SPP.org – EMS Users Group – CIP Standards: The Compliance Audits Are Coming… Are You Ready?

Uploaded by asher-mcdaniel, 30-Dec-2015

Page 1: SPP.org

Page 2: EMS Users Group – CIP Standards
The Compliance Audits Are Coming… Are You Ready?

Page 3: Compliance Program

• Currently spot checking “AC” (Auditably Compliant) requirements

  Applicable Standard(s) and Requirement(s):

  Standard     Requirement(s)
  CIP-002-1    R1, R2, R3
  CIP-003-1    R1, R2, R3
  CIP-004-1    R2, R3, R4
  CIP-007-1    R1
  CIP-008-1    R1
  CIP-009-1    R1, R2

Page 4: Compliance Program

• Expected Spot Check Schedule
  • Table 1 entities (RC + BA, TOP – Subject to 1200)
    1. 13 requirements through 6/30/2010
    2. All requirements beginning 7/1/2010
  • Table 2 entities (TSP, RRO, NERC + BA, TOP – Not subject to 1200)
    1. All requirements beginning 7/1/2010
  • Table 3 entities (IA, TO, GO, GOP, LSE)
    1. All requirements beginning 1/1/2011

Page 5: Compliance Program

• Considerations
  • Any “Compliant” requirement can be spot-checked
    1. Verify or confirm self-certifications
    2. Verify or confirm self-reports of non-compliance
    3. Verify or confirm periodic data submittals
    4. In response to system events or operating problems
  • Can expand scheduled spot check scope as necessary
    1. Audit uncovers possible non-compliance of a requirement not in the original scope

Page 6: Expectations

• The audited entity has the obligation to demonstrate compliance
  • Sufficient, appropriate, and adequate documentation
  • Demonstrate sustained compliance
• The auditor
  • Starts with a neutral position
  • Seeks additional evidence as necessary to make a compliance determination

Page 7: Approach

• Entity completes Q/RSAWs and possibly supplemental questions prior to the on-site audit or spot check.
• Entity may be asked to submit certain evidence in advance of the on-site audit or spot check.
• Certain requirements will be statistically sampled during the audit or spot check.

Page 8: How to prepare

• Starting now
  • Consider a pre-audit (internal or third-party) review
  • Build a culture of compliance into your processes
• Upon notice
  • Collect evidence of compliance
  • Identify subject matter experts
• During audit
  • Be prepared to supply additional evidence

Page 9: Some Issues

• Annual means 12 months, not calendar year.
• Periodic reviews/approvals need to be date stamped as well as signed.
• Authorized access needs evidence of authorization/approval.
• A request is not the same as an action.
• Electronic records can replace paper as long as all requirements are met.

Page 10: An Example – CIP-004/R4

• The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
• How do you prove that the list is complete?
• How do you prove that the list is accurate?
• How do you prove access was authorized?

Page 11: An Example – CIP-004/R4

• You can maintain paper records
  • Possible reconciliation issues with reality
  • Need evidence of actions, not requests
  • Need evidence of approvals
• You can rely on the access control systems to maintain records
  • Need date-stamped transaction logs
  • Still need to demonstrate approvals
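One way to turn the evidence rules on pages 9 through 11 into a repeatable check: reconcile the maintained CIP-004 R4 access list against the access control system's date-stamped transaction log (completeness and accuracy), require a dated, signed approval rather than a request for every current grant, and treat "annual" as 12 months. This is an added example, not the presentation's or SPP's own tooling; the people, rights, dates and record layout are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample records (not from the presentation): the CIP-004 R4 list
# the entity maintains, mapping each person to their specific access rights.
ACCESS_LIST = {"alice": {"ems-console", "control-room"}, "bob": {"ems-console"},
               "dave": {"ems-console"}}
# Approval records: (person, right, status, signer, date). "requested" is a
# request, not an action; an undated approval cannot show when it was given.
APPROVALS = [
    ("alice", "ems-console", "approved", "mgr1", date(2009, 3, 2)),
    ("alice", "control-room", "approved", "mgr1", None),
    ("bob", "ems-console", "requested", None, date(2009, 5, 1)),
    ("carol", "ems-console", "approved", "mgr2", date(2009, 6, 1)),
]
# Date-stamped transaction log from the access control system (ACS).
ACS_LOG = [
    (date(2009, 3, 3), "alice", "ems-console", "grant"),
    (date(2009, 3, 3), "alice", "control-room", "grant"),
    (date(2009, 5, 2), "bob", "ems-console", "grant"),
    (date(2009, 6, 2), "carol", "ems-console", "grant"),
    (date(2009, 1, 10), "dave", "ems-console", "grant"),
    (date(2009, 4, 20), "dave", "ems-console", "revoke"),
]
REVIEW_DATE, LAST_REVIEW = date(2009, 9, 1), date(2008, 7, 15)  # constructed

def current_grants(acs_log):
    """Replay grant/revoke transactions in date order to get current access."""
    granted = set()
    for _, person, right, action in sorted(acs_log):
        if action == "grant":
            granted.add((person, right))
        else:
            granted.discard((person, right))
    return granted

def reconcile(access_list, approvals, acs_log, review_date, last_review):
    """Return findings on list completeness, accuracy, and proof of approval."""
    findings = []
    if review_date - last_review > timedelta(days=365):   # annual = 12 months
        findings.append("annual review overdue")
    listed = {(p, r) for p, rights in access_list.items() for r in rights}
    granted = current_grants(acs_log)
    for p, r in sorted(granted - listed):      # list is incomplete
        findings.append(f"{p}:{r} granted in ACS but missing from list")
    for p, r in sorted(listed - granted):      # list is stale/inaccurate
        findings.append(f"{p}:{r} on list but no current grant in ACS")
    evidenced = {(p, r) for p, r, status, signer, when in approvals
                 if status == "approved" and signer and when}
    for p, r in sorted(granted - evidenced):   # access without proof of approval
        findings.append(f"{p}:{r} granted without dated, signed approval")
    return findings
```

Each finding maps to one of the slide's questions: an ACS grant missing from the list is incompleteness, a listed right with no current grant is inaccuracy, and a grant backed only by a request or an undated signature is access without evidence of authorization.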

Page 12: Technical Feasibility Exception

• Interim guidance issued July 1, 2009
• Regions, not NERC, will manage the process.
• NERC has an oversight role.
• Regions are working with NERC to develop a workable solution.
• Interim guidance will be revised and reissued, possibly on or about September 21, 2009.
• The Region/NERC solution will be forwarded to FERC for approval.

Page 13: Technical Feasibility Exception

• The TFE Process (as currently expected)
  • TFE requests limited to 14 or 15 specific CIP requirements that contain enabling language.
  • Entities will submit a “Part A” TFE request to the Region.
    1. Region has 60 days to initially accept or reject.
    2. Entity will be able to remedy/resubmit a deficient TFE request.
    3. Safe Harbor granted once the TFE request is accepted.

Page 14: Technical Feasibility Exception

• The TFE Approval Process
  • Region has one year to complete a comprehensive review of the TFE request for approval.
  • Entity will be afforded the opportunity to remedy and resubmit a rejected TFE request.
  • Entity will have to execute and maintain a remediation plan to achieve strict compliance.
  • Rejection of the request, failure to maintain remediation, or failure to report periodically could void safe harbor.

Page 15: Technical Feasibility Exception

• TFE Process
  • TFE requests approved by the Region are subject to NERC review
    1. NERC could override the Region's decision.
  • Once approved, the entity must still maintain remediation and reporting plans or risk loss of safe harbor.
  • Entity can request amendment/modification of an accepted or approved TFE request.
    1. Amendment not effective until approved.
    2. Rejection reverts to the previous version of the request.

Page 16: CIP Standards Development

• Version 2 pending before FERC
  • Minor revisions to address time-critical aspects of Order 706.
  • Eliminated use of reasonable business judgment.
  • Minor, mostly non-controversial quick fixes.
• Version 3 being developed
  • Concept paper published for comment.
  • Requirements and security controls catalog beginning to be drafted.

Page 17: CIP Standards Development

• Expected Timeline
  • Post first draft of CIP-002-3 in December 2009.
  • Publish first revision and security controls catalog (CIP-003-3 through CIP-009-3) in April 2010.
  • Publish final revisions to CIP-002-3 through CIP-009-3 with implementation plan for ballot in December 2010.
• Big paradigm change. Will take some getting used to.

Page 18: Questions?