attachment c-cip.xls
7/25/2019 Attachment C-CIP.xls
Attachment "C" CIP Data List for Sampling
Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Samp
Colored Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirement
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Phase 2 - Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and subm for more details.
Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device populated with requested samples)
RFC Action Required: RFC supplies the Attachment C to the entity as part of the 90 day notification package. The CIP evidence lis scope.
Next Steps: After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampli establish and define a specific random sample set to audit against. The audit team will then send Evidence R audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five date of the Compliance Audit.
Standard Requirement
CIP-002-3 R1
CIP-002-3 R1.1
CIP-002-3 R1.2
CIP-002-3 R1.2.1
CIP-002-3 R1.2.2
CIP-002-3 R1.2.3
CIP-002-3 R1.2.4
CIP-002-3 R1.2.5
CIP-002-3 R1.2.6
CIP-002-3 R1.2.7
CIP-002-3 R2
CIP-002-3 R3
CIP-002-3 R4
CIP-003-3 R1
CIP-003-3 R1.1
CIP-003-3 R1.2
CIP-003-3 R1.3
CIP-003-3 R2
CIP-003-3 R2.1
CIP-003-3 R2.2
CIP-002
CIP-003-3 R2.3
CIP-003-3 R2.4
CIP-003-3 R3
CIP-003-3 R3.1
CIP-003-3 R3.2
CIP-003-3 R3.2
CIP-003-3 R3.3
CIP-003-3 R4
CIP-003-3 R4.3
CIP-003-3 R5
CIP-003-3 R5.1
CIP-003-3 R5.1.2
CIP-003-3 R5.2
CIP-003-3 R5.3
CIP-003-3 R6
CIP-003-3 R6
CIP-004-3 R1
CIP-004-3 R1
CIP-004-3 R2
CIP-004-3 R2.1
CIP-004-3 R2.2
CIP-004-3 R2.3
CIP-004-3 R3
CIP-004-3 R3
CIP-004-3 R3.1
CIP-004-3 R3.2
CIP-004-3 R3.3
CIP-004-3 R4
CIP-004-3 R4.1
CIP-004-3 R4.1
CIP-004-3 R4.2
CIP-006-3 R7
CIP-006-3 R8
CIP-006-3 R8.1
CIP-006-3 R8.2
CIP-006-3 R8.3
CIP-007-3 R1
CIP-007-3 R1
CIP-007-3 R1
CIP-007-3 R1.1
CIP-007-3 R1.2
CIP-007-3 R1.3
CIP-007-3 R2
CIP-007-3 R2.3
CIP-007-3 R3
CIP-007-3 R3
CIP-007-3 R3
CIP-007-3 R4
CIP-007-3 R4
CIP-007-3 R4
CIP-007-3 R5
CIP-007-3 R5.1.1
CIP-007-3 R5.1.2
CIP-007-3 R5.1.3
CIP-007-3 R5.2
CIP-007-3 R5.2
CIP-007-3 R5.3
CIP-007-3 R5.3
CIP-007-3 R5.3.1
CIP-007-3 R5.3.2
CIP-007-3 R5.3.3
CIP-007-3 R6
CIP-007-3 R6
CIP-007-3 R6.1
CIP-007-3 R6.2
CIP-007-3 R6.2
CIP-007-3 R6.3
CIP-007-3 R6.4, R6.5
CIP-007-3 R7
CIP-007-3 R7.3
CIP-007-3 R8
CIP-007-3 R8.1
CIP-007-3 R8.4
CIP-007-3 R8.4
CIP-007-3 R9
CIP-008-3 R1
CIP-008-3 R1.1
CIP-008-3 R1.2
CIP-008-3 R1.2
CIP-008-3 R1.2
CIP-008-3 R1.3
CIP-008-3 R1.3
CIP-008-3 R1.4
CIP-008-3 R1.4
CIP-008-3 R1.5
CIP-008-3 R1.6
CIP-008-3 R2
CIP-009-3 R1
CIP-009-3 R1
CIP-009-3 R1.1
CIP-009-3 R1.1
CIP-009-3 R1.2
CIP-009-3 R1
CIP-009-3 R2
CIP-009-3 R3
CIP-009-3 R4
CIP-009-3 R5
2. Evidence identified in this c
1. Evidence identified in this li audits or continued compliance all relevant evidence submitte compliance.
3. Evidence identified in this c
Provide Risk Based Assessment Methodology (RBAM)
Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on Critical Asset List
Provide evidence that all control centers and backup control centers were considered by the RBAM
Provide evidence that all special protection systems were considered by the RBAM
Provide evidence of any additional assets considered by the RBAM
Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list
Provide evidence of the assignment of a senior manager, including date of designation and effective date of any changes
Provide evidence that the assignment of the senior manager includes the required information
If applicable, provide the effective date of any change to the assignment of the senior manager
ReliabilityFirst CIP Evidence List
through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO,
Evidence.
Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-based
Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was performed at the substation level
Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was performed at the level of greatest commonality
Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets
If applicable, provide system restoration pla
Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the RBAM
Provide Critical Asset List derived through annual application of RBAM
Provide evidence of annual review of the Critical Asset list
Supporting Evidence
For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM
Provide list of Critical Cyber Assets
Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets
Supporting Evidence
If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should be 1) grouped by Critical Asset 2) have a unique identifier for the Cyber asset such as a device name 3) the type of Cyber Asset (e.g. server, workstation, network device, etc.) 4) The reliability functions the Cyber Asset supports 5) The network segments the Cyber Asset is connected to (network segment identifier or Class C address space as depicted on a network topology diagram). If a comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation of how the Cyber Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset and the list of Cyber Assets considered
