This chapter presents a case study on how the United States manages emerging critical risks, focusing on the role of the Department of Homeland Security (DHS) and the broader Homeland Security Enterprise. This chapter provides an overview of the country’s system where many risks are managed locally, with federal agencies providing support, particularly for risks of national significance. This chapter expands on the role of DHS and its agencies in leading initiatives to prepare for emerging risks through exercises, public-private partnerships, and risk-specific programmes. This chapter examines current processes for integrating risk information into planning and highlights ongoing efforts to strengthen co-ordination and adaptability across agencies. While risk management responsibilities vary across federal entities, this chapter recognises that work continues to enhance strategic planning and response capabilities in an increasingly complex and dynamic risk landscape.
Managing Emerging Critical Risks
5. Country case study: United States
5.1. Background
The United States has undertaken initiatives in preparedness planning, risk assessment, early warning systems, public-private partnerships, and critical infrastructure protection, as examined in the report (OECD, 2023[1]) on the implementation of the OECD Recommendation on the Governance of Critical Risks [OECD/LEGAL/0405].
The National Preparedness Goal (U.S. Department of Homeland Security, 2015[2]) is a central component of U.S. risk management strategy. This goal outlines five mission areas—prevention, protection, mitigation, response, and recovery—along with 32 core capabilities aimed at addressing major national risks. FEMA issues the National Preparedness Report annually, which summarises progress and challenges in building and sustaining the capabilities needed to manage the greatest risks. This report supports decision-making across all levels of government, as well as in the private and non-profit sectors, by setting programme priorities and aligning resources with risk management needs (Federal Emergency Management Agency, 2022[3]).
While this case study recognises the role that the entire Federal interagency plays in risk management and incident response, it focuses specifically on the Homeland Security Enterprise¹ and its capabilities to manage emerging critical risks, in order to provide a deeper analytical look at United States capability.
DHS recognises its evolving role in managing emerging critical risks and has taken steps to begin the process of developing capabilities. Policy documents such as the National Security Memorandum on Critical Infrastructure and Resilience (NSM-22) aim to enhance risk identification and mitigation by involving Sector Risk Management Agencies responsible for each of the 16 critical infrastructure sectors and the private sector. Programmes such as the Homeland Security Exercise and Evaluation Program (HSEEP) provide a framework for conducting exercises to assess and improve preparedness capabilities in response to a range of emerging and other critical risks.
While DHS has taken positive steps to recognise and address emerging risks, challenges remain. The system largely relies on top-down risk identification, and there is no unified, robust process across the homeland security enterprise to holistically identify and assess emerging risks or directly connect those findings to strategic planning, policy, and budget decisions. Authorities and processes for managing aspects of emerging risks are decentralised and fragmented, leading to inconsistent identification, implementation, and accountability for management of emerging risks across risk types. The lack of a consistent DHS-wide after-action process hinders the consistent implementation of recommendations and accountability for policies to manage emerging risks. Efforts are underway in DHS to develop more flexible planning capabilities and to institutionalise improvements, but a fully matured, systematic approach has yet to be realised.
5.2. Institutional system for managing emerging critical risks
The United States follows a whole-of-society approach to anticipate and manage emerging critical risks. For many risks, such as natural hazards, the United States is governed by the principle of “locally executed, state managed, and federally supported”, while for other risks, like cyber, the Federal government plays a more active role. Across all risks, Federal executive agencies primarily play a supporting role in pre-incident risk reduction and post-incident response. Pre-incident risk management is typically the responsibility of agencies with subject matter expertise for particular substantive topics and varies widely based on the unique authorities and capabilities of those agencies, while incident response is more centralised.² The more emerging a risk is, the less notice society has to prepare, which could lead to a larger role for the Federal government. The Department of Homeland Security (DHS) and its components, such as the Federal Emergency Management Agency (FEMA), Cybersecurity and Infrastructure Security Agency (CISA), and United States Coast Guard (USCG) (among others)³, are commonly called upon to manage incidents of national significance and have begun proactively preparing for emerging critical risks.
