NERC Extends the Formal Comment period for Reliability Standard CIP-003-X – Cyber Security —” Security Management Controls”
SPP Recent Meeting Materials Published RE: FERC Order 881
March 13, 2022China cyber attacks on U.S. state governments
March 13, 2022
Summary:
The 45-day formal comment period for reliability standard CIP-003-X - Cyber Security — Security Management Controls has been extended and is now open through 8 p.m. (Eastern), Friday, April 15, 2022. An additional ballot for the standard and a non-binding poll of the associated Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) will be conducted April 6-15, 2022 . This project will address the NERC Board resolution adopted at its February 2020 to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary. Project 2016-02 (Virtualization) and Project 2020-03 (Supply Chain) are both making modifications to CIP-003. The Supply Chain team is using “-X" in place of the version number, and Virtualization used “-Y." The actual version number will be assigned upon adoption by the NERC Board of Trustees.
Additional Discussion:
In its final report accepted by the NERC Board in May 2019, NERC documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards and recommended actions to address those risks. NERC staff recommended further study to determine whether new information supports modifying the standards to include low impact BES Cyber Systems with external connectivity by issuing a request for data or information pursuant to Section 1600 of the NERC Rules of Procedure.
The Board approved the formal issuance of this data request on August 15, 2019. NERC collected the data from August 19 through October 3, 2019. A final report, Supply Chain Risk Management, was published in December 2019. The report recommended the modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity. Further, industry feedback was received regarding this recommendation at the February 2020 NERC Board meeting.
After considering policy input, the NERC Board adopted a resolution to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.
Standard(s) Affected:
Commenting Link:
Associated Files:
