Revised NERC CIP standards out for 45-day comment period
Just in time for the season, some light reading for your holiday travels. You have until January 5 to get your comments in regarding the first draft of the revised NERC cyber security standards. According to the NERC announcement, this set of revisions includes:
- Addressing the directives issued by FERC, in Order 706 relative to the approved Cyber Security Standards CIP-002-1 through CIP-009-1. Refer to http://www.ferc.gov/whats-new/comm-meet/2008/011708/E-2.pdf for the complete text of the final order. Specific requirements from the Order are identified in Attachment 2.
  - Emphasis on Order 706 directive for NERC to address revisions to the CIP standards considering applicable features of the NIST Security Risk Management Framework among other resources.
- Modifying the standards so they conform to the latest approved versions of the ERO Rules of Procedure as outlined in the Standard Review Guidelines identified in Attachment 1.
- Incorporating clarifications from the Interpretation of CIP-006-1 Requirement 1.1.
The best summary of the changes is on the first page of the electronic comment form.
The zipped download package includes a redline version for each of the requirements so you can easily see what has changed. I haven’t had time to read and digest it all but a quick glance will show that the “reasonable business judgment” and “acceptance of risk” language is no more.
Author: Jason Holcomb
Posted: November 24th, 2008 under NERC CIP, Standards & Orgs.
Comments: 3
Comments
Comment from Chris G
Time: November 25, 2008, 9:58 am
When is it expected the NOPR changes will be incorporated into the CIP standards … is there a timeline from NERC/FERC on when this might happen? THX!
Comment from Jason Holcomb
Time: November 25, 2008, 3:11 pm
Chris – Good question. I believe this first set of revisions addresses some of the FERC NOPR issues with further revisions to come. (e.g. the “reasonable business judgment” is something that was called out in the NOPR) I’m just a sideline observer, though, so maybe someone else can chime in on the details and time frames.
Comment from Michael Toecker
Time: November 26, 2008, 1:17 pm
Chris,
According to meeting notes and presentations from the NERC website, the Standard Development Team (SDT) is tackling the NOPR edits in three phases:
Phase 1: Editorial or “Must Do” items from the FERC NOPR. Scheduled to meet the July 1st, 2009 timeframe.
Phase 2: Determined to handle the majority of issues, designed to be sent to the commission in Oct 2010
Phase 3: Handle the unresolved complex and/or challenging issues from Phase 2. If there are no issues, there may not be a Phase 3
All of this information is available on the NERC website, in the “Standards Under Development” section.