Proven Compliance Solutions Inc. (PCS) reminds Registered Entities that the deadline of January 1, 2020 is fast approaching for transitioning their North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance programs to meet the latest version of CIP-003.
As the deadline swiftly approaches for transitioning CIP compliance programs to the meet the new CIP-003-7 cyber security standard requirements, entities will need to document and implement some important changes. As part of this transition, each program must now incorporate the following:
Policy statements for:
1. Transient Cyber Assets and Removable Media malicious code risk mitigation.
2. Declaring and responding to CIP Exceptional Circumstances.
In addition, entities are required to:
1. Document and implement a Physical Security Controls Plan to protect their low impact BCS and the Cyber Assets, providing electronic access controls for those devices to only those personnel who are deemed to need access.
2. Document and implement an Electronic Access Controls Plan.
3. Document all necessary inbound and outbound electronic access for any communications that meet all of the following criteria:
Between a low impact BCS and a Cyber Asset outside the low impact facility
Using a routable protocol when entering or leaving the low impact facility
Not used for real-time sensitive protection or control functions between intelligent electronic devices (note that SCADA communications are not to be considered “real-time sensitive”)
4. Document and implement a Transient Cyber Asset and Removable Media Plan to mitigate the risk of malicious code to low impact BCS.
PCS believes that developing and implementing your program to transition from CIP-003-6 to CIP-003-7 well in advance of the January 1, 2020 deadline is prudent and has been encouraging and supporting its clients with numerous program updates underway. Ryan Carlson, CISSP-PSP and PCS Vice President – Critical Infrastructure Protection Services explained, “The time is now to complete transition efforts to CIP-003-7. Last minute development and implementation carries with it a significantly higher risk of noncompliance.”
PCS CIP staff members have been in the business of CIP program development, implementation, technical procedure writing, staff training, and mock audit/gap analysis projects since the inception of NERC CIP mandatory compliance. Having two former Regional CIP auditors on staff, PCS CIP team members fully understand the ramifications of CIP compliance and are working with numerous clients in multiple NERC Regions throughout the U.S. and Canada to implement their CIP programs. PCS delivers compliance interpretations based on extensive auditing experience, coupled with programs and processes that provide clients with confidence in the compliance status of their organization.
For information on how PCS can support your organization’s NERC Reliability Standards compliance needs, please contact Dale Zahn at (262) 436-4116 or visit our website at www.provencompliance.com. #NERCcompliance #NERC #criticalinfrastructureprotection #weccreliability #SPPorg #ReliabilityFirst #Texas_RE_Inc
