NERC - 2016-02 Modifications to CIP Standards (CIP-003-7, Draft 1)

CIP-003-7 - Cyber Security - Security Management Controls

Draft 1 of CIP-003-7, July 2016. Page 1 of 54

    Standard Development Timeline

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Description of Current Draft

This draft of CIP-003-7 is addressing the directive issued by the Federal Energy Regulatory Commission (Commission) in paragraph 73 of Order No. 822, which reads:

[T]he Commission concludes that a modification to the Low Impact External Routable Connectivity definition to reflect the commentary in the Guidelines and Technical Basis section of CIP-003-6 is necessary to provide needed clarity to the definition and eliminate ambiguity surrounding the term "direct" as it is used in the proposed definition. Therefore, pursuant to section 215(d)(5) of the FPA, we direct NERC to develop a modification to provide the needed clarity, within one year of the effective date of this Final Rule approving revisions to the cyber security Critical Infrastructure Protection (CIP) standards.

Previously, the Guidelines and Technical Basis had approximately 10 pages of explanation and numerous reference models to describe different forms of direct vs. indirect access that could be used to determine whether Low Impact External Routable Connectivity existed and thus whether a Low Impact BES Cyber System Electronic Access Point (LEAP) was required. In this revision, the term Low Impact External Routable Connectivity has been changed to Low Impact External Routable Communication (LERC) and simplified so that it is an attribute of a BES asset concerning whether there is routable protocol communication across the asset boundary, without regard to 'direct vs. indirect' access that may occur. This greatly simplifies and clarifies the definition of LERC. It removes the dependency between the electronic access controls that may be in place and having those controls determine whether LERC exists or not.

For those BES assets that have LERC, the SDT changed the requirement from requiring a LEAP to requiring electronic access controls to permit only necessary electronic access to low impact BES Cyber Systems (revised Attachment 1, Section 3.1) and expanded the Guidelines and Technical Basis with numerous examples of electronic access controls. Given the modified definition of LERC and the proposed modifications in Reliability Standard CIP-003-7, there is no longer a need for the NERC Glossary term Low Impact BES Cyber System Electronic Access Point (LEAP). Consequently, NERC is proposing that term for retirement.

In summary, the CIP Standard Drafting Team revised CIP-003-7, Attachments 1 and 2, Sections 2 and 3, and the associated High VSL for Requirement R2. Non-substantive errata changes were also made within the standard, including changing ES-ISAC to E-ISAC.


Completed Actions | Date
Standard Authorization Request (SAR) approved | July 20, 2016
Draft 1 of CIP-003-7 posted for formal comment and initial ballot | July 21 - September 6, 2016

Anticipated Actions | Date
10-day final ballot | October 2016
NERC Board of Trustees (BOT) adoption | November 2016


    A. Introduction

1. Title: Cyber Security - Security Management Controls

2. Number: CIP-003-7

3. Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

4. Applicability:

4.1. Functional Entities: For the purpose of the requirements contained herein, the following list of functional entities will be collectively referred to as "Responsible Entities." For requirements in this standard where a specific functional entity or subset of functional entities are the applicable entity or entities, the functional entity or entities are specified explicitly.

4.1.1 Balancing Authority

4.1.2 Distribution Provider that owns one or more of the following Facilities, systems, and equipment for the protection or restoration of the BES:

4.1.2.1 Each underfrequency Load shedding (UFLS) or undervoltage Load shedding (UVLS) system that:

4.1.2.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and

4.1.2.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.

4.1.2.2 Each Special Protection System (SPS) or Remedial Action Scheme (RAS) where the SPS or RAS is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.1.2.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.1.2.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

4.1.3 Generator Operator

4.1.4 Generator Owner


4.1.5 Interchange Coordinator or Interchange Authority

4.1.6 Reliability Coordinator

4.1.7 Transmission Operator

4.1.8 Transmission Owner

4.2. Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.

4.2.1 Distribution Provider: One or more of the following Facilities, systems and equipment owned by the Distribution Provider for the protection or restoration of the BES:

4.2.1.1 Each UFLS or UVLS System that:

4.2.1.1.1 is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and

4.2.1.1.2 performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.

4.2.1.2 Each SPS or RAS where the SPS or RAS is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.2.1.3 Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.

4.2.1.4 Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

4.2.2 Responsible Entities listed in 4.1 other than Distribution Providers: All BES Facilities.

4.2.3 Exemptions: The following are exempt from Standard CIP-003-7:

4.2.3.1 Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.


4.2.3.2 Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters (ESPs).

4.2.3.3 The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.

4.2.3.4 For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.

5. Effective Dates: See Implementation Plan for CIP-003-7.

6. Background: Standard CIP-003 exists as part of a suite of CIP Standards related to cyber security, which require the initial identification and categorization of BES Cyber Systems and require organizational, operational, and procedural controls to mitigate risk to BES Cyber Systems.

The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities' management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems. The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.

The term documented processes refers to a set of required instructions specific to the Responsible Entity and to achieve a specific outcome. This term does not imply any naming or approval structure beyond what is stated in the requirements. An entity should include as much as it believes necessary in its documented processes, but it must address the applicable requirements.

The terms program and plan are sometimes used in place of documented processes where it makes sense and is commonly understood. For example, documented processes describing a response are typically referred to as plans (i.e., incident response plans and recovery plans). Likewise, a security plan can describe an approach involving multiple procedures to address a broad subject matter.

Similarly, the term program may refer to the organization's overall implementation of its policies, plans, and procedures involving a subject matter. Examples in the standards include the personnel risk assessment program and the personnel training program. The full implementation of the CIP Cyber Security Reliability Standards could also be referred to as a program. However, the terms program and plan do not imply any additional requirements beyond what is stated in the standards.

Responsible Entities can implement common controls that meet requirements for multiple high, medium, and low impact BES Cyber Systems. For example, a single cyber security awareness program could meet the requirements across multiple BES Cyber Systems.

Measures provide examples of evidence to show documentation and implementation of the requirement. These measures serve to provide guidance to entities in acceptable records of compliance and should not be viewed as an all-inclusive list.

Throughout the standards, unless otherwise stated, bulleted items in the requirements and measures are items that are linked with an "or," and numbered items are items that are linked with an "and."

Many references in the Applicability section use a threshold of 300 MW for UFLS and UVLS. This particular threshold of 300 MW for UVLS and UFLS was provided in Version 1 of the CIP Cyber Security Standards. The threshold remains at 300 MW since it is specifically addressing UVLS and UFLS, which are last-ditch efforts to save the BES. A review of UFLS tolerances defined within Regional Reliability Standards for UFLS program requirements to date indicates that the historical value of 300 MW represents an adequate and reasonable threshold value for allowable UFLS operational tolerances.


    B. Requirements and Measures

R1. Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

1.1 For its high impact and medium impact BES Cyber Systems, if any:

1.1.1. Personnel and training (CIP-004);

1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;

1.1.3. Physical security of BES Cyber Systems (CIP-006);

1.1.4. System security management (CIP-007);

1.1.5. Incident reporting and response planning (CIP-008);

1.1.6. Recovery plans for BES Cyber Systems (CIP-009);

1.1.7. Configuration change management and vulnerability assessments (CIP-010);

1.1.8. Information protection (CIP-011); and

1.1.9. Declaring and responding to CIP Exceptional Circumstances.

1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:

1.2.1. Cyber security awareness;

1.2.2. Physical security controls;

1.2.3. Electronic access controls for Low Impact External Routable Communication (LERC) and Dial-up Connectivity; and (Redline: this draft replaces "Connectivity" with "Communication" in the LERC term.)

1.2.4. Cyber Security Incident response

M1. Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.

R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.


M2. Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2.

R3. Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

M3. An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.

R4. The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]

M4. An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.


    C. Compliance

1. Compliance Monitoring Process

1.1. Compliance Enforcement Authority: As defined in the NERC Rules of Procedure, "Compliance Enforcement Authority" (CEA) means NERC or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.

1.2. Evidence Retention: The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide other evidence to show that it was compliant for the full time period since the last audit.

The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation:

Each Responsible Entity shall retain evidence of each requirement in this standard for three calendar years.

If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved or for the time specified above, whichever is longer.

The CEA shall keep the last audit records and all requested and submitted subsequent audit records.

1.3. Compliance Monitoring and Assessment Processes:

Compliance Audits

Self-Certifications

Spot Checking

Compliance Investigations

Self-Reporting

Complaints

1.4. Additional Compliance Information: None


2. Table of Compliance Elements

R# | Time Horizon | VRF | Violation Severity Levels (CIP-003-7): Lower VSL, Moderate VSL, High VSL, Severe VSL

R1 | Operations Planning | Medium

Lower VSL:

• The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address one of the nine topics required by R1. (R1.1)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 15 calendar months but did complete this review in less than or equal to 16 calendar months of the previous review. (R1.1)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 15 calendar months but did complete this approval in less than or equal to 16 calendar months of the previous approval. (R1.1)
• The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address one of the four topics required by R1. (R1.2)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 within 15 calendar months but did complete this review in less than or equal to 16 calendar months of the previous review. (R1.2)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 15 calendar months but did complete this approval in less than or equal to 16 calendar months of the previous approval. (R1.2)

Moderate VSL:

• The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address two of the nine topics required by R1. (R1.1)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 16 calendar months but did complete this review in less than or equal to 17 calendar months of the previous review. (R1.1)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 16 calendar months but did complete this approval in less than or equal to 17 calendar months of the previous approval. (R1.1)
• The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address two of the four topics required by R1. (R1.2)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 within 16 calendar months but did complete this review in less than or equal to 17 calendar months of the previous review. (R1.2)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 16 calendar months but did complete this approval in less than or equal to 17 calendar months of the previous approval. (R1.2)

High VSL:

• The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address three of the nine topics required by R1. (R1.1)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 within 17 calendar months but did complete this review in less than or equal to 18 calendar months of the previous review. (R1.1)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 17 calendar months but did complete this approval in less than or equal to 18 calendar months of the previous approval. (R1)
• The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address three of the four topics required by R1. (R1.2)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by R1 within 17 calendar months but did complete this review in less than or equal to 18 calendar months of the previous review. (R1.2)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 17 calendar months but did complete this approval in less than or equal to 18 calendar months of the previous approval. (R1.2)

Severe VSL:

• The Responsible Entity documented and implemented one or more cyber security policies for its high impact and medium impact BES Cyber Systems, but did not address four or more of the nine topics required by R1. (R1.1)
• The Responsible Entity did not have any documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1. (R1.1)
• The Responsible Entity did not complete its review of the one or more documented cyber security policies as required by R1 within 18 calendar months of the previous review. (R1)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its high impact and medium impact BES Cyber Systems as required by R1 by the CIP Senior Manager within 18 calendar months of the previous approval. (R1.1)
• The Responsible Entity documented one or more cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems, but did not address any of the four topics required by R1. (R1.2)
• The Responsible Entity did not have any documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by R1. (R1.2)
• The Responsible Entity did not complete its approval of the one or more documented cyber security policies for its assets identified in CIP-002 containing low impact BES Cyber Systems as required by Requirement R1 by the CIP Senior Manager within 18 calendar months of the previous approval. (R1.2)

R2 | Operations Planning | Lower

Lower VSL:

• The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document cyber security awareness according to CIP-003-6, Requirement R2, Attachment 1, Section 1. (R2)
• The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document one or more Cyber Security Incident response plans according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
• The Responsible Entity documented one or more Cyber Security Incident response plans within its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to update each Cyber Security Incident response plan(s) within 180 days according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)

Moderate VSL:

• The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to reinforce cyber security practices at least once every 15 calendar months according to CIP-003-6, Requirement R2, Attachment 1, Section 1. (R2)
• The Responsible Entity documented one or more incident response plans within its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to include the process for identification, classification, and response to Cyber Security Incidents according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
• The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document the determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC) according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
• The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document physical security controls according to CIP-003-6, Requirement R2, Attachment 1, Section 2. (R2)
• The Responsible Entity documented its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to document electronic access controls according to CIP-003-6, Requirement R2, Attachment 1, Section 3. (R2)

High VSL:

• The Responsible Entity documented one or more Cyber Security Incident response plans within its cyber security plan(s) for its assets containing low impact BES Cyber Systems, but failed to test each Cyber Security Incident response plan(s) at least once every 36 calendar months according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
• The Responsible Entity documented the determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident, but failed to notify the Electricity Information Sharing and Analysis Center (E-ISAC) according to CIP-003-6, Requirement R2, Attachment 1, Section 4. (R2)
• The Responsible Entity documented and implemented electronic access controls for LERC, but failed to implement a LEAP or permit inbound and outbound access according to CIP-003-6, Requirement R2, Attachment 1, Section 3. (R2)
• The Responsible Entity documented and implemented electronic access controls for its assets containing low impact BES Cyber Systems, but failed to document and implement authentication of all Dial-up Connectivity, if any, that provides the electronic access to low impact BES Cyber Systems according to CIP-003-6, Requirement R2, Attachment 1, Section 3. (R2)
• The Responsible Entity documented the physical access controls for its assets containing low impact BES Cyber Systems, but failed to implement the physical security controls according to CIP-003-6, Requirement R2, Attachment 1, Section 2. (R2)

Severe VSL:

• The Responsible Entity failed to document or implement one or more cyber security plan(s) for its assets containing low impact BES Cyber Systems according to CIP-003-6, Requirement R2, Attachment 1. (R2)

R3 | Operations Planning | Medium

Lower VSL:

• The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 30 calendar days but did document this change in less than 40 calendar days of the change. (R3)

Moderate VSL:

• The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 40 calendar days but did document this change in less than 50 calendar days of the change. (R3)

High VSL:

• The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 50 calendar days but did document this change in less than 60 calendar days of the change. (R3)

Severe VSL:

• The Responsible Entity has not identified, by name, a CIP Senior Manager.
• The Responsible Entity has identified by name a CIP Senior Manager, but did not document changes to the CIP Senior Manager within 60 calendar days of the change. (R3)

R4 | Operations Planning | Lower

Lower VSL:

• The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 30 calendar days but did document this change in less than 40 calendar days of the change. (R4)

Moderate VSL:

• The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 40 calendar days but did document this change in less than 50 calendar days of the change. (R4)

High VSL:

• The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 50 calendar days but did document this change in less than 60 calendar days of the change. (R4)

Severe VSL:

• The Responsible Entity has used delegated authority for actions where allowed by the CIP Standards, but does not have a process to delegate actions from the CIP Senior Manager. (R4)
• The Responsible Entity has identified a delegate by name, title, date of delegation, and specific actions delegated, but did not document changes to the delegate within 60 calendar days of the change. (R4)

    D. Regional Variances

    None.

    E. Interpretations

    None.

    F. Associated Documents

    None.


Version History

Version | Date | Action | Change Tracking
1 | 1/16/06 | R3.2 - Change "Control Center" to "control center." | 3/24/06
2 | 9/30/09 | Modifications to clarify the requirements and to bring the compliance elements into conformance with the latest guidelines for developing compliance elements of standards. Removal of reasonable business judgment. Replaced the RRO with the RE as a responsible entity. Rewording of Effective Date. Changed compliance monitor to Compliance Enforcement Authority. |
3 | 12/16/09 | Updated Version Number from -2 to -3. In Requirement 1.6, deleted the sentence pertaining to removing component or system from service in order to perform testing, in response to FERC order issued September 30, 2009. |
3 | 12/16/09 | Approved by the NERC Board of Trustees. |
3 | 3/31/10 | Approved by FERC. |
4 | 1/24/11 | Approved by the NERC Board of Trustees. |
5 | 11/26/12 | Adopted by the NERC Board of Trustees. | Modified to coordinate with other CIP standards and to revise format to use RBS Template.
5 | 11/22/13 | FERC Order issued approving CIP-003-5. |
6 | 11/13/14 | Adopted by the NERC Board of Trustees. | Addressed two FERC directives from Order No. 791 related to identify, assess, and correct language and communication networks.
6 | 2/12/15 | Adopted by the NERC Board of Trustees. | Replaces the version adopted by the Board on 11/13/2014. Revised version addresses remaining directives from Order No. 791 related to transient devices and low impact BES Cyber Systems.
6 | 1/21/16 | FERC Order issued approving CIP-003-6. Docket No. RM15-14-000 |
7 | TBD | Adopted by the NERC Board of Trustees. | Revised to address FERC Order 822 directive regarding definition of LERC


CIP-003-6 - Attachment 1

Required Sections for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

Responsible Entities shall include each of the sections provided below in the cyber security plan(s) required under Requirement R2.

Responsible Entities with multiple-impact BES Cyber Systems ratings can utilize policies, procedures, and processes for their high or medium impact BES Cyber Systems to fulfill the sections for the development of low impact cyber security plan(s). Each Responsible Entity can develop a cyber security plan(s) either by individual asset or groups of assets.

Section 1. Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).

Section 2. Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any. (Redline: the CIP-003-6 text of item (2), "the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any," is struck in this draft.)

Section 3. Electronic Access Controls: Each Responsible Entity shall:

3.1 Implement electronic access control(s) for LERC, if any, to permit only necessary inbound and outbound electronic access to low impact BES Cyber System(s). (Redline: the CIP-003-6 text "For LERC, if any, implement a LEAP to permit only necessary inbound and outbound bi-directional routable protocol access; and" is struck in this draft.)

3.2 Implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability.

Section 4. Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:

4.1 Identification, classification, and response to Cyber Security Incidents;

4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Information Sharing and Analysis Center (E-ISAC), unless prohibited by law;

4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;

4.4 Incident handling for Cyber Security Incidents;


4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and

4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.
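The timing clauses of Sections 1, 4.5 and 4.6 above, carried out as an added example (it is not part of the standard or any NERC tool): a checker that, given dated evidence, reports where an awareness reinforcement, a plan test or a post-test plan review fell outside its window. The evidence dates are constructed, and the reading of "calendar months" as running to the end of the Nth following month is this example's assumption, stated in the module docstring.

```python
"""Cadence checks for the Attachment 1 timing clauses: Section 1 (reinforce
awareness at least once every 15 calendar months), Section 4.5 (test the plan
at least once every 36 calendar months) and Section 4.6 (update the plan, if
needed, within 180 calendar days after a test or an actual Reportable incident).

Assumption (this example's reading, not a definition from the standard): an
obligation "at least once every N calendar months" counted from an event in
month M is met by an event on any day up to the last day of month M+N.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

AWARENESS_MONTHS = 15   # Attachment 1, Section 1
PLAN_TEST_MONTHS = 36   # Attachment 1, Section 4.5
PLAN_UPDATE_DAYS = 180  # Attachment 1, Section 4.6


def calendar_month_deadline(start: date, months: int) -> date:
    """Last day of the month that lies `months` calendar months after `start`."""
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def cadence_gaps(events: list[date], months: int, as_of: date) -> list[tuple[date, date]]:
    """(previous event, missed deadline) pairs: the following event, or `as_of`
    when there is none yet, fell after the calendar-month deadline."""
    ordered = sorted(events)
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:] + [as_of]):
        deadline = calendar_month_deadline(prev, months)
        if nxt > deadline:
            gaps.append((prev, deadline))
    return gaps


@dataclass
class IncidentResponseEvidence:
    """Dated evidence for one incident response plan (constructed for this example)."""
    plan_tests: list[date] = field(default_factory=list)        # drills, tabletop or operational exercises
    actual_incidents: list[date] = field(default_factory=list)  # actual Reportable Cyber Security Incidents
    plan_reviews: list[date] = field(default_factory=list)      # dated update, or documented "no update needed"

    def test_dates(self) -> list[date]:
        """Section 4.5(1): responding to an actual Reportable incident also counts as a test."""
        return sorted(set(self.plan_tests) | set(self.actual_incidents))

    def late_reviews(self) -> list[tuple[date, date]]:
        """Triggers (test or actual incident) with no review within 180 calendar days."""
        late = []
        for trigger in self.test_dates():
            deadline = trigger + timedelta(days=PLAN_UPDATE_DAYS)
            if not any(trigger <= r <= deadline for r in self.plan_reviews):
                late.append((trigger, deadline))
        return late


def check_low_impact_plan(awareness: list[date], evidence: IncidentResponseEvidence,
                          as_of: date) -> dict[str, list[tuple[date, date]]]:
    """Findings for the three timing clauses; an empty list means no gap was found."""
    return {
        "awareness_gaps": cadence_gaps(awareness, AWARENESS_MONTHS, as_of),
        "plan_test_gaps": cadence_gaps(evidence.test_dates(), PLAN_TEST_MONTHS, as_of),
        "late_plan_reviews": evidence.late_reviews(),
    }


# Constructed evidence log for one group of assets.
SAMPLE_AWARENESS = [date(2014, 3, 10), date(2015, 5, 20), date(2016, 10, 5)]
SAMPLE_EVIDENCE = IncidentResponseEvidence(
    plan_tests=[date(2013, 4, 15)],
    actual_incidents=[date(2015, 2, 2)],
    plan_reviews=[date(2013, 6, 1), date(2015, 9, 15)],
)
SAMPLE_AS_OF = date(2016, 12, 1)

if __name__ == "__main__":
    for clause, gaps in check_low_impact_plan(SAMPLE_AWARENESS, SAMPLE_EVIDENCE, SAMPLE_AS_OF).items():
        print(clause, [(str(a), str(b)) for a, b in gaps] or "no gap")
```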


    CIP-003-6 - Attachment 2

Examples of Evidence for Cyber Security Plan(s) for Assets Containing Low Impact BES Cyber Systems

Section 1. Cyber Security Awareness: An example of evidence for Section 1 may include, but is not limited to, documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months. The evidence could be documentation through one or more of the following methods:

Direct communications (for example, e-mails, memos, or computer-based training);

Indirect communications (for example, posters, intranet, or brochures); or

Management support and reinforcement (for example, presentations or meetings).

Section 2. Physical Security Controls: Examples of evidence for Section 2 may include, but are not limited to:

Documentation of the selected access control(s) (e.g., card key, locks, perimeter controls), monitoring controls (e.g., alarm systems, human observation), or other operational, procedural, or technical physical security controls that control physical access to both:

a. The asset, if any, or the locations of the low impact BES Cyber Systems within the asset; and

b. The Cyber Asset specified by the Responsible Entity that provides electronic access controls implemented for Section 3.1, if any, containing a LEAP.

Section 3. Electronic Access Controls: Examples of evidence for Section 3 may include, but are not limited to:

1. Documentation, such as representative diagrams or lists of implemented electronic access controls (e.g., restricting IP addresses, ports, or services; authenticating users; air-gapping networks; terminating routable protocol sessions on a non-BES Cyber Asset; implementing unidirectional gateways) showing that inbound and outbound connections for any LEAP(s) are LERC at each asset or group of assets containing low impact BES Cyber Systems, is confined to only those to that access the Responsible Entity deems necessary (e.g., by restricting IP addresses, ports, or services); and documentation; and

1.2. Documentation of authentication for Dial-up Connectivity (e.g., dial out only to a preprogrammed number to deliver data, dial-back modems, modems that must be remotely controlled by the control center or control room, or access control on the BES Cyber System).


Section 4. Cyber Security Incident Response: An example of evidence for Section 4 may include, but is not limited to, dated documentation, such as policies, procedures, or process documents of one or more Cyber Security Incident response plan(s) developed either by asset or group of assets that include the following processes:

1. to identify, classify, and respond to Cyber Security Incidents; to determine whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and for notifying the Electricity Sector Information Sharing and Analysis Center (ES-ISAC/E-ISAC);

2. to identify and document the roles and responsibilities for Cyber Security Incident response by groups or individuals (e.g., initiating, documenting, monitoring, reporting, etc.);

3. for incident handling of a Cyber Security Incident (e.g., containment, eradication, or recovery/incident resolution);

4. for testing the plan(s) along with the dated documentation that a test has been completed at least once every 36 calendar months; and

5. to update, as needed, Cyber Security Incident response plan(s) within 180 calendar days after completion of a test or actual Reportable Cyber Security Incident.

Guidelines and Technical Basis - CIP-003-7 Supplemental Material

Draft 1 of CIP-003-7, July 2016, Page 26 of 54

    Guidelines and Technical Basis

Section 4 - Scope of Applicability of the CIP Cyber Security Standards

Section 4. Applicability of the standards provides important information for Responsible Entities to determine the scope of the applicability of the CIP Cyber Security Requirements.

Section 4.1. Functional Entities is a list of NERC functional entities to which the standard applies. If the entity is registered as one or more of the functional entities listed in Section 4.1, then the NERC CIP Cyber Security Standards apply. Note that there is a qualification in Section 4.1 that restricts the applicability in the case of Distribution Providers to only those that own certain types of systems and equipment listed in 4.2.

Section 4.2. Facilities defines the scope of the Facilities, systems, and equipment owned by the Responsible Entity, as qualified in Section 4.1, that is subject to the requirements of the standard. In addition to the set of BES Facilities, Control Centers, and other systems and equipment, the list includes the set of systems and equipment owned by Distribution Providers. While the NERC Glossary term "Facilities" already includes the BES characteristic, the additional use of the term BES here is meant to reinforce the scope of applicability of these Facilities where it is used, especially in this applicability scoping section. This in effect sets the scope of Facilities, systems, and equipment that is subject to the standards.

Requirement R1:

In developing policies in compliance with Requirement R1, the number of policies and their content should be guided by a Responsible Entity's management structure and operating conditions. Policies might be included as part of a general information security program for the entire organization, or as components of specific programs. The Responsible Entity has the flexibility to develop a single comprehensive cyber security policy covering the required topics, or it may choose to develop a single high-level umbrella policy and provide additional policy detail in lower level documents in its documentation hierarchy. In the case of a high-level umbrella policy, the Responsible Entity would be expected to provide the high-level policy as well as the additional documentation in order to demonstrate compliance with CIP-003-7, Requirement R1.

If a Responsible Entity has any high or medium impact BES Cyber Systems, the one or more cyber security policies must cover the nine subject matter areas required by CIP-003-7, Requirement R1, Part 1.1. If a Responsible Entity has identified from CIP-002 any assets containing low impact BES Cyber Systems, also referred to herein as (BES assets), the one or more cyber security policies must cover the four subject matter areas required by Requirement R1, Part 1.2.

Responsible Entities that have multiple-impact rated BES Cyber Systems are not required to create separate cyber security policies for high, medium, or low impact BES Cyber Systems. The Responsible Entities have the flexibility to develop policies that cover all three impact ratings.

Implementation of the cyber security policy is not specifically included in CIP-003-7, Requirement R1 as it is envisioned that the implementation of this policy is evidenced through successful implementation of CIP-003 through CIP-011. However, Responsible Entities are encouraged not to limit the scope of their cyber security policies to only those requirements in NERC cyber security Reliability Standards, but to develop a holistic cyber security policy appropriate for its organization. Elements of a policy that extend beyond the scope of NERC's cyber security Reliability Standards will not be considered candidates for potential violations although they will help demonstrate the organization's internal culture of compliance and posture towards cyber security.

For Part 1.1, the Responsible Entity should consider the following for each of the required topics in its one or more cyber security policies for medium and high impact BES Cyber Systems, if any:

1.1.1 Personnel and training (CIP-004)
Organization position on acceptable background investigations
Identification of possible disciplinary action for violating this policy
Account management

1.1.2 Electronic Security Perimeters (CIP-005) including Interactive Remote Access
Organization stance on use of wireless networks
Identification of acceptable authentication methods
Identification of trusted and untrusted resources
Monitoring and logging of ingress and egress at Electronic Access Points
Maintaining up-to-date anti-malware software before initiating Interactive Remote Access
Maintaining up-to-date patch levels for operating systems and applications used to initiate Interactive Remote Access
Disabling VPN "split tunneling" or "dual homed" workstations before initiating Interactive Remote Access
For vendors, contractors, or consultants: include language in contracts that requires adherence to the Responsible Entity's Interactive Remote Access controls

1.1.3 Physical security of BES Cyber Systems (CIP-006)
Strategy for protecting Cyber Assets from unauthorized physical access
Acceptable physical access control methods
Monitoring and logging of physical ingress

1.1.4 System security management (CIP-007)
Strategies for system hardening
Acceptable methods of authentication and access control
Password policies including length, complexity, enforcement, prevention of brute force attempts
Monitoring and logging of BES Cyber Systems

1.1.5 Incident reporting and response planning (CIP-008)
Recognition of Cyber Security Incidents
Appropriate notifications upon discovery of an incident
Obligations to report Cyber Security Incidents

1.1.6 Recovery plans for BES Cyber Systems (CIP-009)
Availability of spare components
Availability of system backups

1.1.7 Configuration change management and vulnerability assessments (CIP-010)
Initiation of change requests
Approval of changes
Break-fix processes

1.1.8 Information protection (CIP-011)
Information access control methods
Notification of unauthorized information disclosure
Information access on a need-to-know basis

1.1.9 Declaring and responding to CIP Exceptional Circumstances
Processes to invoke special procedures in the event of a CIP Exceptional Circumstance
Processes to allow for exceptions to policy that do not violate CIP requirements

Requirements relating to exceptions to a Responsible Entity's security policies were removed because it is a general management issue that is not within the scope of a reliability requirement. It is an internal policy requirement and not a reliability requirement. However, Responsible Entities are encouraged to continue this practice as a component of their cyber security policies.

In this and all subsequent required approvals in the NERC CIP Reliability Standards, the Responsible Entity may elect to use hardcopy or electronic approvals to the extent that there is sufficient evidence to ensure the authenticity of the approving party.

Requirement R2:

Using the list of assets containing low impact BES Cyber Systems from CIP-002, the intent of the requirement is for each Responsible Entity to create, document, and implement one or more cyber security plan(s) that addresses objective criteria for the protection of low impact BES Cyber Systems. The protections required by Requirement R2 reflect the level of risk that misuse or the unavailability of low impact BES Cyber Systems poses to the BES. The intent is that the required protections are part of a program that covers the low impact BES Cyber Systems collectively either at an asset or site level (assets containing low impact BES Cyber Systems), but not at an individual device or system level.

There are four subject matter areas, as identified in Attachment 1, that must be covered by the cyber security plan: (1) cyber security awareness, (2) physical security controls, (3) electronic access controls for LERC and Dial-up Connectivity, and (4) Cyber Security Incident response.

Requirement R2, Attachment 1

As noted, Attachment 1 contains the sections that must be in the cyber security plan(s). The intent is to allow entities that have a combination of high, medium, and low impact BES Cyber Systems the flexibility to choose, if desired, to cover their low impact BES Cyber Systems (or any subset) under their programs used for the high or medium impact BES Cyber Systems rather than maintain two separate programs. Guidance for each of the four subject matter areas of Attachment 1 is provided below.

Requirement R2, Attachment 1, Section 1 - Cyber Security Awareness

The intent of the cyber security awareness program is for entities to reinforce good cyber security practices with their personnel at least once every 15 calendar months. The entity has the discretion to determine the topics to be addressed and the manner in which it will communicate these topics. As evidence of compliance, the Responsible Entity should be able to produce the awareness material that was delivered according to the delivery method(s) (e.g., posters, emails, or topics at staff meetings, etc.). The Responsible Entity is not required to maintain lists of recipients and track the reception of the awareness material by personnel.

Although the focus of the awareness is cyber security, it does not mean that only technology-related topics can be included in the program. Appropriate physical security topics (e.g., tailgating awareness and protection of badges for physical security, or "If you see something, say something" campaigns, etc.) are valid for cyber security awareness. The intent is to cover topics concerning any aspect of the protection of BES Cyber Systems.

Requirement R2, Attachment 1, Section 2 - Physical Security Controls

The Responsible Entity must document and implement methods to control physical access to (1) the asset or the locations of low impact BES Cyber Systems at assets containing low impact BES within the asset, and (2) Cyber System Assets that implement the electronic access control(s) and (2) LEAPs specified by the Responsible Entity in Section 3, if any. If the LEAP is these Cyber Assets are located within the BES asset and inherits inherit the same controls outlined in Section 2, this can be noted by the Responsible Entity in either its policies or cyber security plan(s) to avoid duplicate documentation of the same controls.

The Responsible Entity has the flexibility in the selection of the methods used to meet the objective to control physical access to the asset(s) containing low impact BES Cyber Systems, System(s) or the low impact BES Cyber Systems themselves, or LEAPs as well as physical protection of the electronic access control Cyber Assets specified by the Responsible Entity, if any. The Responsible Entity may use one or a combination of access controls, monitoring controls, or other operational, procedural, or technical physical security controls. Entities may use perimeter controls (e.g., fences with locked gates, guards, or site access policies, etc.) or more granular areas of physical access control in areas where low impact BES Cyber Systems are located, such as control rooms or control houses. User authorization programs and lists of authorized users for physical access are not required although they are an option to meet the security objective.

The objective is to control the physical access based on need as determined by the Responsible Entity. The need can be documented at the policy level for access to the site or systems, including LEAPs. The requirement does not obligate an entity to specify a need for each access or authorization of a user for access.

Monitoring as a physical security control can be used as a complement or an alternative to access control. Examples of monitoring controls include, but are not limited to: (1) alarm systems to detect motion or entry into a controlled area, or (2) human observation of a controlled area. Monitoring does not necessarily require logging and maintaining logs but could include monitoring that physical access has occurred or been attempted (e.g., door alarm, or human observation, etc.). The monitoring does not need to be per low impact BES Cyber System but should be at the appropriate level to meet the security objective.

Requirement R2, Attachment 1, Section 3 - Electronic Access Controls

Section 3 requires the establishment of boundary protections electronic access controls for assets containing low impact BES Cyber Systems, also referred to herein as (BES assets) when the low impact BES Cyber Systems have bi-directional external routable protocol communication (LERC) or Dial-up Connectivity is present to devices external to or from the asset containing the low impact BES Cyber Systems. System(s). The establishment of boundary protections electronic access controls is intended to control communication either into the asset containing low impact BES Cyber System(s) or to the low impact BES Cyber System itself to reduce the risks associated with uncontrolled communication using routable protocols or Dial-up Connectivity. The term electronic access control is used in the general sense, i.e., to control access, and not in the specific technical sense requiring authentication, authorization, and auditing. The Responsible Entity is not required to establish LERC communication or a LEAP if there is no bi-directional routable protocol communication or In the case where there is no LERC or Dial-up Connectivity present. In the case where there is no external bi-directional routable protocol communication, the Responsible Entity can document the absence of such communication in its low impact cyber security plan(s).

When identifying electronic access controls, Responsible Entities are provided flexibility in the selection of the controls that meet their operational needs while meeting the security objective of allowing only necessary electronic access to low impact BES Cyber Systems.

In essence, Responsible Entities are to determine LERC or Dial-up Connectivity for their BES assets and then, if present, document and implement electronic access control(s).

Determining LERC

The defined terms LERC and LEAP are term Low Impact External Routable Communication (LERC) is used to avoid confusion with the similar terms term External Routable Connectivity (ERC) used for high and medium impact BES Cyber Systems (e.g., External Routable Connectivity (ERC) or as these terms are different concepts. The input to this requirement from CIP-002 is a list of assets containing low impact BES Cyber Systems, therefore LERC is an attribute of a BES asset and involves routable protocol communications to or from the BES asset (crossing the asset boundary) without regard to connectivity to Cyber Assets within the BES asset. ERC on the other hand is an attribute of an individual high or medium impact BES Cyber System and is relative to an Electronic Access Point (EAP)). To future-proof the standards, and in Security Perimeter (ESP).

With LERC being a BES asset level attribute, it is used as a higher level filter to exclude from further consideration those assets containing low impact BES Cyber Systems that have no routable protocol communications to them from outside the BES asset. Responsible Entities can then concentrate their electronic access control efforts on those BES assets that do have LERC. However, this also means that LERC can exist for a BES asset even if there is no routable protocol connectivity to any low impact BES Cyber System within the BES asset. In order to avoid future technology issues, the definitions LERC definition specifically exclude point-to-point excludes communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation non-Control Center BES assets containing low impact BES Cyber Systems, such as IEC 61850 messaging. This does not exclude Control Center to field communication but rather excludes the communication between the intelligent electronic devices themselves (e.g. relays) in the field. A Responsible Entity using this technology is not expected to implement a LEAP the electronic access controls noted herein. This exception was included so as not to inhibit the functionality of the time-sensitive requirements related to this technology nor to preclude the use of such time-sensitive reliability enhancing functions if they use a routable protocol in the future.

Determining Asset Boundary

As LERC is a BES asset level attribute, it involves a determination by the Responsible Entity of a BES asset boundary for their assets containing low impact BES Cyber Systems. This boundary will vary by BES asset type (Control Center, substation, generation resource) and the specific configuration of the BES asset. The intent is for the Responsible Entity to define the BES asset boundary such that the low impact BES Cyber System(s) that are located at the BES asset are contained within the BES asset boundary. This is strictly for determining what constitutes the BES asset and for determining which routable protocol communications and networks are internal or inside or local to the BES asset and which are external to or outside the BES asset. This is not an Electronic Security Perimeter or Physical Security Perimeter as defined for medium and high impact BES Cyber Systems. For the asset containing low impact BES Cyber System(s), the BES asset boundary is synonymous to the concept of a logical border demarcation where routable protocol communication (e.g. LERC) enters and exits the BES asset containing the low impact BES Cyber System. Some examples of ways a Responsible Entity may determine BES asset boundaries are:

For Control Centers:

o Designated areas (room(s) or floor(s)) if the Control Center is located within a larger building.

o A building if in a dedicated building on a shared campus.

o The property/fence line if the Control Center is a dedicated facility on dedicated property.

For substations, this could be the property/fence line or the control house.

For generation resources:

o Fossil/hydro generating facilities: This could be the property/fence line. If pumps or wells or other equipment that are part of the plant asset are outside the property line, then the BES asset boundary could expand to accommodate all that is considered part of the plant.

o Solar farms: This could be the property line(s) or fence(s) surrounding all solar panels and interconnection facilities.

o Wind farms: This could be the collection of individual turbines plus the equipment needed for interconnection.

o Cogeneration facilities: This could be the identified portion of the larger plant that performs generation.

Determining Electronic Access Controls

Once a Responsible Entity has determined that LERC exists at the BES asset boundary, the Responsible Entity documents and implements its chosen electronic access control(s). The control(s) must allow only necessary access as determined by the Responsible Entity and they need to be able to explain the reasons for the electronic access permitted with their electronic access controls. The reasoning for the necessary access controls can be documented within the Responsible Entity's cyber security plan(s) or other policies or procedures associated with the electronic access controls.
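The two determinations described above, LERC or Dial-up Connectivity at the BES asset boundary and whether the chosen electronic access control permits only necessary, explained access, as an added example that is not NERC text or any entity's tooling. Asset, device and flow names and the firewall-style permit rules are constructed, and a default-deny control is assumed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One communication path, described relative to the BES asset boundary."""
    src: str
    dst: str
    transport: str          # "routable", "serial" or "dialup"
    src_inside: bool        # True when the endpoint sits inside the BES asset boundary
    dst_inside: bool
    service: str = ""       # e.g. "dnp3/20000"; empty for serial and dial-up paths
    ied_protection: bool = False  # IED-to-IED time-sensitive protection/control traffic
                                  # between field assets only (e.g. IEC 61850 messaging)


@dataclass
class BesAsset:
    """An asset containing low impact BES Cyber Systems (constructed example data)."""
    name: str
    asset_type: str         # "Control Center", "substation" or "generation resource"
    flows: list[Flow] = field(default_factory=list)

    def lerc_flows(self) -> list[Flow]:
        """Routable communications crossing the boundary. LERC is an asset-level attribute,
        so a flow counts even if it ends at an IP/serial converter. The one exclusion is
        IED-to-IED time-sensitive protection/control traffic between non-Control Center
        BES assets; Control Center-to-field communication is never excluded."""
        return [f for f in self.flows
                if f.transport == "routable" and f.src_inside != f.dst_inside
                and not (f.ied_protection and self.asset_type != "Control Center")]

    def has_lerc(self) -> bool:
        return bool(self.lerc_flows())

    def has_dialup(self) -> bool:
        return any(f.transport == "dialup" and f.src_inside != f.dst_inside for f in self.flows)


@dataclass(frozen=True)
class AccessRule:
    """One permit entry of the chosen electronic access control (firewall/ACL allow)."""
    src: str
    dst: str
    service: str
    reason: str = ""        # the documented necessity the entity must be able to explain


def review_access_controls(asset: BesAsset, rules: list[AccessRule]) -> dict[str, list[str]]:
    """Compare the permit rules with the asset's LERC flows against the Section 3.1
    objective (only necessary, explained access). The control is assumed to be
    default-deny, so anything absent from `rules` is blocked."""
    findings: dict[str, list[str]] = {
        "required": [], "unmatched_flows": [], "undocumented": [], "unused_rules": []}
    if asset.has_lerc():
        findings["required"].append("3.1 electronic access control(s) for LERC")
    if asset.has_dialup():
        findings["required"].append("3.2 authentication for Dial-up Connectivity")
    used: set[AccessRule] = set()
    for f in asset.lerc_flows():
        hits = [r for r in rules if (r.src, r.dst, r.service) == (f.src, f.dst, f.service)]
        if hits:
            used.update(hits)
        else:  # a needed flow the control blocks: the rule set or the stated need is wrong
            findings["unmatched_flows"].append(f"{f.src} -> {f.dst} {f.service}")
    for r in rules:
        label = f"{r.src} -> {r.dst} {r.service}"
        if not r.reason.strip():  # permitted, but nobody can explain why it is necessary
            findings["undocumented"].append(label)
        if r not in used:         # permits access no documented flow needs: review it
            findings["unused_rules"].append(label)
    return findings


# Constructed: SCADA reaches relays through an IP/serial converter (the Reference Model 4
# situation), an engineering RDP path, relay-to-relay IEC 61850 traffic to a neighbouring
# substation, and a dial-up modem to a relay.
SUBSTATION_A = BesAsset("Substation A", "substation", [
    Flow("scada-master", "ip-serial-converter", "routable", False, True, "dnp3/20000"),
    Flow("eng-workstation", "hmi", "routable", False, True, "rdp/3389"),
    Flow("relay-1", "relay-2", "routable", True, True, "goose", ied_protection=True),
    Flow("relay-1", "sub-b-relay", "routable", True, False, "goose", ied_protection=True),
    Flow("dispatch-modem", "relay-1", "dialup", False, True),
])
SUBSTATION_A_RULES = [
    AccessRule("scada-master", "ip-serial-converter", "dnp3/20000", "SCADA polling of relays"),
    AccessRule("eng-workstation", "hmi", "rdp/3389"),                  # no documented reason
    AccessRule("vendor-laptop", "hmi", "rdp/3389", "vendor support"),  # no flow needs it
]
# Constructed: only a serial link and relay-to-relay protection traffic cross the
# boundary, so there is neither LERC nor Dial-up Connectivity.
SUBSTATION_B = BesAsset("Substation B", "substation", [
    Flow("scada-master", "rtu", "serial", False, True),
    Flow("relay-1", "sub-a-relay", "routable", True, False, "goose", ied_protection=True),
])

if __name__ == "__main__":
    print(review_access_controls(SUBSTATION_A, SUBSTATION_A_RULES))
```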

Concept Diagrams

The diagrams on the following pages are provided as examples to illustrate various electronic access controls at a conceptual level. Regardless of the concepts or configurations chosen by the Responsible Entity, the security objective of permitting only necessary access to low impact BES Cyber Systems must be met when there is LERC to a BES asset.

NOTE: This is not an exhaustive list of applicable concepts. LERC is present in each diagram. The same legend is used in each diagram; however, the diagram may not contain all of the articles represented in the legend. The term "BES Asset Boundary" is capitalized in the diagrams but it is not a defined term.

LERC Reference Model 1 - Physical Isolation

The Responsible Entity may choose to physically isolate the low impact BES Cyber System(s) from the LERC. This control is commonly referred to as an "air gap". The serial non-routable protocol connection and the routable protocol LERC are completely isolated from each other. There is no equipment shared with the low impact BES Cyber System(s).

    Reference Model 1

LERC Reference Model 2 - Logical Isolation

The Responsible Entity may choose to logically isolate the low impact BES Cyber System(s) from the LERC. The low impact BES Cyber System(s) is on an isolated network segment with logical controls preventing routable protocol communication into or out of the network containing the low impact BES Cyber System(s).

    Reference Model 2

LERC Reference Model 3 - Host-based Inbound & Outbound Access Permissions

The Responsible Entity may choose to utilize a host-based firewall technology on the low impact BES Cyber System(s) that manages electronic access permission so that only necessary inbound and outbound routable protocol access is allowed to the low impact BES Cyber System(s).

    Reference Model 3

LERC Reference Model 4 - Network-based Inbound & Outbound Access Permissions

The Responsible Entity may choose to utilize a security device that permits only necessary access to the low impact BES Cyber System(s) within the BES asset. In this example, two low impact BES Cyber Systems are accessed over the LERC as the IP/Serial converter is continuing the same communications session from device(s) outside the BES asset boundary to the low impact BES Cyber Systems. The security device provides the electronic access controls to permit only necessary inbound and outbound routable protocol access to the low impact BES Cyber Systems.

    Reference Model 4

LERC Reference Model 5 - Centralized Network-based Inbound & Outbound Access Permissions

The Responsible Entity may choose to utilize a security device at a centralized location that may or may not be another BES asset. The electronic access control(s) do not necessarily have to reside inside the asset containing the low impact BES Cyber System(s). A security device is in place at Location X to act as the electronic access control and permit only necessary inbound and outbound routable protocol access to the low impact BES Cyber System(s). Care should be taken that electronic access to or between each BES asset is through the electronic access controls at the centralized location.

    Reference Model 5

LERC Reference Model 6 - Uni-directional Gateway

The Responsible Entity may choose to utilize a unidirectional gateway as the electronic access control. The low impact BES Cyber System(s) is not accessible (data cannot flow into the low impact BES Cyber System) from the LERC due to the implementation of a one-way (unidirectional) path for data to flow across the BES asset boundary.

    Reference Model 6

LERC Reference Model 7 - User Authentication

The Responsible Entity may choose to utilize a non-BES Cyber Asset between the network outside the BES asset boundary and the low impact BES Cyber System to perform user authentication for interactive access. The non-BES Cyber Asset would require authentication before establishing a new connection to the low impact BES Cyber System. The electronic access control depicted in this reference model may not meet the security objective for controlling device-to-device communication across the LERC depending on the specific system configuration in place.

    Reference Model 7

LERC Reference Model 8 - Session Termination

The Responsible Entity may choose to terminate routable protocol application sessions at a non-BES Cyber Asset inside the asset containing the low impact BES Cyber System(s) such that a separate application session is established to the low impact BES Cyber System(s) from the non-BES Cyber Asset (the routable session from outside the BES asset). The Responsible Entity may choose to authenticate access at a non-BES Cyber Asset either outside the BES asset boundary or inside the asset containing the low impact BES Cyber System(s) such that unauthenticated access to the low impact BES Cyber System(s) is prohibited. The non-BES Cyber Asset sits on a demilitarized zone (DMZ) between the network outside the BES asset boundary and the low impact BES Cyber System(s). The non-BES Cyber Asset in the DMZ terminates the routable protocol session and establishes a new session to the low impact BES Cyber System(s). Additionally, a security device permits traffic from the network outside the BES asset boundary to flow only to and from the non-BES Cyber Asset in the DMZ (the routable session to the low impact BES Cyber System).

    Reference Model 8

LERC Reference Model 9 - LERC and ERC

There is both LERC and ERC present in this reference model because there is at least one medium impact BES Cyber System and one low impact BES Cyber System within the BES asset. The Responsible Entity may choose to leverage an interface on the medium impact Electronic Access Control or Monitoring Systems (EACMS) device to provide electronic access controls for the LERC. The EACMS is therefore performing multiple functions as a medium impact EACMS and as implementing low impact electronic access controls.

    Reference Model 9


    When determining whether there is LERC to the low impact BES Cyber System, the definition uses the phrases direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. The intent of direct in the definition is to indicate LERC exists if a person is sitting at another device outside of the asset containing the low impact BES Cyber System, and the person can connect to logon, configure, read, or interact, etc. with the low impact BES Cyber System using a bi-directional routable protocol within a single end-to-end protocol session even if there is a serial-to-routable protocol conversion. The reverse case would also be LERC, in which the individual sits at the low impact BES Cyber System and connects to a device outside the asset containing low impact BES Cyber Systems using a single end-to-end bi-directional routable protocol session. Additionally, for device-to-device connection, LERC exists if the Responsible Entity has devices outside of the asset containing the low impact BES Cyber System sending or receiving bi-directional routable communication to or from the low impact BES Cyber System. When identifying a LEAP, Responsible Entities are provided flexibility in the selection of the interface on a Cyber Asset that controls the LERC. Examples include, but are not limited to, the internal (facing the low impact BES Cyber Systems) interface on an external or host-based firewall, the internal interface on a router that has implemented an access control list (ACL), or other security device. The entity also has flexibility with respect to the location of the LEAP. LEAPs are not required to reside at the asset containing the low impact BES Cyber Systems. 
Furthermore, the entity is not required to establish a unique physical LEAP per asset containing low impact BES Cyber Systems. Responsible Entities can have a single Cyber Asset containing multiple LEAPs that controls the LERC for more than one asset containing low impact BES Cyber Systems. Locating the Cyber Asset with multiple LEAPs at an external location with multiple assets containing low impact BES Cyber Systems behind it, however, should not allow uncontrolled access to assets containing low impact BES Cyber Systems sharing a Cyber Asset containing the LEAP(s). In Reference Model 4, the communication flows through an IP/Serial converter. LERC is correctly identified in this Reference Model because the IP/Serial converter in this instance is doing nothing more than extending the communication between the low impact BES Cyber System and the Cyber Asset outside the asset containing the low impact BES Cyber System. In contrast, Reference Model 6 has placed a Cyber Asset that performs a complete break or interruption that does not allow the user or device data flow to directly communicate with the low impact BES Cyber System. The Cyber Asset in Reference Model 6 is preventing extending access to the low impact BES Cyber System from the Cyber Asset outside the asset containing the low impact BES Cyber System. The intent is that if the IP/Serial converter that is deployed only does a pass-through of the data flow communication, then that pass-through data flow communication is LERC and a LEAP is required. However, if that IP/Serial converter performs some type of authentication in the data flow at the asset containing the low impact BES Cyber System before the communication can be sent to the low impact BES Cyber System, then that type of IP/Serial converter implementation is not LERC.

  • Guidelines and Technical Basis: CIP-003-7 Supplemental Material

    Draft 1 of CIP-003-7, July 2016, Page 43 of 54

    A Cyber Asset that contains interface(s) that only perform the function of a LEAP does not meet the definition of Electronic Access Control or Monitoring System (EACMS) associated with medium or high impact BES Cyber Systems and is not subject to the requirements applicable to an EACMS. However, a Cyber Asset may contain some interfaces that function as a LEAP and other interfaces that function as an EAP for high or medium impact BES Cyber Systems. In this case, the Cyber Asset would also be subject to the requirements applicable to the EACMS associated with the medium or high impact BES Cyber Systems. Examples of sufficient access controls may include:

    Any LERC for the asset passes through a LEAP with explicit inbound and outbound access permissions defined, or equivalent method by which both inbound and outbound connections are confined to only those that the Responsible Entity deems necessary (e.g., IP addresses, ports, or services).

    As shown in Reference Model 1 below, the low impact BES Cyber System has a host-based firewall that is controlling the inbound and outbound access. In this model, it is also possible that the host-based firewall could be on a non-BES Cyber Asset. The intent is that the host-based firewall controls the inbound and outbound access between the low impact BES Cyber System and the Cyber Asset in the business network.

    As shown in Reference Model 5 below, a non-BES Cyber Asset has been placed between the low impact BES Cyber System on the substation network and the Cyber Asset in the business network. The expectation is that the non-BES Cyber Asset has provided a protocol break so that access to the low impact BES Cyber System is only from the non-BES Cyber Asset that is located within the asset containing the low impact BES Cyber System.

    Dial-up Connectivity: Dial-up Connectivity to a low impact BES Cyber System is set to dial-out only (no auto-answer) to a preprogrammed number to deliver data. Incoming Dial-up Connectivity is to a dial-back modem, a modem that must be remotely controlled by the control center or control room, has some form of access control, or the low impact BES Cyber System has access control.

    Insufficient Access Controls: Some examples of situations that would lack sufficient access controls to meet the intent of this requirement include:

    An asset has Dial-up Connectivity and a low impact BES Cyber System is reachable via an auto-answer modem that connects any caller to the Cyber Asset that has a default password. There is no practical access control in this instance.

    An asset has LERC due to a BES Cyber System within it having a wireless card on a public carrier that allows the BES Cyber System to be reachable via a public IP address. In essence, low impact BES Cyber Systems should not be accessible from the Internet and search engines such as Shodan.

    In Reference Model 5, using just dual-homing or multiple network interface cards without disabling IP forwarding in the non-BES Cyber Asset within the DMZ to provide separation between the low impact BES Cyber System(s) and the external (business) network would not meet the intent of controlling inbound and outbound electronic access, assuming there was no other host-based firewall or other security device on the non-BES Cyber Asset.
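    The dual-homing caveat above, together with the earlier example of a LEAP with explicit inbound and outbound access permissions, lends itself to a concrete check. The following shell script is an added example, not text or code from the standard or from NERC: it assumes a Linux non-BES Cyber Asset administered with sysctl and nftables, and the interface names (biz0, sub0) and addresses (RFC 5737 TEST-NET ranges standing in for the control center and the low impact BES Cyber System) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not text from the standard): checks for a dual-homed non-BES
# Cyber Asset placed between the substation network and the business network
# (the Reference Model 5 arrangement), plus a sample nftables ruleset with
# explicit inbound and outbound permissions.  Interface names and addresses
# are constructed placeholders.

# check_forwarding: read "key = value" lines (the shape of `sysctl -a` output)
# from stdin; succeed only if IPv4 and IPv6 forwarding are both disabled.
# A missing key is treated as "not proven off", so it fails the check: a host
# that forwards between its two NICs is a router, not a protocol break.
check_forwarding() {
    awk -F'[ =]+' '
        $1 == "net.ipv4.ip_forward"          { v4 = $2 }
        $1 == "net.ipv6.conf.all.forwarding" { v6 = $2 }
        END { exit (v4 == "0" && v6 == "0") ? 0 : 1 }'
}

# check_default_deny: read an nftables ruleset from stdin; succeed only if the
# input, output and forward chains each carry "policy drop", i.e. both
# directions are confined to explicitly permitted flows.
check_default_deny() {
    awk '
        /^[ \t]*chain[ \t]+(input|output|forward)[ \t]/ { chain = $2 }
        chain != "" && /policy[ \t]+drop/                { ok[chain] = 1 }
        chain != "" && /^[ \t]*}/                        { chain = "" }
        END { exit (ok["input"] && ok["output"] && ok["forward"]) ? 0 : 1 }'
}

# leap_ruleset: print a sample ruleset for the non-BES Cyber Asset.  Only the
# control center host may open a management session to this asset, only this
# asset may poll the RTU (DNP3, TCP 20000) on the substation side, and nothing
# is forwarded between the two NICs.
leap_ruleset() {
    cc="${CONTROL_CENTER:-192.0.2.10}"     # assumed control center address
    rtu="${BES_RTU:-198.51.100.20}"        # assumed low impact BES Cyber System
    cat <<EOF
table inet leap {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "biz0" ip saddr $cc tcp dport 22 accept
        log prefix "leap-in-drop " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oifname "sub0" ip daddr $rtu tcp dport 20000 accept
        log prefix "leap-out-drop " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Constructed samples of what a reviewer might see before and after hardening.
weak_sysctl='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'
hardened_sysctl='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'

for s in "$weak_sysctl" "$hardened_sysctl"; do
    if printf '%s\n' "$s" | check_forwarding; then
        echo "forwarding: disabled (ok)"
    else
        echo "forwarding: enabled (pass-through, not a protocol break)"
    fi
done
if leap_ruleset | check_default_deny; then
    echo "ruleset: default deny in both directions (ok)"
fi
```

    On the asset itself the same functions take live input: `sysctl -a | check_forwarding` and `nft list ruleset | check_default_deny`. Both must succeed for the host to count as a break rather than a pass-through, and the accepted flows in the ruleset should be trimmed to the addresses, ports and services the Responsible Entity has deemed necessary.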

    The following diagrams provide reference examples intended to illustrate how to determine whether there is LERC and for implementing a LEAP. While these diagrams identify several possible configurations, Responsible Entities may have additional configurations not identified below.

    [Reference Model diagrams, pages 45 to 50 of the draft, not reproduced.]

    Requirement R2, Attachment 1, Section 4, Cyber Security Incident Response: The entity should have one or more documented Cyber Security Incident response plan(s) that include each of the topics listed in Section 4. If, in the normal course of business, suspicious activities are noted at an asset containing low impact BES Cyber System(s), the intent is for the entity to implement a Cyber Security Incident response plan that will guide the entity in responding to the incident and reporting the incident if it rises to the level of a Reportable Cyber Security Incident.

    Entities are provided the flexibility to develop their Attachment 1, Section 4 Cyber Security Incident response plan(s) by asset or group of assets. The plans do not need to be on a per asset site or per low impact BES Cyber System basis. Entities can choose to use a single enterprise-wide plan to fulfill the obligations for low impact BES Cyber Systems.

    The plan(s) must be tested once every 36 months. This is not an exercise per low impact BES Cyber Asset or per type of BES Cyber Asset but rather is an exercise of each incident response plan the entity created to meet this requirement. An actual Reportable Cyber Security Incident counts as an exercise, as do other forms of tabletop exercises or drills. NERC-led exercises such as GridEx participation would also count as an exercise provided the entity's response plan is followed. The intent of the requirement is for entities to keep the Cyber Security Incident response plan(s) current, which includes updating the plan(s), if needed, within 180 days following a test or an actual incident.

    For low impact BES Cyber Systems, the only portion of the definition of Cyber Security Incident that would apply is "A malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of a BES Cyber System." The other portion of that definition is not to be used to require ESPs and PSPs for low impact BES Cyber Systems.

    Requirement R3: The intent of CIP-003-7, Requirement R3 is effectively unchanged since prior versions of the standard. The specific description of the CIP Senior Manager has now been included as a defined term rather than clarified in the Reliability Standard itself to prevent any unnecessary cross-reference to this standard. It is expected that the CIP Senior Manager will play a key role in ensuring proper strategic planning, executive/board-level awareness, and overall program governance.

    Requirement R4: As indicated in the rationale for CIP-003-7, Requirement R4, this requirement is intended to demonstrate a clear line of authority and ownership for security matters. The intent of the SDT was not to impose any particular organizational structure, but, rather, the intent is to afford the Responsible Entity significant flexibility to adapt this requirement to its existing organizational structure. A Responsible Entity may satisfy this requirement through a single delegation document or through multiple delegation documents. The Responsible Entity can make use of the delegation of the delegation authority itself to increase the flexibility in how this applies to its organization. In such a case, delegations may exist in numerous documentation records as long as the collection of these documentation records shows a clear line of authority back to the CIP Senior Manager. In addition, the CIP Senior Manager could also choose not to delegate any authority and meet this requirement without such delegation documentation.

    The Responsible Entity must keep its documentation of the CIP Senior Manager and any delegations up to date. This is to ensure that individuals do not assume any undocumented authority. However, delegations do not have to be reinstated if the individual who delegated the task changes roles or the individual is replaced. For instance, assume that John Doe is named the CIP Senior Manager and he delegates a specific task to the Substation Maintenance Manager. If John Doe is replaced as the CIP Senior Manager, the CIP Senior Manager documentation must be updated within the specified timeframe, but the existing delegation to the Substation Maintenance Manager remains in effect as approved by the previous CIP Senior Manager, John Doe.

    Rationale: During development of this standard, text boxes were embedded within the standard to explain the rationale for various parts of the standard. Upon BOT approval, the text from the rationale text boxes was moved to this section.

    Rationale for Requirement R1: One or more security policies enable effective implementation of the requirements of the cyber security Reliability Standards. The purpose of policies is to provide a management and governance foundation for all requirements that apply to a Responsible Entity's BES Cyber Systems. The Responsible Entity can demonstrate through its policies that its management supports the accountability and responsibility necessary for effective implementation of the requirements.

    Annual review and approval of the cyber security policies ensures that the policies are kept up to date and periodically reaffirms management's commitment to the protection of its BES Cyber Systems.

    Rationale for Requirement R2: In response to FERC Order No. 791, Requirement R2 requires entities to develop and implement cyber security plans to meet specific security control objectives for assets containing low impact BES Cyber System(s). The cyber security plan(s) covers four subject matter areas: (1) cyber security awareness; (2) physical security controls; (3) electronic access controls; and (4) Cyber Security Incident response. This plan(s), along with the cyber security policies required under Requirement R1, Part 1.2, provides a framework for operational, procedural, and technical safeguards for low impact BES Cyber Systems.

    Considering the varied types of low impact BES Cyber Systems across the BES, Attachment 1 provides Responsible Entities flexibility on how to apply the security controls to meet the security objectives. Additionally, because many Responsible Entities have multiple impact-rated BES Cyber Systems, nothing in the requirement prohibits entities from using their high and medium impact BES Cyber System policies, procedures, and processes to implement security controls required for low impact BES Cyber Systems, as detailed in Requirement R2, Attachment 1.

    Responsible Entities will use their identified assets containing low impact BES Cyber System(s) (developed pursuant to CIP-002) to substantiate the sites or locations associated with low impact BES Cyber System(s). However, there is no requirement or compliance expectation for Responsible Entities to maintain a list(s) of individual low impact BES Cyber System(s) and their associated cyber assets or to maintain a list of authorized users.

    Rationale for Requirement R3: The identification and documentation of the single CIP Senior Manager ensures that there is clear authority and ownership for the CIP program within an organization, as called for in Blackout Report Recommendation 43. The language that identifies CIP Senior Manager responsibilities is included in the Glossary of Terms used in NERC Reliability Standards so that it may be used across the body of CIP standards without an explicit cross-reference.

    FERC Order No. 706, Paragraph 296, requests consideration of whether the single senior manager should be a corporate officer or equivalent. As implicated through the defined term, the senior manager has the overall authority and responsibility for leading and managing implementation of the requirements within this set of standards, which ensures that the senior manager is of sufficient position in the Responsible Entity to ensure that cyber security receives the prominence that is necessary. In addition, given the range of business models for responsible entities, from municipal, cooperative, federal agencies, investor-owned utilities, privately owned utilities, and everything in between, the SDT believes that requiring the CIP Senior Manager to be a corporate officer or equivalent would be extremely difficult to interpret and enforce on a consistent basis.


    Rationale for Requirement R4: The intent of the requirement is to ensure clear accountability within an organization for certain security matters. It also ensures that delegations are kept up to date and that individuals do not assume undocumented authority.

    In FERC Order No. 706, Paragraphs 379 and 381, the Commission notes that Recommendation 43 of the 2003 Blackout Report calls for clear lines of authority and ownership for security matters. With this in mind, the Standard Drafting Team has sought to provide clarity in the requirement for delegations so that this line of authority is clear and apparent from the documented delegations.