In October of 2017, FERC issued a NOPR stating that they intend to approve CIP-003-7, which includes the revamped “LERC” requirement and also the requirement for Transient Cyber Assets and Removable Media used at Low impact assets. In November, I put out a post on the NOPR, which turned out to be the first of five parts.
In that post, I made two statements about the implementation date for CIP-003-7. First, I said that the implementation plan is for 18 months and the likely date for compliance was July 1, 2019. This was a mistake, because that date was just a little more than 18 months from the date I wrote the post. I was obviously assuming that FERC would approve the standard within a few weeks of when I wrote the post. This would have been a physical impossibility, since they were asking for comments on their proposed changes. The comment period would be a couple months, and wouldn’t start until at least January. Then FERC would have to analyze the comments and make their decisions on the various issues. There was no way FERC could approve CIP-003-7 for at least five or six months; I have no idea what I was smoking when I said otherwise. This means it is likely – and was always likely – that FERC won’t approve CIP-003-7 until the second quarter of this year. So the effective date for the standard will probably be January 1, 2020.
The second statement I made in the post was that NERC entities wouldn’t have to comply with the physical and electronic access control parts of CIP-003-6 R2 (specifically, sections 2 and 3 of Attachment 1) until CIP-003-7 comes into effect. In other words, implementation of these two sections of CIP-003-6 will be superseded by version 7.
I have continued to believe this was correct until today at the WECC CIP workshop in Boise, Idaho[i], when WECC auditors stated a couple times that compliance with both sections 2 and 3 of version 6 is still due on September 1 of this year – although they will allow the entity to describe what they have done using the language of v7[ii]. This will save entities from having to rewrite their documentation when v7 comes into effect.
I was of course surprised by this, but I wondered if I’d been wrong. So I went back to NERC’s Implementation Plan, where I found these words: “…this Implementation Plan clarifies that under Requirement R2 of CIP-003-7(i), the Responsible Entity shall not be required to include in its cyber security plan(s) any elements related to Sections 2, 3, and 5 of Attachment 1 until the effective date of CIP-003-7(i). Upon the effective date of CIP-003-7(i), the Responsible Entity’s cyber security plan(s) must include the elements required by Sections 2, 3, and 5 of Attachment 1 and the Responsible Entity must implement the controls included in its plan to meet the objectives of Sections 2, 3, and 5.”
This is very clear: NERC was saying that entities wouldn’t need to comply with the physical and electronic access control requirement parts of CIP-003-v6 until the effective date of CIP-003-7. FERC merely paraphrased this language. Specifically, in paragraph 45 of the NOPR, FERC says “NERC explains that the proposed implementation plan does not alter the previously-approved compliance dates for Reliability Standard CIP-003-6 other than the compliance date for Reliability Standard CIP-003-6, Requirement R2, Attachment 1, Sections 2 and 3, which would be replaced with the effective date for proposed Reliability Standard CIP-003-7. NERC also proposes that the retirement of Reliability Standard CIP-003-6 and the associated definitions become effective on the effective date of proposed Reliability Standard CIP-003-7.” (my emphasis)
Does this mean I’m saying WECC entities should stop whatever they’re doing to implement physical and electronic access controls for Lows – and take a long vacation before they start the push again next year? I think you would be on solid compliance grounds if you did that, but in the unlikely event that FERC doesn’t approve CIP-003-7, you’ll be in a bad place. Whenever I have asked an entity whether they’re still going full bore to meet the September 1, 2018 date, they have inevitably said yes.
What this points out is something that NERC entities have known for a long time: the whole business of effective dates of new or revised NERC standards needs to be revisited (in fact, I had a discussion of exactly that issue with one entity during the WECC workshop). This is certainly not the first time I’ve seen lots of confusion about the effective date for a standard.
Note: After posting this last night, I had email conversations this morning with auditors from two other NERC Regions, as well as WECC. The two other regions both said they were telling their entities that they expect the effective date for the physical and electronic access controls to be pushed back to the v7 effective date. However, a WECC auditor – whom I’d also emailed this morning – replied to me that they are operating on the prudent assumption that FERC won’t approve v7, meaning the 9/1/18 date will still be valid. As I said above, I regard this as very unlikely, but no entity should put aside their implementation of physical and electronic access controls at Lows now. The consequences would be very severe if FERC decides to surprise everybody and not approve CIP-003-7!
Also note that I did amend some of the language from the post last night, to clarify WECC's motivation in saying that the 9/1/18 date remains in effect. They are being very careful, and it is indubitable that, as of today, the effective date for the Low impact electronic access control requirement remains 9/1/18.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] Which is a wonderful town, by the way!
[ii] Since CIP-003-7 does away with the LERC and LEAP terms but still allows the entity to comply in the same ways they could comply with Sections 2 and 3 in CIP-003-6 R2, this means that, if the entity complies with CIP-003-6 and later complies with CIP-003-7, they will need to rewrite their documentation but won’t need to make any actual changes to the physical or electronic access controls themselves – unless they want to, of course.