[House Hearing, 114 Congress] [From the U.S. Government Publishing Office] EXAMINING THE MISSION, STRUCTURE, AND REORGANIZATION EFFORT OF THE NATIONAL PROTECTION AND PROGRAMS DIRECTORATE ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES OF THE COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED FOURTEENTH CONGRESS FIRST SESSION __________ OCTOBER 7, 2015 __________ Serial No. 114-34 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PUBLISHING OFFICE 99-576 PDF WASHINGTON : 2016 ________________________________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]. COMMITTEE ON HOMELAND SECURITY Michael T. McCaul, Texas, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Peter T. King, New York Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island Chair Brian Higgins, New York Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana Tom Marino, Pennsylvania William R. Keating, Massachusetts Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey Scott Perry, Pennsylvania Filemon Vela, Texas Curt Clawson, Florida Bonnie Watson Coleman, New Jersey John Katko, New York Kathleen M. Rice, New York Will Hurd, Texas Norma J. Torres, California Earl L. ``Buddy'' Carter, Georgia Mark Walker, North Carolina Barry Loudermilk, Georgia Martha McSally, Arizona John Ratcliffe, Texas Daniel M. Donovan, Jr., New York Brendan P. Shields, Staff Director Joan V. O'Hara, General Counsel Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES John Ratcliffe, Texas, Chairman Peter T. King, New York Cedric L. Richmond, Louisiana Tom Marino, Pennsylvania Loretta Sanchez, California Scott Perry, Pennsylvania Sheila Jackson Lee, Texas Curt Clawson, Florida James R. Langevin, Rhode Island Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi Michael T. McCaul, Texas (ex (ex officio) officio) Brett DeWitt, Subcommittee Staff Director Dennis Terry, Subcommittee Clerk Christopher Schepis, Minority Subcommittee Staff Director C O N T E N T S ---------- Page Statements The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Oral Statement................................................. 1 Prepared Statement............................................. 3 The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Oral Statement................................................. 4 Prepared Statement............................................. 5 The Honorable Michael T. McCaul, a Representative in Congress From the State of Texas, and Chairman, Committee on Homeland Security....................................................... 6 Witnesses Ms. Suzanne E. Spaulding, Under Secretary, National Protection and Programs Directorate, U.S. Department of Homeland Security: Oral Statement................................................. 7 Joint Prepared Statement....................................... 10 Ms. Phyllis A. Schneck, Deputy Under Secretary, Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security: Oral Statement................................................. 13 Joint Prepared Statement....................................... 10 Mr. Ronald J. Clark, Deputy Under Secretary, National Protection and Programs Directorate, U.S. Department of Homeland Security Oral Statement................................................. 15 Joint Prepared Statement....................................... 10 Mr. Chris P. Currie, Director, Emergency Management, National Preparedness and Critical Infrastructure Protection, Homeland Security and Justice Team, U.S. Government Accountability Office: Oral Statement................................................. 16 Prepared Statement............................................. 18 For the Record The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Letters........................................................ 28 Appendix Questions From Chairman John Ratcliffe for Suzanne E. Spaulding.. 43 Questions From Honorable Scott Perry for Suzanne E. Spaulding.... 52 Questions From Ranking Member Bennie G. Thompson for Suzanne E. Spaulding...................................................... 52 Questions From Chairman John Ratcliffe for Phyllis A. Schneck.... 54 Question From Chairman John Ratcliffe for Ronald J. Clark........ 55 Questions From Ranking Member Bennie G. Thompson for Chris P. Currie......................................................... 56 EXAMINING THE MISSION, STRUCTURE, AND REORGANIZATION EFFORT OF THE NATIONAL PROTECTION AND PROGRAMS DIRECTORATE ---------- Wednesday, October 7, 2015 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Washington, DC. The subcommittee met, pursuant to call, at 10:13 a.m., in Room 311, Cannon House Office Building, Hon. John Ratcliffe [Chairman of the subcommittee] presiding. Present: Representatives Ratcliffe, McCaul, Perry, Clawson, Donovan, Richmond, and Langevin. Mr. Ratcliffe. The Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order. The subcommittee is meeting today to examine the National Protection and Programs Directorate, or NPPD's, proposed reorganization effort. I now recognize myself for an opening statement. Prior to any reorganization of NPPD, Congress needs to first determine whether or not the proposal would establish a clear operational mission for the directorate, streamline the organizational structure, and whether the proposal can be effectively carried out by a qualified workforce. We also have questions on how the proposed changes would help make acquisition efforts for the cybersecurity mission more effective and more efficient. Perhaps most importantly, this committee needs to know how the realignment would help build confidence in both the public and private sectors that DHS is dedicated to focusing on its emerging cybersecurity mission. Growing cyber threats are presenting new homeland security challenges every day, and as such, this committee needs to ensure that DHS is optimally organized to successfully combat these emerging threats. As a Nation, we seem to finally be grasping the magnitude of the potential consequences of a major cyber attack, particularly as serious cyber breaches have already become part of our daily lives. As we have seen this year with the damaging breach to the Office of Personnel Management and other similar breaches, cyber subversions are only increasing in their numbers and in their severity. We have seen cyber attacks destroy private companies' computer and data breaches that exfiltrate corporate information, employee data, emails, intellectual property. Bottom line, it is vitally important that we are prepared to combat this evolving threat. Additionally, much of our Nation's critical infrastructure is privately-owned, and there now exists an interconnectedness of physical security and cybersecurity. This means that someone sitting at a keyboard can issue commands to blow up a gas pipeline, to cause the air traffic control system to malfunction, or take control of someone's automobile, all of which could result in a loss of life, not just the theft of personal information from a database. It is NPPD's mission to work with both public and private partners to reduce these risks from both cybersecurity and infrastructure threats and make the Nation's physical and digital infrastructure more resilient and secure. NPPD is also responsible for securing Federal networks and working with the private sector to secure the dot-com domain. As such, I would hope that NPPD plans on consulting with the private sector and its partners to hear their informed views on the proposed plan before moving forward. So far, I have only heard from outside stakeholders that there has been little to no outreach, and that is very disconcerting. Additionally, despite multiple media reports that DHS leadership is pushing to reorganize its cybersecurity and infrastructure protection missions, the committee has received minimal details from DHS at this point. Over the past several years this committee has built up a collaborative relationship working with NPPD, consulting with it to pass several strong and bipartisan pieces of legislation to improve chemical security and to strengthen DHS's cybersecurity mission and stature in the Federal Government. Given our shared goal to protect this country, several Members of the committee and I were very disappointed to learn about this proposal through leaked reports in the media. The committee only received a briefing after these reports in the press; and unfortunately, only minimal details on the reorganization effort, after several requests, have been provided in the time since. Only last week did the staff here receive an additional briefing, having been met with road blocks when trying to obtain additional information. Even more disappointing, the committee has heard that DHS leadership had planned to move forward unilaterally on several efforts without Congressional review or approval. I remind the witnesses that it is Congress' job to create the laws and the administration's job to execute them. After all, the Founding Fathers purposely enumerated Congress' role in Article I of the Constitution before any powers were given to the Executive. Over the past several weeks the committee has sent a strong message to DHS leadership making it clear that transparency with Congress and the American people is not a choice. The committee sent a bipartisan letter to DHS leadership expressing its disappointment in the process and reiterating the Congress' oversight and authorization roles and responsibilities. Additionally, the committee marked up several pieces of legislation last week, including one that would explicitly prohibit DHS from undertaking any reorganization or realignment of NPPD without Congressional review and approval. Just yesterday, that legislation passed the House unanimously. I hope that our message is clear. The committee is committed to working with NPPD's senior leadership to further strengthen its efforts and ensure that it has a clear mission, streamlined organizational structure, and a qualified workforce to carry out both its infrastructure protection and its cybersecurity responsibilities. But this will be a joint effort with Congress. I look forward to hearing more about your proposal for reorganization and then turning the page to begin working together to craft authorization legislation for the National Protection and Programs Directorate that would ensure that it has the tools and proper authorities to defend this Nation from both cyber and physical threats. [The statement of Chairman Ratcliffe follows:] Statement of Chairman John Ratcliffe Prior to any reorganization of NPPD, Congress needs to first determine whether or not the proposal would establish a clear operational mission for the directorate, streamline the organizational structure, and can be effectively carried out by a qualified workforce. We also have questions on how the proposed changes would help make acquisition efforts for the cybersecurity mission more effective and efficient. And perhaps most importantly, this committee needs to know how the realignment would help build confidence in both the public and private sectors that DHS is dedicated to focusing on its emerging cybersecurity mission. Growing cyber threats are presenting new homeland security challenges every day; and as such, this committee needs to ensure that DHS is optimally organized to successfully combat these emerging threats. As a Nation, we seem to finally be grasping the magnitude of the potential consequences of a major cyber attack, particularly as serious cyber breaches have already become part of our daily lives. As we have seen this year with the damaging breach to the Office of Personnel Management and other similar breaches, cyber subversions are only increasing in number. We have seen cyber attacks destroy private companies' computers and data breaches that exfiltrate corporate information, employee data, emails, intellectual property. It is vitally important that we are prepared to combat this evolving threat. Additionally, much of our Nation's critical infrastructure is privately owned, and there now exists an interconnectedness of physical security and cybersecurity. This means that someone sitting at a keyboard can issue commands to blow up a gas pipeline, cause the air traffic control system to malfunction, or take control of someone's automobile--all of which would result in loss of life--not just the theft of personal information from a database. It is NPPD's mission to work with both public and private partners to reduce these risks from both cybersecurity and infrastructure threats and make the Nation's physical and digital infrastructure more resilient and secure. NPPD is also responsible for securing Federal networks and working with the private sector to secure the ``.com'' domain. As such, I would hope that NPPD plans on consulting with the private sector and its partners to hear their informed views on the proposed plan before moving forward. So far, I have only heard from outside stakeholders that there has been little to no outreach and that is really disconcerting. Additionally, despite multiple media reports that DHS leadership is pushing to reorganize its cybersecurity and infrastructure protection missions, the committee has received minimal details from DHS. Over the past several years, this committee had built up a collaborative working relationship with NPPD, consulting with it to pass several strong and bipartisan pieces of legislation to improve chemical security and strengthen DHS's cybersecurity mission and stature in the Federal Government. Given our shared goal to protect this country, several Members of the committee and I were very disappointed to learn about this proposal through leaked reports in the media. The committee only received a briefing after these reports in the press, and unfortunately, only minimal details on the reorganization effort, after several requests, have been provided since. Only last week did staff receive an additional briefing, having been met with roadblocks when trying to obtain additional information. Even more disappointing, the committee has heard that DHS leadership had planned to move forward unilaterally on several efforts without Congressional review and approval. I will remind the witnesses that it is Congress' job to create the laws and the administration's job to execute them. After all, the Founding Fathers purposely enumerated Congress' role in Article One of the Constitution, before any powers were given to the Executive. Over the past several weeks, the committee has sent a strong message to DHS leadership making it clear that transparency with Congress and the American people is not a choice. The committee sent a bipartisan letter to DHS leadership expressing disappointment in the process and reiterating the Congress' oversight and authorization roles and responsibilities. Additionally, the committee marked up several pieces of legislation last week, including one that would explicitly prohibit DHS from undertaking any reorganization or realignment of NPPD without Congressional review and approval. Just yesterday, that legislation passed the House unanimously. I hope our message is clear. The committee is committed to working with NPPD's senior leadership to further strengthen its efforts and ensure that it has a clear mission, streamlined organizational structure, and a qualified workforce to carry out both its infrastructure protection and cybersecurity responsibilities--but this will be a joint effort with Congress. I look forward to hearing more about your proposal for reorganization and then turning the page to begin working together to craft authorization legislation for the National Protection and Programs Directorate that would ensure it has the tools and proper authorities to defend this Nation from both cyber and physical threats. Mr. Ratcliffe. The Chair now recognizes the Ranking Minority Member of the subcommittee, the gentleman from Louisiana, Mr. Richmond, for any statement that he may have. Mr. Richmond. Thank you, Mr. Chairman. I want to welcome Under Secretary Spaulding and her deputy secretaries to the subcommittee and thank them for taking time to come and explain their plan to transform the National Protection and Programs Directorate, the NPPD. I also want to thank Chris Currie, head of the emergency management national preparedness and critical infrastructure protection team at GAO. Chris and his colleagues provide this subcommittee and committee with insights and analysis into the day-to-day operations of organizations like NPPD and inform us in ways we couldn't learn any other way. They are invaluable to us. Against the backdrop of challenges that the Department faces--tightening budgets, low morale, complex oversight structures--there are key issue areas that DHS leaders must address in order to achieve, as Secretary Johnson has envisioned, a Department-wide Unity of Effort, including a plan to reorganize and realign NPPD. There will be many details that we on the subcommittee will need to study and evaluate before we feel comfortable enough to give recommendations or assess legislative initiatives for the plan, and I hope we can begin that process today. We know that NPPD is a large and multi-layered directorate with a wide range of responsibility, from chemical facility security, pipelines, refineries, ports, and other critical infrastructure protection, to cybersecurity. It covers such a range that some might say it lacks a single central mission. I am interested today in learning how the Secretary's plan to allow NPPD to become operational will be accomplished without shredding or rearranging its current responsibilities, and how it will create an overall central mission. This is important because my district is a prime example of the importance of both physical infrastructure security and cyber network security. My district includes the largest port network in the country, the largest petrochemical footprint in the Nation, and significant refining capacity. All of these facilities have complex and challenging physical security and cybersecurity challenges. There are funding concerns too. If the reorganization or realignment will require modifications to NPPD's appropriations structure, will the Department request additional budgetary flexibility or transfer authority from Congress beyond those that the Department already has available? Let's be clear: This reorganization is both massive and a crucial undertaking. I continue to have a lot of questions about both this kind of major--how this kind of major overhaul will work and what all the implications are for the proposed changes. So I hope this hearing leads to some answers so that we can work together to improve the Department. With that, I look forward to hearing the testimony and I yield back. [The statement of Ranking Member Richmond follows:] Statement of Ranking Member Cedric L. Richmond October 7, 2015 Thank you Mr. Chairman. I want to welcome Under Secretary Spaulding and her deputy secretaries to the subcommittee and thank them for taking time to come explain their plan to ``transform'' the National Protection and Programs Directorate, the NPPD. I also want to thank Chris Currie, head of the Emergency Management National Preparedness and Critical Infrastructure Protection Team at GAO. Chris and his colleagues provide this subcommittee and committee with insights and analysis into the day-to-day operations of organizations like NPPD, and inform us in ways we couldn't learn any other way--they are invaluable to us. Against the backdrop of challenges that the Department faces; tightening budgets, low morale, complex oversight structures, there are key issue areas that DHS leaders must address in order to achieve, as Secretary Johnson has envisioned, a Department-wide Unity of Effort, including a plan to reorganize and realign NPPD. There will be many details that we on the subcommittee will need to study and evaluate before we will feel comfortable enough to give recommendations, or assess legislative initiatives for the plan, and I hope we can begin that process today. We know that NPPD is a large and multi-layered directorate, with a wide range of responsibility: From chemical facility security, pipelines, refineries, ports and other critical infrastructure protection, to cybersecurity. It covers such a range that some might say it lacks a single, central mission. I am interested today in learning how the Secretary's plan to allow NPPD to become ``operational'' will be accomplished without shedding or re-arranging its current responsibilities, and how it will create an overall, central mission. This is important because my district is a prime example of the importance of both physical infrastructure security and cyber network security. My district includes the largest port network in the country, the largest petrochemical footprint in the Nation, and significant refining capacity. And all of these facilities have complex and challenging physical security and cybersecurity challenges. There are funding concerns too. If the reorganization or realignment will require modifications to NPPD's appropriations structure, will the Department request additional budgetary flexibilities, or transfer authority from Congress, beyond those that the Department already has available? Let's be clear, this reorganization is both a massive and a crucial undertaking. I continue to have a lot of questions about both how this kind of major overhaul would work, and what all the implications are for the proposed changes, so I hope this hearing leads to some answers so that we can work together to improve the Department. I look forward to the testimony and discussion today, and I yield back. Mr. Ratcliffe. The gentleman yields back. The Chair now recognizes the Chairman of the full committee, the gentleman from Texas, Mr. McCaul, for any statement he may have. Mr. McCaul. Thank the Chairman. Thank you for holding this hearing on the National Protection and Program Directorate. I also want to thank Under Secretary Spaulding for the meeting I had yesterday. I thought it was a very good briefing on moving forward, and I think that is important because Congress has to review the proposal in its entirety once it is finally submitted and understand how it could improve our Nation's cybersecurity posture and protection of our critical infrastructures. Additionally, any effort that will significantly alter the way the Department carries out its responsibilities is one that Congress needs to weigh in on. The Chairman mentioned the letter we sent on September 15, and the most recent legislation that Mr. Richmond passed on the floor, I believe yesterday. We take the Department's cybersecurity mission very seriously. I want to commend the good work that you have done--both you and Dr. Schneck--in this very, very important mission and in building the capabilities within DHS to carry it out. You only need to read the newspaper to know what the threat really is, and you know it better than anybody. From the OPM hack to the Sony attacks to Iran's constant attacks on the financial sector, from Russia, from China--it is everywhere. It is not just the future; it is the here and now, of criminal theft of intellectual property, of espionage, and cyber warfare. So we want to, as we have in the past, work with you to advance this mission. I would say that the Members of this committee are perhaps your biggest advocates in the Congress because we believe that what you are doing is so important. So I look forward to hearing more about the reorganization and the proposed changes, but I do think that should be done in full collaboration with the Congress, and specifically with this committee. We passed 15 bills, marked them up last week, to improve the Department, and I think this hearing will go a long way to strengthening the NPPD's mission that we strongly believe in. If I could just end with--I know that the Senate is taking, finally, up the cybersecurity legislation that we passed out of this committee many months ago by an overwhelming majority. I would ask that they take into account the bills that we passed out of the House and the bills that we passed previously in the last Congress and not do anything that would conflict with existing law. My concern is that these laws we passed last Congress may be disregarded, and I think that would be very counterproductive to the process and counterproductive to a conference committee, in the event we ever get to that point. So I would ask that the Senate look at that as they measure and weigh in on the final bill that they mark up on cybersecurity legislation. This has to be done right, because I can think of no more important mission than this one. So with that, again, I want to thank the Chairman. I want to thank the witnesses not only for being here but for the work that you do day in and day out. We don't often say ``thank you'' enough, and I would just like to, on behalf of this committee, say thanks for the great work you do to protect our country. With that, I yield back. Mr. Ratcliffe. Thank you, Mr. Chairman. Other Members of the committee are reminded that opening statements may be submitted for the record. We are pleased, as the Chairman referenced, to have a distinguished panel of witnesses with us on this important topic today. The Honorable Suzanne Spaulding serves as the under secretary for the National Protection and Programs Directorate at the U.S. Department of Homeland Security. Welcome back, Under Secretary. Dr. Phyllis Schneck serves as the deputy under secretary for cybersecurity and communications for the National Protection and Programs Directorate at the U.S. Department of Homeland Security. Dr. Schneck, good to see you again. Dr. Ronald Clark serves as the deputy under secretary for the National Protection and Programs Directorate at the U.S. Department of Homeland Security. Welcome back to this subcommittee. Mr. Chris Currie is the director of emergency management national preparedness and critical infrastructure protection for the homeland security and justice team at the U.S. Government Accountability Office. Welcome, Mr. Currie. I would like to ask the witnesses to stand and raise your right hand so I can swear you in to testify. [Witnesses sworn.] Let the record reflect that the witnesses have answered in the affirmative. You may be seated. The witnesses' full statements will appear in the record. The Chair recognizes Under Secretary Spaulding for 5 minutes for her opening statement. STATEMENT OF HON. SUZANNE E. SPAULDING, UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY Ms. Spaulding. Thank you. Chairman McCaul, thank you for your very gracious remarks. Chairman Ratcliffe, Ranking Member Richmond, distinguished Members of the committee, thank you very much for this opportunity to be here today to discuss the Department's important cyber and infrastructure protection mission and the changes in the National Protection and Programs Directorate that I have the privilege of leading that we believe are necessary to keep pace with the dynamic and evolving