PROJECT MATRIX

It is generally known that the private sector owns and operates upwards from 85% of the critical infrastructure upon which the United States depends. However, the many agencies of the Federal government perform a wide range of functions and services vital to our national and homeland security, economic stability, and public health and safety; functions such as public health advisories, social entitlements, and weather forecasting, which the private sector can’t or won’t perform. Thus, many departments and agencies in the Federal government contribute to critical infrastructure assurance because they are responsible and accountable for maintaining appropriate levels of systems security, emergency preparedness, and continuity of government operations. Also, since September 11th, 2001, we have become acutely aware of the need for government to protect the U.S. homeland and to be able to provide timely warnings of potential terrorist or cyber-activist attacks.

In addition to its own considerable infrastructures and facilities, the government increasingly depends on privately owned and operated infrastructures to support delivery of these services. For example, over 90 percent of Defense Department communications transit the public switched network. Accordingly, to assure its own ability to continue to discharge its responsibilities, the Federal government must also undertake an analysis of its vulnerabilities and dependencies.

To assist civilian Federal agencies in this effort, as called for in Presidential Decision Directive 63, the Critical Infrastructure Assurance Office (CIAO) developed Project MatrixÔ. Through the Matrix process, CIAO works with the civilian departments and agencies to enable them to identify the assets and associated dependencies that are required for them to perform their national-critical functions. In a two-step process, Project MatrixÔ first identifies: (i) the nationally essential functions and services and the critical assets responsible for their performance; (ii) the critical dependencies on assets located in other Federal departments and agencies; and the critical dependencies on privately owned and operated infrastructures.

Once such critical assets and associated dependencies are identified, Federal departments and agencies must assess their vulnerability to physical or cyber interruptions and develop and implement plans to manage risk. Where performance of essential government functions and services depends on privately owned and operated infrastructures, Federal departments and agencies must work with the owners and operators of these specific infrastructure companies – on mutually agreed upon terms – to ensure that adequate security measures are established and maintained.
 

Last revision: 4 November 2002