Project 2015-INT-02 Interpretation of CIP-007-5 for Foxguard Solutions


Status
NERC staff is working with the Project Management and Oversight Subcommittee of the NERC Standards Committee on prioritizing the project and forming an interpretation drafting team.
 
Background

On July 8, 2015, FoxGuard Solutions submitted a request for Interpretation of the terms “source or sources” as used in Table 2 of both CIP-007-5.  Requirement R2 of CIP-007-5 references Table 2 as follows:

R2: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-5  Table R2 – Security Patch Management.
 
FoxGuard Solutions is asking for clarification of the following language found in Table 2:
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.  

The NERC Standards Committee accepted the request for Interpretation at the September 23, 2015 meeting.

Standard Affected: CIP-007-5 - Cyber Security - System Security Management

Purpose/Need

FoxGuard Solutions stated that the lack of clarity on what constitutes a “source” could cause Responsible Entities to spend unrecoverable person-hours attempting to monitor individual sources of cyber security patches for hundreds (if not thousands) of operating systems, software applications, network devices and field devices. The possibility of overlooking an available cyber security patch released by the vendor is increased by the sheer number of systems and devices now under the scope of CIP-007-5. The greatest impact on the Responsible Entity would be for their High and Medium Impact assets.

 

Draft | Actions | Dates | Results | Consideration of Comments
Request for Interpretation | | | |
 

 

 
 


Copyright 2016 North American Electric Reliability Corporation. All rights reserved.