
What Is the 1531b Government Program (CyberSentry)?

Discover the CISA CyberSentry program, a government partnership offering tailored threat analysis and collaborative defense for U.S. critical infrastructure.

The CISA CyberSentry program, established by the National Defense Authorization Act for Fiscal Year 2021, is a voluntary partnership to help secure U.S. critical infrastructure from cyber threats. Administered by the Cybersecurity and Infrastructure Security Agency (CISA), the program provides threat detection and monitoring to partners operating systems that support National Critical Functions (NCFs).

The core of CyberSentry is a threat detection capability provided by CISA. While the government-furnished equipment and services are provided at no fee, partners are responsible for their own internal costs. This initiative is not designed to replace a company’s existing cybersecurity measures but to augment them with federal resources and threat intelligence. The program fosters a collective defense model, where insights from one partner help protect all participants.

Eligibility for Participation

Participation in the CyberSentry program is for partners who operate significant systems supporting National Critical Functions (NCFs). CISA defines critical infrastructure as the assets, systems, and networks so essential to the country that their incapacitation would have a debilitating effect on national security, economic security, or public health and safety.

The federal government identifies 16 critical infrastructure sectors whose entities are the intended participants:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Systems Sector

Core Program Components and Operations

The functional core of the CyberSentry program is the deployment of government-furnished sensor technology within a partner’s network environments. These hardware and software capabilities are placed at partner facilities to provide CISA with visibility into both information technology (IT) and operational technology (OT) networks. The sensors are designed to monitor for known and unidentified malicious activity without disrupting ongoing operations.

Once active, sensors collect network traffic data for analysis by CISA personnel. While the focus is on network metadata, the system can collect packet content in certain situations as governed by legal agreements. CISA analysts correlate this partner-supplied information with government and international partner intelligence to detect threats that might otherwise go unnoticed.

The partnership is highly collaborative. When CISA analysts identify a potential cybersecurity concern, they promptly notify the partner organization. The agency then works directly with the partner to help investigate the issue, providing tailored mitigation advice and context.

In situations where a significant threat is discovered, CISA can offer more direct support. If requested by the partner, the agency may deploy onsite resources for real-time threat hunting and incident response. Insights from these engagements are anonymized and used to inform other CISA missions and the broader critical infrastructure community.

Information and Agreements for Enrollment

Before an organization can enroll in the CyberSentry program, it must be prepared to enter into a formal agreement with the government. The primary mechanism for this is a governing agreement, such as a Cooperative Research and Development Agreement (CRADA), between CISA and the participating entity.

This legal instrument outlines the roles and responsibilities of both CISA and the partner organization. It details protocols for data handling, liability, and the protection of sensitive information shared by the company and the government. An organization must be willing to share in-depth network traffic for the program to be effective.

From a technical perspective, a prospective participant needs to compile detailed information about its network architecture. This includes creating comprehensive network diagrams that map key ingress and egress points, data flows, and the relationship between IT and OT systems.

Administratively, the organization must identify key personnel to manage the partnership. This requires designating a primary point of contact for program coordination and technical contacts who can work with CISA analysts on a day-to-day basis for threat notifications and response efforts.

The Enrollment Process

Participation in the CyberSentry program is by invitation from CISA. The agency identifies and invites organizations based on their connection to critical infrastructure and National Critical Functions. Organizations can also express interest by contacting the CyberSentry Program Management Office.

Following the initial contact, CISA and the applicant enter an assessment and scoping phase. During this stage, CISA works with the organization’s technical team to review the provided network architecture information. The goal is to define the precise scope of participation, including where the government-furnished sensors will be deployed.

With the scope defined, the process moves to the legal and administrative phase where the formal governing agreement is executed. Legal teams from both the organization and CISA review and sign the document, officially establishing the partnership and its legal boundaries.

The final stage is the technical deployment. CISA coordinates with the partner’s technical staff to install and activate the CyberSentry hardware and software. Once the sensors are operational, CISA provides the partner with access to their own CyberSentry dashboard, marking the beginning of routine collaboration.
