Use This NERC CIP v6 Standards Summary to Stay Compliant
Thanks to FERC’s Order 822, the North American Electric Reliability Corporation’s critical infrastructure protection standards, known as NERC CIP, are continually updated. Seven updated standards proposed by NERC for inclusion have now been accepted.
April 1st, 2016, was the compliance deadline for the NERC CIP v5 requirements. Most of the newly approved standards had a compliance date of July 1st, 2016 (“the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority”), with notable exceptions called out in Order 822 itself.
My objective here is to talk meaningfully about the changes in the CIP v6 standards themselves. There are seven newly approved standards to consider.
Staying Up to Date with NERC CIP Standards
The changes for CIP-004-6, CIP-007-6, CIP-009-6 and CIP-011-2 primarily revolve around two consistent items. First, NERC eliminated a specific bit of language: “ … in a manner that identifies, assesses, and corrects deficiencies.”
This language appeared in a number of the CIP requirements, but FERC determined in Order 791 that the language “is too vague to be audited.”
The second change is updating guidance to specifically include Transient Cyber Assets and Removable Media. CIP-004-6 and CIP-011-2 include specific additions to add these devices to the existing requirements. The actual requirements for managing and securing transient assets and removable media are addressed in CIP-010-2, but we’ll get to that.
I asked one of our NERC Alliance Network partners specializing in CIP training about how the changes in CIP-004 will affect registered entities. Nick Santora, from the security awareness training company Curricula, recommends that organizations get their training in place as early as possible. “Otherwise, you will need to perform and demonstrate training for your entire staff, contractors, vendors, etc… [without enough time
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tim Erlin. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/nerc-cip/hello-there-nerc-cipv6/