NERC CIP V7 Standards and Requirements Flashcards

CIP-002-5.1

BES Cyber System Categorization

CIP-002 R1

Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
- Control Centers and backup Control Centers;
- Transmission stations and substations;
- Generation resources;
- Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
- Special Protection Systems that support the reliable operation of the Bulk Electric System; and
- For Distribution Providers

CIP-002 R1.1

Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;

CIP-002 R1.2

Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset;

CIP-002 R1.3

Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).

CIP-002 R2.1

Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1.

CIP-002 R2.2

Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

CIP-003-7

Security Management Controls

CIP-003 R1

Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:

CIP-003 R2

Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.

CIP-003 R3

Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.

CIP-003 R4

The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.

CIP-003 Attachment 1 Section 2

Lows Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.

CIP-003 Attachment 1 Section 3

Lows Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
- between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
- using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and
- not used for time-sensitive protection or control functions between intelligent electronic devices (e.g., communications using protocol IEC TR-61850-90-5 R-GOOSE).
3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.

CIP-003 Attachment 1 Section 1

Lows Cyber Security Awareness: Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).

CIP-003 Attachment 1 Section 4

Lows Cyber Security Incident Response: Each Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals;
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by: (1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber Security Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident.

CIP-003 Attachment 1 Section 5

Lows Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media. The plan(s) shall include:
5.1 For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the use of one or a combination of the following in an ongoing or on-demand manner (per Transient Cyber Asset capability):
• Antivirus software, including manual or managed updates of signatures or patterns;
• Application whitelisting; or
• Other method(s) to mitigate the introduction of malicious code.
5.2 For Transient Cyber Asset(s) managed by a party other than the Responsible Entity, if any, the use of one or a combination of the following prior to connecting the Transient Cyber Asset to a low impact BES Cyber System (per Transient Cyber Asset capability):
• Review of antivirus update level;
• Review of antivirus update process used by the party;
• Review of application whitelisting used by the party;
• Review use of live operating system and software executable only from read-only media;
• Review of system hardening used by the party; or
• Other method(s) to mitigate the introduction of malicious code.
5.3 For Removable Media, the use of each of the following:
5.3.1 Method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System; and
5.3.2 Mitigation of the threat of detected malicious code on the Removable Media prior to connecting Removable Media to a low impact BES Cyber System.

CIP-004-6

Personnel and Training

CIP-004 R2.2

Require completion of the training specified in Part 2.1 prior to granting authorized electronic access and authorized unescorted physical access to applicable Cyber Assets, except during CIP Exceptional Circumstances.

CIP-004 R2.3

Require completion of the training specified in Part 2.1 at least once every 15 calendar months.

CIP-004 R1

Security Awareness Program: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-004-6 Table R1 - Security Awareness Program.

CIP-004 R2

Cyber Security Training Program: Each Responsible Entity shall implement one or more cyber security training program(s) appropriate to individual roles, functions, or responsibilities that collectively includes each of the applicable requirement parts in CIP-004-6 Table R2 - Cyber Security Training Program.

CIP-004 R3

Personnel Risk Assessment Program: Each Responsible Entity shall implement one or more documented personnel risk assessment program(s) to attain and retain authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively include each of the applicable requirement parts in CIP-004-6 Table R3 - Personnel Risk Assessment Program.

CIP-004 R4

Access Management Program: Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R4 - Access Management Program.

CIP-004 R5

Access Revocation: Each Responsible Entity shall implement one or more documented access revocation program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R5 - Access Revocation.

CIP-004 R1.1

Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include associated physical security practices) for the Responsible Entity's personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

CIP-004 R2.1

Training content on:
2.1.1. Cyber security policies;
2.1.2. Physical access controls;
2.1.3. Electronic access controls;
2.1.4. The visitor control program;
2.1.5. Handling of BES Cyber System Information and its storage;
2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity's incident response plan;
2.1.7. Recovery plans for BES Cyber Systems;
2.1.8. Response to Cyber Security Incidents; and
2.1.9. Cyber security risks associated with a BES Cyber System's electronic interconnectivity and interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media.

CIP-004 R3.1

Process to confirm identity.

CIP-004 R3.2

Process to perform a seven year criminal history records check as part of each personnel risk assessment that includes:
3.2.1. current residence, regardless of duration; and
3.2.2. other locations where, during the seven years immediately prior to the date of the criminal history records check, the subject has resided for six consecutive months or more.
If it is not possible to perform a full seven year criminal history records check, conduct as much of the seven year criminal history records check as possible and document the reason the full seven year criminal history records check could not be performed.

