Resources for Federal Government

CISA engages with the Federal Government on use of the Cybersecurity Framework. The resources below are aligned to the five Cybersecurity Framework Function Areas. Some resources and programs align to more than one Function Area. This page will be updated as additional resources are identified.

Resources to Identify

Cybersecurity Evaluation Tool (CSET) and On-Site Cybersecurity Consulting

Industrial control systems security posture assessments, offered through CSET, a self-assessment tool. Features include a mapping to control systems standards based on the sector as well as a network architecture mapping tool. The tool can be downloaded for self-use or organizations can request a facilitated site visit, which could include basic security assessments, network architectural review and verification, network scanning using custom tools to identify malicious activity and indicators of compromise, and penetration testing. More information is available at: http://ics-cert.us-cert.gov/assessments.

Industrial Control Systems Security Recommended Practices

A list of recommended practices aimed at helping industry understand and prepare for ongoing and emerging control systems cybersecurity issues, vulnerabilities, and mitigation strategies. ICS-CERT works with the control systems community to ensure that the recommended practices are vetted by industry subject matter experts before being published. Recommended practices cover topics such as defense-in-depth strategies, cyber forensics, and incident response, and are updated on a routine basis to account for emerging issues and practices. Access to recommended practices is provided through: http://ics-cert.us-cert.gov/introduction-recommended-practices.  

National Cybersecurity Assessment & Technical Services (NCATS)

NCATS leverages existing “best in breed” cybersecurity assessment methodologies, commercial best practices, and integration of threat intelligence to provide cybersecurity stakeholders with decision-making/risk management guidance and recommendations. NCATS provides an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks. NCATS security services are available at no cost to stakeholders and can range from one day to two weeks depending on the security services required. For more information, email: ncats_info@hq.dhs.gov

Federal Virtual Training Environment (FedVTE)

The FedVTE content library contains pre-recorded classroom cybersecurity training for Federal Government personnel and contractors, as well as State, local, tribal, and territorial government personnel. FedVTE provides government-wide, online, and on-demand access to cybersecurity training to help the workforce maintain expertise and foster operational readiness. With courses ranging from beginner to advanced levels, the system is available at no cost to users, and is accessible from any internet-enabled computer. For more information, visit www.fedvte.usalearning.gov.

CyberChain Portal-Based Assessment Tool

This portal, managed by the University of Maryland Robert H. Smith School of Business Supply Chain Management Center, provides risk assessment tools, scenario-based mapping tools, anonymous information sharing, and assessments to calculate factors such as vulnerability and risk maturity capability. Tools also enable diagnosis of IT supply chain trouble spots and areas for improvement based on NIST guidelines. Learn more at https://cyberchain.rhsmith.umd.edu/.



Resources to Protect

Industrial Control Systems Security Training

Training in industrial control systems at the overview, intermediate, and advanced levels, including web-based and instructor-led formats. More information on ICS-CERT training opportunities is available at: http://ics-cert.us-cert.gov/training-available-through-ics-cert

Industrial Control Systems Security Recommended Practices

A list of recommended practices aimed at helping industry understand and prepare for ongoing and emerging control systems cybersecurity issues, vulnerabilities, and mitigation strategies. CISA works with the control systems community to ensure that the recommended practices are vetted by industry subject matter experts before being published. Recommended practices cover topics such as defense-in-depth strategies, cyber forensics, and incident response, and are updated on a routine basis to account for emerging issues and practices. Access to recommended practices is provided through: http://ics-cert.us-cert.gov/introduction-recommended-practices

National Cyber Awareness System (NCAS)

CISA produces advisories, alerts, analysis reports, current activities, weekly security bulletins, and tips to alert readers of emerging cyber threats and vulnerabilities. More information on obtaining NCAS products is available at:

Federal Network Resilience (FNR)

The FNR Branch collaborates across the Federal Government to enhance the Nation’s cybersecurity posture through long-term strategic prevention of attacks against Federal Civilian Executive Branch (FCEB) networks. FNR will support interagency collaboration on Framework use across the FCEB. This will occur as the C³ Voluntary Program develops additional resources over time to support Framework use by the Federal Government. For more information, visit: http://dhs.gov/federal-network-resilience.

