Saturday, November 8, 2014

The Compliance Schedule for CIP Version 5.5

Jan. 21, 2016: Because FERC didn't approve the CIP v6 standards by the end of 2015 but instead approved them today, the CIP v6 dates are mostly moved back by one quarter. Therefore, please see this post for the revised schedule (although the first part of the post below is still accurate, including the four "complications" listed. These complications still apply - as if the compliance schedule needed further complication!

Feb. 16, 2015: This post originally updated the post I did in July that addressed the timeline for compliance with CIP versions 5 and 6, which I called “Version 5.5” at that time.  I have just updated the original version of this post from November, since that included compliance with standards that were part of CIP v7 (I had renamed it "v6.3940" to reflect that fact).   The text of NERC's filing of the v5 revisions with FERC on Feb. 13 makes it clear that v7 is gone, and all of the "v5 revisions" now bear v6 suffixes (i.e. "-6" or "-2"), as they all did before last November.  So I'm going back to "v5.5" as the designation of the CIP "version" that entities will have to comply with in the coming three years.

In other words, here is a comprehensive list of the CIP standards that NERC entities will have to comply with, replacing CIP v3.  The rest of this post outlines the very complicated schedule for implementing these standards.



The sharp-eyed reader may have noticed from the title that I’m no longer calling this a discussion of a timeline, but rather of a schedule; this is because I think the word “timeline” is no longer very helpful in describing when NERC entities will need to comply with the new CIP versions.  Let’s go back to ancient history:  In the CIP v5 Implementation Plan, there were two dates, one for compliance with all of the requirements in all of the standards except CIP-003-5 R2, the other for compliance with that requirement (the former date was the “High/Medium” impact date; the latter the “Low” date).  Due to when FERC approved v5, the formulas yielded April 1, 2016 for Highs and Mediums and April 1, 2017 for Lows.  Even this structure was more complicated than it was for CIP versions 2 and 3, where there was a single compliance date.[i]

So how many compliance dates are there in CIP version 5.5?  There are now five, but saying that still greatly understates the complexity of the schedule.  This is because, while there was only one compliance item tied to each of the two dates in v5 (i.e. a total of two items), there are now between one and eight items corresponding to each of the v5.5 dates, for a total of fifteen compliance items in all.  That’s why, instead of providing a timeline (which would be a mess to display), I now prefer simply grouping under each date the items that have to be complied with on that date.  That is what I will present below.

There are four further complications in the v5.5 plan.  I will leave these out of the discussion of the compliance schedule, but want to point them out:

  1. The v5 plan included dates for “Initial Performance of Certain Periodic Requirements”; these are the dates by which you need to perform each of the annual (i.e. 15-month) or quarterly requirements.  Since these are in the v5 Implementation Plan, they refer just to the v5 standards; however, the v6 Implementation Plan (which is the same as the one linked, although it no longer contains any references to v7 standards - I don't think NERC has released the "new" v6 plan, although it is included in the v6 filing.  Since that filing is 3300 pages, I wouldn't recommend to my worst enemy that they download the file to find the Implementation Plan buried in it) simply refers to the v5 plan for the Initial Performance dates.  This means that, to determine these dates for the v6 plan, you have to go back to the v5 plan and fill in the appropriate v5.5 standard numbers (e.g. CIP-002-5.1, CIP-003-6, etc. as I listed them above). 
  2. In the v5 plan, there’s a table for “Planned or Unplanned Changes Resulting in a Higher Categorization”; this refers mainly to new assets that are acquired or commissioned.  Again, the v6 plan simply refers you back to the v5 plan for this.  There was a similar provision for versions 2 and 3, contained in a separate document whose acronym was “IPFNICCANRE”.
  3. The v6 plan includes a section (consisting of a single sentence) providing for “Unplanned Changes Resulting in Low Impact Categorization”.  This is a new concept in CIP v6; it didn’t appear at all in the v5 plan, perhaps because complying for new Low impact assets wasn’t a big deal under v5 given what was required (or not required) by CIP-003-5 R2.
  4. Of course, the implementation schedules for Canada are different than for the US.  Those vary by province and not all the provinces are implementing v5 (at least not yet).  Even the ones implementing it are implementing different versions (since the FERC-approved standards have no force in Canada, each province is free to modify or ignore any NERC standards, or not implement them at all) – except for probably Ontario and maybe New Brunswick, which tend to follow the FERC-approved standards almost to the letter.
Before I lay out the implementation schedule for v5.5, here is a caveat: Most of the rules in the v6 plan say something like “April 1, 2016 or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority…”  In the schedule below, I have always taken just the fixed date from these rules, since the only way the other condition could happen would be if FERC delayed approving v6 for maybe nine months after NERC submits it (which will be before Feb. 2015).  Since FERC asked for these new requirements and has been closely following their development, I think it’s likely they’ll approve them fairly quickly once they receive them from NERC.

So finally, here are the five compliance dates and what you have to comply with on each date, along with short explanations of the different items – that is, assuming I understand why they’re there (there's at least one that I simply don't understand).

