happen at the FEMA Region One--at the FEMA regional 
headquarters?
    Ms. Spaulding. They will align with FEMA regions, and 
certainly in Region Four the goal is to share a building, I 
think, with FEMA. FEMA is moving right now. But that won't 
necessarily be the model for every region across the country.
    But certainly that relationship is absolutely critical. We 
support FEMA in very important ways.
    The team down there is supporting the response to the 
flooding in South Carolina, for example, and across the 
Southeast. So those relationships are important, and where co-
location makes sense we will do that.
    Mr. Langevin. Very good.
    Thank you all.
    Thank you, Mr. Chairman. I yield back.
    Mr. Ratcliffe. Gentleman yields back.
    Thank all the witnesses for being here today. I thank you 
for your testimony, for its content, for the spirit of your 
testimony, and for the candor of your responses to the 
questions.
    I thank the--all the Members for their presence and for 
their thoughtful questions to the panel.
    Members of the committee may have some additional questions 
for the witnesses, and I think that has been indicated, and we 
will ask you to respond to those in writing.
    Pursuant to committee rule 7(e), the hearing record will be 
held open for a period of 10 days. Without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

    Questions From Chairman John Ratcliffe for Suzanne E. Spaulding
    Question 1. What problem are you trying to solve with this 
reorganization? Why move forward on a reorganization, now, towards the 
end of an administration?
    Question 2. What is the mission of NPPD? What mission will this 
reorganization create?
    Answer. The mission of NPPD is to lead the National effort to 
secure and enhance the resilience of the Nation's infrastructure in the 
face of cyber and physical risks. As discussed in the Transition Plan, 
NPPD underwent a review of its mission and core functions that has 
informed the proposed transformation. NPPD is not proposing a new 
mission. The new structure proposed by NPPD will allow the organization 
to carry out and deliver the current mission in a more integrated and 
effective manner.
    NPPD is undertaking this transformation to strengthen operations, 
enhance unity across the organization to address both cyber and 
physical risks to infrastructure, create greater efficiency, and 
improve services provided to stakeholders. NPPD's legacy structure, 
particularly the programmatic divide between physical and cybersecurity 
and resilience efforts, limits the effectiveness of operations, creates 
silos between programs, is less efficient because there are multiple 
layers of business support functions, and does not provide service to 
our stakeholders at a level reflective of NPPD's capability. The need 
for these changes has been steadily growing as the Nation faces an 
evolving threat environment, especially within the cyber mission. These 
threats facing businesses and governments at every level are not 
receding; our adversaries are not pausing. We cannot wait to optimize 
our capability to meet this challenge. Moreover, since the concepts and 
plans for these changes were developed by the NPPD workforce made up of 
career civil servants, we expect the transformation to be enduring 
across administrations.
    Question 3. This is the second major reorganization within NPPD in 
3 years (CS&C and OCIA were recently reorganized as well as the 
movement of offices like OBIM and FPS into NPPD). NPPD was itself 
created less than a decade ago. What specific metrics do you have that 
support the argument that this reorganization is best for DHS in the 
long term, is manageable in the long term, and is the best use of 
employee time and taxpayer dollars?
    Answer. The proposed restructuring is focused on the component's 
full mission space to respond to evolving threats. Subcomponents within 
NPPD have undergone organizational change but there has never been a 
component-wide restructuring that addressed the component's full 
mission space and evolving threat requirements. NPPD was created on 
March 31, 2007, pursuant to DHS's authority under Section 872 of the 
Homeland Security Act of 2002 (Pub. L. 107-296). Upon its creation, 
NPPD was comprised of the Office of Cybersecurity and 
Telecommunications (CS&T), the Office of Infrastructure Protection 
(IP), the Office of Risk Management and Analysis (RMA), the Office of 
Intergovernmental Programs (IGP), and United States Visitor and 
Immigrant Status Indicator Technology (US-VISIT). Over the years, 
various pieces of the organization have been transitioned out of the 
organization (RMA and IGP) or have been altered (US-VISIT became Office 
of Biometric and Identity Management (OBIM) at the direction of 
Congress). NPPD also assumed responsibility for the Federal Protective 
Service (FPS) in 2009 and established the Office of Cyber and 
Infrastructure Analysis (OCIA) in 2014. Most significantly, NPPD has 
grown from a headquarters component of a few hundred to an operational 
entity with a workforce of more than 3,000 Federal employees and 
approximately 15,000 contractors located throughout the country.
    Guidance on enhancing the security and resilience of critical 
infrastructure, including the 2014 Quadrennial Homeland Security Review 
and the 2013 National Infrastructure Protection Plan, has increasingly 
recognized that entities must use a holistic risk management framework 
that considers both cyber and physical risks. Over the past few years, 
NPPD has conducted a thorough review of current functions in order to 
align the structure of its programs to known industry best practices as 
well as understand how NPPD can operate more efficiently. This has 
included working with the Department to identify functions that may be 
better located in other parts of the organization and engaging the NPPD 
workforce to determine how NPPD should best carry out its mission. 
While organizational change can be challenging, when carried out 
following best practices, such as those identified by the Government 
Accountability Office, the change will ultimately benefit the mission.
    Question 4. You have said that one of the reasons for this 
reorganization is to adapt to an evolving threat. Is it the correct 
answer to reorganize every time the Nation faces a new threat? Does 
reorganization not distract from addressing the threat?
    Answer. Our adversaries are agile and adaptive; we must be also. 
Since NPPD was created in 2007, the evolving cyber threat has resulted 
in clarified operational authorities, including significant legislation 
initiated by this committee. The organization has grown in complexity, 
and the convergence of risks facing infrastructure requires that NPPD 
better integrate its efforts across the organization to more 
effectively and efficiently carry out its mission. In a time of growing 
mission demands and continued resource constraints, greater 
efficiencies are imperative. NPPD is balancing current operations by 
following U.S. Government Accountability Office (GAO) best practices for 
reorganization to ensure the mission does not suffer.
    Question 5. In late September, it was reported that the Department 
of Homeland Security was rated last in the 2015 Federal Employee 
Viewpoint Survey. How will this reorganization impact this finding? 
Will a major reorganization or realignment not increase the turmoil?
    Answer. The transformation is designed to provide greater clarity 
of mission, a stronger sense of identity, and structures and 
capabilities that make it easier for the workforce to effectively 
accomplish mission requirements. The NPPD workforce carries out the 
incredibly difficult and demanding mission of protecting our Nation's 
infrastructure and their hard work forms the backbone of our operations 
as we strive to meet evolving mission needs. Having structures in place 
that facilitate the operational focus and holistic approach that the 
mission requires, as well as a name that clearly conveys that mission, 
should help improve morale. Although NPPD still needs to make 
significant progress in improving morale, Federal Employee Viewpoint 
Survey scores have been rising. Moreover, NPPD is following best 
practices in change management, particularly those recommended by GAO, 
to involve employees, build trust, and gain ownership for the 
transformation. More than 100 employees participated in working groups 
that took place from July-August 2015, and many more have become 
involved as the planning efforts continue. Many of the ideas we 
proposed in the Transition Plan came directly from our workforce, and 
our employees have served a critical role in this process by developing 
recommendations, the Transition Plan, and follow-on action plans.
