attachment c-cip.xls

Upload: chinh-le-dinh

Post on 27-Feb-2018

  • 7/25/2019 Attachment C-CIP.xls

    Attachment "C" CIP Data List for Sampling

    Sequence of Completion

    Phase 1- RFC supplies Attachment C for entity to input required data.

    Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Samp

    Colored Coded Tabs

    Entity populates green tabs

    Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is

    Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirement

    Acronyms:

    EACM - Electronic Access Control and Monitoring

    AP - Access Point

    CCA - Critical Cyber Asset

    ESP - Electronic Security Perimeter

    NCCA - Non-Critical Cyber Asset

    PSP - Physical Security Perimeter

    PACS - Physical Access Control System

    Phase - Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and subm for more details.

    Phase - RFC performs sample selection and sends back to entity for detailed information requests (Device populated with requested samples)

    RFC Action Required: RFC supplies the Attachment C to the entity as part of the 23 day notification package. The CIP evidence lis scope.

    Next Steps: After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampli establish and define a specific random sample set to audit against. The audit team will then send Evidence R audited entity within 13 calendar days of receipt of a completed Attachment C and/or no later than sixty five date of the Compliance Audit.

    Standard Requirement

    CIP-002-3 R1

    CIP-002-3 R1.1

    CIP-002-3 R1.2

    CIP-002-3 R1.2.1

    CIP-002-3 R1.2.2

    CIP-002-3 R1.2.3

    CIP-002-3 R1.2.4

    CIP-002-3 R1.2.5

    CIP-002-3 R1.2.6

    CIP-002-3 R1.2.7

    CIP-002-3 R2

    CIP-002-3 R3

    CIP-002-3 R4

    CIP-003-3 R1

    CIP-003-3 R1.1

    CIP-003-3 R1.2

    CIP-003-3 R1.3

    CIP-003-3 R2

    CIP-003-3 R2.1

    CIP-003-3 R2.2

    CIP-002

    CIP-003-3 R2.3

    CIP-003-3 R2.4

    CIP-003-3 R3

    CIP-003-3 R3.1

    CIP-003-3 R3.2

    CIP-003-3 R3.2

    CIP-003-3 R3.3

    CIP-003-3 R4

    CIP-003-3 R4.3

    CIP-003-3 R5

    CIP-003-3 R5.1

    CIP-003-3 R5.1.2

    CIP-003-3 R5.2

    CIP-003-3 R5.3

    CIP-003-3 R6

    CIP-003-3 R6

    CIP-004-3 R1

    CIP-004-3 R1

    CIP-004-3 R2

    CIP-004-3 R2.1

    CIP-004-3 R2.2

    CIP-004-3 R2.3

    CIP-004-3 R3

    CIP-004-3 R3

    CIP-004-3 R3.1

    CIP-004-3 R3.2

    CIP-004-3 R3.3

    CIP-004-3 R4

    CIP-004-3 R4.1

    CIP-004-3 R4.1

    CIP-004-3 R4.2

    CIP-006-3 R7

    CIP-006-3 R8

    CIP-006-3 R8.1

    CIP-006-3 R8.2

    CIP-006-3 R8.3

    CIP-007-3 R1

    CIP-007-3 R1

    CIP-007-3 R1

    CIP-007-3 R1.1

    CIP-007-3 R1.2

    CIP-007-3 R1.3

    CIP-007-3 R2

    CIP-007-3 R2.3

    CIP-007-3 R3

    CIP-007-3 R3

    CIP-007-3 R3

    CIP-007-3 R4

    CIP-007-3 R4

    CIP-007-3 R4

    CIP-007-3 R5

    CIP-007-3 R5.1.1

    CIP-007-3 R5.1.2

    CIP-007-3 R5.1.3

    CIP-007-3 R5.2

    CIP-007-3 R5.2

    CIP-007-3 R5.3

    CIP-007-3 R5.3

    CIP-007-3 R5.3.1

    CIP-007-3 R5.3.2

    CIP-007-3 R5.3.3

    CIP-007-3 R6

    CIP-007-3 R6

    CIP-007-3 R6.1

    CIP-007-3 R6.2

    CIP-007-3 R6.2

    CIP-007-3 R6.3

    CIP-007-3 R6.4, R6.5

    CIP-007-3 R7

    CIP-007-3 R7.3

    CIP-007-3 R8

    CIP-007-3 R8.1

    CIP-007-3 R8.4

    CIP-007-3 R8.4

    CIP-007-3 R9

    CIP-008-3 R1

    CIP-008-3 R1.1

    CIP-008-3 R1.2

    CIP-008-3 R1.2

    CIP-008-3 R1.2

    CIP-008-3 R1.3

    CIP-008-3 R1.3

    CIP-008-3 R1.4

    CIP-008-3 R1.4

    CIP-008-3 R1.5

    CIP-008-3 R1.6

    CIP-008-3 R2

    CIP-009-3 R1

    CIP-009-3 R1

    CIP-009-3 R1.1

    CIP-009-3 R1.1

    CIP-009-3 R1.2

    CIP-009-3 R1

    CIP-009-3 R2

    CIP-009-3 R3

    CIP-009-3 R4

    CIP-009-3 R5

    2. Evidence identified in this c

    1. Evidence identified in this li audits or continued compliance all relevant evidence submitte compliance.

    3. Evidence identified in this c

    Provide Risk Based Assessment Methodology (RBAM)

    Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on Critical Asset List

    Provide evidence that all control centers and backup control centers were considered by the RBAM

    Provide evidence that all special protection systems were considered by the RBAM

    Provide evidence of any additional assets considered by the RBAM

    Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list

