I think a lot of CIP compliance professionals have September 1, 2018 circled on their calendars in heavy red ink, given the amount of work they think will need to be done by that date. I’m referring here to the date that compliance with CIP-003-6 R2 Attachment 1, Sections 2 and 3, comes due (the other two sections having already come due). These two sections cover physical and electronic access control for Low impact assets.
However, as I pointed out in a post last November, FERC called that date into question in their October NOPR, in which they proposed to approve CIP-003-7, the revised version of CIP-003 that was approved by NERC early in 2017. The implementation plan for CIP-003-7 says it will come into effect 18 months after FERC approves it, and that CIP-003-6 will be superseded when that happens. In other words, when FERC approves CIP-003-7 (and I believe it is highly likely they will do this, since they said they would!), the clock will start running on the 18 months. And the 9/1/18 date will end up being just another Saturday on a Labor Day weekend.
So what will be the implementation date for CIP-003-7? In the post, I pointed to July 1, 2019; however, I’m not sure what I was smoking when I said that. Since the plan says the implementation date is the first day of the calendar quarter after the 18-month anniversary of the approval by FERC, this means that, for my guess to have been right, FERC would have had to approve CIP-003-7 not much more than a month after I wrote the post (i.e. in December, since I wrote the post on November 12).
Of course, FERC didn’t approve CIP-003-7 in December. If they approve it before March 31, the effective date will be October 1, 2019. And if they approve it in the second quarter, the date will be January 1, 2020.
So, unless FERC decides not to approve CIP-003-7 after all (hardly a likely scenario), CIP-003-6 will never come into effect, and CIP-003-7 will come into effect more than a year after the 9/1/18 date that everyone has circled on their calendars. You can take this as a Valentine’s Day present.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. I would also love to talk about this; please email me at the same address.