Project 2008-06 Cyber Security Order 706

Status: The Version 5 CIP Standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1, the associated implementation plan, and the associated definitions) were approved by the NERC Board of Trustees on November 26, 2012, and they are being prepared for filing with applicable regulatory authorities.

Purpose/Industry Need:

The revisions in this project include:
  • Modifying the standards so they conform to the latest approved versions of the ERO Rules of Procedure as outlined in the Standard Review Guidelines identified in Attachment 1.
  • Addressing the directives issued by FERC in Order 706 relative to the approved Cyber Security Standards CIP-002-1 through CIP-009-1. Specific requirements from the Order are identified in Attachment 2.
    -  Emphasis on the Order 706 directive for NERC to address revisions to the CIP standards, considering applicable features of the NIST Security Risk Management Framework among other resources.
  • Incorporating clarifications from the Interpretation of CIP-006-1 Requirement 1.1.
5. Version 5 CIP Standards
   Description: Continue to address remaining Order 706 directives.
   Status: The Version 5 CIP Standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1, the associated implementation plan, and the associated definitions) were approved by the NERC Board of Trustees on November 26, 2012, and they are being prepared for filing with applicable regulatory authorities.

4. Update to Version 4 CIP Standards (Phase II)
   Description: Represents a shift towards identifying and categorizing the BES Cyber Systems that support the functions critical to the reliable operation of the Bulk Electric System (BES) as a basis for applying security controls commensurate with the potential impact those BES Cyber Systems have on the reliability of the BES.
   Status: FERC issued an Order on April 19, 2012 approving the CIP V4 standards. The Order becomes effective on June 25, 2012.

3. Violation Risk Factors and Violation Severity Levels for CIP Version 2 (Phase I)
   Description: Violation Risk Factors (for CIP-003-2 and CIP-006-2) and Violation Severity Levels (CIP-002-2 through CIP-009-2)
   Status: Approved by NERC Board of Trustees and filed with regulatory authorities.

2. Update from CIP Version 1 to Version 2 Standards (Phase I)
   Description: Revision of CIP-002-1 through CIP-009-1 to CIP-002-2 through CIP-009-2. This part of the project included the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities. Violation Risk Factors and Violation Severity Levels were done separately (see item 3 in list).
   Status: Approved by FERC. CIP Version 2 standards enforceable on April 1, 2010.

1. Standard Authorization Request (SAR) and Drafting Team Nominations
   Status: Complete

Related or Supplemental Activities Pertaining to CIP Standards, but not specifically part of Project 2008-06

Project 2009-21 Cyber Security 90-day Response
   Description: Not originally part of Project 2008-06, but resulted from FERC approval of CIP Version 2 standards. FERC issued directives due within 90 days.
   Status: Approved by the NERC Board of Trustees and filed with regulatory authorities.

Project 2010-09 Cyber Security Order 706B Nuclear Plant Implementation Plan
   Description: Special project to define implementation of CIP standards relative to nuclear power plants.
   Status: Implementation plan for CIP version 1 standards approved by FERC. Plan for Version 2 and Version 3 is underway.