Provide Cyber Security Policy
Supporting Evidence
Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-009-3
Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through CIP-009-3 and contains provision for emergency situations
Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily available to all personnel with authorized electronic or unescorted physical access to a Critical Cyber Asset
Provide evidence that each version of the cyber security policy, including any policy incorporated by reference, has been approved by the senior manager assigned per R2
For each exception to the cyber security policy, provide evidence of the date of approval
For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception
For each exception to the cyber security policy, provide evidence of any compensating measures
For each exception to the cyber security policy, provide evidence of the annual review
Provide information protection program
Provide evidence of an annual assessment of information protection program
Provide access control program
Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information
Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information
Provide evidence of annual review of access privileges
Provide evidence of the annual assessment of processes for controlling access privileges to protected information
Provide the process for change control and configuration management
Provide evidence that the change control and configuration management process has been implemented
Provide awareness program
Provide evidence of awareness reinforcement
Provide training material that addresses all of R2.2 and its sub requirements
Provide training documentation that includes annual training completion dates
Provide Personnel Risk Assessment program
Provide documentation that specifies when the PRA was conducted and when access was granted
Provide documentation that the PRA program includes all elements of R3.1
Provide documentation that the list(s) is reviewed quarterly and updated within seven days of a change of access
Provide documentation that access list(s) for contractors and service vendors are properly maintained
If applicable, provide evidence of delegation of authority, including the specific actions for which authority is delegated and the effective date of the delegation
If applicable, provide evidence that exceptions from the requirements of the cyber security policy were documented and authorized by the senior manager or delegate(s).
Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period
Provide Cyber Security Training Program
Supporting Evidence
Addresses to whom it applies, delivery, review, and update frequencies
Provide Training Documentation, i.e., attendance records
Supporting Evidence
Include all relevant personnel that documents date of authorization and date of training
Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for re-assessment
Provide documentation of assessment results for all relevant personnel
Supporting Evidence
Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4 list(s)
Contract agreements and associated documentation
Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights
Supporting Evidence
Documentation of authorized access approvals
Provide documentation that access is revoked within 24 for personnel terminated for cause and within seven calendar days for personnel who no longer need access
For each ESP, identify each Cyber Asset residing within the perimeter
For each ESP, identify each access point to the ESP
For each ESP, identify each cyber asset used in the access control of the ESP
For each ESP, identify each cyber asset used in the monitoring of the ESP
For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP
Provide the procedure for securing dial-up access to each ESP
For each access control device, provide the document identifying the content of the acceptable use banner
If is used to meet this requirement include information in the
Provide documentation of results of annual vulnerability assessment
If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation of annual review for all evidence for CIP-005
Provide evidence that updates to network control documentation were made within 90 days of a change
Provide Physical Security Plan
Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)
For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.