CIP-004 R3.4

Criteria or process for verifying that personnel risk assessments performed for contractors or service vendors are conducted according to Parts 3.1 through 3.3.

CIP-004 R3.3

Criteria or process to evaluate criminal history records checks for authorizing access.

CIP-004 R3.5

Process to ensure that individuals with authorized electronic or authorized unescorted physical access have had a personnel risk assessment completed according to Parts 3.1 to 3.4 within the last seven years.

CIP-004 R4.1

Process to authorize based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances:
4.1.1. Electronic access;
4.1.2. Unescorted physical access into a Physical Security Perimeter; and
4.1.3. Access to designated storage locations, whether physical or electronic, for BES Cyber System Information.

CIP-004 R4.2

Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical access have authorization records.

CIP-004 R4.3

For electronic access, verify at least once every 15 calendar months that all user accounts, user account groups, or user role categories, and their specific, associated privileges are correct and are those that the Responsible Entity determines are necessary.

CIP-004 R4.4

Verify at least once every 15 calendar months that access to the designated storage locations for BES Cyber System Information, whether physical or electronic, are correct and are those that the Responsible Entity determines are necessary for performing assigned work functions.

CIP-004 R5.5

For termination actions, change passwords for shared account(s) known to the user within 30 calendar days of the termination action. For reassignments or transfers, change passwords for shared account(s) known to the user within 30 calendar days following the date that the Responsible Entity determines that the individual no longer requires retention of that access. If the Responsible Entity determines and documents that extenuating operating circumstances require a longer time period, change the password(s) within 10 calendar days following the end of the operating circumstances.

CIP-004 R5.1

A process to initiate removal of an individual's ability for unescorted physical access and Interactive Remote Access upon a termination action, and complete the removals within 24 hours of the termination action (Removal of the ability for access may be different than deletion, disabling, revocation, or removal of all access rights).

CIP-004 R5.2

For reassignments or transfers, revoke the individual's authorized electronic access to individual accounts and authorized unescorted physical access that the Responsible Entity determines are not necessary by the end of the next calendar day following the date that the Responsible Entity determines that the individual no longer requires retention of that access.

CIP-004 R5.3

For termination actions, revoke the individual's access to the designated storage locations for BES Cyber System Information, whether physical or electronic (unless already revoked according to Requirement R5.1), by the end of the next calendar day following the effective date of the termination action.

CIP-004 R5.4

For termination actions, revoke the individual's non-shared user accounts (unless already revoked according to Parts 5.1 or 5.3) within 30 calendar days of the effective date of the termination action.

CIP-005-5

Electronic Security Perimeter

CIP-005 R1

Electronic Security Perimeter: Each Responsible Entity shall implement one or more documented processes that collectively include each of the applicable requirement parts in CIP-005-5 Table R1 - Electronic Security Perimeter.

CIP-005 R2

Interactive Remote Access Management: Each Responsible Entity allowing Interactive Remote Access to BES Cyber Systems shall implement one or more documented processes that collectively include the applicable requirement parts, where technically feasible, in CIP-005-5 Table R2 - Interactive Remote Access Management.

CIP-005 R1.1

All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.

CIP-005 R1.2

All External Routable Connectivity must be through an identified Electronic Access Point (EAP).

CIP-005 R1.3

Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.

CIP-005 R1.4

Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.

CIP-005 R1.5

Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

CIP-005 R2.1

Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

CIP-005 R2.2

For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.

CIP-005 R2.3

Require multi-factor authentication for all Interactive Remote Access sessions.

CIP-006-6

Physical Security of BES Cyber Systems

CIP-006 R1

Physical Security Plan: Each Responsible Entity shall implement one or more documented physical security plan(s) that collectively include all of the applicable requirement parts in CIP-006-6 Table R1 - Physical Security Plan.

CIP-006 R2

Visitor Control Program: Each Responsible Entity shall implement one or more documented visitor control program(s) that include each of the applicable requirement parts in CIP-006-6 Table R2 - Visitor Control Program.

CIP-006 R3

Physical Access Control System Maintenance and Testing Program: Each Responsible Entity shall implement one or more documented Physical Access Control System maintenance and testing program(s) that collectively include each of the applicable requirement parts in CIP-006-6 Table R3 - Maintenance and Testing Program.

CIP-006 R1.1

Define operational or procedural controls to restrict physical access.

CIP-006 R1.2

Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.

CIP-006 R1.3

Where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.

CIP-006 R1.4

Monitor for unauthorized access through a physical access point into a Physical Security Perimeter.

