DHS’s Cybersecurity Mission—An Overview



Updated August 9, 2023

After a cyberattack, much attention is paid to who the responsible party could be. But helping organizations protect themselves, respond to and recover from incidents is vital to the resiliency of the nation. The U.S. Department of Homeland Security (DHS) works broadly to manage all manner of cybersecurity risks, regardless of the individual threat actor.

This In Focus describes DHS’s cybersecurity missions and how the Department interacts with others to accomplish them.

DHS’s Cybersecurity Missions
DHS has a variety of cybersecurity missions, which span the spectrum of prevention, protection, mitigation, response and recovery. In operating along this spectrum, DHS seeks to assess cyber risks and use its understanding of those risks to promote security and resilience of information communication technology (ICT) systems. When a cyber incident occurs, DHS has capabilities and authorities to provide direct assistance to the victim (both federal and nonfederal) to help that victim recover from the incident.

Information Sharing
DHS seeks to improve the cybersecurity of the nation by sharing information among federal entities and with nonfederal entities (e.g., state governments and the private sector). This can be classified information from an intelligence community source, sensitive information from an industry partner, or unclassified information that is being promulgated through DHS’s communications channels. However, information sharing by itself does not improve cybersecurity. That requires someone (e.g., a system administrator or an end user) to change a behavior in response to learning the shared information.

Federal Network Security
DHS monitors for threats against federal agencies and takes actions (either unilaterally or in collaboration with other agencies) to respond to threats. DHS can block malicious internet traffic before it enters an agency, inform an agency when it has a vulnerability, direct agencies to mitigate threats, and provide technical assistance to agencies to respond to cyber risks. The Federal Information Security Modernization Act of 2014 (P.L. 113-283) codified the role that DHS plays in securing federal networks along with the role that OMB, the National Institute of Standards and Technology (NIST), and the individual agencies play.

Critical Infrastructure Protection
DHS identifies entities among the 16 critical infrastructure sectors (as set forth in Presidential Policy Directive 21) and works with them to mitigate risks, regardless of whether those risks are natural (like a hurricane) or man-made (like a cyberattack). DHS conducts risk assessments of entities, provides technical assistance to achieve security (before, during, and after an incident), and shares information with entities to encourage changes in security postures. The department does this as part of the critical infrastructure protection mission granted to DHS by the Homeland Security Act of 2002 (P.L. 107-296, as amended) and as part of specific cybersecurity authorities granted in the National Cybersecurity Protection Act of 2014 (P.L. 113-282), the Cybersecurity Act of 2015 (P.L. 114-113, Division N), and the Cybersecurity and Infrastructure Security Agency Act of 2018 (P.L. 115-278).

Law Enforcement
DHS can investigate a variety of cybercrimes through the department’s law enforcement agencies. These crimes include those enabled by the use of ICT, such as intellectual property theft or financial theft. Many criminal endeavors also carry a cyber element, such as the smuggling of money across borders through the use of cryptocurrencies and stored-value cards.

Research and Development
Through its components and the Science and Technology Directorate, the department funds research and development into technologies with the objective of improving cybersecurity and transitioning those technologies to wide adoption.

Mission Execution by DHS Components
There are many entities within DHS that execute the department’s cybersecurity mission. Below are a few DHS components with cybersecurity roles.

Cybersecurity and Infrastructure Security Agency (CISA)
CISA is the primary DHS component involved with cybersecurity. CISA coordinates civilian cybersecurity activities and serves as the primary interface between the nonfederal entities and the federal government. CISA also performs stakeholder outreach, develops policies and implementing guidance for federal agency cybersecurity, and deploys tools for cybersecurity. CISA is also the sector-specific agency for many sectors, including information technology (IT), Communications, Dams, Nuclear Facilities, and Government Facilities (including election infrastructure).

U.S. Secret Service (USSS)
USSS investigates crimes against the financial sector and threats online, and in IT as part of its mission to protect the President and dignitaries.

Immigration and Customs Enforcement (ICE)
ICE’s Homeland Security Investigations (HSI) investigates crimes on the internet such as intellectual property theft, currency smuggling and child exploitation, among others.

Transportation Security Agency (TSA)
TSA, as the sector-specific agency for the transportation sector, has the responsibility to assess risks to the sector, share information on mitigating those risks and coordinate activities for risk mitigation. Through its regulatory authority, TSA also imposes security and reporting requirements on transportation facilities (e.g., pipeline operators, airports, and railways).