    Provide evidence of the assignment of a senior manager, including date of designation and effective date of any changes

    Provide evidence that the assignment of the senior manager includes the required information

    If applicable, provide the effective date of a change to the assignment of the senior manager

    ReliabilityFirst CIP Evidence List hrough CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO,

    Evidence.

    Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-based

    Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was performed at the substation level

    Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was performed at the level of greatest commonality

    Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets

    If applicable, provide system restoration plan

    Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the RBAM

    Provide Critical Asset List derived through annual application of RBAM

    Provide evidence of annual review of the Critical Asset list

    Supporting Evidence

    For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM

    Provide list of Critical Cyber Assets

    Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets

    Supporting Evidence

    If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should be 1) grouped by Critical Asset 2) have a unique identifier for the Cyber asset such as a device name 3) the type of Cyber Asset (e.g. server, workstation, network device, etc. 4) The reliability functions the Cyber Asset supports 5) The network segments the Cyber Asset is connected to (network segment identifier or Class C address space as depicted on a network topology diagram). If a comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation of how the Cyber Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset and the list of Cyber Assets considered

    Provide Cyber Security Policy

    Supporting Evidence

    Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-009-3

    Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through CIP-009-3 and contains provision for emergency situations

    Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily available to all personnel with authorized electronic or unescorted physical access to a Critical Cyber Asset

    Provide evidence that each version of the cyber security policy, including any policy incorporated by reference, has been approved by the senior manager assigned in per R2

    For each exception to the cyber security policy, provide evidence of the date of approval

    For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception

    For each exception to the cyber security policy, provide evidence of any compensating measures

    For each exception to the cyber security policy, provide evidence of the annual review

    Provide information protection program

    Provide evidence of an annual assessment of information protection program

    Provide access control program

    Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information

    Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information

    Provide evidence of annual review of access privileges

    Provide evidence of the annual assessment of processes for controlling access privileges to protected information

    Provide the process for change control and configuration management

    Provide evidence that the change control and configuration management process has been implemented

    Provide awareness program

    Provide evidence of awareness reinforcement

    Provide training material that addresses all of R2.2 and its sub requirements

    Provide training documentation that includes annual training completion dates

    Provide Personnel Risk Assessment program

    Provide documentation that specifies when the PRA was conducted and when access was granted

    Provide documentation that the PRA program includes all elements of R3.1

    Provide documentation that the list(s) is reviewed quarterly and updated within seven days of a change of access

    Provide documentation that access list(s) for contractors and service vendors are properly maintained

    If applicable, provide evidence of delegation of authority, including the specific actions for which authority is delegated and the effective date of the delegation

    If applicable, provide evidence of that exceptions from the requirements of the cyber security policy were documented and authorized by the senior manager or delegate(s).

    Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period

    Provide Cyber Security Training Program

    Supporting Evidence

    Addresses to whom it applies, delivery, review, and update frequencies

    Provide Training Documentation, i.e., attendance records

    Supporting Evidence

    Include all relevant personnel that documents date of authorization and date of training

    Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for re-assessment

    Provide documentation of assessment results for all relevant personnel

    Supporting Evidence

    Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4 list(s)

    Contract agreements and associated documentation

    Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights

    Supporting Evidence

    Documentation of authorized access approvals

    Provide documentation that access is revoked within 24 for personnel terminated for cause and within seven calendar days for personnel who no longer need access

    For each ESP, identify each Cyber Asset residing within the perimeter

    For each ESP, identify each access point to the ESP

    For each ESP, identify each cyber asset used in the access control of the ESP

    For each ESP, identify each cyber asset used in the monitoring of the ESP

    For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP

    Provide the procedure for securing dial-up access to each ESP

    For each access control device, provide the document identifying the content of the acceptable use banner

    If is used to meet this requirement include information in the

    Provide documentation of results of annual vulnerability assessment

    If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan

    Provide documentation of annual review for all evidence for CIP-005

    Provide evidence that updates to network control documentation were made within 90 days of a change

    Provide Physical Security Plan

    Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)

    For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.

    If is used to meet this requirement include information in the

    For each PSP, provide evidence of a maintenance and testing program for all physical security systems

    For each PSP, provide evidence of testing and maintenance of all physical security mechanisms

    For each PSP, provide the retention period for the testing and maintenance records

    For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring

    Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures

    Provide evidence that all cyber security controls have been included in the test plans

    Provide documentation that testing was performed in a manner that minimizes impact on the production environment

    Provide documentation that testing was performed in a manner that reflects the production environment

    Provide documentation of test results

    If is used to meet this requirement include information in the

    Provide evidence of an annual review of user accounts to verify access privileges

    Provide policy on use of administrator, shared, and other generic account privileges

    Identify those individuals with access to shared accounts

    Provide evidence that passwords adhere to 5.3 sub requirements as technically feasible

    If is used to meet this requirement include information in the

    audit trails. Provide evidence for the following dates

    Date1 Date2 Date3 Date4 Date5

    For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed.

    Provide evidence for the following dates

    Date1 Date2 Date3 Date4 Date5

    Provide roles and responsibilities

    Provide incident handling procedure

    Provide communication plans

    Provide process for reporting incidents to the ES-ISAC

    Provide process for updating response procedures

    Provide evidence of annual review

    Provide cyber security incident documentation

    Provide Critical Cyber Asset Recovery Plans

    List the Recovery plan that covers the selected cyber assets.

    Provide conditions that would invoke the recovery plan

    Provide recovery actions

    Provide roles and responsibilities

    Provide evidence of annual review

    Provide documentation of changes to the recovery plan(s) and documentation of all communications

    Provide documentation regarding the backup and storage of information

    Provide documentation of annual testing of backup media

    Notes

    lumn must be submitted 40 days before the scheduled audit review date.

    Provide evidence that all reportable incidents were reported to the ES-ISAC or an assertion that there have been no reportable incidents during the spot check period

    Provide history of Response Plan updates or an assertion that there have been no updates made during the spot check period

    Provide history of incident response tests conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) incident(s) or event(s) tested

    Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) event(s) or condition(s) tested

    ting is the result of each requirement. This listing is intended to provide guida. Submission of identified evidence does not guarantee a finding of compliance t and make final determinations of compliance based upon the literal language o

    lumn must be submitted as designated by ReliabilityFirst.

    Not in scope

    OP, LSE, NERC, & RE

    +0 3ays2 4on Request1

    Not in scope

    Not in scope

    Not in scope

    Not in scope

    Not in scope

    See Device Sampling Tab

    Not in scope

    Not in scope

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Personnel Sampling Tab

    See Device Sampling Tab

    Not in scope

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    See Device Sampling Tab

    Not in scope

    See Device Sampling Tab

    Not in scope

    ce to the entities in preparation for their o the requirement. ReliabilityFirst will revie the requirement and the evidences proof of

    Attachment "C" CIP Data List for Sampling Phase Instru

    Please complete the following worksheets:

    Critical Assets - Name of Critical Asset

    Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, S

    Responsible Registered Entity - For a combined audit of multiple registered entities

