National Cybersecurity Protection System

Related topics:
Cyber Threats and Advisories

The National Cybersecurity Protection System (NCPS) is an integrated system-of-systems that delivers a range of capabilities, such as intrusion detection, analytics, and information sharing. These capabilities provide a technological foundation that enables the Cybersecurity and Infrastructure Security Agency (CISA) to secure and defend the Federal Civilian Executive Branch (FCEB) agencies' information technology infrastructure against advanced cyber threats.

NCPS includes the hardware, software, supporting processes, training, and services that the program acquires, engineers, and supports to fulfill the agency's cybersecurity mission. One of CISA's key technologies within NCPS is an intrusion detection capability known as EINSTEIN, one of many tools and capabilities that assist in federal network defense. The goal of the NCPS EINSTEIN set of capabilities is to provide the Federal Government with an early warning system, improved situational awareness of intrusion threats to FCEB networks, and near real-time identification of malicious cyber activity.

Development of NCPS capabilities relies on tight collaboration and integration with cross-federal stakeholders to support the defense of their underlying networks. Through these relationships, CISA can develop and deliver analytic products and real-time defensive services. This collaboration provides valuable cyber incident information and generates situational awareness and decision support data that is used by incident response teams, governmental and critical infrastructure organizations, and national leadership.

Intrusion Detection

The NCPS Intrusion Detection capability, delivered via EINSTEIN, is a sensor grid that monitors network traffic for malicious activity to and from participating departments and agencies (D/As). This capability enables the identification of potential malicious activity and traffic entering or exiting federal networks using a signature-based intrusion detection technology. This capability provides CISA cybersecurity analysts with improved understanding of the network environment and with increased ability to address network weaknesses and vulnerabilities.

Privacy

CISA integrates privacy protections into all its programs from the outset and employs a layered approach to privacy oversight for the agency's cybersecurity activities. It starts with CISA's Chief Privacy Officer and extends through dedicated privacy staff across the agency. Privacy Impact Assessments (PIAs) are conducted on each CISA program to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. PIAs help the public understand what personally identifiable information the agency is collecting, why it is being collected, and how it will be used, shared, accessed, and stored. PIAs use the Fair Information Practice Principles (pdf, 107KB) to assess and mitigate any impact on an individual's privacy. DHS has conducted a PIA for NCPS (pdf, 395KB).

Cloud Interface Reference Architecture

CISA CSD is evolving to ensure that security information about cloud-based traffic can be captured and analyzed, and that CISA analysts can continue to provide situational awareness and support to the agencies. To support this goal, CISA is developing a cloud-based architecture to collect and analyze agency cloud security data. This reference architecture explains how agencies can interact with that system. It includes background about how the cloud impacts the CISA cyber mission, discusses what security information needs to be captured in the cloud and how it can be captured, and provides reporting patterns to explain how that information can be sent to CISA.

The NCPS Cloud Interface Reference Architecture (NCIRA) was released as two individual volumes. The first volume provides an overview of changes CSD is implementing to accommodate the collection of relevant data from agencies' cloud environments and provides general reporting patterns for sending cloud telemetry to CISA. The second volume provides an index of common reporting patterns and considerations for how agencies can send cloud-specific data to the NCPS cloud-based architecture. Individual cloud service providers can use NCIRA Volume One (pdf, 1.74MB) and NCIRA Volume Two (pdf, 3.38MB) to offer guidance on vendor solutions that align with these reporting patterns.
