Monday, December 21, 2015

A Revised Compliance Schedule for CIPs v5 and v6


January 21, 2016: FERC approved CIP v6 today. However, the effective date of the Order is 65 days after publication in the Federal Register. This means it needs to be published in the FR by next Wednesday, in order for the dates below to be valid. Otherwise, the effective date will be in Q2, and some (but not all) of the dates below will move back a quarter. In any case, they won't move back any further than that.

February 26, 2016: I have revised this post to reflect the fact that FERC just moved back the compliance date for all the CIP v5 requirements that affect High and Medium impact BES Cyber Systems to July 1. As I explain in this post, none of the other dates are changed by this action.

On November 8, 2014, I published a post listing the incredibly complicated set of compliance events for CIP versions 5 and 6. This was based on the CIP v5 Implementation Plan (which was of course set in stone with FERC’s approval of v5 in 2013) and the v6 Implementation Plan (which was at the time in its final draft form and seemed very likely to be approved by the NERC ballot body, by the NERC Board of Trustees, and finally by FERC).

Until less than two weeks ago, I saw no need to revise this schedule, and I’ve referred to it constantly in my posts as the current compliance schedule for v5 and v6. However, last week I wrote a post pointing out that FERC’s failure to approve CIP v6 in December 2015 meant that the v6 compliance dates would be pushed back by at least three months. Even with that, I didn’t think I needed to do anything more than put a note to this effect on the original post, and keep referring to that post when I needed to reference the compliance timeline.

However, a few days ago Michael Wilson of Tri-State Generation and Transmission wrote in to question a few of the v6 dates I had in the original post. He also pointed me to a WECC webinar in which one or two compliance dates were listed that aren’t even in the v6 Implementation Plan – and therefore weren’t in my original post (I suppose these could be called “implicit effective dates”, just as there are “implicit requirements” in v5 and v6).[i]

At this point, I decided I really needed to rewrite the original post; Michael collaborated with me to make sure this one was complete and accurate. So here is my new compliance schedule for CIPs v5 and v6. Note one big caveat: The dates below are based on the assumption that FERC will approve v6 before April 1, 2016 – meaning the dates in the v6 Implementation Plan will be pushed back three months. If they go beyond that date, some of the dates will be pushed back two quarters, and possibly more depending on when FERC approves v6.[ii]

One note: You may notice that this plan is even more complicated than what was in my original post (mainly because I left out some of the finer points and of course missed the “implicit effective dates”). I wish to emphasize that I’m not making this up; this is what’s in the v6 Implementation Plan. I originally considered the v5 plan to be complicated because it had two dates, one for Highs/Mediums and one for Lows. That plan now seems like the paragon of simplicity compared to the v6 plan, which has separate effective dates not only for individual standards, but for individual requirements, individual requirement parts, and even particular applicability categories within a single requirement part.[iii]

July 1, 2016
This is the date both the v5 and v6 standards become effective. As is shown below, the actual compliance dates for many v6 requirements and requirement parts are later.

CIP-002-5.1, CIP-005-5 and CIP-008-5: Highs and Mediums have to comply with these three standards in full. In addition, Lows have to comply with only CIP-002-5.1 R1 and R2 (i.e. they have to identify their “assets containing Low impact BES Cyber Systems” and have the CIP Senior Manager approve the list).

CIP-003-6 – except for R1.2, R2 and Attachment 1 (Lows): The three items listed are all for Lows, and they have other compliance dates.

CIP-004-6: Entities must comply with this standard in full. 

CIP-006-6 (except for R1.10, for Control Centers that weren’t Critical Assets with CCAs under v3): R1.10 was ordered by FERC in Order 791, and says that cabling between ESP devices, that itself goes outside a PSP, needs to be physically or logically protected.  This requirement part becomes effective on this date, except that Control Centers that weren’t Critical Assets under v3 are given more time to comply.[v] Once again, folks, I'm not making this stuff up! There's no way I could dream up something so complicated; indeed, I think Rube Goldberg himself would doff his cap in admiration of how complicated the v6 implementation plan is.

CIP-007-6: This standard needs to be complied with in full, but there is an exception for certain devices under R1.2; compliance for these devices is due at a later date.[iv] These devices are “Nonprogrammable communication components located inside both a PSP and an ESP,” which is a new item added to the Applicability section of R1.2 in the v6 version of the standard (this is also the first time NERC CIP requirements have applied to devices that are not Cyber Assets).

