Managing and Responding to CIP Low Impact Self-Certifications

CIP Low Impact Self-Certifications

In the last few years self-certifications have evolved from a simple internal assessment and response regarding an entity’s compliance status, to what now seems to be more of a self-audit, with data sampling, spreadsheets, evidence gathering, and NERC tools as part of the process. Proving your compliance to the North American Electric Reliability Corporation’s (NERC) Reliability Standards can be a time-consuming, and sometimes daunting task.

We’ve noticed a trend occurring among the Regional Entities that is focusing on the CIP Low Impact requirements identified in Reliability Standard CIP-003-8 – Cyber Security – Security Management Controls. Submitting proof of policies and plans, along with their implementation is included in the self-certifications. For example, ReliabilityFirst (RF) recently discussed their approach to CIP Low Impact Self-Certifications. Their process will include completion of a modified NERC Evidence Request Tool (ERT) for Level 1 and Level 2 evidence requests, additional requests for information, if necessary, and possible evidence walkthroughs and demonstrations. The Midwest Reliability Organization (MRO) approach includes completion of a detailed worksheet and submission of evidence. The worksheet includes narratives, data sampling and proof of the data sampling method, and specific evidence requested within the worksheet, including your cyber security policy and various cyber security plans identified in the Standard.

Are you prepared to fully address these items and provide the narratives and evidence necessary to prove your compliance? Here are some items to consider:

Are you confident you have correctly identified your BES Cyber Assets and BES Cyber Systems?

Are you comfortable using the NERC CIP Evidence Request Tool (ERT)?

Do you have experience responding to the ERT Level 1 and Level 2 evidence requests?

Does your Cyber Security Policy address each of the items listed in Attachment 1 of CIP-003-8?

Do you have Cyber Security Plans in place and supporting evidence for the following?

Cyber Security Awareness

Physical Security Controls

Electronic Access Controls

Cyber Security Incident Response, including testing of the Plan

Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation

Proven Compliance Solutions Inc. (PCS) is recognized in the U.S. and Canada for our NERC Reliability Standards compliance support services. Our team has extensive knowledge and experience with the Critical Infrastructure Protection (CIP) Standards. We have assisted and actively participated in all types of Regional compliance monitoring activities, including audits, spot checks, and self-certifications. We are equipped and ready to assist you with this extended approach that the Regional Entities are taking with the CIP Low Impact Self-Certifications.

For more information on how we can assist your organization with its NERC Reliability Standards compliance needs, contact Dale Zahn at or (262) 436-4116. To learn more about Proven Compliance Solutions Inc., visit our website at


More Posts