Updated December 19, 2018
DHS’s Cybersecurity Mission—An Overview
Much of the U.S. government’s cybersecurity apparatus focuses on the adversary—the person or organization that seeks to or has already carried out an attack against information technology (IT) systems. The U.S. Department of Homeland Security (DHS) is unique in the government’s structure because its work to ensure national cybersecurity is largely agnostic to any individual threat actor, but informed by the risks that the actor presents. This In Focus describes DHS’s cybersecurity missions and how the Department interacts with others to accomplish its missions.

DHS’s Cybersecurity Missions
DHS has a variety of cybersecurity missions, which span the spectrum of prevention, protection, mitigation, response and recovery. In operating along this spectrum, DHS seeks to assess cyber risks and use its understanding of those risks to promote security and resilience of information communication technology (ICT) systems. When a cyber incident occurs, DHS has capabilities and authorities to provide direct assistance to the victim (both federal and non-federal) to help that victim recover from the incident.

Information Sharing
DHS seeks to improve the cybersecurity of the nation by sharing information among federal entities and with non-federal entities (e.g., state governments and the private sector). This can be classified information from an intelligence community source, sensitive information from an industry partner or unclassified information that is being promulgated through DHS’s communications channels. However, information sharing by itself does not improve cybersecurity, but requires someone (e.g., a system administrator or an end user) to change a behavior in response to learning the shared information.

Federal Network Security
DHS monitors for threats against federal agencies and takes actions (either unilaterally or in collaboration with other agencies) to respond to threats. DHS can block malicious Internet traffic before it enters an agency, inform an agency when it has a vulnerability, direct agencies to mitigate threats, and provide technical assistance to agencies to respond to cyber risks. The Federal Information Security Modernization Act of 2014 (P.L. 113-283) codified the role that DHS plays in securing federal networks (along with the role that OMB, the NIST, and the individual agencies play).

Critical Infrastructure Protection
DHS identifies entities among the 16 critical infrastructure sectors (as set forth in Presidential Policy Directive 21) and works with them to mitigate risks, regardless of whether those risks are natural (like a hurricane) or man-made (like a cyber attack). DHS conducts risk assessments of entities, provides technical assistance to achieve security (before, during and after an incident), and shares information with entities to encourage changes in security postures. The department does this as part of the critical infrastructure protection mission granted to DHS as part of the Homeland Security Act of 2002 (as amended, P.L. 107-296) and as part of specific cybersecurity authorities granted in the National Cybersecurity Protection Act of 2014 (P.L. 113-282), the Cybersecurity Act of 2015 (P.L. 114-113, Division N), and the Cybersecurity and Infrastructure Security Agency Act of 2018 (P.L. 115-278).

Law Enforcement
DHS can investigate a variety of cybercrimes through the department’s law enforcement agencies. These crimes include those enabled by the use of ICT, such as intellectual property theft or financial theft. Increasingly, criminal endeavors carry a cyber element, such as the smuggling of money across borders through the use of cryptocurrencies and stored-value cards.

Research and Development
Through its components and the Science and Technology Directorate, the department funds research and development into technologies with the objective of improving cybersecurity and transitioning those technologies to wide adoption.

Mission Execution by DHS Components
There are many entities within DHS that execute the department’s cybersecurity mission. Below are a few DHS components with cybersecurity roles.

Cybersecurity and Infrastructure Security Agency
CISA is the primary component involved with cybersecurity. Congress created it from a previous component (P.L. 115-278). Through the National Cybersecurity and Communications Integration Center (NCCIC), DHS’s cyber watch center, the department coordinates civilian cybersecurity activities and serves as the primary interface between the non-federal entities and the federal government. Within the NCCIC are the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) which find and develop mitigating solutions against cyber threats. CISA also performs stakeholder outreach, develops policies and implementing guidance for federal agency cybersecurity, and deploys tools for cybersecurity. CISA is also the sector specific agency for many sectors, including IT, Communications, Dams, Nuclear Facilities, and Government Facilities (including election infrastructure).

U.S. Secret Service
USSS investigates crimes against the financial sector and threats online and in IT as part of its mission to protect the President and dignitaries.

https://crsreports.congress.gov

Immigration and Customs Enforcement
ICE’s Homeland Security Investigations (HSI) investigates crimes on the Internet such as intellectual property theft, currency smuggling and child exploitation, among others.