.govCAR Recommendations: Mobile Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) developed .govCAR—Cybersecurity Architecture Review of the .gov domain—to take a threat-based approach to cybersecurity risk management. Traditional risk management focuses on consequence and vulnerability (i.e., compliance and cyber hygiene), while a threat-based approach looks at cybersecurity capabilities from an adversary’s standpoint. This next-generation approach directly identifies areas where mitigations should be applied for best defense.

Overview

The recommendations below provide organizations with actionable guidance on—and justifications for future investments in—mobile cybersecurity capabilities. CISA based these recommendations on a .govCAR analysis that identified how—in an exemplar enterprise mobile environment at a typical organization—mobile devices and organizational sensitive data on those devices are protected.

Key Takeaways

The .govCAR analysis identified a range of capabilities that can be deployed to increase threat mitigation coverage. The major finding indicates that to provide maximum coverage against mobile threat actions, organizations must deploy Enterprise Mobility Management (EMM), Mobile Threat Defense (MTD), and Mobile App Vetting (MAV) capabilities together as an integrated solution, and not as a series of standalone products. Note: although integration and interoperability of these three capabilities are key, this solution does not require organizations to source each of the capabilities from a single vendor.

Mobile Cybersecurity Architecture

A typical mobile cybersecurity architecture is made of capabilities and protections for an organization’s mobile environment. The .govCAR analysis addressed two mobile use cases, which represent the predominant deployment models across the Federal Government:

  • Corporate-Owned, Personally Enabled devices (known as COPE devices) are corporate-owned and centrally managed mobile devices capable of remotely accessing enterprise resources. COPE devices allow for personal use as they have fewer restrictions than EEA devices (see below) on non-enterprise applications and data.
  • Enterprise-Enabled, Owned by the Agency devices (known as EEA devices) are also corporate-owned and centrally managed mobile devices capable of remotely accessing enterprise resources. However, EEA devices restrict (or strictly limit) personal use. Tradeoffs between security and functional usability in this model are made at the discretion of the organization’s leadership.

Both COPE and EEA devices and their associated data belong to the enterprise.

Mobile Cybersecurity Capabilities

Mobile cybersecurity capabilities allow organizations to manage and protect mobile devices. The .govCAR analysis revealed that among these, the following capabilities—when used together in an integrated solution—provide maximum coverage against mobile threat actions (see figure 1):

  • Enterprise Mobility Management (EMM) consists of the following functions:
    • Mobile Device Management (MDM), which manages the policy and configuration of mobile devices;
    • Mobile Application Management (MAM), which manages application configuration on mobile devices; and
    • Mobile Identity Management (MIM), which provides certificate and password-based authentication and access to devices, containers, and applications.
  • Mobile Threat Defense (MTD) provides signature-based anti-virus and device/application activity monitoring and anomaly detection. When integrated with EMM, it can alert EMM to apply remediations to the device (e.g., update policies). Integrating these two capabilities decreases response time, improving mobile device protection.
  • Mobile Application Vetting (MAV) detects software or configuration flaws in mobile applications before they are deployed. MAV is traditionally provided as a service that organizations use to submit mobile apps for evaluation. When integrated with EMM, it can provide reputation score feeds that inform automatic updates to application whitelisting and blacklisting, which eliminates the need for manual submissions.

Figure 1: Mobile cybersecurity capabilities and features

Mobile Device Security

Although there are no current regulatory requirements that mandate the responsible selection of mobile devices for the Federal Civilian Executive Branch, agencies should consider supply chain risks. Agencies should also consider maintaining their own approved product lists (APLs) or using those developed by organizations such as the National Information Assurance Partnership, which maintains the Protection Profile for Mobile Device Fundamentals (PP_MD). PP_MD is one of several sets of security requirements for mobile devices (PP_MD covers both hardware and software, but not the rest of the mobile infrastructure). Another resource is the Commercial Solutions for Classified Program (CSfC) maintained by the National Security Agency/Central Security Service (NSA/CSS).

The .govCAR analysis demonstrated improved mobile device security when using PP_MD-compliant devices. If not acquiring PP_MD-compliant devices, organizations should, at the minimum, consider application whitelisting as a mandatory capability requirement.

