I have been unusually silent on CIP-013 lately; I’ve gone a whole month since posting about it. However, that doesn’t mean it’s not coming. I still believe (and others do as well) that FERC will approve the standard in Q3 (meaning at their September meeting). And as the post just referenced shows, I still believe the most likely compliance date for CIP-013 is April 1, 2020, while the next most likely is July 1, 2020 (Note from Tom 8/13: I said 1/1/20 was the second-most likely compliance date in the post just linked, but it's now no longer possible for that to happen, so I've updated the dates in this post). And as I said in this post in January, you really need to aim to have your supply chain cyber security risk management plan (which is the whole point of CIP-013, of course) finished by six months before the compliance date, to give you time to have it reviewed by your region.
So you really need to consider October 1, 2019 or January 1, 2020 as your “plan completion date”. Once your region has given you their comments on your plan, and you’ve adjusted the plan to address those comments, you should then put it into place. Hopefully, you'll have it implemented with at least a little time remaining before the compliance date. And if you’re one of the entities that likes to come into compliance at least 90 days before the compliance date (as did a number of entities in the run-up to CIP version 5), then you need to move each of these dates up by 90 days, to July 1 or October 1, 2019.
So now the date you will need to have your supply chain cyber security risk management plan developed is as early as next July 1! Does that seem very far away? Not if you know what you will need to do to develop your plan (hint: it’s a lot).
Which brings me to the subject of this post. Tom Alrich LLC is offering a free 2-3 hour webinar workshop for your company on CIP-013, and what you will need to do to comply with it. The owner of the company also tells me that he will be glad to come onsite to do this as well, schedule permitting.
The purpose of the workshop is to get the different groups that will be involved in complying with CIP-013 – supply chain, legal, cyber security and NERC compliance – thinking about the issues that are involved (in fact, there could be two webinars, maybe one for the security/NERC CIP folks and one for supply chain and legal). And in case you haven’t been reading my posts on this subject, complying with CIP-013 will be very different from complying with any of the previous CIP standards. The topics to be addressed can include:
- CIP-013 is one of the first risk-based NERC standards. While it’s not mandatory, it is highly advised to classify both BES Cyber Systems and vendors by the degree of risk they pose, with different plan strategies corresponding to different degrees of risk. How can you do this?
- The standard doesn’t list the particular risks (although I would prefer the term ‘threats’) that you need to address in your supply chain cyber security risk management plan. How can you compile a credible yet manageable list of risks for your plan?
- CIP-013 is the first plan-based CIP standard that doesn’t prescribe any particular actions – it simply requires that you develop and implement a plan[i]. How will you develop the plan and how will it be audited?
- While attention has mostly focused on the requirement to mitigate vendor risk, the entity also needs to mitigate implementation risks and risks of transition between vendors, as well as risks posed by services vendors. What are possible strategies for these?
- While much of the discussion of CIP-013 has focused on the question of getting vendors to agree to contract language, it is a fact that contract language isn’t the only way – or probably even the preferred way – to get vendor agreement to take actions required by CIP-013. What are good strategies for obtaining vendor commitment, so that the high-cost option of demanding contract language can be avoided, except in cases where it is really needed?
- How do you document that vendors followed through on their promises? And what do you do if a vendor doesn’t keep its promise, or won’t make any promise to you in the first place?
If you would like to discuss this with me, please drop me an email at firstname.lastname@example.org or call me at 312-515-8996. Thanks!
[i] CIP-013 R1.2 lists six general risk mitigation goals that must be addressed in your plan, but doesn’t require you to take specific steps to achieve any of these six goals. The new versions of CIP-005 and CIP-010 that were balloted with CIP-013 (and will be implemented when CIP-013 is) include three new requirement parts (CIP-005-6 R2.4 and R2.5, and CIP-010-3 R1.6) that in fact do require the entity to take specific actions that implement two of the items in CIP-013 R1.2 (specifically R1.2.6 and R1.2.5). But CIP-013 itself doesn’t require any specific actions.