    Question 6. GAO recommends obtaining consensus with stakeholders on 
identified problems and needs as well as solutions when considering 
reorganization. Do you have a record of input provided by your 
employees? If so, please share that information. If not, why not? If 
not, how was input formally tracked and integrated? Was any feedback 
provided in response to specific employee comments? Morale at NPPD is 
and has been dismal. (Among the lowest at DHS and the Federal 
Government). How confident are you that this proposal will improve 
morale? How can you know when the plan has been recently completed? How 
can you ensure any reorganization will not affect morale in a negative 
way? Have you surveyed your workforce? If this negatively impacts 
morale, who should we hold accountable?
    Answer. As noted above, GAO best practices on transition recommend 
obtaining consensus with stakeholders on identified problems and needs 
as well as solutions when considering reorganization. This 
transformation and the ideas proposed in the Transition Plan have been 
driven by NPPD employees. Feedback was first collected through the 
working groups of the Mission Integration Cell in the form of 
recommendations on how to better integrate programs (attached as 
requested).* The Mission Integration Cell recommendations were used to 
develop the framework for the proposed organization. Employees were 
then asked to participate in working groups to develop the Transition 
Plan. The Transition Plan, which was previously provided to the 
committee, but is also attached,* includes input provided by employees. 
Feedback was provided to all specific comments received. In addition, 
NPPD has established an email account for employees to submit questions 
and receive answers regarding the transformation. These questions are 
tracked and cleared of personally identifiable information, then posted 
to the internal NPPD Transformation site.
---------------------------------------------------------------------------
    * [The information was not received at the time of publication.]
---------------------------------------------------------------------------
    Cultural change is often more difficult than structural change, but 
when accomplished, it can generate dramatic, positive results for the 
workforce. NPPD's Federal Employee Viewpoint Survey results have risen 
slightly over the last few years. While we still have a long way to go, 
making cultural changes as discussed in the Transition Plan will 
further support improving morale. Critical to this success is ensuring 
that changes to structure, process, vision, human capital and knowledge 
management systems, and governance are designed to reinforce the new 
culture of the organization. We are cognizant of the impact to the 
workforce. However, an organizational structure that is agile and 
allows flexibility to respond to the evolving mission provides 
stability to the workforce as well as clarity of focus for the 
organization going forward. NPPD has taken steps to ensure there is 
appropriate change management support throughout the transition.
    Question 7. Part of your plan includes regional integration, but 
the regional pilot has not yet concluded, nor has it formally 
reported its findings. What is the purpose of this pilot, if not to 
gather data for the proposal? How much has this pilot cost, and how 
much will it cost, including office costs, equipment, travel, per diem, 
overtime, and man-hours?
    Answer. In July 2015, NPPD established a 6-month Regional 
Integration Pilot to assess the benefits of integrated field forces and 
to provide recommendations for aligning NPPD's field forces into a more 
cohesive organization. To achieve the priorities of both enhancing 
operations and achieving a Unity of Effort across programs, NPPD will 
evaluate the on-going results of the pilot project to inform any plan 
to shift resources and personnel from the National Capital Region (NCR) 
and establish regional headquarters in the 10 Federal regions.
    Initial findings have indicated the need for additional staff to be 
located in the field, but specifics on which positions will wait until 
the After-Action Report is completed. In addition, NPPD will need to 
work closely with the Department's Management Directorate for space and 
resource allocations as consideration is made for regional integration.
    Costs for the first quarter of the pilot are included below. This 
does not include salaries and benefits since those are not new costs 
and would be incurred whether the position was stationed in the field 
or headquarters.

       PILOT COSTS FOR QUARTER 4 FISCAL YEAR 2015 (JULY-SEPTEMBER)
 
------------------------------------------------------------------------
                         Expense                              Amount
------------------------------------------------------------------------
Rent....................................................      $82,127.22
Security................................................        9,331.86
Information Technology (IT).............................       14,463.75
Supplies................................................       26,380.00
Travel (includes Per Diem)..............................      199,170.61
                                                         ---------------
      Total.............................................      335,676.52
------------------------------------------------------------------------

    Question 8. How will the proposed reorganization affect CS&C and IP 
partners? Are there any metrics to indicate their preferences? Has 
formal feedback on the plan been requested through the Sector-Specific 
Agencies?
    Answer. The key changes for the Office of Cybersecurity and 
Communications (CS&C) and the Office of Infrastructure Protection (IP) 
are the elevation of the National Cybersecurity and Communications 
Integration Center (NCCIC) to the Assistant Secretary level and the 
enlistment of IP's expertise and relationships fully into the cyber 
mission. Through the organizational changes outlined in the Transition 
Plan, NPPD will be able to more effectively and efficiently support our 
partners in the private sector, across the interagency, and in State, 
local, territorial, and Tribal governments. It will elevate and focus 
cyber mitigation and response operations, facilitate a holistic 
approach to NPPD's risk management support, and allow the entire 
organization to better leverage stakeholder relationships to support 
operational activity countering physical and cyber risks. NPPD is also 
committed to improving service delivery to customers by enhancing the 
presence of NPPD staff in the field and better integrating field 
service activities. A robust field force will directly engage with 
stakeholders located throughout the country and carry out NPPD 
operations at a local level.
    NPPD has been engaging stakeholder groups, including partners 
through the sectors, to inform them of the proposed plan and receive 
their feedback. This includes briefings to the Cross-Sector Council 
(Federal Senior Leadership Council; Critical Infrastructure-Cross 
Sector Council; Regional Consortium Coordinating Council Chair and Vice 
Chair; State, Local, Tribal, and Territorial Government Coordinating 
Council Chair and Vice Chair; and the National Council of ISACs Chair 
and Vice Chair); the Information Technology, Communications, and Energy 
(Electricity Subsector) Sectors; the SAFECOM Executive Committee and 
Emergency Response Council; the National Council of State-wide 
Interoperability Coordinators; the National Security Telecommunications 
Advisory Committee; the Homeland Security Advisory Committee; as well 
as other sector and stakeholder groups.
    Question 9. How does the proposed reorganization help build 
confidence in the public and private sectors that DHS is focusing on 
its cybersecurity mission?
    Answer. A key outcome of the transition is to elevate the stature of 
the National Cybersecurity and Communications Integration Center 
(NCCIC) within the organization. This will enable the Department to 
focus on the technical cyber operations that are essential to increase 
the operational readiness and resilience of information technology and 
communications assets, systems, and networks through vulnerability 
mitigation, incident response, and recovery. In addition, integrating 
stakeholder capacity-building efforts within the new infrastructure 
security entity will bring coordinated mission support to public and 
private sectors by more effectively bringing existing relationships, 
critical infrastructure expertise, and relevant data to bear on the 
cyber mission. Finally, changing NPPD's name to Cyber and 
Infrastructure Protection will clarify who is responsible for this 
mission space.
    Question 10. One of the top priorities of this committee has been 
to ensure DHS and NPPD have a qualified cyber workforce to carry out 
its mission. With the proposed reorganization, Infrastructure Security 
would include several cybersecurity programs that would be moved out of 
NPPD's cyber entity, CS&C, and merged with NPPD's physical mission. It 
is hard enough to recruit good cybersecurity talent, how will the 
Department be able to recruit individuals that have expertise in the 
cybersecurity mission and physical mission?