The Homeland Security Enterprise (HSE) in the United States is a collective effort that involves not just DHS but also other Federal departments and agencies, state and local governments, the private sector, and the public. Together, these entities work to prevent critical risks, reduce vulnerabilities, and minimise the damage from disasters and attacks that do occur. It’s designed to ensure the security of the nation and its people by integrating efforts and sharing information across traditional organisational boundaries. The HSE is an evolving enterprise that aims to adapt to new threats and challenges.
As noted, Federal agencies work with state, local, tribal, and territorial governments to enhance national preparedness. While specific state-level activities are beyond the scope of this study, the co-ordination mechanisms between federal and state entities are discussed where relevant.
5.3. Emerging critical risks identified
There are many ways DHS and its components identify emerging risks. In a step towards proactively and systematically identifying Department-wide emerging risks, the Emerging Risks and Technologies (ERT) programme within the Science and Technology (S&T) Directorate is working to “establish a comprehensive, repeatable process for identifying emerging risks (including emerging technologies),” with a focus on anticipating risks “before any adverse impact to security can occur.” Specifically, DHS leverages assessments with “interagency, academic, industry and foreign partners” to identify emerging risks. S&T’s focus for the ERT programme’s first activity is on the following set of emerging technologies (U.S. Department of Homeland Security, 2023[4]), subject to modification according to evolving threats:
Intelligent swarms: Autonomous groups of systems working collectively, like drones or robots.
Synthetic pandemics: Engineered pathogens or bio threats created through biotechnology.
Additive manufacturing: Potential misuse of 3D printing technology for malicious purposes.
AI as a Threat Vector: Potential ways adversaries can use AI to create risks.
AI Information Integrity: How AI can be used to create fake content and disrupt information integrity.
Digital Personhood: How migration to digital environments can change our understanding of identity.
The Space domain and Critical Infrastructure: Security risks related to satellites, space assets, and extraterrestrial operations.
The Metaverse: How the expanded user base of the metaverse could change risk, particularly risk of exploitation.
Furthermore, CISA has leveraged research from many sources, including research performed by international bodies such as the OECD, WEF, IRGC, and NATO to identify several emerging risk areas and has developed structured initiatives that produce risk assessment information and risk management guidance. These areas include:
Position, Navigation, and Timing (PNT)
Space Weather
Space Systems Infrastructure
Smart Cities and Connected Communities
Quantum Computing
Artificial Intelligence
Information and Communications Technology Supply Chains
Supply Chain Disruptions
CISA’s view is that by considering a range of potential domains they increase capacity for systemic adaptation and that while it is important to consider emerging risks, it is also critical to consider many types of risks across a range of systemic conditions.
5.4. Findings
5.4.1. Identify emerging critical risks
The United States is progressing in its approach to identifying emerging critical risks. The country has recognised the need to improve its identification of emerging critical risks and has initiated efforts to develop more systematic processes. However, the current approach remains largely top-down and lacks a fully matured, consistent method across departments and agencies.
Processes: DHS has initiated efforts to improve the identification of emerging critical risks, including through the Secretary’s release of strategic guidance to guide critical infrastructure security and resilience efforts by federal agencies, critical infrastructure owners and operators, and other government and private sector stakeholders. The issuance of NSM-22 in April 2024 aims to institutionalise risk identification by involving the private sector and Sector Risk Management Agencies to assess risks and inform a national risk management plan. NSM-22 establishes a two-year risk management cycle that prioritises the identification and mitigation of critical infrastructure risk at the asset, sector, and national levels (Mayorkas, 2024). However, the process has not yet been fully implemented.
While we have a foundation, the process hasn't fully matured, and most risk identification remains top-down. (Interview US-1)
Methodologies: Within DHS, components have their own methods for assessing risks relevant to their missions. There have been pilot projects, such as collaborating with RAND to produce structured assessments on emerging risks, but these efforts are limited in scope and pace. An interviewee described the piloted work with RAND as slow, taking three to four years for ten papers on emerging risks. When considering a five to ten-year time horizon, this is too slow.
CISA, USCG, and FEMA have mission-centric approaches to incorporating emerging risks into their planning activities. For example, CISA applies strategic foresight to identify important potential advances in technologies and novel applications of existing technologies to enable risk management across critical infrastructures. This approach supports the early identification of nationally significant emerging risks and the co-ordinated consideration of cross-sector risks within the critical infrastructure stakeholder community. Successful areas of recent engagement include artificial intelligence and supply chain risk management. However, the complexity of the emerging risk landscape could be more comprehensively addressed by incorporating signals of potential changes from a wider variety of sources, across Federal departments and agencies and the broader stakeholder community.
