My longtime friend Trey Cross emailed me today about something that was mentioned in NERC’s weekly Standards, Compliance and Enforcement bulletin: the initial performance date for four CIP requirement parts is July 1, 2018. This means that, by that date:
- At High impact Control Centers, recovery plans need to be tested with an operational test. Per CIP-009 R2.3, this needs to be done every 36 months.
- At High impact Control Centers, there needs to be an active vulnerability assessment. Per CIP-010 R3.2, R3.2.1 and R3.2.2, this also needs to be done every 36 months.
I verified this by looking at NERC’s spreadsheet for CIP v5 effective dates (available here). Of course, the requirements in question became effective on July 1, 2016, along with the other CIP v5 requirements. But does this mean the entity has until July 1, 2019 to perform these things for the first time? No, it doesn’t.
When CIP version 1 was implemented, most entities assumed that the clock would start running on periodic requirements (like these) on the effective date of the requirement, yet some regions required that the vulnerability assessment be performed before the effective date. Since the v1 standards never said anything about initial performance dates, I doubt that any entities were given violations for not finishing their SVAs on time, but after that snafu the drafting teams always made sure to specify the “initial performance dates for periodic requirements”. Of course, this was done in the case of CIP v5 and v6, so here we are.
I would think that almost all High impact Control Centers would have done this, but if not…hey, you didn’t have anything else to do on weekends in June, did you?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.