In case any of you aren’t sure, the initial compliance date for CIP v5/v6 is 15 days from today, July 1. Entities with High, Medium and Low impact assets all have compliance obligations on that day. And the ever-vigilant Lew Folkerth of RF has just put out a last-minute “checklist” listing some areas where he thinks entities may be deficient. You can find it in RF’s most recent newsletter in Lew’s usual column, “The Lighthouse”.
I won’t try to summarize the article, but here are a few high points:
- Being part of a Regional Entity, he emphasizes evidence you will need to have starting July 1.
- There is a sidebar listing five things that Lows have to do by that date.
- There is only one point on which I disagree with him. It is found in the second column of page 11, starting with “Ensure your reliability…” He says “In implementing a compliance program, it is important that we not only obey the letter of the Standard, but that we achieve the intent of the Standard as well.”
Regarding this last point, I have previously written about the fallacy of believing that it would ever be possible to determine the intent of one of the CIP standards. Thinking that you will be able to justify a particular compliance action you have taken (or not taken) based on some “knowledge” you may have of what the Standards Drafting Team “intended” a requirement to mean is a fool’s errand.
On the other hand, I know well that Lew doesn’t mean that. I believe what he is saying here is that entities always need to be looking beyond the CIP requirements to what is really required from a pure cyber security point of view, and that the auditors won’t just be looking strictly at whether you have complied with the letter of the requirement, but also at whether you have taken the steps you should reasonably take for cyber security, even if they aren’t mandated by the CIP standards.
However, it is important to keep in mind that, when you’re audited, you won’t get a PV for not going beyond the CIP standards. You may get a Recommendation that you do that, but it can never become a PV, even if you choose not to follow the Recommendation. For a more in-depth discussion of this point, see Lew’s discussion in this post.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.