Reliability Standard Audit Worksheet
CIP-010-AB-1
Cyber Security - Configuration Change Management
and Vulnerability Assessments
Audit Summary
Registered Entity:
[Registered Entity name as it appears in the AESO ARS Registry]
Functional Entity:
[Functional entities for which the Registered Entity above was registered
throughout the audit period]
Audit Period:
From: [Audit start date or standard effective date, whichever comes
later]
To:
[Audit end date or standard withdrawal/supersede date,
whichever comes first]
Audit:
[Scheduled (YYYY-QX) or Spot Check YYYY-MM-DD]
Compliance Monitoring
Entity:
Alberta Electric System Operator (AESO)
Suspected Non-Compliance
to the standard?
Date of Completion:
No
Yes
[If Yes, list the requirements with suspected contravention
findings e.g. R1, R2, R7]
[Use YYYY-MM-DD format]
Assessment Commentary
[Information (if any) relevant to audit findings below]
Findings
R1
[Summary of Findings]
R2
[Summary of Findings]
R3
[Summary of Findings]
Document1
Page 1 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management
and Vulnerability Assessments
Contact Information
Audited Entity
Compliance Primary
[Name]
[Title]
[Phone]
[Email]
Subject Matter Expert [Name]
[Title]
[Phone]
[Email]
AESO Team
Lead Auditor
Sign-off
[Name]
[Title]
[Phone]
[Email]
Date:
[Name]
[Title]
[Phone]
[Email]
Date:
Compliance Manager [Name]
[Title]
[Phone]
[Email]
Date:
Standard Owner
Date:
Auditor
Document1
Signature:
Signature:
Signature:
[Name]
[Title]
[Phone]
[Email]
Signature:
Page 2 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management
and Vulnerability Assessments
Applicability
4.1. For the purpose of the requirements contained herein, the following list of entities will be collectively
referred to as “Responsible Entities”. For requirements in this reliability standard where a specific entity or
subset of entities are the applicable entity or entities, the entity or entities are specified explicitly.
4.1.1. [Intentionally left blank.]
4.1.2. a legal owner of an electric distribution system that owns one or more of the following
facilities, systems, and equipment for the protection or restoration of the bulk electric system:
4.1.2.1. each underfrequency load shedding or under voltage load shed system that:
4.1.2.1.1. is part of a load shedding program that is subject to one or more
requirements in a reliability standard; and
4.1.2.1.2. performs automatic load shedding under a common control system owned
by the entity in subsection 4.1.2., without human operator initiation, of 300 MW or
more;
4.1.2.2. each remedial action scheme where the remedial action scheme is subject to one
or more requirements in a reliability standard;
4.1.2.3. each protection system (excluding underfrequency load shedding and under
voltage load shed) that applies to transmission where the protection system is subject to
one or more requirements in a reliability standard; and
4.1.2.4. each cranking path and group of elements meeting the initial switching
requirements from a contracted blackstart resource up to and including the first point of
supply and/or point of delivery of the next generating unit or aggregated generating
facility to be started;
4.1.3. the operator of a generating unit and the operator of an aggregated generating facility;
4.1.4. the legal owner of a generating unit and the legal owner of an aggregated generating
facility;
4.1.5. [Intentionally left blank.]
4.1.6. [Intentionally left blank.]
4.1.7. the operator of a transmission facility;
4.1.8. the legal owner of a transmission facility; and
4.1.9. the ISO.
4.2. For the purpose of the requirements contained herein, the following facilities, systems, and equipment
owned by each Responsible Entity in subsection 4.1 above are those to which these requirements are
applicable. For requirements in this reliability standard where a specific type of facilities, system, or
equipment or subset of facilities, systems, and equipment are applicable, these are specified explicitly.
Document1
Page 3 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management
and Vulnerability Assessments
4.2.1. One or more of the following facilities, systems and equipment that operate at, or control
elements that operate at, a nominal voltage of 25 kV or less and are owned by a legal owner of an
electric distribution system or a legal owner of a transmission facility for the protection or
restoration of the bulk electric system:
4.2.1.1. each underfrequency load shedding or under voltage load shed system that:
4.2.1.1.1. is part of a load shedding program that is subject to one or more
requirements in a reliability standard; and
4.2.1.1.2. performs automatic load shedding under a common control system owned
by one or more of the entities in subsection 4.2.1, without human operator initiation,
of 300 MW or more;
4.2.1.2. each remedial action scheme where the remedial action scheme is subject to one
or more requirements in a reliability standard;
4.2.1.3. each protection system (excluding underfrequency load shedding and under
voltage load shed) that applies to transmission where the protection system is subject to
one or more requirements in a reliability standard; and
4.2.1.4. each cranking path and group of elements meeting the initial switching
requirements from a contracted blackstart resource up to and including the first point of
supply and/or point of delivery of the next generating unit or aggregated generating
facility to be started;
4.2.2. Responsible Entities listed in subsection 4.1 other than a legal owner of an electric
distribution system are responsible for:
4.2.2.1. each transmission facility that is part of the bulk electric system except each
transmission facility that:
4.2.2.1.1. is a transformer with fewer than 2 windings at 100 kV or higher and does
not connect a contracted blackstart resource;
4.2.2.1.2. radially connects only to load;
4.2.2.1.3. radially connects only to one or more generating units or aggregated
