A 45-day formal comment period and initial ballot for CIP-013-1 – Cyber Security – Supply Chain Risk Management concluded at 8 p.m. Eastern, Monday, March 6, 2017. Voting results can be accessed via the links below. The drafting team will review all responses received during the comment period and determine the next steps of the project.
The project will address directives from Federal Energy Regulatory Commission (FERC) Order No. 829 to develop a new or modified standard to address “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” See Order No. 829, at P 1.
Standard(s) Affected: The project will propose a new standard or revisions to approved Critical Infrastructure Protection (CIP) standards.
On July 21, 2016, FERC issued Order No. 829, Revised Critical Infrastructure Protection Reliability Standards. In this order, FERC directed that NERC either develop a new standard or develop modifications to an existing standard to address the following reliability objective:
“[FERC directs] NERC to develop a forward-looking, objective-based Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. The new or modified Reliability Standard should address the following security objectives, discussed in detail below: (1) software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls”. See Order No. 829, at P 3.
The new standard or modified standard(s) are designed to “mitigate the risk of a cybersecurity incident affecting the reliable operation of the Bulk-Power System” (see Order No. 829, at P 1) and must be filed with regulatory authorities within one year of the Order No. 829 effective date.