If is used to meet this requirement include information in the
For each PSP, provide evidence of a maintenance and testing program for all physical security systems
For each PSP, provide evidence of testing and maintenance of all physical security mechanisms
For each PSP, provide the retention period for the testing and maintenance records
For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring
Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures
Provide evidence that all cyber security controls have been included in the test plans
Provide documentation that testing was performed in a manner that minimizes impact to the production environment
Provide documentation that testing was performed in a manner that reflects the production environment
Provide documentation of test results
If is used to meet this requirement include information in the
Provide evidence of an annual review of user accounts to verify access privileges
Provide policy on use of administrator, shared, and other generic account privileges
Identify those individuals with access to shared accounts
Provide evidence that passwords adhere to 5.3 sub requirements as technically feasible
If is used to meet this requirement include information in the
audit trails. Provide evidence for the following dates
Date1 Date2 Date3 Date4 Date5
For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed.
Provide evidence for the following dates Date1 Date2 Date3 Date4 Date5
Provide roles and responsibilities
Provide incident handling procedure
Provide communication plans
Provide process for reporting incidents to the ES-ISAC
Provide process for updating response procedures
Provide evidence of annual review
Provide cyber security incident documentation
Provide Critical Cyber Asset Recovery Plans
List the Recovery plan that covers the selected cyber assets.
Provide conditions that would invoke the recovery plan
Provide recovery actions
Provide roles and responsibilities
Provide evidence of annual review
Provide documentation of changes to the recovery plan(s) and documentation of all communications
Provide documentation regarding the backup and storage of information
Provide documentation of annual testing of backup media
Notes
lumn must be submitted 40 days before the scheduled audit review date.
Provide evidence that all reportable incidents were reported to the ES-ISAC or an assertion that there have been no reportable incidents during the spot check period
Provide history of Response Plan updates or an assertion that there have been no updates made during the spot check period
Provide history of incident response tests conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) incident(s) or event(s) tested
Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) event(s) or condition(s) tested
ting is the result of each requirement. This listing is intended to provide guida
Submission of identified evidence does not guarantee a finding of compliance t
and make final determinations of compliance based upon the literal language o
lumn must be submitted as designated by ReliabilityFirst.
Not in Scope
OP, LSE, NERC, & RE
+0 3ays2 4on Request1
Not in Scope
Not in Scope
Not in Scope
Not in Scope
Not in Scope
See Device Sampling Tab
Not in Scope
Not in Scope
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Device Sampling Tab
Not in Scope
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
See Device Sampling Tab
Not in Scope
See Device Sampling Tab
Not in Scope
ce to the entities in preparation for their
o the requirement. ReliabilityFirst will revie
the requirement and the evidences proof of
Attachment "C" CIP Data List for Sampling Phase Instru
Please complete the following worksheets:
Critical Assets - Name of Critical Asset
Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, S
Responsible Registered Entity - For a combined audit of multiple registered entities
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of ESP containing Cyber Asset
PSP Name - Name of PSP containing Cyber Asset
Vendor - Name of vendor for identified Cyber Asset
Model - Model Name and Number of identified Cyber Asset
Virtual Machine - Enter
Colored Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirement
Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Phase 2 - Entity completes the three green colored tabs Critical Assets, Cyber Assets, and Personnel and subm
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Samp
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device populated with requested samples)
Next Steps:
After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampli establish and define a specific random sample set to audit against. The audit team will then send Evidence R audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five date of the Compliance Audit.
