CIP-004-2 - ReliabilityFirst

Q – The data retention period for Standards CIP-002 to CIP-009 versions 2
and 3 state:
“The Responsible Entity shall keep all documentation and records from the
previous full calendar year unless directed by its Compliance Enforcement
Authority to retain specific evidence for a longer period of time as part of an
Can I presume that documents and evident not relevant (outdated) during that
time frame will not be subject to review during a three year or six year audit
or spot-check?
A- ReliabilityFirst will conduct CIP audits for the compliance period of the
previous full calendar year to the date of the audit. This means that any
document that was in effect on January 1, 2010, or later may be examined
in an audit occurring in 2011. As it is possible the rules may change,
ReliabilityFirst suggests that entities keep documents beginning with the
most recent audit unless otherwise indicated by the language of the
Q – If a CCA is identified today as not being able to have malware
installed in compliance with CIP-007 R4, but the CCA was not
included in a TFE previously is that a violation of CIP-007 R4? This
could be generalized to any CCA found to not meet a requirement
which should have been included in a TFE but was missed when the
TFEs were prepared.
A- The Entity should file a Self-Report and the Mitigation Plan should
include submitting a TFE.
Q – For those TFEs where the "compensating measures and/or
mitigating measures are complete", can you provide direction on the
expectation for submitting a Quarterly Report?
A- Quarterly Reports and required for all “Approved” TFEs regardless
of the status of their Compensating/Mitigating Measures.
Q – Could you please comment on use of VLANs?
Is this an
acceptable means for separating networks and ESPs sharing a
common firewall?
A- VLANs are not prohibited by the language of the standard.
However, care is needed in the configuration of VLANs and the
associated compliance documentation. If VLANs residing within an
ESP and VLANs not within an ESP are mixed on the same switch,
then that switch will meet the definition of an access point to the
ESP and must be documented and protected accordingly.
Q - Per CIP-005 R1.2, "For a dial-up accessible Critical Cyber Asset that
uses a non-routable protocol, the Responsible Entity shall define an
Electronic Security Perimeter for that single access point at the dial-up
device." What should be on the ESP diagram/within the ESP? Just the
access modem per R1.2? Do CCAs go outside or inside the ESP since
these are connected via non-routable protocol?
A – The CIP-005-1 FAQ Q3 gives us the guidance, “If a dialup modem on a
critical bulk electric asset is used for configuration or polling it must be in an
Electronic Security Perimeter that is just around the dialup access point
(e.g., SCADA-controlled, dial-back, or other technologies that give proper
access controls and logging).” So in this case the ESP would be drawn only
around the modem. In addition, CIP-006-3, D.1.5.2 gives the guidance, “For
dial-up accessible Critical Cyber Assets that use non-routable protocols, the
Responsible Entity shall not be required to comply with Standard CIP-006-3
for that single access point at the dial-up device.”
Q- Please describe what is done on a tour of substations as part of a
compliance audit? Will the number of substations visited be based
on the sampling criteria?
A- a) ReliabilityFirst is currently reviewing the necessity of on site visits to
generation plants and/or transmission substations. The ATL may determine
that such visits are necessary in order to complete an audit. If site visits are
required, auditors, using the entity’s policy and procedures related to
physical security perimeters as a guide as well as the wording of the CIP006 requirements, will concentrate on physical security perimeter defined by
the entity, aspects of the six wall border such as entrance and exit points,
monitoring and alarm responses such as logs, card key systems, security,
b) The number of substations to be visited will be determined through
statistical sampling or non-statistical sampling depending on the number of
substations eligible for a site visit. Location of substations is not a factor in
determining the number of sites to be visited.
Q – Please describe what is done on a tour of control centers as part
of a compliance audit?
A – From a physical security perspective, control center tours will
concentrate on physical security requirements as identified in
entity’s policy, procedures, and wording of CIP-006. In addition to
physical security assessment, tours of control rooms may include
conversation with one or more controllers in order to assess their
knowledge of CIP requirements applicable to a control center
environment. There is no official “checklist” for what to look for or
assess during a control room or tour so each site visited may vary in
content and focus.
Q – Please describe the CIP compliance audit timeline starting at the
90 day notice and audit logistics (e,g, number of teams, room
requirements)? Is CIP-001 included?
