In this recent post, I came to the conclusion – led there by an auditor – that NERC entities can entrust BES Cyber System Information (for Medium and High impact BES Cyber Systems) to cloud providers, as long as they comply with four requirement parts: CIP-011 R1.2, CIP-004 R4.1.3, CIP-004 R4.4 and CIP-004 R5.3.
However, it seems I may have missed two requirement parts. At the WECC CIP User Group meeting in Denver recently, auditor Morgan King did a very good presentation on CIP and virtualization (for the slides, go to this page and click on the presentation with his name on it). While the virtualization discussion was very good, he also brought up the cloud (since the two technologies go hand in hand). On slides 23 and 24, he lists six requirement parts that apply to BCSI in the cloud. Besides the four I just listed, he also includes CIP-004 R2.1.5 and CIP-011 R2.1. So I recommend you make sure you’re compliant with all six of these.
Since all six of these requirement parts require that the cloud provider have certain policies and procedures in place – and that it maintain the same level of documentation that is required of the entity itself – I know some readers will object that this places too big a burden on the entity, which would in effect have to audit the cloud provider. If you have this objection, I recommend you look at this post, which points out that a third-party audit such as SOC 2 could well be considered sufficient evidence of compliance.
And I also recommend this post, which points out that encrypting the data in the cloud is a good mitigation measure for compliance with some of the six requirement parts, but it doesn’t remove the obligation to comply with those parts. You will still have to provide evidence that you and your cloud provider are complying with each part.
Another thing you want to keep in mind is that your Information Protection Plan from CIP-011 R1.2 requires measures to address data in transit, not just at rest. This means you might need to encrypt the data before it goes to the cloud provider, depending on how you send it.
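To make the in-transit point concrete, here is an added example (mine, not part of the original post or of any cloud provider's tooling) of the "encrypt before it leaves" pattern: the entity generates and keeps the key, seals each BCSI object with AES-256-GCM, and hands only the sealed blob to whatever upload client it uses. The object name is bound as associated data so a blob cannot be silently relabelled, and any tampering in transit or at rest fails authentication on decryption. The function names, the object name and the sample record are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewEntityKey generates a 256-bit AES key. The key is created and held by
// the NERC entity; it is never sent to the cloud provider, so the provider
// only ever stores ciphertext.
func NewEntityKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a BCSI object with AES-256-GCM before upload. A fresh random
// nonce is prepended to the ciphertext, and objectName is bound as associated
// data so the blob can only be opened under the name it was sealed for.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. It fails with an error if the key or object name is
// wrong, or if a single bit of the blob was altered in transit or at rest.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	key, err := NewEntityKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; a hypothetical object name for the upload.
	record := []byte("constructed sample BCSI record: relay settings export")
	name := "substation-42/relay-config.txt"

	blob, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	// blob is what goes to the upload client; the provider never sees the key.
	fmt.Printf("sealed %d plaintext bytes into %d bytes for upload\n", len(record), len(blob))

	if _, err := Open(key, blob, "some-other-name"); err != nil {
		fmt.Println("open under a different object name correctly rejected")
	}
	back, err := Open(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered on download: %q\n", back)
}
```

The TLS session to the provider still carries the blob, but the content is opaque to the provider and to anything between you and it; what remains on your side is the evidence that the key is generated, stored and rotated under your own Information Protection Plan, which is the part encryption does not take off the table.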
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.