Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

 
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium Businesses
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
    Work @ CISA
  • About
    Culture
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Contact Us
    Site Links
    Reporting Employee and Contractor Misconduct
    CISA GitHub
Report a Cyber Issue
Breadcrumb
  1. Home
  2. Resources & Tools
  3. Programs
Share:

Resources & Tools

  • All Resources & Tools
  • Services
  • Programs
  • Resources
  • Training
  • Groups

National Cybersecurity Protection System

The National Cybersecurity Protection System (NCPS) is an integrated system-of-systems that delivers a range of capabilities, such as intrusion detection, analytics, information sharing, and intrusion prevention. These capabilities provide a technological foundation that enables the Cybersecurity and Infrastructure Security Agency (CISA) to secure and defend the Federal Civilian Executive Branch (FCEB) agencies' information technology infrastructure against advanced cyber threats. NCPS advances CISA's responsibilities as delineated in the Comprehensive National Cybersecurity Initiative (CNCI).

NCPS includes the hardware, software, supporting processes, training, and services that the program acquires, engineers, and supports to fulfill the agency's cybersecurity mission. One of CISA's key technologies within NCPS is EINSTEIN, one of many tools and capabilities that assist in federal network defense. The goal of the NCPS EINSTEIN set of capabilities is to provide the Federal Government with an early warning system, improved situational awareness of intrusion threats to FCEB networks, near real-time identification of malicious cyber activity, and prevention of that malicious cyber activity.

Development of NCPS capabilities relies on tight collaboration and integration with cross-federal stakeholders to support the defense of their underlying networks. Through these relationships, CISA can develop and deliver analytic products and real-time defensive services. This collaboration provides valuable cyber incident information and generates situational awareness and decision support data that is used by incident response teams, governmental and critical infrastructure organizations, and national leadership.

NCPS capabilities span four broad technology areas.

  • Intrusion Detection
  • Analytics
  • Information Sharing
  • Intrusion Prevention

Intrusion Detection

The NCPS Intrusion Detection capability, delivered via EINSTEIN 1 and EINSTEIN 2, is a passive, signature-based sensor grid that monitors network traffic for malicious activity to and from participating departments and agencies (D/As). This capability enables the identification of potential malicious activity and traffic entering or exiting federal networks using a signature-based intrusion detection technology. Intrusion Detection uses signatures derived from numerous sources such as commercial or public computer security information, incidents reported to CISA, information from federal partners, and/or independent in-depth analysis by CISA analysts. This capability provides CISA cybersecurity analysts with improved understanding of the network environment and with increased ability to address network weaknesses and vulnerabilities.

Analytics

The NCPS Analytics capability provides CISA cybersecurity analysts with the ability to compile and analyze information about cyber activity in multiple security enclaves and inform government agencies, private sector partners, infrastructure owners and operators, and the public about current and potential cybersecurity threats and vulnerabilities. The Analytics capability includes a Security Information and Event Management (SIEM) solution for NCPS. The SIEM solution simplifies cyber analysis by: aggregating similar events, thereby reducing duplication; correlating related events that might otherwise go unnoticed; and providing visualization capabilities, thus making it easier to see relationships. The Analytics capability also includes Packet Capture tools, a malware analysis laboratory, flow visualization tools, incident management and response tools, and high input/output databases that allow for the analysis of large data sets.

Information Sharing

NCPS Information Sharing capabilities establish a flexible set of capabilities, implemented at multiple classification levels, that allow for the rapid exchange of cyber threat and cyber incident information among CISA cybersecurity analysts and their cybersecurity partners. The objective of the Information Sharing capability is to: (1) prevent cybersecurity incidents from occurring through improved sharing of threat information; (2) reduce the time to respond to incidents through improved coordination and collaboration capabilities; and (3) improve efficiencies with more automated information sharing and through the disclosure of analysis capabilities. Information Sharing provides a secure environment for sharing cybersecurity information with a wide range of security operations and information-sharing centers across federal, state, local, tribal, private, and international boundaries. Information Sharing aims to prevent cybersecurity incidents from occurring by improving coordination and collaboration capabilities, automated information sharing, and analysis capabilities in a manner that protects privacy and civil liberties. Additional capabilities under Information Sharing will provide CISA analysts with a common operating picture of the threat landscape of FCEB networks as generated from D/A data sets, ultimately allowing for advanced visualization, analysis, and workflow capabilities.

Intrusion Prevention

NCPS Intrusion Prevention capabilities include EINSTEIN 3 Accelerated, which further advances the protection of FCEB D/As by providing active network defense capabilities and the ability to prevent and limit malicious activities from penetrating federal networks and systems. The objective of the NCPS Intrusion Prevention capability is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness, and security response. It includes the ability to detect cyber threats automatically, respond appropriately to those cyber threats, and support enhanced information sharing by CISA with federal D/As.

Privacy

CISA integrates privacy protections into all its programs from the outset and employs a layered approach to privacy oversight for the agency's cybersecurity activities. It starts with CISA's Chief Privacy Officer and extends through dedicated privacy staff across the agency. Privacy Impact Assessments (PIAs) are conducted on each CISA program to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. PIAs help the public understand what personally identifiable information the agency is collecting, why it is being collected, and how it will be used, shared, accessed, and stored. PIAs use the Fair Information Practice Principles (pdf, 107KB) to assess and mitigate any impact on an individual's privacy. DHS has conducted a PIA for NCPS (pdf, 395KB).

Cloud Interface Reference Architecture

NCPS is evolving to ensure that security information about cloud-based traffic can be captured and analyzed and CISA analysts can continue to provide situational awareness and support to the agencies. To support this goal, CISA is developing a cloud-based architecture to collect and analyze agency cloud security data. This reference architecture explains how agencies can interact with that system. It includes background about how the cloud impacts NCPS, discusses what security information needs to be captured in the cloud and how it can be captured, and provides reporting patterns to explain how that information can be sent to CISA. The NCPS Cloud Interface Reference Architecture (NCIRA) was released as two individual volumes. This first volume provides an overview of changes to NCPS to accommodate the collection of relevant data from agencies' cloud environments and provides general reporting patterns for sending cloud telemetry to CISA. The second volume provides an index of common reporting patterns and considerations for how agencies can send cloud-specific data to the NCPS cloud-based architecture. Individual cloud service providers can use NCIRA Volume One and NCIRA Volume Two to offer guidance on vendor solutions that align with these reporting patterns.

  • Cyber Threats and Advisories
Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 888-282-0870 Central@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Accessibility
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • The White House
  • USA.gov
  • Website Feedback