A – The CIP compliance audit timeline, following the entity’s receipt of the 90 day notification package,
includes the following milestones:
• Audit Team Lead (ATL) contacts entity to discuss audit process approximately 85 calendar days
before the scheduled audit.
• Entity submits evidence package to ReliabilityFirst 40 calendar days before the scheduled audit.
• Audit team conducts pre-audit reviews during the weeks just prior to the scheduled audit.
• Audit team conducts the scheduled onsite audit including Opening and Exit Briefings. One week
onsite is typical but can be extended as needed.
• Audit team develops the audit report following the scheduled audit. This activity can take up to 70
business days, from draft to final version, based on the comment and review cycles with the audit
team and entity.
The audit logistics are explained within the 90 day audit notification letter and the following documents within
the 90 day notification package: General Instructions and Audit Preparation Guidelines. Any specific
logistics or needs are addressed between the ATL and the Entity’s Primary Compliance Contact prior to
conducting the scheduled audit.
Until otherwise notified, CIP-001 will continue being audited in the scope of the Operations and Planning (e.g.
693) Standards.
Q -Do you anticipate the January 2011 self certification to cover both
version 2 and version 3 or just version 2 CIP standards?
A – Currently, NERC has communicated, within the ERO, that the
January 2011 CIP Self Certifications will be collected covering the
CIP V2 standards for the period of 4/1/2010 to 9/30/2010. NERC is
in the process of finalizing a NERC Compliance Public Bulletin for
posting in the near future.
Q - How are web based pre-audit reviews between audit teams or
with entity SME secured?
A - Web-based meetings are secured using common best practices
which include, but are not limited to, passwords and SSL
communication. ReliabilityFirst holds all audit related materials in
the strictest confidence and maintains Physical and Electronic Cyber
Security. ReliabilityFirst ensures all CIP information is handled in
accordance with CIP guidelines.
Q – When evaluating the PSP during an audit does the entity need to
provide any equipment (e.g. ladders)?
A – ReliabilityFirst is currently reviewing the necessity of on site visits
to generation plants and/or transmission substations The ATL may
determine that such visits are necessary in order to complete an
audit. If site visits are required, the entity will be requested to provide
hard hats, goggles, and any equipment necessary to perform the
team assessment of the site. Generally, auditors will not need to use
a ladder however the immediate availability of one would maximize
time for completion of a site visit.
Q - When defining “annual”, as in testing, some testing must be done when appropriate and done
earlier than every 12 months. If testing is done early, but not in consecutive years, is that deemed
non compliant? For instance, testing on 2/28/10 for 2010 compliance and then testing 12/31/10 for
2011 compliance. If our definition of “annual” is stated in writing as such, if not defined in standard
by NERC or RFC, is this sufficient for compliance? This applies to both CIP and 693 standards.
A - Until such time as NERC provides additional guidance, ReliabilityFirst will consider a
reasonable definition of the term annual, as long as that definition is defined within an entity’s
compliance program or applicable procedures. If the definition of annual is not included in the
entity’s documentation, ReliabilityFirst auditors will use the pending NERC definition of annual as
at least once per calendar year, but not exceeding 15 months between occurrences.
A definition of annual that is not “within reason” might be one that defines annual as “every 18
months.” In your specific example, if your compliance documentation states that testing for a
calendar year may be done before that calendar year starts, and provides a limit to how much
before the calendar year is acceptable, then a ReliabilityFirst audit may find that acceptable.
Without an understanding of your exact compliance situation, it is not possible to give 100%
assurance on this topic. This approach is used by both CIP and 693 auditors.
Q- Have FERC and/or NERC been on any CIP 43 audits with
RFC? If yes, did NERC and FERC participate in the preaudit
A- Yes, a NERC observer has attended a ReliabilityFirst CIP 43 audit.
Both FERC and NERC have observed CIP 13 Spot Checks. In all
cases, FERC and NERC observers participate in the pre-audit
Q - When Steve Garn says we need to submit annual report “after
acceptance of your TFE”, is that Part A Acceptance or Part B
A – The Annual Report is required for those TFEs whose Part A has
been “Accepted.” It is “due on the last business day of the month
immediately following the end of the fourth calendar quarter after
acceptance of the TFE Request.”