    Answer. Hiring technical experts with the appropriate level of 
cyber expertise is a challenge for all of Government and will continue 
to be so. This committee addressed this issue with the development of 
legislation that passed Congress last year to enhance cyber workforce 
hiring efforts. However, it is important to understand that not all of 
these positions require technical cyber expertise. The concept is to 
bring physical security experts and cybersecurity experts together to 
achieve a holistic approach to the risk-management capacity of NPPD's 
stakeholders. The stakeholder engagement programs that are currently 
located within the Office of Cybersecurity and Communications and are 
proposed to move to the new Infrastructure Security would retain the 
staff currently running these programs. Within Infrastructure Security, 
these programs would align with programs currently residing within the 
Office of Infrastructure Protection that also currently focus on stakeholder 
engagement; combining these efforts enhances the ability of the 
organization to address cyber risks.
    In addition, through the transformation, NPPD is planning ways to 
raise the baseline expertise of our current staff. For example, we have 
been offering cybersecurity training to Protective Security Advisors to 
raise their level of expertise and we plan to continue this with the 
entire organization, to include training provided at the National 
Computer Forensics Institute (NCFI). As a cybersecurity organization, 
the entire NPPD workforce must have a basic level knowledge of 
cybersecurity. One of the Transformation Plan actions is to increase 
training for our current staff and ensure future staff has access to 
the training necessary to carry out their positions.
    Question 11. Given that cybersecurity is an emerging National 
priority, why do you think it is necessary to potentially disrupt 
current operations and support activities? (Possibly creating risk for 
current operations.) Is NPPD and DHS's cybersecurity mission somehow 
under-performing? If so, why hasn't this been mentioned before?
    Answer. Our adversaries are constantly improving their 
capabilities. We must do the same. The increased operational 
responsibilities that have been assigned to NPPD over the last few 
years reflect a growing appreciation for the important work NPPD has 
been doing. NPPD's responsibilities in this mission area will continue 
to grow, making greater efficiency imperative. For example, the NCCIC 
has seen a tremendous increase in workload over the last few years. 
From fiscal year 2012 to fiscal year 2013, there was an increase of 35% 
of reported incidents. From fiscal year 2013 to fiscal year 2014, there 
was a 31% increase, and preliminary data suggests that from fiscal year 
2014 to fiscal year 2015, there was a 40% increase in reported 
incidents. Overall, this is a 146% increase in reported incidents from 
fiscal year 2012 to fiscal year 2015. The technical operations being 
carried out by the NCCIC must remain the priority of NCCIC leadership, 
but not at the expense of capacity-building activities that are 
proposed to transfer to the new Infrastructure Security. The 
transformation will ensure the organization is best suited to address 
current and future challenges.
    Question 12. Has NPPD attempted to formally align business process 
across IP and CS&C? Have any joint or cross-cutting policies and 
procedures been created? (Please provide all of the policies, 
procedures, and management directives or formal management guidance 
focused on achieving better integration prior to this reorganization 
attempt--to include any finalized pilot reports). How much management 
oversight was dedicated to aligning these offices, short of 
reorganization? If these efforts failed or were insufficient, why did 
they fail? Has a formal Business Impact Analysis been done? When will 
this be completed?
    Answer. To create efficiencies, and ensure greater agility in 
mission support functions, NPPD is proposing to formally align business 
processes by centralizing the strategic management of many of its 
business support functions of existing subcomponents, while embedding 
business support professionals with operators. This will improve 
operational efficiencies by providing strategic management direction 
while ensuring the effective delivery of business support functions. In 
this model, NPPD will ensure high levels of customer service by 
distributing staff according to the needs of the operational or mission 
support element, and embedding staff to support operations directly. 
The intended outcome for NPPD is an effective, efficient, integrated 
business support structure for better coordination and better support 
to the mission areas.
    NPPD leadership has also issued management guidance in the past 
specific to better integrating programs to support cyber and physical 
risks to infrastructure. In 2011, then-Under Secretary Rand Beers 
established the Integrated Analysis Task Force as a pilot to assess the 
best approach for integrating analytic support for all of NPPD. For 
example, to demonstrate the value of bringing expertise from across 
NPPD to understand the potential physical consequences from a cyber 
incident, Integrated Analysis Task Force collaborated with the State of 
New Jersey at 4 Water and Wastewater Sector facilities to assess the 
facilities' systems and identify site-specific options to mitigate 
potential physical consequences that could stem from exploited cyber 
vulnerabilities within those systems. Through the fiscal year 2014 
budget process, Congress formally approved the establishment of the 
Office of Cyber and Infrastructure Analysis to continue this work 
permanently.
    Another example of a temporary task force created by NPPD 
leadership to integrate programs to support cyber and physical risks to 
infrastructure was the Integrated Task Force, established from February 
2013 to February 2014. The Integrated Task Force was established to 
lead the Department's implementation of Executive Order (EO) 13636 on 
Improving Critical Infrastructure Cybersecurity and Presidential Policy 
Directive (PPD)-21 on Critical Infrastructure Security and Resilience. 
The Integrated Task Force coordinated interagency, public- and private-
sector efforts and ensured that implementation across the homeland 
security enterprise was effectively integrated and synchronized.
    Both of these efforts demonstrate the effectiveness of taking an 
integrated approach to NPPD's mission; however, due to limitations 
related to permanently establishing task forces and assigning personnel 
on long-term detail assignments, the model is unsustainable for long-
term success. Just as the success of the Integrated Analysis Task Force 
led to formal integration of NPPD's analytic functions, the efforts of 
the Integrated Task Force have informed NPPD's proposal to formally 
integrate programs to address cyber and physical risks.
    Question 13. How will NPPD perform better separating the NCCIC from 
CS&C and moving other cybersecurity functions to an infrastructure 
security division? What assurances can you provide that capabilities 
will not be duplicated or re-created?
    Answer. Elevating the NCCIC to the Assistant Secretary level will 
bring focused, senior-level attention to those critical cyber 
operations. And bringing cyber risk management expertise together with 
physical risk management expertise will allow NPPD to bring a holistic 
approach to its capacity-building efforts with the private and public 
sectors. GAO has specifically called for NPPD to analyze its programs 
for ``fragmentation, overlap, or unnecessary duplication.'' DHS is 
proposing alignment of like functions--those that currently exist 
within the Office of Cybersecurity and Communications and the Office of 
Infrastructure Protection. These capacity-building operations are 
different than the technical operations that exist within the current 
NCCIC. Together, capacity building and technical operations ensure 
private and public-sector partners can prepare for, prevent, mitigate, 
and respond to cyber and physical threats to infrastructure. Through 
the planning process the development of clear roles and 
responsibilities will ensure NPPD capabilities are not duplicated.
    Question 14. Where will DHS's responsibilities for State and local 
government cybersecurity reside? Critical Infrastructure cybersecurity? 
Best practice development? Will the NCCIC retain or re-create any cyber 
outreach functions, or will it rely on the new organization? Where will 
operational coordination and stakeholder outreach take place?
    Answer. Responsibility for State and local cybersecurity, critical 
infrastructure cybersecurity, and best practice development will reside 
within the proposed Cyber and Infrastructure Protection organization. 
Specifically, the NCCIC will continue its work with the Multi-State 
Information Sharing and Analysis Center (MS-ISAC) and will continue to 
conduct necessary outreach and engagement with public and private-
sector stakeholders to support its technical cyber operations. 
Operational coordination will be a primary function of the proposed 
Operations Coordination and Watch Center, ensuring there are 
appropriate plans in place and these plans are exercised regularly. 