U.S. Coast Guard (USCG)
USCG, as the sector-specific agency for the maritime sector, assesses risks to the maritime industry, shares information, and works with the industry to mitigate those risks. Additionally, as a military branch, USCG has further cyber responsibilities to the Department of Defense.

Federal Emergency Management Agency (FEMA)
FEMA is the lead federal agency responsible for emergency response. It works with CISA on cyber response planning and ensures it aligns to the doctrine established in the National Response Framework (NRF). FEMA and CISA also partner to administer grants to state and local governments.

Specific Programs
DHS operates programs across components to execute against the variety of its cybersecurity missions. Below are a few such programs, but it is not an exhaustive list.

• The National Cybersecurity Protection System (NCPS) commonly referred to as EINSTEIN logs traffic coming into and out of agency networks from the public internet, alerts when known malicious traffic is identified, and blocks certain malicious traffic. A limit of NCPS is that it has to have seen and analyzed the malicious traffic before, rather than being able to identify novel malicious traffic at first encounter—EINSTEIN can only block known threats. CISA is working on the next evolution of NCPS to identify anomalous threats.

• Continuous Diagnostics and Mitigation (CDM) is a program that deploys sensors on an agency’s network to identify what the agency has attached to their network and the vulnerabilities of those devices. It compares this against intelligence to prioritize actively exploited vulnerabilities for patching.

• Automated Information Sharing (AIS) was authorized in the Cybersecurity Information Sharing Act of 2015 (P.L. 114-113 Division N, Title I) and provides for machine-to-machine sharing of cyber threat indicators and defensive measures among the private sector, to DHS, and through DHS, among federal agencies.

• Electronic Crimes Task Forces (ECTF) are operated by the USSS out of their field offices to assist local law enforcement in investigating computer crimes.

• The National Cyber Security Alliance (NCSA) is a public-private partnership between DHS and the private sector to promote cybersecurity awareness. National Cybersecurity Awareness Month is part of this partnership.

Working with Others for Cybersecurity
DHS serves a national customer base when delivering cybersecurity capabilities and developing policies. However, these customers may be divided into two main groups: the .gov domain and the .com domain—or, as described in the National Cybersecurity Protection Act of 2014, federal and nonfederal entities. DHS has the power to compel federal agencies to act, but must collaborate and entice nonfederal agencies to act.

Federal Agencies (.gov)
DHS has specific authorities with regard to federal agency cybersecurity. As such, DHS has established forums and coordination mechanisms to work with agencies to improve agency cybersecurity, and it has other mechanisms to work with agencies toward national cybersecurity. DHS must deploy security technologies on agency networks to improve the security of the .gov domain. In doing so, DHS has a process to obtain and maintain agreements with individual agencies for the use of that technology. DHS uses the federal chief information officer (CIO) and chief information security officer (CISO) councils, which discuss federal IT security broadly. DHS also collaborates with other agencies, like NIST and the DOE national laboratories, to develop and promulgate cybersecurity best practices for federal and nonfederal entities.

Private Sector (.com)
DHS works with the IT sector to develop and implement improved cybersecurity tactics that could be deployed nationally. During the Obama Administration, policies were created to position DHS as the lead federal agency for interacting with the private sector on a variety of security matters. Presidential Policy Directive 41 (PPD-41) states that DHS is the lead for asset response, or helping victims of cyber attacks recover. This does not replace the FBI’s responsibility for criminal investigation, as it states the FBI is the lead for threat response, nor does it detract from DOD’s capabilities, as it is long-standing policy for military capabilities to supplement civilian capabilities when necessary, as part of Defense Support for Civil Authorities (DSCA). Viewed another way, domestic cybersecurity is primarily a civilian matter rather than a military or law enforcement matter. However, the military and law enforcement agencies bring capabilities that can assist the private sector.

The Cybersecurity Act of 2015 establishes DHS as the portal for sharing information between the private sector and the government. DHS is obligated to inform other federal agencies of pertinent information without delay.

International
CISA works with international partners to collaborate on operations, share information with national-level response teams, and influence the ecosystem. Some specific activities include engaging with standards development and participating in exercises to build confidence and capabilities.

Chris Jaikaran, Specialist in Cybersecurity Policy
IF10683


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF10683 · VERSION 5 · UPDATED