generating facilities with a combined maximum authorized real power of less
than or equal to 67.5 MW and does not connect a contracted blackstart resource;
or
4.2.2.1.4. radially connects to load and one or more generating units or aggregated
generating facilities that have a combined maximum authorized real power of
less than or equal to 67.5 MW and does not connect a contracted blackstart
resource;
Document1
Page 4 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management
and Vulnerability Assessments
4.2.2.2. a reactive power resource that is dedicated to supplying or absorbing reactive
power that is connected at 100 kV or higher, or through a dedicated transformer with a highside voltage of 100 kV or higher, except those reactive power resources operated by an
end-use customer for its own use;
4.2.2.3. a generating unit that is:
4.2.2.3.1. directly connected to the bulk electric system and has a maximum
authorized real power rating greater than 18 MW unless the generating unit is part
of an industrial complex;
4.2.2.3.2. within a power plant which:
4.2.2.3.2.1. is not part of an aggregated generating facility;
4.2.2.3.2.2. is directly connected to the bulk electric system; and
4.2.2.3.2.3. has a combined maximum authorized real power rating greater
than 67.5 MW unless the power plant is part of an industrial complex;
4.2.2.3.3. within an industrial complex with supply transmission service
greater than 67.5 MW; or
4.2.2.3.4. a contracted blackstart resource;
4.2.2.4. an aggregated generating facility that is:
4.2.2.4.1. directly connected to the bulk electric system and has a maximum
authorized real power rating greater than 67.5 MW unless the aggregated
generating facility is part of an industrial complex;
4.2.2.4.2. within an industrial complex with supply transmission service greater
than 67.5 MW; or
4.2.2.4.3. a contracted blackstart resource;
and
4.2.2.5. control centres and backup control centres.
4.2.3. The following are exempt from this reliability standard:
4.2.3.1. [Intentionally left blank.]
4.2.3.2. cyber assets associated with communication networks and data communication
links between discrete electronic security perimeters.
4.2.3.3. [Intentionally left blank.]
4.2.3.4. for the legal owner of an electric distribution system, the systems and equipment
that are not included in subsection 4.2.1 above.
Document1
Page 5 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management
and Vulnerability Assessments
4.2.3.5. Responsible Entities that identify that they have no BES cyber systems categorized
as High Impact or Medium Impact according to the CIP‐002-AB‐5.1 identification and
categorization processes.
4.2.2.3.2.2. is directly connected to the bulk electric system; and
4.2.2.3.2.3. has a combined maximum authorized real power rating greater
than 67.5 MW unless the power plant is part of an industrial complex;
4.2.2.3.3. within an industrial complex with supply transmission service greater
than 67.5 MW; or
4.2.2.3.4. a contracted blackstart resource;
4.2.2.4. an aggregated generating facility that is:
4.2.2.4.1. directly connected to the bulk electric system and has a maximum
authorized real power rating greater than 67.5 MW unless the aggregated
generating facility is part of an industrial complex;
4.2.2.4.2. within an industrial complex with supply transmission service greater
than 67.5 MW; or
4.2.2.4.3. a contracted blackstart resource;
and
4.2.2.5. control centres and backup control centres.
4.2.3. The following are exempt from this reliability standard:
4.2.3.1. [Intentionally left blank.]
4.2.3.2. cyber assets associated with communication networks and data communication
links between discrete electronic security perimeters.
4.2.3.3. [Intentionally left blank.]
4.2.3.4. for the legal owner of an electric distribution system, the systems and equipment
that are not included in subsection 4.2.1 above.
4.2.3.5. Responsible Entities that identify that they have no BES cyber systems categorized
as High Impact or Medium Impact according to the CIP‐002-AB‐5.1 identification and
categorization processes.
Document1
Page 6 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Compliance Assessment
R1
Requirement & Measure
Evidence Submission
Evidence Description
Evidence
Assessment Approach
Auditor Notes
R1. Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects
deficiencies, one or more documented processes that
collectively include each of the applicable requirement
parts in CIP‐010-AB‐1 Table R1 – Configuration Change
Management.
M1. Evidence must include each of the applicable
documented processes that collectively include each of
the applicable requirement parts in CIP‐010-AB‐1 Table
R1 – Configuration Change Management and additional
evidence to demonstrate implementation as described in
the Measures column of the table.
Part 1.1 in Table R1 – Configuration Change
Management
AR1 Part 1.1 Please
provide:
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
(i) One or more
documented processes
pertaining to
requirement R1 Part
1.1.
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
Part 1.1 (i) submitted evidence]
evidence]
Medium Impact BES cyber systems and their
associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
Requirements
Develop a baseline configuration, individually or by group,
(ii) Evidence that the
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
which shall include the following items:
processes pertaining to Part 1.1 (ii) submitted evidence]
evidence]
1.1.1. operating system(s) (including version) or firmware
requirement R1 Part 1.1
where no independent operating system exists;
1.1.2. any commercially available or open‐source
have been
implemented.
application software (including version) intentionally
installed;
1.1.3. any custom software installed;
1.1.4. any logical network accessible ports; and
1.1.5. any security patches applied.
Measures
Examples of evidence may include, but are not limited to:

a spreadsheet identifying the required items of
the baseline configuration for each cyber asset,
individually or by group; or

a record in an asset management system that
identifies the required items of the baseline
configuration for each cyber asset, individually
or by group.
Document1
Page 7 of 18
Verify that the Responsible Entity has documented [For AESO use only]
one or more processes that include the
development of a baseline configuration for each
Applicable System.
For each Applicable System, verify the above
documented process(es) collectively include all of
the following:

operating system(s) (including version) or
firmware where no independent operating
system exists;

any commercially available or opensource application software (including
version) intentionally installed;

any custom software installed;

any logical network accessible ports; and

any security patches applied.
Verify the Responsible Entity has a baseline
[For AESO use only]
configuration for each Applicable System,
individually or by group, which includes:

operating system(s) (including version) or
firmware where no independent operating
system exists;

any commercially available or opensource application software (including
version) intentionally installed;

any custom software installed;

any logical network accessible ports; and

any security patches applied.
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Evidence Submission
Part 1.2 in Table R1 – Configuration Change
Management
AR1 Part 1.2 Please
provide:
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
(i) One or more
documented processes
pertaining to
requirement R1 Part
1.2.
Evidence Description
Evidence
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
Part 1.2 (i) submitted evidence]
evidence]
Assessment Approach
Auditor Notes
Verify the Responsible Entity documented one or
more processes to authorize and document
changes that deviate from the existing baseline
configuration.
[For AESO use only]
For each Applicable System, verify the
Responsible Entity authorized and documented
changes that deviate from the existing baseline
configuration.
[For AESO use only]
Medium Impact BES cyber systems and their
associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
Requirements
Authorize and document changes that deviate from the
existing baseline configuration.
Measures
Examples of evidence may include, but are not limited to:

a change request record and associated
electronic authorization (performed by the
individual or group with the authority to authorize
the change) in a change management system
for each change; or

