While it might not have made nearly as much noise as the Mueller investigation, midterm upheaval or Pelosi speakership drama, there was a piece of really important legislation signed into law late last week that could have major ramifications for how much of the U.S. cybersecurity apparatus operates now and into the future. The bill, known as the CISA Act (for “Cybersecurity and Infrastructure Security Agency”), both reorganizes and rebrands its predecessor, the National Protection and Programs Directorate (NPPD), which was a program under the umbrella of the Department of Homeland Security (DHS). As CISA, it will be a standalone federal agency in charge of overseeing civilian and federal cybersecurity programs. While in a lot of ways this is semantic, it also has major implications for policing, protection and enforcement in practice.
CISA > NPPD
The NPPD was founded in 2007 and already handles almost all of DHS’s cybersecurity operations. It also drew together an alphabet soup of other sub-departments under its direction, as per ZDNet: “NPPD was the government entity in charge of physical and cyber-security of federal networks and critical infrastructure, and oversaw the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP).”
So how is this different?
From a day-to-day perspective, not a ton will change. But elevating NPPD from a program to the full-federal-agency level as CISA will bring with it both an increased budget and far more latitude and authority to impose directives.
“The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical,” DHS Secretary Kirstjen Nielsen said. “It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”
“2018’s CISA (not to be confused with the 2015 surveillance bill of the same acronym) will solidify the name and role of the DHS’ cybersecurity operation, consolidating both infosec and physical infrastructure security operations into a unified agency,” according to The Register.
What the shift to CISA means for your business
Federal policy at this level takes a while to actually filter down into discernible action items at a local level. Simply reorganizing and rebranding a program into an agency doesn’t immediately make our digital infrastructure more secure. But what it does is lay the groundwork for a more holistic approach to cybersecurity.
Cybersecurity is no longer just a feature of IT; it’s a department-level concern within companies, too. It’s not just one element of a single person’s job — it has to be a full-time concern, lest the smallest thing slip through the cracks and devastate your network and all the data therein.
Most small and even mid-sized businesses can’t afford a full-time cybersecurity expert on staff (which is why a Managed Service/IT Provider makes so much sense for so many companies). And to be honest, much of the time it doesn’t make sense to spend that much money on what could possibly happen… except if that possibility is truly crippling.
The U.S. government took a major step in acknowledging the extent of outstanding threats, as well as giving us the right mindset and authority to start counteracting them. I would suggest companies adopt a similar (if more economically modest) approach as well.