CIP-006 R1.5

Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection.

CIP-006 R1.6

Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System.

CIP-006 R1.7

Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.

CIP-006 R1.8

Log (through automated means or by personnel who control entry) entry of each individual with authorized unescorted physical access into each Physical Security Perimeter, with information to identify the individual and date and time of entry.

CIP-006 R1.9

Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days.

CIP-006 R1.10

Restrict physical access to cabling and other nonprogrammable communication components used for connection between applicable Cyber Assets within the same Electronic Security Perimeter in those instances when such cabling and components are located outside of a Physical Security Perimeter. Where physical access restrictions to such cabling and components are not implemented, the Responsible Entity shall document and implement one or more of the following:
- encryption of data that transits such cabling and components; or
- monitoring the status of the communication link composed of such cabling and components and issuing an alarm or alert in response to detected communication failures to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection; or
- an equally effective logical protection.

CIP-006 R2.1

Require continuous escorted access of visitors (individuals who are provided access but are not authorized for unescorted physical access) within each Physical Security Perimeter, except during CIP Exceptional Circumstances.

CIP-006 R2.2

Require manual or automated logging of visitor entry into and exit from the Physical Security Perimeter that includes date and time of the initial entry and last exit, the visitor's name, and the name of an individual point of contact responsible for the visitor, except during CIP Exceptional Circumstances.

CIP-006 R2.3

Retain visitor logs for at least ninety calendar days.

CIP-006 R3.1

Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly.

CIP-007-6

Systems Security Management

CIP-007 R1

Ports & Services: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R1 - Ports and Services.

CIP-007 R2

Security Patch Management: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R2 - Security Patch Management.

CIP-007 R3

Malicious Code Prevention: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R3 - Malicious Code Prevention.

CIP-007 R4

Security Event Monitoring: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R4 - Security Event Monitoring.

CIP-007 R5

System Access Controls: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R5 - System Access Controls.

CIP-007 R1.1

Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

CIP-007 R1.2

Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or Removable Media.

CIP-007 R2.1

A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

CIP-007 R2.2

At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.

CIP-007 R2.3

For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

CIP-007 R2.4

For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.

CIP-007 R3.1

Deploy method(s) to deter, detect, or prevent malicious code.

CIP-007 R3.2

Mitigate the threat of detected malicious code.

CIP-007 R3.3

For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.

CIP-007 R4.1

Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.

CIP-007 R4.2

Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.

CIP-007 R4.3

Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.

CIP-007 R4.4

Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.

CIP-007 R5.1

Have a method(s) to enforce authentication of interactive user access, where technically feasible.

CIP-007 R5.2

Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).

CIP-007 R5.3

Identify individuals who have authorized access to shared accounts.

CIP-007 R5.4

Change known default passwords, per Cyber Asset capability.

CIP-007 R5.5

For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

CIP-007 R5.6

Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.

CIP-007 R5.7

Where technically feasible, either:
- Limit the number of unsuccessful authentication attempts; or
- Generate alerts after a threshold of unsuccessful authentication attempts.

CIP-008-5

Recovery Plans for BES Cyber Systems

CIP-008 R1

Cyber Security Incident Response Plan Specifications: Each Responsible Entity shall document one or more Cyber Security Incident response plan(s) that collectively include each of the applicable requirement parts in CIP-008-5 Table R1 - Cyber Security Incident Response Plan Specifications.

CIP-008 R2

Cyber Security Incident Response Plan Implementation and Testing: Each Responsible Entity shall implement each of its documented Cyber Security Incident response plans to collectively include each of the applicable requirement parts in CIP-008-5 Table R2 - Cyber Security Incident Response Plan Implementation and Testing.

CIP-008 R3

Cyber Security Incident Response Plan Review, Update, and Communication: Each Responsible Entity shall maintain each of its Cyber Security Incident response plans according to each of the applicable requirement parts in CIP-008-5 Table R3 - Cyber Security Incident Response Plan Review, Update, and Communication.

CIP-008 R1.1

One or more processes to identify, classify, and respond to Cyber Security Incidents.

CIP-008 R1.2

One or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident and notify the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law. Initial notification to the ES-ISAC, which may be only a preliminary notice, shall not exceed one hour from the determination of a Reportable Cyber Security Incident.

CIP-008 R1.3

The roles and responsibilities of Cyber Security Incident response groups or individuals.

CIP-008 R1.4

Incident handling procedures for Cyber Security Incidents.

CIP-008 R2.1

Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:
- By responding to an actual Reportable Cyber Security Incident;
- With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
- With an operational exercise of a Reportable Cyber Security Incident.

