Late last year, as the January 1, 2024 enforcement date approached for the two revised standards that “enable” BCSI in the cloud (for those not keeping score at home, BCSI means BES Cyber System Information; the two revised standards are CIP-004-7 and CIP-011-3), a panic set in among some groups within the NERC CIP compliance community.
Without going into a lot of detail, the panic came about because
certain NERC Regional Auditors and others became concerned that use of SaaS
applications would be verboten for NERC entities with high and/or medium
impact BES environments when the two revised standards took effect on January
1. This was ironic, since CIP-004-7 and CIP-011-3 were intended to remove a barrier
to use of SaaS that was caused by two words in two Requirement Parts in previous
versions of CIP-004: “storage locations”. Everyone was hoping that removal of
those words would finally lead to widespread usage of SaaS.
The cause of the new panic was the words “provisioned access”
in the new CIP-004-7 Requirement R6 Part 6.1, which I wrote about in this
post. The way those two words were used in Part 6.1 seemed to imply that a SaaS
provider would need to seek the NERC entity’s permission whenever the provider wanted
to authorize a new employee to load the entity’s BCSI into the application. In
fact, the provider would need to do this for every NERC entity that utilizes the SaaS
application – i.e., each NERC entity would have to specifically authorize each new
(or transferred) provider employee by name. This caused widespread dismay, since it
seemed unlikely that a SaaS provider would ever agree to do this.
Fortunately, a deus ex machina appeared from backstage
to make the problem go away. This came in the form of NERC’s approval, in late
December, of a paper called “Usage
of Cloud Solutions for BES Cyber System Information” as official
Implementation Guidance for the two revised CIP standards. On page 13 of that
document, in a discussion of compliance evidence for authorization of provisioned
access to BCSI by employees of a SaaS provider or CSP, these words appear: “…Documented
process for how CSP personnel provisioned access is authorized based on need,
whether authorized directly by the Responsible Entity or indirectly by a
contractual agreement with the CSP…” (my emphasis).
The contractual agreement referred to here is usually called
a delegation agreement by those like me who pretend they know something about
legal matters. The fact that this was “allowed” by the new Implementation
Guidance removed the dark cloud (no pun intended. Honestly) that hung over use
of SaaS by NERC entities – even though, as I noted in this
post, it doesn’t seem like most NERC entities with medium or high impact BES
environments have gotten over their previous reluctance to use SaaS.
In any case, it seems clear now that a NERC entity should be
able to delegate (with a written agreement, of course) to the SaaS provider the
authority to authorize provisioned access to their BCSI, if the SaaS provider
follows the entity’s policies for authorizing such access. The
delegation agreement will need to spell out specifically what those policies
are. The provider will have to follow the policies of each customer that is a
NERC entity, although there’s nothing to prevent the entities from
collaborating to make sure they require a common set of policies, rather than
each one requiring the provider to do something different.
What isn’t clear is whether the delegation agreement for
CIP-004-7 Requirement R6 Part 6.1 should also apply to Parts 6.2.1, 6.2.2, and
6.3. That seems to make sense, but the Implementation Guidance only mentions a
delegation agreement in connection with Part 6.1. You need to discuss with your Region whether they
interpret the statement regarding Part 6.1 to apply to Parts 6.2 and 6.3 as well. It’s also
possible that auditors will conclude that a delegation agreement, while needed for
compliance with Part 6.1, isn’t needed for compliance with Parts 6.2 and 6.3.
This means that a NERC entity with a high and/or medium
impact BES environment that wishes to use a SaaS application should make sure
it has a delegation agreement in place with the SaaS provider for CIP-004-7
Part 6.1 compliance. It is also possible that a delegation agreement will be needed
for compliance with CIP-011-3 Requirement R1 Part 1.2; whether it is will be
determined by the contents of the entity’s Information Protection Plan.
Since delegation agreements have not normally been needed
for NERC CIP compliance, why are they suddenly needed now that CIP-004-7
and CIP-011-3 came into effect last January?[i]
Until then, every CIP standard assumed that the NERC entity would
always exercise complete control over the systems subject to CIP compliance. Thus,
the need for a delegation agreement never even came up.
What does this mean for BES Cyber Systems (BCS), Electronic
Access Control or Monitoring Systems (EACMS), or Physical Access Control
Systems (PACS) in the cloud? Of course, since the new Standards Drafting Team that
will develop new or revised CIP standards is still being constituted, all we
can do is speculate now. But it seems to me that it’s likely that delegation
agreements will play an important role in whatever new “Cloud CIP” standards
emerge in a few years. You’d better get
used to them!
Are you a vendor of current or
future cloud-based services or software that would like to figure out an
appropriate strategy for selling to customers subject to NERC CIP compliance? Or
are you a NERC entity that is struggling to understand what your current
options are regarding cloud-based software and services? Please drop me an
email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] If
you have needed to have a delegation agreement previously for compliance with a
CIP requirement, please email me about that.