Probably the biggest misconception
about CIP-013 since it was drafted is that contract language has some sort of
special place in compliance. I have heard a number of people, including people
who work for NERC, one or two in high positions, say that the purpose of
CIP-013 is mitigating supply chain cybersecurity risks through contract
language – or something like that.
I’ve never believed that, but I’ve
also never seriously investigated where the idea came from. However, since I’m now
working on a book on CIP-013 compliance (and supply chain cybersecurity more
generally), I decided to find out.
First, I asked whether there’s
anything in the language of the requirements themselves that would lead to the
conclusion that contracts have a special place. And here was my first surprise:
Nowhere in the requirements is there any mention of contracts or contract
negotiations in any way (I’m amazed that I never even noticed this before.
After all, the entire text of the three CIP-013 requirements is about four
sentences long).
However, there is a note to R2
(which isn’t part of the requirement but is part of the enforceable language,
I’m sure):
Implementation of the plan does not require the Responsible
Entity to renegotiate or abrogate existing contracts (including amendments to
master agreements and purchase orders). Additionally, the following issues are
beyond the scope of Requirement R2: (1) the actual terms and conditions of a
procurement contract; and (2) vendor performance and adherence to a contract.
Of course, far from requiring
contract negotiations for CIP-013-1 compliance, the first sentence of the above
note explicitly states that contracts or contract negotiations are not
required for compliance. And the second sentence effectively states that
auditors are forbidden to require a NERC Entity to provide a contract as
evidence. This leads to the conclusion that, if contracts were in some way
required for CIP-013-1 compliance, that requirement would never be enforceable,
since the NERC Entity is not obligated to prove compliance by showing the
contract.
Here's how I understand the role
of contract language in CIP-013-1:
1. A NERC entity will often determine that a Supplier
or Vendor has unmitigated supply chain cybersecurity risks that could
result in damage to the Bulk Electric System. They will often determine this as
a result of the Supplier or Vendor’s (I’ll say “Supplier” from now on, but I
mean both) answers to a questionnaire that the entity provided to them.
2. For example, one of the questions in the
questionnaire I’ve developed with my clients is “Will we be provided with a
complete inventory of accounts that exist in the product upon shipment to us?”
This question is based on the risk stated as “A Supplier might create an
account on a Product during development and not inform us of it.” If the
Supplier answers No, this means there is a high likelihood that this risk is
present in their products, so the risk is unmitigated (in my simple world, a
risk is either mitigated – low likelihood – or unmitigated – high likelihood. I
haven’t yet seen a good reason to go beyond that degree of granularity).
3. Given that the Supplier has a high likelihood of
having this risk present in their environment, the NERC entity – let’s say
that’s you – should try to get them to do something about it. The mitigation
for this risk is to get them to commit to providing that inventory whenever
they ship a product. How will you do this?
4. Of course, one way to get the Supplier to commit
to doing something is to try to get them to agree to a term in their contract. But
in a lot of cases there’s simply no option for a contract. For example, the
Supplier may have a five-year contract that is halfway through its term; they may
make it clear they’re not at all interested in renegotiating the contract now.
5. Do you just throw up your hands and say “Oh
well, we tried”? No, there are other options, all of which are much less
expensive than negotiating contract terms. Here’s an idea: Why don’t you pick
up your phone and call the Supplier? Just ask them if they’ll do this.
6. If they say no, and if there’s no current
provision in their contract that would allow your lawyers to pressure them, at
this point you might have to just go with plan B: Work out your own mitigation
to the Risk in question. In the case of the Risk discussed above, one
mitigation would be to make your own inventory of the accounts on the device,
when you purchase another of their products but before you install it.
7. Of course, this might not be too emotionally
satisfying, since you’d certainly be forgiven if you harbored the desire to
really stick it to this Supplier for turning you down flat on what should be a
fairly simple request. So you’ll bide your time until their contract is up for
renewal, and make sure they agree to this term then.
8. But what if you call them and they say yes? I
would think that there would be very few Suppliers – except very large ones
that won’t even talk to you – that wouldn’t do their best to accommodate your
request.
9. At that point, you don’t just say thanks and
hang up. You need to ask them when they’ll start doing this. If they say they
can’t implement the policy for three months, then mark that on your calendar –
and call them back then to make sure they’ve done it.
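The plan-B mitigation in step 6 (build your own inventory of the accounts on a delivered device before installing it) can be made repeatable by comparing the device's account file against whatever inventory the Supplier did provide. The script below is an added example, not code from the original post; it assumes the device is Linux-based and exposes an /etc/passwd-style account file (the post names no operating system), and the vendor inventory and device contents are constructed sample data.

```python
from dataclasses import dataclass

# Shells that grant no interactive login: accounts using them are service
# accounts and are reported separately from login-capable ones.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str

def parse_passwd(text: str) -> list[Account]:
    """Parse /etc/passwd-style lines: name:x:uid:gid:gecos:home:shell."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts.append(Account(fields[0], int(fields[2]), fields[6]))
    return accounts

def undisclosed_accounts(device_passwd: str, vendor_inventory: set[str]) -> dict:
    """Accounts on the device the vendor never declared, split by login ability,
    plus declared accounts that are not actually present."""
    found = parse_passwd(device_passwd)
    missing = [a for a in found if a.name not in vendor_inventory]
    return {
        "login_capable": sorted(a.name for a in missing if a.shell not in NOLOGIN_SHELLS),
        "service_only": sorted(a.name for a in missing if a.shell in NOLOGIN_SHELLS),
        "declared_but_absent": sorted(vendor_inventory - {a.name for a in found}),
    }

# Constructed sample data (assumption: a Linux-based device): the vendor's
# declared inventory and the account file read from the delivered device.
VENDOR_INVENTORY = {"root", "admin", "daemon", "backup"}
DEVICE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Administrator:/home/admin:/bin/sh
devsupport:x:1001:1001:Dev Support:/home/devsupport:/bin/sh
ntp:x:102:102::/var/lib/ntp:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for key, names in undisclosed_accounts(DEVICE_PASSWD, VENDOR_INVENTORY).items():
        print(f"{key}: {names}")
```

Any name under "login_capable" is exactly the risk the questionnaire asks about: an account that exists on the product but that the Supplier never told you about.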
The most important step of the
ones above is the last one. This is because getting a Supplier to agree to do
something – whether they agree in a contract term, on a phone call, in an email
or in their own blood on an animal skin – doesn’t in itself mitigate any risk.
It’s only when they actually do what they promised that risk is mitigated. You
always have to follow up with them to make sure they did what they promised,
and if they say they haven’t done it yet but will in say another three months,
you need to keep after them until they actually do it.
So contract language is simply one
means of getting a Supplier or Vendor to agree to do something you would like
them to do. In some cases and in some organizations, it might well be the best
way of accomplishing that goal. In other cases and in other organizations, it’s
not even an option (for instance, I know that in some federal government
agencies, deviating from the standard contract in any way takes so much time
and effort that it’s usually not even worth attempting). Whatever is the
easiest and least expensive option for your organization is the best way to do
it. Contract language doesn’t have any special status in CIP-013 compliance.
In part II of this post, I’ll describe
what I realized when I looked into how this misperception came to be. You’ll be
pleased to know that I identified the culprit.
Any
opinions expressed in this blog post are strictly mine and are not necessarily
shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
Are
you hot at work – or should be – on getting ready for CIP-013-1 compliance on
October 1? Here is my summary of what you need to do between now and then.