CIP-008 R2.2

Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident or performing an exercise of a Reportable Cyber Security Incident. Document deviations from the plan(s) taken during the response to the incident or exercise.

CIP-008 R2.3

Retain records related to Reportable Cyber Security Incidents.

CIP-008 R3.1

No later than 90 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security Incident response:
3.1.1. Document any lessons learned or document the absence of any lessons learned;
3.1.2. Update the Cyber Security Incident response plan based on any documented lessons learned associated with the plan; and
3.1.3. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates to the Cyber Security Incident response plan based on any documented lessons learned.

CIP-008 R3.2

No later than 60 calendar days after a change to the roles or responsibilities, Cyber Security Incident response groups or individuals, or technology that the Responsible Entity determines would impact the ability to execute the plan:
3.2.1. Update the Cyber Security Incident response plan(s); and
3.2.2. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates.

CIP-009-6

Recovery Plans for BES Cyber Systems

CIP-009 R1

Recovery Plan Specifications: Each Responsible Entity shall have one or more documented recovery plan(s) that collectively include each of the applicable requirement parts in CIP-009-6 Table R1 - Recovery Plan Specifications.

CIP-009 R2

Recovery Plan Implementation and Testing: Each Responsible Entity shall implement its documented recovery plan(s) to collectively include each of the applicable requirement parts in CIP-009-6 Table R2 - Recovery Plan Implementation and Testing.

CIP-009 R3

Recovery Plan Review, Update and Communication: Each Responsible Entity shall maintain each of its recovery plan(s) in accordance with each of the applicable requirement parts in CIP-009-6 Table R3 - Recovery Plan Review, Update and Communication.

CIP-009 R1.1

Conditions for activation of the recovery plan(s).

CIP-009 R1.2

Roles and responsibilities of responders.

CIP-009 R1.3

One or more processes for the backup and storage of information required to recover BES Cyber System functionality.

CIP-009 R1.4

One or more processes to verify the successful completion of the backup processes in Part 1.3 and to address any backup failures.

CIP-009 R1.5

One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or restrict recovery.

CIP-009 R2.1

Test each of the recovery plans referenced in Requirement R1 at least once every 15 calendar months:
- By recovering from an actual incident;
- With a paper drill or tabletop exercise; or
- With an operational exercise.

CIP-009 R2.2

Test a representative sample of information used to recover BES Cyber System functionality at least once every 15 calendar months to ensure that the information is useable and is compatible with current configurations. An actual recovery that incorporates the information used to recover BES Cyber System functionality substitutes for this test.

CIP-009 R2.3

Test each of the recovery plans referenced in Requirement R1 at least once every 36 calendar months through an operational exercise of the recovery plans in an environment representative of the production environment. An actual recovery response may substitute for an operational exercise.

CIP-009 R3.1

No later than 90 calendar days after completion of a recovery plan test or actual recovery:
3.1.1. Document any lessons learned associated with a recovery plan test or actual recovery or document the absence of any lessons learned;
3.1.2. Update the recovery plan based on any documented lessons learned associated with the plan; and
3.1.3. Notify each person or group with a defined role in the recovery plan of the updates to the recovery plan based on any documented lessons learned.

CIP-009 R3.2

No later than 60 calendar days after a change to the roles or responsibilities, responders, or technology that the Responsible Entity determines would impact the ability to execute the recovery plan:
3.2.1. Update the recovery plan; and
3.2.2. Notify each person or group with a defined role in the recovery plan of the updates.

CIP-010-2

Configuration Change Management and Vulnerability Assessments for BES Cyber Systems

CIP-010 R1

Configuration Change Management: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R1 - Configuration Change Management.

CIP-010 R2

Configuration Monitoring: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R2 - Configuration Monitoring.

CIP-010 R3

Vulnerability Assessments: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-2 Table R3 - Vulnerability Assessments.

CIP-010 R4

Transient Cyber Assets and Removable Media: Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media that include the sections in Attachment 1.

CIP-010 R1.1

Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.

CIP-010 R1.2

Authorize and document changes that deviate from the existing baseline configuration.

CIP-010 R1.3

For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary within 30 calendar days of completing the change.

CIP-010 R1.4

For a change that deviates from the existing baseline configuration:
1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affected; and
1.4.3. Document the results of the verification.

CIP-010 R1.5

Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or test the changes in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber security controls in CIP-005 and CIP-007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.

CIP-010 R2.1

Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.

CIP-010 R3.1

At least once every 15 calendar months, conduct a paper or active vulnerability assessment.

