Jan. 21, 2016: Because FERC didn't approve the CIP v6 standards by the end of 2015 but instead approved them today, the CIP v6 dates are mostly moved back by one quarter. Therefore, please see this post for the revised schedule (although the first part of the post below is still accurate, including the four "complications" listed). These complications still apply - as if the compliance schedule needed further complication!
Feb. 16, 2015: This post originally updated the post I did in July that addressed the timeline for compliance with CIP versions 5 and 6, which I called “Version 5.5” at that time. I have just updated the original version of this post from November, since that included compliance with standards that were part of CIP v7 (I had renamed it "v6.3940" to reflect that fact). The text of NERC's filing of the v5 revisions with FERC on Feb. 13 makes it clear that v7 is gone, and all of the "v5 revisions" now bear v6 suffixes (i.e. "-6" or "-2"), as they all did before last November. So I'm going back to "v5.5" as the designation of the CIP "version" that entities will have to comply with in the coming three years.
In other words, here is a comprehensive list of the CIP standards that NERC entities will have to comply with, replacing CIP v3. The rest of this post outlines the very complicated schedule for implementing these standards.
v5:
CIP-002-5.1
CIP-005-5
CIP-008-5
v6:
CIP-003-6
CIP-004-6
CIP-006-6
CIP-007-6
CIP-009-6
CIP-010-2
CIP-011-2
The sharp-eyed reader may have noticed from the title that I'm no longer calling this a discussion of a timeline, but rather of a schedule; this is because I think the word "timeline" is no longer very helpful in describing when NERC entities will need to comply with the new CIP versions. Let's go back to ancient history: In the CIP v5 Implementation Plan, there were two dates, one for compliance with all of the requirements in all of the standards except CIP-003-5 R2, the other for compliance with that requirement (the former date was the "High/Medium" impact date; the latter the "Low" date). Due to when FERC approved v5, the formulas yielded April 1, 2016 for Highs and Mediums and April 1, 2017 for Lows. Even this structure was more complicated than it was for CIP versions 2 and 3, where there was a single compliance date.[i]
So how many compliance dates are there in CIP version 5.5? There are now four, but saying that still greatly understates the complexity of the schedule. This is because, while there was only one compliance item tied to each of the two dates in v5 (i.e. a total of two items), there are now between one and eight items corresponding to each of the v5.5 dates, for a total of fourteen compliance items in all. That's why, instead of providing a timeline (which would be a mess to display), I now prefer simply grouping under each date the items that have to be complied with on that date. That is what I will present below.
There are four further complications in the v5.5 plan. I will leave these out of the discussion of the compliance schedule, but want to point them out:
- The v5 plan included dates for "Initial Performance of Certain Periodic Requirements"; these are the dates by which you need to perform each of the annual (i.e. 15-month) or quarterly requirements. Since these are in the v5 Implementation Plan, they refer just to the v5 standards; however, the v6 Implementation Plan (which is the same as the one linked, although it no longer contains any references to v7 standards - I don't think NERC has released the "new" v6 plan, although it is included in the v6 filing. Since that filing is 3300 pages, I wouldn't recommend to my worst enemy that they download the file to find the Implementation Plan buried in it) simply refers to the v5 plan for the Initial Performance dates. This means that, to determine these dates for the v6 plan, you have to go back to the v5 plan and fill in the appropriate v5.5 standard numbers (e.g. CIP-002-5.1, CIP-003-6, etc. as I listed them above).
- In the v5 plan, there's a table for "Planned or Unplanned Changes Resulting in a Higher Categorization"; this refers mainly to new assets that are acquired or commissioned. Again, the v6 plan simply refers you back to the v5 plan for this. There was a similar provision for versions 2 and 3, contained in a separate document whose acronym was "IPFNICCANRE".
- The v6 plan includes a section (consisting of a single sentence) providing for "Unplanned Changes Resulting in Low Impact Categorization". This is a new concept in CIP v6; it didn't appear at all in the v5 plan, perhaps because complying for new Low impact assets wasn't a big deal under v5 given what was required (or not required) by CIP-003-5 R2.
- Of course, the implementation schedules for Canada are different from those for the US. Those vary by province, and not all the provinces are implementing v5 (at least not yet). Even the ones implementing it are implementing different versions (since the FERC-approved standards have no force in Canada, each province is free to modify or ignore any NERC standards, or not implement them at all) – except for probably Ontario and maybe New Brunswick, which tend to follow the FERC-approved standards almost to the letter.
Before I lay out the implementation schedule for v5.5, here is a caveat: Most of the rules in the v6 plan say something like "April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority…" In the schedule below, I have always taken just the fixed date from these rules, since the only way the other condition could happen would be if FERC delayed approving v6 for maybe nine months after NERC submits it (which will be before Feb. 2015). Since FERC asked for these new requirements and has been closely following their development, I think it's likely they'll approve them fairly quickly once they receive them from NERC.
So finally, here are the four compliance dates and what you have to comply with on each date, along with short explanations of the different items – that is, assuming I understand why they're there (there's at least one that I simply don't understand).
