CIP-002 through CIP-009 audit approach

CIP-002-1 through CIP-009-1
Timeline Activities for 2008 - 2010

January 18, 2008 – FERC Final Rule: Order 706.

Substantially Compliant Stage:
• Semi-annual Self-Certifications conducted by NERC and the Regional Entities, focused on progress toward compliance.
• Remedial Action per FERC Order No. 706 at P 97 (see note (1) below).

Compliant Stage – July 1, 2008, December 31, 2008, July 1, 2009, or December 31, 2009, depending on Entity and Standard (see Tables):
• Regional Entity Compliance Managers will conduct a synchronized Self-Certification of the Requirements for specific functions.
• Mitigation Plan if applicable.
• Note: Compliant Stage Requirements are subject to CMEP for Self-Report, Self-Certification, Investigations and Periodic Reports. Does NOT include Compliance Audits or planned Spot Checks.

Auditably Compliant Stage – July 1, 2009, December 31, 2009, July 1, 2010, or December 31, 2010, depending on Entity and Standard (see Tables):
• Regional Entity Compliance Managers conduct Spot Checks for CIP Standards based on the implementation schedule.
• Mitigation Plan per CMEP (Compliant Stage and Auditably Compliant Stage).
• Note: Auditably Compliant Stage Requirements are subject to full CMEP including Audits and Spot Checks.

Note (1): FERC Order No. 706 at P 97:
97. Further, we adopt our CIP NOPR proposals that, while an entity should not be subject to a monetary penalty if it is unable to certify that it is on schedule, such an entity should explain to the ERO the reason it is unable to self-certify. The ERO and the Regional Entities should then work with such an entity either informally or, if appropriate, by requiring a remedial plan to assist such an entity in achieving full compliance in a timely manner. Further, we expect the ERO and the Regional Entities to provide informational guidance, upon request, to assist a responsible entity in assessing its progress in reaching “auditably compliant” status.
Implementation Plan – Table 1A
Table 1A – System Control Centers for BA, TOP that were required to self-certify UA 1200 and RC

| Date     | Substantially Compliant Stage | Compliant Stage | Auditably Compliant Stage |
|----------|-------------------------------|-----------------|---------------------------|
| 7/1/2008 | 28 Requirements               | 13 Requirements |                           |
| 7/1/2009 |                               | 28 Requirements | 13 Requirements           |
| 7/1/2010 |                               |                 | 41 Requirements           |
Implementation Plan – Table 1B
Table 1B – Other facilities for BA, TOP that were required to self-certify UA 1200 and RC

| Date     | Substantially Compliant Stage | Compliant Stage | Auditably Compliant Stage |
|----------|-------------------------------|-----------------|---------------------------|
| 7/1/2008 | 40 Requirements               | 1 Requirement   |                           |
| 7/1/2009 |                               | 39 Requirements | 2 Requirements            |
| 7/1/2010 |                               |                 | 41 Requirements           |
Implementation Plan – Table 2
Table 2 – TSP, those BA and TOP not required to self-certify to UA Standard 1200, NERC, and Regional Entities

| Date     | Substantially Compliant Stage | Compliant Stage | Auditably Compliant Stage |
|----------|-------------------------------|-----------------|---------------------------|
| 7/1/2008 | 40 Requirements               | 1 Requirement   |                           |
| 7/1/2009 |                               | 40 Requirements | 1 Requirement             |
| 7/1/2010 |                               |                 | 41 Requirements           |
Implementation Plan – Table 3
Table 3 – IA, TO, GO, GOP, and LSE

| Date       | Substantially Compliant Stage | Compliant Stage | Auditably Compliant Stage |
|------------|-------------------------------|-----------------|---------------------------|
| 12/31/2008 | 40 Requirements               | 1 Requirement   |                           |
| 12/31/2009 |                               | 40 Requirements | 1 Requirement             |
| 12/31/2010 |                               |                 | 41 Requirements           |
Implementation Plan – Table 4
Table 4 – Entities Registering in 2007 and Thereafter
(Does not include Balancing Authorities and Transmission Operators required to self-certify UA Standard 1200 and Reliability Coordinators.)