Infrastructure Security will serve as the lead for ensuring strategic 
engagement plans are developed in an integrated manner. These technical 
and strategic engagement efforts will be integrated in the new 
organization through the establishment of processes that will enable 
the new structure to engage stakeholders in a coordinated manner. This 
will include the use of technology such as a customer relationship 
management tool. It is envisioned that Infrastructure Security will be 
responsible for the overarching management of coordinating engagement 
activities to ensure appropriate technology is leveraged, processes are 
developed, and engagement activities meet stakeholder requirements.
    Question 15. Your peers in the cybersecurity community seem to be 
moving in a different direction: Consolidation around cyber. They are 
creating cyber-focused organizations, not cyber and physical hybrids. 
(CYBERCOM, FBI Cyber Division, etc.) Why are you moving to diffuse 
cybersecurity functions and missions rather than consolidating?
    Answer. DHS has consolidated cyber mitigation and response 
operations in the NCCIC, and the Transition Plan strengthens that 
consolidation by bringing into the NCCIC key cyber operational 
capabilities like EINSTEIN and Continuous Diagnostics and Mitigation. 
Effectively meeting the challenge to critical infrastructure posed by 
cyber threats, however, also requires a risk management approach that 
reflects the increasing convergence of cyber and physical. We see this 
convergence in the Internet of Things, in the potential for cyber 
attacks to produce physical consequences, in attacks that combine 
disruption of information and communication technology and physical 
destruction, and in the cyber dependence of networked security systems 
like closed circuit security cameras and electronic access controls. It 
is essential to avoid cyber and physical stovepipes when assessing 
critical infrastructure threats, vulnerabilities, consequences, and 
mitigation measures. The first indication of a major cyber attack may 
come from detecting its manifestation in the physical world. And the 
most cost-effective measure to address a cyber threat may be to 
mitigate potential physical consequences or to create redundancies that 
are not cyber dependent. By aligning voluntary partnership and 
communications programs to Infrastructure Security, NPPD's cyber and 
physical security capacity-building programs will be better positioned 
to support public and private-sector stakeholders in the development of 
risk management assessments and investments across physical and cyber. 
In addition, by leveraging the entirety of the organization to address 
its cybersecurity responsibilities, NPPD will enhance its effectiveness 
to achieve the cyber mission.
    Question 16. How many CIKR, State, and local and other partners 
combine their physical security organizations and cybersecurity 
organizations? Is this kind of re-organization a best practice 
somewhere, or do other organizations use processes to bridge gaps 
between cybersecurity and physical security? If DHS is leading the way, 
do you have any evidence that anyone else is following?
    Answer. Physical and cybersecurity requirements for critical 
infrastructure owners and operators are inextricably linked. An attack 
on an IT-based system may have impacts on physical security and vice 
versa, which is why NPPD has been focused on integrating its programs 
related to cyber and physical risks to infrastructure and better 
understanding the link between physical and cybersecurity. For example, 
in 2014 GAO released a report on Federal facility cybersecurity and 
recommended that NPPD develop and implement a strategy to address cyber 
risk to building and access control systems. In addition, GAO 
recommended that NPPD, through the Interagency Security Committee, 
revise its Design-Basis Threat report to include cyber threats to 
building and access control systems (Federal Facility Cybersecurity: 
DHS and GSA Should Address Cyber Risk to Building and Access Control 
Systems; GAO-15-6). The proposed transformation is designed to enable 
the services NPPD provides for comprehensive security of 
infrastructure.
    Adopting holistic enterprise risk management frameworks has been a 
growing best practice in the private sector and is now being identified 
as an approach Federal agencies need to take by the Office of 
Management and Budget through Circular A-11.
    As described in a 2013 National Security Telecommunications 
Advisory Committee (NSTAC) Report to the President on Secure Government 
Communications,\1\ industry has realized many advantages to creating a 
centralized risk management governance model. The report notes that 
``Instituting this centralized risk management governance framework 
requires defining and prioritizing the functions and capabilities 
relevant to the organization's objectives (risks and opportunities), 
assessing them in terms of likelihood and magnitude of impact, 
determining a response strategy, and monitoring progress. Industry 
representatives briefing the NSTAC held that centralizing risk 
governance allows an organization to more effectively manage all risks 
to the business/mission (including but not limited to IT risks) and 
create a strategy for managing consequences of intrusions. By 
identifying and proactively addressing risks and opportunities, 
business enterprises protect and create value for their stakeholders, 
including owners, employees, customers, regulators, and society 
overall.''\2\ The report goes on to describe how industry has 
implemented this new approach. ``Industry leaders and some Government 
leaders have shifted their organizational responsibilities and made 
qualitative changes to how they manage enterprise risks. (Emphasis 
added.) The new paradigm covers all lines of business, creating a shift 
in strategic emphasis from compliance to improving how security risks 
are managed. Risks can come from uncertainty in financial markets, 
project failures, legal liabilities, credit risk, accidents, natural 
causes, and disasters, as well as deliberate attacks by an adversary. 
Once organizations expand the alignment of current threats solely from 
IT to all mission functions, a holistic view of the risks can be 
addressed.''\3\
---------------------------------------------------------------------------
    \1\ NSTAC Report to the President on Secure Government 
Communications, http://www.dhs.gov/sites/default/files/publications/
NSTAC%20Report%20to%20the%20President%20- 
on%20Secure%20Government%20Communications%20%20Fina%20%20%20_1.pdf.
    \2\ Id. at page 36.
    \3\ Id. at page 36.
---------------------------------------------------------------------------
    Question 17. How many man-hours have been committed to this 
reorganization effort and how many man-hours will be required to carry 
it to its conclusion? What is the time frame for finalizing the 
reorganization, and are you committed to seeing it through personally?
    Answer. While initial efforts for enhanced integration were started 
in June 2014, NPPD assigned a team of 7 employees in July 2015 to serve 
full-time on the implementation planning team. In accordance with GAO 
best practices, NPPD has involved employees in the development of the 
Transition Plan, with more than 100 employees participating in the 
development of the Transition Plan between July and August, although 
the numbers of hours committed from each employee were different. NPPD 
has completed an initial phase of planning and will continue planning 
efforts in the new calendar year. This will include the development of 
processes and other activities that will position the organization to 
implement the Transition Plan following Congressional action. The time 
frame for final completion will be dependent on Congressional action as 
indicated in the Transition Plan. NPPD is committed to seeing the plan 
implemented.
    Question 18. The argument is that in order to achieve greater Unity 
of Effort, enhanced operational activities, and excellence in 
acquisition program management a reorganization or transformation is 
required. Why can't these goals be accomplished working within NPPD's 
current structure?
    Answer. NPPD's workforce endeavors every day to work more 
collaboratively and efficiently across the organization. However, the 
current organizational structure makes it harder to achieve Unity of 
Effort by promoting stovepipes and layers. The Transition Plan is 
designed instead to facilitate the kind of integration we seek, rather 
than asking employees to overcome structural impediments.
    Question 19. Congress recently passed a law designating the NCCIC 
as the Federal civilian interface for sharing information concerning 
cybersecurity risks, incidents, analysis, and warnings for Federal and 
non-Federal entities, including owners and operators of critical 
infrastructure information systems. Yet, you propose to create a new 
organization outside of the NCCIC that would be the primary mechanism 
for communicating about cybersecurity risk to a large segment of your 
customers. Why re-create a new organization to conduct these activities 
outside of the NCCIC?
