The Cybersecurity and Infrastructure Security Agency (CISA) has the mission to provide a common baseline of security across the Federal Civilian Executive Branch (FCEB) and to help agencies manage their cyber risk. This common baseline is provided in part through the EINSTEIN system. EINSTEIN serves two key roles in FCEB cybersecurity. First, EINSTEIN detects and blocks cyberattacks from compromising federal agencies. Second, EINSTEIN provides CISA with the situational awareness to use threat information detected in one agency to protect the rest of the government and to help the private sector protect itself.
For questions concerning EINSTEIN, please contact the NCPS Program Office.
A useful analogy for understanding EINSTEIN is that of physical protections at a government facility. The first phase of EINSTEIN, known as EINSTEIN 1 (E1), is like a camera at the entrance to the facility that records cars entering and leaving and identifies unusual changes in the number of cars. EINSTEIN 2 (E2) adds the ability to detect suspicious cars based upon a watch list. E2 does not stop the cars, but it sets off an alarm. In sum, E1 and E2 detect potential cyberattacks before they can enter the facility. The latest phase of the program, known as EINSTEIN 3 Accelerated (E3A), is akin to a guard post at the highway that leads to multiple government facilities. E3A uses classified information to look at the cars and compare them with a watch list. E3A then actively blocks prohibited cars from entering the facility. Using classified information allows E3A to detect and block many of the most significant cybersecurity threats.
The EINSTEIN system is used to protect FCEB agencies. It is not used by the Department of Defense or the Intelligence Community. The EINSTEIN system uses widely available commercial technology.
Importantly, EINSTEIN is not a silver bullet. Security cannot be achieved through only one type of tool. That is why security professionals believe in defense-in-depth: employing multiple tools in combination to manage the risks of cyberattacks. EINSTEIN provides perimeter defense for FCEB agencies, but it will never be able to block every cyberattack. For that reason, it must be complemented with other systems and tools inside agency networks, such as Continuous Diagnostics and Mitigation, and by proactive efforts from each federal agency to implement cybersecurity best practices, such as multi-factor authentication and employee training.
The first iteration of EINSTEIN was developed in 2003. E1 monitors the flow of network traffic transiting to and from FCEB agencies. In technical terms, E1 records and analyzes network traffic flow records. This capability allows CISA to identify potentially malicious activity and to conduct critical forensic analysis after an incident occurs.
E2, first deployed in 2008, identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures. In technical terms, it is an intrusion detection system. On a typical day, E2 sensors generate approximately 30,000 alerts about potential cyberattacks. These alerts are each evaluated by CISA cybersecurity personnel to determine whether the alert represents a compromise and if further remediation is needed. If so, CISA works with the victim agency to address the intrusion.
E1 and E2 are fully deployed and screening all FCEB traffic that is routed through Trusted Internet Connections (secure gateways between each agency’s internal network and the Internet). As of December 2021, 256 FCEB agencies are participating in E1/E2, representing approximately 2.125 million users, or 99% of the total user population.
EINSTEIN 3 Accelerated
In 2010, CISA began planning for the design and development of an intrusion prevention capability (previously referred to as EINSTEIN 3) to identify and block cyberattacks. The intention was to use classified signatures to protect government networks. As noted, using classified indicators allows CISA to detect and block many of the most significant cyberattacks.
In 2012, CISA transitioned to a new approach in which major Internet Service Providers provide intrusion prevention security services for FCEB agencies using widely available commercial technology. This capability is called E3A. E3A allows CISA to both detect cyberattacks targeting FCEB networks and actively prevent potential compromises.
The E3A program also serves as a platform to aggregate FCEB traffic so that CISA can implement new and advanced protections. In other words, by putting all federal government traffic through a few locations, CISA can easily add security tools to those locations. To this end, CISA is piloting protections that will automatically identify possible cyberattacks for further analysis, even if the precise attack has not been seen before. CISA is examining technologies from the private sector to evolve to this next stage of network defense.
CISA integrates privacy protections into all its programs from the outset and employs a layered approach to privacy oversight for the agency's cybersecurity activities. It starts with CISA’s Chief Privacy Officer and extends through dedicated privacy staff across the agency. Privacy Impact Assessments (PIAs) are conducted on each CISA program to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. PIAs help the public understand what personally identifiable information the agency is collecting, why it is being collected, and how it will be used, shared, accessed, and stored. PIAs use the Fair Information Practice Principles (pdf, 107KB) to assess and mitigate any impact on an individual’s privacy. DHS has conducted a PIA for Intrusion Detection (pdf, 445KB), which replaced the PIAs for E1 and E2, and a PIA for E3A (pdf, 256KB).