documentation that the change was performed in
accordance with the requirement.
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
(ii) Evidence that the
Part 1.2 (ii) submitted evidence]
evidence]
processes pertaining to
requirement R1 Part 1.2
have been
implemented; including
a list of authorized
changes that deviate
from the existing
baseline configuration
that occurred during the
audit period.
Document1
Page 8 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Evidence Submission
Part 1.3 in Table R1 – Configuration Change
Management
AR1 Part 1.3 Please
provide:
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
(i) One or more
documented processes
pertaining to
requirement R1 Part
1.3.
Evidence Description
Evidence
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
Part 1.3 ( (i) submitted evidence]
evidence]
Assessment Approach
Auditor Notes
For a change that deviates from the existing
baseline configuration, verify the Responsible
Entity documented one or more processes for
updating the baseline configuration as necessary
within 30 days of completing the change.
[For AESO use only]
For each Applicable System, for a change that
deviates from the existing baseline configuration,
verify the Responsible Entity updated the baseline
configuration as necessary within 30 days of
completing the change.
[For AESO use only]
Medium Impact BES cyber systems and their
associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
Requirements
For a change that deviates from the existing baseline
configuration, update the baseline configuration as
necessary within 30 days of completing the change.
Measures
An example of evidence may include, but is not limited to,
updated baseline documentation with a date that is within
30 days of the date of the completion of the change.
(ii) Evidence that the
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
processes pertaining to Part 1.3 (ii) submitted evidence]
evidence]
requirement R1 Part 1.3
have been
implemented; including
the date when each
change in requirement
R1 Part 1.2 was
completed and the
corresponding date
when the baseline
configuration was
updated.
Document1
Page 9 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Evidence Submission
Part 1.4 in Table R1 – Configuration Change
Management
AR1 Part 1.4 Please
provide:
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
(i) One or more
documented processes
pertaining to
requirement R1 Part
1.4.
Evidence Description
Evidence
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
Part 1.4 ( (i) submitted evidence]
evidence]
Medium Impact BES cyber systems and their
associated:
1. electronic access control or monitoring systems;
2. physical access control systems; and
3. protected cyber assets
Requirements
For a change that deviates from the existing baseline
configuration:
1.4.1. prior to the change, determine required cyber
security controls in CIP‐005 and CIP‐007 that could be
impacted by the change;
1.4.2. following the change, verify that required cyber
security controls determined in 1.4.1 are not adversely
affected; and
1.4.3. document the results of the verification.
(ii) Evidence that the
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
processes pertaining to Part 1.4 (ii) submitted evidence]
evidence]
requirement R1 Part 1.4
have been
implemented.
Measures
An example of evidence may include, but is not limited to,
a list of cyber security controls verified or tested along
with the dated test results.
Document1
Page 10 of 18
Assessment Approach
Auditor Notes
For a change that deviates from the existing
[For AESO use only]
baseline configuration, verify the Responsible
Entity documented one or more processes to:

determine, prior to the change, required
cyber security controls in CIP-005 and
CIP-007 that could be impacted by the
change;

verify, following the change, that required
cyber security controls determined in Part
1.4.1 are not adversely affected; and

document the results of the verification.
For each change that deviates from the existing
baseline configuration, for each Applicable
System, verify that:

prior to the change, the Responsible
Entity has determined the required
security controls in CIP-005 and CIP-007
that could be impacted by the change;

following the change, the Responsible
Entity has verified that the required cyber
security controls determined in 1, above,
are not adversely affected; and

the Responsible Entity has documented
the results of the verification required by
2, above.
[For AESO use only]
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Evidence Submission
Part 1.5 in Table R1 – Configuration Change
Management
AR1. Part 1.5 Please
provide:
Applicable Systems
High Impact BES cyber systems
(i) One or more
documented processes
pertaining to
requirement R1 Part
1.5.
Requirements
Where technically feasible, for each change that deviates
from the existing baseline configuration:
Evidence Description
Evidence
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
Part 1.5 (i) submitted evidence]
evidence]
1.5.1. prior to implementing any change in the production
environment, test the changes in a test environment or
test the changes in a production environment where the
test is performed in a manner that minimizes adverse
effects, that models the baseline configuration to ensure
that required cyber security controls in CIP‐005 and CIP‐
007 are not adversely affected; and
1.5.2. document the results of the testing and, if a test
environment was used, the differences between the test
environment and the production environment, including a
description of the measures used to account for any
differences in operation between the test and production
environments.
Assessment Approach
Auditor Notes
For changes that deviate from the existing
[For AESO use only]
baseline configuration, verify the Responsible
Entity documented one or more processes that
include:

prior to implementing any change in the
production environment, test the changes
in a test environment or test the changes
in a production environment where the
test is performed in a manner that
minimizes adverse effects, that models
the baseline configuration to ensure that
required cyber security controls in CIP005 and CIP-007 are not adversely
affected; and

