Identifying and Prioritizing Systemically Important Entities

Advancing Critical Infrastructure Security and Resilience

John Bordeaux, Jonathan W. Welburn, Sasha Romanosky, Benjamin Boudreaux, Aaron Strong, Shannon Prier, Cheryl K. Montemayor, Jhacova Williams, Jessica Welburn Paige, Michael J. D. Vermeer, et al.

Research. Published Nov 20, 2023

In response to the mounting specter of systemic cyber risks, the Cyberspace Solarium Commission recommended that Congress codify the concept of Systemically Important Critical Infrastructure—later renamed Systemically Important Entities (SIEs)—and that the Cybersecurity and Infrastructure Security Agency (CISA) be resourced to identify SIEs and support the mitigation of their risks as part of a broader national strategy of layered deterrence. In support of the CISA National Risk Management Center (NRMC), this report clarifies the concepts of SIEs and introduces a data-driven methodology for their identification and prioritization. Specifically, the authors identify SIEs by their potential to affect national critical functions (NCFs) and prioritize SIEs by measures of their size and interconnectedness. This report builds on existing work regarding Critical IT Products and Services and extends the researchers' analysis to federal agencies and firms that install potentially vulnerable software, in addition to firms that write software. This report further documents systemic risks and cyber risks in software supply chains, past and ongoing analytical support to CISA, and current limitations, and it outlines a path for future work.

Key Findings

  • The authors examined previous discussions of systemic risk drawn from historical observations of economic crises and examinations of systemic cyber risk to develop definitions of systemic importance and SIEs.
  • The authors used these definitions in developing a transparent, data-driven methodology for identifying and prioritizing SIEs.
  • Specifically, the authors introduce a two-step process of (1) connecting NCFs to economic sectors and (2) connecting economic sectors to specific entities.
  • The authors also developed an analytic platform, the Systemic Importance Analytic Model (SIAM), to process initial lists of entities associated with NCFs.

Recommendations

  • This report provides NRMC with potential objective criteria for determining a prioritized list of SIEs—a list which can enable CISA to strengthen entity risk management and coordination, allocate resources, monitor threats and hazards, and prioritize planning in support of a broader national strategy of layered deterrence.
  • Significant work remains in developing concepts and modeling approaches for systemic risk to critical infrastructure, advancing NRMC's incorporation and stewardship of data sets for analysis and visualization, maturing the SIE Program Office processes and procedures for analysis and outreach, and advancing SIAM to reflect emerging perspectives for prioritization—including public health and safety, national security, equity, and other areas.
  • Several analysis needs that would help advance the NRMC's risk reduction mission include (1) advancing SIE concepts and modeling approaches, (2) developing data management methods and planning for analytic input data, (3) advancing SIE as a sustainable program, and (4) refining the SIE analytic platform.

Document Details

  • Availability: Available
  • Year: 2023
  • Print Format: Paperback
  • Paperback Pages: 99
  • Paperback Price: $28.00
  • Paperback ISBN/EAN: 1-9774-0984-9
  • DOI: https://doi.org/10.7249/RRA1512-1
  • Document Number: RR-A1512-1

Citation

RAND Style Manual
Bordeaux, John, Jonathan W. Welburn, Sasha Romanosky, Benjamin Boudreaux, Aaron Strong, Shannon Prier, Cheryl K. Montemayor, Jhacova Williams, Jessica Welburn Paige, Michael J. D. Vermeer, and Zev Winkelman, Identifying and Prioritizing Systemically Important Entities: Advancing Critical Infrastructure Security and Resilience, Homeland Security Operational Analysis Center operated by the RAND Corporation, RR-A1512-1, 2023. As of September 11, 2024: https://www.rand.org/pubs/research_reports/RRA1512-1.html
Chicago Manual of Style
Bordeaux, John, Jonathan W. Welburn, Sasha Romanosky, Benjamin Boudreaux, Aaron Strong, Shannon Prier, Cheryl K. Montemayor, Jhacova Williams, Jessica Welburn Paige, Michael J. D. Vermeer, and Zev Winkelman, Identifying and Prioritizing Systemically Important Entities: Advancing Critical Infrastructure Security and Resilience. Homeland Security Operational Analysis Center operated by the RAND Corporation, 2023. https://www.rand.org/pubs/research_reports/RRA1512-1.html. Also available in print form.

This research was prepared for the National Risk Management Center, Cybersecurity and Infrastructure Security Agency and conducted within the Infrastructure, Immigration, and Security Operations Program of the RAND Homeland Security Research Division.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.