    Answer. Congress's designation of the NCCIC as a Federal civilian 
interface for sharing information concerning cybersecurity risks, 
incidents, analysis, and warnings for Federal and non-Federal entities, 
including owners and operators of critical infrastructure information 
systems, was a significant step and will remain as envisioned by this 
committee. Within the NPPD structure, there are other entities 
responsible for communicating about risks to critical infrastructure--
the Office of Infrastructure Protection is responsible for engaging 
public and private-sector partners on risks to infrastructure, 
including cyber infrastructure, and within the Office of Cybersecurity 
and Communications, the Stakeholder Engagement and Critical 
Infrastructure Resilience division is also responsible for engaging 
public and private-sector partners on cyber risks to infrastructure, 
including communications infrastructure. NPPD is proposing to align 
these like activities in order to ensure a more integrated approach for 
managing risk to infrastructure. These activities would be informed by 
and directly complement the operational work of the NCCIC.
    Question 20. GAO has DHS cybersecurity operations on its high-risk 
list. How will this help directly address their concerns?
    Answer. The proposed transformation will directly address the GAO 
High-Risk list related to cybersecurity by enhancing NPPD's ability to 
carry out its mission. NPPD is undertaking this transformation to 
strengthen operations, enhance unity across the organization to address 
both cyber and physical risks to infrastructure, create greater 
efficiency, and improve services provided to stakeholders. Elevating 
the NCCIC within the organization will enable the Department to focus 
on the technical cyber operations that are essential to increase the 
operational readiness and resilience of information technology and 
communications assets, systems, and networks through vulnerability 
mitigation, incident response, and recovery. In addition, integrating 
stakeholder capacity-building efforts within a new infrastructure 
security entity will bring coordinated mission support to public and 
private sectors by more effectively bringing existing relationships, 
critical infrastructure expertise, and relevant data to bear on the 
cyber mission.
    Question 21. How will focusing on a reorganization and having 
employees adapt to new supervisors and chains of command distract the 
workforce from a real-time, 24/7 operational mission?
    Answer. There will inevitably be some period of adjustment, but 
there will not be significant disruption to the operational mission. 
Our workforce has been a priority as we have developed this plan, and 
will continue to be in the future. The primary way we have ensured 
preparation for the challenges related to the workforce is by directly 
involving our employees in the development of the plan and keeping them 
informed throughout the process. We have brought in change management 
support to help us ensure that, as we move forward in this process, 
we are appropriately communicating and engaging with our employees.
    All of these actions are best practices as defined by GAO in their 
report ``Implementation Steps to Assist Mergers and Organizational 
Transformations.'' Making these changes will offer our employees new 
opportunities and demonstrate the importance of their work. It is 
recognized that we must be diligent in our commitment to addressing 
challenges as we continue forward in this process.
    Question 22. The testimony you provided noted that you were looking 
to develop career path options for regional and headquarters-based 
employees. What are the current options? Why is reorganization 
necessary to offer these options?
    Answer. There is not currently a well-defined career path for NPPD 
employees, especially in the field where there are limited positions. 
Placing more positions at different grade levels in the field would 
allow for career path options, which would aid in employee retention 
and job satisfaction. In addition, the centralization of business 
support functions, specifically human resources, will allow for the 
development of cross-component strategies for career paths and 
development opportunities for employees. Placing more positions in the 
field at various grade levels and centralizing business support 
functions are key aspects of the overall Transition Plan.
    Question 23. In your testimony you noted, ``Infrastructure 
Security, will focus on activities to protect the Nation's 
infrastructure from cyber and physical risks.'' If one of the goals of 
Infrastructure Security is to look at the cyber and physical risk to 
critical infrastructure, why has the Office of Cybersecurity and 
Infrastructure Analysis or OCIA not moved into Infrastructure Security? 
Isn't that the mission of OCIA?
    Answer. The Office of Cyber and Infrastructure Analysis (OCIA) 
provides mission support across NPPD, informing decision makers on 
potential impacts to critical infrastructure from all-hazards through 
comprehensive consequence analysis during both steady-state and crisis 
action. The establishment of OCIA was the first step in formally 
integrating NPPD's programs and OCIA now serves as an integrated 
analysis function for the organization. OCIA will continue in the new 
structure to provide infrastructure consequence analysis, decision 
support, and modeling capabilities in support of the NCCIC, 
Infrastructure Security, and the Federal Protective Service.
    Question 24. When the proposed reorganization first came to light, 
the general thought was that NPPD was seeking its own Acquisition 
authority to build on its work through Network Security Deployment of 
programs like EINSTEIN and Continuous Diagnostics and Mitigation. 
However, from the briefing you provided recently this goal is not as 
clear. What is your goal or plan for acquisitions within NPPD? What is 
the new proposed function, Acquisition Program Management? What does it 
mean for the directorate? Why move functions like life-cycle logistics 
and the role of contracting office representative away from the 
organizations and programs that utilize the programs and tools that 
result from acquisition programs?
    Answer. NPPD is not seeking Head of Contracting Activity (HCA) 
Authority, which currently resides within the DHS Management 
Directorate.
    The Transition Plan envisions the creation of an Acquisition 
Program Management function to oversee the planning, implementation, 
and management of NPPD acquisition programs. Similar to other DHS 
components, the Acquisition Program Management function will be led by 
an acquisition executive with the knowledge and experience to oversee 
such programs. The Director of Acquisition Program Management will be 
supported by a cadre of acquisition professionals (i.e., systems 
engineers, cost estimators, life-cycle logisticians, and other subject-
matter experts) to help support and oversee acquisition programs. 
Acquisition Programs will be established and staffed within the 
particular function that is being supported by the acquisition program. 
For example, the National Cybersecurity Protection System (NCPS), more 
commonly known as EINSTEIN, would have dedicated staff within the NCCIC 
and be supported by the Acquisition Program Management function to 
ensure the acquisition is properly managed. Acquisition Programs 
(depending on their level/dollar value and complexity) will fall under 
the purview of a Portfolio Manager who reports to the operational 
entity, and is staffed by one or more program managers and supporting 
staff including Contracting Officer's Representatives and other 
subject-matter experts needed to adequately staff the program. The 
Director of Acquisition Program Management will provide input into the 
performance evaluation of the Portfolio Manager. This proposed 
structure is based on best practices currently in use for large-scale 
acquisitions and is consistent with structure(s) recommended by the 
Management Directorate.
    Question 25. The Office of Emergency Communications (OEC) has 
extensive experience working with State and local first responders to 
enhance communications interoperability. What outreach have you done 
with State and local stakeholders on the NPPD reorganization proposal 
and what it specifically means for OEC?
    Answer. NPPD has briefed stakeholders of the Office of Emergency 
Communications (OEC) on the transition plan, including members of the 
SAFECOM Executive Committee and Emergency Response Council and the 
National Council of State-wide Interoperability Coordinators.
    Question 26. How will the movement of OEC into an Infrastructure 
Security division enhance its operations or at least continue its level 
of engagement with State and local first responders?
    Answer. OEC carries out a critical part of NPPD's mission by 
advancing interoperable and National security/emergency preparedness 
communications by building the capacity of first responders through 
training, technical assistance, and development of governance 
structures across the country. Placing OEC within an organization that 
is focused on these types of capacity-building operations will enable 
OEC to continue the excellent work it does every day as well as expand 
its reach to new stakeholders through Infrastructure Security's sector 
relationships, such as the Emergency Services Sector, and the 
integrated field forces that will promote the wide range of NPPD 
programs and services.
