The Cybersecurity and Infrastructure Security Agency (CISA) has the mission to provide a common baseline of security across the Federal Civilian Executive Branch (FCEB) and to help agencies manage their cyber risk. This common baseline is provided in part through the EINSTEIN system.
A useful analogy for understanding EINSTEIN is that of physical protections at a government facility. The first phase of EINSTEIN, known as EINSTEIN 1 (E1), is like a camera at the entrance to the facility that records cars entering and leaving and identifies unusual changes in the number of cars. The second phase, EINSTEIN 2 (E2), adds the ability to detect suspicious cars based upon a watch list. E2 does not stop the cars, but it sets off an alarm. In sum, E1 and E2 detect suspicious traffic at the entrance to the facility; they do not stop it. The last phase of the program, known as EINSTEIN 3 Accelerated (E3A), was akin to a guard post on the highway that leads to multiple government facilities. E3A used classified information to look at the cars and compare them with a watch list, and then actively prevented prohibited cars from entering the facility. Using classified information allowed E3A to detect and prevent many of the most significant cybersecurity threats.
The EINSTEIN system is used to protect FCEB agencies. It is not used by the Department of Defense or the Intelligence Community. The EINSTEIN system uses widely available commercial technology.
Importantly, EINSTEIN is not a silver bullet. Security cannot be achieved through only one type of tool. That is why security professionals believe in defense-in-depth: employing multiple tools in combination to manage the risks of cyberattacks. EINSTEIN provides perimeter defense for FCEB agencies, but it will never be able to block every cyberattack. For that reason, it must be complemented with other systems and tools inside agency networks, such as Continuous Diagnostics and Mitigation, and by proactive efforts from each federal agency to implement cybersecurity best practices, such as multi-factor authentication and employee training.
Although CISA has retired the NCPS intrusion prevention capability (E3A), the intrusion detection capability (E1 and E2) remains in operation.
The first iteration of EINSTEIN was developed in 2003. E1 monitors the flow of network traffic transiting to and from FCEB agencies. In technical terms, E1 records and analyzes network traffic flow records: metadata about each connection such as source and destination addresses, ports, protocol, packet and byte counts, and timestamps, rather than packet contents. This capability allows CISA to identify potentially malicious activity (for example, an unusual change in traffic volume) and to conduct critical forensic analysis after an incident occurs.
E2, first deployed in 2008, identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures. In technical terms, it is a signature-based intrusion detection system: it alerts on matching traffic but does not block it. On a typical day, E2 sensors generate approximately 30,000 alerts about potential cyberattacks. CISA cybersecurity personnel evaluate each alert to determine whether it represents a compromise and whether further remediation is needed. If so, CISA works with the victim agency to address the intrusion.
E1 and E2 are fully deployed and screen FCEB traffic that is routed through Trusted Internet Connections (TICs, the secure gateways between each agency's internal network and the Internet). Traffic that does not pass through a TIC is outside their view.
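To make the two detection modes concrete, the following is an added illustration written for this page; it is not CISA code and does not describe how EINSTEIN is actually implemented. It runs over a constructed set of flow records (metadata only, using RFC 5737 documentation addresses) and shows an E1-style volume anomaly check, an E2-style watch-list match that alerts without dropping anything, and, for contrast, the enforce mode that the retired E3A added. The watch-list entry, the 5x-median threshold and the sample traffic are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One flow record: connection metadata only, no payload (what E1 works from)."""
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def build_sample_flows():
    """Constructed sample data (hypothetical, not captured traffic).
    Hours 0-2 carry routine HTTPS traffic; hour 3 adds one large outbound
    transfer and one flow to a watch-listed address."""
    agency_host = "192.0.2.10"
    flows = []
    for hour in range(4):
        base = hour * 3600
        for i in range(5):
            flows.append(Flow(base + i * 600, agency_host,
                              "198.51.100.%d" % (20 + i), 443, 40_000))
    flows.append(Flow(3 * 3600 + 100, agency_host, "198.51.100.99", 443, 2_500_000))
    flows.append(Flow(3 * 3600 + 200, agency_host, "203.0.113.7", 8443, 1_200))
    return flows


SAMPLE_FLOWS = build_sample_flows()

# Hypothetical indicator; stands in for a real signature or watch-list feed.
WATCHLIST = {"203.0.113.7"}


def hourly_bytes(flows):
    """Total bytes per hour bucket, the kind of summary E1 derives from flow records."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.ts // 3600] += f.nbytes
    return dict(totals)


def e1_volume_anomalies(flows, factor=5.0):
    """E1-style check: flag hours whose byte total exceeds factor x the median hour.
    The median is used as the baseline so a single spike does not inflate it."""
    totals = hourly_bytes(flows)
    if len(totals) < 2:
        return []
    baseline = median(totals.values())
    return sorted(h for h, b in totals.items() if b > factor * baseline)


def e2_watchlist_alerts(flows, watchlist):
    """E2-style check: alert on any flow touching a watch-listed address.
    Purely passive; every flow is still forwarded."""
    return [f for f in flows if f.src in watchlist or f.dst in watchlist]


def apply_policy(flows, watchlist, enforce=False):
    """enforce=False behaves like E2 (alert, forward everything);
    enforce=True behaves like the retired E3A (matching flows are not forwarded).
    Returns (forwarded_flows, alerted_flows)."""
    forwarded, alerts = [], []
    for f in flows:
        hit = f.src in watchlist or f.dst in watchlist
        if hit:
            alerts.append(f)
        if not (hit and enforce):
            forwarded.append(f)
    return forwarded, alerts


if __name__ == "__main__":
    print("E1 anomalous hours:", e1_volume_anomalies(SAMPLE_FLOWS))
    for f in e2_watchlist_alerts(SAMPLE_FLOWS, WATCHLIST):
        print("E2 alert:", f)
    fwd, _ = apply_policy(SAMPLE_FLOWS, WATCHLIST, enforce=True)
    print("flows forwarded under enforce mode:", len(fwd), "of", len(SAMPLE_FLOWS))
```

The point of the split is the one the analogy makes: the E1 and E2 functions only observe and report, so an analyst still has to triage every alert, whereas the enforce path in apply_policy is the only one that changes what reaches the agency network.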
CISA integrates privacy protections into all its programs from the outset and employs a layered approach to privacy oversight for the agency's cybersecurity activities. It starts with CISA's Chief Privacy Officer and extends through dedicated privacy staff across the agency. Privacy Impact Assessments (PIAs) are conducted on each CISA program to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. PIAs help the public understand what personally identifiable information the agency is collecting, why it is being collected, and how it will be used, shared, accessed, and stored. PIAs use the Fair Information Practice Principles to assess and mitigate any impact on an individual's privacy. DHS has conducted a PIA for Intrusion Detection, which replaced the PIAs for E1 and E2.