Identifying and Prioritizing Systemically Important Entities
Advancing Critical Infrastructure Security and Resilience
Research
Published Nov 20, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) is resourced to support a broad national strategy of layered deterrence by identifying systemically important entities and supporting the mitigation of risks to national critical functions. This report documents systemic risks, cyber risks in software supply chains, past and ongoing analytical support to CISA, and current limitations, and it outlines a path for future work.
In response to the mounting specter of systemic cyber risks, the Cyberspace Solarium Commission recommended that Congress codify the concept of Systemically Important Critical Infrastructure—later renamed Systemically Important Entities (SIEs)—and that the Cybersecurity and Infrastructure Security Agency (CISA) be resourced to identify SIEs and support the mitigation of their risks, in support of a broader national strategy of layered deterrence. In support of the CISA National Risk Management Center (NRMC), this report clarifies the concept of SIEs and introduces a data-driven methodology for their identification and prioritization. Specifically, the authors identify SIEs by their potential to affect national critical functions (NCFs) and prioritize SIEs by measures of their size and interconnectedness. This report builds on existing work regarding Critical IT Products and Services and extends the researchers' analysis to federal agencies and firms that install potentially vulnerable software, in addition to firms that write software. This report further documents systemic risks and cyber risks in software supply chains, past and ongoing analytical support to CISA, and current limitations, and it outlines a path for future work.
This research was prepared for the National Risk Management Center, Cybersecurity and Infrastructure Security Agency and conducted within the Infrastructure, Immigration, and Security Operations Program of the RAND Homeland Security Research Division.
This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.