    Question 27. As DHS and GSA look to implement Phase 2 and Phase 3 
of the Continuous Diagnostic & Mitigation (CDM) program, is secure 
content management or data encryption at the document level an area of 
focus? What is CDM's time line for implementing these types of secure 
content management solutions for Federal agencies as a part of CDM?
    Answer. Yes. Secure content management and data encryption are 
associated with the CDM Phase 3 capability. Under the Boundary 
Protection technical requirements currently in draft, secure content 
management is addressed by in-coming inspection of web, email, and 
other traffic. Data protection is being addressed through Digital 
Rights Management Capabilities. The CDM program is a dynamic approach 
to fortifying the cybersecurity of Government networks and systems. CDM 
provides Federal departments and agencies with capabilities and tools 
that identify cybersecurity risks on an on-going basis, prioritize 
these risks based upon potential impacts, and enable cybersecurity 
personnel to mitigate the most significant problems first.
    Task order planning to provide the Phase 3 capabilities is 
underway. We are on schedule to release the draft technical 
requirements to the Continuous Monitoring as a Service (CMaaS) Blanket 
Purchase Agreement holders in the second quarter of fiscal year 2016. 
That will be followed by additional technical requirements for the 
remainder of Phase 3 capabilities (i.e., Incident Management and 
Security Lifecycle Management) in the third quarter of fiscal year 
2016. We expect solicitations to be released by fiscal year 2017.
    We will continue to update the committee as appropriate.
     Questions From Honorable Scott Perry for Suzanne E. Spaulding
    Question 1. The testimony you provided noted that the proposed 
reorganization will increase FPS's focus on protecting cybersecurity 
aspects of Federal facilities in coordination with the NCCIC. Is 
anything like this happening now? How will the reorganization change 
current behavior?
    Answer. In 2013, NPPD carried out a cross-NPPD assessment of a 
Federal facility that examined the cybersecurity of the facility. As a 
result, over the last few years NPPD has directed more attention to 
ensuring Federal facilities are appropriately considering cyber risks. 
GAO released a report in December 2014 that recommended NPPD develop 
and implement a strategy to address cyber risk to building and access 
control systems. NPPD is currently finalizing that strategy. The 
reorganization would support this strategy by appropriately 
prioritizing resources to ensure the strategy is effectively 
implemented.
    Question 2. How do you view the role of the Federal Protective 
Service (FPS) relative to NPPD? How will this reorganization affect 
that organization? How will FPS be integrated into the directorate? How 
do you view the role of FPS in protecting physical infrastructure? How 
do you view FPS's role in terms of physical-cyber alignment?
    Answer. The Federal Protective Service (FPS) carries out NPPD's 
mission by managing risk and ensuring continuity for one of the most 
crucial elements of National critical infrastructure--the Nation's 
Federal facilities. A key aspect of their work is assessing the 
security of Federal facilities and recommending mitigation measures to 
the Facility Security Committees. The transformation will provide 
mechanisms and structure to better leverage this data, expertise, and 
activity across NPPD. FPS will better integrate its field operations 
with field forces throughout the organization to enable comprehensive 
security and resilience for NPPD stakeholders, as well as co-locate 
incident management support with NPPD Watch functions to gain 
efficiencies and improve situational awareness. Cybersecurity of 
Federal facilities will continue to expand as an area requiring 
attention as they adopt the use of more technology for physical 
security and other purposes. Through the transformation and integrated 
operations, FPS will have greater access to cybersecurity support to 
enable the protection of Federal facilities from cyber risks.
    Questions From Ranking Member Bennie G. Thompson for Suzanne E. 
                               Spaulding
    Question 1. You have said that the reorganization of NPPD is 
intended to result in integrated situational awareness and operational 
coordination. In August, I wrote to you asking to explain the 
limitations of the current operational structure; however, you failed 
to give specific examples in your response. Once again, I ask, what are 
the limitations of the current organizational structure that can only 
be addressed through reorganization?
    Answer. NPPD's current organizational structure evolved over 
several years. It consists of 5 subcomponents as well as the Office of 
the Under Secretary which primarily provides management services. The 
current organizational structure is not optimized to ensure that we are 
fully leveraging our resources, expertise, relationships, and data 
across all of NPPD. Nor does it provide the level of agility that is 
required to achieve our mission against rapidly evolving threats and a 
dynamic set of adversaries.
    To date, we've made some progress toward achieving this necessary 
integration. In 2014, NPPD established the Office of Cyber and 
Infrastructure Analysis to serve as an integrated analysis function for 
the organization. We have seen the benefit of having an integrated 
function and we are now seeking to formalize additional integrated 
functions, such as the proposed Operations Coordination and Watch 
function. The Operations Coordination and Watch function would pull 
together information received from our staff, as well as stakeholders, 
and ensure we develop a comprehensive picture of the state of 
infrastructure across all sectors. We currently develop situational 
awareness reports for various stakeholder groups, but because 
situational awareness is developed within the subcomponents, we do not 
always have an integrated picture of infrastructure.
    In addition, the Operations Coordination and Watch function will 
also provide essential operations coordination to ensure that the 
operations we carry out on an everyday basis, as well as operations 
during incidents, are well-coordinated and achieve mission objectives. 
For example, in support of the pilot taking place in Region IV, the 
joint operations coordination function developed a cross-NPPD hurricane 
response plan. The team has been able to use that plan to prepare for 
and respond to hurricanes, storms, and even the recent flooding in 
South Carolina. Without the integrated operational planning function 
being piloted, we would not have been as successful in carrying out our 
mission.
    Question 2. In May 2013, NPPD issued a strategic plan, which was 
intended to guide the directorate's activities for the next 5 years. 
Today, we are considering a wide-scale reorganization of the component. 
Before we consider this reorganization it would be good to hear a 
little about any past or current efforts at ``leveraging synergies'' 
within NPPD to get subcomponents to work ``in concert across 
subcomponent.'' Please share with the committee what has been done 
since this strategic plan and if any of the results are informing the 
reorganization of the component.
    Answer. Integrating NPPD operations and having the subcomponents 
work better together has been a priority for several years and is 
reflected in the strategic plan. In June 2014, in an effort to identify 
ways to better integrate programs across NPPD, the Mission Integration 
Cell was established. Over the next 6 months, members of the Mission 
Integration Cell facilitated working groups comprised of employees from 
across the organization to brainstorm ideas for better integrating our 
operations and provided recommendations to me. As a result of these 
recommendations, we have implemented several interim solutions and used 
the recommendations as the basis for the proposed transformation.
    For example, one of the recommendations of the working group was to 
establish a pilot to assess whether integrated field operations would 
improve our ability to carry out our mission. The pilot includes staff 
currently based in the region, as well as staff based in the NCR, who 
have been placed in the region on a temporary basis. By the end of the 
pilot, we hope to have a better sense of what resources are necessary 
in the field to ensure the services we deliver to our stakeholders 
(technical assistance, training, assessments, etc.) are enabling secure 
and resilient infrastructure. The pilot will further inform our 
proposal for reorganization.
    Question 3. There are over 3,500 employees that could potentially 
be impacted by a reorganization at NPPD. To what degree have you 
planned for the inevitable challenges, particularly personnel 
challenges, associated with major organizational reorganizations?