Top-down Approach: The identification of emerging risks is largely driven by senior leadership's focus. An interviewee described the identification process as top-down, with senior leadership raising concerns based on intelligence briefings, trends in risk data, or other information.
Challenges: The subject-matter-based approach of the United States government means that departments and agencies concentrate on their specific areas, which can lead to gaps in identifying cross-cutting emerging risks:
When something occurs requiring a response before this process happens, there's an inherent gap. (Interview US-1)
Additionally, while NSM-22 is building maturity of assessment across critical infrastructure (which represents a significant amount of the Nation’s risk) there is no dedicated office within DHS responsible for risk assessment across the entire homeland security enterprise, which hampers the development of a cohesive strategy for emerging risk identification. For the critical infrastructure domain, emerging risk identification is performed by a dedicated team at CISA’s National Risk Management Center. CISA has also convened interagency and cross-sector bodies with public and private sector representatives for certain emerging risk areas such as ICT Supply Chains, Artificial Intelligence, Space Weather, Space Infrastructure and resilient Position, Navigation, and Timing signalling.
Efforts to Improve: Previously mentioned initiatives such as NSM-22 and the DHS Science and Technology Directorate's Emerging Risks and Technologies (ERT) Program aim to enhance the identification of emerging risks. However, these initiatives are still developing, and their effectiveness in creating a systematic approach remains to be seen.
5.4.2. Assess and share information about emerging critical risks
The United States has a progressing approach to assessing and sharing information about emerging critical risks, though challenges remain in achieving a fully integrated system.
Mandate to Share: The National Preparedness Goal highlights the need to "Deliver coordinated, prompt, reliable, and actionable information to the whole community through the use of clear, consistent, accessible... methods to effectively relay information regarding any threat or hazard..." (U.S. Department of Homeland Security, 2015), while the National Security Memorandum on Critical Infrastructure Security and Resilience asserts that “The appropriate sharing of timely, actionable information... among Federal, State, local, Tribal, and territorial entities; owners and operators; and other relevant stakeholders, is essential for effective risk management” (President of the United States, 2024[5]).
Information Sharing Mechanisms: A DHS memorandum (Mayorkas, 2024) on priorities for critical infrastructure outlines the need for collaboration with Sector Risk Management Agencies and the private sector to identify and mitigate risks. Priority areas include cyber threats, artificial intelligence, supply chain vulnerabilities, climate risks, and dependencies on space systems.
Efforts have been made to enhance information sharing about emerging risks across federal agencies and with external partners. CISA is one agency tasked with this. According to the Secretary of Homeland Security's memorandum, "As the National Coordinator for the security and resilience of critical infrastructure, the CISA Director will drive efforts by Sector Risk Management Agencies, other Federal departments and agencies, owners and operators, and others in the critical infrastructure community to address these priority risks" (Mayorkas, 2024[6]).
Challenges in Information Sharing: An interviewed official asserted that “There's no structured process across the entire homeland enterprise” (Interview US-1) for conducting tailored risk assessments and sharing information. The official also noted that while components may share information within their domains, there is no dedicated office within DHS responsible for risk assessment across the entire homeland security enterprise.
This decentralisation hampers the development of a cohesive strategy for emerging risk identification and information sharing. (Interview US-1)
5.4.3. Assess management maturity and identify gap areas
The United States exhibits a combination of progressing and established levels of maturity in assessing management capabilities for known risks but faces challenges in evaluating and addressing gaps related to certain emerging critical risks, particularly unknown unknowns. The absence of a unified, robust process and reliance on top-down identification hinder proactive gap identification and management capability assessment.
Management Maturity for Known Risks: For known knowns and known unknowns, US government departments and agencies have established processes to assess management capabilities and identify gaps within their specific domains:
Departments or agencies with clear responsibility likely have processes—structured risk assessments, horizon scanning, or foresight efforts—to identify challenges. (Interview US-1)
Top-Down Risk Identification: "Most of our risk identification is top-down, with senior leadership raising concerns based on intelligence briefings or other information" (Interview US-1). Without a structured assessment process to inform leadership, their picture will not be as comprehensive as it could be.
