Project 2015-INT-02 Interpretation of CIP-007-5 for Foxguard Solutions

Related Files

NERC staff is working with the Project Management and Oversight Subcommittee of the NERC Standards Committee on prioritizing the project and forming an interpretation drafting team.

On July 8, 2015, FoxGuard Solutions submitted a request for Interpretation of the terms “source or sources” as used in Table 2 of both CIP-007-5.  Requirement R2 of CIP-007-5 references Table 2 as follows:

R2: Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-5  Table R2 – Security Patch Management.
Foxguard Solutions is asking for clarity of the following language found in Table 2:  
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.  

The NERC Standards Committee accepted the request for Interpretation at the September 23, 2015 meeting.

Standard Affected: CIP-007-5 - Cyber Security - System Security Management


FoxGuard Solutions stated that the lack of clarity on what constitutes a “source” could cause Responsible Entities to spend unrecoverable person-hours attempting to monitor individual sources of cyber security patches for hundreds (if not thousands) of operating systems, software applications, network devices and field devices. The possibility of overlooking an available cyber security patch released from the vendor is increased due to the sheer number increased systems / devices now under scope of CIP-007-5. The greatest impact on the Responsible Entity would be for their High and Medium Impact assets. 


Draft Actions Dates Results Consideration of Comments
Request for Interpretation