Detection and Prevention

CISA rapidly notifies relevant critical infrastructure stakeholders of elevated risk exposure, conducts incident management operations, provides vulnerability assessments, and directly deploys risk management information, tools, and technical services to mitigate risk, including regulatory enforcement where authorized.

Continuous Diagnostics and Mitigation

The Continuous Diagnostics and Mitigation (CDM) Program is an implementation approach consistent with the information security continuous monitoring methodology. CDM is a suite of capabilities and tools that enables network administrators to know the state of their respective networks at any given time, thus reducing the attack surface of their networks; informs on the relative risks of threats; and makes it possible for system personnel to identify and mitigate flaws at near-network speed.

The CDM Program fortifies government networks and systems with capabilities and tools. These capabilities and tools identify cybersecurity risks on an ongoing basis; prioritize these risks based on potential impacts; and enable cybersecurity personnel to mitigate the most significant problems first.

The CDM tools Special Item Number (SIN) supports the CISA CDM Program. The hardware and software products and associated services under this SIN undergo a DHS product qualification process to be added to the CDM Approved Products List (APL). The full list of CDM subcategories includes tools, associated maintenance, and other related activities, such as training. The SIN is organized by CDM capabilities into five subcategories. As shown below, the five CDM Tools SIN subcategories cover the fifteen CDM Tool Functional Areas (TFAs) and allow for future innovation.

The CDM Tools SIN on GSA IT Schedule 70 is available to SLTT entities through the Cooperative Purchasing Agreement. Please reach out to for further information.

Enhanced Cybersecurity Services

The Enhanced Cybersecurity Services (ECS) program facilitates the protection of IT networks by offering intrusion detection and prevention services through approved service providers. All U.S.-based public or private entities, including State, Local, Tribal, and Territorial (SLTT) organizations are eligible to participate.

ECS is a near real-time intrusion detection and prevention capability, not a threat feed. CISA partners with approved service providers that have completed a rigorous system accreditation process to offer ECS. Upon approval, these service providers receive unclassified, sensitive and classified cyber threat information from CISA and use it to protect their ECS customers.

The two primary ECS services are Domain Name System (DNS) sinkholing and email filtering. These services block possible malware communications and spear phishing campaigns targeting networks.

For ECS, CISA Central sources information from across the federal government and intelligence community, and shares it with ECS service providers, As the hub for national cybersecurity, CISA Central has a unique vantage point into the threats targeting the .gov, SLTT, and critical infrastructure.

Participating in ECS affords organizations quick and efficient way to receive protections that use classified information to thwart possible malicious communications and spearphishing campaigns without having to meet the otherwise burdensome requirements of maintaining secure facilities and employing cleared personnel.

ECS is a commercial intrusion detection and prevention service sponsored by CISA and offered by approved private sector partners to any U.S.-based public or private entity. As a potential ECS customer, you can reach out directly to accredited ECS service providers to learn more about pricing and technical requirements. The ECS service provider you choose does not have to be your Internet provider.

For more information about the program and ECS service provider contact information, please visit

Incident Response, Recovery, and Cyber Threat Hunting

The incident response team falls under the guidance of the CISA Central Hunt and Incident Response Team (HIRT). HIRT provides incident response, management and coordination activities for cyber incidents occurring in the critical infrastructure sectors as well as government entities at the Federal, State, Local, Tribal, and Territorial levels. HIRT works with its constituents to identify and contain adversary activity and develop mitigation plans for removal and remediation of root cause. HIRT provides technical expertise and capacity to its constituents in responding to incidents. Incident response efforts focus on finding the root cause of an incident by searching for TTPs along with behaviors and associated artifacts in the victim network.

NIST defines an incident as a computer security incident, a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. HIRT further defines an individual incident as a distinct, potentially malicious event, perpetrated by a single threat actor, using a single TTP; or series of related TTPs, against a single victim. Examples include but are not limited to, malware infections, data theft, data corruption, and ransomware encryption, denial of service, control systems intrusions and threats against assets.

In support of incident response, HIRT has four types of customer engagements:

  • remote assistance,
  • advisory deployment,
  • remote deployment, and
  • on-site deployment.

HIRT incident response is action taken to respond to a suspected incident and address the increased risk resulting from the incident. The goal is to manage the situation in a way that ensures safety, reduces risk, limits damage and reduces recovery time and costs. Most response actions will be technical in nature but any action taken to reduce the impact of an incident is considered part of the incident response. Following an engagement and upon completion of analysis, the HIRT will deliver an Engagement Report (ER) to the customer within 30-60 days. The ER provides the background, scope, findings, security best practices, and conclusions relevant to the hunt.

For more information, visit For more questions on this topic or CISA in general, please contact To report anomalous cyber activity and/or cyber incidents 24/7 email or (888) 282-0870.

Malware Analysis

The Advanced Malware Analysis Center provides 24/7 dynamic analysis of malicious code. Stakeholders submit samples via an online website and receive a technical document outlining analysis results. Experts provide detailed recommendations for malware removal and recovery activities. This service can be performed in conjunction with incident response services if required.

Service benefits include the following.

  • Isolated network – A standalone, closed computer network system ensures containment.
  • Classified capability – A Sensitive Compartmented Information Facility is used for coordination with members of the intelligence community, law enforcement, and trusted third parties as it is the only accredited federal malware lab of its kind.
  • Analytical capabilities – Experts analyze the current state of computer systems, storage mediums, and physical memory of computer systems.
  • Extrication of malicious code – Analysts conduct static analysis and behavior analysis of malicious code types (e.g., worms, Trojans, spyware, botnets, and rootkits) using standard reverse engineering and debugging tools for malicious artifacts that are extracted from infected systems and submitted to CISA for analysis.

To submit malware for analysis, visit the the Malware Analysis Submissions page. For further questions or requests, contact the CISA Service Desk.

Was this webpage helpful?  Yes  |  Somewhat  |  No