Efforts to Improve Management Assessment: NSM-22 establishes a two-year risk management cycle that prioritises the identification and mitigation of critical infrastructure risk at the asset, sector, and national levels (Mayorkas, 2024). It emphasises the need to "identify areas of concentrated risk and systemically important entities to inform the government's ability to manage risk" (Mayorkas, 2024[6]). However, the process has not yet been fully implemented, and until then "we don't yet have a consistent, executable process with clear deliverables and prioritisation" (Interview US-1).
The Department has begun incorporating emerging risk consideration into existing processes and documents, attempting to expand response and management capabilities to account for unexpected incidents. "We're making progress but still have much growing to do" (Interview US-1).
CISA is also planning to enhance its ability to account for emerging risks in line with NSM-22. A new risk management cycle will inform the development of the 2025 National Infrastructure Risk Management Plan (National Plan), which aims to guide federal efforts to secure and protect critical infrastructure in the coming years. “This assessment will enable CISA to prioritise systemic risk reduction efforts—detailed in the National Plan—that the United States government will take in collaboration with relevant federal, state and local, private, and international partners” (Easterly, 2024[7]).
Absence of Overall Responsibility:
A government official highlighted varying levels of maturity in terms of managing different categories of risks:
Known Knowns and Known Unknowns: The United States is more mature in managing these risks. “For the known knowns and known unknowns, as long as the issue is known, there's an opportunity for someone to have assigned responsibility.”
Unknown Unknowns: Significant challenges exist in managing these risks. “For risks without historical precedent, unexpected events, or those lacking existing authorities... we face significant challenges”. To address this challenge, DHS has begun to prioritise future research into how to use risk management to reduce strategic surprise.
5.4.4. Develop and prioritise recommendations for managing identified risks and coping with uncertainty
The United States is progressing in developing and prioritising recommendations for managing identified risks and coping with uncertainty, particularly in areas that have gained leadership attention. However, the absence of a structured, systematic process across the homeland security enterprise hinders the consistent development and prioritisation of recommendations.
Challenges in integrating risk assessments into policy and budgeting decisions and in assigning responsibility for emerging risks affect the ability to manage risks effectively and cope with uncertainty.
Prioritisation Based on Leadership Focus: The development and prioritisation of recommendations are often driven by leadership focus on specific risks:
When something has leadership focus, it can unlock various actions, but there's no structured process for considering changes in risk in a holistic way. (Interview US-1)
For instance, when artificial intelligence became a priority, the White House issued an executive order (President of the United States, 2023[8]), leading the Secretary and heads of other federal agencies to take specified actions to prioritise this issue, including associated risks.
Challenges with Emerging Risks: At the headquarters level, DHS lacks a robust method to objectively evaluate changes in the risk environment and elevate them to leadership for prioritisation. Integrating the findings across component risk assessments into policy and budgeting decisions remains a challenge.
We lack robust processes to assess risks and integrate them into priorities, policies, and budgets. (Interview US-1)
The National Infrastructure Risk Management Plan 2025 will acknowledge that making all critical infrastructure immune from all threats is not feasible. It focuses on enhancing resilience against prioritised risks based on sector-specific and cross-sector risk assessments. The director of CISA refers to emerging risks in stating that “we must collectively address emergent risks and an uncertain future while remaining vigilant against longstanding threats like terrorism, natural disasters, and targeted violence.” (Easterly, 2024) It remains to be seen how the process envisaged will translate into the development of prioritised recommendations for managing risks, especially emerging critical risks.
Ad Hoc Development of Recommendations: Recommendations are often developed in response to immediate concerns, and no evidence was found of a systematic process. Nascent initiatives, such as NSM-22’s call for DHS to outline priority risk areas and co-ordinated efforts to address them, look to address this gap (Mayorkas, 2024[6]). The memorandum emphasises the need to "address a range of emergent and complex risks" and to "prioritise mitigations that reduce the frequency—and more importantly the consequences—of adverse incidents when they occur" (Mayorkas, 2024[6]). However, the process of translating these priorities into actionable recommendations and integrating them into existing strategies is untested.
