Project 2020-03 Supply Chain Low Impact Revisions

​​Related Files

Status
A 45-day formal comment period for reliability standard CIP-003-X - Cyber Security — Security Management Controls is open through 8 p.m. Eastern, Monday, October 11, 2021. Ballot pools are being formed August 27 – September 27, 2021. An initial ballot for the standard and a non-binding poll of the associated Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) will be conducted October 1-11, 2021 .

Project 2016-02 (Virtualization) and Project 2020-03 (Supply Chain) are both making modifications to CIP-003. The Supply Chain team is using
"-X" in place of the version number, and Virtualization used "-Y". The version number will be assigned upon adoption by the NERC Board of Trustees.

​Background
In its final report accepted by the NERC Board in May 2019, NERC documented the results of the evaluation of supply chain risks associated with certain categories of assets not currently subject to the Supply Chain Standards and recommended actions to address those risks. NERC staff recommended further study to determine whether new information supports modifying the standards to include low impact BES Cyber Systems with external connectivity by issuing a request for data or information pursuant to Section 1600 of the NERC Rules of Procedure.

The Board approved the formal issuance of this data request on August 15, 2019. NERC collected the data from August 19 through October 3, 2019. A final report, Supply Chain Risk Assessment, was published in December 2019.  The report recommended the modification of the Supply Chain Standards to include low impact BES Cyber Systems with remote electronic access connectivity.  Further, industry feedback was received regarding this recommendation at the February 2020 NERC Board meeting through MRC Policy Input.

After considering policy input, the NERC Board adopted a resolution to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.

Standard(s) Affected CIP-003-8

Purpose/Industry Need
This project will address the NERC Board resolution adopted at its February 2020 to initiate a project to modify Reliability Standard CIP-003-8 to include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications; (2) determine when active vendor remote access sessions are initiated; and (3) disable active vendor remote access when necessary.

Subscribe to this project's observer distribution list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify “Project 2020-03 Supply Chain Low Impact Revisions Observer List” in the Description Box.


Draft

Actions

Dates

Results
Consideration of Comments



Draft 1


CIP-003-X
Clean | Redline

Implementation Plan

Supporting Materials

Unofficial Comment Form (Word)

VRF and VSL Justifications​

Technical Rationale


Initial Ballot and Non-binding Poll

Info

Vote




10/01/21- 10/11/21

Join Ballot Pools

08/27/21 - 09/27/21

Comment Period

Info

Submit Comments


08/27/21- 10/11/21​


​​​Standard Authorization Request (SAR)
Clean | Redline​


The Standards Committee accepted the SAR on February 17, 2021



Supplemental Drafting Team Nominations

Unofficial Nomination Form (Word)


Nomination Period

Info

Submit Nominations

 


07/30/20 - 08/13/20​


 Standard Authorization Request

Supporting Materials

Unofficial Comment Form (Word) 


Comment Period

Info
(Updated)

Submit Comments



 04/03/20 - 06/03/20
(Extended)

 


Comments Received

 



Summary Response to Comments


Drafting Team Nominations


Supporting Materials

Unofficial Nomination Form (Word)


Nomination Period

Info
(Updated)

Submit Nominations



04/03/20 - 06/03/20
(Extended)

 

​