The National Cybersecurity Protection System (NCPS) is an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing. The NCPS capabilities, operationally known as the EINSTEIN program, are one of a number of tools and capabilities that assist in federal network defense. These capabilities provide a technological foundation that enables the Department of Homeland Security (DHS) to secure and defend the federal civilian government’s information technology infrastructure against advanced cyber threats. NCPS advances DHS’s responsibilities as delineated in the Comprehensive National Cybersecurity Initiative (CNCI).
Development of NCPS capabilities relies on tight collaboration and integration with cross-federal stakeholders in order to support the defense of their underlying networks. Through these relationships, DHS is able to develop and deliver analytic products and real-time defensive services. This analysis provides valuable cyber incident information and generates situational awareness and decision support data that is used by incident response teams, governmental and critical infrastructure organizations, and national leadership.
NCPS capabilities span four broad technology areas:
- Information Sharing
NCPS intrusion detection capabilities alert DHS to the presence of malicious or potentially harmful computer network activity transiting to and from participating in federal executive branch civilian agencies’ information technology networks. This capability is deployed via EINSTEIN 2 and provides for improved detection and notification capabilities to provide near real time response to cyber threats.
NCPS analytics capability provides DHS analysts with the ability to compile and analyze information about cyber activity and inform Federal, state and local government agencies, private sector partners, infrastructure owners and operators, and the public about current and potential cybersecurity threats and vulnerabilities.
NCPS information sharing capabilities provide DHS a secure environment that will allow for the rapid exchange of cyber threat and cyber incident information among DHS cybersecurity analysts and their cybersecurity partners. The objective of NCPS information sharing capabilities is to prevent cybersecurity incidents from occurring through improved sharing of threat information, reduce response time through improved coordination and collaboration capabilities, and improve efficiencies through the use of more automated information sharing and through the exposure of analytical products. These capabilities will also facilitate the sharing of a wide range of data services that include commercial data feeds, internally generated analytic products, analytics tools, threat indicators and warnings, real time incident, and continuous monitoring data and will provide DHS analysts and their cyber partners with a Common Operating Picture of the threat landscape of federal executive branch civilian networks as generated from internal, Department and Agency, and commercial data sets.
NCPS Prevention capabilities are being delivered through EINSTEIN 3 Accelerated (E3A), which further advances the protection of federal civilian departments and agencies by providing active network defense capabilities and the ability to limit malicious activities from penetrating federal networks and systems. The objective of the NCPS Intrusion Prevention capability is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness, and security response. It will have the ability to automatically detect and respond to cyber threats in near real-time to mitigate cyber threats against federal executive branch civilian networks.
E3A is a unique system that utilizes classified information to protect unclassified network traffic for Federal Civilian Executive Branch networks and allows DHS to better detect, respond to, and appropriately counter known or suspected cyber threats identified. EINSTEIN 3 was scheduled to complete the delivery of capability to all federal civilian agencies in 2018, but with the evolution to E3A, we are currently projected to offer high-impact protection capabilities to all federal civilian agencies in 2016.