CIP-010 R3.2

Where technically feasible, at least once every 36 calendar months:
3.2.1. Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and
3.2.2. Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.

CIP-010 R3.3

Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration of the previous or other existing Cyber Asset.

CIP-010 R3.4

Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments, including the planned date of completing the action plan and the execution status of any remediation or mitigation action items.

CIP-010 Attachment 1 Section 1.1

Transient Cyber Asset Management (Managed by Entity): Responsible Entities shall manage Transient Cyber Asset(s), individually or by group: (1) in an ongoing manner to ensure compliance with applicable requirements at all times, (2) in an on-demand manner applying the applicable requirements before connection to a BES Cyber System, or (3) a combination of both (1) and (2) above.

CIP-010 Attachment 1 Section 1.2

Transient Cyber Asset Authorization (Managed by Entity): For each individual or group of Transient Cyber Asset(s), each Responsible Entity shall authorize:
1.2.1. Users, either individually or by group or role;
1.2.2. Locations, either individually or by group; and
1.2.3. Uses, which shall be limited to what is necessary to perform business functions.

CIP-010 Attachment 1 Section 1.3

Software Vulnerability Mitigation (Managed by Entity): Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability):
- Security patching;
- Live operating system and software executable only from read-only media;
- System hardening; or
- Other method(s) to mitigate software vulnerabilities.

CIP-010 Attachment 1 Section 1.4

Introduction of Malicious Code Mitigation (Managed by Entity): Use one or a combination of the following methods to achieve the objective of mitigating the introduction of malicious code (per Transient Cyber Asset capability):
- Antivirus software, including manual or managed updates of signatures or patterns;
- Application whitelisting; or
- Other method(s) to mitigate the introduction of malicious code.

CIP-010 Attachment 1 Section 1.5

Unauthorized Use Mitigation (Managed by Entity): Use one or a combination of the following methods to achieve the objective of mitigating the risk of unauthorized use of Transient Cyber Asset(s):
- Restrict physical access;
- Full-disk encryption with authentication;
- Multi-factor authentication; or
- Other method(s) to mitigate the risk of unauthorized use.

CIP-010 Attachment 1 Section 2.1

Software Vulnerability Mitigation (Managed by 3rd Party): Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability):
- Review of installed security patch(es);
- Review of security patching process used by the party;
- Review of other vulnerability mitigation performed by the party; or
- Other method(s) to mitigate software vulnerabilities.

CIP-010 Attachment 1 Section 2.2

Introduction of Malicious Code Mitigation (Managed by 3rd Party): Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability):
- Review of antivirus update level;
- Review of antivirus update process used by the party;
- Review of application whitelisting used by the party;
- Review use of live operating system and software executable only from read-only media;
- Review of system hardening used by the party; or
- Other method(s) to mitigate malicious code.

CIP-010 Attachment 1 Section 2.3

For any method used to mitigate software vulnerabilities or malicious code as specified in 2.1 and 2.2, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset (Managed by 3rd Party).

CIP-010 Attachment 1 Section 3.1

Removable Media Authorization: For each individual or group of Removable Media, each Responsible Entity shall authorize:
3.1.1. Users, either individually or by group or role; and
3.1.2. Locations, either individually or by group.

CIP-010 Attachment 1 Section 3.2

RM Malicious Code Mitigation: To achieve the objective of mitigating the threat of introducing malicious code to high impact or medium impact BES Cyber Systems and their associated Protected Cyber Assets, each Responsible Entity shall:
3.2.1. Use method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES Cyber System or Protected Cyber Assets; and
3.2.2. Mitigate the threat of detected malicious code on Removable Media prior to connecting the Removable Media to a high impact or medium impact BES Cyber System or associated Protected Cyber Assets.

CIP-011-2

Information Protection

CIP-011 R1

Information Protection: Each Responsible Entity shall implement one or more documented information protection program(s) that collectively includes each of the applicable requirement parts in CIP-011-2 Table R1 - Information Protection.

CIP-011 R2

Reuse and Disposal: Each Responsible Entity shall implement one or more documented process(es) that collectively include the applicable requirement parts in CIP-011-2 Table R2 - BES Cyber Asset Reuse and Disposal.

CIP-011 R1.1

Method(s) to identify information that meets the definition of BES Cyber System Information.

CIP-011 R1.2

Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.

CIP-011 R2.1

Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the "Applicable Systems" column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media.

CIP-011 R2.2

Prior to the disposal of applicable Cyber Assets that contain BES Cyber System Information, the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset or destroy the data storage media.