CIP-003-7 & CIP-003-8
Effective Dates
August 15, 2019
Holly EddyCISA, CRISC, CISSP
Auditor, Cyber Security
▪ CIP-003-7 and CIP-003-8 Effective Dates
▪ Changes between CIP-003-7 and CIP-003-8
▪ Review of Section 5.2.2
▪ Implementation Dates
2
Agenda
▪ January 1, 2020
• CIP-003-7 will be subject to enforcement
▪ April 1, 2020
• CIP-003-8 will be subject to enforcement
*Please note approval has not been published in the Federal Register as of this date.
Between January 1 and March 31, 2020, entities
must afford protections required by CIP-003-7.
3
What’s effective? When?
▪ No changes to:
• R1, R3, R4
• R2 Attachment 1, Sections 1, 2, 3, and 4
4
CIP-003-8
▪ Updates to Applicability; removing—
• Special Protection System from 4.1.2.2 and 4.2.1.2
• Interchange Coordinator or Interchange
Authority as criterion 4.1.5
▪ Section 5.2 of Attachment 1
• 5.2.1 “The use of” is now “Use”
• Added Section 5.2.2
◦ Example evidence in Attachment 2 and G&TB
5
Changes Between CIP-003-7 and CIP-003-8
▪ Added Section 5.2.2:
• “For any method used pursuant to 5.2.1, Responsible
Entities shall determine whether any additional
mitigation actions are necessary and implement such
actions prior to connecting the Transient Cyber Asset.”
6
CIP-003-8 Section 5.2.2
▪ Section 5.2.1
• Documentation of change management system; email
or procedures documenting a review of the installed
antivirus update; email or other documentation
identifying the antivirus update process, use of
application whitelisting, etc. used by the party
▪ Section 5.2.2
• Documentation of change management systems,
electronic mail, or contracts that identify a review to
determine whether additional mitigation is necessary
and has been implemented before connecting
7
Example Evidence
8
Employing CIP-010 R4
Removable Media
CIP-003-7/8 Section 5.3 CIP-010-2/3 Att 1 Section 3.2
TCAs managed by a party other than the Responsible Entity
CIP-003-8 Att 1 Section 5.2Section 5.2.2
CIP-010-2/3 Att 1 Section 2.2Section 2.3
TCAs managed by the Responsible Entity
CIP-003-7/8 Att 1 Section 5.1 CIP-010-2/3 Att 1 Section 1.4
Implementation Plan Dates
Standard/RequirementImplementation Dates for
CIP-003-7 CIP-003-8
CIP-003-8 Security Management Controls 1/1/2020 4/1/2020
CIP-003-8 R1.1 Policies for high- & medium-impact BCS 7/1/2016
CIP-003-8 R1.2Policies for assets containing low-impact BCS 1/1/2020
CIP-003-8 R2
CIP-003-8, Att 1, Section 1 Cyber Security Awareness 4/1/2017
CIP-003-8, Att 1, Section 2 Physical Security Controls 1/1/2020
CIP-003-8, Att 1, Section 3 Electronic Access Controls 1/1/2020
CIP-003-8, Att 1, Section 4 Cyber Security Incident Response 4/1/2017
CIP-003-8, Att 1, Section 5 Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation
Section 5.1 1/1/2020
Section 5.2 1/1/2020
Section 5.2.2 n/a 4/1/2020
Section 5.3 1/1/2020
CIP-003-8 R3 Identify a CIP Senior Manager 7/1/2016
CIP-003-8 R4 Delegate CIP Senior Manager authority 7/1/2016
9
CIP Reliability Standard Effective Date
CIP-005-6 July 1, 2020
CIP-008-6 January 1, 2021
CIP-010-3 July 1, 2020
CIP-013-1 July 1, 2020
10
Subject to Future Enforcement
CIP Reliability Standard Filing Date
CIP-012-1 September 18, 2018
11
Filed and Pending Regulatory Approval
Note: On April 18, 2019, FERC published its Notice of Proposed Rulemaking regarding CIP-012-1.
12
For CIP Questions
▪ NERC. (April 2019) CIP-003-8 - Cyber Security—Security Management Controls. Retrieved from: https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-003-8_Clean_04182019.pdf
▪ NERC. (January 2017) CIP-003-7(i) - Cyber Security—Security Management Controls. Retrieved from: https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-003-7%28i%29_clean_01302017_team.pdf
▪ FERC. (31 July 2019) Approval of Reliability Standard CIP-003-8 (Cyber Security -Security Management Controls). Retrieved from: https://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20190731-3015
▪ NERC. (23 January 2015) CIP‐010‐2—Cyber Security—Configuration Change Management and Vulnerability Assessments. Retrieved from: https://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/CIP-010-2_CLEAN_BOARD.pdf
▪ NERC. (July 2017) CIP-010-3 – Cyber Security—Configuration Change Management and Vulnerability Assessments. Retrieved from: https://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-010-3_Clean_071117.pdf
14
References