CIP-003-7 & CIP-003-8 Effective Dates August 15, 2019 Holly Eddy CISA, CRISC, CISSP Auditor, Cyber Security


CIP-003-7 & CIP-003-8

Effective Dates

August 15, 2019

Holly Eddy, CISA, CRISC, CISSP

Auditor, Cyber Security

Agenda

▪ CIP-003-7 and CIP-003-8 Effective Dates
▪ Changes between CIP-003-7 and CIP-003-8
▪ Review of Section 5.2.2
▪ Implementation Dates

What’s effective? When?

▪ January 1, 2020
  • CIP-003-7 will be subject to enforcement
▪ April 1, 2020
  • CIP-003-8 will be subject to enforcement

*Please note approval has not been published in the Federal Register as of this date.

Between January 1 and March 31, 2020, entities must afford protections required by CIP-003-7.

CIP-003-8

▪ No changes to:
  • R1, R3, R4
  • R2 Attachment 1, Sections 1, 2, 3, and 4

Changes Between CIP-003-7 and CIP-003-8

▪ Updates to Applicability; removing:
  • Special Protection System from 4.1.2.2 and 4.2.1.2
  • Interchange Coordinator or Interchange Authority as criterion 4.1.5
▪ Section 5.2 of Attachment 1
  • 5.2.1 “The use of” is now “Use”
  • Added Section 5.2.2
    ◦ Example evidence in Attachment 2 and G&TB

CIP-003-8 Section 5.2.2

▪ Added Section 5.2.2:
  • “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.”

Example Evidence

▪ Section 5.2.1
  • Documentation of change management system; email or procedures documenting a review of the installed antivirus update; email or other documentation identifying the antivirus update process, use of application whitelisting, etc. used by the party
▪ Section 5.2.2
  • Documentation of change management systems, electronic mail, or contracts that identify a review to determine whether additional mitigation is necessary and has been implemented before connecting

Employing CIP-010 R4

▪ Removable Media
  • CIP-003-7/8 Section 5.3
  • CIP-010-2/3 Att 1 Section 3.2
▪ TCAs managed by a party other than the Responsible Entity
  • CIP-003-8 Att 1 Section 5.2, Section 5.2.2
  • CIP-010-2/3 Att 1 Section 2.2, Section 2.3
▪ TCAs managed by the Responsible Entity
  • CIP-003-7/8 Att 1 Section 5.1
  • CIP-010-2/3 Att 1 Section 1.4

Implementation Plan Dates

Standard/Requirement: Implementation Dates for CIP-003-7 / CIP-003-8

▪ CIP-003-8 Security Management Controls: 1/1/2020 (CIP-003-7) / 4/1/2020 (CIP-003-8)
▪ CIP-003-8 R1.1 Policies for high- & medium-impact BCS: 7/1/2016
▪ CIP-003-8 R1.2 Policies for assets containing low-impact BCS: 1/1/2020
▪ CIP-003-8 R2
  • CIP-003-8, Att 1, Section 1 Cyber Security Awareness: 4/1/2017
  • CIP-003-8, Att 1, Section 2 Physical Security Controls: 1/1/2020
  • CIP-003-8, Att 1, Section 3 Electronic Access Controls: 1/1/2020
  • CIP-003-8, Att 1, Section 4 Cyber Security Incident Response: 4/1/2017
  • CIP-003-8, Att 1, Section 5 Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation
    ◦ Section 5.1: 1/1/2020
    ◦ Section 5.2: 1/1/2020
    ◦ Section 5.2.2: n/a (CIP-003-7) / 4/1/2020 (CIP-003-8)
    ◦ Section 5.3: 1/1/2020
▪ CIP-003-8 R3 Identify a CIP Senior Manager: 7/1/2016
▪ CIP-003-8 R4 Delegate CIP Senior Manager authority: 7/1/2016

Subject to Future Enforcement

CIP Reliability Standard    Effective Date
CIP-005-6                   July 1, 2020
CIP-008-6                   January 1, 2021
CIP-010-3                   July 1, 2020
CIP-013-1                   July 1, 2020

Filed and Pending Regulatory Approval

CIP Reliability Standard    Filing Date
CIP-012-1                   September 18, 2018

Note: On April 18, 2019, FERC published its Notice of Proposed Rulemaking regarding CIP-012-1.

For CIP Questions

Contact:
Holly Eddy
[email protected]

References

▪ NERC. (April 2019) CIP-003-8 - Cyber Security—Security Management Controls. Retrieved from: https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-003-8_Clean_04182019.pdf

▪ NERC. (January 2017) CIP-003-7(i) - Cyber Security—Security Management Controls. Retrieved from: https://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/CIP-003-7%28i%29_clean_01302017_team.pdf

▪ FERC. (31 July 2019) Approval of Reliability Standard CIP-003-8 (Cyber Security - Security Management Controls). Retrieved from: https://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20190731-3015

▪ NERC. (23 January 2015) CIP-010-2 - Cyber Security—Configuration Change Management and Vulnerability Assessments. Retrieved from: https://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/CIP-010-2_CLEAN_BOARD.pdf

▪ NERC. (July 2017) CIP-010-3 - Cyber Security—Configuration Change Management and Vulnerability Assessments. Retrieved from: https://www.nerc.com/pa/Stand/Project%20201603%20Cyber%20Security%20Supply%20Chain%20Managem/CIP-010-3_Clean_071117.pdf