risks that our partners in Government and the private sector face each and every day. I want to start by saying that I understand the committee's frustration that information related to the changes that were under consideration leaked prematurely to the media before we had a plan that the Secretary had an opportunity to review and I could get down here to brief the committee on that plan. This is an on-going process that continues, and managing change is always a challenge as I balance the need to follow appropriate Executive branch procedures, continue to be inclusive and transparent with my workforce, respect your very important legislative and oversight roles, and communicate appropriately with our public and our private stakeholders. I place a very high priority on making sure that we are consulting with you and with the rest of Congress. We have tried to ensure that your staff is informed at appropriate points throughout this process, and we look forward to continuing to work with you toward our shared objective of strengthening DHS's ability to execute its critical mission of cyber and infrastructure priority--protection. We will do this by working to achieve three key priorities with the changes that we have proposed: Achieving greater Unity of Effort, strengthening operations, and improving our mission support. Achieving greater Unity of Effort in our cyber and infrastructure protection mission is part of Secretary Johnson's overall work to bring greater Unity of Effort across the entire Department. Within NPPD, we need to take a holistic approach across cyber and physical risks the private sector increasingly takes and reflect the world that they face--a world in which cyber and physical, as Chairman Ratcliffe noted, and Ranking Member Richmond, are increasingly intertwined. We see this in the Internet of Things. We know that cyber attacks can have physical consequences, such as disrupting the electric grid or causing a dam to malfunction, just as physical events, such as storms and flooding, can cause cyber outages. We need to understand these connections and we need to manage those risks in the same interconnected way. In this time of scarce resources we must fully leverage all the outstanding expertise, capabilities, insights, information, relationships across our entire organization to accomplish our cyber and infrastructure protection mission. We cannot afford to operate in stovepipes that hamper essential collaboration and integration. Ultimately, the transition we are talking about is about strengthening operations--our ability to make a difference on the ground, in partnership with our stakeholders in Government and the private sector. To fully accomplish this objective we need excellence in our mission support functions, particularly acquisition and program management. This plan includes not only some restructuring of the organization, but also cultural, governance, and process changes, and even changing our name. You should each have a copy of our proposed organizational structure, and I am going to start at the bottom of that organizational chart with our three entities that will be executing operational activity: The National Cybersecurity and Communications Integration Center, our NCCIC; Infrastructure Security; and the Federal Protective Service. Under our plan, the NCCIC, our 247 operations center, is elevated and focused on operations to effectively respond to and mitigate cyber incidents. It would include all the current NCCIC functions but also bring in important dot-gov functions, including Einstein and our continuous diagnostics and mitigation. The second operational entity would be Infrastructure Security. This entity will work on stakeholder engagement and build capacity throughout our stakeholders in Government, in State, local, territorial, and Tribal, and the private sector. They will provide training, technical assistance, assessments, and work with those folks in the field and through support to sector coordinating councils. They will bring in those same activities that are now occurring in the Office of Cybersecurity and Communications including the Office of Emergency Communications; our effort to promote the adoption of the NIST Cybersecurity Framework, called C-Cubed V.P.; and our cybersecurity advisors, field forces that are now deployed all across the country. They will have the protective security advisors and our chem inspectors, so that we can integrate our field forces and that operational activity more effectively. Third is the Federal Protective Service, which will continue its law enforcement and security operations to protect Federal facilities all across the country and the people who work in them and visit them every single day. This plan will increase their ability to bring cybersecurity fully into that security assessments and mitigation measures for those Federal facilities and help to better integrate their field operations so that they can leverage what goes on and the capabilities across the rest of NPPD and vice-versa. To ensure that interconnectedness and to facilitate that, we are establishing an operations and watch function that brings together existing capabilities so that we can better integrate our operational planning and our situational awareness. Finally, we are strengthening our mission support operations by flattening and streamlining those functions and in some cases, particularly in acquisition and program management, bringing together a cadre of professionals that can make sure we have got clear oversight and guidance, who will then be embedded with the users whose requirements they have to ensure they are meeting on a daily basis. Implementation of this plan will require Congressional action. We understand the committee is working on possible legislation and has asked for DHS input, and we are working to respond quickly to that request. In closing, I want to again thank the committee for its strong support for our mission and for this opportunity to share our vision for an organization that can meet the Nation's challenges--the challenges that we face today and for years to come. Thank you very much. I am very pleased to be accompanied today by my outstanding deputies, and I understand that they will have a few opening remarks, Chairman. Thank you. [The joint prepared statement of Ms. Spaulding, Ms. Schneck, and Mr. Clark follows:] Joint Prepared Statement of Suzanne E. Spaulding, Phyllis A. Schneck, and Ronald J. Clark October 7, 2015 Thank you, Chairman Ratcliffe, Ranking Member Richmond, and distinguished Members of the subcommittee. I appreciate the opportunity to appear before you today to discuss the Department's cyber and infrastructure protection mission and the proposed transformation of the National Protection and Programs Directorate (NPPD). The growing demand for NPPD services as a result of the evolving risks requires the organization to be prepared to address whatever challenges we face in the future. Therefore we are developing a plan that will strengthen our ability to carry out NPPD's mission. nppd's cyber and infrastructure protection mission NPPD serves a critical role in homeland security by leading the National effort to secure and enhance the resilience of the Nation's infrastructure against cyber and physical risks. NPPD works with interagency partners as well as owners and operators of critical infrastructure in the private sector and State, local, Tribal, and territorial government agencies to, collectively, maintain secure, functioning, and resilient infrastructure that is vital to public confidence and the Nation's safety, prosperity, and well-being. I'd like to thank Members of this subcommittee for the continued recognition and support of this critical mission. In just the past year, the subcommittee demonstrated bi-partisan support for NPPD's mission by introducing legislation that enhanced authority for NPPD operations in the areas of cybersecurity and infrastructure protection, specifically chemical facility security. Through the leadership of this subcommittee, as well as Chairman McCaul and Ranking Member Thompson, these bills ultimately became law. Most recently, the subcommittee introduced legislation, which was passed by the House of Representatives to improve cybersecurity by encouraging voluntary information sharing between and amongst the private sector and NPPD's National Cybersecurity & Communications Integration Center (NCCIC). This important legislation would strengthen cybersecurity by enabling automated sharing of cyber threat indicators in a way that protects privacy and brings this important information together so that trends can be seen and malicious cyber activity can be better understood and detected. I appreciate your continued support for our mission, and I am committed to continuing working with you to ensure we have the authority and tools necessary to succeed. NPPD was initially created in 2007 as a headquarters component of the Department by combining several existing entities. Over the years, the mission has evolved and NPPD has taken on more operational responsibility; especially as threats have grown. Malicious cyber activity has become more sophisticated over time, requiring an equally sophisticated and agile response. Given the importance of the mission and the evolving risks to critical infrastructure, NPPD must transition to an operational focus that fully leverages the combined expertise, skills, information, and relationships throughout DHS. transforming nppd To accomplish this vision, DHS is proposing a transformation that will achieve three key priorities: (1) Greater Unity of Effort across the organization, particularly across cyber and physical threats, vulnerabilities, consequences, and mitigation; (2) Enhanced operational activity; and (3) Excellence in acquisition program management and other mission support functions. This transformation includes restructuring the organization; cultural, governance, and process changes; further cementing the organization as an operational component within the Department, and changing our name to better reflect our mission. DHS is proposing changes in the structure of the organization to enable enhancements in operations. In the new structure, operations would be carried out through three interconnected, operational directorates. This will allow for focused operations with the necessary coordination to ensure our operations mitigate risk in a holistic, comprehensive manner. The first directorate, Infrastructure Security, will focus on activities to protect the Nation's infrastructure from cyber and physical risks by working with private and public-sector owners and operators to build the capacity to assess and manage these risks. Through regionally-based field operations--to include the Protective Security Advisors, Cyber Security Advisors, Regional Emergency Communications Coordinators, and the Chemical Security Inspectors-- Infrastructure Security will deliver training, technical assistance, and assessments directly to stakeholders to enable these owners and operators to increase security and resilience. This includes working with facilities that are often identified as soft targets because of their open access. The foundation of Infrastructure Security will include existing programs within the Office of Cybersecurity and Communications, including the Office of Emergency Communications, the Cyber Security Advisor program, and the Critical Infrastructure Cyber Community (C3) Voluntary Program. In addition, Infrastructure Security will include programs currently within the Office of Infrastructure Protection, including the Protective Security Advisor program and the Chemical Facility Anti-Terrorism Standards program. It will also execute the Sector-Specific Agency responsibilities for nine sectors and serve as the National coordinator for the remaining sectors. The second operational directorate will focus on cyber-specific operations and DHS's responsibility to mitigate and respond to threats to information technology (IT) and communication assets, networks, and systems. Through an enhanced and elevated NCCIC, we would execute cyber-specific protection, prevention, mitigation, incident response and recovery operations for private and public-sector partners, including protection of Federal networks. The focus on this area of operational activity will ensure DHS is able to respond to malicious cyber activity at the speed demanded by the rapidly-evolving threat, while closely aligning pre-incident prevention and protection with incident detection, response, and recovery. The NCCIC will also collaborate with the other two operational directorates to ensure cyber operations and expertise support, and benefit from, the operational activity of those protecting Federal facilities and building capacity with public and private-sector stakeholders. The third operational directorate, the Federal Protective Service, will continue to focus on the direct protection of Federal facilities, and those who work in and visit them, across the Nation, through integrated law enforcement and security operations. It will increase its focus on protecting cybersecurity aspects of Federal facilities in coordination with the NCCIC. In addition, the Federal Protective Service will better integrate its field operations with field forces in Infrastructure Security to enable comprehensive security and resilience for our stakeholders, as well as co-locate incident management support with the combined watch functions of the NCCIC and the National Infrastructure Coordinating Center (NICC) to gain efficiencies and improve situational awareness. To ensure coordinated execution of the mission and better integration among the three operational activities, we will combine existing elements to establish a mission support element for coordinated operations, joint operational planning, and integrated situational awareness. NPPD is currently piloting these enhancements to strengthen situational awareness and operational coordination using the National Infrastructure Coordinating Center as a foundation. We will use the results of the pilot to inform the establishment of permanent mechanisms for integrated situational awareness, coordinated operations, operational planning, and integrated continuity planning. The Office of Cyber and Infrastructure Analysis will support this important coordination function. In 2014, NPPD established the Office of Cyber and Infrastructure Analysis as a first step in integrating key risk-assessment activity, particularly with regard to understanding interdependencies and consequences across physical and cyber. This function will provide essential analysis to support coordinated operational planning and joint situational awareness. This integrated operations and watch function will serve as a critical element of the Department's counterterrorism mission in protecting critical infrastructure, including Federal facilities and those who work in and visit them. Enhanced operations will be supported through improved mission support functions. We will re-orient the roles of operational and mission support elements so operators are focused on operations and mission support elements are structured with appropriate authorities to effectively and efficiently support operations, consistent with the structure of other DHS operating components. We will change the way the organization executes and manages acquisition programs. DHS is proposing an Acquisition Program Management function to enable greater effectiveness and accountability in acquisition programs and ensure that operational programs have the tools required in a timely manner. These changes will also help us collaborate with the DHS Science and Technology Directorate to strengthen our ability to leverage innovation, research, and development for DHS and National benefit. Aligning activities that provide oversight and accountability for these large acquisition programs will allow operational directorates to focus on executing daily operations with the confidence that their requirements are being met by a team of acquisitions professionals. In many instances, these acquisition professionals will continue to be co- located with the programs they support to ensure user requirements are well-understood and being met. We will also enable those carrying out day-to-day operations to focus on the mission by changing current business models for other management functions as well. Streamlining and centralizing management of business support functions will create efficiencies by reducing management layers and provide greater predictability and agility in meeting the needs of the workforce and of our operations. We will ensure the delivery of these services remains customer-focused by placing staff in the same location as the operators when their needs can best be met by in-person support. Centralizing management of these activities will support the goal of enabling operators to focus on operations while ensuring mission support elements are empowered to support the operators and effectively carry out our mission. This proposed structure reflects the three priorities of the transition; but a critical part of the transformation to achieve these priorities includes an underlying support structure with updated processes and internal governance to ensure the organizational structure permits the necessary flexibility and integration of programs required to carry out NPPD's mission. In addition, the proposed structure will allow for enhanced operations and performance of its critical mission with minimal requirements for new resources by identifying and implementing a series of efficiencies. In a time of growing mission demands and continued resource constraints, greater efficiencies are imperative and DHS is committed to ensuring that direct impacts to budget from the transformation are minimal. This approach can be achieved through the combination and co-location of similar functions, the establishment of a joint planning function that leverages existing planning resources in a coordinated manner, and a flattening of certain management functions. benefit to stakeholders Reducing risks to critical infrastructure is a joint effort between the private and public sectors. DHS is unable to carry out our mission without the support and participation of stakeholders within the public and private sectors, including critical infrastructure owners and operators, public safety and Government officials at all levels of Government, and our interagency partners. Therefore, this transformation is designed to directly benefit these stakeholders. Through the changes outlined above, DHS will be able to more effectively and efficiently leverage relationships to support operational activity by identifying, coordinating, managing, and countering physical and cyber risks to infrastructure. DHS is committed to improving service delivery to customers by enhancing our staff presence outside the District of Columbia and better integrating field activities. A more robust field force will directly engage with stakeholders located throughout the Nation and carry out operations at a local level. In order to create efficiencies, improve the delivery of services to public and private-sector customers in the field, and ensure DHS is addressing cybersecurity and infrastructure protection regional priorities, we will more fully integrate and support regional operations. To achieve the priorities of both enhancing operations and achieving a Unity of Effort across programs, we will use the results of an on-going regional pilot project to inform a plan for aligning field forces into a more cohesive organization. By embracing a regionally-focused organizational framework, we can tailor the delivery of programs that reflect regional needs and that evolve as the capabilities of each region to mature and expand. This framework also will better position us to develop career path options for regional and headquarters-based employees. In addition to our external stakeholders, this transformation will benefit the workforce. I am privileged to serve with the committed men and women of NPPD. Our workforce carries out the incredibly difficult and demanding mission of protecting our Nation's infrastructure, both cyber and physical. The hard work and dedication of our staff forms the backbone of our operations as we strive to meet evolving mission needs. Many of the ideas I have discussed above for this transformation came directly from our workforce, and our employees have served a critical role in this process by developing plans and recommendations. Our employees best know the requirements and demands of this mission; therefore, I value their input and feedback. Their efforts and continued role in this process will be all the more important as we move forward to strengthen our capabilities to carry out this challenging and evolving mission. As we continue to develop NPPD's organizational structure and improve our governance processes to support are evolving mission, a new organizational name would support our efforts help create a more unified and strong sense of identity, enhance stakeholder outreach, and reflect the operational activities NPPD employees carry out each day. next steps The plan for NPPD's transformation I have just outlined provides a clear path to further enhance and improve our ability to carry out the mission. However, our work is not yet complete. Senior executives are now working on action plans to further develop details for the proposed areas of change I named above. We are also working with our stakeholder community to ensure their feedback is incorporated into this organizational construct. Several of the areas I have identified above will require Congressional action to amend existing law, seek approval of organizational changes, and enable the changes. I appreciate the opportunity to appear before you today to discuss our proposal and look forward to working with Members of Congress on the implementation of this plan. Your support to date has enabled NPPD to carry out our critical operations and make significant progress, in collaboration with our stakeholders, to protect the Nation's infrastructure. Together we can ensure DHS is best positioned to carry out the critical mission of cybersecurity and infrastructure protection now and in the future. In closing, I would like to note that October is National Cybersecurity Awareness Month and next month, November, is Critical Infrastructure Security and Resilience Month. Every year we use these opportunities to raise awareness of the importance of the cybersecurity and infrastructure protection mission. This hearing is an important part of that dialogue and I thank you for the opportunity to testify before you today. I look forward to your questions. Mr. Ratcliffe. Thank you, Under Secretary Spaulding. The Chair now recognizes Dr. Schneck for 5 minutes. STATEMENT OF PHYLLIS A. SCHNECK, DEPUTY UNDER SECRETARY, CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY Ms. Schneck. Chairman Ratcliffe, Ranking Member Richmond, Chairman McCaul, distinguished Members of the committee, thank you for this opportunity to appear today. In my over, now, 2 years in Government, I continue to really be impressed and enjoy the support that we get from our Congressmen and Senators in truly making things happen. Our critical infrastructures, as you know, and our cyber connectivity therein, are under attack; they have become open hunting season for a very egregious and witted adversary. These adversaries seek to damage our way of life. It is a broad range of threat, as you know, from the economic money or turning our information--our private information, our health information, our financial information--into currency. It moves up the spectrum to the theft of intellectual property, and then to the destructive side where, as the under secretary mentioned, a single computer instruction or command can cause a change that creates a physical event. That is why we are here today. Our critical infrastructures are owned and operated mostly by the private sector. There has never been a harder time for a large private-sector company, like the one from which I came, to work with the U.S. Government in our environment, but there has never been a more urgent time. All of this work that is needed is based on trust, customer service, stakeholder engagement, and the ability for us to be able to reach out and bring a field of expertise, from our cyber experts to our electric power experts to those in between that run our programs. This transformation will strengthen our cyber mission. It will strengthen our ability to reach out to our customers and to serve them well. Fighting back against this constantly-evolving threat requires this fully collaborative approach. NPPD can't do our mission if we don't do this. We have been doing it well. We can do it faster and better, and as the adversary excels, with no lawyers and no way of life to protect and plenty of money, we will not be able to fight them if we don't organize the way that is being suggested today so that we can bring everything we have to bear, just as we did in the private sector. This adversary takes an expeditious fight, and we can bring that. NPPD has been evolving for several years, as our mission has demanded. The latest step will improve our ability and--to carry out both our cyber and our infrastructure protection mission in better collaboration with our stakeholders, and programmatically, these changes are designed to make it easier for us to bring everything we have to the table, meaning we can bring expertise about the sector, we can bring the people that have the trusted relationships within the sector, we can bring the exact cyber people that understand the problem, and come to the fight more quickly. We can bring that team today, and we do, but we can assemble it and be designed as a much more efficiently well- oiled machine to do this mission and take on this adversary. Through this transformation we focus on customer service, delivering this service to our customers, and making sure that we provide our stakeholders across the Nation not only the service in helping them fix an event or spot a threat, but to teach them, to give them programs such as the C-Cubed V.P.