I have been unusually silent on CIP-013 lately; I’ve gone a whole month since posting about it. However, that doesn’t mean it’s not coming. I still believe (and others do as well) that FERC will approve the standard in Q3 (meaning at their September meeting). And as the post just referenced shows, I still believe the most likely compliance date for CIP-013 is April 1, 2020, while the next most likely is July 1, 2020. And as I said in this post in January, you really need to aim to have your supply chain cyber security risk management plan (which is the whole point of CIP-013, of course) finished by six months before the compliance date, to give you time to have it reviewed by your region.
So you really need to consider October 1, 2019 or January 1, 2020 as your “plan completion date”. Once your region has given you their comments on your plan, and you’ve adjusted the plan to address those comments, you should then put it into place. Hopefully, you'll have it implemented with at least a little time remaining before the compliance date. And if you’re one of the entities that likes to come into compliance at least 90 days before the compliance date (as did a number of entities in the run-up to CIP version 5), then you need to move each of these dates up by 90 days, to July 1 or October 1, 2019.
So now the date you will need to have your supply chain cyber security risk management plan developed is as early as next July 1! Does that seem very far away? Not if you know what you will need to do to develop your plan (hint: it’s a lot).
Which brings me to the subject of this post. Tom Alrich LLC is offering a free 1-2 hour webinar workshop for your company on CIP-013 and what you will need to do to comply with it. The purpose of the workshop is to get the different groups that will be involved in complying with CIP-013 – supply chain, legal, cyber security and NERC compliance – thinking about the issues that are involved. And in case you haven’t been reading my posts on this subject, complying with CIP-013 will be very different from complying with any of the previous CIP standards. The topics to be addressed can include:
- CIP-013 is one of the first risk-based NERC standards. While it’s not mandatory, it is highly advised to classify both BES Cyber Systems and vendors by the degree of risk they pose, with different plan strategies corresponding to different degrees of risk. How can you do this?
- The standard doesn’t list the particular risks (although I would prefer the term ‘threats’) that you need to address in your supply chain cyber security risk management plan. How can you compile a credible yet manageable list of risks for your plan?
- CIP-013 is the first plan-based CIP standard that doesn’t prescribe any particular actions – it simply requires that you develop and implement a plan[i]. How will you develop the plan and how will it be audited?
- While attention has mostly focused on the requirement to mitigate vendor risk, the entity also needs to mitigate implementation risks and risks of transition between vendors, as well as risks posed by services vendors. What are possible strategies for these?
- While much of the discussion of CIP-013 has focused on the question of getting vendors to agree to contract language, it is a fact that contract language isn’t the only way – or probably even the preferred way – to get vendor agreement to take actions required by CIP-013. What are good strategies for obtaining vendor commitment, so that the high-cost option of demanding contract language can be avoided, except in cases where it is really needed?
- How do you document that vendors followed through on their promises? And what do you do if a vendor doesn’t keep its promise, or won’t make any promise to you in the first place?
If you would like to discuss this with me, please drop me an email at tom@tomalrich.com or call me at 312-515-8996. Thanks!
[i] CIP-013 R1.2 lists six general risk mitigation goals that must be addressed in your plan, but doesn’t require you to take specific steps to achieve any of these six goals. The new versions of CIP-005 and CIP-010 that were balloted with CIP-013 (and will be implemented when CIP-013 is) include three new requirement parts (CIP-005-6 R2.4 and R2.5, and CIP-010-3 R1.6) that in fact do require the entity to take specific actions that implement two of the items in CIP-013 R1.2 (specifically R1.2.6 and R1.2.5). But CIP-013 itself doesn’t require any specific actions.
I want to emphasize that this is an individual offer to your organization, not just an invitation to a general webinar (maybe I'll have some of those later as well). The idea is to help your organization – and all the groups involved – start thinking about what you need to do to comply with CIP-013.