Wednesday, August 26, 2020

The contract language bugaboo – Part I



If you're looking for my pandemic posts, go here.

Probably the biggest misconception about CIP-013 since it was drafted is that contract language has some sort of special place in compliance. I have heard a number of people, including people who work for NERC, one or two in high positions, say that the purpose of CIP-013 is mitigating supply chain cybersecurity risks through contract language – or something like that.

I’ve never believed that, but I’ve also never seriously investigated where the idea came from. However, since I’m now working on a book on CIP-013 compliance (and supply chain cybersecurity more generally), I decided to find out.

First, I asked whether there’s anything in the language of the requirements themselves that would lead to the conclusion that contracts have a special place. And here was my first surprise: Nowhere in the requirements is there any mention of contracts or contract negotiations in any way (I’m amazed that I never even noticed this before. After all, the entire text of the three CIP-013 requirements is about four sentences long).

However, there is a note to R2 (which isn’t part of the requirement but is part of the enforceable language, I’m sure):

Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.

Of course, far from requiring contract negotiations for CIP-013-1 compliance, the first sentence of this note explicitly states that renegotiating (or abrogating) existing contracts is not required. And the second sentence, by putting the actual terms and conditions of a procurement contract outside the scope of R2, effectively means that an auditor cannot require a NERC Entity to produce a contract as evidence. This leads to the conclusion that, if contracts were in some way required for CIP-013-1 compliance, that requirement could never be enforced, since the NERC Entity is not obligated to prove compliance by showing the contract.

Here's how I understand the role of contract language in CIP-013-1:

1.      A NERC entity will often determine that a Supplier or Vendor has unmitigated supply chain cybersecurity risks that could result in damage to the Bulk Electric System. Usually this determination is based on the Supplier's or Vendor's (I’ll say “Supplier” from now on, but I mean both) answers to a questionnaire that the entity provided to them.

2.      For example, one of the questions in the questionnaire I’ve developed with my clients is “Will we be provided with a complete inventory of accounts that exist in the product upon shipment to us?” This question is based on the risk stated as “A Supplier might create an account on a Product during development and not inform us of it.” If the Supplier answers No, this means there is a high likelihood that this risk is present in their products, so the risk is unmitigated (in my simple world, a risk is either mitigated – low likelihood – or unmitigated – high likelihood. I haven’t yet seen a good reason to go beyond that degree of granularity).

3.      Given that the Supplier has a high likelihood of having this risk present in their environment, the NERC entity (let’s say that’s you) should try to get them to do something about it. The mitigation for this risk is to get them to commit to providing that inventory whenever they ship a product. How will you do this?

4.      Of course, one way to get the Supplier to commit to doing something is to try to get them to agree to a term in their contract. But in a lot of cases there’s simply no option to use a contract. For example, the Supplier may have a five-year contract that is halfway through its term; they may make it clear they’re not at all interested in renegotiating the contract now.

5.      Do you just throw up your hands and say “Oh well, we tried”? No, there are other options, all of which are much less expensive than negotiating contract terms. Here’s an idea: Why don’t you pick up your phone and call the Supplier? Just ask them if they’ll do this.

6.      If they say no, and if there’s no current provision in their contract that would allow your lawyers to pressure them, at this point you might have to just go with plan B: Work out your own mitigation for the Risk in question. In the case of the Risk discussed above, one mitigation would be to make your own inventory of the accounts on each device you buy from them, after it arrives but before you install it.

7.      Of course, this might not be too emotionally satisfying, since you’d certainly be forgiven if you harbored the desire to really stick it to this Supplier for turning you down flat on what should be a fairly simple request. So you’ll bide your time until their contract is up for renewal, and make sure they agree to this term then.

8.      But what if you call them and they say yes? I would think that there would be very few Suppliers – except very large ones that won’t even talk to you – that wouldn’t do their best to accommodate your request.

9.      At that point, you don’t just say thanks and hang up. You need to ask them when they’ll start doing this. If they say they can’t implement the policy for three months, then mark that on your calendar – and call them back then to make sure they’ve done it.
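As an added example (not code from the original post, and not the author's own tooling), here is one way to make step 6's fallback mitigation repeatable: compare the accounts actually present on a newly received device against the inventory the Supplier declared, before the device goes into service. It assumes the device's account database can be exported in /etc/passwd format (common on Linux-based embedded products, but check your own device) and that the Supplier's declared inventory is a plain-text list with one account name per line. Both sample inputs below are constructed for the illustration.

```python
"""Compare accounts present on a received device with the Supplier's declared inventory.

Added illustration for this post, not the author's own tooling. Assumptions:
- the device's account database can be exported in /etc/passwd format
  (the sample below is constructed, not taken from any real product);
- the Supplier's inventory is a plain-text list, one account name per line.
"""
from dataclasses import dataclass

# Constructed sample: what an export from the device might look like.
DEVICE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_ui:x:1000:1000:Web UI service:/var/www:/usr/sbin/nologin
fieldeng:x:1001:1001:Field engineering:/home/fieldeng:/bin/sh
support:x:0:0:Vendor support:/home/support:/bin/sh
telemetry:x:1002:1002:Telemetry uploader:/var/lib/telemetry:/usr/sbin/nologin
"""

# Constructed sample: the inventory the Supplier says ships with the product.
SUPPLIER_INVENTORY = """\
# Accounts shipped with firmware 4.2 (constructed example)
root
daemon
svc_ui
backup
"""

# Shells that prevent interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str

    @property
    def interactive(self) -> bool:
        """True if the account can open an interactive session."""
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd-format lines into Account records; skips blanks and comments."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts.append(Account(name=fields[0], uid=int(fields[2]), shell=fields[6]))
    return accounts


def parse_inventory(text: str) -> set[str]:
    """Parse the Supplier's declared account list (one name per line, # comments)."""
    return {
        line.strip() for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def find_undeclared(device: list[Account], declared: set[str]) -> list[Account]:
    """Accounts present on the device that the Supplier did not declare."""
    return [a for a in device if a.name not in declared]


def find_missing(device: list[Account], declared: set[str]) -> set[str]:
    """Declared accounts that are not on the device: a sign the inventory is stale."""
    present = {a.name for a in device}
    return declared - present


def report(device_passwd: str, inventory: str) -> dict:
    """Build the comparison you would attach to the receiving record for the device."""
    device = parse_passwd(device_passwd)
    declared = parse_inventory(inventory)
    undeclared = find_undeclared(device, declared)
    return {
        "undeclared": [a.name for a in undeclared],
        # Undeclared accounts that can log in, or that are UID 0, need action before install.
        "high_risk": sorted(a.name for a in undeclared if a.interactive or a.uid == 0),
        "missing_from_device": sorted(find_missing(device, declared)),
    }


if __name__ == "__main__":
    for key, value in report(DEVICE_PASSWD, SUPPLIER_INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed samples the script flags "fieldeng" and "support" as undeclared accounts that can log in (and "support" is UID 0, so it is effectively a second root), lists "telemetry" as undeclared but non-interactive, and notes that the declared "backup" account is not actually on the device. Whether you disable the undeclared accounts, rename them, or accept them is your decision; the point of the script is that you are no longer relying on the Supplier's word for what shipped.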

The most important step of the ones above is the last one. This is because getting a Supplier to agree to do something – whether they agree in a contract term, on a phone call, in an email or in their own blood on an animal skin – doesn’t in itself mitigate any risk. It’s only when they actually do what they promised that the risk is mitigated. You always have to follow up with them to make sure they did what they promised, and if they say they haven’t done it yet but will in, say, another three months, you need to keep after them until they actually do it.

So contract language is simply one means of getting a Supplier or Vendor to agree to do something you would like them to do. In some cases and in some organizations, it might well be the best way of accomplishing that goal. In other cases and in other organizations, it’s not even an option (for instance, I know that in some federal government agencies, deviating from the standard contract in any way takes so much time and effort that it’s usually not even worth attempting). Whatever is the easiest and least expensive option for your organization is the best way to do it. Contract language doesn’t have any special status in CIP-013 compliance.

In part II of this post, I’ll describe what I realized when I looked into how this misperception came to be. You’ll be pleased to know that I identified the culprit.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Are you hot at work – or should be – on getting ready for CIP-013-1 compliance on October 1? Here is my summary of what you need to do between now and then.