--or the Cybersecurity and Critical Infrastructure Community Voluntary Program that comes with the President's Executive Order on best practices for cyber--bringing them these programs so they can teach themselves how to protect their networks, and teach their supply chain, and teach their colleagues. So we are building more secure communities by joining our critical infrastructure expertise, our outreach, and joining that trust with our cyber experts. We need to have a structure that lets us continue to operate in this time of growing mission demand and continued resource constraints. I wish I could say that the threat was going away. It is growing. Our job is to neutralize that, and the way we do that is to be more artful. Our adversaries are constantly evolving. They have absolutely no barrier to overcome. If we are to overcome their artful hold, we have to be more masterful and more agile, and that is what this realignment is designed to do. It allows us to be more efficient and allows us to be more efficient with the tools that you have provided us in legislation; it allows us to make better use of your tremendous advocacy and get out there with the strength that we bring as a whole of Government, and do that with a whole of NPPD. Our Secretary always tells us that homeland security--that cybersecurity is a part of homeland security. Our job is to make sure that technology and innovation are enabled, that the private sector is enabled to make more money so they can innovate and build great things, and that our citizens can enjoy new technologies. Our job is to make our infrastructure resilient to damage so that the American way of life continues to be enjoyable, and fun, and a great place to make these new technologies without a fear of what new technology can bring. To neutralize that, we need this transformation to strengthen our cybersecurity mission, to bring everything we have got in trust, in capability, in infrastructure knowledge, infrastructure expertise, sector knowledge, feet on the street--use the field forces, our Federal Protective Service, who see everything that is happening in a Federal building and day out--use their awareness of the HVAC systems that have been known as targets to understand exactly what is happening and bring that all together. Our transformation will enable all of this. It will enable the cybersecurity piece of homeland security in the Secretary's Unity of Effort. We look forward to bringing more customer service and being even more of a service that our taxpayers will be proud of. So thank you, and I look forward to your questions. Mr. Ratcliffe. Thank you, Dr. Schneck. Chair now recognizes Dr. Clark for 5 minutes for his opening statement. STATEMENT OF RONALD J. CLARK, DEPUTY UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Clark. Chairman Ratcliffe, Ranking Member Richmond, Chairman McCaul, and distinguished Members of the subcommittee, thank you for the opportunity to appear before you today. With 2 decades of service as a United States Marine Corps infantry officer, 5 years at the National Security Council, my mission and instinct at NPPD has been to focus on mitigating threats, driving down risk, and executing intelligence-driven operations--operations focused on the protection of Federal facilities, critical infrastructure, and the American people. NPPD occupies unique mission space, and we must ensure the full leveraging of its unique expertise, information, and capabilities. We are committed to enhancing our operational capacity and capability and taking the actions needed to enhance our security of critical infrastructure. The threat we face today is increasingly elusive, unpredictable, and violent. The threat increasingly extends across physical and cyber domains and can be carried out by criminal elements; aspirants of an extremist ideology; or terrorists, foreign, or domestic. In response to this dynamic threat environment, over the past year we have executed a series of enhanced security operations across the country to detect, deter, and deny potential threats to thousands of Federal facilities and millions of occupants. These operations entailed a series of intensified security protocols that increased our presence, awareness, and ability to respond. We have also enhanced our efforts directed at State and local partners, private-sector owners and operators of critical infrastructure. This dimension of our security campaign focused on building capacity, sharing threat information and trends, and, most importantly, addressing the very real concerns of local partners, private-sector stakeholders, and the faith- based community. While we have seen progress to date, we must continue to enhance our operational capabilities because our adversaries have repeatedly demonstrated their ability to adapt to our security measures. Whether the operation is focused on the direct protection of a Federal building, ensuring the security parameters of a chemical facility, deploying a cybersecurity advisor team, or expanding the capacity of public and private- sector partners, robust analytical support is essential. Operations must be driven by the best possible information. Toward this end, we have focused on sharpening our analytic capabilities. For example, today our ability to complete forward-looking analysis and to systematically map the interdependencies of critical infrastructure by our Office of Cyber and Infrastructure Analysis is exceptional. Their analytical support to the decision-making process is critical. We have pragmatically integrated this robust analytic capability with an enduring focus on fielding low-cost, high- impact tools that increase mission assurance, team welfare, precision, and speed. Thank you again for this opportunity. Thank you, as well, for your enduring support to the Department of Homeland Security over many years. Thank you. Mr. Ratcliffe. Thank you, Dr. Clark. Chair now recognizes Mr. Currie for 5 minutes for his opening statement. STATEMENT OF CHRIS P. CURRIE, DIRECTOR, EMERGENCY MANAGEMENT, NATIONAL PREPAREDNESS AND CRITICAL INFRASTRUCTURE PROTECTION, HOMELAND SECURITY AND JUSTICE TEAM, U.S. GOVERNMENT ACCOUNTABILITY OFFICE Mr. Currie. Thank you, Mr. Chairman, Ranking Member Richmond, and other Members of the subcommittee. I appreciate the opportunity to be here today to talk about the potential reorganization of NPPD. I wanted to say up front that we at GAO don't have many details on the specific reorganization or any on-going work on this issue. However, over the years we have evaluated numerous agency creations and transformations and reorganizations, and based on real-life lessons learned, we have developed a number of questions and--that need to be answered and factors that need to be addressed during these types of changes. Also, as the committee knows, the initial implementation of DHS and broader management issues at the Department are still on our high-risk list. So we think our work across these areas is important to consider in any potential change in NPPD's structure or mission. Before I get into the specifics of our work I did want to make a key point: NPPD has the critical and difficult mission of securing both cyber and physical critical infrastructure and the interdependencies between both of those things. To do this, it needs to be able to adapt and change with the threat as needed, so it is not surprising that NPPD would propose a reorganization to adapt to the changing threat and additional responsibilities it has. However, our experience at DHS and other agencies has shown that it is often the management issues that can creep in as problems later on after these things are done in areas like human capital and acquisition. These areas are just as critical to think through as the mission need that is driving the reorganization because they can hinder success. Our work across Government points to key questions that need to be answered in these situations. For example: What are the goals? What are the real costs and benefits? How can the up-front cost be funded? This one is important: Who are the key stakeholders and how are their views being considered? Specifically, during the creation of DHS we outlined a number of key practices and steps for successful organizational transformations. Although an NPPD reorg is maybe not on that scale, they are still applicable and important, and here are just a few examples from that work: Establishing a coherent mission and integrated strategic goals to guide the transformation; establishing a communication strategy to create shared expectations and report progress; and last, involving employees to obtain their ideas and gain their ownership for the transformation because they are the ones that are going to have to make it happen. We have also found that successful Government reorganizations balance executive and legislative roles, as you mentioned up front, Mr. Chairman. For example, Congressional deliberative processes, such as this hearing, serve as an important function of getting input from Congress but also a variety of stakeholders that are affected by the change. They also provide important checks and balances. Now, let me talk a bit about our high-risk work and DHS management. DHS has made much progress in this area since its creation, but more work is needed. We have found that management challenges have had a direct impact on DHS's ability to meet its mission. For example, in the area of acquisitions, which has been discussed a lot this morning--or to put it in plain speak, when an agency purchases a service or a technology--delivering major acquisitions aimed at achieving mission capabilities that are on time and within budget has been difficult for the Department. It will be important for NPPD to consider that as it rolls out large cyber acquisitions across Government, sometimes now under accelerated time frames. In the area of human capital, or people management, DHS and NPPD have struggled with low employee morale, which can affect mission execution. Also, NPPD faces a challenge in attracting people with the technical skills it needs to accomplish its mission, such as cybersecurity specialists. The last quick point I would make is that while there are risks to any reorganization, there can also be many benefits. The best practices we have developed and I discussed--and there is a lot more detail in my formal written statement--are things that we have developed from real-life case examples from real agencies; they are not just theory. If done effectively, organizations can emerge from reorganization stronger than before. This concludes my prepared statement, and I look forward to your questions. [The prepared statement of Mr. Currie follows:] Prepared Statement of Chris P. Currie October 7, 2015 Chairman Ratcliffe, Ranking Member Richmond, and Members of the Subcommittee: I am pleased to be here today to discuss our observations on the potential reorganization of the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD). NPPD is the DHS component responsible for addressing physical and cyber infrastructure protection, a mission area of critical importance in today's threat environment. Critical infrastructure owners and operators continue to experience increasingly sophisticated cyber intrusions and a ``cyber-physical convergence'' has changed the risks to critical infrastructure ranging from energy and transportation to agriculture and health care, according to a DHS strategic review.\1\ --------------------------------------------------------------------------- \1\ DHS, The 2014 Quadrennial Homeland Security Review (Washington, DC: June 2014). --------------------------------------------------------------------------- NPPD's potential reorganization is the latest in DHS's organizational evolution. In 2003, we designated implementing and transforming DHS as high-risk because DHS had to transform 22 agencies--several with major management challenges--into one department.\2\ Further, failure to effectively address DHS's management and mission risks could have serious consequences for U.S. National and economic security. Over the past 12 years, the focus of this high-risk area has evolved in tandem with DHS's maturation and evolution. The overriding tenet has consistently remained DHS's ability to build a single, cohesive, and effective department that is greater than the sum of its parts--a goal that requires effective collaboration and integration of its various components and management functions. --------------------------------------------------------------------------- \2\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: Feb. 11, 2015). --------------------------------------------------------------------------- You asked us to offer our perspectives on reorganizations, given anticipated but unspecified changes planned at NPPD. This statement describes key factors for consideration in a NPPD reorganization. It includes observations from our prior work on organizational change, reorganization, and transformation, applicable themes from GAO's high- risk list, and NPPD-related areas from our work in assessing programmatic duplication, overlap, and fragmentation. This testimony is based on reports we issued from 2003 through 2015.\3\ For this work, among other things, we convened a forum to identify and discuss useful practices and lessons learned from major private- and public-sector organizational mergers, acquisitions, and transformations; conducted interviews with knowledgeable officials; reviewed relevant literature and agency documentation; reviewed the status of high-risk issues; and identified material in our routine audit work where areas of potential fragmentation, overlap, and duplication were identified. Recurring themes and findings from those data-gathering efforts are summarized in the published reports. More detailed information on our scope and methodology appears in the published reports. --------------------------------------------------------------------------- \3\ GAO, Streamlining Government: Questions to Consider When Evaluating Proposals to Consolidate Physical Infrastructure and Management Functions, GAO-12-542 (Washington, DC: May 23, 2012); GAO, Government Efficiency and Effectiveness: Opportunities for Improvement and Considerations for Restructuring, GAO-12-454T (Washington, DC: March 21, 2012); GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: Feb. 11, 2015); GAO, 2015 Annual Report: Additional Opportunities to Reduce Fragmentation, Overlap, and Duplication and Achieve Other Financial Benefits, GAO-15-404SP (Washington, DC: April 14, 2015); GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformations, GAO-03-669 (Washington, DC: July 2, 2003). --------------------------------------------------------------------------- We conducted the work upon which this statement is based in accordance with generally-accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. background The Homeland Security Act of 2002 created DHS and gave the Department wide-ranging responsibilities for, among other things, leading and coordinating the overall National critical infrastructure protection effort.\4\ For example, the Act required DHS to develop a comprehensive National plan for securing the Nation's critical infrastructure and key resources, including power production, generation, and distribution systems, and information technology and telecommunication systems, among others.\5\ Homeland Security Presidential Directive (HSPD) 7 further defined critical infrastructure protection responsibilities for DHS and other departments.\6\ For example, HSPD-7 directed DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating Federal infrastructure protection and risk management activities within and across critical infrastructure sectors. Various other statutes and directives provide specific legal authorities for infrastructure protection and resiliency programs.\7\ --------------------------------------------------------------------------- \4\ See generally Pub. L. No. 107-296, 116 Stat. 2135 (2002). Title II of the Homeland Security Act, as amended, primarily addresses the Department's responsibilities for critical infrastructure protection. \5\ See 6 U.S.C. 121(d)(5). ``Critical infrastructure'' are systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on National security, National economic security, National public health or safety, or any combination of those matters. 42 U.S.C. 5195c(e). Key resources are publicly or privately controlled resources essential to minimal operations of the economy or Government. 6 U.S.C. 101(10). \6\ Homeland Security Presidential Directive/HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection (Dec. 17, 2003). \7\ For example, the Cyber Security Research and Development Act, enacted in January 2002, authorized funding through fiscal year 2007 for the National Institute of Standards and Technology and the National Science Foundation to facilitate increased research and development for computer and network security and to support related research fellowships and training. See generally Pub. L. No. 107-305, 116 Stat. 2367 (2002). Other critical infrastructure-related Presidential Directives include HSPD-3, which addresses implementation of the Homeland Security Advisory System; HSPD-9, which establishes a National policy to defend the Nation's agriculture and food system; HSPD-10, which addresses U.S. efforts to prevent, protect against, and mitigate biological weapons attacks perpetrated against the United States and its global interests; HSPD-19, which addresses the prevention and detection of, protection against, and response to terrorist use of explosives in the United States; HSPD-20, which addresses the establishment of a comprehensive and effective National continuity policy; and HSPD-22, which, as described in the NIPP, addresses the ability of the United States to prevent, protect, respond to, and recover from terrorist attacks employing toxic chemicals. Presidential Policy Directive/PPD-21--Critical Infrastructure Security and Resilience--issued February 12, 2013, revoked HSPD-7 but provided that plans developed pursuant to HSPD-7 shall remain in effect until specifically revoked or superseded. --------------------------------------------------------------------------- NPPD was established in 2007 as DHS evolved. Specifically, after the Post-Katrina Emergency Management Reform Act of 2006 transferred to the Federal Emergency Management Agency most of what was then termed the Preparedness Directorate, the Secretary of Homeland Security at that time created NPPD. NPPD combined most of the remaining functions of the Preparedness Directorate, such as the Office of Infrastructure Protection, with other functions.\8\ For example, the Office of Cyber Security and Telecommunications combined with the National Communications System and the new Office of Emergency Communications and was renamed the Office of Cyber Security and Communications. As reported in DHS's fiscal year 2016 budget request, NPPD employs approximately 3,500 staff. NPPD's current organizational structure includes 5 divisions. --------------------------------------------------------------------------- \8\ See 6 U.S.C. 315. See also 6 U.S.C. 452 (authorizing the Secretary to allocate or reallocate functions among the officers of the Department, and to establish, consolidate, alter, or discontinue organizational units within the Department). ---------------------------------------------------------------------------The Federal Protective Service is the agency charged with protecting and delivering law enforcement to and protection services for Federal facilities. The Office of Biometric Identity Management, formerly US- VISIT, provides biometric identity services to DHS and its mission partners. The Office of Cybersecurity and Communications has the mission of assuring the security, resiliency, and reliability of the Nation's cyber and communications infrastructure. The Office of Cyber and Infrastructure Analysis provides consolidated all-hazards consequence analysis focusing on cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the Nation's critical infrastructure. The Office of Infrastructure Protection leads the coordinated National effort to reduce risk to critical infrastructure posed by acts of terrorism. Many of NPPD's activities are guided by the 2013 National Infrastructure Protection Plan (NIPP). NPPD issues the NIPP in accordance with requirements set forth in the Homeland Security Act, as amended, HSPD-7, and more recently Presidential Policy Directive-21-- Critical Infrastructure Security and Resilience. The NIPP was developed through a collaborative process involving critical infrastructure stakeholders. Central to the NIPP is managing the risks from significant threat and hazards to physical and cyber critical infrastructure, requiring an integrated approach to: Identify, deter, detect, disrupt, and prepare for threats and hazards to the Nation's critical infrastructure; Reduce vulnerabilities of critical assets, systems, and networks; and Mitigate the potential consequences to critical infrastructure of incidents or adverse events that do occur. key factors for consideration in a nppd reorganization Our prior work includes four areas that offer valuable insights for agency officials to consider when evaluating or implementing a reorganization or transformation. These areas include: (1) Considering key questions for consolidation decision making and factors for success when implementing an organizational change; (2) balancing Executive and Congressional roles in the decision-making process; (3) considering themes and findings in our DHS high-risk work; and (4) addressing any related duplication, overlap, or fragmentation of existing programs. Key Questions to Consider During Organizational Consolidation and Practices for Transformation Implementation Two sets of considerations for organizational transformations provide insights for NPPD's organizational change decision making and implementation. First, in May 2012, we reported on key questions for agency officials to consider when evaluating an organizational change that involves consolidation.\9\ Table 1 provides a summary of these key questions from our previous work on organizational transformations, which we developed through a review of selected consolidation initiatives at the Federal agency level, among other things. Attention to these factors would provide NPPD with assurance that important aspects of effective organizational change are addressed. --------------------------------------------------------------------------- \9\ GAO-12-542. ------------------------------------------------------------------------ Key Questions ------------------------------------------------------------------------- What are the goals of the consolidation? What opportunities will be addressed through the consolidation and what problems will be solved? What problems, if any, will be created? What will be the likely costs and benefits of the consolidation? Are sufficiently reliable data available to support a business-case analysis or cost-benefit analysis? How can the up-front costs associated with the consolidation be funded? Who are the consolidation stakeholders, and how will they be affected? How have the stakeholders been involved in the decision, and how have their views been considered? On balance, do stakeholders understand the rationale for consolidation? To what extent do plans show that change management practices will be used to implement the consolidation? ------------------------------------------------------------------------ Source: GAO-12-542. Second, as DHS was formed, we reported in July 2003 on key practices and implementation steps for mergers and organizational transformations. The factors listed in Table 2 were built on the lessons learned from the experiences of large private and public-sector organizations. The resulting practices we developed are intended to help agencies transform their cultures so that they can be more results-oriented, customer-focused, and collaborative in nature. As NPPD reorganizes, consulting each of these practices would ensure that lessons learned from other organizations are considered. TABLE 2.--KEY PRACTICES AND IMPLEMENTATION STEPS FOR MERGERS AND ORGANIZATIONAL TRANSFORMATIONS ------------------------------------------------------------------------ Key Factors When Implementing Organizational Change Implementation Step ------------------------------------------------------------------------ Ensure top leadership drives the Define and articulate transformation. a succinct and compelling reason for change. Balance continued delivery of services with merger and transformation activities. Establish a coherent mission and Adopt leading integrated strategic goals to guide practices for results-oriented the transformation. strategic planning and reporting. Focus on a key set of principles and Embed core values in priorities at the outset of the every aspect of the transformation. organization to reinforce the new culture. Set implementation goals and a time Make public line to build momentum and show implementation goals and time progress from Day 1. line. Seek and monitor employee attitudes and take appropriate follow-up actions. Identify cultural features of merging organizations to increase understanding of former work environments. Attract and retain key talent. Establish an organization-wide knowledge and skills inventory to exchange knowledge among merging organizations. Dedicate an implementation team to Establish networks to manage the transformation process. support implementation team. Select high-performing team members. Use the performance management system Adopt leading to define responsibility and assure practices to implement accountability for change. effective performance management systems with adequate safeguards. Establish a communication strategy to Communicate early and create shared expectations and report often to build trust. related progress. Ensure consistency of message. Encourage two-way communication. Provide information to meet specific needs of employees. Involve employees to obtain their ideas Use employee teams. and gain their ownership for the Involve employees in transformation. planning and sharing performance information. Incorporate employee feedback into new policies and procedures. Delegate authority to appropriate organizational levels. Build a world-class organization....... Adopt leading practices to build a world- class organization. ------------------------------------------------------------------------ Source: GAO-03-669. Balancing Executive and Congressional Roles in Reorganization Decision- making In March 2012, we found that successful Government reorganizations balanced Executive and Legislative roles and that all key players engaged in discussions about reorganizing Government: The President, Congress, and other parties with vested interests, including State and local governments, the private sector, and citizens.\10\ It is important that consensus is obtained on identified problems and needs, and that the solutions our Government legislates and implements can effectively remedy the problems we face in a timely manner. Fixing the wrong problems, or even worse, fixing the right problems poorly, could cause more harm than good. --------------------------------------------------------------------------- \10\ GAO-12-454T. --------------------------------------------------------------------------- We found that it is imperative that Congress and the administration form an effective working relationship on restructuring initiatives. Any systemic changes to Federal structures and functions should be approved by Congress and implemented by the Executive branch, so each has a stake in the outcome. In addition, Congressional deliberative processes serve the vital function of both gaining input from a variety of clientele and stakeholders affected by any changes and providing an important Constitutional check and counterbalance to the Executive branch. applicable gao high-risk work Securing Cyber Critical Infrastructure and Federal Information Systems and Protecting the Privacy of Personally Identifiable Information Safeguarding the systems that support critical infrastructures-- referred to as cyber critical infrastructure protection--is a continuing concern cited in our 2015 High-Risk Series Update.