Discussion with Kevin Perry (and Lew Folkerth) on the meaning of “Procurement”

People who are coming to NERC CIP for the first time as a result of CIP-013 may be surprised to learn that the two most important terms in the standard – “procurement” (or “procure”) and “vendor” – aren’t officially defined (i.e. not included in the NERC Glossary, meaning a definition was drafted, balloted by a NERC Ballot Body, and approved by the NERC Board of Trustees). However, people who lived through the process of implementation of CIP v5 – when the meanings of essential undefined terms like “programmable”, “affect the BES”, and “External Routable Connectivity” were fiercely debated, yet to this day there is no official definition for any of these – shouldn’t be at all surprised that this has happened again.

There is actually a quasi-definition of “vendor” – it was drafted by the CIP-013 drafting team but wasn’t officially approved in the standard (a long, complicated story, as with just about everything having to do with drafting and enforcing NERC CIP standards) – that was included in the Supplemental Material for CIP-013, so it wasn’t voted on or approved by FERC. However FERC mentioned they liked this definition in Order 850, so if it’s good enough for them, it’s good enough for me:

“The term vendor(s) as used in the standard is limited to those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. It does not include other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.”

But there is no definition of “procure” or “procurement” anywhere in NERC or FERC documents; yet th­e term is definitely used in CIP-013 R1.1. Even more importantly, the NERC Evidence Request Spreadsheet (formerly the Evidence Request Tool) relies very heavily on the term “procurement”, since all CIP-013 audits will start with a request for documentation showing that the entity has conducted a procurement risk assessment that follows CIP-013 R1.1 and R1.2, for every procurement over the audit period (although the request will be for a random sample of those procurements). What constitutes a procurement, anyway?

In a recent post, I included the sentence “There’s no NERC definition of a ‘procurement’, meaning it’s up to the entity to define what it means.” The next day, I received an email about this statement from Kevin Perry, the former Chief CIP Auditor of the late lamented SPP Regional Entity (SPP RE is now “gone with the wind”. In fact, Kevin announced his upcoming retirement one week in 2017, and it seemed like the next week SPP RE announced they were closing down; their “members” moved to other NERC Regions, primarily to MRO but also some to SERC. I joked that, when SPP RE learned Kevin was leaving – he was the only Chief CIP Auditor they ever had – they decided it simply wasn’t worth going on anymore, so they announced they were folding. In fact, both announcements had long been planned).

Getting an email from Kevin was hardly an unusual occurrence, especially since he now has more time on his hands. In the past – especially during the three-year period between FERC’s April 2013 NOPR saying they would approve CIP v5 and the actual implementation of v5 in 2016 – we’ve exchanged very long emails where (usually) I would start by asking a question and he would reply, then I would embed comments in a different color, followed by his doing the same, etc. etc. I don’t think we ever resolved any of these questions to either of our satisfaction, but we always stopped the email chain when we were out of colors that were easily distinguishable from each other!

Kevin made some very good points in his recent email, although I don’t agree with him 100%. But, rather than just reply to him privately, I decided to make this a public effort, since I think there is a lot to be learned (at least I’ve learned a lot from the discussion. I hope you will, too). Below, I’ve incorporated his statements in normal text, while my answers are all in italics.

Kevin’s first topic – What is “procurement”?

I agree that, as usual, NERC and the SDT did a lousy job of defining a key term used in the Standard.  I found a decent web site that notes that there is a difference between “procurement” and “purchase”, also noting that the purchase is a step in the procurement process.  The web site is at: https://www.slideshare.net/Procurify/what-is-the-difference-between-procurement-and-purchasing

I hadn’t thought before about a difference between procurement and purchase, but now it makes a lot of sense to me. The final slide of the deck gives the following definition of Procurement: “Procurement (is) the sourcing activities, negotiation and strategic selection of goods and services that are usually of importance to an organization.” For Purchasing, the definition is “the process of how goods and services are ordered. It is usually described as the transactional explicit function of procurement for goods and services.”

The slides that Kevin linked make clear that purchasing is just one component of the procurement process. The procurement starts with “Identification of requirement”, which is when people first start discussing the need to procure a product or service. I think this is correct and Lew Folkerth of RF also believes that, based on a statement he made in his column in the RF newsletter last fall (which I wrote about in this post): “You will need to establish a beginning date for the procurement. The effective date of a contract is not necessarily the beginning of a procurement. The beginning date might be the date of an expenditure authorization or a request for bid, quote, etc. You will then need to show how you followed your risk management plan throughout the acquisition.”

Further steps include Purchase Request, RFQ, Selection of the Vendor, Negotiation (of the contract), PO, and Goods Receipt. However, I disagree with the slides when they list “Payment to Supplier” as the last step in the procurement process. The author seems to not know about master purchasing agreements, in which an organization designates a particular supplier as their source for particular products or services. These agreements almost always are for a fixed length of time, with the idea that more than one purchase will be made during that time period. Each purchase will have its own PO, but they’ll all be governed by the one master agreement.

The really interesting questions about what constitutes a procurement come with a master agreement that includes multiple purchases. Does a procurement risk assessment need to be performed for each purchase under the master contract, or just the first time? For example, do you need to do one assessment when you make the first purchase and then another a month later? How about if you make one purchase and the next is three years later, yet it’s still under the same master agreement?

