Cyber Security Standards
Transition Guidance (Revised)
To: Regional Entities and Responsible Entities
From: NERC Compliance Operations
Date: DRAFT DATE: June 9, 2014
1. Introduction
As the CIP Reliability Standards have developed and matured, the overarching philosophy has been
consistent: apply the appropriate cyber security measures to protect the reliable operation of the Bulk
Electric System (BES). The transition to Version 5 Critical Infrastructure Protection (CIP) Reliability
Standards (V5) does not mean that there is expected to be a single point in time when Responsible
Entities will move from compliance with Version 3 CIP Reliability Standards (V3) to compliance with V5.
Establishing compliance with V5 will be an ongoing process.
The “Effective Date” of V5 is April 1, 2014, which is based on the date that the V5 Standards were
approved by FERC. Until the “compliance enforcement date” of April 1, 2016, compliance with V3 remains
mandatory and enforceable, and will be assessed until the official V5 compliance enforcement date.
However, during the transition period, there will be a flexible approach to the evaluation of V3
compliance.
This updated Cyber Security Standards Transition Guidance applies to Regional Entities and Responsible
Entities. It provides guidance and flexibility for implementing changes to achieve compliance with V5
without undue concerns regarding compliance status with V3. It explains how auditors will assess
compliance during the time between the issuance date of this revised Cyber Security Standards Transition
Guidance and the enforcement date of V5 (“Transition Period”). Since additional changes are being
drafted to the V5 Standards, this transition guidance document will be updated if necessary to reflect any
changes that are approved by FERC.
This guidance supersedes previous Cyber Security Standards Transition Guidance.
2. Background
FERC Order 791 was issued on November 22, 2013, approving CIP Reliability Standards 002-5 through 0111, with certain directives that were subsequently referred to a specially formed Standards Drafting Team
(SDT) for resolution. For those issues not requiring action by the SDT, the Commission also approved
NERC’s implementation plan allowing Responsible Entities to transition from compliance with the
currently-effective CIP V3 Reliability Standards to compliance with the CIP V5 Reliability Standards. The
Order also stated that Version 4 CIP Reliability Standards (V4) will never be mandatory and enforceable.
3. Newly Identified BES Cyber Systems
As per the release of this document, a Responsible Entity with newly identified systems and facilities shall
begin implementing V5. A Responsible Entity that previously would have referred to the Implementation
Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities1 in CIP V3 or that has used the
V5 Impact Ratings to identify new assets may move directly to compliance with CIP V5. This allows entities
that will be implementing new systems or that have newly identified assets applicable to V5 a clear path
without the added compliance requirements of V3 during the transition period. Any newly identified High
or Medium Impact systems will be enforced as per the April 1, 2016 compliance enforcement date.
Responsible Entities that have assets identified by an acquisition or that have received a Registered ThirdParty Designation (see below) will be provided the latter of either a 12 calendar month implementation
window from the time of notification in accordance with V5 Implementation Plan2 or an implementation
date of April 1, 2016 for any newly identified BES Cyber Systems.

(Impact Rating 2.3) Each generation Facility that its Planning Coordinator or Transmission Planner
designates, and informs the Generator Owner or Generator Operator, as necessary, to avoid an
Adverse Reliability Impact in the planning horizon of more than one year.

(Impact Rating 2.6) Generation at a single plant location or Transmission Facilities at a single
station or substation location that are identified by its Reliability Coordinator, Planning
Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability
Operating Limits (IROLs) and their associated contingencies.