\11\ Given NPPD's current cybersecurity activities, addressing these concerns in any reorganization effort would be critical. For example, NPPD conducts analysis of cyber and physical critical infrastructure interdependencies and the impact of a cyber threat or incident to the Nation's critical infrastructure. Sustained attention to this function is vitally important. In our 2015 High-Risk Series Update report, we note that to address the substantial cyber critical infrastructure risks facing the Nation, Executive branch agencies, in particular DHS, need to continue to enhance their cyber analytical and technical capabilities (including capabilities to address Federal cross-agency priorities), expand oversight of Federal agencies' implementation of information security, and demonstrate progress in strengthening the effectiveness of public/private-sector partnerships in securing cyber critical infrastructures. --------------------------------------------------------------------------- \11\ GAO-15-290. --------------------------------------------------------------------------- In our 2015 High-Risk Series Update report, we highlight two additional high-risk areas related to securing cyber critical infrastructure. The security of our Federal cyber assets has been on our list of high-risk areas since 1997. In 2003, we expanded this high- risk area to include the protection of critical cyber infrastructure. This year, we added protecting the privacy of personally identifiable information (PII)--information that is collected, maintained, and shared by both Federal and non-Federal entities. Strengthening DHS Management Functions Our 2015 High-Risk Series Update found that DHS made significant progress in addressing our concerns, but that considerable work remains in several areas. To the extent that these issues are relevant to a reorganized NPPD, consideration of each area would be important so as not to jeopardize DHS's progress in taking steps toward addressing its implementation and transformation as a high-risk area. These areas of concern include: Acquisition management.--DHS has taken a number of actions to establish effective component-level acquisition capability, such as initiating assessments of component policies and processes for managing acquisitions. In addition, DHS is working to assess and address whether appropriate numbers of trained acquisition personnel are in place at the Department and component levels, an outcome it has partially addressed. Further, while DHS has initiated efforts to demonstrate that major acquisition programs are on track to achieve their cost, schedule, and capability goals, DHS officials have acknowledged it will be years before this outcome has been fully addressed. Much of the necessary program information is not yet consistently available or up-to-date. Attention to effective acquisition management is particularly important in an NPPD reorganization, given the substantial costs for cybersecurity programmatic efforts. For example, NPPD's National Cybersecurity Protection System, intended to defend the Federal civilian Government's information technology infrastructure from cyber threats, had a life-cycle cost of $5.7 billion as of January 2015. IT management.--While the Department obtained a clean opinion on its financial statements, in November 2014, the Department's financial statement auditor reported that continued flaws in security controls such as those for access controls, configuration management, and segregation of duties were a material weakness for fiscal year 2014 financial reporting. Thus, the Department needs to remediate the material weakness in information security controls reported by its financial statement auditor. Financial management.--We reported in September 2013 that DHS needs to modernize key components' financial management systems and comply with financial management system requirements. The components' financial management system modernization efforts are at various stages due, in part, to a bid protest and the need to resolve critical stability issues with a legacy financial system before moving forward with system modernization efforts. Without sound controls and systems, DHS faces long-term challenges in ensuring its financial management systems generate reliable, useful, and timely information for day-to-day decision making. Human capital management.--The Office of Personnel Management's 2014 Federal Employee Viewpoint Survey data showed that DHS's scores continued to decrease in all 4 dimensions of the survey's index for human capital accountability and assessment--job satisfaction, talent management, leadership and knowledge management, and results-oriented performance culture. Morale problems are particularly an issue among NPPD employees, who report some of the lowest morale scores among Federal agency subcomponents. DHS has taken steps to identify where it has the most significant employee satisfaction problems and developed plans to address those problems. In September 2012, we recommended, among other things, that DHS improve its root- cause analysis efforts related to these plans. As of February 2015, DHS reported actions underway to address our recommendations but had not fully implemented them. Given the sustained decrease in DHS employee morale indicated by Federal Employee Viewpoint Survey data, it is particularly important that DHS fully implement these recommendations and thereby help identify appropriate actions to take to improve morale within its components and Department-wide. In addition, given NPPD's low morale scores, attention to employee concerns during reorganization is crucial to engaging employees in accomplishing NPPD's missions. Management integration.--The Secretary's April 2014 Strengthening Departmental Unity of Effort memorandum highlighted a number of initiatives designed to allow the Department to operate in a more integrated fashion, such as the Integrated Investment Life Cycle Management initiative, to manage investments across the Department's components and management functions. DHS completed its pilot for a portion of this initiative in March 2014 and, according to DHS's Executive Director for Management Integration, has begun expanding its application to new portfolios, such as border security and information sharing, among others. However, given that these main management integration initiatives are in the early stages of implementation and contingent upon DHS following through with its plans, it is too early to assess their impact. To achieve this outcome, DHS needs to continue to demonstrate sustainable progress integrating its management functions within and across the Department and its components. Related GAO Work on Duplication, Overlap, or Fragmentation Our prior work identified areas where agencies may be able to achieve greater efficiency or effectiveness by reducing programmatic duplication, overlap, and fragmentation.\12\ Since 2011, we have reported annually on this topic, presenting nearly 200 areas wherein opportunities existed for Executive branch agencies or Congress to reduce, eliminate, or better manage fragmentation, overlap, or duplication; achieve costs savings; or enhance revenue. Several of our findings in the reports relate to DHS and NPPD activities. For example, consistent with a previous recommendation with which DHS agreed, in 2015 we reported that DHS could mitigate potential duplication or gaps by consistently capturing and maintaining data from overlapping vulnerability assessments of critical infrastructure and improving data sharing and coordination among the offices and components involved with these assessments, of which NPPD is one.\13\ Also, in 2012, we found that Federal facility risk assessments were duplicative, as they were conducted by multiple Federal agencies, including NPPD's Federal Protective Service (FPS). We recommended that DHS should work with Federal agencies to determine their reasons for duplicating the activities included in FPS's risk assessments and identify measures to reduce this duplication.\14\ DHS did not comment on whether it agreed with this recommendation at the time it was made and the recommendation was not fully addressed as of March 2015. Addressing these duplication concerns and any other fragmentation, overlap, or unnecessary duplication that agency officials may identify as part of its reorganization will improve the agencies' overall efficiency and effectiveness. --------------------------------------------------------------------------- \12\ Fragmentation refers to those circumstances in which more than one Federal agency (or more than one organization within an agency) is involved in the same broad area of National need and opportunities exist to improve service delivery. Overlap occurs when multiple agencies or programs have similar goals, engage in similar activities or strategies to achieve them, or target similar beneficiaries. Duplication occurs when 2 or more agencies or programs are engaged in the same activities or provide the same services to the same beneficiaries. \13\ GAO-15-404SP and GAO, Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts, GAO-14-507 (Washington, DC: Sept. 15, 2014). \14\ GAO-12-342SP. --------------------------------------------------------------------------- Given the critical nature of NPPD's mission, considering key factors from our previous work would help inform a reorganization effort. For example, the lessons learned by other organizations involved in substantial transformations could provide key insights for agency officials as they consider and implement reorganization. Attention to these and the other factors we identified would improve the chances of a successful NPPD reorganization. Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittee, this concludes my prepared statement. I would be happy to respond to any questions you may have. Mr. Ratcliffe. Thank you, Mr. Currie. I now recognize myself for 5 minutes for questions. So, as I referenced in my opening statement, it was 5 months ago, it was back in June that I first read about this possible reorganization at NPPD through various media sources. After several months of requests for information from DHS, Chairman McCaul and Ranking Member Richmond and I wrote to Secretary Johnson 3 weeks ago to express our concern about our ability to fill our role of Congressional oversight and authorization. It was yesterday that I received from Secretary Johnson a hand-delivered response to that letter, which essentially says, ``I approved NPPD's transition plan and understand that Under Secretary Suzanne Spaulding is scheduled to brief you this week. Thank you again for your letter and your interest in this important issue.'' Under Secretary Spaulding, you and I did, in fact, meet yesterday. But I want to make sure that we are all on the same page here, because I heard your testimony today about the collaborative effort that--in moving forward in this process, but the letter from Secretary Johnson appears to say, ``I have approved this and the ship has sailed.'' So I want to give you an opportunity to address that point again. Ms. Spaulding. Thank you, Mr. Chairman. I appreciate that opportunity. This has, as I said, been an on-going process. In fact, it is one that did not start with looking at a wiring diagram but really did start with looking at finding all of the ways which we could work more collaboratively and efficiently and effectively across NPPD. When we reached a point where we felt that the benefits of that collaboration and integration were increasingly apparent and that it was also increasingly apparent that we were asking our folks every day to fight the organizational structure, to accomplish that collaboration and integration we were asking them to do, we started looking at how we could better align our missions--our functions to facilitate what we were asking them to do. The first step in that was to create an overarching structure. What are the broad outlines? What would that look like if we did that? So we came up with a proposal. I sat down with the Secretary. He said, ``That looks right to me. That seems to be on the right track.'' I briefed my workforce that this is what we were proposing to the Secretary. As soon as the Secretary had approved that, we came down to the Hill to talk about, ``These are the overarching--this is the broad outline of what we are doing.'' That was this summer. Unfortunately, in trying to be transparent with my workforce and inclusive, make sure that they are providing essential input, we have increased the number of people who have this information and who have the potential to go and talk to the press. But we have all through this process--again, and the Secretary directed us to develop a more detailed implementation plan, to get it to him by the end of the summer, by August 31, which we did. He took a very quick opportunity to review that and make sure that he was comfortable with it, gave us some guidance. We got final approval on that plan and were immediately on the phone to say, ``We are--we now have something we can come up and brief you on.'' So this is a difficult process of, you know, going through the steps and making sure that all of our various folks are informed at the appropriate times, but it is absolutely our intent to work in a collaborative way with Congress---- Mr. Ratcliffe. Okay. Ms. Spaulding [continuing]. On this process. Mr. Ratcliffe. Thank you, Under Secretary. But just so we are clear, do you agree with me that DHS can't move forward on at least certain elements of this reorganization without Congressional authorization under the Homeland Security Act? Ms. Spaulding. Absolutely. Mr. Ratcliffe. Okay. Your conversations with Secretary Johnson are that he is clear on that as well? Ms. Spaulding. Absolutely. Mr. Ratcliffe. Okay. Given NPPD's responsibility for engaging with and encouraging stakeholder input for both its cybersecurity and physical security missions, can you tell us what your engagement has been at this point in time with NPPD's stakeholders regarding this reorganization effort? Ms. Spaulding. Yes. Again, as I said, my priority has been to make sure that we are up here telling you as we have gone through this process where we are in the process and giving you the detail as we develop it in this plan. So this is part of what I have talked about balancing. So when we had the broad outline, and once we had been up here to be able to talk with your staff about that, I took advantage of opportunities in front of some of our stakeholder groups to tell them--to give them that same broad picture about where NPPD was moving, so that as we went through this process they would not be surprised by things that came out. Now that we have had an opportunity to get up and brief the Congress on this next level of detail in our plan, which is an on-going process, we are reaching out to our further stakeholder groups to make sure that we are providing them that additional detail, as well. So again, this is an outreach effort that is on-going. Mr. Ratcliffe. Okay. My time is expired, but--so very quickly, have you reached out to the financial services and the tech sectors? Ms. Spaulding. So the financial services and tech sectors are part of the cross-sector coordinating council, and I met with them a couple of months ago to make sure that they understood that this process was underway and the direction in which we are moving. Mr. Ratcliffe. And---- Ms. Spaulding. We are now going sector-by-sector to do our outreach. But again, I wanted to be up on the Hill first. Mr. Ratcliffe. Okay. Have you at this point had any discussions with your Federal cybersecurity partners, like FBI and DOD, on this proposed reorg and gotten any feedback from them at this point? Ms. Spaulding. Not in any formal way, Chairman. But again, both of those are very close working partners and they are aware of the direction in which NPPD has been moving. Mr. Ratcliffe. Okay. With respect to all those stakeholders, is it your intent to take their input into account in--with respect to this reorganization as--and if necessary adjust what has been proposed? Ms. Spaulding. There is a lot of detail that still is being worked out on this plan. In fact, I have designated champions for each of the key areas who are working--continue to work in an inclusive way with my workforce to fill out those details, and they will be seeking input from our stakeholders to make sure that we are, as we move forward on this, that we are getting it right. Mr. Ratcliffe. Thank you. My time is expired. The Chair now recognizes Ranking Minority Member of the subcommittee, Mr. Richmond, for his questions. Mr. Richmond. Thank you. I would just start with a quick statement, which is, you know, I am really disappointed that we had to get here the way we got here. I think it is just a lack of communication. What I hope it is not is the dismissing our role and our task and our authority and responsibility to make sure that the people of this country are protected and Government is running as efficiently and as smoothly as possible. We take that very seriously. I think that this committee, more than other committees, works in a bipartisan fashion, and we try to be part of the solution and not part of the problem. So just in the future, I would hope that we could communicate so that we don't have to have these type of meetings. I don't want to be in the business of reorganizing NPPD. You all wake up and you do it every day. We do a million and one things. We have to figure out peace in the Middle East; we have to figure out how to stop breaches; and we have to figure out how to pass a budget. So we have a million things on our plate, and I always believe in deferring to the experts that do it, and I defer. But I think that in deferring we still have a role to play in making sure that, No. 1, it makes sense; No. 2, that we think it achieves the efficiency and Unity of Effort which we all hope to accomplish. So just think of us as part of the team and--at least me-- and I would like to be helpful. With all of that, let me ask you a question. With the reorganization, with your mission, how does operating under continuing resolution affect your ability to not only reorganize but to budget, to plan, and to accomplish your overall mission? Ms. Spaulding. Ranking Member, first let me again thank you personally, as well as the committee, for your strong support for DHS and for NPPD and, most importantly, for our mission. We have very much appreciated the partnership here, the collaboration with the committee. I cannot emphasize enough that that is--has always been our intent and continues to be our intent, and I make that firm commitment to you. I appreciate the question about the impact of a continuing resolution. I mean, effectively what the continuing resolution says is: Everything is frozen in place at last year's level of funding and activity. Unfortunately, our adversaries are not frozen in place. Our adversaries are moving as fast as they can. They are changing; they are evolving; they are responding to what we are doing, and getting better, and finding ways around the mitigations that we put in place, whether it is terrorists or cyber hackers, or nation-states. This transition reflects that, but every day we are looking at ways in which we can build our capacity, we can do this better, and we can continue to meet the challenge from our adversary. Continuing resolution makes that very difficult. Mr. Richmond. In my district, which we have talked about the infrastructure and the petrochemical and the refineries and the ports, I also have a lot of labor and union membership in my district; not only people work for DHS, but in the ports, the refineries, the other areas. What measures are in place to engage with labor, both public and private, regarding the changes you plan to make? Ms. Spaulding. We have had on-going consultations and discussions with the unions throughout this process, both because I value their input as representatives of important parts of my work force, but also, obviously, to be respectful of bargaining agreements and the requirements of the law and policies. So we certainly have, as I said, had a number of meetings and briefings with our union representatives. We also have regular meetings with a coalition that includes labor generally, and in areas like our implementation of Chemical Facility Anti-Terrorism Standards, for example, with our high-risk chemical facilities, we have benefited from the input of labor union representatives throughout that industry. So those consultations and discussions continue. Mr. Richmond. Really quickly to Chris, what are your biggest concerns about this reorganization, and what could derail success? Mr. Currie. Thank you, sir, for the question. You know, I wouldn't so much say at this point I have concerns. I don't know that many details about it. I think the biggest factor is that--that I am thinking about in this is that these best practices for reorganizations and transformations are followed. Oftentimes what we have seen is when organizations rush these things, or they rush through these things to address a real and pressing mission need, oftentimes it is later on that the, like I said in my statement, the management issues creep up, the acquisition problems, the human capital problems. Because, quite frankly, some of these things take time and they take deliberation. For example, gathering employee feedback is one of our best practices, but not just gathering it, but showing employees how it was incorporated and actually using the feedback and closing the loop on that so they feel invested in it. That takes time and it can be a little painful, quite frankly. So, not that NPPB is rushing through this--I am not aware of the details. But when that happens, sometimes mistakes can be made. Mr. Ratcliffe. Gentleman yields back. I ask unanimous consent at this time to enter into the record the September 15--yes, September 15, 2015 letter from Members of the committee to Secretary Johnson, and Secretary Johnson's October 6, 2015 response to the Members of the committee that I referenced earlier in my opening and questions. Without objection, so ordered. [The information follows:] Letter Submitted For the Record by Chairman John Ratcliffe September 15, 2015. Dear Secretary Johnson: As leaders of the primary committee of oversight of the Department of Homeland Security (Department), we are encouraged by many of the efforts you are undertaking to strengthen unity of effort within the Department. We share your desire to ensure the Department is optimally organized to achieve its vital mission and appreciate the responsiveness of your staff on some of the aspects of this effort. However, we are concerned with the lack of transparency on the proposed reorganization of the National Protection and Programs Directorate (NPPD). Despite multiple media reports on the proposal to reorganize NPPD and numerous requests for information from our staff, we have yet to receive any specific details from the Department. NPPD is home to a number of important organizations, including the National Cybersecurity and Communications Integration Center, the Office of Biometric Identity Management, the Office of Emergency Communications, the Office of Infrastructure Protection, and the Federal Protective Service, which all need to be properly represented in any reorganization of NPPD to effectively carry out their missions. As you are aware, we are drafting legislation to update and improve the Department, including NPPD. We took the first step in this effort with the passage of H.R. 1731, which would rename NPPD as Cybersecurity and Infrastructure Protection and codify a Deputy Under Secretary for Cybersecurity and a Deputy Under Secretary for Infrastructure Protection. As the Committee continues to work to fulfill its oversight responsibilities and strengthen the Department, we will lead further efforts to reorganize NPPD. We value your perspective on this process. As such, receipt of information on your recommendation for the organization of NPPD is necessary promptly. We look forward to working hand-in-hand with you and Under Secretary Spaulding on this critical effort. Thank you for your consideration. Sincerely, Michael T. McCaul, Chairman, Committee on Homeland Security. Bennie Thompson, Ranking Member, Committee on Homeland Security. John Ratcliffe, Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. Cedric Richmond, Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. Candice Miller, Chairman, Subcommittee on Border and Maritime Security. Filemon Vela, Ranking Member, Subcommittee on Border and Maritime Security. Scott Perry, Chairman, Subcommittee on Oversight and Management Efficiency. Bonnie Watson Coleman, Ranking Member, Subcommittee on Oversight and Management Efficiency. Martha McSally, Chairman, Emergency Preparedness, Response, and Communications. Donald Payne, Ranking Member, Emergency Preparedness, Response, and Communications. ______ Letter Submitted For the Record by Chairman John Ratcliffe October 6, 2015. The Honorable John Ratcliffe, Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, U.S. House of Represetatives, Washington, DC 20515. Dear Chairman Ratcliffe: Thank you for your September 15, 2015 letter. The U.S. Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) executes core parts of the Department's mission. In particular, NPPD oversees operational activity aimed at securing and enhancing the resilience of the Nation's infrastructure against cyber and physical risks. I recently approved NPPD's transition plan and understand that Under Secretary Suzanne Spaulding briefed your staff on this plan last week and is scheduled to brief you this week. In addition, Under Secretary Spaulding will appear before your Committee's Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee on October 7, 2015, to address additional concerns. The transition plan includes the steps necessary for NPPD to become a DHS Operating Component through strengthening the operational aspects of the cyber and infrastructure protection missions and realigning the mission support functions of NPPD to better support these operations. I am grateful for the support the Committee on Homeland Security has provided to the Department's cyber and infrastructure protection mission--particularly the actions taken to clarify the authority to carry out our operations effectively. I am committed to continuing this collaboration and look forward to working with you and your staff to ensure the Department is best situated to carry out the mission of cyber and infrastructure protection. Thank you again for your letter and interest in this important issue. The co-signers of your letter will receive separate, identical responses. Should you wish to discuss this matter further, please do not hesitate to contact me. Sincerely, Jeh Charles Johnson. Mr. Ratcliffe. Chair will now recognize other Members of the subcommittee for 5 minutes for questions they may wish to ask the witnesses. In accordance with committee rules and practice, I plan to recognize Members who were present at the start of the hearing by seniority of the subcommittee. Those coming in later will be recognized in the order of arrival. Chair now recognizes the gentleman from New York, Mr. Donovan, for 5 minutes. Mr. Donovan. Thank you, Mr. Chairman. To the panel, let me also, as the Chairman said, as our Ranking Member said, thank you for the efforts that you make to protect our Nation. They are very, very much appreciated by everyone here and everyone in America. Under Secretary Spaulding, I heard in your testimony and read your testimony that was submitted that you have identified areas where Congressional action is required to change existing regulations that you have. That statement makes it very clear that--why it is important to engage directly with the committee before going so far down the road in a major reorganization. I would also note that one of the specific areas of improvement noted by the Government Accountability Office in its review of DHS management functions is the need to better communicate with Congress. Can you outline for us specific areas that you believe Congressional action is necessary before you are able to reorganize as you wish to? I know this is a difficult forum to do that, so if there is an opportunity after today's hearing to put that in writing for us so we can understand what you feel is necessary from us so you can perform your functions. Ms. Spaulding. Great. Thank you, Congressman. We will take advantage of that opportunity to provide the committee with some input on the legislation that I believe the committee is considering, as well. But I will give you, you know, at least one example where it is very clear that Congress needs to act. We would like to move the Office of Emergency Communications to align it with other stakeholder outreach and capacity-building efforts that go on in NPPD that are very similar functions and put that into that infrastructure security organization. Right now the Office of Emergency Communications, by statute, reports to the assistant secretary for cybersecurity. So that will require a statutory change. There is really not a lot about NPPD that is in statute, but those things that are there will require some statutory change. In addition, we are very aware that Congress has said significant reorganizations require Congressional approval, and so, you know, again, we will be coming down and continue to work with you to accomplish those things. Mr. Donovan. It is just very helpful to us to know what it is that you need. Just briefly, Mr. Currie, you describe--this is an incredibly talented panel of individuals who dedicated their careers or part of their careers to helping protect our Nation. You mentioned about how difficult it is to recruit people. You all were recruited. Maybe Jeh had the--put the arm on you to make you guys come along, but you guys were recruited. You talked about the difficulty with morale with the employees of DHS. Can you explain to me why it is so difficult, do you feel, to recruit candidates to perform this very essential duty to our Nation and why you feel like morale in the Department is so low? Mr. Currie. Yes, sir. Well, first of all, I mean, I think-- and this--folks on this panel could probably speak to the details of the difficulty in cyber recruiting more than me, but I think it is pretty clear that the types of individuals with the specializations and experiences you need are very attractive to those in the private sector that are looking for the same skills and can pay much more. So that is one piece. The other piece is--we have reported on this in hiring--is that the process in Federal hiring can be a disincentive, too, and it can often take, you know, a very, very long time--6 months to a year--to get processed. They have to undergo very stringent personnel background checks, and in these positions have to get probably Top Secret or Secure Compartmentalized Information clearances. That takes even more time. So all of these processes make it very difficult to attract and retain. But I know this is something that the under secretary has talked about in the different forums and thinks about a lot. The issue of DHS morale is something that we have actually--we have done several engagements or audits looking specifically at that issue. It is a challenge. We have not really zeroed it down to one specific reason, but there are a lot of key themes. The way the Department was formed initially, bringing together 22 different component agencies, all with very different missions and cultures, from agencies like TSA all the way to agencies like Coast Guard, created a huge challenge in becoming one different department. I think the challenge that NPPD has--one of the challenges is--and the folks on the panel mentioned it--is all these disparate missions and workforces coming together. For example, FPS was added to NPPD in 2009. They serve a completely different mission than folks at the NCCIC in the cyber role. So I think, you know, having--and from what I understand from my behind-the-scenes discussions, part of this reorganization is intended to bring the group together and the workforces together under one clear mission, too. Mr. Donovan. Thank you very much. I don't have any time to yield, Mr. Chairman. Thank you. Ms. Spaulding. Congressman, if I might, Mr. Chairman, on the morale issue, I would note that NPPD in the latest survey results did go up slightly, but it is at least a trend in the right direction. The numbers are nowhere near where we would like them to be or where they ought to be for our workforce, but we are at least encouraged that we are nudging along in the right direction. I mentioned in my opening statement that one of the things we are hoping to do is to change our name. I actually think that while that may seem superficial, that that will also help improve our morale by providing our workforce with a clear sense of their identity and that cyber and infrastructure protection is what we are all about--FPS, the NCCIC, Infrastructure Security, all of our organization. We are all part of the same team. One team, one fight. I think that will help morale. I know that the under secretaries are prepared to--our deputy under secretaries--to talk about what we are doing on the hiring front at the appropriate time. Mr. Ratcliffe. Chair now recognizes the gentleman from Florida, Mr. Clawson. Mr. Clawson. Thank you, Ms. Under Secretary, and the rest of you, for your good work. Appreciate you coming in today. You know, our budgets seem to go up every year. We seem to spend, you know, 5 or 10 percent more no matter what happens, and the taxpayer is on the tab for that while the median wage in our country continues to fall. So we are kind of in this pressure where we seem to forget the constituents that pay the bills--I am speaking in general terms now--while our own budgets go up and up. If we do the--when you do the reorganization, will the budget actually go down? Will we actually get cost efficiencies and cost productivity like the rest of the world lives with, or is it just going to keep going up every year whether we do this reorganization or not? I see the 8.5 percent, you know, when I--so I hear everything you are saying today, and I look at the 8.6 percent--am I--do I have the number right for 2016 for a year- over-year increase, if I have the right number--and I say what, you know, what--we are doing all these great things but we just keep spending more money. Am I missing on the data there or am I correct? Ms. Spaulding. Congressman, I will have to get back to you. I don't have that number in my head. But I would---- Mr. Clawson. But you agree---- Ms. Spaulding [continuing]. I would bet that you have got that number right, but I can certainly get back to you on that. But I certainly take your broader point, and I want to emphasize that a significant part of what we are--why we are doing this is to make sure that we are operating as efficiently as we can. Our mission is growing every single day, and we are painfully aware that there are not a lot of resources-- additional resources out there that can be handed over to us to meet that growing demand. We have got to become more efficient at doing our mission so that we do not have to keep coming back and asking for additional resources to do that. We think that, again, picking up on GAO's emphasis on management, that has been a clear focus. I said I had three priorities: Unity of Effort, stronger operations, and improved mission support. That is our management function. There is a place where we have already begun to create efficiencies--they are reflected in the fiscal year 2016 budget--where we identified over $21 million of efficiencies within our budget. But we are going to continue to work at flattening that organization and creating those efficiencies. I think by leveraging our work force all toward this mission and bringing them, for example, our folks who are out there in the field doing infrastructure protection fully into the cyber mission, that creates a significant efficiency that allows us to do more in that cyber mission without asking for as--you know, the kind of additional resources that that growth in mission might suggest. So I hear you, and it is a key objective of mine. Mr. Clawson. Mr. Currie, do you have any comments on this? Do you believe that if we do the reorganization we will get better cost control and cost reduction for the taxpayer, or do you have enough information to have an opinion? Mr. Currie. No, sir. We don't have enough information on it. But this is really important. One of the first things that we note to do in such a transformation is to do a full assessment of the costs and benefits. When I say that, that is not just, you know, a 1-page list of, ``here is what is going to work well and here is what we are going to save or not.'' I mean, this is a--we ask for an extensive assessment of what the actual costs of this are going to be over time and then what the perceived benefits are, and then ask officials to weigh that in the future to see, you know, what decisions they need to make. Mr. Clawson. I agree with everything I am hearing on a qualitative level, you know, unifying the mission, better communication, common metrics. We all understand all that. But if going into next year your budget goes up in a meaningful way on a year-over-year basis then we have a much more difficult conversation about why we did this. So if we are going to constantly reorganize just to increase the budget, then I would be remiss in my responsibilities to my stakeholders, which is the taxpayers, if we didn't point that out. So at least speaking for me and my constituents, I would like to support it. You certainly have a positive tone here and all over it. But if your numbers are going to keep going up then we ought to have--reorganization or not, we ought to have a budget conversation because that is part of our responsibility is oversight, as well. You agree with what I am saying, Under Secretary? Ms. Spaulding. Absolutely. Congress clearly has a, you know, a vital role in determining the level of resources that should be devoted to this mission space. You know, what I am--we are trying to accomplish this transformation or reorganization and restructuring of our organization in as budget-neutral a fashion as possible. We are realigning existing missions and functions. That having been said, you know, if Congress wants DHS to do more in the cyber space and to take on additional roles and additional functions, we will have to come down and have a conversation about resources devoted to that. But as I said, this transition is designed to do what we are doing today more efficiently and more effectively. Mr. Ratcliffe. Thank the gentleman. Welcome the gentleman from Rhode Island, recognize him for 5 minutes. Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. I want to thank our witnesses for being here today and your work you are doing on this issue. So for Secretary Spaulding, I think--let me begin, if I could, with you. I think I am beginning to get my head around the proposed organizational changes that we are making, but I am still a bit confused as to how the restructuring will affect cybersecurity roles and responsibilities. For instance, it seems that the NCCIC will be responsible for some outreach to sectors, but critical infrastructure, cyber community program, and cyber advisors will be in the Infrastructure Security component. So can you clarify what cybersecurity responsibilities Infrastructure Security and the Federal Protective Service will have, and why the Department assigned those responsibilities? Ms. Spaulding. Yes. Thank you, Congressman. You know, one of the things that we want to emphasize is that putting both cyber and physical stakeholder outreach and engagement management within Infrastructure Security is meant to strengthen, facilitate, coordinate that outreach, not to get in the way of existing relationships. So for example, the private sector is represented on the floor of the NCCIC today. That will not change. Those tactical operational relationships that are focused on that, you know, making sure that we have the capabilities for incident response and mitigation that is the lifeblood of the NCCIC--those relationships and that work will not change. What we will change is that our work that goes on every day all across the country, where we sit down with critical infrastructure owners and operators, primarily today through our protective security advisors in the Office of Infrastructure Protections, those field forces will be fully enlisted in our cyber mission, in addition to the physical security mission that they focus on today. So that will strengthen our cybersecurity mission and ability to execute that, and I will give you an example that I know you are, you know, you are very well aware of. If, for example, today the NCCIC sees malicious activity, say, in a water facility, their ability to turn quickly to the folks who have on-going relationships with that sector and with individual owners and operators all across the country to get-- to use that network, to use those field forces, to get that word out quickly, ``This is what to be on the lookout for; this is what to watch for,'' that kind of speed of getting that information out is what is going to help us protect and do effective network defense. That is what we are trying to build in this. Mr. Langevin. So do you feel that this is going to help you to be more proactive, as opposed to reactive? Is that what you are suggesting? Ms. Spaulding. Absolutely. They will be out there every day with those owners and operators doing not just physical security assessments but cybersecurity assessments, identifying ahead of time critical vulnerabilities, configuration, et cetera, and working with them, in collaboration with the NCCIC and our cyber ninjas, as I call them, on mitigation measures. Mr. Langevin. All right. I think that is critically important that--not being so much in a reactive role but being more proactive. That is what is going to really ultimately keep us safer. Secretary Spaulding, DHS has a number of important responsibilities under FISMA, and some in Congress are looking to expand them even further. These responsibilities encompass information sharing but extend far beyond it. DHS is also responsible for developing and helping to deploy network security technologies on Federal networks. Can you explain why these functions are included under the NCCIC? Ms. Spaulding. I am going to have Deputy Under Secretary Schneck weigh in on this, as well, but the NCCIC is really designed to be our--execute our operations on cybersecurity. A big part of that is the EINSTEIN and Continuous Diagnostics and Mitigation, and our best practices under FISMA with the dot- gov. Part of what Deputy Under Secretary Schneck has been working on in her time at NPPD is making sure that we do, in fact, have an integrated architecture and an overarching strategy that brings these things together. So again, this is an area where we want the organizational structure to support that. Dr. Schneck. Ms. Schneck. Thank you. Thank you, Congressman Langevin, for all of your support over many, many years. So the NCCIC is the tip of the spear. That is the 247 watch center and it houses our CERT, our Computer Emergency Readiness Teams, for both regular I.T. as well as those systems that control physical infrastructure such as lights, water, refineries, as was mentioned earlier, ports. Within that we also have now--we are going to be looking at the Einstein and CDM programs, as we have been doing over the past 2 years. There is not just protecting the Federal agencies--so the EINSTEIN program, as you recall, watches whether bad guys are trying to get into Federal agencies and whether those agencies are unknowingly calling out to bad guys. We also get a large piece of situational awareness from that program. We see, with the help of our privacy and civil liberties experts, all the traffic going--all the internet traffic going in and out of our Federal agencies, and we use that for situational awareness. As we roll out Continuous Diagnostics and Mitigation to protect the inside of the agency networks, each agency gets a dashboard, like the one in your car that shows you gas and speed and things about your car. This dashboard shows you 24/7 things about the security of each agency's network. As we combine the data from each agency's dashboard--this is just coming out now--with the data that we see from outside, watching who is trying to hurt our agencies by coming in and where they might be calling--we put together a large map of how to connect the dots, so a large piece of situational awareness. I sometimes nickname it ``The Weather Map,'' because when you put all that data together you see things that you wouldn't see without it. That helps that NCCIC, that response center, understand exactly what is happening, and it helps us as being the center of machine-to-machine, so very fast information sharing, make sense of what we are seeing, and push more context and more cyber-threat indicators, if you will, to everyone--not just to Government, but to private sector, to universities, so that we can paint a much bigger security picture across our country. So all those programs--sometimes I call it the artifacts, the data they produce, or the exhaust across the Federal Government--we push that out to everyone, to the private sector, and again, with the help of all of our privacy and civil liberties experts. Mr. Langevin. Thank you. Mr. Chairman, are we going to go for a second round? Because I had one more question, as well. Mr. Ratcliffe. We are. Mr. Langevin. Okay. Mr. Ratcliffe. So the gentleman yields back? Mr. Langevin. I yield back. Mr. Ratcliffe. I would like to take advantage of having you all here to get some additional information, and so we will do a second round of questions for any Members that want to take advantage of that opportunity. So I recognize myself for an additional 5 minutes of questions. Under Secretary Spaulding, we have obviously got some information. Can you give us a date for when we will get the full plan? We have talked about some of the parameters of it and a transition plan, but can you give us some idea of when we could expect to see the full plan as you propose it? Ms. Spaulding. So again, I keep emphasizing that this is an on-going process, and so, you know, we--again, we are striving to have by the end of this calendar year the next level of details on this plan and be ready, you know, in consultation with Congress, to really begin to move out on some of the things particularly that will require Congressional approval. But again, I want to emphasize that this has been a--part of this on-going process has been that we have been doing the things that enhance collaboration and integration all along, and as we see those opportunities, like the regional field pilot project, you know, we will be undertaking those. Mr. Ratcliffe. Well, let me follow up on that because, you know, what I hear you saying is that obviously we agree on the fact that there are a number of things that absolutely do require Congressional authorization, but I--as I hear your testimony and the collaborative spirit in which you are here, I would--would it be fair to say that you are committed to collaborating with Congress to authorize 100 percent of NPPD? Ms. Spaulding. I believe Congress today authorizes 100 percent of NPPD. Chairman, I am not sure I am getting the thrust of your question. Congress authorizes our activities and appropriates the funding for those. Mr. Ratcliffe. Absolutely. I just want to be clear because we talk about parts of things that Congress may authorize, and I just wanted to--I think we are very much on the same page there, so I appreciate that. Dr. Schneck and Dr. Clark, question for you: In this proposed--this new Office of Infrastructure Security it appears that you have got the CFATS, or the Chemical Facility Antiterrorism Standards, program in there, which is a regulatory program, in with the Critical Infrastructure Cyber Community Voluntary Program, which some refer to as C-Cubed. Is there a concern there of having a regulatory program in with a voluntary program? Because my experience is that folks are very reluctant in a voluntary program to share their vulnerabilities with a regulator who may then hold them accountable for that. Mr. Clark. Chairman, I think it is a fair concern, and a particular concern, I think, for industry, whether this-- whether they are entering into a regulatory relationship or one that they are voluntarily entering into. The current structural separation of the divisions and the management of that information sharing, I believe both for yourself and Ranking Member, you have a number of CFATS facilities with--inside your district, so there is a very clear compartmented mechanism that allows us to differentiate the two. We need to continue to be clear with our stakeholders the difference and which regulatory regime they are a part of. Mr. Ratcliffe. Dr. Schneck. Ms. Schneck. Yes, I would echo that, and I would add, we are accustomed to this. So the structure today, if I am not mistaken, has a large voluntary work piece within the Office of Infrastructure Protection, so basically all of the voluntary outreach to all sectors except for I.T. and coms that come under cybersecurity and communication. So our stakeholders are very, very accustomed to working within an organization that houses a regulatory regime as well. In addition, DHS itself has law enforcement inside of the agency itself, although our part is not law enforcement. Our stakeholders--customers, as I call them--are also very okay and very accustomed to working with us as the non-law enforcement piece, and then reach out as needed and desired to Homeland Security Investigations, or the Secret Service, or even externally to our friends at the FBI. Ms. Spaulding. I would add, we do have two statutory regimes that enable us to protect that information. Under CFATS we have a critical vulnerability information regime that requires that that information that is provided under that regulatory regime be held within that regulatory regime. We also have a PCII, Protected Critical Infrastructure Information, where companies that voluntarily provide us with vulnerability information, we are prohibited from giving it to regulators. So we have in place that--and again, as Dr. Schneck said, our stakeholders are very comfortable with these things coexisting today. Mr. Ratcliffe. Okay. Thank you. I do want to follow up on the, you know, a point that Dr. Schneck made about the law enforcement components, and something that you said earlier, a term that you used a number of times, Under Secretary, and that is that part of the goal here of this reorganization or realignment is to make NPPD an operational component. But I think that most people would agree that NPPD has some operational aspects, but when most people--I think when most people think of the term ``operational component'' they think of Secret Service or Customs and Border Protection. So I guess I want to get you on the record to say, what do you mean when you use the term ``operational''? Ms. Spaulding. So, you know, I would ask people to think more like FEMA, which is an operational component. What I mean by that is making a difference on the ground, that we are about being out there and executing this mission directly with our stakeholders, so sitting down with them to do these assessments, to offer this technical assistance and training, whether it is active-shooter training or it is table-top exercises for responding to combine physical and cyber consequences and incidents, that our PSAs, our chemicals inspectors are out there every day. What I want to do is to make sure that both within my organization, within the Department, and within our stakeholder community, everyone understands that is what we are about. We are about that activity on the ground, making a difference in security and resilience of our Nation's critical infrastructure. Mr. Ratcliffe. Terrific. My time is expired. Recognize the gentleman from Louisiana, Mr. Richmond. Mr. Richmond. Thank you. Let me go back to the back-and-forth that you had with the Chairman about your need to have Congressional approval. I guess as I see it, as you are doing your reorganization and you see things that you all need to do and you start to implement it, you don't believe that you have to get Congressional approval for every step of your reorganization, do you? Ms. Spaulding. There is a Congressional prohibition on significant reorganizations without Congressional approval, and so I am consulting all the time to make sure that we are not doing anything that would, you know, run afoul of that obligation. Mr. Richmond. But the things you can do that you think bring in efficiencies, make us more secure, and are going towards the Unity of Effort you all are moving forward with? Ms. Spaulding. Have been. So developing a strategic plan that is much more integrated across all of our organization, setting up, you know, a function to provide a better-integrated briefing to me every day, you know, a set of folks who ping all of the components