Discussion with Kevin
Perry (and Lew Folkerth) on the meaning of “Procurement”
People who
are coming to NERC CIP for the first time as a result of CIP-013 may be
surprised to learn that the two most important terms in the standard – “procurement”
(or “procure”) and “vendor” – aren’t officially defined (i.e. not included in
the NERC Glossary, meaning a definition was drafted, balloted by a NERC Ballot
Body, and approved by the NERC Board of Trustees). However, people who lived
through the process of implementation of CIP v5 – when the meanings of
essential undefined terms like “programmable”,
“affect
the BES”, and “External
Routable Connectivity” were fiercely debated, yet to this day there is no
official definition for any of these – shouldn’t be at all surprised that this
has happened again.
There is
actually a quasi-definition of “vendor” – it was drafted by the CIP-013
drafting team but wasn’t officially approved in the standard (a long,
complicated story, as with just about everything having to do with drafting and
enforcing NERC CIP standards) – that was included in the Supplemental Material
for CIP-013, so it wasn’t voted on or approved by FERC. However FERC mentioned
they liked this definition in Order 850,
so if it’s good enough for them, it’s good enough for me:
“The term vendor(s) as used in the
standard is limited to those persons, companies, or other organizations with
whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber
Systems and related services. It does not include other NERC registered
entities providing reliability services (e.g., Balancing Authority or
Reliability Coordinator services pursuant to NERC Reliability Standards). A
vendor, as used in the standard, may include: (i) developers or manufacturers
of information systems, system components, or information system services; (ii)
product resellers; or (iii) system integrators.”
But there is no definition of “procure”
or “procurement” anywhere in NERC or FERC documents; yet the term is definitely
used in CIP-013 R1.1. Even more importantly, the NERC Evidence Request
Spreadsheet (formerly the Evidence Request Tool) relies very heavily on the
term “procurement”, since all CIP-013 audits will start with a request for
documentation showing that the entity has conducted a procurement risk
assessment that follows CIP-013 R1.1 and R1.2, for every procurement over the
audit period (although the request will be for a random sample of those
procurements). What constitutes a procurement, anyway?
In a recent post,
I included the sentence “There’s no NERC definition of a ‘procurement’, meaning
it’s up to the entity to define what it means.” The next day, I received an
email about this statement from Kevin Perry, the former Chief CIP Auditor of the
late lamented SPP Regional Entity (SPP RE is now “gone with the wind”. In fact,
Kevin announced his upcoming retirement one week in 2017, and it seemed like
the next week SPP RE announced they were closing down; their “members” moved to
other NERC Regions, primarily to MRO but also some to SERC. I joked that, when
SPP RE learned Kevin was leaving – he was the only Chief CIP Auditor they ever
had – they decided it simply wasn’t worth going on anymore, so they announced
they were folding. In fact, both announcements had long been planned).
Getting an email from Kevin was
hardly an unusual occurrence, especially since he now has more time on his hands.
In the past – especially during the three-year period between FERC’s April 2013
NOPR
saying they would approve CIP v5 and the actual implementation of v5 in 2016 –
we’ve exchanged very long emails where (usually) I would start by asking a
question and he would reply, then I would embed comments in a different color,
followed by his doing the same, etc. etc. I don’t think we ever resolved any of
these questions to either of our satisfaction, but we always stopped the email
chain when we were out of colors that were easily distinguishable from each
other!
Kevin made some very good points
in his recent email, although I don’t agree with him 100%. But, rather than just
reply to him privately, I decided to make this a public effort, since I think
there is a lot to be learned (at least I’ve learned a lot from the discussion.
I hope you will, too). Below, I’ve incorporated his statements in normal text,
while my answers are all in italics.
Kevin’s first topic – What is “procurement”?
