Summary: The Department of Homeland Security Authorization Act of 2017
On March 7, the Senate Homeland Security and Governmental Affairs Committee voted 10-to-one to approve legislation authorizing the operations of the Department of Homeland Security (DHS) for the first time since the Department’s inception on March 1, 2003.
Published by The Lawfare Institute
Created in the wake of 9/11 as a “stand-alone, Cabinet-level department to further coordinate and unify national homeland security efforts,” DHS is composed of 22 different federal departments. These departments include the Coast Guard; the U.S. Secret Service; the Transportation Security Administration (TSA); the Federal Emergency Management Agency (FEMA); U.S. Citizenship and Immigration Services (USCIS); U.S. Immigration and Customs Enforcement (ICE); and U.S. Customs and Border Protection (CBP) (the last three of which constitute the reorganized version of the Immigration and Naturalization Service formerly at the Department of Justice).
The legislation to authorize DHS has taken three years to hammer out, with considerable difficulty. Much of that difficulty stemmed from the plethora of congressional committees which oversee DHS, a problem which was somewhat resolved in the House early last year through a Memorandum of Understanding between its oversight committees. The committees agreed to shepherd through an authorization bill, with the House Committee on Homeland Security taking the lead.
Because it has been 15 years since DHS has received direction from Congress except through annual appropriations bills, the authorization bill has quite a lot of ground to cover. It is divided into seven titles: (1) DHS Headquarters; (2) Acquisition Accountability and Efficiency; (3) Intelligence and Information Sharing; (4) Emergency Preparedness, Response, and Communications; (5) FEMA; (6) Cybersecurity and Infrastructure Security Agency; and (7) Other Matters. Below is a title-by-title summary of the legislation, along with major amendments.
I. DHS Headquarters
Title I is divided into two sections, “Headquarters Operations” and “Human Resources.” It amends the original Homeland Security Act of 2002 (HSA) largely by codifying the existing administrative structure of DHS, though with a few notable changes.
a. Headquarters Operations
First, Title I changes the name of the “Office of State and Local Coordination” to the “Office of Partnership and Engagement,” before codifying each of the existing components of DHS. It states that assistant secretaries for public affairs, legislative affairs, and the Office of Countering Weapons of Mass Destruction are to be appointed by the president; the rest are appointed by the secretary. Any new assistant secretary positions must be created by statute. Title I also codifies the responsibilities of the existing chief privacy officer (CPO) and FOIA officer, the chief financial officer (CFO), and the chief information officer (CIO).
Under the legislation establishing the Department of Homeland Security in 2002, the secretary must provide a Homeland Security Review to Congress every four years. Title I shifts the due date for the review from Dec. 31 to Sept. 30 and requires the secretary to retain certain documentation of his or her consultation with relevant stakeholders in drafting the review. It also orders the department to produce a report 90 days from submission of the review detailing how its recommendations are being implemented.
Title I then outlines revised contours for the existing Office of Strategy, Policy, and Plans (OSPP) by abolishing the Office of International Affairs and transferring its duties over to the OSPP. The existing Office of the Private Sector is placed within the OSPP as well. The outlines of the revised OSPP also call for the DHS secretary to review the functions and responsibilities of each internationally-focused component of the department and eliminate unnecessary duplication within a year, providing the results of the review to Congress within 30 days after it is complete. The secretary is also to create an action plan to address duplication and overlap and submit it to Congress within the same one-year timeframe.
After codifying the functions and responsibilities of the chief procurement officer, chief security officer, inspector general, Office of Civil Rights and Civil Liberties, undersecretary for science and technology, and the chief scientist, Title I codifies the guidelines for DHS’s Rotation Program, including the Intelligence Rotational Assignment Program.
Currently, the department must submit a “Future Years Homeland Security Program” to Congress along with each budget request. The title amends the deadline for the report from 90 to 60 days after the submission of the president’s budget and requires that the report be made public, with allowance for a classified annex.
