NERC CIP v7 Standards and Requirements
CIP-002-5.1 - BES Cyber System Categorization
CIP-002 R1 - Each Responsible Entity shall implement a process that considers
each of the following assets for purposes of parts 1.1 through 1.3: Control Centers
and backup Control Centers; Transmission stations and substations; Generation
resources; Systems and facilities critical to system restoration, including Blackstart
Resources and Cranking Paths and initial switching requirements; Special
Protection Systems that support the reliable operation of the Bulk Electric System;
and For Distribution Providers
CIP-002 R1.1 - Identify each of the high impact BES Cyber Systems according to
Attachment 1, Section 1, if any, at each asset;
CIP-002 R1.2 - Identify each of the medium impact BES Cyber Systems according
to Attachment 1, Section 2, if any, at each asset;
CIP-002 R1.3 - Identify each asset that contains a low impact BES Cyber System
according to Attachment 1, Section 3, if any (a discrete list of low impact BES
Cyber Systems is not required).
CIP-002 R2.1 - Review the identifications in Requirement R1 and its parts (and
update them if there are changes identified) at least once every 15 calendar months,
even if it has no identified items in Requirement R1.
CIP-002 R2.2 - Have its CIP Senior Manager or delegate approve the
identifications required by Requirement R1 at least once every 15 calendar months,
even if it has no identified items in Requirement R1.
CIP-003-7 - Security Management Controls
CIP-003 R1 - Each Responsible Entity shall review and obtain CIP Senior
Manager approval at least once every 15 calendar months for one or more
documented cyber security policies that collectively address the following topics:
CIP-003 R2 - Each Responsible Entity with at least one asset identified in CIP-002
containing low impact BES Cyber Systems shall implement one or more
documented cyber security plan(s) for its low impact BES Cyber Systems that
include the sections in Attachment 1.
CIP-003 R3 - Each Responsible Entity shall identify a CIP Senior Manager by
name and document any change within 30 calendar days of the change.
CIP-003 R4 - The Responsible Entity shall implement a documented process to
delegate authority, unless no delegations are used. Where allowed by the CIP
Standards, the CIP Senior Manager may delegate authority for specific actions to a
delegate or delegates. These delegations shall be documented, including the name
or title of the delegate, the specific actions delegated, and the date of the
delegation; approved by the CIP Senior Manager; and updated within 30 days of
any change to the delegation. Delegation changes do not need to be reinstated with
a change to the delegator.
CIP-003 Attachment 1 Section 2 - Lows Physical Security Controls: Each
Responsible Entity shall control physical access, based on need as determined by
the Responsible Entity, to (1) the asset or the locations of the low impact BES
Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the
Responsible Entity, that provide electronic access control(s) implemented for
Section 3.1, if any.
CIP-003 Attachment 1 Section 3 - Lows Electronic Access Controls: For each
asset containing low impact BES Cyber System(s) identified pursuant to CIP-002,
the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined
by the Responsible Entity for any communications that are:
between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset
containing low impact BES Cyber System(s);
using a routable protocol when entering or leaving the asset containing the low
impact BES Cyber System(s); and
not used for time-sensitive protection or control functions between intelligent
electronic devices (e.g., communications using protocol IEC TR 61850-90-5
R-GOOSE).
3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low
impact BES Cyber System(s), per Cyber Asset capability.
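Section 3.1 is the one part of the low impact controls that reduces to a mechanical rule: a communication is in scope only if it crosses the asset boundary, uses a routable protocol, and is not time-sensitive protection traffic between IEDs, and everything in scope is denied unless the entity has explicitly decided it is necessary. The following Python is an added example written for this page to show that scoping and deny-by-default logic applied to sample flows; it is not NERC text or any entity's program. The asset network, allow-list rules, hosts, ports and application labels are all constructed assumptions.

```python
"""Scoping and allow-list evaluation modelled on CIP-003-7 Attachment 1, Section 3.1.

A flow is in scope for 3.1 only if it (a) crosses the boundary of the asset
containing low impact BES Cyber Systems, (b) uses a routable protocol when
entering or leaving that asset, and (c) is not time-sensitive protection or
control traffic between IEDs (e.g. IEC TR 61850-90-5 R-GOOSE). In-scope
traffic is compared against the entity's allow-list and denied by default.
Every network, host, port and rule below is a constructed illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical address space of the asset (e.g. one substation LAN).
ASSET_NETWORKS = [ip_network("10.20.0.0/24")]

# Transports treated as routable for 3.1; "serial" stands in for non-routable
# links (e.g. DNP3 over RS-485) that the section does not cover.
ROUTABLE_PROTOS = {"tcp", "udp"}

# Application labels the entity has designated as time-sensitive protection or
# control traffic between IEDs, which 3.1 excludes by its own terms.
TIME_SENSITIVE_APPS = {"r-goose", "r-sv"}


@dataclass(frozen=True)
class Flow:
    src: str            # IP address, or a device name for serial links
    dst: str
    proto: str          # "tcp", "udp" or "serial"
    dport: Optional[int]
    app: str            # entity's label for the application, e.g. "dnp3"


@dataclass(frozen=True)
class AllowRule:
    direction: str      # "inbound" (into the asset) or "outbound"
    remote: str         # CIDR of the permitted external peer(s)
    proto: str
    dport: int
    app: str

    def matches(self, flow: Flow, direction: str, remote_ip) -> bool:
        return (self.direction == direction
                and self.proto == flow.proto
                and self.dport == flow.dport
                and self.app == flow.app
                and remote_ip in ip_network(self.remote))


# Hypothetical allow-list: the only routable cross-boundary communications the
# entity has determined to be necessary.
ALLOW_RULES = [
    AllowRule("inbound", "10.50.1.0/24", "tcp", 20000, "dnp3"),  # SCADA master polling
    AllowRule("outbound", "10.50.1.1/32", "udp", 123, "ntp"),    # time sync to control center
    AllowRule("inbound", "10.50.2.0/24", "tcp", 22, "ssh"),      # engineering jump host
]


def _inside(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in ASSET_NETWORKS)


def classify(flow: Flow) -> str:
    """Return 'out-of-scope', 'allow' or 'deny' for one flow."""
    if flow.proto not in ROUTABLE_PROTOS:        # (b) non-routable link
        return "out-of-scope"
    if flow.app in TIME_SENSITIVE_APPS:           # (c) protection traffic between IEDs
        return "out-of-scope"
    src_in, dst_in = _inside(flow.src), _inside(flow.dst)
    if src_in == dst_in:                          # (a) must cross the asset boundary
        return "out-of-scope"
    direction = "inbound" if dst_in else "outbound"
    remote_ip = ip_address(flow.src if dst_in else flow.dst)
    # In scope: permit only what the entity explicitly listed, deny the rest.
    for rule in ALLOW_RULES:
        if rule.matches(flow, direction, remote_ip):
            return "allow"
    return "deny"


def evaluate(flows: List[Flow]) -> List[str]:
    return [classify(f) for f in flows]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.50.1.5", "10.20.0.10", "tcp", 20000, "dnp3"),    # allow: SCADA poll
    Flow("203.0.113.7", "10.20.0.10", "tcp", 22, "ssh"),      # deny: SSH from unlisted peer
    Flow("10.20.0.10", "10.50.1.1", "udp", 123, "ntp"),       # allow: NTP out
    Flow("10.20.0.10", "198.51.100.3", "tcp", 443, "https"),  # deny: outbound HTTPS not listed
    Flow("10.20.0.10", "10.20.0.11", "tcp", 102, "mms"),      # out-of-scope: intra-asset
    Flow("10.20.0.10", "10.30.0.10", "udp", 102, "r-goose"),  # out-of-scope: R-GOOSE to peer site
    Flow("rtu-1", "ied-7", "serial", None, "dnp3"),           # out-of-scope: non-routable serial
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{verdict:13s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} {flow.app}")
```

The point of the scoping checks before the allow-list is that 3.1 is narrower than a general firewall policy: serial links, intra-asset traffic and designated R-GOOSE exchanges fall outside it, while anything routable that crosses the boundary is treated as in scope and must be affirmatively listed. The "deny" verdicts on unlisted SSH and HTTPS are the control doing its job, and the same evaluator can be run against a real flow export to find cross-boundary traffic the documented allow-list does not account for.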
CIP-003 Attachment 1 Section 1 - Lows Cyber Security Awareness: Each
Responsible Entity shall reinforce, at least once every 15 calendar months, cyber
security practices (which may include associated physical security practices).
CIP-003 Attachment 1 Section 4 - Lows Cyber Security Incident Response: Each
Responsible Entity shall have one or more Cyber Security Incident response
plan(s), either by asset or group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable
Cyber Security Incident and subsequent notification to the Electricity Information
Sharing and Analysis Center (E-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident
response by groups or individuals;
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36
calendar months by: (1) responding to an actual Reportable Cyber Security
Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security
Incident; or (3) using an operational exercise of a Reportable Cyber Security
Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180
calendar days after completion of a Cyber Security Incident response plan(s) test or
actual Reportable Cyber Security Incident.
CIP-003 Attachment 1 Section 5 - Lows Transient Cyber Asset and Removable
Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement,
except under CIP Exceptional Circumstances, one or more plan(s) to achieve the
objective of mitigating the risk of the introduction of malicious code to low impact
BES Cyber Systems through the use of Transient Cyber Assets or Removable
Media. The plan(s) shall include:
5.1 For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the
use of one or a combination of the following in an ongoing or on-demand manner
(per Transient Cyber Asset capability):