Recommendations

The results of .govCAR analysis strongly suggest that organizations consider all three dimensions of risk (threat, vulnerabilities, and consequences) and use the following lifecycle model:

  • Stage One – Device Selection: Organizations should first understand their supply chain risk and select devices they can trust. Depending on their risk profile, organizations may want to develop their own APLs or consult third-party APLs before acquiring new mobile devices.
  • Stage Two – Deployment Model Selection: Next, organizations should determine whether to use a COPE or an EEA device deployment model.
  • Final Stage – Mobile Cybersecurity Capabilities Integration: Finally, to achieve maximum effectiveness of available mobile cybersecurity capabilities, .govCAR recommends organizations invest in and deploy Enterprise Mobility Management, Mobile Threat Defense, and Mobile Application Vetting capabilities together, as an integrated solution. The .govCAR analysis demonstrated that coverage against all adversarial threat actions greatly improved only when all three capabilities were integrated (i.e., there was no improvement to the cumulative effectiveness scores of any individual capability).

 
Figure 2: Coverage of threat actions improves from EMM by itself vs. integration with MTD and MAV

About .govCAR

.govCAR represents an evolution in managing cybersecurity. CISA developed .govCAR to take a threat-based approach to cybersecurity risk management—an advancement from the traditional consequence (compliance) and vulnerability (cyber hygiene) based approaches. This next generation approach looks at cybersecurity capabilities the same way an adversary does to directly identify areas where mitigations should be applied for best defense.

.govCAR is vendor agnostic and does not evaluate specific vendors or products. For more information on the .govCAR methodology, contact CyberLiaison@hq.dhs.gov for the “What is .govCAR” fact sheet.

Contact and Disclaimer

For inquiries about CISA cybersecurity programs, please contact CyberLiaison@hq.dhs.gov. CISA designed .govCAR recommendations to communicate the most critical findings and actionable guidance resulting from analysis performed by CISA using the .govCAR methodology. For background information on the .govCAR methodology, contact CyberLiaison@hq.dhs.gov for the “What is .govCAR” fact sheet. For detailed technical reports on .govCAR spins, contact CyberLiaison@hq.dhs.gov for the .govCAR Technical Annexes and Spin Summary.

References/Resources

National Cybersecurity Assessment & Technical Services (NCATS)

NCATS leverages existing “best in breed” cybersecurity assessment methodologies, commercial best practices, and integration of threat intelligence to provide cybersecurity stakeholders with decision-making/risk management guidance and recommendations. NCATS provides an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks. NCATS security services are available at no cost to stakeholders and can range from one day to two weeks depending on the security services required. For more information, email: ncats_info@hq.dhs.gov

Federal Virtual Training Environment (FedVTE)

The FedVTE content library contains pre-recorded classroom cybersecurity training for Federal Government personnel and contractors, as well as State, local, tribal, and territorial government personnel. FedVTE provides government-wide, online, and on-demand access to cybersecurity training to help the workforce maintain expertise and foster operational readiness. With courses ranging from beginner to advanced levels, the system is available at no cost to users, and is accessible from any internet-enabled computer. For more information, visit www.fedvte.usalearning.gov.

Information Systems Security Line of Business Security and Awareness Training

Information Systems Security Line of Business (ISSLoB) Security and Awareness Training (SAT) provides common suites of information systems security training products and services for the Federal Government. ISSLoB SAT standardizes skills and competencies in order to align with nationally recognized credentials, such as the Cybersecurity Framework and the National Initiative for Cybersecurity Education (NICE).  ISSLoB provides a repository of government sponsored or approved training products and sources that will reach all levels of government executives. For more information, visit: http://dhs.gov/information-systems-security-line-business-security-and-awareness-training.

Network Security Deployment (NSD)

NSD strives to improve the cybersecurity of Federal Government departments, agencies, and partners by delivering the technologies and services needed to fulfill the Department’s cybersecurity mission. NSD is responsible for designing, developing, acquiring, deploying, sustaining, and providing customer support for the National Cybersecurity Protection System (NCPS). NCPS satisfies aspects of the Department’s mission requirements under the Comprehensive National Cybersecurity Initiative by delivering intrusion detection, advanced analytics, information sharing, and intrusion prevention capabilities that diminish the potential impact of cyber threats. For more information, visit: http://dhs.gov/network-security-deployment.