Challenges in Assigning Responsibility: The lack of a comprehensive process for assessment of emerging critical risks and responsibility for managing them impedes the ability to determine management maturity. Assigning responsibility for risks and corresponding recommendations is challenging due to a lack of incentives and clear authorities. An official noted, "Assigning responsibility for risks is challenging due to lack of incentives. Leadership may be reluctant to take on additional responsibilities without corresponding resources, as failure could result in blame" (Interview). This challenge affects the ability to develop and prioritise recommendations, as there may be reluctance to own emerging risks without designated authority or resources. The NSM-22 risk management cycle includes a review of authorities and identification of gaps as an intentional way to address this challenge.
Coping with Uncertainty: There is evidence of favouring an all-hazards approach to risk management, which for many aspects of risk management is a preferred approach for preparing for uncertainty. Presidential Policy Directive 8 establishes a national preparedness system, which includes a series of integrated planning frameworks, such as the National Response Framework (NRF). The NRF, which is a guide to how the nation responds to all types of disasters and emergencies, endorses an all-hazards approach to risk management. “The NRF is built on scalable, flexible, and adaptable concepts identified in the National Incident Management System (NIMS) to align key roles and responsibilities across the Nation.” (Federal Emergency Management Agency (FEMA), 2019[9])
Flexible incident co-ordination structures are a strength in the United States’ management of emerging critical risks; however, as risks continue to grow more complex, those co-ordination structures need to continue to mature and incorporate organisations that have less experience and less well-defined roles within incident response.
The NSM-22 risk assessment cycle for both sector-specific and cross-sector risks includes the development of reasonable worst case planning scenarios in collaboration with partners. The process of convening public and private sector partners and developing planning scenarios that are plausible and severely consequential forces the examination of several uncertain factors. The goal in using these reasonable worst case planning scenarios is that mitigations would also be effective for less severe events.
We need to develop flexible response capabilities that work for current systems and future unforeseen events. (Interview US-1)
5.4.5. Emerging risk exercise series
The United States demonstrates a progressing level of maturity in conducting emerging critical risk exercise series, with initiatives aimed at improving preparedness for multiple hazards. Efforts such as integrating cyber and physical response teams demonstrate progress in addressing new threat landscapes. However, explicit focus on emerging critical risks is still in its early stages.
Exercise Guidance: A key part of the United States’ exercise work is the Homeland Security Exercise and Evaluation Program. HSEEP is a framework developed by FEMA to guide organisations in planning, conducting, and assessing exercises aimed at improving national preparedness. It offers a consistent methodology for exercise programme management, design and development, conduct, evaluation, and improvement planning: “a progressive approach includes the use of various exercises aligned to a common set of programme priorities and objectives with an increasing level of complexity over time” (Federal Emergency Management Agency, 2024[10]). Furthermore, the integration of the whole community into the exercise planning and execution process enhances information sharing and collaboration. This would be an asset for addressing the complexities of emerging risks. Components such as CISA and FEMA exercise emerging risk areas such as cybersecurity, extreme weather events and space weather impacts on infrastructure, which is significant progress. This case study did not identify any exercises testing responses to the emergence of a risk (as opposed to impacts during incident response), as envisioned in the Framework.
Exercises Based on Specific Scenarios: The Department of Homeland Security (DHS) conducts exercises to test and validate plans for managing incidents:
Recently, we exercised a newly developed doctrine and Plan. Senior leaders participated in hypothetical scenarios to assess execution, identify gaps, and discuss responsibilities, which helped adjust plans and foster discussions on varying scenarios. (Interview US-1)
The NSM-22 risk management process for sector-specific and cross-sector risks generates planning scenarios as described above, co-ordinated with public and private sector partners. Where mitigation planning engagement identifies gaps in authorities, responsibilities,
Challenges in Institutionalisation: While exercises have been conducted to prepare for emerging risks, there is no documentation of them being institutionalised in a systematic way. This indicates a reliance on individual initiatives rather than a structured, enduring process.
After-Action Reviews and Learning: After exercises, the National Exercise Programme conducts hot washes and produces after-action reports summarising conclusions and needed changes to plans. However, the official highlighted that the after-action processes are not comprehensive:
DHS does not conduct a government-wide after-action process for disasters that provides cross-cutting recommendations to all parties involved. (Interview US-1)
Limitations and Areas for Improvement: There is recognition that more needs to be done to conduct exercises focused specifically on emerging risks.