and find out what they are doing. I want to take that to the next step, where they are actually providing an integrated versus just compiled, but we need to beef up that function. But absolutely. You know, we moved our National Infrastructure Coordinating Center into the same building as our National Cybersecurity Integration Center to bring the physical--people watching the physical world closer together with the people watching our networks, right, our cyber space. I want to get them in the same room, for example. Mr. Richmond. Okay. I guess you also have a pilot in Atlanta, where you are now--your consolidation project. Do you plan any more of those? Ms. Spaulding. So, given the terrific results of that pilot project to date, I think it is very likely that we will be coming down to talk with you about our plans to extend that across the country to have this regional integration in the field--not just at headquarters, but really where it matters, which is out in the field. I would encourage Members of this committee and--but, you know, to get down to Atlanta and visit with those folks if you find yourself in the area, because it is very inspiring and very exciting. Just putting these various field forces together in the same office to sit around the table every day, the light bulbs have been going off every single day about the ways in which they can all do their mission and we can do our mission better by working more closely together. Mr. Richmond. Well, and I will actually make that commitment and take you up on that offer to---- Ms. Spaulding. Excellent. Mr. Richmond [continuing]. Go visit. The other thing I would just say is as concerned as I am about, you know, anyone keeping to themselves about reorganization and where we think we should go, I guess I am just as concerned that--it is my understanding that the Majority side is working on a reorganization also, and I would just hope that we don't get into, you know, a power contest about who does what and when and we just actually sit down and get together and figure out how we continue to make--and protect our cybersecurity networks and keep our citizens safe. I will say again, my philosophy in life, and I think that Congress would be better off if everybody understood and know what they know, and know what they don't know. The fact that there are experts that wake up every day trying to keep us safe and protect the internet, I think we have a role to play in oversight; I think we have a role to play in planning the mission; but I think that there are other people who actually go out and run the plays after we meet in the huddle and we call the play. So I just want to make sure that as we are in the huddle that everybody is talking. I guess that is for the Majority side, that is for you all, and that is for us, that we are not working in seclusion when I think that if we work together we can get to where we want to be faster because you said it-- these things change every day, every night, and we have to be perfect 100 percent of the time and the hackers have to get lucky once. When they get lucky we all pay for it. So I just think that this is one of those areas, and I do commend the Chairman because we have worked in a bipartisan manner, for the most part, because it is so important. I would just encourage you to continue to do that because the mission is so great and the consequences are even greater. With that, I yield back. Mr. Ratcliffe. Thank the gentleman. I thank the gentleman-- appreciate the spirit of the Ranking Member's comments and certainly associate myself with his comments that, you know cybersecurity should not be a partisan issue. With that, I recognize the gentleman from Rhode Island again, Mr. Langevin. Mr. Langevin. Thank you, Mr. Chairman. I completely agree, and I want to thank you, Mr. Chairman, and the Ranking Member, for the time and attention you are placing on this issue on cyber and on the reorganization. To our panel, thank you again for your testimony. Sticking with Federal network security, one of my chief concerns is that because agencies are primarily responsible for their own InfoSec, DHS inherently has a more reactive posture. It is basically limited in the protective measures that it can take by the action or inaction of the agencies that it is helping to protect. So do you believe that a reorganization will--or, for that matter, even can--help DHS be more proactive, given that the primary responsibility still lies elsewhere? Do you believe that agencies should, in fact, have primary responsibility for their own InfoSec? Ms. Spaulding. Congressman, we are obviously not waiting for reorg to step up our efforts in the dot-gov arena, and we have been greatly aided in that by the work of this committee and of the Congress, including the authority that the Secretary was given in legislation that you enacted last year to issue binding operational directives. So we do not feel in any way that we are limited to being reactive when incidents happen. Our folks are out there every day working with departments and agencies to make sure they are aware of the requirements of FISMA and broader best practices and standards. Using the Secretary's authority, he issued his first binding operational directive related to patching critical identified vulnerabilities, and it has made a significant difference. So I do think that this reorganization will help us to strengthen that, but I--but we are moving out on that right now. Deputy Under Secretary, I don't know if you want to add---- Ms. Schneck. I would only say on the proactivity front I think the merging of expertise more expeditiously across the different sectors will help us greatly as we build out on our vision. Einstein is a tool in the box. It is a platform. It provides us data and the ability to see and stop some things. But moving out on top of that, we have the opportunity to leverage innovation across the private sector. That goes to, as we open our Silicon Valley office and get more and more exposure to the latest and greatest technologies, not only how to protect them but to use them and to bring them back into Federal civilian government and all of our customers. As we look at all across the sectors, it is going to allow the cyber folks to work faster to understand what part of what place needs to be protected better, how to leverage data analytics, and how to move with the agility that before this only our adversary has enjoyed. Mr. Langevin. Thank you. I hope this will help us to be more proactive. I just would point out once again, Under Secretary, that, you know, the term ``binding operational directive'' sounds very authoritative, but it still has no teeth. There are no consequences. So if agencies aren't really compelled, they are not held accountable, then you--we are still back at Square 1. So I will be anxious to see the actual--how we quantify action on these binding operational directives, and that it is not just a fancy term with no teeth. So with that, I just want to also turn back to the issue of regional coordination. New Jersey recently stood up the New Jersey Cybersecurity and Communications Integration Cell, and other States have begun similar efforts to coordinate critical infrastructure protection, particularly with respect to cybersecurity. Again, can you expand upon this a little more--how will regional integration take advantage of and avoid conflicting with existing State efforts? Ms. Spaulding. We work very closely with State homeland security advisors and emergency response and public safety, but various parts of our organization work with various parts of that--those State, local, territorial, and Tribal governments, and that is part of what we are trying to do with this reorganization is to make sure that we are doing that--that those engagements are coordinated; that they are integrated where it is appropriate, where they are operating in a collaborative way. Where relationships that a protective security advisor may have by virtue of having been there in the wake of a storm-- Super Storm Sandy--to help identify critical infrastructure and prioritize the allocation of resources, that those relationships can be brought to bear when our cybersecurity advisor has information to impart or wants to talk about how the emergency communications need to be strengthened against cyber--potential cybersecurity vulnerabilities, for example. So I do think this will strengthen, as opposed to conflict with, those very important relationships and the kind of integration that is happening in our States. It will happen at the field. In addition to the work we will do at headquarters, the key really is going to be making sure that we have our field forces talking to each other, and that is what this regionalization is really all about. Mr. Langevin. Do you envision that these regional integration, say, centers, are they going to be co-located or actually happen at the FEMA Region One--at the FEMA regional headquarters? Ms. Spaulding. They will align with FEMA regions, and certainly in Region Four the goal is to share a building, I think, with FEMA. FEMA is moving right now. But that won't necessarily be the model for every region across the country. But certainly that relationship is absolutely critical. We support FEMA in very important ways. The team down there is supporting the response to the flooding in South Carolina, for example, and across the Southeast. So those relationships are important, and where co- location makes sense we will do that. Mr. Langevin. Very good. Thank you all. Thank you, Mr. Chairman. I yield back. Mr. Ratcliffe. Gentleman yields back. Thank all the witnesses for being here today. I thank you for your testimony, for its content, for the spirit of your testimony, and for the candor of your responses to the questions. I thank the--all the Members for their presence and for their thoughtful questions to the panel. Members of the committee may have some additional questions for the witnesses, and I think that has been indicated, and we will ask you to respond to those in writing. Pursuant to committee rule 7(e), the hearing record will be held open for a period of 10 days. Without objection, the subcommittee stands adjourned. [Whereupon, at 11:40 a.m., the subcommittee was adjourned.] A P P E N D I X ---------- Questions From Chairman John Ratcliffe for Suzanne E. Spaulding Question 1. What problem are you trying to solve with this reorganization? Why move forward on a reorganization, now, towards the end of an administration? Question 2. What is the mission of NPPD? What mission will this reorganization create? Answer. The mission of NPPD is to lead the National effort to secure and enhance the resilience of the Nation's infrastructure in the face of cyber and physical risks. As discussed in the Transition Plan, NPPD underwent a review of its mission and core functions that has informed the proposed transformation. NPPD is not proposing a new mission. The new structure proposed by NPPD will allow the organization to carry out and deliver the current mission in a more integrated and effective manner. NPPD is undertaking this transformation to strengthen operations, enhance unity across the organization to address both cyber and physical risks to infrastructure, create greater efficiency, and improve services provided to stakeholders. NPPD's legacy structure, particularly the programmatic divide between physical and cybersecurity and resilience efforts, limits the effectiveness of operations, creates silos between programs, is less efficient because there are multiple layers of business support functions, and does not provide service to our stakeholders at a level reflective of NPPD's capability. The need for these changes has been steadily growing as the Nation faces an evolving threat environment, especially within the cyber mission. These threats facing businesses and governments at every level are not receding; our adversaries are not pausing. We cannot wait to optimize our capability to meet this challenge. Moreover, since the concepts and plans for these changes were developed by the NPPD workforce made up of career civil servants, we expect the transformation to be enduring across administrations. Question 3. This is the second major reorganization within NPPD in 3 years (CS&C and OCIA were recently reorganized as well as the movement of offices like OBIM and FPS into NPPD). NPPD was itself created less than a decade ago. What specific metrics do you have that support the argument that this reorganization is best for DHS in the long term, is manageable in the long term, and is the best use of employee time and taxpayer dollars? Answer. The proposed restructuring is focused on the component's full mission space to respond to evolving threats. Subcomponents within NPPD have undergone organizational change but there has never been a component-wide restructuring that addressed the component's full mission space and evolving threat requirements. NPPD was created on March 31, 2007, pursuant to DHS's authority under Section 872 of the Homeland Security Act of 2002 (Pub. L. 107-296). Upon its creation, NPPD was comprised of the Office of Cybersecurity and Telecommunications (CS&T), the Office of Infrastructure Protection (IP), the Office of Risk Management and Analysis (RMA), the Office of Intergovernmental Programs (IGP), and United States Visitor and Immigrant Status Indicator Technology (US-VISIT). Over the years, various pieces of the organization have been transitioned out of the organization (RMA and IGP) or have been altered (US-VISIT became Office of Biometric and Identity Management (OBIM) at the direction of Congress). NPPD also assumed responsibility for the Federal Protective Service (FPS) in 2009 and established the Office of Cyber and Infrastructure Analysis (OCIA) in 2014. Most significantly, NPPD has grown from a headquarters component of a few hundred to an operational entity with a workforce of more than 3,000 Federal employees and approximately 15,000 contractors located throughout the country. Guidance on enhancing the security and resilience of critical infrastructure, including the 2014 Quadrennial Homeland Security Review and the 2013 National Infrastructure Protection Plan, has increasingly recognized that entities must use a holistic risk management framework that considers both cyber and physical risks. Over the past few years, NPPD has conducted a thorough review of current functions in order to align the structure of its programs to known industry best practices as well as understand how NPPD can operate more efficiently. This has included working with the Department to identify functions that may be better located in other parts of the organization and engaging the NPPD workforce to determine how NPPD should best carry out its mission. While organizational change can be challenging, when carried out following best practices, such as those identified by the Government Accountability Office, the change will ultimately benefit the mission. Question 4. You have said that one of the reasons for this reorganization is to adapt to an evolving threat. Is it the correct answer to reorganize every time the Nation faces a new threat? Does reorganization not distract from the addressing the threat? Answer. Our adversaries are agile and adaptive; we must be also. Since NPPD was created in 2007, the evolving cyber threat has resulted in clarified operational authorities, including significant legislation initiated by this committee. The organization has grown in complexity, and the convergence of risks facing infrastructure require that NPPD better integrate its efforts across the organization to more effectively and efficiently carry out its mission. In a time of growing mission demands and continued resource constraints, greater efficiencies are imperative. NPPD is balancing current operations by following U.S Government Accountability Office (GAO) best practices for reorganization to ensure the mission does not suffer. Question 5. In late September, it was reported that the Department of Homeland Security was rated last in the 2015 Federal Employee Viewpoint Survey. How will this reorganization impact this finding? Will a major reorganization or realignment not increase the turmoil? Answer. The transformation is designed to provide greater clarity of mission, a stronger sense of identity, and structures and capabilities that make it easier for the workforce to effectively accomplish mission requirements. The NPPD workforce carries out the incredibly difficult and demanding mission of protecting our Nation's infrastructure and their hard work forms the backbone of our operations as we strive to meet evolving mission needs. Having structures in place that facilitate the operational focus and holistic approach that the mission requires, as well as a name that clearly conveys that mission, should help improve morale. Although NPPD still needs to make significant progress in improving morale, Federal Employee Viewpoint Survey scores have been rising. Moreover, NPPD is following best practices in change management, particularly those recommended by GAO, to involve employees, build trust, and gain ownership for the transformation. More than 100 employees participated in working groups that took place from July-August 2015, and many more have become involved as the planning efforts continue. Many of the ideas we proposed in the Transition Plan came directly from our workforce, and our employees have served a critical role in this process by developing recommendations, the Transition Plan, and follow-on action plans. Question 6. GAO recommends obtaining consensus with stakeholders on identified problems and needs as well as solutions when considering reorganization. Do you have a record of input provided by your employees? If so, please share that information. If not, why not? If not, how was input formally tracked and integrated? Was any feedback provided in response to specific employee comments? Morale at NPPD is and has been dismal. (Among the lowest at DHS and the Federal Government). How confident are you that this proposal will improve morale? How can you know when the plan has been recently completed? How can you ensure any reorganization will not affect morale in a negative way? Have you surveyed your workforce? If this negatively impacts morale, who should we hold accountable? Answer. As noted above, GAO best practices on transition recommends obtaining consensus with stakeholders on identified problems and needs as well as solutions when considering reorganization. This transformation and the ideas proposed in the Transition Plan have been driven by NPPD employees. Feedback was first collected through the working groups of the Mission Integration Cell in the form of recommendations on how to better integrate programs (attached as requested).* The Mission Integration Cell recommendations were used to develop the framework for the proposed organization. Employees were then asked to participate in working groups to develop the Transition Plan. The Transition Plan, which was previously provided to the committee, but is also attached,* includes input provided by employees. Feedback was provided to all specific comments received. In addition, NPPD has established an email account for employees to submit questions and receive answers regarding the transformation. These questions are tracked and cleared of personally identifiable information, then posted to the internal NPPD Transformation site. --------------------------------------------------------------------------- * [The information was not received at the time of publication.] --------------------------------------------------------------------------- Cultural change is often more difficult than structural change, but when accomplished, it can generate dramatic, positive results for the workforce. NPPD's Federal Employee Viewpoint Survey results have risen slightly over the last few years. While we still have a long way to go, making cultural changes as discussed in the Transition Plan will further support improving morale. Critical to this success is ensuring that changes to structure, process, vision, human capital and knowledge management systems, and governance are designed to reinforce the new culture of the organization. We are cognizant of the impact to the workforce. However, an organizational structure that is agile and allows flexibility to respond to the evolving mission provides stability to the workforce as well as clarity of focus for the organization going forward. NPPD has taken steps to ensure there is appropriate change management support throughout the transition. Question 7. Part of your plan includes regional integration, but the regional pilot that has not yet concluded, nor has it formally reported its findings. What is the purpose of this pilot, if not to gather data for the proposal? How much has this pilot cost, and how much will it cost, including office costs, equipment, travel, per diem, overtime, and man-hours? Answer. In July 2015, NPPD established a 6-month Regional Integration Pilot to assess the benefits of integrated field forces and to provide recommendations for aligning NPPD's field forces into a more cohesive organization. To achieve the priorities of both enhancing operations and achieving a Unity of Effort across programs, NPPD will evaluate the on-going results of the pilot project to inform any plan to shift resources and personnel from the National Capital Region (NCR) and establish regional headquarters in the 10 Federal regions. Initial findings have indicated the need for additional staff to be located in the field, but specifics on which positions will wait until the After-Action Report is completed. In addition, NPPD will need to work closely with the Department's Management Directorate for space and resource allocations as consideration is made for regional integration. Costs for the first quarter of the pilot are included below. This does not include salaries and benefits since those are not new costs and would be incurred whether the position was stationed in the field or headquarters. PILOT COSTS FOR QUARTER 4 FISCAL YEAR 2015 (JULY-SEPTEMBER) ------------------------------------------------------------------------ Expense Amount ------------------------------------------------------------------------ Rent.................................................... $82,127.22 Security................................................ 9,331.86 Information Technology (IT)............................. 14,463.75 Supplies................................................ 26,380.00 Travel (includes Per Diem).............................. 199,170.61 --------------- Total............................................. 335,676.52 ------------------------------------------------------------------------ Question 8. How will the proposed reorganization affect CS&C and IP partners? Are there any metrics to indicate their preferences? Has formal feedback on the plan been requested through the Sector-Specific Agencies? Answer. The key changes for the Office of Cybersecurity and Communications (CS&C) and the Office of Infrastructure Protection (IP) are the elevation of the National Cybersecurity and Communications Integration Center (NCCIC) to the Assistant Secretary level and the enlistment of IP's expertise and relationships fully into the cyber mission. Through the organizational changes outlined in the Transition Plan, NPPD will be able to more effectively and efficiently support our partners in the private sector, across the interagency, and in State, local, territorial, and Tribal governments. It will elevate and focus cyber mitigation and response operations, facilitate a holistic approach to NPPD's risk management support, and allow the entire organization to better leverage stakeholder relationships to support operational activity countering physical and cyber risks. NPPD is also committed to improving service delivery to customers by enhancing the presence of NPPD staff in the field and better integrating field service activities. A robust field force will directly engage with stakeholders located throughout the country and carry out NPPD operations at a local level. NPPD has been engaging stakeholder groups, including partners through the sectors, to inform them of the proposed plan and receive their feedback. This includes briefings to the Cross-Sector Council (Federal Senior Leadership Council; Critical Infrastructure-Cross Sector Council; Regional Consortium Coordinating Council Chair and Vice Chair; State, Local, Tribal, and Territorial Government Coordinating Council Chair and Vice Chair; and the National Council of ISACs Chair and Vice Chair); the Information Technology, Communications, and Energy (Electricity Subsector) Sectors; the SAFECOM Executive Committee and Emergency Response Council; the National Council of State-wide Interoperability Coordinators; the National Security Telecommunications Advisory Committee; the Homeland Security Advisory Committee; as well as other sector and stakeholder groups. Question 9. How does the proposed reorganization help build confidence in the public and private sectors that DHS is focusing on its cybersecurity mission? Answer. A key outcome of the transition to elevate the stature of the National Cybersecurity and Communications Integration Center (NCCIC) within the organization. This will enable the Department to focus on the technical cyber operations that are essential to increase the operational readiness and resilience of information technology and communications assets, systems, and networks through vulnerability mitigation, incident response, and recovery. In addition, integrating stakeholder capacity-building efforts within the new infrastructure security entity will bring coordinated mission support to public and private sectors by more effectively bringing existing relationships, critical infrastructure expertise, and relevant data to bear on the cyber mission. Finally, changing NPPD's name to Cyber and Infrastructure Protection will clarify who is responsible for this mission space. Question 10. One of the top priorities of this committee has been to ensure DHS and NPPD have a qualified cyber workforce to carry out its mission. With the proposed reorganization, Infrastructure Security would include several cybersecurity programs that would be moved out of NPPD's cyber entity, CS&C, and merged with NPPD's physical mission. It is hard enough to recruit good cybersecurity talent, how will the Department be able to recruit individuals that have expertise in the cybersecurity mission and physical mission? Answer. Hiring technical experts with the appropriate level of cyber expertise is a challenge for all of Government and will continue to be so. This committee addressed this issue with the development of legislation that passed Congress last year to enhance cyber workforce hiring efforts. However, it is important to understand that not all of these positions require technical cyber expertise. The concept is