    Cyber Asset Name - Name of the Cyber Asset

    Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides

    ESP Name - Name of ESP containing Cyber Asset

    PSP Name - Name of PSP containing Cyber Asset

    Vendor - Name of vendor for identified Cyber Asset

    Model - Model Name and Number of identified Cyber Asset

    Virtual Machine - Enter

    Critical Asset    Asset Function

    1 D@EPARF PRI"ARG CDRD CR R1 G

    2 DREPARF BACF-@P CDRD CR R2 G

    3 C:ARCRF @BAID R3

    Sequential number

    Responsible Registered Entity

    Indicate if Critical under Version 3 criteria

    High

    Y Medium

    Y Low

    Indicate if Critical under Version 4 criteria

    BES Cyber Systems Impact Rating Version 5 Criteria

    1 A"PHABC D@EPARF A"PHPCC A

    2 A"PH: DREPARF A"PHCC A

    3 A"PHJEI D@EPARF A"PH@BAID A

    4 A"PHKF D@EPARF A"PH@BAID A

    5 A"PH"D D@EPARF A"PH@BAID A

    Sequential number

    Cyber Asset Name

    Critical Asset where CCA resides

    Name of ESP where CA resides

    Nam where

    Name    Access Type    Personnel Type

    1 AA", IRA" P#si)a$ A))ess Co!ra)!or

    2 AA"2, IRA"2 C/er A))ess edor

    3 AA"3, IRA"3 Bo!# m$oee

    4 AA"3, IRA"4 Pro!e)!ed Iorma!io o$ m$oee

    Sequential number

    Date of Termination

    >A 12>15>2011 R1 G>

    12>15>2011 12>15>2011 R2 G>

    >A 1>3>2012 R3 G>

    >A 1>3>2012 R3 G>

    Date of Personnel Change

    Responsible Registered Entity

    Terminated for Cause

    Vendor

    Model

    Sequential number

    Critical Cyber Asset Name

    Critical Asset where CCA resides

    Name of ESP where CCA resides

    Name of PSP where CCA resides

    CCA

    NCCA

    AP

    EACM

    PACS

    IOS Platform or Operating System

    Virtual Machine

    Asset Type

    Supporting Organization

    Cyber Asset Type

    Responsible Registered Entity

    CIP3 R6

    Indicate if Critical under Version 3 criteria

    Indicate if Critical under Version 4 criteria

    BES Cyber Systems Impact Rating (Version 5 Only)

    For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.

    CIP6 R5    CIP6 R7    CIP7 R1

    Provide evidence that Unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.

    (Supply for all PSPs that the Sampled Assets reside in)

    Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs. Provide evidence for the following dates

    Date1 Date2 Date3 Date4 Date5

    (Supply for all PSPs that the Sampled Assets reside in)

    Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.

    CIP7 R2    CIP7 R3    CIP7 R4

    For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled

    For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.

    For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.

    CIP7 R5.1.2    CIP7 R6    CIP 9 R1

    Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates

    Date1 Date2 Date3 Date4 Date5

    For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates

    Date1 Date2 Date3 Date4 Date5

    List the Recovery plan that covers the selected cyber assets.

    Name    Access Type    Personnel Type    Entity

    Name    Access Type    Personnel Type

    Sequential number

    Responsible Registered Entity

    D$des! o

    re)ord

    RAIIJ PRA :A PR

    2012:A

    2013:A

    A:AC DJRL@

    : 'G>(

    D:D

    RCDR:

    "D

    RC

    M

    CECF

    'G>(

    7 GRCRI"IA

    CECF

    'G>(

    CD CRIICA CGBR

    R:AC:PRA A"PRL@:

    'or mos!

    re)e! PRA('G>(

    'RC !o)om$e!e(

    R:AC: PRAA"P

    RCI: 'ormos! re)e! PRA(:A

    A@EDRINAID

    :A

    JRA::A

    C@RRA@ -ACI >

    DACI

    AGCEAJ

    I ACC

    RIJE'G>(

    :ACEAJI:II

    :

    A - A@EDRIN: CGBR ACC

    :ACEAJ

    "A:

    ACCRDCAI

    D

    RL@IR:'G>(

    "PDG"

    R"IA: DR

    CA@'G>(

    I G,R"IAI

    D :A

    ACCD

    DJR

    RL@IR:'G>(

    I G,:A

    I:II

    :

    ACCRDCAI

    D :A

    A@EDRINAID

    :A

    CRIICA CGBR A - A@EDRIN: @CDR: PEGICA ACC

    JRA::A

    C@RRA@ -ACI >

    DACI

    AGCEAJ

    I ACC

    RIJE'G>(

    :ACEAJI:II

    :

    :ACEAJ

    "A:

    ACCRDCAI

    D

    RL@IR:'G>(

    "PDG"

    R"IA: DR

    CA@'G>(

    I G,R"IAI

    D :A

    PRA and Training

    IGCD""

    RCCD""

    ACCD

    DJR

    RL@IR:'G>(

    I G,:A

    I:II

    :

    ACCRDCAI

    D :A

    Provide evidence of redacted background check and training records.