Title I lists a number of other reporting requirements as well. These include: a Field Efficiencies Plan to be delivered to the Senate and House Homeland Security committees and the House Committee on Transportation and Infrastructure within 270 days, providing an account of facility cost and recommendations to streamline them (largely modeled on the Efficiency Review launched by Secretary Janet Napolitano in 2009); a report on the reprogramming or transferring of funds for operational surges for the next five years; a report on cost savings and efficiency within the next two years; and a long-term real property strategy to be reported to Congress within 180 days.
The first part of Title I finishes by codifying the existing Office for Countering Weapons of Mass Destruction and chief medical officer. Section 1117, which provides for these entities, sunsets in five years. Title I also terminates the Domestic Nuclear Detection Office and the Office of Health Affairs, along with the positions of Assistant Secretary for Health Affairs and Director for Domestic Nuclear Detection. It also authorizes DHS to enter into agreements with other countries and international NGOs in consultation with the State Department or the appropriate agency, something it already does (see here and here).
b. Human Resources and Other Matters
Title I provides a few amendments to the position of Chief Human Capital Resources Officer and requires the secretary to produce an action plan within 180 days detailing how to improve employee engagement, diversity, inclusion and development. The obligation to create the action plan internally terminates after five years, but the secretary is still required to submit a department-wide action plan to Congress every two years, along with component-specific plans.
Title I also reminds the secretary of his or her obligation to provide assistance to state and local officials in securing election infrastructure. It requires that the secretary submit a yearly report to Congress detailing:
- DHS’s responsibilities for “coordinating the election infrastructure critical infrastructure subsector”;
- One-year and five-year plans for improving the security of election infrastructure that include “lessons learned, best practices, and obstacles from the previous year”;
- Election infrastructure work with each individual “State, unit of local government, and tribal and territorial government,” along with the Government and Sector Coordinating Councils at DHS.
Again, the report is to be submitted in unclassified form, allowing for a classified annex.
Originally, Sens. James Lankford and Kamala Harris sought to supplement this provision with an amendment establishing a presumption that state and local officials would share information with DHS about threats to election infrastructure. Lankford withdrew the amendment due to pushback from a number of secretaries of state with concerns that this would “federalize” the elections process. Lankford and Harris now reportedly intend to introduce the amendment as a stand-alone bill.
Title I concludes by, among other things, eliminating the director of shared services and the Office of Counternarcotics Enforcement. The shared services directorate, which coordinates resources between the CBP and USCIS, had come under criticism for mismanagement in the past. In a 2010 report, the Counternarcotics Enforcement Office was described by the department’s inspector general as facing “inherent difficulties,” and having “trouble fulfilling its statutory duties”. The office was later defunded and transferred to the Office of Strategy, Policy, and Plans in the 2012 Consolidated Appropriations Act.
II. Acquisition Accountability and Efficiency
Title II clarifies and adds to the authorities of the undersecretary for management, including the delegation of acquisition authority. It briefly outlines the acquisition authorities of the CFO and the CIO and codifies the existing Office of Program Accountability and Risk Management. It also provides for the creation of a post to manage acquisition innovation within the undersecretary’s office and the functions of that post; it then requires a report on all activities taken under the provisions listed within 90 days.
Next, Title II requires the establishment of an Acquisition Review Board. Sen. Steve Daines introduced legislation to establish such a board in April of last year, and his proposal is largely incorporated here. The board would, among other things, adopt cost-benefit analysis practices and determine whether proposed acquisitions meet the necessary requirements under the acquisition lifecycle framework. Another reporting requirement is levied if a program is approved without an acquisition program baseline―the notification is to be completed in seven days, and the rationale within 60 days.
Title II then lays out a number of oversight mechanisms to ensure that acquisition practices are as efficient as possible. First, it requires the deputy secretary to create policies to increase efficiency by reducing duplication in acquisition programs. Next, it provides for the creation of a Department Leadership Council to assist the secretary in coordinating within the department. It outlines a structure review by the DHS inspector general of “suspension and debarment” procedures, which have been the subject of litigation between Kaspersky Lab and DHS: Kaspersky claims that DHS’s designation of its software as an “information security risk” constitutes an effective debarment (see here and here). Further, Title II outlines a structure for notification to the Secretary and submission of a remediation plan and root cause analysis in the event of a breach in a major program.
