Tuesday, January 16, 2018

It’s Time to Start Planning for CIP-013!

In October, I wrote a post pointing out that, even though the likely implementation date for CIP-013, the new supply chain security management standard, was more than two years away, there were good reasons to at least start the compliance planning process. The main reason why I made this assertion was that vendor contracts come up for renewal all the time. If your NERC entity knows what cyber security language you should request for CIP-013 purposes and can get it incorporated in new contracts, you will be saving yourselves many times more effort when CIP-013 comes into effect, since it is always harder to get vendors’ undivided attention when there isn’t a new contract on the horizon.

That argument is still valid, but there are a couple more that demand even more attention. First, I heard this morning that FERC has CIP-013 on their agenda for their meeting this Thursday. They will almost certainly do one of two things: a) Issue a Notice of Proposed Rulemaking (NOPR) stating their intention to approve CIP-013 and asking for comments; or b) Issue an Order approving CIP-013. In either of these cases, they could also make clear their intention to order changes to the standard, which would then have to be drafted and voted on as CIP-013-2. But either way, CIP-013-1 will be on the path to implementation.

The difference between these two cases, as far as the implementation timeline goes, is that an Order would start the clock ticking on the 18-month implementation plan for CIP-013, meaning compliance will be due about 18 months after this Thursday (the due date would probably be October 1, 2019). However, if they issue a NOPR (and I believe this is the more likely course) and allow 3-4 months for comment before issuing their Order, the compliance date will be either January 1, 2020 or April 1, 2020; my guess is it will be the latter.

So does April 1, 2020 sound like it’s a long time away? If you are a small organization (with one or more Medium or High impact assets), this might in fact be a long time. But if you’re a medium-to-large organization, you can’t wait much longer to at least begin your planning process for coming into compliance with CIP-013. I have been discussing what CIP-013 compliance requires with some NERC entities in the past few months, and I can assure you it’s probably a lot more than you thought. In fact, I will soon start a series of posts on what is needed for CIP-013 compliance, so you can understand why I say this.

However, there’s another reason why it’s important to start CIP-013 compliance soon, one that I realized when I wrote this post last week. The gist of the post is that plan-based requirements (like those in CIP-013) need to be treated differently by the NERC Regional Entities than prescriptive requirements (like many of those in most of the other CIP standards). When an entity is required to develop and implement a plan, as in the case of CIP-013 R1 and R2, there really needs to be some mechanism for the Region itself to be able to review the plan before it is implemented. The post describes such a mechanism, which was suggested to me by an auditor; most importantly, it’s a mechanism that’s already in effect in one Region and could be replicated in others.

So, while I can’t promise anything, I think it’s a good assumption that by maybe a year and a half from now, most if not all of the Regions will be able to review your CIP-013 supply chain cyber security risk management plan and offer you comments on it. The comments won’t touch on whether the plan is “compliant” or not, but will touch on how what you are proposing in the plan compares with best practices. My guess is most NERC entities will welcome being able to have this review, to avoid the problems that were discussed in relation to CIP-014 (another plan-based CIP standard) in this post and this one.

So let’s say your entity waits a few months, then starts leisurely thinking about what CIP-013 requires. Meanwhile, FERC issues their Order approving the standard and the compliance date is now set for April 1, 2020. You realize that you now have a little more than 18 months to become fully compliant. You accelerate the compliance planning process, and as soon as possible start to implement compliance (remember, you will have to be compliant on the effective date of the standard). You make a Herculean effort, and you are finished – including having a fully developed plan – by, say, February 2020.

You might feel pretty good about this, but let’s say you then decide to ask your Region to review your plan. They say they’ll be glad to do this, but since a number of other entities have just asked the Region to review their plans, it will be more than, say, six months before they can review yours and report back to you on it (say they’ll get back by August 2020).

This means you will have to start implementing your plan in April, without having the benefit of any feedback from your Region. The main reason you asked for the review was to be able to hear and act on the results before you started implementing the plan; while it will still be good to have those results, it would obviously have been much better to have them at least a few months before April 1. You will have to start implementing the plan without knowing what your Region thinks of it.

Ideally, it would have been better if you could have finished your plan by, say, October 1, six months before the CIP-013 implementation date. That would have given your Region time to review and comment on the plan, as well as given you time to change the plan to reflect those comments – all before the April 1, 2020 compliance date. But obviously, this would have required starting the CIP-013 process earlier, like, say, around January 2018!