Critical Asset, Asset Function
1 D@EPARF PRI"ARG CDRD CR R1 G
2 DREPARF BACF-@P CDRD CR R2 G
3 C:ARCRF @BAID R3
Sequential number
Responsible Registered Entity
Indicate if Critical under Version 3 criteria
Ei%#
G "edi+m
G o
Indicate if Critical under Version 4 criteria
BES Cyber Systems Impact Rating Version 5 Criteria
1 A"PHABC D@EPARF A"PHPCC A
2 A"PH: DREPARF A"PHCC A
3 A"PHJEI D@EPARF A"PH@BAID A
4 A"PHKF D@EPARF A"PH@BAID A
5 A"PH"D D@EPARF A"PH@BAID A
Sequential number
Cyber Asset Name
Critical Asset where CCA resides
Name of ESP where CA resides
Nam where
Name, Access Type, Personnel Type
1 AA", IRA" P#si)a$ A))ess Co!ra)!or
2 AA"2, IRA"2 C/er A))ess edor
3 AA"3, IRA"3 Bo!# m$oee
4 AA"3, IRA"4 Pro!e)!ed Iorma!io o$ m$oee
Sequential number
Date of Termination
>A 12>15>2011 R1 G>
12>15>2011 12>15>2011 R2 G>
>A 1>3>2012 R3 G>
>A 1>3>2012 R3 G>
Date of Personnel Change
Responsible Registered Entity
Terminated for Cause
Vendor
Model
Sequential number
Critical Cyber Asset Name
Critical Asset where CCA resides
Name of ESP where CCA resides
Name of PSP where CCA resides
CCA
NCCA
AP
EACM
PACS
IOS Platform or Operating System
Virtual Machine
Asset Type
Supporting Organization
Cyber Asset Type
Responsible Registered Entity
CIP3 R6
Indicate if Critical under Version 3 criteria
Indicate if Critical under Version 4 criteria
BES Cyber Systems Impact Rating (Version 5 Only)
For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.
CIP6 R5 CIP6 R7 CIP7 R1
Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
(Supply for all PSPs that the Sampled Assets reside in)
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs. Provide evidence for the following dates Date1 Date2 Date3 Date4 Date5
(Supply for all PSPs that the Sampled Assets reside in)
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.
CIP7 R2 CIP7 R3 CIP7 R4
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.
CIP7 R5.1.2 CIP7 R6 CIP 9 R1
Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates Date1 Date2 Date3 Date4 Date5
For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates Date1 Date2 Date3 Date4 Date5
List the Recovery plan that covers the selected cyber assets.
Name, Access Type, Personnel Type, Entity
Name, Access Type, Personnel Type
Sequential number
Responsible Registered Entity
D$des! o
re)ord
RAIIJ PRA :A PR
2012:A
2013:A
A:AC DJRL@
: 'G>(
D:D
RCDR:
"D
RC
M
CECF
'G>(
7 GRCRI"IA
CECF
'G>(
CD CRIICA CGBR
R:AC:PRA A"PRL@:
'or mos!
re)e! PRA('G>(
'RC !o)om$e!e(
R:AC: PRAA"P
RCI: 'ormos! re)e! PRA(:A
A@EDRINAID
:A
JRA::A
C@RRA@ -ACI >
DACI
AGCEAJ
I ACC
RIJE'G>(
:ACEAJI:II
:
A - A@EDRIN: CGBR ACC
:ACEAJ
"A:
ACCRDCAI
D
RL@IR:'G>(
"PDG"
R"IA: DR
CA@'G>(
I G,R"IAI
D :A
ACCD
DJR
RL@IR:'G>(
I G,:A
I:II
:
ACCRDCAI
D :A
A@EDRINAID
:A
CRIICA CGBR A - A@EDRIN: @CDR: PEGICA ACC
JRA::A
C@RRA@ -ACI >
DACI
AGCEAJ
I ACC
RIJE'G>(
:ACEAJI:II
:
:ACEAJ
"A:
ACCRDCAI
D
RL@IR:'G>(
"PDG"
R"IA: DR
CA@'G>(
I G,R"IAI
D :A
PRA and Training
IGCD""
RCCD""
ACCD
DJR
RL@IR:'G>(
I G,:A
I:II
:
ACCRDCAI
D :A
Provide evidence of redacted background check and training records.