| Date                     | Begin Work Stage (Not Started) | Substantially Compliant Stage | Compliant Stage | Auditably Compliant Stage |
|--------------------------|--------------------------------|-------------------------------|-----------------|---------------------------|
| Upon Registration        | 40 Requirements                | 1 Requirement                 |                 |                           |
| Registration + 12 Months |                                | 40 Requirements               | 1 Requirement   |                           |
| Registration + 24 Months |                                |                               | 40 Requirements | 1 Requirement             |
| Registration + 36 Months |                                |                               |                 | 41 Requirements           |
Semi-Annual Self-Certification
During the timeframe between FERC approval and the requirement reaching the “Compliant” stage of the CIP Implementation Plan, a semi-annual self-certification will be conducted.
• Beginning July 1, 2008, there will be 28 requirements from Table 1A, 40 requirements from Table 1B and 40 requirements from Table 2 for which the Registered Entity must complete the semi-annual self-certification focused on progress toward substantially compliant.
• Beginning December 31, 2008, there will be 40 requirements from Table 3 for which the Registered Entity must complete the semi-annual self-certification.
• Table 4 is based on registration dates as outlined in the implementation plan.
Semi-Annual Self-Certification
• NERC will issue the semi-annual self-certification to the Regional Entities.
• The Regional Entities will send the semi-annual self-certification forms to the Registered Entities (applicability based on the CIP Implementation Plan).
• A Registered Entity that indicates it has not reached the milestone for a requirement will be required to explain why this milestone has not been met.
Semi-Annual Self-Certification
In response to Registered Entities that report in the semi-annual self-certification that they have not met the CIP Implementation Plan Milestones, the Regional Entity will:
• Work informally with the Registered Entity, or
• Require a Remedial Action Plan to assist the Registered Entity in achieving full compliance.
Note: These activities are outside the CMEP process.
Compliant Stage
Compliant means the entity meets the full intent of the requirements (i.e. has identified its cyber security perimeter) and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records” to become auditably compliant.
• Subject to the CMEP process including Remedial Actions and Mitigation Plans.
• Subject to penalties and sanctions in accordance with the CMEP and ROP.
• Not subject to compliance audits or planned spot checks.
Compliant Stage – 13 Requirements
July 2008
On July 1, 2008, the following NERC standards, CIP-002-1 through CIP-009-1, have certain requirements that reach the Compliant Stage as defined within the CIP Implementation Plan and are subject to Self-Certification.

CIP-002-1 Cyber Security — Critical Cyber Asset Identification
• R1 Critical Asset Identification Method
• R2 Critical Asset Identification list
• R3 Critical Cyber Asset Identification list
Compliant Stage – 13 Requirements
July 1, 2008 – Continued

CIP-003-1 Cyber Security — Security Management Controls
• R1 Cyber security policy documented and implemented
• R2 Senior manager assigned with overall responsibility to CIP-002-1 through CIP-009-1
• R3 Exceptions documented and authorized by the senior manager

CIP-004-1 Cyber Security — Personnel and Training
• R2 Establish, maintain, and document an annual cyber security training program
• R3 Documented and implemented personnel risk assessment program
• R4 List of personnel and access rights (cyber/physical) to Critical Cyber Assets
Compliant Stage – 13 Requirements
July 1, 2008 – Continued

CIP-005-1 None

CIP-006-1 None

CIP-007-1 Cyber Security — Systems Security Management
• R1 Test procedures to ensure changes to CCAs do not adversely affect cyber security controls

CIP-008-1 Cyber Security — Incident Reporting and Response Planning
• R1 Develop and maintain a Cyber Security Incident response plan
Compliant Stage – 13 Requirements
July 1, 2008 – Continued

CIP-009-1 Cyber Security — Recovery Plans for Critical Cyber Assets
• R1 Create and annually review recovery plan(s) for Critical Cyber Assets
• R2 Recovery plan(s) shall be exercised at least annually
Compliant Stage
• NERC will include the self-certification questions with respect to the 13 requirements that reach the Compliant Stage to the Regional Entities as part of the semi-annual self-certification.
• The Regional Entities will send the Self-Certification forms (as part of the semi-annual self-certification) to the Registered Entities (applicability based on the CIP Implementation Plan).
• A Registered Entity that indicates it has not met the full intent of a Compliant Stage requirement will be subject to the CMEP process.
• Subject to penalties and sanctions in accordance with the CMEP and ROP.
Compliant Stage – Monitoring Methods
• Self-Reporting – The Registered Entity is to report when it is not compliant or auditably compliant with a requirement.
• Self-Certification – Beginning July 1, 2008, there will be 13 requirements from the CIP Implementation Plan Table 1A, and 1 requirement from Table 1B and Table 2, for which the Registered Entity must self-certify that it is compliant with each requirement. Beginning December 31, 2008, Registered Entities in Table 3 must self-certify that they are compliant with the 1 requirement.
• Investigations – For cause, due to an event, complaint, report, or other matter identified by other means.
• Not subject to compliance audits or planned spot checks.
Note: Potential violations at the Compliant and Auditably Compliant Stages can be identified in Readiness Evaluations.
Additional activities
Adjust the Actively Monitored List
• The 2008 Compliance Monitoring and Enforcement Program will only include the 13 requirements by function that are identified as “Compliant” (subject to the compliant dates in the implementation plan).
Develop CIP IT Auditing Training
• Two classes 4th quarter 2008
• Two classes 1st quarter 2009
• NERC Regional Compliance Program Coordinators
• Regional Entity Lead Auditors
Develop RSAWs for the 13 requirements that reach the “Compliant” stage on July 1, 2008, as a tool for the Regional Entities and Registered Entities.
Develop RSAWs based on the Auditably Compliant Requirements Schedule.