I have gone
back and forth on the cloud and NERC CIP. I used to say that, even though the
CIP requirements probably forbid use of the cloud, I thought that the auditors
would permit it with certain precautions. But right after New Year’s I got a
scare and went through a couple months of fearing that any entity storing BES
Cyber System Information in the cloud was going to be found in violation of
NERC CIP (as discussed in footnote 1 in this
post from early January). However, I recently posted
that it should be fine to store BCSI in the cloud (according to at least one
CIP auditor) as long as you comply with four requirement parts, discussed in
the post.
I am still
of that opinion. However, I was reminded this week that getting the evidence
required for compliance isn’t a trivial pursuit. If you aren’t storing the
proper evidence now, you should probably reach out to your cloud provider and
get it; plus you may need to self-report non-compliance for the period that you
stored BCSI in the cloud without having this evidence.[i]
What is this
evidence? You will need to have[ii]:
- CIP-011 R1.2: Evidence
that your cloud provider is following the requirements of your Information
Protection Plan. The IPP should at a minimum address the three requirement
parts listed below, but in general it should include everything that you
believe is important for protecting BCSI. In fact, my guess is your IPP
should require the same steps of the cloud provider as you require of your
own organization; it will probably be difficult to justify to the auditor
an IPP that says certain steps are necessary for your organization, but
not for a third party that is storing your BCSI.
- CIP-004-6 R4.1.3:
Evidence that your cloud provider has restricted access to
designated storage locations, physical or electronic, for BCSI.
- CIP-004-6 R4.4:
Evidence that the access your cloud provider allows to designated
storage locations, physical or electronic, is restricted to individuals
for whom it is necessary to perform assigned work functions.
- CIP-004-6 R5.3: Evidence
that access for individuals who have been terminated has been revoked by
the end of the next calendar day following the effective date of their
termination.
Of course,
for suggestions on how you can produce evidence of the above requirement parts,
you should look at the Measures column in the requirements table, as well as
the Guidance and Technical Basis. Even more importantly, you should look at
whatever guidance your Regional Entity has provided regarding evidence.
However,
keep in mind that simply providing an attestation from your cloud provider that
they are complying with the provisions in your IPP, as well as with the three
CIP-004 requirement parts listed above, will probably not be acceptable. Your
provider will need to provide you evidence similar to what you (the NERC
entity) would have to provide for compliance with the same requirement parts.
If you look
at the Measures for CIP-011 R1.2, CIP-004 R4.1.3 and CIP-004 R4.4, I think you’ll
agree that it shouldn’t be too hard for the cloud provider to comply with
those. The provider basically needs to show you that they have implemented
certain procedures that are compliant with either your IPP (for CIP-011 R1.2)
or with the applicable requirement part (CIP-004 R4.1.3 and R4.4). In my
opinion, this shouldn’t be too difficult.[iii]
However,
CIP-004 R5.3 is a different story. While the other three requirement parts are
what I call non-prescriptive (or at least minimally prescriptive), R5.3 is quite
prescriptive. At least in some regions, to show you are complying with that
requirement part, you have to be prepared to provide evidence that you have
complied in every instance to which
it applies. That is, for every termination action, you will need to have
evidence that access was removed before the end of the next calendar day.
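The per-instance evidence R5.3 calls for lends itself to an automated check. The script below is an added example, not code from the original post: it joins a constructed termination register with a constructed provider de-provisioning export and flags every termination whose revocation record is missing or lands after the end of the next calendar day. The LOCAL_TZ offset and the CSV column names are assumptions.

```python
import csv
import io
from datetime import date, datetime, time, timedelta, timezone
from typing import Dict, Optional

# Assumption: the entity's local zone is a fixed UTC-6 offset (constructed).
# Use the real zone, because "calendar day" is judged in the entity's own time.
LOCAL_TZ = timezone(timedelta(hours=-6))

# Constructed sample: termination register joined with the provider's
# de-provisioning export. Revocation timestamps are UTC; blank = no evidence.
SAMPLE_CSV = """user,effective_date,revoked_at_utc
alice,2018-06-01,2018-06-02T14:00:00Z
bob,2018-06-01,2018-06-03T10:00:00Z
carol,2018-06-01,
dave,2018-06-01,2018-06-03T05:30:00Z
"""


def r53_deadline(effective: date, tz=LOCAL_TZ) -> datetime:
    """Last instant of the next calendar day after the termination date."""
    return datetime.combine(effective + timedelta(days=1), time.max, tzinfo=tz)


def parse_utc(ts: str) -> Optional[datetime]:
    """Parse the provider's ISO-8601 UTC timestamp; an empty field means no record."""
    if not ts.strip():
        return None
    return datetime.strptime(ts.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_r53(csv_text: str, tz=LOCAL_TZ) -> Dict[str, str]:
    """Return {user: finding} for each termination lacking timely revocation evidence."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        due = r53_deadline(date.fromisoformat(row["effective_date"]), tz)
        revoked = parse_utc(row["revoked_at_utc"])
        if revoked is None:
            findings[row["user"]] = "no revocation evidence from provider"
        elif revoked > due:  # aware datetimes compare correctly across zones
            local = revoked.astimezone(tz)
            findings[row["user"]] = f"revoked {local:%Y-%m-%d %H:%M} local, due by end of {due:%Y-%m-%d}"
    return findings


if __name__ == "__main__":
    for user, finding in check_r53(SAMPLE_CSV).items():
        print(f"{user}: {finding}")
```

Note that dave's 05:30 UTC revocation is still 23:30 on the next calendar day in local time, so the zone conversion is what keeps it off the findings list.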
Let’s see a
show of hands. How many people think their cloud provider is going to provide
that evidence? I didn’t think I’d see any…. Yes, folks, there’s going to have
to be another way to provide evidence that your cloud provider is complying
with CIP-004 R5.3 with respect to your BCSI.
Regarding evidence, the auditor said “The Regions are not
going to go onsite to the third-party provider and audit their compliance with
the CIP Standards. It is up to the
Registered Entity to demonstrate compliance.
They can do so by either requiring the third-party to submit sufficient,
appropriate, and applicable evidence to provide a reasonable assurance that
they are complying with the applicable requirements, or to require the
third-party to undergo an external audit by a reputable unrelated third-party
audit firm and provide the detailed report of the third-party audit. The audit report will need to be sufficiently
detailed to demonstrate the applicable controls conform to the requirements of
the CIP standards and that they are effectively implemented.”
When I pressed the auditor on the question of whether the
entity would need to get evidence of every termination from their cloud
provider for compliance with R5.3, he didn’t rule out that there might be another
way to provide evidence. One way would of course be an audit report (such as a
SOC 2 audit) showing that the provider promptly removes access in the case of
terminations. When I asked him if that was the only way, he said “As an
auditor, especially under V5, I must keep an open mind and evaluate whatever
evidence is submitted to see if I can rely on it to reach a reasonable
determination of compliance or not.”
So there you have it.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte.
[i]
As any NERC compliance professional knows, “If you didn’t document it, you didn’t
do it.”
[ii]
In what I write below, I’m not providing any new information on how to comply
with CIP if you have BCSI stored in the cloud. I’m only rephrasing what is shown
in the standards, and what an auditor has said to me in recent emails. If you
go back to the post I just referenced, you’ll see that these four bullet points
correspond to the four requirement parts listed in the post (CIP-011 R1.2 and
three requirement parts from CIP-004).
[iii]
Although it’s conceivable your cloud provider may absolutely refuse to do any
of these things. If so, you may need to start looking for another provider, or
figure out a way to keep actual BCSI out of the cloud (see another post coming
soon that will discuss this idea).