    (Name of PDF file for submitted evidence)

    CIP 6 R1.5    CIP 7 R5

    Provide evidence for Review of access authorization requests and revocation of access authorization

    (Name of PDF file for submitted evidence)

    Provide evidence that The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel

    (Name of PDF file for submitted evidence)

    Attachment "C" CIP Data List for Sampling Phase ) Instructions

    Please complete the following worksheets:

    Cyber Asset Name - Name of the Cyber Asset

    Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides

    ESP Name - Name of ESP containing Cyber Asset

    PSP Name - Name of PSP containing Cyber Asset

    Vendor - Name of vendor for identified Cyber Asset

    Model - Model Name and Number of identified Cyber Asset

    Virtual Machine - Enter High/Medium/Low) - This is only relevant if Entity has incorporated or adopted CP-33 Version 8 criteria

    Attachment "C" CIP Data List for Sampling Phase 4 Instructions

    Please complete the following worksheets:

    Complete the required fields for each person

    Colored Coded Tabs

    Entity populates green tabs

    Sequence of Completion

    Phase 1- RFC supplies Attachment C for entity to input required data.

    Entity Action Required: Complete the Device Sample and Personnel Sample tabs per below instructions and return to RFC no later than forty (40) calendar days prior to the scheduled review date of the Compliance Audit.

    Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)

    Please provide an evidence file reference for each Standard/Requirement column listed that is not

    Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed)

    Date    Name

    :e)em/er 17, 2010 Bo/ Ga!es 1 Ii!ia$ re$ease o A!!a)#m

    e/r+ar 15, 2011 Bo/ Ga!es 2 Added !e !o Cri!i)a$ ass

    D)!o/er 19, 2011 Bo/ Ga!es 3

    :e)em/er 19, 2011 Fris!ie P+r)e$$ 4 C#a%ed d+e da!e i is!

    :e)em/er 20, 2011 R#oda Bramer 5

    Ka+ar 23, 2012 R#oda Bramer 5.1

    e/r+ar 23, 2012 odd #omso 5.2

    K+e 25, 2012 Ko# Fe$$er#a$s 5.3 I)orora!ed m+$!i$e sam

    K+$ 3, 2012 Ko# Fe$$er#a$s 5.4 Added Resosi/$e Re%is

    A+%+s! 24, 2012 Ko# Fe$$er#a$s 5.5 I)$+ded eed/a)k s+%%e

    ovem/er 15, 2012 Ko# Fe$$er#a$s 6 Re$ease i)$+di% is!r+)

    ovem/er 28, 2012 Ko# Fe$$er#a$s 6.1 Re$ease i)$+di% is!r+)

    Ka+ar 22, 2013 Ko# Fe$$er#a$s 6.2 A$i%ed C+s!om vide)e

    "ar)# 7, 2013 Ko# Fe$$er#a$s 6.3 Ad=+s!ed :evi)e am$e

    "a 10, 2013 Ko# Fe$$er#a$s 6.4

    "a 31, 2013 Ko# Fe$$er#a$s 6.5

    K+$ 11, 2013 Ko# Fe$$er#a$s 6.6

    A+%+s! 22, 2013 Ko# Fe$$er#a$s 6.7 Removed Co$+m o Pe

    Version Number

    Added a )#a%es !a/ ad10>1>2010 !#ro+%# !#e 90R6

    Added Asse! +)!io e$Added edor? "ode$? P$ae$ds !o !#e CCA, o-CCC#a%ed a//revia!io !o Added eam$es !o !#e

    1( C#a%ed e$d ;Asse! )$ari!?2( Added $!ers o ea)# 3( Removed C#a%es !a/4( Added ;:a!e o ermi

    !a/.5( Added ;Cri!i)a$ Asse!; /a)k !o !#e Cri!i)a$ Asse!6( Added addi!ioa$ eam7( @da!ed !#e Is!r+)!io8( "oved Is!r+)!io !a/ 9( "oved !#e Persoe$ !

    Added a ;Ges; or ;o; )oAsse!s, o-Cri!i)a$ C/eA$so +da!ed !#e Is!r+)!

    Added )o$+ms A ad Ais!r+)!ios or #ase 2 a

    Added )o$+ms ,,J !o CCo$+ms ,D,P !o :evi)e5 o !#e CIP !adards. AIs!r+)!ios !a/s.

    :evi)e am$e "a!ri - A

    Persoe$ sam$e !em$aCIP evide)e-)+s!omie -:e$e!ed $ie 108 'red+d:e$e!ed $ie 145 'red+d

    C#a%ed P#ase 2 Is!r+)!i $ d d i i