This is the fourth (and probably not last!) in a series of posts on the question whether CIP-013 is enforceable. The previous one is here. For those of you who aren’t keeping score at home, this series started with a conversation I had with a staff member of one of the NERC Regions, who raised the question whether CIP-013, the upcoming supply chain security management standard, is enforceable (spoiler alert: He doesn’t think so).
An auditor from another region replied to that post with the contrary opinion, and I published both of their responses (without taking sides) in the second post. In the third post (linked above), I rethought my neutrality after considering the entire email that the staff member had sent me (in the second post, I hadn’t published everything he said). This time, I published the entire email and agreed with the staff member’s statement that CIP-013 (especially R2) seems to conflict with at least one sentence in the NERC Rules of Procedure (RoP).
Today, I emailed the staff member to make sure he saw that post. His reply showed me that his question about the enforceability of CIP-013 goes beyond just the RoP. In particular, he quotes the second sentence of the note next to R2 in the standard, which reads “the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.”
The staff member’s point is very simple: if the “actual terms and conditions” of a procurement contract aren’t in scope for this requirement, yet the entity is allowed to claim compliance with the requirement (in the case of at least one of its vendors) by getting the vendor to include particular language in the contract, then R2 (and probably R1) is not only unenforceable; it isn’t even mandatory!
This is certainly something I hadn’t thought about. Of course, I think there are a number of entities who secretly wouldn’t mind if all of the CIP standards were non-mandatory, as were all NERC standards before the US Energy Policy Act of 2005. But – sorry to break the bad news – this isn’t allowed since, at least as of today, compliance with the laws passed by Congress is still mandatory for everybody in the US, including FERC and NERC (if this changes in the near future, I’ll let you know).
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.