to bring physical security experts and cybersecurity experts together to achieve a holistic approach to the risk-management capacity of NPPD's stakeholders. The stakeholder engagement programs that are currently located within the Office of Cybersecurity and Communications and are proposed to move to the new Infrastructure Security would retain the staff currently running these programs. Within Infrastructure Security, these programs would align with programs currently residing within the Office of Infrastructure Protection also currently focus on stakeholder engagement; combining these efforts enhances the ability of the organization to address cyber risks. In addition, through the transformation, NPPD is planning ways to raise the baseline expertise of our current staff. For example, we have been offering cybersecurity training to Protective Security Advisors to raise their level of expertise and we plan to continue this with the entire organization, to include training provided at the National Computer Forensics Institute (NCFI). As a cybersecurity organization, the entire NPPD workforce must have a basic level knowledge of cybersecurity. One of the Transformation Plan actions is to increase training for our current staff and ensure future staff has access to the training necessary to carry out their positions. Question 11. Given that cybersecurity is an emerging National priority, why do you think it is necessary to potentially disrupt current operations and support activities? (Possibly creating risk for current operations.) Is NPPD and DHS's cybersecurity mission somehow under-performing? If so, why hasn't this been mentioned before? Answer. Our adversaries are constantly improving their capabilities. We must do the same. The increased operational responsibilities that have been assigned to NPPD over the last few years reflect a growing appreciation for the important work NPPD has been doing. NPPD's responsibilities in this mission area will continue to grow, making greater efficiency imperative. For example, the NCCIC has seen a tremendous increase in workload over the last few years. From fiscal year 2012 to fiscal year 2013, there was an increase of 35% of reported incidents. From fiscal year 2013 to fiscal year 2014, there was a 31% increase, and preliminary data suggests that from fiscal year 2014 to fiscal year 2015, there was a 40% increase in reported incidents. Overall, this is a 146% increase in reported incidents from fiscal year 2012 to fiscal year 2015. The technical operations being carried out by the NCCIC must remain the priority of NCCIC leadership, but not at the expense of capacity-building activities that are proposed to transfer to the new Infrastructure Security. The transformation will ensure the organization is best suited to address current and future challenges. Question 12. Has NPPD attempted to formally align business process across IP and CS&C? Have any joint or cross-cutting policies and procedures been created? (Please provide all of the policies, procedures, and management directives or formal management guidance focused on achieving better integration prior to this reorganization attempt--to include any finalized pilot reports). How much management oversight was dedicated to aligning these offices, short of reorganization? If these efforts failed or were insufficient, why did they fail? Has a formal Business Impact Analysis been done? When will this be completed? Answer. To create efficiencies, and ensure greater agility in mission support functions, NPPD is proposing to formally align business processes by centralizing the strategic management of many of its business support functions of existing subcomponents, while embedding business support professionals with operators. This will improve operational efficiencies by providing strategic management direction while ensuring the effective delivery of business support functions. In this model, NPPD will ensure high levels of customer service by distributing staff according to the needs of the operational or mission support element, and embedding staff to support operations directly. The intended outcome for NPPD is an effective, efficient, integrated business support structure for better coordination and better support to the mission areas. NPPD leadership has also issued management guidance in the past specific to better integrating programs to support cyber and physical risks to infrastructure. In 2011, then-Under Secretary Rand Beers established the Integrated Analysis Task Force as a pilot to assess the best approach for integrating analytic support for all of NPPD. For example, to demonstrate the value of bringing expertise from across NPPD to understand the potential physical consequences from a cyber incident, Integrated Analysis Task Force collaborated with the State of New Jersey at 4 Water and Wastewater Sector facilities to assess the facilities' systems and identify site-specific options to mitigate potential physical consequences that could stem from exploited cyber vulnerabilities within those systems. Through the fiscal year 2014 budget process, Congress formally approved the establishment of the Office of Cyber and Infrastructure Analysis to continue this work permanently. Another example of a temporary task force created by NPPD leadership to integrate programs to support cyber and physical risks to infrastructure was the Integrated Task Force, established from February 2013 to February 2014. The Integrated Task Force was established to lead the Department's implementation of Executive Order (EO) 13636 on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD)-21 on Critical Infrastructure Security and Resilience. The Integrated Task Force coordinated interagency, public- and private- sector efforts and ensured that implementation across the homeland security enterprise was effectively integrated and synchronized. Both of these efforts demonstrate the effectiveness of taking an integrated approach to NPPD's mission; however, due to limitations related to permanently establishing task forces and assigning personnel on long-term detail assignments, the model is unsustainable for long- term success. Just as the success of the Integrated Analysis Task Force led to formal integration of NPPD's analytic functions, the efforts of the Integrated Task Force have informed NPPD's proposal to formally integrate programs to address cyber and physical risks. Question 13. How will NPPD perform better separating the NCCIC from CS&C and moving other cybersecurity functions to an infrastructure security division? What assurances can you provide that capabilities will not be duplicated or re-created? Answer. Elevating the NCCIC to the Assistant Secretary level will bring focused, senior-level attention to those critical cyber operations. And bringing cyber risk management expertise together with physical risk management expertise will allow NPPD to bring a holistic approach to its capacity-building efforts with the private and public sectors. GAO has specifically called for NPPD to analyze its programs for ``fragmentation, overlap, or unnecessary duplication.'' DHS is proposing alignment of like functions--those that currently exist within the Office of Cybersecurity and Communications and the Office of Infrastructure Protection. These capacity-building operations are different than the technical operations that exist within the current NCCIC. Together, capacity building and technical operations ensure private and public-sector partners can prepare for, prevent, mitigate, and respond to cyber and physical threats to infrastructure. Through the planning process the development of clear roles and responsibilities will ensure NPPD capabilities are not duplicated. Question 14. Where will DHS's responsibilities for State and local government cybersecurity reside? Critical Infrastructure cybersecurity? Best practice development? Will the NCCIC retain or re-create any cyber outreach functions, or will it rely on the new organization? Where will operational coordination and stakeholder outreach take place? Answer. Responsibility for State and local cybersecurity, critical infrastructure cybersecurity, and best practice development will reside within the proposed Cyber and Infrastructure Protection organization. Specifically, the NCCIC will continue its work with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and will continue to conduct necessary outreach and engagement with public and private- sector stakeholders to support its technical cyber operations. Operational coordination will be a primary function of the proposed Operations Coordination and Watch Center, ensuring there are appropriate plans in place and these plans are exercised regularly. Infrastructure Security will serve as the lead for ensuring strategic engagement plans are developed in an integrated manner. These technical and strategic engagement efforts will be integrated in the new organization through the establishment of processes that will enable the new structure to engage stakeholders in a coordinated manner. This will include the use of technology such as a customer relationship management tool. It is envisioned that Infrastructure Security will be responsible for the overarching management of coordinating engagement activities to ensure appropriate technology is leveraged, processes are developed, and engagement activities meet stakeholder requirements. Question 15. Your peers in the cybersecurity community seem to be moving in a different direction: Consolidation around cyber. They are creating cyber-focused organizations, not cyber and physical hybrids. (CYBERCOM, FBI Cyber Division, etc.) Why are you moving to diffuse cybersecurity functions and missions rather than consolidating? Answer. DHS has consolidated cyber mitigation and response operations in the NCCIC, and the Transition Plan strengthens that consolidation by bringing into the NCCIC key cyber operational capabilities like EINSTEIN and Continuous Diagnostics and Mitigation. Effectively meeting the challenge to critical infrastructure posed by cyber threats, however, also requires a risk management approach that reflects the increasing convergence of cyber and physical. We see this convergence in the Internet of Things, in the potential for cyber attacks to produce physical consequences, in attacks that combine disruption of information and communication technology and physical destruction, and in the cyber dependence of networked security systems like closed circuit security cameras and electronic access controls. It is essential to avoid cyber and physical stovepipes when assessing critical infrastructure threats, vulnerabilities, consequences, and mitigation measures. The first indication of a major cyber attack may come from detecting its manifestation in the physical world. And the most cost-effective measure to address a cyber threat may be to mitigate potential physical consequences or to create redundancies that are not cyber dependent. By aligning voluntary partnership and communications programs to Infrastructure Security, NPPD's cyber and physical security capacity-building programs will be better positioned to support public and private-sector stakeholders in the development of risk management assessments and investments across physical and cyber. In addition, by leveraging the entirety of the organization to address its cybersecurity responsibilities, NPPD will enhance its effectiveness to achieve the cyber mission. Question 16. How many CIKR, State, and local and other partners combine their physical security organizations and cybersecurity organizations? Is this kind of re-organization a best practice somewhere, or do other organizations use processes to bridge gaps between cybersecurity and physical security? If DHS is leading the way, do you have any evidence that anyone else is following? Answer. Physical and cybersecurity requirements for critical infrastructure owners and operators are inextricably linked. An attack on an IT-based system may have impacts on physical security and vice versa, which is why NPPD has been focused on integrating its programs related to cyber and physical risks to infrastructure and better understanding the link between physical and cybersecurity. For example, in 2014 GAO released a report on Federal facility cybersecurity and recommended that NPPD develop and implement a strategy to address cyber risk to building and access control systems. In addition, GAO recommended that NPPD, through the Interagency Security Committee, revise its Design-Basis Threat report to include cyber threats to building and access control systems (Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems; GAO-15-6). The proposed transformation is designed to enable the services NPPD provides for comprehensive security of infrastructure. Adopting holistic enterprise risk management frameworks has been a growing best practice in the private sector and is now being identified as an approach Federal agencies need to take by the Office of Management and Budget through Circular A-11. As described in a 2013 National Security Telecommunications Advisory Committee (NSTAC) Report to the President on Secure Government Communications,\1\ industry has realized many advantages to creating a centralized risk management governance model. The report notes that ``Instituting this centralized risk management governance framework requires defining and prioritizing the functions and capabilities relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. Industry representatives briefing the NSTAC held that centralizing risk governance allows an organization to more effectively manage all risks to the business/mission (including but not limited to IT risks) and create a strategy for managing consequences of intrusions. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.''\2\ The report goes on to describe how industry has implemented this new approach. ``Industry leaders and some Government leaders have shifted their organizational responsibilities and made qualitative changes to how they manage enterprise risks. (Emphasis added.) The new paradigm covers all lines of business, creating a shift in strategic emphasis from compliance to improving how security risks are managed. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes, and disasters, as well as deliberate attacks by an adversary. Once organizations expand the alignment of current threats solely from IT to all mission functions, a holistic view of the risks can be addressed.''\3\ --------------------------------------------------------------------------- \1\ NSTAC Report to the President on Secure Government Communications, http://www.dhs.gov/sites/default/files/publications/ NSTAC%20Report%20to%20the%20President%20- on%20Secure%20Government%20Communications%20%20Fina%20%20%20_1.pdf. \2\ Id. at page 36. \3\ Id. at page 36. --------------------------------------------------------------------------- Question 17. How many man-hours have been committed to this reorganization effort and how many man-hours will be required to carry it to its conclusion? What is the time frame for finalizing the reorganization, and are you committed to seeing it through personally? Answer. While initial efforts for enhanced integration were started in June 2014, NPPD assigned a team of 7 employees in July 2015 to serve full-time on the implementation planning team. In accordance with GAO best practices, NPPD has involved employees in the development of the Transition Plan, with more than 100 employees participating in the development of the Transition Plan between July and August; although the numbers of hours committed from each employee were different. NPPD has completed an initial phase of planning and will continue planning efforts in the new calendar year. This will include the development of processes and other activities that will position the organization to implement the Transition Plan following Congressional action. The time frame for final completion will be dependent on Congressional action as indicated in the Transition Plan. NPPD is committed to seeing the plan implemented. Question 18. The argument is that in order to achieve greater Unity of Effort, enhanced operational activities, and excellence in acquisition program management a reorganization or transformation is required. Why can't these goals be accomplished working within NPPD's current structure? Answer. NPPD's workforce endeavors every day to work more collaboratively and efficiently across the organization. However, the current organizational structure makes it harder to achieve Unity of Effort by promoting stovepipes and layers. The Transition Plan is designed instead to facilitate the kind of integration we seek, rather than asking employees to overcome structural impediments. Question 19. Congress recently passed a law designating the NCCIC as the Federal civilian interface for sharing information concerning cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including owners and operators of critical infrastructure information systems. Yet, you propose to create a new organization outside of the NCCIC that would be the primary mechanism for communicating about cybersecurity risk to a large segment of your customers. Why re-create a new organization to conduct these activities outside of the NCCIC? Answer. Congress's designation of the NCCIC as a Federal civilian interface for sharing information concerning cybersecurity risks, incidents, analysis, and warnings for Federal and non-Federal entities, including owners and operators of critical infrastructure information systems, was a significant step and will remain as envisioned by this committee. Within the NPPD structure, there are other entities responsible for communicating about risks to critical infrastructure-- the Office of Infrastructure Protection is responsible for engaging public and private-sector partners on risks to infrastructure, including cyber infrastructure, and within the Office of Cybersecurity and Communications, the Stakeholder Engagement and Critical Infrastructure Resilience division is also responsible for engaging public and private-sector partners on cyber risks to infrastructure, including communications infrastructure. NPPD is proposing to align these like activities in order to ensure a more integrated approach for managing risk to infrastructure. These activities would be informed by and directly complement the operational work of the NCCIC. Question 20. GAO has DHS cybersecurity operations on its high-risk list. How will this help directly address their concerns? Answer. The proposed transformation will directly address the GAO High-Risk list related to cybersecurity by enhancing NPPD's ability to carry out its mission. NPPD is undertaking this transformation to strengthen operations, enhance unity across the organization to address both cyber and physical risks to infrastructure, create greater efficiency, and improve services provided to stakeholders. Elevating the NCCIC within the organization will enable the Department to focus on the technical cyber operations that are essential to increase the operational readiness and resilience of information technology and communications assets, systems, and networks through vulnerability mitigation, incident response, and recovery. In addition, integrating stakeholder capacity-building efforts within a new infrastructure security entity will bring coordinated mission support to public and private sectors by more effectively bring existing relationships, critical infrastructure expertise, and relevant data to bear on the cyber mission. Question 21. How will focusing on a reorganization and having employees adapt to new supervisors and chains of command distract the workforce from a real-time, 24/7 operational mission? Answer. There will inevitably be some period of adjustment, but there will not be significant disruption to the operational mission. Our workforce has been a priority as we have developed this plan, and will continue to be in the future. The primary way we have ensured preparation for the challenges related to the workforce is by directly involving our employees in the development of the plan and keeping them informed throughout the process. We have brought in change management support to help us ensure that as we move forward in this process; and we are appropriately communicating and engaging with our employees. All of these actions are best practices as defined by GAO in their report ``Implementation Steps to Assist Mergers and Organizational Transformations.'' Making these changes will offer our employees new opportunities and demonstrate the importance of their work. It is recognized that we must be diligent in our commitment to addressing challenges as we continue forward in this process. Question 22. The testimony you provided noted that you were looking to develop career path options for regional and headquarters-based employees. What are the current options? Why is reorganization necessary to offer these options? Answer. There is not currently a well-defined career path for NPPD employees, especially in the field where there are limited positions. Placing more positions at different grade levels in the field would allow for career path options, which would aid in employee retention and job satisfaction. In addition, the centralization of business support functions, specifically human resources, will allow for the development of cross-component strategies for career paths and development opportunities for employees. Placing more positions in the field at various grade levels and centralizing business support functions are key aspects of the overall Transition Plan. Question 23. In your testimony you noted, ``Infrastructure Security, will focus on activities to protect the Nation's infrastructure from cyber and physical risks.'' If one of the goals of Infrastructure Security is to look at the cyber and physical risk to critical infrastructure, why has the Office of Cybersecurity and Infrastructure Analysis or OCIA not moved into Infrastructure Security? Isn't that the mission of OCIA? Answer. The Office of Cyber and Infrastructure Analysis (OCIA) provides mission support across NPPD, informing decision makers on potential impacts to critical infrastructure from all-hazards through comprehensive consequence analysis during both steady-state and crisis action. The establishment of OCIA was the first step in formally integrating NPPD's programs and OCIA now serves as an integrated analysis function for the organization. OCIA will continue in the new structure to provide infrastructure consequence analysis, decision support, and modeling capabilities in support of the NCCIC, Infrastructure Security, and the Federal Protective Service. Question 24. When the proposed reorganization first came to light, the general thought was that NPPD was seeking its own Acquisition authority to build on its work through Network Security Deployment of programs like EINSTEIN and Continuous Diagnostics and Mitigation. However, from the briefing you provided recently this goal is not as clear. What is your goal or plan for acquisitions within NPPD? What is the new proposed function, Acquisition Program Management? What does it mean for the directorate? Why move functions like life-cycle logistics and the role of contracting office representative away from the organizations and programs that utilize the programs and tools that result from acquisition programs? Answer. NPPD is not seeking Head of Contracting Activity (HCA) Authority, which currently resides within the DHS Management Directorate. The Transition Plan envisions the creation of an Acquisition Program Management function to oversee the planning, implementation, and management of NPPD acquisition programs. Similar to other DHS components, the Acquisition Program Management function will be led by an acquisition executive with the knowledge and experience to oversee such programs. The Director of Acquisition Program Management will be supported by a cadre of acquisition professionals (i.e., systems engineers, cost estimators, life-cycle logisticians, and other subject- matter experts) to help support and oversee acquisition programs. Acquisition Programs will be established and staffed within the particular function that is being supported by the acquisition program. For example, the National Cybersecurity Protection System (NCPS), more commonly known as EINSTEIN, would have dedicated staff within the NCCIC and be supported by the Acquisition Program Management function to ensure the acquisition is properly managed. Acquisition Programs (depending on their level/dollar value and complexity) will fall under the purview of a Portfolio Manager who reports to the operational entity, and is staffed by one or more program managers and supporting staff including Contracting Officer's Representatives and other subject-matter experts needed to adequately staff the program. The Director of Acquisition Program Management will provide input into the performance evaluation of the Portfolio Manager. This proposed structure is based on best practices currently in use for large-scale acquisitions and is consistent with structure(s) recommended by the Management Directorate. Question 25. The Office of Emergency Communications (OEC) has extensive experience working with State and local first responders to enhance communications interoperability. What outreach have you done with State and local stakeholders on the NPPD reorganization proposal and what it specifically means for OEC? Answer. NPPD has briefed stakeholders of the Office of Emergency Communications (OEC) on the transition plan, including members of the SAFECOM Executive Committee and Emergency Response Council and the National Council of State-wide Interoperability Coordinators. Question 26. How will the movement of OEC into an Infrastructure Security division enhance its operations or at least continue its level of engagement with State and local first responders? Answer. OEC carries out a critical part of NPPD's mission by advancing interoperable and National security/emergency preparedness communications by building the capacity of first responders through training, technical assistance, and development of governance structures across the country. Placing OEC within an organization that is focused on these types of capacity-building operations will enable OEC to continue the excellent work it does every day as well as expand its reach to new stakeholders through Infrastructure Security's sector relationships, such as the Emergency Services Sector, and the integrated field forces that will promote the wide range of NPPD programs and services. Question 27. As DHS and GSA looks to implement Phase 2 and Phase 3 of the Continuous Diagnostic & Mitigation (CDM) program, is secure content management or data encryption at the document level an area of focus? What is CDM's time line for implementing these types of secure content management solutions for Federal agencies as a part of