In this third installment on successfully implementing the NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the different administrative parts of the Standards: policies, plans, processes and procedures.
Policy, Plans, Process and Procedures
Definitions used by the Regional Entities for Policy, Plan, Process, and Procedure are included in Section 6, titled “Background,” of the CIP Standards and are briefly covered below.
A policy is normally a strategic statement from senior management indicating the importance of addressing the CIP Standards, but often lacks details on how the Standards will specifically be addressed. Many earlier policy statements under CIP Versions 1, 2 and 3 quoted the CIP Standard text as part of the statements; however, this approach is now discouraged by Regions, whose officials are looking for a statement on management’s commitment to reliable facility operations and adherence to CIP Standards as one path to meeting those goals.
Plans, processes and procedures are documents that include tactical details on executing strategic policy statements. As noted in Section 6, “program” is used interchangeably with “plan.”
At Burns & McDonnell, here is how we approach these documents:
- Plans, or programs — Present a high-level description of how various parts of the Standards are covered. While the number of plan documents depends on how the Entity approaches its compliance program, the approach typically is broken down into one plan for each major Standard and Requirement. Burns & McDonnell recommends developing an opening statement for each plan, or section within a plan, that covers a Requirement in such a way that it can be used to help complete the related Reliability Standards Audit Worksheet (RSAW) — ultimately expediting completion of the RSAW.
- Processes — Provide details on how the plan is executed and generate evidence to demonstrate compliance with the Standards. Process documents can cover single or multiple components of a plan, depending on the material.
- Procedures — Sometimes referred to as Work Instructions, procedures have details on executing specific tasks within a Process and are normally segmented into individual documents covering each particular task. While procedure details can be included in process instructions to reduce the number of documents, the material also can be broken out into individual procedures — depending on the level of detail needed, the instruction length, or a desire to provide only the information necessary for executing a specific task.
Documentation Ready Date
As noted in this series’ first article, the implementation schedule for the Low Impact requirements is staggered between April 1, 2017, and September 1, 2018. But based on information received from NERC and several Regional Entities, all CIP-003-6, R2 Plans, Processes and Procedures documents must be completed by April 1, 2017. And because of this, the information on how an Entity handles Cyber Security Awareness, Physical Security Controls, Electronic Access Controls and Cyber Security Incident Response must be completed by April 1, 2017, even though the Physical Security and Electronic Access Controls do not have to be fully implemented until September 1, 2018.
But if an Entity hasn’t completed its Physical and Electronic Controls by April 1, what should be done? As of this posting, the Regions believe an Entity should have a good understanding of what needs to be done by April 1 for the Physical and Electronic Controls, and those controls should be documented. The Regions understand that an Entity may not have all controls fully tested by this date; if the actual implementation after April 1 uncovers issues resulting in a change, the document should be updated, with a record of all modifications retained from April 1, 2017, going forward.
Single or Multiple Documents
Due to the lower number of requirements for Low Impact BCS, should an Entity have one or multiple documents covering the requirements? Based on Burns & McDonnell’s experience and studied implementations, the creation of a single document or multiple documents depends on the size and complexity of an Entity’s environment, and how the Entity wants to manage the information. There is no one best way; it often comes down to an Entity’s preference.
If you have any questions on how to approach the policies, plans, processes and procedures, Burns & McDonnell recommends that Entities contact peer Registered Entities or their Regional Entity. Burns & McDonnell is also capable of assisting Entities based on our years of experience with the CIP Standards and helping Entities with the High, Medium and Low Impact BCS implementations.
The following information may be of assistance in your Low Impact BCS research and implementation efforts:
- TRE conducted a Low Impact workshop on May 19, 2016. Slides for the workshop can be found here.
- My previous posts for the Low Impact article series: an Introduction to NERC CIP Low Impact Requirements, and NERC CIP Low Impact Requirements – Cultural Change.
- Burns & McDonnell will have our second annual Power Utility Security & Compliance Symposium, August 8-9, 2016, which will cover several subjects related to Low Impact BCS.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.