April 1, 2016
For Mediums and Highs, this is the date for compliance with:
• CIP-002-5.1, CIP-005-5 and CIP-008-5 – Highs and Mediums have to comply with these three standards in full (Ryan Strom pointed out in a comment below that Lows have to comply with just CIP-002-5.1 - but nothing else - on this date).
• CIP-003-6 - except for R1.2, R2 and Attachment 1 (Lows)[iii] – Since CIP-003-6 is essentially the same as CIP-003-5.1 except for R1.2, R2 and Attachment 1, this means you have to comply with the Medium and High parts of the standard and leave the Low impact parts for later. The Low impact parts are R1.2 (which is the same as R2 in CIP-003-5) and R2/Attachment 1, which is the enhanced requirement for Low impact assets (ordered by FERC in Order 791).
• CIP-004-6 – Compliance with this standard in full.
• CIP-006-6 - except for BCS at Control Centers that weren't CCAs under v3, and for R1.10 – As with CIP-003-6, this basically says you need to comply with the "v5" requirements in CIP-006, and leave the new stuff (R1.10) for later. R1.10 was ordered by FERC in Order 791, and says that cabling between ESP devices, that itself goes outside a PSP, needs to be physically or logically protected. In addition, Control Centers that weren't Critical Assets under v3 are given more time to comply.
• CIP-007-6 – This standard needs to be complied with in full, but there is an exception for certain devices under R1.2; compliance for these devices is due at a later date. I don't understand why this exception is there; if anyone does, please tell me.
• CIP-009-6 – Compliance with this standard in full.
• CIP-010-2 except for R4 - Since R4 is the new requirement for Transient Electronic Devices (another item required by FERC in Order 791), this just means you have to comply with the "v5" requirements in this standard on this date.
• CIP-011-2 – Compliance with this standard in full.
January 1, 2017
For Mediums and Highs, this is the date for compliance with:
• CIP-006-6 – for BES Cyber Systems at Control Centers that weren't Critical Cyber Assets under v3
• CIP-006-6 R1.10 (ESP cabling outside a PSP)
• CIP-007-6 R1.2 for certain devices
• CIP-010-2 R4 (transient devices)
April 1, 2017
• CIP-003-6 R1.2, R2 and Attachment 1 – These are the requirements that apply to Low impact assets in v6 (R1.2 is the same as R2 in CIP-003-5; the new R2 is the one that addresses FERC's mandate in Order 791 for specific requirements for Lows. Attachment 1 provides the detail for R2). However, entities only have to comply with the first and fourth elements of Attachment 1 on this date; these are the security awareness policy and incident response plan. Elements two and three – physical and electronic access controls – need to have policies developed (due to R1.2) on this date, but the policies don't have to be implemented 'til later. I swear, I'm not making this up; there's no way I could think of something so complicated on my own. I'm not sure even Rube Goldberg could have.
September 1, 2018
• CIP-003-6 Attachment 1, Sections 2 and 3 – On this date, Lows have to implement these two sections, which cover physical security and electronic access controls.
There you have it. This is the complete implementation plan for CIP v5.5, subject of course to the four complications and two caveats I've listed above. I suggest you blow this schedule up and mount it on the wall of your palatial office (or your cube, whichever is applicable). And what should be the title? I suggest "Simplified Compliance Schedule for CIP version 5.5".
The views and opinions expressed here are my own and don't necessarily represent the views or opinions of Honeywell.
[i] However, CIP version 1 had a very complicated structure for determining compliance dates.
[ii] If you're not familiar with the v6 standards, you can find them here. You need to download the most recent draft of each standard.
[iii] Yes, there is now an Attachment 1 in CIP-003-6. There's also an Attachment 1 in CIP-010-2. In both cases, the attachment made it much easier to understand the new requirement (i.e. the requirement itself would have been very long and wordy if all the detail were included in it), so I don't argue with the need for it. Of course, the question then becomes why the requirements are so complicated in the first place. My only answer to that is, "You see, this is NERC…"
Tom, excellent analysis of the schedule. One comment though:
Wouldn't all entities be required to comply with aspects of CIP-002-5 on April 1, 2016? It is my understanding that a formal process is required under R1. The process is to be completed by all entities, even if that process were to prove only Low Assets through the bright-line criteria. Then, under R2, the process is to be reviewed every 15 months and approved by a CIP Senior Manager, also required by "Low Only" entities.
Good point, Ryan! You're right, the Lows do have to comply with CIP-002-5 on that date. Just made the change.
I would also suggest adding the timeline/schedule for CIP-014 given that the effective dates will likely overlap with CIP V5 implementation and have an impact on those projects.
I'm afraid I don't agree with you on this, Sister Laws. For one thing, we don't know the CIP-014 timeline since FERC hasn't approved it yet. More importantly, CIP-014 isn't part of the CIP cyber security standards (just like the old CIP-001, which addressed sabotage reporting).
Obviously, NERC entities that have to comply with CIP-014 need to be aware of its compliance dates, but I don't see it being helpful to include that in the schedule for this post. Lord knows it's already complicated enough!