Last, the title requires that within a year, the undersecretary for management submit to the “appropriate congressional committees” a multiyear acquisition strategy, which will “guide the overall direction of the acquisitions of the Department while allowing flexibility to deal with ever-changing threats and risks.” The plan would include a prioritized list of programs and their benefits; an inventory of investments and real property assets; a plan to address funding gaps, competition, and workforce management; and an identification of capabilities, with a focus on flexible, frugal, and efficient solutions.
III. Intelligence and Information Sharing
One of the most important sections of the legislation, Title III is divided into two parts: the DHS intelligence enterprise and stakeholder information-sharing.
a. DHS Intelligence Enterprise
Title III begins by instructing the secretary (through the CIO and in coordination with the general counsel, the privacy office, the Office of Civil Rights and Civil Liberties, and DHS’s intelligence components) to create policy guidance for the processing, analysis, production, and dissemination of homeland security and terrorism information. The policy guidance must provide the following:
- A description of the “guiding principles” of DHS’s intelligence enterprise;
- A summary of the roles and responsibilities of each intelligence component;
- Guidance for processing, analysis, and production of information;
- Guidance for dissemination of such information between relevant federal, state, local, and tribal agencies (see here, here, and here for existing MOUs on this subject); and
- A statement of intent about how such dissemination should assist the relevant agencies.
The guidance should be released in unclassified form, with allowance for a classified index, and is to be reviewed every five years.
The next provision (Section 1302) provides the undersecretary for intelligence and analysis (I&A)―who also serves as the chief intelligence officer of DHS per Section 201(b)(2) of the Homeland Security Act―with staff for his CIO role that has “appropriate component intelligence program expertise and experience.” Title III then lays out requirements for the department’s annual Terrorist Threat Assessment, to be produced yearly over the next five years. This report must also be submitted in unclassified form, allowing for a classified annex. The creation of a DHS data framework that adheres to privacy principles and laws, and that is readily accessible to trained and cleared employees, is also required.
Title III then codifies another already-existing program, the Insider Threat Program (ITP). The provision providing for the creation of the ITP (Section 1305) largely tracks the setup of the current framework at DHS as mandated by executive order 13587, which the Obama administration promulgated in 2011 to “ensure the responsible sharing and safeguarding of classified national security information.” While the most notorious recent leaks have come from NSA (namely from Edward Snowden, Harold Martin and Reality Winner), Congress has also focused its attention on leaks from within DHS (see for example here).
Title III then instructs the intelligence undersecretary, in coordination with agencies including the Treasury Department, the State Department, and the FBI, to assess within 120 days the threat of terrorists’ use of virtual currencies (such as Bitcoin and Tether). The undersecretary is also to develop a threat assessment as to whether transnational criminal organizations are exploiting border vulnerabilities. Both assessments will be shared with state, local and tribal law enforcement officials. To some extent this provision (Section 1307) reflects the focus and language of Section 3(j) of executive order 13535, signed by President Trump in the early days of his administration.
Further, Title III establishes a Counter Threat Advisory Board, which is quite similar to the existing Counterterrorism Advisory Board (CTAB) that the House Committee on Homeland Security’s Task Force on Combating Terrorist and Foreign Fighter Travel concluded last year should be authorized by Congress. The Board would have a charter and members from the TSA, CBP, ICE, FEMA, Coast Guard, USCIS, Secret Service, National Protection and Programs Directorate, Office of Operations Coordination, Office of General Counsel, I&A, OSPP, Science and Technology Directorate, Office of State and Local Law Enforcement, Privacy Office, and the Office of Civil Rights and Civil Liberties. No additional funds are provided for the Board to operate, and it is to report on its activities to Congress within 90 days. The bill establishes the board for two years.
b. Stakeholder Information Sharing
Section 210A of the HSA established the Fusion Center Initiative to coordinate information sharing between sectors of the federal government and state and local governments. Section 1311 of Title III renames the Fusion Center Initiative as the “Department of Homeland Security Fusion Center Partnership Initiative.” Many of the amendments to this section refocus the department’s efforts on the “National Network of Fusion Centers,” rather than on “State, local, and regional fusion centers.” Notably, the Act does not include the HSA’s requirement for the performance of “tabletop and live training exercises” to assess the capabilities of networks, listed at Section 210A(b)(3). As part of the initiative, the I&A Undersecretary is to negotiate memoranda of understanding (MOU) between DHS and each state and/or local government regarding the fusion centers. The undersecretary is also required to report annually to Congress on the value of the fusion centers until 2024.