I agree that, as usual, NERC and
the SDT did a lousy job of defining a key term used in the Standard. I
found a decent web site that notes that there is a difference between
“procurement” and “purchase”, also noting that the purchase is a step in the
procurement process. The web site is at: https://www.slideshare.net/Procurify/what-is-the-difference-between-procurement-and-purchasing
I hadn’t thought before about a difference between
procurement and purchase, but now it makes a lot of sense to me. The final
slide of the deck gives the following definition of Procurement: “Procurement
(is) the sourcing activities, negotiation and strategic selection of goods and
services that are usually of importance to an organization.” For Purchasing,
the definition is “the process of how goods and services are ordered. It is
usually described as the transactional explicit function of procurement for goods
and services.”
The slides that Kevin linked make clear that purchasing is
just one component of the procurement process. The procurement starts with
“Identification of requirement”, which is when people first start discussing
the need to procure a product or service. I think this is correct and Lew
Folkerth of RF also believes that, based on a statement he made in his column
in the RF newsletter last fall (which I wrote about in this
post): “You will need to establish a beginning date for the procurement. The
effective date of a contract is not necessarily the beginning of a procurement.
The beginning date might be the date of an expenditure authorization or a
request for bid, quote, etc. You will then need to show how you followed your
risk management plan throughout the acquisition.”
Further steps include Purchase Request, RFQ, Selection of
the Vendor, Negotiation (of the contract), PO, and Goods Receipt. However, I
disagree with the slides when they list “Payment to Supplier” as the last step
in the procurement process. The author seems to not know about master
purchasing agreements, in which an organization designates a particular
supplier as their source for particular products or services. These agreements
almost always are for a fixed length of time, with the idea that more than one
purchase will be made during that time period. Each purchase will have its own
PO, but they’ll all be governed by the one master agreement.
The really interesting questions about what constitutes a
procurement come with a master agreement that includes multiple purchases. Does
a procurement risk assessment need to be performed for each purchase under the
master contract, or just the first time? For example, do you need to do one assessment
when you make the first purchase and then another a month later? How about if
you make one purchase and the next is three years later, yet it’s still under
the same master agreement?
Of course, if you’re looking for an answer to this question
that carries regulatory certainty, you’re out of luck here. The only ways to
get a certain answer to any question of interpretation of a requirement or
definition are a) to draft a Standards Authorization Request, get it approved
by NERC, and wait about three years for the revised standard to be drafted, balloted
and approved by NERC and FERC, and implemented; or b) to draft a Request for
Interpretation and get it approved by NERC. The Interpretation will be drafted,
and then it has to be balloted and approved by NERC and FERC. And guess how
long this takes? At least 1 ½ - 2 years. Neither option is particularly
helpful, IMHO, and they’re very rarely pursued.
So would you like to hear my opinion?...I didn’t think so,
but I’ll tell you anyway: In this situation, you need to ask yourself “Is it
likely the risks have changed since the last purchase?” If so, you should do a
new risk assessment; if not, you don’t need to. So when should you consider the
risks to have changed, and when should you consider them not to have changed?
Sometimes the answer to that is a no-brainer, like if the
product being purchased has been altered in some important way, the supplier
has changed ownership, a significant new cyber threat related to this product
has emerged, etc.
But absent no-brainer situations, you need to use your
judgment (i.e. your brain. You can find that by going to your nose and making a
90 degree turn). I’m sure that, if only a month has elapsed since the
procurement risk assessment, nobody will question it if you decide that a new
assessment isn’t needed. If it’s been a year, however, I think you might find
it hard to justify not doing an assessment to an auditor. And as far as everything
in between goes, I’d say it’s your own judgment.
Of course, since “procurement” isn’t defined, if you wait
five years to do a new assessment and you receive a violation because of that,
the violation will ultimately be thrown out – although you might have to go to
court to do that (CIP requirements – as Kevin informed me years ago – are
administrative law. You can appeal a CIP violation to an Administrative Law
Judge, although so far no such case has ever been fully adjudicated, meaning a
decision was reached). So I don’t recommend waiting five years between
procurement risk assessments, even if technically the same contract is in
effect.