Transportation Security Agency
TSA, as the sector-specific agency for the transportation sector, has the responsibility to assess risks to the sector, share information on mitigating those risks and coordinate activities for risk mitigation.

U.S. Coast Guard
USCG, as the sector-specific agency for the maritime sector, assesses risks to the maritime industry, shares information, and works with the industry to mitigate those risks. Additionally, as a military branch, USCG has further cyber responsibilities to the Department of Defense.

Federal Emergency Management Agency
FEMA, as the agency responsible for emergency response, worked with the predecessor to CISA to develop the National Cyber Incident Response Plan (NCIRP) and ensure it aligns to the doctrine established in the National Response Framework (NRF).

Specific Programs
DHS operates programs across components to execute against the variety of its cybersecurity missions. Below are a few such programs, but it is not an exhaustive list.

• The National Cybersecurity Protection System (NCPS) commonly referred to as EINSTEIN logs traffic coming into and out of agency networks from the public Internet, alerts when known malicious traffic is identified, and blocks certain malicious traffic. A limit of NCPS is that it has to have seen and analyzed the malicious traffic before, rather than being able to identify novel malicious traffic at first encounter—EINSTEIN can only block known threats.
• Continuous Diagnostics and Mitigation (CDM) is a program that deploys sensors on an agency’s network to identify what the agency has attached to their network and the vulnerabilities of those devices. It compares this against intelligence to prioritize actively exploited vulnerabilities for patching.
• Automated Information Sharing (AIS) was authorized in the Cybersecurity Information Sharing Act of 2015 (P.L. 114-113 Division N, Title I) and provides for machine-to-machine sharing of cyber threat indicators and defensive measures among the private sector, to DHS, and through DHS, among federal agencies.
• Electronic Crimes Task Forces (ECTF) are operated by the USSS out of their field offices to assist local law enforcement in investigating computer crimes.
• The Critical Infrastructure Cyber Community Voluntary Program (C3VP) seeks to encourage adoption of the NIST Cybersecurity Framework.
• The National Cyber Security Alliance (NCSA) is a public-private partnership between DHS and the private sector to promote cybersecurity awareness. National Cybersecurity Awareness Month is part of this partnership.

Working with Others for Cybersecurity
DHS serves a national customer base when delivering cybersecurity capabilities and developing policies. However, these customers may be divided into two main groups: the .gov domain and the .com domain—or, as described in the National Cybersecurity Protection Act of 2014, federal and non-federal entities. DHS has the power to compel federal agencies to act, but must collaborate and entice non-federal agencies to act.

Federal Agencies (.gov)
DHS has specific authorities with regard to federal agency cybersecurity. As such, DHS has established forums and coordination mechanisms to work with agencies to improve agency cybersecurity, and it has other mechanisms to work with agencies toward national cybersecurity. DHS must deploy security technologies on agency networks to improve the security of the .gov domain. In doing so, DHS has a process to obtain and maintain agreements with individual agencies for the use of that technology. DHS uses the federal chief information officer (CIO) and chief information security officer (CISO) councils, which discuss federal IT security broadly. DHS also collaborates with other agencies, like NIST and the DOE national laboratories, to develop and promulgate cybersecurity best practices for federal and non-federal entities.

Private Sector (.com)
DHS works with the IT sector to develop and implement improved cybersecurity tactics that could be deployed nationally. During the Obama Administration, policies were created to position DHS as the lead federal agency for interacting with the private sector on a variety of security matters. Presidential Policy Directive 41 (PPD-41) states that DHS is the lead for asset response, or helping victims of cyber attacks recover. This does not replace the FBI’s responsibility for criminal investigation, as it states the FBI is the lead for threat response, nor does it detract from DOD’s capabilities, as it is long-standing policy for military capabilities to supplement civilian capabilities when necessary as part of Defense Support for Civil Authorities (DSCA). Viewed another way, domestic cybersecurity is primarily a civilian matter rather than a military or law enforcement matter. However, the military and law enforcement agencies bring capabilities that can assist the private sector.

The Cybersecurity Act of 2015 establishes DHS as the portal for sharing information between the private sector and the government. DHS is obligated to inform other federal agencies of pertinent information without delay.

Chris Jaikaran, Analyst in Cybersecurity Policy
IF10683

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10683 · VERSION 3 · UPDATED