NERC CIP Implementation Schedule

Have you been keeping up with the developments on NERC’s Critical Infrastructure Protection (CIP) Standards? With the CIP Version 5 modifications approved under Order 822 and with FERC ruling on the motion to delay enforcement dates of the V5 standards approved under Order 791, the Implementation Plans for both sets of standards become easier to understand and apply. Here’s what you need to know about the CIP implementation schedule, with compliance deadlines approaching on July 1:

Two Implementation Plans
The NERC filing, which became Order 822, contained an Implementation Plan (Exhibit B) for the standards covered by that filing, but it excluded CIP-002-5.1, CIP-005-5 and CIP-008-5 since they weren’t modified. The NERC filing included information for handling “Initial Performance of Certain Periodic Requirements,” pointing to the Implementation Plan approved under the Order 791 (Exhibit B) filing. Although it is not explicitly stated in the Order 822 Implementation Plan, the excluded Standards would follow the Implementation Plan approved under Order 791, resulting in two Implementation Plans for the standards now enforceable on July 1, 2016.

Implementation Timeline
Now that the enforcement dates for Order 791 align with those approved under Order 822, the industry avoids staggered implementation. Although the difference is not significant, keeping track of the dates under a staggered enforcement schedule would have been more complex than it needed to be, with some periodic items starting in early April only to be replaced a few months later. To help you understand the combined implementation plans, I’ve provided a summary of key dates below:

[Figure: Key dates, CIP V5]

For simplicity, details on the full Implementation Plan aren’t included here. For example, CIP-009 R2/Part 2.3 and CIP-010-2 R3/Part 3.2 are to be executed every 36 months, but the Implementation Plan indicated the initial performance must be executed within the first 24 months. If you’re interested in the complete plan document that explains the 24-month timing and other information, please connect with me on LinkedIn or send me an email.

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.