document the results of the testing and, if
a test environment was used, the
differences between the test environment
and the production environment,
including a description of the measures
used to account for any differences in
operation between the test and
production environments.
Measures
An example of evidence may include, but is not limited to
a list of cyber security controls tested along with
successful test results and a list of differences between
the production and test environments with descriptions of
how any differences were accounted for, including the
date of the test.
Document1
Page 11 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Evidence Submission
Evidence Description
Evidence
(ii) Evidence that the
[Click and edit to enter description for AR1 [Click and edit to embed file or link to
processes pertaining to Part 1.5 (ii) submitted evidence]
evidence]
requirement R1 Part 1.5
have been
implemented.
Assessment Approach
Verify that, for each Applicable System, for each
change that deviates from the existing baseline
configuration, prior to implementing any change in
the production environment:

the Responsible Entity tested the
changes in a test environment; or

the Responsible Entity tested the
changes in a production environment
where the test is performed in a manner
that minimizes adverse effects, that
models the baseline configuration to
ensure that required cyber security
controls in CIP-005 and CIP-007 are not
adversely affected; or

an approved Technical Feasibility
Exception covers this circumstance.
Auditor Notes
[For AESO use only]
Verify that, for each Applicable System, where
technically feasible, for each change that deviates
from the existing baseline configuration, verify:

the Responsible Entity documented the
results of the testing; and

if a test environment was used, the
Responsible Entity documented the
differences between the test environment
and the production environment,
including a description of the measures
used to account for any differences in
operation between the test and
production environments.
If an approved Technical Feasibility Exception is
applicable to this Part, verify the compensating
measures identified by the approved Technical
Feasibility Exception are implemented.
Findings
[For AESO use only]
Document1
Page 12 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
R2
Requirement & Measure
Evidence Submission
Evidence Description
Evidence
Assessment Approach
Auditor Notes
R2. Each Responsible Entity shall implement, in a
manner that identifies, assesses, and corrects
deficiencies, one or more documented processes that
collectively include each of the applicable requirement
parts in CIP‐010-AB‐1 Table R2 – Configuration
Monitoring.
M2. Evidence must include each of the applicable
documented processes that collectively include each of
the applicable requirement parts in CIP‐010-AB‐1 Table
R2 – Configuration Monitoring and additional evidence to
demonstrate implementation as described in the
Measures column of the table.
Part 2.1 in Table R2 – Configuration Monitoring
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring
systems; and
2. protected cyber assets
AR2 Part 2.1 Please
provide:
[Click and edit to enter description for AR2
Part 2.1 (i) submitted evidence]
[Click and edit to embed file or link to
evidence]
(i) One or more
documented processes
pertaining to
requirement R2 Part
2.1.
Verify the Responsible Entity documented one or
more processes to monitor at least once every 35
days for changes to the baseline configuration (as
described in Requirement R1, Part 1.1).

[For AESO use only]
Verify the Responsible Entity documented one or
more processes to document and investigate
detected unauthorized changes.
Requirements
Monitor at least once every 35 days for changes to the
baseline configuration (as described in requirement R1,
Part 1.1). Document and investigate detected
unauthorized changes.
Measures
An example of evidence may include, but is not limited
to, logs from a system that is monitoring the
configuration along with records of investigation for any
unauthorized changes that were detected.
(ii) Evidence that the
[Click and edit to enter description for AR2
processes pertaining to Part 2.1 (ii) submitted evidence]
requirement R2 Part
2.1 have been
implemented.
[Click and edit to embed file or link to
evidence]
For each Applicable System, verify the
Responsible Entity monitored at least once every
35 days for changes to the baseline configuration
(as described in Requirement R1, Part 1.1).
[For AESO use only]
For each Applicable System, verify all detected
unauthorized changes were documented and
investigated.
Findings
[For AESO use only]
Document1
Page 13 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
R3
Requirement & Measure
Evidence Submission
Evidence Description
Evidence
Assessment Approach
Auditor Notes
R3. Each Responsible Entity shall implement one or
more documented processes that collectively include
each of the applicable requirement parts in CIP‐010-AB‐
1 Table R3– Vulnerability Assessments.
M3. Evidence must include each of the applicable
documented processes that collectively include each of
the applicable requirement parts in CIP‐010-AB‐1 Table
R3 – Vulnerability Assessments and additional evidence
to demonstrate implementation as described in the
Measures column of the table.
Part 3.1 in Table R3 – Vulnerability Assessments
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring
systems;
2. physical access control systems; and
3. protected cyber assets
AR3 Part 3.1 Please
provide:
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
Part 3.1 (i) submitted evidence]
evidence]
(i) One or more
documented processes
pertaining to
requirement R3 Part
3.1.
Verify the Responsible Entity documented one or
more processes for conducting a paper or active
vulnerability assessment at least once every 15
months.
[For AESO use only]
For each Applicable System, verify the
Responsible Entity conducted a paper or active
vulnerability assessment at least once every 15
months.
[For AESO use only]
Medium Impact BES cyber systems and their
associated:
1. electronic access control or monitoring
systems;
2. physical access control systems; and
3. protected cyber assets
Requirements
At least once every 15 months, conduct a paper or
active vulnerability assessment.
Measures
Examples of evidence may include, but are not limited
to:

