Note from Tom: If you’re only looking for today’s pandemic post, please go to my Pandemic Blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.
I’ll admit I haven’t read the Supplemental Material for CIP-013-1 in quite a while. When I did that today, I was surprised when I read what it says about Requirement R2 in the Rationale section:
The proposed requirement addresses Order No. 829 directives for entities to periodically reassess selected supply chain cyber security risk management controls (P. 46).

Entities perform periodic assessment to keep plans up-to-date and address current and emerging supply chain-related concerns and vulnerabilities. Examples of sources of information that the entity could consider include guidance or information issued by:
• NERC or the E-ISAC
• ICS-CERT
• Canadian Cyber Incident Response Centre (CCIRC)

Responsible Entities are not required to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders) when implementing an updated plan (i.e., the note in Requirement R2 applies to implementation of new plans and updated plans).
Meanwhile, R2 itself reads “R2. Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.” How does this jibe with the Rationale for R2, which is about periodically reviewing the plan, not implementing it?
It doesn’t jibe. The Supplemental Material for R2 is really about R3. There doesn’t seem to be anything in the Rationale about R2, since the first part is definitely all about R1. I’ll admit there’s not a lot that can be said about R2 in the Rationale (which I imagine has the status of Guidance, meaning the auditors are required to at least consider what it says), although I have said a lot about it in this blog, as well as to my clients, since I consider R2 the biggest area of compliance risk in CIP-013.
Of course, this mistake doesn’t affect the interpretation or auditing of the standard. Still, I can’t believe I’m the first one to notice it, since the wording of CIP-013-1 was finalized in 2017. It just goes to show that nobody reads the Supplemental Material.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!