We recognise the need to conduct more emerging risk-focused exercises as outlined in the framework. (Interview US-1)
Furthermore, because exercises are designed to validate and test plans, the success of emerging risk exercises is partially tied to implementation of other aspects of the framework. The more we plan for emerging risks, the more they will be exercised.
5.4.6. Develop flexible and adaptable strategic plans for emerging risks
The United States is progressing in developing flexible and adaptable strategic plans for emerging risks. Initiatives such as scenario-agnostic planning and the integration of cyber and physical response teams demonstrate movement toward more flexible strategies. However, challenges in fully institutionalising these practices and the reliance on ad hoc efforts limit the maturity of strategic planning.
Adaptation of Planning Processes: The upcoming National Infrastructure Risk Management Plan intends to adopt a new risk assessment cycle to incorporate emerging threats (Easterly, 2024[7]). An interviewee also noted that DHS is adapting its planning approaches to be more flexible and responsive to emerging risks. The official described different approaches to planning:
Plans based on specific risks with representative scenarios.
Mid-level scenario-agnostic plans where a condition is assumed without specifying the cause (e.g. significant power outage).
Truly scenario-agnostic plans for any major incident requiring mobilisation.
Benchmarking against specific scenarios helps test the plan under stressful conditions. The idea is to invest in a base plan that outlines policies, procedures, and organisational structures applicable regardless of the specific scenario, allowing leadership to adjust based on circumstances. (Interview US-1)
Integration of New Threats and Capabilities: DHS recognises that emerging risks require thinking beyond traditional roles and integrating new players and capabilities.
Emerging risks force us to think beyond these traditional roles and consider wider impacts, such as economic effects or other areas not typically part of emergency management. (Interview US-1)
Interview responses indicated that efforts are underway to develop plans that incorporate additional stakeholders and missions into FEMA's National Response Coordination Center (the operation centre, located at FEMA headquarters, that co-ordinates federal support for major disasters).
Integration of Emerging Risks: Planning, exercises, and real-world response are beginning to incorporate considerations of emerging risks. For example, during Russia’s war of aggression against Ukraine, DHS formed the Domestic Preparedness and Response Unified Coordination Group, integrating cyber experts from CISA and physical consequence management experts from FEMA into a co-ordinated incident response.
This was the first time we integrated cyber and physical response in this way, recognising the potential for cyber-physical consequences and the need to co-ordinate accordingly. (Interview US-1)
This example demonstrates progress in developing flexible plans that can address complex, emerging threats.
5.4.7. Implement recommendations
The United States exhibits a progressing level of maturity in implementing recommendations for managing emerging critical risks, integrating some initiatives into existing processes but facing challenges in establishing a consistent and systematic approach.
Integration into Existing Processes: DHS works to incorporate recommendations into existing strategic, policy, and budgetary processes when emerging risks gain leadership attention. For example, after the Colonial Pipeline ransomware incident, DHS conducted senior-level interviews to identify areas for improvement and made recommendations to leadership. Once Russia's invasion of Ukraine occurred, these recommendations became a high priority. The government official stated, "We implemented them, and since then, we've been working to institutionalise these improvements" (Interview US-1).
Efforts to Institutionalise Improvements: DHS is making efforts to institutionalise improvements and recommendations. DHS has recently developed multiple pieces of doctrine, policy, and plans in support of managing emerging critical risk and is working to implement Presidential guidance such as NSM-22. Despite this progress, DHS would still benefit from maturing its system for connecting risk identification and assessment of emerging critical risks with budget, strategy, and policy development processes.
