Project Matrix identifies how systems interact

Project Matrix is a tool that will help agencies focus priorities and scarce resources, CIAO's John A. Tritak says.

By assessing their mutual reliance, federal agencies hope to find and correct security weaknesses

By Christopher J. Dorobek

GCN Staff

Agencies are finding that some of their most significant cybersecurity weaknesses do not begin at home.

Identifying interdependencies between agencies and the Achilles' heels they create could be critical to getting funds to protect systems, security experts said.

Under the Clinton administration's National Plan for Information Systems Protection, agencies are beginning to assess their mutual reliance. This analysis will help agencies target security efforts on key systems, said John A. Tritak, director of the Critical Infrastructure Assurance Office.

CIAO has developed Project Matrix to guide agencies as they assess interdependencies and the joint impact of systems being attacked, Tritak said.

Such analysis also provides a clear assessment of vulnerabilities, which will help agencies focus security funding, officials said.

'This helps focus priorities and scarce resources,' Tritak said.

Project Matrix helps agencies decide what they need to secure first, said Jeffrey A. Hunker, senior director for critical infrastructure protection at the White House's National Security Council.

'We are providing them with something that the government has never had: an inventory of its critical assets,' said Hilary Lombardo, CIAO policy analyst for information security. Project Matrix also gives agency chief information officers and chief financial officers a way to channel their resources, he said.

New perspective

It cost CIAO approximately $200,000 to develop and refine Project Matrix for use across the federal government, Lombardo said.

'This project provides the additional value-added benefit of being a common-standard cross-cutting methodology,' he said.

Agencies have looked at their own vulnerabilities, Tritak said, but few have reviewed interdependencies.

'We're not identifying the vulnerabilities. We're identifying the vulnerable assets [that agencies have],' he said.

While Matrix will identify the interdependencies, agencies themselves must conduct the vulnerability assessments, Lombardo said.

At the Commerce Department, a prototype of Project Matrix helped officials identify critical systems that had been overlooked, said Commerce chief information officer Roger W. Baker.

As a result, the department has a detailed assessment of who relies on its systems, its vulnerabilities and what the department needs to do its job, he said.

Identifying interdependencies was the top goal in the administration's critical infrastructure protection plan [GCN, Jan. 24, Page 1].

Project Matrix has three steps:

• Step 1: Identify the agency's Presidential Decision Directive 63 assets

• Step 2: Conduct a functional analysis to identify the agency's major nodes and networks

• Step 3: Conduct an in-depth infrastructure dependency and interdependency analysis.

The overall process is expected to take 18 months to two years, Lombardo said.

He estimates agencies could spend:

• $25,000 to $125,000 for Step 1

• $40,000 per asset for Step 2

• $65,000 per asset for Step 3.

Costs would depend on how much contractor support is needed to implement the steps. Increased contractor support would raise Project Matrix's costs, Lombardo said.

'We're concentrating on the PDD-63-relevant assets as opposed to the mission-critical assets,' he said.

The relevant assets are defined as systems that are critical to national security, national economic security, or public health and safety.

Y2K blueprint

Project Matrix attempts to follow the cooperative model agencies used to prepare for year 2000. It lets agencies share a framework for analyzing interdependencies, Lombardo said, rather than having each agency develop individual methods.

'The government has been working in stovepipes for the longest time,' Lombardo said. 'Unfortunately it seems we're now realizing that we need to share the information with each other. Security is common to other agencies, and we have to share information.'

Officials from the Office of Management and Budget, the Federal Emergency Management Agency and CIAO have listed 14 agencies that should use Project Matrix or a similar method.

Four more agencies will be using it this fiscal year: the Energy, Health and Human Services, and Treasury departments, and the Social Security Administration.
