Project 2020-03 Supply Chain Low Impact Revisions

Related Files

Status
The informal comment period for the Project 2020-03 Supply Chain Low Impact Revisions Standard Authorization Request (SAR) has been extended, and is now open through 8 p.m. Eastern, Wednesday, June 3, 2020.

Additionally, nominations are being sought for SAR drafting team members through 8 p.m. Eastern, Wednesday, June 3, 2020.

Background
In its final report accepted by the NERC Board in May 2019, NERC documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards and recommended actions to address those risks. NERC staff recommended further study to determine whether new information supports modifying the standards to include low impact BES Cyber Systems with external connectivity by issuing a request for data or information pursuant to Section 1600 of the NERC Rules of Procedure.

The Board approved the formal issuance of this data request on August 15, 2019. NERC collected the data from August 19 through October 3, 2019. A final report, Supply Chain Risk Assessment, was published in December 2019.  The report recommended the modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity.  Further, industry feedback was received regarding this recommendation at the February 2020 NERC Board meeting through MRC Policy Input.

After considering policy input, the NERC Board adopted a resolution to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.

Standard(s) Affected CIP-003-8

Purpose/Industry Need
This project will address the NERC Board resolution adopted at its February 2020 to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.

 


Draft

Actions

Dates

Results
Consideration of Comments


 Standard Authorization Request

Supporting Materials

Unofficial Comment Form (Word) 


Comment Period

Info
(Updated)

Submit Comments



 04/03/20 - 06/03/20
(Extended)


Drafting Team Nominations


Supporting Materials

Unofficial Nomination Form (Word)

Nomination Period

Info
(Updated)

Submit Nominations



04/03/20 - 06/03/20
(Extended)