Filing to Canada Energy Regulator by the NERC Regarding Revisions to NERC Rules of Procedure
Canada Energy Regulator Filing of CIP-014 Evidence Retention Change
March 4, 2022Cyberattack on Nvidia results in data leak, credential theft
March 4, 2022
Summary:
The North American Electric Reliability Corporation (“NERC”) submitted this filing providing notice of revisions to the NERC Rules of Procedure (“ROP”) related to the Compliance Monitoring and Enforcement Program (“CMEP”), the Personnel Certification and Credential Maintenance Program, and the Training and Education Program. NERC proposed revisions to Sections 400 and 1500 and Appendices 2 and 4C related to the CMEP to enhance the ERO Enterprise’s risk-based approach to compliance monitoring and enforcement and to update and clarify the ROP.
Additional Discussion:
Overview:
Among the most significant proposed revisions to the CMEP, the ERO Enterprise proposes to refine several rules related to compliance monitoring, especially Compliance Audits. These changes are intended to move away from a more arbitrary, time-based approach to monitoring that at times prevents the ERO Enterprise from prioritizing activities based on risk. The changes provide a better way to balance the ERO Enterprise’s flexibility to monitor risk on a more real-time basis while still providing registered entities with enough time to prepare for monitoring activities. The changes include:
- Tailoring Compliance Audits of Reliability Coordinators, Balancing Authorities, and Transmission Operators based on reliability and security risks;
- Providing registered entities with at least 270 days’ notice of an upcoming Compliance Audit, in lieu of an Annual Audit Plan, with the detailed notice at least 90 days prior to the Compliance Audit;
- Focusing registered entity evidence retention requirements on current and future-looking reliability and security;
- Posting summary results of Compliance Audits instead of public versions of Compliance Audit reports; and
- Eliminating the posting of an annual Self-Certification schedule in favor of Self-Certifications tailored and scheduled according to specific risks. Registered entities would receive at least 60 days’ notice of an upcoming Self-Certification.
The ERO Enterprise also proposes to increase the efficiency of resolving minimal risk noncompliance. The increased efficiency is crucial to allow both the ERO Enterprise and industry to allocate resources to significant risks while maintaining visibility into emerging risks and trends. The proposed revisions build upon many years of successful implementation of prior streamlining efforts. Specifically, the ERO Enterprise proposes to:
- Exempt properly self-logged items from the Preliminary Screen and subsequent reporting and disposition processes; and
- Adopt a process for reviewing Compliance Exception determinations by exception, instead of the monthly process of submission and duplicative review of all Compliance Exceptions by the Compliance Enforcement Authority (“CEA”), NERC, and then FERC. NERC and FERC would have the opportunity to review the determinations (by periodic sampling) to evaluate the noncompliance’s minimal risk assessment and resolution as a Compliance Exception.
Associated Files:
