Sunday, December 8, 2013

The Ten Effective Dates of CIP Version 5

If you are like me and haven’t paid much attention to the details of the CIP Version 5 implementation plan, you may have forgotten – as I did – that there are more than the two implementation dates that everyone has been focusing on: April 1, 2016 for Medium/High impact and April 1, 2017 for Lows. 

However, Carter Manucy of the Florida Municipal Power Agency has been paying attention to the plan, and he pointed out to me that there are in fact ten effective dates: the two just mentioned, and eight listed in the section entitled “Initial Performance of Certain Periodic Requirements”. 

Fortunately, Carter has saved us all some time by putting all these dates on a timeline – along with the dates of the various events in the development and approval of CIP Versions 4 and 5.  He does point out that he can't guarantee this is right, so don't blame him if it isn't.  However, if you find a problem with it, let him know!  He's at

(!2/12: The diagram below has been updated to correct a small typo in the original)


  1. The NERC CIP Compliance Manager at a large power producer emailed me about this post, to remind me about the concept of bookending. This was implemented by at least a few Regional Entities to address the question of when an annual requirement (like cyber vulnerability assessments) should be performed. Essentially, it said that these requirements should have been addressed before the compliance date for the standards.

    WECC addressed this in writing in the runup to the 10/1/2010 compliance date for CIP Version 3. This meant that the CVA, and other annual performance requirements required by V3, had to have been done before that date.

    The CIP Manager points out to me that, if bookending continues to be the policy for the RE's with CIP V5, then this effectively collapses all of Carter's dates into two: 4/1/2016 for High/Mediums and 4/1/2017 for Lows. So all these other dates are irrelevant.

    At first, I agreed with him. But then I had second thoughts. I believe that the "initial performance" dates Carter lists were inserted in the V5 Implementation Plan by the SDT precisely to avoid the need for bookending. In other words, they were saying to the regions, "We really don't want the entities to have to perform all of these annual requirements before their compliance date. We actually want initial performance to be the dates that we say."

    I can't remember whether I was at an SDT meeting where they discussed this, but it just makes sense - why would they have specified these dates if they would end up not being relevant?

  2. The CIP Manager pointed out to me today that there could be good reasons why some Regional Entities would still want to apply bookending with CIP Version 5. So I need to modify what I said above by advising entities to make sure your entity isn't requiring bookending before you bake these dates into your compliance program.

    He also pointed out a small error in Carter's chart, which Carter corrected. I have inserted the revised copy.