Saturday, April 27, 2013

Why Your Next CIP Version may be 6, not 5

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

July 25: The purpose of this post is to explain what I see to be the sequence of events for approval of whatever the next compliance version of CIP will be, either 5 or 6.  A separate post (also updated today) discusses the possible timing of those events, as well as of compliance with the new version.
I. FERC's comment period on the CIP Version 5 NOPR concluded in June; they are now mulling over the comments received.  It is possible they will ask for more information from NERC, but their next official step will be to approve V5, as they said they would do in the NOPR.

The question is whether they simply approve V5, or whether they also order NERC to provide a compliance filing.  This would be a new version of CIP that would start from what is in V5 now, but would include the various changes FERC will ask for (of course, nobody knows what those changes will be, but the NOPR gives a good indication of what FERC intended to ask for, at least in April when they wrote it).

You may wonder why FERC can't simply send V5 back to NERC and say, "Please change this." Why do they have to order a new version?  Although this isn't entirely clear, it seems that FERC doesn't have the power, under the Federal Power Act of 2005 Section 215, to do that; the only steps they can take are to either completely approve or completely reject a proposed standard.  This is what happened in September 2009: FERC approved CIP Version 2, but at the same time ordered NERC to come back in 90 days with a new version that included a requirement for physical escort of visitors in the PSP - this became CIP V3.[i]

But FERC also can't simply remand V5 and tell NERC to come back with something better.   If they do that, NERC will have to draw up a SAR, constitute a new SDT, spend a year or so drawing up an entirely new CIP Version 6, go through a few ballots before it’s approved, etc. – a 3-4 year process.   It is very unlikely that FERC (or NERC for that matter) has the stomach to go through all of this, especially since FERC couldn’t be at all sure that the sausage that came out at the end would be any more to their liking than V5 is now.

II. If FERC approves V5 and doesn't order any changes (this is what NERC, EEI, and most of the other commenters asked for), then the implementation dates will kick in per the V5 implementation plan. See my companion post on the question of dates.

If FERC approves V5 but orders a compliance filing, they will give NERC a certain amount of time to come back with a new version - which I believe will be called CIP Version 6.  Given the amount of work that will be required to draw up and ballot a new version, I'm thinking nine months would be a good time frame; however, I'm guessing that FERC is impatient, so I'll say six months here.

III. Version 6 will have a provision in the implementation plan a lot like what was in Version 5: It will say that, should Version 5 be approved but not implemented when V6 is approved, V5 will never come into effect.  This is why I am saying that the next version of CIP that NERC entities have to comply with will be V6 - so we'll go from V3 to V6.  How's that for progress?

IV. When NERC returns to FERC with V6, it is likely that FERC will approve V6 fairly quickly (since the V6 that NERC brings back should include everything that FERC asked for in the compliance filing, and nothing more).  At that point, the compliance timeline for V6 will kick in.

V. But here's another wrinkle: The V6 compliance timeline may not be the same as the one currently in V5.  That timeline says that High and Medium impact facilities have to comply two years after FERC's approval, while Lows have three years.  In their NOPR, FERC expressed deep skepticism about this approach, saying the time periods were too long.  

Of course, most comments FERC received said to leave the implementation timeline unchanged. But it is possible that at least the High/Medium compliance date will be moved forward; I'm guessing it might even come down to one year from two.  I believe / hope that the date for Lows will remain at three years, though.  Many conversations with NERC entities on this topic have convinced me that bringing the Lows into compliance will be a huge job, and even three years will be pushing it (one reason why FERC might treat Lows differently from High/Mediums is that, in theory, the latter have mostly had to comply with CIP Versions 1-3.  So there shouldn't be such a huge effort for them as for Lows, which will be total CIP virgins, so to speak).

Now you can go to the timeline post to see what I think the likely compliance dates are.

If you haven't signed up for the joint Honeywell / EnergySec webinar on CIP Version 5 on August 21 - "Covering your Assets in CIP Version 5" - I recommend you do it today!  Seats are going fast, and you might end up sitting behind a pole if you wait too long.  Remember, even if you can't make that date, you should still sign up, so you'll receive the link to the recording when it's available a couple days after the webinar.  You can sign up here.

[i] I must admit that after rereading the Federal Power Act Section 215 (which established the whole NERC/FERC relationship), I am no longer completely sure that FERC can't simply require changes in Version 5 itself.  However, were they to do this - and given that it will take at a minimum 6 months or more for changes to be made by NERC - it would jeopardize their stated (in the NOPR) purpose of having the industry avoid CIP Version 4.  They would have to do this by Sept. 1, 2013 and give NERC the bare minimum of six months to make the changes - both unlikely events, in my opinion.

Also, by approving V5 as is and requiring a compliance filing, FERC makes sure there is a new CIP version coming, even if NERC totally messes up and never completes the compliance filing.  FERC doesn't have that leverage otherwise.


  1. Tom ...

    I gather step 4.5 will be an industry ballot on Version 6 for each of the Standards, the definitions & the timeline? How long does that normally take?


    1. If FERC provides a compliance deadline for Version 6, then it doesn't really matter. The balloting will be rushed to meet the deadline, and if the ballot is negative, the Board can still go ahead and approve the new version without it (ROP section 321).

      And it's almost certain FERC will provide a deadline, although hopefully not 3 months as in the case of CIP V3. Order 706 mandated a new version when FERC approved V1. And what's the version that finally fulfilled (or as much as possible) Order 706? It's V5! I don't think FERC wants to wait another five years to get V6.