Is CIP-013 Unenforceable?

I heard an interesting comment this week from a friend on the staff of one of the Regional Entities, who is very knowledgeable about CIP and NERC enforcement in general. His opinion is that CIP-013 is unenforceable, as it stands in the second draft – the one now being balloted. Why does he think this? Here’s the smoking gun: the note below CIP-013 R2 (and since it’s a note, not part of the blue boxes, it does need to be considered as a binding modification of the requirement. I’ll have more to say on those blue boxes in one of my next posts – there is more going on with them than meets the eye) reads

“Note: Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.”

My friend points out that he has no problem with the first sentence. In fact, this thought was part of FERC’s Order 829, which ordered NERC to develop the standard; it was also in the first draft of CIP-013. His problem is with the second sentence, which was in neither Order 829 nor the first draft. And of the two parts of the second sentence, his problem is with the first part.

What is the problem? Let’s look at the requirement it’s attached to. R1.2 requires development of a supply chain cyber security risk management plan that includes (but isn’t limited to):

1.     One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:

a.      Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

b.     Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

c.      Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;

d.      Disclosure by vendors of known vulnerabilities;

e.      Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and

f.       Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).

R2 requires implementation of that plan. In an audit, the Responsible Entity is going to have to demonstrate that they have taken steps to get their vendors to provide all of these things. There are various ways to do this, and they can vary according to the risk posed by the vendor and/or the risk posed by the product or service being purchased. It is certain that many entities will attempt to achieve these goals by using legal contract language, at least in the case of some of their vendors.

My friend’s concern is that the first part of the second sentence of the note essentially says that the actual terms and conditions of a procurement contract are out of scope for the audit. This means that the auditor can’t ask the entity to show him or her a vendor contract, to demonstrate their assertion that they have used contract language to address one or more of the items listed in R1.2 for a particular vendor.

So let’s say the entity shows their auditors the section of their plan that describes how they will address each of the six items in R1.2, and the plan says that, for very important vendors like their EMS vendor, they will address all of the items using contract language; it looks at first glance like they’ve complied with R1.2, since they have a proper plan for achieving the objectives listed above.

Now the auditors move to R2, which requires the entity to implement the plan. They get to the section of the plan that corresponds to R1.2, and tell the entity that they would like to see evidence that they have complied with this part of the requirement for each of their top ten vendors, starting with the EMS vendor. And since the plan says that the entity will use contract language to address the six items in R1.2, at least for this vendor, the auditors request to see that contract to verify the language is actually there – or more likely, that the language is acceptable as evidence of compliance. At that point, the entity points them to the second sentence of the note and (politely) repeats that the “actual terms and conditions of a procurement contract” are out of scope. Therefore, they don’t need to produce the contract.

So how are the auditors going to verify the entity’s assertion that they have complied with R1.2 for their EMS vendor using contract language, if they aren’t allowed to see the contract? My friend’s answer is that the auditors can’t verify this assertion without being allowed to see the evidence. And what if the entity asserts they have used contract language to address R1.2 for all of their vendors? Then the auditors aren’t going to verify compliance – at least for the items in R1.2 - at all for this entity. Do you see any issue with this?

But other than the fact that it’s not enforceable, my friend doesn’t have any big problems with CIP-013.

Note: There were two follow-up posts on this subject, including this and this.

Any opinions expressed in this post are those of the author, not necessarily those of Deloitte.