5.5. Conclusions drawn
Table 5.1. Main findings from the United States case study
The table below summarises the main findings of this case study.
| Stage of Risk Management | Maturity Level |
|---|---|
| 1. Identify Emerging Critical Risks | Progressing: The United States recognises the need to improve its identification of emerging critical risks and has initiated efforts like NSM-22 and the DHS Emerging Risks and Technologies (ERT) Program, but the process is not yet fully matured and remains largely top-down. |
| 2. Assess and Share Information About Emerging Critical Risks | Progressing: There are mandates and initiatives to share information on emerging risks, such as collaboration with SRMAs and the private sector, but challenges like decentralisation and varying assessment methodologies hinder a fully integrated system. |
| 3. Assess Management Maturity and Identify Gap Areas | Progressing-Established: The United States has established processes for known risks within specific domains, but lacks a unified, robust process for assessing management capabilities and identifying gaps for emerging critical risks across the entire homeland security enterprise. |
| 4. Develop and Prioritise Recommendations for Managing Identified Risks and Coping with Uncertainty | Progressing: Recommendations are developed when risks gain leadership attention, but there is no structured, systematic process across the enterprise, and challenges exist in integrating risk assessments into policy and budgeting decisions. |
| 5. Emerging Risk Exercise Series | Progressing: While initiatives like the Homeland Security Exercise and Evaluation Program (HSEEP) are relatively mature for traditional exercises, the concept of exercising emerging critical risks is still relatively new. DHS has taken steps to incorporate aspects of emerging critical risk management and scenarios into their exercises, but formal emerging risk exercises require more maturity, such as development of methodologies and incorporation into doctrine and priorities. |
| 6. Develop Flexible and Adaptable Strategic Plans for Emerging Risks | Progressing: Efforts are underway to develop flexible plans and integrate new threats into strategic plans, such as the upcoming National Infrastructure Risk Management Plan, but these practices are not yet fully institutionalised. |
| 7. Implement Recommendations | Progressing: Some recommendations are integrated into existing processes when they gain leadership attention, but the absence of a direct process connecting identification and assessment of emerging critical risks to budget, strategy, and policy development hinders consistent implementation. |
5.5.1. Main strengths
The United States has recognised the importance of improving the identification and management of emerging critical risks. Initiatives like NSM-22 establish a framework for involving Sector Risk Management Agencies and the private sector in risk assessment and management planning. DHS’ Emerging Risks and Technologies (ERT) Program aims to develop a comprehensive process for identifying and prioritising emerging risks. Agencies like CISA are attempting to conduct tailored risk assessments based on leadership concerns, and there is movement toward more flexible, scenario-agnostic planning to address unexpected incidents. In recent years, DHS has also significantly improved its maturity in managing unexpected and complex incidents.
5.5.2. Main gaps and actions for consideration
The absence of a unified, robust process for identifying and managing emerging critical risks across the homeland security enterprise is a significant gap. Risk identification remains largely top-down, and there is no dedicated office within DHS responsible for comprehensive risk assessment. Challenges in rapidly assigning responsibility for emerging risks and fragmented after-action processes hinder the development and implementation of recommendations. Institutionalising flexible and adaptable strategic planning practices is needed to ensure consistent preparedness for emerging risks, regardless of immediate leadership focus.
5.6. Country evidence used
5.6.1. Documents
Burrows, M., 2012. Global Trends 2030: Alternative Worlds. US National Intelligence Council.
Clark, J., 2023. Cooperation Across DOD, Private Sector Critical Amid Emerging Cyber Threats. US Dep. Def. URL https://www.defense.gov/News/News-Stories/Article/Article/3519167/cooperation-across-dod-private-sector-critical-amid-emerging-cyber-threats (accessed 11.14.24).
Easterly, J., 2024. A Plan to Protect Critical Infrastructure from 21st Century Threats. Purp. Natl. Infrastruct. Risk Manag. Plan. URL https://www.cisa.gov/news-events/news/plan-protect-critical-infrastructure-21st-century-threats (accessed 11.12.24).
FEMA, 2024a. 2022-2026 FEMA Strategic Plan. U.S. Department of Homeland Security, Washington, DC.
FEMA, 2024b. Homeland Security Exercise and Evaluation Program [WWW Document]. URL https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep (accessed 11.11.24).
FEMA, 2022. National Preparedness Report. U.S. Department of Homeland Security, Washington, DC.
Joint Task Force Transformation Initiative, 2018. Risk management framework for information systems and organizations: a system life cycle approach for security and privacy (No. NIST SP 800-37r2). National Institute of Standards and Technology, Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-37r2
Mayorkas, A.N., 2024. Strategic Guidance and National Priorities for U.S. Critical Infrastructure Security and Resilience (2024-2025).
