U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

National Cybersecurity Assessments and Technical Services (NCATS)

Signing up

Request information about the service(s) you are interested in by emailing ncats_info@hq.dhs.gov.

All services are available at no cost to federal agencies, state and local governments, critical infrastructure, and private organizations generally.

Cyber Hygiene: Vulnerability Scanning  helps secure your internet-facing systems from weak configuration and known vulnerabilities, and encourages the adoption of modern security best practices. DHS performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After we receive the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you’ll begin receiving reports within two weeks.

A Phishing Campaign Assessment (PCA) measures your team’s propensity to click on email phishing lures. Phishing is commonly used as a means to breach an organization’s network. The assessment occurs over a 6 week period, and the results can be used to provide guidance for anti-phishing training and awareness.

A Risk and Vulnerability Assessment (RVA) allows you to select from a menu of several network security services, including:

  • network mapping and vulnerability scanning,
  • phishing engagements,
  • web application or database evaluations,
  • a full penetration test

The assessment period differs by the number and type of services requested, but a typical RVA will take place over a two week period. There is one week of testing from the internet and one week of evaluation, at your location, internal to your network.

(NOTE: After DHS receives the required paperwork for an RVA, you will be prioritized based on national mission needs, number of prior stakeholders in your sector, etc. DHS is taking proactive steps and creating new services, such as remote penetration testing, to assist stakeholders with security relevant issues.)

A Validated Architecture Design Review (VADR) evaluates your systems, networks, and security services to determine if they are designed, built, and operated in a reliable and resilient manner. VADRs are based on standards, guidelines, and best practices and are designed for Operational Technology (OT) and Information Technology (IT) environments. A VADR includes:

  • Architecture Design Review
  • System Configuration and Log Review
  • Network Traffic Analysis

Back to Top

Back to Top