Cybersecurity is one of the most pressing issues facing higher ed. Unfortunately, third-party penetration testing and vulnerability assessments can be incredibly expensive, especially for large universities. It may sound too good to be true, but there is a suite of cybersecurity programs offered for free to help private companies and higher-ed institutions mitigate the risks of cyber threats.
National cybersecurity assessments and technical services
The Department of Homeland Security provides a series of cybersecurity programs through its National Cybersecurity and Communications Integration Center (NCCIC). As part of the NCCIC, the National Cybersecurity Assessments and Technical Services (NCATS) team aims to help prevent cybersecurity breaches and provide assistance if an incident does occur. Their mission “is to measurably decrease the risks present in our Nation’s cybersecurity infrastructure,” and according to their annual report, they’re doing a great job of fulfilling that promise. In fiscal year 2017, NCATS helped mitigate 300,000 vulnerabilities while conducting cyber hygiene scans for more than 600 government and private sector stakeholders.
Earlier this year, we had the opportunity to speak with a few members of the NCATS team to discuss their programs, the application process, and some of the concerns that we and others had about their offerings. What follows is the summation of that interview, an interview with one of their clients, and additional research into the programs they offer.
NCATS primarily offers two programs: the Risk and Vulnerability Assessment (RVA) and the Cyber Hygiene (CH) program. The former, the more robust of the two, involves a team of NCATS engineers performing a series of tests on your university’s network and providing an in-depth analysis of the overall strength of your cybersecurity. The latter is an ongoing non-credentialed scan of your IP perimeter. According to Sean McAfee, a member of NCCIC, “what you see is what you get” when it comes to their services. He added that “it’s the same level of expertise from our side. It’s the same scans and tests, regardless of whether it’s the private sector or a university.”
Risk & Vulnerability Assessment
As the more resource-intensive option, the RVA requires more preparation and planning from both parties, but it may also yield more impactful results. An average RVA engagement takes approximately two weeks. Once an engagement is initiated, the NCATS team will assign four to five engineers to your institution, who will begin their assessment off-site. Once that phase of the assessment is completed, NCATS may require a conference room or office at your institution to complete the second portion of on-site testing.