CDM? Answer. Yes. Secure content management and data encryption are associated with the CDM Phase 3 capability. Under the Boundary Protection technical requirements currently in draft, secure content management is addressed by in-coming inspection of web, email, and other traffic. Data protection is being addressed through Digital Rights Management Capabilities. The CDM program is a dynamic approach to fortifying the cybersecurity of Government networks and systems. CDM provides Federal departments and agencies with capabilities and tools that identify cybersecurity risks on an on-going basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. Task order planning to provide the Phase 3 capabilities is underway. We are on schedule to release the draft technical requirements to the Continuous Monitoring as a Service (CMaaS) Blanket Purchase Agreement holders in the second quarter of fiscal year 2016. That will be followed by additional technical requirements for the remainder of Phase 3 capabilities (i.e., Incident Management and Security Lifecycle Management) in the third quarter of fiscal year 2016. We expect solicitations to be released by fiscal year 2017. We will continue to update the committee as appropriate. Questions From Honorable Scott Perry for Suzanne E. Spaulding Question 1. The testimony you provided noted that the proposed reorganization will increase FPS's focus on protecting cybersecurity aspects of Federal facilities in coordination with the NCCIC. Is anything like this happening now? How will the reorganization change current behavior? Answer. In 2013, NPPD carried out a cross-NPPD assessment of a Federal facility that examined the cybersecurity of the facility. As a result, over the last few years NPPD has directed more attention to ensuring Federal facilities are appropriately considering cyber risks. GAO released a report in December 2014 that recommended NPPD develop and implement a strategy to address cyber risk to building and access control systems. NPPD is currently finalizing that strategy. The reorganization would support this strategy by appropriately prioritizing resources to ensure the strategy is effectively implemented. Question 2. How do you view the role of the Federal Protective Service (FPS) relative to NPPD? How will this reorganization affect that organization? How will FPS be integrated into the directorate? How do you view the role of FPS in protecting physical infrastructure? How do you view FPS's role in terms of physical-cyber alignment? Answer. The Federal Protective Service (FPS) carries out NPPD's mission by managing risk and ensuring continuity for one of the most crucial elements of National critical infrastructure--the Nation's Federal facilities. A key aspect of their work is assessing the security of Federal facilities and recommending mitigation measures to the Facility Security Committees. The transformation will provide mechanisms and structure to better leverage this data, expertise, and activity across NPPD. FPS will better integrate its field operations with field forces throughout the organization to enable comprehensive security and resilience for NPPD stakeholders, as well as co-locate incident management support with NPPD Watch functions to gain efficiencies and improve situational awareness. Cybersecurity of Federal facilities will continue to expand as an area requiring attention as they adopt the use of more technology for physical security and other purposes. Through the transformation and integrated operations, FPS will have greater access to cybersecurity support to enable the protection of Federal facilities from cyber risks. Questions From Ranking Member Bennie G. Thompson for Suzanne E. Spaulding Question 1. You have said that the reorganization of NPPD is intended to result in integrated situational awareness and operational coordination. In August, I wrote to you asking to explain the limitations of the current operational structure; however, you failed to give specific examples in your response. Once again, I ask, what are the limitations of the current organizational structure that can only be addressed through reorganization? Answer. NPPD's current organizational structure evolved over several years. It consists of 5 subcomponents as well as the Office of the Under Secretary which primarily provides management services. The current organizational structure is not optimized to ensure that we are fully leveraging our resources, expertise, relationships, and data across all of NPPD. Nor does it provide the level of agility that is required to achieve our mission against rapidly evolving threats and a dynamic set of adversaries. To date, we've made some progress toward achieving this necessary integration. In 2014, NPPD established the Office of Cyber and Infrastructure Analysis to serve as an integrated analysis function for the organization. We have seen the benefit of having an integrated function and we are now seeking to formalize additional integrated functions, such as the proposed Operations Coordination and Watch function. The Operations Coordination and Watch function would pull together information received from our staff, as well as stakeholders, and ensure we develop a comprehensive picture of the state of infrastructure across all sectors. We currently develop situational awareness reports for various stakeholder groups, but because situational awareness is developed within the subcomponents, we do not always have an integrated picture of infrastructure. In addition, the Operations Coordination and Watch function will also provide essential operations coordination to ensure that the operations we carry out on an everyday basis, as well as operations during incidents, are well-coordinated and achieve mission objectives. For example, in support of the pilot taking place in Region IV, the joint operations coordination function developed a cross-NPPD hurricane response plan. The team has been able to use that plan to prepare for and respond to hurricanes, storms, and even the recent flooding in South Carolina. Without the integrated operational planning function being piloted, we would not have been as successful in carrying out our mission. Question 2. In May 2013, NPPD issued a strategic plan, which was intended to guide the directorate's activities for the next 5 years. Today, we are considering a wide-scale reorganization of the component. Before we consider this reorganization it would be good to hear a little about any past or current efforts at ``leveraging synergies''' within NPPD to get subcomponents to work ``in concert across subcomponent.'' Please share with the committee what has been done since this strategic plan and if any of the results are informing the reorganization of the component. Answer. Integrating NPPD operations and having the subcomponents work better together, has been a priority for several years and is reflected in the strategic plan. In June 2014, in an effort to identify ways to better integrate program across NPPD, the Mission Integration Cell was established. Over the next 6 months, members of the Mission Integration Cell facilitated working groups comprised of employees from across the organization to brainstorm ideas for better integrating our operations and provided recommendations to me. As a result of these recommendations, we have implemented several interim solutions and used the recommendations as the basis for the proposed transformation. For example, one of the recommendations of the working group was to establish a pilot to assess whether integrated field operations would improve our ability to carry out our mission. The pilot includes staff currently based in the region, as well as staff based in the NCR, who have been placed in the region on a temporary basis. By the end of the pilot, we hope to have a better sense of what resources are necessary in the field to ensure the services we deliver to our stakeholders (technical assistance, training, assessments, etc.) are enabling secure and resilient infrastructure. The pilot will further inform our proposal for reorganization. Question 3. There are over 3,500 employees that could potentially be impacted by a reorganization at NPPD. To what degree have you planned for the inevitable challenges, particularly personnel challenges, associated with major organizational reorganizations? Answer. Our workforce has been a priority as we have developed this plan and will continue to be in the future. We are providing regular communications along with engaging employees in the transition work groups from across a broad spectrum of the organization. This effort has been driven by employees, going back to the Mission Integration Cell working groups and the recommendations that were presented from our employees as a part of that initial effort. To develop the Transition Plan, we established 5 working groups of more than 100 staff. Their ideas shaped the proposal we are discussing today. We've also offered a forum for employees to provide feedback and ask questions, through town halls as well as emails and newsletters. In addition, we brought in change management support to help ensure that, as we move forward in this process, we are addressing the challenges associated with the transformation and appropriately communicating and engaging with our employees. All of these actions are best practices as defined by GAO in its report ``Implementation Steps to Assist Mergers and Organizational Transformations.'' We expect that the proposed transformation will offer our employees new opportunities and demonstrate the importance of their work. However, we know that we must be diligent in our commitment to addressing challenges as we continue this process. Question 4. According to your NPPD Transformation Plan, there is a regional integration pilot field office located in Atlanta, Georgia. Will you please describe the functions of this field office? How are you using the outcomes from this ``pilot'' to inform your reorganization plans? Answer. In July 2015, NPPD established a Regional Integration Pilot to assess the benefits of integrated field forces and provide recommendations for aligning NPPD's field forces into a more cohesive organization. The office includes personnel who were already assigned to Atlanta as well as staff who normally carry out similar job duties based in the National Capital Region (NCR). NPPD is also testing a few new positions to see if those positions are useful to integrated field operations. Together, these professionals are carrying out the various programs and services that NPPD currently provides. To achieve the priorities of both enhancing operations and achieving a Unity of Effort across programs, NPPD will evaluate the results of the pilot project to inform any plan to shift resources and personnel from the NCR and establish regional headquarters in the 10 Federal regions. The results of the pilot will assist NPPD in developing a regionally-focused organizational framework. This will enable NPPD to tailor the delivery of programs that reflect regional needs and evolve as the capabilities of each region to mature and expand. This framework will better position NPPD to integrate programs at headquarters and in the field and move towards a unified, field- based service delivery model; integrate current field forces and field business support operations; expand capabilities of regional assets in order to provide enhanced and regionally relevant support to regional and local stakeholders; and develop career path options for regional and headquarter-based employees. Question 5. Under Secretary Spaulding, as you know, OEC is the home of SAFECOM and performs important outreach to first-responder organizations. As the NPPD reorganization proposal was developed, how do you engage with first responder groups? Answer. NPPD has briefed stakeholders of the Office of Emergency Communications (OEC) on the Transition Plan, including members of the SAFECOM Executive Committee and Emergency Response Council and the National Council of State-wide Interoperability Coordinators. As we move forward with planning efforts, feedback from these stakeholders will be critical to the continued success of OEC and NPPD as whole. Question 6. Under Secretary Spaulding, historically, Members of this committee have raised concerns that the Office of Emergency Communications was overshadowed by the cybersecurity mission at CS&C. How will moving OEC and NPPD's other emergency communications activities to Infrastructure Protection address the concerns this committee has raised in the past, and result in improved emphasis on developing robust National emergency communications capabilities? Answer. NPPD leadership appreciates the committee's concerns about the future of OEC and has taken this feedback into account as we have developed the Transition Plan. OEC carries out a critical part of NPPD's mission in advancing interoperable and National security/ emergency preparedness communications, building the capacity of first responders through training/technical assistance, and development of governance structures across the Nation. Integrating OEC with the Infrastructure Security organization that is focused on these types of capacity-building operations will enable OEC to more readily collaborate with colleagues and expand its reach to new stakeholders through Infrastructure Security's sector relationships, such as the Emergency Services Sector, and the integrated field forces who will promote the wide range of NPPD programs and services. Questions From Chairman John Ratcliffe for Phyllis A. Schneck Question 1. According to the proposed new organization chart the NCCIC, FNR, and NSD activities of CS&C would be separated out and the Office of Emergency Communications and stakeholder engagement would be moved into the new infrastructure security division. There is concern that this separates and potentially limits the directorate's current cybersecurity roles and missions. There is also concern that this will change the way the overarching cybersecurity strategy and policy decisions are made within NPPD and DHS. In order to accomplish the Department's cybersecurity mission, and strategy (especially as required in the bill passed by the House on October 6) there needs to be a central function that is constantly addressing needs and evolving strategy and policy. Where will those essential strategy, mission, and vision roles take place under the proposed structure? Answer. The proposed new structure for NPPD would include a centralized policy function to ensure that infrastructure security and resilience strategies, plans, and policies are integrated across NPPD's entire mission space. This centralized function will be a critical link between policymaking and operations, and the working group is currently developing an implementation plan for these functions that ensures essential connectivity with the operational entities. A reorganized NPPD will ensure policy development is more connected to NPPD leadership priorities and more coordinated across the organization, which will benefit stakeholders with whom we engage on policy matters. The new structure will aim to consolidate and potentially elevate policy functions, align and coordinate activity across all NPPD components, and maintain links between policy development and operational activity. Question 2. Currently, CS&C is responsible for the Office of Emergency Communications, the NCCIC, Stakeholder Engagement and Cyber Infrastructure Resilience, Federal Network Resilience and Network Security Deployment. A number of these offices and related roles and responsibilities would be moved in the proposed reorganization. The proposal seems to focus NPPD's cybersecurity work more fully on the cybersecurity of our Nation's critical infrastructure. However, based on the comprehensive nature of CS&C, is this new direction limiting to CS&C's work with public sector and the cybersecurity mission more broadly? Answer. No. The Transition Plan further consolidates the public- sector cyber operational activity in an elevated NCCIC, which will strengthen the cyber mission overall and particularly with regard to .gov. It will provide continued, and where appropriate, enhanced engagement with public-sector stakeholders, especially in addressing cyber risks. This includes work with State and local partners through the Multi-State Information Sharing and Analysis Center (MS-ISAC), continued engagement and capacity-building operations with State and local officials such as chief information security officers and chief information officers, as well as continued cyber resilience assessments for State and local officials. In addition, NPPD will be better- positioned to execute our statutory authorities related to securing the .gov and working with the interagency on areas like Federal Information Security Management Act (FISMA) compliance. Question 3. The Office of Emergency Communications (OEC) is currently authorized in law. Based on the latest information provided, under this proposal it would be shifted to the new infrastructure security division. How do you see the role and functions of OEC changing in this reorganization? Why does the office need to move? Is this move possible under current law? Answer. OEC carries out a critical part of NPPD's mission by advancing interoperable and National security/emergency preparedness communications by building the capacity of first responders through training, technical assistance, and development of governance structures across the country. The role of OEC is not envisioned to change within the new structure. Integrating OEC with the Infrastructure Security organization that is focused on these types of capacity-building operations will enable OEC to more readily collaborate with colleagues and expand its reach to new stakeholders through Infrastructure Security's sector relationships, such as the Emergency Services Sector, and the integrated field forces who will promote the wide range of NPPD programs and services. As the Under Secretary stated in response to a question from Rep. Donovan during the hearing, moving OEC is one example where NPPD would require Congressional action to support its proposed reorganization. The Homeland Security Act, as amended, requires the Director of the Office of Emergency Communications to report to the Assistant Secretary for Cybersecurity and Communications. Question 4. Understanding DHS has a significant volume of sensitive and personally-identifiable information (PII) which has been exposed over the last few years, does the agency have plans to fund and deploy enterprise-wide digital rights management solutions across the Department to protect against future data leaks? Answer. Security of data and protecting sensitive and PII will continue to be a priority for the Department as well as for Cyber and Infrastructure Protection. The Transition Plan envisions enhanced privacy and IT security, including carrying out new requirements under the Federal Information Technology Acquisition Reform Act (FITARA). The Department will continue to explore ways to manage data and protect against data leaks. Questions From Chairman John Ratcliffe for Ronald J. Clark Question 1. Protective Security Advisors (PSA's) have become the primary interface for private-sector stakeholders. The proposal would also create cybersecurity advisors. While the distinction does seem useful, isn't this inconsistent with your overall plan to merge physical and cyber skills? If you need distinct and separate security advisors, isn't that an indication that these are two distinct and separate missions? Answer. NPPD established the Cyber Security Advisor program several years ago to complement the PSAs, who work directly with our public and private-sector partners. Cyber Security Advisors and PSAs work together to conduct assessments and inform public and private-sector owners and operators of existing programs and resources available to protect infrastructure in support of NPPD's mission. The proposed transformation would enable greater effectiveness by providing institutional structures, particularly in the field, to enable these key collaborative activities. We ``merge'' these skills by creating institutional and operational mechanisms that make it easier for cyber experts and physical security experts to work closely together, learn from each other, and better support our stakeholders with the kind of holistic assistance that reflects the world they face; a world in which the lines between cyber and physical risks are increasingly blurred. Question 2. Last Congress, the committee made significant improvements to the Chemical Facility Anti-Terrorism Standards or CFATS program within the Infrastructure Security Compliance Division (ISCD). ISCD has made significant improvements in clearing the backlog of facility inspections and certifications. The committee is committed to seeing this success continue, how will this reorganization impact ISCD and the CFATS program? Answer. NPPD appreciates the committee's support of the Chemical Facility Anti-Terrorism Standards (CFATS) program and is committed to the program's continued success. The CFATS program is an excellent example of how infrastructure owners and operators must address both cyber and physical risks to infrastructure, as one of the Risk-Based Performance Standards requires facilities to assess their cybersecurity as part of the CFATS regulatory requirements. Under the Transition Plan, the CFATS program would reside within the Infrastructure Security entity to align with other similar capacity-building operations, but would retain the integrity of the regulatory program. Chemical Security Inspectors will remain an important part of NPPD's field forces and will continue to interact with Protective Security Advisors and Cyber Security Advisors. Questions From Ranking Member Bennie G. Thompson for Chris P. Currie Question 1. Mr. Currie, you testified that successful Government reorganizations balanced both the Executive and Legislative roles. You also testified that parties with vested interests should be involved in discussions about reorganizing. I agree. The party with one of the most vested interests with the reorganization of NPPD is its workforce. How important is it for NPPD to have a workforce plan that minimalizes negative impacts on morale? What should a Government successful workforce plan look like? Answer. It is vitally important for NPPD to have a workforce plan that minimizes any negative impacts on morale that may arise due to reorganization. Employee morale at NPPD is consistently low relative to other DHS components and to other Federal agency subcomponents. Therefore, it is imperative that NPPD consider how the planned reorganization could potentially enhance and not further lower employee morale, as an engaged and motivated workforce will be crucial accomplishing NPPD's missions. In our previous work identifying key factors for implementing successful organizational change based on the experiences of past large and small organizational transformations, we found that involving employees to obtain their ideas and gain their ownership of a reorganization was crucial. Specifically, it is important to seek out and monitor employee attitudes, as well as to take appropriate follow- up actions. Especially at the outset of the transformation, obtaining employees' attitudes through pulse surveys, focus groups, or confidential hotlines can serve as a quick check of how employees are feeling about the large-scale changes that are occurring and the new organization as a whole. While monitoring employee attitudes provides good information, it is important for employees to see that top leadership not only listens to their concerns, but also takes action and makes appropriate adjustments to the transformation in a visible way. By not taking appropriate follow-up action, negative attitudes may translate into actions, such as employee departures, among other things, that could have a detrimental effect on the transformation. Beyond these concerns specific to organizational change, we identified in past work on strategic workforce planning 5 key principles that lead to more effective workplans. Inclusion of these principles in NPPD's workforce planning will be important for ensuring success. Involve top management, employees, and other stakeholders in developing, communicating, and implementing the strategic workforce plan. Determine the critical skills and competencies that will be needed to achieve current and future programmatic results. Develop strategies that are tailored to address gaps in number, deployment, and alignment of human capital approaches for enabling and sustaining the contributions of all critical skills and competencies. Build the capability needed to address administrative, educational, and other requirements important to support workforce planning strategies. Monitor and evaluate the agency's progress toward its human capital goals and the contribution that human capital results have made toward achieving programmatic results Question 2. As you know, Secretary Johnson's Unity of Effort initiative has not been principally focused on driving reorganizations, but rather putting in place structures to improve performance across the Department and foster greater collaboration and coordination. Based on your observations of Federal reorganizing, how can a reorganization of NPPD contribute to the Unity of Effort at the Department? Answer. DHS's Unity of Effort initiative calls for better traceability between DHS's strategic objectives and mission execution, among other things, in order to improve both Departmental cohesiveness and operational effectiveness. In testimony before this committee, Under Secretary Spaulding stated that the proposed reorganization would include 3 interconnected operational directorates that will allow for focused operations with the necessary coordination to ensure that operations mitigate risk in a holistic, comprehensive manner. To the extent that this reorganization approach would create better alignment between DHS's overall strategic objectives and mission execution, it would contribute to DHS's Unity of Effort initiative. Our past work identifying lessons learned from private and public- sector transformations found that a key factor to successfully implementing large-scale change is to focus on a key set of principles and priorities at the outset of the transformation and to embed these core values into every aspect of the organization to reinforce the new culture. In this case, DHS's Unity of Effort may be supported by NPPD's proposed reorganization if Unity of Effort principles were made explicit in the initial stages of the process and reinforced throughout NPPD's new proposed directorates. As we note in our work on organizational transformations, key principles--such as DHS's Unity of Effort--can serve as an anchor that remains valid and enduring while organizations, personnel, programs, and processes may change. [all]