Q - Are entities required to submit TFEs related to CIP-007 R5.3 if
their cyber assets cannot technically enforce the password
complexity requirements in CIP-007 R5.3 and its minors (R5.3.1R5.3.3)? Is it acceptable to not file a TFE if the entity has both
technical and procedural controls as CIP-007 R5 indicates:
R5. Account Management — The Responsible Entity shall establish,
implement, and document technical and procedural controls that
enforce access authentication of, and accountability for, all user
activity, and that minimize the risk of unauthorized system access.
A- TFEs are required.
The technical and procedural controls are part
of the compensating and mitigating measures.
Q - For TFE annual reports - are these due 1 year after both Part A
and Part B of a TFE was approved by RFC, or 1 year after just the
Part A was approved by RFC?
A - The Annual Report is required for those TFEs whose Part A has
been “Accepted.” It is “due on the last business day of the month
immediately following the end of the fourth calendar quarter after
acceptance of the TFE Request.”
Q - When will the quarterly and annual TFE report templates be
A – The TFE Quarterly Report Template was E-mailed on October 5,
2010 to Entities who had “Approved” TFEs. The Annual Report
Template will hopefully be issued by the end of this year.
Q - Does the Senior Manager signature need to be a wet signature or
can it be electronic for the TFE Quarterly Reports?
A - An electronic signature is acceptable.
Q- I thought Steve said that the quarterly reports for TFE(s) are
required when Part A is Accepted.
A- Steve did say “Accepted” which was incorrect.
“Approved” which is correct.
The slide did say
Q-Steve addressed the fact that multiple TFEs may be needed for devices that cannot meet
multiple sub-requirements of R5.3. However, I thought perhaps the questioner wanted to know
(as I do) whether or not procedural as well as technical controls are acceptable for eliminating the
need for a password TFE.
I understand the case where a device simply cannot meet one or more of the R5.3 requirements. A
TFE (or TFEs) is clearly required in that case. However, my question is for devices where
suitable passwords are possible, but the user cannot be technically forced to choose such a
suitable password.
For example, Microsoft Windows passwords can in fact meet all of the R5.3 sub-requirements (length,
complexity, change frequency). However, Microsoft has made it so the complexity portion cannot
be ENFORCED to fully meet R5.3.2. If the entity has a policy requiring employees to choose a
password meeting the complexity requirements of R5.3.2 (even if Windows does not force them to
do so), is this considered an adequate procedural control, such that a TFE is not required?
A- TFEs are required.
The technical and procedural controls are
part of the compensating and mitigating measures.
Q - Will RFC auditors comply with any entity safety training prior to
working onsite? Some internal requirements for safety require
training for all personnel and visitors, depending on the asset and
the required access.
A- Currently ReliabilityFirst is currently reviewing the necessity of on
site visits to generation plants and/or transmission substations. As
part of this evaluation, ReliabilityFirst is reviewing any additional
training that may be needed to visit the sites and will be informing
the entities of our decision.
Q- CIP 004 R4 – for terminations, what type of
documentation to support evidence that the access was
revoked within the 24 hour or 7 day criteria?
A- The type of documentation provided to an audit team in
order to demonstrate compliance with CIP-004 R4.2 is
determined by each Responsible Entity. There are no set
rules for what is “good enough.” If you think your
evidence may be weak, you should consider
supplementing the evidence with additional relevant
evidence to demonstrate that you have sufficient
evidence to demonstrate compliance.
Q- On TFEs, which TFEs require quarterly or annual reporting?
Are all TFEs included on both?
A- Quarterly Reports are required for all “Approved” TFEs.
Reports are required for all “Accepted” TFEs.
Q- If there is such a high percentage of TFEs that don't have changes
(mentioned 90%+), wouldn't it make more sense to have quarterly
reports by exception?
A- The Excel version of the Quarterly Report Template (which has
been adopted) will minimize data entry. All “Approved” TFEs must
be included in the Quarterly Report.
A copy of all presentations can be found on our website at
CIP Audit Team
Gary Campbell, Manager Compliance Audits
Lew Folkerth
Steve Garn
Mike Ketchens
Karen Yoder
John Kellerhals
Tony Purgar (Compliance Enforcement)

similar documents