a document listing the date of the assessment
(performed at least once every 15 months), the
controls assessed for each BES cyber system
along with the method of assessment; or

a document listing the date of the assessment
and the output of any tools used to perform the
assessment.
Document1
(ii) Evidence that the
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
processes pertaining to Part 3.1 (ii) submitted evidence]
evidence]
requirement R3 Part
3.1 have been
implemented.
Page 14 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Part 3.2 in Table R3 – Vulnerability Assessments
Applicable Systems
High Impact BES cyber systems
Requirements
Where technically feasible, at least once every 36
months:
Evidence Submission
AR3 Part 3.2 Please
provide:
Evidence Description
Evidence
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
Part 3.2 (i) submitted evidence]
evidence]
(i) One or more
documented processes
pertaining to
requirement R3 Part
3.2.
3.2.1 perform an active vulnerability assessment in a test
environment, or perform an active vulnerability
assessment in a production environment where the test
is performed in a manner that minimizes adverse effects,
that models the baseline configuration of the BES cyber
system in a production environment; and
3.2.2 document the results of the testing and, if a test
environment was used, the differences between the test
environment and the production environment, including a
description of the measures used to account for any
differences in operation between the test and production
environments.
Assessment Approach
Verify the Responsible Entity documented one or
more processes to:

perform an active vulnerability
assessment in a test environment, or
perform an active vulnerability
assessment in a production environment
where the test is performed in a manner
that minimizes adverse effects, that
models the baseline configuration of the
BES cyber system in a production
environment; and

Measures
An example of evidence may include, but is not limited
to, a document listing the date of the assessment
(ii) Evidence that the
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
(performed at least once every 36 months), the output
processes pertaining to Part 3.2 (ii) submitted evidence]
evidence]
of the tools used to perform the assessment, and a list of
requirement R3 Part
differences between the production and test
3.2 have been
environments with descriptions of how any differences
implemented.
were accounted for in conducting the assessment.

Document1
Page 15 of 18
[For AESO use only]
document the results of the testing and, if
a test environment was used, the
differences between the test environment
and the production environment,
including a description of the measures
used to account for any differences in
operation between the test and
production environments.
For each Applicable System, was an active
vulnerability assessment technically feasible?