Next, Title III runs through a number of other requirements on fusion centers, including: (1) an assessment of fusion center personnel needs; (2) a report to Congress on the strategy for supporting counternarcotics initiatives; (3) a report to Congress on how state and local analysts are given security clearances; (4) an assessment of the need for updates to information technology systems; and (5) an inventory of classified facilities. Title III also requires the secretary, in conjunction with the attorney general, to share information on individuals suspected to “pose a terrorist threat,” and who are or were incarcerated in federal prison, with state, local, and regional fusion centers. DHS is to provide those fusion centers with “periodic assessments” of the risk posed by “known or suspected terrorists currently incarcerated in a Federal correctional facility.”
Title III amends Section 2006(b) of the HSA to require an annual report from the assistant secretary for the Office of State and Local Law Enforcement on the Office’s activities for the next five years. The assistant secretary must also produce an annual catalog that “summarizes opportunities for training, publications, programs, and services available to State, local, tribal, and territorial law enforcement agencies from the Department.”
The section concludes by levying a very specific “duty to report”: Whenever a terrorist attack occurs in the United States, the primary agency investigating it will be required to submit an unclassified report (with allowance for a classified annex), in collaboration with the homeland security secretary, attorney general, FBI director, and as appropriate, the director of the National Counterterrorism Center, one year after the completion of the investigation. Each report is to include: (1) a statement of facts; (2) an explanation of any gaps in national security that could have prevented the attack; (3) any recommendations for additional measures to improve homeland security; and (4) a summary of the report for distribution to the public. The duty to report does not apply where any of the named officials above determine that the information required could “jeopardize an ongoing investigation or prosecution,” a determination they must make known to Congress.
IV. Emergency Preparedness, Response, and Communications
Title IV is a section-by-section revision of the state and local law enforcement provisions of the HSA, which either levies new reporting requirements on existing programs or updates the law to reflect the current reality. It is divided into two parts: (1) Grants, Training, Exercises, and Coordination, and (2) Communications.
a. Grants, Training, Exercises, and Coordination
Title IV begins by adding new reporting requirements for the state and local governments that participate in the Urban Area Security Initiative, a federal grant program administered by FEMA that targets urban areas at high risk for terrorist threats, and the State Homeland Security Grant Program. Both provisions require the metropolitan entities involved to create an assessment of the terrorist threat consistent with FEMA’s Comprehensive Preparedness Guide 201. It also adds new reporting requirements on the Assistant Secretary for State and Local Law Enforcement on the use of the money from the above programs.
Title IV then authorizes broader permitted uses of funds for the programs than listed in the HSA, including for “enhancing medical preparedness ... [with] the development and maintenance of an initial pharmaceutical stockpile” and “enhancing cybersecurity, including preparing for and responding to cybersecurity risks and incidents.” It also commissions a study by the Comptroller General about how much of the funds from these programs are used for cybersecurity efforts.
After imposing more review and reporting requirements for equipment purchased under the grant program, Title IV directs the FEMA Administrator to enter into an MOU about grants to transportation agencies and port authorities with the following component chiefs: CBP commissioner, TSA administrator, Coast Guard Commandant, I&A undersecretary, assistant director for Emergency Communications, assistant secretary for state and local law enforcement, countering violent extremism (CVE) coordinator, the Officer for Civil Rights and Civil Liberties, and the chief medical officer. This MOU requirement takes an existing MOU between FEMA and TSA on transportation security grants and expands it to include all the other above-named agencies. The inclusion of the CVE coordinator is notable given that the Trump administration has reportedly mulled scrapping the CVE program altogether.
