North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) – Standards for planning, operating, and securing North America’s Bulk Power System. Protects what the current standards call BES Cyber Systems (earlier CIP versions used the term “Critical Cyber Assets”).

There are 82 CIP Standards (domains): 11 are subject to enforcement and 71 are inactive. The 11 enforceable domains contain about 25 universes and hundreds of tests, subtests, and sub-subtests, all of which are publicly accessible and free.  The hard part is that each domain is published as its own PDF.  If you think you can do this without specific industry knowledge, you are wrong.  Even if you do have the background, the information is not all in one PDF.  It's no less of a commitment than the FFIEC Examination Handbook or HIPAA HITECH.  You're biting off a few years of your life.  

If you have the industry background but would like help normalizing NERC CIP to programs we already understand, such as the NIST frameworks and the CIS Critical Security Controls (CIS CSC), we are ready to help.   From a mapping perspective, here is the raw data, exposed so you can plan your own journey, along with two major resources for performing your own mapping.  If this is something you'd like to assign out, give us a call.  It's only a few days of consulting work and we'd be happy to do it.

EnterpriseGRC Solutions is prepared to map your NERC CIP effort to NIST SP 800-53 and various other relevant cybersecurity frameworks and standards.

-Mapping to NIST: https://pdfs.semanticscholar.org/8fd7/e6c2bb443481a42ca303f015e32e675282af.pdf

-Mapping to CIS CSC: https://www.sans.org/media/critical-security-controls/nerc-cip-mapping-sans20-csc.pdf

NERC CIP

BCSC-002.1 Implement a process that considers assets BCSC-002 BCSC-002.1

Each Responsible Entity shall implement a process that considers each of the  following assets for purposes of parts 1.1 through 1.3:  [Violation Risk Factor:  High][Time Horizon: Operations Planning]
i.Control Centers and backup Control Centers;
ii.Transmission stations and substations;
iii.Generation resources; 
iv.Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v.Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi.For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 of the standard.
Acceptable evidence includes, but is not limited to, dated electronic or physical lists required by Requirement BCSC-002.1, and parts 1.1 and 1.2.

BCSC-002.2 Review and approve identifications BCSC-002 BCSC-002.2

The Responsible Entity shall carry out the related parts (review of the BCSC-002.1 identifications, and approval of them by the CIP Senior Manager or delegate). [Violation Risk Factor: Lower] [Time Horizon: Operations Planning] Acceptable evidence includes, but is not limited to, electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated, where necessary, the identifications required in Requirement BCSC-002.1 and its parts, and has had its CIP Senior Manager or delegate approve the identifications required in Requirement 002.1 and its parts at least once every 15 calendar months, even if it has none identified in Requirement 002.1 and its parts, as required by Requirement 002.2.

SMC-003.1 Review and obtain CIP Senior Manager approval SMC-003 SMC-003.1

Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the related parts and their topics.
[Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior Manager for each cyber security policy.

SMC-003.2 Implement one or more cybersecurity plan(s) for low impact BES Cyber Systems SMC-003 SMC-003.2

Each Responsible Entity with at least one asset identified in BCSC-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the related tests. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Note: An inventory, list, or discrete identification of low impact BES Cyber Systems or their BES Cyber Assets is not required. Lists of authorized users are not required.
Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in the related tests and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are also located in the related tests.

SMC-003.3 Identify a CIP Senior Manager and document change SMC-003 SMC-003.3

Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]
An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager.

SMC-003.4 Implement a documented process to delegate authority SMC-003 SMC-003.4

The Responsible Entity shall implement a documented process to delegate authority unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager, and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items.
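The 15-calendar-month review clauses in BCSC-002.2 and SMC-003.1 and the 30-calendar-day documentation clauses in SMC-003.3 and SMC-003.4 are all date-window tests against dated evidence, and "calendar months" is not 30 times N days. The following Python checker is an added example written for this page; it is not EnterpriseGRC's or NERC's code. It assumes the common reading that an "at least once every N calendar months" window runs to the last day of the Nth calendar month after the month of the prior approval (so the day of month of the prior approval does not matter), while "within N calendar days" is a plain day count; confirm that interpretation with your Regional Entity before relying on it. The same day-count helper applies to the seven-day and 120-day clauses in PS-014.3 and PS-014.5. All approval and change dates in the block are constructed.

```python
# Added illustration for the dated-evidence windows in BCSC-002.2, SMC-003.1,
# SMC-003.3 and SMC-003.4. Not EnterpriseGRC or NERC code; the calendar-month
# interpretation below is an assumption, not a NERC ruling.
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


def calendar_months_deadline(last: date, months: int) -> date:
    """Last permissible date for the next occurrence of an 'at least once
    every N calendar months' task.

    Assumption: the window runs to the last day of the Nth calendar month
    after the month of the previous occurrence, so 20 Jan 2023 + 15 months
    gives 30 Apr 2024 regardless of the day of month.
    """
    offset = last.month - 1 + months          # months counted from January of last.year
    year = last.year + offset // 12
    month = offset % 12 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def calendar_days_deadline(event: date, days: int) -> date:
    """'Within N calendar days of the change' clauses are plain day counts."""
    return event + timedelta(days=days)


@dataclass(frozen=True)
class Finding:
    requirement: str
    due: date
    observed: Optional[date]   # None when the window closed with nothing recorded
    status: str                # "met", "late" or "missing"


def check_recurring(requirement: str, approvals: List[date],
                    months: int, as_of: date) -> List[Finding]:
    """Walk a dated approval history and grade every window it opened.

    Each approval opens a window that the next approval must close. The
    window opened by the most recent approval is reported as 'missing' once
    as_of has passed its deadline with no further approval recorded.
    """
    history = sorted(approvals)
    findings: List[Finding] = []
    for prev, nxt in zip(history, history[1:]):
        due = calendar_months_deadline(prev, months)
        findings.append(Finding(requirement, due, nxt,
                                "met" if nxt <= due else "late"))
    if history:
        due = calendar_months_deadline(history[-1], months)
        if as_of > due:
            findings.append(Finding(requirement, due, None, "missing"))
    return findings


def change_documented_in_time(change: date, documented: date,
                              days: int = 30) -> bool:
    """SMC-003.3 / SMC-003.4: the change must be documented within N calendar
    days of the change, and a record dated before the change does not count."""
    return change <= documented <= calendar_days_deadline(change, days)


if __name__ == "__main__":
    # Constructed evidence dates, not real audit data.
    history = [date(2022, 3, 15), date(2023, 6, 30), date(2024, 10, 1)]
    for f in check_recurring("BCSC-002.2", history, 15, date(2025, 1, 1)):
        print(f"{f.requirement}: due {f.due}, observed {f.observed}: {f.status}")
    # 30-calendar-day test for a CIP Senior Manager change (SMC-003.3);
    # 2024 is a leap year, so 31 Jan + 30 days lands on 1 Mar.
    print(change_documented_in_time(date(2024, 1, 31), date(2024, 3, 1)))   # True
    print(change_documented_in_time(date(2024, 1, 31), date(2024, 3, 2)))   # False
```

Run against an exported approval log, the second window in the constructed history (opened 30 June 2023, closed 1 October 2024) is graded late because the deadline under the stated assumption was 30 September 2024; a "15 times 30 days" rule would have passed it.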

PT-004.1 Implement one or more documented processes that include requirement parts from the Security Awareness Program PT-004 PT-004.1

Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts of Security Awareness Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of Security Awareness Program and additional evidence to demonstrate implementation as described in the Measures section.

PT-004.2 Implement one or more cyber security training program(s) PT-004 PT-004.2

Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts of Cyber Security Training Program. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning]
Evidence must include the training program that includes each of the applicable requirement parts of Cyber Security Training Program and additional evidence to demonstrate implementation of the program(s).

PT-004.3 Implement one or more documented personnel risk assessment program(s) PT-004 PT-004.3

Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts of Personnel Risk Assessment Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].
Evidence must include the documented personnel risk assessment programs that collectively include each of the applicable requirement parts of Personnel Risk Assessment Program and additional evidence to demonstrate implementation of the program(s).

PT-004.4 Implement one or more documented access management program(s) PT-004 PT-004.4

Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable requirement parts of Access Management Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].
Evidence must include the documented processes that collectively include each of the applicable requirement parts of Access Management Program and additional evidence to demonstrate that the access management program was implemented as described in the Measures section.

PT-004.5 Implement one or more documented access revocation program(s) PT-004 PT-004.5

Each Responsible Entity shall implement one or more documented access revocation program(s) that collectively include each of the applicable requirement parts of Access Revocation. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Planning].
Evidence must include each of the applicable documented programs that collectively include each of the applicable requirement parts of Access Revocation and additional evidence to demonstrate implementation as described in the Measures section.

ESP-005.1 Implement one or more documented processes for Electronic Security Perimeter ESP-005 ESP-005.1

Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts of Electronic Security Perimeter. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of Electronic Security Perimeter and additional evidence to demonstrate implementation as described in the Measures section.

ESP-005.2 Implement one or more documented processes for Interactive Remote Access Management ESP-005 ESP-005.2

Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in Interactive Remote Access Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operations].
Evidence must include the documented processes that collectively address each of the applicable requirement parts of Interactive Remote Access Management and additional evidence to demonstrate implementation as described in the Measures section.

PSBCS-006.1 Implement one or more documented physical security plan(s) PSBCS-006 PSBCS-006.1

Each Responsible Entity shall implement one or more documented physical security plan(s) that collectively include all of the applicable requirement parts of Physical Security Plan. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning and Same Day Operations].
Evidence must include each of the documented physical security plans that collectively include all of the applicable requirement parts of Physical Security Plan and additional evidence to demonstrate implementation of the plan or plans as described in the Measures section.

PSBCS-006.2 Implement one or more documented visitor control program(s) PSBCS-006 PSBCS-006.2

Each Responsible Entity shall implement one or more documented visitor control program(s) that include each of the applicable requirement parts of Visitor Control Program. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations].
Evidence must include one or more documented visitor control programs that collectively include each of the applicable requirement parts of Visitor Control Program and additional evidence to demonstrate implementation as described in the Measures section.

PSBCS-006.3 Implement one or more documented Physical Access Control System maintenance and testing program(s) PSBCS-006 PSBCS-006.3

Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing program(s) that collectively include each of the applicable requirement parts of Physical Access Control System Maintenance and Testing Program. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning].
Evidence must include each of the documented Physical Access Control System maintenance and testing programs that collectively include each of the applicable requirement parts of Physical Access Control System Maintenance and Testing Program and additional evidence to demonstrate implementation as described in the Measures section.

SSM-007.1 Implement one or more documented process(es) for Ports and Services SSM-007 SSM-007.1

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Ports and Services. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations].
Evidence must include the documented processes that collectively include each of the applicable requirement parts of Ports and Services and additional evidence to demonstrate implementation as described in the Measures section.

SSM-007.2 Implement one or more documented process(es) for Security Patch Management SSM-007 SSM-007.2

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Security Patch Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of Security Patch Management and additional evidence to demonstrate implementation as described in the Measures section.

SSM-007.3 Implement one or more documented process(es) for Malicious Code Prevention SSM-007 SSM-007.3

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Malicious Code Prevention. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations].
Evidence must include each of the documented processes that collectively include each of the applicable requirement parts of Malicious Code Prevention and additional evidence to demonstrate implementation as described in the Measures section.

SSM-007.4 Implement one or more documented process(es) for Security Event Monitoring SSM-007 SSM-007.4

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Security Event Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment].
Evidence must include each of the documented processes that collectively include each of the applicable requirement parts of Security Event Monitoring and additional evidence to demonstrate implementation as described in the Measures section.

SSM-007.5 Implement one or more documented process(es) for System Access Control SSM-007 SSM-007.5

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of System Access Controls and additional evidence to demonstrate implementation as described in the Measures section.

IRRP-008.1 Document one or more Cyber Security Incident response plan(s) IRRP-008 IRRP-008.1

Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts of Cyber Security Incident Response Plan Specifications. [Violation Risk Factor: Lower] [Time Horizon: Long Term Planning].
Evidence must include each of the documented plan(s) that collectively include each of the applicable requirement parts of Cyber Security Incident Response Plan Specifications.

IRRP-008.2 Implement each of the documented Cyber Security Incident response plans IRRP-008 IRRP-008.2

Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts of Cyber Security Incident Response Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-Time Operations].
Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of the applicable requirement parts of Cyber Security Incident Response Plan Implementation and Testing.

IRRP-008.3 Maintain each of the Cyber Security Incident response plans IRRP-008 IRRP-008.3

Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts of Cyber Security Incident Response Plan Review, Update, and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment].
Evidence must include, but is not limited to, documentation that collectively demonstrates maintenance of each Cyber Security Incident response plan according to the applicable requirement parts of Cyber Security Incident Response Plan Review, Update, and Communication.

RPBCS-009.1 Have one or more documented recovery plan(s) RPBCS-009 RPBCS-009.1

Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable requirement parts of Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning].
Evidence must include the documented recovery plan(s) that collectively include the applicable requirement parts of Recovery Plan Specifications.

RPBCS-009.2 Implement the documented recovery plan(s) RPBCS-009 RPBCS-009.2

Each Responsible Entity shall implement its documented recovery plan(s) to collectively include each of the applicable requirement parts of Recovery Plan Implementation and Testing. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning and Real-time Operations].
Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of the applicable requirement parts of Recovery Plan Implementation and Testing.

RPBCS-009.3 Maintain each of the recovery plan(s) RPBCS-009 RPBCS-009.3

Each Responsible Entity shall maintain each of its recovery plan(s) in accordance with each of the applicable requirement parts of Recovery Plan Review, Update and Communication. [Violation Risk Factor: Lower] [Time Horizon: Operations Assessment].
Acceptable evidence includes, but is not limited to, each of the applicable requirement parts of Recovery Plan Review, Update and Communication.

CCC-010.1 Implement one or more documented process(es) for Configuration Change Management CCC-010 CCC-010.1

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures section.

CCC-010.2 Implement one or more documented process(es) for Configuration Monitoring CCC-010 CCC-010.2

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Configuration Monitoring. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of Configuration Monitoring and additional evidence to demonstrate implementation as described in the Measures section.

CCC-010.3 Implement one or more documented process(es) for Vulnerability Assessments CCC-010 CCC-010.3

Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts of Vulnerability Assessments. [Violation Risk Factor: Medium] [Time Horizon: Long-term Planning and Operations Planning]
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of Vulnerability Assessments and additional evidence to demonstrate implementation as described in the Measures section.

CCC-010.4 Implement one or more documented plan(s) for Transient Cyber Assets and Removable Media CCC-010 CCC-010.4

Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media that include the sections of Plans for Transient Cyber Assets and Removable Media. [Violation Risk Factor: Medium] [Time Horizon: Long-term Planning and Operations Planning]
Evidence shall include each of the documented plan(s) for Transient Cyber Assets and Removable Media that collectively include each of the applicable sections of Plans for Transient Cyber Assets and Removable Media and additional evidence to demonstrate implementation of plan(s) for Transient Cyber Assets and Removable Media. Additional examples of evidence per section are also part of Plans for Transient Cyber Assets and Removable Media. If a Responsible Entity does not use Transient Cyber Asset(s) or Removable Media, examples of evidence include, but are not limited to, a statement, policy, or other document that states the Responsible Entity does not use Transient Cyber Asset(s) or Removable Media.

IP-011.1 Implement one or more documented information protection program(s) IP-011 IP-011.1

Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts of Information Protection. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].
Evidence for the information protection program must include the applicable requirement parts of Information Protection and additional evidence to demonstrate implementation as described in the Measures section.

IP-011.2 Implement one or more documented process(es) for BES Cyber Asset Reuse and Disposal IP-011 IP-011.2

Each Responsible Entity shall implement one or more documented process(es) that collectively include the applicable requirement parts of BES Cyber Asset Reuse and Disposal. [Violation Risk Factor: Lower] [Time Horizon: Operations Planning].
Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts of BES Cyber Asset Reuse and Disposal and additional evidence to demonstrate implementation as described in the Measures section.

PS-014.1 Perform an initial risk assessment and subsequent risk assessments of Transmission stations and Transmission substations PS-014 PS-014.1

Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection. [VRF: High; Time-Horizon: Long-term Planning]
Examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation of the risk assessment of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria in Applicability Section 4.1.1 as specified in Requirement 014.1. Additionally, examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation of the identification of the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement 014.1 risk assessment as specified in Requirement 014.1, Part 1.2.

PS-014.2 Have an unaffiliated third party verify the risk assessment PS-014 PS-014.2

Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirement 014.1. The verification may occur concurrent with or after the risk assessment performed under Requirement 014.1. [VRF: Medium; Time-Horizon: Long-term Planning]
Examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation that the Transmission Owner completed an unaffiliated third party verification of the Requirement 014.1 risk assessment and satisfied all of the applicable provisions of Requirement 014.2, including, if applicable, documenting the technical basis for not modifying the Requirement 014.1 identification as specified under Part 2.3. Additionally, examples of evidence may include, but are not limited to, written or electronic documentation of procedures to protect information under Part 2.4.

PS-014.3 Notify the Transmission Operator regarding the identification and the date of completion of Requirement 014.2 PS-014 PS-014.3

For a primary control center(s) identified by the Transmission Owner according to Requirement 014.1, Part 1.2 that a) operationally controls an identified Transmission station or Transmission substation verified according to Requirement 014.2, and b) is not under the operational control of the Transmission Owner: the Transmission Owner shall, within seven calendar days following completion of Requirement 014.2, notify the Transmission Operator that has operational control of the primary control center of such identification and the date of completion of Requirement 014.2. [VRF: Lower; Time-Horizon: Long-term Planning]
Examples of acceptable evidence may include, but are not limited to, dated written or electronic notifications or communications that the Transmission Owner notified each Transmission Operator, as applicable, according to Requirement 014.3.

PS-014.4 Conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each Transmission station(s), Transmission substation(s), and primary control center(s) PS-014 PS-014.4

Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary control center in Requirement 014.1 and verified according to Requirement 014.2, and each Transmission Operator notified by a Transmission Owner according to Requirement 014.3, shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in Requirement 014.1 and verified according to Requirement 014.2. The evaluation shall consider the related parts. [VRF: Medium; Time-Horizon: Operations Planning, Long-term Planning]
Examples of evidence may include, but are not limited to, dated written or electronic documentation that the Transmission Owner or Transmission Operator conducted an evaluation of the potential threats and vulnerabilities of a physical attack to their respective Transmission station(s), Transmission substation(s) and primary control center(s) as specified in Requirement 014.4.

PS-014.5 Develop and implement a documented physical security plan(s) of each Transmission station(s), Transmission substation(s), and primary control center(s) PS-014 PS-014.5

Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement 014.1 and verified according to Requirement 014.2, and each Transmission Operator notified by a Transmission Owner according to Requirement 014.3, shall develop and implement a documented physical security plan(s) that covers their respective Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of Requirement 014.2 and executed according to the timeline specified in the physical security plan(s). The physical security plan(s) shall include the related parts. [VRF: High; Time Horizon: Long-term Planning]
Examples of evidence may include, but are not limited to, dated written or electronic documentation of its physical security plan(s) that covers their respective identified and verified Transmission station(s), Transmission substation(s), and primary control center(s) as specified in Requirement 014.5, and additional evidence demonstrating execution of the physical security plan according to the timeline specified in the physical security plan.

PS-014.6 Have an unaffiliated third party review the evaluation of Requirement 014.4 and the security plan(s) developed under Requirement 014.5 PS-014 PS-014.6

Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement 014.1 and verified according to Requirement 014.2, and each Transmission Operator notified by a Transmission Owner according to Requirement 014.3, shall have an unaffiliated third party review the evaluation performed under Requirement 014.4 and the security plan(s) developed under Requirement 014.5. The review may occur concurrently with or after completion of the evaluation performed under Requirement 014.4 and the security plan development under Requirement 014.5. [VRF: Medium; Time-Horizon: Long-term Planning]
Examples of evidence may include, but are not limited to, written or electronic documentation that the Transmission Owner or Transmission Operator had an unaffiliated third party review the evaluation performed under Requirement 014.4 and the security plan(s) developed under Requirement 014.5 as specified in Requirement 014.6 including, if applicable, documenting the reasons for not modifying the evaluation or security plan(s) in accordance with a recommendation under Part 6.3. Additionally, examples of evidence may include, but are not limited to, written or electronic documentation of procedures to protect information under Part 6.4.