If you have Low impact assets, you probably know the deadline for compliance with Sections 1 and 4 of Attachment 1 of CIP-003-6 R2 is this April 1. However, you may not know that you are required to have your first exercise of your incident response plan (under Section 4) completed by April 1. To be honest, I didn’t know that until today either; I had thought it was simply an area of ambiguity, so the regions would be on their own to say what they wanted their entities to do – and they couldn’t issue a PV if the entity hasn’t exercised its plan before that date.
However, today a longtime NERC compliance professional emailed me to ask me this question. I took this quite seriously since this is someone who has been working closely with the CIP standards since version 1; if he wasn’t sure, I knew I needed to investigate this. So I checked with two regional CIP auditors (from different regions) and with Lew Folkerth of RF, who was a CIP auditor but now provides great insight on CIP to RF members (and to the whole NERC community, through the RF newsletter and frequent posts by me, such as this one).
All of them said the same thing: A NERC entity with one or more Low impact BES assets (more specifically, one or more assets that contain a Low impact BES Cyber System) needs to complete their first incident response plan exercise before April 1. Moreover, this isn’t some arbitrary decision made by NERC or the regions; it’s baked into the implementation plans for CIP v5 and v6 (but it’s a complicated story to figure out – hence the fact that there is so much confusion on this question). Here is what Lew said by email:
Lew said: “Where the ERO is coming from on this is that the V5 Implementation Plan (October 26, 2012) states that the initial performance for CIP-003-5 R2 is “on or before the effective date of CIP-003-5 R2…”
The V5 Revisions Implementation Plan (January 23, 2015) states “The following sections of the Implementation Plan for Version 5 CIP Cyber Security Standards (Version 5 Plan) remain the same: Initial Performance of Certain Periodic Requirements – For those requirements with recurring periodic obligations, refer to the Version 5 Plan for compliance dates. – These compliance dates are not extended by the effective date of CIP Version 5 Revisions[i].”
However, Lew did send another email that said “If an entity is not going to complete testing of its Cyber Security Incident response plan as required by CIP-003-6 R2 Attachment 1 Section 4.5, then the entity should self-report this issue to its Region as soon as possible. The entity will have an opportunity to work with the Region’s Enforcement Group and to explain the misunderstanding, and that the testing was completed as soon as practical after the issue was identified.”
A word to the wise – as well as to the merely tardy.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] What the two quotes say together is that the CIP v5 initial performance dates for periodic requirements (those that have to be done periodically, like every 15 months) apply to v6 as well. Since the initial performance date specified for CIP-003 R2 in v5 was April 1, 2017, and since that date is unchanged in v6, there shouldn’t be any question that entities with Low assets need to exercise their response plans by April 1.
But this ignores an important fact: What was CIP-003 R2 in CIP v5 is now CIP-003 R1.2 in v6 (and there was no R1.2 in v5, only R1). So I would really read the two quotes as saying that the initial performance date for CIP-003 R1.2 in v6 is the same as that for CIP-003 R2 in v5. And what about CIP-003-6 R2? That really should have been addressed separately in the v6 implementation plan – i.e. the SDT should have specifically listed the initial performance date for R2 as April 1.
I do think this is a legitimate problem, but not one that’s likely to be addressed before April 1. So I just suggest we all put it down on the List of Unfair Things in NERC CIP – by my latest count, this is number 4,527 - and work on getting the CSIRP exercised by that date. For the last word on this subject, I quote my favorite philosopher, Jimmy Carter, who said “Life is unfair”.