    Answer. Our workforce has been a priority as we have developed this 
plan and will continue to be in the future. We are providing regular 
communications along with engaging employees in the transition work 
groups from across a broad spectrum of the organization. This effort 
has been driven by employees, going back to the Mission Integration 
Cell working groups and the recommendations that were presented from 
our employees as a part of that initial effort. To develop the 
Transition Plan, we established 5 working groups of more than 100 
staff. Their ideas shaped the proposal we are discussing today. We've 
also offered a forum for employees to provide feedback and ask 
questions, through town halls as well as emails and newsletters.
    In addition, we brought in change management support to help ensure 
that, as we move forward in this process, we are addressing the 
challenges associated with the transformation and appropriately 
communicating and engaging with our employees. All of these actions are 
best practices as defined by GAO in its report ``Implementation Steps 
to Assist Mergers and Organizational Transformations.'' We expect that 
the proposed transformation will offer our employees new opportunities 
and demonstrate the importance of their work. However, we know that we 
must be diligent in our commitment to addressing challenges as we 
continue this process.
    Question 4. According to your NPPD Transformation Plan, there is a 
regional integration pilot field office located in Atlanta, Georgia. 
Will you please describe the functions of this field office? How are 
you using the outcomes from this ``pilot'' to inform your 
reorganization plans?
    Answer. In July 2015, NPPD established a Regional Integration Pilot 
to assess the benefits of integrated field forces and provide 
recommendations for aligning NPPD's field forces into a more cohesive 
organization. The office includes personnel who were already assigned 
to Atlanta as well as staff who normally carry out similar job duties 
based in the National Capital Region (NCR). NPPD is also testing a few 
new positions to see if those positions are useful to integrated field 
operations. Together, these professionals are carrying out the various 
programs and services that NPPD currently provides.
    To achieve the priorities of both enhancing operations and 
achieving a Unity of Effort across programs, NPPD will evaluate the 
results of the pilot project to inform any plan to shift resources and 
personnel from the NCR and establish regional headquarters in the 10 
Federal regions. The results of the pilot will assist NPPD in 
developing a regionally-focused organizational framework. This will 
enable NPPD to tailor the delivery of programs that reflect regional 
needs and evolve as the capabilities of each region mature and 
expand. This framework will better position NPPD to integrate programs 
at headquarters and in the field and move towards a unified, field-
based service delivery model; integrate current field forces and field 
business support operations; expand capabilities of regional assets in 
order to provide enhanced and regionally relevant support to regional 
and local stakeholders; and develop career path options for regional 
and headquarters-based employees.
    Question 5. Under Secretary Spaulding, as you know, OEC is the home 
of SAFECOM and performs important outreach to first-responder 
organizations. As the NPPD reorganization proposal was developed, how 
did you engage with first responder groups?
    Answer. NPPD has briefed stakeholders of the Office of Emergency 
Communications (OEC) on the Transition Plan, including members of the 
SAFECOM Executive Committee and Emergency Response Council and the 
National Council of State-wide Interoperability Coordinators. As we 
move forward with planning efforts, feedback from these stakeholders 
will be critical to the continued success of OEC and NPPD as a whole.
    Question 6. Under Secretary Spaulding, historically, Members of 
this committee have raised concerns that the Office of Emergency 
Communications was overshadowed by the cybersecurity mission at CS&C. 
How will moving OEC and NPPD's other emergency communications 
activities to Infrastructure Protection address the concerns this 
committee has raised in the past, and result in improved emphasis on 
developing robust National emergency communications capabilities?
    Answer. NPPD leadership appreciates the committee's concerns about 
the future of OEC and has taken this feedback into account as we have 
developed the Transition Plan. OEC carries out a critical part of 
NPPD's mission in advancing interoperable and National security/
emergency preparedness communications, building the capacity of first 
responders through training/technical assistance, and development of 
governance structures across the Nation. Integrating OEC with the 
Infrastructure Security organization that is focused on these types of 
capacity-building operations will enable OEC to more readily 
collaborate with colleagues and expand its reach to new stakeholders 
through Infrastructure Security's sector relationships, such as the 
Emergency Services Sector, and the integrated field forces who will 
promote the wide range of NPPD programs and services.
     Questions From Chairman John Ratcliffe for Phyllis A. Schneck
    Question 1. According to the proposed new organization chart the 
NCCIC, FNR, and NSD activities of CS&C would be separated out and the 
Office of Emergency Communications and stakeholder engagement would be 
moved into the new infrastructure security division. There is concern 
that this separates and potentially limits the directorate's current 
cybersecurity roles and missions. There is also concern that this will 
change the way the overarching cybersecurity strategy and policy 
decisions are made within NPPD and DHS. In order to accomplish the 
Department's cybersecurity mission, and strategy (especially as 
required in the bill passed by the House on October 6) there needs to 
be a central function that is constantly addressing needs and evolving 
strategy and policy. Where will those essential strategy, mission, and 
vision roles take place under the proposed structure?
    Answer. The proposed new structure for NPPD would include a 
centralized policy function to ensure that infrastructure security and 
resilience strategies, plans, and policies are integrated across NPPD's 
entire mission space. This centralized function will be a critical link 
between policymaking and operations, and the working group is currently 
developing an implementation plan for these functions that ensures 
essential connectivity with the operational entities. A reorganized 
NPPD will ensure policy development is more connected to NPPD 
leadership priorities and more coordinated across the organization, 
which will benefit stakeholders with whom we engage on policy matters. 
The new structure will aim to consolidate and potentially elevate 
policy functions, align and coordinate activity across all NPPD 
components, and maintain links between policy development and 
operational activity.
    Question 2. Currently, CS&C is responsible for the Office of 
Emergency Communications, the NCCIC, Stakeholder Engagement and Cyber 
Infrastructure Resilience, Federal Network Resilience and Network 
Security Deployment. A number of these offices and related roles and 
responsibilities would be moved in the proposed reorganization. The 
proposal seems to focus NPPD's cybersecurity work more fully on the 
cybersecurity of our Nation's critical infrastructure. However, based 
on the comprehensive nature of CS&C, is this new direction limiting to 
CS&C's work with public sector and the cybersecurity mission more 
broadly?
    Answer. No. The Transition Plan further consolidates the public-
sector cyber operational activity in an elevated NCCIC, which will 
strengthen the cyber mission overall and particularly with regard to 
.gov. It will provide continued, and where appropriate, enhanced 
engagement with public-sector stakeholders, especially in addressing 
cyber risks. This includes work with State and local partners through 
the Multi-State Information Sharing and Analysis Center (MS-ISAC), 
continued engagement and capacity-building operations with State and 
local officials such as chief information security officers and chief 
information officers, as well as continued cyber resilience assessments 
for State and local officials. In addition, NPPD will be better-
positioned to execute our statutory authorities related to securing the 
.gov and working with the interagency on areas like Federal Information 
Security Management Act (FISMA) compliance.
    Question 3. The Office of Emergency Communications (OEC) is 
currently authorized in law. Based on the latest information provided, 
under this proposal it would be shifted to the new infrastructure 
security division. How do you see the role and functions of OEC 
changing in this reorganization? Why does the office need to move? Is 
this move possible under current law?
    Answer. OEC carries out a critical part of NPPD's mission by 
advancing interoperable and National security/emergency preparedness 
communications by building the capacity of first responders through 
training, technical assistance, and development of governance 
structures across the country. The role of OEC is not envisioned to 
change within the new structure. Integrating OEC with the 
Infrastructure Security organization that is focused on these types of 
capacity-building operations will enable OEC to more readily 
collaborate with colleagues and expand its reach to new stakeholders 
through Infrastructure Security's sector relationships, such as the 
Emergency Services Sector, and the integrated field forces who will 
promote the wide range of NPPD programs and services.