(Name of PDF file for submitted evidence)
CIP 6 R1.5 CIP 7 R5
Provide evidence for Review of access authorization requests and revocation of access authorization
(Name of PDF file for submitted evidence)
Provide evidence that the Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel
(Name of PDF file for submitted evidence)
Attachment "C" CIP Data List for Sampling Phase 2 Instructions
Please complete the following worksheets:
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of ESP containing Cyber Asset
PSP Name - Name of PSP containing Cyber Asset
Vendor - Name of vendor for identified Cyber Asset
Model - Model Name and Number of identified Cyber Asset
Virtual Machine - Enter
High/Medium/Low) - This is only relevant if Entity has incorporated or adopted CIP-002 Version 5 criteria
Attachment "C" CIP Data List for Sampling Phase 4 Instructions
Please complete the following worksheets:
Complete the required fields for each person
Colored Coded Tabs
Entity populates green tabs
Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Entity Action Required: Complete the Device Sample and Personnel Sample tabs per below instructions and return to RFC no later than forty (40) calendar days prior to the scheduled review date of the Compliance Audit.
Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)
Please provide an evidence file reference for each Standard/Requirement column listed that is not
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed)
3ate 'ame
:e)em/er 17, 2010 Bo/ Ga!es 1 Ii!ia$ re$ease o A!!a)#m
e/r+ar 15, 2011 Bo/ Ga!es 2 Added !e !o Cri!i)a$ ass
D)!o/er 19, 2011 Bo/ Ga!es 3
:e)em/er 19, 2011 Fris!ie P+r)e$$ 4 C#a%ed d+e da!e i is!
:e)em/er 20, 2011 R#oda Bramer 5
Ka+ar 23, 2012 R#oda Bramer 5.1
e/r+ar 23, 2012 odd #omso 5.2
K+e 25, 2012 Ko# Fe$$er#a$s 5.3 I)orora!ed m+$!i$e sam
K+$ 3, 2012 Ko# Fe$$er#a$s 5.4 Added Resosi/$e Re%is
A+%+s! 24, 2012 Ko# Fe$$er#a$s 5.5 I)$+ded eed/a)k s+%%e
ovem/er 15, 2012 Ko# Fe$$er#a$s 6 Re$ease i)$+di% is!r+)
ovem/er 28, 2012 Ko# Fe$$er#a$s 6.1 Re$ease i)$+di% is!r+)
Ka+ar 22, 2013 Ko# Fe$$er#a$s 6.2 A$i%ed C+s!om vide)e
"ar)# 7, 2013 Ko# Fe$$er#a$s 6.3 Ad=+s!ed :evi)e am$e
"a 10, 2013 Ko# Fe$$er#a$s 6.4
"a 31, 2013 Ko# Fe$$er#a$s 6.5
K+$ 11, 2013 Ko# Fe$$er#a$s 6.6
A+%+s! 22, 2013 Ko# Fe$$er#a$s 6.7 Removed Co$+m o Pe
6ersion'umber
Added a )#a%es !a/ ad10>1>2010 !#ro+%# !#e 90R6
Added Asse! +)!io e$Added edor? "ode$? P$ae$ds !o !#e CCA, o-CCC#a%ed a//revia!io !o Added eam$es !o !#e
1( C#a%ed e$d ;Asse! )$ari!?2( Added $!ers o ea)# 3( Removed C#a%es !a/4( Added ;:a!e o ermi
!a/.5( Added ;Cri!i)a$ Asse!; /a)k !o !#e Cri!i)a$ Asse!6( Added addi!ioa$ eam7( @da!ed !#e Is!r+)!io8( "oved Is!r+)!io !a/ 9( "oved !#e Persoe$ !
Added a ;Ges; or ;o; )oAsse!s, o-Cri!i)a$ C/eA$so +da!ed !#e Is!r+)!
Added )o$+ms A ad Ais!r+)!ios or #ase 2 a
Added )o$+ms ,,J !o CCo$+ms ,D,P !o :evi)e5 o !#e CIP !adards. AIs!r+)!ios !a/s.
:evi)e am$e "a!ri - A
Persoe$ sam$e !em$aCIP evide)e-)+s!omie -:e$e!ed $ie 108 'red+d:e$e!ed $ie 145 'red+d
C#a%ed P#ase 2 Is!r+)!i $ d d i i