Of course, if you’re looking for an answer to this question that carries regulatory certainty, you’re out of luck here. The only ways to get a certain answer to any question of interpretation of a requirement or definition are a) to draft a Standards Authorization Request, get it approved by NERC, and wait about three years for the revised standard to be drafted, balloted and approved by NERC and FERC, and implemented; or b) to draft a Request for Interpretation and get it approved by NERC. The Interpretation will be drafted, and then it has to be balloted and approved by NERC and FERC. And guess how long this takes? At least 1 ½ - 2 years. Neither option is particularly helpful, IMHO, and they’re very rarely pursued.

So would you like to hear my opinion?...I didn’t think so, but I’ll tell you anyway: In this situation, you need to ask yourself “Is it likely the risks have changed since the last purchase?” If so, you should do a new risk assessment; if not, you don’t need to. So when should you consider the risks to have changed, and when should you consider them not to have changed?

Sometimes the answer to that is a no-brainer, like if the product being purchased has been altered in some important way, the supplier has changed ownership, a significant new cyber threat related to this product has emerged, etc.

But absent no-brainer situations, you need to use your judgment (i.e. your brain. You can find that by going to your nose and making a 90 degree turn). I’m sure that, if only a month has elapsed since the procurement risk assessment, nobody will question it if you decide that a new assessment isn’t needed. If it’s been a year, however, I think you might find it hard to justify not doing an assessment to an auditor. And as far as everything in between goes, I’d say it’s your own judgment.

Of course, since “procurement” isn’t defined, if you wait five years to do a new assessment and you receive a violation because of that, the violation will ultimately be thrown out – although you might have to go to court to do that (CIP requirements – as Kevin informed me years ago – are administrative law. You can appeal a CIP violation to an Administrative Law Judge, although so far no such case has ever been fully adjudicated, meaning a decision was reached). So I don’t recommend waiting five years between procurement risk assessments, even if technically the same contract is in effect.

But why would you want to wait five years (or one year, for that matter) to do a new procurement risk assessment? Remember, CIP-013 wasn’t put in place because some evil genius at FERC decided the power industry wasn’t suffering enough from CIP. FERC ordered it because – again in my opinion – supply chain security is the number two cybersecurity risk in the world today, behind just ransomware.

Also, the procurement risk assessment won’t be that hard to do, assuming you have a well-documented process that’s designed so it can be almost completely executed by someone (e.g. in procurement) with minimal cybersecurity knowledge – and it’s possible to design such a process, as I’ve found with my clients. So you shouldn’t be afraid of performing these assessments regularly. The more regularly you perform them, the easier they’ll get! (Note: the procurement risk assessment is different from the vendor risk assessment. I’ll discuss the difference in another post soon, since that was another topic in my emails with Kevin).

(Kevin continues)

The concern is that if the entity gets to define the term, what happens if the Region, NERC, or FERC auditors disagree with the definition?  It probably will not be pretty.

(Here, Kevin is referring to my statements, in the post that prompted his email, that whenever there is a missing definition in a CIP requirement, the entity should decide on a reasonable definition and document it – and then make sure all of their compliance documentation from then on shows that the definition was followed by the whole organization; the same goes for the many ambiguities and  “implicit requirements” – over 50, by my count – in the current CIP standards. This became the standard procedure that many entities followed as they prepared for CIP v5, and it is still what all entities subject to CIP should follow today, especially since virtually none of the missing definitions or ambiguities in CIP v5, or v6, or v7 have ever been resolved)

My reaction to Kevin’s concern is I’m shocked – SHOCKED – to hear that there might be disagreements between a NERC entity and an auditor, NERC or FERC. Who could have imagined that such a thing could happen? J

Seriously, suppose a term is undefined and you drew up a definition for it while you were coming into compliance. You made sure that everyone in your organization, who was involved with compliance with the standard(s) in question, followed that definition in everything they did for compliance, and you documented that fact.

Yet it doesn’t sit well with your auditor two or three years later when you’re audited. He/she says “Your definition should say X. It doesn’t say X.” You simply say to the auditor “Please point me to the definition of this term in the NERC Glossary and show me that it says X.” Of course, the auditor won’t be able to do that. However, this doesn’t mean you can come up with some ridiculous definition that doesn’t make sense at all – for example, you define a procurement as something that can occur only in years evenly divisible by 10 (sounds great, right! You’ve just cut your procurement risk assessment workload by nine tenths!). You can and should be called out for this definition, since auditors are allowed to use judgment about what’s reasonable and what’s not.

I will point out that I can’t guarantee you’ll never get a Potential non-Compliance in a case where you have laid out a reasonable position and the auditor disagrees with it, even though there is nothing in the requirement or official definition to support his/her opinion. I know one entity that received a PNC for one of the CIP-014 requirements because they hadn’t installed anti-tank barriers (I kid you not!) to protect a substation subject to CIP-014. They of course contested the PNC and I’m sure it will be thrown out. And the auditor is no longer employed by that Region, praise the Lord. But it’s ridiculous that they should have even had to go through this process.

(Kevin’s reply to the above comment)

As long as the entity implements a definition that is commonly used in business, then they should be good.  Most, if not all utilities have a purchasing department with defined procedures.  Even municipal utilities rely on their municipality’s purchasing procedures.  You should be able to build a reasonable definition from that.

Makes sense to me!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.