
Ecosystem Risk Ranker (CISA CPG 4.1)


    Overview

    Maps and ranks the external dependencies (SaaS, cloud, utilities) essential to a Critical Service, assigns each a criticality score based on the mission impact of that vendor’s outage, and validates vendor uptime SLAs against the organization’s Maximum Allowable Downtime (MAD). Aligned with CISA CPG 4.1, Critical Service Dependency Map.

    Example Conversation

    You: We need a Critical Service dependency map for our water utility (CISA CPG 4.1). Our MAD from the BIA is 4 hours per year for the treatment control system. I have three key vendors: SCADA SaaS (99.9% uptime), cloud historian (99.5%), and a power-monitoring API (no SLA yet). Can you rank them and check SLA alignment?

    Agent: I’ll build the dependency map with criticality and run sla_alignment_check for each vendor where we have an SLA. Our MAD is 4 h/year, so I’ll use that for all three checks.

    Agent: Running sla_alignment_check for SCADA SaaS (99.9%)…

    Agent: SCADA SaaS: MISALIGNED — vendor allowed downtime ~8.76 h/year (above your MAD of 4 h/year); gap 4.76 h/year. Checking the historian (99.5%) next…

    Agent: Historian (99.5%): MISALIGNED — allowed downtime ~43.8 h/year; gap 39.8 h/year. For the power-monitoring API I’ve marked “No SLA — obtain and re-check.” I’ve created critical-service-dependency-map.md with the dependency table, criticality rationale, and the SLA alignment results. For the two misaligned vendors, the doc recommends renegotiating SLA or adding redundancy (e.g. local buffer or failover).

    You: We renegotiated SCADA to 99.95%. Can you re-run the check and update the map?

    Agent: Re-ran sla_alignment_check for SCADA SaaS with 99.95% (allowed downtime ~4.38 h/year). Still slightly above your 4 h MAD — gap 0.38 h/year. Updated the dependency map with the new result and a note that the gap is small; you may accept the risk or push for 99.96%.

    What the Tool Validates

    The skill includes one extension tool:

    sla_alignment_check compares a vendor’s contractual uptime SLA to your organization’s Maximum Allowable Downtime (MAD) for the Critical Service:

    • Input: mad_hours_per_year (the organization’s MAD); for the vendor, either vendor_uptime_percent (e.g. 99.9) or vendor_downtime_hours_per_year; optional vendor_name for the report.
    • Logic: Converts the vendor uptime % to allowed downtime in hours per year on an 8760 h/year basis: allowed downtime = (100 − uptime %) / 100 × 8760, so 99.9% gives 8.76 h/year and 99.95% gives 4.38 h/year. Compares that allowed downtime to the MAD.
    • Output: ALIGNED (vendor allowed downtime ≤ MAD) or MISALIGNED (vendor allowed downtime > MAD), with the vendor’s allowed downtime and, when misaligned, the gap in hours per year. Use the result to decide whether to renegotiate the SLA, add redundancy, or accept and document the risk.
    • Caveats: The comparison is on annual totals. An uptime percentage does not bound the length of any single outage (a 99.95% SLA permits ~4.38 h/year, which could be one 4.38 h incident), so if your MAD is a per-incident figure from the BIA, also check the vendor’s committed maximum outage duration or RTO. An SLA is a contractual remedy threshold, not measured availability. Each vendor is checked on its own; dependencies that must all be up at once compound (vendors at 99.9% and 99.5% in series bound the service at about 99.4%, roughly 52.5 h/year).
    • Run after defining the MAD (from the BIA/RTO) and gathering vendor SLAs; re-run whenever SLAs or the MAD change so CPG 4.1 evidence stays current.
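    As an added example (not the Ecosystem Risk Ranker skill’s own code), the following Python reproduces the check exactly as the bullets describe it and goes one step further than the page: it also models how several serial dependencies compound and how an independent failover changes the picture. The function and parameter names sla_alignment_check, mad_hours_per_year, vendor_uptime_percent, vendor_downtime_hours_per_year and vendor_name are taken from the tool description above; serial_uptime_percent, parallel_uptime_percent and format_report are assumed helper names, and the independence-of-failures assumption is stated in the code. The vendor figures are the constructed ones from the example conversation.

```python
"""Added example: stand-alone re-implementation of an SLA-vs-MAD check.
Not the Ecosystem Risk Ranker skill's own code. Parameter names mirror the
tool description on the page; the serial/parallel helpers are additions."""
from dataclasses import dataclass
from typing import Iterable, Optional

HOURS_PER_YEAR = 8760.0  # conversion basis used on the page (365-day year)


@dataclass(frozen=True)
class AlignmentResult:
    vendor_name: str
    mad_hours: float
    allowed_downtime_hours: float

    @property
    def aligned(self) -> bool:
        # ALIGNED when the vendor's allowed downtime does not exceed the MAD.
        return self.allowed_downtime_hours <= self.mad_hours

    @property
    def gap_hours(self) -> float:
        # Hours by which the vendor may exceed the MAD; 0.0 when aligned.
        return max(0.0, self.allowed_downtime_hours - self.mad_hours)

    @property
    def status(self) -> str:
        return "ALIGNED" if self.aligned else "MISALIGNED"


def uptime_to_downtime_hours(uptime_percent: float) -> float:
    """Annual uptime percentage -> allowed downtime in hours per year."""
    if not 0.0 <= uptime_percent <= 100.0:
        raise ValueError("uptime_percent must be between 0 and 100")
    return (100.0 - uptime_percent) / 100.0 * HOURS_PER_YEAR


def sla_alignment_check(
    mad_hours_per_year: float,
    vendor_uptime_percent: Optional[float] = None,
    vendor_downtime_hours_per_year: Optional[float] = None,
    vendor_name: str = "vendor",
) -> AlignmentResult:
    """Compare one vendor's contractual downtime budget to the organization's MAD.
    Exactly one of vendor_uptime_percent / vendor_downtime_hours_per_year is required."""
    if mad_hours_per_year < 0:
        raise ValueError("mad_hours_per_year must be non-negative")
    if (vendor_uptime_percent is None) == (vendor_downtime_hours_per_year is None):
        raise ValueError("give exactly one of vendor_uptime_percent or "
                         "vendor_downtime_hours_per_year")
    if vendor_uptime_percent is not None:
        downtime = uptime_to_downtime_hours(vendor_uptime_percent)
    else:
        downtime = float(vendor_downtime_hours_per_year)
    return AlignmentResult(vendor_name, float(mad_hours_per_year), downtime)


def serial_uptime_percent(uptime_percents: Iterable[float]) -> float:
    """Availability bound for a service that needs ALL listed dependencies at
    once: the product of their availabilities. Assumes independent failures;
    correlated outages (shared region, shared upstream) only make it worse."""
    avail = 1.0
    for p in uptime_percents:
        avail *= p / 100.0
    return avail * 100.0


def parallel_uptime_percent(uptime_percents: Iterable[float]) -> float:
    """Availability when ANY ONE of the listed alternatives suffices (vendor
    SaaS plus a local failover): 1 - product of unavailabilities. Assumes
    independent failures and an instantaneous, tested failover."""
    unavail = 1.0
    for p in uptime_percents:
        unavail *= 1.0 - p / 100.0
    return (1.0 - unavail) * 100.0


def format_report(r: AlignmentResult) -> str:
    """Render a result in the shape of the report excerpt on this page."""
    gap = f" - Gap: {r.gap_hours:.2f} hours/year" if not r.aligned else ""
    return "\n".join([
        "=== SLA vs MAD Alignment Check (CISA CPG 4.1) ===",
        f"Vendor: {r.vendor_name}",
        f"Organization MAD: {r.mad_hours:g} hours/year",
        f"Vendor allowed downtime: {r.allowed_downtime_hours:.2f} hours/year",
        f"Result: {r.status}{gap}",
    ])


if __name__ == "__main__":
    MAD = 4.0  # h/year, constructed from the page's worked example
    vendors = {"SCADA SaaS": 99.9, "Cloud historian": 99.5}  # constructed input
    for name, pct in vendors.items():
        print(format_report(sla_alignment_check(MAD, vendor_uptime_percent=pct,
                                                vendor_name=name)), end="\n\n")
    # Renegotiated SCADA (99.95%) and the historian must both be up: compounding.
    chain = serial_uptime_percent([99.95, 99.5])
    print(f"SCADA 99.95% + historian 99.5% in series -> {chain:.4f}% "
          f"({uptime_to_downtime_hours(chain):.2f} h/year)")
    # Redundancy: SCADA SaaS 99.95% with an independent local failover at 99.0%.
    red = parallel_uptime_percent([99.95, 99.0])
    print(f"SCADA 99.95% with 99.0% local failover -> {red:.4f}% "
          f"({uptime_to_downtime_hours(red):.4f} h/year)")
```

    The two extra helpers are there to stop a common misreading of a per-vendor ALIGNED result: the Critical Service needs the SCADA SaaS and the historian at the same time, so its availability is bounded by their product, while a local buffer or failover that is genuinely independent of the vendor turns a 99.95% SLA with a 0.38 h gap into a comfortably aligned combination. Both bounds assume independent failures; a shared cloud region or shared upstream utility invalidates that assumption.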

    Output Excerpt

    Excerpt from a generated Critical Service dependency map (dependency table and SLA alignment summary), followed by a sample sla_alignment_check report.

    Dependency map (excerpt):

    ## Critical Service: Treatment control system
    - **MAD:** 4 hours/year (from BIA, 2025)
    
    ## External dependencies
    
    | Vendor / dependency  | Role                 | Criticality | Uptime SLA | Alignment   | Notes                                        |
    |----------------------|----------------------|-------------|------------|-------------|----------------------------------------------|
    | SCADA SaaS           | Control-plane UI     | Critical    | 99.9%      | MISALIGNED  | Gap 4.76 h/year; renegotiate or add failover |
    | Cloud historian      | Process data storage | High        | 99.5%      | MISALIGNED  | Gap 39.8 h/year                              |
    | Power-monitoring API | Alarms / external    | Medium      | —          | Not checked | Obtain SLA and re-run check                  |
    

    sla_alignment_check report (excerpt):

    === SLA vs MAD Alignment Check (CISA CPG 4.1) ===
    Vendor: SCADA SaaS
    
    Organization MAD: 4 hours/year
    Vendor allowed downtime: 8.76 hours/year
      (from 99.9% uptime SLA)
    
    Result: MISALIGNED — Gap: 4.76 hours/year. Vendor can be down longer than the organization can tolerate. Consider renegotiating SLA or adding redundancy.
    

    Getting Started

    Add your source materials to the project workspace (e.g. MAD from BIA/RTO, vendor list with SLAs), then activate the Ecosystem Risk Ranker (CISA CPG 4.1) skill. The agent will guide you through building the dependency map, assigning criticality, and validating SLA alignment. Re-run sla_alignment_check when SLAs or MAD change to keep evidence current.