April 1, 2016
For Mediums and Highs, this is the date for compliance with:
          CIP-002-5.1, CIP-005-5 and CIP-008-5 – Highs and Mediums have to comply with these three standards in full (Ryan Strom ponted out in a comment below that Lows have to comply with just CIP-002-5.1 - but nothing else - on this date).
          CIP-003-6 - except for R1.2, R2 and Attachment 1 (Lows)[iii] – Since CIP-003-6 is essentially the same as CIP-003-5.1 except for R1.2, R2 and Attachment 1, this means you have to comply with the Medium and High parts of the standard and leave the Low impact parts for later.  The Low impact parts are R1.2 (which is the same as R2 in CIP-003-5) and R2/Attachment 1, which is the enhanced requirement for Low impact assets (ordered by FERC in Order 791).
          CIP-004-6 – Compliance with this standard in full.
          CIP-006-6 - except for BCS at Control Centers that weren’t CCAs under v3, and for R1.10 – As with CIP-003-6, this basically says you need to comply with the “v5” requirements in CIP-006, and leave the new stuff (R1.10) for later.  R1.10 was ordered by FERC in Order 791, and says that cabling between ESP devices, that itself goes outside a PSP, needs to be physically or logically protected.  In addition, Control Centers that weren’t Critical Assets under v3 are given more time to comply.
          CIP-007-6 – This standard needs to be complied with in full, but there is an exception for certain devices under R1.2; compliance for these devices is due at a later date.  I don’t understand why this exception is there; if anyone does, please tell me.
          CIP-009-6 – Compliance with this standard in full.
          CIP-010-2 except for R4 -  Since R4 is the new requirement for Transient Electronic Devices (another item required by FERC in Order 791), this just means you have to comply with the “v5” requirements in this standard on this date.
          CIP-011-2 – Compliance with this standard in full. 

January 1, 2017
For Mediums and Highs, this is the date for compliance with:
          CIP-006-6 – for BES Cyber Systems at Control Centers that weren’t Critical Cyber Assets under v3
          CIP-006-6 R1.10 (ESP cabling outside a PSP)
          CIP-007-6 R1.2 for certain devices
          CIP-010-2 R4 (transient devices)

April 1, 2017
  • CIP-003-6 R1.2, R2 and Attachment 1 – These are the requirements that apply to Low impact assets in v6 (R1.2 is the same as R2 in CIP-003-5; the new R2 is the one that addresses FERC’s mandate in Order 791 for specific requirements for Lows.  Attachment 1 provides the detail for R2).  However, entities only have to comply with the first and fourth elements of Attachment 1 on this date; these are the security awareness policy and incident response plan.  Elements two and three – physical and electronic access controls – need to have policies developed (due to R1.2) on this date, but the policies don’t have to be implemented ‘til later.  I swear, I’m not making this up; there’s no way I could think of something so complicated on my own.  I’m not sure even Rube Goldberg could have.

September 1, 2018
On this date, Lows have to implement Sections 2 and 3 of CIP-003-6 Attachment 1.  These sections cover physical security and electronic access controls.
There you have it.  This is the complete implementation plan for CIP v5.5, subject of course to the four complications and two caveats I’ve listed above.  I suggest you blow this schedule up and mount it on the wall of your palatial office (or your cube, whichever is applicable).  And what should be the title?  I suggest “Simplified Compliance Schedule for CIP version 5.5”.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] However, CIP version 1 had a very complicated structure for determining compliance dates.

[ii] If you’re not familiar with the V6 standards, you can find them here.  You need to download the most recent draft of each standard.

[iii] Yes, there is now an Attachment 1 in CIP-003-6.  There’s also an Attachment 1 in CIP-010-2.  In both cases, the attachment made it much easier to understand the new requirement (i.e. the requirement itself would have been very long and wordy if all the detail were included in it), so I don’t argue with the need for it.  Of course, the question then becomes why the requirements are so complicated in the first place.  My only answer to that is, “You see, this is NERC…”


  1. Tom, excellent analysis of the schedule. One comment though:

    Wouldn't all entities be required to comply with aspects of CIP-002-5 on April 1, 2016? It is my understanding that a formal process is required under R1. The process is to be completed by all entities, even if that process were to prove only Low Assets through the bright-line criteria. Then, under R2, the process is to be reviewed every 15 months and approved by a CIP Senior Manager, also required by "Low Only" entities.

    1. Good point, Ryan! You're right, the Lows do have to comply with CIP-002-5 on that date. Just made the change.

  2. I would also suggest adding the timeline/schedule for CIP-014 given that the effective dates will likely overlap with CIP V5 implementation and have an impact on those projects.

    1. I'm afraid I don't agree with you on this, Sister Laws. For one thing, we don't know the CIP-014 timeline since FERC hasn't approved it yet. More importantly, CIP-014 isn't part of the CIP cyber security standards (just like the old CIP-001, which addressed sabotage reporting).

      Obviously, NERC entitities that have to comply with CIP-014 need to be aware of its compliance dates, but I don't see it being helpful to include that in the schedule for this post. Lord knows it's already complicated enough!