OECD, 2023. Report on the Implementation of the OECD Recommendation on the Governance of Critical Risks (No. C(2023)163). OECD Publishing, Paris.
President of the United States, 2024. National Security Memorandum on Critical Infrastructure Security and Resilience [WWW Document]. White House. URL https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/ (accessed 11.12.24).
President of the United States, 2023. Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence [WWW Document]. White House. URL https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/ (accessed 11.13.24).
President of the United States, 2003. Management of Domestic Incidents.
U.S. Department of Health & Human Services, 2022. National Biodefense Strategy and Implementation Plan. U.S. Federal Government, Washington, DC.
U.S. Department of Health & Human Services, 2024. Technical Resources [WWW Document]. ASPR TRACIE. URL https://asprtracie.hhs.gov//technical-resources (accessed 11.14.24).
U.S. Department of Homeland Security, 2024. Homeland Security Enterprise [WWW Document]. Homel. Secur. URL https://www.dhs.gov/topics/homeland-security-enterprise (accessed 11.20.24).
U.S. Department of Homeland Security, 2023. Emerging Risks and Technologies Fact Sheet, Science and Technology. Washington, DC.
U.S. Department of Homeland Security, 2015. National Preparedness Goal. U.S. Federal Government, Washington, DC.
U.S. Government Accountability Office, 2018. Long-Range Emerging Threats Facing the United States as Identified by Federal Agencies (Report to Congressional Committees No. GAO-19-204SP), National Security. U.S. Federal Government, Washington, DC.
Williams, D.M., Avery, V.F., Coombs, M.L., Cox, D.A., Horwitz, L.R., McBride, S.K., McClymont, R.J., Moran, S.C., 2020. U.S. Geological Survey 2018 Kīlauea Volcano eruption response in Hawai’i—After-action review (No. 2020–1041), Open-File Report. U.S. Geological Survey. https://doi.org/10.3133/ofr20201041
5.6.2. Interviews
Anonymised and referenced in the text as US-1 and US-2
DHS official, covering the case study as a whole [4 September 2024]
FEMA official, covering science and technology capabilities [7 October 2024]
References
[7] Easterly, J. (2024), A Plan to Protect Critical Infrastructure from 21st Century Threats, https://www.cisa.gov/news-events/news/plan-protect-critical-infrastructure-21st-century-threats (accessed on 12 November 2024).
[10] Federal Emergency Management Agency (2024), Homeland Security Exercise and Evaluation Program, https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep (accessed on 11 November 2024).
[3] Federal Emergency Management Agency (2022), National Preparedness Report, U.S. Department of Homeland Security.
[9] Federal Emergency Management Agency (FEMA) (2019), National Response Framework, https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf.
[6] Mayorkas, A. (2024), Strategic Guidance and National Priorities for U.S. Critical Infrastructure Security and Resilience (2024-2025).
[1] OECD (2023), Report on the Implementation of the OECD Recommendation on the Governance of Critical Risks, OECD Publishing, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0405.
[5] President of the United States (2024), National Security Memorandum on Critical Infrastructure Security and Resilience, https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/ (accessed on 12 November 2024).
[8] President of the United States (2023), Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/ (accessed on 13 November 2024).
[11] President of the United States (2003), Management of Domestic Incidents.
[12] U.S. Department of Homeland Security (2024), Homeland Security Enterprise, https://www.dhs.gov/topics/homeland-security-enterprise (accessed on 2024).
[4] U.S. Department of Homeland Security (2023), Emerging Risks and Technologies Fact Sheet, Science and Technology, U.S. Department of Homeland Security.
[2] U.S. Department of Homeland Security (2015), National Preparedness Goal.
Notes
1. The Department of Homeland Security was formed in the wake of the terrorist attacks of September 11, 2001, as part of a determined national effort to safeguard the United States against terrorism. The Department became the third-largest federal department, bringing together 22 different federal agencies, each with a role in this effort. Since the Department's creation, the goal has been to unify homeland security as one “enterprise”, with a shared vision and integrated results-based operations (U.S. Department of Homeland Security, 2024[12]).
2. Direction for how the interagency co-ordinates incident response can be found in documents like the National Response Framework under Presidential Policy Directive 8, Presidential Policy Directive 44, and Homeland Security Presidential Directive 5.