(Impact Rating 2.8) Transmission Facilities, including generation interconnection Facilities,
providing the generation interconnection required to connect generator output to the
Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable,
would result in the loss of the generation Facilities identified by any Generator Owner as a result
of its application of Attachment 1, criterion 2.1 or 2.3.
4. Compliance during the Transition Period
Responsible Entities are expected to take the appropriate actions to become compliant with the V5
Standards by the compliance enforcement date, while maintaining compliance with the V3 Standards
consistent with this Guidance Document.
1
http://www.nerc.com/pa/Stand/CIP0023RD/Imp-Plan_Newly_Identified_CCA_RE_clean_last_approval_2009Nov19.pdf
Implementation Plan for Version” 5 http://www.nerc.com/pa/Stand/CIP00251RD/Implementation_Plan_clean_4_(2012-1024-1352).pdf
2“
Cyber Security Standards Transition Guidance (Revised)
2
Responsible Entities that previously identified their Critical Cyber Assets (CCAs) according to the brightline criteria in V4 no longer have that approach available because of FERC’s Order approving V5. Thus,
Responsible Entities that are not using a Risk Based Assessment Methodology to identify CCAs as directed
by V3 must use the bright-line criteria that is described in CIP-002-5. A Responsible Entity that has been
relying on V4 bright-line criteria for identifying its Critical Assets will be expected to update its process and
associated documentation within 60 days of the publication date of this Transition Guidance.
While the new CIP Reliability Standards designated as CIP-002-5 through CIP-011-1 represent a significant
change from V3 in terms of applicability and breadth, many are “Mostly Compatible” (MC) with the
language and expectations of the V3 requirements. In light of these similarities, Responsible Entities can
move toward compliance with V5 requirements with confidence, understanding that Regional Entities will
exercise discretion when assessing compliance to V3 requirements during the transition period. If a
Responsible Entity is satisfying a designated V5 requirement, it will be considered to also be meeting the
“MC” V3 requirement.
5. Transition Period Audits
During the transition period, the Compliance Monitoring and Enforcement Program (CMEP) will continue
to be the guiding directive for the conduct of CIP audits. CMEP documents such as the “Actively
Monitored List” will be updated for consistency with this Transition Guidance.
For those Responsibility Entities without V3 Critical Assets or Critical Cyber Assets, Regional Entities will
forgo scheduled audits for CIP Standards until the requirements for Low Impact BES Cyber Systems are
formally approved and the Implementation Date has been determined. A Regional Entity can use other
monitoring methods such as Spot Checks, Self-Certifications, outreach, etc. in lieu of off-site audits for
entities without V3 Critical Assets or Critical Cyber Assets.
Beginning on August 1, 2014, Responsible Entities with CIP audits scheduled to occur before April 1, 2016,
will be expected to notify their Regional Entity regarding which of these circumstances applies to them for
the upcoming audit:
1. The Responsible Entity has begun the early adoption process for V5 and if so, which V5
requirements to assess during the audit, or
2. The Responsible Entity will demonstrate compliance with V3 without regard to the V5
requirements.
The notification process will begin when the Regional Entity sends a Request for Information (RFI) to the
Responsible Entity 45 days prior to the normal 90-day audit notification letter (i.e., 135 days before audit).
The RFI will include the spreadsheet with the requirements and compliance expectations listed in the
Compatibility Tables. The Responsible Entity will return the completed spreadsheet to the Region within
15 days of receipt.
Cyber Security Standards Transition Guidance (Revised)
3
The “Compatibility Tables3” show the requirements from V5 that have been deemed as “mostly
compatible” with a V3 counterpart. This comparison is intended to help Responsible Entities maintain
adequate protection of BES assets as they move from compliance with V3 to compliance with V5 of the
CIP Reliability Standards. For each V3 requirement that maps to V5 and that has been identified as
“mostly compatible”, the Responsible Entity can declare if they comply with V5. If so, V5 will be the initial
basis of review for that requirement. Any deficiencies noted during an audit will be addressed from the
perspective of compliance with V3.
An additional consideration regarding the declaration of compliance with V5 is the “in progress” state of
implementation; e.g., multiple locations or facilities that are not at the same stage of V5 implementation.
In that case, the declaration sent to the Regional Entity should define by category, location, etc. where V5
or V3 requirements should apply.
During an audit, an entity found to be compliant with the declared V5 requirement will also be considered
compliant with the “MC” V3 requirement without further review. If an entity is found to be non-compliant
with a declared V5 requirement, the auditors will revert to a V3 review for the requirement in question.
Any potential findings and enforcement action will apply if the Responsible Entity is not compliant with
the V3 requirement during the audit period. Auditors may offer recommendations for V5 compliance;
however, no formal violations will be issued for V5 requirements during the transition period.
6. V5 Implementation Study
Six Responsible Entities participated in a study to voluntarily implement the V5 Standards prior to the
enforcement date of April 1, 2016. One goal of the study was to identify processes, tools, and other
guidance for achieving compliance with V5 requirements. While lessons learned and related information
from the study are expected to be helpful and informative, they are also intended to clarify areas that
some Registered Entities may find challenging. Helpful information, such as “Lessons Learned,” is available
at the V5 Implementation Study page at NERC’s website.
7. Technical Feasibility Exceptions (TFEs)
In general, TFEs will align with the overall transition process from V3 to V5 and will be considered in the
context of the underlying requirement(s).
For TFEs pertaining to issues that were also TFEs in V3, the transition process will be limited to updating
the appropriate references as well as refining the applicable mitigation plans. In the meantime, updates
and changes can be submitted as necessary via a Material Change Report (MCR).
3
Insert link for Compatibility Table
Cyber Security Standards Transition Guidance (Revised)
4
V5 TFEs pertinent to V3 TFEs
V5
V3
CIP-005-5 R2.3
CIP-005-3 R2.4
CIP-007-5 R1.1
CIP-007-3 R2.3
CIP-007-5 R4.3
CIP-007-3 R6.4
CIP-007-5 R5.6
CIP-007-3 R5.3.3
Table 6.1
If a system or device is unable to meet strict compliance with a V5 requirement that has no associated TFE
per V3, a TFE request will be necessary. Specific instructions pertaining to V5 TFE procedures will be part
of the next update to Appendix 4D of NERC’s Rules of Procedure. Until that update, a Responsible Entity
should contact the Regional Entity for guidance regarding those V5 TFEs.
V5 TFEs not associated with V3 TFEs
CIP-005-5
CIP-006-5
CIP-007-5
CIP-010-1
R1.4
R1.3
R5.1
R1.5
R5.7
R3.2.
R2.1
R2.2
Table 6.2
Existing TFEs that are no longer applicable per V5 requirements will be considered terminated upon the
final release of this document.
V3 TFEs superseded when V5 is
Implemented
CIP-005-3
CIP-006-3
CIP-007-3
R3.1
R1.1
R3.2
R4
R5.3
R 5.3.1
R 5.3.2
R6
Table 6.3
Cyber Security Standards Transition Guidance (Revised)
5