# Ecosystem Risk Ranker (CISA CPG 4.1)

> Map and rank external dependencies (SaaS, cloud, utilities) essential to a Critical Service. Assigns criticality scores by impact of vendor outage on mission and validates vendor uptime SLAs against the organization's Maximum Allowable Downtime (MAD). Aligned with CISA CPG 4.1 Critical Service Dependency Map.



Tags: Critical Infrastructure, CISA CPG, Risk Management, Supply Chain, SLA


## Example Prompts

- Build a Critical Service dependency map for our water utility and check vendor SLAs against our MAD
- Rank our external SaaS and cloud providers by impact of their outage on our primary mission
- Validate that our hospital's key vendors have uptime SLAs aligned with our maximum allowable downtime
- Prepare evidence of implementation for CISA CPG 4.1 Critical Service Dependency Map

URL: https://rakenne.app/skills/ecosystem-risk-ranker/index.md

Try this skill: https://rakenne.app/a/?skill=ecosystem-risk-ranker



## Overview

Map and rank external dependencies (SaaS, cloud, utilities) essential to a Critical Service. Assigns criticality scores by impact of vendor outage on mission and validates vendor uptime SLAs against the organization's Maximum Allowable Downtime (MAD). Aligned with CISA CPG 4.1 Critical Service Dependency Map.

## Example Conversation

> **You:** We need a Critical Service dependency map for our water utility (CISA CPG 4.1). Our MAD from the BIA is 4 hours per year for the treatment control system. I have three key vendors: SCADA SaaS (99.9% uptime), cloud historian (99.5%), and a power-monitoring API (no SLA yet). Can you rank them and check SLA alignment?

> **Agent:** I'll build the dependency map with criticality and run `sla_alignment_check` for each vendor where we have an SLA. Our MAD is 4 h/year, so I'll use that for all three checks.

> **Agent:** Running `sla_alignment_check` for SCADA SaaS (99.9%)...

> **Agent:** SCADA SaaS: **MISALIGNED** — vendor allowed downtime ~8.76 h/year (above your MAD of 4 h/year); gap 4.76 h/year. Checking the historian (99.5%) next...

> **Agent:** Historian (99.5%): **MISALIGNED** — allowed downtime ~43.8 h/year; gap 39.8 h/year. For the power-monitoring API I've marked "No SLA — obtain and re-check." I've created `critical-service-dependency-map.md` with the dependency table, criticality rationale, and the SLA alignment results. For the two misaligned vendors, the doc recommends renegotiating SLA or adding redundancy (e.g. local buffer or failover).

> **You:** We renegotiated SCADA to 99.95%. Can you re-run the check and update the map?

> **Agent:** Re-ran `sla_alignment_check` for SCADA SaaS with 99.95% (allowed downtime ~4.38 h/year). Still slightly above your 4 h MAD — gap 0.38 h/year. Updated the dependency map with the new result and a note that the gap is small; you may accept the risk or push for 99.96%.

## What the Tool Validates

The skill includes one extension tool:

**`sla_alignment_check`** compares a vendor's contractual uptime SLA to your organization's Maximum Allowable Downtime (MAD) for the Critical Service:

- **Input:** `mad_hours_per_year` (organization MAD); for the vendor, either `vendor_uptime_percent` (e.g. 99.9) or `vendor_downtime_hours_per_year`; optional `vendor_name` for the report.
- **Logic:** Converts vendor uptime % to allowed downtime in hours per year (8760 h/year). Compares vendor allowed downtime to MAD.
- **Output:** ALIGNED (vendor downtime ≤ MAD) or MISALIGNED (vendor downtime > MAD), with the vendor's allowed downtime and, when misaligned, the gap in hours per year. Use the result to decide whether to renegotiate SLAs, add redundancy, or accept and document the risk.
- **When to run:** After defining MAD (from BIA/RTO) and gathering vendor SLAs; re-run when SLAs or MAD change so CPG 4.1 evidence stays current.
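The conversion and comparison described above, written out as an added Python example (this is not the skill's own tool code; the function names `sla_alignment_check`, `uptime_percent_to_downtime_hours` and `format_report`, the `SlaCheckResult` dataclass and the `NO_SLA` status are assumptions made for this illustration). It reproduces the figures from the conversation (99.9% → 8.76 h/year, gap 4.76; 99.5% → 43.8 h/year; 99.95% → 4.38 h/year, gap 0.38), accepts either an uptime percentage or a downtime figure, and handles the "no SLA yet" case explicitly instead of silently treating a missing SLA as aligned.

```python
from dataclasses import dataclass
from typing import Optional

# Year length the page uses for the uptime-to-downtime conversion.
HOURS_PER_YEAR = 8760.0


@dataclass
class SlaCheckResult:
    vendor_name: str
    mad_hours_per_year: float
    vendor_downtime_hours_per_year: Optional[float]  # None when no SLA exists
    status: str                 # "ALIGNED", "MISALIGNED" or "NO_SLA" (assumed labels)
    gap_hours_per_year: float   # 0.0 unless MISALIGNED


def uptime_percent_to_downtime_hours(uptime_percent: float) -> float:
    """Allowed downtime per year implied by a contractual uptime percentage."""
    if not 0.0 <= uptime_percent <= 100.0:
        raise ValueError("uptime percent must be between 0 and 100")
    return HOURS_PER_YEAR * (100.0 - uptime_percent) / 100.0


def sla_alignment_check(
    mad_hours_per_year: float,
    vendor_uptime_percent: Optional[float] = None,
    vendor_downtime_hours_per_year: Optional[float] = None,
    vendor_name: str = "unnamed vendor",
) -> SlaCheckResult:
    """Compare a vendor's allowed downtime with the organization's MAD.

    Exactly like the page describes: convert uptime % to hours/year, then
    ALIGNED if vendor downtime <= MAD, otherwise MISALIGNED with the gap.
    A vendor with neither figure is reported as NO_SLA so it is never
    mistaken for an aligned dependency.
    """
    if mad_hours_per_year < 0:
        raise ValueError("MAD cannot be negative")

    if vendor_uptime_percent is None and vendor_downtime_hours_per_year is None:
        return SlaCheckResult(vendor_name, mad_hours_per_year, None, "NO_SLA", 0.0)

    if vendor_downtime_hours_per_year is not None:
        downtime = float(vendor_downtime_hours_per_year)
    else:
        downtime = uptime_percent_to_downtime_hours(vendor_uptime_percent)

    if downtime <= mad_hours_per_year:
        return SlaCheckResult(vendor_name, mad_hours_per_year, downtime, "ALIGNED", 0.0)
    gap = downtime - mad_hours_per_year
    return SlaCheckResult(vendor_name, mad_hours_per_year, downtime, "MISALIGNED", gap)


def format_report(result: SlaCheckResult) -> str:
    """Render a result in the same shape as the page's report excerpt."""
    lines = [
        "=== SLA vs MAD Alignment Check (CISA CPG 4.1) ===",
        f"Vendor: {result.vendor_name}",
        "",
        f"Organization MAD: {result.mad_hours_per_year:g} hours/year",
    ]
    if result.status == "NO_SLA":
        lines.append("Vendor allowed downtime: unknown (no SLA on file)")
        lines.append("")
        lines.append("Result: NO SLA - obtain a contractual uptime SLA and re-run the check.")
    else:
        lines.append(f"Vendor allowed downtime: {result.vendor_downtime_hours_per_year:.2f} hours/year")
        lines.append("")
        if result.status == "ALIGNED":
            lines.append("Result: ALIGNED - vendor downtime is within the organization's MAD.")
        else:
            lines.append(
                f"Result: MISALIGNED - Gap: {result.gap_hours_per_year:.2f} hours/year. "
                "Vendor can be down longer than the organization can tolerate. "
                "Consider renegotiating SLA or adding redundancy."
            )
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs mirroring the water-utility conversation on the page.
    mad = 4.0
    vendors = [
        ("SCADA SaaS", 99.9, None),
        ("Cloud historian", 99.5, None),
        ("Power-monitoring API", None, None),   # no SLA yet
    ]
    for name, uptime, downtime in vendors:
        print(format_report(sla_alignment_check(mad, uptime, downtime, name)))
        print()
```

The comparison uses the raw converted value, not a rounded one, so a vendor whose allowed downtime is 4.38 h/year against a 4 h MAD is still reported MISALIGNED even though the gap is small; deciding to accept that residual gap is a documented risk decision, not something the check makes for you.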

## Output Excerpt

Excerpt from a generated Critical Service dependency map (dependency table and SLA alignment summary), followed by a sample **sla_alignment_check** report.

**Dependency map (excerpt):**

```markdown
## Critical Service: Treatment control system
- **MAD:** 4 hours/year (from BIA, 2025)

## External dependencies

| Vendor / dependency   | Role                 | Criticality | Uptime SLA | Alignment   | Notes                    |
|----------------------|----------------------|-------------|------------|-------------|--------------------------|
| SCADA SaaS           | Control-plane UI     | Critical    | 99.9%      | MISALIGNED  | Gap 4.76 h/year; renegotiate or add failover |
| Cloud historian      | Process data storage | High        | 99.5%      | MISALIGNED  | Gap 39.8 h/year          |
| Power-monitoring API | Alarms / external    | Medium      | —          | Not checked | Obtain SLA and re-run check |
```

**sla_alignment_check report (excerpt):**

```
=== SLA vs MAD Alignment Check (CISA CPG 4.1) ===
Vendor: SCADA SaaS

Organization MAD: 4 hours/year
Vendor allowed downtime: 8.76 hours/year
  (from 99.9% uptime SLA)

Result: MISALIGNED — Gap: 4.76 hours/year. Vendor can be down longer than the organization can tolerate. Consider renegotiating SLA or adding redundancy.
```

## Getting Started

Add your source materials to the project workspace (e.g. MAD from BIA/RTO, vendor list with SLAs), then activate the *Ecosystem Risk Ranker (CISA CPG 4.1)* skill. The agent will guide you through building the dependency map, assigning criticality, and validating SLA alignment. Re-run `sla_alignment_check` when SLAs or MAD change to keep evidence current.