CIP-009-6: Entities must comply with this standard in full. 

CIP-010-2 except for R4: Entities must comply with this standard in full, except for R4, which has a later compliance date.

CIP-011-2: Entities must comply with this standard in full. 


April 1, 2017
CIP-006-6 R1.10: For Control Centers that weren’t Critical Assets (with CCAs) under v3, R1.10 now becomes effective.

CIP-007-6 R1.2 for certain devices: See the discussion of CIP-007-6 above.

CIP-010-2 R4: This is the requirement for transient devices.

CIP-003-6 R1.2, R2 and Attachment 1 – These are the Requirements that apply to Low impact assets in v6. R1.2 – which requires four policies, without specifying their content – is the same as R2 in CIP-003-5 (which is superseded by its v6 counterpart). The new R2 is the one that addresses FERC’s mandate in Order 791 for specific requirements for Lows. There are essentially two parts to this Requirement. First, the Requirement itself calls for a plan to address the four areas in Attachment 1; this plan must be in place on April 1, 2017.

The other part of R2 is contained in Attachment 1, which provides the detail on what is required for those four areas, each in its own section.  However, entities only have to comply with the first and fourth sections of Attachment 1 on April 1, 2017; these are the security awareness policy and incident response plan.  For sections two and three – physical and electronic access controls – entities need to have policies developed (due to R1.2) on April 1, 2017, but the controls themselves don’t have to be implemented until later. 

September 1, 2018
On this date, Lows have to implement Sections 2 and 3 of CIP-003-6 Attachment 1. These sections mandate physical and electronic access controls.


The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


[i] I had also made a mistake by stating that FERC’s non-action in December, 2015 meant that all of the v6 compliance dates will be moved back at least three months. The Low impact requirements in v6 will still become effective on the same dates as previously - April 1, 2017 or Sept. 1, 2018.

[ii] My original post started with the following four caveats. These still apply:

1) The v5 plan included dates for “Initial Performance of Certain Periodic Requirements”; these are the dates by which you need to perform each of the annual (i.e. 15-month) or quarterly requirements. Since these are in the v5 Implementation Plan, they refer just to the v5 standards; however, the v6 Implementation Plan simply refers to the v5 plan for the Initial Performance dates [I’m not linking the final version of this plan because it’s buried in the 3300-page filing for v6. If you would like me to send you the copy I’m working with – the draft prepared for the final NERC ballot (although it refers to v7 as well as v6 – long story) – email me at talrich@deloitte.com.]. This means that, to determine these dates for the v6 plan, you have to go back to the v5 plan and fill in the appropriate v5 or v6 standard numbers (e.g. CIP-002-5.1, CIP-003-6, etc.).

2) In the v5 plan, there’s a table for “Planned or Unplanned Changes Resulting in a Higher Categorization”; this refers mainly to new assets that are acquired or commissioned. Again, the v6 plan simply refers you back to the v5 plan for this. There was a similar provision for versions 2 and 3, contained in a separate document whose acronym was “IPFNICCANRE”. However, that document is no longer valid once v5 comes into effect in April.

3) The v6 plan includes a section (consisting of a single sentence) providing for “Unplanned Changes Resulting in Low Impact Categorization”. This is a new concept in CIP v6; it didn’t appear at all in the v5 plan, perhaps because complying for new Low impact assets wasn’t a big deal under v5 given what was required (or not required) by CIP-003-5 R2.

4) Of course, the implementation schedules for Canada are different than for the US. Those vary by province and not all the provinces are implementing v5 (at least not yet). Even the ones implementing it may be implementing slightly different versions (since the FERC-approved standards have no force in Canada, each province is free to modify any NERC standards as they see fit, or not implement them at all) – except for probably Ontario, New Brunswick and perhaps Nova Scotia, which tend to follow the FERC-approved standards almost to the letter.

[iii] There’s also a separate date based on whether the facility had Critical Cyber Assets under CIP v3 – which of course isn’t in any way related to the v5 or v6 standards themselves. I’m surprised there aren’t also separate dates that depend on whether the person implementing v5 compliance is left- or right-handed – although I should be careful what I say, for fear the v7 implementation plan may contain such a provision!

[iv] This exception isn’t in the v6 implementation plan, but was pointed out by WECC in a recent webinar; Michael called my attention to this.

[v] Note I got this wrong in my original post. I thought that R1.10 compliance was postponed for everybody, but Michael pointed out it is just for these specific Control Centers.
