I have gone back and forth on the cloud and NERC CIP. I used to say that, even though the CIP requirements probably forbid use of the cloud, I thought that the auditors would permit it with certain precautions. But right after New Year’s I got a scare and went through a couple months of fearing that any entity storing BES Cyber System Information in the cloud was going to be found in violation of NERC CIP (as discussed in footnote 1 in this post from early January). However, I recently posted that it should be fine to store BCSI in the cloud (according to at least one CIP auditor) as long as you comply with four requirement parts, discussed in the post.
I am still of that opinion. However, I was reminded this week that getting the evidence required for compliance isn’t a trivial pursuit. If you aren’t storing the proper evidence now, you should probably reach out to your cloud provider and get it; plus you may need to self-report non-compliance for the period that you stored BCSI in the cloud without having this evidence.[i]
What is this evidence? You will need to have[ii]:
- CIP-011 R1.2: Evidence that your cloud provider is following the requirements of your Information Protection Plan (which at a minimum should address the three requirement parts listed below, but should in general include everything that you believe is important for protecting BCSI. In fact, my guess is your IPP should require the same steps of the cloud provider as you require of your own organization. It will probably be difficult to justify to the auditor an IPP that says certain steps are necessary for your organization, but they’re not necessary for a third party that is storing your BCSI).
- CIP-004-6 R4.1.3: Evidence that your cloud provider has restricted access to designated storage locations, physical or electronic, for BCSI.
- CIP-004-6 R4.4: Evidence that the access your cloud provider allows to designated storage locations, physical or electronic, is restricted to individuals for whom it is necessary to perform assigned work functions.
- CIP-004-6 R5.3: Evidence that access for individuals who have been terminated has been revoked by the end of the next calendar day following the effective date of their termination.
Of course, for suggestions on how you can produce evidence of the above requirement parts, you should look at the Measures column in the requirements table, as well as the Guidance and Technical Basis. Even more importantly, you should look at whatever guidance your Regional Entity has provided regarding evidence.
However, keep in mind that simply providing an attestation from your cloud provider that they are complying with the provisions in your IPP, as well as with the three CIP-004 requirement parts listed above, will probably not be acceptable. Your provider will need to provide you evidence similar to what you (the NERC entity) would have to provide for compliance with the same requirement parts.
If you look at the Measures for CIP-011 R1.2, CIP-004 R4.1.3 and CIP-004 R4.4, I think you’ll agree that it shouldn’t be too hard for the cloud provider to comply with those. The provider basically needs to show you that they have implemented certain procedures that are compliant with either your IPP (for CIP-011 R1.2) or with the applicable requirement part (CIP-004 R4.1.3 and R4.4). In my opinion, this shouldn’t be too difficult.[iii]
However, CIP-004 R5.3 is a different story. While the other three requirement parts are what I call non-prescriptive (or at least minimally prescriptive), R5.3 is quite prescriptive. At least in some regions, to show you are complying with that requirement part, you have to be prepared to provide evidence that you have complied in every instance to which it applies. That is, for every termination action, you will need to have evidence that access was removed before the end of the next calendar day.
Let’s see a show of hands. How many people think their cloud provider is going to provide that evidence? I didn’t think I’d see any…. Yes, folks, there’s going to have to be another way to provide evidence that your cloud provider is complying with CIP-004 R5.3 with respect to your BCSI.
Regarding evidence, the auditor said “The Regions are not going to go onsite to the third-party provider and audit their compliance with the CIP Standards. It is up to the Registered Entity to demonstrate compliance. They can do so by either requiring the third-party to submit sufficient, appropriate, and applicable evidence to provide a reasonable assurance that they are complying with the applicable requirements, or to require the third-party to undergo an external audit by a reputable unrelated third-party audit firm and provide the detailed report of the third-party audit. The audit report will need to be sufficiently detailed to demonstrate the applicable controls conform to the requirements of the CIP standards and that they are effectively implemented.”
When I pressed the auditor on the question of whether the entity would need to get evidence of every termination from their cloud provider for compliance with R5.3, he didn’t rule out that there might be another way to provide evidence. One way would of course be an audit report (such as a SOC 2 audit) showing that the provider promptly removes access in the case of terminations. When I asked him if that was the only way, he said “As an auditor, especially under V5, I must keep an open mind and evaluate whatever evidence is submitted to see if I can rely on it to reach a reasonable determination of compliance or not.”
So there you have it.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] As any NERC compliance professional knows, “If you didn’t document it, you didn’t do it.”
[ii] In what I write below, I’m not providing any new information on how to comply with CIP if you have BCSI stored in the cloud. I’m only rephrasing what is shown in the standards, and what an auditor has said to me in recent emails. If you go back to the post I just referenced, you’ll see that these four bullet points correspond to the four requirement parts listed in the post (CIP-011 R1.2 and three requirement parts from CIP-004).
[iii] Although it’s conceivable your cloud provider may absolutely refuse to do any of these things. If so, you may need to start looking for another provider, or figure out a way to keep actual BCSI out of the cloud (see another post coming soon that will discuss this idea).