    As the Under Secretary stated in response to a question from Rep. 
Donovan during the hearing, moving OEC is one example where NPPD would 
require Congressional action to support its proposed reorganization. 
The Homeland Security Act, as amended, requires the Director of the 
Office of Emergency Communications to report to the Assistant Secretary 
for Cybersecurity and Communications.
    Question 4. Understanding DHS has a significant volume of sensitive 
and personally-identifiable information (PII) which has been exposed 
over the last few years, does the agency have plans to fund and deploy 
enterprise-wide digital rights management solutions across the 
Department to protect against future data leaks?
    Answer. Security of data and protecting sensitive and PII will 
continue to be a priority for the Department as well as for Cyber and 
Infrastructure Protection. The Transition Plan envisions enhanced 
privacy and IT security, including carrying out new requirements under 
the Federal Information Technology Acquisition Reform Act (FITARA). The 
Department will continue to explore ways to manage data and protect 
against data leaks.
       Questions From Chairman John Ratcliffe for Ronald J. Clark
    Question 1. Protective Security Advisors (PSA's) have become the 
primary interface for private-sector stakeholders. The proposal would 
also create cybersecurity advisors. While the distinction does seem 
useful, isn't this inconsistent with your overall plan to merge 
physical and cyber skills? If you need distinct and separate security 
advisors, isn't that an indication that these are two distinct and 
separate missions?
    Answer. NPPD established the Cyber Security Advisor program several 
years ago to complement the PSAs, who work directly with our public and 
private-sector partners. Cyber Security Advisors and PSAs work together 
to conduct assessments and inform public and private-sector owners and 
operators of existing programs and resources available to protect 
infrastructure in support of NPPD's mission. The proposed 
transformation would enable greater effectiveness by providing 
institutional structures, particularly in the field, to enable these 
key collaborative activities. We ``merge'' these skills by creating 
institutional and operational mechanisms that make it easier for cyber 
experts and physical security experts to work closely together, learn 
from each other, and better support our stakeholders with the kind of 
holistic assistance that reflects the world they face; a world in which 
the lines between cyber and physical risks are increasingly blurred.
    Question 2. Last Congress, the committee made significant 
improvements to the Chemical Facility Anti-Terrorism Standards or CFATS 
program within the Infrastructure Security Compliance Division (ISCD). 
ISCD has made significant improvements in clearing the backlog of 
facility inspections and certifications. The committee is committed to 
seeing this success continue. How will this reorganization impact ISCD 
and the CFATS program?
    Answer. NPPD appreciates the committee's support of the Chemical 
Facility Anti-Terrorism Standards (CFATS) program and is committed to 
the program's continued success. The CFATS program is an excellent 
example of how infrastructure owners and operators must address both 
cyber and physical risks to infrastructure, as one of the Risk-Based 
Performance Standards requires facilities to assess their cybersecurity 
as part of the CFATS regulatory requirements. Under the Transition 
Plan, the CFATS program would reside within the Infrastructure Security 
entity to align with other similar capacity-building operations, but 
would retain the integrity of the regulatory program. Chemical Security 
Inspectors will remain an important part of NPPD's field forces and 
will continue to interact with Protective Security Advisors and Cyber 
Security Advisors.
  Questions From Ranking Member Bennie G. Thompson for Chris P. Currie
    Question 1. Mr. Currie, you testified that successful Government 
reorganizations balanced both the Executive and Legislative roles. You 
also testified that parties with vested interests should be involved in 
discussions about reorganizing. I agree. The party with one of the most 
vested interests with the reorganization of NPPD is its workforce. How 
important is it for NPPD to have a workforce plan that minimalizes 
negative impacts on morale? What should a successful Government 
workforce plan look like?
    Answer. It is vitally important for NPPD to have a workforce plan 
that minimizes any negative impacts on morale that may arise due to 
reorganization. Employee morale at NPPD is consistently low relative to 
other DHS components and to other Federal agency subcomponents. 
Therefore, it is imperative that NPPD consider how the planned 
reorganization could potentially enhance and not further lower employee 
morale, as an engaged and motivated workforce will be crucial to 
accomplishing NPPD's missions.
    In our previous work identifying key factors for implementing 
successful organizational change based on the experiences of past large 
and small organizational transformations, we found that involving 
employees to obtain their ideas and gain their ownership of a 
reorganization was crucial. Specifically, it is important to seek out 
and monitor employee attitudes, as well as to take appropriate follow-
up actions. Especially at the outset of the transformation, obtaining 
employees' attitudes through pulse surveys, focus groups, or 
confidential hotlines can serve as a quick check of how employees are 
feeling about the large-scale changes that are occurring and the new 
organization as a whole. While monitoring employee attitudes provides 
good information, it is important for employees to see that top 
leadership not only listens to their concerns, but also takes action 
and makes appropriate adjustments to the transformation in a visible 
way. By not taking appropriate follow-up action, negative attitudes may 
translate into actions, such as employee departures, among other 
things, that could have a detrimental effect on the transformation.
    Beyond these concerns specific to organizational change, we 
identified in past work on strategic workforce planning 5 key 
principles that lead to more effective workplans. Inclusion of these 
principles in NPPD's workforce planning will be important for ensuring 
success.
   Involve top management, employees, and other stakeholders in 
        developing, communicating, and implementing the strategic 
        workforce plan.
   Determine the critical skills and competencies that will be 
        needed to achieve current and future programmatic results.
   Develop strategies that are tailored to address gaps in 
        number, deployment, and alignment of human capital approaches 
        for enabling and sustaining the contributions of all critical 
        skills and competencies.
   Build the capability needed to address administrative, 
        educational, and other requirements important to support 
        workforce planning strategies.
   Monitor and evaluate the agency's progress toward its human 
        capital goals and the contribution that human capital results 
        have made toward achieving programmatic results.
    Question 2. As you know, Secretary Johnson's Unity of Effort 
initiative has not been principally focused on driving reorganizations, 
but rather putting in place structures to improve performance across 
the Department and foster greater collaboration and coordination. Based 
on your observations of Federal reorganizing, how can a reorganization 
of NPPD contribute to the Unity of Effort at the Department?
    Answer. DHS's Unity of Effort initiative calls for better 
traceability between DHS's strategic objectives and mission execution, 
among other things, in order to improve both Departmental cohesiveness 
and operational effectiveness. In testimony before this committee, 
Under Secretary Spaulding stated that the proposed reorganization would 
include 3 interconnected operational directorates that will allow for 
focused operations with the necessary coordination to ensure that 
operations mitigate risk in a holistic, comprehensive manner. To the 
extent that this reorganization approach would create better alignment 
between DHS's overall strategic objectives and mission execution, it 
would contribute to DHS's Unity of Effort initiative.
    Our past work identifying lessons learned from private and public-
sector transformations found that a key factor to successfully 
implementing large-scale change is to focus on a key set of principles 
and priorities at the outset of the transformation and to embed these 
core values into every aspect of the organization to reinforce the new 
culture. In this case, DHS's Unity of Effort may be supported by NPPD's 
proposed reorganization if Unity of Effort principles were made 
explicit in the initial stages of the process and reinforced throughout 
NPPD's new proposed directorates. As we note in our work on 
organizational transformations, key principles--such as DHS's Unity of 
Effort--can serve as an anchor that remains valid and enduring while 
organizations, personnel, programs, and processes may change.