Next, after imposing more reporting requirements on the FEMA administrator (including posting a summary of audits from the DHS inspector general on its website), Title IV indicates that it is the sense of Congress that DHS should “to the greatest extent practicable, work to share actionable information [on cyber threats] in an unclassified form related to such threats.” It then outlines the broad contours of “Operation Stonegarden”―an existing grant program led by CBP for those states with maritime borders or those bordering Canada and Mexico to interdict undocumented immigrants, drugs, and weapons―and the Non-Profit Security Grant Program. The title also authorizes the “Joint Counterterrorism Awareness Workshop Series” coordinated annually between DHS, the National Counterterrorism Center, and the FBI.
Title IV additionally requires DHS to coordinate with other federal agencies to “develop and conduct an exercise related to the terrorist and foreign fighter threat” as part of DHS’s National Exercise Program, within a year. The exercise would involve two scenarios: one involving a person leaving the country to join a terrorist organization abroad (known as the “foreign fighter problem”), and the other involving “terrorist infiltration into the United States, including United States citizens and foreign nationals.” Title IV also provides for accountability regarding grants by increasing reporting requirements.
b. Communications
Title IV concludes by briefly addressing communications, striking a few obsolete provisions from the HSA and updating reporting requirements for the Assistant Director for Emergency Communications, a position outlined in greater depth in Title VI.
V. FEMA
The initial provisions of Title V―entitled the “FEMA Reauthorization Act of 2018”―list the appropriations for the agency and its components until fiscal 2020. The title authorizes the Rural Domestic Preparedness Consortium and the Center for Faith-Based and Neighborhood Partnerships and instructs the President to develop coordinating responsibilities between the agencies under the National Response Framework. It also authorizes the Remedial Action Management Program.
Title V then addresses a report by the Management Review Team on May 8, 2017 regarding live agent training at the Center for Domestic Preparedness’s Chemical, Ordnance, Biological and Radiological (COBRA) Training Facility in Anniston, Ala. The report detailed a lack of external oversight of the program, complaints of race and gender mistreatment, and insufficient repairs to facilities. Title V requires the FEMA Administrator to develop a plan to address those findings, and report to Congress on those efforts.
After authorizing the Office of the Senior Law Enforcement Advisor and outlining its responsibilities, Title V requires the FEMA administrator to designate an individual to serve as the “chief management official and principal advisor ... on matters related to the management of [FEMA]” regarding such tasks as procurement, human resources, information technology and communications, real property investment, security for personnel, technology, and facilities, and any other management duties. It also authorizes the Office of Disability Integration and Coordination.
Title V concludes by requiring more reporting from the FEMA administrator, such as developing a plan to streamline information collection from disaster assistance recipients and creating a website to post the amount of assistance awarded, all in conjunction with the Small Business Administration and the Department of Housing and Urban Development. The rest of the title is composed of website and reporting requirements to ensure accountability for the funds given to state, local and tribal governments and private entities in the form of disaster assistance, mission assignments, and contracts, as well as the handling of unobligated funding (funds the government is not duty-bound to pay out).
VI. Cybersecurity and Infrastructure Security Agency
Title VI is probably the most significant section of the act. The provision―which adopts wholesale the Cybersecurity and Infrastructure Security Agency Act of 2017, already adopted by the House of Representatives―drastically amends the HSA. It signals a recognition by Congress of the transition undergone by the National Protection and Programs Directorate (NPPD) to house its physical- and cybersecurity elements in one place. The NPPD’s new structure largely, though not entirely, maps onto the reorganization proposed by DHS back in March 2016 (and flagged by Paul Rosenzweig for Lawfare here). (For more information on the dialogue about reorganization of the NPPD on Lawfare to make it more operational, see here and here).
After Title VI lists relevant definitions, it redesignates the NPPD as the “Cybersecurity and Infrastructure Security Agency,” or CISA (which may become confusing given this is also the acronym for the Cyber Information Sharing Act) and designates a director of cybersecurity and infrastructure security to replace the undersecretary of the NPPD listed at Section 103(a)(1)(H) of the HSA. It then lists the responsibilities of the DHS secretary with regard to cybersecurity and infrastructure security, which include threat information analysis, vulnerabilities assessment, protection recommendations, the creation of a national plan for securing critical infrastructure, and consultation and coordination with state, local, tribal, and territorial government agencies and the private sector. Title VI also requires the secretary to provide a staff of analysts for the agency, which can include contractors and employees of other federal agencies.