Auditor Notes
[For AESO use only]
If yes, verify:
o
An active vulnerability
assessment was conducted at
least once every 36 months, in
accordance with 3.2.1; and
o
results of testing are
documented, in accordance with
3.2.2.
If no, verify the compensating measures
identified by the approved Technical
Feasibility Exception are implemented.
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Part 3.3 in Table R3 – Vulnerability Assessments
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring
systems;
2. protected cyber assets
Evidence Submission
AR3 Part 3.3 Please
provide:
Evidence Description
Evidence
Assessment Approach
Auditor Notes
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
Part 3.3 (i) submitted evidence]
evidence]
Verify the Responsible Entity documented one or
more processes for performing an active
vulnerability assessment, prior to adding a new
applicable cyber asset to a production
environment, of the new cyber asset, except for
CIP exceptional circumstances and like
replacements of the same type of cyber asset
with a baseline configuration that models an
existing baseline configuration of the previous or
other existing cyber asset.
[For AESO use only]
(ii) Evidence that the
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
processes pertaining to Part 3.3 (ii) submitted evidence]
evidence]
requirement R3 Part
3.3 have been
implemented.
For each Applicable System, was a new
applicable cyber asset added to a production
environment? If yes, verify that an active
vulnerability assessment of the new cyber asset
was performed prior to adding it to a production
environment, except for CIP exceptional
circumstances and like replacements of the
same type of cyber asset with a baseline
configuration that models an existing baseline
configuration of the previous or other existing
cyber asset.
[For AESO use only]
(i) One or more
documented processes
pertaining to
requirement R3 Part
3.3.
Requirements
Prior to adding a new applicable cyber asset to a
production environment, perform an active vulnerability
assessment of the new cyber asset, except for CIP
exceptional circumstances and like replacements of
the same type of cyber asset with a baseline
configuration that models an existing baseline
configuration of the previous or other existing cyber
asset.
Measures
An example of evidence may include, but is not limited
to, a document listing the date of the assessment
(performed prior to the commissioning of the new cyber
asset) and the output of any tools used to perform the
assessment.
If the Responsible Entity has experienced an
exception for CIP exceptional circumstances,
verify the Responsible Entity has adhered to any
applicable cyber security policies.
Document1
Page 16 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management and Vulnerability Assessments
Requirement & Measure
Part 3.4 in Table R3 – Vulnerability Assessments
Applicable Systems
High Impact BES cyber systems and their associated:
1. electronic access control or monitoring
systems;
2. physical access control systems; and
3. protected cyber assets
Evidence Submission
AR3 Part 3.4 Please
provide:
Evidence Description
Evidence
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
Part 3.4 (i) submitted evidence]
evidence]
(i) One or more
documented processes
pertaining to
requirement R3 Part
3.4.
Assessment Approach
Verify the Responsible Entity documented one or
more processes to document the results of the
assessments conducted according to Parts 3.1,
3.2, and 3.3 and the action plan to remediate or
mitigate vulnerabilities identified in the
assessments including the planned date of
completing the action plan and the execution
status of any remediation or mitigation action
items.
Auditor Notes
[For AESO use only]
Medium Impact BES cyber systems and their
associated:
1. electronic access control or monitoring
systems;
2. physical access control systems; and
3. protected cyber assets
Requirements
Document the results of the assessments conducted
according to Parts 3.1, 3.2, and 3.3 and the action plan
to remediate or mitigate vulnerabilities identified in the
assessments including the planned date of completing
the action plan and the execution status of any
remediation or mitigation action items.
Measures
An example of evidence may include, but is not limited
to, a document listing the results or the review or
assessment, a list of action items, documented proposed
dates of completion for the action plan, and records of
the status of the action items (such as minutes of a
status meeting, updates in a work order system, or a
spreadsheet tracking the action items).
(ii) Evidence that the
[Click and edit to enter description for AR3 [Click and edit to embed file or link to
processes pertaining to Part 3.4 (ii) submitted evidence]
evidence]
requirement R3 Part
3.4 have been
implemented.
For each Applicable System, for each assessment [For AESO use only]
conducted according to Parts 3.1, 3.2, and 3.3,
verify the results of the assessment were
documented.
For each Applicable System, for each assessment
conducted according to Parts 3.1, 3.2, and 3.3,
were there vulnerabilities identified?
If yes, verify:

an action plan to remediate or mitigate
the identified vulnerabilities was created
or modified;

the action plan includes a planned date
of completion;
the action plan includes the execution
status of any remediation or mitigation
action items;
the status of the action plan, if the
planned date of completion has been
exceeded; and



the completion of the action plan, if the
action plan status is complete.
Findings
[For AESO use only]
Document1
Page 17 of 18
Version 1.0 – 2015-12-01
CIP-010-AB-1
Cyber Security – Configuration Change Management
and Vulnerability Assessments
General Notes
The AESO developed this Reliability Standard Audit Worksheet (RSAW) to add clarity and consistency to the
audit team’s assessment of compliance with this reliability standard, including the approach elected to assess
requirements.
Additionally, the RSAW provides a non-exclusive list of examples of the types of evidence a market
participant may produce or may be asked to produce to demonstrate compliance with this reliability standard.
A market participant’s adherence to the examples contained within this RSAW does not constitute compliance
with the reliability standard.
This document is not an AESO authoritative document and revisions to it may be made from time to time by
the AESO. Market participants are notified of revisions through the stakeholder update process.
Notes to File
[For AESO use only: any observations, remarks or action items for future audits]
Revision History
Version
1.0
Document1
Issue Date
Description
December 1, 2015
Initial version of Worksheet
Page 18 of 18
Version 1.0 – 2015-12-01