CISA considering the future state of EINSTEIN as agencies modernize

CISA is considering changes to EINSTEIN 1 and EINSTEIN 2, which monitor traffic routed in and out of physical networks and systems.

The Cybersecurity and Infrastructure Security Agency wants feedback from industry on the future of its EINSTEIN federal cybersecurity program.

CISA is looking to modernize parts of EINSTEIN — the program also known as the National Cybersecurity Protection System, which provides a frontline capability to monitor network traffic in and out of federal civilian branch agencies and situational awareness of malicious activity across the federal government — as “evolutions of technologies and threat landscapes have highlighted limitations in the EINSTEIN capabilities and the benefits it provides,” the agency said in a request for information published this week.

This means replacing sensors on agency networks that have been in place, in some cases, for a decade or longer. Specifically, CISA is considering changes to EINSTEIN 1 and EINSTEIN 2, which monitor traffic routed in and out of physical networks and systems.

“The visibility provided by existing EINSTEIN sensors remains a crucial enabler of CISA’s mission to protect [federal civilian executive branch] agencies,” reads the RFI, posted by the General Services Administration on behalf of CISA. “It is one component that CISA uses to gain operational visibility, protect FCEB agencies, and respond to threats. With the limitations of EINSTEIN capabilities, CISA stands to lose that needed visibility. Consequently, a new solution may be necessary to compensate for this loss of visibility to protect FCEB agencies adequately.”


Federal agencies’ enterprise IT architectures have been modernized and have evolved, largely by migrating to the cloud, since EINSTEIN was first introduced in 2003 and subsequently added to. This means CISA and agencies will also need to “consider other broader strategies beyond replacing the existing footprint of EINSTEIN capabilities (e.g., optimal placements in federal agencies, new technologies/techniques to maximize visibility, etc.).”

“For future CISA needs, the augmentation or replacement of this visibility must be considered within the current networking environment and how it may be combined and used with other data sources acquired by CISA analysts,” the RFI reads.

Industry responses are due by July 14.

The contract motion comes after CISA, in the fiscal 2024 president’s budget proposal, requested $425 million to restructure parts of EINSTEIN into a new Cyber Analytics and Data System. That system is meant to provide “tools and capabilities to facilitate the ingestion and integration of data as well as orchestrate and automate the analysis of data that supports the rapid identification, detection, mitigation, and prevention of malicious cyber activity.”

The 2024 budget request also called for $67 million for EINSTEIN and another $408 million for the agency’s Continuous Diagnostics and Mitigation (CDM) program, which provides agencies with a “window into the security posture of agency computers, servers, and other Internet-connected devices.”


CISA recently released a separate RFI for deploying new CDM capabilities across the federal government.
