The General Services Administration (GSA) has issued a Request for Information (RFI) on behalf of the Cybersecurity and Infrastructure Security Agency (CISA), which is seeking technical input from industry on detecting and responding to threats within Federal civilian agency networks as CISA moves to modernize “legacy capabilities” under its EINSTEIN program.
The 20-year-old EINSTEIN program is used by CISA to detect and block cyberattacks aimed at Federal civilian agencies. The program also “provides CISA with the situational awareness to use threat information detected in one agency to protect the rest of the government and to help the private sector protect itself,” according to the agency.
“CISA plans to modernize the legacy capabilities used under the EINSTEIN program to detect threats targeting federal networks,” the agency said in the RFI. CISA said the RFI is aimed at gathering market research on the subject, and said the agency is not obligated to release any future solicitation based on responses to the RFI.
Replies to the RFI are due by July 14.
Driving the Modernization Effort
In explaining the need to modernize, the agency said that “the visibility provided by existing EINSTEIN sensors remains a crucial enabler of CISA’s mission to protect FCEB agencies. It is one component that CISA uses to gain operational visibility, protect FCEB agencies, and respond to threats.”
“With the limitations of EINSTEIN capabilities, CISA stands to lose that needed visibility,” the agency said. “Consequently, a new solution may be necessary to compensate for this loss of visibility to protect FCEB agencies adequately.”
“For future CISA needs, the augmentation or replacement of this visibility must be considered within the current networking environment and how it may be combined and used with other data sources acquired by CISA analysts,” the agency said. “The results will allow CISA to determine how to increase its operational visibility into and respond to malicious cyber activities against the nation and provide operationally relevant data to agencies to strengthen their networks.”
“The visibility provided by EINSTEIN capabilities was based on topology and physical hardware placement (sensors) placed at agency perimeters,” CISA explained. “Given changes to technology and agency architectures, this modernization effort needs to consider other broader strategies beyond replacing the existing footprint of EINSTEIN capabilities (e.g., optimal placements in federal agencies, new technologies/techniques to maximize visibility, etc.).”
“CISA continues to offer new cybersecurity services to FCEB Agencies, such as Protective DNS, with ongoing plans for other offerings and pilots,” the agency said. “These services allow CISA to collect additional data to support their analysts and defense operations. CISA is seeking input on what the solution space to meet visibility needs without EINSTEIN capabilities may include.”
“The scope of this effort is limited to ‘on-premises’ networks owned or managed by or on behalf of federal agencies,” CISA said, adding it does not include “Contractor Owned/Contractor Operated (COCO) deployments, cloud environments, or any combination thereof.”
EINSTEIN Evolution
Earlier this year, in an exclusive interview with MeriTalk, Matt Hartman, CISA’s Deputy Executive Assistant Director for Cybersecurity, said the agency is looking to fiscal year 2024 to accelerate a fundamental restructuring of its EINSTEIN intrusion detection and prevention capabilities. Those were first deployed in their initial stages in 2003, and subsequently expanded to incorporate capabilities that work to detect and block cyber threats aimed at Federal civilian government agencies.
Some of the EINSTEIN changes are being driven by creation of CISA’s Cyber Analytic and Data System (CADS) which will give the agency a new environment for scalable analysis of cyber risk data. With the advent of CADS, CISA is also changing its National Cybersecurity Protection System (NCPS) – which is described by the agency as an integrated system-of-systems that delivers a range of capabilities, such as intrusion detection and prevention, analytics, information sharing, and core infrastructure – and includes the EINSTEIN capabilities.
CISA’s Hartman said in April that the analytics, information sharing, and core infrastructure elements of NCPS will be shifting to CADS, but that the EINSTEIN suite of intrusion detection and prevention services will not.
“We understand that some of our capabilities provided legacy capabilities to detect and prevent cyber threats targeting Federal agencies require fairly urgent modernization, including in some cases by shifting from government-provided technologies delivered by NCPS to commercial shared services,” he explained.
“One of these capabilities – Protective DNS – blocks internet traffic to and from known malicious websites, preventing adversaries from executing some types of intrusions or stealing data from Federal agencies,” he continued. “We are in the process of fully transitioning this capability to a commercial shared service, with full Federal Civilian Executive Branch agency migration expected by the end of this fiscal year.
“In parallel, we’re exploring the need for a second capability called Protective Email to filter potentially malicious emails that may contain viruses or malicious links to infected websites,” Hartman said.
“So together, Protective DNS and Protective Email – which you will see in the FY24 budget – will serve as the successor to CISA’s EINSTEIN 3A government-furnished capabilities,” he said.
Asked where that leaves the earlier EINSTEIN capabilities, Hartman replied, “the legacy NCPS-funded intrusion detection sensors that are deployed at every Federal agency where the agency’s internal network is connected to the public internet – commonly referred to as EINSTEIN 1 and EINSTEIN 2 – remain valuable in detecting certain types of attacks, but they also require modernization to address changes in the technology environment.”
“To do that, the FY24 President’s budget requests funding to modernize these capabilities, which will likely include deployment of new types of sensors or transition of existing sensors to different parts of agencies’ technology environments,” he said.
Hartman added that the names of the EINSTEIN 1 and EINSTEIN 2 capabilities may change down the road. “We are in the process of an urgent modernization effort, and that may come with a shift in branding,” he said.
“Regardless of their names, they will no longer be part of NCPS as it shifts to CADS in FY24,” he said. “They will be delivered and executed by different parts of the organization, really to allow the CADS team to focus their efforts on this extraordinarily important mission of providing the analytic infrastructure required to enable efficient analysis of our increasingly rich data, which will result in the cyber risk reduction actions that are core to our mission.”