National Cybersecurity Protection System (NCPS)

The National Cybersecurity Protection System (NCPS) is an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing, that defend the civilian Federal Government's information technology infrastructure from cyber threats. It includes the hardware, software, supporting processes, training, and services that the program develops and acquires to support the Department's cybersecurity mission. The NCPS capabilities, operationally known as the EINSTEIN set of capabilities, are one of a number of tools and capabilities that assist in federal network defense. These capabilities provide a technological foundation that enables the Department of Homeland Security (DHS) to secure and defend the federal civilian government’s information technology infrastructure against advanced cyber threats. NCPS advances DHS’s responsibilities as delineated in the Comprehensive National Cybersecurity Initiative (CNCI).


Development of NCPS capabilities relies on tight collaboration and integration with cross-federal stakeholders in order to support the defense of their underlying networks. Through these relationships, DHS is able to develop and deliver analytic products and real-time defensive services. This analysis provides valuable cyber incident information and generates situational awareness and decision support data that is used by incident response teams, governmental and critical infrastructure organizations, and national leadership.

NCPS capabilities span four broad technology areas:

  • Detection
  • Analytics
  • Information Sharing
  • Prevention


Detection

The NCPS Intrusion Detection capability, delivered via EINSTEIN 1 (E1) (historically known as Block 1.0) and EINSTEIN 2 (E2), is a passive, signature-based sensor grid that monitors network traffic to and from participating Federal Executive departments and agencies (D/As) for malicious activity. This capability enables the identification of potential malicious activity and traffic entering or exiting federal networks using signature-based intrusion detection technology. E2 uses signatures derived from numerous sources such as commercial or public computer security information, incidents reported to the National Cybersecurity and Communications Integration Center (NCCIC), information from federal partners, and/or independent in-depth analysis by NCCIC. This capability provides CS&C cybersecurity analysts with an improved understanding of the network environment and with increased ability to address network weaknesses and vulnerabilities.


Analytics

The NCPS Analytics capability provides CS&C cybersecurity analysts with the ability to compile and analyze information about cyber activity across multiple security enclaves, and to inform the public about current and potential cybersecurity threats and vulnerabilities. Analytics includes a Security Information and Event Management (SIEM) solution for NCPS. The SIEM solution simplifies cyber analysis by aggregating similar events, thereby reducing duplication; correlating related events that might otherwise go unnoticed; and providing visualization capabilities, thus making it easier to see relationships. The Analytics capability also includes Packet Capture (PCAP) tools, a malware analysis laboratory, flow visualization tools, incident management and response tools, and high input/output databases that allow for the analysis of large data sets.

Information Sharing

NCPS Information Sharing capabilities establish a flexible set of capabilities, implemented at multiple classification levels, that will allow for the rapid exchange of cyber threat and cyber incident information among DHS cybersecurity analysts and their cybersecurity partners. The objectives of the Information Sharing capability are to: (1) prevent cybersecurity incidents from occurring through improved sharing of threat information; (2) reduce the time to respond to incidents through improved coordination and collaboration capabilities; and (3) improve efficiencies through the use of more automated information sharing and through the disclosure of analysis capabilities. Information Sharing will provide a secure environment for sharing cybersecurity information with a wide range of security operations and information-sharing centers across federal, state, local, and tribal governments and private and international boundaries. Information Sharing aims to prevent cybersecurity incidents from occurring by improving coordination and collaboration, automated information sharing, and analysis capabilities in a manner that protects privacy and civil liberties. Additional capabilities under Information Sharing will provide CS&C cybersecurity analysts with a common operating picture (COP) of the threat landscape of Federal Executive Branch civilian networks as generated from department and agency (D/A) data sets, ultimately allowing for advanced visualization, analysis, and workflow capabilities.


Prevention

NCPS Intrusion Prevention capabilities are part of EINSTEIN 3 Accelerated (E3A), which further advances the protection of federal civilian D/As by providing active network defense capabilities and the ability to prevent and limit malicious activities from penetrating federal networks and systems. The objective of the NCPS Intrusion Prevention capability is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness, and security response. It includes the ability to detect cyber threats automatically, respond appropriately to those cyber threats, and support enhanced information sharing by the NCCIC with federal D/As.