National Security Agency (NSA) / Information Assurance Directorate (IAD) National Security Cyber Assistance Program

The NSA/IAD has established a National Security Cyber Assistance Program wherein commercial organizations can receive accreditation for cyber incident response services. This accreditation in Cyber Incident Response Assistance will validate that an organization has established processes, effective tools and knowledgeable people with the proper skill set and expertise to perform cyber incident response for national security systems. Visit http://www.nsa.gov/ia for more information or download best practices for keeping your home network secure at https://www.us-cert.gov/ncas/tips/ST15-002

Stop.Think.Connect.™ Campaign

Launched in 2010, the Stop.Think.Connect.™ Campaign was created to empower Americans to reduce cyber risk online by incorporating safe habits into their online routines. In an effort to encourage much needed Federal agency and SLTT government leadership on this important issue, the Stop.Think.Connect. Campaign created the Cyber Awareness Coalition as an outlet for government at all levels to work directly with DHS and the Stop.Think.Connect. Campaign to promote cybersecurity awareness. For more information on how to get involved with the Cyber Awareness Coalition, visit www.dhs.gov/stopthinkconnect or email stopthinkconnect@dhs.gov.



Resources to Detect

Continuous Diagnostics and Mitigation (CDM)

The CDM program is a dynamic approach to fortifying the cybersecurity of computer networks and systems. Through the CDM program, DHS works with partners across the entire FCEB government to deploy and maintain an array of sensors for hardware asset management, software asset management and whitelisting, vulnerability management, and compliance setting management; to feed data about an agency’s cybersecurity flaws; and to present those risks in an automated and continuously updated dashboard. CDM, which will also be available for State and local entities as well as the Defense Industrial Base Sector, provides our stakeholders with the tools they need to protect their networks and enhances their ability to see and counteract day-to-day cyber threats.

DHS coordinates the national response to significant cyber incidents and maintains a common operational picture for cyberspace across the government. Part of that responsibility includes network intrusion detection and prevention technology under a program known as Einstein. When both programs are implemented, they will provide complementary protections across the dot-gov domain, further protecting the government’s infrastructure and the Nation’s data.

The CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, understand the relative risks and threats, and help system personnel to identify and mitigate flaws at near-network speed. CDM program resources will also be mapped to the Framework. This will occur as the C³ Voluntary Program develops additional resources over time to support Framework use by the Federal Government. More information is available at: http://dhs.gov/cdm.

Federal Virtual Training Environment (FedVTE)

The FedVTE content library contains pre-recorded classroom cybersecurity training for Federal Government personnel and contractors, as well as State, local, tribal, and territorial government personnel. FedVTE provides government-wide, online, and on-demand access to cybersecurity training to help the workforce maintain expertise and foster operational readiness. With courses ranging from beginner to advanced levels, the system is available at no cost to users, and is accessible from any internet-enabled computer. For more information, visit www.fedvte.usalearning.gov.

Network Security Deployment (NSD)

NSD strives to improve the cybersecurity of Federal Government departments, agencies, and partners by delivering the technologies and services needed to fulfill the Department’s cybersecurity mission. NSD is responsible for designing, developing, acquiring, deploying, sustaining, and providing customer support for the National Cybersecurity Protection System (NCPS). NCPS satisfies aspects of the Department’s mission requirements under the Comprehensive National Cybersecurity Initiative by delivering intrusion detection, advanced analytics, information sharing, and intrusion prevention capabilities that diminish the potential impact of cyber threats. For more information, visit: http://dhs.gov/network-security-deployment.



Resources to Respond

Cyber Incident Response and Analysis

CISA’s National Cybersecurity and Communications Integration Center (NCCIC) offers remote and on-site incident response capabilities, including expert intrusion analysis and mitigation guidance to customers who lack an in-house capability or require external assistance to manage a cyber-incident. The National Coordinating Center for Communications (NCC) coordinates 24/7 interagency and industry efforts to protect and restore communications during times of crisis. Please email ncciccustomerservice@hq.dhs.gov for more information.

National Security Agency (NSA) / Information Assurance Directorate (IAD) National Security Cyber Assistance Program

The NSA/IAD has established a National Security Cyber Assistance Program wherein commercial organizations can receive accreditation for cyber incident response services. This accreditation in Cyber Incident Response Assistance will validate that an organization has established processes, effective tools and knowledgeable people with the proper skill set and expertise to perform cyber incident response for national security systems. Visit http://www.nsa.gov/ia for more information or download best practices for keeping your home network secure at http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf.