Title VI then turns to the reorganization of the agency’s structure. It establishes three divisions:
- The Cybersecurity Division (replacing the Office of Cybersecurity and Communications);
- The Infrastructure Security Division (replacing the Office of Infrastructure Protection); and
- The Emergency Communications Division (replacing the Office of Emergency Communications).
Each division is run by an assistant director appointed by the president, with a privacy officer to ensure privacy protection and compliance with the Privacy Act.
Title VI then sets a calendar of congressional briefings on various aspects of the new agency for the new director, before levying a reporting requirement to be fulfilled within 90 days about the agency’s fulfillment of the requirements from the Cybersecurity Workforce Assessment Act, and within 180 days as to the most efficient way to consolidate the new agency’s work. It transfers the Office of Biometric Identity Management over to the DHS management directorate. Under the new structure, it is unclear where the Federal Protective Service (FPS), previously housed in the NPPD, will reside: the title directs the secretary to submit a recommendation to the relevant congressional committees and the OMB about where the FPS should be transferred to. The recommendation must come within 90 days of a report from the GAO on the FPS’s placement, as requested by Congress.
Title VI concludes by directing the homeland security secretary, in coordination with the OMB director and the head of the GSA, to submit a report within 120 days on DHS’s leadership in “cloud-based cybersecurity deployments for civilian Federal departments and agencies.”
VII. Other Matters
Title VII’s largest provision involves the establishment of the “Commission to Review the Congressional Oversight of the Department of Homeland Security.” The commission would be a bipartisan congressional body with six members (three Republicans and three Democrats) appointed by the leadership of both chambers and cleared to view classified information. The commission is charged with conducting a comprehensive study of congressional oversight of DHS, to be submitted to the president and Congress within nine months after passage of the Act. The commission will terminate within a year, and will be assisted by the homeland security secretary, the attorney general, the secretary of state, the OMB director, and any other agency head as required.
Currently, there are 92 different committees and subcommittees that DHS reports to. There have been numerous calls to streamline congressional oversight of DHS, starting with the 9/11 Commission Report and continuing to this day. In fact, the DHS Authorization Act has been held up in the Senate due to infighting between oversight committees within that body.
Amendments
A total of 26 amendments to the main bill made it out of committee, many of which focused on improving cybersecurity or targeting emerging technologies. For instance, Sen. Kamala Harris proposed mandating a “cybersecurity talent exchange pilot program” (which would allow private citizens to use their skills for DHS), while Sen. Maggie Hassan proposed creating a “bug bounty” program to allow for the detection of vulnerabilities by “white hat” hackers similar to an existing Pentagon program. The Hassan amendment would codify an already existing bill, entitled the “Hack the DHS Act,” which Hassan introduced last year. Sen. Rob Portman introduced an amendment that would require DHS to report on the threat posed by terrorists’ use of blockchain technology, which has been the subject of increased interest on the Hill, and Sen. Steve Daines sought to shore up cybersecurity research and development and to protect personally identifiable information.
Notably, Sen. Claire McCaskill addressed the debarment and suspension program that, as mentioned above, has been the subject of litigation between DHS and Kaspersky Lab. And Sen. Tom Carper wanted to institute an annual report to Congress regarding the progress of DHS on CVE programs, again signaling that the Trump administration’s moves on the issue have some opposition in Congress.
Conclusion
The question now is whether the Act will pass the full Senate, what the compromise bill between both chambers will look like, and whether the president will sign it. It is unclear whether the bill will have smooth sailing through the Senate now that it has passed through the Senate Homeland Security Committee, as there is no coordination between the relevant Senate committees overseeing DHS similar to the agreement between the House committees mentioned above. If the bill makes it to the full Senate for a vote, it will need to be reconciled with the legislation already passed by the House. It is likely that the president will sign the bill, as Trump has not yet voiced any objections. But the bill has a long way to go before it reaches the president’s desk.