This is the fourth (and probably not last!) in a series of posts on the question whether CIP-013 is enforceable. The previous one is here.
For those of you who aren’t keeping score at home, this series started with a conversation I had with a staff member of one of the NERC Regions, who raised the question whether CIP-013, the upcoming supply chain security management standard, is enforceable (spoiler alert: he doesn’t think so). An auditor from another Region replied to that post with the contrary opinion, and I published both of their responses (without taking sides) in the second post. In the third post (linked above), I rethought my neutrality when I considered the entire email that the staff member had sent me (in the second post, I hadn’t published everything he said). This time, I published the entire email and agreed with the staff member’s statement that CIP-013 (especially R2) seems to conflict with at least one sentence in the NERC Rules of Procedure.
Today, I emailed the staff member to make sure he saw this post. His reply showed me that his question on the enforceability of CIP-013 goes beyond just the RoP. In particular, he quotes the second sentence of the note next to R2 in the standard, which reads “the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.”
The staff member’s point is very simple: if the “actual terms and conditions” of a procurement contract aren’t in scope for this requirement, yet the entity is allowed to claim that they have complied with the requirement – in the case of at least one of their vendors – by getting the vendor to include particular language in their contract, then not only is R2 (and probably R1) not enforceable, it isn’t even mandatory!
This is certainly something I hadn’t thought about. Of course, I think there are a number of entities who secretly wouldn’t mind if all of the CIP standards were non-mandatory, as were all NERC standards before the US Energy Policy Act of 2005. But – sorry to break the bad news – this isn’t allowed since, at least as of today, compliance with the laws passed by Congress is still mandatory for everybody in the US, including FERC and NERC (if this changes in the near future, I’ll let you know).
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.