But why would you want to wait five years (or one
year, for that matter) to do a new procurement risk assessment? Remember,
CIP-013 wasn’t put in place because some evil genius at FERC decided the power
industry wasn’t suffering enough from CIP. FERC ordered it because – again in
my opinion – supply chain security is the number two cybersecurity risk in the
world today, behind just ransomware.
Also, the procurement risk assessment won’t be that hard to
do, assuming you have a well-documented process that’s designed so it can be almost
completely executed by someone (e.g. in procurement) with minimal cybersecurity
knowledge – and it’s possible to design such a process, as I’ve found with my
clients. So you shouldn’t be afraid of performing these assessments regularly.
The more regularly you perform them, the easier they’ll get! (Note: the
procurement risk assessment is different from the vendor risk assessment. I’ll
discuss the difference in another post soon, since that was another topic in my
emails with Kevin).
(Kevin continues)
The concern is that if the
entity gets to define the term, what happens if the Region, NERC, or FERC
auditors disagree with the definition? It probably will not be pretty.
(Here, Kevin is referring to my statements, in the post
that prompted his email, that whenever there is a missing definition in a CIP
requirement, the entity should decide on a reasonable definition and document
it – and then make sure all of their compliance documentation from then on
shows that the definition was followed by the whole organization; the same goes
for the many ambiguities and “implicit
requirements” – over 50, by my count – in the current CIP standards. This
became the standard procedure that many entities followed as they prepared for
CIP v5, and it is still what all entities subject to CIP should follow today,
especially since virtually none of the missing definitions or ambiguities in
CIP v5, or v6, or v7 have ever been resolved)
My reaction to Kevin’s concern is I’m shocked – SHOCKED – to
hear that there might be disagreements between a NERC entity and an auditor,
NERC or FERC. Who could have imagined that such a thing could happen? J
Seriously, suppose a term is undefined and you drew up a
definition for it while you were coming into compliance. You made sure that
everyone in your organization, who was involved with compliance with the
standard(s) in question, followed that definition in everything they did for
compliance, and you documented that fact.
Yet it doesn’t sit well with your auditor two or three
years later when you’re audited. He/she says “Your definition should say X. It
doesn’t say X.” You simply say to the auditor “Please point me to the
definition of this term in the NERC Glossary and show me that it says X.” Of
course, the auditor won’t be able to do that. However, this doesn’t mean you
can come up with some ridiculous definition that doesn’t make sense at all –
for example, you define a procurement as something that can occur only in years
evenly divisible by 10 (sounds great, right! You’ve just cut your procurement
risk assessment workload by nine tenths!). You can and should be called out for
this definition, since auditors are allowed to use judgment about what’s
reasonable and what’s not.
I will point out that I can’t guarantee you’ll never get a
Potential non-Compliance in a case where you have laid out a reasonable position
and the auditor disagrees with it, even though there is nothing in the
requirement or official definition to support his/her opinion. I know one
entity that received a PNC for one of the CIP-014 requirements because they
hadn’t installed anti-tank barriers (I kid you not!) to protect a
substation subject to CIP-014. They of course contested the PNC and I’m sure it
will be thrown out. And the auditor is no longer employed by that Region,
praise the Lord. But it’s ridiculous that they should have even had to go through
this process.
(Kevin’s reply to the above
comment)
As long as the entity implements
a definition that is commonly used in business, then they should be good. Most, if not all utilities have a purchasing
department with defined procedures. Even
municipal utilities rely on their municipality’s purchasing procedures. You should be able to build a reasonable
definition from that.
Makes sense to me!
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep
in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP
issues or challenges like what is discussed in this post – especially on
compliance with CIP-013. My offer of a free webinar on CIP-013, specifically
for your organization, remains open to NERC entities and vendors of hardware or
software components for BES Cyber Systems. To discuss this, you can email me at
the same address.
No comments:
Post a Comment