The Violation Severity Levels have been approved by the NERC
Board of Trustees and filed with FERC.
Purpose/Industry Need:
FERC, in Order 706 (Mandatory Reliability Standards for Critical
Infrastructure Protection) (issued January 18, 2008), approved eight
Critical Infrastructure Protection (CIP) Reliability Standards and
directed NERC to develop modifications to the CIP Reliability Standards
to address specific concerns. The Order also states that NERC should
file Violation Severity Levels before the auditable compliant stage.

Since the CIP Standards have been approved and are enforceable, the
“Levels of Non-Compliance” must be replaced with “Violation Severity
Levels”. This is in accordance with the Order on Compliance Filing dated
June 7, 2007 (Docket #RR06-1-007), which directed NERC to replace the
‘Levels of Non-compliance’ (in the 83 standards it approved) with
‘Violation Severity Levels.’ It also requires development of Violation
Severity Levels for new or revised standards.

This project will meet the FERC directives regarding the development of
Violation Severity Levels (VSL) for the cyber group of standards:
CIP-002-1 – Critical Cyber Asset Identification, CIP-003-1 – Security
Management Controls, CIP-004-1 – Personnel and Training, CIP-005-1 –
Electronic Security Perimeter(s), CIP-006-1 – Physical Security of
Critical Cyber Assets, CIP-007-1 – Systems Security Management,
CIP-008-1 – Incident Reporting & Response Planning, CIP-009-1 – Recovery
Plans for Critical Cyber Assets.