It seems
like every other post I write nowadays starts with something I read in the
weekly EnergySec newsletter. Today’s post was prompted by speculation in this
week’s newsletter that, due to yesterday's FERC action pushing back the CIP v5 compliance date by three months, some other CIP compliance dates for the v5 or the v6 standards
might be pushed back, thus leading to even more confusion than currently reigns
(if indeed such a thing is possible!).
On reading
this, I immediately noted that there is no way the v6 implementation dates will
be affected by this move, since those dates don’t depend at all on v5, and FERC
only moved the main v5 date. As for the v5 dates themselves, there were only
two anyway (vs. about 12 compliance events in v6, which are clustered among
three dates): April 1 (now July 1), 2016 for High and Medium requirements, and
April 1, 2017 for the one Low impact requirement in v5, CIP-003-5 R2.
These two
dates were set independently of each other in the v5 Implementation
Plan, so the fact that the High/Medium date is moved back three months
doesn’t mean anything for the Low date. In fact, the Low date for v5 is
meaningless, since CIP-003-5 R2 will be superseded by CIP-003-6 R2 – which comes
into effect the same date, April 1, 2017.
To reflect
this new change, I have changed the post I did in December with a revised compliance
schedule. That post was prompted by the fact that FERC hadn’t approved v6
in December, meaning the v6 date was moved back to July 1. Of course, it was
because that date is now July 1 that FERC yesterday agreed to move the v5 date
to coincide with it. I’m tempted to say this will be the last change in the
v5/v6 compliance dates, but I would have said the same thing in December.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
It's not entirely meaningless, as documentation and designation of CIP Senior Manager will be required under Version 5 on April 1, 2016 for Lows.
ReplyDeleteRyan, nothing is required on 4/1/16. All the v5 and v6 standards are now effective on 7/1/16. Highs, Mediums and Lows all have to comply with CIP-002-5.1 R1 on that date, and they need evidence.They also all have to designate their Senior Manager on that date per CIP-003-6 R3.
DeleteSince the order simply read: “Accordingly, the implementation of the CIP version 5 Reliability Standards for entities with High and Medium Impact BES Cyber Systems is deferred from April 1, 2016 to July 1, 2016 to align with the effective date for the revised CIP Reliability Standards approved in Order No. 822.”
DeleteThere are requirements for an audit, as a Low, on 4/1/16. These include an assessment to prove that the entity only has Low Impact BES Cyber Systems (ironic) and a CIP Senior Manager Designation in accordance with CIP-003-5 R3.
However, NERC has just yesterday responded with clarification that ALL CIP was pushed back to Version 6 so this point doesn't matter anymore.
Not to mention R1 for CIP-002-5.1, which you have to follow to even determine Low/Medium/High. Will Lows be required to have evidence associated w/ this requirement, while Medium/High will not? It doesn't make sense.
ReplyDelete"Each Responsible Entity shall implement a process that considers each of the
following assets for purposes of parts 1.1 through 1.3"
An Interested Party pointed out that I should make it clear that the Initial Performance of Periodic Requirements dates - described in the v5 implementation plan - will also change, since they're tied to the v5 effective date. Since that date is now three months later, they will be three months later as well.
ReplyDeleteYou're right, Ryan. FERC definitely misspoke when they said "High and Medium". Thanks for catching that.
ReplyDelete